AWS GuardDuty
Version: AWS GuardDuty.
Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts, workloads, and data stored in Amazon S3.
Amazon GuardDuty can be integrated with Netsurion Open XDR using an AWS Lambda function that forwards findings as GuardDuty generates them. Once the findings are received from GuardDuty, Netsurion Open XDR alerts you on the following finding categories (the threat purpose that leads each GuardDuty finding type):
- Backdoor
- Cryptocurrency
- Discovery
- Impact
- Pentest
- Persistence
- Policy
- Privilege Escalation
- Recon
- Resource Consumption
- Stealth
- Trojan
- Unauthorized Access
The Netsurion Open XDR dashboard displays a summarized view of GuardDuty findings by threat type and source IP, together with a map view of the locations the suspicious activity originated from. Netsurion Open XDR reports provide an activity summary on a scheduled basis, including details of every finding, the resources affected, and the threat actor.
The following are the key data source integrations available in Netsurion Open XDR.
Alerts
Type | Name | Description |
---|---|---|
Security | AWS GuardDuty – Backdoor detected | This alert is triggered when backdoor activity (for example, an EC2 instance communicating with a command-and-control server) is detected in your AWS environment. |
Security | AWS GuardDuty – Cryptocurrency based threat detected | This alert is triggered when cryptocurrency-related activity (for example, an EC2 instance querying an IP address associated with Bitcoin) is detected in your AWS environment. |
Security | AWS GuardDuty – Discovery category threat detected | This alert is triggered when unusual discovery activity (for example, an S3 API such as GetObjectAcl or ListObjects invoked from a Tor exit node IP address) is detected in your AWS environment. |
Security | AWS GuardDuty – Impact category threat detected | This alert is triggered when activity in the Impact category (for example, an API call that changes the permissions on one or more S3 buckets or objects) is detected in your AWS environment. |
Security | AWS GuardDuty – Pentest activities detected | This alert is triggered when penetration-testing activity (for example, an API invoked from a Parrot Security Linux machine) is detected in your AWS environment. |
Security | AWS GuardDuty – Persistence activities detected | This alert is triggered when a principal in your AWS environment exhibits persistence-related behavior that differs from its established baseline. |
Security | AWS GuardDuty – Policy based activities detected | This alert is triggered when policy-related activity (for example, use of the root account credentials) is detected in your AWS environment. |
Security | AWS GuardDuty – Privilege Escalation detected | This alert is triggered when a principal attempts to assign a highly permissive policy to itself. |
Security | AWS GuardDuty – Recon activities detected | This alert is triggered when an API that lists or describes AWS resources in your account is invoked from an IP address that appears on a threat list. |
Security | AWS GuardDuty – Stealth activities detected | This alert is triggered when an attacker attempts to cover their tracks by eliminating traces of their activity (for example, by disabling CloudTrail logging) while accessing your AWS resources for malicious purposes. |
Security | AWS GuardDuty – Trojan detected | This alert is triggered when trojan activity (for example, DGA domain requests, DNS data exfiltration, or drive-by source traffic) is detected in your AWS environment. |
Security | AWS GuardDuty – Unauthorized Access detected | This alert is triggered when unauthorized activity (for example, the PutObject or PutObjectAcl API invoked from a Tor exit node IP address) is detected in your AWS environment. |
Reports
Type | Name | Description |
---|---|---|
Security | AWS Guardduty – Findings | This report gives detailed information about the findings detected by AWS GuardDuty, including the rule name and its category, the resource affected, and the threat actor's identity (IP address, ASN, and geolocation). |
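The Lambda-based integration described at the top of this page, the alert categories in the alerts table, and the report fields (rule, category, resource affected, actor IP, ASN and geolocation) can be illustrated in one place. The following is an added example, not Netsurion's or AWS's code: a Lambda handler that receives a GuardDuty finding from EventBridge, splits the finding type into its components (GuardDuty's published `ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.DetectionMechanism!Artifact` grammar), maps the threat purpose to the alert names from the table above (that mapping is an assumption made for this example; Netsurion's own rules are not on the page), pulls out the resource and actor fields the report lists, and tallies findings by category and source IP the way the dashboard summary does. The sample findings are constructed and trimmed to the fields used; they are not real data. The transport to Netsurion is not specified on the page, so the handler returns the normalized record rather than sending it anywhere.

```python
"""Normalize GuardDuty findings delivered to AWS Lambda via EventBridge.

Added example, not Netsurion's or AWS's code. Field names follow the
published GuardDuty finding JSON; the purpose-to-alert mapping is assumed.
"""
import re
from collections import Counter

# ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.DetectionMechanism!Artifact
FINDING_TYPE = re.compile(
    r"^(?P<purpose>[A-Za-z]+):(?P<resource>[A-Za-z0-9]+)/(?P<family>[A-Za-z0-9&]+)"
    r"(?:\.(?P<mechanism>[A-Za-z0-9]+))?(?:!(?P<artifact>[A-Za-z0-9]+))?$"
)

# Threat purpose -> alert name from the alerts table (assumed mapping for this example).
ALERT_BY_PURPOSE = {
    "Backdoor": "AWS GuardDuty – Backdoor detected",
    "CryptoCurrency": "AWS GuardDuty – Cryptocurrency based threat detected",
    "Discovery": "AWS GuardDuty – Discovery category threat detected",
    "Impact": "AWS GuardDuty – Impact category threat detected",
    "PenTest": "AWS GuardDuty – Pentest activities detected",
    "Persistence": "AWS GuardDuty – Persistence activities detected",
    "Policy": "AWS GuardDuty – Policy based activities detected",
    "PrivilegeEscalation": "AWS GuardDuty – Privilege Escalation detected",
    "Recon": "AWS GuardDuty – Recon activities detected",
    "Stealth": "AWS GuardDuty – Stealth activities detected",
    "Trojan": "AWS GuardDuty – Trojan detected",
    "UnauthorizedAccess": "AWS GuardDuty – Unauthorized Access detected",
}


def parse_finding_type(finding_type):
    """Split e.g. 'Backdoor:EC2/C&CActivity.B!DNS' into its named components."""
    m = FINDING_TYPE.match(finding_type)
    if not m:
        raise ValueError("unrecognized GuardDuty finding type: %r" % finding_type)
    return m.groupdict()  # unmatched optional parts come back as None


def _remote_ip_details(action):
    """Find remoteIpDetails whichever action variant the finding carries."""
    for value in action.values():
        if not isinstance(value, dict):
            continue  # e.g. actionType is a plain string
        if "remoteIpDetails" in value:
            return value["remoteIpDetails"]
        probes = value.get("portProbeDetails")  # portProbeAction nests it per probe
        if probes:
            return probes[0].get("remoteIpDetails", {})
    return {}


def _resource_label(resource):
    """Return (resourceType, identifier) for the resource types seen in the alerts table."""
    rtype = resource.get("resourceType", "Unknown")
    if rtype == "Instance":
        return rtype, resource.get("instanceDetails", {}).get("instanceId", "")
    if rtype == "AccessKey":
        return rtype, resource.get("accessKeyDetails", {}).get("userName", "")
    if rtype == "S3Bucket":
        buckets = resource.get("s3BucketDetails", [])
        return rtype, (buckets[0].get("name", "") if buckets else "")
    return rtype, ""


def normalize_finding(finding):
    """Flatten one finding into the fields the report and dashboard use."""
    parts = parse_finding_type(finding["type"])
    action = finding.get("service", {}).get("action", {})
    ip = _remote_ip_details(action)
    rtype, rid = _resource_label(finding.get("resource", {}))
    return {
        "alert": ALERT_BY_PURPOSE.get(parts["purpose"]),  # None: no alert rule listed on the page
        "rule": finding["type"],
        "category": parts["purpose"],
        "severity": finding.get("severity"),
        "account": finding.get("accountId"),
        "region": finding.get("region"),
        "resource_type": rtype,
        "resource_id": rid,
        "actor_ip": ip.get("ipAddressV4"),
        "actor_asn": ip.get("organization", {}).get("asn"),
        "actor_country": ip.get("country", {}).get("countryName"),
        "actor_lat": ip.get("geoLocation", {}).get("lat"),
        "actor_lon": ip.get("geoLocation", {}).get("lon"),
        "count": finding.get("service", {}).get("count", 1),
    }


def summarize(records):
    """Dashboard-style tallies: findings by threat category and by source IP."""
    return {
        "by_category": Counter(r["category"] for r in records),
        "by_source_ip": Counter(r["actor_ip"] for r in records if r["actor_ip"]),
    }


def handler(event, context):
    """Lambda entry point for an EventBridge 'GuardDuty Finding' event."""
    if event.get("detail-type") != "GuardDuty Finding":
        return None  # ignore anything that is not a GuardDuty finding
    # Forwarding to Netsurion Open XDR would go here; the page does not specify the transport.
    return normalize_finding(event["detail"])


# Constructed sample findings, trimmed to the fields used above; not real data.
_TOR_IP = {"ipAddressV4": "198.51.100.7", "organization": {"asn": "64496"},
           "country": {"countryName": "Netherlands"}, "geoLocation": {"lat": 52.37, "lon": 4.9}}
_C2_IP = {"ipAddressV4": "203.0.113.9", "organization": {"asn": "64500"},
          "country": {"countryName": "Example"}, "geoLocation": {"lat": 1.0, "lon": 2.0}}
SAMPLE_FINDINGS = [
    {"type": "Backdoor:EC2/C&CActivity.B", "accountId": "111122223333", "region": "us-east-1",
     "severity": 8, "resource": {"resourceType": "Instance", "instanceDetails": {"instanceId": "i-0abc123"}},
     "service": {"count": 3, "action": {"actionType": "NETWORK_CONNECTION", "networkConnectionAction": {
         "connectionDirection": "OUTBOUND", "remoteIpDetails": _C2_IP}}}},
    {"type": "Discovery:S3/TorIPCaller", "accountId": "111122223333", "region": "us-east-1",
     "severity": 5, "resource": {"resourceType": "S3Bucket", "s3BucketDetails": [{"name": "example-bucket"}]},
     "service": {"count": 1, "action": {"actionType": "AWS_API_CALL", "awsApiCallAction": {
         "api": "GetObjectAcl", "serviceName": "s3.amazonaws.com", "remoteIpDetails": _TOR_IP}}}},
    {"type": "UnauthorizedAccess:IAMUser/TorIPCaller", "accountId": "111122223333", "region": "us-east-1",
     "severity": 5, "resource": {"resourceType": "AccessKey", "accessKeyDetails": {"userName": "deploy-user"}},
     "service": {"count": 2, "action": {"actionType": "AWS_API_CALL", "awsApiCallAction": {
         "api": "PutObjectAcl", "serviceName": "s3.amazonaws.com", "remoteIpDetails": _TOR_IP}}}},
]
```

Findings whose purpose has no row in the alerts table (for example, an Exfiltration or Execution finding) come back with `alert` set to `None`, so the caller can still index the record rather than silently dropping a finding that GuardDuty raised; a deployed handler should route those to a catch-all rule rather than ignore them.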
Documentation
The configuration details are consistent with Netsurion Open XDR 9.2 and later, and AWS GuardDuty.
Download the Integration Guide and How-to Guide for configuration instructions and more information.