Saket Bajoria

Amazon GuardDuty and RSA NetWitness Integration

Blog Post created by Saket Bajoria Employee on Apr 13, 2018

Amazon GuardDuty is a managed threat detection service that continuously monitors for malicious or unauthorized behavior to help you protect your AWS accounts and workloads. The service analyzes Amazon CloudTrail, AWS VPC Flow Log data and other services to look for issues such as inbound port scans, possible backdoor access to your systems, unauthorized use of your account, and many other potential problems. GuardDuty can be used to monitor a group of AWS accounts and have their findings routed to another AWS account—the master account—that is owned by a security team. Amazon GuardDuty starts to generate customized threat intelligence for you.


GuardDuty is a regional service. So, when GuardDuty is enabled for a particular AWS Region, findings are generated and delivered for that region only. Each region needs to be configured individually.




The RSA NetWitness Plugin framework uses the AWS Python SDK to access the GuardDuty logs.


This plugin supports different finding types alerted by Guardduty, all types are explained here:

The following are Amazon GuardDuty limits per AWS account per region:


RSA NetWitness can already collect native cloudtrail logs and with this integration with GuardDuty it further expands its visibility into advanced threat detection provided by Amazon which not only monitors cloudtrail logs but also AWS VPC  and flow logs. Combined with the complete visibility that RSA NetWitness Platform delivers for threat detection and response across logs, network, and endpoints for both private and public cloud environments – securing the cloud is simplified.


Downloads and Documentation:


Configuration Guide: Amazon GuardDuty Event Source Configuration Guide 

Collector Package on RSA Live: "Amazon GuardDuty"

Parser on RSA Live: CEF (device.type="amazonguardduty")