Finding types - Amazon GuardDuty

Finding types

For information about important changes to the GuardDuty finding types, including newly added or retired finding types, see Document history for Amazon GuardDuty.

For information about retired finding types see Retired finding types.

Findings by resource type

The following pages are broken down by each resource type that GuardDuty currently generates findings for. Each page contains detailed information on all finding types for that resource type.

Findings table

The following table lists all finding types by name, the resource type affected, the data source GuardDuty used to generate the finding, and severity. The threat purpose is the first component of the finding type name (for example, Backdoor, Recon, UnauthorizedAccess). A severity listed with an asterisk (*) indicates the finding has a variable severity depending on the circumstances of the finding, which are described in the details for that finding. Choose the finding name to open the details for that finding.

Finding type | Resource | Data source | Severity
Backdoor:EC2/C&CActivity.B | EC2 | VPC flow logs | High
Backdoor:EC2/C&CActivity.B!DNS | EC2 | DNS logs | High
Backdoor:EC2/DenialOfService.Dns | EC2 | VPC flow logs | High
Backdoor:EC2/DenialOfService.Tcp | EC2 | VPC flow logs | High
Backdoor:EC2/DenialOfService.Udp | EC2 | VPC flow logs | High
Backdoor:EC2/DenialOfService.UdpOnTcpPorts | EC2 | VPC flow logs | High
Backdoor:EC2/DenialOfService.UnusualProtocol | EC2 | VPC flow logs | High
Backdoor:EC2/Spambot | EC2 | VPC flow logs | Medium
Behavior:EC2/NetworkPortUnusual | EC2 | VPC flow logs | Medium
Behavior:EC2/TrafficVolumeUnusual | EC2 | VPC flow logs | Medium
CredentialAccess:IAMUser/AnomalousBehavior | IAM | CloudTrail management event | Medium
CryptoCurrency:EC2/BitcoinTool.B | EC2 | VPC flow logs | High
CryptoCurrency:EC2/BitcoinTool.B!DNS | EC2 | DNS logs | High
DefenseEvasion:IAMUser/AnomalousBehavior | IAM | CloudTrail management event | Medium
Discovery:IAMUser/AnomalousBehavior | IAM | CloudTrail management event | Low
Discovery:S3/MaliciousIPCaller | S3 | CloudTrail S3 data event | High
Discovery:S3/MaliciousIPCaller.Custom | S3 | CloudTrail S3 data event | High
Discovery:S3/TorIPCaller | S3 | CloudTrail S3 data event | Medium
Exfiltration:IAMUser/AnomalousBehavior | IAM | CloudTrail management event | High
Exfiltration:S3/MaliciousIPCaller | S3 | CloudTrail S3 data event | High
Exfiltration:S3/ObjectRead.Unusual | S3 | CloudTrail management event | Medium*
Impact:EC2/AbusedDomainRequest.Reputation | EC2 | DNS logs | Medium
Impact:EC2/BitcoinDomainRequest.Reputation | EC2 | DNS logs | High
Impact:EC2/MaliciousDomainRequest.Reputation | EC2 | DNS logs | High
Impact:EC2/PortSweep | EC2 | VPC flow logs | High
Impact:EC2/SuspiciousDomainRequest.Reputation | EC2 | DNS logs | Low
Impact:EC2/WinRMBruteForce | EC2 | VPC flow logs | Low*
Impact:IAMUser/AnomalousBehavior | IAM | CloudTrail management event | High
Impact:S3/MaliciousIPCaller | S3 | CloudTrail S3 data event | High
InitialAccess:IAMUser/AnomalousBehavior | IAM | CloudTrail management event | Medium
PenTest:IAMUser/KaliLinux | IAM | CloudTrail management event | Medium
PenTest:IAMUser/ParrotLinux | IAM | CloudTrail management event | Medium
PenTest:IAMUser/PentooLinux | IAM | CloudTrail management event | Medium
PenTest:S3/KaliLinux | S3 | CloudTrail S3 data event | Medium
PenTest:S3/ParrotLinux | S3 | CloudTrail S3 data event | Medium
PenTest:S3/PentooLinux | S3 | CloudTrail S3 data event | Medium
Persistence:IAMUser/AnomalousBehavior | IAM | CloudTrail management event | Medium
Policy:IAMUser/RootCredentialUsage | IAM | CloudTrail management event or CloudTrail data event | Low
Policy:S3/AccountBlockPublicAccessDisabled | S3 | CloudTrail management event | Low
Policy:S3/BucketAnonymousAccessGranted | S3 | CloudTrail management event | High
Policy:S3/BucketBlockPublicAccessDisabled | S3 | CloudTrail management event | Low
Policy:S3/BucketPublicAccessGranted | S3 | CloudTrail management event | High
PrivilegeEscalation:IAMUser/AnomalousBehavior | IAM | CloudTrail management event | Medium
Recon:EC2/PortProbeEMRUnprotectedPort | EC2 | VPC flow logs | High
Recon:EC2/PortProbeUnprotectedPort | EC2 | VPC flow logs | Low*
Recon:EC2/Portscan | EC2 | VPC flow logs | Medium
Recon:IAMUser/MaliciousIPCaller | IAM | CloudTrail management event | Medium
Recon:IAMUser/MaliciousIPCaller.Custom | IAM | CloudTrail management event | Medium
Recon:IAMUser/TorIPCaller | IAM | CloudTrail management event | Medium
Stealth:IAMUser/CloudTrailLoggingDisabled | IAM | CloudTrail management event | Low
Stealth:IAMUser/PasswordPolicyChange | IAM | CloudTrail management event | Low
Stealth:S3/ServerAccessLoggingDisabled | S3 | CloudTrail management event | Low
Trojan:EC2/BlackholeTraffic | EC2 | VPC flow logs | Medium
Trojan:EC2/BlackholeTraffic!DNS | EC2 | DNS logs | Medium
Trojan:EC2/DGADomainRequest.B | EC2 | DNS logs | High
Trojan:EC2/DGADomainRequest.C!DNS | EC2 | DNS logs | High
Trojan:EC2/DNSDataExfiltration | EC2 | DNS logs | High
Trojan:EC2/DriveBySourceTraffic!DNS | EC2 | DNS logs | Medium
Trojan:EC2/DropPoint | EC2 | VPC flow logs | Medium
Trojan:EC2/DropPoint!DNS | EC2 | DNS logs | Medium
Trojan:EC2/PhishingDomainRequest!DNS | EC2 | DNS logs | High
UnauthorizedAccess:EC2/MaliciousIPCaller.Custom | EC2 | VPC flow logs | Medium
UnauthorizedAccess:EC2/MetadataDNSRebind | EC2 | DNS logs | High
UnauthorizedAccess:EC2/RDPBruteForce | EC2 | VPC flow logs | Low*
UnauthorizedAccess:EC2/SSHBruteForce | EC2 | VPC flow logs | Low*
UnauthorizedAccess:EC2/TorClient | EC2 | VPC flow logs | High
UnauthorizedAccess:EC2/TorRelay | EC2 | VPC flow logs | High
UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B | IAM | CloudTrail management event | Medium
UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration | IAM | CloudTrail management event | High
UnauthorizedAccess:IAMUser/MaliciousIPCaller | IAM | CloudTrail management event | Medium
UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom | IAM | CloudTrail management event | Medium
UnauthorizedAccess:IAMUser/TorIPCaller | IAM | CloudTrail management event | Medium
UnauthorizedAccess:S3/MaliciousIPCaller.Custom | S3 | CloudTrail S3 data event | High
UnauthorizedAccess:S3/TorIPCaller | S3 | CloudTrail S3 data event | High
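The finding type names in the table follow the GuardDuty naming convention ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.DetectionMechanism!Artifact, which is why names such as Backdoor:EC2/C&CActivity.B!DNS carry a threat purpose, a resource, a family, a detection mechanism (.B, .Custom, .Reputation) and an artifact (!DNS), with the last two optional. The Python below is an added example, not code from the GuardDuty documentation or any AWS SDK: it parses those names into their components, reads severity cells including the asterisk that marks a variable severity, filters a small excerpt of the table by resource, data source and severity, and builds an EventBridge event pattern that matches the selected finding types. The CATALOG_ROWS excerpt is constructed from rows of the table above, every function name is the example's own, and the event pattern assumes the standard aws.guardduty source and "GuardDuty Finding" detail-type with EventBridge numeric matching on the finding's severity field.

```python
import json
import re
from dataclasses import dataclass
from typing import Optional

# GuardDuty finding type naming convention:
#   ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.DetectionMechanism!Artifact
# DetectionMechanism (".B", ".Custom", ".Reputation") and Artifact ("!DNS") are optional.
FINDING_TYPE_RE = re.compile(
    r"^(?P<purpose>[A-Za-z]+):"        # e.g. Backdoor, UnauthorizedAccess
    r"(?P<resource>[A-Za-z0-9]+)/"     # e.g. EC2, IAMUser, S3
    r"(?P<family>[^.!]+)"              # e.g. C&CActivity, MaliciousIPCaller
    r"(?:\.(?P<mechanism>[^!]+))?"     # e.g. B, Custom, Reputation
    r"(?:!(?P<artifact>.+))?$"         # e.g. DNS
)


@dataclass(frozen=True)
class FindingType:
    purpose: str
    resource: str
    family: str
    mechanism: Optional[str]
    artifact: Optional[str]


def parse_finding_type(name: str) -> FindingType:
    """Split a finding type name into its components; reject anything off-format."""
    m = FINDING_TYPE_RE.match(name)
    if m is None:
        raise ValueError(f"not a GuardDuty finding type: {name!r}")
    return FindingType(**m.groupdict())


def parse_severity(cell: str) -> tuple:
    """'Low*' -> ('Low', True). A trailing asterisk marks a variable severity."""
    return cell.rstrip("*"), cell.endswith("*")


# Constructed sample input: an excerpt of the findings table above
# (finding type, resource, data source, severity), copied row by row.
CATALOG_ROWS = [
    ("Backdoor:EC2/C&CActivity.B", "EC2", "VPC flow logs", "High"),
    ("Backdoor:EC2/C&CActivity.B!DNS", "EC2", "DNS logs", "High"),
    ("Discovery:S3/MaliciousIPCaller.Custom", "S3", "CloudTrail S3 data event", "High"),
    ("Exfiltration:S3/ObjectRead.Unusual", "S3", "CloudTrail management event", "Medium*"),
    ("Impact:EC2/WinRMBruteForce", "EC2", "VPC flow logs", "Low*"),
    ("Policy:IAMUser/RootCredentialUsage", "IAM",
     "CloudTrail management event or CloudTrail data event", "Low"),
    ("Trojan:EC2/DGADomainRequest.C!DNS", "EC2", "DNS logs", "High"),
    ("UnauthorizedAccess:EC2/SSHBruteForce", "EC2", "VPC flow logs", "Low*"),
    ("UnauthorizedAccess:S3/TorIPCaller", "S3", "CloudTrail S3 data event", "High"),
]

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3}


def build_catalog(rows):
    """Parse every row once so a malformed name fails at load time, not at match time."""
    catalog = []
    for name, resource, source, sev in rows:
        level, variable = parse_severity(sev)
        catalog.append({"name": name, "parsed": parse_finding_type(name),
                        "resource": resource, "source": source,
                        "severity": level, "variable": variable})
    return catalog


def select_types(catalog, resource=None, source=None, min_severity="Low",
                 include_variable=True):
    """Finding type names matching the filters. A variable-severity type is compared
    on its listed base level; pass include_variable=False to leave those out, since
    their real severity depends on the circumstances of the finding."""
    out = []
    for row in catalog:
        if resource is not None and row["resource"] != resource:
            continue
        if source is not None and row["source"] != source:
            continue
        if SEVERITY_RANK[row["severity"]] < SEVERITY_RANK[min_severity]:
            continue
        if row["variable"] and not include_variable:
            continue
        out.append(row["name"])
    return out


def event_pattern(type_names, min_numeric_severity=None):
    """EventBridge event pattern for GuardDuty findings of the given types, with an
    optional floor on the finding's numeric severity (assumed EventBridge numeric
    matching syntax on detail.severity)."""
    detail = {"type": sorted(type_names)}
    if min_numeric_severity is not None:
        detail["severity"] = [{"numeric": [">=", min_numeric_severity]}]
    return {"source": ["aws.guardduty"],
            "detail-type": ["GuardDuty Finding"],
            "detail": detail}


if __name__ == "__main__":
    catalog = build_catalog(CATALOG_ROWS)
    high_s3 = select_types(catalog, resource="S3", min_severity="High")
    print(json.dumps(event_pattern(high_s3, min_numeric_severity=7), indent=2))
```

The pattern produced for the S3 selection lists the exact type names, which is the safer choice for routing: a prefix match on the threat purpose alone (for example everything starting with UnauthorizedAccess:) would also pull in the Low* brute-force types whose severity depends on whether the instance was the source or the target.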