Amazon GuardDuty
Amazon GuardDuty User Guide

GuardDuty Finding Types Format

When GuardDuty detects suspicious or unexpected behavior in your AWS environment, it generates a finding. A finding is a notification that contains the details about a potential security issue that GuardDuty discovers. The finding details include information about what happened, what AWS resources were involved in the suspicious activity, when this activity took place, and other information.

One of the most useful pieces of information in the finding details is a finding type. The purpose of the finding type is to provide a concise yet readable description of the potential security issue. For example, the GuardDuty Recon:EC2/PortProbeUnprotectedPort finding type quickly informs you that somewhere in your AWS environment, an EC2 instance has an unprotected port that a potential attacker is probing.

GuardDuty uses the following format for the various finding types that it generates:

ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.ThreatFamilyVariant!Artifact

This is what each part of the format represents:

  • ThreatPurpose - describes the primary purpose of a threat or a potential attack. In the current release of GuardDuty, ThreatPurpose can have the following values:

    • Backdoor - this value indicates that the attack has compromised an AWS resource and is capable of contacting its home command and control (C&C) server to receive further instructions for malicious activity.

    • Behavior - this value indicates that GuardDuty is detecting activity or activity patterns that are different from the established baseline for a particular AWS resource.

    • CryptoCurrency - this value indicates that GuardDuty is detecting software that is associated with cryptocurrencies (for example, Bitcoin).

    • Pentest - Sometimes owners of AWS resources or their authorized representatives intentionally run tests against AWS applications to find vulnerabilities, like open security groups or access keys that are overly permissive. These pen tests are done in an attempt to identify and lock down vulnerable resources before they are discovered by attackers. However, some of the tools used by authorized pen testers are freely available, and therefore can be used by unauthorized users or attackers to run probing tests. Although GuardDuty can't identify the true purpose behind such activity, the Pentest value indicates that GuardDuty is detecting such activity and that it is similar to the activity generated by known pen testing tools. Therefore, it can be a potential attack.

    • Persistence - this value indicates that a principal in your AWS environment is exhibiting behavior that is different from the established baseline. For example, this principal has no prior history of updating network configuration settings, or updating policies or permissions attached to AWS users or resources.

    • Policy - this value indicates that your AWS account is exhibiting behavior that goes against recommended security best practices.

    • Recon - this value indicates that a reconnaissance attack is underway, scoping out vulnerabilities in your AWS environment by probing ports, listing users, database tables, and so on.

    • ResourceConsumption - this value indicates that a principal in your AWS environment is exhibiting behavior that is different from the established baseline. For example, this principal has no prior history of launching EC2 instances.

    • Stealth - this value indicates that an attack is actively trying to hide its actions and its tracks. For example, an attack might use an anonymizing proxy server, making it virtually impossible to gauge the true nature of the activity.

    • Trojan - this value indicates that an attack is using Trojan programs that silently carry out malicious activity. Sometimes this software takes on an appearance of a legitimate program. Sometimes users accidentally run this software. Other times this software might run automatically by exploiting a vulnerability.

    • UnauthorizedAccess - this value indicates that GuardDuty is detecting suspicious activity or a suspicious activity pattern by an unauthorized individual.

  • ResourceTypeAffected - describes which AWS resource is identified in this finding as the potential target of an attack. In this release of GuardDuty, only EC2 instances and principals (and their credentials) can be identified as affected resources in GuardDuty findings.

  • ThreatFamilyName - describes the overall threat or potential malicious activity that GuardDuty is detecting. For example, a value of NetworkPortUnusual indicates that an EC2 instance identified in the GuardDuty finding has no prior history of communications on a particular remote port that also is identified in the finding.

  • ThreatFamilyVariant - describes the specific variant of the ThreatFamily that GuardDuty is detecting. Attackers often slightly modify the functionality of the attack, thus creating new variants.

  • Artifact - describes a specific resource that is owned by a tool that is used in the attack. For example, DNS in the finding type CryptoCurrency:EC2/BitcoinTool.B!DNS indicates that an EC2 instance is communicating with a known Bitcoin-related domain.