CTHFM: AWS
GuardDuty Concepts

Overview

Understanding the key concepts and terminology of Amazon GuardDuty is essential for effective threat detection and response within AWS. Below is a detailed guide to the fundamental terms used in GuardDuty.

1. Findings

GuardDuty generates findings, which are alerts for potential security issues detected within your AWS environment. Each finding contains details like the affected resource, severity, and a description of the issue.

  • Example finding types (the full identifier always names the affected resource type, here EC2):

    • UnauthorizedAccess:EC2/SSHBruteForce: an EC2 instance is the target, or the source, of an SSH brute-force attempt.

    • Recon:EC2/Portscan: an EC2 instance is performing outbound port scans against a remote host.

    • CryptoCurrency:EC2/BitcoinTool.B!DNS: an EC2 instance is querying a domain name associated with cryptocurrency mining.

2. Severity Levels

Each GuardDuty finding carries a numeric severity value. The documented bands are 1.0–3.9 (Low), 4.0–6.9 (Medium) and 7.0–8.9 (High); there is no 0, and values of 9.0–10.0 (Critical) are reserved for a small set of newer finding types, so filter on the numeric value rather than assuming a ceiling of 8.

| Severity level | Value range | Description |
|---|---|---|
| Low | 1.0–3.9 | Suspicious or anomalous activity that did not compromise the resource; review, but not urgent. |
| Medium | 4.0–6.9 | Activity that deviates from expected behaviour and may indicate a compromise; investigate promptly. |
| High | 7.0–8.9 | Strong indication that the resource is compromised or being actively abused; respond immediately. |

3. Detector

A detector is the per-account, per-Region GuardDuty resource that consumes the data sources and emits findings. Every API call that reads or manages findings, filters or lists takes the detector ID (a 32-character hex string returned by aws guardduty list-detectors), and a Region with no detector is a Region GuardDuty is not watching.

4. Data Sources

GuardDuty consumes its foundational data sources from independent streams inside AWS. You do not have to enable CloudTrail, VPC Flow Logs or Route 53 query logging for it to work, but the copies GuardDuty reads are never delivered to you, so keep your own logging enabled for investigation.

  • CloudTrail management events: API activity across the account, used for findings such as unusual IAM usage or credential misuse.

  • CloudTrail S3 data events: object-level bucket access, used by S3 Protection to flag unusual or unauthorized bucket activity.

  • VPC Flow Logs: network connection metadata (no payloads) for EC2 and other network interfaces, used for port scans, brute force and command-and-control traffic.

  • DNS logs: queries that pass through the Amazon Route 53 Resolver; instances configured to use another DNS server are not covered by DNS-based findings.

Optional protection plans add further sources, for example EKS audit logs, RDS login activity, Lambda network activity and runtime telemetry from the GuardDuty agent.

5. Threat Intelligence Feeds

GuardDuty matches the IPs and domains seen in those data sources against threat intelligence feeds curated by AWS Security and third-party providers such as CrowdStrike and Proofpoint, in addition to any threat lists you upload yourself. Feed matches produce findings for known-bad infrastructure quickly, while the anomaly and machine-learning detections cover activity no feed has seen before.

6. Finding Types

Every finding type follows the format ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.DetectionMechanism!Artifact, where the last two components are optional (compare CryptoCurrency:EC2/BitcoinTool.B!DNS with Recon:EC2/Portscan). The threat purpose is the first thing to read; it maps loosely onto MITRE ATT&CK tactics:

  • UnauthorizedAccess: attempts to gain access without authorization (e.g., UnauthorizedAccess:EC2/SSHBruteForce, UnauthorizedAccess:IAMUser/MaliciousIPCaller).

  • Recon: reconnaissance activity such as port scans from an EC2 instance or API enumeration with compromised credentials.

  • Exfiltration: indications that data is being moved out of your environment (e.g., Exfiltration:S3/AnomalousBehavior).

  • CryptoCurrency: EC2 instances communicating with mining pools or related domains.

Other purposes include Backdoor, Trojan, Persistence, PrivilegeEscalation, Impact, Discovery, Policy and Stealth; the full list is on the next page.
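The type string and the severity value are the two fields a hunter reads first, so it is worth having them decoded mechanically. The following is an added example (not code from the original page or from AWS) that parses the documented finding-type format into its components and maps the numeric severity onto the console labels; the Critical band is included on the assumption that newer finding types use it, and the sample findings are constructed.

```python
"""Decode GuardDuty finding types and severity values.

Added example for this page; it is not code from the original page or from
AWS. It follows the documented finding-type format
ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.DetectionMechanism!Artifact
and the severity bands Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9. The Critical
band (9.0-10.0) is included as an assumption about newer finding types.
"""
import re
from dataclasses import dataclass
from typing import Optional

# The last two components are optional: many types stop at the family name.
_FINDING_TYPE = re.compile(
    r"^(?P<purpose>[^:/.!]+):"          # ThreatPurpose, e.g. UnauthorizedAccess
    r"(?P<resource>[^:/.!]+)/"          # ResourceTypeAffected, e.g. EC2, S3, IAMUser
    r"(?P<family>[^:/.!]+)"             # ThreatFamilyName, e.g. SSHBruteForce
    r"(?:\.(?P<mechanism>[^:/.!]+))?"   # DetectionMechanism, e.g. B (optional)
    r"(?:!(?P<artifact>[^:/.!]+))?$"    # Artifact, e.g. DNS (optional)
)


@dataclass(frozen=True)
class FindingType:
    purpose: str
    resource: str
    family: str
    mechanism: Optional[str] = None
    artifact: Optional[str] = None


def parse_finding_type(value: str) -> FindingType:
    """Split a finding type string into its named components."""
    match = _FINDING_TYPE.match(value)
    if match is None:
        raise ValueError(f"not a GuardDuty finding type: {value!r}")
    return FindingType(**match.groupdict())


def severity_label(severity: float) -> str:
    """Map GuardDuty's numeric severity to its console label."""
    if 1.0 <= severity < 4.0:
        return "Low"
    if 4.0 <= severity < 7.0:
        return "Medium"
    if 7.0 <= severity < 9.0:
        return "High"
    if 9.0 <= severity <= 10.0:
        return "Critical"  # assumption: band used by newer finding types
    raise ValueError(f"severity out of range: {severity}")


def triage_line(finding: dict) -> str:
    """One-line summary a hunter can sort on: label, purpose, resource, family."""
    parsed = parse_finding_type(finding["type"])
    label = severity_label(float(finding["severity"]))
    detail = ".".join(part for part in (parsed.mechanism, parsed.artifact) if part) or "-"
    return f"{label:<8} {parsed.purpose:<18} {parsed.resource:<8} {parsed.family} ({detail})"


# Constructed sample findings (type and severity only) for this example.
SAMPLE_FINDINGS = [
    {"type": "UnauthorizedAccess:EC2/SSHBruteForce", "severity": 2.0},
    {"type": "Recon:EC2/Portscan", "severity": 5.0},
    {"type": "CryptoCurrency:EC2/BitcoinTool.B!DNS", "severity": 8.0},
    {"type": "Exfiltration:S3/AnomalousBehavior", "severity": 8.0},
]

if __name__ == "__main__":
    for finding in sorted(SAMPLE_FINDINGS, key=lambda f: -f["severity"]):
        print(triage_line(finding))
```

The regex is deliberately permissive about the characters inside each component (Backdoor:EC2/C&CActivity.B!DNS contains an ampersand) and strict about the separators, which is what distinguishes a malformed type string from a new family name you have not seen before.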

7. Member Accounts and Administrator Accounts

  • Administrator account: the account that manages GuardDuty for the others, viewing their findings and pushing configuration (auto-enable, suppression rules, trusted IP and threat lists). In AWS Organizations the management account designates a delegated GuardDuty administrator; outside Organizations, membership is by invitation.

  • Member account: an account whose findings are visible to, and whose GuardDuty settings are controlled by, the administrator account. Findings are still generated and stored in the member account; the administrator's view is an aggregation, not a move.

8. Auto-Enable

Auto-enable lets the delegated administrator turn GuardDuty on for accounts as they join the organization (NEW) or for all current and future member accounts (ALL), instead of enabling each one by hand. It applies per Region, so the setting has to be made in every Region you monitor.

9. Archive and Suppress Findings

  • Archive: hides a finding from the current-findings view without deleting it. Archiving is a housekeeping state, not a resolution record; archived findings stay queryable (filter on service.archived = true) until the retention period ends.

  • Suppress findings: a suppression rule is a saved filter with the action ARCHIVE, so findings that match it are archived automatically as they arrive. Use it for known benign activity to cut noise, and keep the criteria narrow.

10. Suppression Rules

A suppression rule is created as a filter whose action is ARCHIVE. New findings that match every criterion are archived on arrival and, because suppressed findings are not forwarded to Security Hub, EventBridge, Detective or the S3 export, a rule that is too broad silently removes evidence from every downstream system. Scope rules to the specific resource or source that is expected to trigger them rather than to a whole finding type or account. Note also that the finding type is Recon:EC2/Portscan (lowercase s); a rule keyed on the wrong string simply never matches.

The example below suppresses port-scan findings from one authorized vulnerability-scanner instance, using the finding-criteria JSON that the CreateFilter API accepts (the detector ID is a placeholder):

aws guardduty create-filter \
  --detector-id 12abc34d567e8fa901bc2d34e56789f0 \
  --name SuppressAuthorizedScanner \
  --action ARCHIVE \
  --finding-criteria '{
    "Criterion": {
      "type": {"Eq": ["Recon:EC2/Portscan"]},
      "resource.instanceDetails.instanceId": {"Eq": ["i-0abcd1234efgh5678"]}
    }
  }'
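Because a suppression rule takes effect on arrival and hides what it matches from every downstream consumer, it pays to dry-run the criteria against findings you already have before creating the filter. The following is an added example (not code from the original page or from AWS) that re-implements the subset of FindingCriteria semantics used above so a rule can be evaluated locally against findings pulled with ListFindings/GetFindings; the sample findings and criteria are constructed, and the older operator aliases (Equals, GreaterThanOrEqual, ...) are mapped onto the short forms.

```python
"""Dry-run a GuardDuty suppression rule against findings before creating it.

Added example for this page; not code from the original page or from AWS.
It re-implements the subset of the FindingCriteria semantics that CreateFilter
accepts: each key is a dotted path into the finding JSON, and its conditions
use Eq/Neq (membership in a list of strings) or Gt/Gte/Lt/Lte (numeric). The
findings and criteria below are constructed for the example.
"""
from typing import Any, Dict, List, Tuple

# Older operator names still accepted by the API, mapped to the short forms.
_ALIASES = {
    "Equals": "Eq", "NotEquals": "Neq",
    "GreaterThan": "Gt", "GreaterThanOrEqual": "Gte",
    "LessThan": "Lt", "LessThanOrEqual": "Lte",
}


def _lookup(finding: Dict[str, Any], path: str) -> Any:
    """Follow a dotted path such as resource.instanceDetails.instanceId."""
    node: Any = finding
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def matches(finding: Dict[str, Any], criteria: Dict[str, Any]) -> bool:
    """True when every criterion in criteria['Criterion'] holds for the finding."""
    for path, conditions in criteria["Criterion"].items():
        value = _lookup(finding, path)
        for op, operand in conditions.items():
            op = _ALIASES.get(op, op)
            if op == "Eq":
                # A missing field never equals anything (this example's choice).
                ok = value is not None and str(value) in operand
            elif op == "Neq":
                ok = value is None or str(value) not in operand
            elif op in ("Gt", "Gte", "Lt", "Lte"):
                if value is None:
                    return False
                number = float(value)
                ok = {"Gt": number > operand, "Gte": number >= operand,
                      "Lt": number < operand, "Lte": number <= operand}[op]
            else:
                raise ValueError(f"unsupported operator: {op}")
            if not ok:
                return False
    return True


def dry_run(findings: List[Dict[str, Any]], criteria: Dict[str, Any]) -> Tuple[List[str], List[str]]:
    """Split findings into (would be archived, would stay active) by finding id."""
    archived = [f["id"] for f in findings if matches(f, criteria)]
    kept = [f["id"] for f in findings if not matches(f, criteria)]
    return archived, kept


def create_filter_request(detector_id: str, name: str, criteria: Dict[str, Any]) -> Dict[str, Any]:
    """Keyword arguments for boto3 guardduty.create_filter(**kwargs) as a suppression rule."""
    return {
        "DetectorId": detector_id,
        "Name": name,
        "Action": "ARCHIVE",
        "Description": "Auto-archive findings matching this rule",
        "FindingCriteria": criteria,
    }


# Constructed rule: port scans from one authorized scanner instance, but never
# anything High, so a compromised scanner still surfaces.
SUPPRESS_AUTHORIZED_SCANNER = {
    "Criterion": {
        "type": {"Eq": ["Recon:EC2/Portscan"]},
        "resource.instanceDetails.instanceId": {"Eq": ["i-0c5a11e700000001"]},
        "severity": {"Lte": 6},
    }
}

# Constructed findings, trimmed to the fields the rule inspects.
SAMPLE_FINDINGS = [
    {"id": "f1", "type": "Recon:EC2/Portscan", "severity": 5.0,
     "resource": {"instanceDetails": {"instanceId": "i-0c5a11e700000001"}}},
    {"id": "f2", "type": "Recon:EC2/Portscan", "severity": 5.0,
     "resource": {"instanceDetails": {"instanceId": "i-0abcd1234efgh5678"}}},
    {"id": "f3", "type": "UnauthorizedAccess:EC2/SSHBruteForce", "severity": 2.0,
     "resource": {"instanceDetails": {"instanceId": "i-0c5a11e700000001"}}},
]

if __name__ == "__main__":
    archived, kept = dry_run(SAMPLE_FINDINGS, SUPPRESS_AUTHORIZED_SCANNER)
    print("would archive:", archived, "| would keep:", kept)
    print(create_filter_request("12abc34d567e8fa901bc2d34e56789f0",
                                "SuppressAuthorizedScanner", SUPPRESS_AUTHORIZED_SCANNER))
```

Once the dry run archives only what you expect, pass the returned kwargs to boto3's guardduty.create_filter; the severity ceiling in the criteria is the habit worth keeping, since a rule that also swallows High findings from the "trusted" scanner is exactly the blind spot an attacker who lands on it needs.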

11. Region-Level Configuration

GuardDuty is a Regional service: a detector, its suppression rules, lists and member configuration exist per Region, and nothing in one Region sees activity in another. Enable it in every Region, including ones you never use, because credentials stolen from your account work in all of them; a quick audit is to run aws guardduty list-detectors in each Region and look for an empty DetectorIds list. Opt-in Regions that are disabled by default must be enabled at the account level before GuardDuty can run there.

12. Integration with AWS Services

GuardDuty integrates with several AWS services to turn findings into action:

  • Amazon EventBridge: every new finding is published as an event (source aws.guardduty, detail-type "GuardDuty Finding"), and recurring findings are republished at a configurable interval of 15 minutes, 1 hour or 6 hours. This is the path for routing findings to SNS, Lambda, a SIEM or a ticketing system.

  • AWS Security Hub: aggregates GuardDuty findings in the AWS Security Finding Format alongside findings from other services, across accounts and Regions.

  • AWS Lambda: invoked by an EventBridge rule to automate responses, such as isolating a compromised EC2 instance or deactivating an IAM access key.

  • Amazon S3: the finding export destination (encrypted with a KMS key you control) for retention beyond GuardDuty's own window and for querying with Athena.

  • Amazon Detective: pivots from a finding into the related CloudTrail, VPC Flow Log and EKS activity for investigation.

13. Finding History

GuardDuty retains findings for 90 days after they were last updated, then deletes them. If you need a longer investigation window or trend analysis across quarters, configure the S3 export before you need it; Athena over the exported JSON is the usual way to query it.

14. Trusted IP Lists and Threat Lists

  • Trusted IP list: IP addresses and CIDR ranges (your own egress, partner VPNs, authorized scanners) for which GuardDuty does not generate VPC Flow Log or CloudTrail based findings. Only one trusted IP list can be active per account and Region, with up to 2,000 entries.

  • Threat list: IP addresses and CIDR ranges (not domains) that GuardDuty treats as known malicious, producing findings such as UnauthorizedAccess:EC2/MaliciousIPCaller.Custom when a resource communicates with them. Up to six threat lists can be active per account and Region, each with up to 250,000 entries. Both kinds of list are uploaded as objects in S3 in plaintext or one of the supported STIX/CSV formats, and in a multi-account setup only the administrator account's lists take effect.
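A list that fails validation at upload is easy to spot; a list that uploads fine but trusts a range you also flag as malicious is not. The following is an added example (not code from the original page or from AWS) that checks plaintext list files against the limits above, catches duplicates and bad entries line by line, and reports ranges that appear on both lists so the conflict can be resolved before upload. The sample lists are constructed.

```python
"""Validate trusted IP and threat list files before uploading them to GuardDuty.

Added example for this page; not code from the original page or from AWS. It
checks the plaintext (TXT) list format, one IPv4/IPv6 address or CIDR range per
line, against the documented limits of 2,000 entries for a trusted IP list and
250,000 for a threat list, and reports entries that overlap between the two
lists. The sample lists below are constructed for the example.
"""
import ipaddress
from typing import Any, Dict, List, Set, Tuple

LIMITS = {"trusted": 2000, "threat": 250000}  # entries per list, per GuardDuty docs


def parse_ip_list(text: str) -> List[Any]:
    """Parse a TXT list. Blank lines and '#' comments are skipped; bare IPs become /32 or /128."""
    networks: List[Any] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            networks.append(ipaddress.ip_network(line, strict=False))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {line!r} is not an IP address or CIDR range") from exc
    return networks


def validate(kind: str, text: str) -> Dict[str, Any]:
    """Report entry count and problems for a 'trusted' or 'threat' list file."""
    networks = parse_ip_list(text)
    problems: List[str] = []
    if len(networks) > LIMITS[kind]:
        problems.append(f"{len(networks)} entries exceeds the {LIMITS[kind]}-entry limit for a {kind} list")
    seen: Set[Any] = set()
    for net in networks:
        if net in seen:
            problems.append(f"duplicate entry {net}")
        seen.add(net)
    return {"kind": kind, "entries": len(networks), "problems": problems}


def overlaps(trusted: List[Any], threat: List[Any]) -> List[Tuple[str, str]]:
    """Pairs (trusted, threat) whose ranges intersect; an address cannot sensibly be both."""
    return [
        (str(t), str(x))
        for t in trusted
        for x in threat
        if t.version == x.version and t.overlaps(x)
    ]


# Constructed sample lists using documentation address ranges.
TRUSTED_TXT = """\
# Corporate egress and scanner (constructed)
203.0.113.10
203.0.113.0/28
2001:db8::/48
"""

THREAT_TXT = """\
198.51.100.0/24
203.0.113.12    # sits inside the trusted /28 above
198.51.100.0/24  # duplicate
"""

if __name__ == "__main__":
    for kind, text in (("trusted", TRUSTED_TXT), ("threat", THREAT_TXT)):
        print(validate(kind, text))
    print("overlaps:", overlaps(parse_ip_list(TRUSTED_TXT), parse_ip_list(THREAT_TXT)))
```

Run this against both files together, not each in isolation; the overlap check is the one that catches the scanner whose address was added to a threat feed after someone saw it scanning.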

15. Remediation Options

  • Manual remediation: a responder reads the finding, confirms it against CloudTrail, VPC Flow Logs and the instance or identity involved, then acts: rotate or deactivate the credential, isolate or snapshot the instance, revoke IAM sessions, close the exposed port. Archive the finding only after the underlying cause is addressed, otherwise it recurs.

  • Automated remediation: an EventBridge rule matches findings by type and severity and invokes a Lambda function that performs a pre-agreed containment step (for example, moving an instance into a quarantine security group). Automate only for high-confidence finding types where the action is reversible, and record what was done on the resource (a tag, a ticket) so the responder can see it.

Example of an SSH brute-force finding (abbreviated: a real finding also carries id, arn, accountId, region, title, description, createdAt and updatedAt, and the severity here is an illustrative value):

{
  "type": "UnauthorizedAccess:EC2/SSHBruteForce",
  "severity": 6.5,
  "resource": {
    "resourceType": "Instance",
    "instanceDetails": {
      "instanceId": "i-0abcd1234efgh5678"
    }
  },
  "service": {
    "serviceName": "guardduty",
    "count": 37,
    "action": {
      "actionType": "NETWORK_CONNECTION",
      "networkConnectionAction": {
        "connectionDirection": "INBOUND",
        "protocol": "TCP",
        "localPortDetails": {
          "port": 22,
          "portName": "SSH"
        },
        "remoteIpDetails": {
          "ipAddressV4": "192.0.2.123",
          "organization": {
            "asn": "12345",
            "asnOrg": "EXAMPLE-AS",
            "isp": "MaliciousISP",
            "org": "MaliciousISP"
          }
        }
      }
    }
  }
}

The connectionDirection field is the one that decides the response: INBOUND means the instance is the target of the brute force and the question is whether port 22 should be reachable from 192.0.2.123 at all; OUTBOUND means the instance itself is attacking other hosts and is almost certainly compromised.
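Automated remediation is only as safe as the decision logic in front of it, and the direction distinction above is exactly the kind of check that logic needs. The following is an added example (not code from the original page or from AWS) of a Lambda handler for the EventBridge path described under Integration with AWS Services: it isolates the EC2 instance named in a finding by replacing its security groups with a quarantine group, but only for an allowlist of finding types at Medium severity or above, and never for an instance that is merely the target of an inbound brute force. The EventBridge rule, the quarantine security group ID in the QUARANTINE_SG environment variable, the allowlist and the sample events are all assumptions constructed for the example; the EC2 client is injected so the policy can be exercised offline with the fake client at the bottom.

```python
"""Automated remediation: quarantine the EC2 instance named in a GuardDuty finding.

Added example for this page; not code from the original page or from AWS. It
assumes an EventBridge rule matching source "aws.guardduty" and detail-type
"GuardDuty Finding" that invokes this Lambda, and a pre-created security group
with no inbound or outbound rules whose ID is in the QUARANTINE_SG environment
variable (both assumptions). The EC2 client is injected so the policy can be
exercised offline with the fake client below; in Lambda, pass boto3.client("ec2").
"""
import os
from typing import Any, Dict, List, Optional, Tuple

# Constructed allowlist: finding types where cutting the instance off the
# network is the accepted first response.
ISOLATE_TYPES = {
    "UnauthorizedAccess:EC2/SSHBruteForce",
    "CryptoCurrency:EC2/BitcoinTool.B!DNS",
    "Backdoor:EC2/C&CActivity.B!DNS",
}
MIN_SEVERITY = 4.0  # Medium and above


def should_isolate(finding: Dict[str, Any]) -> Tuple[bool, str]:
    """Decide whether the finding warrants isolating the instance, with a reason."""
    ftype = finding.get("type", "")
    if ftype not in ISOLATE_TYPES:
        return False, "type not in isolation allowlist"
    if float(finding.get("severity", 0)) < MIN_SEVERITY:
        return False, "below severity threshold"
    direction = (finding.get("service", {}).get("action", {})
                 .get("networkConnectionAction", {}).get("connectionDirection"))
    # An INBOUND brute-force finding means the instance is the target: isolating
    # it takes the service down without removing the attacker, so leave it to a human.
    if ftype == "UnauthorizedAccess:EC2/SSHBruteForce" and direction != "OUTBOUND":
        return False, "instance is the target, not the actor"
    return True, "policy match"


def isolate_instance(finding: Dict[str, Any], ec2: Any, quarantine_sg: str) -> Dict[str, Any]:
    """Apply the policy and, if it matches, swap the instance into the quarantine group."""
    instance_id = finding.get("resource", {}).get("instanceDetails", {}).get("instanceId")
    if not instance_id:
        return {"action": "none", "reason": "no instanceId in finding"}
    decision, reason = should_isolate(finding)
    if not decision:
        return {"action": "none", "instanceId": instance_id, "reason": reason}
    # Replacing the group set (not adding to it) is what actually cuts traffic.
    # This changes the primary network interface; instances with extra ENIs need
    # modify_network_interface_attribute on each of those as well.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[quarantine_sg])
    # Leave a visible record for the responder who picks this up.
    ec2.create_tags(Resources=[instance_id], Tags=[
        {"Key": "GuardDutyQuarantine", "Value": finding.get("id", "unknown")},
        {"Key": "GuardDutyFindingType", "Value": finding["type"]},
    ])
    return {"action": "isolated", "instanceId": instance_id, "reason": reason}


def lambda_handler(event: Dict[str, Any], context: Any = None,
                   ec2: Any = None, quarantine_sg: Optional[str] = None) -> Dict[str, Any]:
    """Lambda entry point. EventBridge wraps the finding in event['detail']."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        return {"action": "none", "reason": "not a GuardDuty finding event"}
    if ec2 is None:
        import boto3  # only needed when running inside Lambda
        ec2 = boto3.client("ec2")
    return isolate_instance(event["detail"], ec2, quarantine_sg or os.environ["QUARANTINE_SG"])


class FakeEC2:
    """Records the calls a real boto3 EC2 client would receive."""

    def __init__(self) -> None:
        self.calls: List[Tuple[str, Dict[str, Any]]] = []

    def modify_instance_attribute(self, **kwargs: Any) -> None:
        self.calls.append(("modify_instance_attribute", kwargs))

    def create_tags(self, **kwargs: Any) -> None:
        self.calls.append(("create_tags", kwargs))


def _event(finding: Dict[str, Any]) -> Dict[str, Any]:
    return {"source": "aws.guardduty", "detail-type": "GuardDuty Finding", "detail": finding}


INSTANCE = {"instanceDetails": {"instanceId": "i-0abcd1234efgh5678"}}
# Constructed EventBridge events for the example.
CRYPTO_EVENT = _event({"id": "f-crypto", "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
                       "severity": 8.0, "resource": INSTANCE})
INBOUND_SSH_EVENT = _event({"id": "f-ssh-in", "type": "UnauthorizedAccess:EC2/SSHBruteForce",
                            "severity": 5.0, "resource": INSTANCE, "service": {"action": {
                                "networkConnectionAction": {"connectionDirection": "INBOUND"}}}})
OUTBOUND_SSH_EVENT = _event({"id": "f-ssh-out", "type": "UnauthorizedAccess:EC2/SSHBruteForce",
                             "severity": 5.0, "resource": INSTANCE, "service": {"action": {
                                 "networkConnectionAction": {"connectionDirection": "OUTBOUND"}}}})

if __name__ == "__main__":
    fake = FakeEC2()
    for ev in (CRYPTO_EVENT, INBOUND_SSH_EVENT, OUTBOUND_SSH_EVENT):
        print(lambda_handler(ev, ec2=fake, quarantine_sg="sg-0123456789abcdef0"))
    print(fake.calls)
```

The Lambda's execution role needs only ec2:ModifyInstanceAttribute and ec2:CreateTags, ideally scoped with a condition on the quarantine group; it does not need to read findings, because EventBridge delivers the whole finding in the event.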

Best Practices for GuardDuty

  1. Enable GuardDuty in all Regions: attackers deliberately use Regions you do not operate in, where nothing else is watching, so enable it everywhere; auto-enable through the delegated administrator makes this one setting per Region rather than one per account.

  2. Automate responses with Lambda: route high-severity, high-confidence finding types through EventBridge to a Lambda function that performs a reversible containment step, and leave ambiguous findings (such as being the target of a brute-force attempt) to a human.

  3. Filter noise with suppression rules: suppress only expected activity, scoped to the resource or source that produces it, and review the rules periodically; a suppressed finding is archived and not forwarded downstream.

  4. Integrate with Security Hub: consolidate findings from all accounts and Regions in one place and correlate them with other services' findings.

  5. Monitor finding trends: export findings to S3 and query them with Athena to spot recurring sources, repeatedly affected resources and changes beyond the 90-day native retention.


Last updated 8 months ago