AWS GuardDuty Integration

AWS GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and unauthorized behavior. It analyzes events from AWS CloudTrail, VPC Flow Logs, and DNS logs using machine learning, anomaly detection, and integrated threat intelligence to identify threats such as unauthorized access, data exfiltration attempts, compromised EC2 instances, and cryptocurrency mining.

This integration routes GuardDuty security findings to the alert management platform via Amazon SNS + AWS EventBridge. When GuardDuty detects a threat, EventBridge captures the finding and forwards it to an SNS topic, which delivers the payload to the platform's webhook endpoint. The platform maps the finding's numeric severity score to a standardized priority level and opens an alert for the on-call team.

Note: GuardDuty findings are one-directional — the service does not send a separate "resolved" event when a finding is archived. Alerts created from GuardDuty findings must be manually closed in the platform after investigation.

Integration Flow

AWS GuardDuty
      │
      │  Detects threat / finding
      ▼
Amazon EventBridge
      │
      │  Rule matches "GuardDuty Finding"
      ▼
Amazon SNS Topic
      │
      │  HTTPS subscription delivers payload
      ▼
Platform Webhook Endpoint
      │
      │  Schema validation + SNS Message parsing
      ▼
Alert Created → Priority mapped → On-Call Team Notified

Payload Schema

GuardDuty payloads arrive as SNS notification envelopes. The Message field contains a JSON-serialized EventBridge event with the full finding detail nested inside.

Outer SNS Envelope

Parsed Message Field (EventBridge Event)

Severity Mapping

GuardDuty uses a continuous numeric severity scale. The platform maps these values to standardized priority levels as follows:

AWS currently uses severity values in the 0.1 – 8.9 range. Values 0 and 9.0 – 10.0 are reserved for future use.

Payloads

Finding Detected (ALERT)

This is a real payload captured from AWS GuardDuty via SNS. The Message field arrives as a JSON string and must be parsed to access the finding detail.

json

After the platform parses the Message field, the key finding fields are:

json

Resulting alert: Priority → MEDIUM (severity 5), Type → ALERT

Prerequisites

Before configuring this integration, make sure you have:

• An active AWS account with GuardDuty enabled in at least one region

• Permissions to create and manage SNS topics, EventBridge rules, and SNS subscriptions

• A platform account with permission to create sources

Setup

Step 1: Create an Alert Source on the Platform

1. Log in to the alert management platform.

2. Navigate to Sources → Add Source.

3. Select AWS GuardDuty as the provider.

4. Enter a name for this source (e.g., GuardDuty – Production (us-east-1)).

5. Save and copy the generated Webhook URL and Token.

Step 2: Create an SNS Topic

1. Log in to the AWS Management Console.

2. Open the Simple Notification Service (SNS) console.

3. In the left sidebar, click Topics → Create topic.

4. Configure the topic:

   • Type: Standard

   • Name: GuardDutyAlerts (or any descriptive name)

   • Leave all other settings as default.

5. Click Create topic.

— Create topic form with Standard type selected

Step 3: Subscribe the Platform Webhook to the SNS Topic

1. On the topic detail page, click Create subscription.

— Topic detail page with "Create subscription" button

1. Configure the subscription:

   • Topic ARN: Auto-populated (your topic)

   • Protocol: HTTPS

   • Endpoint: Paste your platform Webhook URL (from Step 1)

   • Enable raw message delivery: Leave unchecked ← This is critical. The SNS envelope must be preserved so the platform can validate the subscription confirmation.

— Subscription form with HTTPS protocol and webhook URL entered

1. Click Create subscription.

2. The platform automatically confirms the subscription. Within a few seconds, the subscription status should change from PendingConfirmation to Confirmed.

— Subscription status showing "Confirmed"

Important: If the subscription remains in PendingConfirmation, verify that your webhook endpoint is publicly reachable and that the platform's SNS confirmation handler is functioning.

Step 4: Enable AWS GuardDuty

If GuardDuty is not yet enabled in your account:

1. Open the GuardDuty console.

2. Click Get started → Enable GuardDuty.

— GuardDuty welcome screen with "Enable GuardDuty" button

If GuardDuty is already enabled, skip to Step 5.

Step 5: Create an EventBridge Rule

1. Open the Amazon EventBridge console.

2. In the left sidebar, click Rules (under Buses) → Create rule.

3. Configure the rule:

   • Name: GuardDutyToSNS (or any name)

   • Description: Forward GuardDuty findings to SNS

   • Event bus: default

   • Rule type: Rule with an event pattern

4. Click Next.

5. In the Event pattern section:

   • Event source: AWS events

   • AWS service: GuardDuty

   • Event type: GuardDuty Finding

— Event pattern form with GuardDuty Finding selected

1. The event pattern will be automatically populated:

json

Optional — Filter by severity: To only forward medium, high, and critical findings (severity ≥ 4.0) to reduce noise, use a custom pattern:

json

1. Click Next.

2. In the Target section:

   • Target types: AWS service

   • Select a target: SNS topic

   • Topic: Select the SNS topic created in Step 2

— Target configuration with SNS topic selected

1. Click Next → Review → Create rule.

— Rule successfully created and showing as Enabled

Step 6: Test the Integration

1. Open the GuardDuty console.

2. In the left sidebar, click Settings.

3. Under Sample findings, click Generate sample findings.

— GuardDuty Settings page with "Generate sample findings" button

1. Click Findings in the left sidebar.

2. You should see multiple sample findings (prefixed with [SAMPLE]) in the findings list.

— GuardDuty findings list with [SAMPLE] findings visible

1. Within a few minutes, the findings should appear as alerts on the platform.

— Platform alerts list showing GuardDuty findings as HIGH/CRITICAL alerts

Sample findings cover all GuardDuty finding types across EC2, IAM, S3, EKS, RDS, and more. They use placeholder values and are marked with "sample": true in the finding JSON.a

Finding Types Reference

GuardDuty organizes findings into categories based on the affected AWS resource and threat type. Common finding types you may receive:

The full list of GuardDuty finding types is available in the AWS GuardDuty documentation.

Multi-Region Setup

GuardDuty operates at the region level. If you have GuardDuty enabled in multiple AWS regions, you must repeat Steps 2–5 for each region, or use GuardDuty multi-account / delegated administrator setup to aggregate findings to a central account.

For multi-region setups, it is recommended to:

1. Create one SNS topic per region (e.g., GuardDutyAlerts-us-east-1, GuardDutyAlerts-eu-west-1).

2. Create separate platform sources per region for clear visibility.

3. Name each source with the region (e.g., GuardDuty – Production (eu-west-1)).

Alert Lifecycle

After resolving a security finding in AWS (archiving it in GuardDuty), manually close the corresponding alert in the platform to keep your incident queue clean.

Troubleshooting