Amazon GuardDuty

Amazon GuardDuty Security Blogs
AWS re:Post questions for Amazon GuardDuty
Amazon GuardDuty FAQs
Amazon GuardDuty Pricing
Free Cybersecurity Training
Automated response & remediation
1. Integration with AWS Security Hub
2. EventBridge (Enrichment, Actions, Notifications)
Anomaly Detection & Machine Learning
1. EC2 findings
  1. Backdoor:EC2/C&CActivity.B
  2. Backdoor:EC2/C&CActivity.B!DNS
  3. Backdoor:EC2/DenialOfService.Dns
  4. Backdoor:EC2/DenialOfService.Tcp
  5. Backdoor:EC2/DenialOfService.Udp
  6. Backdoor:EC2/DenialOfService.UdpOnTcpPorts
  7. Backdoor:EC2/DenialOfService.UnusualProtocol
  8. Backdoor:EC2/Spambot
  9. Behavior:EC2/NetworkPortUnusual
  10. Behavior:EC2/TrafficVolumeUnusual
  11. CryptoCurrency:EC2/BitcoinTool.B
  12. CryptoCurrency:EC2/BitcoinTool.B!DNS
  13. Impact:EC2/AbusedDomainRequest.Reputation
  14. Impact:EC2/BitcoinDomainRequest.Reputation
  15. Impact:EC2/MaliciousDomainRequest.Reputation
  16. Impact:EC2/PortSweep
  17. Impact:EC2/SuspiciousDomainRequest.Reputation
  18. Impact:EC2/WinRMBruteForce
  19. Recon:EC2/PortProbeEMRUnprotectedPort
  20. Recon:EC2/PortProbeUnprotectedPort
  21. Recon:EC2/Portscan
  22. Trojan:EC2/BlackholeTraffic
  23. Trojan:EC2/BlackholeTraffic!DNS
  24. Trojan:EC2/DGADomainRequest.B
  25. Trojan:EC2/DGADomainRequest.C!DNS
  26. Trojan:EC2/DNSDataExfiltration
  27. Trojan:EC2/DriveBySourceTraffic!DNS
  28. Trojan:EC2/DropPoint
  29. Trojan:EC2/DropPoint!DNS
  30. Trojan:EC2/PhishingDomainRequest!DNS
  31. UnauthorizedAccess:EC2/MaliciousIPCaller.Custom
  32. UnauthorizedAccess:EC2/MetadataDNSRebind
  33. UnauthorizedAccess:EC2/RDPBruteForce
  34. UnauthorizedAccess:EC2/SSHBruteForce
  35. UnauthorizedAccess:EC2/TorClient
  36. UnauthorizedAccess:EC2/TorRelay
2. IAM findings
  1. CredentialAccess:IAMUser/AnomalousBehavior
  2. DefenseEvasion:IAMUser/AnomalousBehavior
  3. Discovery:IAMUser/AnomalousBehavior
  4. Exfiltration:IAMUser/AnomalousBehavior
  5. Impact:IAMUser/AnomalousBehavior
  6. InitialAccess:IAMUser/AnomalousBehavior
  7. PenTest:IAMUser/KaliLinux
  8. PenTest:IAMUser/ParrotLinux
  9. PenTest:IAMUser/PentooLinux
  10. Persistence:IAMUser/AnomalousBehavior
  11. Policy:IAMUser/RootCredentialUsage
  12. PrivilegeEscalation:IAMUser/AnomalousBehavior
  13. Recon:IAMUser/MaliciousIPCaller
  14. Recon:IAMUser/MaliciousIPCaller.Custom
  15. Recon:IAMUser/TorIPCaller
  16. Stealth:IAMUser/CloudTrailLoggingDisabled
  17. Stealth:IAMUser/PasswordPolicyChange
  18. UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B
  19. UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS
  20. UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS
  21. UnauthorizedAccess:IAMUser/MaliciousIPCaller
  22. UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom
  23. UnauthorizedAccess:IAMUser/TorIPCaller
3. S3 findings
  1. Discovery:S3/MaliciousIPCaller
  2. Discovery:S3/MaliciousIPCaller.Custom
  3. Discovery:S3/TorIPCaller
  4. Exfiltration:S3/MaliciousIPCaller
  5. Exfiltration:S3/ObjectRead.Unusual
  6. Impact:S3/MaliciousIPCaller
  7. PenTest:S3/KaliLinux
  8. PenTest:S3/ParrotLinux
  9. PenTest:S3/PentooLinux
  10. Policy:S3/AccountBlockPublicAccessDisabled
  11. Policy:S3/BucketAnonymousAccessGranted
  12. Policy:S3/BucketBlockPublicAccessDisabled
  13. Policy:S3/BucketPublicAccessGranted
  14. Stealth:S3/ServerAccessLoggingDisabled
  15. UnauthorizedAccess:S3/MaliciousIPCaller.Custom
  16. UnauthorizedAccess:S3/TorIPCaller
4. Kubernetes findings
  1. CredentialAccess:Kubernetes/MaliciousIPCaller
  2. CredentialAccess:Kubernetes/MaliciousIPCaller.Custom
  3. CredentialAccess:Kubernetes/SuccessfulAnonymousAccess
  4. CredentialAccess:Kubernetes/TorIPCaller
  5. DefenseEvasion:Kubernetes/MaliciousIPCaller
  6. DefenseEvasion:Kubernetes/MaliciousIPCaller.Custom
  7. DefenseEvasion:Kubernetes/SuccessfulAnonymousAccess
  8. DefenseEvasion:Kubernetes/TorIPCaller
  9. Discovery:Kubernetes/MaliciousIPCaller
  10. Discovery:Kubernetes/MaliciousIPCaller.Custom
  11. Discovery:Kubernetes/SuccessfulAnonymousAccess
  12. Discovery:Kubernetes/TorIPCaller
  13. Execution:Kubernetes/ExecInKubeSystemPod
  14. Impact:Kubernetes/MaliciousIPCaller
  15. Impact:Kubernetes/MaliciousIPCaller.Custom
  16. Impact:Kubernetes/SuccessfulAnonymousAccess
  17. Impact:Kubernetes/TorIPCaller
  18. Persistence:Kubernetes/ContainerWithSensitiveMount
  19. Persistence:Kubernetes/MaliciousIPCaller
  20. Persistence:Kubernetes/MaliciousIPCaller.Custom
  21. Persistence:Kubernetes/SuccessfulAnonymousAccess
  22. Persistence:Kubernetes/TorIPCaller
  23. Policy:Kubernetes/AdminAccessToDefaultServiceAccount
  24. Policy:Kubernetes/AnonymousAccessGranted
  25. Policy:Kubernetes/ExposedDashboard
  26. Policy:Kubernetes/KubeflowDashboardExposed
  27. PrivilegeEscalation:Kubernetes/PrivilegedContainer
Pivot to Amazon Detective
1. Triage, Scoping, Response
Internal AWS Sources
1. CloudTrail Management Events
2. CloudTrail S3 Data Events
3. VPC Flow Logs
4. DNS logs
5. Kubernetes audit logs
Amazon GuardDuty Partners
1. Activation and Operationalization
  1. Alert Logic
  2. Sumo Logic
  3. Turbot
2. Security Intelligence
  1. Aviatrix
  2. Check Point
  3. Expel
  4. FireEye
  5. Fortinet
  6. IBM
  7. Juniper
  8. McAfee
  9. PaloAlto
  10. Rapid7
  11. Recorded Future
  12. Sophos
  13. Splunk
  14. Trend Micro
3. Consulting and Integration
  1. Accenture
  2. Deloitte
  3. Logicworks
4. Alerting and Ticketing
  1. PagerDuty
Threat intelligence (IP and domains)
1. AWS Security
2. Threat Feed 3rd party providers
  1. Proofpoint
  2. CrowdStrike
3. Custom threat lists