Amazon GuardDuty

Amazon GuardDuty monitors AWS accounts for unusual activity and reports security findings.

Send these findings to Observe using Amazon EventBridge and Kinesis Data Firehose.

Enabling GuardDuty

Enable GuardDuty in your desired AWS regions, following the Amazon GuardDuty documentation. You do not have to enable exporting to an S3 bucket.

Forwarding from EventBridge to Kinesis Firehose

The recommended method to ingest findings is from GuardDuty to EventBridge, then from EventBridge to a Kinesis Data Firehose delivery stream, and then to Observe.

Creating a delivery stream

If needed, follow the instructions at Amazon Kinesis Firehose to create a delivery stream that sends data to Observe. If you have installed the Observe AWS Integration, you can send to that delivery stream instead of creating a new one.

Creating an EventBridge rule

Following the instructions at Creating Amazon EventBridge rules that react to events, create an EventBridge rule to send findings from EventBridge to Kinesis Firehose.

Configure the rule as appropriate for your environment, with the pattern to match and target as described below:

Under Define pattern, configure the following options:

Figure 1 - Define a pattern for an EventBridge rule

  • Select Event pattern to build a pattern that matches events.

  • Under Event matching pattern, select Pre-defined pattern by service.

  • For the Service provider, select AWS.

  • For Service name, select GuardDuty.

  • For Event type, select GuardDuty Finding.

Under Select targets:

Figure 2 - Select targets for an EventBridge rule

  • For Target, select Firehose delivery stream from the menu.

  • For Stream, select your desired stream.

As findings are generated, GuardDuty exports them to this delivery stream, which forwards them to Observe.
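The console choices above produce an EventBridge event pattern; the following added example (not code from the Observe or AWS documentation) writes that pattern out as JSON, shows an optional severity-filtered variant, and runs a simplified matcher over a constructed GuardDuty finding envelope so you can see which events would reach the delivery stream. The matcher reimplements only the EventBridge operators used here (exact-match lists and the numeric content filter), which is an assumption for illustration, and every id, account, region and finding type in the sample is a placeholder.

```python
# Event pattern equivalent to the console choices above:
# Service provider AWS, Service name GuardDuty, Event type GuardDuty Finding.
GUARDDUTY_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
}

# Optional tightening using EventBridge's numeric content filter: forward only
# findings of severity 7 and above (GuardDuty's High band starts at 7.0).
HIGH_SEVERITY_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}]},
}

_OPS = {">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
        "<": lambda a, b: a < b, "<=": lambda a, b: a <= b, "=": lambda a, b: a == b}

def _numeric_ok(value, spec):
    # spec looks like [">=", 7] or [">", 0, "<=", 5]; every clause must hold.
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return False
    return all(_OPS[spec[i]](value, spec[i + 1]) for i in range(0, len(spec), 2))

def matches(pattern, event):
    """Simplified EventBridge matching (assumption: only the operators used above).
    Every pattern key must exist in the event; a list is an exact-match OR;
    nested dicts recurse; {"numeric": [...]} is the numeric content filter."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(allowed, dict):
            if not isinstance(actual, dict) or not matches(allowed, actual):
                return False
            continue
        if not any(_numeric_ok(actual, alt["numeric"]) if isinstance(alt, dict)
                   else actual == alt for alt in allowed):
            return False
    return True

# Constructed sample in the envelope shape EventBridge delivers to Firehose;
# the id, account, region and finding type are placeholders, not real values.
SAMPLE_FINDING = {
    "id": "00000000-0000-0000-0000-000000000000", "account": "111122223333",
    "region": "us-east-1", "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "detail": {"type": "EXAMPLE:Placeholder/FindingType", "severity": 2},
}
```

With the basic pattern the sample finding is forwarded; with the severity-filtered variant it is dropped until its severity reaches 7, which is how you would keep low-severity noise out of the stream.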