AWS GuardDuty

Version: AWS GuardDuty.

Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts, workloads, and data stored in Amazon S3.

Amazon GuardDuty can be integrated with Netsurion Open XDR using an AWS Lambda function that forwards findings. After the logs are received from GuardDuty, Netsurion Open XDR alerts you on the following finding categories:

  • Backdoor
  • Crypto Currency
  • Discovery
  • Impact
  • Pentest
  • Persistence
  • Policy
  • Privilege Escalation
  • Recon
  • Resource Consumption
  • Stealth
  • Trojan
  • Unauthorized Access

The Netsurion Open XDR dashboard displays a summarized view of GuardDuty findings by threat type and source IP, together with a map view of the locations from which suspicious activity originates. Netsurion Open XDR reports provide an activity summary on a scheduled basis. These reports also furnish details about all activities, the resources affected, the threat actor, and so on.

The following are the key data source integrations available in Netsurion Open XDR.

Alerts

Type | Name | Description
Security | AWS GuardDuty – Backdoor detected | This alert is triggered when backdoor activity occurs in your AWS environment.
Security | AWS GuardDuty – Cryptocurrency based threat detected | This alert is triggered when cryptocurrency-related activity (for example, an EC2 instance querying an IP address associated with Bitcoin) is attempted in your AWS environment.
Security | AWS GuardDuty – Discovery category threat detected | This alert is triggered when unusual discovery activity (for example, an S3 API such as GetObjectAcl or ListObjects invoked from a Tor exit node IP address) occurs in your AWS environment.
Security | AWS GuardDuty – Impact category threat detected | This alert is triggered when unusual impact activity (for example, an IAM API call that changes permissions on one or more buckets or objects) occurs in your AWS environment.
Security | AWS GuardDuty – Pentest activities detected | This alert is triggered when pentest activity (for example, an API invoked from a Parrot Security Linux machine) occurs in your AWS environment.
Security | AWS GuardDuty – Persistence activities detected | This alert is triggered when a specific principal in your AWS environment exhibits behavior that differs from its established baseline.
Security | AWS GuardDuty – Policy based activities detected | This alert is triggered when policy-related activity (for example, root credential usage) occurs in your AWS environment.
Security | AWS GuardDuty – Privilege Escalation detected | This alert is triggered when a principal attempts to assign a highly permissive policy to itself.
Security | AWS GuardDuty – Recon activities detected | This alert is triggered when an API that lists or describes AWS resources in your account is invoked from an IP address that is included on an internal threat list.
Security | AWS GuardDuty – Stealth activities detected | This alert is triggered when an attacker attempts to cover their tracks by eliminating any trace of their activity while gaining access to your AWS resources for malicious purposes.
Security | AWS GuardDuty – Trojan detected | This alert is triggered when trojan activity (DGA domain requests, DNS data exfiltration, drive-by source traffic, etc.) occurs in your AWS environment.
Security | AWS GuardDuty – Unauthorized Access detected | This alert is triggered when unauthorized activity (for example, the PutObject or PutObjectAcl API invoked from a Tor exit node IP address) occurs in your AWS environment.
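The alerts above are keyed on the ThreatPurpose prefix of each GuardDuty finding type (for example, the type `Backdoor:EC2/C&CActivity.B!DNS` starts with `Backdoor`). The following is an added example, not Netsurion's or AWS's code, of the classification step such a forwarding Lambda performs: it assumes the function is subscribed to EventBridge "GuardDuty Finding" events (so the finding JSON is in `event["detail"]`), that the finding follows GuardDuty's documented layout (`type`, `severity`, `resource`, `service.action.*.remoteIpDetails`), and that the alert names and severity thresholds are the ones in the table above and in the GuardDuty documentation. The sample findings are constructed for illustration, using documentation-range IP addresses.

```python
"""Added example: map GuardDuty findings to the alert categories in the table.

Illustrative code, not Netsurion's Lambda nor an AWS library; see lead-in for
the assumptions it makes about the event shape.
"""
import json

# Alert name for each GuardDuty ThreatPurpose prefix, taken from the alert table.
CATEGORY_ALERTS = {
    "Backdoor": "AWS GuardDuty – Backdoor detected",
    "CryptoCurrency": "AWS GuardDuty – Cryptocurrency based threat detected",
    "Discovery": "AWS GuardDuty – Discovery category threat detected",
    "Impact": "AWS GuardDuty – Impact category threat detected",
    "PenTest": "AWS GuardDuty – Pentest activities detected",
    "Persistence": "AWS GuardDuty – Persistence activities detected",
    "Policy": "AWS GuardDuty – Policy based activities detected",
    "PrivilegeEscalation": "AWS GuardDuty – Privilege Escalation detected",
    "Recon": "AWS GuardDuty – Recon activities detected",
    "Stealth": "AWS GuardDuty – Stealth activities detected",
    "Trojan": "AWS GuardDuty – Trojan detected",
    "UnauthorizedAccess": "AWS GuardDuty – Unauthorized Access detected",
}


def threat_purpose(finding_type):
    """Finding types read 'ThreatPurpose:ResourceType/ThreatFingerprint';
    the text before the first ':' is the category the alerts key on."""
    return finding_type.split(":", 1)[0]


def severity_label(severity):
    """GuardDuty severity is numeric: 7.0-8.9 High, 4.0-6.9 Medium, below 4.0 Low."""
    if severity >= 7.0:
        return "High"
    if severity >= 4.0:
        return "Medium"
    return "Low"


def remote_ip_details(finding):
    """Return the remoteIpDetails block from whichever action the finding carries.
    Network and API-call actions hold it directly; port probes nest one per probe."""
    action = finding.get("service", {}).get("action", {})
    for key in ("networkConnectionAction", "awsApiCallAction"):
        details = action.get(key, {}).get("remoteIpDetails")
        if details:
            return details
    for probe in action.get("portProbeAction", {}).get("portProbeDetails", []):
        if probe.get("remoteIpDetails"):
            return probe["remoteIpDetails"]
    return {}


def classify(finding):
    """Build the alert/dashboard record for one finding, or None when its
    ThreatPurpose is not one of the categories in the alert table."""
    purpose = threat_purpose(finding["type"])
    alert = CATEGORY_ALERTS.get(purpose)
    if alert is None:
        return None
    ip = remote_ip_details(finding)
    return {
        "alert": alert,
        "category": purpose,
        "severity": severity_label(float(finding.get("severity", 0))),
        "resource_type": finding.get("resource", {}).get("resourceType"),
        "source_ip": ip.get("ipAddressV4"),
        "asn": ip.get("organization", {}).get("asn"),
        "country": ip.get("country", {}).get("countryName"),
        "geo": ip.get("geoLocation"),  # lat/lon, feeds the map view
    }


def lambda_handler(event, context=None):
    """Assumed EventBridge entry point: the GuardDuty finding is event['detail']."""
    record = classify(event["detail"])
    if record is not None:
        print(json.dumps(record))  # stand-in for forwarding to the XDR collector
    return record


# Constructed sample findings (TEST-NET addresses, not real infrastructure).
SAMPLE_FINDINGS = [
    {"type": "CryptoCurrency:EC2/BitcoinTool.B!DNS", "severity": 8,
     "resource": {"resourceType": "Instance"},
     "service": {"action": {"actionType": "NETWORK_CONNECTION",
                            "networkConnectionAction": {"remoteIpDetails": {
                                "ipAddressV4": "203.0.113.5",
                                "organization": {"asn": "64496"},
                                "country": {"countryName": "Example"},
                                "geoLocation": {"lat": 0.0, "lon": 0.0}}}}}},
    {"type": "UnauthorizedAccess:S3/TorIPCaller", "severity": 5,
     "resource": {"resourceType": "S3Bucket"},
     "service": {"action": {"actionType": "AWS_API_CALL",
                            "awsApiCallAction": {"api": "PutObjectAcl",
                                                 "remoteIpDetails": {
                                                     "ipAddressV4": "198.51.100.9"}}}}},
    {"type": "Execution:EC2/ConstructedExample", "severity": 2,  # no alert in table
     "resource": {"resourceType": "Instance"}, "service": {"action": {}}},
]

if __name__ == "__main__":
    for finding in SAMPLE_FINDINGS:
        lambda_handler({"detail": finding})
```

Findings whose ThreatPurpose is outside the table (newer GuardDuty categories such as Execution) return `None` here; a real forwarder should still log them rather than drop them, so that a new finding family does not go unnoticed.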

Reports

Type | Name | Description
Security | AWS GuardDuty – Findings | This report gives detailed information about the findings detected by AWS GuardDuty, including the rule name and its category, the resource affected, the threat actor, and attacker identity details such as IP address, ASN, and geolocation.

Documentation

The configuration details are consistent with Netsurion Open XDR 9.2 and later, and AWS GuardDuty.

Download the Integration Guide and the How-to Guide for configuration instructions and more information.