Findings by resource type Findings table

Finding types

For information about important changes to the GuardDuty finding types, including newly added or retired finding types, see Document history for Amazon GuardDuty.

For information about retired finding types see Retired finding types.

Findings by resource type

The following pages are broken down by each resource type GuardDuty currently generates findings for. The pages contain detailed information on all finding types for that resources type.

Findings table

The following table lists all finding types by name, resource, data source and severity. A severity listed with an asterisk (*) indicates the finding has variable severities depending the circumstances of the finding, which are described in the details for that finding. Choose the finding name to open more info about that finding.

Finding type	Resource	Data source	Severity
Backdoor:EC2/C&CActivity.B	EC2	VPC flow logs	High
Backdoor:EC2/C&CActivity.B!DNS	EC2	DNS logs	High
Backdoor:EC2/DenialOfService.Dns	EC2	VPC flow logs	High
Backdoor:EC2/DenialOfService.Tcp	EC2	VPC flow logs	High
Backdoor:EC2/DenialOfService.Udp	EC2	VPC flow logs	High
Backdoor:EC2/DenialOfService.UdpOnTcpPorts	EC2	VPC flow logs	High
Backdoor:EC2/DenialOfService.UnusualProtocol	EC2	VPC flow logs	High
Backdoor:EC2/Spambot	EC2	VPC flow logs	Medium
Behavior:EC2/NetworkPortUnusual	EC2	VPC flow logs	Medium
Behavior:EC2/TrafficVolumeUnusual	EC2	VPC flow logs	Medium
CredentialAccess:IAMUser/AnomalousBehavior	IAM	CloudTrail management event	Medium
CredentialAccess:Kubernetes/MaliciousIPCaller	Kubernetes	Kubernetes audit logs	High
CredentialAccess:Kubernetes/MaliciousIPCaller.Custom	Kubernetes	Kubernetes audit logs	High
CredentialAccess:Kubernetes/SuccessfulAnonymousAccess	Kubernetes	Kubernetes audit logs	High
CredentialAccess:Kubernetes/TorIPCaller	Kubernetes	Kubernetes audit logs	High
CryptoCurrency:EC2/BitcoinTool.B	EC2	VPC flow logs	High
CryptoCurrency:EC2/BitcoinTool.B!DNS	EC2	DNS logs	High
DefenseEvasion:IAMUser/AnomalousBehavior	IAM	CloudTrail management event	Medium
DefenseEvasion:Kubernetes/MaliciousIPCaller	Kubernetes	Kubernetes audit logs	High
DefenseEvasion:Kubernetes/MaliciousIPCaller.Custom	Kubernetes	Kubernetes audit logs	High
DefenseEvasion:Kubernetes/SuccessfulAnonymousAccess	Kubernetes	Kubernetes audit logs	High
DefenseEvasion:Kubernetes/TorIPCaller	Kubernetes	Kubernetes audit logs	High
Discovery:IAMUser/AnomalousBehavior	IAM	CloudTrail management event	Low
Discovery:Kubernetes/MaliciousIPCaller	Kubernetes	Kubernetes audit logs	Medium
Discovery:Kubernetes/MaliciousIPCaller.Custom	Kubernetes	Kubernetes audit logs	Medium
Discovery:Kubernetes/SuccessfulAnonymousAccess	Kubernetes	Kubernetes audit logs	Medium
Discovery:Kubernetes/TorIPCaller	Kubernetes	Kubernetes audit logs	Medium
Discovery:S3/AnomalousBehavior	S3	CloudTrail data events for S3	Low
Discovery:S3/MaliciousIPCaller	S3	CloudTrail data events for S3	High
Discovery:S3/MaliciousIPCaller.Custom	S3	CloudTrail data events for S3	High
Discovery:S3/TorIPCaller	S3	CloudTrail data events for S3	Medium
Execution:Kubernetes/ExecInKubeSystemPod	Kubernetes	Kubernetes audit logs	Medium
Exfiltration:IAMUser/AnomalousBehavior	IAM	CloudTrail management event	High
Exfiltration:S3/AnomalousBehavior	S3	CloudTrail data events for S3	High
Exfiltration:S3/MaliciousIPCaller	S3	CloudTrail data events for S3	High
Impact:EC2/AbusedDomainRequest.Reputation	EC2	DNS logs	Medium
Impact:EC2/BitcoinDomainRequest.Reputation	EC2	DNS logs	High
Impact:EC2/MaliciousDomainRequest.Reputation	EC2	DNS logs	High
Impact:EC2/PortSweep	EC2	VPC flow logs	High
Impact:EC2/SuspiciousDomainRequest.Reputation	EC2	DNS logs	Low
Impact:EC2/WinRMBruteForce	EC2	VPC flow logs	Low*
Impact:IAMUser/AnomalousBehavior	IAM	CloudTrail management event	High
Impact:Kubernetes/MaliciousIPCaller	Kubernetes	Kubernetes audit logs	High
Impact:Kubernetes/MaliciousIPCaller.Custom	Kubernetes	Kubernetes audit logs	High
Impact:Kubernetes/SuccessfulAnonymousAccess	Kubernetes	Kubernetes audit logs	High
Impact:Kubernetes/TorIPCaller	Kubernetes	Kubernetes audit logs	High
Impact:S3/AnomalousBehavior.Delete	S3	CloudTrail data events for S3	High
Impact:S3/AnomalousBehavior.Permission	S3	CloudTrail data events for S3	High
Impact:S3/AnomalousBehavior.Write	S3	CloudTrail data events for S3	Medium
Impact:S3/MaliciousIPCaller	S3	CloudTrail data events for S3	High
InitialAccess:IAMUser/AnomalousBehavior	IAM	CloudTrail management event	Medium
PenTest:IAMUser/KaliLinux	IAM	CloudTrail management event	Medium
PenTest:IAMUser/ParrotLinux	IAM	CloudTrail management event	Medium
PenTest:IAMUser/PentooLinux	IAM	CloudTrail management event	Medium
PenTest:S3/KaliLinux	S3	CloudTrail data events for S3	Medium
PenTest:S3/ParrotLinux	S3	CloudTrail data events for S3	Medium
PenTest:S3/PentooLinux	S3	CloudTrail data events for S3	Medium
Persistence:IAMUser/AnomalousBehavior	IAM	CloudTrail management event	Medium
Persistence:Kubernetes/ContainerWithSensitiveMount	Kubernetes	Kubernetes audit logs	Medium
Persistence:Kubernetes/MaliciousIPCaller	Kubernetes	Kubernetes audit logs	Medium
Persistence:Kubernetes/MaliciousIPCaller.Custom	Kubernetes	Kubernetes audit logs	Medium
Persistence:Kubernetes/SuccessfulAnonymousAccess	Kubernetes	Kubernetes audit logs	High
Persistence:Kubernetes/TorIPCaller	Kubernetes	Kubernetes audit logs	Medium
Policy:IAMUser/RootCredentialUsage	IAM	CloudTrail management events or CloudTrail data events for S3	Low
Policy:Kubernetes/AdminAccessToDefaultServiceAccount	Kubernetes	Kubernetes audit logs	High
Policy:Kubernetes/AnonymousAccessGranted	Kubernetes	Kubernetes audit logs	High
Policy:Kubernetes/KubeflowDashboardExposed	Kubernetes	Kubernetes audit logs	Medium
Policy:Kubernetes/ExposedDashboard	Kubernetes	Kubernetes audit logs	Medium
Policy:S3/AccountBlockPublicAccessDisabled	S3	CloudTrail management events	Low
Policy:S3/BucketAnonymousAccessGranted	S3	CloudTrail management events	High
Policy:S3/BucketBlockPublicAccessDisabled	S3	CloudTrail management events	Low
Policy:S3/BucketPublicAccessGranted	S3	CloudTrail management events	High
PrivilegeEscalation:IAMUser/AnomalousBehavior	IAM	CloudTrail management events	Medium
PrivilegeEscalation:Kubernetes/PrivilegedContainer	Kubernetes	Kubernetes audit logs	Medium
Recon:EC2/PortProbeEMRUnprotectedPort	EC2	VPC flow logs	High
Recon:EC2/PortProbeUnprotectedPort	EC2	VPC flow logs	Low*
Recon:EC2/Portscan	EC2	VPC flow logs	Medium
Recon:IAMUser/MaliciousIPCaller	IAM	CloudTrail management events	Medium
Recon:IAMUser/MaliciousIPCaller.Custom	IAM	CloudTrail management events	Medium
Recon:IAMUser/TorIPCaller	IAM	CloudTrail management events	Medium
Stealth:IAMUser/CloudTrailLoggingDisabled	IAM	CloudTrail management events	Low
Stealth:IAMUser/PasswordPolicyChange	IAM	CloudTrail management event	Low*
Stealth:S3/ServerAccessLoggingDisabled	S3	CloudTrail management events	Low
Trojan:EC2/BlackholeTraffic	EC2	VPC flow logs	Medium
Trojan:EC2/BlackholeTraffic!DNS	EC2	DNS logs	Medium
Trojan:EC2/DGADomainRequest.B	EC2	DNS logs	High
Trojan:EC2/DGADomainRequest.C!DNS	EC2	DNS logs	High
Trojan:EC2/DNSDataExfiltration	EC2	DNS logs	High
Trojan:EC2/DriveBySourceTraffic!DNS	EC2	DNS logs	High
Trojan:EC2/DropPoint	EC2	VPC flow logs	Medium
Trojan:EC2/DropPoint!DNS	EC2	DNS logs	Medium
Trojan:EC2/PhishingDomainRequest!DNS	EC2	DNS logs	High
UnauthorizedAccess:EC2/MaliciousIPCaller.Custom	EC2	VPC flow logs	Medium
UnauthorizedAccess:EC2/MetadataDNSRebind	EC2	DNS logs	High
UnauthorizedAccess:EC2/RDPBruteForce	EC2	VPC flow logs	Low*
UnauthorizedAccess:EC2/SSHBruteForce	EC2	VPC flow logs	Low*
UnauthorizedAccess:EC2/TorClient	EC2	VPC flow logs	High
UnauthorizedAccess:EC2/TorRelay	EC2	VPC flow logs	High
UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B	IAM	CloudTrail management events	Medium
UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS	IAM	CloudTrail management event	High*
UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS	IAM	CloudTrail management events or CloudTrail data events for S3	High
UnauthorizedAccess:IAMUser/MaliciousIPCaller	IAM	CloudTrail management events	Medium
UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom	IAM	CloudTrail management events	Medium
UnauthorizedAccess:IAMUser/TorIPCaller	IAM	CloudTrail management events	Medium
UnauthorizedAccess:S3/MaliciousIPCaller.Custom	S3	CloudTrail data events S3	High
UnauthorizedAccess:S3/TorIPCaller	S3	CloudTrail data events for S3	High
Execution:EC2/MaliciousFile	EC2	EBS volumes	Varies depending on the detected threat
Execution:ECS/MaliciousFile	ECS	EBS volumes	Varies depending on the detected threat
Execution:Kubernetes/MaliciousFile	Kubernetes	EBS volumes	Varies depending on the detected threat
Execution:Container/MaliciousFile	Container	EBS volumes	Varies depending on the detected threat
Execution:EC2/SuspiciousFile	EC2	EBS volumes	Varies depending on the detected threat
Execution:ECS/SuspiciousFile	ECS	EBS volumes	Varies depending on the detected threat
Execution:Kubernetes/SuspiciousFile	Kubernetes	EBS volumes	Varies depending on the detected threat
Execution:Container/SuspiciousFile	Container	EBS volumes	Varies depending on the detected threat

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Sample findings

EC2 finding types