AWS GuardDuty

Overview

The AWS GuardDuty integration (regscale aws sync_guardduty) collects threat detection evidence from GuardDuty detectors and findings and assesses the monitoring and incident response controls that evidence supports (SI-4, IR-4, IR-5, SI-3, RA-5).

Command Syntax

regscale aws sync_guardduty [OPTIONS]

Basic Usage

# Collect GuardDuty evidence (default - no issues created)
regscale aws sync_guardduty --regscale_id 123

# Filter by account and specific controls
regscale aws sync_guardduty \
  --regscale_id 123 \
  --account-id 123456789012 \
  --evidence-control-ids SI-4,IR-4

# Create issues from findings (non-default)
regscale aws sync_guardduty \
  --regscale_id 123 \
  --create-issues \
  --create-vulnerabilities \
  --no-collect-evidence

NIST 800-53 Controls Assessed

  • SI-4: System Monitoring
  • IR-4: Incident Handling
  • IR-5: Incident Monitoring
  • SI-3: Malicious Code Protection
  • RA-5: Vulnerability Monitoring and Scanning

What Gets Created in RegScale

  • Control Assessments: SI and IR family controls
  • Evidence: Detector configurations, active findings, threat detections
  • Issues (optional): GuardDuty findings as issues
  • Vulnerabilities (optional): Threat detections as vulnerabilities

Default Behavior

By default, sync_guardduty collects evidence only and does NOT create issues. GuardDuty can produce a large volume of findings, and turning each one into a RegScale issue would cause alert fatigue.

To create issues, pass --create-issues. Add --no-collect-evidence when the run should create issues without also collecting evidence.

Common Use Cases

Evidence Collection for SI-4 (Default)

regscale aws sync_guardduty \
  --regscale_id 123 \
  --evidence-control-ids SI-4,IR-4,IR-5

Incident Response Investigation

regscale aws sync_guardduty \
  --regscale_id 123 \
  --create-issues \
  --create-vulnerabilities \
  --account-id 123456789012

Command Options

Option                     Description                      Example
--regscale_id              Security Plan ID (required)      --regscale_id 123
--account-id               Filter by AWS account            --account-id 123456789012
--evidence-control-ids     Link evidence to controls        --evidence-control-ids SI-4,IR-4
--create-issues            Create issues from findings      --create-issues
--create-vulnerabilities   Create vulnerabilities           --create-vulnerabilities
--no-collect-evidence      Skip evidence collection         --no-collect-evidence

Best Practices

  1. Enable GuardDuty in all regions, so the evidence collected reflects the whole account
  2. Collect evidence regularly for the SI-4 control
  3. Integrate GuardDuty with your SIEM for alert management
  4. Use issues sparingly, only for incident response
  5. Review high-severity findings in the AWS console
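Best practice 1 can be verified before each sync run. The script below is an added example, not part of the RegScale CLI or its documentation: it walks every enabled region with the AWS CLI, classifies each region as enabled, disabled or missing a GuardDuty detector, and exits non-zero when coverage has a gap, so a scheduled evidence run can stop instead of silently collecting partial coverage. It assumes AWS CLI v2 with credentials in the environment; the GD_LIVE_SWEEP variable and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not RegScale's code): check GuardDuty detector coverage
# across all enabled regions before running `regscale aws sync_guardduty`.

# Classify one region. Arguments: region, detector id (or "None"/empty when
# the region has no detector), detector status as returned by get-detector.
# Prints: "<region> enabled <id>" | "<region> disabled <id>" | "<region> missing"
classify_region() {
  region="$1"
  id="$2"
  status="$3"
  if [ -z "$id" ] || [ "$id" = "None" ]; then
    printf '%s missing\n' "$region"
  elif [ "$status" = "ENABLED" ]; then
    printf '%s enabled %s\n' "$region" "$id"
  else
    printf '%s disabled %s\n' "$region" "$id"
  fi
}

# Summarise classify_region lines from stdin. Prints counts on the first
# line; if any region is disabled or missing, lists them and returns 1,
# which makes the function usable as a gate in a pipeline.
coverage_report() {
  awk '
    $2 == "enabled"  { e++ }
    $2 == "disabled" { d++; bad = bad " " $1 }
    $2 == "missing"  { m++; bad = bad " " $1 }
    END {
      printf "enabled=%d disabled=%d missing=%d\n", e, d, m
      if (d + m > 0) { print "GuardDuty gap in:" bad; exit 1 }
    }'
}

# Live sweep: one classify_region line per enabled region in the account.
# describe-regions lists only regions enabled for the account; DetectorIds[0]
# is rendered as "None" in text output when the region has no detector.
sweep_regions() {
  for region in $(aws ec2 describe-regions --query 'Regions[].RegionName' --output text); do
    id=$(aws guardduty list-detectors --region "$region" \
           --query 'DetectorIds[0]' --output text)
    status=""
    if [ -n "$id" ] && [ "$id" != "None" ]; then
      status=$(aws guardduty get-detector --region "$region" --detector-id "$id" \
                 --query 'Status' --output text)
    fi
    classify_region "$region" "$id" "$status"
  done
}

# Only call AWS when explicitly requested (GD_LIVE_SWEEP=1), so the functions
# above can be sourced and exercised offline with constructed input.
if [ "${GD_LIVE_SWEEP:-0}" = 1 ]; then
  report=$(sweep_regions)
  printf '%s\n' "$report"
  printf '%s\n' "$report" | coverage_report
fi
```

Run it as GD_LIVE_SWEEP=1 sh guardduty_coverage.sh before the scheduled regscale aws sync_guardduty --regscale_id ... --evidence-control-ids SI-4 run; a non-zero exit means at least one region would contribute no evidence, which is worth fixing before it lands in an SI-4 assessment.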