401 Reading 19 - marsecguy/reading-notes-cyberops GitHub Wiki

Amazon GuardDuty

  1. What are some of the IoCs that GuardDuty can detect?

    • Escalation of privileges
    • Use of exposed credentials
    • Communication with malicious IP addresses or domains
    • Presence of malware
    • Unusual patterns of login events
  2. What are some of the data sources which GuardDuty can use?

    • AWS CloudTrail
    • VPC flow logs
    • DNS logs
  3. How does GuardDuty use access behavior to spot potential malicious activity?

    • It uses machine learning to establish a baseline of normal behavior, then flags events that fall outside that baseline.

Source: AWS
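
To make the baseline-then-deviation idea in item 3 concrete, here is an added example (not from the AWS page or the notes above) that builds a per-user baseline of login source IPs and hours from constructed CloudTrail ConsoleLogin records and flags later logins that fall outside it. It is a deliberate simplification using set membership; GuardDuty's own detection uses machine learning and is not reproduced here.

```python
"""Simplified baseline-then-deviation detection over CloudTrail ConsoleLogin
events. Illustration only: GuardDuty's real model is ML-based, this is not."""
from collections import defaultdict
from datetime import datetime

# Constructed sample ConsoleLogin records (fictional users and IPs).
EVENTS = [
    {"eventTime": "2024-05-01T08:02:11Z", "userName": "alice", "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2024-05-02T08:45:03Z", "userName": "alice", "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2024-05-03T09:10:27Z", "userName": "alice", "sourceIPAddress": "203.0.113.11"},
    {"eventTime": "2024-05-01T14:20:00Z", "userName": "bob",   "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2024-05-02T14:35:42Z", "userName": "bob",   "sourceIPAddress": "198.51.100.7"},
    # Evaluation window: events on or after CUTOFF are scored against the baseline.
    {"eventTime": "2024-05-06T08:30:00Z", "userName": "alice", "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2024-05-06T03:15:00Z", "userName": "alice", "sourceIPAddress": "192.0.2.55"},
    {"eventTime": "2024-05-06T14:05:00Z", "userName": "bob",   "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2024-05-06T12:00:00Z", "userName": "carol", "sourceIPAddress": "192.0.2.9"},
]
CUTOFF = datetime(2024, 5, 5)  # assumed split between learning and evaluation

def _ts(ev):
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def build_baseline(events, cutoff=CUTOFF):
    """Per-user set of source IPs and login hours observed before the cutoff."""
    baseline = defaultdict(lambda: {"ips": set(), "hours": set()})
    for ev in events:
        t = _ts(ev)
        if t < cutoff:
            baseline[ev["userName"]]["ips"].add(ev["sourceIPAddress"])
            baseline[ev["userName"]]["hours"].add(t.hour)
    return baseline

def find_deviations(events, baseline, cutoff=CUTOFF):
    """Return (user, eventTime, reasons) for logins at/after the cutoff that
    deviate from the user's baseline; hours within +/-1 of a seen hour pass."""
    flagged = []
    for ev in events:
        t = _ts(ev)
        if t < cutoff:
            continue
        user, ip = ev["userName"], ev["sourceIPAddress"]
        reasons = []
        if user not in baseline:  # never seen during learning: nothing to compare to
            reasons.append("no baseline for user")
        else:
            if ip not in baseline[user]["ips"]:
                reasons.append("new source IP")
            if not any(abs(t.hour - h) <= 1 for h in baseline[user]["hours"]):
                reasons.append("unusual hour")
        if reasons:
            flagged.append((user, ev["eventTime"], reasons))
    return flagged
```

Running `find_deviations(EVENTS, build_baseline(EVENTS))` flags alice's 03:15 login from a never-seen IP and carol's login with no baseline, while the routine alice and bob logins pass.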