Amazon GuardDuty User Guide

GuardDuty Behavior Finding Types

This section covers the active Behavior threat purpose finding types. For information about important changes to the GuardDuty finding types, including newly added or retired finding types, see Document History for Amazon GuardDuty.

Important

The default severity value of a finding type is subject to change based on various criteria when the finding is generated.

Behavior:EC2/NetworkPortUnusual

Default severity: Medium

Finding description

EC2 instance is communicating with a remote host on an unusual server port.

This finding informs you that an EC2 instance in your AWS environment is behaving in a way that deviates from the established baseline. This EC2 instance has no prior history of communications on this remote port. Your EC2 instance might be compromised. For more information, see Remediating a Compromised EC2 Instance.

Behavior:EC2/TrafficVolumeUnusual

Default severity: Medium

Finding description

EC2 instance is generating unusually large amounts of network traffic to a remote host.

This finding informs you that an EC2 instance in your AWS environment is behaving in a way that deviates from the established baseline. This EC2 instance has no prior history of sending this much traffic to this remote host. Your EC2 instance might be compromised. For more information, see Remediating a Compromised EC2 Instance.
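A triage sketch for the two finding types above, added here as an example and not taken from the AWS documentation. It assumes findings in the shape returned by the GuardDuty GetFindings API; the sample findings are constructed, and the rule that an instance showing both deviations is reviewed first is an illustrative assumption, not GuardDuty behavior.

```python
from collections import defaultdict

# The two finding types described on this page.
BEHAVIOR_TYPES = {"Behavior:EC2/NetworkPortUnusual",
                  "Behavior:EC2/TrafficVolumeUnusual"}

def _sample(ftype, instance, ip, port):
    """Build a constructed finding in the GetFindings response shape."""
    return {"Type": ftype, "Severity": 5.0,
            "Resource": {"InstanceDetails": {"InstanceId": instance}},
            "Service": {"Action": {"ActionType": "NETWORK_CONNECTION",
                "NetworkConnectionAction": {
                    "Protocol": "TCP",
                    "RemoteIpDetails": {"IpAddressV4": ip},
                    "RemotePortDetails": {"Port": port}}}}}

# Constructed sample data: placeholder instance IDs, documentation IP ranges.
SAMPLE_FINDINGS = [
    _sample("Behavior:EC2/NetworkPortUnusual", "i-0aaaaaaaaaaaaaaa1", "198.51.100.7", 8443),
    _sample("Behavior:EC2/TrafficVolumeUnusual", "i-0aaaaaaaaaaaaaaa1", "198.51.100.7", 8443),
    _sample("Behavior:EC2/NetworkPortUnusual", "i-0bbbbbbbbbbbbbbb2", "203.0.113.20", 6667),
    {"Type": "Recon:EC2/PortProbeUnprotectedPort", "Severity": 2.0},  # other type, ignored
]

def summarize(finding):
    """Extract the fields needed to start investigating one finding."""
    net = (finding.get("Service", {}).get("Action", {})
           .get("NetworkConnectionAction", {}))
    return {
        "type": finding["Type"],
        "severity": finding.get("Severity"),
        "instance": finding.get("Resource", {}).get("InstanceDetails", {}).get("InstanceId"),
        "remote_ip": net.get("RemoteIpDetails", {}).get("IpAddressV4"),
        "remote_port": net.get("RemotePortDetails", {}).get("Port"),
        "protocol": net.get("Protocol"),
    }

def triage(findings):
    """Group Behavior findings by instance ID; other finding types are skipped."""
    by_instance = defaultdict(list)
    for f in findings:
        if f.get("Type") in BEHAVIOR_TYPES:
            s = summarize(f)
            by_instance[s["instance"]].append(s)
    return dict(by_instance)

def needs_priority_review(summaries):
    """Assumed rule: an instance with both deviations is reviewed first."""
    return {s["type"] for s in summaries} == BEHAVIOR_TYPES
```
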