For a security team to analyze VPC flow logs, CloudTrail logs and DNS logs on its own, the whole pipeline of log collection, normalization, analysis, conclusions and response actions is very time-consuming and labor-intensive. With GuardDuty, threat detection for the cloud environment can be enabled with a few clicks in the AWS Management Console. AWS launched GuardDuty, its in-cloud threat detection service, in 2017 to help AWS users get ahead of potential security threats and protect their AWS accounts and workloads.
What GuardDuty can do
Your account launches instances in a region you have never used; your EC2 instance is being attacked; your EC2 instance starts mining Bitcoin without your knowledge; your EC2 instance launches network attacks without your knowledge; a machine running penetration-testing tools makes API calls with your account's credentials. When any of these happen, GuardDuty can detect it.
How GuardDuty works
Amazon GuardDuty is a continuous security monitoring service. It analyzes data sources (VPC flow logs, AWS CloudTrail event logs and DNS logs), uses threat intelligence feeds (for example, lists of malicious IP addresses and domains) and applies machine learning to identify unexpected, unauthorized and malicious activity in your AWS environment.
GuardDuty advantages
For a security team to analyze VPC flow logs, CloudTrail logs and DNS logs on its own, the whole pipeline of log collection, normalization, analysis, conclusions and response actions is very time-consuming and labor-intensive. With GuardDuty, you enable the service with a few clicks in the AWS Management Console; there is no software or hardware to deploy or maintain.
GuardDuty integrates the latest threat intelligence feeds from AWS, CrowdStrike and Proofpoint. Threat intelligence combined with machine learning and behavioral models helps you detect activity such as cryptocurrency mining, credential cracking, unauthorized and anomalous data access, communication with known command-and-control servers, and API calls from known malicious IPs.
A security team can aggregate the findings from every account in the organization into a single GuardDuty administrator account for central management. The aggregated findings are also available through CloudWatch Events, so they integrate easily with an existing enterprise event management system.
GuardDuty can use Amazon CloudWatch Events together with AWS Lambda to perform automated remediation actions.
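The CloudWatch Events / Lambda pattern from the two paragraphs above, as an added example that is neither AWS code nor part of the original post. The event envelope (source "aws.guardduty", detail-type "GuardDuty Finding") and the finding fields used (id, accountId, region, type, severity, resource.instanceDetails.instanceId) follow the documented GuardDuty finding format, and the severity bands are GuardDuty's published ones; the sample events are constructed, and the response policy (which finding types trigger isolation, and the injected isolate callback) is an assumption of this example, not a GuardDuty recommendation.

```python
"""Plan a proportionate response to a GuardDuty finding delivered by CloudWatch
Events / EventBridge (added example; the response policy is an assumption).

A matching EventBridge rule pattern would be:
  {"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"]}
"""
from typing import Any, Callable, Dict, List, Optional

# GuardDuty severity bands: Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9.
def severity_label(score: float) -> str:
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"

# Finding-type prefixes for which this example chooses to quarantine the
# instance (assumption: our policy, not GuardDuty's).
ISOLATE_PREFIXES = ("CryptoCurrency:EC2/", "Backdoor:EC2/")


def plan_response(event: Dict[str, Any]) -> Dict[str, Any]:
    """Parse the finding and return a response plan; no side effects here."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        raise ValueError("not a GuardDuty finding event")
    finding = event["detail"]
    ftype: str = finding["type"]
    score = float(finding["severity"])
    resource = finding.get("resource", {})
    instance_id: Optional[str] = None
    if resource.get("resourceType") == "Instance":
        instance_id = resource.get("instanceDetails", {}).get("instanceId")

    actions: List[str] = ["notify"]  # every finding is routed to the SOC channel
    if severity_label(score) == "HIGH" and instance_id and ftype.startswith(ISOLATE_PREFIXES):
        actions.append("isolate")    # e.g. swap the instance into a quarantine security group
    if severity_label(score) != "LOW":
        actions.append("ticket")     # medium and high findings open a case
    return {
        "finding_id": finding["id"],
        "account": finding["accountId"],
        "region": finding["region"],
        "type": ftype,
        "severity": severity_label(score),
        "instance_id": instance_id,
        "actions": actions,
    }


def lambda_handler(event, context, isolate: Optional[Callable[[str], None]] = None):
    """Lambda entry point. `isolate` is injected (in production a wrapper around
    the EC2 API that applies a quarantine security group) so the decision
    logic runs and is testable offline."""
    plan = plan_response(event)
    if "isolate" in plan["actions"] and isolate is not None:
        isolate(plan["instance_id"])
    return plan


def _constructed_event(ftype: str, severity: float, instance_id: str = "i-0123456789abcdef0") -> Dict[str, Any]:
    """Build a constructed sample event in the GuardDuty finding shape."""
    return {
        "version": "0",
        "source": "aws.guardduty",
        "detail-type": "GuardDuty Finding",
        "region": "us-west-2",
        "detail": {
            "id": "constructed-finding-id",          # constructed, not a real finding id
            "accountId": "111122223333",              # constructed account id
            "region": "us-west-2",
            "type": ftype,
            "severity": severity,
            "resource": {"resourceType": "Instance",
                         "instanceDetails": {"instanceId": instance_id}},
        },
    }

# Two constructed findings: a high-severity crypto-mining DNS finding and a
# low-severity port probe.
SAMPLE_CRYPTO = _constructed_event("CryptoCurrency:EC2/BitcoinTool.B!DNS", 8)
SAMPLE_PROBE = _constructed_event("Recon:EC2/PortProbeUnprotectedPort", 2)

if __name__ == "__main__":
    quarantined: List[str] = []
    print(lambda_handler(SAMPLE_CRYPTO, None, isolate=quarantined.append))
    print(lambda_handler(SAMPLE_PROBE, None, isolate=quarantined.append))
    print("quarantined:", quarantined)
```

Keeping the decision in plan_response and the side effect behind an injected callback is deliberate: the same function can be exercised against archived findings to review how a policy would have behaved before it is wired to a real EC2 client, and it keeps the Lambda's IAM permissions limited to the single remediation action it actually performs.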
GuardDuty pricing
Amazon GuardDuty is priced by the number of AWS CloudTrail events analyzed and by the volume of Amazon VPC flow log and DNS log data analyzed. Enabling these log sources for GuardDuty analysis incurs no additional charge. Taking the Oregon region as an example, the rates are as follows:
GuardDuty finding types
For the complete list of GuardDuty finding types, see:
https://docs.aws.amazon.com/zh_cn/guardduty/latest/ug/guardduty_finding-types-active.html
How to enable GuardDuty
For the steps to enable GuardDuty, see:
https://docs.aws.amazon.com/zh_cn/guardduty/latest/ug/guardduty_settingup.html
If you need further assistance or services, please leave a message; Taiyue Cloud will provide automation tools and professional services.