Finding details - Amazon GuardDuty
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Finding details

In the Amazon GuardDuty console, you can view finding details in the finding summary section. Finding details vary based on the finding type.

There are two primary details that determine what kind of information is available for any finding. The first is the resource type, which can be Instance, AccessKey, S3Bucket, Kubernetes cluster, ECS cluster, or Container. The second detail that determines finding information is Resource Role. Resource role can be Target for access keys, meaning the resource was the target of suspicious activity. For instance type findings, resource role can also be Actor, which means that your resource was the actor carrying out suspicious activity. This topic describes some of the commonly available details for findings.

Finding summary

A finding's summary section contains the most basic identifying features of the finding, including the following information:

  • Account ID – The ID of the Amazon account in which the activity took place that prompted GuardDuty to generate this finding.

  • Count – The number of times GuardDuty has aggregated an activity matching this pattern to this finding ID.

  • Created at – The time and date when this finding was first created. If this value differs from Updated at, it indicates that the activity has occurred multiple times and is an ongoing issue.

    Note

    Timestamps for findings in the GuardDuty console appear in your local time zone, while JSON exports and CLI outputs display timestamps in UTC.

  • Finding ID – A unique Finding ID for this finding type and set of parameters. New occurrences of activity matching this pattern will be aggregated to the same ID.

  • Finding type – A formatted string representing the type of activity that triggered the finding. For more information, see GuardDuty finding format.

  • Region – The Amazon Region in which the finding was generated. For more information about supported Regions, see Regions and endpoints.

  • Resource ID – The ID of the Amazon resource against which the activity took place that prompted GuardDuty to generate this finding.

  • Scan ID – Applicable to findings when GuardDuty Malware Protection is enabled, this is an identifier of the malware scan that runs on the EBS volumes attached to the potentially compromised EC2 instance or container workload. For more information, see Malware Protection finding details.

  • Severity – A finding's assigned severity level of either High, Medium, or Low. For more information, see Severity levels for GuardDuty findings.

  • Updated at – The last time this finding was updated with new activity matching the pattern that prompted GuardDuty to generate this finding.

    Note

    Timestamps for findings in the GuardDuty console appear in your local time zone, while JSON exports and CLI outputs display timestamps in UTC.

Resource

The Resource affected gives details on the Amazon resource that was targeted by the trigger activity. The information available varies based on resource type and action type.

Resource role – The role of the Amazon resource that triggered the finding. This value can be TARGET or ACTOR, and represents whether your resource was the target of the suspicious activity or the actor that performed the suspicious activity.

Resource type – The type of the affected resource. A finding can include multiple resource types if multiple resources were involved. The resource types are Instance, AccessKey, S3Bucket, KubernetesCluster, ECSCluster, and Containers. Depending on the resource type, different finding details are available. Select a resource option tab to learn about the details available for that resource.

Instance

Instance details:

Note

Some instance details may be missing if the instance has already been terminated or if the underlying API invocation originated from an EC2 instance in a different Region when making a cross-Region API call.

  • Instance ID – The ID of the EC2 instance involved in the activity that prompted GuardDuty to generate the finding.

  • Instance Type – The type of the EC2 instance involved in the finding.

  • Launch Time – The time and date the instance was launched.

  • Outpost ARN – The Amazon Resource Name (ARN) of Amazon Outposts. Only applicable to Amazon Outposts instances. For more information, see What is Amazon Outposts?

  • Security Group Name – The name of the Security Group attached to the involved instance.

  • Security Group ID – The ID of the Security Group attached to the involved instance.

  • Instance state – The current state of the targeted instance.

  • Availability Zone – The Amazon Region Availability Zone in which the involved instance is located.

  • Image ID – The ID of the Amazon Machine Image used to build the instance involved in the activity.

  • Image Description – The description of the Amazon Machine Image used to build the instance involved in the activity.

  • Tags – A list of tags attached to this resource, listed in the format of key:value.

AccessKey

Access Key details:

  • Access key ID – The Access key ID of the user engaged in the activity that prompted GuardDuty to generate the finding.

  • Principal ID – The principal ID of the user engaged in the activity that prompted GuardDuty to generate the finding.

  • User type – The type of user engaged in the activity that prompted GuardDuty to generate the finding. For more information, see CloudTrail userIdentity element.

  • User name – The name of the user engaged in the activity that prompted GuardDuty to generate the finding.

S3Bucket

S3 bucket details:

  • Name – The name of the bucket involved in the finding.

  • ARN – The ARN of the bucket involved in the finding.

  • Owner – The canonical user ID of the user that owns the bucket involved in the finding. For more information on canonical user IDs see Amazon account identifiers.

  • Type – The type of bucket finding, can be either Destination or Source.

  • Default server side encryption – The encryption details for the bucket.

  • Bucket Tags – A list of tags attached to this resource, listed in the format of key:value.

  • Effective Permissions – An evaluation of all effective permissions and policies on the bucket that indicates whether the involved bucket is publicly exposed. Values can be Public or Not public.

EKSCluster

Kubernetes Cluster details:

  • Name – The name of the Kubernetes cluster.

  • ARN – The ARN that identifies the cluster.

  • Created At – The time and date when this cluster was created.

    Note

    Timestamps for findings in the GuardDuty console appear in your local time zone, while JSON exports and CLI outputs display timestamps in UTC.

  • VPC ID – The ID of the VPC that is associated to your cluster.

  • Status – The current status of the cluster.

  • Tags – The metadata that you apply to the cluster to help you to categorize and organize them. Each tag consists of a key and an optional value, listed in the format key:value. You get to define both key and value.

    Cluster tags do not propagate to any other resource associated with the cluster.

ECSCluster

ECS Cluster details:

  • ARN – The ARN that identifies the cluster.

  • Name – The name of the cluster.

  • Status – The current status of the cluster.

  • Active services count – The number of services that are running on the cluster in an ACTIVE state. You can view these services with .

  • Registered container instances count – The number of container instances registered into the cluster. This includes container instances in both ACTIVE and DRAINING status.

  • Running tasks count – The number of tasks in the cluster that are in the RUNNING state.

  • Tags – The metadata that you apply to the cluster to help you to categorize and organize them. Each tag consists of a key and an optional value, listed in the format key:value. You get to define both key and value.

  • Task details – The details of a task in a cluster.

Container

Container details:

Note

This resource is available in the Malware Protection findings related to the container.

  • Container runtime – The container runtime (such as docker or containerd) used to run the container.

  • ID – The container instance ID or full ARN entries for the container instance.

  • Name – The name of the container.

  • Image – The image of the container instance.

  • Volume mounts – List of container volume mounts. A container can mount a volume under its file system.

  • Security context – The container security context defines privilege and access control settings for a container.

  • Process details – Describes the details of the process that is associated to the finding.

EBS volumes scan details

Note

This section is applicable to findings when you enable the Malware Protection feature in GuardDuty. For more information, see Malware Protection in Amazon GuardDuty.

The EBS volumes scan provides details about the EBS volume that was attached to the potentially compromised EC2 instance or container workload(s).

  • Scan ID – The identifier of the malware scan.

  • Scan started at – The date and time when the malware scan started.

  • Scan completed at – The date and time when the malware scan completed.

  • Trigger Finding ID – The finding ID of the GuardDuty finding that initiated this malware scan.

  • Sources – The possible values are Bitdefender and Amazon.

  • Scan detections – The complete view of details and results for each malware scan.

    • Scanned item count – The total number of scanned files. It provides details such as totalGb, files, and volumes.

    • Threats detected item count – The total number of malicious files detected during the scan.

    • Highest severity threat details – The details of the highest severity threat detected during the scan and the number of malicious files. It provides details such as severity, threatName, and count.

    • Threats detected by Name – The container element grouping threats of all severity levels. It provides details such as itemCount, uniqueThreatNameCount, shortened, and threatNames.

Action

A finding's Action gives details on the type of activity that triggered the finding. The information available varies based on action type.

  • Action type – The finding activity type. This value can be NETWORK_CONNECTION, PORT_PROBE, DNS_REQUEST, or AWS_API_CALL. The information available varies based on action type:

    • NETWORK_CONNECTION – Indicates that network traffic was exchanged between the identified EC2 instance and the remote host. This action type has the following additional information:

      • Connection direction – The network connection direction observed in the activity that prompted GuardDuty to generate the finding. The values can be one of the following:

        • INBOUND – Indicates that a remote host initiated a connection to a local port on the identified EC2 instance in your account.

        • OUTBOUND – Indicates that the identified EC2 instance initiated a connection to a remote host.

        • UNKNOWN – Indicates that GuardDuty could not determine the direction of the connection.

      • Protocol – The network connection protocol observed in the activity that prompted GuardDuty to generate the finding.

      • Local IP – The original source IP address of the traffic that triggered the finding. This information can be used to distinguish between the IP address of an intermediate layer through which traffic flows and the original source IP address of the traffic that triggered the finding; for example, the IP address of an EKS pod as opposed to the IP address of the instance on which the EKS pod is running.

      • Blocked – Indicates whether the targeted port is blocked.

    • PORT_PROBE – Indicates that a remote host probed the identified EC2 instance on multiple open ports. This action type has the following additional information:

      • Local IP – The original source IP address of the traffic that triggered the finding. This information can be used to distinguish between the IP address of an intermediate layer through which traffic flows and the original source IP address of the traffic that triggered the finding; for example, the IP address of an EKS pod as opposed to the IP address of the instance on which the EKS pod is running.

      • Blocked – Indicates whether the targeted port is blocked.

    • DNS_REQUEST – Indicates that the identified EC2 instance queried a domain name. This action type has the following additional information:

      • Protocol – The network connection protocol observed in the activity that prompted GuardDuty to generate the finding.

      • Blocked – Indicates whether the targeted port is blocked.

    • AWS_API_CALL – Indicates that an Amazon API was invoked. This action type has the following additional information:

      • API – The name of the API operation that was invoked and thus prompted GuardDuty to generate this finding.

        Note

        These operations can also include non-API events captured by Amazon CloudTrail. For more information, see Non-API events captured by CloudTrail.

      • User Agent – The user agent that made the API request. This value tells you whether the call was made from the Amazon Management Console, an Amazon service, the Amazon SDKs or the Amazon CLI.

      • ERROR CODE – If the finding was triggered by a failed API call this displays the error code for that call.

      • Service name – The DNS name of the service that attempted to make the API call that triggered the finding.

Malware Protection finding details

Note

This section is applicable to findings when you enable the Malware Protection feature in GuardDuty. For more information, see Malware Protection in Amazon GuardDuty.

When the Malware Protection scan detects malware, you can view the scan details by selecting the corresponding finding on the Findings page in the https://console.amazonaws.cn/guardduty/ console. The severity of your Malware Protection finding depends on the severity of the GuardDuty finding.

Note

The GuardDutyFindingDetected tag specifies that the snapshot contains malware.

The following information is available under the Threats detected section in the details panel.

  • Name – The name of the threat, obtained by grouping the files by detection.

  • Severity – The severity of the threat detected.

  • Hash – The SHA-256 of the file.

  • File path – The location of the malicious file in the EBS volume.

  • File name – The name of the file in which the threat was detected.

  • Volume ARN – The ARN of the scanned EBS volumes.

The following information is available under the Malware scan details section in the details panel.

  • Scan ID – The scan ID of the malware scan.

  • Scan started at – The date and time when the scan started.

  • Scan completed at – The date and time when the scan completed.

  • Files scanned – The total number of scanned files and directories.

  • Total GB scanned – The amount of storage scanned during the process.

  • Trigger finding ID – The finding ID of the GuardDuty finding that initiated this malware scan.

The following information is available under the Volume details section in the details panel.

  • Volume ARN – The Amazon Resource Name (ARN) of the volume.

  • SnapshotARN – The ARN of the snapshot of the EBS volume.

  • Status – The scan status of the volume, such as Running, Skipped, and Completed.

  • Encryption type – The type of encryption used to encrypt the volume. For example, CMCMK.

  • Device name – The name of the device. For example, /dev/xvda.

Actor or Target

A finding has an Actor section if the Resource role was TARGET. This indicates that your resource was targeted by suspicious activity, and the Actor section contains details on the entity that targeted your resource.

A finding has a Target section if the Resource role was ACTOR. This indicates that your resource was involved in suspicious activity against a remote host, and this section contains information on the IP or domain that your resource targeted.

The information available in the Actor or Target section can include the following:

  • Affiliated – Details on whether the Amazon account of the remote API caller is related to your GuardDuty environment. If this value is true, the API caller is affiliated to your account in some manner; if false, the API caller is from outside your environment.

  • Remote Account ID – The account ID that owns the egress IP address that was used to access the resource at the final network.

  • IP address – The IP address involved in the activity that prompted GuardDuty to generate the finding.

  • Location – Location information for the IP address involved in the activity that prompted GuardDuty to generate the finding.

  • Organization – ISP organization information of the IP address involved in the activity that prompted GuardDuty to generate the finding.

  • Port – The port number involved in the activity that prompted GuardDuty to generate the finding.

  • Domain – The domain involved in the activity that prompted GuardDuty to generate the finding.
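The fields described in the Finding summary, Resource, Action, and Actor or Target sections above map onto the JSON that the GetFindings API (and `aws guardduty get-findings`) returns. The following triage helper is an added example, not code from the GuardDuty documentation or service: it reads one finding, chooses the Actor or Target interpretation from the resource role, follows the action type to the action-specific details, treats a finding whose Updated at differs from Created at as ongoing, and keeps the UTC timestamps timezone-aware before converting them to console-style local time. Both sample findings and all values in them are constructed, and the numeric-to-label severity ranges are taken from GuardDuty's published severity levels rather than from this page.

```python
"""Added example: triage one GuardDuty finding in GetFindings JSON shape (PascalCase keys).
The two sample findings below are constructed for illustration, not real findings."""
from datetime import datetime, timezone

# Constructed EC2 finding: the instance is the TARGET of an inbound connection.
INSTANCE_FINDING = {
    "AccountId": "111122223333", "Region": "cn-north-1",
    "Id": "EXAMPLE0000000000000000000000001",
    "Type": "UnauthorizedAccess:EC2/SSHBruteForce", "Severity": 2.0,
    "CreatedAt": "2024-05-01T10:00:00.000Z", "UpdatedAt": "2024-05-02T12:30:00.000Z",
    "Resource": {"ResourceType": "Instance",
                 "InstanceDetails": {"InstanceId": "i-0123456789abcdef0"}},
    "Service": {
        "ResourceRole": "TARGET", "Count": 17, "Archived": False,
        "Action": {
            "ActionType": "NETWORK_CONNECTION",
            "NetworkConnectionAction": {
                "ConnectionDirection": "INBOUND", "Protocol": "TCP", "Blocked": False,
                "LocalPortDetails": {"Port": 22, "PortName": "SSH"},
                "RemoteIpDetails": {"IpAddressV4": "198.51.100.23",
                                    "Organization": {"AsnOrg": "EXAMPLE-ISP"}},
            },
        },
    },
}

# Constructed access-key finding: a failed API call from an unaffiliated account.
ACCESS_KEY_FINDING = {
    "AccountId": "111122223333", "Region": "cn-north-1",
    "Id": "EXAMPLE0000000000000000000000002",
    "Type": "Discovery:IAMUser/AnomalousBehavior", "Severity": 5.0,
    "CreatedAt": "2024-05-03T08:15:00.000Z", "UpdatedAt": "2024-05-03T08:15:00.000Z",
    "Resource": {"ResourceType": "AccessKey",
                 "AccessKeyDetails": {"AccessKeyId": "AKIAIOSFODNN7EXAMPLE",
                                      "UserName": "analyst", "UserType": "IAMUser"}},
    "Service": {
        "ResourceRole": "TARGET", "Count": 1, "Archived": False,
        "Action": {
            "ActionType": "AWS_API_CALL",
            "AwsApiCallAction": {
                "Api": "ListBuckets", "ServiceName": "s3.amazonaws.com",
                "ErrorCode": "AccessDenied", "UserAgent": "aws-cli/2.15.0",
                "RemoteIpDetails": {"IpAddressV4": "203.0.113.9"},
                "RemoteAccountDetails": {"AccountId": "444455556666", "Affiliated": False},
            },
        },
    },
}

# Action type -> key holding that action's details in the finding JSON.
ACTION_KEYS = {"NETWORK_CONNECTION": "NetworkConnectionAction", "PORT_PROBE": "PortProbeAction",
               "DNS_REQUEST": "DnsRequestAction", "AWS_API_CALL": "AwsApiCallAction"}

def parse_utc(ts):
    """Finding JSON timestamps are UTC ISO 8601 with a trailing Z; keep them tz-aware."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def severity_label(score):
    """Low 1.0-3.9, Medium 4.0-6.9, High 7.0+ (GuardDuty's published ranges; assumption here)."""
    return "Low" if score < 4.0 else "Medium" if score < 7.0 else "High"

def counterpart_section(finding):
    """A TARGET finding carries an Actor section; an ACTOR finding carries a Target section."""
    return "Actor" if finding["Service"]["ResourceRole"] == "TARGET" else "Target"

def remote_ip(action):
    """Find RemoteIpDetails; port probes nest it under each PortProbeDetails entry."""
    details = action.get(ACTION_KEYS[action["ActionType"]], {})
    if action["ActionType"] == "PORT_PROBE":
        probes = details.get("PortProbeDetails", [])
        return probes[0]["RemoteIpDetails"].get("IpAddressV4") if probes else None
    return details.get("RemoteIpDetails", {}).get("IpAddressV4")

def triage(finding):
    """Return a flat summary with the fields an analyst checks first."""
    svc, action = finding["Service"], finding["Service"]["Action"]
    details = action.get(ACTION_KEYS[action["ActionType"]], {})
    created, updated = parse_utc(finding["CreatedAt"]), parse_utc(finding["UpdatedAt"])
    summary = {
        "id": finding["Id"], "type": finding["Type"],
        "severity": severity_label(finding["Severity"]),
        "resource_type": finding["Resource"]["ResourceType"],
        "section": counterpart_section(finding),
        "ongoing": updated > created,  # activity was aggregated onto this ID more than once
        "count": svc["Count"],
        "created_local": created.astimezone().isoformat(),  # console shows local time
        "action": action["ActionType"], "remote_ip": remote_ip(action),
        "blocked": details.get("Blocked"),
    }
    if action["ActionType"] == "AWS_API_CALL":
        summary.update(api=details.get("Api"), error_code=details.get("ErrorCode"),
                       affiliated=details.get("RemoteAccountDetails", {}).get("Affiliated"))
    elif action["ActionType"] == "NETWORK_CONNECTION":
        summary.update(direction=details.get("ConnectionDirection"),
                       port=details.get("LocalPortDetails", {}).get("Port"))
    elif action["ActionType"] == "DNS_REQUEST":
        summary["domain"] = details.get("Domain")
    return summary

if __name__ == "__main__":
    for f in (INSTANCE_FINDING, ACCESS_KEY_FINDING):
        print(triage(f))
```

Feeding real findings to `triage` means passing each element of the `Findings` list from a GetFindings response; findings delivered through EventBridge use camelCase keys and would need the key names adjusted.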

Additional information

All findings have an Additional information section that can include the following information:

  • Threat list name – The name of the threat list that includes the IP address or the domain name involved in the activity that prompted GuardDuty to generate the finding.

  • Sample – A true or false value that indicates whether this is a sample finding.

  • Archived – A true or false value that indicates whether this finding has been archived.

  • Unusual – Activity details that were not observed historically. These can include an unusual (previously not observed) user, location, time, or bucket.

  • Unusual protocol – The network connection protocol involved in the activity that prompted GuardDuty to generate the finding.

Evidence

Findings based on DNS logs have an Evidence section that includes the following information:

  • Threat intelligence details – The name of the threat list that the recognized Threat name appears on.

  • Threat name – The name of the malware family, or other identifier, associated with the threat.

Anomalous behavior

Findings types that end in AnomalousBehavior indicate that the finding was generated by the GuardDuty anomaly detection machine learning (ML) model. The ML model evaluates all API requests to your account and identifies anomalous events that are associated with tactics used by adversaries. The ML model tracks various factors of the API request, such as the user that made the request, the location the request was made from, and the specific API that was requested.

Details about which factors of the API request are unusual for the CloudTrail user identity that invoked the request can be found in the finding details. The identities are defined by the CloudTrail userIdentity element; possible values are Root, IAMUser, AssumedRole, FederatedUser, AWSAccount, or AWSService.

In addition to the details available for all GuardDuty findings that are associated with API activity, AnomalousBehavior findings have additional details that are outlined in the following section. These details can be viewed in the console and are also available in the finding's JSON.

  • Anomalous APIs – A list of API requests that were invoked by the user identity in proximity to the primary API request associated with the finding. This pane further breaks down the details of the API event in the following ways:

    • The first API listed is the primary API, which is the API request associated with the highest-risk observed activity. This is the API that triggered the finding and correlates to the attack stage of the finding type. This is also the API that is detailed under the Action section in the console, and in the finding's JSON.

    • Any other APIs listed are additional anomalous APIs from the listed user identity observed in proximity to the primary API. If there is only one API on the list, the ML model did not identify any additional API requests from that user identity as anomalous.

    • The list of APIs is divided based on whether an API was successfully called, or if the API was unsuccessfully called, meaning an error response was received. The type of error response received is listed above each unsuccessfully-called API. Possible error response types are: access denied, access denied exception, auth failure, instance limit exceeded, invalid permission - duplicate, invalid permission - not found, and operation not permitted.

    • APIs are categorized by their associated service.

    Note

    For more context, choose Historical APIs to view the details on the top APIs, to a maximum of 20, usually seen for both the user identity and all users within the account. The APIs are marked Rare (less than once a month), Infrequent (a few times a month), or Frequent (daily to weekly), depending on how often they are used within your account.

  • Unusual Behavior (Account) – This section gives additional details on the profiled behavior for your account. The information tracked in this panel includes:

    • ASN Org – The ASN Org the anomalous API call was made from.

    • User Name – The name of the user that made the anomalous API call.

    • User Agent – The user agent used to make the anomalous API call. The user agent is the method used to make the call such as aws-cli or Botocore.

    • User Type – The type of user that made the anomalous API call. Possible values are AWS_SERVICE, ASSUMED_ROLE, IAM_USER, or ROLE.

    • Bucket – The name of the S3 bucket that is being accessed.

  • Unusual Behavior (User Identity) – This section gives additional details on the profiled behavior for the User Identity involved with the finding. When a behavior isn't identified as historical, this means GuardDuty's ML model hasn't previously seen this user identity making this API call in this way within the training period. The following additional details about the User Identity are available:

    • ASN Org – The ASN Org the anomalous API call was made from.

    • User Agent – The user agent used to make the anomalous API call. The user agent is the method used to make the call such as aws-cli or Botocore.

    • Bucket – The name of the S3 bucket that is being accessed.

  • Unusual Behavior (Bucket) – This section gives additional details on the profiled behavior for the S3 bucket associated with the finding. When a behavior isn't identified as historical, this means GuardDuty's ML model hasn't previously seen API calls made to this bucket in this way within the training period. The information tracked in this section includes:

    • ASN Org – The ASN Org the anomalous API call was made from.

    • User Name – The name of the user that made the anomalous API call.

    • User Agent – The user agent used to make the anomalous API call. The user agent is the method used to make the call such as aws-cli or Botocore.

    • User Type – The type of user that made the anomalous API call. Possible values are AWS_SERVICE, ASSUMED_ROLE, IAM_USER, or ROLE.

    Note

    For more context on historical behaviors, choose Historical behavior in either Unusual behavior (Account), User ID, or Bucket section to view details on the expected behavior in your account for each of the following categories: Rare (less than once a month), Infrequent (a few times a month), or Frequent (daily to weekly), depending on how often they are used within your account.

S3 volume-based anomalies

This section details the contextual information for S3 volume-based anomalies. The volume-based finding (Exfiltration:S3/AnomalousBehavior) monitors for an unusual number of S3 API calls made to S3 buckets by a user, indicating potential data exfiltration. The following S3 API calls are monitored for volume-based anomaly detection.

  • GetObject

  • CopyObject.Read

  • SelectObjectContent

The following metrics help build a baseline of usual behavior when an IAM entity accesses an S3 bucket. To detect data exfiltration, the volume-based anomaly detection finding evaluates all activity against this behavioral baseline. Choose Historical behavior in the Unusual behavior (User Identity), Observed Volume (User Identity), and Observed Volume (Bucket) sections to view the following metrics, respectively.

  • Number of s3-api-name API calls invoked by the user for the affected S3 bucket over the past 24 hours.

  • Number of s3-api-name API calls invoked by the user across all S3 buckets over the past 24 hours.

  • Number of s3-api-name API calls across all users for the affected S3 bucket over the past 24 hours.
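To make the three metrics concrete, the following added example (not GuardDuty's code or model) computes them for one monitored API over a trailing 24-hour window from constructed CloudTrail-style S3 data events, and then compares the counts against a constructed baseline. The event shape (`eventName`, `userIdentity.arn`, `requestParameters.bucketName`), the baseline numbers and the multiplier used to call a count anomalous are all assumptions for illustration; GuardDuty's own thresholds are not published on this page. The page lists CopyObject.Read (the read side of a copy); the constructed records use the CloudTrail event name `CopyObject` for it, which is also an assumption.

```python
"""Added example: the three 24-hour S3 read-volume metrics described above,
computed from constructed CloudTrail-style data events (not real log data)."""
from collections import Counter
from datetime import datetime, timedelta, timezone

# The S3 read APIs the page lists; "CopyObject" stands in for CopyObject.Read (assumption).
MONITORED_APIS = ("GetObject", "CopyObject", "SelectObjectContent")
NOW = datetime(2024, 5, 2, 12, 0, tzinfo=timezone.utc)  # fixed "now" so results are reproducible

def _event(minutes_ago, api, user, bucket):
    """Build one constructed CloudTrail-style S3 data event."""
    ts = NOW - timedelta(minutes=minutes_ago)
    return {"eventTime": ts.strftime("%Y-%m-%dT%H:%M:%SZ"), "eventName": api,
            "userIdentity": {"arn": user}, "requestParameters": {"bucketName": bucket}}

USER_A = "arn:aws-cn:iam::111122223333:user/analyst"
USER_B = "arn:aws-cn:iam::111122223333:role/etl-role"
EVENTS = (
    [_event(5 * i, "GetObject", USER_A, "finance-reports") for i in range(30)]   # burst by A on one bucket
    + [_event(60 * i, "GetObject", USER_A, "public-assets") for i in range(5)]   # A elsewhere
    + [_event(90 * i, "GetObject", USER_B, "finance-reports") for i in range(3)] # B on same bucket
    + [_event(30 * 60, "GetObject", USER_A, "finance-reports")]                  # 30 h ago: outside window
    + [_event(10, "PutObject", USER_A, "finance-reports")]                       # a write: not monitored
)

def parse_time(ts):
    """CloudTrail eventTime is UTC ISO 8601 with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def volume_metrics(events, api, user_arn, bucket, now=NOW, window=timedelta(hours=24)):
    """Return the three counts the page describes for one monitored API:
    user on this bucket, user across all buckets, bucket across all users."""
    if api not in MONITORED_APIS:
        raise ValueError(f"{api} is not one of the monitored S3 read APIs")
    cutoff = now - window
    m = Counter()
    for ev in events:
        if ev["eventName"] != api or parse_time(ev["eventTime"]) < cutoff:
            continue
        u = ev["userIdentity"]["arn"]
        b = ev["requestParameters"]["bucketName"]
        if u == user_arn and b == bucket:
            m["user_on_bucket"] += 1
        if u == user_arn:
            m["user_all_buckets"] += 1
        if b == bucket:
            m["bucket_all_users"] += 1
    return {k: m[k] for k in ("user_on_bucket", "user_all_buckets", "bucket_all_users")}

def exceeds_baseline(current, baseline, factor=5):
    """Name the metrics whose 24-hour count is more than `factor` times the baseline
    daily count. The multiplier is an illustrative choice, not GuardDuty's rule."""
    return sorted(k for k, v in current.items() if v > factor * baseline.get(k, 0))

# Constructed baseline: typical daily counts for this user/bucket pair.
BASELINE = {"user_on_bucket": 4, "user_all_buckets": 10, "bucket_all_users": 8}

if __name__ == "__main__":
    current = volume_metrics(EVENTS, "GetObject", USER_A, "finance-reports")
    print(current, exceeds_baseline(current, BASELINE))
```

With the constructed data only the user-on-bucket metric exceeds its baseline: the same 30 reads look unremarkable when spread across the user's total activity or the bucket's total traffic, which is why the page presents all three views side by side.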