GuardDuty finding types - Amazon GuardDuty

GuardDuty finding types

A finding is a notification that GuardDuty generates when it detects an indication of a suspicious or malicious activity in your AWS account. GuardDuty generates a finding in an account that has enabled GuardDuty.

For information about important changes to the GuardDuty finding types, including newly added or retired finding types, see Document history for Amazon GuardDuty.

For information about finding types which are now retired, see Retired finding types.

GuardDuty finding types by potentially impacted resources

The following pages are categorized by the potentially impacted resource type associated to a GuardDuty finding:

GuardDuty active finding types

The following table shows all of the active finding types sorted by the foundational data source or feature, as applicable. Some of the following finding types may have a variable severity, indicated by an asterisk (*). For information about the variable severity of a finding type, view the detailed description of that finding type.

Finding type

Resource type

Foundational data source/Feature

Finding severity

Discovery:S3/AnomalousBehavior

Amazon S3

CloudTrail data events for S3

Low

Discovery:S3/MaliciousIPCaller

Amazon S3

CloudTrail data events for S3

High

Discovery:S3/MaliciousIPCaller.Custom

Amazon S3

CloudTrail data events for S3

High

Discovery:S3/TorIPCaller

Amazon S3

CloudTrail data events for S3

Medium

Exfiltration:S3/AnomalousBehavior

Amazon S3

CloudTrail data events for S3

High

Exfiltration:S3/MaliciousIPCaller

Amazon S3

CloudTrail data events for S3

High

Impact:S3/AnomalousBehavior.Delete

Amazon S3

CloudTrail data events for S3

High

Impact:S3/AnomalousBehavior.Permission

Amazon S3

CloudTrail data events for S3

High

Impact:S3/AnomalousBehavior.Write

Amazon S3

CloudTrail data events for S3

Medium

Impact:S3/MaliciousIPCaller

Amazon S3

CloudTrail data events for S3

High

PenTest:S3/KaliLinux

Amazon S3

CloudTrail data events for S3

Medium

PenTest:S3/ParrotLinux

Amazon S3

CloudTrail data events for S3

Medium

PenTest:S3/PentooLinux

Amazon S3

CloudTrail data events for S3

Medium

UnauthorizedAccess:S3/TorIPCaller

Amazon S3

CloudTrail data events for S3

High

UnauthorizedAccess:S3/MaliciousIPCaller.Custom

Amazon S3

CloudTrail data events for S3

High

CredentialAccess:IAMUser/AnomalousBehavior

IAM

CloudTrail management events

Medium

DefenseEvasion:IAMUser/AnomalousBehavior

IAM

CloudTrail management events

Medium

Discovery:IAMUser/AnomalousBehavior

IAM

CloudTrail management events

Low

Exfiltration:IAMUser/AnomalousBehavior

IAM

CloudTrail management events

High

Impact:IAMUser/AnomalousBehavior

IAM

CloudTrail management events

High

InitialAccess:IAMUser/AnomalousBehavior

IAM

CloudTrail management events

Medium

PenTest:IAMUser/KaliLinux

IAM

CloudTrail management events

Medium

PenTest:IAMUser/ParrotLinux

IAM

CloudTrail management events

Medium

PenTest:IAMUser/PentooLinux

IAM

CloudTrail management events

Medium

Persistence:IAMUser/AnomalousBehavior

IAM

CloudTrail management events

Medium

Stealth:IAMUser/PasswordPolicyChange

IAM

CloudTrail management events

Low*

UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS

IAM

CloudTrail management events

High*

Policy:S3/AccountBlockPublicAccessDisabled

Amazon S3

CloudTrail management events

Low

Policy:S3/BucketAnonymousAccessGranted

Amazon S3

CloudTrail management events

High

Policy:S3/BucketBlockPublicAccessDisabled

Amazon S3

CloudTrail management events

Low

Policy:S3/BucketPublicAccessGranted

Amazon S3

CloudTrail management events

High

PrivilegeEscalation:IAMUser/AnomalousBehavior

IAM

CloudTrail management events

Medium

Recon:IAMUser/MaliciousIPCaller

IAM

CloudTrail management events

Medium

Recon:IAMUser/MaliciousIPCaller.Custom

IAM

CloudTrail management events

Medium

Recon:IAMUser/TorIPCaller

IAM

CloudTrail management events

Medium

Stealth:IAMUser/CloudTrailLoggingDisabled

IAM

CloudTrail management events

Low

Stealth:S3/ServerAccessLoggingDisabled

Amazon S3

CloudTrail management events

Low

UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B

IAM

CloudTrail management events

Medium

UnauthorizedAccess:IAMUser/MaliciousIPCaller

IAM

CloudTrail management events

Medium

UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom

IAM

CloudTrail management events

Medium

UnauthorizedAccess:IAMUser/TorIPCaller

IAM

CloudTrail management events

Medium

Policy:IAMUser/RootCredentialUsage

IAM

CloudTrail management events or CloudTrail data events for S3

Low

UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS

IAM

CloudTrail management events or CloudTrail data events for S3

High

AttackSequence:IAM/CompromisedCredentials

Resources involved in attack sequence

CloudTrail management events

Critical

AttackSequence:S3/CompromisedData

Resources involved in attack sequence

CloudTrail management events and CloudTrail data events for S3

Critical

Backdoor:EC2/C&CActivity.B!DNS

Amazon EC2

DNS logs

High

CryptoCurrency:EC2/BitcoinTool.B!DNS

Amazon EC2

DNS logs

High

Impact:EC2/AbusedDomainRequest.Reputation

Amazon EC2

DNS logs

Medium

Impact:EC2/BitcoinDomainRequest.Reputation

Amazon EC2

DNS logs

High

Impact:EC2/MaliciousDomainRequest.Reputation

Amazon EC2

DNS logs

High

Impact:EC2/SuspiciousDomainRequest.Reputation

Amazon EC2

DNS logs

Low

Trojan:EC2/BlackholeTraffic!DNS

Amazon EC2

DNS logs

Medium

Trojan:EC2/DGADomainRequest.B

Amazon EC2

DNS logs

High

Trojan:EC2/DGADomainRequest.C!DNS

Amazon EC2

DNS logs

High

Trojan:EC2/DNSDataExfiltration

Amazon EC2

DNS logs

High

Trojan:EC2/DriveBySourceTraffic!DNS

Amazon EC2

DNS logs

High

Trojan:EC2/DropPoint!DNS

Amazon EC2

DNS logs

Medium

Trojan:EC2/PhishingDomainRequest!DNS

Amazon EC2

DNS logs

High

UnauthorizedAccess:EC2/MetadataDNSRebind

Amazon EC2

DNS logs

High

Execution:Container/MaliciousFile

Container

EBS Malware Protection

Varies depending on the detected threat

Execution:Container/SuspiciousFile

Container

EBS Malware Protection

Varies depending on the detected threat

Execution:EC2/MaliciousFile

Amazon EC2

EBS Malware Protection

Varies depending on the detected threat

Execution:EC2/SuspiciousFile

Amazon EC2

EBS Malware Protection

Varies depending on the detected threat

Execution:ECS/MaliciousFile

ECS

EBS Malware Protection

Varies depending on the detected threat

Execution:ECS/SuspiciousFile

ECS

EBS Malware Protection

Varies depending on the detected threat

Execution:Kubernetes/MaliciousFile

Kubernetes

EBS Malware Protection

Varies depending on the detected threat

Execution:Kubernetes/SuspiciousFile

Kubernetes

EBS Malware Protection

Varies depending on the detected threat

CredentialAccess:Kubernetes/AnomalousBehavior.SecretsAccessed

Kubernetes

EKS audit logs

Medium

CredentialAccess:Kubernetes/MaliciousIPCaller

Kubernetes

EKS audit logs

High

CredentialAccess:Kubernetes/MaliciousIPCaller.Custom

Kubernetes

EKS audit logs

High

CredentialAccess:Kubernetes/SuccessfulAnonymousAccess

Kubernetes

EKS audit logs

High

CredentialAccess:Kubernetes/TorIPCaller

Kubernetes

EKS audit logs

High

DefenseEvasion:Kubernetes/MaliciousIPCaller

Kubernetes

EKS audit logs

High

DefenseEvasion:Kubernetes/MaliciousIPCaller.Custom

Kubernetes

EKS audit logs

High

DefenseEvasion:Kubernetes/SuccessfulAnonymousAccess

Kubernetes

EKS audit logs

High

DefenseEvasion:Kubernetes/TorIPCaller

Kubernetes

EKS audit logs

High

Discovery:Kubernetes/AnomalousBehavior.PermissionChecked

Kubernetes

EKS audit logs

Low

Discovery:Kubernetes/MaliciousIPCaller

Kubernetes

EKS audit logs

Medium

Discovery:Kubernetes/MaliciousIPCaller.Custom

Kubernetes

EKS audit logs

Medium

Discovery:Kubernetes/SuccessfulAnonymousAccess

Kubernetes

EKS audit logs

Medium

Discovery:Kubernetes/TorIPCaller

Kubernetes

EKS audit logs

Medium

Execution:Kubernetes/ExecInKubeSystemPod

Kubernetes

EKS audit logs

Medium

Execution:Kubernetes/AnomalousBehavior.ExecInPod

Kubernetes

EKS audit logs

Medium

Execution:Kubernetes/AnomalousBehavior.WorkloadDeployed

Kubernetes

EKS audit logs

Low

Impact:Kubernetes/MaliciousIPCaller

Kubernetes

EKS audit logs

High

Impact:Kubernetes/MaliciousIPCaller.Custom

Kubernetes

EKS audit logs

High

Impact:Kubernetes/SuccessfulAnonymousAccess

Kubernetes

EKS audit logs

High

Impact:Kubernetes/TorIPCaller

Kubernetes

EKS audit logs

High

Persistence:Kubernetes/ContainerWithSensitiveMount

Kubernetes

EKS audit logs

Medium

Persistence:Kubernetes/MaliciousIPCaller

Kubernetes

EKS audit logs

Medium

Persistence:Kubernetes/MaliciousIPCaller.Custom

Kubernetes

EKS audit logs

Medium

Persistence:Kubernetes/SuccessfulAnonymousAccess

Kubernetes

EKS audit logs

High

Persistence:Kubernetes/TorIPCaller

Kubernetes

EKS audit logs

Medium

Policy:Kubernetes/AdminAccessToDefaultServiceAccount

Kubernetes

EKS audit logs

High

Policy:Kubernetes/AnonymousAccessGranted

Kubernetes

EKS audit logs

High

Policy:Kubernetes/KubeflowDashboardExposed

Kubernetes

EKS audit logs

Medium

Policy:Kubernetes/ExposedDashboard

Kubernetes

EKS audit logs

Medium

PrivilegeEscalation:Kubernetes/AnomalousBehavior.RoleBindingCreated

Kubernetes

EKS audit logs

Medium*

PrivilegeEscalation:Kubernetes/AnomalousBehavior.RoleCreated

Kubernetes

EKS audit logs

Low

Persistence:Kubernetes/AnomalousBehavior.WorkloadDeployed!ContainerWithSensitiveMount

Kubernetes

EKS audit logs

High

PrivilegeEscalation:Kubernetes/AnomalousBehavior.WorkloadDeployed!PrivilegedContainer

Kubernetes

EKS audit logs

High

PrivilegeEscalation:Kubernetes/PrivilegedContainer

Kubernetes

EKS audit logs

Medium

Backdoor:Lambda/C&CActivity.B

Lambda

Lambda Network Activity Monitoring

High

CryptoCurrency:Lambda/BitcoinTool.B

Lambda

Lambda Network Activity Monitoring

High

Trojan:Lambda/BlackholeTraffic

Lambda

Lambda Network Activity Monitoring

Medium

Trojan:Lambda/DropPoint

Lambda

Lambda Network Activity Monitoring

Medium

UnauthorizedAccess:Lambda/MaliciousIPCaller.Custom

Lambda

Lambda Network Activity Monitoring

Medium

UnauthorizedAccess:Lambda/TorClient

Lambda

Lambda Network Activity Monitoring

High

UnauthorizedAccess:Lambda/TorRelay

Lambda

Lambda Network Activity Monitoring

High

Object:S3/MaliciousFile

S3Object

Malware Protection for S3

High

CredentialAccess:RDS/AnomalousBehavior.FailedLogin

Supported Amazon Aurora, Amazon RDS, and Aurora Limitless databases

RDS Login Activity Monitoring

Low

CredentialAccess:RDS/AnomalousBehavior.SuccessfulBruteForce

Supported Amazon Aurora, Amazon RDS, and Aurora Limitless databases

RDS Login Activity Monitoring

High

CredentialAccess:RDS/AnomalousBehavior.SuccessfulLogin

Supported Amazon Aurora, Amazon RDS, and Aurora Limitless databases

RDS Login Activity Monitoring

Variable*

CredentialAccess:RDS/MaliciousIPCaller.FailedLogin

Supported Amazon Aurora, Amazon RDS, and Aurora Limitless databases

RDS Login Activity Monitoring

Medium

CredentialAccess:RDS/MaliciousIPCaller.SuccessfulLogin

Supported Amazon Aurora, Amazon RDS, and Aurora Limitless databases

RDS Login Activity Monitoring

High

CredentialAccess:RDS/TorIPCaller.FailedLogin

Supported Amazon Aurora, Amazon RDS, and Aurora Limitless databases

RDS Login Activity Monitoring

Medium

CredentialAccess:RDS/TorIPCaller.SuccessfulLogin

Supported Amazon Aurora, Amazon RDS, and Aurora Limitless databases

RDS Login Activity Monitoring

High

Discovery:RDS/MaliciousIPCaller

Supported Amazon Aurora, Amazon RDS, and Aurora Limitless databases

RDS Login Activity Monitoring

Medium

Discovery:RDS/TorIPCaller

Supported Amazon Aurora, Amazon RDS, and Aurora Limitless databases

RDS Login Activity Monitoring

Medium

Backdoor:Runtime/C&CActivity.B

Instance, EKS cluster, ECS cluster, or container

Runtime Monitoring

High

Backdoor:Runtime/C&CActivity.B!DNS

Instance, EKS cluster, ECS cluster, or container

Runtime Monitoring

High

CryptoCurrency:Runtime/BitcoinTool.B

Instance, EKS cluster, ECS cluster, or container

Runtime Monitoring

High

CryptoCurrency:Runtime/BitcoinTool.B!DNS

Instance, EKS cluster, ECS cluster, or container

Runtime Monitoring

High

DefenseEvasion:Runtime/FilelessExecution

Instance, EKS cluster, ECS cluster, or container

Runtime Monitoring

Medium

DefenseEvasion:Runtime/ProcessInjection.Proc

Instance, EKS cluster, ECS cluster, or container

Runtime Monitoring

High

DefenseEvasion:Runtime/ProcessInjection.Ptrace

Instance, EKS cluster, ECS cluster, or container

Runtime Monitoring

Medium

DefenseEvasion:Runtime/ProcessInjection.VirtualMemoryWrite

Instance, EKS cluster, ECS cluster, or container

Runtime Monitoring

High

DefenseEvasion:Runtime/PtraceAntiDebugging

Instance, EKS cluster, ECS cluster, or container

Runtime Monitoring

Low

DefenseEvasion:Runtime/SuspiciousCommand

Instance, EKS cluster, ECS cluster, or container

Runtime Monitoring

High

Discovery:Runtime/SuspiciousCommand

Instance, EKS cluster, ECS cluster, or container

Runtime Monitoring

Low

Execution:Runtime/MaliciousFileExecuted

Instance, EKS cluster, ECS cluster, or container

Runtime Monitoring

High

Execution:Runtime/NewBinaryExecuted

Instance, EKS cluster, ECS cluster, or container

Runtime Monitoring

Medium

Execution:Runtime/NewLibraryLoaded

Instance, EKS cluster, ECS cluster, or container

Runtime Monitoring

Medium

Execution:Runtime/SuspiciousCommand

Instance, EKS cluster, ECS cluster, or container

Runtime Monitoring

Variable

Execution:Runtime/SuspiciousShellCreated

Instance, EKS cluster, ECS cluster, or container

Runtime Monitoring

Low

Execution:Runtime/SuspiciousTool

Instance, EKS cluster, ECS cluster, or container

Runtime Monitoring

Variable

Execution:Runtime/ReverseShell

Instance, EKS cluster, ECS cluster, or container

Runtime Monitoring

High

Impact:Runtime/AbusedDomainRequest.Reputation

Instance, EKS cluster, ECS cluster, or container

Runtime Monitoring

Medium

Impact:Runtime/BitcoinDomainRequest.Reputation

Instance, EKS cluster, ECS cluster, or container

Runtime Monitoring

High

Impact:Runtime/CryptoMinerExecuted

Instance, EKS cluster, ECS cluster, or container

Runtime Monitoring

High

Impact:Runtime/MaliciousDomainRequest.Reputation

Instance, EKS cluster, ECS cluster, or container

Runtime Monitoring

Medium

Impact:Runtime/SuspiciousDomainRequest.Reputation

Instance, EKS cluster, ECS cluster, or container

Runtime Monitoring

Low

Persistence:Runtime/SuspiciousCommand

Instance, EKS cluster, ECS cluster, or container

Runtime Monitoring

Medium

PrivilegeEscalation:Runtime/CGroupsReleaseAgentModified

Instance, EKS cluster, ECS cluster, or container

Runtime Monitoring

High

PrivilegeEscalation:Runtime/ContainerMountsHostDirectory

Instance, EKS cluster, ECS cluster, or container

Runtime Monitoring

Medium

PrivilegeEscalation:Runtime/DockerSocketAccessed

Instance, EKS cluster, ECS cluster, or container

Runtime Monitoring

Medium

PrivilegeEscalation:Runtime/ElevationToRoot

Instance, EKS cluster, ECS cluster, or container

Runtime Monitoring

Medium

PrivilegeEscalation:Runtime/RuncContainerEscape

Instance, EKS cluster, ECS cluster, or container

Runtime Monitoring

High

PrivilegeEscalation:Runtime/SuspiciousCommand

Instance, EKS cluster, ECS cluster, or container

Runtime Monitoring

Medium

PrivilegeEscalation:Runtime/UserfaultfdUsage

Instance, EKS cluster, ECS cluster, or container

Runtime Monitoring

Medium

Trojan:Runtime/BlackholeTraffic

Instance, EKS cluster, ECS cluster, or container

Runtime Monitoring

Medium

Trojan:Runtime/BlackholeTraffic!DNS

Instance, EKS cluster, ECS cluster, or container

Runtime Monitoring

Medium

Trojan:Runtime/DropPoint

Instance, EKS cluster, ECS cluster, or container

Runtime Monitoring

Medium

Trojan:Runtime/DGADomainRequest.C!DNS

Instance, EKS cluster, ECS cluster, or container

Runtime Monitoring

High

Trojan:Runtime/DriveBySourceTraffic!DNS

Instance, EKS cluster, ECS cluster, or container

Runtime Monitoring

High

Trojan:Runtime/DropPoint!DNS

Instance, EKS cluster, ECS cluster, or container

Runtime Monitoring

Medium

Trojan:Runtime/PhishingDomainRequest!DNS

Instance, EKS cluster, ECS cluster, or container

Runtime Monitoring

High

UnauthorizedAccess:Runtime/MetadataDNSRebind

Instance, EKS cluster, ECS cluster, or container

Runtime Monitoring

High

UnauthorizedAccess:Runtime/TorClient

Instance, EKS cluster, ECS cluster, or container

Runtime Monitoring

High

UnauthorizedAccess:Runtime/TorRelay

Instance, EKS cluster, ECS cluster, or container

Runtime Monitoring

High

Backdoor:EC2/C&CActivity.B

Amazon EC2

VPC flow logs

High

Backdoor:EC2/DenialOfService.Dns

Amazon EC2

VPC flow logs

High

Backdoor:EC2/DenialOfService.Tcp

Amazon EC2

VPC flow logs

High

Backdoor:EC2/DenialOfService.Udp

Amazon EC2

VPC flow logs

High

Backdoor:EC2/DenialOfService.UdpOnTcpPorts

Amazon EC2

VPC flow logs

High

Backdoor:EC2/DenialOfService.UnusualProtocol

Amazon EC2

VPC flow logs

High

Backdoor:EC2/Spambot

Amazon EC2

VPC flow logs

Medium

Behavior:EC2/NetworkPortUnusual

Amazon EC2

VPC flow logs

Medium

Behavior:EC2/TrafficVolumeUnusual

Amazon EC2

VPC flow logs

Medium

CryptoCurrency:EC2/BitcoinTool.B

Amazon EC2

VPC flow logs

High

DefenseEvasion:EC2/UnusualDNSResolver

Amazon EC2

VPC flow logs

Medium

DefenseEvasion:EC2/UnusualDoHActivity

Amazon EC2

VPC flow logs

Medium

DefenseEvasion:EC2/UnusualDoTActivity

Amazon EC2

VPC flow logs

Medium

Impact:EC2/PortSweep

Amazon EC2

VPC flow logs

High

Impact:EC2/WinRMBruteForce

Amazon EC2

VPC flow logs

Low*

Recon:EC2/PortProbeEMRUnprotectedPort

Amazon EC2

VPC flow logs

High

Recon:EC2/PortProbeUnprotectedPort

Amazon EC2

VPC flow logs

Low*

Recon:EC2/Portscan

Amazon EC2

VPC flow logs

Medium

Trojan:EC2/BlackholeTraffic

Amazon EC2

VPC flow logs

Medium

Trojan:EC2/DropPoint

Amazon EC2

VPC flow logs

Medium

UnauthorizedAccess:EC2/MaliciousIPCaller.Custom

Amazon EC2

VPC flow logs

Medium

UnauthorizedAccess:EC2/RDPBruteForce

Amazon EC2

VPC flow logs

Low*

UnauthorizedAccess:EC2/SSHBruteForce

Amazon EC2

VPC flow logs

Low*

UnauthorizedAccess:EC2/TorClient

Amazon EC2

VPC flow logs

High

UnauthorizedAccess:EC2/TorRelay

Amazon EC2

VPC flow logs

High