Enable GuardDuty in each AWS account and region; in delegated-administrator (AWS Organizations) setups, ensure member account findings are aggregated to the admin account.
Configure EventBridge to capture GuardDuty findings by creating an EventBridge rule with source aws.guardduty and detail-type GuardDuty Finding; route matched events to a target such as an SNS topic, Lambda function, or SQS queue.
Optionally configure S3 export in GuardDuty Settings > Findings export options to persist findings beyond the 90-day in-console retention window; set export frequency to 15 minutes, 1 hour, or 6 hours (default).
In the Lambda (or SOAR) target, parse the EventBridge event detail; key fields include detail.type (finding type string), detail.severity (numeric 0-10), detail.resource (affected AWS resource), and detail.service.action for network and process context.
Implement automated response actions in Lambda based on finding type: for example, call EC2 ModifyInstanceAttribute to block network access for Trojan:EC2/DNSDataExfiltration findings, or call IAM CreateAccessKey with immediate disable for UnauthorizedAccess findings.
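The pipeline described in the steps above, as an added example that is not code from the original page: a Lambda handler that parses the EventBridge event, buckets the numeric severity into the Low/Medium/High/Critical bands, and chooses a containment action by finding type. The quarantine security group ID, the sample event, and the `RecordingClient` stand-in are constructed placeholders; boto3 clients are injected so the logic can run offline and are only created (lazily) when none are supplied. For the IAM case the example deactivates the compromised key with `UpdateAccessKey` (Status=Inactive), which keeps it auditable, rather than creating a new key.

```python
# Added example, not code from the original page. Parses a GuardDuty finding
# delivered via EventBridge, buckets severity, and dispatches a containment action.
# QUARANTINE_SG, SAMPLE_EVENT and RecordingClient are constructed placeholders.

# Numeric severity floors as listed on the page, highest first.
SEVERITY_BUCKETS = ((9.0, "CRITICAL"), (7.0, "HIGH"), (4.0, "MEDIUM"), (0.0, "LOW"))

# Assumed: an empty security group (no inbound/outbound rules) created in advance.
# Moving an instance into it cuts network access but keeps the instance for
# forensics, which is why ModifyInstanceAttribute is used instead of terminating.
QUARANTINE_SG = "sg-0placeholder000000"  # placeholder, not a real group ID


def severity_label(score):
    """Map GuardDuty's numeric severity to the Low/Medium/High/Critical bands."""
    for floor, label in SEVERITY_BUCKETS:
        if score >= floor:
            return label
    return "LOW"


def parse_finding(event):
    """Extract the fields the page names from an EventBridge GuardDuty event."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        raise ValueError("not a GuardDuty Finding event")
    d = event["detail"]
    resource = d.get("resource") or {}
    instance = resource.get("instanceDetails") or {}
    key = resource.get("accessKeyDetails") or {}
    action = (d.get("service") or {}).get("action") or {}
    sev = float(d["severity"])
    return {
        "id": d.get("id"),
        "type": d["type"],
        "severity": sev,
        "label": severity_label(sev),
        "instance_id": instance.get("instanceId"),
        "access_key_id": key.get("accessKeyId"),
        "user_name": key.get("userName"),
        "action_type": action.get("actionType"),  # network/process context
    }


def decide_action(finding):
    """Pick a response from finding type and severity band; Low goes to a ticket."""
    if finding["label"] == "LOW":
        return ("ticket", None)
    if finding["type"] == "Trojan:EC2/DNSDataExfiltration" and finding["instance_id"]:
        return ("isolate_instance", finding["instance_id"])
    if finding["type"].startswith("UnauthorizedAccess:IAMUser/") and finding["access_key_id"]:
        return ("disable_key", (finding["user_name"], finding["access_key_id"]))
    return ("ticket", None)


def execute(action, ec2, iam):
    """Carry out the chosen action through boto3-style client methods."""
    kind, arg = action
    if kind == "isolate_instance":
        ec2.modify_instance_attribute(InstanceId=arg, Groups=[QUARANTINE_SG])
        return f"isolated {arg} in {QUARANTINE_SG}"
    if kind == "disable_key":
        user_name, access_key_id = arg
        # Deactivate rather than delete so the key remains auditable.
        iam.update_access_key(UserName=user_name, AccessKeyId=access_key_id, Status="Inactive")
        return f"deactivated {access_key_id} for {user_name}"
    return "ticket-only"


def lambda_handler(event, context=None, ec2=None, iam=None):
    """EventBridge -> Lambda entry point; clients are built only if an action needs them."""
    finding = parse_finding(event)
    action = decide_action(finding)
    if action[0] != "ticket" and (ec2 is None or iam is None):
        import boto3  # only needed for real AWS calls inside Lambda
        ec2 = ec2 or boto3.client("ec2")
        iam = iam or boto3.client("iam")
    return {"id": finding["id"], "type": finding["type"], "label": finding["label"],
            "action": action[0], "result": execute(action, ec2, iam)}


class RecordingClient:
    """Constructed stand-in for a boto3 client: records calls instead of making them."""
    def __init__(self):
        self.calls = []
    def modify_instance_attribute(self, **kw):
        self.calls.append(("modify_instance_attribute", kw))
    def update_access_key(self, **kw):
        self.calls.append(("update_access_key", kw))


# Constructed sample, shaped like an EventBridge GuardDuty Finding event.
SAMPLE_EVENT = {
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "detail": {
        "id": "00sample000000000000000000000000",
        "type": "Trojan:EC2/DNSDataExfiltration", "severity": 8,
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0sample0000000000"}},
        "service": {"action": {"actionType": "DNS_REQUEST"}},
    },
}
```

Running `lambda_handler(SAMPLE_EVENT, ec2=RecordingClient(), iam=RecordingClient())` returns the finding's id, type, band and the action taken; in a real deployment the Lambda execution role needs ec2:ModifyInstanceAttribute and iam:UpdateAccessKey, and the quarantine group must exist in every region the rule fires in.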
Known gotchas
EventBridge receives new findings within approximately 5 minutes of generation; updates to existing findings (same finding ID) are published at a configurable frequency (15 min / 1 hr / 6 hr) — do not expect real-time updates for ongoing finding patterns.
GuardDuty numeric severity (0.1-10) does not map 1:1 to named severities; Low is 0.1-3.9, Medium is 4.0-6.9, High is 7.0-8.9, Critical is 9.0-10 — filter thresholds in Lambda logic accordingly.
Multi-region deployments require an EventBridge rule in each region; findings from eu-west-1 do not automatically appear in us-east-1 event buses unless you configure cross-region event routing.
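Because rules are regional, the per-region rule creation from the EventBridge step and the multi-region gotcha above is shown here as an added example (not code from the page): it builds the event pattern once, optionally with a numeric severity floor using EventBridge numeric matching so the severity thresholds are applied before Lambda runs, and issues put_rule/put_targets in each region. `RULE_NAME`, the target ARN template and `FakeEventsClient` are assumptions or constructed stand-ins; boto3 is imported only when no client factory is supplied.

```python
# Added example, not code from the original page. One EventBridge rule per
# region, with an optional numeric severity floor in the event pattern.
# RULE_NAME and FakeEventsClient are assumed / constructed stand-ins.
import json

RULE_NAME = "guardduty-findings-to-responder"  # assumed rule name


def event_pattern(min_severity=None):
    """Pattern for source aws.guardduty / detail-type GuardDuty Finding, plus
    EventBridge numeric matching on detail.severity when a floor is given."""
    pattern = {"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"]}
    if min_severity is not None:
        pattern["detail"] = {"severity": [{"numeric": [">=", min_severity]}]}
    return pattern


def rule_plan(regions, target_arn_template, min_severity=None):
    """One put_rule/put_targets kwargs pair per region, since rules are regional."""
    plan = []
    for region in regions:
        plan.append({
            "region": region,
            "rule": {"Name": RULE_NAME, "State": "ENABLED",
                     "EventPattern": json.dumps(event_pattern(min_severity))},
            "targets": {"Rule": RULE_NAME, "Targets": [
                {"Id": "responder", "Arn": target_arn_template.format(region=region)}]},
        })
    return plan


def apply_plan(plan, client_factory=None):
    """Apply the plan with an 'events' client per region; returns the regions done."""
    if client_factory is None:
        import boto3  # only needed for real AWS calls
        client_factory = lambda region: boto3.client("events", region_name=region)
    done = []
    for step in plan:
        events = client_factory(step["region"])
        events.put_rule(**step["rule"])
        events.put_targets(**step["targets"])
        done.append(step["region"])
    return done


class FakeEventsClient:
    """Constructed stand-in that records put_rule/put_targets calls by region."""
    log = []
    def __init__(self, region):
        self.region = region
    def put_rule(self, **kw):
        FakeEventsClient.log.append((self.region, "put_rule", kw["Name"]))
    def put_targets(self, **kw):
        FakeEventsClient.log.append((self.region, "put_targets", kw["Targets"][0]["Arn"]))
```

Calling `apply_plan(rule_plan(["us-east-1", "eu-west-1"], "arn:aws:lambda:{region}:111122223333:function:responder", 7.0))` without a factory creates the rules for real; with `FakeEventsClient` as the factory it only records what would be sent. A Lambda target additionally needs a resource-based permission allowing events.amazonaws.com to invoke it (and SNS/SQS targets need an equivalent resource policy), which this plan does not create.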