AWS GuardDuty

Introduction

Amazon GuardDuty is a continuous security monitoring service that analyzes and processes the following data sources: -VPC Flow Logs

AWS CloudTrail event logs
DNS logs

Amazon GuardDuty uses threat intelligence feeds (such as lists of malicious IPs and domains) and machine learning to identify unexpected and potentially unauthorized and malicious activity within your AWS environment. This can include issues like escalations of privileges, uses of exposed credentials, or communication with malicious IPs, URLs, or domains.

For example, GuardDuty can detect compromised EC2 instances serving malware or mining bitcoin. It also monitors AWS account access behavior for signs of compromise, such as:

unauthorized infrastructure deployments
instances deployed in a region that has never been used
unusual API calls
password policy changes to reduce password strength

Note

Use the OpsRamp AWS public cloud integration to discover and collect metrics against the AWS service.

Setup

To set up the OpsRamp AWS integration and discover the AWS service, go to AWS Integration Discovery Profile and select GuardDuty.

Metrics


OpsRamp Metric	Metric Display Name	Unit	Aggregation Type	Description
n/a	n/a	n/a	n/a	n/a n/a.

Event support

CloudTrail event support

Supported (CreateIPSet, CreateThreatIntelSet, DeleteThreatIntelSet, DeleteIPSet)
Configurable in OpsRamp AWS Integration Discovery Profile.

CloudWatch alarm support

Not Supported

External reference

What is Amazon GuardDuty?