  1. Amazon GuardDuty Security Blogs
  2. AWS re:Post questions for Amazon GuardDuty
  3. Amazon GuardDuty FAQs
  4. Amazon GuardDuty Pricing
  5. Free Cybersecurity Training
  6. Automated response & remediation
    1. Integration with AWS Security Hub
    2. EventBridge (Enrichment, Actions, Notifications)
  7. Anomaly Detection & Machine Learning
    1. Findings
      1. EC2 findings
        1. Backdoor:EC2/C&CActivity.B
        2. Backdoor:EC2/C&CActivity.B!DNS
        3. Backdoor:EC2/DenialOfService.Dns
        4. Backdoor:EC2/DenialOfService.Tcp
        5. Backdoor:EC2/DenialOfService.Udp
        6. Backdoor:EC2/DenialOfService.UdpOnTcpPorts
        7. Backdoor:EC2/DenialOfService.UnusualProtocol
        8. Backdoor:EC2/Spambot
        9. Behavior:EC2/NetworkPortUnusual
        10. Behavior:EC2/TrafficVolumeUnusual
        11. CryptoCurrency:EC2/BitcoinTool.B
        12. CryptoCurrency:EC2/BitcoinTool.B!DNS
        13. Impact:EC2/AbusedDomainRequest.Reputation
        14. Impact:EC2/BitcoinDomainRequest.Reputation
        15. Impact:EC2/MaliciousDomainRequest.Reputation
        16. Impact:EC2/PortSweep
        17. Impact:EC2/SuspiciousDomainRequest.Reputation
        18. Impact:EC2/WinRMBruteForce
        19. Recon:EC2/PortProbeEMRUnprotectedPort
        20. Recon:EC2/PortProbeUnprotectedPort
        21. Recon:EC2/Portscan
        22. Trojan:EC2/BlackholeTraffic
        23. Trojan:EC2/BlackholeTraffic!DNS
        24. Trojan:EC2/DGADomainRequest.B
        25. Trojan:EC2/DGADomainRequest.C!DNS
        26. Trojan:EC2/DNSDataExfiltration
        27. Trojan:EC2/DriveBySourceTraffic!DNS
        28. Trojan:EC2/DropPoint
        29. Trojan:EC2/DropPoint!DNS
        30. Trojan:EC2/PhishingDomainRequest!DNS
        31. UnauthorizedAccess:EC2/MaliciousIPCaller.Custom
        32. UnauthorizedAccess:EC2/MetadataDNSRebind
        33. UnauthorizedAccess:EC2/RDPBruteForce
        34. UnauthorizedAccess:EC2/SSHBruteForce
        35. UnauthorizedAccess:EC2/TorClient
        36. UnauthorizedAccess:EC2/TorRelay
      2. IAM findings
        1. CredentialAccess:IAMUser/AnomalousBehavior
        2. DefenseEvasion:IAMUser/AnomalousBehavior
        3. Discovery:IAMUser/AnomalousBehavior
        4. Exfiltration:IAMUser/AnomalousBehavior
        5. Impact:IAMUser/AnomalousBehavior
        6. InitialAccess:IAMUser/AnomalousBehavior
        7. PenTest:IAMUser/KaliLinux
        8. PenTest:IAMUser/ParrotLinux
        9. PenTest:IAMUser/PentooLinux
        10. Persistence:IAMUser/AnomalousBehavior
        11. Policy:IAMUser/RootCredentialUsage
        12. PrivilegeEscalation:IAMUser/AnomalousBehavior
        13. Recon:IAMUser/MaliciousIPCaller
        14. Recon:IAMUser/MaliciousIPCaller.Custom
        15. Recon:IAMUser/TorIPCaller
        16. Stealth:IAMUser/CloudTrailLoggingDisabled
        17. Stealth:IAMUser/PasswordPolicyChange
        18. UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B
        19. UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS
        20. UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS
        21. UnauthorizedAccess:IAMUser/MaliciousIPCaller
        22. UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom
        23. UnauthorizedAccess:IAMUser/TorIPCaller
      3. S3 findings
        1. Discovery:S3/MaliciousIPCaller
        2. Discovery:S3/MaliciousIPCaller.Custom
        3. Discovery:S3/TorIPCaller
        4. Exfiltration:S3/MaliciousIPCaller
        5. Exfiltration:S3/ObjectRead.Unusual
        6. Impact:S3/MaliciousIPCaller
        7. PenTest:S3/KaliLinux
        8. PenTest:S3/ParrotLinux
        9. PenTest:S3/PentooLinux
        10. Policy:S3/AccountBlockPublicAccessDisabled
        11. Policy:S3/BucketAnonymousAccessGranted
        12. Policy:S3/BucketBlockPublicAccessDisabled
        13. Policy:S3/BucketPublicAccessGranted
        14. Stealth:S3/ServerAccessLoggingDisabled
        15. UnauthorizedAccess:S3/MaliciousIPCaller.Custom
        16. UnauthorizedAccess:S3/TorIPCaller
      4. Kubernetes findings
        1. CredentialAccess:Kubernetes/MaliciousIPCaller
        2. CredentialAccess:Kubernetes/MaliciousIPCaller.Custom
        3. CredentialAccess:Kubernetes/SuccessfulAnonymousAccess
        4. CredentialAccess:Kubernetes/TorIPCaller
        5. DefenseEvasion:Kubernetes/MaliciousIPCaller
        6. DefenseEvasion:Kubernetes/MaliciousIPCaller.Custom
        7. DefenseEvasion:Kubernetes/SuccessfulAnonymousAccess
        8. DefenseEvasion:Kubernetes/TorIPCaller
        9. Discovery:Kubernetes/MaliciousIPCaller
        10. Discovery:Kubernetes/MaliciousIPCaller.Custom
        11. Discovery:Kubernetes/SuccessfulAnonymousAccess
        12. Discovery:Kubernetes/TorIPCaller
        13. Execution:Kubernetes/ExecInKubeSystemPod
        14. Impact:Kubernetes/MaliciousIPCaller
        15. Impact:Kubernetes/MaliciousIPCaller.Custom
        16. Impact:Kubernetes/SuccessfulAnonymousAccess
        17. Impact:Kubernetes/TorIPCaller
        18. Persistence:Kubernetes/ContainerWithSensitiveMount
        19. Persistence:Kubernetes/MaliciousIPCaller
        20. Persistence:Kubernetes/MaliciousIPCaller.Custom
        21. Persistence:Kubernetes/SuccessfulAnonymousAccess
        22. Persistence:Kubernetes/TorIPCaller
        23. Policy:Kubernetes/AdminAccessToDefaultServiceAccount
        24. Policy:Kubernetes/AnonymousAccessGranted
        25. Policy:Kubernetes/ExposedDashboard
        26. Policy:Kubernetes/KubeflowDashboardExposed
        27. PrivilegeEscalation:Kubernetes/PrivilegedContainer
    2. Managing Findings
      1. Filtering findings
      2. Suppression rules
      3. Trusted and Threat lists
      4. Exporting findings
  8. Pivot to Amazon Detective
    1. Triage, Scoping, Response
  9. Internal AWS Sources
    1. CloudTrail Management Events
    2. CloudTrail S3 Data Events
    3. VPC Flow Logs
    4. DNS logs
    5. Kubernetes audit logs
  10. Amazon GuardDuty Partners
    1. Activation and Operationalization
      1. Alert Logic
      2. Sumo Logic
      3. Turbot
    2. Security Intelligence
      1. Aviatrix
      2. Check Point
      3. Expel
      4. FireEye
      5. Fortinet
      6. IBM
      7. Juniper
      8. McAfee
      9. PaloAlto
      10. Rapid7
      11. Recorded Future
      12. Sophos
      13. Splunk
      14. Trend Micro
    3. Consulting and Integration
      1. Accenture
      2. Deloitte
      3. Logicworks
    4. Alerting and Ticketing
      1. PagerDuty
  11. Threat intelligence (IP and domains)
    1. AWS Security
    2. Threat Feed 3rd party providers
      1. Proofpoint
      2. CrowdStrike
    3. Custom threat lists
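The finding types listed under "Findings" above all follow GuardDuty's documented naming format, `ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.DetectionMechanism!Artifact` (mechanism and artifact optional), and the "EventBridge (Enrichment, Actions, Notifications)" entry is where those names get turned into routing rules. The script below is an added example, not code from this page or from AWS: it parses finding-type names into their components, groups them by threat purpose, builds an EventBridge event pattern that routes a chosen subset above a severity threshold, and evaluates that pattern offline against a constructed finding event so the rule can be checked before it is deployed. The sample finding (account id, region, severity) is invented for the demonstration, and the local matcher supports only the exact-string and `numeric` comparison forms of EventBridge content filtering, which is all a GuardDuty routing rule normally needs.

```python
"""Parse GuardDuty finding-type names and build/check an EventBridge pattern."""
import json
import re
from collections import defaultdict

# Documented GuardDuty finding-type format:
#   ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.DetectionMechanism!Artifact
# DetectionMechanism (".B", ".Custom", ".InsideAWS") and Artifact ("!DNS") are optional.
FINDING_TYPE_RE = re.compile(
    r"^(?P<purpose>[A-Za-z]+):"
    r"(?P<resource>[A-Za-z0-9]+)/"
    r"(?P<family>[A-Za-z0-9&]+)"
    r"(?:\.(?P<mechanism>[A-Za-z0-9]+))?"
    r"(?:!(?P<artifact>[A-Za-z]+))?$"
)

# A handful of real finding-type names from the list above.
SAMPLE_TYPES = [
    "Backdoor:EC2/C&CActivity.B!DNS",
    "UnauthorizedAccess:EC2/SSHBruteForce",
    "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS",
    "Policy:S3/BucketPublicAccessGranted",
    "CredentialAccess:Kubernetes/SuccessfulAnonymousAccess",
    "PenTest:IAMUser/KaliLinux",
]

# Constructed finding event in the shape GuardDuty delivers to EventBridge
# (source / detail-type / detail.type / detail.severity). Values are made up.
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "severity": 5,            # hypothetical severity for the demo
        "accountId": "111122223333",
        "region": "us-east-1",
    },
}


def parse_finding_type(name):
    """Split a finding-type name into purpose/resource/family/mechanism/artifact."""
    m = FINDING_TYPE_RE.match(name)
    if not m:
        raise ValueError(f"not a GuardDuty finding type: {name!r}")
    return m.groupdict()   # unmatched optional groups come back as None


def group_by_purpose(names):
    """Bucket finding types by ThreatPurpose (Backdoor, UnauthorizedAccess, ...)."""
    groups = defaultdict(list)
    for n in names:
        groups[parse_finding_type(n)["purpose"]].append(n)
    return dict(groups)


def build_event_pattern(names, min_severity=7.0):
    """EventBridge pattern matching the given finding types at/above a severity."""
    for n in names:
        parse_finding_type(n)   # reject typos before they reach a deployed rule
    return {
        "source": ["aws.guardduty"],
        "detail-type": ["GuardDuty Finding"],
        "detail": {
            "type": sorted(names),
            "severity": [{"numeric": [">=", min_severity]}],
        },
    }


_NUMERIC_OPS = {
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    "=": lambda a, b: a == b,
}


def _field_matches(rule_values, actual):
    """One leaf of a pattern: a list of literals and/or {"numeric": [...]} rules."""
    for rv in rule_values:
        if isinstance(rv, dict) and "numeric" in rv:
            ops = rv["numeric"]   # e.g. [">=", 7] or [">", 0, "<=", 5]
            if all(_NUMERIC_OPS[ops[i]](actual, ops[i + 1]) for i in range(0, len(ops), 2)):
                return True
        elif rv == actual:
            return True
    return False


def matches_pattern(pattern, event):
    """Evaluate an EventBridge-style pattern against an event dict, offline."""
    for key, rule in pattern.items():
        if key not in event:
            return False
        if isinstance(rule, dict):
            if not isinstance(event[key], dict) or not matches_pattern(rule, event[key]):
                return False
        elif not _field_matches(rule, event[key]):
            return False
    return True


if __name__ == "__main__":
    print(json.dumps(group_by_purpose(SAMPLE_TYPES), indent=2))
    pattern = build_event_pattern(group_by_purpose(SAMPLE_TYPES)["UnauthorizedAccess"])
    print(json.dumps(pattern, indent=2))
    print("routes sample event:", matches_pattern(pattern, SAMPLE_EVENT))
```

Run it to see the grouped types, the generated pattern, and whether the constructed medium-severity SSHBruteForce event would be routed by a rule that only fires at severity 7 and above; raising the sample severity, or lowering `min_severity`, flips the result. The same `matches_pattern` check is a cheap way to unit-test suppression and routing rules against archived findings before they go into a rule set.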