AWS GuardDuty

Updated 1 month ago by TruSTAR

This TruSTAR integration for Amazon Web Services (AWS) is an AWS Lambda function that is triggered automatically each time an AWS GuardDuty finding is emitted (the finding is delivered to the function through a CloudWatch Events rule). It converts the finding into a TruSTAR Intelligence Report and submits it to a private TruSTAR Enclave.


  • Send GuardDuty findings delivered through CloudWatch Events into a TruSTAR enclave for enrichment and triage.


  • An AWS account with access to GuardDuty and permission to configure Lambda functions and CloudWatch Events rules.


Downloading Required Files

The following bundle is required to manually install the TruSTAR AWS GuardDuty integration.

Bundle Name | Description
AWS Guard Duty App Bundle | Contains the Lambda function code that the setup below deploys. The function is triggered by GuardDuty finding events and forwards each finding to TruSTAR.

Setup and Configuration

  1. Create the Lambda function: navigate to Lambda → Create Function.
  2. Fill out the details:
  • Name – a unique name that identifies the Lambda function
  • Runtime – select Python 3.7
  • Role – select an execution role that can write to AWS CloudWatch Logs. Nothing more is needed: the finding arrives in the event payload, so the function requires no GuardDuty or other read permissions of its own.
  3. Select Create function.
  4. Under Function code, select Upload a .zip file and upload the bundle.
  5. Enter the environment variables the bundle expects. Anyone allowed to read the function's configuration can read these values, so if they include TruSTAR API credentials, restrict that permission accordingly.
  6. Set the timeout to 3 minutes and the memory to 128 MB.
  7. Set the reserved concurrency to 5.
  8. Save the changes.

Creating a CloudWatch Event Rule

  1. Navigate to Services → Management Tools → CloudWatch.
  2. Click Rules → Create Rule. For the event source, match events from the GuardDuty service; in the event JSON these are the ones with "source": "aws.guardduty" and "detail-type": "GuardDuty Finding" (see the sample event below). Keep the rule this narrow so that only findings reach the function.
  3. Add a Target and select the Lambda function created above.
  4. Click Configure details.
  5. Enter a name (and optionally a description) for the rule, then select Create rule.

Sample JSON Event

This is what a typical event looks like in JSON when it is delivered to the function and submitted to TruSTAR as an Intel Report. The outer fields (version through region) are the CloudWatch Events envelope; the GuardDuty finding itself is the detail object. The values shown are placeholders from a generated test finding (GeneratedFindingISP, an empty ipAddressV4, the 99:EC2/Stateless.IntegTest type); a live finding carries a real remote IP and finding type.

{
  "version": "0",
  "id": "c8c4daa7-a20c-2f03-0070-b7393dd542ad",
  "detail-type": "GuardDuty Finding",
  "source": "aws.guardduty",
  "account": "123456789012",
  "time": "1970-01-01T00:00:00Z",
  "region": "us-east-1",
  "resources": [],
  "detail": {
    "schemaVersion": "2.0",
    "accountId": "123456789012",
    "region": "us-east-1",
    "partition": "aws",
    "id": "99afba5c5c43e07c9e3e5e2e544e95df",
    "arn": "arn:aws:guardduty:us-east-1:123456789012:detector/123456789012/finding/16afba5c5c43e07c9e3e5e2e544e95df",
    "type": "99:EC2/Stateless.IntegTest",
    "resource": {
      "resourceType": "Instance",
      "instanceDetails": {
        "instanceId": "i-05746eb48123455e0",
        "instanceType": "t2.micro",
        "launchTime": 1492735675000,
        "productCodes": [],
        "networkInterfaces": [
          {
            "ipv6Addresses": [],
            "privateDnsName": "",
            "privateIpAddress": "",
            "privateIpAddresses": [
              {
                "privateDnsName": "",
                "privateIpAddress": ""
              }
            ],
            "subnetId": "subnet-d58b7123",
            "vpcId": "vpc-34865123",
            "securityGroups": [
              {
                "groupName": "launch-wizard-1",
                "groupId": "sg-9918a123"
              }
            ],
            "publicDnsName": "",
            "publicIp": ""
          }
        ],
        "tags": [
          {
            "key": "Name",
            "value": "ssh-22-open"
          }
        ],
        "instanceState": "running",
        "availabilityZone": "us-east-1b",
        "imageId": "ami-4836a123",
        "imageDescription": "Amazon Linux AMI 2017.03.0.20170417 x86_64 HVM GP2"
      }
    },
    "service": {
      "serviceName": "guardduty",
      "detectorId": "3caf4e0aaa46ce4ccbcef949a8785353",
      "action": {
        "networkConnectionAction": {
          "connectionDirection": "OUTBOUND",
          "remoteIpDetails": {
            "ipAddressV4": "",
            "organization": {
              "asn": -1,
              "isp": "GeneratedFindingISP",
              "org": "GeneratedFindingORG"
            },
            "country": {
              "countryName": "United States"
            },
            "city": {
              "cityName": "GeneratedFindingCityName"
            },
            "geoLocation": {
              "lat": 0,
              "lon": 0
            }
          },
          "remotePortDetails": {
            "port": 22,
            "portName": "SSH"
          },
          "localPortDetails": {
            "port": 2000,
            "portName": "Unknown"
          },
          "protocol": "TCP",
          "blocked": false
        }
      },
      "resourceRole": "TARGET",
      "additionalInfo": {
        "unusualProtocol": "UDP",
        "threatListName": "GeneratedFindingCustomerListName",
        "unusual": 22
      },
      "eventFirstSeen": "2017-10-31T23:16:23Z",
      "eventLastSeen": "2017-10-31T23:16:23Z",
      "archived": false,
      "count": 1
    },
    "severity": 5,
    "createdAt": "2017-10-31T23:16:23.824Z",
    "updatedAt": "2017-10-31T23:16:23.824Z",
    "title": "99:EC2/Stateless.IntegTest",
    "description": "99:EC2/Stateless.IntegTest"
  }
}
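The following Python is an added example and is not code from the TruSTAR bundle. It shows the two pieces the setup above wires together: the event pattern a CloudWatch Events rule uses to select GuardDuty findings (the "source" and "detail-type" values come from the sample event above), and a handler of the same shape as a Lambda entry point that flattens the finding in "detail" into report fields and observables. The event it processes is constructed; the report field names, the severity bands, and the split between remote and asset IPs are the author's assumptions, not the bundle's format.

```python
import json

# Event pattern for the CloudWatch Events rule that triggers the function: a rule
# matches when, for every key listed, the event's value is one of the candidates.
# Both values are taken from the sample event on this page.
GUARDDUTY_RULE_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
}

# Constructed test event (not a real finding); addresses are documentation ranges.
SAMPLE_EVENT = {
    "version": "0", "id": "11111111-2222-3333-4444-555555555555",
    "detail-type": "GuardDuty Finding", "source": "aws.guardduty",
    "account": "123456789012", "time": "2017-10-31T23:16:23Z",
    "region": "us-east-1", "resources": [],
    "detail": {
        "id": "99afba5c5c43e07c9e3e5e2e544e95df",
        "type": "UnauthorizedAccess:EC2/SSHBruteForce", "severity": 5,
        "resource": {"resourceType": "Instance", "instanceDetails": {
            "instanceId": "i-05746eb48123455e0",
            "networkInterfaces": [{
                "privateIpAddress": "10.0.1.12",
                "publicIp": "",  # empty string, as in the page's sample event
                "securityGroups": [{"groupId": "sg-9918a123"}],
            }],
        }},
        "service": {
            "action": {"networkConnectionAction": {
                "remoteIpDetails": {"ipAddressV4": "198.51.100.23"},
                "remotePortDetails": {"port": 40122, "portName": "Unknown"},
                "localPortDetails": {"port": 22, "portName": "SSH"},
            }},
            "eventFirstSeen": "2017-10-31T23:16:23Z", "count": 1,
        },
    },
}

def matches_pattern(event, pattern):
    """Simplified CloudWatch Events matching: each pattern key must be present and its
    value one of the candidates. Nested dicts recurse; numeric/prefix operators omitted."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        value = event[key]
        if isinstance(allowed, dict):
            if not isinstance(value, dict) or not matches_pattern(value, allowed):
                return False
        elif value not in allowed:
            return False
    return True

def severity_label(severity):
    """GuardDuty severity bands: High 7.0-8.9, Medium 4.0-6.9, Low below 4.0."""
    return "High" if severity >= 7.0 else "Medium" if severity >= 4.0 else "Low"

def _add(bucket, value):
    # Record a non-empty observable once; the page's sample has empty IP strings.
    if value not in (None, "") and value not in bucket:
        bucket.append(value)

def extract_indicators(detail):
    """Keep the remote side (worth enriching) apart from the affected asset (context
    only); pushing your own private IPs as threat indicators pollutes the enclave."""
    ind = {"instance_id": [], "asset_ip": [], "security_group": [],
           "remote_ip": [], "port": []}
    inst = detail.get("resource", {}).get("instanceDetails", {})
    _add(ind["instance_id"], inst.get("instanceId"))
    for nic in inst.get("networkInterfaces", []):
        _add(ind["asset_ip"], nic.get("publicIp"))
        _add(ind["asset_ip"], nic.get("privateIpAddress"))
        for sg in nic.get("securityGroups", []):
            _add(ind["security_group"], sg.get("groupId"))
    net = detail.get("service", {}).get("action", {}).get("networkConnectionAction")
    if net:
        _add(ind["remote_ip"], net.get("remoteIpDetails", {}).get("ipAddressV4"))
        _add(ind["port"], net.get("remotePortDetails", {}).get("port"))
        _add(ind["port"], net.get("localPortDetails", {}).get("port"))
    return ind

def finding_to_report(event):
    """Flatten the finding into report fields (names are an assumption, not the
    TruSTAR bundle's layout)."""
    d = event["detail"]
    return {
        "title": "GuardDuty %s: %s" % (severity_label(d["severity"]), d["type"]),
        "body": json.dumps(d, indent=2, sort_keys=True),  # full finding for analysts
        "external_id": d["id"],  # stable per finding, so repeat deliveries dedupe
        "time_began": d.get("service", {}).get("eventFirstSeen", event["time"]),
        "indicators": extract_indicators(d),
    }

def lambda_handler(event, context):
    """Handler of the shape the bundle configures. Re-checking the rule pattern keeps a
    mis-scoped rule from pushing unrelated events in; submission to TruSTAR is left out."""
    if not matches_pattern(event, GUARDDUTY_RULE_PATTERN):
        return {"status": "ignored"}
    return {"status": "ok", "report": finding_to_report(event)}
```

Calling lambda_handler(SAMPLE_EVENT, None) returns the flattened report; an event from another service (for example an EC2 state-change notification) is rejected before any report is built. The external_id is the GuardDuty finding id, which stays the same when GuardDuty updates an existing finding and re-emits it, so the enclave can treat repeat deliveries as updates rather than new reports.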

Please reach out to for any additional questions.
