Amazon GuardDuty¶
Amazon GuardDuty monitors AWS accounts for unusual activity and reports security findings.
Send these findings to Observe using Amazon EventBridge and Kinesis Data Firehose.
Enable GuardDuty¶
Enable GuardDuty in your desired AWS regions, following the Amazon GuardDuty documentation. There is no need to enable exporting to an S3 bucket.
Forward from EventBridge to Kinesis Firehose¶
The recommended method to ingest findings is from GuardDuty to EventBridge, then from EventBridge to a Kinesis Data Firehose delivery stream, and then to Observe.
Create a delivery stream¶
If needed, follow the instructions at Amazon Kinesis Firehose to create a delivery stream that sends to Observe. If you have installed the Observe AWS Integration, you can send to its delivery stream instead of creating a new one.
Create an EventBridge rule¶
Following the instructions at Creating Amazon EventBridge rules that react to events, create an EventBridge rule to send findings from EventBridge to Kinesis Firehose.
Configure the rule as appropriate for your environment, with the pattern to match and target as described below:
Under Define pattern, configure the following options:

Select Event pattern to build a pattern to match events
Under Event matching pattern, select Pre-defined pattern by service.
For the Service provider, select AWS
For Service name, select GuardDuty
For Event type, select GuardDuty Finding
Under Select targets:

For Target, select Firehose delivery stream from the menu
For Stream, select your desired stream
As findings are generated, GuardDuty exports them to this delivery stream, which forwards them to Observe.