Finding details - Amazon GuardDuty
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Finding details

In the Amazon GuardDuty console, you can view finding details in the finding summary section. Finding details vary based on the finding type.

There are two primary details that determine what kind of information is available for any finding. The first is the resource type, which can be Instance, AccessKey, S3Bucket, Kubernetes cluster, ECS cluster, Container, RDSDBInstance, or Lambda. The second detail that determines finding information is Resource Role. Resource role can be Target for access keys, meaning the resource was the target of suspicious activity. For instance type findings, resource role can also be Actor, which means that your resource was the actor carrying out suspicious activity. This topic describes some of the commonly available details for findings.

Finding overview

A finding's Overview section contains the most basic identifying features of the finding, including the following information:

  • Account ID – The ID of the Amazon account in which the activity took place that prompted GuardDuty to generate this finding.

  • Count – The number of times GuardDuty has aggregated an activity matching this pattern to this finding ID.

  • Created at – The time and date when this finding was first created. If this value differs from Updated at, it indicates that the activity has occurred multiple times and is an ongoing issue.

    Note

    Timestamps for findings in the GuardDuty console appear in your local time zone, while JSON exports and CLI outputs display timestamps in UTC.

  • Finding ID – A unique identifier for this finding type and set of parameters. New occurrences of activity matching this pattern will be aggregated to the same ID.

  • Finding type – A formatted string representing the type of activity that triggered the finding. For more information, see GuardDuty finding format.

  • Region – The Amazon Region in which the finding was generated. For more information about supported Regions, see Regions and endpoints.

  • Resource ID – The ID of the Amazon resource against which the activity took place that prompted GuardDuty to generate this finding.

  • Scan ID – Applicable to findings when GuardDuty Malware Protection is enabled, this is an identifier of the malware scan that runs on the EBS volumes attached to the potentially compromised EC2 instance or container workload. For more information, see Malware Protection finding details.

  • Severity – A finding's assigned severity level of either High, Medium, or Low. For more information, see Severity levels for GuardDuty findings.

  • Updated at – The last time this finding was updated with new activity matching the pattern that prompted GuardDuty to generate this finding.
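The overview fields above are what a triage script reads first: whether Updated at is later than Created at (the activity recurred), how many events were aggregated, and the severity band. The following is an added Python example, not part of the GuardDuty documentation. The finding is constructed and its key names (`Id`, `Severity`, `CreatedAt`, `Service.Count`, `Service.ResourceRole`) follow the finding JSON as I understand it, so treat them as assumptions; the score-to-label thresholds and the UTC+8 local zone are assumptions as well, since the page only names the three labels and says JSON timestamps are UTC.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like a GuardDuty finding returned by GetFindings.
# Key names are assumed; the IDs are placeholders, not real identifiers.
SAMPLE_FINDING = {
    "AccountId": "111122223333",
    "Region": "cn-north-1",
    "Id": "finding-id-placeholder",
    "Type": "UnauthorizedAccess:EC2/SSHBruteForce",
    "Severity": 5.0,
    "CreatedAt": "2023-03-22T19:37:20.168Z",
    "UpdatedAt": "2023-03-24T02:11:05.000Z",
    "Resource": {"ResourceType": "Instance",
                 "InstanceDetails": {"InstanceId": "i-placeholder"}},
    "Service": {"Count": 7, "ResourceRole": "TARGET"},
}

# Assumed score-to-label bands: the page names only High, Medium and Low.
SEVERITY_BANDS = ((7.0, "High"), (4.0, "Medium"), (1.0, "Low"))

# Assumed local zone for display; the console shows local time, the JSON is UTC.
LOCAL_TZ = timezone(timedelta(hours=8), "CST")


def parse_utc(ts: str) -> datetime:
    """Parse the UTC date string used in finding JSON (e.g. 2023-03-22T19:37:20.168Z)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def severity_label(score: float) -> str:
    """Map the numeric severity to the label shown in the console."""
    for floor, label in SEVERITY_BANDS:
        if score >= floor:
            return label
    raise ValueError(f"severity out of range: {score}")


def summarize(finding: dict, local_tz: timezone = LOCAL_TZ) -> dict:
    """Reduce the overview fields to the facts a responder wants on one line."""
    created = parse_utc(finding["CreatedAt"])
    updated = parse_utc(finding["UpdatedAt"])
    active = updated - created
    return {
        "finding_id": finding["Id"],
        "type": finding["Type"],
        "severity": severity_label(finding["Severity"]),
        "resource": finding["Resource"]["ResourceType"],
        "role": finding["Service"]["ResourceRole"],
        "count": finding["Service"]["Count"],
        # Updated at later than Created at means the activity recurred (ongoing issue).
        "ongoing": updated > created,
        "active_hours": round(active.total_seconds() / 3600, 2),
        # JSON timestamps are UTC; convert explicitly to match what the console shows.
        "created_local": created.astimezone(local_tz).strftime("%Y-%m-%d %H:%M:%S %Z"),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_FINDING))
```

Because `Count` counts aggregated occurrences under one finding ID, a high count with `ongoing` true is a stronger signal than a first-seen finding with the same severity, which is why both are kept side by side in the summary.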

Resource

The Resource affected gives details about the Amazon resource that was targeted by the initiating activity. The information available varies based on resource type and action type.

Resource role – The role of the Amazon resource that initiated the finding. This value can be TARGET or ACTOR, and represents whether your resource was the target of the suspicious activity or the actor that performed the suspicious activity.

Resource type – The type of the affected resource. If multiple resources were involved, a finding can include multiple resource types. The resource types are Instance, AccessKey, S3Bucket, KubernetesCluster, ECSCluster, Container, RDSDBInstance, and Lambda. Depending on the resource type, different finding details are available. Select a resource option tab to learn about the details available for that resource.

Instance

Instance details:

Note

Some instance details may be missing if the instance has already been stopped or if the underlying API invocation originated from an EC2 instance in a different Region when making a cross-Region API call.

  • Instance ID – The ID of the EC2 instance involved in the activity that prompted GuardDuty to generate the finding.

  • Instance Type – The type of the EC2 instance involved in the finding.

  • Launch Time – The time and date that the instance was launched.

  • Outpost ARN – The Amazon Resource Name (ARN) of Amazon Outposts. Only applicable to Amazon Outposts instances. For more information, see What is Amazon Outposts?

  • Security Group Name – The name of the Security Group attached to the involved instance.

  • Security Group ID – The ID of the Security Group attached to the involved instance.

  • Instance state – The current state of the targeted instance.

  • Availability Zone – The Amazon Region Availability Zone in which the involved instance is located.

  • Image ID – The ID of the Amazon Machine Image used to build the instance involved in the activity.

  • Image Description – A description of the Amazon Machine Image (AMI) used to build the instance involved in the activity.

  • Tags – A list of tags attached to this resource, listed in the format of key:value.

AccessKey

Access Key details:

  • Access key ID – The Access key ID of the user engaged in the activity that prompted GuardDuty to generate the finding.

  • Principal ID – The principal ID of the user engaged in the activity that prompted GuardDuty to generate the finding.

  • User type – The type of user engaged in the activity that prompted GuardDuty to generate the finding. For more information, see CloudTrail userIdentity element.

  • User name – The name of the user engaged in the activity that prompted GuardDuty to generate the finding.

S3Bucket

Amazon S3 bucket details:

  • Name – The name of the bucket involved in the finding.

  • ARN – The ARN of the bucket involved in the finding.

  • Owner – The canonical user ID of the user that owns the bucket involved in the finding. For more information on canonical user IDs, see Amazon account identifiers.

  • Type – The type of bucket finding, which can be either Destination or Source.

  • Default server side encryption – The encryption details for the bucket.

  • Bucket Tags – A list of tags attached to this resource, listed in the format of key:value.

  • Effective Permissions – An evaluation of all effective permissions and policies on the bucket that indicates whether the involved bucket is publicly exposed. Values can be Public or Not public.

EKSCluster

Kubernetes cluster details:

  • Name – The name of the Kubernetes cluster.

  • ARN – The ARN that identifies the cluster.

  • Created At – The time and date when this cluster was created.

    Note

    Timestamps for findings in the GuardDuty console appear in your local time zone, while JSON exports and CLI outputs display timestamps in UTC.

  • VPC ID – The ID of the VPC that is associated to your cluster.

  • Status – The current status of the cluster.

  • Tags – The metadata that you apply to the cluster to help you categorize and organize it. Each tag consists of a key and an optional value, listed in the format key:value. You get to define both key and value.

    Cluster tags do not propagate to any other resource associated with the cluster.

Kubernetes workload details:

  • Type – The type of Kubernetes workload, such as pod, deployment, and job.

  • Name – The name of the Kubernetes workload.

  • Uid – The unique ID of the Kubernetes workload.

  • Created at – The time and date when this workload was created.

  • Labels – The key-value pairs attached to the Kubernetes workload.

  • Containers – The details of the container running as a part of Kubernetes workload.

  • Namespace – The Kubernetes namespace to which the workload belongs.

  • Volumes – The volumes used by the Kubernetes workload.

    • Host path – Represents a preexisting file or directory on the host machine that the volume maps to.

    • Name – The name of the volume.

  • Pod security context – Defines the privilege and access control settings for all containers in a pod.

  • Host network – Set to true if the pods are included in the Kubernetes workload.

Kubernetes user details:

  • Groups – Kubernetes RBAC (role-based access control) groups of the user involved in the activity that generated the finding.

  • ID – Unique ID of the Kubernetes user.

  • Username – Name of the Kubernetes user involved in the activity that generated the finding.

  • Session name – Entity that assumed the IAM role with Kubernetes RBAC permissions.

ECSCluster

ECS cluster details:

  • ARN – The ARN that identifies the cluster.

  • Name – The name of the cluster.

  • Status – The current status of the cluster.

  • Active services count – The number of services that are running on the cluster in an ACTIVE state. You can view these services with ListServices.

  • Registered container instances count – The number of container instances registered into the cluster. This includes container instances in both ACTIVE and DRAINING status.

  • Running tasks count – The number of tasks in the cluster that are in the RUNNING state.

  • Tags – The metadata that you apply to the cluster to help you categorize and organize it. Each tag consists of a key and an optional value, listed in the format key:value. You get to define both key and value.

  • Containers – The details about the container that's associated with the task:

    • Container name – The name of the container.

    • Container image – The image of the container.

  • Task details – The details of a task in a cluster.

    • ARN – The Amazon Resource Name (ARN) of the task.

    • Definition ARN – The Amazon Resource Name (ARN) of the task definition that creates the task.

    • Version – The version counter for the task.

    • Task created at – The Unix timestamp when the task was created.

    • Task started at – The Unix timestamp when the task started.

    • Task started by – The tag specified when a task is started.

Container

Container details:

  • Container runtime – The container runtime (such as docker or containerd) used to run the container.

  • ID – The container instance ID or full ARN entries for the container instance.

  • Name – The name of the container.

    When available, this field displays the value of the label io.kubernetes.container.name.

  • Image – The image of the container instance.

  • Volume mounts – List of container volume mounts. A container can mount a volume under its file system.

  • Security context – The container security context defines privilege and access control settings for a container.

  • Process details – Describes the details of the process that is associated to the finding.

RDSDBInstance

RDSDBInstance details:

Note

This resource is available in RDS Protection findings related to the database instance.

  • Database Instance ID – The identifier associated to the database instance that was involved in the GuardDuty finding.

  • Engine – The database engine name of the database instance involved in the finding. Possible values are Aurora MySQL-Compatible or Aurora PostgreSQL-Compatible.

  • Engine version – The version of the database engine that was involved in the GuardDuty finding.

  • Database cluster ID – The identifier of the database cluster that contains the database instance ID involved in the GuardDuty finding.

  • Database instance ARN – The ARN that identifies the database instance involved in the GuardDuty finding.

Lambda

Lambda function details:

  • Function name – The name of the Lambda function involved in the finding.

  • Function version – The version of the Lambda function involved in the finding.

  • Function description – A description of the Lambda function involved in the finding.

  • Function ARN – The Amazon Resource Name (ARN) of the Lambda function involved in the finding.

  • Revision ID – The revision ID of the Lambda function version.

  • Role – The execution role of the Lambda function involved in the finding.

  • VPC configuration – The Amazon VPC configuration, including the VPC ID, security group, and subnet IDs associated with your Lambda function.

  • VPC ID – The ID of the Amazon VPC that is associated with the Lambda function involved in the finding.

  • Subnet IDs – The IDs of the subnets that are associated with your Lambda function.

  • Security Group – The security group attached to the involved Lambda function. This includes the security group name and group ID.

  • Tags – A list of tags attached to this resource, listed in the format of key:value pair.

RDS database (DB) user details

Note

This section is applicable to findings when you enable the RDS Protection feature in GuardDuty. For more information, see GuardDuty RDS Protection.

The GuardDuty finding provides the following user and authentication details of the potentially compromised database.

  • User – The user name used to make the anomalous login attempt.

  • Application – The application name used to make the anomalous login attempt.

  • Database – The name of the database instance involved in the anomalous login attempt.

  • SSL – The version of the Secure Sockets Layer (SSL) used for the network.

  • Auth method – The authentication method used by the user involved in the finding.

Runtime Monitoring finding details

Note

These details may be available only if GuardDuty generates one of the Runtime Monitoring finding types.

This section contains the runtime details such as process details and any required context. Process details describe information about the observed process and runtime context describes any additional information about the potentially suspicious activity.

Process details

  • Name – The name of the process.

  • Executable path – The absolute path of the process executable file.

  • Executable SHA-256 – The SHA256 hash of the process executable.

  • Namespace PID – The process ID of the process in a secondary PID namespace other than the host level PID namespace. For processes inside a container, it is the process ID observed inside the container.

  • Present working directory – The present working directory of the process.

  • Process ID – The ID assigned to the process by the operating system.

  • startTime – The time when the process started. This is in UTC date string format (2023-03-22T19:37:20.168Z).

  • UUID – The unique ID assigned to the process by GuardDuty.

  • Parent UUID – The unique ID of the parent process. This ID is assigned to the parent process by GuardDuty.

  • User – The user that executed the process.

  • User ID – The ID of the user that executed the process.

  • Effective user ID – The effective user ID of the process at the time of the event.

  • Lineage – Information about the ancestors of the process.

    • Process ID – The ID assigned to the process by the operating system.

    • UUID – The unique ID assigned to the process by GuardDuty.

    • Executable path – The absolute path of the process executable file.

    • Effective user ID – The effective user ID of the process at the time of the event.

    • Parent UUID – The unique ID of the parent process. This ID is assigned to the parent process by GuardDuty.

    • Start Time – The time when the process started.

    • Namespace PID – The process ID of the process in a secondary PID namespace other than the host level PID namespace. For processes inside a container, it is the process ID observed inside the container.

    • User ID – The user ID of the user that executed the process.

    • Name – Name of the process.
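The Lineage list above is a flat set of ancestor records linked by UUID and Parent UUID, so reconstructing the actual parent chain (and spotting where the effective user ID diverges from the launching user ID) is the first thing a responder does with it. The following is an added Python example, not code from the GuardDuty documentation. The runtime details block is constructed; key names such as `Service.RuntimeDetails.Process.Lineage`, `Uuid`, `ParentUuid`, `Euid` and `NamespacePid` follow the finding JSON as I understand it and should be treated as assumptions, and all PIDs, UUIDs and paths are placeholders.

```python
# Constructed Service.RuntimeDetails block. Key names are assumed; PIDs, UUIDs and
# paths are placeholders. Lineage entries are deliberately out of tree order: the
# ParentUuid links, not list position, define the chain.
RUNTIME_DETAILS = {
    "Process": {
        "Name": "nc", "ExecutablePath": "/usr/bin/nc", "Pid": 4242, "NamespacePid": 17,
        "Uuid": "uuid-c", "ParentUuid": "uuid-b", "User": "app", "UserId": 1000, "Euid": 0,
        "Pwd": "/tmp", "StartTime": "2023-03-22T19:37:20.168Z",
        "Lineage": [
            {"Name": "containerd-shim", "ExecutablePath": "/usr/bin/containerd-shim-runc-v2",
             "Pid": 3999, "NamespacePid": 3999, "Uuid": "uuid-a", "ParentUuid": "uuid-root",
             "UserId": 0, "Euid": 0, "StartTime": "2023-03-22T18:00:00.000Z"},
            {"Name": "bash", "ExecutablePath": "/bin/bash", "Pid": 4100, "NamespacePid": 12,
             "Uuid": "uuid-b", "ParentUuid": "uuid-a", "UserId": 1000, "Euid": 1000,
             "StartTime": "2023-03-22T19:30:00.000Z"},
        ],
    },
    "Context": {"ScriptPath": "/tmp/update.sh"},
}


def ancestry(process: dict) -> list:
    """Return [root ancestor, ..., process] by walking ParentUuid links through Lineage.
    Stops cleanly when the lineage is truncated (parent not listed) or malformed (cycle)."""
    by_uuid = {p["Uuid"]: p for p in process.get("Lineage", [])}
    chain, seen, cur = [process], {process["Uuid"]}, process
    while True:
        parent = by_uuid.get(cur.get("ParentUuid"))
        if parent is None or parent["Uuid"] in seen:
            break
        chain.append(parent)
        seen.add(parent["Uuid"])
        cur = parent
    chain.reverse()
    return chain


def chain_names(process: dict) -> list:
    """Process names from the oldest known ancestor down to the observed process."""
    return [p["Name"] for p in ancestry(process)]


def privilege_changes(process: dict) -> list:
    """Processes whose effective UID differs from the UID of the user that started them."""
    return [(p["Name"], p["UserId"], p["Euid"])
            for p in ancestry(process) if p["UserId"] != p["Euid"]]


def in_pid_namespace(process: dict) -> bool:
    """Heuristic: a namespace PID that differs from the host PID means the process was
    observed inside a container's PID namespace."""
    return process.get("NamespacePid") not in (None, process["Pid"])


def render(process: dict) -> str:
    """One-line ancestry string for a ticket or alert body."""
    return " > ".join(
        f'{p["Name"]}[pid {p["Pid"]}, nspid {p["NamespacePid"]}, euid {p["Euid"]}]'
        for p in ancestry(process))


if __name__ == "__main__":
    proc = RUNTIME_DETAILS["Process"]
    print(render(proc))
    print("privilege changes:", privilege_changes(proc))
```

The walk keeps a `seen` set so a malformed lineage cannot loop, and it stops at the first parent that is not in the list rather than failing, which is what you want when GuardDuty only reports a bounded number of ancestors.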

Runtime context

A generated finding includes only those of the following fields that are relevant to its finding type.

  • Mount Source – The path on the host that is mounted by the container.

  • Mount Target – The path in the container that is mapped to the host directory.

  • Filesystem Type – Represents the type of the mounted filesystem.

  • Flags – Represents options that control the behavior of the event involved in this finding.

  • Modifying Process – Information about the process that created or modified a binary, script, or a library, inside a container at runtime.

  • Modified At – The timestamp at which the process created or modified a binary, script, or library inside a container at runtime. This field is in the UTC date string format (2023-03-22T19:37:20.168Z).

  • Library Path – The path to the new library that was loaded.

  • LD Preload Value – The value of the LD_PRELOAD environment variable.

  • Socket Path – The path to the Docker socket that was accessed.

  • Runc Binary Path – The path to the runc binary.

  • Release Agent Path – The path to the cgroup release agent file.

  • Command Line Example – The example of the command line involved in the potentially suspicious activity.

  • Tool Category – Category that the tool belongs to. Some of the examples are Backdoor Tool, Pentest Tool, Network Scanner, and Network Sniffer.

  • Tool Name – The name of the potentially suspicious tool.

  • Script Path – The path to the executed script that generated the finding.

  • Threat File Path – The suspicious path for which the threat intelligence details were found.

  • Service Name – The name of the security service that has been disabled.

EBS volumes scan details

Note

This section is applicable to findings when you turn on the GuardDuty-initiated malware scan in GuardDuty Malware Protection.

The EBS volumes scan provides details about the EBS volume attached to the potentially compromised EC2 instance or container workload.

  • Scan ID – The identifier of the malware scan.

  • Scan started at – The date and time when the malware scan started.

  • Scan completed at – The date and time when the malware scan completed.

  • Trigger Finding ID – The finding ID of the GuardDuty finding that initiated this malware scan.

  • Sources – The possible values are Bitdefender and Amazon.

  • Scan detections – The complete view of details and results for each malware scan.

    • Scanned item count – The total number of scanned files. It provides details such as totalGb, files, and volumes.

    • Threats detected item count – The total number of malicious files detected during the scan.

    • Highest severity threat details – The details of the highest severity threat detected during the scan and the number of malicious files. It provides details such as severity, threatName, and count.

    • Threats detected by Name – The container element grouping threats of all severity levels. It provides details such as itemCount, uniqueThreatNameCount, shortened, and threatNames.

Malware Protection finding details

Note

This section is applicable to findings when you turn on the GuardDuty-initiated malware scan in GuardDuty Malware Protection.

When the Malware Protection scan detects malware, you can view the scan details by selecting the corresponding finding on the Findings page in the https://console.amazonaws.cn/guardduty/ console. The severity of your Malware Protection finding depends on the severity of the GuardDuty finding.

Note

The GuardDutyFindingDetected tag specifies that the snapshot contains malware.

The following information is available under the Threats detected section in the details panel.

  • Name – The name of the threat, obtained by grouping the files by detection.

  • Severity – The severity of the threat detected.

  • Hash – The SHA-256 of the file.

  • File path – The location of the malicious file in the EBS volume.

  • File name – The name of the file in which the threat was detected.

  • Volume ARN – The ARN of the scanned EBS volumes.

The following information is available under the Malware scan details section in the details panel.

  • Scan ID – The scan ID of the malware scan.

  • Scan started at – The date and time when the scan started.

  • Scan completed at – The date and time when the scan completed.

  • Files scanned – The total number of scanned files and directories.

  • Total GB scanned – The amount of storage scanned during the process.

  • Trigger finding ID – The finding ID of the GuardDuty finding that initiated this malware scan.

The following information is available under the Volume details section in the details panel.

  • Volume ARN – The Amazon Resource Name (ARN) of the volume.

  • Snapshot ARN – The ARN of the snapshot of the EBS volume.

  • Status – The scan status of the volume, such as Running, Skipped, and Completed.

  • Encryption type – The type of encryption used to encrypt the volume. For example, CMCMK.

  • Device name – The name of the device. For example, /dev/xvda.
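The EBS volumes scan details and the Malware Protection finding details above are two views of the same scan result: summary counters (files scanned, threats detected, highest severity) and a per-threat breakdown with file paths and hashes. The following is an added Python example, not code from the GuardDuty documentation, that recomputes the summary from the breakdown and cross-checks the two. The scan block is constructed; key names such as `ScanDetections.ThreatDetectedByName.ThreatNames`, `HighestSeverityThreatDetails` and `Shortened` follow the finding JSON as I understand it and should be treated as assumptions, and the threat names, hashes and ARNs are placeholders.

```python
from datetime import datetime, timezone

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}

# Constructed EBS volume scan block. Key names are assumed; scan IDs, ARNs, hashes and
# threat names are placeholders, not real indicators.
SCAN = {
    "ScanId": "scan-id-placeholder",
    "ScanStartedAt": "2023-03-22T19:40:00.000Z",
    "ScanCompletedAt": "2023-03-22T20:05:30.000Z",
    "TriggerFindingId": "finding-id-placeholder",
    "Sources": ["Bitdefender", "Amazon"],
    "ScanDetections": {
        "ScannedItemCount": {"TotalGb": 8, "Files": 123456, "Volumes": 1},
        "ThreatsDetectedItemCount": {"Files": 3},
        "HighestSeverityThreatDetails": {"Severity": "HIGH", "ThreatName": "Example.Trojan.A",
                                         "Count": 2},
        "ThreatDetectedByName": {
            "ItemCount": 3, "UniqueThreatNameCount": 2, "Shortened": False,
            "ThreatNames": [
                {"Name": "Example.PUA.B", "Severity": "LOW", "ItemCount": 1,
                 "FilePaths": [{"FilePath": "/opt/tool/b.bin", "FileName": "b.bin",
                                "Hash": "sha256-placeholder-b",
                                "VolumeArn": "arn:placeholder:vol-1"}]},
                {"Name": "Example.Trojan.A", "Severity": "HIGH", "ItemCount": 2,
                 "FilePaths": [{"FilePath": "/tmp/a.bin", "FileName": "a.bin",
                                "Hash": "sha256-placeholder-a1",
                                "VolumeArn": "arn:placeholder:vol-1"},
                               {"FilePath": "/var/tmp/a.so", "FileName": "a.so",
                                "Hash": "sha256-placeholder-a2",
                                "VolumeArn": "arn:placeholder:vol-1"}]},
            ],
        },
    },
}


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def scan_duration_minutes(scan: dict) -> float:
    return (_parse(scan["ScanCompletedAt"]) - _parse(scan["ScanStartedAt"])).total_seconds() / 60


def threats(scan: dict) -> list:
    return scan["ScanDetections"]["ThreatDetectedByName"]["ThreatNames"]


def highest_severity_threat(scan: dict) -> dict:
    """Recompute the highest-severity threat from the per-name list (severity, then count)."""
    top = max(threats(scan), key=lambda t: (SEVERITY_RANK[t["Severity"]], t["ItemCount"]))
    return {"severity": top["Severity"], "threatName": top["Name"], "count": top["ItemCount"]}


def files_by_threat(scan: dict) -> dict:
    """Threat name -> sorted list of file paths on the scanned volume."""
    return {t["Name"]: sorted(f["FilePath"] for f in t["FilePaths"]) for t in threats(scan)}


def consistency_issues(scan: dict) -> list:
    """Cross-check the summary counters against the per-threat detail; empty list means OK."""
    det = scan["ScanDetections"]
    by_name = det["ThreatDetectedByName"]
    issues = []
    listed = sum(t["ItemCount"] for t in threats(scan))
    if listed != det["ThreatsDetectedItemCount"]["Files"]:
        issues.append(f"item count mismatch: listed {listed}, "
                      f"summary {det['ThreatsDetectedItemCount']['Files']}")
    if by_name["UniqueThreatNameCount"] != len(threats(scan)):
        issues.append("unique threat name count does not match the list")
    if by_name["Shortened"]:
        issues.append("threat list was shortened; fetch the full scan result before closing")
    reported = det["HighestSeverityThreatDetails"]
    computed = highest_severity_threat(scan)
    if (reported["Severity"], reported["ThreatName"]) != (computed["severity"], computed["threatName"]):
        issues.append("reported highest-severity threat disagrees with the per-name list")
    return issues


if __name__ == "__main__":
    print(f"scan took {scan_duration_minutes(SCAN):.1f} min; top: {highest_severity_threat(SCAN)}")
    print(files_by_threat(SCAN))
    print("issues:", consistency_issues(SCAN))
```

The `Shortened` flag is the one worth acting on: when it is set, the list in the finding is not the full set of detections, so any count you derive from it is a lower bound.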

Action

A finding's Action gives details about the type of activity that triggered the finding. The information available varies based on action type.

Action type – The finding activity type. This value can be NETWORK_CONNECTION, PORT_PROBE, DNS_REQUEST, AWS_API_CALL, or RDS_LOGIN_ATTEMPT. The information available varies based on action type:

  • NETWORK_CONNECTION – Indicates that network traffic was exchanged between the identified EC2 instance and the remote host. This action type has the following additional information:

    • Connection direction – The network connection direction observed in the activity that prompted GuardDuty to generate the finding. The values can be one of the following:

      • INBOUND – Indicates that a remote host initiated a connection to a local port on the identified EC2 instance in your account.

      • OUTBOUND – Indicates that the identified EC2 instance initiated a connection to a remote host.

      • UNKNOWN – Indicates that GuardDuty could not determine the direction of the connection.

    • Protocol – The network connection protocol observed in the activity that prompted GuardDuty to generate the finding.

    • Local IP – The original source IP address of the traffic that triggered the finding. This info can be used to distinguish between the IP address of an intermediate layer through which traffic flows, and the original source IP address of the traffic that triggered the finding. For example, the IP address of an EKS pod as opposed to the IP address of the instance on which the EKS pod is running.

    • Blocked – Indicates whether the targeted port is blocked.

  • PORT_PROBE – Indicates that a remote host probed the identified EC2 instance on multiple open ports. This action type has the following additional information:

    • Local IP – The original source IP address of the traffic that triggered the finding. This info can be used to distinguish between the IP address of an intermediate layer through which traffic flows, and the original source IP address of the traffic that triggered the finding. For example, the IP address of an EKS pod as opposed to the IP address of the instance on which the EKS pod is running.

    • Blocked – Indicates whether the targeted port is blocked.

  • DNS_REQUEST – Indicates that the identified EC2 instance queried a domain name. This action type has the following additional information:

    • Protocol – The network connection protocol observed in the activity that prompted GuardDuty to generate the finding.

    • Blocked – Indicates whether the targeted port is blocked.

  • AWS_API_CALL – Indicates that an Amazon API was invoked. This action type has the following additional information:

    • API – The name of the API operation that was invoked and thus prompted GuardDuty to generate this finding.

      Note

      These operations can also include non-API events captured by Amazon CloudTrail. For more information, see Non-API events captured by CloudTrail.

    • User Agent – The user agent that made the API request. This value tells you whether the call was made from the Amazon Web Services Management Console, an Amazon service, the Amazon SDKs, or the Amazon CLI.

    • ERROR CODE – If the finding was triggered by a failed API call, this displays the error code for that call.

    • Service name – The DNS name of the service that attempted to make the API call that triggered the finding.

  • RDS_LOGIN_ATTEMPT – Indicates that a login attempt was made to the potentially compromised database from a remote IP address.

    • IP address – The remote IP address that was used to make the potentially suspicious login attempt.

Actor or Target

A finding has an Actor section if the Resource role was TARGET. This indicates that your resource was targeted by suspicious activity, and the Actor section contains details about the entity that targeted your resource.

A finding has a Target section if the Resource role was ACTOR. This indicates that your resource was involved in suspicious activity against a remote host, and this section contains information on the IP or domain that your resource targeted.

The information available in the Actor or Target section can include the following:

  • Affiliated – Details about whether the Amazon account of the remote API caller is related to your GuardDuty environment. If this value is true, the API caller is affiliated with your account in some manner; if false, the API caller is from outside your environment.

  • Remote Account ID – The account ID that owns the outbound IP address that was used to access the resource at the final network.

  • IP address – The IP address involved in the activity that prompted GuardDuty to generate the finding.

  • Location – Location information for the IP address involved in the activity that prompted GuardDuty to generate the finding.

  • Organization – ISP organization information of the IP address involved in the activity that prompted GuardDuty to generate the finding.

  • Port – The port number involved in the activity that prompted GuardDuty to generate the finding.

  • Domain – The domain involved in the activity that prompted GuardDuty to generate the finding.

  • Domain with suffix – The second- and top-level domain involved in an activity that potentially prompted GuardDuty to generate the finding. For a list of top-level and second-level domains, see public suffix list.
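The Action section is a tagged union keyed by action type, and the Actor or Target section is selected by Resource role, so a triage helper dispatches on the one to flatten the relevant fields and uses the other to decide whether the remote side is the attacker or the thing your resource reached out to. The following is an added Python example covering both sections; it is not code from the GuardDuty documentation. The three findings are constructed; key names such as `Service.Action.ActionType`, `NetworkConnectionAction`, `AwsApiCallAction.RemoteAccountDetails` and `Service.ResourceRole` follow the finding JSON as I understand it and should be treated as assumptions, and all IPs, account IDs, instance IDs and domains are placeholders.

```python
# Constructed findings. Key names are assumed; IPs, account IDs, instance IDs and
# domains are placeholders from documentation ranges, not real indicators.
NETWORK_FINDING = {
    "Type": "UnauthorizedAccess:EC2/SSHBruteForce",
    "Resource": {"ResourceType": "Instance", "InstanceDetails": {"InstanceId": "i-placeholder-1"}},
    "Service": {"ResourceRole": "TARGET", "Action": {
        "ActionType": "NETWORK_CONNECTION",
        "NetworkConnectionAction": {
            "ConnectionDirection": "INBOUND", "Protocol": "TCP", "Blocked": False,
            "LocalIpDetails": {"IpAddressV4": "10.0.1.23"}, "LocalPortDetails": {"Port": 22},
            "RemoteIpDetails": {"IpAddressV4": "198.51.100.7",
                                "Organization": {"Asn": "64496", "AsnOrg": "EXAMPLE-ASN"}},
            "RemotePortDetails": {"Port": 51234}}}},
}
API_FINDING = {
    "Type": "Discovery:S3/AnomalousBehavior",
    "Resource": {"ResourceType": "AccessKey",
                 "AccessKeyDetails": {"UserName": "deploy-user", "UserType": "IAMUser"}},
    "Service": {"ResourceRole": "TARGET", "Action": {
        "ActionType": "AWS_API_CALL",
        "AwsApiCallAction": {
            "Api": "ListBuckets", "ServiceName": "s3.amazonaws.com.cn",
            "ErrorCode": "AccessDenied", "UserAgent": "aws-cli/2.13.0",
            "RemoteIpDetails": {"IpAddressV4": "203.0.113.9",
                                "Organization": {"Asn": "64497", "AsnOrg": "EXAMPLE-NET"}},
            "RemoteAccountDetails": {"AccountId": "444455556666", "Affiliated": False}}}},
}
DNS_FINDING = {
    "Type": "Backdoor:EC2/C&CActivity.B!DNS",
    "Resource": {"ResourceType": "Instance", "InstanceDetails": {"InstanceId": "i-placeholder-2"}},
    "Service": {"ResourceRole": "ACTOR", "Action": {
        "ActionType": "DNS_REQUEST",
        "DnsRequestAction": {"Domain": "suspect.example.net", "DomainWithSuffix": "example.net",
                             "Protocol": "UDP", "Blocked": True}}},
}

# Keys that describe the remote entity shown under Actor or Target.
REMOTE_KEYS = ("remote_ip", "remote_port", "remote_asn_org", "remote_account", "affiliated",
               "domain", "domain_with_suffix", "remote_ips")


def _ip(d: dict):
    return d.get("RemoteIpDetails", {}).get("IpAddressV4")


def _asn_org(d: dict):
    return d.get("RemoteIpDetails", {}).get("Organization", {}).get("AsnOrg")


def action_summary(finding: dict) -> dict:
    """Flatten the action-type-specific block into one dict; unknown types fail loudly."""
    action = finding["Service"]["Action"]
    kind = action["ActionType"]
    if kind == "NETWORK_CONNECTION":
        a = action["NetworkConnectionAction"]
        return {"type": kind, "direction": a["ConnectionDirection"], "protocol": a["Protocol"],
                "blocked": a["Blocked"], "local_ip": a["LocalIpDetails"]["IpAddressV4"],
                "local_port": a["LocalPortDetails"]["Port"], "remote_ip": _ip(a),
                "remote_port": a["RemotePortDetails"]["Port"], "remote_asn_org": _asn_org(a)}
    if kind == "PORT_PROBE":
        probes = action["PortProbeAction"].get("PortProbeDetails", [])
        return {"type": kind, "blocked": action["PortProbeAction"].get("Blocked"),
                "local_ports": sorted({p["LocalPortDetails"]["Port"] for p in probes}),
                "remote_ips": sorted({_ip(p) for p in probes})}
    if kind == "DNS_REQUEST":
        a = action["DnsRequestAction"]
        return {"type": kind, "domain": a["Domain"], "domain_with_suffix": a.get("DomainWithSuffix"),
                "protocol": a["Protocol"], "blocked": a["Blocked"]}
    if kind == "AWS_API_CALL":
        a = action["AwsApiCallAction"]
        acct = a.get("RemoteAccountDetails", {})
        return {"type": kind, "api": a["Api"], "service": a["ServiceName"],
                "error_code": a.get("ErrorCode"), "user_agent": a.get("UserAgent"),
                "remote_ip": _ip(a), "remote_asn_org": _asn_org(a),
                "remote_account": acct.get("AccountId"), "affiliated": acct.get("Affiliated")}
    if kind == "RDS_LOGIN_ATTEMPT":
        a = action["RdsLoginAttemptAction"]
        return {"type": kind, "remote_ip": _ip(a), "login_attributes": a.get("LoginAttributes", [])}
    raise ValueError(f"unknown action type: {kind}")


def counterparty(finding: dict) -> tuple:
    """Resource role TARGET -> the console shows an Actor section; ACTOR -> a Target section.
    Returns that section name plus the remote entity's details taken from the action."""
    section = {"TARGET": "Actor", "ACTOR": "Target"}[finding["Service"]["ResourceRole"]]
    summary = action_summary(finding)
    return section, {k: v for k, v in summary.items() if k in REMOTE_KEYS and v is not None}


def triage_line(finding: dict) -> str:
    section, remote = counterparty(finding)
    res = finding["Resource"]["ResourceType"]
    return f'{finding["Type"]}: {res} is {finding["Service"]["ResourceRole"]}; {section}={remote}'


if __name__ == "__main__":
    for f in (NETWORK_FINDING, API_FINDING, DNS_FINDING):
        print(triage_line(f))
```

Keeping `affiliated` even when it is `False` matters: a remote API caller from an unaffiliated account is the case the Affiliated field exists to surface, so it must not be dropped as a falsy value.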

Additional information

All findings have an Additional information section that can include the following information:

  • Threat list name – The name of the threat list that includes the IP address or the domain name involved in the activity that prompted GuardDuty to generate the finding.

  • Sample – A true or false value that indicates whether this is a sample finding.

  • Archived – A true or false value that indicates whether this finding has been archived.

  • Unusual – Activity details that were not observed historically. These can include an unusual (previously not observed) user, location, time, bucket, login behavior, or ASN Org.

  • Unusual protocol – The network connection protocol involved in the activity that prompted GuardDuty to generate the finding.

  • Agent details – Details about the security agent that is currently deployed on the EKS cluster in your Amazon Web Services account. This is only applicable to EKS Runtime Monitoring finding types.

    • Agent version – The version of the GuardDuty security agent.

    • Agent Id – The unique identifier of the GuardDuty security agent.

Evidence

Findings based on threat intelligence have an Evidence section that includes the following information:

  • Threat intelligence details – The name of the threat list on which the recognized Threat name appears.

  • Threat name – The name of the malware family or other identifier that is associated with the threat.

  • Threat file SHA256 – SHA256 of the file that generated the finding.

Anomalous behavior

Findings types that end in AnomalousBehavior indicate that the finding was generated by the GuardDuty anomaly detection machine learning (ML) model. The ML model evaluates all API requests to your account and identifies anomalous events that are associated with tactics used by adversaries. The ML model tracks various factors of the API request, such as the user that made the request, the location the request was made from, and the specific API that was requested.

Details about which factors of the API request are unusual for the CloudTrail user identity that invoked the request can be found in the finding details. The identities are defined by the CloudTrail userIdentity Element, and the possible values are: Root, IAMUser, AssumedRole, FederatedUser, AWSAccount, or AWSService.

In addition to the details available for all GuardDuty findings that are associated with API activity, AnomalousBehavior findings have additional details that are outlined in the following section. These details can be viewed in the console and are also available in the finding's JSON.

  • Anomalous APIs – A list of API requests that were invoked by the user identity in proximity to the primary API request associated with the finding. This pane further breaks down the details of the API event in the following ways.

    • The first API listed is the primary API, which is the API request associated with the highest-risk observed activity. This is the API that triggered the finding and correlates to the attack stage of the finding type. This is also the API that is detailed under the Action section in the console, and in the finding's JSON.

    • Any other APIs listed are additional anomalous APIs from the listed user identity observed in proximity to the primary API. If there is only one API on the list, the ML model did not identify any additional API requests from that user identity as anomalous.

    • The list of APIs is divided based on whether an API was successfully called, or if the API was unsuccessfully called, meaning an error response was received. The type of error response received is listed above each unsuccessfully called API. Possible error response types are: access denied, access denied exception, auth failure, instance limit exceeded, invalid permission - duplicate, invalid permission - not found, and operation not permitted.

    • APIs are categorized by their associated service.

    Note

    For more context, choose Historical APIs to view the details about the top APIs, to a maximum of 20, usually seen for both the user identity and all users within the account. The APIs are marked Rare (less than once a month), Infrequent (a few times a month), or Frequent (daily to weekly), depending on how often they are used within your account.

  • Unusual Behavior (Account) – This section gives additional details about the profiled behavior for your account. The information tracked in this panel includes:

    • ASN Org – The ASN Org that the anomalous API call was made from.

    • User Name – The name of the user that made the anomalous API call.

    • User Agent – The user agent used to make the anomalous API call. The user agent is the method used to make the call such as aws-cli or Botocore.

    • User Type – The type of user that made the anomalous API call. Possible values are AWS_SERVICE, ASSUMED_ROLE, IAM_USER, or ROLE.

    • Bucket – The name of the S3 bucket that is being accessed.

  • Unusual Behavior (User Identity) – This section gives additional details about the profiled behavior for the User Identity involved with the finding. When a behavior isn't identified as historical, this means the GuardDuty ML model hasn't previously seen this user identity making this API call in this way within the training period. The following additional details about the User Identity are available:

    • ASN Org – The ASN Org the anomalous API call was made from.

    • User Agent – The user agent used to make the anomalous API call. The user agent is the method used to make the call such as aws-cli or Botocore.

    • Bucket – The name of the S3 bucket that is being accessed.

  • Unusual Behavior (Bucket) – This section gives additional details about the profiled behavior for the S3 bucket associated with the finding. When a behavior isn't identified as historical, this means the GuardDuty ML model hasn't previously seen API calls made to this bucket in this way within the training period. The information tracked in this section includes:

    • ASN Org – The ASN Org the anomalous API call was made from.

    • User Name – The name of the user that made the anomalous API call.

    • User Agent – The user agent used to make the anomalous API call. The user agent is the method used to make the call, such as aws-cli or Botocore.

    • User Type – The type of user that made the anomalous API call. Possible values are AWS_SERVICE, ASSUMED_ROLE, IAM_USER, or ROLE.

    Note

    For more context on historical behaviors, choose Historical behavior in the Unusual Behavior (Account), Unusual Behavior (User Identity), or Unusual Behavior (Bucket) section to view details about the expected behavior in your account. Each observed value is categorized as Rare (less than once a month), Infrequent (a few times a month), or Frequent (daily to weekly), depending on how often it is seen within your account.

  • Unusual Behavior (Database) – This section provides additional details about the profiled behavior for the database instance associated with the finding. When a behavior isn't identified as historical, it means that the GuardDuty ML model hasn't previously seen a login attempt made to this database instance in this way within the training period. The information tracked for this section in the finding panel includes:

    • User name – The user name used to make the anomalous login attempt.

    • ASN Org – The ASN Org that the anomalous login attempt was made from.

    • Application name – The application name used to make the anomalous login attempt.

    • Database name – The name of the database instance involved in the anomalous login attempt.

    Note

    The Historical behavior section provides more context on the previously observed User names, ASN Orgs, Application names, and Database names for the associated database. Each unique value has an associated count representing the number of times this value was observed in a successful login event.

S3 volume-based anomalies

This section details the contextual information for S3 volume-based anomalies. The volume-based finding (Exfiltration:S3/AnomalousBehavior) monitors for unusual numbers of S3 API calls made to the S3 buckets by users, indicating potential data exfiltration. The following S3 API calls are monitored for volume-based anomaly detection.

  • GetObject

  • CopyObject.Read

  • SelectObjectContent

The following metrics help build a baseline of usual behavior for an IAM entity accessing an S3 bucket. To detect data exfiltration, the volume-based anomaly detection finding evaluates all activity against this behavioral baseline. Choose Historical behavior in the Unusual behavior (User Identity), Observed Volume (User Identity), and Observed Volume (Bucket) sections to view the following metrics, respectively.

  • Number of s3-api-name API calls invoked by the IAM user or IAM role (whichever made the calls) against the affected S3 bucket over the past 24 hours.

  • Number of s3-api-name API calls invoked by the IAM user or IAM role (whichever made the calls) against all S3 buckets over the past 24 hours.

  • Number of s3-api-name API calls invoked by all IAM users and IAM roles against the affected S3 bucket over the past 24 hours.
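As an added example, not GuardDuty's own code and not a reproduction of its ML baseline, the following Python computes the three per-API counts just listed from a constructed set of S3 access events over a trailing 24-hour window; the identities, bucket names and account ID are placeholders.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# S3 read APIs the page lists as monitored ("CopyObject.Read" is the read side of a copy).
MONITORED_APIS = {"GetObject", "CopyObject.Read", "SelectObjectContent"}

# Constructed sample events (not real CloudTrail records); account ID and names are placeholders.
ANALYST = "arn:aws:iam::111122223333:user/analyst"
BACKUP = "arn:aws:iam::111122223333:role/backup"
SAMPLE_EVENTS = [  # (identity, bucket, api, UTC time)
    (ANALYST, "example-data", "GetObject", "2024-05-01T09:00:00Z"),  # older than 24h
    (ANALYST, "example-data", "GetObject", "2024-05-01T12:00:00Z"),
    (ANALYST, "example-data", "GetObject", "2024-05-02T08:30:00Z"),
    (ANALYST, "example-data", "SelectObjectContent", "2024-05-02T09:00:00Z"),
    (ANALYST, "example-logs", "GetObject", "2024-05-02T09:30:00Z"),  # other bucket
    (ANALYST, "example-data", "PutObject", "2024-05-02T09:45:00Z"),  # not monitored
    (BACKUP, "example-data", "CopyObject.Read", "2024-05-02T07:00:00Z"),
    (BACKUP, "example-data", "GetObject", "2024-05-02T07:05:00Z"),
]


def parse_utc(ts):
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def volume_metrics(events, identity, bucket, now, window=timedelta(hours=24)):
    """Per-API counts of monitored calls in the trailing window, split three ways."""
    start = now - window
    identity_bucket, identity_all, bucket_all = Counter(), Counter(), Counter()
    for ident, bkt, api, ts in events:
        if api not in MONITORED_APIS:
            continue  # writes and other APIs are not part of this baseline
        if not (start < parse_utc(ts) <= now):
            continue  # outside the trailing 24-hour window
        if ident == identity:
            identity_all[api] += 1  # this identity, all buckets
            if bkt == bucket:
                identity_bucket[api] += 1  # this identity, this bucket
        if bkt == bucket:
            bucket_all[api] += 1  # all identities, this bucket
    return {"identity_bucket": dict(identity_bucket),
            "identity_all_buckets": dict(identity_all),
            "bucket_all_identities": dict(bucket_all)}


def sample_metrics():
    """Metrics for the constructed analyst/example-data pair as of a fixed 'now'."""
    return volume_metrics(SAMPLE_EVENTS, ANALYST, "example-data",
                          parse_utc("2024-05-02T10:00:00Z"))
```

A sustained rise in the first two counts for one identity while the bucket-wide count stays flat is the shape of signal this finding type is built to surface.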

RDS login activity-based anomalies

This section details the count of login attempts performed by the unusual actor and is grouped by the result of the login attempts. The RDS Protection finding types identify anomalous behavior by monitoring the login events for unusual patterns of successfulLoginCount, failedLoginCount, and incompleteConnectionCount.

  • successfulLoginCount – This counter represents the sum of successful connections (correct combination of login attributes) made to the database instance by the unusual actor. Login attributes include user name, password, and database name.

  • failedLoginCount – This counter represents the sum of failed (unsuccessful) login attempts made to establish a connection to the database instance. This indicates that one or more attributes of the login combination, such as user name, password, or database name, were incorrect.

  • incompleteConnectionCount – This counter represents the number of connection attempts that can't be classified as successful or failed. These connections are closed before the database provides a response. For example, port scanning, where the database port is connected but no data is sent to the database, or a connection that was aborted before the login completed as either a successful or a failed attempt.