Finding types - Amazon GuardDuty

Finding types

For information about important changes to the GuardDuty finding types, including newly added or retired finding types, see Document history for Amazon GuardDuty.

For information about finding types that are now retired, see Retired finding types.

Findings by resource type

The following pages are categorized by the resource type associated with a GuardDuty finding:

Findings table

The following table shows all of the active finding types sorted by the foundational data source or feature, as applicable. Some of the following finding types may have a variable severity, indicated by an asterisk (*). For information about the variable severity of a finding type, view the detailed description of that finding type.

| Finding type | Resource type | Foundational data source/Feature | Finding severity |
| --- | --- | --- | --- |
| Discovery:S3/AnomalousBehavior | Amazon S3 | CloudTrail data events for S3 | Low |
| Discovery:S3/MaliciousIPCaller | Amazon S3 | CloudTrail data events for S3 | High |
| Discovery:S3/MaliciousIPCaller.Custom | Amazon S3 | CloudTrail data events for S3 | High |
| Discovery:S3/TorIPCaller | Amazon S3 | CloudTrail data events for S3 | Medium |
| Exfiltration:S3/AnomalousBehavior | Amazon S3 | CloudTrail data events for S3 | High |
| Exfiltration:S3/MaliciousIPCaller | Amazon S3 | CloudTrail data events for S3 | High |
| Impact:S3/AnomalousBehavior.Delete | Amazon S3 | CloudTrail data events for S3 | High |
| Impact:S3/AnomalousBehavior.Permission | Amazon S3 | CloudTrail data events for S3 | High |
| Impact:S3/AnomalousBehavior.Write | Amazon S3 | CloudTrail data events for S3 | Medium |
| Impact:S3/MaliciousIPCaller | Amazon S3 | CloudTrail data events for S3 | High |
| PenTest:S3/KaliLinux | Amazon S3 | CloudTrail data events for S3 | Medium |
| PenTest:S3/ParrotLinux | Amazon S3 | CloudTrail data events for S3 | Medium |
| PenTest:S3/PentooLinux | Amazon S3 | CloudTrail data events for S3 | Medium |
| UnauthorizedAccess:S3/TorIPCaller | Amazon S3 | CloudTrail data events for S3 | High |
| UnauthorizedAccess:S3/MaliciousIPCaller.Custom | Amazon S3 | CloudTrail data events for S3 | High |
| CredentialAccess:IAMUser/AnomalousBehavior | IAM | CloudTrail management event | Medium |
| DefenseEvasion:IAMUser/AnomalousBehavior | IAM | CloudTrail management event | Medium |
| Discovery:IAMUser/AnomalousBehavior | IAM | CloudTrail management event | Low |
| Exfiltration:IAMUser/AnomalousBehavior | IAM | CloudTrail management event | High |
| Impact:IAMUser/AnomalousBehavior | IAM | CloudTrail management event | High |
| InitialAccess:IAMUser/AnomalousBehavior | IAM | CloudTrail management event | Medium |
| PenTest:IAMUser/KaliLinux | IAM | CloudTrail management event | Medium |
| PenTest:IAMUser/ParrotLinux | IAM | CloudTrail management event | Medium |
| PenTest:IAMUser/PentooLinux | IAM | CloudTrail management event | Medium |
| Persistence:IAMUser/AnomalousBehavior | IAM | CloudTrail management event | Medium |
| Stealth:IAMUser/PasswordPolicyChange | IAM | CloudTrail management event | Low* |
| UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS | IAM | CloudTrail management event | High* |
| Policy:S3/AccountBlockPublicAccessDisabled | Amazon S3 | CloudTrail management event | Low |
| Policy:S3/BucketAnonymousAccessGranted | Amazon S3 | CloudTrail management event | High |
| Policy:S3/BucketBlockPublicAccessDisabled | Amazon S3 | CloudTrail management event | Low |
| Policy:S3/BucketPublicAccessGranted | Amazon S3 | CloudTrail management event | High |
| PrivilegeEscalation:IAMUser/AnomalousBehavior | IAM | CloudTrail management event | Medium |
| Recon:IAMUser/MaliciousIPCaller | IAM | CloudTrail management event | Medium |
| Recon:IAMUser/MaliciousIPCaller.Custom | IAM | CloudTrail management event | Medium |
| Recon:IAMUser/TorIPCaller | IAM | CloudTrail management event | Medium |
| Stealth:IAMUser/CloudTrailLoggingDisabled | IAM | CloudTrail management event | Low |
| Stealth:S3/ServerAccessLoggingDisabled | Amazon S3 | CloudTrail management event | Low |
| UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B | IAM | CloudTrail management event | Medium |
| UnauthorizedAccess:IAMUser/MaliciousIPCaller | IAM | CloudTrail management event | Medium |
| UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom | IAM | CloudTrail management event | Medium |
| UnauthorizedAccess:IAMUser/TorIPCaller | IAM | CloudTrail management event | Medium |
| Policy:IAMUser/RootCredentialUsage | IAM | CloudTrail management events or CloudTrail data events for S3 | Low |
| UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS | IAM | CloudTrail management events or CloudTrail data events for S3 | High |
| Backdoor:EC2/C&CActivity.B!DNS | Amazon EC2 | DNS logs | High |
| CryptoCurrency:EC2/BitcoinTool.B!DNS | Amazon EC2 | DNS logs | High |
| Impact:EC2/AbusedDomainRequest.Reputation | Amazon EC2 | DNS logs | Medium |
| Impact:EC2/BitcoinDomainRequest.Reputation | Amazon EC2 | DNS logs | High |
| Impact:EC2/MaliciousDomainRequest.Reputation | Amazon EC2 | DNS logs | High |
| Impact:EC2/SuspiciousDomainRequest.Reputation | Amazon EC2 | DNS logs | Low |
| Trojan:EC2/BlackholeTraffic!DNS | Amazon EC2 | DNS logs | Medium |
| Trojan:EC2/DGADomainRequest.B | Amazon EC2 | DNS logs | High |
| Trojan:EC2/DGADomainRequest.C!DNS | Amazon EC2 | DNS logs | High |
| Trojan:EC2/DNSDataExfiltration | Amazon EC2 | DNS logs | High |
| Trojan:EC2/DriveBySourceTraffic!DNS | Amazon EC2 | DNS logs | High |
| Trojan:EC2/DropPoint!DNS | Amazon EC2 | DNS logs | Medium |
| Trojan:EC2/PhishingDomainRequest!DNS | Amazon EC2 | DNS logs | High |
| UnauthorizedAccess:EC2/MetadataDNSRebind | Amazon EC2 | DNS logs | High |
| Execution:Container/MaliciousFile | Container | EBS Malware Protection | Varies depending on the detected threat |
| Execution:Container/SuspiciousFile | Container | EBS Malware Protection | Varies depending on the detected threat |
| Execution:EC2/MaliciousFile | EC2 | EBS Malware Protection | Varies depending on the detected threat |
| Execution:EC2/SuspiciousFile | EC2 | EBS Malware Protection | Varies depending on the detected threat |
| Execution:ECS/MaliciousFile | ECS | EBS Malware Protection | Varies depending on the detected threat |
| Execution:ECS/SuspiciousFile | ECS | EBS Malware Protection | Varies depending on the detected threat |
| Execution:Kubernetes/MaliciousFile | Kubernetes | EBS Malware Protection | Varies depending on the detected threat |
| Execution:Kubernetes/SuspiciousFile | Kubernetes | EBS Malware Protection | Varies depending on the detected threat |
|  | Kubernetes | Kubernetes audit logs | Medium |
| CredentialAccess:Kubernetes/MaliciousIPCaller | Kubernetes | Kubernetes audit logs | High |
| CredentialAccess:Kubernetes/MaliciousIPCaller.Custom | Kubernetes | Kubernetes audit logs | High |
| CredentialAccess:Kubernetes/SuccessfulAnonymousAccess | Kubernetes | Kubernetes audit logs | High |
| CredentialAccess:Kubernetes/TorIPCaller | Kubernetes | Kubernetes audit logs | High |
| DefenseEvasion:Kubernetes/MaliciousIPCaller | Kubernetes | Kubernetes audit logs | High |
| DefenseEvasion:Kubernetes/MaliciousIPCaller.Custom | Kubernetes | Kubernetes audit logs | High |
| DefenseEvasion:Kubernetes/SuccessfulAnonymousAccess | Kubernetes | Kubernetes audit logs | High |
| DefenseEvasion:Kubernetes/TorIPCaller | Kubernetes | Kubernetes audit logs | High |
| Discovery:Kubernetes/AnomalousBehavior.PermissionChecked | Kubernetes | Kubernetes audit logs | Low |
| Discovery:Kubernetes/MaliciousIPCaller | Kubernetes | Kubernetes audit logs | Medium |
| Discovery:Kubernetes/MaliciousIPCaller.Custom | Kubernetes | Kubernetes audit logs | Medium |
| Discovery:Kubernetes/SuccessfulAnonymousAccess | Kubernetes | Kubernetes audit logs | Medium |
| Discovery:Kubernetes/TorIPCaller | Kubernetes | Kubernetes audit logs | Medium |
| Execution:Kubernetes/ExecInKubeSystemPod | Kubernetes | Kubernetes audit logs | Medium |
| Execution:Kubernetes/AnomalousBehavior.ExecInPod | Kubernetes | Kubernetes audit logs | Medium |
| Execution:Kubernetes/AnomalousBehavior.WorkloadDeployed | Kubernetes | Kubernetes audit logs | Low |
| Impact:Kubernetes/MaliciousIPCaller | Kubernetes | Kubernetes audit logs | High |
| Impact:Kubernetes/MaliciousIPCaller.Custom | Kubernetes | Kubernetes audit logs | High |
| Impact:Kubernetes/SuccessfulAnonymousAccess | Kubernetes | Kubernetes audit logs | High |
| Impact:Kubernetes/TorIPCaller | Kubernetes | Kubernetes audit logs | High |
| Persistence:Kubernetes/ContainerWithSensitiveMount | Kubernetes | Kubernetes audit logs | Medium |
| Persistence:Kubernetes/MaliciousIPCaller | Kubernetes | Kubernetes audit logs | Medium |
| Persistence:Kubernetes/MaliciousIPCaller.Custom | Kubernetes | Kubernetes audit logs | Medium |
| Persistence:Kubernetes/SuccessfulAnonymousAccess | Kubernetes | Kubernetes audit logs | High |
| Persistence:Kubernetes/TorIPCaller | Kubernetes | Kubernetes audit logs | Medium |
| Policy:Kubernetes/AdminAccessToDefaultServiceAccount | Kubernetes | Kubernetes audit logs | High |
| Policy:Kubernetes/AnonymousAccessGranted | Kubernetes | Kubernetes audit logs | High |
| Policy:Kubernetes/KubeflowDashboardExposed | Kubernetes | Kubernetes audit logs | Medium |
| Policy:Kubernetes/ExposedDashboard | Kubernetes | Kubernetes audit logs | Medium |
|  | Kubernetes | Kubernetes audit logs | Medium* |
| PrivilegeEscalation:Kubernetes/AnomalousBehavior.RoleCreated | Kubernetes | Kubernetes audit logs | Low |
| Persistence:Kubernetes/AnomalousBehavior.WorkloadDeployed!ContainerWithSensitiveMount | Kubernetes | Kubernetes audit logs | High |
| PrivilegeEscalation:Kubernetes/AnomalousBehavior.WorkloadDeployed!PrivilegedContainer | Kubernetes | Kubernetes audit logs | High |
| PrivilegeEscalation:Kubernetes/PrivilegedContainer | Kubernetes | Kubernetes audit logs | Medium |
| Backdoor:Lambda/C&CActivity.B | Lambda | Lambda Network Activity Monitoring | High |
| CryptoCurrency:Lambda/BitcoinTool.B | Lambda | Lambda Network Activity Monitoring | High |
| Trojan:Lambda/BlackholeTraffic | Lambda | Lambda Network Activity Monitoring | Medium |
| Trojan:Lambda/DropPoint | Lambda | Lambda Network Activity Monitoring | Medium |
| UnauthorizedAccess:Lambda/MaliciousIPCaller.Custom | Lambda | Lambda Network Activity Monitoring | Medium |
| UnauthorizedAccess:Lambda/TorClient | Lambda | Lambda Network Activity Monitoring | High |
| UnauthorizedAccess:Lambda/TorRelay | Lambda | Lambda Network Activity Monitoring | High |
| CredentialAccess:RDS/AnomalousBehavior.FailedLogin | Supported Amazon Aurora databases | RDS Login Activity Monitoring | Low |
| CredentialAccess:RDS/AnomalousBehavior.SuccessfulBruteForce | Supported Amazon Aurora databases | RDS Login Activity Monitoring | High |
| CredentialAccess:RDS/AnomalousBehavior.SuccessfulLogin | Supported Amazon Aurora databases | RDS Login Activity Monitoring | Variable* |
| CredentialAccess:RDS/MaliciousIPCaller.FailedLogin | Supported Amazon Aurora databases | RDS Login Activity Monitoring | Medium |
| CredentialAccess:RDS/MaliciousIPCaller.SuccessfulLogin | Supported Amazon Aurora databases | RDS Login Activity Monitoring | High |
| CredentialAccess:RDS/TorIPCaller.FailedLogin | Supported Amazon Aurora databases | RDS Login Activity Monitoring | Medium |
| CredentialAccess:RDS/TorIPCaller.SuccessfulLogin | Supported Amazon Aurora databases | RDS Login Activity Monitoring | High |
| Discovery:RDS/MaliciousIPCaller | Supported Amazon Aurora databases | RDS Login Activity Monitoring | Medium |
| Discovery:RDS/TorIPCaller | Supported Amazon Aurora databases | RDS Login Activity Monitoring | Medium |
| Backdoor:Runtime/C&CActivity.B | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High |
| Backdoor:Runtime/C&CActivity.B!DNS | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High |
| CryptoCurrency:Runtime/BitcoinTool.B | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High |
| CryptoCurrency:Runtime/BitcoinTool.B!DNS | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High |
| DefenseEvasion:Runtime/FilelessExecution | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium |
| DefenseEvasion:Runtime/ProcessInjection.Proc | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High |
| DefenseEvasion:Runtime/ProcessInjection.Ptrace | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium |
| DefenseEvasion:Runtime/ProcessInjection.VirtualMemoryWrite | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High |
| DefenseEvasion:Runtime/PtraceAntiDebugging | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Low |
| DefenseEvasion:Runtime/SuspiciousCommand | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High |
| Execution:Runtime/MaliciousFileExecuted | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High |
| Execution:Runtime/NewBinaryExecuted | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium |
| Execution:Runtime/NewLibraryLoaded | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium |
| Execution:Runtime/SuspiciousCommand | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Variable |
| Execution:Runtime/SuspiciousTool | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Variable |
| Execution:Runtime/ReverseShell | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High |
| Impact:Runtime/AbusedDomainRequest.Reputation | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium |
| Impact:Runtime/BitcoinDomainRequest.Reputation | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High |
| Impact:Runtime/CryptoMinerExecuted | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High |
| Impact:Runtime/MaliciousDomainRequest.Reputation | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium |
| Impact:Runtime/SuspiciousDomainRequest.Reputation | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Low |
| PrivilegeEscalation:Runtime/CGroupsReleaseAgentModified | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High |
| PrivilegeEscalation:Runtime/ContainerMountsHostDirectory | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium |
| PrivilegeEscalation:Runtime/DockerSocketAccessed | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium |
| PrivilegeEscalation:Runtime/RuncContainerEscape | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High |
| PrivilegeEscalation:Runtime/UserfaultfdUsage | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium |
| Trojan:Runtime/BlackholeTraffic | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium |
| Trojan:Runtime/BlackholeTraffic!DNS | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium |
| Trojan:Runtime/DropPoint | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium |
| Trojan:Runtime/DGADomainRequest.C!DNS | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High |
| Trojan:Runtime/DriveBySourceTraffic!DNS | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High |
| Trojan:Runtime/DropPoint!DNS | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium |
| Trojan:Runtime/PhishingDomainRequest!DNS | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High |
| UnauthorizedAccess:Runtime/MetadataDNSRebind | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High |
| UnauthorizedAccess:Runtime/TorClient | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High |
| UnauthorizedAccess:Runtime/TorRelay | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High |
| Backdoor:EC2/C&CActivity.B | EC2 | VPC flow logs | High |
| Backdoor:EC2/DenialOfService.Dns | EC2 | VPC flow logs | High |
| Backdoor:EC2/DenialOfService.Tcp | EC2 | VPC flow logs | High |
| Backdoor:EC2/DenialOfService.Udp | EC2 | VPC flow logs | High |
| Backdoor:EC2/DenialOfService.UdpOnTcpPorts | EC2 | VPC flow logs | High |
| Backdoor:EC2/DenialOfService.UnusualProtocol | EC2 | VPC flow logs | High |
| Backdoor:EC2/Spambot | EC2 | VPC flow logs | Medium |
| Behavior:EC2/NetworkPortUnusual | EC2 | VPC flow logs | Medium |
| Behavior:EC2/TrafficVolumeUnusual | EC2 | VPC flow logs | Medium |
| CryptoCurrency:EC2/BitcoinTool.B | EC2 | VPC flow logs | High |
| DefenseEvasion:EC2/UnusualDNSResolver | EC2 | VPC flow logs | Medium |
| DefenseEvasion:EC2/UnusualDoHActivity | EC2 | VPC flow logs | Medium |
| DefenseEvasion:EC2/UnusualDoTActivity | EC2 | VPC flow logs | Medium |
| Impact:EC2/PortSweep | EC2 | VPC flow logs | High |
| Impact:EC2/WinRMBruteForce | EC2 | VPC flow logs | Low* |
| Recon:EC2/PortProbeEMRUnprotectedPort | EC2 | VPC flow logs | High |
| Recon:EC2/PortProbeUnprotectedPort | EC2 | VPC flow logs | Low* |
| Recon:EC2/Portscan | EC2 | VPC flow logs | Medium |
| Trojan:EC2/BlackholeTraffic | EC2 | VPC flow logs | Medium |
| Trojan:EC2/DropPoint | EC2 | VPC flow logs | Medium |
| UnauthorizedAccess:EC2/MaliciousIPCaller.Custom | EC2 | VPC flow logs | Medium |
| UnauthorizedAccess:EC2/RDPBruteForce | EC2 | VPC flow logs | Low* |
| UnauthorizedAccess:EC2/SSHBruteForce | EC2 | VPC flow logs | Low* |
| UnauthorizedAccess:EC2/TorClient | EC2 | VPC flow logs | High |
| UnauthorizedAccess:EC2/TorRelay | EC2 | VPC flow logs | High |