AWS GuardDuty Integration
Ingest security findings, track threat severity distribution, and analyze detection trends across your AWS GuardDuty deployments. Get AI-powered threat correlation to identify attack chains before they escalate.
How It Works
Enable GuardDuty EventBridge Integration
Configure GuardDuty to emit findings to Amazon EventBridge. TigerOps provides a CloudFormation template that creates the EventBridge rule and Lambda forwarder to ingest findings.
Deploy TigerOps Finding Forwarder
Run the TigerOps CloudFormation stack to deploy the Lambda-based finding forwarder. Findings are normalized and enriched with account, region, and resource metadata before ingestion.
Configure Severity-Based Routing
Map GuardDuty finding severity levels (Low/Medium/High/Critical) to TigerOps alert priorities. Route critical findings to PagerDuty or Slack on-call channels automatically.
Correlate with Infrastructure Metrics
TigerOps links GuardDuty findings with infrastructure anomalies from EC2, VPC Flow Logs, and CloudTrail to build a complete attack timeline in one incident view.
What You Get Out of the Box
Security Finding Ingestion
Real-time ingestion of all GuardDuty findings including threat type, affected resource, severity score, and MITRE ATT&CK technique classification.
Threat Severity Distribution
Dashboard panels showing finding counts broken down by severity (Low/Medium/High/Critical), finding type category, and affected AWS account or region.
Detection Trend Analysis
Historical finding rate trends by threat type. Identify whether specific attack patterns are increasing, decreasing, or correlated with application deployment events.
Multi-Account Aggregation
Aggregate GuardDuty findings from all member accounts in your AWS Organization into a single TigerOps view. Filter and drill down by account, region, or resource.
Finding Suppression Tracking
Track auto-suppressed and manually archived findings separately from active threats. Measure suppression rule effectiveness and detect suppression rule abuse.
AI Threat Correlation Engine
TigerOps AI correlates GuardDuty findings with CloudTrail API call anomalies, VPC Flow Log traffic spikes, and IAM policy changes to identify coordinated attack chains.
CloudFormation Stack for GuardDuty Finding Forwarder
Deploy the TigerOps EventBridge-to-Lambda forwarder to stream GuardDuty findings in real time.
# TigerOps CloudFormation — GuardDuty Finding Forwarder
# aws cloudformation deploy \
#   --template-file tigerops-guardduty-forwarder.yaml \
#   --stack-name tigerops-guardduty \
#   --capabilities CAPABILITY_IAM
Parameters:
  TigerOpsApiKey:
    Type: String
    NoEcho: true
  MinimumSeverity:
    Type: Number
    Default: 4.0
    Description: Minimum GuardDuty severity to forward (1-10)
Resources:
  GuardDutyEventRule:
    Type: AWS::Events::Rule
    Properties:
      Name: tigerops-guardduty-findings
      EventPattern:
        source:
          - aws.guardduty
        detail-type:
          - GuardDuty Finding
        detail:
          severity:
            - numeric:
                - ">="
                - !Ref MinimumSeverity
      Targets:
        - Arn: !GetAtt FindingForwarderFunction.Arn
          Id: TigerOpsFindingForwarder
  # EventBridge cannot invoke a Lambda target without an explicit resource policy;
  # without this permission the rule is created but every delivery fails.
  FindingForwarderPermission:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !Ref FindingForwarderFunction
      Action: lambda:InvokeFunction
      Principal: events.amazonaws.com
      SourceArn: !GetAtt GuardDutyEventRule.Arn
  # Least-privilege execution role: CloudWatch Logs only, no other AWS API access.
  FindingForwarderRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
  FindingForwarderFunction:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: tigerops-guardduty-forwarder
      Runtime: python3.12
      Handler: index.handler
      Role: !GetAtt FindingForwarderRole.Arn
      Environment:
        Variables:
          TIGEROPS_API_KEY: !Ref TigerOpsApiKey
          TIGEROPS_ENDPOINT: https://ingest.atatus.net/api/v1/security/findings
      Code:
        ZipFile: |
          import json, os, urllib.request

          def handler(event, context):
              # EventBridge places the GuardDuty finding under event['detail'];
              # the owning account and region come from the event envelope.
              finding = event['detail']
              payload = json.dumps({
                  'source': 'guardduty',
                  'account': event['account'],
                  'region': event['region'],
                  'finding': finding
              }).encode()
              req = urllib.request.Request(
                  os.environ['TIGEROPS_ENDPOINT'],
                  data=payload,
                  headers={
                      'Authorization': f"Bearer {os.environ['TIGEROPS_API_KEY']}",
                      'Content-Type': 'application/json'
                  }
              )
              # A non-2xx response raises, so Lambda retries the asynchronous
              # EventBridge invocation instead of silently dropping the finding.
              with urllib.request.urlopen(req, timeout=10) as resp:
                  return {'status': resp.status}

Common Questions
How does TigerOps ingest GuardDuty findings — are they metrics or events?
TigerOps ingests GuardDuty findings as structured security events via EventBridge, not as CloudWatch metrics. The finding payload includes full JSON including resource details, threat intelligence indicators, and network connection information for deep analysis.
Can TigerOps receive GuardDuty findings from all accounts in an AWS Organization?
Yes. TigerOps supports GuardDuty Organizations mode. Deploy the TigerOps EventBridge forwarding stack in your GuardDuty administrator account to receive findings aggregated from all member accounts with full account metadata attached.
Does TigerOps support GuardDuty Malware Protection findings?
Yes. GuardDuty Malware Protection findings for EC2 and ECS are ingested alongside standard threat findings. TigerOps groups malware scan results by instance, container, and S3 object type with threat name and severity breakdown.
How are repeat GuardDuty findings handled to prevent alert fatigue?
TigerOps applies deduplication on finding IDs and groups repeat occurrences of the same finding type from the same resource into a single incident with an occurrence count. Alert suppression rules can be configured per finding type or resource tag.
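The severity-to-priority mapping from the "Configure Severity-Based Routing" step and the repeat-finding grouping described in this answer, as an added Python example (not TigerOps code). It assumes the EventBridge envelope the forwarder above receives, uses GuardDuty's documented severity bands, and runs on constructed sample events.

```python
# Severity bands follow GuardDuty's documented ranges:
# Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0.
SEVERITY_BANDS = [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (1.0, "Low")]

def severity_label(score):
    """Map GuardDuty's 1-10 numeric severity to the label used for routing."""
    for floor, label in SEVERITY_BANDS:
        if score >= floor:
            return label
    return "Unknown"  # GuardDuty scores start at 1.0; anything lower is malformed input

def normalize(event):
    """Flatten an EventBridge GuardDuty event into the fields the router needs."""
    d, res = event["detail"], event["detail"].get("resource", {})
    rtype = res.get("resourceType", "Unknown")
    # The identifier sits under a type-specific key; only Instance is handled here.
    rid = (res.get("instanceDetails", {}).get("instanceId") if rtype == "Instance" else None) or ""
    sev = float(d["severity"])
    return {"id": d["id"], "account": event["account"], "region": event["region"],
            "type": d["type"], "severity": sev, "label": severity_label(sev),
            "resource_type": rtype, "resource_id": rid}

def group_incidents(events):
    """Drop duplicate finding ids, then fold repeats of one finding type on one
    resource into a single incident carrying an occurrence count and worst severity."""
    seen, incidents = set(), {}
    for ev in events:
        f = normalize(ev)
        if f["id"] in seen:
            continue  # same finding id delivered again; count it once
        seen.add(f["id"])
        key = (f["account"], f["type"], f["resource_type"], f["resource_id"])
        inc = incidents.setdefault(key, {**f, "occurrences": 0})
        inc["occurrences"] += 1
        if f["severity"] > inc["severity"]:
            inc["severity"], inc["label"] = f["severity"], f["label"]
    return list(incidents.values())

def _ev(fid, ftype, sev, iid):
    """Constructed EventBridge envelope with just the GuardDuty fields used above."""
    return {"account": "111111111111", "region": "us-east-1", "detail": {
        "id": fid, "type": ftype, "severity": sev,
        "resource": {"resourceType": "Instance", "instanceDetails": {"instanceId": iid}}}}

# Constructed sample: two port probes of one instance (one delivered twice) and one SSH brute force.
SAMPLE_EVENTS = [
    _ev("f1", "Recon:EC2/PortProbeUnprotectedPort", 2.0, "i-0abc"),
    _ev("f2", "Recon:EC2/PortProbeUnprotectedPort", 5.0, "i-0abc"),
    _ev("f2", "Recon:EC2/PortProbeUnprotectedPort", 5.0, "i-0abc"),
    _ev("f3", "UnauthorizedAccess:EC2/SSHBruteForce", 7.5, "i-0abc"),
]
```

Running `group_incidents(SAMPLE_EVENTS)` yields two incidents: the port probe with an occurrence count of 2 at Medium, and the brute-force finding at High.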
Can I build compliance dashboards with GuardDuty data in TigerOps?
Yes. TigerOps provides pre-built compliance dashboard templates that display GuardDuty finding trends alongside other security signals. These dashboards are exportable as PDF reports for SOC2, PCI-DSS, and ISO 27001 audit evidence.
Stop Treating GuardDuty Findings as Background Noise
Finding ingestion, severity routing, and AI threat chain correlation. Deploy in 5 minutes.