AWS Guard Duty

Self Service Ingestion

Connect this data source on your own, using the Hunters platform.

Overview

Table name: aws_guard_duty

Amazon GuardDuty is a threat detection service that continuously monitors AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation.

Send data to Hunters

To connect Amazon GuardDuty findings:

  1. Follow the Exporting findings to a bucket with the Console section of the AWS GuardDuty documentation and ship the findings to a destination S3 bucket. The export requires a KMS key: the bucket policy must allow the guardduty.amazonaws.com service principal to write objects and the key policy must allow it to generate data keys, otherwise the export is created but nothing lands in the bucket. A publishing destination belongs to a detector, and detectors are per region, so configure the export in every region you monitor; a GuardDuty administrator account's destination also receives its member accounts' findings.

  2. Once the export is active and findings are arriving in S3, follow the steps in the Hunters S3 data collection section to point the collector at that bucket.
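A scripted equivalent of the console export setup, added here as an example; it is not Hunters or AWS code, and the bucket name, account ID, region and key ARN are placeholders. It builds the bucket policy and the KMS key-policy statement the export needs, pinned to one detector with aws:SourceAccount and aws:SourceArn so that no GuardDuty detector in another account can be pointed at the bucket, checks that pinning, and, when run with credentials, creates the publishing destination with boto3.

```python
"""Added example: script the GuardDuty-to-S3 export that the console guide walks through.
Not Hunters or AWS code; the names below are placeholders."""
import json

BUCKET = "hunters-guardduty-export"   # placeholder
ACCOUNT_ID = "111111111111"            # placeholder
REGION = "us-west-2"                   # placeholder
KMS_KEY_ARN = f"arn:aws:kms:{REGION}:{ACCOUNT_ID}:key/00000000-0000-0000-0000-000000000000"  # placeholder

GD_SERVICE = {"Service": "guardduty.amazonaws.com"}


def detector_scope(account_id: str, detector_arn: str) -> dict:
    """Condition that pins a service-principal grant to one detector.
    Without it, any GuardDuty detector in any AWS account could be configured
    to publish into this bucket (confused deputy)."""
    return {"StringEquals": {"aws:SourceAccount": account_id},
            "ArnLike": {"aws:SourceArn": detector_arn}}


def guardduty_bucket_policy(bucket: str, account_id: str, detector_arn: str, kms_key_arn: str) -> dict:
    scope = detector_scope(account_id, detector_arn)
    objects = f"arn:aws:s3:::{bucket}/*"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AllowGuardDutyGetBucketLocation", "Effect": "Allow", "Principal": GD_SERVICE,
         "Action": "s3:GetBucketLocation", "Resource": f"arn:aws:s3:::{bucket}", "Condition": scope},
        {"Sid": "AllowGuardDutyPutObject", "Effect": "Allow", "Principal": GD_SERVICE,
         "Action": "s3:PutObject", "Resource": objects, "Condition": scope},
        # GuardDuty must encrypt every object with exactly this key; refuse anything else.
        {"Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": GD_SERVICE,
         "Action": "s3:PutObject", "Resource": objects,
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
        {"Sid": "DenyWrongKmsKey", "Effect": "Deny", "Principal": GD_SERVICE,
         "Action": "s3:PutObject", "Resource": objects,
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption-aws-kms-key-id": kms_key_arn}}},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [f"arn:aws:s3:::{bucket}", objects],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ]}


def guardduty_kms_key_statement(account_id: str, detector_arn: str) -> dict:
    """Statement to add to the key policy; GenerateDataKey is all GuardDuty needs."""
    return {"Sid": "AllowGuardDutyGenerateDataKey", "Effect": "Allow", "Principal": GD_SERVICE,
            "Action": "kms:GenerateDataKey", "Resource": "*",
            "Condition": detector_scope(account_id, detector_arn)}


def unscoped_service_grants(policy: dict) -> list:
    """Sids of Allow statements for guardduty.amazonaws.com that lack aws:SourceArn."""
    bad = []
    for st in policy["Statement"]:
        principal = st.get("Principal")
        if st.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        if principal.get("Service") != "guardduty.amazonaws.com":
            continue
        if "aws:SourceArn" not in st.get("Condition", {}).get("ArnLike", {}):
            bad.append(st.get("Sid"))
    return bad


if __name__ == "__main__":
    import boto3  # only the live path needs AWS credentials

    gd = boto3.client("guardduty", region_name=REGION)
    detector_id = gd.list_detectors()["DetectorIds"][0]  # one detector per region
    detector_arn = f"arn:aws:guardduty:{REGION}:{ACCOUNT_ID}:detector/{detector_id}"

    policy = guardduty_bucket_policy(BUCKET, ACCOUNT_ID, detector_arn, KMS_KEY_ARN)
    assert not unscoped_service_grants(policy)
    boto3.client("s3").put_bucket_policy(Bucket=BUCKET, Policy=json.dumps(policy))
    # The key policy is replaced as a whole, so merge this statement into the existing one.
    print("add to the key policy:", json.dumps(guardduty_kms_key_statement(ACCOUNT_ID, detector_arn)))

    gd.create_publishing_destination(
        DetectorId=detector_id, DestinationType="S3",
        DestinationProperties={"DestinationArn": f"arn:aws:s3:::{BUCKET}", "KmsKeyArn": KMS_KEY_ARN})
```

Run the live part once per region, since each region has its own detector and publishing destination. The unscoped_service_grants check is worth keeping in CI for any bucket that accepts writes from a service principal: an Allow for guardduty.amazonaws.com with no SourceArn condition is the mistake that lets someone else's detector fill your bucket.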

Expected format

Findings are expected in JSON format: each record is one GuardDuty finding in the native finding schema (schemaVersion 2.0), exactly as written by the S3 export. A sample finding (account, detector and key identifiers are sample values):

{"schemaVersion":"2.0","accountId":"970461268677","region":"us-west-2","partition":"aws","id":"465645456646","arn":"arn:aws:guardduty:us-west-2:970461268677:detector/456455646/finding/46bf6fd104fe63890fa1f3f038a05929","type":"Discovery:IAMUser/AnomalousBehavior","resource":{"resourceType":"AccessKey","accessKeyDetails":{"accessKeyId":"465564646","principalId":"AIDA6D477ZLC7UL6QDWPB","userType":"IAMUser","userName":"script-readonlyuser"}},"service":{"serviceName":"guardduty","detectorId":"3eb8b0b0d507b3540dca10097c9751f9","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"api":"ListBuckets","serviceName":"s3.amazonaws.com","callerType":"Remote IP","remoteIpDetails":{"ipAddressV4":"1.1.1.1","organization":{"asn":"135823","asnOrg":"Apace Internet Pvt Ltd","isp":"Apace Internet Pvt","org":"Apace Internet Pvt"},"country":{"countryName":"India"},"city":{"cityName":"city"},"geoLocation":{"lat":28.6145,"lon":77.3063}},"affectedResources":{}}},"resourceRole":"TARGET","additionalInfo":{"userAgent":{"fullUserAgent":"[Boto3/1.20.49 Python/3.9.10 Darwin/21.3.0 Botocore/1.23.49 Resource]","userAgentCategory":"Botocore"},"anomalies":{"anomalousAPIs":"s3.amazonaws.com:[ListBuckets:success , GetBucketLifecycle:success]"},"profiledBehavior":{"rareProfiledAPIsAccountProfiling":"ListBuckets","infrequentProfiledAPIsAccountProfiling":"","frequentProfiledAPIsAccountProfiling":"GetIPSet , DescribeImages , ListTopics , ListRoles , GetBucketWebsite , DescribeReservedInstances , GetLifecyclePolicy , GetAccountSummary , DescribeScalingPolicies , DescribeAccountAttributes , DescribeSubnets , DescribeVolumes , DescribeAddresses , DescribeFileSystemPolicy , DescribeCustomerGateways , GetTopicAttributes , ListGroups , GetBucketTagging , DescribeLaunchConfigurations","rareProfiledAPIsUserIdentityProfiling":"DescribeNatGateways , DescribeRouteTables , ListWebACLs","infrequentProfiledAPIsUserIdentityProfiling":"","frequentProfiledAPIsUserIdentityProfiling":"","rareProfiledUserTypesAccountProfiling":"","infrequentProfiledUserTypesAccountProfiling":"","frequentProfiledUserTypesAccountProfiling":"IAM_USER , ASSUMED_ROLE , AWS_SERVICE , ROLE","rareProfiledUserNamesAccountProfiling":"","infrequentProfiledUserNamesAccountProfiling":"script-readonlyuser","frequentProfiledUserNamesAccountProfiling":"AWSServiceRoleForAutoScaling , AWSServiceRoleForSecurityHub , S3_Lambda_log_Optimization , Cloudhealth_CrossAccount , Insight-webportal-QA-WAFA-LambdaRoleReputationList-ZAHJOCZ9MI9Q , WAF-CloudFront-CloudFront-LambdaRoleReputationList-11JN8SB8FYO2M , Insight-API-Gateway-Stagi-LambdaRoleReputationList-1LAQ7NRYABCJM , lambda_execute , Insight-Devcom-QA-WAFACL-LambdaRoleReputationList-JZMUU1BDUKNC , Insight-Devcom-Staging-WA-LambdaRoleReputationList-1I4FXHWWBIIPM , Insight-Webportal-Staging-LambdaRoleReputationList-4YO2YLLYAVLM , Insight-Adminportal-QA-WA-LambdaRoleReputationList-1LLZ1AU9W5Q4H , QualysEC2Role , Netgear-WAFACL-AlbStack-2-LambdaRoleReputationList-12WKU4B2GRJVF , SNSSuccessFeedback , WAFSTGACL-LambdaRoleReputationListsParser-15RBTLDW2WR95 , EC2-CWLambdaLogs , Netgear-WAFSTGACL-AlbStac-LambdaRoleReputationList-W35SLH7FTM0M , logs.amazonaws.com","rareProfiledASNsAccountProfiling":"asnNumber: 58965 asnOrg: rttrtrrt BROADBAND SOLUTIONS PVT.LTD. asnNumber: 38266 asnOrg: Vodafone India Ltd. asnNumber: 132453 asnOrg: rtrt PLAY BROADBAND PRIVATE LIMITED asnNumber: 7922 asnOrg: rtrtrtrt-7922","infrequentProfiledASNsAccountProfiling":"asnNumber: 133982 asnOrg: Excitel Broadband Private Limited asnNumber: 18209 asnOrg: Atria Convergence Technologies pvt ltd","frequentProfiledASNsAccountProfiling":"asnNumber: 14618 asnOrg: AMAZON-AES asnNumber: 16509 asnOrg: AMAZON-02 asnNumber: 27385 asnOrg: QUALYS asnNumber: 24560 asnOrg: Bharti Airtel Ltd., Telemedia Services asnNumber: 45609 asnOrg: Bharti Airtel Ltd. AS for GPRS Service asnNumber: 55836 asnOrg: Reliance Jio Infocomm Limited asnNumber: 9498 asnOrg: BHARTI Airtel Ltd. asnNumber: 24309 asnOrg: Atria Convergence Technologies Pvt. Ltd. Broadband Internet Service Provider INDIA asnNumber: 45820 asnOrg: Tata Teleservices ISP AS asnNumber: 137650 asnOrg: Micronet It Services Private Limited","rareProfiledASNsUserIdentityProfiling":"asnNumber: 9498 asnOrg: fsdfds sfsf Ltd.","infrequentProfiledASNsUserIdentityProfiling":"asnNumber: 24560 asnOrg: Bharti Airtel Ltd., Telemedia Services","frequentProfiledASNsUserIdentityProfiling":"","rareProfiledUserAgentsAccountProfiling":"","infrequentProfiledUserAgentsAccountProfiling":"","frequentProfiledUserAgentsAccountProfiling":"aws-sdk-cloudformation , aws-sdk-cloudtrail , AWS Service , OTHER , aws-sdk-lambda , aws-sdk-emr , aws-sdk-configservice , aws-sdk-ec2 , Botocore , aws-sdk-efs , aws-internal/3 , aws-sdk-go , aws-sdk-elasticloadbalancingv2 , aws-sdk-elasticache , aws-sdk-kinesis , aws-sdk-java , aws-sdk-autoscaling , aws-sdk-dynamodb , aws-sdk-ruby2 , aws-sdk-nodejs","rareProfiledUserAgentsUserIdentityProfiling":"","infrequentProfiledUserAgentsUserIdentityProfiling":"Botocore","frequentProfiledUserAgentsUserIdentityProfiling":""},"unusualBehavior":{"unusualAPIsAccountProfiling":"","unusualAPIsUserIdentityProfiling":"ListBuckets , GetBucketLifecycle","unusualUserTypesAccountProfiling":"","unusualUserNamesAccountProfiling":"","unusualASNsAccountProfiling":"asnNumber: 135823 asnOrg: Apace Internet Pvt Ltd","unusualASNsUserIdentityProfiling":"asnNumber: 135823 asnOrg: Apace Internet Pvt Ltd","unusualUserAgentsAccountProfiling":"","unusualUserAgentsUserIdentityProfiling":"","isUnusualUserIdentity":"false"}},"eventFirstSeen":"2022-02-09T17:41:36.000Z","eventLastSeen":"2022-02-09T17:45:31.000Z","archived":false,"count":1},"severity":2,"createdAt":"2022-02-09T17:57:25.628Z","updatedAt":"2022-02-09T17:57:25.628Z","title":"User IAMUser : script-readonlyuser is anomalously invoking APIs commonly used in Discovery tactics.","description":"APIs commonly used in Discovery tactics were invoked by user IAMUser : script-readonlyuser, under anomalous circumstances. Such activity is not typically seen from this user."}
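The finding above carries more than the title suggests: the remote ASN is unusual for both the account and the identity, the resource is a static IAM access key, and the list-valued profiling fields are packed into strings with " , " as the separator. The parser below is an added example (not Hunters or AWS code) that reads an export object, plain or gzip-compressed JSON Lines, flattens each finding into the fields a detection would key on, and applies a triage rule that keeps Medium-and-above findings plus Low findings where an access key is used from an ASN never seen for that identity. The sample export is constructed inline: a trimmed copy of the finding shown above and a made-up, already archived EC2 finding with a network action, so the code is exercised on both action shapes.

```python
"""Added example: parse exported GuardDuty findings and triage them.
Not Hunters or AWS code; the sample export below is constructed for this example."""
import gzip
import json
from typing import Iterator

# Constructed sample: a trimmed copy of the finding on this page ...
FINDING_A = {
    "schemaVersion": "2.0", "accountId": "970461268677", "region": "us-west-2",
    "id": "46bf6fd104fe63890fa1f3f038a05929", "type": "Discovery:IAMUser/AnomalousBehavior",
    "resource": {"resourceType": "AccessKey", "accessKeyDetails": {
        "accessKeyId": "465564646", "userType": "IAMUser", "userName": "script-readonlyuser"}},
    "service": {"action": {"actionType": "AWS_API_CALL", "awsApiCallAction": {
                    "api": "ListBuckets", "serviceName": "s3.amazonaws.com",
                    "remoteIpDetails": {"ipAddressV4": "1.1.1.1",
                                        "organization": {"asn": "135823", "asnOrg": "Apace Internet Pvt Ltd"}}}},
                "additionalInfo": {"unusualBehavior": {
                    "unusualAPIsUserIdentityProfiling": "ListBuckets , GetBucketLifecycle",
                    "unusualASNsAccountProfiling": "asnNumber: 135823 asnOrg: Apace Internet Pvt Ltd",
                    "unusualASNsUserIdentityProfiling": "asnNumber: 135823 asnOrg: Apace Internet Pvt Ltd"}},
                "archived": False, "count": 1},
    "severity": 2, "updatedAt": "2022-02-09T17:57:25.628Z",
}
# ... and a made-up EC2 finding (network action, already archived) for contrast.
FINDING_B = {
    "schemaVersion": "2.0", "accountId": "970461268677", "region": "us-west-2",
    "id": "0000000000000000000000000000000b", "type": "UnauthorizedAccess:EC2/SSHBruteForce",
    "resource": {"resourceType": "Instance", "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
    "service": {"action": {"actionType": "NETWORK_CONNECTION", "networkConnectionAction": {
                    "connectionDirection": "INBOUND",
                    "remoteIpDetails": {"ipAddressV4": "203.0.113.9", "organization": {"asn": "64496"}}}},
                "archived": True, "count": 37},
    "severity": 5, "updatedAt": "2022-02-10T01:02:03.000Z",
}
# One finding per line, gzip-compressed, as an export object would be fetched from S3.
SAMPLE_EXPORT_GZ = gzip.compress("".join(json.dumps(f) + "\n" for f in (FINDING_A, FINDING_B)).encode())


def iter_findings(blob: bytes) -> Iterator[dict]:
    """Yield findings from an export object; accepts gzip or plain JSON Lines."""
    if blob[:2] == b"\x1f\x8b":          # gzip magic
        blob = gzip.decompress(blob)
    for line in blob.decode("utf-8").splitlines():
        if line.strip():
            yield json.loads(line)


def severity_label(score: float) -> str:
    """GuardDuty bands: 1.0-3.9 Low, 4.0-6.9 Medium, 7.0-8.9 High; 9.0+ is treated as Critical here."""
    if score < 4:
        return "Low"
    if score < 7:
        return "Medium"
    if score < 9:
        return "High"
    return "Critical"


def split_profile_list(packed: str) -> list:
    """GuardDuty packs lists into strings such as 'A , B'; '' means empty."""
    return [item.strip() for item in packed.split(",") if item.strip()]


def remote_ip_details(action: dict) -> dict:
    """remoteIpDetails sits under the action sub-object the finding type uses."""
    for key in ("awsApiCallAction", "networkConnectionAction"):
        sub = action.get(key)
        if sub and "remoteIpDetails" in sub:
            return sub["remoteIpDetails"]
    return {}


def normalize(finding: dict) -> dict:
    svc = finding.get("service", {})
    action = svc.get("action", {})
    ip = remote_ip_details(action)
    res = finding.get("resource", {})
    key = res.get("accessKeyDetails", {})
    unusual = svc.get("additionalInfo", {}).get("unusualBehavior", {})
    tactic, _, technique = finding["type"].partition(":")   # "Discovery:IAMUser/AnomalousBehavior"
    return {
        "id": finding["id"], "account": finding["accountId"], "region": finding["region"],
        "type": finding["type"], "tactic": tactic, "technique": technique,
        "severity": finding["severity"], "severity_label": severity_label(finding["severity"]),
        "archived": svc.get("archived", False), "count": svc.get("count", 1),
        "resource_type": res.get("resourceType"),
        "principal": key.get("userName") or res.get("instanceDetails", {}).get("instanceId"),
        "access_key_id": key.get("accessKeyId"),
        "api": action.get("awsApiCallAction", {}).get("api"),
        "remote_ip": ip.get("ipAddressV4"),
        "remote_asn": ip.get("organization", {}).get("asn"),
        "unusual_apis": split_profile_list(unusual.get("unusualAPIsUserIdentityProfiling", "")),
        "unusual_asn_for_identity": bool(unusual.get("unusualASNsUserIdentityProfiling")),
    }


def is_actionable(rec: dict) -> bool:
    """Drop archived findings; keep Medium+; keep Low when a static access key
    is used from an ASN GuardDuty has never profiled for that identity."""
    if rec["archived"]:
        return False
    if rec["severity"] >= 4:
        return True
    return rec["resource_type"] == "AccessKey" and rec["unusual_asn_for_identity"]


def triage(blob: bytes) -> list:
    return [rec for rec in map(normalize, iter_findings(blob)) if is_actionable(rec)]


if __name__ == "__main__":
    for rec in triage(SAMPLE_EXPORT_GZ):
        print(rec["severity_label"], rec["type"], rec["principal"], rec["remote_ip"], rec["unusual_apis"])
```

The archived flag and the count field matter for ingestion: GuardDuty updates an existing finding (bumping count and updatedAt) rather than emitting a new one when the same activity recurs, so dedupe on the finding id and keep the latest updatedAt rather than treating every exported line as a fresh event.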