
GuardDuty

General Info

  • Continuously analyzes selected AWS data sources to produce records of suspicious activity (findings)
    • VPC Flow Logs (GuardDuty reads them directly; you do not need to enable VPC Flow Logs yourself, and enabling them for your own use does not change what GuardDuty sees)
    • CloudTrail management events (you do not need to create a trail)
    • DNS queries (only those that pass through the VPC's AWS DNS resolvers; instances using a third-party or self-hosted resolver are invisible to this source)
  • Regional: a detector only sees its own region, so enable it in every region you use (and in unused regions, where unexpected activity is itself a signal), then forward findings via CloudWatch Events (EventBridge) rules to a central account or store
  • Detection combines threat intelligence (IP-address and domain lists) with machine learning over account and network activity
    • Feeds come from 3rd parties such as Proofpoint and CrowdStrike, and from AWS Security, covering known malicious domains/IP addresses
  • Examples of behaviour flagged
    • Unusual API calls, or calls from a known malicious IP
    • Attempts to disable CloudTrail logging
    • Unauthorized deployments
    • Compromised instances (e.g. command-and-control traffic, cryptocurrency mining)
    • Reconnaissance by attackers
    • Port scanning, failed logins (e.g. SSH or RDP brute force against an instance)

Components

Detector
  • Consumes the data sources above and generates findings within a specific AWS account and region (one detector per account per region)
  • Suspending vs. disabling:
    • GuardDuty lets you suspend or disable the detector in an account, on a per-region basis
    • Suspending a detector stops the detection of new findings but keeps previously detected findings and the detector's configuration
    • Disabling a detector stops detection and deletes all related findings and configuration; re-enabling later starts from scratch
    • An account that administers member accounts must disassociate them before it can disable its own detector
Finding
  • Attributes (each finding is a JSON document carrying, among other fields)
    • ID (unique per finding; repeated occurrences of the same activity update the existing finding and its count rather than creating a new one)
    • time of the finding (created, last updated, and first/last seen)
    • severity (a number from 0.1 to 8.9, shown in the console as Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9)
    • finding type
    • affected resources (e.g. the instance or IAM principal involved)
    • action details (the API call made or the network connection or DNS request observed, including the remote IP or domain)
  • Naming convention: the finding type is a single string built, in order, from
    1. Threat purpose (objective of the attack, e.g. Recon, UnauthorizedAccess, Backdoor)
    2. Resource type affected by the suspicious activity (after a colon, e.g. EC2, IAMUser)
    3. Threat family name and variant (after a slash; the variant is optional and follows a dot, e.g. .B for a behaviour-based detection)
    4. Artifact (optional, after an exclamation mark; the type of resource owned by the attacker's tooling, e.g. DNS)
    so the full form reads ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.Variant!Artifact, as in Backdoor:EC2/C&CActivity.B!DNS
Master Account
  • The master account (AWS now calls it the administrator account) receives findings from the member accounts it has invited, for the same region
  • Has the capability to:
    • manage (enable, disable, or suspend) the member accounts' detectors
    • manage the findings workflow for members (archive findings and create suppression rules)
    • configure trusted IP lists and threat lists for member accounts (members cannot manage their own lists while they are members; the master's lists apply to them)
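To make the naming convention concrete, here is a parser for finding type strings, added as an example and not part of GuardDuty or these notes. The regular expression, the FindingType record and the runbook_for policy (with its placeholder runbook names) are this example's own assumptions; the finding types fed to it are real, documented GuardDuty types. Dispatching on the parsed fields is more robust than substring matching on the raw name, which is the point of the exercise.

```python
import re
from typing import NamedTuple, Optional

# Added example, not GuardDuty's own code: parse a finding type string into the
# parts described by the naming convention. Field names (purpose, resource,
# family, variant, artifact) and the regular expression are this example's.
#
#   ThreatPurpose:ResourceTypeAffected/ThreatFamilyName[.Variant][!Artifact]
#   e.g. Backdoor:EC2/C&CActivity.B!DNS
_TYPE_RE = re.compile(
    r"^(?P<purpose>[A-Za-z]+)"            # threat purpose, e.g. Recon, Backdoor
    r":(?P<resource>[A-Za-z0-9]+)"        # affected resource type, e.g. EC2, IAMUser
    r"/(?P<family>[^./!]+)"               # threat family name; may contain '&'
    r"(?:\.(?P<variant>[A-Za-z0-9]+))?"   # optional variant, e.g. .B
    r"(?:!(?P<artifact>[A-Za-z0-9]+))?$"  # optional attacker-owned artifact, e.g. !DNS
)


class FindingType(NamedTuple):
    purpose: str
    resource: str
    family: str
    variant: Optional[str]
    artifact: Optional[str]


def parse_finding_type(name: str) -> FindingType:
    """Split a finding type into its components; raise on anything malformed."""
    m = _TYPE_RE.match(name)
    if m is None:
        raise ValueError(f"not a GuardDuty finding type: {name!r}")
    return FindingType(**m.groupdict())


def is_finding_type(name: str) -> bool:
    """True when the string has the ThreatPurpose:Resource/Family[.Variant][!Artifact] shape."""
    return _TYPE_RE.match(name) is not None


# Hypothetical triage policy for this example: dispatch on the parsed fields
# rather than on substring matches of the raw name. The runbook names are
# placeholders, not anything GuardDuty defines.
_ACTIVE_COMPROMISE = {"Backdoor", "Trojan", "CryptoCurrency", "Impact"}


def runbook_for(name: str) -> str:
    ft = parse_finding_type(name)
    if ft.resource == "IAMUser":
        return "revoke-credentials"      # credential misuse or CloudTrail tampering
    if ft.resource == "EC2" and ft.purpose in _ACTIVE_COMPROMISE:
        return "isolate-instance"        # the instance is acting on the attacker's behalf
    if ft.purpose == "Recon":
        return "monitor"                 # scanning noise: record it, alert on escalation
    return "analyst-review"


if __name__ == "__main__":
    # Sample input: finding types as documented by GuardDuty.
    for t in ("Backdoor:EC2/C&CActivity.B!DNS",
              "Recon:EC2/PortProbeUnprotectedPort",
              "Stealth:IAMUser/CloudTrailLoggingDisabled",
              "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS"):
        print(f"{t:72} -> {runbook_for(t)}")
```

The parser rejects anything that does not fit the shape (a trailing "!" with no artifact, a missing colon), so a typo in an allow-list or routing table surfaces as an error instead of silently never matching.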

Delivery of Findings

Archive
  • You can automatically send findings to the archive by creating suppression rules
  • Each suppression rule is a filter: a set of criteria on finding attributes such as type, severity, account, region, or the affected resource
  • When a new finding matches the filter it is automatically marked as archived; it stays in the account (visible in the console when you filter on archived findings) but is not sent to S3 or CloudWatch Events, so scope rules narrowly (e.g. to a specific instance) rather than suppressing a whole finding type
GuardDuty Console
  • Findings are retained and viewable in the console for 90 days
S3
  • GuardDuty exports active (non-suppressed) findings within about 5 minutes of their first occurrence
  • If an active finding receives recurrent events, you can configure how often updates are exported (every 15 minutes, 1 hour, or 6 hours; 6 hours is the default)
  • Exported files are encrypted with a KMS key you specify; the S3 bucket policy and the KMS key policy must both grant GuardDuty permission before the export can be configured
CloudWatch Events
  • New findings are sent to CloudWatch Events (EventBridge) within about 5 minutes, and updated findings every 6 hours by default; the same update-frequency setting as the S3 export applies (15 minutes, 1 hour, or 6 hours)
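The archive row above says a finding that matches a suppression filter is archived and therefore never reaches S3 or CloudWatch Events. The following is an added example, not GuardDuty's own code, that evaluates a set of suppression rules against findings to show which ones are exported and which are quietly archived. The Criterion shape (a dotted attribute path mapped to operators Equals, NotEquals, GreaterThan, GreaterThanOrEqual, LessThan, LessThanOrEqual) follows what the GuardDuty CreateFilter API accepts; the evaluator itself is this example's own re-implementation of that matching, an assumption about the semantics (in particular it does not handle list-valued attributes such as tags), and the sample findings, account ID and instance IDs are constructed.

```python
from typing import Any, Dict, List, Tuple

# Added example, not GuardDuty's own code: work out which findings a set of
# suppression rules would archive. A finding is archived when every criterion
# of at least one ARCHIVE rule matches it. The matching below is this example's
# own approximation of GuardDuty's filter semantics (an assumption).

_ALLOWED_OPS = {"Equals", "NotEquals", "GreaterThan", "GreaterThanOrEqual",
                "LessThan", "LessThanOrEqual"}


def _lookup(finding: Dict[str, Any], path: str) -> Any:
    """Resolve a dotted path such as resource.instanceDetails.instanceId."""
    node: Any = finding
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def _condition_matches(value: Any, cond: Dict[str, Any]) -> bool:
    # Fail closed: an unknown operator is a broken rule, not a wildcard,
    # otherwise a typo in a rule could quietly archive every finding.
    unknown = set(cond) - _ALLOWED_OPS
    if unknown:
        raise ValueError(f"unsupported operator(s) {sorted(unknown)}")
    if value is None:                      # attribute absent from this finding
        return False
    checks = {
        "Equals": lambda v, o: v in o,
        "NotEquals": lambda v, o: v not in o,
        "GreaterThan": lambda v, o: v > o,
        "GreaterThanOrEqual": lambda v, o: v >= o,
        "LessThan": lambda v, o: v < o,
        "LessThanOrEqual": lambda v, o: v <= o,
    }
    return all(checks[op](value, operand) for op, operand in cond.items())


def rule_matches(finding: Dict[str, Any], criterion: Dict[str, Dict[str, Any]]) -> bool:
    """All criteria in a rule must hold for the rule to match."""
    return all(_condition_matches(_lookup(finding, path), cond)
               for path, cond in criterion.items())


def triage(findings: List[Dict[str, Any]],
           rules: List[Dict[str, Any]]) -> Tuple[List[str], List[str]]:
    """Return (archived_ids, active_ids); only active findings are exported."""
    archived, active = [], []
    for f in findings:
        if any(r["Action"] == "ARCHIVE" and rule_matches(f, r["Criterion"]) for r in rules):
            archived.append(f["id"])
        else:
            active.append(f["id"])
    return archived, active


# Constructed sample findings, trimmed to the attributes the rules touch.
# Real findings carry many more fields; the account and instance IDs are made up.
SAMPLE_FINDINGS = [
    {"id": "f-1", "accountId": "111111111111", "region": "eu-west-1", "severity": 2,
     "type": "Recon:EC2/PortProbeUnprotectedPort",
     "resource": {"instanceDetails": {"instanceId": "i-0honeypot"}}},
    {"id": "f-2", "accountId": "111111111111", "region": "eu-west-1", "severity": 8,
     "type": "Backdoor:EC2/C&CActivity.B!DNS",
     "resource": {"instanceDetails": {"instanceId": "i-0honeypot"}}},
    {"id": "f-3", "accountId": "111111111111", "region": "eu-west-1", "severity": 5,
     "type": "Recon:EC2/PortProbeUnprotectedPort",
     "resource": {"instanceDetails": {"instanceId": "i-0webserver"}}},
]

# One suppression rule: archive low-severity port probes against the honeypot
# instance only. Scoping by instance keeps probes against real hosts visible,
# and the severity bound keeps anything GuardDuty escalates visible too.
SUPPRESSION_RULES = [
    {"Name": "honeypot-port-probes", "Action": "ARCHIVE",
     "Criterion": {
         "type": {"Equals": ["Recon:EC2/PortProbeUnprotectedPort"]},
         "resource.instanceDetails.instanceId": {"Equals": ["i-0honeypot"]},
         "severity": {"LessThanOrEqual": 4},
     }},
]

if __name__ == "__main__":
    print(triage(SAMPLE_FINDINGS, SUPPRESSION_RULES))  # (['f-1'], ['f-2', 'f-3'])
```

Running it archives only f-1: f-2 is a different finding type on the same honeypot and f-3 is the same probe type against a non-honeypot instance, so both remain active and would be exported. Dry-running candidate rules against recent findings like this, before creating them with CreateFilter, is a cheap way to catch an over-broad criterion.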