Amazon GuardDuty

Amazon GuardDuty is a continuous security monitoring service that analyzes and processes Amazon Virtual Private Cloud (VPC) flow logs, AWS CloudTrail event logs, and DNS logs. It uses threat intelligence feeds (such as lists of malicious IPs and domains) and machine learning to identify unexpected, potentially unauthorized, and malicious activity within your AWS environment.

Securonix integrates with Amazon GuardDuty for event context enrichment and to identify threats such as privilege escalation, use of exposed credentials, or communications with malicious IPs, URLs, or domains. This integration can also be used for AWS-specific security events, such as detecting compromised EC2 instances that serve malware or mine bitcoin or monitoring AWS account access behavior for signs of compromise.

| Audit Source (API) | Service/Module | Covered Event Types | Related Threats | Details |
|---|---|---|---|---|
| Amazon GuardDuty | Amazon GuardDuty: Intelligent threat detection and continuous monitoring on your AWS account and workload. | Security Alerts; Create/Delete Detectors; Create/Delete Threat Intelligence Set; Create/Delete IP Set; Create/Delete Member Set; Get Findings/Detector/Invitations/Threat Intel Set; Archive Findings | DNS, DDoS, Insider Threat, Network Based Threats, Malware, Phishing, AWS Account Compromise (unauthorized infrastructure deployments, unusual API calls, etc.) | Amazon GuardDuty Security Event Logs. Used for event context identification and threat detection. |
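As an added example (not Securonix or AWS code), the script below sorts the two kinds of records the table covers: GuardDuty findings are mapped to the threat categories listed above by their finding-type purpose, and GuardDuty API calls seen in CloudTrail that reduce visibility (deleting detectors or intel sets, archiving findings) are flagged. The purpose-to-category mapping and the sample records are assumptions constructed for the example.

```python
# Finding-type prefix (the "threat purpose" before the colon) -> category from the table.
# The prefixes are GuardDuty's own; mapping them to table categories is an assumption.
PURPOSE_TO_THREAT = {
    "CryptoCurrency": "Malware (cryptomining)",
    "UnauthorizedAccess": "AWS Account Compromise",
    "PrivilegeEscalation": "AWS Account Compromise",
    "Recon": "Network Based Threats",
    "Trojan": "Malware",
    "Backdoor": "Malware",
}

# GuardDuty API calls from the table that remove monitoring coverage or hide results.
TAMPERING = {"DeleteDetector", "DeleteThreatIntelSet", "DeleteIPSet", "ArchiveFindings"}


def classify_finding(finding):
    """Return (category, severity_label) for one GuardDuty finding dict."""
    purpose = finding["type"].split(":", 1)[0]
    category = PURPOSE_TO_THREAT.get(purpose, "Unclassified")
    sev = float(finding.get("severity", 0))
    # GuardDuty severity bands: 7.0-8.9 high, 4.0-6.9 medium, 0.1-3.9 low.
    label = "HIGH" if sev >= 7 else "MEDIUM" if sev >= 4 else "LOW"
    return category, label


def detect_tampering(cloudtrail_records):
    """Return CloudTrail records that call a visibility-reducing GuardDuty API."""
    return [r for r in cloudtrail_records
            if r.get("eventSource") == "guardduty.amazonaws.com"
            and r.get("eventName") in TAMPERING]


# Constructed sample input (not real findings or logs).
SAMPLE_FINDINGS = [
    {"type": "CryptoCurrency:EC2/BitcoinTool.B!DNS", "severity": 8},
    {"type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller", "severity": 5},
    {"type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 2},
]
SAMPLE_CLOUDTRAIL = [
    {"eventSource": "guardduty.amazonaws.com", "eventName": "GetFindings",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/analyst"}},
    {"eventSource": "guardduty.amazonaws.com", "eventName": "DeleteDetector",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ci-deploy"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DeleteVolume",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ci-deploy"}},
]

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f["type"], "->", classify_finding(f))
    for r in detect_tampering(SAMPLE_CLOUDTRAIL):
        print("TAMPERING:", r["eventName"], "by", r["userIdentity"]["arn"])
```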