Ensure GuardDuty is enabled in the target account and region; obtain the detector ID with ListDetectors or from the console
Call ListFindings with the detector ID and a FindingCriteria map to filter by severity (e.g., severity GreaterThanOrEqual 7 for high/critical), type, or updatedAt timestamp
Pass the returned finding IDs to GetFindings (max 50 per call) to retrieve full finding details including resource, action, and threat intelligence enrichment
Parse the finding's service.action field to understand the triggering event (e.g., AwsApiCall, NetworkConnectionAction); use type and title for triage prioritization
Archive findings that have been remediated using ArchiveFindings; this suppresses them from the active findings view without deleting the record
Set up EventBridge rules on the GuardDuty findings event pattern to route new high-severity findings to an SNS topic or security ticketing system for real-time alerting
Known gotchas
GuardDuty severity is a numeric score where higher is more severe, but the mapping to the low/medium/high/critical bands has specific numeric boundaries that are not an even 1-10 split; look the boundaries up rather than assuming them
ListFindings returns only finding IDs, not full details; omitting the GetFindings call will leave you with unusable data
Suppression rules created in the console differ from ArchiveFindings; suppressed findings are never created whereas archived findings exist but are hidden — understand which behavior your workflow needs
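The retrieval and triage flow above (ListFindings filtered by severity, GetFindings in batches of 50, parsing service.action, banding the numeric score) as an added example; this is not code from the page or from AWS. It targets a boto3-style GuardDuty client but ships with a constructed in-memory fake so it runs offline; the detector ID is a placeholder, the sample finding type and IDs are made up, and the band boundaries are the ones published in the GuardDuty documentation.

```python
GET_FINDINGS_MAX = 50  # GetFindings accepts at most 50 finding IDs per call
SEVERITY_BANDS = ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.0, "Low"))

def severity_band(score):
    """Documented GuardDuty bands (Low 1-3.9, Medium 4-6.9, High 7-8.9, Critical 9-10)."""
    return next(name for floor, name in SEVERITY_BANDS if score >= floor)

def fetch_findings(client, detector_id, min_severity=7):
    """Page through ListFindings (IDs only), then fetch details via GetFindings in chunks of 50."""
    criteria = {"Criterion": {"severity": {"GreaterThanOrEqual": int(min_severity)}}}
    ids, kwargs = [], {"DetectorId": detector_id, "FindingCriteria": criteria, "MaxResults": 50}
    while True:
        page = client.list_findings(**kwargs)
        ids.extend(page["FindingIds"])
        if "NextToken" not in page:  # boto3 omits the key on the last page
            break
        kwargs["NextToken"] = page["NextToken"]
    chunks = [ids[i:i + GET_FINDINGS_MAX] for i in range(0, len(ids), GET_FINDINGS_MAX)]  # 50-ID batches
    return [f for c in chunks for f in client.get_findings(DetectorId=detector_id, FindingIds=c)["Findings"]]

def triage(findings):
    """Most severe first; keep type, band and the triggering action (Service.Action in boto3 responses)."""
    rows = [{"id": f["Id"], "type": f["Type"], "severity": f["Severity"], "band": severity_band(f["Severity"]),
             "action": f["Service"]["Action"]["ActionType"]} for f in findings]
    return sorted(rows, key=lambda r: -r["severity"])

class FakeGuardDuty:
    """Constructed stand-in for the boto3 GuardDuty client: 120 sample findings, three severities."""
    def __init__(self):
        self.get_calls, self.db = 0, {}
        for i in range(120):
            sev = 9.0 if i % 10 == 0 else 3.0 if i % 3 == 0 else 7.5
            self.db[f"sample-{i:03d}"] = {"Id": f"sample-{i:03d}", "Type": "Sample:Constructed/Finding", "Severity": sev,
                                         "Service": {"Action": {"ActionType": "AWS_API_CALL" if i % 2 else "NETWORK_CONNECTION"}}}
    def list_findings(self, DetectorId, FindingCriteria, MaxResults, NextToken="0"):
        floor = FindingCriteria["Criterion"]["severity"]["GreaterThanOrEqual"]  # filter server-side like AWS
        start, ids = int(NextToken), sorted(k for k, v in self.db.items() if v["Severity"] >= floor)
        resp = {"FindingIds": ids[start:start + MaxResults]}
        if start + MaxResults < len(ids):
            resp["NextToken"] = str(start + MaxResults)
        return resp
    def get_findings(self, DetectorId, FindingIds):
        self.get_calls += 1
        assert len(FindingIds) <= GET_FINDINGS_MAX, "the real API rejects batches over 50"
        return {"Findings": [self.db[i] for i in FindingIds]}

def demo():
    client = FakeGuardDuty()  # swap in boto3.client("guardduty") and a real detector ID for live use
    return triage(fetch_findings(client, "detector-id-placeholder")), client.get_calls
```

With the fake's 120 samples, 84 findings clear the severity 7 floor, which exercises both ListFindings paging (two pages) and GetFindings batching (two calls of 50 and 34 IDs).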