Findings by resource type Findings table

Finding types

For information about important changes to the GuardDuty finding types, including newly added or retired finding types, see Document history for Amazon GuardDuty.

For information about retired finding types see Retired finding types.

Findings by resource type

The following pages are broken down by each resource type GuardDuty currently generates findings for. The pages contain detailed information on all finding types for that resources type.

Findings table

The following table lists all finding types by name, resource, data source and severity. A severity listed with an asterisk (*) indicates the finding has variable severities depending the circumstances of the finding, which are described in the details for that finding. Choose the finding name to open more info about that finding.

FINDING TYPE	RESOURCE	DATA SOURCE	SEVERITY
Backdoor:EC2/C&CActivity.B	EC2	VPC Flow Logs	High
Backdoor:EC2/C&CActivity.B!DNS	EC2	DNS logs	High
Backdoor:EC2/DenialOfService.Dns	EC2	VPC Flow Logs	High
Backdoor:EC2/DenialOfService.Tcp	EC2	VPC Flow Logs	High
Backdoor:EC2/DenialOfService.Udp	EC2	VPC Flow Logs	High
Backdoor:EC2/DenialOfService.UdpOnTcpPorts	EC2	VPC Flow Logs	High
Backdoor:EC2/DenialOfService.UnusualProtocol	EC2	VPC Flow Logs	High
Backdoor:EC2/Spambot	EC2	VPC Flow Logs	Medium
Behavior:EC2/NetworkPortUnusual	EC2	VPC Flow Logs	Medium
Behavior:EC2/TrafficVolumeUnusual	EC2	VPC Flow Logs	Medium
CredentialAccess:IAMUser/AnomalousBehavior	IAM	CloudTrail management event	Medium
CryptoCurrency:EC2/BitcoinTool.B	EC2	VPC Flow Logs	High
CryptoCurrency:EC2/BitcoinTool.B!DNS	EC2	DNS logs	High
DefenseEvasion:IAMUser/AnomalousBehavior	IAM	CloudTrail management event	Medium
Discovery:IAMUser/AnomalousBehavior	IAM	CloudTrail management event	Low
Discovery:S3/MaliciousIPCaller	S3	CloudTrail S3 data event	High
Discovery:S3/MaliciousIPCaller.Custom	S3	CloudTrail S3 data event	High
Discovery:S3/TorIPCaller	S3	CloudTrail S3 data event	Medium
Exfiltration:IAMUser/AnomalousBehavior	IAM	CloudTrail management event	High
Exfiltration:S3/MaliciousIPCaller	S3	CloudTrail S3 data event	High
Exfiltration:S3/ObjectRead.Unusual	S3	S3 CloudTrail data event	Medium*
Impact:EC2/AbusedDomainRequest.Reputation	EC2	DNS logs	Medium
Impact:EC2/BitcoinDomainRequest.Reputation	EC2	DNS logs	High
Impact:EC2/MaliciousDomainRequest.Reputation	EC2	DNS logs	High
Impact:EC2/PortSweep	EC2	VPC Flow Logs	High
Impact:EC2/SuspiciousDomainRequest.Reputation	EC2	DNS logs	Low
Impact:EC2/WinRMBruteForce	EC2	VPC Flow Logs	Low*
Impact:IAMUser/AnomalousBehavior	IAM	CloudTrail management event	High
Impact:S3/MaliciousIPCaller	S3	CloudTrail S3 data event	High
InitialAccess:IAMUser/AnomalousBehavior	IAM	CloudTrail management event	Medium
PenTest:IAMUser/KaliLinux	IAM	CloudTrail management event	Medium
PenTest:IAMUser/ParrotLinux	IAM	CloudTrail management event	Medium
PenTest:IAMUser/PentooLinux	IAM	CloudTrail management event	Medium
PenTest:S3/KaliLinux	S3	CloudTrail S3 data event	Medium
PenTest:S3/ParrotLinux	S3	CloudTrail S3 data event	Medium
PenTest:S3/PentooLinux	S3	CloudTrail S3 data event	Medium
Persistence:IAMUser/AnomalousBehavior	IAM	CloudTrail management event	Medium
Policy:IAMUser/RootCredentialUsage	IAM	CloudTrail management event or CloudTrail data event	Low
Policy:S3/AccountBlockPublicAccessDisabled	S3	CloudTrail management event	Low
Policy:S3/BucketAnonymousAccessGranted	S3	CloudTrail management event	High
Policy:S3/BucketBlockPublicAccessDisabled	S3	CloudTrail management event	Low
Policy:S3/BucketPublicAccessGranted	S3	CloudTrail management event	High
PrivilegeEscalation:IAMUser/AnomalousBehavior	IAM	CloudTrail management event	Medium
Recon:EC2/PortProbeEMRUnprotectedPort	EC2	VPC Flow Logs	High
Recon:EC2/PortProbeUnprotectedPort	EC2	VPC Flow Logs	Low*
Recon:EC2/Portscan	EC2	VPC Flow Logs	Medium
Recon:IAMUser/MaliciousIPCaller	IAM	CloudTrail management event	Medium
Recon:IAMUser/MaliciousIPCaller.Custom	IAM	CloudTrail management event	Medium
Recon:IAMUser/TorIPCaller	IAM	CloudTrail management event	Medium
Stealth:IAMUser/CloudTrailLoggingDisabled	IAM	CloudTrail management event	Low
Stealth:IAMUser/PasswordPolicyChange	IAM	CloudTrail management event	Low
Stealth:S3/ServerAccessLoggingDisabled	S3	CloudTrail management event	Low
Trojan:EC2/BlackholeTraffic	EC2	VPC Flow Logs	Medium
Trojan:EC2/BlackholeTraffic!DNS	EC2	DNS logs	Medium
Trojan:EC2/DGADomainRequest.B	EC2	DNS logs	High
Trojan:EC2/DGADomainRequest.C!DNS	EC2	DNS logs	High
Trojan:EC2/DNSDataExfiltration	EC2	DNS logs	High
Trojan:EC2/DriveBySourceTraffic!DNS	EC2	DNS logs	High
Trojan:EC2/DropPoint	EC2	VPC Flow Logs	Medium
Trojan:EC2/DropPoint!DNS	EC2	DNS logs	Medium
Trojan:EC2/PhishingDomainRequest!DNS	EC2	DNS logs	High
UnauthorizedAccess:EC2/MaliciousIPCaller.Custom	EC2	VPC Flow Logs	Medium
UnauthorizedAccess:EC2/MetadataDNSRebind	EC2	DNS logs	High
UnauthorizedAccess:EC2/RDPBruteForce	EC2	VPC Flow Logs	Low*
UnauthorizedAccess:EC2/SSHBruteForce	EC2	VPC Flow Logs	Low*
UnauthorizedAccess:EC2/TorClient	EC2	VPC Flow Logs	High
UnauthorizedAccess:EC2/TorRelay	EC2	VPC Flow Logs	High
UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B	IAM	CloudTrail management event	Medium
UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS	IAM	CloudTrail management event	High
UnauthorizedAccess:IAMUser/MaliciousIPCaller	IAM	CloudTrail management event	Medium
UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom	IAM	CloudTrail management event	Medium
UnauthorizedAccess:IAMUser/TorIPCaller	IAM	CloudTrail management event	Medium
UnauthorizedAccess:S3/MaliciousIPCaller.Custom	S3	CloudTrail S3 data event	High
UnauthorizedAccess:S3/TorIPCaller	S3	CloudTrail S3 data event	High

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Sample findings

EC2 finding types