GDPatrol: A Lambda-powered Security Orchestration framework for AWS GuardDuty


A Serverless Security Orchestration Automation and Response (SOAR) Framework for AWS GuardDuty. The GDPatrol Lambda function receives the GuardDuty findings through the CloudWatch Event Rule and executes the appropriate actions to mitigate the threats according to their types and severity. The deployment script will enable GuardDuty and deploy the GDPatrol Lambda function in all supported regions.

Supported actions:

  • blacklist_ip(at the VPC level, using a Network ACL)
  • whitelist_ip
  • block_domain
  • quarantine_instance (deny all traffic ingress and egress to the EC2 instance)
  • snapshot_instance
  • disable_account (disable every action for a particular account)
  • disable_ec2_access
  • enable_ec2_access
  • disable_sg_access (Disable Security Group Access)
  • enable_sg_access
  • asg_detach_instance (detach instance from an auto-scaling group)

The actions to be executed are configured in the config.json file:

  "type": "Backdoor:EC2/C&CActivity.B!DNS",
  "actions": ["block_domain", "asg_detach_instance", "quarantine_instance", "snapshot_instance"],
  "reliability": 5




  • Python 3.6 (should be compatible with 2.7 as well but I didn’t test it)
  • Boto3

git clone


You can easily create your own playbooks by just adding or removing the actions and changing the reliability in the config.json for the desired finding type.

By default, all findings are assigned a reliability value of 5: the reliability is then added to the “severity” value found in the finding JSON, and the actions are only executed if the sum of the two values is higher than 10.

This ensures that, by default, only the playbooks for the GuardDuty findings with a severity of 6 or higher will be executed, while providing a way to effectively yet simply modify the behaviour by modifying the reliability value of the config file.

After any change to the config file locally, run again and the script will recreate the Lambda function with the updated config.json file. The GuardDuty findings types are documented here.




The deployment script makes the following calls, make sure your account has the appropriate permissions:

List Roles, Delete Role Policy, Delete Role, Create Role, Put Role Policy

List Functions, Delete Function, Create Function, Add Permission

CloudWatch Events:
List Rules, List Targets By Rule, Remove Targets, Delete Rule, Put Rule, Put Targets

List Detectors, Create Detector, Update Detector


Copyright (c) 2018 Antonio Sorrentino