Difference between revisions of "Amazon GuardDuty"
Jump to navigation
Jump to search
↑ https://aws.amazon.com/about-aws/whats-new/2017/11/announcing-amazon-guardduty-intelligent-threat-detection/
↑ https://aws.amazon.com/blogs/aws/new-using-amazon-guardduty-to-protect-your-s3-buckets/
↑ https://aws.amazon.com/blogs/aws/amazon-guardduty-enhances-detection-of-ec2-instance-credential-exfiltration/
(28 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
[[wikipedia:Amazon GuardDuty]] ([[AWS timeline|Nov 2017]]) <ref>https://aws.amazon.com/about-aws/whats-new/2017/11/announcing-amazon-guardduty-intelligent-threat-detection/</ref> [[threat detection]] uses | [[wikipedia:Amazon GuardDuty]] ([[AWS timeline|Nov 2017]]) <ref>https://aws.amazon.com/about-aws/whats-new/2017/11/announcing-amazon-guardduty-intelligent-threat-detection/</ref> [[threat detection]] uses | ||
− | * [[AWS CloudTrail]] logs | + | * [[AWS CloudTrail]] logs: |
− | * [[VPC Flow]] | + | ** [[CloudTrail management events]]: activated by default, cannot be disabled. |
+ | ** [[S3 protection]]: S3 data events (Jul 2020)<ref>https://aws.amazon.com/blogs/aws/new-using-amazon-guardduty-to-protect-your-s3-buckets/</ref>, full list https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html | ||
+ | ** [[EC2 Instance Credential Exfiltration]] ([[AWS timeline|Jan 2022]]) <ref>https://aws.amazon.com/blogs/aws/amazon-guardduty-enhances-detection-of-ec2-instance-credential-exfiltration/</ref> | ||
+ | |||
+ | * [[VPC Flow Logs]] | ||
* [[DNS query logs]] | * [[DNS query logs]] | ||
+ | |||
+ | * Homepage: https://aws.amazon.com/guardduty/ | ||
+ | |||
+ | == Detection examples == | ||
+ | * Compromised EC2 instances mining bitcoin | ||
+ | * An attacker scanning your web servers for known application vulnerabilities | ||
+ | * GuardDuty does not process requests to objects that you have made publicly accessible, but it does alert you when a bucket is made publicly accessible | ||
== Cost == | == Cost == | ||
Line 19: | Line 30: | ||
* [[AWS CloudTrail]] management event analysis | * [[AWS CloudTrail]] management event analysis | ||
* [[Delegated Administrator]] | * [[Delegated Administrator]] | ||
− | * [[S3 | + | * [[CrowdStrike]] |
+ | * [[AWS CloudTrail Insights]] | ||
+ | * [[AWS Guardrails in AWS Control Tower]] | ||
+ | * <code>[[EC2 instance i-XXXXXXX is communicating with IP address 163.x.x.x.x on the Tor Anonymizing Proxy network marked as an Entry node. Jump to navigationJump to search]]</code> | ||
+ | * <code>[[aws-guardduty-agent]]</code> | ||
+ | * [[AWS IAM Access Analyzer]] | ||
+ | * [[S3 security]] | ||
== Activities == | == Activities == | ||
* https://aws.amazon.com/premiumsupport/knowledge-center/guardduty-cloudwatch-sns-rule/ | * https://aws.amazon.com/premiumsupport/knowledge-center/guardduty-cloudwatch-sns-rule/ | ||
+ | * Read FAQ: https://aws.amazon.com/guardduty/faqs/ | ||
+ | * Read https://stackoverflow.com/questions/tagged/amazon-guardduty?tab=Votes | ||
+ | * Alarms: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings_cloudwatch.html | ||
+ | * https://github.com/aws-samples/amazon-guardduty-for-aws-organizations-with-terraform | ||
== See also == | == See also == |
Latest revision as of 08:49, 19 June 2024
wikipedia:Amazon GuardDuty (Nov 2017) [1] threat detection uses
- AWS CloudTrail logs:
- CloudTrail management events: activated by default, cannot be disabled.
- S3 protection: S3 data events (Jul 2020)[2], full list https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html
- EC2 Instance Credential Exfiltration (Jan 2022) [3]
- Homepage: https://aws.amazon.com/guardduty/
Detection examples[edit]
- Compromised EC2 instances mining bitcoin
- An attacker scanning your web servers for known application vulnerabilities
- GuardDuty does not process requests to objects that you have made publicly accessible, but it does alert you when a bucket is made publicly accessible
Cost[edit]
Formats[edit]
- TXT
- STIX
- OTX_CSV
- ALIEN_VAULT
- PROOF_POINT
- FIRE_EYE
Related[edit]
- AWS CloudTrail management event analysis
- Delegated Administrator
- CrowdStrike
- AWS CloudTrail Insights
- AWS Guardrails in AWS Control Tower
EC2 instance i-XXXXXXX is communicating with IP address 163.x.x.x.x on the Tor Anonymizing Proxy network marked as an Entry node. Jump to navigationJump to search
aws-guardduty-agent
- AWS IAM Access Analyzer
- S3 security
Activities[edit]
- https://aws.amazon.com/premiumsupport/knowledge-center/guardduty-cloudwatch-sns-rule/
- Read FAQ: https://aws.amazon.com/guardduty/faqs/
- Read https://stackoverflow.com/questions/tagged/amazon-guardduty?tab=Votes
- Alarms: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings_cloudwatch.html
- https://github.com/aws-samples/amazon-guardduty-for-aws-organizations-with-terraform
See also[edit]
- Amazon GuardDuty:
aws guardduty
[ list-detector | list-findings | create-detector | update-detector ]
- AWS GuardDuty, S3 protection, for EKS.
aws guardduty
, Finding type, aws-guardduty-agent EKS addon, Runtine Monitoring - AWS security, AWS Security Hub, AWS CloudTrail, Amazon GuardDuty, Amazon Detective, AWS WAF, AWS Audit Manager, Amazon Fraud Detector, Cloudsploit, AWS Certified Security - Specialty, AWS Security Assurance Services, AWS GDPR, Amazon Inspector, AWS Network Firewall, Zelkova
Advertising: