GuardDuty
- Analyzes selected logs to produce observable records of suspicious activities (findings):
  - VPC Flow Logs (does not require you to enable VPC Flow Logs)
  - CloudTrail (does not require you to create a trail)
  - DNS queries (from VPC DNS resolvers)
  - ECS Runtime Monitoring
- Regional: findings can be aggregated via CloudWatch Events and pushed to a central store
- Based on threat intelligence (IP address and domain-based lists) and machine learning
- Receives feeds from third parties such as Proofpoint, CrowdStrike, and AWS Security for known malicious domains/IP addresses
- Sample malicious behaviour flagged:
  - Unusual API calls, calls from a known malicious IP
  - Attempts to disable CloudTrail logging
  - Unauthorized deployments
  - Compromised instances
  - Reconnaissance by attackers
    - Port scanning, failed logins

Components

| Component | Description |
|---|---|
| Detector | Consumes information and generates findings within a specific AWS account and region. Suspension: GuardDuty allows you to disable or suspend the detector in an account, on a per-region basis. Suspending a detector stops the detection of new findings but keeps information about previously detected findings; disabling a detector stops the detection and deletes all related findings. |
| Finding | Attributes: ID, time of the finding, severity, finding type, affected resources, action details. Naming convention: the name contains, in order, the threat purpose (objective of the attack), the resource type affected by the suspicious activity, the threat family name and variant (optional), and the artifact (type of resource owned by the attacker). |
| Master Account | The master account receives findings from other (member) accounts. It has the capability to manage (enable, disable, or suspend) the detectors, manage the findings workflow (archive findings and create suppression rules), and configure threat lists for member accounts. |
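The naming convention in the Finding row is easiest to see in code. The following is an added example, not code from the page or from AWS: it parses finding-type names of the documented form `ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.DetectionMechanism!Artifact` into their components and groups a list of findings by threat purpose for triage. The finding type names used are real GuardDuty types; the finding ids and severities are constructed.

```python
"""Parse GuardDuty finding-type names into the components described above.

Added illustration code, not part of GuardDuty or the AWS SDK. The format
ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.DetectionMechanism!Artifact
is the one AWS documents for finding types; the sample findings are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

_FINDING_TYPE = re.compile(
    r"^(?P<purpose>[A-Za-z]+):"                  # threat purpose, e.g. Recon
    r"(?P<resource>[A-Za-z0-9]+)"                # affected resource type, e.g. EC2
    r"(?:/(?P<family>[A-Za-z0-9&]+)"             # threat family name (optional)
    r"(?:\.(?P<variant>[A-Za-z0-9]+))?)?"        # variant / detection mechanism (optional)
    r"(?:!(?P<artifact>[A-Za-z0-9]+))?$"         # artifact, e.g. DNS (optional)
)


@dataclass(frozen=True)
class FindingType:
    purpose: str
    resource: str
    family: Optional[str]
    variant: Optional[str]
    artifact: Optional[str]


def parse_finding_type(name: str) -> FindingType:
    """Split a finding type name into its parts; raise on anything malformed."""
    m = _FINDING_TYPE.match(name)
    if m is None:
        raise ValueError(f"unrecognised finding type: {name!r}")
    return FindingType(**m.groupdict())


def summarize_by_purpose(findings):
    """Count findings per threat purpose, a quick triage view of what the
    activity appears to be aiming at (recon, persistence, stealth, ...)."""
    counts = {}
    for f in findings:
        purpose = parse_finding_type(f["type"]).purpose
        counts[purpose] = counts.get(purpose, 0) + 1
    return counts


# Constructed sample findings (ids and severities are made up; the type names
# are real GuardDuty finding types).
SAMPLE_FINDINGS = [
    {"id": "constructed-1", "severity": 2, "type": "Recon:EC2/PortProbeUnprotectedPort"},
    {"id": "constructed-2", "severity": 5, "type": "Recon:IAMUser/MaliciousIPCaller"},
    {"id": "constructed-3", "severity": 8, "type": "Backdoor:EC2/C&CActivity.B!DNS"},
    {"id": "constructed-4", "severity": 2, "type": "Stealth:IAMUser/CloudTrailLoggingDisabled"},
]

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f["type"], "->", parse_finding_type(f["type"]))
    print(summarize_by_purpose(SAMPLE_FINDINGS))
```

Parsing the type rather than string-matching whole names lets a detection pipeline key rules on the stable prefix (purpose and resource type) while the optional family, variant and artifact parts vary.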
Delivery of Findings

| Type | Description |
|---|---|
| Archive | You can automatically send findings to an archive by creating suppression rules. Each suppression rule is represented by a filter; when a finding matches the filter, the finding is automatically marked as archived. |
| GuardDuty Console | Last 90 days |
| S3 | GuardDuty exports active findings (not suppressed) within 5 minutes of their first occurrence. If an active finding receives recurrent events, you can configure how frequently those events are reported (every 15 minutes, 1 hour, or 6 hours). Exported files of findings are encrypted by KMS. |
| CloudWatch Events | New findings are sent to CloudWatch Events within 5 minutes, and updated findings every 6 hours (default). |
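To show how the Archive and CloudWatch Events rows fit together in a consumer, here is an added example (not code from the page, GuardDuty or AWS). It unwraps the CloudWatch Events envelope GuardDuty uses (`source` of `aws.guardduty`, `detail-type` of `GuardDuty Finding`, the finding under `detail`), evaluates suppression rules written in the shape of the GuardDuty `FindingCriteria` API to decide which findings are archived, and throttles repeat notifications for a recurring finding in the spirit of the 15m/1h/6h update frequency. The rule evaluator is a local re-implementation of a subset (`Eq`, `Neq`, `Gte`, `Lte`), and every event, id and instance id below is constructed.

```python
"""Consume GuardDuty findings delivered as CloudWatch Events (EventBridge)
events, archive those matching suppression rules, and throttle repeat
notifications for a finding that keeps recurring.

Added illustration code, not GuardDuty's own logic. The event envelope
(source "aws.guardduty", detail-type "GuardDuty Finding", finding under
"detail") and the FindingCriteria shape are as AWS documents them; the rule
evaluator below is a local re-implementation of a subset (Eq/Neq/Gte/Lte),
and all sample events are constructed.
"""
from datetime import datetime, timedelta, timezone


def unwrap_event(event: dict) -> dict:
    """Return the finding carried by a GuardDuty CloudWatch Events event."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        raise ValueError("not a GuardDuty finding event")
    return event["detail"]


def _lookup(obj, dotted_path):
    """Resolve a dotted field path such as resource.instanceDetails.instanceId."""
    for part in dotted_path.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj


def matches_rule(finding: dict, rule: dict) -> bool:
    """A rule is {"Criterion": {"<field>": {"Eq": [...], "Neq": [...], "Gte": n, "Lte": n}}}.
    Every criterion must hold for the finding to be suppressed."""
    for field, cond in rule["Criterion"].items():
        value = _lookup(finding, field)
        if "Eq" in cond and value not in cond["Eq"]:
            return False
        if "Neq" in cond and value in cond["Neq"]:
            return False
        if "Gte" in cond and (value is None or value < cond["Gte"]):
            return False
        if "Lte" in cond and (value is None or value > cond["Lte"]):
            return False
    return True


def triage(events, rules):
    """Split incoming events into active finding ids and archived finding ids."""
    active, archived = [], []
    for event in events:
        finding = unwrap_event(event)
        (archived if any(matches_rule(finding, r) for r in rules) else active).append(finding["id"])
    return active, archived


class UpdateThrottle:
    """Forward the first occurrence of a finding id at once and later recurrences
    only once per `interval`, mirroring the 15m/1h/6h update frequency setting."""

    def __init__(self, interval: timedelta):
        self.interval = interval
        self._last_sent = {}

    def should_forward(self, finding_id: str, when: datetime) -> bool:
        last = self._last_sent.get(finding_id)
        if last is None or when - last >= self.interval:
            self._last_sent[finding_id] = when
            return True
        return False


def _event(finding_id, finding_type, severity, instance_id=None):
    """Build a constructed CloudWatch Events envelope around a minimal finding."""
    detail = {"id": finding_id, "type": finding_type, "severity": severity,
              "region": "us-east-1", "resource": {}}
    if instance_id:
        detail["resource"] = {"resourceType": "Instance",
                              "instanceDetails": {"instanceId": instance_id}}
    return {"version": "0", "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
            "account": "123456789012", "region": "us-east-1", "detail": detail}


SAMPLE_EVENTS = [  # constructed; the finding types are real, the ids and values are not
    _event("constructed-1", "Recon:EC2/PortProbeUnprotectedPort", 2, "i-0constructed0001"),
    _event("constructed-2", "Stealth:IAMUser/CloudTrailLoggingDisabled", 5),
    _event("constructed-3", "Recon:EC2/PortProbeUnprotectedPort", 2, "i-0constructed0002"),
]

# Suppress low-severity port probes against one known, intentionally exposed
# host (constructed instance id); everything else stays active.
SAMPLE_RULES = [{"Criterion": {
    "type": {"Eq": ["Recon:EC2/PortProbeUnprotectedPort"]},
    "resource.instanceDetails.instanceId": {"Eq": ["i-0constructed0001"]},
    "severity": {"Lte": 3},
}}]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS, SAMPLE_RULES))
```

Note that the suppression rule is scoped to one instance id and one finding type rather than to a type alone: a rule that archived every `Recon:EC2/PortProbeUnprotectedPort` would also hide probes against hosts that were never meant to be exposed.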
AWS Security Incident Response