AWS GuardDuty Integration

XGEN SOAR Integration

D3’s integration with AWS GuardDuty enables automation-powered response to cloud security alerts. GuardDuty produces security findings based on its analysis of logs, threat intelligence, and machine learning, which enables it to detect unusual or suspicious activity in your AWS environment. D3 can retrieve security findings from GuardDuty in order to rapidly orchestrate a response.
AWS GuardDuty Integration

Integration Features

Automate response to GuardDuty alerts
Orchestrate across hundreds of integrated systems, including AWS platforms such as EC2, Lambda, SSM, and S3 Buckets
Capture suspicious behaviors that slip past signature-based tools
Seamlessly oversee hybrid environments, by managing cloud and on-premise incident response through D3

Key Use Case



AWS GuardDuty can detect compromised EC2 instances that have been hijacked by an adversary to mine bitcoin. D3 would retrieve the event, run it through MITRE ATT&CK correlation to identify tactics and techniques, and extract IOCs to compare against third-party threat intelligence to determine risk. Based on this information, the user can escalate the event to an incident if further investigation is required. D3 has a prebuilt automation-powered playbook for cryptomining, which includes domain analysis and EC2 instance analysis.

Kill-Chain Investigations

AWS GuardDuty’s ability to capture suspicious behaviors makes it well suited to uncover elements of large-scale incidents. For example, if a suspicious escalation of privileges is detected, this could be just one link in the “kill chain” of an attack. When the event is escalated to D3, it can be correlated against the MITRE ATT&CK matrix to determine the adversary techniques. D3 can then run searches on the relevant IOCs and timeframes to find more traces of the attack.
X AWS GuardDuty Integration