AWS ‐ GuardDuty | Detective - FullstackCodingGuy/Developer-Fundamentals GitHub Wiki

GuardDuty is an intelligent threat detection service that continuously monitors your AWS environment. It analyzes millions, even billions, of events across your AWS account from sources such as CloudTrail, VPC Flow Logs and DNS logs, and surfaces potential threats.

It uses threat intelligence feeds (lists of known malicious IP addresses and domain names) together with machine learning that continuously monitors and models API invocations within an account, and it uses these to identify and mitigate potential threats.

You have to activate GuardDuty in your AWS account. From then on it continuously monitors your accounts and workloads, using that machine learning to detect threats, and it can mitigate threats automatically and provide you with findings for visibility and remediation.

Use cases of GuardDuty:

  • Improve visibility: get insight into things like compromised credentials and suspicious logins.
  • Enhance investigation: when you need metadata or details of the impacted resource, GuardDuty helps you find the root cause.
  • Detect malware: scan EBS volumes for malware files that may be used for malicious activity on your network.
  • Route security findings to a preferred operational tool, such as Security Hub or EventBridge.

In many cases the findings are routed on to such a tool, and automation and remediation are triggered based on them.
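An added example (not code from the wiki) of the routing step just described: a Lambda handler behind an EventBridge rule for GuardDuty findings that buckets each finding by GuardDuty's severity bands and extracts the affected resource. The finding is constructed sample data; the target names and the GuardDuty -> EventBridge -> Lambda wiring are assumptions.

```python
import json

# EventBridge rule pattern that matches every GuardDuty finding (assumed wiring:
# GuardDuty -> EventBridge rule -> this Lambda function).
EVENT_PATTERN = {"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"]}

# Assumed routing targets per severity band (names are placeholders).
TARGETS = {"HIGH": "incident-channel", "MEDIUM": "triage-queue", "LOW": "log-only"}


def severity_label(score: float) -> str:
    """Map GuardDuty's numeric 'severity' field to its Low/Medium/High bands."""
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"


def affected_resource(detail: dict) -> str:
    """Return a short identifier for the resource the finding is about."""
    res = detail.get("resource", {})
    kind = res.get("resourceType")
    if kind == "Instance":
        return "ec2:" + res["instanceDetails"]["instanceId"]
    if kind == "AccessKey":
        keys = res["accessKeyDetails"]
        return "iam:" + keys.get("userName", keys["accessKeyId"])
    return "unknown:" + str(kind)


def route_finding(event: dict) -> dict:
    """Decide where a finding goes; anything not from GuardDuty is ignored."""
    if event.get("source") != "aws.guardduty":
        return {"action": "ignore"}
    d = event["detail"]
    label = severity_label(float(d["severity"]))
    return {"action": "notify", "target": TARGETS[label], "severity": label,
            "finding_id": d["id"], "type": d["type"], "account": d["accountId"],
            "region": d["region"], "resource": affected_resource(d)}


def lambda_handler(event, context=None):
    decision = route_finding(event)
    print(json.dumps(decision))  # real deployment: publish to SNS / Security Hub
    return decision


# Constructed sample: EventBridge envelope carrying a GuardDuty finding.
SAMPLE_EVENT = {
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "detail": {"id": "finding-0001-example", "accountId": "111122223333",
               "region": "us-east-1", "severity": 8,
               "type": "UnauthorizedAccess:EC2/SSHBruteForce",
               "resource": {"resourceType": "Instance",
                            "instanceDetails": {"instanceId": "i-0123456789abcdef0"}}}}

if __name__ == "__main__":
    lambda_handler(SAMPLE_EVENT)
```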

Where does GuardDuty pull its data from?

AWS CloudTrail event logs

  • CloudTrail monitors and records every API call in your account, so GuardDuty analyzes CloudTrail event logs. These come in two kinds:

CloudTrail management events

  • Events relating to managing the account, for example logging in, logging out and invalid login attempts.

CloudTrail S3 data events

  • Object-level operations on S3, for example deleting images in a bucket. These are also a data source.

VPC flow logs

  • Capture information about the IP traffic going to and from the EC2 instances in your VPC.

DNS logs

  • If you use the AWS DNS resolvers for your EC2 instances (the default setting, so most of us do), GuardDuty can access and process your DNS request and response logs through the internal DNS resolvers. If you use other DNS resolvers, GuardDuty has no access to those logs, so this data source only applies when you use the AWS DNS resolvers.


Amazon Detective

Detective helps you identify and analyse security incidents and find their root cause.

  1. Activate Amazon Detective
  2. View and organize data
  3. Investigate findings
  4. Find the root cause
