Amazon GuardDuty

Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation.

For more information on AWS GuardDuty, click here.

Integration Method: API

Tables: Detection Finding (2004)

This integration supports the following events.

This integration supports the following versions.

Note:

AWS GuardDuty doesn’t follow a traditional versioning system. It continuously updates its security agents for different services. As of this document preparation, the latest update to the security agent was on March 02, 2025. For more information, click here.

Prerequisites

• To Configure AWS GuardDuty, refer here.

• Refer to this common procedure on how to create an IAM user, configure the AWS Access Key and AWS Secret Key, attach an IAM policy with required permissions.

• The user should have access to the DataBee console.

Configuration Overview

1. Generate an AWS Access Key & Secret Key with the required IAM policies.

2. Add the AWS GuardDuty in the DataBee console with the below parameters.

AWS GuardDuty Configuration

1. Start by creating an IAM user with the API credentials. This common step is documented at Prerequisites.

2. Once the IAM user has been created, Refer this document AWS GuardDuty Setup for further steps.

3. Ensure AWS Access Key is attached to an IAM policy with following Actions allowed on the GuardDuty resource. Refer here more info on the policy. 

   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Action": [
           "guardduty:Describe*",
           "guardduty:Get*",
           "guardduty:List*"
         ],
         "Resource": "*"
       },
       {
         "Effect": "Allow",
         "Action": [
           "organizations:ListDelegatedAdministrators",
           "organizations:ListAWSServiceAccessForOrganization",
           "organizations:DescribeOrganizationalUnit",
           "organizations:DescribeAccount",
           "organizations:DescribeOrganization",
           "organizations:ListAccounts"
         ],
         "Resource": "*"
       }
     ]
   }

DataBee Configuration

1. Login to the DataBee UI, navigate to Data > Data Feeds and click the Add New Data Feed button.
    
   

2. Search for the AWS GuardDuty and click it as shown below.
    

3. Click on the API Ingest option for collection method.
    

4. Enter feed contact information and click Next.
    

5. In the configuration page, confirm the following:

   • API Base URL: this is the base URL that DataBee will interact with. Replace <aws-region> with appropriate AWS region.

   • Authorization Method: AWS Signature

   • Access Key: paste the AWS Client Access Key.

   • Secret Key: paste the AWS Client Secret Key.

   • AWS Region: type the AWS region.

   • Session Token: can be left empty.

   • Service Name: guardduty

   • Event Types: preselected for all the event types that integration pulls.

     

6. Click Submit.

Troubleshooting Tips

• Ensure the Access Key, Secret Key, Region are pasted correctly. Since you cannot view the Secret Key after the 1^st time, re-create the AWS Access Key & AWS Secret Key, paste it on a text editor to ensure no spaces or unexpected characters are included and reconfigure the DataBee feed.

• Ensure the AWS GuardDuty scopes/permissions are correct.