Amazon GuardDuty

Amazon GuardDuty monitors AWS accounts for unusual activity and reports security findings.

Send these findings to Observe using Amazon EventBridge and Kinesis Data Firehose.

Enable GuardDuty

Enable GuardDuty in each AWS region you want to monitor, following the Amazon GuardDuty documentation. GuardDuty publishes new and updated findings to EventBridge automatically, so you do not need to enable findings export to an S3 bucket for this integration.

Forward from EventBridge to Kinesis Firehose

The recommended path is GuardDuty to EventBridge, EventBridge to a Kinesis Data Firehose delivery stream, and the delivery stream to Observe. GuardDuty publishes findings to the default event bus of the region they were generated in, so create the rule below in every region where GuardDuty is enabled.

Create a delivery stream

If needed, follow the instructions at Amazon Kinesis Firehose to create a delivery stream that sends to Observe. If you have installed the Observe AWS Integration, you can send to its delivery stream instead of creating a new one.

Create an EventBridge rule

Following the instructions at Creating Amazon EventBridge rules that react to events, create an EventBridge rule to send findings from EventBridge to Kinesis Firehose.

Configure the rule as appropriate for your environment, with the pattern to match and target as described below:

Under Define pattern, configure the following options:

The Define pattern section for configuring an EventBridge rule
  • Select Event pattern to build a pattern to match events

  • Under Event matching pattern, select Pre-defined pattern by service.

  • For the Service provider, select AWS

  • For Service name, select GuardDuty

  • For Event type, select GuardDuty Finding

Under Select targets:

The Select targets section for configuring an EventBridge rule
  • For Target, select Firehose delivery stream from the menu

  • For Stream, select your desired stream. EventBridge needs an IAM role that allows it to put records into that stream; let the console create a new role for the target unless you already have one.

As findings are generated or updated, GuardDuty publishes them to EventBridge, the rule forwards every event that matches the pattern to the delivery stream, and the stream delivers them to Observe. Each record is the full EventBridge event, with the GuardDuty finding itself under the detail field.
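The console selections above produce an event pattern that matches on the event source and detail type. The following is an added example, not code from Observe or AWS: it writes out that pattern as JSON, shows an optional tightened variant that also filters on the finding severity (a numeric content filter, assumed here to keep Medium and above, severity 4 or higher), and implements the subset of EventBridge matching semantics these patterns use so you can check which constructed sample events a rule would forward before deploying it. The sample events are constructed to mimic the envelope EventBridge wraps findings in; the finding ids, account number and resource details are placeholders.

```python
"""Check which events an EventBridge rule for GuardDuty findings would forward."""
import json
import operator

# Equivalent of the console choices: service provider AWS, service name
# GuardDuty, event type "GuardDuty Finding".
GUARDDUTY_FINDING_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
}

# Assumed tightening: only forward Medium (4.0-6.9) and High (7.0-8.9)
# severities, using an EventBridge numeric content filter on detail.severity.
MEDIUM_AND_ABOVE_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 4]}]},
}

_NUMERIC_OPS = {
    "=": operator.eq, ">": operator.gt, ">=": operator.ge,
    "<": operator.lt, "<=": operator.le,
}


def pattern_json(pattern):
    """JSON form of a pattern, suitable for a file passed to
    `aws events put-rule --event-pattern file://pattern.json`."""
    return json.dumps(pattern, indent=2)


def _numeric_filter(spec, value):
    """EventBridge numeric filter: ["op", n] or ["op", n, "op", n] (a range)."""
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return False
    return all(_NUMERIC_OPS[op](value, n) for op, n in zip(spec[0::2], spec[1::2]))


def matches(pattern, event):
    """Subset of EventBridge pattern semantics used here: every key in the
    pattern must exist in the event; a list is an OR of exact values or
    numeric filters; a nested dict descends into the corresponding object."""
    for key, spec in pattern.items():
        if key not in event:
            return False
        value = event[key]
        if isinstance(spec, dict):
            if not isinstance(value, dict) or not matches(spec, value):
                return False
            continue
        ok = False
        for alt in spec:
            if isinstance(alt, dict) and "numeric" in alt:
                ok = _numeric_filter(alt["numeric"], value)
            else:
                ok = value == alt
            if ok:
                break
        if not ok:
            return False
    return True


def select(pattern, events):
    """Ids of the events a rule with this pattern would send to its target."""
    return [e["id"] for e in events if matches(pattern, e)]


def _finding(event_id, finding_type, severity):
    # Constructed envelope in the shape EventBridge uses for GuardDuty findings.
    return {
        "version": "0", "id": event_id, "detail-type": "GuardDuty Finding",
        "source": "aws.guardduty", "account": "123456789012",
        "time": "2024-01-01T00:00:00Z", "region": "us-east-1", "resources": [],
        "detail": {"schemaVersion": "2.0", "type": finding_type,
                   "severity": severity, "resource": {"resourceType": "Instance"}},
    }


# Constructed sample events: a Medium finding, a Low finding, and an unrelated
# EC2 state-change event that shares the bus but must not be forwarded.
SAMPLE_EVENTS = [
    _finding("f-medium", "Recon:EC2/PortProbeUnprotectedPort", 5),
    _finding("f-low", "Policy:IAMUser/RootCredentialUsage", 2),
    {"version": "0", "id": "ec2-state", "source": "aws.ec2",
     "detail-type": "EC2 Instance State-change Notification",
     "account": "123456789012", "region": "us-east-1",
     "detail": {"state": "running"}},
]

if __name__ == "__main__":
    print(pattern_json(GUARDDUTY_FINDING_PATTERN))
    print("base rule forwards:", select(GUARDDUTY_FINDING_PATTERN, SAMPLE_EVENTS))
    print("medium+ rule forwards:", select(MEDIUM_AND_ABOVE_PATTERN, SAMPLE_EVENTS))
```

The base pattern forwards both GuardDuty findings and drops the EC2 event; the severity-filtered pattern forwards only the Medium finding. If you create the rule from the CLI rather than the console, the Firehose target also needs a role that EventBridge (events.amazonaws.com) can assume with firehose:PutRecord and firehose:PutRecordBatch on the stream, which is the role the console offers to create for you.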