Finding details
In the Amazon GuardDuty console, you can view finding details in the finding summary section. Finding details vary based on the finding type.
There are two primary details that determine what kind of information is available for any finding. The first is the resource type, which can be Instance, AccessKey, S3Bucket, S3Object, KubernetesCluster, ECSCluster, Container, RDSDBInstance, RDSLimitlessDB, or Lambda. The second detail that determines finding information is Resource Role. Resource role can be Target, meaning the resource was the target of suspicious activity. For instance type findings, resource role can also be Actor, which means that your resource was the actor carrying out suspicious activity. This topic describes some of the commonly available details for findings. For GuardDuty Runtime Monitoring finding types and the Malware Protection for S3 finding type, the resource role is not populated.
Finding overview
A finding's Overview section contains the most basic identifying features of the finding, including the following information:
- Account ID – The ID of the Amazon account in which the activity took place that prompted GuardDuty to generate this finding.
- Count – The number of times GuardDuty has aggregated an activity matching this pattern to this finding ID.
- Created at – The time and date when this finding was first created. If this value differs from Updated at, it indicates that the activity has occurred multiple times and is an ongoing issue.
  Note
  Timestamps for findings in the GuardDuty console appear in your local time zone, while JSON exports and CLI outputs display timestamps in UTC.
- Finding ID – A unique identifier for this finding type and set of parameters. New occurrences of activity matching this pattern will be aggregated to the same ID.
- Finding type – A formatted string representing the type of activity that triggered the finding. For more information, see GuardDuty finding format.
- Region – The Amazon Region in which the finding was generated. For more information about supported Regions, see Regions and endpoints.
- Resource ID – The ID of the Amazon resource against which the activity took place that prompted GuardDuty to generate this finding.
- Scan ID – Applicable to findings when GuardDuty Malware Protection for EC2 is enabled, this is an identifier of the malware scan that runs on the EBS volumes attached to the potentially compromised EC2 instance or container workload. For more information, see Malware Protection for EC2 finding details.
- Severity – A finding's assigned severity level of either Critical, High, Medium, or Low. For more information, see Findings severity levels.
- Updated at – The last time this finding was updated with new activity matching the pattern that prompted GuardDuty to generate this finding.
Resource
The Resource affected gives details about the Amazon resource that was targeted by the initiating activity. The information available varies based on resource type and action type.
Resource role – The role of the Amazon resource that initiated the finding. This value can be TARGET or ACTOR, and represents whether your resource was the target of the suspicious activity or the actor that performed the suspicious activity.
Resource type – The type of the affected resource. If multiple resources were involved, a finding can include multiple resource types. The resource types are Instance, AccessKey, S3Bucket, S3Object, KubernetesCluster, ECSCluster, Container, RDSDBInstance, RDSLimitlessDB, and Lambda. Depending on the resource type, different finding details are available. Select a resource option tab to learn about the details available for that resource.
Attack sequence finding details
GuardDuty provides details for each finding it generates in your account. These details help you understand the reasons behind the finding. This section focuses on details associated with Attack sequence finding types. This includes insights such as potentially impacted resources, timeline of events, indicators, signals, and endpoints involved in the finding.
To view details associated with signals that are GuardDuty findings, see the associated sections on this page.
In the GuardDuty console, when you select an attack sequence finding, the details side panel is divided into the following tabs:
- Overview – Provides a compact view of the attack sequence details, including signals, MITRE tactics, and potentially impacted resources.
- Signals – Displays a timeline of events that are involved in an attack sequence.
- Resources – Provides information about the potentially impacted resources, or the resources that are potentially at risk.
The following list provides descriptions associated with the attack sequence finding details.
- Signals – A signal could be an API activity or a finding that GuardDuty uses to detect an attack sequence finding. GuardDuty considers weak signals that don't present themselves as a clear threat, pieces them together, and correlates them with individually generated findings. For more context, the Signals tab provides a timeline of the signals, as observed by GuardDuty.
  Each signal that is a GuardDuty finding has its own severity level and value assigned to it. In the GuardDuty console, you can select each signal to view the associated details.
- Actors – Provides details about the threat actors in an attack sequence. For more information, see Actor in Amazon GuardDuty API Reference.
- Endpoints – Provides details about the network endpoints that were used in this attack sequence. For more information, see NetworkEndpoint in Amazon GuardDuty API Reference. For information about how GuardDuty determines location, see .
- Indicators – Includes observed data that matches the pattern of a security issue. This data explains why GuardDuty sees an indication of potentially suspicious activity. For example, when the indicator name is HIGH_RISK_API, this indicates an action commonly used by threat actors, or a sensitive action that may cause potential impact to an Amazon Web Services account, such as accessing credentials or modifying a resource. The following are the potential indicators and their descriptions:
  - SUSPICIOUS_USER_AGENT – The user agent is associated with potentially known suspicious or exploited applications, such as Amazon S3 clients and attack tools.
  - SUSPICIOUS_NETWORK – The network is associated with known low reputation scores, such as risky virtual private network (VPN) providers and proxy services.
  - MALICIOUS_IP – The IP address has confirmed threat intelligence indicating malicious intent.
  - TOR_IP – The IP address is associated with a Tor exit node.
  - HIGH_RISK_API – The Amazon API, identified by the Amazon Web Services service name and eventName, indicates an action commonly used by threat actors, or is a sensitive action that may cause potential impact to an Amazon Web Services account, such as credential access or resource modification.
  - ATTACK_TACTIC – The MITRE tactics, such as Discovery and Impact.
  - ATTACK_TECHNIQUE – The MITRE technique used by the threat actor in an attack sequence. Examples include gaining access to resources and using them in an unintended way, and exploiting vulnerabilities.
  - UNUSUAL_API_FOR_ACCOUNT – Indicates that the Amazon API was invoked anomalously, based on the account's historical baseline. For more information, see Anomalous behavior.
  - UNUSUAL_ASN_FOR_ACCOUNT – Indicates that the Autonomous System Number (ASN) was identified as anomalous, based on the account's historical baseline. For more information, see Anomalous behavior.
  - UNUSUAL_ASN_FOR_USER – Indicates that the Autonomous System Number (ASN) was identified as anomalous, based on the user's historical baseline. For more information, see Anomalous behavior.
  MITRE tactics
  This field specifies the MITRE ATT&CK tactics that the threat actor attempts through an attack sequence. GuardDuty uses the MITRE ATT&CK framework to add context to the entire attack sequence. The colors that the GuardDuty console uses to mark the threat purposes used by the threat actor align with the colors that indicate the Critical, High, Medium, and Low finding severity levels.
- Network indicators – Indicators include a combination of network indicator values that explain why a network is indicative of suspicious behavior. This section is applicable only when the Indicator includes SUSPICIOUS_NETWORK or MALICIOUS_IP. The following example shows how network indicators might be associated with an indicator, where:
  - AnyCompany is an Autonomous System (AS).
  - TUNNEL_VPN, IS_ANONYMOUS, and ALLOWS_FREE_ACCESS are the network indicators.

      ...
      {
        "key": "SUSPICIOUS_NETWORK",
        "values": [
          {
            "AnyCompany": [
              "TUNNEL_VPN",
              "IS_ANONYMOUS",
              "ALLOWS_FREE_ACCESS"
            ]
          }
        ]
      }
      ...

  The following are the network indicator values and their descriptions. These tags are added based on the threat intelligence GuardDuty collects from sources such as Spur.
  - TUNNEL_VPN – Network or IP address is associated with a VPN tunnel type. This refers to a specific protocol that helps establish a secure, encrypted connection between two points over a public network.
  - TUNNEL_PROXY – Network or IP address is associated with a Proxy tunnel type. This refers to a specific protocol that helps establish a connection through a proxy server.
  - TUNNEL_RDP – Network or IP address is associated with using a method of encapsulating remote desktop (RDP) traffic within another protocol to enhance security, bypass network restrictions, or enable remote access through firewalls.
  - IS_ANONYMOUS – Network or IP address is associated with known anonymous or proxy services. This may indicate potentially suspicious activity hiding behind anonymous networks.
  - KNOWN_THREAT_OPERATOR – Network or IP address is associated with a known risky tunnel provider. This indicates that suspicious activity has been detected from an IP address that is linked to a VPN, proxy, or other tunneling service frequently used for malicious purposes.
  - ALLOWS_FREE_ACCESS – Network or IP address is associated with a tunnel operator that allows access to its service without requiring authentication or payment. It might also include trial accounts or limited usage experiences offered by various online services.
  - ALLOWS_CRYPTO – Network or IP address is associated with a tunnel provider (such as a VPN or proxy service) that exclusively accepts cryptocurrency or other digital currencies as the method of payment.
  - ALLOWS_TORRENTS – Network or IP address is associated with services or platforms that allow torrent traffic. Such services are often associated with torrenting and copyright circumvention activities.
  - RISK_CALLBACK_PROXY – Network or IP address is associated with devices known to route traffic for residential proxies, malware proxies, or other callback proxy-type networks. This doesn't imply all activity on the network is proxy-related, but rather that the network has the capability to route traffic on behalf of these proxy networks.
  - RISK_GEO_MISMATCH – This indicator suggests that the datacenter or hosting location of a network differs from the expected location of the users and devices behind it. If this indicator value is not present, it doesn't mean that there is no mismatch. It might imply that there is insufficient data to confirm the discrepancy.
  - IS_SCANNER – Network or IP address is associated with conducting persistent login attempts against web forms.
  - RISK_WEB_SCRAPING – Network or IP address is associated with automated web clients and other programmatic web activities.
  - CLIENT_BEHAVIOR_FILE_SHARING – Network or IP address is associated with client behavior indicative of file sharing activities, such as peer-to-peer (P2P) networks or file sharing protocols.
  - CATEGORY_COMMERCIAL_VPN – Network or IP address is associated with a tunnel operator that is categorized as a traditional Commercial Virtual Private Network (VPN) service operating within datacenter space.
  - CATEGORY_FREE_VPN – Network or IP address is associated with a tunnel operator that is categorized as a completely free VPN service.
  - CATEGORY_RESIDENTIAL_PROXY – Network or IP address is associated with a tunnel operator that is categorized as an SDK, malware, or get-paid-to sourced proxy service.
  - OPERATOR_XXX – The name of the service provider that is operating this tunnel.
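An added example (not AWS's code) that turns an attack-sequence finding's indicator list, like the SUSPICIOUS_NETWORK snippet above, into a compact triage summary covering both the indicator names and the network indicator tags. The layout of `values` (plain strings, or a single-key map from an AS name to its tags, as in the snippet) and the HIGH_RISK_API value format are assumptions; the sample indicators are constructed.

```python
"""Triage helper for GuardDuty attack-sequence indicators (added example).

The indicator list below is a constructed sample shaped like the `indicators`
array this page describes. Assumption: each `values` entry is either a plain
string or a single-key mapping of an Autonomous System name to its network
indicator tags, as in the SUSPICIOUS_NETWORK snippet on this page.
"""
from collections import defaultdict

# Network indicator tags documented on this page, grouped by what they imply.
ANONYMITY_TAGS = {"TUNNEL_VPN", "TUNNEL_PROXY", "TUNNEL_RDP", "IS_ANONYMOUS",
                  "CATEGORY_COMMERCIAL_VPN", "CATEGORY_FREE_VPN",
                  "CATEGORY_RESIDENTIAL_PROXY", "RISK_CALLBACK_PROXY"}
ABUSE_TAGS = {"KNOWN_THREAT_OPERATOR", "IS_SCANNER", "RISK_WEB_SCRAPING",
              "ALLOWS_FREE_ACCESS", "ALLOWS_CRYPTO"}
# The page says per-network tags appear only under these two indicator keys.
NETWORK_KEYS = {"SUSPICIOUS_NETWORK", "MALICIOUS_IP"}

SAMPLE_INDICATORS = [  # constructed sample, not a real finding
    {"key": "HIGH_RISK_API", "values": ["iam:CreateAccessKey", "s3:PutBucketPolicy"]},
    {"key": "SUSPICIOUS_NETWORK",
     "values": [{"AnyCompany": ["TUNNEL_VPN", "IS_ANONYMOUS", "ALLOWS_FREE_ACCESS"]}]},
    {"key": "TOR_IP", "values": ["198.51.100.7"]},
    {"key": "UNUSUAL_ASN_FOR_ACCOUNT", "values": ["AS64496"]},
]


def network_tags(indicators):
    """Return {as_name: set(tags)} for SUSPICIOUS_NETWORK / MALICIOUS_IP entries.

    Values that are plain strings (no per-AS mapping) are filed under the
    indicator key itself so nothing is silently dropped.
    """
    tags = defaultdict(set)
    for ind in indicators:
        if ind.get("key") not in NETWORK_KEYS:
            continue
        for value in ind.get("values", []):
            if isinstance(value, dict):
                for as_name, as_tags in value.items():
                    tags[as_name].update(as_tags)
            else:
                tags[ind["key"]].add(str(value))
    return dict(tags)


def summarize(indicators):
    """Build a triage summary: which indicators fired and what the network tags say."""
    keys = [ind["key"] for ind in indicators]
    nets = network_tags(indicators)
    all_tags = set().union(*nets.values()) if nets else set()
    operators = {t.removeprefix("OPERATOR_") for t in all_tags if t.startswith("OPERATOR_")}
    return {
        "indicator_keys": keys,
        "high_risk_apis": [v for i in indicators if i["key"] == "HIGH_RISK_API"
                           for v in i["values"]],
        "tor_or_malicious_ip": any(k in ("TOR_IP", "MALICIOUS_IP") for k in keys),
        "anonymity_tags": sorted(all_tags & ANONYMITY_TAGS),
        "abuse_tags": sorted(all_tags & ABUSE_TAGS),
        "tunnel_operators": sorted(operators),
        # UNUSUAL_* keys mean the ML baseline, not threat intel, raised the flag.
        "baseline_deviation": any(k.startswith("UNUSUAL_") for k in keys),
        "networks": {k: sorted(v) for k, v in nets.items()},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_INDICATORS), indent=2))
```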
RDS database (DB) user details
Note
This section is applicable to findings when you enable the RDS Protection feature in GuardDuty. For more information, see GuardDuty RDS Protection.
The GuardDuty finding provides the following user and authentication details of the potentially compromised database:
- User – The user name used to make the anomalous login attempt.
- Application – The application name used to make the anomalous login attempt.
- Database – The name of the database instance involved in the anomalous login attempt.
- SSL – The version of the Secure Socket Layer (SSL) used for the network.
- Auth method – The authentication method used by the user involved in the finding.
For information about the potentially compromised resource, see Resource.
Runtime Monitoring finding details
Note
These details may be available only if GuardDuty generates one of the GuardDuty Runtime Monitoring finding types.
This section contains the runtime details such as process details and any required context. Process details describe information about the observed process, and runtime context describes any additional information about the potentially suspicious activity.
Process details
- Name – The name of the process.
- Executable path – The absolute path of the process executable file.
- Executable SHA-256 – The SHA256 hash of the process executable.
- Namespace PID – The process ID of the process in a secondary PID namespace other than the host level PID namespace. For processes inside a container, it is the process ID observed inside the container.
- Present working directory – The present working directory of the process.
- Process ID – The ID assigned to the process by the operating system.
- startTime – The time when the process started. This is in UTC date string format (2023-03-22T19:37:20.168Z).
- UUID – The unique ID assigned to the process by GuardDuty.
- Parent UUID – The unique ID of the parent process. This ID is assigned to the parent process by GuardDuty.
- User – The user that executed the process.
- User ID – The ID of the user that executed the process.
- Effective user ID – The effective user ID of the process at the time of the event.
- Lineage – Information about the ancestors of the process.
  - Process ID – The ID assigned to the process by the operating system.
  - UUID – The unique ID assigned to the process by GuardDuty.
  - Executable path – The absolute path of the process executable file.
  - Effective user ID – The effective user ID of the process at the time of the event.
  - Parent UUID – The unique ID of the parent process. This ID is assigned to the parent process by GuardDuty.
  - Start Time – The time when the process started.
  - Namespace PID – The process ID of the process in a secondary PID namespace other than the host level PID namespace. For processes inside a container, it is the process ID observed inside the container.
  - User ID – The user ID of the user that executed the process.
  - Name – Name of the process.
Runtime context
From the following fields, a generated finding may include only those fields that are relevant to the finding type.
- Mount Source – The path on the host that is mounted by the container.
- Mount Target – The path in the container that is mapped to the host directory.
- Filesystem Type – Represents the type of the mounted filesystem.
- Flags – Represents options that control the behavior of the event involved in this finding.
- Modifying Process – Information about the process that created or modified a binary, script, or a library, inside a container at runtime.
- Modified At – The timestamp at which the process created or modified a binary, script, or library inside a container at runtime. This field is in the UTC date string format (2023-03-22T19:37:20.168Z).
- Library Path – The path to the new library that was loaded.
- LD Preload Value – The value of the LD_PRELOAD environment variable.
- Socket Path – The path to the Docker socket that was accessed.
- Runc Binary Path – The path to the runc binary.
- Release Agent Path – The path to the cgroup release agent file.
- Command Line Example – The example of the command line involved in the potentially suspicious activity.
- Tool Category – Category that the tool belongs to. Some of the examples are Backdoor Tool, Pentest Tool, Network Scanner, and Network Sniffer.
- Tool Name – The name of the potentially suspicious tool.
- Script Path – The path to the executed script that generated the finding.
- Threat File Path – The suspicious path for which the threat intelligence details were found.
- Service Name – The name of the security service that has been disabled.
EBS volumes scan details
Note
This section is applicable to findings when you turn on the GuardDuty-initiated malware scan in Malware Protection for EC2.
The EBS volumes scan provides details about the EBS volume attached to the potentially compromised EC2 instance or container workload.
- Scan ID – The identifier of the malware scan.
- Scan started at – The date and time when the malware scan started.
- Scan completed at – The date and time when the malware scan completed.
- Trigger Finding ID – The finding ID of the GuardDuty finding that initiated this malware scan.
- Sources – The potential values are Bitdefender and Amazon. For more information about the scan engine used to detect malware, see GuardDuty malware detection scan engine.
- Scan detections – The complete view of details and results for each malware scan.
  - Scanned item count – The total number of scanned files. It provides details such as totalGb, files, and volumes.
  - Threats detected item count – The total number of malicious files detected during the scan.
  - Highest severity threat details – The details of the highest severity threat detected during the scan and the number of malicious files. It provides details such as severity, threatName, and count.
  - Threats detected by Name – The container element grouping threats of all severity levels. It provides details such as itemCount, uniqueThreatNameCount, shortened, and threatNames.
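An added example (not AWS's code) that flattens the EBS volumes scan details above into the figures an analyst checks first, including the `shortened` case where the per-name counts cannot add up. The field names come from this page; the nesting of the per-threat file entries (filePath, volumeArn, hash, fileName under each threatNames item) is an assumption, and the sample scan is constructed with placeholder IDs and hashes.

```python
"""Summarize a GuardDuty Malware Protection for EC2 (EBS volume) scan.

Added example. SAMPLE_SCAN is constructed from the ebsVolumeScanDetails
fields listed on this page; the exact nesting of per-threat file entries is
an assumption to check against a real exported finding.
"""
from collections import defaultdict
from datetime import datetime, timezone

VOL_A = "arn:aws-cn:ec2:cn-north-1:111122223333:volume/vol-PLACEHOLDER"  # placeholder ARN
SAMPLE_SCAN = {  # constructed sample; IDs and hashes are placeholders
    "scanId": "SCAN-ID-PLACEHOLDER",
    "scanStartedAt": "2023-03-22T19:37:20.168Z",
    "scanCompletedAt": "2023-03-22T19:52:03.000Z",
    "triggerFindingId": "TRIGGER-FINDING-ID-PLACEHOLDER",
    "sources": ["Bitdefender", "Amazon"],
    "scanDetections": {
        "scannedItemCount": {"totalGb": 8, "files": 120543, "volumes": 1},
        "threatsDetectedItemCount": {"files": 3},
        "highestSeverityThreatDetails": {"severity": "HIGH", "threatName": "Example.Trojan.A", "count": 2},
        "threatDetectedByName": {
            "itemCount": 3, "uniqueThreatNameCount": 2, "shortened": False,
            "threatNames": [
                {"name": "Example.Trojan.A", "severity": "HIGH", "itemCount": 2, "filePaths": [
                    {"filePath": "/tmp/.cache/kit", "fileName": "kit", "volumeArn": VOL_A, "hash": "SHA256-PLACEHOLDER-1"},
                    {"filePath": "/opt/app/loader.so", "fileName": "loader.so", "volumeArn": VOL_A, "hash": "SHA256-PLACEHOLDER-2"}]},
                {"name": "Example.Miner.B", "severity": "MEDIUM", "itemCount": 1, "filePaths": [
                    {"filePath": "/var/tmp/run", "fileName": "run", "volumeArn": VOL_A, "hash": "SHA256-PLACEHOLDER-3"}]},
            ],
        },
    },
}


def parse_utc(ts):
    """Parse the UTC date string format used in findings (2023-03-22T19:37:20.168Z)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def scan_duration_seconds(scan):
    """Wall-clock scan time in seconds, from the started/completed timestamps."""
    delta = parse_utc(scan["scanCompletedAt"]) - parse_utc(scan["scanStartedAt"])
    return round(delta.total_seconds(), 3)


def threats_by_volume(scan):
    """Group detected files by the EBS volume ARN they were found on."""
    out = defaultdict(list)
    for threat in scan["scanDetections"]["threatDetectedByName"]["threatNames"]:
        for f in threat.get("filePaths", []):
            out[f["volumeArn"]].append({"threat": threat["name"], "severity": threat["severity"],
                                        "path": f["filePath"], "sha256": f["hash"]})
    return dict(out)


def summarize_scan(scan):
    """Flatten the scan into the figures an analyst checks first."""
    det = scan["scanDetections"]
    by_name = det["threatDetectedByName"]
    listed = sum(t["itemCount"] for t in by_name["threatNames"])
    return {
        "scan_id": scan["scanId"],
        "trigger_finding_id": scan["triggerFindingId"],
        "engines": scan["sources"],
        "duration_s": scan_duration_seconds(scan),
        "files_scanned": det["scannedItemCount"]["files"],
        "total_gb": det["scannedItemCount"]["totalGb"],
        "threat_files": det["threatsDetectedItemCount"]["files"],
        "highest": det["highestSeverityThreatDetails"],
        # `shortened` true means threatNames was truncated, so per-name counts
        # legitimately will not add up to threatsDetectedItemCount.
        "list_truncated": by_name["shortened"],
        "counts_consistent": by_name["shortened"] or listed == det["threatsDetectedItemCount"]["files"],
        "by_volume": threats_by_volume(scan),
    }
```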
Malware Protection for EC2 finding details
Note
This section is applicable to findings when you turn on the GuardDuty-initiated malware scan in Malware Protection for EC2.
When the Malware Protection for EC2 scan detects malware, you can view the scan details by selecting the corresponding finding on the Findings page in the GuardDuty console (https://console.amazonaws.cn/guardduty/).
The following information is available under the Threats detected section in the details panel.
- Name – The name of the threat, obtained by grouping the files by detection.
- Severity – The severity of the threat detected.
- Hash – The SHA-256 of the file.
- File path – The location of the malicious file in the EBS volume.
- File name – The name of the file in which the threat was detected.
- Volume ARN – The ARN of the scanned EBS volumes.
The following information is available under the Malware scan details section in the details panel.
- Scan ID – The scan ID of the malware scan.
- Scan started at – The date and time when the scan started.
- Scan completed at – The date and time when the scan completed.
- Files scanned – The total number of scanned files and directories.
- Total GB scanned – The amount of storage scanned during the process.
- Trigger finding ID – The finding ID of the GuardDuty finding that initiated this malware scan.
The following information is available under the Volume details section in the details panel.
- Volume ARN – The Amazon Resource Name (ARN) of the volume.
- SnapshotARN – The ARN of the snapshot of the EBS volume.
- Status – The scan status of the volume, such as Running, Skipped, and Completed.
- Encryption type – The type of encryption used to encrypt the volume. For example, CMCMK.
- Device name – The name of the device. For example, /dev/xvda.
Malware Protection for S3 finding details
The following malware scan details are available when you enable both GuardDuty and Malware Protection for S3 in your Amazon Web Services account:
- Threats – A list of threats detected during the malware scan.
  Multiple potential threats in archive files
  If you have an archive file with potentially multiple threats in it, Malware Protection for S3 reports only the first detected threat. After this, the scan status is marked as complete. GuardDuty generates the associated finding type and also sends the EventBridge events that it generates. For more information about monitoring the Amazon S3 object scans using the EventBridge events, see the sample notification schema for THREATS_FOUND in S3 object scan result.
- Item path – A list of nested item path and hash details of the scanned S3 object.
  - Nested item path – Item path of the scanned S3 object where the threat was detected. The value of this field is available only if the top-level object is an archive and if a threat is detected inside the archive.
  - Hash – Hash of the threat detected in this finding.
- Sources – The potential values are Bitdefender and Amazon. For more information about the scan engine used to detect malware, see GuardDuty malware detection scan engine.
Action
A finding's Action gives details about the type of activity that triggered the finding. The information available varies based on action type.
Action type – The finding activity type. This value can be NETWORK_CONNECTION, PORT_PROBE, DNS_REQUEST, AWS_API_CALL, or RDS_LOGIN_ATTEMPT. The information available varies based on action type:
- NETWORK_CONNECTION – Indicates that network traffic was exchanged between the identified EC2 instance and the remote host. This action type has the following additional information:
  - Connection direction – The network connection direction observed in the activity that prompted GuardDuty to generate the finding. The values can be one of the following:
    - INBOUND – Indicates that a remote host initiated a connection to a local port on the identified EC2 instance in your account.
    - OUTBOUND – Indicates that the identified EC2 instance initiated a connection to a remote host.
    - UNKNOWN – Indicates that GuardDuty could not determine the direction of the connection.
  - Protocol – The network connection protocol observed in the activity that prompted GuardDuty to generate the finding.
  - Local IP – The original source IP address of the traffic that triggered the finding. This info can be used to distinguish between the IP address of an intermediate layer through which traffic flows, and the original source IP address of the traffic that triggered the finding. For example, the IP address of an EKS pod as opposed to the IP address of the instance on which the EKS pod is running.
  - Blocked – Indicates whether the targeted port is blocked.
- PORT_PROBE – Indicates that a remote host probed the identified EC2 instance on multiple open ports. This action type has the following additional information:
  - Local IP – The original source IP address of the traffic that triggered the finding. This info can be used to distinguish between the IP address of an intermediate layer through which traffic flows, and the original source IP address of the traffic that triggered the finding. For example, the IP address of an EKS pod as opposed to the IP address of the instance on which the EKS pod is running.
  - Blocked – Indicates whether the targeted port is blocked.
- DNS_REQUEST – Indicates that the identified EC2 instance queried a domain name. This action type has the following additional information:
  - Protocol – The network connection protocol observed in the activity that prompted GuardDuty to generate the finding.
  - Blocked – Indicates whether the targeted port is blocked.
- AWS_API_CALL – Indicates that an Amazon API was invoked. This action type has the following additional information:
  - API – The name of the API operation that was invoked and thus prompted GuardDuty to generate this finding.
    Note
    These operations can also include non-API events captured by Amazon CloudTrail. For more information, see Non-API events captured by CloudTrail.
  - User Agent – The user agent that made the API request. This value tells you whether the call was made from the Amazon Web Services Management Console, an Amazon service, the Amazon SDKs, or the Amazon CLI.
  - ERROR CODE – If the finding was triggered by a failed API call, this displays the error code for that call.
  - Service name – The DNS name of the service that attempted to make the API call that triggered the finding.
- RDS_LOGIN_ATTEMPT – Indicates that a login attempt was made to the potentially compromised database from a remote IP address.
  - IP address – The remote IP address that was used to make the potentially suspicious login attempt.
Actor or Target
A finding has an Actor section if the Resource role was TARGET. This indicates that your resource was targeted by suspicious activity, and the Actor section contains details about the entity that targeted your resource.
A finding has a Target section if the Resource role was ACTOR. This indicates that your resource was involved in suspicious activity against a remote host, and this section contains information on the IP or domain that your resource targeted.
The information available in the Actor or Target section can include the following:
- Affiliated – Details about whether the Amazon account of the remote API caller is related to your GuardDuty environment. If this value is true, the API caller is affiliated to your account in some manner; if false, the API caller is from outside your environment.
- Remote Account ID – The account ID that owns the outbound IP address that was used to access the resource at the final network.
- IP address – The IP address involved in the activity that prompted GuardDuty to generate the finding.
- Location – Location information for the IP address involved in the activity that prompted GuardDuty to generate the finding.
- Organization – ISP organization information of the IP address involved in the activity that prompted GuardDuty to generate the finding.
- Port – The port number involved in the activity that prompted GuardDuty to generate the finding.
- Domain – The domain involved in the activity that prompted GuardDuty to generate the finding.
- Domain with suffix – The second- and top-level domain involved in an activity that potentially prompted GuardDuty to generate the finding. For a list of top-level and second-level domains, see public suffix list.
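An added example (not AWS's code) that applies the Action and Actor/Target rules above to a finding's JSON: it reads the action type, pulls the remote side's details from whichever action block is present, and records whether that remote side belongs under Actor (resource role TARGET) or Target (resource role ACTOR). The field names (service.action.actionType, networkConnectionAction, portProbeAction, dnsRequestAction, awsApiCallAction, rdsLoginAttemptAction, resource.resourceRole) are my recollection of the finding JSON layout and should be treated as an assumption; the sample findings are constructed with placeholder types, IDs and documentation-range IPs.

```python
"""Normalize the Action and Actor/Target details of a GuardDuty finding.

Added example. Assumption: the finding JSON carries service.action.actionType
plus one of networkConnectionAction, portProbeAction, dnsRequestAction,
awsApiCallAction or rdsLoginAttemptAction, and resource.resourceRole of
TARGET or ACTOR. Verify against a real exported finding before relying on it.
"""


def _ip(details):
    """Pull address, ASN org and country out of a remoteIpDetails block."""
    if not details:
        return None
    return {"ip": details.get("ipAddressV4") or details.get("ipAddressV6"),
            "org": (details.get("organization") or {}).get("asnOrg"),
            "country": (details.get("country") or {}).get("countryName")}


def normalize_action(finding):
    """Return one flat record describing who did what to whom in a finding.

    Rule from the Actor or Target section: resourceRole TARGET means the remote
    side is shown under Actor; resourceRole ACTOR means it is shown under
    Target. Runtime Monitoring and S3 findings carry no role (None).
    """
    role = finding["resource"].get("resourceRole")
    action = finding["service"]["action"]
    kind = action["actionType"]
    rec = {"finding_type": finding["type"],
           "resource_type": finding["resource"]["resourceType"],
           "resource_role": role,
           "remote_section": {"TARGET": "Actor", "ACTOR": "Target"}.get(role),
           "action_type": kind, "remote": None, "remote_port": None,
           "local_ip": None, "direction": None, "protocol": None,
           "blocked": None, "domain": None, "api": None, "error_code": None,
           "affiliated": None}
    if kind == "NETWORK_CONNECTION":
        a = action["networkConnectionAction"]
        rec.update(remote=_ip(a.get("remoteIpDetails")),
                   remote_port=(a.get("remotePortDetails") or {}).get("port"),
                   local_ip=(a.get("localIpDetails") or {}).get("ipAddressV4"),
                   direction=a.get("connectionDirection", "UNKNOWN"),
                   protocol=a.get("protocol"), blocked=a.get("blocked"))
    elif kind == "PORT_PROBE":
        a = action["portProbeAction"]
        probes = a.get("portProbeDetails", [])
        # One finding aggregates many probes: keep every remote IP and the
        # distinct set of probed local ports instead of only the first entry.
        rec.update(remote=[_ip(p.get("remoteIpDetails")) for p in probes],
                   remote_port=sorted({p["localPortDetails"]["port"] for p in probes
                                       if "localPortDetails" in p}),
                   blocked=a.get("blocked"), direction="INBOUND")
    elif kind == "DNS_REQUEST":
        a = action["dnsRequestAction"]
        rec.update(domain=a.get("domain"), protocol=a.get("protocol"),
                   blocked=a.get("blocked"), direction="OUTBOUND")
    elif kind == "AWS_API_CALL":
        a = action["awsApiCallAction"]
        rec.update(api=f'{a.get("serviceName")}:{a.get("api")}',
                   error_code=a.get("errorCode"),
                   remote=_ip(a.get("remoteIpDetails")),
                   affiliated=(a.get("remoteAccountDetails") or {}).get("affiliated"))
    elif kind == "RDS_LOGIN_ATTEMPT":
        rec.update(remote=_ip(action["rdsLoginAttemptAction"].get("remoteIpDetails")))
    else:
        raise ValueError(f"unknown actionType {kind!r}")
    return rec


# Constructed samples (not real findings); types and IDs are placeholders.
SAMPLE_NETWORK = {
    "type": "CONSTRUCTED:EC2/OutboundConnection",
    "resource": {"resourceType": "Instance", "resourceRole": "ACTOR"},
    "service": {"action": {"actionType": "NETWORK_CONNECTION", "networkConnectionAction": {
        "connectionDirection": "OUTBOUND", "protocol": "TCP", "blocked": False,
        "localIpDetails": {"ipAddressV4": "10.0.1.23"},
        "remoteIpDetails": {"ipAddressV4": "198.51.100.7",
                            "organization": {"asnOrg": "ExampleNet"},
                            "country": {"countryName": "Example Country"}},
        "remotePortDetails": {"port": 4444}}}}}
SAMPLE_API = {
    "type": "CONSTRUCTED:IAMUser/FailedApiCall",
    "resource": {"resourceType": "AccessKey", "resourceRole": "TARGET"},
    "service": {"action": {"actionType": "AWS_API_CALL", "awsApiCallAction": {
        "api": "ListBuckets", "serviceName": "s3.amazonaws.com", "errorCode": "AccessDenied",
        "remoteIpDetails": {"ipAddressV4": "203.0.113.9"},
        "remoteAccountDetails": {"accountId": "111122223333", "affiliated": False}}}}}
SAMPLE_PROBE = {
    "type": "CONSTRUCTED:EC2/PortProbe",
    "resource": {"resourceType": "Instance", "resourceRole": "TARGET"},
    "service": {"action": {"actionType": "PORT_PROBE", "portProbeAction": {
        "blocked": False, "portProbeDetails": [
            {"localPortDetails": {"port": 22}, "remoteIpDetails": {"ipAddressV4": "192.0.2.10"}},
            {"localPortDetails": {"port": 3389}, "remoteIpDetails": {"ipAddressV4": "192.0.2.11"}},
            {"localPortDetails": {"port": 22}, "remoteIpDetails": {"ipAddressV4": "192.0.2.12"}}]}}}}
```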
Additional information
All findings have an Additional information section that can include the following information:
- Threat list name – The name of the threat list that includes the IP address or the domain name involved in the activity that prompted GuardDuty to generate the finding.
- Sample – A true or false value that indicates whether this is a sample finding.
- Archived – A true or false value that indicates whether this finding has been archived.
- Unusual – Activity details that were not observed historically. These can include an unusual (previously not observed) user, location, time, bucket, login behavior, or ASN Org.
- Unusual protocol – The network connection protocol involved in the activity that prompted GuardDuty to generate the finding.
- Agent details – Details about the security agent that is currently deployed on the EKS cluster in your Amazon Web Services account. This is only applicable to EKS Runtime Monitoring finding types.
  - Agent version – The version of the GuardDuty security agent.
  - Agent Id – The unique identifier of the GuardDuty security agent.
Evidence
Findings based on threat intelligence have an Evidence section that includes the following information:
- Threat intelligence details – The name of the threat list on which the recognized Threat name appears.
- Threat name – The name of the malware family or other identifier that is associated with the threat.
- Threat file SHA256 – SHA256 of the file that generated the finding.
Anomalous behavior
Finding types that end in AnomalousBehavior indicate that the finding was generated by the GuardDuty anomaly detection machine learning (ML) model. The ML model evaluates all API requests to your account and identifies anomalous events that are associated with tactics used by adversaries. The ML model tracks various factors of the API request, such as the user that made the request, the location the request was made from, and the specific API that was requested.
Details about which factors of the API request are unusual for the CloudTrail user identity that invoked the request can be found in the finding details. The identities are defined by the CloudTrail userIdentity Element, and the possible values are: Root, IAMUser, AssumedRole, FederatedUser, AWSAccount, or AWSService.
In addition to the details available for all GuardDuty findings that are associated with API activity, AnomalousBehavior findings have additional details that are outlined in the following section. These details can be viewed in the console and are also available in the finding's JSON.
- Anomalous APIs – A list of API requests that were invoked by the user identity in proximity to the primary API request associated with the finding. This pane further breaks down the details of the API event in the following ways.
  - The first API listed is the primary API, which is the API request associated with the highest-risk observed activity. This is the API that triggered the finding and correlates to the attack stage of the finding type. This is also the API that is detailed under the Action section in the console, and in the finding's JSON.
  - Any other APIs listed are additional anomalous APIs from the listed user identity observed in proximity to the primary API. If there is only one API on the list, the ML model did not identify any additional API requests from that user identity as anomalous.
  - The list of APIs is divided based on whether an API was successfully called, or if the API was unsuccessfully called, meaning an error response was received. The type of error response received is listed above each unsuccessfully called API. Possible error response types are: access denied, access denied exception, auth failure, instance limit exceeded, invalid permission - duplicate, invalid permission - not found, and operation not permitted.
  - APIs are categorized by their associated service.
  - For more context, choose Historical APIs to view the details about the top APIs, to a maximum of 20, usually seen for both the user identity and all users within the account. The APIs are marked Rare (less than once a month), Infrequent (a few times a month), or Frequent (daily to weekly), depending on how often they are used within your account.
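An added example (not AWS's code) that reproduces the Anomalous APIs breakdown above in code: it splits the list into the primary API and the additional calls, partitions them by success versus error response, groups them by service, and labels historical usage as Rare, Infrequent or Frequent using the page's definitions. The list layout (dicts with `api`, `service` and an optional `errorCode`) and the historical input (calls per API over an observation window in days) are my own assumptions, and the Rare/Infrequent/Frequent cut-offs are my reading of "less than once a month", "a few times a month" and "daily to weekly" as calls per 30 days; the samples are constructed.

```python
"""Partition an AnomalousBehavior finding's API list and label historical usage.

Added example. Assumptions: the anomalous API list is a list of dicts with
"api", "service" and an optional "errorCode" (first entry is the primary API);
history is {api: calls seen over OBSERVATION_DAYS}; the frequency thresholds
are my reading of the page's Rare / Infrequent / Frequent definitions.
"""
from collections import defaultdict

# Constructed sample: first entry is the primary API, the rest are additional
# anomalous calls seen in proximity to it. Error strings use the page's list.
SAMPLE_ANOMALOUS_APIS = [
    {"api": "CreateAccessKey", "service": "iam.amazonaws.com"},
    {"api": "ListBuckets", "service": "s3.amazonaws.com", "errorCode": "access denied"},
    {"api": "GetBucketPolicy", "service": "s3.amazonaws.com", "errorCode": "access denied exception"},
    {"api": "DescribeInstances", "service": "ec2.amazonaws.com"},
]
# Constructed sample: calls per API seen for this user identity over 90 days.
SAMPLE_HISTORY = {"DescribeInstances": 270, "ListBuckets": 6, "GetUser": 2}
OBSERVATION_DAYS = 90


def partition_anomalous_apis(apis):
    """Return the primary API plus successful/failed calls grouped by service."""
    if not apis:
        raise ValueError("anomalous API list is empty")
    by_service = defaultdict(lambda: {"successful": [], "failed": []})
    for entry in apis:
        failed = bool(entry.get("errorCode"))
        # Mirror the console: the error response type is shown with each failed call.
        label = f'{entry["errorCode"]}: {entry["api"]}' if failed else entry["api"]
        by_service[entry["service"]]["failed" if failed else "successful"].append(label)
    return {
        "primary": f'{apis[0]["service"]}:{apis[0]["api"]}',
        "additional_count": len(apis) - 1,   # 0 means no other anomalous calls
        "by_service": dict(by_service),
    }


def frequency_label(calls, days):
    """Map a call count over `days` to the console's Rare/Infrequent/Frequent label."""
    if days <= 0:
        raise ValueError("observation window must be positive")
    per_month = calls * 30.0 / days
    if per_month < 1:
        return "Rare"          # less than once a month
    if per_month >= 4:
        return "Frequent"      # at least weekly (daily to weekly)
    return "Infrequent"        # a few times a month


def historical_view(history, days, limit=20):
    """Top `limit` APIs (the console caps at 20) with their frequency labels."""
    top = sorted(history.items(), key=lambda kv: kv[1], reverse=True)[:limit]
    return [(api, frequency_label(n, days)) for api, n in top]


def never_seen(apis, history):
    """Anomalous APIs with no historical baseline at all for this identity."""
    return [e["api"] for e in apis if e["api"] not in history]
```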
Unusual Behavior (Account) – This section gives additional details about the profiled behavior for your account.
Profiled behavior
GuardDuty continually learns about the activities within your account based on delivered events. These activities and their observed frequency is known as profiled behavior.
The information tracked in this panel includes:
-
ASN Org – The Autonomous System Number (ASN) org that the anomalous API call was made from.
-
User Name – The name of the user that made the anomalous API call.
-
User Agent– The user agent used to make the anomalous API call. The user agent is the method used to make the call such as
aws-cli
orBotocore
. -
User Type – The type of user that made the anomalous API call. Possible values are
AWS_SERVICE
,ASSUMED_ROLE
,IAM_USER
, orROLE
. -
Bucket – The name of the S3 bucket that is being accessed.
-
- Unusual Behavior (User Identity) – This section gives additional details about the profiled behavior for the user identity involved with the finding. When a behavior isn't identified as historical, the GuardDuty ML model hasn't previously seen this user identity making this API call in this way within the training period. The following additional details about the user identity are available:
  - ASN Org – The ASN organization the anomalous API call was made from.
  - User Agent – The user agent used to make the anomalous API call. The user agent is the method used to make the call, such as aws-cli or Botocore.
  - Bucket – The name of the S3 bucket that is being accessed.
- Unusual Behavior (Bucket) – This section gives additional details about the profiled behavior for the S3 bucket associated with the finding. When a behavior isn't identified as historical, the GuardDuty ML model hasn't previously seen API calls made to this bucket in this way within the training period. The information tracked in this section includes:
  - ASN Org – The ASN organization the anomalous API call was made from.
  - User Name – The name of the user that made the anomalous API call.
  - User Agent – The user agent used to make the anomalous API call. The user agent is the method used to make the call, such as aws-cli or Botocore.
  - User Type – The type of user that made the anomalous API call. Possible values are AWS_SERVICE, ASSUMED_ROLE, IAM_USER, or ROLE.
  Note
  For more context on historical behaviors, choose Historical behavior in the Unusual behavior (Account), Unusual behavior (User Identity), or Unusual behavior (Bucket) section to view details about the expected behavior in your account. Each observed value is marked Rare (less than once a month), Infrequent (a few times a month), or Frequent (daily to weekly), depending on how often it occurs within your account.
- Unusual Behavior (Database) – This section provides additional details about the profiled behavior for the database instance associated with the finding. When a behavior isn't identified as historical, the GuardDuty ML model hasn't previously seen a login attempt made to this database instance in this way within the training period. The information tracked for this section in the finding panel includes:
  - User name – The user name used to make the anomalous login attempt.
  - ASN Org – The ASN organization that the anomalous login attempt was made from.
  - Application name – The application name used to make the anomalous login attempt.
  - Database name – The name of the database involved in the anomalous login attempt.
  The Historical behavior section provides more context on the previously observed user names, ASN organizations, application names, and database names for the associated database instance. Each unique value has an associated count representing the number of times that value was observed in a successful login event.
S3 volume-based anomalies
This section details the contextual information for S3 volume-based anomalies. The volume-based finding type (Exfiltration:S3/AnomalousBehavior) monitors for an unusual number of S3 API calls made to S3 buckets by users, which can indicate data exfiltration. The following S3 API calls are monitored for volume-based anomaly detection:
- GetObject
- CopyObject.Read
- SelectObjectContent
The following metrics build a baseline of usual behavior for an IAM entity accessing an S3 bucket. To detect data exfiltration, the volume-based anomaly detection finding evaluates all activity against this baseline. Choose Historical behavior in the Unusual behavior (User Identity), Observed Volume (User Identity), and Observed Volume (Bucket) sections to view the following metrics, respectively:
- Number of s3-api-name API calls invoked by the IAM user or IAM role (whichever issued the calls) against the affected S3 bucket over the past 24 hours.
- Number of s3-api-name API calls invoked by the IAM user or IAM role (whichever issued the calls) against all S3 buckets over the past 24 hours.
- Number of s3-api-name API calls across all IAM users or IAM roles (whichever issued the calls) against the affected S3 bucket over the past 24 hours.
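The three 24-hour volume metrics above, and the Rare/Infrequent/Frequent bands used by the Historical APIs and Historical behavior panels earlier in this topic, are easy to misread until you compute them yourself. The following is an added example, not GuardDuty's own code or an AWS API: it reproduces both over a constructed, simplified set of CloudTrail-style records. Everything in it is an assumption about implementation detail the page does not specify: the record shape (eventTime, eventName, principal, bucket), the choice to count CopyObject.Read as a CopyObject event attributed to the source bucket, the 90-day training window that excludes the current 24 hours, and the numeric cut-offs for the three bands (the page only gives their descriptions).

```python
from datetime import datetime, timedelta, timezone

# S3 data-access APIs the page lists as monitored for volume-based anomalies.
# "CopyObject.Read" is represented here as a CopyObject event attributed to the
# source bucket (assumption about how the read side of a copy is recorded).
MONITORED_APIS = {"GetObject", "CopyObject", "SelectObjectContent"}

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_time(s):
    return datetime.strptime(s, TIME_FMT).replace(tzinfo=timezone.utc)


def volume_metrics(events, principal, bucket, api, now):
    """The three 24-hour counts shown for an Exfiltration:S3/AnomalousBehavior finding:
    calls by the principal on the affected bucket, calls by the principal on any bucket,
    and calls by any principal on the affected bucket. `events` are simplified
    CloudTrail-style records with eventTime, eventName, principal and bucket fields."""
    if api not in MONITORED_APIS:
        raise ValueError(f"{api} is not a volume-monitored S3 API")
    start = now - timedelta(hours=24)
    principal_on_bucket = principal_all_buckets = all_principals_on_bucket = 0
    for e in events:
        if e["eventName"] != api or not (start < parse_time(e["eventTime"]) <= now):
            continue
        same_principal = e["principal"] == principal
        same_bucket = e["bucket"] == bucket
        if same_principal and same_bucket:
            principal_on_bucket += 1
        if same_principal:
            principal_all_buckets += 1
        if same_bucket:
            all_principals_on_bucket += 1
    return {
        "principal_on_bucket": principal_on_bucket,
        "principal_all_buckets": principal_all_buckets,
        "all_principals_on_bucket": all_principals_on_bucket,
    }


def frequency_label(events, principal, api, now, training_days=90):
    """Band a principal's past use of an API the way the Historical APIs panel does.
    Assumptions: the training window is `training_days` long and excludes the current
    24-hour observation window; the page only describes the bands (Rare: less than
    once a month, Infrequent: a few times a month, Frequent: daily to weekly), so the
    numeric cut-offs (1 and 4 calls per 30 days) are chosen here, not taken from AWS."""
    end = now - timedelta(hours=24)
    start = now - timedelta(days=training_days)
    n = sum(
        1 for e in events
        if e["principal"] == principal and e["eventName"] == api
        and start < parse_time(e["eventTime"]) <= end
    )
    if n == 0:
        return "Not historical"  # the model has never seen this principal call this API
    per_month = n * 30 / training_days
    if per_month < 1:
        return "Rare"
    if per_month < 4:
        return "Infrequent"
    return "Frequent"


# Constructed sample (documentation account ID, made-up principals); not real CloudTrail data.
NOW = datetime(2024, 5, 2, 12, 0, tzinfo=timezone.utc)
ALICE = "arn:aws:iam::111122223333:user/alice"
ETL_ROLE = "arn:aws:iam::111122223333:role/etl-batch"


def _ev(hours_ago, api, principal, bucket):
    return {"eventTime": (NOW - timedelta(hours=hours_ago)).strftime(TIME_FMT),
            "eventName": api, "principal": principal, "bucket": bucket}


EVENTS = (
    [_ev(h * 0.25, "GetObject", ALICE, "finance-reports") for h in range(50)]  # burst, last ~12h
    + [_ev(3, "GetObject", ALICE, "public-assets") for _ in range(5)]
    + [_ev(2, "CopyObject", ALICE, "finance-reports")]          # read side of a copy
    + [_ev(25, "GetObject", ALICE, "finance-reports")]          # just outside the 24h window
    + [_ev(24 * 40, "GetObject", ALICE, "finance-reports")]     # alice's only older read
    + [_ev(24 * d + 1, "GetObject", ETL_ROLE, "finance-reports") for d in range(90)]  # daily ETL
    + [_ev(1, "ListObjects", ALICE, "finance-reports")]         # not a monitored API
)

if __name__ == "__main__":
    print(volume_metrics(EVENTS, ALICE, "finance-reports", "GetObject", NOW))
    for api in sorted(MONITORED_APIS):
        print(api, frequency_label(EVENTS, ALICE, api, NOW), frequency_label(EVENTS, ETL_ROLE, api, NOW))
```

Run as a script, it shows why the burst stands out: alice's 50 GetObject calls in 24 hours are almost all of the bucket's traffic, while her historical use of that API is Rare and the ETL role's is Frequent. When you triage a real finding, compare the three console metrics the same way rather than looking at the per-principal count alone; a large count on a bucket that every principal reads heavily means something different from the same count on a bucket the actor had never touched.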
RDS login activity-based anomalies
This section details the count of login attempts performed by the unusual actor, grouped by the result of the login attempts. The RDS Protection finding types identify anomalous behavior by monitoring login events for unusual patterns of successfulLoginCount, failedLoginCount, and incompleteConnectionCount.
- successfulLoginCount – The sum of successful connections (a correct combination of login attributes) made to the database instance by the unusual actor. Login attributes include user name, password, and database name.
- failedLoginCount – The sum of failed (unsuccessful) login attempts made to establish a connection to the database instance. A failed login indicates that one or more attributes of the login combination, such as user name, password, or database name, were incorrect.
- incompleteConnectionCount – The number of connection attempts that can't be classified as successful or failed. These connections are closed before the database provides a response: for example, port scanning, where the database port is connected but no information is sent to the database, or a connection that was aborted before the login completed as a successful or failed attempt.
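The distinction between the three counters, and especially what lands in incompleteConnectionCount, is the part of an RDS finding that is most often misread during triage. The block below is an added example, not GuardDuty's or RDS's own code: it classifies constructed connection records into the three counters and further splits the incomplete ones into port probes (no bytes sent after connect) and handshakes aborted part-way. The record shape, the use of source IP to identify the actor (the finding itself profiles the actor by ASN org, user name, application name and database name), and the TEST-NET addresses and user names are all assumptions made for the example.

```python
from collections import Counter

COUNTERS = ("successfulLoginCount", "failedLoginCount", "incompleteConnectionCount")


def classify_connection(rec):
    """Map one database connection record to the GuardDuty counter it falls under.
    A record with an authentication result is a successful or failed login; a record
    with none means the client closed the connection before the database answered."""
    if rec["auth_result"] == "ok":
        return "successfulLoginCount"
    if rec["auth_result"] == "failed":
        return "failedLoginCount"
    if rec["auth_result"] is None:
        return "incompleteConnectionCount"
    raise ValueError(f"unknown auth_result {rec['auth_result']!r}")


def login_counts(records, actor_ip):
    """Return the three login counters for one actor (keyed by source IP in this
    example), plus a breakdown of the incomplete connections into port probes
    (zero bytes sent by the client) and handshakes aborted mid-way."""
    counts = Counter({name: 0 for name in COUNTERS})
    incomplete = Counter({"port_scan": 0, "aborted": 0})
    for rec in records:
        if rec["source_ip"] != actor_ip:
            continue
        counter = classify_connection(rec)
        counts[counter] += 1
        if counter == "incompleteConnectionCount":
            incomplete["port_scan" if rec["bytes_from_client"] == 0 else "aborted"] += 1
    return dict(counts), dict(incomplete)


# Constructed connection records (TEST-NET addresses, made-up users); not real logs.
def _conn(source_ip, user, database, auth_result, bytes_from_client=64):
    return {"source_ip": source_ip, "user": user, "database": database,
            "auth_result": auth_result, "bytes_from_client": bytes_from_client}


ACTOR = "198.51.100.7"
RECORDS = (
    # a brute-force style run: several users, wrong password or wrong database each time
    [_conn(ACTOR, u, "prod", "failed") for u in ("admin", "postgres", "root", "app")] * 3
    + [_conn(ACTOR, "app", "prod", "ok")]                     # one guess landed
    + [_conn(ACTOR, "", "", None, bytes_from_client=0)] * 2   # port probes, nothing sent
    + [_conn(ACTOR, "app", "prod", None)]                     # gave up mid-handshake
    + [_conn("203.0.113.10", "app", "prod", "ok")] * 5        # the normal application host
)

if __name__ == "__main__":
    print(login_counts(RECORDS, ACTOR))
```

The shape that matters in the output is twelve failures followed by one success from the same actor, with port probes interleaved: that is the pattern the Login activity section is built to surface, and a successfulLoginCount of 1 next to a high failedLoginCount deserves more attention than either number alone.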