Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your cloud environment. With Amazon GuardDuty you now have an intelligent and cost-effective option for continuous threat detection in AWS. The service uses machine learning, anomaly detection, and integrated threat intelligence to identify and prioritize potential threats. GuardDuty analyzes tens of billions of events across multiple AWS data sources, such as AWS CloudTrail event logs, Amazon VPC Flow Logs, and DNS logs. Typically, we use Amazon GuardDuty for customers who require a higher level of security, such as payment providers or highly frequented portals and stores.
Common use cases
Amazon GuardDuty is mainly used in environments with very high security requirements. These include environments that are operated in the context of PCI-DSS. Amazon GuardDuty classifies findings into different severity levels, which are structured as follows:
High (8.9 - 7.0): A High severity level indicates that the resource in question (an EC2 instance or a set of IAM user credentials) is compromised and is actively being used for unauthorized purposes.
Medium (6.9 - 4.0): A Medium severity level indicates suspicious activity that deviates from normally observed behavior and, depending on your use case, may be indicative of a resource compromise.
Low (3.9 - 1.0): A Low severity level indicates attempted suspicious activity that did not compromise your network, for example, a port scan or a failed intrusion attempt.
If we are alerted by Amazon GuardDuty, we will evaluate the finding and contact the customer to discuss the next steps. In any case, close cooperation is required. Depending on the severity, we will take initial steps to ensure the security of the environment. This includes, for example, blocking IPs or isolating components of the environment, possibly causing disruptions to the application. We can also be asked to perform more in-depth analyses as a Professional Service.
In our standard configuration, Amazon GuardDuty alerts on the severity levels Medium and High.
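As an added example (not code from the original page or from AWS), the following Python maps the numeric severity of a GuardDuty finding to the three levels above and applies the standard configuration, alerting only on Medium and High. The events are constructed samples in the EventBridge shape GuardDuty emits; the threshold and band boundaries are taken from the text.

```python
"""Classify GuardDuty findings by severity band and decide whether to alert.
Added example, not part of the original page: bands and the Medium/High
alert policy come from the text, the sample events are constructed."""

# Lower bound of each band, checked highest first (from the page's table).
SEVERITY_BANDS = (("High", 7.0), ("Medium", 4.0), ("Low", 1.0))

# Standard configuration: alert on Medium and High, i.e. severity >= 4.0.
ALERT_THRESHOLD = 4.0


def severity_level(score):
    """Map a numeric GuardDuty severity (1.0-8.9) to its named level."""
    if not 1.0 <= score <= 8.9:
        raise ValueError(f"severity outside GuardDuty range: {score}")
    for name, lower in SEVERITY_BANDS:
        if score >= lower:
            return name
    raise AssertionError("unreachable: score below the Low band")


def should_alert(event, threshold=ALERT_THRESHOLD):
    """True when an EventBridge event is a GuardDuty finding at or above threshold."""
    if event.get("source") != "aws.guardduty":
        return False  # ignore unrelated events routed to the same rule
    severity = float(event.get("detail", {}).get("severity", 0))
    return severity >= threshold


def triage(events):
    """Return (finding type, level) for every event that should page someone."""
    hits = []
    for event in events:
        if should_alert(event):
            detail = event["detail"]
            hits.append((detail["type"], severity_level(float(detail["severity"]))))
    return hits


# Constructed sample events (values made up for illustration).
SAMPLE_EVENTS = [
    {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
     "detail": {"severity": 8, "type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller"}},
    {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
     "detail": {"severity": 5, "type": "Recon:EC2/PortProbeUnprotectedPort"}},
    {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
     "detail": {"severity": 2, "type": "Recon:EC2/Portscan"}},
    {"source": "aws.ec2", "detail-type": "EC2 Instance State-change Notification",
     "detail": {"state": "running"}},
]

if __name__ == "__main__":
    for finding_type, level in triage(SAMPLE_EVENTS):
        print(f"ALERT [{level}] {finding_type}")
```

The Low-severity port scan is classified but not alerted on, matching the standard configuration; lowering the threshold to 1.0 would surface it as well.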