AWS GuardDuty finding

Goal

Detect when an AWS GuardDuty finding has been raised.

Strategy

AWS GuardDuty is a native threat detection service that monitors:

  • CloudTrail management events
  • AWS CloudTrail data events for Amazon S3
  • DNS logs
  • Kubernetes audit logs
  • Amazon VPC flow logs
  • RDS login activity monitoring

It also analyzes Amazon EBS volume data for Malware Protection in Amazon GuardDuty. With these data sources, GuardDuty generates security findings for your account.

Triage and response

  1. Investigate the GuardDuty finding to determine if it is malicious or benign.
  2. If the finding is deemed malicious, follow the remediation guidance provided by Amazon along with any internal incident response processes.
  3. Otherwise, findings can be managed to reduce false positives through:
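The triage steps above as a small routing helper, added here as an example and not part of Datadog's rule logic or AWS code. It assumes the finding is the JSON object GuardDuty emits (for example via EventBridge), uses the AWS-documented severity bands, and the suppression allowlist and sample finding are constructed.

```python
from dataclasses import dataclass

# AWS-documented GuardDuty severity bands; "critical" (9.0-10.0) covers attack sequences.
SEVERITY_BANDS = [(9.0, "critical"), (7.0, "high"), (4.0, "medium"), (1.0, "low")]

# Constructed allowlist of (finding type, resource) pairs known to be benign here,
# standing in for a GuardDuty suppression rule.
SUPPRESSED = {("Recon:EC2/PortProbeUnprotectedPort", "i-0scanner0000example")}

@dataclass
class Triage:
    finding_type: str
    severity_label: str
    resource_id: str
    action: str  # "suppress", "investigate" or "escalate"

def severity_label(score: float) -> str:
    for floor, label in SEVERITY_BANDS:
        if score >= floor:
            return label
    return "unknown"

def resource_id(finding: dict) -> str:
    """Primary affected resource, keyed on the resourceType GuardDuty reports."""
    res = finding.get("resource", {})
    kind = res.get("resourceType", "")
    if kind == "Instance":
        return res.get("instanceDetails", {}).get("instanceId", "")
    if kind == "AccessKey":
        return res.get("accessKeyDetails", {}).get("accessKeyId", "")
    if kind == "S3Bucket":
        buckets = res.get("s3BucketDetails", [])
        return buckets[0].get("name", "") if buckets else ""
    return ""

def triage(finding: dict) -> Triage:
    ftype = finding["type"]
    rid = resource_id(finding)
    label = severity_label(float(finding.get("severity", 0)))
    if (ftype, rid) in SUPPRESSED:
        action = "suppress"     # step 3: known benign, archive instead of paging
    elif label in ("high", "critical"):
        action = "escalate"     # step 2: AWS remediation guidance plus internal IR
    else:
        action = "investigate"  # step 1: analyst review first
    return Triage(ftype, label, rid, action)

# Constructed sample in the shape of a GuardDuty finding (not a real finding).
SAMPLE_FINDING = {"type": "UnauthorizedAccess:EC2/SSHBruteForce", "severity": 5,
    "resource": {"resourceType": "Instance", "instanceDetails": {"instanceId": "i-0123456789abcdef0"}}}
```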

Changelog

  • 7 September 2023 - Updated the group-by value for the EC2 query.
  • 28 November 2023 - Added query for Runtime findings.
  • 19 December 2023 - Added query for Runtime findings from ECS clusters.
  • 9 December 2024 - Added query for Attack sequence findings and critical severity.