Amazon GuardDuty Integration Guide | PagerDuty

Integration Guide for Amazon GuardDuty

Integration Overview

PagerDuty’s integration with Amazon GuardDuty allows you to automate response workflows for security issues that could affect your AWS infrastructure. PagerDuty ensures that the right people are notified about things like unauthorized behavior, and you can use PagerDuty’s alert grouping to reduce noise by grouping similar alerts into a single issue. This is a one-way integration, sending findings to PagerDuty.

Follow the instructions below to configure Amazon GuardDuty with PagerDuty. If you have any questions or need any assistance, please contact our support team at support@pagerduty.com.

In PagerDuty

There are two ways that Amazon GuardDuty can be integrated with PagerDuty: via Global Event Routing or through an integration on a PagerDuty Service.

Integrating with Global Event Routing

Integrating with Global Event Routing may be beneficial if you want to build different routing rules based on the payload coming from AWS. You can also leverage features such as scheduling rules or appending information with a note. If you would like to learn more, please visit our article on Global Event Routing.

  1. From the Configuration menu, select Event Rules.
  2. On the Event Rules screen, copy your Integration Key.
  3. Once you have your Integration Key, the Integration URL will be:

https://events.pagerduty.com/x-ere/[YOUR_INTEGRATION_KEY_HERE]

You can now proceed to the In the AWS Management Console section below.

Integrating with a PagerDuty Service

Integrating with a PagerDuty Service directly can be beneficial if you don’t need to route alerts from AWS to different responders based on the event payload. You can still use service-level event rules to perform actions such as suppressing.

  1. From the Configuration menu, select Services.
  2. On your Services page: If you are creating a new service for your integration, click +Add New Service. It is recommended that you create a service specifically for Amazon GuardDuty notifications.

     If you are adding your integration to an existing service, click the name of the service you want to add the integration to. Then click the Integrations tab and click the +New Integration button.

  3. Select Amazon GuardDuty from the Integration Type menu and enter an Integration Name.
     If you are creating a new service for your integration, in General Settings, enter a Name for your new service. Then, in Incident Settings, specify the Escalation Policy, Notification Urgency, and Incident Behavior for your new service.
  4. Click the Add Service or Add Integration button to save your new integration. You will be redirected to the Integrations page for your service.
  5. Copy the Integration URL for your new integration.

In the AWS Management Console

  1. In the SNS console, click Create Topic. This topic will be used to route alerts from AWS to PagerDuty.
  2. Enter a Topic name and Display name, then click Create topic. You may want to name your topic after your PagerDuty service’s name.
  3. Now that your topic has been created, click Create Subscription.
  4. Make sure HTTPS is the selected Protocol. Paste the Integration URL you copied in PagerDuty (step 5 of the section above; this is the SNS webhook URL) into the Endpoint field and click Create Subscription.
  5. Your subscription should be confirmed automatically. Click the refresh icon to make sure the Subscription ID no longer shows PendingConfirmation.
  6. Navigate to the Amazon GuardDuty console. If this is your first time setting up this service, search for GuardDuty, and click Enable GuardDuty.
  7. Once you have enabled GuardDuty, you can begin building CloudWatch Event Rules to send alerts to PagerDuty. Navigate to the CloudWatch console.
  8. Select Events, then click Get Started to create a rule. One or more rules can be created to send specific alerts to PagerDuty when a GuardDuty finding is opened.
  9. Select GuardDuty as the Service Name, then select GuardDuty Finding as the Event Type.
  10. Click Add a target and select SNS topic, then select Your Topic Name (the SNS topic you created in step 1 above) and then click Configure Details.
  11. Assign a Name like GuardDuty-to-PD-Findings and click Create Rule.
  12. To confirm that the configuration was successful, navigate back to the Amazon GuardDuty console and generate sample findings, which should trigger sample events in PagerDuty. Select Settings, then select Generate Sample Findings, then click Findings in the left navigation bar. You will see the sample findings that have been generated. In PagerDuty, you will see the corresponding sample alert.
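The CloudWatch Events rule built in steps 8 to 11 (Service Name GuardDuty, Event Type GuardDuty Finding) is an event pattern matched against every event in the account; narrower patterns are how you get "one or more rules" that send only specific findings to a topic, and therefore to a particular PagerDuty service or routing rule, as the Global Event Routing section describes. The following Python is an added example, not PagerDuty's or AWS's code: it writes the guide's rule as an EventBridge-style event pattern, adds two narrower patterns that split findings by GuardDuty's documented severity bands (Low below 4.0, Medium 4.0 to 6.9, High 7.0 and above), and runs a small matcher over constructed sample findings to show which events each rule would hand to the SNS target. The pattern syntax (`source`, `detail-type`, `detail`, and `{"numeric": [...]}` clauses) is the real rule syntax; the finding events, ids, account id and the severity split itself are constructed assumptions.

```python
"""Model of the CloudWatch Events rule from the guide (added example, not PagerDuty's code)."""
import json
from typing import Any, Callable

# Equivalent of the console choices: Service Name "GuardDuty", Event Type
# "GuardDuty Finding". Every GuardDuty finding matches this pattern.
GUARDDUTY_ALL_PATTERN: dict[str, Any] = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
}

# Assumed narrower rules for routing by payload: one topic for High findings
# (severity 7.0 and above), another for Medium ones (4.0 up to but not 7.0).
GUARDDUTY_HIGH_PATTERN: dict[str, Any] = {
    **GUARDDUTY_ALL_PATTERN,
    "detail": {"severity": [{"numeric": [">=", 7]}]},
}
GUARDDUTY_MEDIUM_PATTERN: dict[str, Any] = {
    **GUARDDUTY_ALL_PATTERN,
    "detail": {"severity": [{"numeric": [">=", 4, "<", 7]}]},
}

_NUMERIC_OPS: dict[str, Callable[[float, float], bool]] = {
    "=": lambda a, b: a == b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
}


def severity_label(score: float) -> str:
    """GuardDuty's documented bands: Low below 4.0, Medium 4.0-6.9, High 7.0 and above."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def _numeric_ok(actual: Any, spec: list) -> bool:
    """Evaluate a {"numeric": [op, n, op, n, ...]} clause; every op/bound pair must hold."""
    if isinstance(actual, bool) or not isinstance(actual, (int, float)):
        return False
    return all(_NUMERIC_OPS[op](actual, bound) for op, bound in zip(spec[0::2], spec[1::2]))


def _value_matches(actual: Any, allowed: list) -> bool:
    """A leaf pattern is a list: the value must equal one entry or satisfy one numeric clause."""
    for candidate in allowed:
        if isinstance(candidate, dict):
            if "numeric" in candidate and _numeric_ok(actual, candidate["numeric"]):
                return True
        elif actual == candidate:
            return True
    return False


def pattern_matches(event: dict, pattern: dict) -> bool:
    """Every key in the pattern must exist in the event and match; nested dicts recurse."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not pattern_matches(actual, expected):
                return False
        elif not _value_matches(actual, expected):
            return False
    return True


def select_findings(events: list[dict], pattern: dict) -> list[dict]:
    """Summarise each event the rule would forward to its SNS target."""
    return [
        {"id": e["detail"]["id"], "type": e["detail"]["type"],
         "severity": severity_label(e["detail"]["severity"])}
        for e in events
        if pattern_matches(e, pattern)
    ]


def _finding(finding_id: str, finding_type: str, severity: float) -> dict:
    """Constructed GuardDuty Finding event in the CloudWatch Events envelope (fields trimmed)."""
    return {
        "source": "aws.guardduty",
        "detail-type": "GuardDuty Finding",
        "region": "us-east-1",
        "detail": {"id": finding_id, "accountId": "123456789012", "type": finding_type,
                   "severity": severity, "title": f"[SAMPLE] {finding_type}"},
    }


# Constructed sample input: three findings of differing severity plus one
# unrelated EC2 event that no GuardDuty rule should pick up.
SAMPLE_EVENTS: list[dict] = [
    _finding("EXAMPLE-FINDING-1", "Recon:EC2/PortProbeUnprotectedPort", 2.0),
    _finding("EXAMPLE-FINDING-2", "UnauthorizedAccess:EC2/SSHBruteForce", 5.0),
    _finding("EXAMPLE-FINDING-3", "Backdoor:EC2/C&CActivity.B!DNS", 8.0),
    {"source": "aws.ec2", "detail-type": "EC2 Instance State-change Notification",
     "detail": {"instance-id": "i-0123456789abcdef0", "state": "running"}},
]

if __name__ == "__main__":
    for name, pattern in [("all", GUARDDUTY_ALL_PATTERN), ("high", GUARDDUTY_HIGH_PATTERN),
                          ("medium", GUARDDUTY_MEDIUM_PATTERN)]:
        print(name, json.dumps(select_findings(SAMPLE_EVENTS, pattern)))
```

Running the script shows the "all" rule forwarding all three findings, the "high" rule only the C&C finding, and the "medium" rule only the SSH brute-force finding; the EC2 event never matches because its `source` is not in the pattern's list. Paste a pattern such as `GUARDDUTY_HIGH_PATTERN` into the rule's event pattern editor instead of the Service Name / Event Type pickers when you want a topic that feeds a higher-urgency PagerDuty service, and keep a separate rule with the broad pattern for the rest.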

Congratulations, you have now integrated Amazon GuardDuty with PagerDuty! For more information on how to adjust settings to deduplicate events within PagerDuty, please visit our article on Event Management.