GuardDuty Extended Threat Detection

When you enable Amazon GuardDuty in your account in a specific AWS Region, Extended Threat Detection is also enabled by default. There is no additional cost associated with the usage of Extended Threat Detection. By default, it correlates events across all GuardDuty foundational data sources. However, when you enable more GuardDuty protection plans, such as S3 Protection, this will open additional types of attack sequence detections by widening the range of event sources. This will potentially help with a more comprehensive threat analysis and better detection of attack sequences. For more information, see Enable related protection plans.

GuardDuty correlates multiple events, including API activities and GuardDuty findings. These events are called Signals. Sometimes, there might be events in your environment that, on their own, don't present themselves as a clear potential threat. GuardDuty terms them as weak signals. With Extended Threat Detection, GuardDuty identifies when a sequence of multiple actions align to a potentially suspicious activity, and generates an attack sequence finding in your account. These multiple actions can include weak signals and already identified GuardDuty findings in your account.

GuardDuty is also designed to identify potential in-progress or recent attack behaviors (within a 24-hour rolling time window) in your account. For example, an attack could start by an actor gaining unintended access to a compute workload. The actor would then perform a series of steps, including enumeration, escalation of privileges, and exfiltration of AWS credentials. These credentials could potentially be used for further compromise or malicious access to data.

By default, the Extended Threat Detection page in GuardDuty console displays the Status as Enabled. Use the following steps to access the Extended Threat Detection page in GuardDuty console:

Attack sequence findings are just like other GuardDuty findings in your account. You can view them on the Findings page in the GuardDuty console. For information about viewing findings, see Findings page in GuardDuty console.

Similar to other GuardDuty findings, attack sequence findings are also automatically sent to Amazon EventBridge. Based on your settings, attack sequence findings are also exported to a publishing destination (Amazon S3 bucket). To set a new publishing destination or update an existing one, see Exporting generated findings to Amazon S3.

For GuardDuty to detect an attack sequence that potentially includes data compromise in your Amazon Simple Storage Service (Amazon S3) buckets, you must enable S3 Protection in your account. This helps GuardDuty correlate more diverse signals across multiple data sources. GuardDuty uses dedicated S3 Protection plan to identify findings that could potentially be one of the multiple stages in an attack sequence. For example, with GuardDuty foundational threat detection alone, GuardDuty can identify a potential attack sequence starting from IAM privilege discovery activity on Amazon S3 APIs, and detect subsequent S3 control plane alterations, such as changes that make bucket resource policy more permissive. When you enable S3 Protection, GuardDuty expands its threat detection scope. It also gains the ability to detect potential data exfiltration activities that may occur after S3 bucket access becomes more permissive.

If Amazon S3 is not enabled, GuardDuty will not be able to generate individual S3 Protection finding types. Therefore, GuardDuty will not be able to detect multi-stage attack sequences that involve associated findings. Therefore, GuardDuty will not be able to generate attack sequences associated to compromise of data.