AWS GuardDuty

Overview

Datadog integrates with AWS GuardDuty through a Lambda function that ships GuardDuty findings to Datadog’s Log Management solution.

Setup

Log collection

Enable logging

1. If you haven’t already, set up the Datadog Forwarder Lambda function.

2. Create a new rule in Amazon EventBridge. Give the rule a name and select Rule with an event pattern. Click Next.

3. Build the event pattern to match your GuardDuty Findings. In the Event source section, select AWS events or EventBridge partner events. In the Event pattern section, specify AWS services for the source, GuardDuty for the service, and GuardDuty Finding as the type. Click Next.

4. Select the Datadog Forwarder as the target. Set AWS service as the target type, Lambda function as the target, and choose the Datadog forwarder from the dropdown Function menu. Click Next.

5. Configure any desired tags, and click Create rule.

Send your logs to Datadog

1. In the AWS console, go to Lambda.

2. Click Functions and select the Datadog forwarder.

3. In the Function Overview section, click Add Trigger. Select EventBridge (CloudWatch Events) from the dropdown menu, and specify the rule created in the enable logging section.

4. See any new GuardDuty Findings in the Datadog Log Explorer.