Data Sources
- CloudTrail management events and S3 data events
- VPC Flow Logs (consumed by GuardDuty internally from an independent stream; you do not have to enable flow log delivery yourself)
- DNS logs (Route 53 Resolver queries)
- EKS audit logs and runtime monitoring
- Lambda network activity monitoring
Finding Categories
- Recon: port scanning, API enumeration
- UnauthorizedAccess: compromised credentials, unusual API calls
- Trojan/Backdoor: malware communication, C2 connections
- CryptoCurrency: mining activity
- Impact: resource hijacking, data destruction
Severity & Response
- High (7.0–8.9): immediate action needed
- Medium (4.0–6.9): investigate and potentially remediate
- Low (1.0–3.9): informational, may indicate early-stage attacks
- Findings → EventBridge → Lambda/Step Functions for automation
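An added example (not AWS code) of the automation path above: an EventBridge pattern that forwards only Medium and High findings, plus a Lambda handler that maps the finding's numeric severity to the tiers listed above and routes on it. The action names and the sample event's identifiers are hypothetical.

```python
import json

# Severity bands as GuardDuty documents them: Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9
SEVERITY_TIERS = (
    ("High", 7.0, 8.9),
    ("Medium", 4.0, 6.9),
    ("Low", 1.0, 3.9),
)

# EventBridge rule pattern: match GuardDuty findings of Medium severity or above,
# so Low findings stay informational and never reach the automation target.
EVENT_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 4.0]}]},
}

def severity_tier(score):
    """Map a numeric GuardDuty severity to its tier name."""
    for name, low, high in SEVERITY_TIERS:
        if low <= score <= high:
            return name
    return "Unknown"

def finding_category(finding_type):
    """'UnauthorizedAccess:IAMUser/...' -> 'UnauthorizedAccess' (prefix before the colon)."""
    return finding_type.split(":", 1)[0]

def route_finding(event):
    """Decide the response action for one finding event; action names are hypothetical."""
    detail = event["detail"]
    tier = severity_tier(float(detail["severity"]))
    action = {"High": "page-oncall", "Medium": "open-ticket"}.get(tier, "log-only")
    return {
        "id": detail["id"],
        "account": event["account"],
        "category": finding_category(detail["type"]),
        "tier": tier,
        "action": action,
    }

def lambda_handler(event, context):
    decision = route_finding(event)
    print(json.dumps(decision))  # lands in the Lambda's CloudWatch Logs
    return decision

# Constructed sample event: same shape EventBridge delivers, placeholder identifiers.
SAMPLE_EVENT = {"source": "aws.guardduty", "detail-type": "GuardDuty Finding", "account": "111122223333",
                "detail": {"id": "EXAMPLE-FINDING-ID", "severity": 8,
                           "type": "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS"}}
```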
Multi-Account
- Administrator account: manages member accounts (a delegated administrator designated by the Organizations management account)
- Findings from all members visible in administrator account
- Auto-enable for new accounts in Organization
- Trusted IP lists: suppress findings from known IPs
Practice GuardDuty Questions
Put your knowledge to the test with practice questions.