Alerting about and reacting to GuardDuty findings

By default, GuardDuty generates findings and makes them available in the web console. It is also possible to set up a CloudWatch Events rule to react to these findings as they come in. To do this through the AWS web console, navigate to the CloudWatch Events rules page and create a new rule. For this rule, select GuardDuty as the service to match and GuardDuty Finding as the event type to match. Then select a target to send the finding data to. The target could be any of a variety of things, such as a Simple Notification Service (SNS) topic that texts or emails the finding data to the security team, or a Lambda function that reacts to the finding type and tries to remediate it automatically:

A new CloudWatch Events rule that targets a Lambda function

This screenshot shows a CloudWatch Events rule being created to trigger on GuardDuty findings and to target the ExampleFunction Lambda function when it is triggered. This kind of rule allows you to automate alerting and/or defense against findings that GuardDuty is triggering.

An example Lambda function might parse the data that CloudWatch Events sends it, determine which finding type was triggered, and then react accordingly. For example, if GuardDuty alerted that an EC2 instance was making connections to a known cryptocurrency-related domain, the Lambda function might auto-block outbound internet access to that domain in the security group that the EC2 instance belongs to. You could also add another target to the CloudWatch Events rule that uses SNS to send a text message to your security team. This way, if cryptocurrency-related activity is detected, it is automatically blocked by the Lambda function and the security team is alerted, so that they can decide what steps to follow up with to properly secure the environment again.
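The Lambda handler described above, written out as an added example (this is illustrative code, not the book's or AWS's own). It parses the event a "GuardDuty Finding" rule delivers, routes on the finding type, contains the affected instance and notifies the team over SNS. The quarantine security group id, the SNS topic ARN, the instance id and the finding itself are constructed placeholders. One caveat a practitioner should know: security groups are allow-lists with no deny rules, so a single domain cannot be blocked in one; the example therefore isolates the whole instance by swapping its security groups for an empty "quarantine" group, which is a common containment step, and leaves restoring connectivity to the humans who are paged.

```python
"""Illustrative Lambda handler for GuardDuty findings delivered by a CloudWatch
Events rule. Added example, not the book's code. Resource ids, the quarantine
security group and the SNS topic ARN are placeholders."""
import json
import os

# Placeholders (assumptions): a security group with no inbound or outbound
# rules, so an instance moved into it is cut off from the network, and an SNS
# topic that pages the security team.
QUARANTINE_SG_ID = os.environ.get("QUARANTINE_SG_ID", "sg-0000quarantine")
ALERT_TOPIC_ARN = os.environ.get(
    "ALERT_TOPIC_ARN", "arn:aws:sns:us-east-1:123456789012:security-alerts")

HIGH_SEVERITY = 7.0  # GuardDuty severity bands: Low 1-3.9, Medium 4-6.9, High 7-8.9


def parse_finding(event):
    """Pull the fields a responder needs out of a 'GuardDuty Finding' event.

    CloudWatch Events wraps the finding JSON under event['detail'].
    """
    detail = event["detail"]
    instance = detail.get("resource", {}).get("instanceDetails") or {}
    action = detail.get("service", {}).get("action", {})
    domain = None
    if action.get("actionType") == "DNS_REQUEST":
        domain = action.get("dnsRequestAction", {}).get("domain")
    return {
        "finding_id": detail.get("id"),
        "type": detail["type"],
        "severity": float(detail.get("severity", 0)),
        "instance_id": instance.get("instanceId"),
        "domain": domain,
    }


def choose_action(finding):
    """Map a finding to a response. Only crypto-mining findings on an EC2
    instance get automatic containment; other high-severity findings are
    alert-only, and the rest are just logged."""
    if finding["type"].startswith("CryptoCurrency:EC2/") and finding["instance_id"]:
        return "quarantine"
    if finding["severity"] >= HIGH_SEVERITY:
        return "alert"
    return "log"


def quarantine_instance(ec2, instance_id):
    """Replace the instance's security groups with the quarantine group.
    ModifyInstanceAttribute with Groups swaps every group on the primary
    network interface, which is what isolates the instance."""
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[QUARANTINE_SG_ID])


def handler(event, context=None, ec2=None, sns=None):
    """Lambda entry point. ec2/sns are injectable so the logic can run without
    AWS credentials; inside Lambda they default to real boto3 clients."""
    if ec2 is None or sns is None:
        import boto3  # present in the Lambda runtime
        ec2 = ec2 or boto3.client("ec2")
        sns = sns or boto3.client("sns")
    finding = parse_finding(event)
    action = choose_action(finding)
    if action == "quarantine":
        quarantine_instance(ec2, finding["instance_id"])
    if action in ("quarantine", "alert"):
        sns.publish(
            TopicArn=ALERT_TOPIC_ARN,
            Subject=f"GuardDuty {finding['type']} ({finding['severity']})",
            Message=json.dumps({**finding, "action_taken": action}),
        )
    return {"action": action, **finding}


# Constructed sample event shaped like what the CloudWatch Events rule in the
# text delivers; every value is made up.
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "id": "example-finding-id",
        "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
        "severity": 8,
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
        "service": {"action": {"actionType": "DNS_REQUEST",
                               "dnsRequestAction": {"domain": "pool.example.invalid"}}},
    },
}


class RecordingClient:
    """Stand-in for a boto3 client that records the API calls it receives."""
    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        return lambda **kw: self.calls.append((name, kw))


if __name__ == "__main__":
    ec2, sns = RecordingClient(), RecordingClient()
    print(handler(SAMPLE_EVENT, ec2=ec2, sns=sns))
    print(ec2.calls, sns.calls)
```

Deployed for real, the function's execution role needs only `ec2:ModifyInstanceAttribute` and `sns:Publish`; keeping the automatic action limited to one well-understood finding family, with everything else alert-only, avoids a noisy rule taking production instances offline on low-confidence findings.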
