AWS GuardDuty + D3 Smart SOAR
Secure Your Cloud Systems
Amazon GuardDuty is a threat detection service that continuously monitors Amazon Web Services accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation. Smart SOAR’s integration with AWS GuardDuty enables automation-powered response to cloud security alerts.
Benefits and Capabilities
GuardDuty produces security findings based on its analysis of logs, threat intelligence, and machine learning, which enables it to detect unusual or suspicious activity in your AWS environment. Smart SOAR can retrieve security findings from GuardDuty in order to rapidly orchestrate a response.
- Orchestrate across hundreds of integrated systems, including AWS services such as EC2, Lambda, SSM, and S3 buckets
- Capture suspicious behaviors that slip past signature-based tools
- Seamlessly oversee hybrid environments by managing cloud and on-premises incident response through Smart SOAR
Use Case
Cryptomining
AWS GuardDuty can detect compromised EC2 instances that have been hijacked by an adversary to mine bitcoin. Smart SOAR retrieves that finding, extracts IOCs and TTPs, and compares them against third-party threat intelligence to determine risk. Based on this information, the user can escalate the event to an incident if further investigation is required.
- Run a prebuilt automation-powered playbook for cryptomining, which includes domain analysis and EC2 instance analysis.
- Hunt for cryptomining threats based on ingested threat reports.
- Orchestrate rapid response across integrated tools.
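The retrieve, extract, compare and escalate flow described above, as an added Python example that is not D3's or AWS's own code: it walks a constructed finding in GuardDuty's JSON finding schema (a DNS-based cryptomining finding type), pulls the instance ID and network indicators, checks them against a constructed threat-intelligence set, and decides whether to escalate. The sample finding values and the THREAT_INTEL set are assumptions; the same extraction applies to network-connection findings such as those in the insider-threat use case.

```python
# Constructed sample in GuardDuty's finding schema (abbreviated); all values are made up.
SAMPLE_FINDING = {
    "SchemaVersion": "2.0",
    "AccountId": "111122223333",
    "Region": "us-east-1",
    "Id": "EXAMPLE-FINDING-ID",
    "Type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
    "Severity": 8.0,
    "Resource": {"ResourceType": "Instance",
                 "InstanceDetails": {"InstanceId": "i-0123456789abcdef0"}},
    "Service": {"Action": {"ActionType": "DNS_REQUEST",
                           "DnsRequestAction": {"Domain": "pool.example-miner.test",
                                                "Protocol": "UDP", "Blocked": False}},
                "Count": 37},
}

# Constructed stand-in for a third-party threat-intelligence feed (domains and IPs).
THREAT_INTEL = {"pool.example-miner.test", "198.51.100.23"}

def parse_type(finding_type: str) -> dict:
    """Split GuardDuty's ThreatPurpose:Resource/ThreatFamily.Mechanism!Artifact type string."""
    purpose, rest = finding_type.split(":", 1)
    resource, family = rest.split("/", 1)
    return {"threat_purpose": purpose, "resource": resource, "threat_family": family}

def extract_iocs(finding: dict) -> dict:
    """Pull the indicators a response playbook acts on: the instance plus any domain or IP."""
    iocs = {"instance_id": None, "domains": set(), "ips": set()}
    details = finding.get("Resource", {}).get("InstanceDetails") or {}
    iocs["instance_id"] = details.get("InstanceId")
    action = finding.get("Service", {}).get("Action", {})
    if action.get("ActionType") == "DNS_REQUEST":
        iocs["domains"].add(action["DnsRequestAction"]["Domain"])
    elif action.get("ActionType") == "NETWORK_CONNECTION":
        remote = action["NetworkConnectionAction"].get("RemoteIpDetails", {})
        if remote.get("IpAddressV4"):
            iocs["ips"].add(remote["IpAddressV4"])
    return iocs

def triage(finding: dict, intel: set, severity_threshold: float = 7.0) -> dict:
    """Escalate to an incident on a threat-intel match or on high GuardDuty severity."""
    iocs = extract_iocs(finding)
    matched = sorted((iocs["domains"] | iocs["ips"]) & intel)
    result = parse_type(finding["Type"])
    result.update(iocs=iocs, matched=matched,
                  escalate=bool(matched) or finding.get("Severity", 0) >= severity_threshold)
    return result
```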
Use Case
Insider Threat Detection and Mitigation
AWS GuardDuty can be utilized to identify potential insider threats by monitoring and flagging unusual data access patterns or unauthorized attempts to access sensitive data. Smart SOAR, upon receiving such alerts, employs its MITRE ATT&CK framework correlation to categorize the nature of the threat, focusing on tactics and techniques indicative of insider behavior.
- Smart SOAR’s automation capabilities then kick in, extracting IOCs and comparing them against known threat intelligence.
- If the threat is verified, D3 activates a specialized playbook for insider threats, which includes steps for securing compromised accounts, assessing data exposure, and initiating necessary legal or HR protocols.
Why Smart SOAR?
Joint users of AWS GuardDuty and D3 Smart SOAR don’t just get automated cloud security; they also get the countless other features that make Smart SOAR the leading independent SOAR solution, including:
- Expert-built codeless integrations across the stack
- Tier 1–3 automation, based on deep research into the capabilities of common tools
- The Event Pipeline, which reduces alert volume by up to 98%
- Cross-dimension correlation, which acts across tools, timeframes, TTPs, and artifacts
AWS GuardDuty Integration: Summary
Integrations Done the Right Way
An unlimited number of pre-built integrations, expertly maintained by the largest technical team in security automation. Thoroughly researched, tested and built—and delivered for free. Always.