Questions tagged [amazon-guardduty]

Amazon GuardDuty is a continuous security monitoring service that analyzes and processes the following data sources: VPC Flow Logs, AWS CloudTrail management event logs, CloudTrail S3 data event logs, and DNS logs. It uses threat intelligence feeds, such as lists of malicious IP addresses and domains, together with machine learning to identify unexpected, potentially unauthorized and malicious activity within the AWS environment.

See: What is Amazon GuardDuty?
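The threat-list part of the description above, reduced to a runnable sketch: GuardDuty compares the source and destination addresses in VPC Flow Log records against its threat intelligence (including custom threat lists, which are plain-text files of IPs or CIDRs uploaded to S3 and registered as a ThreatIntelSet). This is an added example written for this page, not AWS code and not from any of the questions; the flow log records, the threat-list entries and the helper names are all constructed for illustration.

```python
"""Added example (not from this page's tag wiki, AWS, or any question below):
a miniature of the threat-list check GuardDuty applies to VPC Flow Logs.
All log lines, threat entries and helper names here are constructed."""
import ipaddress
from typing import Dict, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed custom threat list in the plain-text IP/CIDR form GuardDuty accepts.
THREAT_LIST = """
# constructed: a single scanner host
198.51.100.7
# constructed: a hostile range
203.0.113.0/24
"""

# Constructed VPC Flow Log records in the default (version 2) field order:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
FLOW_LOG_LINES = [
    "2 123456789012 eni-0a1b2c3d 10.0.1.25 198.51.100.7 49152 443 6 12 2048 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.25 93.184.216.34 49153 443 6 8 1024 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 203.0.113.45 10.0.1.25 55123 22 6 3 180 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA",
]


def load_threat_list(text: str) -> List[Network]:
    """Parse IPs/CIDRs, ignoring blank lines and '#' comments; a bare IP becomes a /32 or /128."""
    nets: List[Network] = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def is_listed(addr: str, nets: List[Network]) -> bool:
    """True when addr falls inside any listed network; non-addresses such as '-' never match."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in nets)


def match_flow_logs(lines: List[str], nets: List[Network]) -> List[Dict[str, str]]:
    """Return one hit per flow record whose source or destination is on the threat list.

    Records whose log-status is not OK (NODATA/SKIPDATA) carry no addresses and are skipped.
    The direction is judged from the record: a listed destination means the instance
    initiated the flow, a listed source means something on the list reached for it.
    """
    hits: List[Dict[str, str]] = []
    for line in lines:
        f = line.split()
        if len(f) < 14 or f[13] != "OK":
            continue
        eni, src, dst, action = f[2], f[3], f[4], f[12]
        if is_listed(dst, nets):
            hits.append({"eni": eni, "remote": dst, "direction": "outbound", "action": action})
        elif is_listed(src, nets):
            hits.append({"eni": eni, "remote": src, "direction": "inbound", "action": action})
    return hits


if __name__ == "__main__":
    for hit in match_flow_logs(FLOW_LOG_LINES, load_threat_list(THREAT_LIST)):
        print(hit)
```

The first hit, an ACCEPTed outbound flow from an instance's ENI to a listed address, is the shape of activity behind the "An EC2 instance is making connections to an IP address on a custom threat list" description quoted in the UnauthorizedAccess:EC2/MaliciousIPCaller.Custom question further down; the match only establishes that a flow to that address was recorded, not what was carried over it, so the instance itself still has to be examined. The third hit shows why keeping the action field matters: a REJECTed inbound flow from a listed range is a probe that the security group already stopped.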

19 questions
2 votes, 3 answers

How to Detect Someone Erasing Cloudtrail Logs

I'd like to monitor for anyone trying to erase logs from my CloudTrail's S3 bucket. I have tried deleting one of the logs on this bucket myself with my own IAM user, but CloudTrail itself didn't seem to notice I have erased an object from its…
2 votes, 1 answer

Identify AWS IAM user that assumed an IAM role

I'm working on a system that receives new findings from Amazon GuardDuty. Most access in our organization is delegated to IAM roles instead of directly to users, so the findings usually result from the actions of assumed roles, and the actor…
Nic
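On the question above, attributing a finding whose actor is an assumed role to the principal that assumed it: the session's temporary access key is recorded in the CloudTrail AssumeRole event that issued it, so the finding's access key ID can be walked back through those events, including role chaining, until a non-role caller is reached. The following is an added example written for this page, not code from the question, its answer, or AWS; the finding, the CloudTrail events and the helper names are constructed, using the field names the GuardDuty GetFindings API and CloudTrail use for these fields.

```python
"""Added example (not from the question above, its answer, or AWS): walk a
GuardDuty finding's access key back through CloudTrail AssumeRole events to
the IAM principal that started the session chain. All records are constructed."""
from typing import Dict, List, Optional

# Constructed GuardDuty finding, abridged to the access-key fields the lookup uses.
# GetFindings returns these keys in PascalCase as shown; findings delivered through
# EventBridge use camelCase ("accessKeyDetails"), so adapt the path for that source.
FINDING = {
    "Id": "constructed-finding-id",
    "Type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom",
    "Resource": {
        "ResourceType": "AccessKey",
        "AccessKeyDetails": {
            "AccessKeyId": "ASIAEXAMPLEKEY000002",
            "PrincipalId": "AROAEXAMPLEDEPLOY:deploy-session",
            "UserName": "DeployRole",
            "UserType": "AssumedRole",
        },
    },
}

# Constructed CloudTrail events from sts.amazonaws.com. A role session's temporary
# access key appears in responseElements.credentials.accessKeyId of the AssumeRole*
# call that issued it, and userIdentity names whoever made that call.
ASSUME_ROLE_EVENTS: List[Dict] = [
    {   # alice (IAM user) assumes RoleOne
        "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRole",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::123456789012:user/alice",
                         "accessKeyId": "AKIAEXAMPLELONGTERM1"},
        "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/RoleOne",
                              "roleSessionName": "alice-cli"},
        "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLEKEY000001"}},
    },
    {   # the RoleOne session chains into DeployRole, whose key is the one in the finding
        "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRole",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/RoleOne/alice-cli",
                         "accessKeyId": "ASIAEXAMPLEKEY000001"},
        "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/DeployRole",
                              "roleSessionName": "deploy-session"},
        "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLEKEY000002"}},
    },
]


def issuing_event(access_key_id: str, events: List[Dict]) -> Optional[Dict]:
    """Find the STS AssumeRole / AssumeRoleWithSAML / AssumeRoleWithWebIdentity event that issued a key."""
    for ev in events:
        if ev.get("eventSource") != "sts.amazonaws.com":
            continue
        if not str(ev.get("eventName", "")).startswith("AssumeRole"):
            continue
        creds = (ev.get("responseElements") or {}).get("credentials") or {}
        if creds.get("accessKeyId") == access_key_id:
            return ev
    return None


def attribute_finding(finding: Dict, events: List[Dict]) -> Dict:
    """Walk the AssumeRole chain from the finding's access key back to a non-role caller.

    Returns the originating principal (None if the chain breaks) and the role hops,
    outermost first. The 'seen' set guards against malformed data that loops.
    """
    details = finding.get("Resource", {}).get("AccessKeyDetails", {})
    if details.get("UserType") != "AssumedRole":
        # The finding already names a user or root credential; nothing to unwind.
        return {"principal": details.get("UserName"),
                "principal_type": details.get("UserType"), "chain": []}

    chain: List[Dict[str, str]] = []
    key = details.get("AccessKeyId")
    seen = set()
    while key and key not in seen:
        seen.add(key)
        ev = issuing_event(key, events)
        if ev is None:
            break  # no AssumeRole event retained for this key: chain unresolved
        caller = ev["userIdentity"]
        # SAML/web-identity callers carry userName/principalId rather than an arn.
        who = caller.get("arn") or caller.get("userName") or caller.get("principalId")
        chain.append({"role": ev["requestParameters"]["roleArn"],
                      "session": ev["requestParameters"]["roleSessionName"],
                      "caller": str(who)})
        if caller.get("type") != "AssumedRole":
            return {"principal": who, "principal_type": caller.get("type"), "chain": chain}
        key = caller.get("accessKeyId")  # role chaining: follow the caller's own session key
    return {"principal": None, "principal_type": None, "chain": chain, "unresolved_key": key}


if __name__ == "__main__":
    print(attribute_finding(FINDING, ASSUME_ROLE_EVENTS))
```

Correlating on the access key ID rather than on the session name is deliberate: the session name is chosen by the caller and can be reused or spoofed, while the temporary key is unique to the session. The lookup can only succeed if the AssumeRole events are still available, so the CloudTrail retention window (or an Athena table over the trail's S3 bucket) bounds how far back a finding can be attributed.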
1 vote, 1 answer

AWS GuardDuty: "There was a problem fetching your GuardDuty detector ID"

I want to use AWS GuardDuty for a project, but I get this error each time I try to access it: There was a problem fetching your GuardDuty detector ID. Please refresh the page in your browser. What might be the cause of this error?
Quail
1 vote, 1 answer

AWS CloudTrail Insights vs GuardDuty

CloudTrail Insights identifies anomalies in CloudTrail events, and CloudTrail events are one of the inputs to GuardDuty. It looks like both CloudTrail Insights and GuardDuty provide a similar service. I would like to know the…
Praveen Sripati
1 vote, 1 answer

Terraform 0.15 - Multiple Providers / Regions and GuardDuty

I'm trying to deploy AWS GuardDuty using Organizations to multiple regions. In my root config I've created the following provider: # If I remove this default provider I get prompted for a region provider "aws" { profile =…
1 vote, 1 answer

Monitoring Guardduty findings using CloudWatch

I have been trying to find a way to use AWS CloudWatch to monitor GuardDuty findings. It looks like there is no simple way to integrate the two services? So far, I have only been able to create an SNS topic and have it send me an email based on…
1 vote, 1 answer

map[string]*type "invalid memory address or nil pointer dereference"

When I try to access the struct field I get an error: invalid memory address or nil pointer dereference. gdreport/main.go:30 +0x1e6 I have no clue about the error; here is my code: var strPtr []*string var findingId []string =…
Khaedir
1 vote, 1 answer

AccessDeniedException (caller is not authorized to call API) using AWS GuardDuty

AWS Lambda and the CLI both returned "InternalServerErrorException: An error occurred (InternalServerErrorException) when calling the UpdateThreatIntelSet operation: The request is rejected because the caller is not authorized to call this API." IAM…
Lee.Tan
0 votes, 1 answer

GuardDuty malware protection scans

I am planning to use GuardDuty Malware Protection on our EC2 instances. As per the docs, there are two types of scans: GuardDuty-initiated scans and on-demand scans. My question is: is having snapshots of the attached EBS volumes an absolute…
0 votes, 1 answer

AWS GuardDuty: UnauthorizedAccess:EC2/MaliciousIPCaller.Custom = probe/attempt OR breach?

I get this AWS GuardDuty warning: UnauthorizedAccess:EC2/MaliciousIPCaller.Custom An EC2 instance is making connections to an IP address on a custom threat list. Default severity: Medium The above warning seems to imply that an attacker was…
Pierre
0 votes, 0 answers

AWS Security Hub API does not return Latitude and Longitudes

I am working on a project which needs to display the identified AWS security threats on a globe. They have specifically asked to use the Security Hub API to get the threats identified by GuardDuty, Firewall etc. by integrating them into Security Hub. We were…
Dulanjali
0 votes, 0 answers

AWS GuardDuty cost too high due to CloudTrail events analyzed

In my monthly AWS account bill, GuardDuty shows that it analyzed around 1 million CloudTrail events in the month, but when I downloaded the CSV with all the events for the month, the row count is only close to 400,000. And this is a repeating pattern…
0 votes, 1 answer

Is it possible to block malicious domains in AWS by adding them in Threat List?

I am trying to block malicious domains through AWS GuardDuty which were being queried by some of the EC2 instances. During some research I found out that we can only block IP addresses by adding them to a threat list, not domains. So, is there any…
0 votes, 0 answers

Dynamically Creating nested models in Pydantic

I'm trying to parse AWS GuardDuty JSON data; however, some nested data fields are finding-specific. Is there a way of doing something like this in pydantic: from pydantic import BaseModel from pydantic.main import create_model class…
0 votes, 0 answers

GuardDuty not able to detect attacks from outside AWS

I am trying to test GuardDuty by pulling off a brute-force attack on a Windows target EC2 host from my local Windows machine (outside AWS) using RDP. What I can see is that no findings are getting created in the GuardDuty console, even though I tried…
jayendra bhatt