Monitoring Scans

Monitoring GuardDuty Malware Protection for EC2 Scans

Scan Status and Results:

Possible Scan Statuses:

Completed: The scan has finished.
Running: The scan is ongoing.
Skipped: The scan was not performed.
Failed: The scan could not complete.

Scan Results:

Clean: No malware detected.
Infected: Malware was found.

Scan Types:

GuardDuty-Initiated: Automatically triggered by GuardDuty findings.
On-Demand: Manually initiated by users.
Retention Period:
- Scan results are retained for 90 days.

Tracking and Filtering Scans:

GuardDuty Console: Navigate to Malware Scans in the GuardDuty console to track and manage scans.

Filter Criteria: Scans can be filtered by the following attributes:

EC2_INSTANCE_ARN
SCAN_ID
ACCOUNT_ID
SCAN_TYPE (GuardDuty or On-demand)
GUARDDUTY_FINDING_ID (for GuardDuty-initiated scans)
SCAN_STATUS
SCAN_START_TIME

Filter Usage Example: Use the following AWS CLI command to retrieve scan details based on the scan ID or other filter criteria:

aws guardduty describe-malware-scans --detector-id <detector-id> \
--max-results 1 --sort-criteria '{"AttributeName": "scanStartTime", "OrderBy": "DESC"}' \
--filter-criteria '{"FilterCriterion":[{"CriterionKey":"SCAN_ID", "FilterCondition":{"EqualsValue":"123456789012"}}] }'

Customization Options:

Adjust detector-id, max-results, and EqualsValue to match your environment.
The AttributeName in the sort criteria must be scanStartTime.

PreviousEC2 Protection Resources NextEC2 Malware Protection Events: CloudWatch

Last updated 9 months ago