GuardDuty out of the box is 70% noise. Here's how we tune it.
Cloud Security
Default GuardDuty pages your on-call for kubectl exec, RDP brute force from your own VPN, and Tor exit nodes that turn out to be a marketing intern on holiday. Tuning is mandatory, not optional.
By Arjun Raghavan, Security & Systems Lead, BIPI · March 3, 2024 · 7 min read
We turned on GuardDuty for a fintech client with 14 accounts and watched the SOC queue go from 40 tickets a week to 380. Most of it was Recon:EC2/PortProbeUnprotectedPort firing on the instances behind a load balancer that was supposed to be public, and UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B because their travelling CFO logged in from Lisbon. The SOC manager threatened to disable the service. We had three days to fix it.
GuardDuty is a strong detection engine wrapped in defaults that assume nothing about your environment. Once you tell it what your environment actually looks like, the signal climbs fast. Here is the playbook we run on every engagement.
Suppress by resource tag, not by finding type or resource ID
The wrong way to tune GuardDuty is to mute a finding type globally. The right way is to suppress findings whose target resource carries a known-exposure tag. We put exposure:public on the EC2 instances that are meant to be reachable from the internet (the targets behind an internet-facing ALB, bastion hosts) and write a suppression rule, which in GuardDuty is a filter with the archive action, that archives Recon:EC2/PortProbeUnprotectedPort findings only when the target instance has that tag. The same finding on an untagged or exposure:internal instance still pages the on-call.
Tag-driven suppression survives account migrations, scales across OUs, and gives auditors a clean answer to why a finding was muted. Suppression by raw resource ID becomes a graveyard inside a quarter.
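The rule described above, as an added example that is not BIPI's code: the filter definition in the shape boto3's guardduty create_filter takes, plus a local model of the filter so you can see which findings it would archive before you deploy it. The filter name, instance IDs and findings are constructed; the model covers only Eq criteria, and it treats tags.key and tags.value as two independent attributes, which is how the filter schema reads to me and is the pitfall the last sample shows.

```python
"""Tag-scoped GuardDuty suppression rule, checked locally against sample findings."""
# Added example, not BIPI's code. Assumed: instances that are meant to be internet-
# reachable carry the tag exposure=public; the filter name, instance IDs and findings
# below are constructed for illustration.

# Same shape as the keyword arguments of boto3's guardduty.create_filter(); with
# Action="ARCHIVE" the filter is a suppression rule: matching findings are archived
# instead of surfaced. Criteria are ANDed, so the type AND the tag must both match.
PORTPROBE_SUPPRESSION = {
    "Name": "suppress-portprobe-on-exposure-public",      # hypothetical filter name
    "Description": "Port probes against instances tagged exposure=public are expected",
    "Action": "ARCHIVE",
    "Rank": 1,
    "FindingCriteria": {
        "Criterion": {
            "type": {"Eq": ["Recon:EC2/PortProbeUnprotectedPort"]},
            "resource.instanceDetails.tags.key": {"Eq": ["exposure"]},
            "resource.instanceDetails.tags.value": {"Eq": ["public"]},
        }
    },
}


def _values_at(finding, path):
    """All values reachable at a dotted path; list nodes fan out, so
    'resource.instanceDetails.tags.key' yields every tag key on the instance."""
    nodes = [finding]
    for part in path.split("."):
        nxt = []
        for node in nodes:
            for item in (node if isinstance(node, list) else [node]):
                if isinstance(item, dict) and part in item:
                    nxt.append(item[part])
        nodes = nxt
    flat = []
    for node in nodes:
        flat.extend(node if isinstance(node, list) else [node])
    return flat


def is_suppressed(finding, criterion=PORTPROBE_SUPPRESSION["FindingCriteria"]["Criterion"]):
    """Local model of the filter: every Eq criterion must match some value at its path.
    Only Eq is modelled; the real filter also supports Neq, Gte, Lte and friends."""
    return all(
        any(value in cond["Eq"] for value in _values_at(finding, path))
        for path, cond in criterion.items()
    )


def _finding(finding_type, tags):
    """Minimal GuardDuty finding with only the fields the rule reads (constructed)."""
    return {
        "type": finding_type,
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {
                "instanceId": "i-0123456789abcdef0",
                "tags": [{"key": k, "value": v} for k, v in tags.items()],
            },
        },
    }


PORTPROBE = "Recon:EC2/PortProbeUnprotectedPort"
SAMPLE_FINDINGS = {
    "probe_on_public_instance": _finding(PORTPROBE, {"exposure": "public", "Name": "web-1"}),
    "probe_on_internal_instance": _finding(PORTPROBE, {"exposure": "internal"}),
    "probe_on_untagged_instance": _finding(PORTPROBE, {}),
    "cnc_on_public_instance": _finding("Backdoor:EC2/C&CActivity.B!DNS", {"exposure": "public"}),
    # tags.key and tags.value are separate filter attributes, so (as modelled here) they
    # match independently: this instance is NOT public, but the value "public" under
    # another key still satisfies the rule. Keep the value unique to the exposure key.
    "probe_with_crossed_tags": _finding(PORTPROBE, {"exposure": "internal", "team": "public"}),
}


def suppression_report(findings=SAMPLE_FINDINGS):
    """Finding name -> would this rule archive it?"""
    return {name: is_suppressed(f) for name, f in findings.items()}


if __name__ == "__main__":
    for name, archived in suppression_report().items():
        print(f"{name:30} {'ARCHIVE' if archived else 'surface'}")
```

To deploy it, call the guardduty client's create_filter(DetectorId=detector_id, **PORTPROBE_SUPPRESSION) in each member account (or from the delegated administrator for each detector). Run the report first: the crossed-tags case is the one that bites when teams reuse generic tag values like public or true.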
Re-grade severities for your blast radius
GuardDuty ships severities calibrated for a generic enterprise. A Backdoor:EC2/C&CActivity.B!DNS finding (GuardDuty rates it high) on a sandbox account is interesting. The same finding on a PCI workload account is a sev-1, full stop. We route findings through an EventBridge rule to a small function that reads the account ID and the resource tags, then re-emits the finding into the SIEM with an added organisational severity field. The original GuardDuty severity stays untouched for compliance evidence.
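One way to implement that re-grading step, as an added example rather than BIPI's own code: a Lambda target for an EventBridge rule on source aws.guardduty that maps the account to a tier, applies tag-based adjustments, and returns a record carrying both the org severity and the verbatim original event. The account IDs, the tier map, the data-classification tag, the custom source name and the sample events are all constructed; the payload shape is the EventBridge "GuardDuty Finding" event.

```python
"""Re-grade a GuardDuty finding to an org severity from account tier and resource tags."""
# Added example, not BIPI's code. Account IDs, tier map, the data-classification tag,
# the custom event source name and the sample events are constructed for illustration.

# Which accounts matter how much (hypothetical IDs).
ACCOUNT_TIER = {
    "111111111111": "pci",
    "222222222222": "prod",
    "333333333333": "sandbox",
}
# Org scale: 1 = page now, 2 = same day, 3 = next business day, 4 = log only.
GUARDDUTY_BASE = {"HIGH": 2, "MEDIUM": 3, "LOW": 4}
TIER_SHIFT = {"pci": -2, "prod": -1, "sandbox": +1}      # unknown accounts: no shift
TAG_SHIFT = {("data-classification", "pci"): -1, ("data-classification", "pii"): -1}


def guardduty_label(severity):
    """GuardDuty numeric severity -> its published label ranges (Low 1.0-3.9,
    Medium 4.0-6.9, High 7.0 and above)."""
    if severity >= 7.0:
        return "HIGH"
    if severity >= 4.0:
        return "MEDIUM"
    return "LOW"


def _instance_tags(detail):
    tags = detail.get("resource", {}).get("instanceDetails", {}).get("tags", [])
    return {t["key"]: t["value"] for t in tags}


def regrade(event):
    """Return the record to ship to the SIEM: org severity plus the untouched original.
    The GuardDuty severity is never modified, so compliance evidence stays intact."""
    detail = event["detail"]
    tier = ACCOUNT_TIER.get(event["account"], "unknown")
    label = guardduty_label(detail["severity"])
    reasons = [f"guardduty={label}", f"tier={tier}"]
    score = GUARDDUTY_BASE[label] + TIER_SHIFT.get(tier, 0)
    for key, value in _instance_tags(detail).items():
        shift = TAG_SHIFT.get((key, value))
        if shift:
            score += shift
            reasons.append(f"tag={key}:{value}")
    return {
        "source": "custom.guardduty.regraded",        # hypothetical event source name
        "detail-type": "Regraded GuardDuty Finding",
        "orgSeverity": max(1, min(4, score)),         # clamp to the org scale
        "orgSeverityReason": ",".join(reasons),
        "original": event,                            # verbatim GuardDuty event
    }


def lambda_handler(event, context):
    """Lambda target of an EventBridge rule matching source aws.guardduty."""
    return regrade(event)


def _event(account, finding_type, severity, tags=()):
    """Constructed EventBridge 'GuardDuty Finding' event with the fields used above."""
    return {
        "version": "0", "detail-type": "GuardDuty Finding", "source": "aws.guardduty",
        "account": account, "region": "eu-west-1",
        "detail": {
            "accountId": account, "type": finding_type, "severity": severity,
            "resource": {"resourceType": "Instance",
                         "instanceDetails": {"tags": [{"key": k, "value": v} for k, v in tags]}},
        },
    }


CNC = "Backdoor:EC2/C&CActivity.B!DNS"
SAMPLE_PCI = _event("111111111111", CNC, 8.0)                        # high, PCI account
SAMPLE_SANDBOX = _event("333333333333", CNC, 8.0)                    # same finding, sandbox
SAMPLE_PROD_PII = _event("222222222222", "Recon:EC2/Portscan", 5.0,  # medium, prod + PII tag
                         [("data-classification", "pii")])

if __name__ == "__main__":
    for ev in (SAMPLE_PCI, SAMPLE_SANDBOX, SAMPLE_PROD_PII):
        out = regrade(ev)
        print(ev["account"], ev["detail"]["type"], "->", out["orgSeverity"], out["orgSeverityReason"])
```

The same high C2 finding lands at org severity 1 in the PCI account and 3 in the sandbox, which is the split the paragraph describes. Keeping the whole original event under "original" rather than copying selected fields is deliberate: auditors get the unmodified GuardDuty record next to the decision that was made about it.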
Pipe to the SIEM, not to email
Email-based GuardDuty notifications die in filters or get marked read by whoever is on call. Send them from EventBridge to Kinesis Data Firehose to S3, and let Splunk or Sentinel pull from there. You get retention, search, correlation with CloudTrail, and the ability to write detections that combine GuardDuty with VPC Flow Logs. We see a 4x reduction in mean time to triage when findings land in the same pane as the rest of the security telemetry.
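What that GuardDuty plus VPC Flow Log correlation looks like once both land in the same store, as an added example that is not BIPI's code: take a C2 finding, pull the flows between the flagged instance and the remote IP around the finding time, and answer the triage questions (how much went out, on which ports, and is it still talking). The finding, the instance and the flow log lines are constructed; the lines follow the default version 2 flow log field order.

```python
"""Correlate a GuardDuty C2 finding with VPC Flow Log lines in the SIEM."""
# Added example, not BIPI's code. The finding, the instance and the flow log lines are
# constructed; the flow log lines use the default (version 2) field order.
from datetime import datetime, timezone

FLOW_FIELDS = ("version account-id interface-id srcaddr dstaddr srcport dstport "
               "protocol packets bytes start end action log-status").split()

# Constructed sample: five flow records from the finding's account.
SAMPLE_FLOW_LOGS = """\
2 111111111111 eni-0a1b2c3d4e5f6a7b8 10.0.1.23 198.51.100.7 49811 443 6 12 2310 1709447000 1709447060 ACCEPT OK
2 111111111111 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.23 443 49811 6 10 4120 1709447000 1709447060 ACCEPT OK
2 111111111111 eni-0a1b2c3d4e5f6a7b8 10.0.1.23 203.0.113.9 52000 443 6 5 900 1709447100 1709447160 ACCEPT OK
2 111111111111 eni-0a1b2c3d4e5f6a7b8 10.0.1.23 198.51.100.7 49812 8443 6 40 61000 1709447400 1709447460 ACCEPT OK
2 111111111111 eni-0f9e8d7c6b5a49382 10.0.2.5 198.51.100.7 40000 443 6 3 300 1709447400 1709447460 REJECT OK
"""

# Constructed finding with the fields GuardDuty populates for a network-connection action.
SAMPLE_FINDING = {
    "type": "Backdoor:EC2/C&CActivity.B",
    "resource": {"resourceType": "Instance", "instanceDetails": {
        "instanceId": "i-0123456789abcdef0",
        "networkInterfaces": [{"networkInterfaceId": "eni-0a1b2c3d4e5f6a7b8",
                               "privateIpAddress": "10.0.1.23"}]}},
    "service": {
        "eventLastSeen": "2024-03-03T06:00:00.000Z",
        "action": {"actionType": "NETWORK_CONNECTION", "networkConnectionAction": {
            "remoteIpDetails": {"ipAddressV4": "198.51.100.7"}}}},
}


def parse_flow_logs(text):
    """Flow log lines -> dicts; numeric fields converted, '-' (no data) left as-is."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        row = dict(zip(FLOW_FIELDS, line.split()))
        for f in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            if row[f] != "-":
                row[f] = int(row[f])
        rows.append(row)
    return rows


def _epoch(iso_ms):
    """GuardDuty timestamps look like 2024-03-03T06:00:00.000Z."""
    return int(datetime.strptime(iso_ms, "%Y-%m-%dT%H:%M:%S.%fZ")
               .replace(tzinfo=timezone.utc).timestamp())


def correlate(finding, flow_text, window=3600):
    """Flows between the finding's instance and the remote IP within +/- window seconds
    of the finding: volume each way, ports used, and whether traffic continued after it."""
    ips = {ni["privateIpAddress"]
           for ni in finding["resource"]["instanceDetails"]["networkInterfaces"]}
    remote = finding["service"]["action"]["networkConnectionAction"]["remoteIpDetails"]["ipAddressV4"]
    seen = _epoch(finding["service"]["eventLastSeen"])
    out = {"flows": 0, "bytes_out": 0, "bytes_in": 0, "ports": set(),
           "accepted_after_finding": False}
    for r in parse_flow_logs(flow_text):
        if not (seen - window <= r["start"] <= seen + window):
            continue
        if r["srcaddr"] in ips and r["dstaddr"] == remote:
            out["bytes_out"] += r["bytes"]
            out["ports"].add(r["dstport"])
        elif r["dstaddr"] in ips and r["srcaddr"] == remote:
            out["bytes_in"] += r["bytes"]
        else:
            continue                       # other peers, other instances
        out["flows"] += 1
        if r["action"] == "ACCEPT" and r["start"] > seen:
            out["accepted_after_finding"] = True
    return out


if __name__ == "__main__":
    print(correlate(SAMPLE_FINDING, SAMPLE_FLOW_LOGS))
```

Three of the five lines belong to the flagged instance and the C2 address; the other two are a different peer and a different instance and stay out of the answer. The accepted_after_finding flag is the one that decides whether this is a post-mortem or a live isolation job, and it is exactly the question an email alert cannot answer.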
Turn on the optional protection plans selectively
S3 Protection, EKS Protection, Malware Protection for EC2, and RDS Protection are now separate add-ons with separate price tags. Enable them per-account based on workload. We turn on EKS Protection only on accounts running production Kubernetes, RDS Protection only on accounts with sensitive data classifications. Blanket-enabling everything in a 200-account org adds five-figure monthly spend with nothing to show for half of it.
- S3 Protection: enable on accounts holding regulated data buckets
- EKS Protection: enable on accounts with production EKS clusters (GuardDuty consumes the control-plane audit log directly, so you do not need CloudWatch audit logging switched on for it)
- Malware Protection: enable for accounts running unsigned third-party AMIs or partner workloads
- RDS Protection: enable on accounts with PII or PCI databases
Review the suppression list every 90 days
Suppression rules rot. The rule you scoped to a resource ID or private IP 18 months ago now covers whatever reused that address, and the exposure:public tag gets baked into a launch template and lands on instances that were never internet-facing. We schedule a quarterly review where every active suppression rule has to be re-justified by the team that owns the workload. About 30% get retired each cycle, and we usually surface two or three real findings that had been hidden for months.
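The mechanical half of that quarterly review, as an added example and not BIPI's tooling: given the instances and security groups in an account (the records below are constructed in the shape of describe_instances and describe_security_groups output), list every instance that carries exposure=public without the exposure that justified the tag, either no public IP or no security group rule open to the internet. Those are the tags to pull before they mute a real finding.

```python
"""Quarterly review helper: find exposure=public tags that no longer match reality."""
# Added example, not BIPI's code. The instance and security-group records below are
# constructed in the shape of describe_instances / describe_security_groups output.

OPEN_CIDRS = {"0.0.0.0/0", "::/0"}

# Constructed: group id -> ingress CIDRs, flattened from IpPermissions[].IpRanges[].CidrIp
# (and Ipv6Ranges[].CidrIpv6) of describe_security_groups.
SAMPLE_SG_INGRESS = {
    "sg-0web": {"0.0.0.0/0"},
    "sg-0batch": {"10.0.0.0/8"},
    "sg-0db": {"10.0.1.0/24"},
}

SAMPLE_INSTANCES = [
    {"InstanceId": "i-0web1", "PublicIpAddress": "203.0.113.10",
     "SecurityGroups": [{"GroupId": "sg-0web"}],
     "Tags": [{"Key": "exposure", "Value": "public"}, {"Key": "Name", "Value": "web-1"}]},
    # cloned from the web launch template, tag included, but never given a public address
    {"InstanceId": "i-0batch7",
     "SecurityGroups": [{"GroupId": "sg-0batch"}],
     "Tags": [{"Key": "exposure", "Value": "public"}, {"Key": "Name", "Value": "batch-7"}]},
    # public IP but nothing open to the internet: the tag is muting nothing useful
    {"InstanceId": "i-0db3", "PublicIpAddress": "203.0.113.11",
     "SecurityGroups": [{"GroupId": "sg-0db"}],
     "Tags": [{"Key": "exposure", "Value": "public"}]},
    {"InstanceId": "i-0app2",
     "SecurityGroups": [{"GroupId": "sg-0batch"}],
     "Tags": [{"Key": "exposure", "Value": "internal"}]},
]


def _tags(instance):
    return {t["Key"]: t["Value"] for t in instance.get("Tags", [])}


def stale_public_tags(instances, sg_ingress, tag_key="exposure", tag_value="public"):
    """Instances carrying the suppression tag without the exposure that justified it.
    Returns {instance_id: reason}; an empty dict means every tagged instance really is
    internet-reachable."""
    stale = {}
    for inst in instances:
        if _tags(inst).get(tag_key) != tag_value:
            continue
        reasons = []
        if "PublicIpAddress" not in inst:
            reasons.append("no public IP")
        open_sg = any(sg_ingress.get(g["GroupId"], set()) & OPEN_CIDRS
                      for g in inst.get("SecurityGroups", []))
        if not open_sg:
            reasons.append("no security group ingress from 0.0.0.0/0 or ::/0")
        if reasons:
            stale[inst["InstanceId"]] = "; ".join(reasons)
    return stale


if __name__ == "__main__":
    for iid, why in stale_public_tags(SAMPLE_INSTANCES, SAMPLE_SG_INGRESS).items():
        print(f"{iid}: tagged exposure=public but {why}")
```

Feed it the paginated describe_instances and describe_security_groups output from each member account, and pair the result with the rule inventory from list_filters and get_filter so the owning team re-justifies both the rule and the tags that feed it. An instance reachable only through a load balancer will show up here too, which is fine: it is not a PortProbe target and does not need the tag.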
GuardDuty earns its keep when the alerts that survive tuning are the ones worth waking someone up for. If your SOC ignores it, the attackers will know before you do.
Read more field notes, explore our services, or get in touch at info@bipi.in. Privacy Policy · Terms.