GuardDuty is an intelligent threat (anomaly) detection service.
Intelligent threat detection – Amazon GuardDuty – Amazon Web Services
GuardDuty continuously monitors your AWS accounts and workloads and detects any unauthorized behavior using machine learning.
- GuardDuty uses machine learning for threat detection.
- It takes 7~14 days to set a baseline (normal behavior).
- GuardDuty updates a database of known malicious domains or IPs using external feeds from third parties.
- It has Built-in detection for EC2, S3, and IAM.
- It monitors CloudTrail, VPC, Flow Logs, and DNS logs.
- Alerts appear in the GuardDuty console and CloudWatch Events.
- Unusual API calls
- API calls from known malicious domains or IPs
- Unauthorized deployments
- Port Scanning
- Crypto-currency mining