AWS GuardDuty logs Ingestion in Splunk

This project showcases an event-driven, real-time architecture for streaming AWS GuardDuty findings into Splunk with sub-minute latency. Modern security operations require immediate visibility into threats, and this pipeline delivers findings to your SIEM within seconds of detection.
The architecture leverages Amazon EventBridge to capture GuardDuty findings as they occur, routes them through SNS for flexible message distribution, buffers them in SQS for reliable delivery, and finally streams them into Splunk. This approach is essential for Security Operations Centers (SOCs) that need to detect and respond to threats immediately, trigger automated remediation workflows, or meet strict security SLAs.

Key Components:

• GuardDuty: Generates security findings in real-time
• EventBridge: Captures events using pattern matching and routes to targets
• SNS (Simple Notification Service): Distributes notifications to multiple subscribers
• SQS (Simple Queue Service): Buffers messages for reliable, decoupled delivery
• IAM: Manages permissions across all services
• Splunk Add-on for AWS: Continuously polls SQS and ingests messages

When to Use This Pipeline:

• Real-time security alerting (seconds, not minutes)
• Immediate incident response and SOAR integration
• Multiple consumers processing the same findings (via SNS fanout)
• Event-driven automation and workflows
• Strict security SLAs requiring fast detection

What Makes This Project Valuable?

This pipeline represents modern, cloud-native security architecture patterns. By decoupling event producers (GuardDuty) from consumers (Splunk) using EventBridge, SNS, and SQS, you build a resilient system that can scale to handle thousands of findings per hour. The message buffering in SQS ensures no findings are lost even if Splunk is temporarily unavailable. This architecture is commonly used by enterprises running 24/7 SOCs and enables advanced use cases like multi-region threat correlation and automated incident response.