Difference between revisions of "Amazon GuardDuty"
Jump to navigation
Jump to search
↑ https://aws.amazon.com/about-aws/whats-new/2017/11/announcing-amazon-guardduty-intelligent-threat-detection/
↑ https://aws.amazon.com/blogs/aws/new-using-amazon-guardduty-to-protect-your-s3-buckets/
| Line 3: | Line 3: | ||
** CloudTrail management events: activated by default, cannot be disabled. | ** CloudTrail management events: activated by default, cannot be disabled. | ||
** [[S3 protection]]: S3 data events (Jul 2020)<ref>https://aws.amazon.com/blogs/aws/new-using-amazon-guardduty-to-protect-your-s3-buckets/</ref>, full list https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html | ** [[S3 protection]]: S3 data events (Jul 2020)<ref>https://aws.amazon.com/blogs/aws/new-using-amazon-guardduty-to-protect-your-s3-buckets/</ref>, full list https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html | ||
| + | ** [[EC2 Instance Credential Exfiltration]] | ||
| + | |||
* [[VPC Flow]] Logs | * [[VPC Flow]] Logs | ||
* [[DNS query logs]] | * [[DNS query logs]] | ||
Revision as of 02:10, 15 February 2022
wikipedia:Amazon GuardDuty (Nov 2017) [1] threat detection uses
- AWS CloudTrail logs:
- CloudTrail management events: activated by default, cannot be disabled.
- S3 protection: S3 data events (Jul 2020)[2], full list https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html
- EC2 Instance Credential Exfiltration
- VPC Flow Logs
- DNS query logs
- Homepage: https://aws.amazon.com/guardduty/
Detection examples
- Compromised EC2 instances mining bitcoin
- An attacker scanning your web servers for known application vulnerabilities
- GuardDuty does not process requests to objects that you have made publicly accessible, but it does alert you when a bucket is made publicly accessible
Cost
Formats
- TXT
- STIX
- OTX_CSV
- ALIEN_VAULT
- PROOF_POINT
- FIRE_EYE
Related
- AWS CloudTrail management event analysis
- Delegated Administrator
- CrowdStrike
- AWS CloudTrail Insights
EC2 instance i-XXXXXXX is communicating with IP address 163.x.x.x.x on the Tor Anonymizing Proxy network marked as an Entry node. Jump to navigationJump to search
Activities
- https://aws.amazon.com/premiumsupport/knowledge-center/guardduty-cloudwatch-sns-rule/
- Read FAQ: https://aws.amazon.com/guardduty/faqs/
- Read https://stackoverflow.com/questions/tagged/amazon-guardduty?tab=Votes
- Alarms: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings_cloudwatch.html
See also
- Amazon GuardDuty:
aws guardduty[ list-detector | list-findings | create-detector ] - AWS GuardDuty, S3 protection, for EKS.
aws guardduty, Finding type, aws-guardduty-agent EKS addon, Runtine Monitoring - AWS security, AWS Security Hub, AWS CloudTrail, Amazon GuardDuty, Amazon Detective, AWS WAF, AWS Audit Manager, Amazon Fraud Detector, Cloudsploit, AWS Certified Security - Specialty, AWS Security Assurance Services, AWS GDPR, Amazon Inspector, AWS Network Firewall
Advertising:
