Introduction

Amazon GuardDuty is a continuous security monitoring service that analyzes and processes the following data sources:

  • VPC Flow Logs
  • AWS CloudTrail event logs
  • DNS logs

Amazon GuardDuty uses threat intelligence feeds (such as lists of malicious IPs and domains) and machine learning to identify unexpected, potentially unauthorized, and malicious activity within your AWS environment. This can include issues like privilege escalation, use of exposed credentials, or communication with malicious IPs, URLs, or domains.

For example, GuardDuty can detect compromised EC2 instances serving malware or mining bitcoin. It also monitors AWS account access behavior for signs of compromise, such as:

  • unauthorized infrastructure deployments
  • instances deployed in a region that has never been used
  • unusual API calls
  • password policy changes to reduce password strength

Setup

To set up the OpsRamp AWS integration and discover the AWS service, go to AWS Integration Discovery Profile and select GuardDuty.

Metrics

OpsRamp Metric | Metric Display Name | Unit | Aggregation Type | Description
n/a            | n/a                 | n/a  | n/a              | n/a

Event support

CloudTrail event support

  • Supported (CreateIPSet, CreateThreatIntelSet, DeleteThreatIntelSet, DeleteIPSet)
  • Configurable in OpsRamp AWS Integration Discovery Profile.
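The four GuardDuty CloudTrail events listed above all change what GuardDuty will or will not alert on: a trusted IP list (IPSet) suppresses findings for the addresses it contains, and a threat intel set adds addresses GuardDuty treats as known-malicious. The following is an added example, not OpsRamp or AWS code, of how a defender might triage these events from a CloudTrail export before they reach an alerting pipeline. The CloudTrail records are constructed sample data (the detector and set IDs are placeholders), and the severity mapping is an assumption chosen for illustration: creating a trusted IP set or deleting a threat intel set narrows detection coverage and is ranked higher than the reverse operations.

```python
import json
from collections import Counter
from typing import Dict, List

# Constructed sample CloudTrail export (not real account data). It contains
# two of the GuardDuty events the integration forwards plus one unrelated
# EC2 call that must be ignored.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "guardduty.amazonaws.com",
     "eventName": "CreateThreatIntelSet", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/sec-admin"},
     "requestParameters": {"detectorId": "PLACEHOLDER-DETECTOR-ID",
                           "name": "partner-feed", "format": "TXT"}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "guardduty.amazonaws.com",
     "eventName": "CreateIPSet", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"},
     "requestParameters": {"detectorId": "PLACEHOLDER-DETECTOR-ID",
                           "name": "allow-all-office", "activate": True}},
    {"eventTime": "2024-01-01T10:06:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"}},
]})

# Assumed severity ranking (not an OpsRamp or AWS classification):
# - CreateIPSet adds addresses whose activity GuardDuty will stop reporting.
# - DeleteThreatIntelSet removes a source of known-malicious addresses.
# Both reduce coverage, so they rank "high"; the reverse operations rank "medium".
GUARDDUTY_EVENTS: Dict[str, str] = {
    "CreateIPSet": "high",
    "DeleteThreatIntelSet": "high",
    "DeleteIPSet": "medium",
    "CreateThreatIntelSet": "medium",
}

GUARDDUTY_SOURCE = "guardduty.amazonaws.com"


def alerts_for(cloudtrail_json: str) -> List[dict]:
    """Return one alert dict per GuardDuty list-management event in the export.

    The eventSource check matters: other services use similar event names,
    so matching on eventName alone would produce false positives.
    """
    records = json.loads(cloudtrail_json).get("Records", [])
    alerts = []
    for rec in records:
        if rec.get("eventSource") != GUARDDUTY_SOURCE:
            continue
        name = rec.get("eventName")
        if name not in GUARDDUTY_EVENTS:
            continue
        params = rec.get("requestParameters") or {}
        alerts.append({
            "time": rec.get("eventTime"),
            "eventName": name,
            "severity": GUARDDUTY_EVENTS[name],
            "actor": rec.get("userIdentity", {}).get("arn", "unknown"),
            "region": rec.get("awsRegion"),
            "detectorId": params.get("detectorId"),
            "setName": params.get("name"),
            # A failed call (errorCode present) is still worth a look, but it
            # did not actually change GuardDuty's configuration.
            "succeeded": "errorCode" not in rec,
        })
    return alerts


def summarize(alerts: List[dict]) -> Dict[str, int]:
    """Count alerts by severity, for a quick triage view."""
    return dict(Counter(a["severity"] for a in alerts))


if __name__ == "__main__":
    found = alerts_for(SAMPLE_CLOUDTRAIL)
    for a in found:
        print(f"[{a['severity']:6}] {a['time']} {a['eventName']} by {a['actor']} "
              f"in {a['region']} (set={a['setName']}, ok={a['succeeded']})")
    print(summarize(found))
```

Run against the constructed export, the example yields two alerts (the EC2 call is dropped), with the CreateIPSet by the contractor identity ranked high; in practice the same filter would be pointed at a real CloudTrail log stream and the actor and set name would drive the follow-up review.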

CloudWatch alarm support

  • Not Supported

External reference