What is Amazon GuardDuty?
Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts, workloads, and data stored in Amazon S3. AWS Partners offer solutions integrated with GuardDuty to simplify deployment and operations across different use cases.
Amazon GuardDuty categories
Find an AWS Partner
Activation and Operationalization
-
Alert Logic
Alert Logic MDR Essentials is an AWS-native security service that shows why, where, and how to respond to Amazon GuardDuty findings while continuously assessing AWS configurations to find exposures and recommend actions that prevent future compromises. Customers can take action sooner with incident response support that explains Amazon GuardDuty findings, provides additional detail about which assets are impacted, recommends which actions to prioritize, and provides workflow to make response more efficient. MDR Essentials helps you mitigate risk with continuous checks for configuration mistakes in AWS account and service configurations. Alert Logic MDR Essentials can be launched immediately with minimal permissions, zero footprint in your AWS environment, and no security experience required.
-
Fortinet
Fortinet's Security Fabric solutions are trusted by over 600,000 organizations around the world. FortiCNP, Fortinet’s cloud-native protection solution, provides customers with actionable insights based on security findings from Amazon GuardDuty, Amazon Inspector, AWS Security Hub, and Fortinet Security Fabric solutions such as FortiGate and FortiWeb. FortiCNP calculates risk for cloud resources by correlating multiple security findings using a patented risk score algorithm and presents customers with a prioritized list of resources that have the most risk impact on their cloud environment. By using FortiCNP Fortinet and AWS joint customers reduce alert fatigue and maximize the value of their security investments.
-
Sumo Logic
Sumo Logic’s Continuous Intelligence platform delivers comprehensive visibility into the security and compliance posture of applications running in AWS, and helps customers detect and respond to threats faster. Sumo Logic’s platform provides real-time actionable visibility using Amazon GuardDuty findings and when combined with additional log sources and broader context, allows security and IT teams to get full stack visibility for quicker threat detection and response. The SumoLogic Cloud SIEM helps customers operationalize Amazon GuardDuty best practices across multiple AWS accounts.
-
Turbot
Turbot's Guardrail policies for Amazon GuardDuty help enterprises ensure Amazon GuardDuty is setup and configured according to defined policies for threat detection to continuously monitor for malicious or unauthorized behavior across AWS accounts and workloads. Turbot provides point and click policy enforcements to setup and configure Amazon GuardDuty account configurations across a multi-account model. Turbot's Guardrails can restrict use of the Amazon GuardDuty service to specific accounts, regions, users, and roles. In addition, Turbot can enforce specific detector configurations per account per region, enforce IP and threat set list configurations, send all configurations in real-time to the Turbot Configuration Management Database (CMDB) , and provide guidance for setting other Guardrail configurations to remediate any Amazon GuardDuty findings. This allows customers to quickly setup and scale Amazon GuardDuty across multiple AWS Accounts, while enforcing company policies and providing real-time recommendations to adjust Guardrail policies to prevent findings from occurring in the future.
Security Intelligence
-
Aviatrix
The Aviatrix Secure Networking Platform builds secure networking in AWS. One of the options within the platform is public subnet filtering. This feature allows you to leverage AWS Ingress Routing along with Amazon GuardDuty findings. When Aviatrix Gateways are configured for public subnet filtering, they will take GuardDuty findings and feed them into Aviatrix Gateways to create an IPS solution that automatically blocks identified malicious traffic. This unique Aviatrix solution enhances the Aviatrix Secure Networking Platform with GuardDuty findings to provide IPS capabilities.
-
Check Point
Check Point CloudGuard adds advanced multi-layered security to enhance the protection of AWS environments from sophisticated threats. CloudGuard Network Security consumes and leverages contextual information such as asset tags and security groups to automatically update security policies in real time. It uses with Amazon GuardDuty to collect additional threat information, such as malicious IP addresses. CloudGuard Posture Management reduces the time to detect threats by investigating and prioritizing the alerts on your behalf. Ingesting Amazon GuardDuty findings along with external threat intelligence feeds provides enhanced context around network and security configuration, IAM privileges, host vulnerabilities and threat detection to automatically remediate issues with a pre-defined security playbook. CloudGuard Intelligence works with Amazon GuardDuty to control the blast radius of an attack by providing detailed incident investigation and custom policy alerts for SOC teams.
-
Datadog
Datadog is the observability and security platform for cloud applications. Our SaaS platform integrates and automates infrastructure monitoring, application performance monitoring, log management, real-user monitoring, and more to provide unified, real-time observability and security for our customers’ entire technology stack. Datadog improves security by centralizing GuardDuty findings, offering real-time alerts, custom dashboards, and correlating data sources. It streamlines incident response, aids compliance, and detects anomalies, bolstering AWS security. It speeds up GuardDuty investigations, supports remediation, and manages false positives using Datadog's Suppression rules and Trusted IP lists.
-
Expel
Expel helps customers detect threats and mitigate security risks unique to AWS. Expel uses the AWS API to consume customer Amazon GuardDuty findings directly from their AWS Accounts and then normalize Amazon GuardDuty data in Expel Workbench for analysts that are managing events. Expel helps customers increase speed of deploying workloads to AWS while managing security of the AWS infrastructure.
-
FireEye
FireEye Helix cloud-hosted security operations platform provides customers visibility of malicious activity, unauthorized behavior and threat hunting capabilities. Customers gain visibility in minutes by correlating findings with metadata from AWS CloudWatch Events. This data is enriched with additional threat intelligence, evaluated with behavior analysis and machine learning to prioritize alerts that are most actionable. FireEye Helix provides investigation content and rules for Amazon GuardDuty findings, derived from frontline Mandiant expertise. This allows customers to take control of incidents from alert to fix and prioritizes threats across their ecosystem.
-
IBM
IBM Security supports Amazon GuardDuty with both managed security services and QRadar SIEM for AWS environments. IBM Security delivers an integrated system of analytics, real-time defenses and proven experts to help you operate securely in the cloud. IBM Security can help customers who have enabled Amazon GuardDuty, integrate security findings and events from AWS into QRadar SIEM and security operations. IBM threat insight combines global threat insight and augmented intelligence via second stage analytics for advanced event classification. AWS customers can also engage X-Force Incident Response services for response planning, preparation, and remediation.
-
Juniper Networks
Customers rely on the Amazon GuardDuty to continuously monitor their AWS workloads for suspicious activity and unauthorized behavior. The threat intelligence provided by Amazon GuardDuty is consumed by security teams to either block or log access from the source. Now the intelligence from Amazon Guard Duty can be ingested by the Juniper SRX platform either directly from an Amazon S3 bucket or in the form of security intelligence feeds from Juniper ATP Cloud. With this SecIntel the vSRX firewall can take relevant actions and block or log connections to the threat sources identified.
-
McAfee
The McAfee® Cloud Workload Security (CWS) solution automates the discovery and defense of workloads to eliminate blind spots, deliver advanced threat defense, and simplify cloud security. Amazon GuardDuty findings are utilized by CWS to enrich security context. Events such as network connections, port probes, and DNS requests for Amazon EC2 instances are automatically identified and flagged. This assures customers they can create a single, automated policy to effectively secure workloads as they transition through hybrid environments, enabling operational excellence for cyber security teams.
-
Palo Alto Networks
Palo Alto Networks’ offers customers multiple security solutions that help operationalize Amazon GuardDuty.
Prisma®™ Cloud ingests many AWS APIs and has hundreds of pre-built AWS policies to monitor and visualize risk to all AWS environments. Prisma Cloud ingests Amazon GuardDuty data, correlates it with the other threat intelligence information, and presents contextualized and actionable information. Cortex XSOAR’s security orchestration, automation and response capabilities are used to deploy and manage a variety of AWS services securely. Cortex XSOAR leverages the Amazon GuardDuty content pack to ingest findings, create incidents and trigger remediation playbooks.
The VM-Series and CN-Series next generation firewalls complement AWS security groups and AWS WAF by controlling your AWS traffic based on the application identity and preventing known and unknown threats. The VM-Series and CN-Series products use Amazon GuardDuty threat intelligence to block traffic from unauthorized IP addresses. Palo Alto Networks provides a broad set of product integrations with Amazon GuardDuty enabling customers to maximize the value of the joint solutions.
-
Rapid7
Rapid7 InsightIDR is a Security Information and Event Management (SIEM) optimized for threat detection. InsightIDR offers a number of integrations to monitor AWS environments. InsightIDR's effectively triages and investigates Amazon GuardDuty findings. An Amazon GuardDuty finding can automatically trigger a new investigation in InsightIDR. Customers view the full alert data from Amazon GuardDuty, along with relevant logs from AWS like AWS CloudTrail and data from other sources. The ability to view a Amazon GuardDuty findings and all contextual data in a consolidated and intuitive timeline makes validating alerts fast and efficient. If an alert turns out to be malicious, customers can immediately react with InsightIDR's built-in automated responses.
-
Recorded Future
Recorded Future is a provider of intelligence for enterprise security. By combining persistent and pervasive automated data collection and analytics with human analysis, Recorded Future delivers intelligence that is timely, accurate, and actionable. Recorded Future is trusted by over 1,000 businesses and government organizations around the world. The Recorded Future reduces time to threat identification and remediation. Recorded Future delivers security intelligence to arm security and IT teams that use Amazon GuardDuty with the real-time information needed to detect incidents earlier and prioritize findings with confidence.
-
Sophos
Respond faster to security threats identified by Amazon GuardDuty with Sophos. Sophos protects organizations from today’s most advanced cyberthreats and helps them build secure and scalable cloud transformations with AWS. Sophos Cloud Optix provides aggregation of Amazon GuardDuty alerts from multiple regions and accounts to provide organizations with a view across AWS environments. Risk prioritization of alerts, enables busy security teams to focus on and fix their most critical security issues. Sophos Managed Threat Response service fuses automated protection and managed services, leveraging Amazon GuardDuty to achieve the visibility needed to quickly identify critical cloud security events used in breach attempts across AWS environments.
-
Splunk
Splunk integration enhances the Splunk's analytics-driven approach’s security capabilities. Amazon GuardDuty findings from across regions and accounts stream to the Splunk platform allowing analysts to identify, investigate and remediate potential threats in their AWS environments. Amazon GuardDuty findings are available to Splunk Enterprise, Splunk Security Essentials, Splunk Enterprise Security, Splunk Phantom and other Splunk security offerings.
-
Trend Micro
Trend Micro Deep Security™ provides comprehensive security controls delivered from a single agent, which can be managed from a single console, API, or orchestration tool. Protecting Amazon EC2 instances and Amazon ECS deployments with intrusion prevention, application control, anti-malware, and more. Deep Security provides detection and prevention, while Amazon GuardDuty augments this with additional visibility anddetection. Deep Security offer visibility, prevention and detection when securing your Amazon EC2 instances and Amazon ECS deployments.
Consulting and Integration
-
PagerDuty
PagerDuty's digital operations management platform empowers teams to proactively mitigate issues by automatically turning any signal into the right insight and action. PagerDuty's integration with Amazon GuardDuty and 300+ security and monitoring tools helps customers identify the signal in the noise with a full stack view and automated grouping of related alerts. It rapidly and automatically engages the right experts to deliver critical security controls and learn from past breaches to deliver more secure services.
Alerting and Ticketing
-
Accenture
Accenture is a global professional services company that provides an end-to-end solution to migrate to and manage operations on AWS. The Accenture AWS Business Group (AABG) combines the capabilities and services required to help accelerate your adoption of the AWS Cloud. Through the Accenture AWS Business Group, Accenture and AWS are committed to help you transform organizational processes and skills, adopt a cloud-first strategy to innovate new products and services, operate securely at global scale, and quickly achieve business results. Accenture AWS Business Group provides transformational services for security in AWS, including guidance on the use and integration of Amazon GuardDuty into a broader cloud security operations strategy.
-
Deloitte
Deloitte is one of the largest professional services firms in the world, through a network of more than 244,000 professionals, industry specialists, and an ecosystem of alliances, Deloitte assists customers in turning complex business issues into opportunities for growth. As AWS Premier Partner with the Security Competency, Deloitte’s Cyber Risk Services for AWS incorporate security capability areas built on their experience serving customers, industry leading practices, and applicable regulatory requirements. The services allow customers to assess AWS capabilities, including AWS security services such as Amazon GuardDuty, and manage risks with their control responsibilities.
-
Logicworks
Logicworks is an AWS Premier Consulting Partner that provides secure, compliant cloud services for customers that need to accelerate cloud adoption, strengthen governance, and achieve agility on the AWS cloud. Logicworks' proprietary automation platform is designed to provide an additional layer of protection by scanning environments and enforcing security configurations across its customers' AWS accounts, and incorporates Amazon Inspector, AWS Config, AWS CloudTrail, AWS CloudWatch, AWS Lambda, and other security tools. The Logicworks platform incorporates Amazon GuardDuty in order to add machine learning-based analysis of suspicious traffic and API activity for customers using Logicworks on AWS.
Threat Feed
-
CrowdStrike
Customers get threat intelligence feeds from CrowdStrike in real-time, while also identifying modern threats by continuously monitoring the network activity, data access patterns, and account behavior within their AWS environments. Leveraging CrowdStrike cloud-scale AI analytics and indicator of attack (IOA)-based threat prevention, customers can detect, identify, and investigate related threats and block similar attacks in the future with proactive threat hunting and automated threat response. In addition, Falcon platform leverages AWS Security Hub, AWS Control Tower, and AWS System Manager, while securing Amazon EC2, Amazon EKS, Amazon ECS, and extended footprint.
-
Proofpoint
Proofpoint provides intelligence-led next generation products and solutions for security, compliance, digital risk, and response. Proofpoint’s Emerging Threats IP address and domain reputation intelligence is based-on a broad footprint of protective technologies spanning email, mobile, social, SaaS, and network environments. Proofpoint ET Intelligence helps detect and surface threats hidden in traffic and activity between customer AWS instances to or from malicious sites and bad actors. This provides proactive alerting for suspicious or malicious activity such as email, mobile, or social media credential or account phishing, imposter and BEC attacks, as well as malware command-and-control and related behaviors. Additionally, customers can further leverage Proofpoint’s ET Intelligence for deeper context, hunting, sample detection, and history via a subscription to Proofpoint’s ET Intelligence portal.
Become an Amazon GuardDuty Partner
To become an Amazon GuardDuty Partner, you must be an AWS Partner or have joined the AWS ISV Partner Path and have a product that has earned the “Reviewed by AWS” badge by completing an AWS Foundational Technical Review (FTR) with Amazon GuardDuty.
If you have a qualified security solution and are interested in becoming an Amazon GuardDuty Partner, please send an email to [email protected] with your company and product(s) names, APN tier level, and contact information.
To get started, review customer use cases, implementations, and API documentation.