Amazon GuardDuty Integration Guide | PagerDuty

Integration Guide for Amazon GuardDuty

Integration Overview

PagerDuty’s integration with Amazon GuardDuty allows you to automate response workflows for security issues that could affect your AWS infrastructure. PagerDuty ensures that the right people are notified about things like unauthorized behavior, and you can use PagerDuty’s alert grouping to reduce noise by grouping similar alerts into a single issue. This is a one-way integration, sending findings to PagerDuty.

Follow the instructions below to configure Amazon GuardDuty with PagerDuty. If you have any questions or need any assistance, please contact our Support team.

In PagerDuty

There are two ways that Amazon GuardDuty can be integrated with PagerDuty: via Global Event Rules or through an integration on a PagerDuty Service.

Integrating with Global Event Rules

Integrating with Global Event Rules may be beneficial if you want to build different routing rules based on the payload coming from AWS. If you would like to learn more, please visit our article on Global Event Rules.

  1. From the Services menu, select Event Rules.
  2. Select your Ruleset, then expand the Incoming Event Source and copy your Integration Key.
  1. Once you have your Integration Key, the Integration URL will be:[YOUR_INTEGRATION_KEY_HERE]

You can now proceed to the In the AWS Management Console section below.

Integrating with a PagerDuty Service

Integrating with a PagerDuty Service directly can be beneficial if you don’t need to route alerts from AWS to different responders based on the event payload. You can still use service-level event rules to perform actions such as suppressing.

  1. From the Services menu, select Service Directory.
  2. On your Service Directory page: If you are creating a new service for your integration, click + New Service. It is recommended that you create a service specifically for Amazon GuardDuty notifications.

If you are adding your integration to an existing service, click the name of the service you want to add the integration to. Then click the Integrations tab and click the Add a new integration link.

  1. Select Amazon GuardDuty from the Integration Type menu and enter an Integration Name.
    If you are creating a new service for your integration, in General Settings, enter a Name for your new service. Then, in Incident Settings, specify the Escalation Policy, Notification Urgency, and Incident Behavior for your new service.
  2. Click the Add Service or Add Integration button to save your new integration. You will be redirected to the Integrations page for your service.
  3. Copy the Integration URL for your new integration.

In the AWS Management Console

  1. In the Services search bar, search and select Simple Notification Service (SNS). On the SNS dashboard, select Topics and click Create Topic. This will be used to route alerts to PagerDuty from AWS.
  1. Enter a Topic name (you may want to name your topic after your PagerDuty service’s name) and Display name, then click Create topic.
  2. Now that your topic has been created, Select Subscriptions in the left hand menu and click Create Subscription.
  3. Make sure HTTPS is the selected Protocol. Paste your Integration URL from step 5 (above) into the Endpoint field, ensure that the Enable raw message delivery checkbox is unchecked and click Create Subscription.
  4. Your subscription should be automatically confirmed. Click the refresh icon to make sure the Subscription ID is not PendingConfirmation.
  5. Next, in the Services search bar, search and select the Amazon GuardDuty console. If this is your first time setting up this service, search for GuardDuty, and click Enable GuardDuty.
  6. Once you have enabled GuardDuty, you can begin building CloudWatch Event Rules to send alerts to PagerDuty. Navigate to the CloudWatch console.
  7. Select Events, then click Get Started to create a rule. One or more rules can be created to send specific alerts to PagerDuty when a GuardDuty finding is opened.
  8. Select GuardDuty as the Service Name, then select GuardDuty Finding as the Event Type.
  1. Click Add a target and select SNS topic, then select Your Topic Name (the SNS topic you created above in step 1) and then click Configure Details.
  2. Assign a Name like GuardDuty-to-PD-Findings and click Create Rule.
  3. To ensure configuration was successful, navigate back to the Amazon GuardDuty console to generate sample findings, which should trigger sample events in PagerDuty. Select Settings, then select Generate Sample Findings and then click Findings in the left navigation bar. You will see the sample findings that have been generated. In PagerDuty, you will see the correlating sample alert.

Congratulations, you have now integrated Amazon GuardDuty with PagerDuty! For more information on how to adjust settings to deduplicate events within PagerDuty, please visit our article on Event Management.


Why are my CloudWatch events not triggering incidents in PagerDuty?

Events that are not sent properly from CloudWatch will be dropped and will not trigger alerts in PagerDuty. This integration expects to find in the Message property a nested JSON-encoded object from which meaningful data about the alert can be extracted to compose the PagerDuty incident. You can find details on Amazon's SNS Message attributes here.

AWS also has some troubleshooting docs on their side which outline some things to look for on the CloudWatch side.

Updated 10 days ago

Amazon GuardDuty Integration Guide | PagerDuty

Integration Guide for Amazon GuardDuty

Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.