
AWS GuardDuty

x Mindflow

AWS GuardDuty was integrated by Mindflow to enable users to automate their incident management and better protect their information system.

AWS GuardDuty Overview

AWS GuardDuty is a threat detection service available in the AWS stack. It continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts, EC2 workloads, container applications, and data stored in Amazon S3.

To that end, AWS GuardDuty combines machine learning, anomaly detection, network monitoring, and malicious file discovery, drawing on both AWS-developed and industry-leading third-party threat intelligence sources to help protect workloads and data on AWS.

GuardDuty analyzes events across multiple AWS data sources (CloudTrail event logs, Amazon VPC Flow Logs, Amazon EKS audit logs, and DNS query logs).

GuardDuty then identifies unusual activity within your accounts, analyzes its security relevance, provides the context in which it occurred, and assigns a severity. Analysts can thus decide whether further investigation is warranted.


Finally, the required response actions can be automated by integrating with other AWS services: AWS Security Hub, Amazon EventBridge, AWS Lambda, and AWS Step Functions. If further investigation is needed, Amazon Detective is also integrated with GuardDuty.

As GuardDuty is also manageable via HTTPS APIs, Mindflow users can orchestrate actions and links to the services mentioned above from Mindflow’s platform.

Benefits

Accurate, account-level threat detection

Detect signs of account compromise, such as AWS resource access from unusual geolocation at an atypical time of day. For programmatic AWS accounts, GuardDuty checks for unusual API calls, such as attempts to obscure account activity by disabling CloudTrail logging or taking snapshots of a database from a malicious IP address.

Continuous monitoring across AWS accounts

AWS GuardDuty continuously monitors and analyzes your AWS account and workload event data found in AWS CloudTrail, VPC Flow Logs, and DNS logs. When managed from a delegated administrator account, findings from all member accounts are aggregated in one place instead of being handled on an account-by-account basis.

Threat detections developed and optimized for the cloud

Reconnaissance: unusual API activity, intra-VPC port scanning, unusual failed login request patterns, or unblocked port probing from a known bad IP.

Instance compromise: cryptocurrency mining, C&C activity, malware using domain generation algorithms, outbound DoS activity, unusually high network traffic volume, unusual network protocols, outbound instance communication with a known malicious IP, temporary EC2 credentials used by an external IP address, and data exfiltration using DNS.

Account compromise: API calls from unusual geolocation or anonymizing proxy, attempts to disable CloudTrail logging, changes weakening account password policy, unusual instance or infrastructure launches, infrastructure deployments in an unusual region, and API calls from known malicious IP addresses.

Bucket compromise: suspicious data access patterns indicating credential misuse, unusual AWS S3 API activity from a remote host, unauthorized S3 access from known malicious IP addresses, and API calls to retrieve data in S3 buckets from a user with no prior history of accessing the bucket or invoked from an unusual location.

Threat severity levels for efficient prioritization

Three severity levels (Low, Medium, and High) are available to prioritize your response. Each finding also carries a numeric severity score (1.0 to 3.9 is Low, 4.0 to 6.9 is Medium, 7.0 to 8.9 is High), which is the value automation typically filters on.
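The automation described above (GuardDuty publishing findings to EventBridge, a Lambda or orchestration step deciding what to do) and the severity bands in this section come together in the following added example. It is not Mindflow's or AWS's own code. It assumes the EventBridge envelope GuardDuty uses for "GuardDuty Finding" events (source "aws.guardduty") and the finding fields GuardDuty documents (severity, type, resource, service); the response policy that maps a severity band and resource type to an action name is an assumption chosen for illustration, and the sample event is constructed, not a real finding.

```python
"""Triage of a GuardDuty finding delivered through Amazon EventBridge.

Added example, not Mindflow's or AWS's code. The event shape follows the
GuardDuty -> EventBridge integration; the response policy is assumed.
"""
import json
from dataclasses import dataclass, field, asdict
from typing import Optional


def severity_label(score: float) -> str:
    """Map GuardDuty's numeric severity to its console label.

    GuardDuty reports severity as a number: 1.0-3.9 Low, 4.0-6.9 Medium,
    7.0-8.9 High. Anything below 1.0 is treated here as unclassified.
    """
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score >= 1.0:
        return "Low"
    return "Unknown"


@dataclass
class TriageDecision:
    finding_id: str
    finding_type: str
    severity: str
    action: str
    targets: list = field(default_factory=list)
    remote_ip: Optional[str] = None


def is_guardduty_finding(event: dict) -> bool:
    """Accept only the event shape GuardDuty publishes to EventBridge."""
    return (event.get("source") == "aws.guardduty"
            and event.get("detail-type") == "GuardDuty Finding")


def affected_targets(finding: dict) -> list:
    """Identifiers an automated response would act on, by resource type."""
    resource = finding.get("resource", {})
    rtype = resource.get("resourceType")
    if rtype == "Instance":
        return [resource["instanceDetails"]["instanceId"]]
    if rtype == "AccessKey":
        return [resource["accessKeyDetails"]["accessKeyId"]]
    if rtype == "S3Bucket":
        return [b["name"] for b in resource.get("s3BucketDetails", [])]
    return []


def remote_ip(finding: dict) -> Optional[str]:
    """Remote IPv4 address for network or API-call actions, if present."""
    action = finding.get("service", {}).get("action", {})
    for key in ("networkConnectionAction", "awsApiCallAction"):
        ip = action.get(key, {}).get("remoteIpDetails", {}).get("ipAddressV4")
        if ip:
            return ip
    return None


def choose_action(severity: str, finding: dict) -> str:
    """Assumed response policy: severity band and resource type pick the action."""
    rtype = finding.get("resource", {}).get("resourceType")
    if severity == "High" and rtype == "Instance":
        return "isolate-instance"      # e.g. swap to a quarantine security group
    if severity == "High" and rtype == "AccessKey":
        return "disable-access-key"    # e.g. set the IAM key to Inactive
    if severity in ("High", "Medium"):
        return "open-incident-ticket"
    return "log-only"


def triage(event: dict) -> TriageDecision:
    if not is_guardduty_finding(event):
        raise ValueError("not a GuardDuty finding event")
    finding = event["detail"]
    label = severity_label(float(finding["severity"]))
    return TriageDecision(
        finding_id=finding["id"],
        finding_type=finding["type"],
        severity=label,
        action=choose_action(label, finding),
        targets=affected_targets(finding),
        remote_ip=remote_ip(finding),
    )


def lambda_handler(event: dict, context=None) -> dict:
    """Lambda-style entry point; returns the decision as a plain dict.

    A real deployment would dispatch `action` to a Lambda, Step Functions
    state machine or Mindflow workflow; here it is only returned.
    """
    return asdict(triage(event))


# Constructed sample: an EC2 instance connecting outbound to a known C&C host.
SAMPLE_EVENT = {
    "version": "0",
    "id": "00000000-0000-0000-0000-000000000000",
    "detail-type": "GuardDuty Finding",
    "source": "aws.guardduty",
    "account": "111122223333",
    "region": "us-east-1",
    "detail": {
        "id": "example-finding-id",
        "accountId": "111122223333",
        "type": "Backdoor:EC2/C&CActivity.B",
        "severity": 8,
        "title": "EC2 instance is communicating with a known command and control server.",
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
        "service": {"serviceName": "guardduty",
                    "action": {"actionType": "NETWORK_CONNECTION",
                               "networkConnectionAction": {
                                   "connectionDirection": "OUTBOUND",
                                   "remoteIpDetails": {"ipAddressV4": "198.51.100.23"}}}},
    },
}

if __name__ == "__main__":
    print(json.dumps(lambda_handler(SAMPLE_EVENT), indent=2))
```

The handler rejects anything that is not a GuardDuty finding event, so a misconfigured EventBridge rule that forwards unrelated events cannot trigger a response action; the `targets` and `remote_ip` fields are what a downstream step (quarantine security group, key deactivation, firewall block) would consume.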

Deployment with no additional software or infrastructure

You can enable AWS GuardDuty on a single account through the AWS Management Console or with a single API call (CreateDetector with Enable set to true). With a few more clicks in the console, you can enable GuardDuty across multiple accounts.

Want to enhance your service with orchestration and automation capabilities? Get in touch with our partner team.
