Finding types - Amazon GuardDuty
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Finding types

For information about important changes to the GuardDuty finding types, including newly added or retired finding types, see Document history for Amazon GuardDuty.

For information about retired finding types, see Retired finding types.

Findings by resource type

The following pages are broken down by each resource type that GuardDuty currently generates findings for. Each page contains detailed information on all finding types for that resource type.

Findings table

The following table lists all finding types by name, resource, data source, and severity. A severity marked with an asterisk (*) indicates that the finding has a variable severity depending on the circumstances of the finding, as described in the details for that finding. Choose the finding name to open more information about that finding.

| Finding type | Resource | Data source | Severity |
|---|---|---|---|
| Backdoor:EC2/C&CActivity.B | EC2 | VPC flow logs | High |
| Backdoor:EC2/C&CActivity.B!DNS | EC2 | DNS logs | High |
| Backdoor:EC2/DenialOfService.Dns | EC2 | VPC flow logs | High |
| Backdoor:EC2/DenialOfService.Tcp | EC2 | VPC flow logs | High |
| Backdoor:EC2/DenialOfService.Udp | EC2 | VPC flow logs | High |
| Backdoor:EC2/DenialOfService.UdpOnTcpPorts | EC2 | VPC flow logs | High |
| Backdoor:EC2/DenialOfService.UnusualProtocol | EC2 | VPC flow logs | High |
| Backdoor:EC2/Spambot | EC2 | VPC flow logs | Medium |
| Behavior:EC2/NetworkPortUnusual | EC2 | VPC flow logs | Medium |
| Behavior:EC2/TrafficVolumeUnusual | EC2 | VPC flow logs | Medium |
| CredentialAccess:IAMUser/AnomalousBehavior | IAM | CloudTrail management events | Medium |
| CredentialAccess:Kubernetes/MaliciousIPCaller | Kubernetes | Kubernetes audit logs | High |
| CredentialAccess:Kubernetes/MaliciousIPCaller.Custom | Kubernetes | Kubernetes audit logs | High |
| CredentialAccess:Kubernetes/SuccessfulAnonymousAccess | Kubernetes | Kubernetes audit logs | High |
| CredentialAccess:Kubernetes/TorIPCaller | Kubernetes | Kubernetes audit logs | High |
| CryptoCurrency:EC2/BitcoinTool.B | EC2 | VPC flow logs | High |
| CryptoCurrency:EC2/BitcoinTool.B!DNS | EC2 | DNS logs | High |
| DefenseEvasion:IAMUser/AnomalousBehavior | IAM | CloudTrail management events | Medium |
| DefenseEvasion:Kubernetes/MaliciousIPCaller | Kubernetes | Kubernetes audit logs | High |
| DefenseEvasion:Kubernetes/MaliciousIPCaller.Custom | Kubernetes | Kubernetes audit logs | High |
| DefenseEvasion:Kubernetes/SuccessfulAnonymousAccess | Kubernetes | Kubernetes audit logs | High |
| DefenseEvasion:Kubernetes/TorIPCaller | Kubernetes | Kubernetes audit logs | High |
| Discovery:IAMUser/AnomalousBehavior | IAM | CloudTrail management events | Low |
| Discovery:Kubernetes/MaliciousIPCaller | Kubernetes | Kubernetes audit logs | Medium |
| Discovery:Kubernetes/MaliciousIPCaller.Custom | Kubernetes | Kubernetes audit logs | Medium |
| Discovery:Kubernetes/SuccessfulAnonymousAccess | Kubernetes | Kubernetes audit logs | Medium |
| Discovery:Kubernetes/TorIPCaller | Kubernetes | Kubernetes audit logs | Medium |
| Discovery:S3/AnomalousBehavior | S3 | CloudTrail data events for S3 | Low |
| Discovery:S3/MaliciousIPCaller | S3 | CloudTrail data events for S3 | High |
| Discovery:S3/MaliciousIPCaller.Custom | S3 | CloudTrail data events for S3 | High |
| Discovery:S3/TorIPCaller | S3 | CloudTrail data events for S3 | Medium |
| Execution:Kubernetes/ExecInKubeSystemPod | Kubernetes | Kubernetes audit logs | Medium |
| Exfiltration:IAMUser/AnomalousBehavior | IAM | CloudTrail management events | High |
| Exfiltration:S3/AnomalousBehavior | S3 | CloudTrail data events for S3 | High |
| Exfiltration:S3/MaliciousIPCaller | S3 | CloudTrail data events for S3 | High |
| Impact:EC2/AbusedDomainRequest.Reputation | EC2 | DNS logs | Medium |
| Impact:EC2/BitcoinDomainRequest.Reputation | EC2 | DNS logs | High |
| Impact:EC2/MaliciousDomainRequest.Reputation | EC2 | DNS logs | High |
| Impact:EC2/PortSweep | EC2 | VPC flow logs | High |
| Impact:EC2/SuspiciousDomainRequest.Reputation | EC2 | DNS logs | Low |
| Impact:EC2/WinRMBruteForce | EC2 | VPC flow logs | Low* |
| Impact:IAMUser/AnomalousBehavior | IAM | CloudTrail management events | High |
| Impact:Kubernetes/MaliciousIPCaller | Kubernetes | Kubernetes audit logs | High |
| Impact:Kubernetes/MaliciousIPCaller.Custom | Kubernetes | Kubernetes audit logs | High |
| Impact:Kubernetes/SuccessfulAnonymousAccess | Kubernetes | Kubernetes audit logs | High |
| Impact:Kubernetes/TorIPCaller | Kubernetes | Kubernetes audit logs | High |
| Impact:S3/AnomalousBehavior.Delete | S3 | CloudTrail data events for S3 | High |
| Impact:S3/AnomalousBehavior.Permission | S3 | CloudTrail data events for S3 | High |
| Impact:S3/AnomalousBehavior.Write | S3 | CloudTrail data events for S3 | Medium |
| Impact:S3/MaliciousIPCaller | S3 | CloudTrail data events for S3 | High |
| InitialAccess:IAMUser/AnomalousBehavior | IAM | CloudTrail management events | Medium |
| PenTest:IAMUser/KaliLinux | IAM | CloudTrail management events | Medium |
| PenTest:IAMUser/ParrotLinux | IAM | CloudTrail management events | Medium |
| PenTest:IAMUser/PentooLinux | IAM | CloudTrail management events | Medium |
| PenTest:S3/KaliLinux | S3 | CloudTrail data events for S3 | Medium |
| PenTest:S3/ParrotLinux | S3 | CloudTrail data events for S3 | Medium |
| PenTest:S3/PentooLinux | S3 | CloudTrail data events for S3 | Medium |
| Persistence:IAMUser/AnomalousBehavior | IAM | CloudTrail management events | Medium |
| Persistence:Kubernetes/ContainerWithSensitiveMount | Kubernetes | Kubernetes audit logs | Medium |
| Persistence:Kubernetes/MaliciousIPCaller | Kubernetes | Kubernetes audit logs | Medium |
| Persistence:Kubernetes/MaliciousIPCaller.Custom | Kubernetes | Kubernetes audit logs | Medium |
| Persistence:Kubernetes/SuccessfulAnonymousAccess | Kubernetes | Kubernetes audit logs | High |
| Persistence:Kubernetes/TorIPCaller | Kubernetes | Kubernetes audit logs | Medium |
| Policy:IAMUser/RootCredentialUsage | IAM | CloudTrail management events or CloudTrail data events for S3 | Low |
| Policy:Kubernetes/AdminAccessToDefaultServiceAccount | Kubernetes | Kubernetes audit logs | High |
| Policy:Kubernetes/AnonymousAccessGranted | Kubernetes | Kubernetes audit logs | High |
| Policy:Kubernetes/KubeflowDashboardExposed | Kubernetes | Kubernetes audit logs | Medium |
| Policy:Kubernetes/ExposedDashboard | Kubernetes | Kubernetes audit logs | Medium |
| Policy:S3/AccountBlockPublicAccessDisabled | S3 | CloudTrail management events | Low |
| Policy:S3/BucketAnonymousAccessGranted | S3 | CloudTrail management events | High |
| Policy:S3/BucketBlockPublicAccessDisabled | S3 | CloudTrail management events | Low |
| Policy:S3/BucketPublicAccessGranted | S3 | CloudTrail management events | High |
| PrivilegeEscalation:IAMUser/AnomalousBehavior | IAM | CloudTrail management events | Medium |
| PrivilegeEscalation:Kubernetes/PrivilegedContainer | Kubernetes | Kubernetes audit logs | Medium |
| Recon:EC2/PortProbeEMRUnprotectedPort | EC2 | VPC flow logs | High |
| Recon:EC2/PortProbeUnprotectedPort | EC2 | VPC flow logs | Low* |
| Recon:EC2/Portscan | EC2 | VPC flow logs | Medium |
| Recon:IAMUser/MaliciousIPCaller | IAM | CloudTrail management events | Medium |
| Recon:IAMUser/MaliciousIPCaller.Custom | IAM | CloudTrail management events | Medium |
| Recon:IAMUser/TorIPCaller | IAM | CloudTrail management events | Medium |
| Stealth:IAMUser/CloudTrailLoggingDisabled | IAM | CloudTrail management events | Low |
| Stealth:IAMUser/PasswordPolicyChange | IAM | CloudTrail management events | Low* |
| Stealth:S3/ServerAccessLoggingDisabled | S3 | CloudTrail management events | Low |
| Trojan:EC2/BlackholeTraffic | EC2 | VPC flow logs | Medium |
| Trojan:EC2/BlackholeTraffic!DNS | EC2 | DNS logs | Medium |
| Trojan:EC2/DGADomainRequest.B | EC2 | DNS logs | High |
| Trojan:EC2/DGADomainRequest.C!DNS | EC2 | DNS logs | High |
| Trojan:EC2/DNSDataExfiltration | EC2 | DNS logs | High |
| Trojan:EC2/DriveBySourceTraffic!DNS | EC2 | DNS logs | High |
| Trojan:EC2/DropPoint | EC2 | VPC flow logs | Medium |
| Trojan:EC2/DropPoint!DNS | EC2 | DNS logs | Medium |
| Trojan:EC2/PhishingDomainRequest!DNS | EC2 | DNS logs | High |
| UnauthorizedAccess:EC2/MaliciousIPCaller.Custom | EC2 | VPC flow logs | Medium |
| UnauthorizedAccess:EC2/MetadataDNSRebind | EC2 | DNS logs | High |
| UnauthorizedAccess:EC2/RDPBruteForce | EC2 | VPC flow logs | Low* |
| UnauthorizedAccess:EC2/SSHBruteForce | EC2 | VPC flow logs | Low* |
| UnauthorizedAccess:EC2/TorClient | EC2 | VPC flow logs | High |
| UnauthorizedAccess:EC2/TorRelay | EC2 | VPC flow logs | High |
| UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B | IAM | CloudTrail management events | Medium |
| UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS | IAM | CloudTrail management events | High* |
| UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS | IAM | CloudTrail management events or CloudTrail data events for S3 | High |
| UnauthorizedAccess:IAMUser/MaliciousIPCaller | IAM | CloudTrail management events | Medium |
| UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom | IAM | CloudTrail management events | Medium |
| UnauthorizedAccess:IAMUser/TorIPCaller | IAM | CloudTrail management events | Medium |
| UnauthorizedAccess:S3/MaliciousIPCaller.Custom | S3 | CloudTrail data events for S3 | High |
| UnauthorizedAccess:S3/TorIPCaller | S3 | CloudTrail data events for S3 | High |
| Execution:EC2/MaliciousFile | EC2 | EBS volumes | Varies depending on the detected threat |
| Execution:ECS/MaliciousFile | ECS | EBS volumes | Varies depending on the detected threat |
| Execution:Kubernetes/MaliciousFile | Kubernetes | EBS volumes | Varies depending on the detected threat |
| Execution:Container/MaliciousFile | Container | EBS volumes | Varies depending on the detected threat |
| Execution:EC2/SuspiciousFile | EC2 | EBS volumes | Varies depending on the detected threat |
| Execution:ECS/SuspiciousFile | ECS | EBS volumes | Varies depending on the detected threat |
| Execution:Kubernetes/SuspiciousFile | Kubernetes | EBS volumes | Varies depending on the detected threat |
| Execution:Container/SuspiciousFile | Container | EBS volumes | Varies depending on the detected threat |