Skip to main content

AWS - GuardDuty Event Collector

This Integration is part of the AWS - GuardDuty Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.8.0 and later.

Amazon Web Services Guard Duty Service Event Collector integration for Cortex XSIAM.

Configure AWS - GuardDuty Event Collector on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for AWS - GuardDuty Event Collector.

  3. Click Add instance to create and configure a new integration instance.

    AWS Default RegionTrue
    Role ARNFalse
    Role Session NameFalse
    Role Session DurationFalse
    Access KeyFalse
    Secret KeyFalse
    TimeoutThe time in seconds until a timeout exception is reached. You can specify just the read timeout (for example 60) or also the connect timeout preceded by a comma (for example 60,10). If a connect timeout is not specified, a default of 10 seconds will be used.False
    RetriesThe maximum number of retry attempts when connection or throttling errors are encountered. Set to 0 to disable retries. The default value is 5 and the limit is 10. Note: Increasing the number of retries will increase the execution time.False
    First fetch timeFalse
    Number of events to fetch per fetch.False
    Guard Duty Severity levelThe minimum severity of the events to fetch (inclusive).True
    Trust any certificate (not secure)False
    Use system proxy settingsFalse
    The product corresponding to the integration that originated the events.False
    The vendor name corresponding to the integration that originated the events.False
  4. Click Test to validate the URLs, token, and connection.


You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.


Manual command to fetch events and display them.

Base Command#



Argument NameDescriptionRequired
should_push_eventsSet this argument to True to create events, otherwise the command will only display them. Possible values are: true, false. Default is false.Required
severityThe minimum severity of the events to fetch (inclusive). Possible values are: Low, Medium, High. Default is Low.Required
collect_fromThe date to start collecting the events from.Optional
limitThe maximum amount of events to return.Optional

Context Output#

There is no context output for this command.

Command example#

!aws-gd-get-events severity=Low should_push_events=false limit=1 collect_from="60 days ago"

Human Readable Output#

AWSGuardDuty Logs#
Account IdArnCreated AtDescriptionIdPartitionRegionResourceSchema VersionServiceSeverityTitleTypeUpdated At
SomeAccountIdSomeArn2022-08-16T07:22:39.877ZA container with a sensitive host path mounted inside was launched on EKS Cluster SomeFindingEKSClusterName. If this behavior is not expected, it may indicate that your credentials are compromised.<some_id>aws<some_region>EksClusterDetails: {"Name": "SomeFindingEKSClusterName", "Arn": "SomeFindingEKSClusterArn", "VpcId": "SomeFindingEKSClusterVpcId", "Status": "ACTIVE", "Tags": [{"Key": "SomeFindingEKSClusterTag1", "Value": "SomeFindingEKSClusterTagValue1"}, {"Key": "SomeFindingEKSClusterTag2", "Value": "SomeFindingEKSClusterTagValue2"}, {"Key": "SomeFindingEKSClusterTag3", "Value": "SomeFindingEKSClusterTagValue3"}], "CreatedAt": "2021-11-11T10:15:55.218000"}
KubernetesDetails: {"KubernetesUserDetails": {"Username": "SomeFindingUserName", "Uid": "SomeFindingUID", "Groups": ["SomeFindingUserGroup"]}, "KubernetesWorkloadDetails": {"Name": "SomeFindingKubernetesWorkloadName", "Type": "SomeFindingKubernetesWorkloadType", "Uid": "SomeFindingKubernetesWorkloadUID", "Namespace": "SomeFindingKubernetesWorkloadNamespace", "Containers": [{"Name": "SomeFindingContainerName", "Image": "SomeFindingContainerImage", "ImagePrefix": "SomeFindingContainerImagePrefix", "VolumeMounts": [{"Name": "SomeFindingVolumeName", "MountPath": "SomeFindingVolumeMountPath"}]}], "Volumes": [{"Name": "SomeFindingVolumeName", "HostPath": {"Path": "SomeFindingHostPath"}}]}}
ResourceType: EKSCluster
2.0Action: {"ActionType": "KUBERNETES_API_CALL", "KubernetesApiCallAction": {"RequestUri": "SomeFindingRequestURI", "Verb": "create", "UserAgent": "", "RemoteIpDetails": {"City": {"CityName": "SomeFindingCityName"}, "Country": {"CountryName": "SomeFindingCountryName"}, "GeoLocation": {"Lat": 0, "Lon": 0}, "IpAddressV4": "", "Organization": {"Asn": "0", "AsnOrg": "SomeFindingASNOrg", "Isp": "SomeFindingISP", "Org": "SomeFindingORG"}}, "StatusCode": 201}}
Archived: true
Count: 1
DetectorId: detectorid
EventFirstSeen: 2022-08-16T07:22:39.000Z
EventLastSeen: 2022-08-16T07:22:39.000Z
ResourceRole: TARGET
ServiceName: guardduty
AdditionalInfo: {"Value": "{\"sample\":true}", "Type": "default"}
5Container launched with a sensitive host path mounted inside.Persistence:Kubernetes/ContainerWithSensitiveMount2022-08-16T07:22:39.877Z