<h1 id="guardduty">GuardDuty<a aria-hidden="true" class="anchor-heading icon-link" href="#guardduty"></a></h1>
<p>Amazon GuardDuty is a continuous security monitoring service that can help identify unexpected, and possibly unauthorised or malicious, activity in <abbr title="Amazon Web Services">AWS</abbr> environments.</p>
<p>The service can identify issues like:</p>
<ul>
<li>Privilege escalation</li>
<li>Exposed credentials</li>
<li>Communication with malicious hosts</li>
<li>Compute instances mining cryptocurrency</li>
</ul>
<h1 id="concepts">Concepts<a aria-hidden="true" class="anchor-heading icon-link" href="#concepts"></a></h1>
<ul>
<li><strong>Member accounts</strong> are <abbr title="Amazon Web Services">AWS</abbr> accounts considered members of the GuardDuty service. Up to 5,000 member accounts can be added to a single GuardDuty administrator account.</li>
<li><strong>Detectors</strong> are regional objects that represent the GuardDuty service.</li>
<li><strong>Data sources</strong> provide data to the GuardDuty service for analysis.</li>
<li><strong>Findings</strong> are potential security issues identified during analysis.</li>
<li><strong>Suppression rules</strong> allow specific combinations of attributes to be excluded from findings.</li>
<li><strong>Trusted <abbr title="Internet Protocol">IP</abbr> lists</strong></li>
<li><strong>Threat lists</strong> are known-bad lists of <abbr title="Internet Protocol">IP</abbr> addresses and domains gathered through threat intelligence.</li>
</ul>
<h1 id="data-sources">Data sources<a aria-hidden="true" class="anchor-heading icon-link" href="#data-sources"></a></h1>
<p>The following data sources are ingested:</p>
<ul>
<li><a href="/notes/26afa666-55a1-4e6d-baab-d158fd6d8080">CloudTrail</a>:
<ul>
<li>Event Logs</li>
<li>Management Events</li>
<li><a href="/notes/0e7fb4d2-045e-45d7-a27a-adc8580d02ea">S3</a> Data Events</li>
</ul>
</li>
<li><a href="/notes/8b9ee242-c381-4f4e-ac83-e371b0a6f69c">VPC</a> Flow Logs</li>
<li><abbr title="Domain Name System">DNS</abbr> logs from the <abbr title="Amazon Web Services">AWS</abbr> resolver service</li>
</ul>
<hr>
<strong>Backlinks</strong>
<ul>
<li><a href="/notes/3259dce8-e5c5-4866-899e-3ed2dc7f43cc">Macie (public)</a></li>
<li><a href="/notes/1635c404-b008-4023-b648-397650853e16">Security Hub (public)</a></li>
</ul>

GuardDuty


![Digital brain](assets/images/logo.svg){display: block, margin: 0 auto, max-height: 50vh}

Hi, I'm Luke 👋

I'm a software engineer turned site reliability engineer. I'm currently big on knowledge management and learning.

# Find me elsewhere

- [👨‍💻 DEV](https://dev.to/lukecarrier)
- [🚢 GitHub](https://github.com/LukeCarrier)
- [👔 LinkedIn](https://www.linkedin.com/in/lukecarrier/)
- [📄 Résumé](https://github.com/LukeCarrier/resume)
