AWS GuardDuty finding


Goal

Detect when an AWS GuardDuty finding has been raised.

Strategy

AWS GuardDuty is a native AWS threat detection service. It continuously analyzes the following data sources, which it reads directly from AWS without requiring you to enable or deliver them yourself:

  • CloudTrail management events
  • CloudTrail data events for Amazon S3
  • DNS logs
  • Kubernetes audit logs
  • Amazon VPC flow logs
  • RDS login activity

It also scans Amazon EBS volume data when Malware Protection is enabled in GuardDuty. From these data sources, GuardDuty generates security findings for your account, each with a finding type, a numeric severity, and the affected resource.
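The following is an added example, not code from this rule or from AWS. It shows what a detection or triage pipeline would do with findings once GuardDuty has generated them: parse a finding in the EventBridge "GuardDuty Finding" envelope, map the numeric severity to GuardDuty's documented bands (Low 1.0 to 3.9, Medium 4.0 to 6.9, High 7.0 to 8.9, Critical 9.0 to 10.0), tag Runtime and Attack sequence findings from the finding-type string, and build the per-resource group key used to decide what to escalate. The sample events are constructed; the `detail.resource.*Details` field names follow the GuardDuty finding schema but are assumptions here, so verify them against real findings in your account. Findings whose `service.archived` flag is true (for example, ones matched by a suppression rule) are never escalated.

```python
"""Triage helper for GuardDuty findings delivered via EventBridge (added example)."""

# Constructed sample events in the EventBridge "GuardDuty Finding" envelope.
# Only the fields this example reads are included; values are made up.
SAMPLE_EVENTS = [
    {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
     "detail": {"id": "f-1", "accountId": "111122223333",
                "type": "UnauthorizedAccess:EC2/SSHBruteForce", "severity": 5,
                "resource": {"resourceType": "Instance",
                             "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
                "service": {"count": 12, "archived": False}}},
    {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
     "detail": {"id": "f-2", "accountId": "111122223333",
                "type": "Execution:Runtime/NewBinaryExecuted", "severity": 7,
                "resource": {"resourceType": "EKSCluster",
                             "eksClusterDetails": {"name": "prod-eks"}},
                "service": {"count": 1, "archived": False}}},
    {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
     "detail": {"id": "f-3", "accountId": "111122223333",
                "type": "AttackSequence:IAM/CompromisedCredentials", "severity": 9.5,
                "resource": {"resourceType": "AccessKey",
                             "accessKeyDetails": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
                "service": {"count": 1, "archived": False}}},
    {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
     "detail": {"id": "f-4", "accountId": "111122223333",
                "type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 8,
                "resource": {"resourceType": "Instance",
                             "instanceDetails": {"instanceId": "i-0fedcba9876543210"}},
                "service": {"count": 3, "archived": True}}},  # e.g. suppression rule hit
]


def severity_label(score):
    """Map GuardDuty's numeric severity to its documented bands."""
    if 9.0 <= score <= 10.0:
        return "critical"
    if 7.0 <= score < 9.0:
        return "high"
    if 4.0 <= score < 7.0:
        return "medium"
    if 1.0 <= score < 4.0:
        return "low"
    return "unknown"  # outside GuardDuty's 1.0-10.0 range


def finding_category(finding_type):
    """Classify a finding by its type string (ThreatPurpose:ResourceType/ThreatFamily)."""
    purpose, _, rest = finding_type.partition(":")
    if purpose == "AttackSequence":
        return "attack_sequence"
    if rest.startswith("Runtime/"):
        return "runtime"
    return "standard"


def resource_key(resource):
    """Build a 'ResourceType:identifier' group key. Detail field names are assumed."""
    rtype = resource.get("resourceType", "Unknown")
    if rtype == "Instance":
        ident = resource.get("instanceDetails", {}).get("instanceId")
    elif rtype == "AccessKey":
        ident = resource.get("accessKeyDetails", {}).get("accessKeyId")
    elif rtype == "EKSCluster":
        ident = resource.get("eksClusterDetails", {}).get("name")
    elif rtype == "ECSCluster":
        ident = resource.get("ecsClusterDetails", {}).get("name")
    elif rtype == "S3Bucket":
        buckets = resource.get("s3BucketDetails", [])
        ident = buckets[0].get("name") if buckets else None
    else:
        ident = None
    return f"{rtype}:{ident or 'unknown'}"


def triage(event):
    """Reduce one EventBridge event to the fields an analyst routes on."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        raise ValueError("not a GuardDuty Finding event")
    d = event["detail"]
    label = severity_label(float(d["severity"]))
    category = finding_category(d["type"])
    archived = bool(d.get("service", {}).get("archived", False))
    # Escalate critical/high findings and every attack sequence, unless archived.
    escalate = (not archived) and (label in ("critical", "high") or category == "attack_sequence")
    return {"id": d["id"], "account": d.get("accountId"), "type": d["type"],
            "severity": label, "category": category,
            "resource": resource_key(d.get("resource", {})),
            "count": d.get("service", {}).get("count", 1),
            "archived": archived, "escalate": escalate}


def triage_all(events):
    return [triage(e) for e in events]


def escalations_by_resource(events):
    """Group escalated finding types by affected resource, the key a rule would alert on."""
    grouped = {}
    for r in triage_all(events):
        if r["escalate"]:
            grouped.setdefault(r["resource"], []).append(r["type"])
    return grouped


if __name__ == "__main__":
    for r in triage_all(SAMPLE_EVENTS):
        print(r)
    print(escalations_by_resource(SAMPLE_EVENTS))
```

The category and severity fields are what the changelog's per-finding-class queries (EC2, Runtime, Attack sequence, critical severity) key on; a real pipeline would feed `escalate` into the incident process and leave the rest to a suppression or tuning review.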

Triage and response

  1. Investigate the GuardDuty finding (finding type, severity, affected resource, and the activity it describes) to determine whether it is malicious or benign.
  2. If the finding is deemed malicious, follow the remediation guidance that Amazon publishes for that finding type, along with any internal incident response processes.
  3. Otherwise, findings can be managed to reduce false positives through:

Changelog

  • 7 September 2023 - Updated group by value for EC2 query.
  • 28 November 2023 - Added query for Runtime findings.
  • 19 December 2023 - Added query for Runtime findings from ECS clusters.
  • 9 December 2024 - Added query for Attack sequence findings and critical severity.