AWS GuardDuty

Self Service Ingestion

Connect this data source on your own, using the Hunters platform.

Table name: aws_guard_duty

Amazon GuardDuty is a threat detection service that continuously monitors AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation.

To connect AWS GuardDuty findings (logs):

  1. Follow this guide, specifically the Exporting findings to a bucket with the Console section, and configure the GuardDuty detector to export its findings to a destination S3 bucket. Note that the export publishes findings as they are generated or updated; updates to existing findings (for example a rising count or a later eventLastSeen) are written at the configured export frequency, so a finding in S3 can lag what the GuardDuty console shows.

  2. Once the export is configured and findings are arriving in the S3 bucket, follow the steps in this section to ingest them into the aws_guard_duty table.

Logs are expected in JSON format: each GuardDuty finding is a single JSON object (schemaVersion 2.0), as in the sample finding below.

{"schemaVersion":"2.0","accountId":"970461268677","region":"us-west-2","partition":"aws","id":"465645456646","arn":"arn:aws:guardduty:us-west-2:970461268677:detector/456455646/finding/46bf6fd104fe63890fa1f3f038a05929","type":"Discovery:IAMUser/AnomalousBehavior","resource":{"resourceType":"AccessKey","accessKeyDetails":{"accessKeyId":"465564646","principalId":"AIDA6D477ZLC7UL6QDWPB","userType":"IAMUser","userName":"script-readonlyuser"}},"service":{"serviceName":"guardduty","detectorId":"3eb8b0b0d507b3540dca10097c9751f9","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"api":"ListBuckets","serviceName":"s3.amazonaws.com","callerType":"Remote IP","remoteIpDetails":{"ipAddressV4":"1.1.1.1","organization":{"asn":"135823","asnOrg":"Apace Internet Pvt Ltd","isp":"Apace Internet Pvt","org":"Apace Internet Pvt"},"country":{"countryName":"India"},"city":{"cityName":"city"},"geoLocation":{"lat":28.6145,"lon":77.3063}},"affectedResources":{}}},"resourceRole":"TARGET","additionalInfo":{"userAgent":{"fullUserAgent":"[Boto3/1.20.49 Python/3.9.10 Darwin/21.3.0 Botocore/1.23.49 Resource]","userAgentCategory":"Botocore"},"anomalies":{"anomalousAPIs":"s3.amazonaws.com:[ListBuckets:success , GetBucketLifecycle:success]"},"profiledBehavior":{"rareProfiledAPIsAccountProfiling":"ListBuckets","infrequentProfiledAPIsAccountProfiling":"","frequentProfiledAPIsAccountProfiling":"GetIPSet , DescribeImages , ListTopics , ListRoles , GetBucketWebsite , DescribeReservedInstances , GetLifecyclePolicy , GetAccountSummary , DescribeScalingPolicies , DescribeAccountAttributes , DescribeSubnets , DescribeVolumes , DescribeAddresses , DescribeFileSystemPolicy , DescribeCustomerGateways , GetTopicAttributes , ListGroups , GetBucketTagging , DescribeLaunchConfigurations","rareProfiledAPIsUserIdentityProfiling":"DescribeNatGateways , DescribeRouteTables , ListWebACLs","infrequentProfiledAPIsUserIdentityProfiling":"","frequentProfiledAPIsUserIdentityProfiling":"","rareProfiledUserTypesAccountProfiling":"","infrequentProfiledUserTypesAccountProfiling":"","frequentProfiledUserTypesAccountProfiling":"IAM_USER , ASSUMED_ROLE , AWS_SERVICE , ROLE","rareProfiledUserNamesAccountProfiling":"","infrequentProfiledUserNamesAccountProfiling":"script-readonlyuser","frequentProfiledUserNamesAccountProfiling":"AWSServiceRoleForAutoScaling , AWSServiceRoleForSecurityHub , S3_Lambda_log_Optimization , Cloudhealth_CrossAccount , Insight-webportal-QA-WAFA-LambdaRoleReputationList-ZAHJOCZ9MI9Q , WAF-CloudFront-CloudFront-LambdaRoleReputationList-11JN8SB8FYO2M , Insight-API-Gateway-Stagi-LambdaRoleReputationList-1LAQ7NRYABCJM , lambda_execute , Insight-Devcom-QA-WAFACL-LambdaRoleReputationList-JZMUU1BDUKNC , Insight-Devcom-Staging-WA-LambdaRoleReputationList-1I4FXHWWBIIPM , Insight-Webportal-Staging-LambdaRoleReputationList-4YO2YLLYAVLM , Insight-Adminportal-QA-WA-LambdaRoleReputationList-1LLZ1AU9W5Q4H , QualysEC2Role , Netgear-WAFACL-AlbStack-2-LambdaRoleReputationList-12WKU4B2GRJVF , SNSSuccessFeedback , WAFSTGACL-LambdaRoleReputationListsParser-15RBTLDW2WR95 , EC2-CWLambdaLogs , Netgear-WAFSTGACL-AlbStac-LambdaRoleReputationList-W35SLH7FTM0M , logs.amazonaws.com","rareProfiledASNsAccountProfiling":"asnNumber: 58965 asnOrg: rttrtrrt BROADBAND SOLUTIONS PVT.LTD. asnNumber: 38266 asnOrg: Vodafone India Ltd. asnNumber: 132453 asnOrg: rtrt PLAY BROADBAND PRIVATE LIMITED asnNumber: 7922 asnOrg: rtrtrtrt-7922","infrequentProfiledASNsAccountProfiling":"asnNumber: 133982 asnOrg: Excitel Broadband Private Limited asnNumber: 18209 asnOrg: Atria Convergence Technologies pvt ltd","frequentProfiledASNsAccountProfiling":"asnNumber: 14618 asnOrg: AMAZON-AES asnNumber: 16509 asnOrg: AMAZON-02 asnNumber: 27385 asnOrg: QUALYS asnNumber: 24560 asnOrg: Bharti Airtel Ltd., Telemedia Services asnNumber: 45609 asnOrg: Bharti Airtel Ltd. AS for GPRS Service asnNumber: 55836 asnOrg: Reliance Jio Infocomm Limited asnNumber: 9498 asnOrg: BHARTI Airtel Ltd. asnNumber: 24309 asnOrg: Atria Convergence Technologies Pvt. Ltd. Broadband Internet Service Provider INDIA asnNumber: 45820 asnOrg: Tata Teleservices ISP AS asnNumber: 137650 asnOrg: Micronet It Services Private Limited","rareProfiledASNsUserIdentityProfiling":"asnNumber: 9498 asnOrg: fsdfds sfsf Ltd.","infrequentProfiledASNsUserIdentityProfiling":"asnNumber: 24560 asnOrg: Bharti Airtel Ltd., Telemedia Services","frequentProfiledASNsUserIdentityProfiling":"","rareProfiledUserAgentsAccountProfiling":"","infrequentProfiledUserAgentsAccountProfiling":"","frequentProfiledUserAgentsAccountProfiling":"aws-sdk-cloudformation , aws-sdk-cloudtrail , AWS Service , OTHER , aws-sdk-lambda , aws-sdk-emr , aws-sdk-configservice , aws-sdk-ec2 , Botocore , aws-sdk-efs , aws-internal/3 , aws-sdk-go , aws-sdk-elasticloadbalancingv2 , aws-sdk-elasticache , aws-sdk-kinesis , aws-sdk-java , aws-sdk-autoscaling , aws-sdk-dynamodb , aws-sdk-ruby2 , aws-sdk-nodejs","rareProfiledUserAgentsUserIdentityProfiling":"","infrequentProfiledUserAgentsUserIdentityProfiling":"Botocore","frequentProfiledUserAgentsUserIdentityProfiling":""},"unusualBehavior":{"unusualAPIsAccountProfiling":"","unusualAPIsUserIdentityProfiling":"ListBuckets , GetBucketLifecycle","unusualUserTypesAccountProfiling":"","unusualUserNamesAccountProfiling":"","unusualASNsAccountProfiling":"asnNumber: 135823 asnOrg: Apace Internet Pvt Ltd","unusualASNsUserIdentityProfiling":"asnNumber: 135823 asnOrg: Apace Internet Pvt Ltd","unusualUserAgentsAccountProfiling":"","unusualUserAgentsUserIdentityProfiling":"","isUnusualUserIdentity":"false"}},"eventFirstSeen":"2022-02-09T17:41:36.000Z","eventLastSeen":"2022-02-09T17:45:31.000Z","archived":false,"count":1},"severity":2,"createdAt":"2022-02-09T17:57:25.628Z","updatedAt":"2022-02-09T17:57:25.628Z","title":"User IAMUser : script-readonlyuser is anomalously invoking APIs commonly used in Discovery tactics.","description":"APIs commonly used in Discovery tactics were invoked by user IAMUser : script-readonlyuser, under anomalous circumstances. Such activity is not typically seen from this user."}
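The following is an added example of what a pipeline does with an exported GuardDuty object once it lands in the bucket; it is not Hunters' or AWS's code. It assumes the export objects are gzip-compressed JSON Lines with one schemaVersion 2.0 finding per line, and it uses a constructed, abridged copy of the finding above (same field paths) as input. It flattens each finding into the columns a detection table would carry (account, region, finding type split into its threat purpose, resource and family, severity band, the calling IAM principal, remote IP and ASN, and the anomalousAPIs string parsed into per-API outcomes), and it rejects rather than silently drops records that do not match the expected schema. The severity bands follow GuardDuty's documented ranges; the multi-service form of anomalousAPIs handled by the parser is an assumption beyond the single-service case shown on this page.

```python
"""Flatten Amazon GuardDuty findings exported to S3 into rows for a detection table.
Added example, not Hunters' or AWS's code. Assumed: export objects are gzip-compressed
JSON Lines (one schemaVersion 2.0 finding per line); SAMPLE_FINDING is a constructed,
abridged copy of the finding shown on this page, with the same field paths."""
import gzip
import json
import re
from typing import Any

SAMPLE_FINDING: dict[str, Any] = {  # constructed sample, abridged from the page's finding
    "schemaVersion": "2.0", "accountId": "970461268677", "region": "us-west-2",
    "id": "465645456646", "type": "Discovery:IAMUser/AnomalousBehavior", "severity": 2,
    "resource": {"resourceType": "AccessKey", "accessKeyDetails": {
        "principalId": "AIDA6D477ZLC7UL6QDWPB", "userType": "IAMUser", "userName": "script-readonlyuser"}},
    "service": {
        "action": {"actionType": "AWS_API_CALL", "awsApiCallAction": {
            "api": "ListBuckets", "serviceName": "s3.amazonaws.com",
            "remoteIpDetails": {"ipAddressV4": "1.1.1.1", "country": {"countryName": "India"},
                                "organization": {"asn": "135823", "asnOrg": "Apace Internet Pvt Ltd"}}}},
        "additionalInfo": {"anomalies": {
            "anomalousAPIs": "s3.amazonaws.com:[ListBuckets:success , GetBucketLifecycle:success]"}},
        "eventFirstSeen": "2022-02-09T17:41:36.000Z", "eventLastSeen": "2022-02-09T17:45:31.000Z",
        "archived": False, "count": 1},
}
REQUIRED_KEYS = ("schemaVersion", "accountId", "region", "id", "type", "severity", "service")


def severity_label(severity: float) -> str:
    """GuardDuty's documented bands: 1-3.9 low, 4-6.9 medium, 7-8.9 high, 9-10 critical."""
    for floor, label in ((9.0, "critical"), (7.0, "high"), (4.0, "medium"), (1.0, "low")):
        if severity >= floor:
            return label
    return "unknown"


def split_finding_type(finding_type: str) -> tuple[str, str, str]:
    """'Discovery:IAMUser/AnomalousBehavior' -> ('Discovery', 'IAMUser', 'AnomalousBehavior')."""
    purpose, _, rest = finding_type.partition(":")
    resource, _, family = rest.partition("/")
    return purpose, resource, family


def parse_anomalous_apis(raw: str) -> list[tuple[str, str, str]]:
    """Parse 'svc:[Api:outcome , Api:outcome]' into (service, api, outcome) tuples.
    Assumption: several services may appear, each as its own 'svc:[...]' group."""
    parsed = []
    for service, inner in re.findall(r"([\w.\-]+):\[([^\]]*)\]", raw):
        for item in inner.split(","):
            api, _, outcome = item.strip().partition(":")
            if api:
                parsed.append((service, api, outcome or "unknown"))
    return parsed


def flatten_finding(f: dict[str, Any]) -> dict[str, Any]:
    """Flatten one finding; reject records missing required keys or using another schema."""
    missing = [k for k in REQUIRED_KEYS if k not in f]
    if missing or f["schemaVersion"] != "2.0":
        raise ValueError(f"unsupported finding: missing={missing} schema={f.get('schemaVersion')}")
    purpose, resource_kind, family = split_finding_type(f["type"])
    svc = f["service"]
    api_action = svc.get("action", {}).get("awsApiCallAction", {})
    remote = api_action.get("remoteIpDetails", {})
    key_details = f.get("resource", {}).get("accessKeyDetails", {})
    return {
        "finding_id": f["id"], "account_id": f["accountId"], "region": f["region"],
        "type": f["type"], "threat_purpose": purpose, "resource_kind": resource_kind,
        "threat_family": family, "severity": float(f["severity"]),
        "severity_label": severity_label(float(f["severity"])),
        "resource_type": f.get("resource", {}).get("resourceType"),
        "user_name": key_details.get("userName"), "user_type": key_details.get("userType"),
        "api": api_action.get("api"), "remote_ip": remote.get("ipAddressV4"),
        "remote_asn": remote.get("organization", {}).get("asn"),
        "anomalous_apis": parse_anomalous_apis(
            svc.get("additionalInfo", {}).get("anomalies", {}).get("anomalousAPIs", "")),
        "count": svc.get("count"), "first_seen": svc.get("eventFirstSeen"),
        "last_seen": svc.get("eventLastSeen"), "archived": svc.get("archived", False),
    }


def parse_export_object(blob: bytes) -> tuple[list[dict[str, Any]], int]:
    """Flatten every finding in one export object (gzip or plain JSON Lines).
    Returns (rows, rejected count); surface the count, silently dropping findings hides breakage."""
    if blob[:2] == b"\x1f\x8b":  # gzip magic number
        blob = gzip.decompress(blob)
    rows, rejected = [], 0
    for line in filter(str.strip, blob.decode("utf-8").splitlines()):
        try:
            rows.append(flatten_finding(json.loads(line)))
        except (ValueError, KeyError, TypeError):  # json.JSONDecodeError is a ValueError
            rejected += 1
    return rows, rejected


def build_sample_object() -> bytes:
    """Constructed stand-in for one exported S3 object: two findings as gzip JSON Lines."""
    second = json.loads(json.dumps(SAMPLE_FINDING))
    second.update(id="sample-finding-2", type="CredentialAccess:IAMUser/AnomalousBehavior", severity=5)
    lines = "\n".join(json.dumps(x) for x in (SAMPLE_FINDING, second)) + "\n"
    return gzip.compress(lines.encode("utf-8"))


if __name__ == "__main__":
    for row in parse_export_object(build_sample_object())[0]:
        print(row["finding_id"], row["severity_label"], row["threat_purpose"], row["user_name"], row["anomalous_apis"])
```

Against a real bucket, the bytes passed to parse_export_object would come from the S3 object body; the rejected count is the value to alert on, since a schema change or a non-gzip object silently producing zero rows looks identical to a quiet day otherwise.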