Ingest Amazon GuardDuty security findings

Latest Dynatrace Preview

Dynatrace integration with Amazon GuardDuty allows you to unify and contextualize security findings across tools and products, enabling central prioritization, visualization, and automation.

GuardDuty detects suspicious activity in your AWS accounts, workloads, and data. The Dynatrace platform observes the runtime entities related to those AWS resources. Ingesting the detection findings from GuardDuty lets you analyze them in the context of your production applications.

How it works

  1. Amazon GuardDuty events are sent to Amazon EventBridge, which triggers an AWS Lambda function.

  2. The Lambda function pre-processes the events and sends them to Dynatrace via a dedicated OpenPipeline security ingest endpoint.

  3. The OpenPipeline ingest endpoint processes and maps the data according to the Semantic Dictionary conventions.

  4. Data is stored in a bucket called default_security_custom_events (for details, see: Built-in Grail buckets).

Prerequisites

See below for the Amazon GuardDuty and Dynatrace requirements.

Amazon GuardDuty requirements

  • Install and configure the latest AWS CLI.

  • Select the AWS region where you want to create the event forwarder.

    1. In a terminal, run:

      aws configure
    2. Set your default region (for example, us-east-1).

Dynatrace requirements

  • Generate an access token for security events ingestion with the openpipeline.events_security scope and save it for later.

Get started

To set up Amazon GuardDuty ingestion, follow the steps below.

  1. Download the Dynatrace CloudFormation template from GitHub.

  2. Set up the secret with the OpenPipeline API token.

    Run the following command, making sure to replace <your_API_token> with your actual access token created in Prerequisites.

    aws secretsmanager create-secret \
    --name dynatrace-aws-guardduty-event-forwarder-open-pipeline-ingest-api-token \
    --description "Dynatrace token, allows data to be sent to the OpenPipeline endpoint." \
    --secret-string '{"DYNATRACE_OPENPIPELINE_INGEST_API_TOKEN": "<your_API_token>"}'
  3. Deploy the CloudFormation template and AWS resources.

    Run the following command, making sure to replace

    • <AWS_secret_ARN> with the ARN of the secret created previously
    • <your_Dynatrace_ingest_URL> with the URL of your Dynatrace ingest endpoint for security events (for example, https://mytenant.apps.dynatrace.com/platform/ingest/v1/events.security)
    aws cloudformation deploy \
    --template-file ./dynatrace_aws_guardduty_event_forwarder_template.yaml \
    --stack-name dynatrace-aws-guardduty-event-forwarder \
    --parameter-overrides \
    "AwsSecretArn"="<AWS_secret_ARN>" \
    "DynatraceOpenPipelineEndpoint"="<your_Dynatrace_ingest_URL>" \
    --capabilities CAPABILITY_NAMED_IAM
  4. Verify configuration by running the following queries in Notebooks:

    fetch events
    | filter dt.system.bucket == "default_security_custom_events"
    | filter event.kind == "SECURITY_EVENT"
    AND event.provider=="Amazon GuardDuty"
    AND event.type=="DETECTION_FINDING"

Use cases

FAQ

Which data model is used for the security logs and events coming from Amazon GuardDuty?

Detection finding events store the individual detection findings per affected object represented by an AWS resource.

Which extension fields are added on the events ingested from Amazon GuardDuty?

The aws namespace is added to store AWS-related information with the following fields:

  • aws.account.id

  • aws.region

  • aws.availability_zone

  • aws.resource.type

  • aws.resource.name

What Amazon GuardDuty resource types are supported by Dynatrace for runtime contextualization?

CONTAINER: All the detection findings with a container as the target resource are classified as CONTAINER in object.type, and the container namespace is added with the corresponding fields:

  • container.id

  • container.name

  • container.image.name

  • container.image.version

How do we normalize the risk score for Amazon GuardDuty findings?

  • dt.security.risk.level is mapped from the severity level that Amazon GuardDuty derives from the severity score (detail.severity).

  • dt.security.risk.score is mapped directly from the severity score (detail.severity) set by Amazon GuardDuty.

  dt.security.risk.level (mapped from finding.severity)    dt.security.risk.score (mapped from finding.score)
  CRITICAL -> CRITICAL                                     9.0-10.0
  HIGH -> HIGH                                             7.0-8.9
  MEDIUM -> MEDIUM                                         4.0-6.9
  LOW -> LOW                                               1.0-3.9
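The following is an added example, not Dynatrace's or AWS's own code, showing how the extension fields and the risk normalization described in the two FAQ answers above can be produced from a GuardDuty finding delivered through EventBridge. It assumes the EventBridge envelope carries the finding under detail with the GuardDuty keys accountId, region, severity, resource.resourceType and (for EC2 findings) resource.instanceDetails.availabilityZone; the severity thresholds are the ones from the table above, with each lower bound treated as inclusive. The sample event is constructed for the example.

```python
"""Added example: map a GuardDuty EventBridge event to the aws.* extension
fields and the dt.security.risk.* fields described on this page.

Assumptions (not confirmed by the page): the finding sits under "detail" and
uses the GuardDuty keys accountId, region, severity, resource.resourceType and
resource.instanceDetails.availabilityZone.
"""
from typing import Any, Dict, Optional

# Lower bounds of the severity ranges in the page's table, inclusive.
# Scores that fall into the small gaps between ranges (e.g. 3.95) are
# assigned to the range below them.
RISK_LEVELS = (
    (9.0, "CRITICAL"),
    (7.0, "HIGH"),
    (4.0, "MEDIUM"),
    (1.0, "LOW"),
)


def risk_level(severity: float) -> Optional[str]:
    """Return dt.security.risk.level for a GuardDuty severity score.

    Scores outside 1.0-10.0 are not covered by the table; the example returns
    None for them instead of guessing a level (an assumption of this example).
    """
    if not 1.0 <= severity <= 10.0:
        return None
    for lower_bound, level in RISK_LEVELS:
        if severity >= lower_bound:
            return level
    return None


def normalize_finding(event: Dict[str, Any]) -> Dict[str, Any]:
    """Build the event attributes the page lists for an ingested finding."""
    detail = event["detail"]
    resource = detail.get("resource", {})
    severity = float(detail["severity"])

    # Availability zone is only present for instance-backed findings (assumed
    # location: resource.instanceDetails.availabilityZone).
    availability_zone = resource.get("instanceDetails", {}).get("availabilityZone")

    return {
        "event.kind": "SECURITY_EVENT",
        "event.provider": "Amazon GuardDuty",
        "event.type": "DETECTION_FINDING",
        "aws.account.id": detail["accountId"],
        "aws.region": detail["region"],
        "aws.availability_zone": availability_zone,
        "aws.resource.type": resource.get("resourceType"),
        # Score is copied as-is; the level is derived from the same number.
        "dt.security.risk.score": severity,
        "dt.security.risk.level": risk_level(severity),
    }


# Constructed sample event; identifiers are placeholders, not real findings.
SAMPLE_EVENT: Dict[str, Any] = {
    "version": "0",
    "detail-type": "GuardDuty Finding",
    "source": "aws.guardduty",
    "account": "123456789012",
    "region": "us-east-1",
    "detail": {
        "accountId": "123456789012",
        "region": "us-east-1",
        "severity": 8,
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {"availabilityZone": "us-east-1a"},
        },
    },
}


if __name__ == "__main__":
    for key, value in normalize_finding(SAMPLE_EVENT).items():
        print(f"{key} = {value}")
```

Running the module prints the normalized attributes for the constructed event; a severity of 8 lands in the HIGH range, and the other ranges can be checked by passing boundary values such as 9.0, 7.0, 4.0 and 3.9 to risk_level.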