Enabling Operationalization of GuardDuty Findings

Many organizations have established security programs that include a Security Information and Event Management (SIEM) solution such as Splunk, Elasticsearch or logz.io. One of the first steps in enabling the security team to respond to issues is ensuring they know the issues exist.

It is recommended to designate a delegated administrator account for GuardDuty management that is separate from the Organization Master account. This preserves the integrity of the Org account by reducing users' need to even authenticate to it. Once an account has been designated the delegated administrator and all member accounts have been integrated, the admin account will be the only one that can suppress findings.

At this point, the findings for all joined accounts will appear as findings in the admin account. Thanks to this, EventBridge can be leveraged to mature the solution further by integrating it with the existing SIEM architecture.

In the delegated admin account (shown as Security Operations Account above), enable an EventBridge rule that captures all GuardDuty findings. By nature of the design, it will capture the events from all member accounts.

By selecting "Event bus in another AWS account" as the rule target and supplying the account number of the Central Logging account, the matched events from all accounts will be sent to a central location for aggregation.

Repeat this step in the Central Logging account, this time choosing an SQS queue, Kinesis Firehose, or SNS (for email notification or ingestion) as the target, to allow integration with the existing SIEM.
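As an added illustration, not code from the original post, the following shows the event pattern the rule in the delegated admin account would use, the resource policy the Central Logging account's default event bus needs before it will accept the forwarded events, and a small matcher that checks a constructed finding event against the pattern. Account IDs, region and the sample events are placeholders.

```python
import json

# Placeholder account IDs and region (assumptions, not from the post).
SECOPS_ACCOUNT = "111111111111"   # GuardDuty delegated administrator
CENTRAL_ACCOUNT = "222222222222"  # Central Logging account
REGION = "us-east-1"

# Event pattern for the rule in the delegated admin account: every
# GuardDuty finding, which covers findings from all member accounts.
# (Passed as --event-pattern to `aws events put-rule`.)
GUARDDUTY_FINDINGS_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
}

def central_bus_policy(sender_account, central_account, region):
    """Resource policy for the Central Logging account's default event bus.
    Cross-account delivery is denied unless the receiving bus allows the
    sending account to call events:PutEvents; the sending rule also needs
    an IAM role permitted to call events:PutEvents on this bus ARN."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowSecOpsPutEvents",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{sender_account}:root"},
            "Action": "events:PutEvents",
            "Resource": f"arn:aws:events:{region}:{central_account}:event-bus/default",
        }],
    }

def matches(pattern, event):
    """Minimal EventBridge matcher for the top-level fields used above:
    every pattern key must be present in the event and equal one of the
    listed literals (nested and numeric matching are not implemented)."""
    return all(event.get(key) in allowed for key, allowed in pattern.items())

# Constructed sample events following the GuardDuty EventBridge event shape.
# In the delegated admin account, "account" is the admin account while
# detail.accountId identifies the member account that produced the finding.
FINDING_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "account": SECOPS_ACCOUNT,
    "detail": {"accountId": "333333333333", "severity": 5},
}
OTHER_EVENT = {"source": "aws.ec2", "detail-type": "EC2 Instance State-change Notification"}

if __name__ == "__main__":
    print(json.dumps(central_bus_policy(SECOPS_ACCOUNT, CENTRAL_ACCOUNT, REGION), indent=2))
```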

John Byrd

Modernizing companies’ AWS security and governance programs at scale.