Integrating with Amazon Security Hub - Amazon GuardDuty
How Amazon GuardDuty sends findings to Amazon Security HubViewing GuardDuty findings in Amazon Security HubEnabling and configuring the integrationUsing GuardDuty controls in Security HubStopping the publication of findings to Security Hub
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Integrating with Amazon Security Hub

Amazon Security Hub provides you with a comprehensive view of your security state in Amazon and helps you to check your environment against security industry standards and best practices. Security Hub collects security data from across Amazon accounts, services, and supported third-party partner products and helps you to analyze your security trends and identify the highest priority security issues.

The Amazon GuardDuty integration with Security Hub enables you to send findings from GuardDuty to Security Hub. Security Hub can then include those findings in its analysis of your security posture.

How Amazon GuardDuty sends findings to Amazon Security Hub

In Amazon Security Hub, security issues are tracked as findings. Some findings come from issues that are detected by other Amazon services or by third-party partners. Security Hub also has a set of rules that it uses to detect security issues and generate findings.

Security Hub provides tools to manage findings from across all of these sources. You can view and filter lists of findings and view details for a finding. For more information, see Viewing findings in the Amazon Security Hub User Guide. You can also track the status of an investigation into a finding. For more information, see Taking action on findings in the Amazon Security Hub User Guide.

All findings in Security Hub use a standard JSON format called the Amazon Security Finding Format (ASFF). The ASFF includes details about the source of the issue, the affected resources, and the current status of the finding. See Amazon Security Finding Format (ASFF) in the Amazon Security Hub User Guide.

Amazon GuardDuty is one of the Amazon services that sends findings to Security Hub.

Types of findings that GuardDuty sends to Security Hub

Once you enable GuardDuty and Security Hub in the same account within the same Amazon Web Services Region, GuardDuty starts sending all the generated findings to Security Hub. These findings are sent to Security Hub using the Amazon Security Finding Format (ASFF). In ASFF, the Types field provides the finding type.

Latency for sending new findings

When GuardDuty creates a new finding, it is usually sent to Security Hub within five minutes.

Retrying when Security Hub is not available

If Security Hub is not available, GuardDuty retries sending the findings until they are received.

Updating existing findings in Security Hub

After it sends a finding to Security Hub, GuardDuty sends updates to reflect additional observations of the finding activity to Security Hub. The new observations of these findings are sent to Security Hub based on the Step 5 – Frequency for exporting findings settings in your Amazon Web Services account.

When you archive or unarchive a finding, GuardDuty doesn't send that finding to Security Hub. Any manually unarchived finding that later become active in GuardDuty is not sent to Security Hub.

Viewing GuardDuty findings in Amazon Security Hub

Sign in to the Amazon Web Services Management Console and open the Amazon Security Hub console at https://console.amazonaws.cn/securityhub/.

You can now use either of the following ways to view the GuardDuty findings in the Security Hub console:

Option 1: Using Integrations in Security Hub

  1. In the left navigation pane, choose Integrations.

  2. On the Integrations page, check the Status for Amazon: GuardDuty.

    • If the Status is Accepting findings, then choose See findings next to Accepting findings.

    • If not, then for more information about how Integrations work, see Security Hub integrations in Amazon Security Hub User Guide.

Option 2: Using Findings in Security Hub

  1. In the left navigation pane, choose Findings.

  2. On the Findings page, add the filter Product name and enter GuardDuty to view only GuardDuty findings.

Interpreting GuardDuty finding names in Amazon Security Hub

GuardDuty sends the findings to Security Hub using the Amazon Security Finding Format (ASFF). In ASFF, the Types field provides the finding type. ASFF types use a different naming scheme than GuardDuty types. The table below details all the GuardDuty finding types with their ASFF counterpart as they appear in Security Hub.

Note

For some GuardDuty finding types Security Hub assigns different ASFF finding names depending on whether the finding detail's Resource Role was ACTOR or TARGET. For more information see Finding details.

GuardDuty finding type

ASFF finding type

AttackSequence:IAM/CompromisedCredentials

TTPs/AttackSequence:IAM/CompromisedCredentials

AttackSequence:S3/CompromisedData

TTPs/AttackSequence:S3/CompromisedData

Backdoor:EC2/C&CActivity.B

TTPs/Command and Control/Backdoor:EC2-C&CActivity.B

Backdoor:EC2/C&CActivity.B!DNS

TTPs/Command and Control/Backdoor:EC2-C&CActivity.B!DNS

Backdoor:EC2/DenialOfService.Dns

TTPs/Command and Control/Backdoor:EC2-DenialOfService.Dns

Backdoor:EC2/DenialOfService.Tcp

TTPs/Command and Control/Backdoor:EC2-DenialOfService.Tcp

Backdoor:EC2/DenialOfService.Udp

TTPs/Command and Control/Backdoor:EC2-DenialOfService.Udp

Backdoor:EC2/DenialOfService.UdpOnTcpPorts

TTPs/Command and Control/Backdoor:EC2-DenialOfService.UdpOnTcpPorts

Backdoor:EC2/DenialOfService.UnusualProtocol

TTPs/Command and Control/Backdoor:EC2-DenialOfService.UnusualProtocol

Backdoor:EC2/Spambot

TTPs/Command and Control/Backdoor:EC2-Spambot

Behavior:EC2/NetworkPortUnusual

Unusual Behaviors/VM/Behavior:EC2-NetworkPortUnusual

Behavior:EC2/TrafficVolumeUnusual

Unusual Behaviors/VM/Behavior:EC2-TrafficVolumeUnusual

Backdoor:Lambda/C&CActivity.B

TTPs/Command and Control/Backdoor:Lambda-C&CActivity.B

Backdoor:Runtime/C&CActivity.B

TTPs/Command and Control/Backdoor:Runtime-C&CActivity.B

Backdoor:Runtime/C&CActivity.B!DNS

TTPs/Command and Control/Backdoor:Runtime-C&CActivity.B!DNS

CredentialAccess:IAMUser/AnomalousBehavior

TTPs/Credential Access/IAMUser-AnomalousBehavior

CredentialAccess:Kubernetes/AnomalousBehavior.SecretsAccessed

TTPs/AnomalousBehavior/CredentialAccess:Kubernetes-SecretsAccessed
CredentialAccess:Kubernetes/MaliciousIPCaller

TTPs/CredentialAccess/CredentialAccess:Kubernetes-MaliciousIPCaller
CredentialAccess:Kubernetes/MaliciousIPCaller.Custom

TTPs/CredentialAccess/CredentialAccess:Kubernetes-MaliciousIPCaller.Custom
CredentialAccess:Kubernetes/SuccessfulAnonymousAccess

TTPs/CredentialAccess/CredentialAccess:Kubernetes-SuccessfulAnonymousAccess
CredentialAccess:Kubernetes/TorIPCaller

TTPs/CredentialAccess/CredentialAccess:Kubernetes-TorIPCaller

CredentialAccess:RDS/AnomalousBehavior.FailedLogin

TTPs/Credential Access/CredentialAccess:RDS-AnomalousBehavior.FailedLogin

CredentialAccess:RDS/AnomalousBehavior.SuccessfulBruteForce

TTPs/Credential Access/RDS-AnomalousBehavior.SuccessfulBruteForce

CredentialAccess:RDS/AnomalousBehavior.SuccessfulLogin

TTPs/Credential Access/RDS-AnomalousBehavior.SuccessfulLogin

CredentialAccess:RDS/MaliciousIPCaller.FailedLogin

TTPs/Credential Access/RDS-MaliciousIPCaller.FailedLogin

CredentialAccess:RDS/MaliciousIPCaller.SuccessfulLogin

TTPs/Credential Access/RDS-MaliciousIPCaller.SuccessfulLogin

CredentialAccess:RDS/TorIPCaller.FailedLogin

TTPs/Credential Access/RDS-TorIPCaller.FailedLogin

CredentialAccess:RDS/TorIPCaller.SuccessfulLogin

TTPs/Credential Access/RDS-TorIPCaller.SuccessfulLogin

CryptoCurrency:EC2/BitcoinTool.B

TTPs/Command and Control/CryptoCurrency:EC2-BitcoinTool.B

CryptoCurrency:EC2/BitcoinTool.B!DNS

TTPs/Command and Control/CryptoCurrency:EC2-BitcoinTool.B!DNS

CryptoCurrency:Lambda/BitcoinTool.B

TTPs/Command and Control/CryptoCurrency:Lambda-BitcoinTool.B

Effects/Resource Consumption/CryptoCurrency:Lambda-BitcoinTool.B

CryptoCurrency:Runtime/BitcoinTool.B

TTPs/Command and Control/CryptoCurrency:Runtime-BitcoinTool.B

CryptoCurrency:Runtime/BitcoinTool.B!DNS

TTPs/Command and Control/CryptoCurrency:Runtime-BitcoinTool.B!DNS

DefenseEvasion:EC2/UnusualDNSResolver

TTPs/DefenseEvasion/EC2:Unusual-DNS-Resolver

DefenseEvasion:EC2/UnusualDoHActivity

TTPs/DefenseEvasion/EC2:Unusual-DoH-Activity

DefenseEvasion:EC2/UnusualDoTActivity

TTPs/DefenseEvasion/EC2:Unusual-DoT-Activity

DefenseEvasion:IAMUser/AnomalousBehavior

TTPs/Defense Evasion/IAMUser-AnomalousBehavior

DefenseEvasion:Kubernetes/MaliciousIPCaller

TTPs/DefenseEvasion/DefenseEvasion:Kubernetes-MaliciousIPCaller

DefenseEvasion:Kubernetes/MaliciousIPCaller.Custom

TTPs/DefenseEvasion/DefenseEvasion:Kubernetes-MaliciousIPCaller.Custom

DefenseEvasion:Kubernetes/SuccessfulAnonymousAccess

TTPs/DefenseEvasion/DefenseEvasion:Kubernetes-SuccessfulAnonymousAccess

DefenseEvasion:Kubernetes/TorIPCaller

TTPs/DefenseEvasion/DefenseEvasion:Kubernetes-TorIPCaller

DefenseEvasion:Runtime/FilelessExecution

TTPs/Defense Evasion/DefenseEvasion:Runtime-FilelessExecution

DefenseEvasion:Runtime/ProcessInjection.Proc

TTPs/Defense Evasion/DefenseEvasion:Runtime-ProcessInjection.Proc

DefenseEvasion:Runtime/ProcessInjection.Ptrace

TTPs/Defense Evasion/DefenseEvasion:Runtime-ProcessInjection.Ptrace

DefenseEvasion:Runtime/ProcessInjection.VirtualMemoryWrite

TTPs/Defense Evasion/DefenseEvasion:Runtime-ProcessInjection.VirtualMemoryWrite

DefenseEvasion:Runtime/PtraceAntiDebugging

TTPs/DefenseEvasion/DefenseEvasion:Runtime-PtraceAntiDebugging

DefenseEvasion:Runtime/SuspiciousCommand

TTPs/DefenseEvasion/DefenseEvasion:Runtime-SuspiciousCommand

Discovery:IAMUser/AnomalousBehavior

TTPs/Discovery/IAMUser-AnomalousBehavior

Discovery:Kubernetes/AnomalousBehavior.PermissionChecked

TTPs/AnomalousBehavior/Discovery:Kubernetes-PermissionChecked

Discovery:Kubernetes/MaliciousIPCaller

TTPs/Discovery/Discovery:Kubernetes-MaliciousIPCaller

Discovery:Kubernetes/MaliciousIPCaller.Custom

TTPs/Discovery/Discovery:Kubernetes-MaliciousIPCaller.Custom

Discovery:Kubernetes/SuccessfulAnonymousAccess

TTPs/Discovery/Discovery:Kubernetes-SuccessfulAnonymousAccess

Discovery:Kubernetes/TorIPCaller

TTPs/Discovery/Discovery:Kubernetes-TorIPCaller

Discovery:RDS/MaliciousIPCaller

TTPs/Discovery/RDS-MaliciousIPCaller

Discovery:RDS/TorIPCaller

TTPs/Discovery/RDS-TorIPCaller

Discovery:Runtime/SuspiciousCommand

TTPs/Discovery/Discovery:Runtime-SuspiciousCommand

Discovery:S3/AnomalousBehavior

TTPs/Discovery:S3-AnomalousBehavior

Discovery:S3/BucketEnumeration.Unusual

TTPs/Discovery:S3-BucketEnumeration.Unusual

Discovery:S3/MaliciousIPCaller.Custom

TTPs/Discovery:S3-MaliciousIPCaller.Custom

Discovery:S3/TorIPCaller

TTPs/Discovery:S3-TorIPCaller

Discovery:S3/MaliciousIPCaller

TTPs/Discovery:S3-MaliciousIPCaller
Exfiltration:IAMUser/AnomalousBehavior

TTPs/Exfiltration/IAMUser-AnomalousBehavior
Execution:Kubernetes/ExecInKubeSystemPod

TTPs/Execution/Execution:Kubernetes-ExecInKubeSystemPod

Execution:Kubernetes/AnomalousBehavior.ExecInPod

TTPs/AnomalousBehavior/Execution:Kubernetes-ExecInPod

Execution:Kubernetes/AnomalousBehavior.WorkloadDeployed

TTPs/AnomalousBehavior/Execution:Kubernetes-WorkloadDeployed

Impact:Kubernetes/MaliciousIPCaller

TTPs/Impact/Impact:Kubernetes-MaliciousIPCaller

Impact:Kubernetes/MaliciousIPCaller.Custom

TTPs/Impact/Impact:Kubernetes-MaliciousIPCaller.Custom

Impact:Kubernetes/SuccessfulAnonymousAccess

TTPs/Impact/Impact:Kubernetes-SuccessfulAnonymousAccess

Impact:Kubernetes/TorIPCaller

TTPs/Impact/Impact:Kubernetes-TorIPCaller

Persistence:Kubernetes/ContainerWithSensitiveMount

TTPs/Persistence/Persistence:Kubernetes-ContainerWithSensitiveMount

Persistence:Kubernetes/AnomalousBehavior.WorkloadDeployed!ContainerWithSensitiveMount

TTPs/AnomalousBehavior/Persistence:Kubernetes-WorkloadDeployed!ContainerWithSensitiveMount

PrivilegeEscalation:Kubernetes/AnomalousBehavior.WorkloadDeployed!PrivilegedContainer

TTPs/AnomalousBehavior/PrivilegeEscalation:Kubernetes-WorkloadDeployed!PrivilegedContainer

Persistence:Kubernetes/MaliciousIPCaller

TTPs/Persistence/Persistence:Kubernetes-MaliciousIPCaller

Persistence:Kubernetes/MaliciousIPCaller.Custom

TTPs/Persistence/Persistence:Kubernetes-MaliciousIPCaller.Custom

Persistence:Kubernetes/SuccessfulAnonymousAccess

TTPs/Persistence/Persistence:Kubernetes-SuccessfulAnonymousAccess

Persistence:Kubernetes/TorIPCaller

TTPs/Persistence/Persistence:Kubernetes-TorIPCaller

Execution:EC2/MaliciousFile

TTPs/Execution/Execution:EC2-MaliciousFile

Execution:ECS/MaliciousFile

TTPs/Execution/Execution:ECS-MaliciousFile

Execution:Kubernetes/MaliciousFile

TTPs/Execution/Execution:Kubernetes-MaliciousFile

Execution:Container/MaliciousFile

TTPs/Execution/Execution:Container-MaliciousFile

Execution:EC2/SuspiciousFile

TTPs/Execution/Execution:EC2-SuspiciousFile

Execution:ECS/SuspiciousFile

TTPs/Execution/Execution:ECS-SuspiciousFile

Execution:Kubernetes/SuspiciousFile

TTPs/Execution/Execution:Kubernetes-SuspiciousFile

Execution:Container/SuspiciousFile

TTPs/Execution/Execution:Container-SuspiciousFile

Execution:Runtime/MaliciousFileExecuted

TTPs/Execution/Execution:Runtime-MaliciousFileExecuted

Execution:Runtime/NewBinaryExecuted

TTPs/Execution/Execution:Runtime-NewBinaryExecuted

Execution:Runtime/NewLibraryLoaded

TTPs/Execution/Execution:Runtime-NewLibraryLoaded

Execution:Runtime/ReverseShell

TTPs/Execution/Execution:Runtime-ReverseShell

Execution:Runtime/SuspiciousCommand

TTPs/Execution/Execution:Runtime-SuspiciousCommand

Execution:Runtime/SuspiciousShellCreated

TTPs/Execution/Execution:Runtime-SuspiciousShellCreated

Execution:Runtime/SuspiciousTool

TTPs/Execution/Execution:Runtime-SuspiciousTool

Exfiltration:S3/AnomalousBehavior

TTPs/Exfiltration:S3-AnomalousBehavior

Exfiltration:S3/ObjectRead.Unusual

TTPs/Exfiltration:S3-ObjectRead.Unusual

Exfiltration:S3/MaliciousIPCaller

TTPs/Exfiltration:S3-MaliciousIPCaller

Impact:EC2/AbusedDomainRequest.Reputation

TTPs/Impact:EC2-AbusedDomainRequest.Reputation

Impact:EC2/BitcoinDomainRequest.Reputation

TTPs/Impact:EC2-BitcoinDomainRequest.Reputation

Impact:EC2/MaliciousDomainRequest.Reputation

TTPs/Impact:EC2-MaliciousDomainRequest.Reputation

Impact:EC2/PortSweep

TTPs/Impact/Impact:EC2-PortSweep

Impact:EC2/SuspiciousDomainRequest.Reputation

TTPs/Impact:EC2-SuspiciousDomainRequest.Reputation

Impact:EC2/WinRMBruteForce

TTPs/Impact/Impact:EC2-WinRMBruteForce

Impact:IAMUser/AnomalousBehavior

TTPs/Impact/IAMUser-AnomalousBehavior

Impact:Runtime/AbusedDomainRequest.Reputation

TTPs/Impact/Impact:Runtime-AbusedDomainRequest.Reputation

Impact:Runtime/BitcoinDomainRequest.Reputation

TTPs/Impact/Impact:Runtime-BitcoinDomainRequest.Reputation

Impact:Runtime/CryptoMinerExecuted

TTPs/Impact/Impact:Runtime-CryptoMinerExecuted

Impact:Runtime/MaliciousDomainRequest.Reputation

TTPs/Impact/Impact:Runtime-MaliciousDomainRequest.Reputation

Impact:Runtime/SuspiciousDomainRequest.Reputation

TTPs/Impact/Impact:Runtime-SuspiciousDomainRequest.Reputatio

Impact:S3/AnomalousBehavior.Delete

TTPs/Impact:S3-AnomalousBehavior.Delete

Impact:S3/AnomalousBehavior.Permission

TTPs/Impact:S3-AnomalousBehavior.Permission

Impact:S3/AnomalousBehavior.Write

TTPs/Impact:S3-AnomalousBehavior.Write

Impact:S3/ObjectDelete.Unusual

TTPs/Impact:S3-ObjectDelete.Unusual

Impact:S3/PermissionsModification.Unusual

TTPs/Impact:S3-PermissionsModification.Unusual

Impact:S3/MaliciousIPCaller

TTPs/Impact:S3-MaliciousIPCaller

InitialAccess:IAMUser/AnomalousBehavior

TTPs/Initial Access/IAMUser-AnomalousBehavior

Object:S3/MaliciousFile

TTPs/Object/Object:S3-MaliciousFile

PenTest:IAMUser/KaliLinux

TTPs/PenTest:IAMUser/KaliLinux

PenTest:IAMUser/ParrotLinux

TTPs/PenTest:IAMUser/ParrotLinux

PenTest:IAMUser/PentooLinux

TTPs/PenTest:IAMUser/PentooLinux

PenTest:S3/KaliLinux

TTPs/PenTest:S3-KaliLinux

PenTest:S3/ParrotLinux

TTPs/PenTest:S3-ParrotLinux

PenTest:S3/PentooLinux

TTPs/PenTest:S3-PentooLinux

Persistence:IAMUser/AnomalousBehavior

TTPs/Persistence/IAMUser-AnomalousBehavior

Persistence:IAMUser/NetworkPermissions

TTPs/Persistence/Persistence:IAMUser-NetworkPermissions

Persistence:IAMUser/ResourcePermissions

TTPs/Persistence/Persistence:IAMUser-ResourcePermissions

Persistence:IAMUser/UserPermissions

TTPs/Persistence/Persistence:IAMUser-UserPermissions

Persistence:Runtime/SuspiciousCommand

TTPs/Persistence/Persistence:Runtime-SuspiciousCommand

Policy:IAMUser/RootCredentialUsage

TTPs/Policy:IAMUser-RootCredentialUsage

Policy:IAMUser/ShortTermRootCredentialUsage

TTPs/Policy:IAMUser-ShortTermRootCredentialUsage

Policy:Kubernetes/AdminAccessToDefaultServiceAccount

Software and Configuration Checks/Amazon Security Best Practices/Policy:Kubernetes-AdminAccessToDefaultServiceAccount

Policy:Kubernetes/AnonymousAccessGranted

Software and Configuration Checks/Amazon Security Best Practices/Policy:Kubernetes-AnonymousAccessGranted

Policy:Kubernetes/ExposedDashboard

Software and Configuration Checks/Amazon Security Best Practices/Policy:Kubernetes-ExposedDashboard

Policy:Kubernetes/KubeflowDashboardExposed

Software and Configuration Checks/Amazon Security Best Practices/Policy:Kubernetes-KubeflowDashboardExposed

Policy:S3/AccountBlockPublicAccessDisabled

TTPs/Policy:S3-AccountBlockPublicAccessDisabled

Policy:S3/BucketAnonymousAccessGranted

TTPs/Policy:S3-BucketAnonymousAccessGranted

Policy:S3/BucketBlockPublicAccessDisabled

Effects/Data Exposure/Policy:S3-BucketBlockPublicAccessDisabled

Policy:S3/BucketPublicAccessGranted

TTPs/Policy:S3-BucketPublicAccessGranted

PrivilegeEscalation:IAMUser/AnomalousBehavior

TTPs/Privilege Escalation/IAMUser-AnomalousBehavior

PrivilegeEscalation:IAMUser/AdministrativePermissions

TTPs/Privilege Escalation/PrivilegeEscalation:IAMUser-AdministrativePermissions

PrivilegeEscalation:Kubernetes/AnomalousBehavior.RoleBindingCreated

TTPs/AnomalousBehavior/PrivilegeEscalation:Kubernetes-RoleBindingCreated

PrivilegeEscalation:Kubernetes/AnomalousBehavior.RoleCreated

TTPs/AnomalousBehavior/PrivilegeEscalation:Kubernetes-RoleCreated

PrivilegeEscalation:Kubernetes/PrivilegedContainer

TTPs/PrivilegeEscalation/PrivilegeEscalation:Kubernetes-PrivilegedContainer

PrivilegeEscalation:Runtime/ContainerMountsHostDirectory

TTPs/Privilege Escalation/PrivilegeEscalation:Runtime-ContainerMountsHostDirectory

PrivilegeEscalation:Runtime/CGroupsReleaseAgentModified

TTPs/Privilege Escalation/PrivilegeEscalation:Runtime-CGroupsReleaseAgentModified

PrivilegeEscalation:Runtime/DockerSocketAccessed

TTPs/Privilege Escalation/PrivilegeEscalation:Runtime-DockerSocketAccessed

PrivilegeEscalation:Runtime/ElevationToRoot

TTPs/Privilege Escalation/PrivilegeEscalation:Runtime-ElevationToRoot

PrivilegeEscalation:Runtime/RuncContainerEscape

TTPs/Privilege Escalation/PrivilegeEscalation:Runtime-RuncContainerEscape

PrivilegeEscalation:Runtime/SuspiciousCommand

Software and Configuration Checks/PrivilegeEscalation:Runtime-SuspiciousCommand

PrivilegeEscalation:Runtime/UserfaultfdUsage

TTPs/Privilege Escalation/PrivilegeEscalation:Runtime-UserfaultfdUsage

Recon:EC2/PortProbeEMRUnprotectedPort

TTPs/Discovery/Recon:EC2-PortProbeEMRUnprotectedPort

Recon:EC2/PortProbeUnprotectedPort

TTPs/Discovery/Recon:EC2-PortProbeUnprotectedPort

Recon:EC2/Portscan

TTPs/Discovery/Recon:EC2-Portscan

Recon:IAMUser/MaliciousIPCaller

TTPs/Discovery/Recon:IAMUser-MaliciousIPCaller

Recon:IAMUser/MaliciousIPCaller.Custom

TTPs/Discovery/Recon:IAMUser-MaliciousIPCaller.Custom

Recon:IAMUser/NetworkPermissions

TTPs/Discovery/Recon:IAMUser-NetworkPermissions

Recon:IAMUser/ResourcePermissions

TTPs/Discovery/Recon:IAMUser-ResourcePermissions

Recon:IAMUser/TorIPCaller

TTPs/Discovery/Recon:IAMUser-TorIPCaller

Recon:IAMUser/UserPermissions

TTPs/Discovery/Recon:IAMUser-UserPermissions

ResourceConsumption:IAMUser/ComputeResources

Unusual Behaviors/User/ResourceConsumption:IAMUser-ComputeResources

Stealth:IAMUser/CloudTrailLoggingDisabled

TTPs/Defense Evasion/Stealth:IAMUser-CloudTrailLoggingDisabled

Stealth:IAMUser/LoggingConfigurationModified

TTPs/Defense Evasion/Stealth:IAMUser-LoggingConfigurationModified

Stealth:IAMUser/PasswordPolicyChange

TTPs/Defense Evasion/Stealth:IAMUser-PasswordPolicyChange

Stealth:S3/ServerAccessLoggingDisabled

TTPs/Defense Evasion/Stealth:S3-ServerAccessLoggingDisabled

Trojan:EC2/BlackholeTraffic

TTPs/Command and Control/Trojan:EC2-BlackholeTraffic

Trojan:EC2/BlackholeTraffic!DNS

TTPs/Command and Control/Trojan:EC2-BlackholeTraffic!DNS

Trojan:EC2/DGADomainRequest.B

TTPs/Command and Control/Trojan:EC2-DGADomainRequest.B

Trojan:EC2/DGADomainRequest.C!DNS

TTPs/Command and Control/Trojan:EC2-DGADomainRequest.C!DNS

Trojan:EC2/DNSDataExfiltration

TTPs/Command and Control/Trojan:EC2-DNSDataExfiltration

Trojan:EC2/DriveBySourceTraffic!DNS

TTPs/Initial Access/Trojan:EC2-DriveBySourceTraffic!DNS

Trojan:EC2/DropPoint

Effects/Data Exfiltration/Trojan:EC2-DropPoint

Trojan:EC2/DropPoint!DNS

Effects/Data Exfiltration/Trojan:EC2-DropPoint!DNS

Trojan:EC2/PhishingDomainRequest!DNS

TTPs/Command and Control/Trojan:EC2-PhishingDomainRequest!DNS

Trojan:Lambda/BlackholeTraffic

TTPs/Command and Control/Trojan:Lambda-BlackholeTraffic

Trojan:Lambda/DropPoint

Effects/Data Exfiltration/Trojan:Lambda-DropPoint

Trojan:Runtime/BlackholeTraffic

TTPs/Command and Control/Trojan:Runtime-BlackholeTraffic

Trojan:Runtime/BlackholeTraffic!DNS

TTPs/Command and Control/Trojan:Runtime-BlackholeTraffic!DNS

Trojan:Runtime/DGADomainRequest.C!DNS

TTPs/Command and Control/Trojan:Runtime-DGADomainRequest.C!DNS

Trojan:Runtime/DriveBySourceTraffic!DNS

TTPs/Initial Access/Trojan:Runtime-DriveBySourceTraffic!DNS

Trojan:Runtime/DropPoint

Effects/Data Exfiltration/Trojan:Runtime-DropPoint

Trojan:Runtime/DropPoint!DNS

Effects/Data Exfiltration/Trojan:Runtime-DropPoint!DNS

Trojan:Runtime/PhishingDomainRequest!DNS

TTPs/Command and Control/Trojan:Runtime-PhishingDomainRequest!DNS

UnauthorizedAccess:EC2/MaliciousIPCaller.Custom

TTPs/Command and Control/UnauthorizedAccess:EC2-MaliciousIPCaller.Custom

UnauthorizedAccess:EC2/MetadataDNSRebind

TTPs/UnauthorizedAccess:EC2-MetadataDNSRebind

UnauthorizedAccess:EC2/RDPBruteForce

TTPs/Initial Access/UnauthorizedAccess:EC2-RDPBruteForce

UnauthorizedAccess:EC2/SSHBruteForce

TTPs/Initial Access/UnauthorizedAccess:EC2-SSHBruteForce

UnauthorizedAccess:EC2/TorClient

Effects/Resource Consumption/UnauthorizedAccess:EC2-TorClient

UnauthorizedAccess:EC2/TorRelay

Effects/Resource Consumption/UnauthorizedAccess:EC2-TorRelay

UnauthorizedAccess:IAMUser/ConsoleLogin

Unusual Behaviors/User/UnauthorizedAccess:IAMUser-ConsoleLogin

UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B

TTPs/UnauthorizedAccess:IAMUser-ConsoleLoginSuccess.B

UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS

Effects/Data Exfiltration/UnauthorizedAccess:IAMUser-InstanceCredentialExfiltration.InsideAWS

UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS

Effects/Data Exfiltration/UnauthorizedAccess:IAMUser-InstanceCredentialExfiltration.OutsideAWS

UnauthorizedAccess:IAMUser/MaliciousIPCaller

TTPs/UnauthorizedAccess:IAMUser-MaliciousIPCaller

UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom

TTPs/UnauthorizedAccess:IAMUser-MaliciousIPCaller.Custom

UnauthorizedAccess:IAMUser/TorIPCaller

TTPs/Command and Control/UnauthorizedAccess:IAMUser-TorIPCaller

UnauthorizedAccess:Lambda/MaliciousIPCaller.Custom

TTPs/Command and Control/UnauthorizedAccess:Lambda-MaliciousIPCaller.Custom

UnauthorizedAccess:Lambda/TorClient

Effects/Resource Consumption/UnauthorizedAccess:Lambda-TorClient

UnauthorizedAccess:Lambda/TorRelay

Effects/Resource Consumption/UnauthorizedAccess:Lambda-TorRelay

UnauthorizedAccess:Runtime/MetadataDNSRebind

TTPs/UnauthorizedAccess:Runtime-MetadataDNSRebind

UnauthorizedAccess:Runtime/TorRelay

Effects/Resource Consumption/UnauthorizedAccess:Runtime-TorRelay

UnauthorizedAccess:Runtime/TorClient

Effects/Resource Consumption/UnauthorizedAccess:Runtime-TorClient

UnauthorizedAccess:S3/MaliciousIPCaller.Custom

TTPs/UnauthorizedAccess:S3-MaliciousIPCaller.Custom

UnauthorizedAccess:S3/TorIPCaller

TTPs/UnauthorizedAccess:S3-TorIPCaller

Typical finding from GuardDuty

GuardDuty sends findings to Security Hub using the Amazon Security Finding Format (ASFF).

Here is an example of a typical finding from GuardDuty.


  {
  "SchemaVersion": "2018-10-08",
  "Id": "arn:aws-cn:guardduty:us-east-1:193043430472:detector/d4b040365221be2b54a6264dc9a4bc64/finding/46ba0ac2845071e23ccdeb2ae03bfdea",
  "ProductArn": "arn:aws-cn:securityhub:us-east-1:product/aws/guardduty",
  "GeneratorId": "arn:aws-cn:guardduty:us-east-1:193043430472:detector/d4b040365221be2b54a6264dc9a4bc64",
  "AwsAccountId": "193043430472",
  "Types": [
    "TTPs/Initial Access/UnauthorizedAccess:EC2-SSHBruteForce"
  ],
  "FirstObservedAt": "2020-08-22T09:15:57Z",
  "LastObservedAt": "2020-09-30T11:56:49Z",
  "CreatedAt": "2020-08-22T09:34:34.146Z",
  "UpdatedAt": "2020-09-30T12:14:00.206Z",
  "Severity": {
    "Product": 2,
    "Label": "MEDIUM",
    "Normalized": 40
  },
  "Title": "199.241.229.197 is performing SSH brute force attacks against i-0c10c2c7863d1a356.",
  "Description": "199.241.229.197 is performing SSH brute force attacks against i-0c10c2c7863d1a356. Brute force attacks are used to gain unauthorized access to your instance by guessing the SSH password.",
  "SourceUrl": "https://us-east-1.console.aws.amazon.com/guardduty/home?region=us-east-1#/findings?macros=current&fId=46ba0ac2845071e23ccdeb2ae03bfdea",
  "ProductFields": {
    "aws/guardduty/service/action/networkConnectionAction/remotePortDetails/portName": "Unknown",
    "aws/guardduty/service/archived": "false",
    "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/organization/asnOrg": "CENTURYLINK-US-LEGACY-QWEST",
    "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/geoLocation/lat": "42.5122",
    "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/ipAddressV4": "199.241.229.197",
    "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/geoLocation/lon": "-90.7384",
    "aws/guardduty/service/action/networkConnectionAction/blocked": "false",
    "aws/guardduty/service/action/networkConnectionAction/remotePortDetails/port": "46717",
    "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/country/countryName": "United States",
    "aws/guardduty/service/serviceName": "guardduty",
    "aws/guardduty/service/evidence": "",
    "aws/guardduty/service/action/networkConnectionAction/localIpDetails/ipAddressV4": "172.31.43.6",
    "aws/guardduty/service/detectorId": "d4b040365221be2b54a6264dc9a4bc64",
    "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/organization/org": "CenturyLink",
    "aws/guardduty/service/action/networkConnectionAction/connectionDirection": "INBOUND",
    "aws/guardduty/service/eventFirstSeen": "2020-08-22T09:15:57Z",
    "aws/guardduty/service/eventLastSeen": "2020-09-30T11:56:49Z",
    "aws/guardduty/service/action/networkConnectionAction/localPortDetails/portName": "SSH",
    "aws/guardduty/service/action/actionType": "NETWORK_CONNECTION",
    "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/city/cityName": "Dubuque",
    "aws/guardduty/service/additionalInfo": "",
    "aws/guardduty/service/resourceRole": "TARGET",
    "aws/guardduty/service/action/networkConnectionAction/localPortDetails/port": "22",
    "aws/guardduty/service/action/networkConnectionAction/protocol": "TCP",
    "aws/guardduty/service/count": "74",
    "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/organization/asn": "209",
    "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/organization/isp": "CenturyLink",
    "aws/securityhub/FindingId": "arn:aws-cn:securityhub:us-east-1::product/aws/guardduty/arn:aws-cn:guardduty:us-east-1:193043430472:detector/d4b040365221be2b54a6264dc9a4bc64/finding/46ba0ac2845071e23ccdeb2ae03bfdea",
    "aws/securityhub/ProductName": "GuardDuty",
    "aws/securityhub/CompanyName": "Amazon"
  },
  "Resources": [
    {
      "Type": "AwsEc2Instance",
      "Id": "arn:aws-cn:ec2:us-east-1:193043430472:instance/i-0c10c2c7863d1a356",
      "Partition": "aws",
      "Region": "us-east-1",
      "Tags": {
        "Name": "kubectl"
      },
      "Details": {
        "AwsEc2Instance": {
          "Type": "t2.micro",
          "ImageId": "ami-02354e95b39ca8dec",
          "IpV4Addresses": [
            "18.234.130.16",
            "172.31.43.6"
          ],
          "VpcId": "vpc-a0c2d7c7",
          "SubnetId": "subnet-4975b475",
          "LaunchedAt": "2020-08-03T23:21:57Z"
        }
      }
    }
  ],
  "WorkflowState": "NEW",
  "Workflow": {
    "Status": "NEW"
  },
  "RecordState": "ACTIVE"
}

Enabling and configuring the integration

To use the integration with Amazon Security Hub, you must enable Security Hub. For information on how to enable Security Hub, see Setting up Security Hub in the Amazon Security Hub User Guide.

When you enable both GuardDuty and Security Hub, the integration is enabled automatically. GuardDuty immediately begins to send findings to Security Hub.

Using GuardDuty controls in Security Hub

Amazon Security Hub uses security controls to evaluate your Amazon resources, and check your compliance against security industry standards and best practices. You can use the controls related to GuardDuty resources and selected protection plans. For more information, see Amazon GuardDuty controls in the Amazon Security Hub User Guide.

For a list of all the controls across Amazon services and resources, see Security Hub controls reference in the Amazon Security Hub User Guide.

Stopping the publication of findings to Security Hub

To stop sending findings to Security Hub, you can use either the Security Hub console or the API.

See Disabling and enabling the flow of findings from an integration (console) or Disabling the flow of findings from an integration (Security Hub API, Amazon CLI) in the Amazon Security Hub User Guide.