Amazon GuardDuty | GuardDuty Findings Flashcards
How can I stop Amazon GuardDuty from looking at my logs and data sources?
GuardDuty Findings
Amazon GuardDuty | Security, Identity & Compliance
You can stop Amazon GuardDuty from analyzing your data sources at any time by choosing to suspend the service in the general settings. This will immediately stop the service from analyzing data, but not delete your existing findings or configurations. You can also choose to disable the service in the general settings. This will delete all remaining data, including your findings and configurations before relinquishing the service permissions and resetting the service.
What can Amazon GuardDuty detect?
GuardDuty Findings
Amazon GuardDuty | Security, Identity & Compliance
Amazon GuardDuty gives you access to built-in detection techniques that are developed and optimized for the cloud. The detection algorithms are maintained and continuously improved upon by AWS Security. The primary detection categories include:
Reconnaissance – Activity suggesting reconnaissance by an attacker, such as unusual API activity, intra-VPC port scanning, unusual patterns of failed login requests, or unblocked port probing from a known bad IP.
Instance compromise – Activity indicating an instance compromise, such as cryptocurrency mining, malware using domain generation algorithms (DGA), outbound denial of service activity, unusually high volume of network traffic, unusual network protocols, outbound instance communication with a known malicious IP, temporary Amazon EC2 credentials used by an external IP address, and data exfiltration using DNS.
Account compromise – Common patterns indicative of account compromise include API calls from an unusual geolocation or anonymizing proxy, attempts to disable AWS CloudTrail logging, unusual instance or infrastructure launches, infrastructure deployments in an unusual region, and API calls from known malicious IP addresses.
What is Amazon GuardDuty threat intelligence?
GuardDuty Findings
Amazon GuardDuty | Security, Identity & Compliance
Amazon GuardDuty threat intelligence is made up of IP addresses and domains known to be used by attackers. GuardDuty threat intelligence is provided by AWS Security and third party providers, such as Proofpoint and CrowdStrike. These threat intelligence feeds are pre-integrated and continuously updated in GuardDuty at no additional cost.
Can I supply my own threat intelligence?
GuardDuty Findings
Amazon GuardDuty | Security, Identity & Compliance
Yes. Amazon GuardDuty makes it easy to upload your own threat intelligence or IP safe list. When this feature is used, these lists are only applied to your account and not shared with other customers.
How do machine learning and behavioral anomaly detections work?
GuardDuty Findings
Amazon GuardDuty | Security, Identity & Compliance
The more advanced behavioral and machine learning detections take between 7 and 14 days to set a baseline of behavior in your account. After that time, the anomaly detections flip from a learning mode to an active mode. Once active, you will only see findings generated from these detections if the service observes behavior that suggests a threat.
How are security findings delivered?
GuardDuty Findings
Amazon GuardDuty | Security, Identity & Compliance
When a threat is detected, Amazon GuardDuty delivers a detailed security finding to the GuardDuty console and AWS CloudWatch Events. This makes alerts actionable and easy to integrate into existing event management or workflow systems. The findings include the category, resource affected, and meta-data associated with the resource, such as a severity level.
What is the format of Amazon GuardDuty findings?
GuardDuty Findings
Amazon GuardDuty | Security, Identity & Compliance
Amazon GuardDuty findings come in a common JSON format that is also used by Amazon Macie and Amazon Inspector. This makes it easy for customers and partners to consume security findings from all three services and incorporate them into broader event management, workflow, or security solutions.
How long are security findings made available in Amazon GuardDuty?
GuardDuty Findings
Amazon GuardDuty | Security, Identity & Compliance
Security findings are retained and made available through the Amazon GuardDuty console and APIs for 90-days. After 90-days, the findings are discarded. To retain findings for longer than 90-days, you can enable AWS CloudWatch Events to automatically push findings to an Amazon S3 bucket in your account or other data store for long-term retention.
Can I take automated preventative actions using Amazon GuardDuty?
GuardDuty Findings
Amazon GuardDuty | Security, Identity & Compliance
With Amazon GuardDuty, AWS CloudWatch Events, and AWS Lambda, you have the flexibility to set up automated preventative actions based on a security finding. For example, you can create a Lambda function to modify your AWS security group rules based on security findings. If you get a GuardDuty finding indicating one of your Amazon EC2 instances is being probed by a known malicious IP, you can address it through a CloudWatch Events rule that triggers a Lambda function to automatically modify your security group rules and restrict access on that port.
How are Amazon GuardDuty detections developed and managed?
GuardDuty Findings
Amazon GuardDuty | Security, Identity & Compliance
Amazon GuardDuty has a team focused on the development, management, and iteration of detections. This produces a steady cadence of new detections in the service and continuous iteration on existing detections. Several feedback mechanisms are built into the service, such as the thumbs up and thumbs down in each security finding found in the GuardDuty UI. This allows customers to provide feedback that is incorporated into future iterations of GuardDuty detections.
