AWS GuardDuty

Version: AWS GuardDuty.

Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts, workloads, and data stored in Amazon S3.

Amazon GuardDuty is integrated with Netsurion through a Lambda function that forwards findings. Once the findings are received from GuardDuty, Netsurion alerts you on the following finding categories:

  • Backdoor
  • Crypto Currency
  • Discovery
  • Impact
  • Pentest
  • Persistence
  • Policy
  • Privilege Escalation
  • Recon
  • Resource Consumption
  • Stealth
  • Trojan
  • Unauthorized Access
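The page does not show what the forwarding Lambda does with a finding, so the following is an added example, not Netsurion's or AWS's code. It takes a GuardDuty finding as EventBridge delivers it to a Lambda target, parses the finding type (GuardDuty writes these as ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.DetectionMechanism!Artifact), maps the threat purpose onto the category names in the list above, and flattens the fields an alert or report needs (resource affected, API or domain, remote IP, ASN, country, severity band). The two sample events are constructed for this example with documentation addresses and ASNs; the finding types themselves are real GuardDuty types, but the event bodies are abbreviated.

```python
"""Added example (not Netsurion's or AWS's code): a Lambda-style handler that
takes a GuardDuty finding delivered as an EventBridge event, parses the
finding type, and flattens the fields a SIEM alert needs."""
import re
from typing import Optional

# Finding types: ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.DetectionMechanism!Artifact
# Only the first three parts are always present, so mechanism/artifact are optional.
FINDING_TYPE_RE = re.compile(
    r"^(?P<purpose>[A-Za-z]+):(?P<resource>[A-Za-z0-9]+)/(?P<family>[^.!]+)"
    r"(?:\.(?P<mechanism>[^!]+))?(?:!(?P<artifact>.+))?$"
)
# Threat purpose as written in the type -> category name used on this page.
# Purposes not listed (Backdoor, Discovery, Impact, ...) are used as-is.
CATEGORY_BY_PURPOSE = {
    "CryptoCurrency": "Crypto Currency", "PenTest": "Pentest",
    "PrivilegeEscalation": "Privilege Escalation",
    "ResourceConsumption": "Resource Consumption", "UnauthorizedAccess": "Unauthorized Access",
}
# The action body carrying caller/remote details is keyed by the action kind.
ACTION_KEYS = ("awsApiCallAction", "networkConnectionAction", "dnsRequestAction", "portProbeAction")


def parse_finding_type(finding_type: str) -> dict:
    """Split e.g. 'CryptoCurrency:EC2/BitcoinTool.B!DNS' into its named parts."""
    m = FINDING_TYPE_RE.match(finding_type)
    if not m:
        raise ValueError(f"not a GuardDuty finding type: {finding_type!r}")
    return m.groupdict()


def severity_label(severity: float) -> str:
    """GuardDuty bands: Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0+."""
    if severity >= 9.0:
        return "Critical"
    if severity >= 7.0:
        return "High"
    return "Medium" if severity >= 4.0 else "Low"


def resource_id(resource: dict) -> str:
    """Pick the identifier a responder pivots on, per GuardDuty resource type."""
    rtype = resource.get("resourceType")
    if rtype == "Instance":
        return resource["instanceDetails"]["instanceId"]
    if rtype == "AccessKey":
        return resource["accessKeyDetails"].get("userName", "")
    if rtype == "S3Bucket":
        return ",".join(b["name"] for b in resource.get("s3BucketDetails", []))
    return ""


def normalize(event: dict) -> Optional[dict]:
    """Flatten an EventBridge 'GuardDuty Finding' event. Anything else on the same
    rule returns None so a misrouted event never becomes a bogus alert."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        return None
    f = event["detail"]
    parts = parse_finding_type(f["type"])
    service = f.get("service", {})
    action = service.get("action", {})
    details = next((action[k] for k in ACTION_KEYS if k in action), {})
    remote = details.get("remoteIpDetails") or {}
    return {
        "category": CATEGORY_BY_PURPOSE.get(parts["purpose"], parts["purpose"]),
        "finding_type": f["type"], "finding_id": f["id"],
        "severity": f["severity"], "severity_label": severity_label(f["severity"]),
        "account": f["accountId"], "region": f["region"],
        "resource_type": f.get("resource", {}).get("resourceType", ""),
        "resource_id": resource_id(f.get("resource", {})),
        "action_type": action.get("actionType", ""),
        "api": details.get("api", ""), "domain": details.get("domain", ""),
        "remote_ip": remote.get("ipAddressV4", ""),
        "remote_asn": str(remote.get("organization", {}).get("asn", "")),
        "remote_country": remote.get("country", {}).get("countryName", ""),
        "count": service.get("count", 1), "title": f.get("title", ""),
    }


def to_kv_line(record: dict) -> str:
    """One key="value" line per finding, a form most log collectors parse."""
    parts = []
    for k, v in record.items():
        escaped = str(v).replace('"', '\\"')
        parts.append(f'{k}="{escaped}"')
    return " ".join(parts)


def handler(event: dict, context=None, sink=None) -> dict:
    """Lambda entry point. `sink` is a hypothetical callable (e.g. a syslog
    writer to the manager) supplied by the deployment; it is not part of AWS."""
    record = normalize(event)
    if record is None:
        return {"forwarded": False}
    line = to_kv_line(record)
    if sink is not None:
        sink(line)
    return {"forwarded": True, "line": line}


# Constructed sample events in the EventBridge "GuardDuty Finding" shape (abbreviated).
SAMPLE_TOR_LIST = {"source": "aws.guardduty", "detail-type": "GuardDuty Finding", "detail": {
    "id": "c8b2e3f4a5d6e7f8a9b0c1d2e3f4a5b6", "type": "Discovery:S3/TorIPCaller", "severity": 5,
    "accountId": "123456789012", "region": "us-east-1",
    "title": "API ListObjects was invoked from a Tor exit node IP address.",
    "resource": {"resourceType": "AccessKey", "accessKeyDetails": {"userName": "data-analyst"}},
    "service": {"count": 3, "action": {"actionType": "AWS_API_CALL", "awsApiCallAction": {
        "api": "ListObjects", "serviceName": "s3.amazonaws.com",
        "remoteIpDetails": {"ipAddressV4": "198.51.100.23", "country": {"countryName": "Netherlands"},
                            "organization": {"asn": "64496", "asnOrg": "EXAMPLE-NET"}}}}}}}
SAMPLE_MINER = {"source": "aws.guardduty", "detail-type": "GuardDuty Finding", "detail": {
    "id": "d9c3f4a5b6e7f8a9b0c1d2e3f4a5b6c7", "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
    "severity": 8, "accountId": "123456789012", "region": "us-east-1",
    "title": "EC2 instance i-0123456789abcdef0 is querying a domain name associated with Bitcoin.",
    "resource": {"resourceType": "Instance", "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
    "service": {"count": 12, "action": {"actionType": "DNS_REQUEST", "dnsRequestAction": {
        "domain": "pool.example.net", "protocol": "UDP", "blocked": False}}}}}
```

The `source`/`detail-type` check matters in practice: an EventBridge rule that is widened later (or a test event sent by hand) would otherwise be parsed as a finding and raise an alert in the wrong category. The category mapping is where the list above is applied; GuardDuty spells "CryptoCurrency" and "PenTest" as one word in the finding type, so the lookup normalizes those to the names used here.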

The Netsurion dashboard displays a summarized view of GuardDuty findings by threat type and source IP, along with a map view of the locations the suspicious activity originated from.

Netsurion reports provide an activity summary on a scheduled basis, including details of each activity, the resources affected, and the threat actor.

The Netsurion Data Source Integration for AWS GuardDuty monitors the following components:
  • Security – GuardDuty finding details: backdoor, recon, stealth, trojan, unauthorized access, and more.

After configuring AWS GuardDuty to deliver findings to the Netsurion manager, alerts, saved searches, dashboards, and reports can be configured in Netsurion.

Some of the Data Source Integrations available in Netsurion are listed below.

Alerts

Type | Name | Description
Security | AWS Guardduty - Backdoor detected | Triggered when backdoor activity is detected in your AWS environment.
Security | AWS Guardduty - Cryptocurrency based threat detected | Triggered when cryptocurrency-related activity is detected (for example, an EC2 instance querying an IP address associated with Bitcoin).
Security | AWS Guardduty - Discovery category threat detected | Triggered when unusual discovery activity is detected (for example, an S3 API such as GetObjectAcl or ListObjects invoked from a Tor exit node IP address).
Security | AWS Guardduty - Impact category threat detected | Triggered when unusual impact-category activity is detected (for example, an API call that changes permissions on one or more buckets or objects).
Security | AWS Guardduty - Pentest activities detected | Triggered when penetration-testing activity is detected (for example, an API invoked from a Parrot Security Linux machine).
Security | AWS Guardduty - Persistence activities detected | Triggered when a specific principal in your AWS environment exhibits behavior that differs from its established baseline.
Security | AWS Guardduty - Policy based activities detected | Triggered when policy-related activity is detected (for example, use of root credentials).
Security | AWS Guardduty - Privilege Escalation detected | Triggered when a principal attempts to assign a highly permissive policy to itself.
Security | AWS Guardduty - Recon activities detected | Triggered when an API that lists or describes AWS resources in your account is invoked from an IP address that is on an internal threat list.
Security | AWS Guardduty - Stealth activities detected | Triggered when an attacker attempts to cover their tracks by removing traces of their activity while accessing your AWS resources for malicious purposes.
Security | AWS Guardduty - Trojan detected | Triggered when trojan activity is detected (for example, a DGA domain request, DNS data exfiltration, or drive-by source traffic).
Security | AWS Guardduty - Unauthorized Access detected | Triggered when unauthorized activity is detected (for example, the PutObject or PutObjectAcl API invoked from a Tor exit node IP address).

Reports

Type | Name | Description
Security | AWS Guardduty - Findings | Detailed information about the findings detected by AWS GuardDuty: rule name and category, resource affected, threat actor, and attacker identifiers such as IP address, ASN, and geolocation.

Documentation

The configuration details in this guide are consistent with the Netsurion Open XDR platform version 9.2 and later, and AWS GuardDuty.

Download the Integration Guide and How-to Guide for more information and for configuration instructions.