  1. Amazon GuardDuty Security Blogs
  2. AWS re:Post questions for Amazon GuardDuty
  3. Amazon GuardDuty FAQs
  4. Amazon GuardDuty Pricing
  5. Free Cybersecurity Training
  6. Automated response & remediation
    1. Integration with AWS Security Hub
    2. EventBridge (Enrichment, Actions, Notifications)
  7. Anomaly Detection & Machine Learning
    1. EC2 findings
      1. Backdoor:EC2/C&CActivity.B
      2. Backdoor:EC2/C&CActivity.B!DNS
      3. Backdoor:EC2/DenialOfService.Dns
      4. Backdoor:EC2/DenialOfService.Tcp
      5. Backdoor:EC2/DenialOfService.Udp
      6. Backdoor:EC2/DenialOfService.UdpOnTcpPorts
      7. Backdoor:EC2/DenialOfService.UnusualProtocol
      8. Backdoor:EC2/Spambot
      9. Behavior:EC2/NetworkPortUnusual
      10. Behavior:EC2/TrafficVolumeUnusual
      11. CryptoCurrency:EC2/BitcoinTool.B
      12. CryptoCurrency:EC2/BitcoinTool.B!DNS
      13. Impact:EC2/AbusedDomainRequest.Reputation
      14. Impact:EC2/BitcoinDomainRequest.Reputation
      15. Impact:EC2/MaliciousDomainRequest.Reputation
      16. Impact:EC2/PortSweep
      17. Impact:EC2/SuspiciousDomainRequest.Reputation
      18. Impact:EC2/WinRMBruteForce
      19. Recon:EC2/PortProbeEMRUnprotectedPort
      20. Recon:EC2/PortProbeUnprotectedPort
      21. Recon:EC2/Portscan
      22. Trojan:EC2/BlackholeTraffic
      23. Trojan:EC2/BlackholeTraffic!DNS
      24. Trojan:EC2/DGADomainRequest.B
      25. Trojan:EC2/DGADomainRequest.C!DNS
      26. Trojan:EC2/DNSDataExfiltration
      27. Trojan:EC2/DriveBySourceTraffic!DNS
      28. Trojan:EC2/DropPoint
      29. Trojan:EC2/DropPoint!DNS
      30. Trojan:EC2/PhishingDomainRequest!DNS
      31. UnauthorizedAccess:EC2/MaliciousIPCaller.Custom
      32. UnauthorizedAccess:EC2/MetadataDNSRebind
      33. UnauthorizedAccess:EC2/RDPBruteForce
      34. UnauthorizedAccess:EC2/SSHBruteForce
      35. UnauthorizedAccess:EC2/TorClient
      36. UnauthorizedAccess:EC2/TorRelay
    2. IAM findings
      1. CredentialAccess:IAMUser/AnomalousBehavior
      2. DefenseEvasion:IAMUser/AnomalousBehavior
      3. Discovery:IAMUser/AnomalousBehavior
      4. Exfiltration:IAMUser/AnomalousBehavior
      5. Impact:IAMUser/AnomalousBehavior
      6. InitialAccess:IAMUser/AnomalousBehavior
      7. PenTest:IAMUser/KaliLinux
      8. PenTest:IAMUser/ParrotLinux
      9. PenTest:IAMUser/PentooLinux
      10. Persistence:IAMUser/AnomalousBehavior
      11. Policy:IAMUser/RootCredentialUsage
      12. PrivilegeEscalation:IAMUser/AnomalousBehavior
      13. Recon:IAMUser/MaliciousIPCaller
      14. Recon:IAMUser/MaliciousIPCaller.Custom
      15. Recon:IAMUser/TorIPCaller
      16. Stealth:IAMUser/CloudTrailLoggingDisabled
      17. Stealth:IAMUser/PasswordPolicyChange
      18. UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B
      19. UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS
      20. UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS
      21. UnauthorizedAccess:IAMUser/MaliciousIPCaller
      22. UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom
      23. UnauthorizedAccess:IAMUser/TorIPCaller
    3. S3 findings
      1. Discovery:S3/MaliciousIPCaller
      2. Discovery:S3/MaliciousIPCaller.Custom
      3. Discovery:S3/TorIPCaller
      4. Exfiltration:S3/MaliciousIPCaller
      5. Exfiltration:S3/ObjectRead.Unusual
      6. Impact:S3/MaliciousIPCaller
      7. PenTest:S3/KaliLinux
      8. PenTest:S3/ParrotLinux
      9. PenTest:S3/PentooLinux
      10. Policy:S3/AccountBlockPublicAccessDisabled
      11. Policy:S3/BucketAnonymousAccessGranted
      12. Policy:S3/BucketBlockPublicAccessDisabled
      13. Policy:S3/BucketPublicAccessGranted
      14. Stealth:S3/ServerAccessLoggingDisabled
      15. UnauthorizedAccess:S3/MaliciousIPCaller.Custom
      16. UnauthorizedAccess:S3/TorIPCaller
    4. Kubernetes findings
      1. CredentialAccess:Kubernetes/MaliciousIPCaller
      2. CredentialAccess:Kubernetes/MaliciousIPCaller.Custom
      3. CredentialAccess:Kubernetes/SuccessfulAnonymousAccess
      4. CredentialAccess:Kubernetes/TorIPCaller
      5. DefenseEvasion:Kubernetes/MaliciousIPCaller
      6. DefenseEvasion:Kubernetes/MaliciousIPCaller.Custom
      7. DefenseEvasion:Kubernetes/SuccessfulAnonymousAccess
      8. DefenseEvasion:Kubernetes/TorIPCaller
      9. Discovery:Kubernetes/MaliciousIPCaller
      10. Discovery:Kubernetes/MaliciousIPCaller.Custom
      11. Discovery:Kubernetes/SuccessfulAnonymousAccess
      12. Discovery:Kubernetes/TorIPCaller
      13. Execution:Kubernetes/ExecInKubeSystemPod
      14. Impact:Kubernetes/MaliciousIPCaller
      15. Impact:Kubernetes/MaliciousIPCaller.Custom
      16. Impact:Kubernetes/SuccessfulAnonymousAccess
      17. Impact:Kubernetes/TorIPCaller
      18. Persistence:Kubernetes/ContainerWithSensitiveMount
      19. Persistence:Kubernetes/MaliciousIPCaller
      20. Persistence:Kubernetes/MaliciousIPCaller.Custom
      21. Persistence:Kubernetes/SuccessfulAnonymousAccess
      22. Persistence:Kubernetes/TorIPCaller
      23. Policy:Kubernetes/AdminAccessToDefaultServiceAccount
      24. Policy:Kubernetes/AnonymousAccessGranted
      25. Policy:Kubernetes/ExposedDashboard
      26. Policy:Kubernetes/KubeflowDashboardExposed
      27. PrivilegeEscalation:Kubernetes/PrivilegedContainer
  8. Pivot to Amazon Detective
    1. Triage, Scoping, Response
  9. Internal AWS Sources
    1. CloudTrail Management Events
    2. CloudTrail S3 Data Events
    3. VPC Flow Logs
    4. DNS logs
    5. Kubernetes audit logs
  10. Amazon GuardDuty Partners
    1. Activation and Operationalization
      1. Alert Logic
      2. Sumo Logic
      3. Turbot
    2. Security Intelligence
      1. Aviatrix
      2. Check Point
      3. Expel
      4. FireEye
      5. Fortinet
      6. IBM
      7. Juniper
      8. McAfee
      9. PaloAlto
      10. Rapid7
      11. Recorded Future
      12. Sophos
      13. Splunk
      14. Trend Micro
    3. Consulting and Integration
      1. Accenture
      2. Deloitte
      3. Logicworks
    4. Alerting and Ticketing
      1. PagerDuty
  11. Threat intelligence (IP and domains)
    1. AWS Security
    2. Threat Feed 3rd party providers
      1. Proofpoint
      2. CrowdStrike
    3. Custom threat lists
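The finding names in the list above all follow GuardDuty's documented naming convention, ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.DetectionMechanism!Artifact, and the "EventBridge (Enrichment, Actions, Notifications)" item is where those names get turned into automated responses. The following is an added example, not code from this page or from AWS: it parses finding types into their components and routes constructed findings through EventBridge-style event patterns. The pattern matcher is a simplified local model of EventBridge matching that supports only exact values, `prefix` and `numeric` matchers, and the rule names (`page-oncall`, `isolate-instance`, `review-iam-principal`) and the sample findings are hypothetical; only the `source`, `detail-type`, `detail.type`, `detail.severity` and `detail.resource.resourceType` fields of the real GuardDuty event shape are used.

```python
"""Parse GuardDuty finding-type names and route findings with EventBridge-style
event patterns. Added example, not AWS code: the matcher is a simplified local
model of EventBridge matching (exact, "prefix" and "numeric" only) and the
rules and findings below are constructed for illustration."""
from __future__ import annotations

import operator
import re
from typing import Any

# GuardDuty documents finding types as
#   ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.DetectionMechanism!Artifact
# where the last two components are optional (e.g. "!DNS" marks a DNS-log artifact).
_TYPE_RE = re.compile(
    r"^(?P<purpose>[A-Za-z]+):(?P<resource>[A-Za-z0-9]+)/"
    r"(?P<family>[^.!]+)(?:\.(?P<mechanism>[^!]+))?(?:!(?P<artifact>.+))?$"
)


def parse_finding_type(finding_type: str) -> dict[str, str | None]:
    """Split a finding type into its named components; raises on malformed input."""
    m = _TYPE_RE.match(finding_type)
    if m is None:
        raise ValueError(f"not a GuardDuty finding type: {finding_type!r}")
    return m.groupdict()


def severity_label(severity: float) -> str:
    """Map GuardDuty's numeric severity to its documented label bands."""
    if severity >= 9.0:
        return "Critical"
    if severity >= 7.0:
        return "High"
    if severity >= 4.0:
        return "Medium"
    return "Low"


_NUMERIC_OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt,
                "<=": operator.le, "=": operator.eq}


def _numeric_ok(spec: list, value: Any) -> bool:
    """spec is [op, n] or [op, n, op, n], as in EventBridge's {"numeric": [...]}."""
    if not isinstance(value, (int, float)) or isinstance(value, bool):
        return False
    return all(_NUMERIC_OPS[spec[i]](value, spec[i + 1]) for i in range(0, len(spec), 2))


def _leaf_matches(alternatives: list, value: Any) -> bool:
    """A leaf pattern is a list; the event value must satisfy at least one entry."""
    for alt in alternatives:
        if isinstance(alt, dict):
            if "prefix" in alt and isinstance(value, str) and value.startswith(alt["prefix"]):
                return True
            if "numeric" in alt and _numeric_ok(alt["numeric"], value):
                return True
        elif alt == value:
            return True
    return False


def pattern_matches(pattern: dict, event: dict) -> bool:
    """Every key in the pattern must exist in the event and match; nested dicts
    recurse and lists are leaf alternatives, mirroring EventBridge semantics."""
    for key, sub in pattern.items():
        if key not in event:
            return False
        if isinstance(sub, dict):
            if not isinstance(event[key], dict) or not pattern_matches(sub, event[key]):
                return False
        elif not _leaf_matches(sub, event[key]):
            return False
    return True


# Constructed routing rules; names are hypothetical and stand for the target action.
_GUARDDUTY_EVENT = {"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"]}
RULES = {
    "page-oncall": {**_GUARDDUTY_EVENT,
                    "detail": {"severity": [{"numeric": [">=", 7]}]}},
    "isolate-instance": {**_GUARDDUTY_EVENT,
                         "detail": {"resource": {"resourceType": ["Instance"]},
                                    "type": [{"prefix": "Backdoor:EC2/"},
                                             {"prefix": "CryptoCurrency:EC2/"},
                                             {"prefix": "Trojan:EC2/"}]}},
    "review-iam-principal": {**_GUARDDUTY_EVENT,
                             "detail": {"type": [{"prefix": "UnauthorizedAccess:IAMUser/"},
                                                 {"prefix": "Policy:IAMUser/"}]}},
}


def route(event: dict) -> list[str]:
    """Return the names of every rule whose pattern matches the event."""
    return [name for name, pattern in RULES.items() if pattern_matches(pattern, event)]


def make_finding(finding_type: str, severity: float, resource_type: str) -> dict:
    """Build a constructed event in the shape EventBridge delivers GuardDuty findings."""
    return {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
            "detail": {"type": finding_type, "severity": severity,
                       "resource": {"resourceType": resource_type}}}


if __name__ == "__main__":
    for ft, sev, res in [("Backdoor:EC2/C&CActivity.B!DNS", 8.0, "Instance"),
                         ("Policy:IAMUser/RootCredentialUsage", 2.0, "AccessKey"),
                         ("Recon:EC2/Portscan", 5.0, "Instance")]:
        ev = make_finding(ft, sev, res)
        print(ft, parse_finding_type(ft), severity_label(sev), route(ev))
```

Because the rule patterns are plain dictionaries in EventBridge syntax, they can be unit-tested locally this way and then passed unchanged as the event pattern of a real EventBridge rule. The local matcher is deliberately narrow: production EventBridge also offers `anything-but`, `exists`, `suffix` and other matchers that this model does not implement, so a pattern that uses them must be tested against the service itself.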