[ { "Id": "1", "Arn": "arn:aws:sns:REGION:ACCOUNT_ID:guardduty-malware-alerts", "RoleArn": "arn:aws:iam::ACCOUNT_ID:role/GuardDuty-EventBridge-Role", "InputTransformer": { "InputPathsMap": { "title": "$.detail.title", "severity": "$.detail.severity", "findingType": "$.detail.type", "instanceId": "$.detail.resource.instanceDetails.instanceId", "instanceName": "$.detail.resource.instanceDetails.tags[0].value", "privateIp": "$.detail.resource.instanceDetails.networkInterfaces[0].privateIpAddress", "region": "$.region", "account": "$.account", "threatName": "$.detail.service.ebsVolumeScanDetails.scanDetections.highestSeverityThreatDetails.threatName", "threatSeverity": "$.detail.service.ebsVolumeScanDetails.scanDetections.highestSeverityThreatDetails.severity", "fileName": "$.detail.service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames[0].filePaths[0].fileName", "filePath": "$.detail.service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames[0].filePaths[0].filePath", "time": "$.detail.service.eventFirstSeen", "findingArn": "$.detail.arn" }, "InputTemplate": "\"GuardDuty Malware Alert\\n\\nTitle : <title>\\nSeverity : <severity>\\nType : <findingType>\\n\\nInstance : <instanceId> (<instanceName>)\\nPrivateIP: <privateIp>\\nRegion : <region>\\nAccount : <account>\\n\\nThreat : <threatName>\\nSeverity : <threatSeverity>\\nFile : <fileName>\\nPath : <filePath>\\n\\nDetected : <time>\\nFinding : <findingArn>\\n\\nAutomated response triggered — forensic collection and instance isolation in progress.\"" } }, { "Id": "2", "Arn": "arn:aws:ssm:REGION:ACCOUNT_ID:automation-definition/GuardDuty-EC2-Isolate-And-Collect", "RoleArn": "arn:aws:iam::ACCOUNT_ID:role/GuardDuty-EventBridge-Role", "InputTransformer": { "InputPathsMap": { "instance": "$.detail.resource.instanceDetails.instanceId" }, "InputTemplate": 
"{\"InstanceId\":[\"<instance>\"],\"IsolationSecurityGroupId\":[\"sg-YOUR_ISOLATION_SG_ID\"],\"AutomationAssumeRole\":[\"arn:aws:iam::ACCOUNT_ID:role/GuardDuty-SSM-Automation-Role\"],\"AwsRegion\":[\"ap-south-1\"]}" } } ]