☁️
CTHFM: AWS
  • Welcome
  • Getting Started
    • Account Setup
  • AWS CLI
    • AWS CLI Overview
    • Installation
  • AWS Fundamentals
    • AWS Documentation
    • AWS Shared Responsibility Model
    • Organizational Hierarchy
    • AWS Principals
    • IAM Fundamentals
      • IAM Policy Components
      • IAM Documentation References
    • AWS Security Services Overview
    • AWS Core Services
    • AWS Frameworks
    • Regions and Availability Zones
  • SQL
    • SQL Refresher for Threat Hunting
  • Logging Reference
    • Cloudtrail
      • What is Cloudtrail?
      • Setting Up Cloudtrail
      • Cloudtrail Events Structure
      • Filtering and Searching CloudTrail Logs
      • IAM ID Prefixes
      • Additional Resources
      • API References
    • VPCFlow Logs
    • GuardDuty
      • Multi-Account Setup
      • GuardDuty Concepts
      • GuardDuty Finding References
      • S3 Protection
      • Malware Protection
        • EC2 Malware Protection
          • EC2 Protection Resources
          • Monitoring Scans
          • EC2 Malware Protection Events: CloudWatch
        • S3 Malware Protection
          • Enabling S3 Malware Protection
          • After Enabling S3 Malware Protection
          • S3 Malware Resource Plan Status
          • S3 Malware Protection Quotas
      • RDS Protection Enablement
      • Lambda Protection Enablement
      • Trusted IP Lists and Threat Lists in Amazon GuardDuty
      • Remediation Recommendations
      • GuardDuty API Reference
      • GuardDuty Quotas
    • Access Analyzer
      • Setup
      • External Access and Unused Access Analyzer Findings
      • Review Findings
      • Access Analyzer Resources
      • Access Analyzer API Reference
    • AWS Network Firewall
      • Permissions
      • Firewall Log Contents
      • Logging Destinations
      • CloudWatch Firewall Metrics
    • AWS Config
      • Resource Management in AWS Config
      • AWS Config Integrations
      • AWS Config Resources
      • Configuration Item
      • Config Rules
        • Evaluation Modes
  • CloudWatch
    • Amazon CloudWatch
      • CloudWatch Concepts
      • CloudWatch Metrics
        • Filter Pattern Syntax
      • CloudWatch Alarms
        • Alarm Recommendations
      • Subscriptions
      • CloudWatch Agent
      • CloudWatch Insights
        • Supported Logs and Discovered Fields
        • CloudWatch Insights Query Syntax
      • Anomaly Detection
        • Create Anomaly Detector
        • Alarms for Anomaly Detections
      • CloudWatch Filter Syntax
      • CloudWatch Service Quota
  • Athena For Threat Hunting
    • Introduction to Athena
    • Setting Up Athena
    • SQL For Threat Hunters
    • Automated Response
    • Query Best Practices
  • AWS Security Research and Resources
    • AWS Security Blog
    • AWS Goat
    • Cloud Goat
    • Pacu
    • Prowler
    • Scout Suite
  • Threat Hunting in AWS
    • Threat Hunting in AWS
    • Threat Hunting Introduction
    • Threat Hunting Process
      • Hypothesis Generation
      • Investigation
      • Identification
      • Resolution & Follow Up
    • Pyramid of Pain
    • MITRE Att&ck
      • MITRE Att&ck Concepts
      • MITRE Att&CK Data Sources
      • MITRE Att&CK Mitigations
    • MITRE Att&ck: AWS
      • MITRE Att&CK Matrix
      • Amazon Web Services Security Control Mappings
    • AWS Threat Hunting Ideas
      • AWS Threat Hunting Ideas: EC2
      • AWS Threat Hunting Ideas: Lambda
      • AWS Threat Hunting Ideas: SQS
      • AWS Threat Hunting Ideas: SNS
      • AWS Threat Hunting Ideas: RDS
Powered by GitBook
On this page
  • What is Amazon GuardDuty?
  • How GuardDuty Works
  • Log Record Structure of GuardDuty Findings
  1. Logging Reference

GuardDuty

What is Amazon GuardDuty?

Amazon GuardDuty is a managed threat detection service in AWS that continuously monitors your cloud environment for anomalies, malicious activity, and known threats. It analyzes data sources such as CloudTrail logs, VPC Flow Logs, and DNS logs to identify suspicious behaviors, unauthorized access attempts, and compromised resources. GuardDuty also uses machine learning and threat intelligence feeds to provide contextual alerts called findings.

GuardDuty plays a key role in AWS security by providing actionable alerts, helping threat hunters detect and respond to threats efficiently.

How GuardDuty Works

  1. Data Sources Used by GuardDuty:

    • CloudTrail Management Events: Detects unusual API activity.

    • CloudTrail S3 Data Events: Monitors access to S3 buckets for unauthorized access.

    • VPC Flow Logs: Analyzes network traffic for suspicious connections.

    • DNS Logs: Identifies attempts to resolve malicious domains.

  2. Threat Detection Techniques:

    • Anomaly Detection: Detects deviations from normal behavior (e.g., unusual IP activity).

    • Threat Intelligence: Uses feeds from AWS and external providers to detect known malicious IPs and domains.

    • Machine Learning Models: Identifies patterns of attacks like brute force attempts and data exfiltration.

  3. GuardDuty Findings: Each finding includes:

    • Resource involved: The EC2 instance, IAM user, or service targeted.

    • Severity: A score between 0 and 8 (Low, Medium, or High).

    • Description: A detailed message about the detected issue.

Log Record Structure of GuardDuty Findings

Each GuardDuty finding provides detailed information about the anomalous event. Here’s an example of the JSON structure for a finding:

{
  "id": "12abc345-678d-901e-2345-678f901g2h34",
  "severity": 7.5,
  "resource": {
    "instanceDetails": {
      "instanceId": "i-0123456789abcdef0",
      "tags": [{"key": "Name", "value": "web-server"}]
    }
  },
  "type": "UnauthorizedAccess:EC2/SSHBruteForce",
  "description": "An SSH brute force attack was detected on an EC2 instance.",
  "service": {
    "detectorId": "abc12345-6789-def0-1234-567890abcdef",
    "action": {
      "actionType": "NETWORK_CONNECTION",
      "networkConnectionAction": {
        "remoteIpDetails": {
          "ipAddressV4": "203.0.113.25",
          "organization": {"asn": "AS12345"}
        }
      }
    }
  }
}
PreviousVPCFlow LogsNextMulti-Account Setup

Last updated 8 months ago