GuardDuty finding types - Amazon GuardDuty

GuardDuty finding types

A finding is a notification that GuardDuty generates when it detects an indication of a suspicious or malicious activity in your AWS account. GuardDuty generates a finding in an account that has enabled GuardDuty.

For information about important changes to the GuardDuty finding types, including newly added or retired finding types, see Document history for Amazon GuardDuty.

For information about finding types which are now retired, see Retired finding types.

GuardDuty finding types by potentially impacted resources

The following pages are categorized by the potentially impacted resource type associated with a GuardDuty finding:

GuardDuty active finding types

The following table lists all of the active finding types, sorted by the foundational data source or feature that produces them, as applicable. In the table, some findings have their Finding severity value marked with an asterisk (*) or a plus sign (+):

* These finding types have variable severity. A finding of a particular type may have a different severity depending on the context specific to that finding. For more information about a finding type, view its detailed description.

+ EC2 findings that use VPC flow logs as a data source do not support IPv6 traffic.

| Finding type | Resource type | Foundational data source/Feature | Finding severity |
|---|---|---|---|
| Discovery:S3/AnomalousBehavior | Amazon S3 | CloudTrail data events for S3 | Low |
| Discovery:S3/MaliciousIPCaller | Amazon S3 | CloudTrail data events for S3 | High |
| Discovery:S3/MaliciousIPCaller.Custom | Amazon S3 | CloudTrail data events for S3 | High |
| Discovery:S3/TorIPCaller | Amazon S3 | CloudTrail data events for S3 | Medium |
| Exfiltration:S3/AnomalousBehavior | Amazon S3 | CloudTrail data events for S3 | High |
| Exfiltration:S3/MaliciousIPCaller | Amazon S3 | CloudTrail data events for S3 | High |
| Impact:S3/AnomalousBehavior.Delete | Amazon S3 | CloudTrail data events for S3 | High |
| Impact:S3/AnomalousBehavior.Permission | Amazon S3 | CloudTrail data events for S3 | High |
| Impact:S3/AnomalousBehavior.Write | Amazon S3 | CloudTrail data events for S3 | Medium |
| Impact:S3/MaliciousIPCaller | Amazon S3 | CloudTrail data events for S3 | High |
| PenTest:S3/KaliLinux | Amazon S3 | CloudTrail data events for S3 | Medium |
| PenTest:S3/ParrotLinux | Amazon S3 | CloudTrail data events for S3 | Medium |
| PenTest:S3/PentooLinux | Amazon S3 | CloudTrail data events for S3 | Medium |
| UnauthorizedAccess:S3/TorIPCaller | Amazon S3 | CloudTrail data events for S3 | High |
| UnauthorizedAccess:S3/MaliciousIPCaller.Custom | Amazon S3 | CloudTrail data events for S3 | High |
| CredentialAccess:IAMUser/AnomalousBehavior | IAM | CloudTrail management events | Medium |
| DefenseEvasion:IAMUser/AnomalousBehavior | IAM | CloudTrail management events | Medium |
| Discovery:IAMUser/AnomalousBehavior | IAM | CloudTrail management events | Low |
| Exfiltration:IAMUser/AnomalousBehavior | IAM | CloudTrail management events | High |
| Impact:IAMUser/AnomalousBehavior | IAM | CloudTrail management events | High |
| InitialAccess:IAMUser/AnomalousBehavior | IAM | CloudTrail management events | Medium |
| PenTest:IAMUser/KaliLinux | IAM | CloudTrail management events | Medium |
| PenTest:IAMUser/ParrotLinux | IAM | CloudTrail management events | Medium |
| PenTest:IAMUser/PentooLinux | IAM | CloudTrail management events | Medium |
| Persistence:IAMUser/AnomalousBehavior | IAM | CloudTrail management events | Medium |
| Stealth:IAMUser/PasswordPolicyChange | IAM | CloudTrail management events | Low* |
| UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS | IAM | CloudTrail management events | High* |
| Policy:S3/AccountBlockPublicAccessDisabled | Amazon S3 | CloudTrail management events | Low |
| Policy:S3/BucketAnonymousAccessGranted | Amazon S3 | CloudTrail management events | High |
| Policy:S3/BucketBlockPublicAccessDisabled | Amazon S3 | CloudTrail management events | Low |
| Policy:S3/BucketPublicAccessGranted | Amazon S3 | CloudTrail management events | High |
| PrivilegeEscalation:IAMUser/AnomalousBehavior | IAM | CloudTrail management events | Medium |
| Recon:IAMUser/MaliciousIPCaller | IAM | CloudTrail management events | Medium |
| Recon:IAMUser/MaliciousIPCaller.Custom | IAM | CloudTrail management events | Medium |
| Recon:IAMUser/TorIPCaller | IAM | CloudTrail management events | Medium |
| Stealth:IAMUser/CloudTrailLoggingDisabled | IAM | CloudTrail management events | Low |
| Stealth:S3/ServerAccessLoggingDisabled | Amazon S3 | CloudTrail management events | Low |
| UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B | IAM | CloudTrail management events | Medium |
| UnauthorizedAccess:IAMUser/MaliciousIPCaller | IAM | CloudTrail management events | Medium |
| UnauthorizedAccess:IAMUser/MaliciousIPCaller.Custom | IAM | CloudTrail management events | Medium |
| UnauthorizedAccess:IAMUser/TorIPCaller | IAM | CloudTrail management events | Medium |
| Policy:IAMUser/RootCredentialUsage | IAM | CloudTrail management events or CloudTrail data events for S3 | Low |
| UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS | IAM | CloudTrail management events or CloudTrail data events for S3 | High |
| AttackSequence:IAM/CompromisedCredentials | Resources involved in attack sequence | CloudTrail management events | Critical |
| AttackSequence:S3/CompromisedData | Resources involved in attack sequence | CloudTrail management events and CloudTrail data events for S3 | Critical |
| Backdoor:EC2/C&CActivity.B!DNS | Amazon EC2 | DNS logs | High |
| CryptoCurrency:EC2/BitcoinTool.B!DNS | Amazon EC2 | DNS logs | High |
| Impact:EC2/AbusedDomainRequest.Reputation | Amazon EC2 | DNS logs | Medium |
| Impact:EC2/BitcoinDomainRequest.Reputation | Amazon EC2 | DNS logs | High |
| Impact:EC2/MaliciousDomainRequest.Reputation | Amazon EC2 | DNS logs | High |
| Impact:EC2/SuspiciousDomainRequest.Reputation | Amazon EC2 | DNS logs | Low |
| Trojan:EC2/BlackholeTraffic!DNS | Amazon EC2 | DNS logs | Medium |
| Trojan:EC2/DGADomainRequest.B | Amazon EC2 | DNS logs | High |
| Trojan:EC2/DGADomainRequest.C!DNS | Amazon EC2 | DNS logs | High |
| Trojan:EC2/DNSDataExfiltration | Amazon EC2 | DNS logs | High |
| Trojan:EC2/DriveBySourceTraffic!DNS | Amazon EC2 | DNS logs | High |
| Trojan:EC2/DropPoint!DNS | Amazon EC2 | DNS logs | Medium |
| Trojan:EC2/PhishingDomainRequest!DNS | Amazon EC2 | DNS logs | High |
| UnauthorizedAccess:EC2/MetadataDNSRebind | Amazon EC2 | DNS logs | High |
| Execution:Container/MaliciousFile | Container | EBS Malware Protection | Varies depending on the detected threat |
| Execution:Container/SuspiciousFile | Container | EBS Malware Protection | Varies depending on the detected threat |
| Execution:EC2/MaliciousFile | Amazon EC2 | EBS Malware Protection | Varies depending on the detected threat |
| Execution:EC2/SuspiciousFile | Amazon EC2 | EBS Malware Protection | Varies depending on the detected threat |
| Execution:ECS/MaliciousFile | ECS | EBS Malware Protection | Varies depending on the detected threat |
| Execution:ECS/SuspiciousFile | ECS | EBS Malware Protection | Varies depending on the detected threat |
| Execution:Kubernetes/MaliciousFile | Kubernetes | EBS Malware Protection | Varies depending on the detected threat |
| Execution:Kubernetes/SuspiciousFile | Kubernetes | EBS Malware Protection | Varies depending on the detected threat |
| CredentialAccess:Kubernetes/AnomalousBehavior.SecretsAccessed | Kubernetes | EKS audit logs | Medium |
| CredentialAccess:Kubernetes/MaliciousIPCaller | Kubernetes | EKS audit logs | High |
| CredentialAccess:Kubernetes/MaliciousIPCaller.Custom | Kubernetes | EKS audit logs | High |
| CredentialAccess:Kubernetes/SuccessfulAnonymousAccess | Kubernetes | EKS audit logs | High |
| CredentialAccess:Kubernetes/TorIPCaller | Kubernetes | EKS audit logs | High |
| DefenseEvasion:Kubernetes/MaliciousIPCaller | Kubernetes | EKS audit logs | High |
| DefenseEvasion:Kubernetes/MaliciousIPCaller.Custom | Kubernetes | EKS audit logs | High |
| DefenseEvasion:Kubernetes/SuccessfulAnonymousAccess | Kubernetes | EKS audit logs | High |
| DefenseEvasion:Kubernetes/TorIPCaller | Kubernetes | EKS audit logs | High |
| Discovery:Kubernetes/AnomalousBehavior.PermissionChecked | Kubernetes | EKS audit logs | Low |
| Discovery:Kubernetes/MaliciousIPCaller | Kubernetes | EKS audit logs | Medium |
| Discovery:Kubernetes/MaliciousIPCaller.Custom | Kubernetes | EKS audit logs | Medium |
| Discovery:Kubernetes/SuccessfulAnonymousAccess | Kubernetes | EKS audit logs | Medium |
| Discovery:Kubernetes/TorIPCaller | Kubernetes | EKS audit logs | Medium |
| Execution:Kubernetes/ExecInKubeSystemPod | Kubernetes | EKS audit logs | Medium |
| Execution:Kubernetes/AnomalousBehavior.ExecInPod | Kubernetes | EKS audit logs | Medium |
| Execution:Kubernetes/AnomalousBehavior.WorkloadDeployed | Kubernetes | EKS audit logs | Low |
| Impact:Kubernetes/MaliciousIPCaller | Kubernetes | EKS audit logs | High |
| Impact:Kubernetes/MaliciousIPCaller.Custom | Kubernetes | EKS audit logs | High |
| Impact:Kubernetes/SuccessfulAnonymousAccess | Kubernetes | EKS audit logs | High |
| Impact:Kubernetes/TorIPCaller | Kubernetes | EKS audit logs | High |
| Persistence:Kubernetes/ContainerWithSensitiveMount | Kubernetes | EKS audit logs | Medium |
| Persistence:Kubernetes/MaliciousIPCaller | Kubernetes | EKS audit logs | Medium |
| Persistence:Kubernetes/MaliciousIPCaller.Custom | Kubernetes | EKS audit logs | Medium |
| Persistence:Kubernetes/SuccessfulAnonymousAccess | Kubernetes | EKS audit logs | High |
| Persistence:Kubernetes/TorIPCaller | Kubernetes | EKS audit logs | Medium |
| Policy:Kubernetes/AdminAccessToDefaultServiceAccount | Kubernetes | EKS audit logs | High |
| Policy:Kubernetes/AnonymousAccessGranted | Kubernetes | EKS audit logs | High |
| Policy:Kubernetes/KubeflowDashboardExposed | Kubernetes | EKS audit logs | Medium |
| Policy:Kubernetes/ExposedDashboard | Kubernetes | EKS audit logs | Medium |
| PrivilegeEscalation:Kubernetes/AnomalousBehavior.RoleBindingCreated | Kubernetes | EKS audit logs | Medium* |
| PrivilegeEscalation:Kubernetes/AnomalousBehavior.RoleCreated | Kubernetes | EKS audit logs | Low |
| Persistence:Kubernetes/AnomalousBehavior.WorkloadDeployed!ContainerWithSensitiveMount | Kubernetes | EKS audit logs | High |
| PrivilegeEscalation:Kubernetes/AnomalousBehavior.WorkloadDeployed!PrivilegedContainer | Kubernetes | EKS audit logs | High |
| PrivilegeEscalation:Kubernetes/PrivilegedContainer | Kubernetes | EKS audit logs | Medium |
| Backdoor:Lambda/C&CActivity.B | Lambda | Lambda Network Activity Monitoring | High |
| CryptoCurrency:Lambda/BitcoinTool.B | Lambda | Lambda Network Activity Monitoring | High |
| Trojan:Lambda/BlackholeTraffic | Lambda | Lambda Network Activity Monitoring | Medium |
| Trojan:Lambda/DropPoint | Lambda | Lambda Network Activity Monitoring | Medium |
| UnauthorizedAccess:Lambda/MaliciousIPCaller.Custom | Lambda | Lambda Network Activity Monitoring | Medium |
| UnauthorizedAccess:Lambda/TorClient | Lambda | Lambda Network Activity Monitoring | High |
| UnauthorizedAccess:Lambda/TorRelay | Lambda | Lambda Network Activity Monitoring | High |
| Object:S3/MaliciousFile | S3Object | Malware Protection for S3 | High |
| CredentialAccess:RDS/AnomalousBehavior.FailedLogin | Supported Amazon Aurora, Amazon RDS, and Aurora Limitless databases | RDS Login Activity Monitoring | Low |
| CredentialAccess:RDS/AnomalousBehavior.SuccessfulBruteForce | Supported Amazon Aurora, Amazon RDS, and Aurora Limitless databases | RDS Login Activity Monitoring | High |
| CredentialAccess:RDS/AnomalousBehavior.SuccessfulLogin | Supported Amazon Aurora, Amazon RDS, and Aurora Limitless databases | RDS Login Activity Monitoring | Variable* |
| CredentialAccess:RDS/MaliciousIPCaller.FailedLogin | Supported Amazon Aurora, Amazon RDS, and Aurora Limitless databases | RDS Login Activity Monitoring | Medium |
| CredentialAccess:RDS/MaliciousIPCaller.SuccessfulLogin | Supported Amazon Aurora, Amazon RDS, and Aurora Limitless databases | RDS Login Activity Monitoring | High |
| CredentialAccess:RDS/TorIPCaller.FailedLogin | Supported Amazon Aurora, Amazon RDS, and Aurora Limitless databases | RDS Login Activity Monitoring | Medium |
| CredentialAccess:RDS/TorIPCaller.SuccessfulLogin | Supported Amazon Aurora, Amazon RDS, and Aurora Limitless databases | RDS Login Activity Monitoring | High |
| Discovery:RDS/MaliciousIPCaller | Supported Amazon Aurora, Amazon RDS, and Aurora Limitless databases | RDS Login Activity Monitoring | Medium |
| Discovery:RDS/TorIPCaller | Supported Amazon Aurora, Amazon RDS, and Aurora Limitless databases | RDS Login Activity Monitoring | Medium |
| Backdoor:Runtime/C&CActivity.B | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High |
| Backdoor:Runtime/C&CActivity.B!DNS | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High |
| CryptoCurrency:Runtime/BitcoinTool.B | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High |
| CryptoCurrency:Runtime/BitcoinTool.B!DNS | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High |
| DefenseEvasion:Runtime/FilelessExecution | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium |
| DefenseEvasion:Runtime/ProcessInjection.Proc | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High |
| DefenseEvasion:Runtime/ProcessInjection.Ptrace | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium |
| DefenseEvasion:Runtime/ProcessInjection.VirtualMemoryWrite | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High |
| DefenseEvasion:Runtime/PtraceAntiDebugging | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Low |
| DefenseEvasion:Runtime/SuspiciousCommand | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High |
| Discovery:Runtime/SuspiciousCommand | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Low |
| Execution:Runtime/MaliciousFileExecuted | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High |
| Execution:Runtime/NewBinaryExecuted | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium |
| Execution:Runtime/NewLibraryLoaded | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium |
| Execution:Runtime/SuspiciousCommand | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Variable |
| Execution:Runtime/SuspiciousShellCreated | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Low |
| Execution:Runtime/SuspiciousTool | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Variable |
| Execution:Runtime/ReverseShell | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High |
| Impact:Runtime/AbusedDomainRequest.Reputation | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium |
| Impact:Runtime/BitcoinDomainRequest.Reputation | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High |
| Impact:Runtime/CryptoMinerExecuted | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High |
| Impact:Runtime/MaliciousDomainRequest.Reputation | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium |
| Impact:Runtime/SuspiciousDomainRequest.Reputation | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Low |
| Persistence:Runtime/SuspiciousCommand | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium |
| PrivilegeEscalation:Runtime/CGroupsReleaseAgentModified | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High |
| PrivilegeEscalation:Runtime/ContainerMountsHostDirectory | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium |
| PrivilegeEscalation:Runtime/DockerSocketAccessed | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium |
| PrivilegeEscalation:Runtime/ElevationToRoot | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium |
| PrivilegeEscalation:Runtime/RuncContainerEscape | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High |
| PrivilegeEscalation:Runtime/SuspiciousCommand | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium |
| PrivilegeEscalation:Runtime/UserfaultfdUsage | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium |
| Trojan:Runtime/BlackholeTraffic | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium |
| Trojan:Runtime/BlackholeTraffic!DNS | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium |
| Trojan:Runtime/DropPoint | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium |
| Trojan:Runtime/DGADomainRequest.C!DNS | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High |
| Trojan:Runtime/DriveBySourceTraffic!DNS | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High |
| Trojan:Runtime/DropPoint!DNS | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | Medium |
| Trojan:Runtime/PhishingDomainRequest!DNS | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High |
| UnauthorizedAccess:Runtime/MetadataDNSRebind | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High |
| UnauthorizedAccess:Runtime/TorClient | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High |
| UnauthorizedAccess:Runtime/TorRelay | Instance, EKS cluster, ECS cluster, or container | Runtime Monitoring | High |
| Backdoor:EC2/C&CActivity.B | Amazon EC2 | VPC flow logs+ | High |
| Backdoor:EC2/DenialOfService.Dns | Amazon EC2 | VPC flow logs+ | High |
| Backdoor:EC2/DenialOfService.Tcp | Amazon EC2 | VPC flow logs+ | High |
| Backdoor:EC2/DenialOfService.Udp | Amazon EC2 | VPC flow logs+ | High |
| Backdoor:EC2/DenialOfService.UdpOnTcpPorts | Amazon EC2 | VPC flow logs+ | High |
| Backdoor:EC2/DenialOfService.UnusualProtocol | Amazon EC2 | VPC flow logs+ | High |
| Backdoor:EC2/Spambot | Amazon EC2 | VPC flow logs+ | Medium |
| Behavior:EC2/NetworkPortUnusual | Amazon EC2 | VPC flow logs+ | Medium |
| Behavior:EC2/TrafficVolumeUnusual | Amazon EC2 | VPC flow logs+ | Medium |
| CryptoCurrency:EC2/BitcoinTool.B | Amazon EC2 | VPC flow logs+ | High |
| DefenseEvasion:EC2/UnusualDNSResolver | Amazon EC2 | VPC flow logs+ | Medium |
| DefenseEvasion:EC2/UnusualDoHActivity | Amazon EC2 | VPC flow logs+ | Medium |
| DefenseEvasion:EC2/UnusualDoTActivity | Amazon EC2 | VPC flow logs+ | Medium |
| Impact:EC2/PortSweep | Amazon EC2 | VPC flow logs+ | High |
| Impact:EC2/WinRMBruteForce | Amazon EC2 | VPC flow logs+ | Low* |
| Recon:EC2/PortProbeEMRUnprotectedPort | Amazon EC2 | VPC flow logs+ | High |
| Recon:EC2/PortProbeUnprotectedPort | Amazon EC2 | VPC flow logs+ | Low* |
| Recon:EC2/Portscan | Amazon EC2 | VPC flow logs+ | Medium |
| Trojan:EC2/BlackholeTraffic | Amazon EC2 | VPC flow logs+ | Medium |
| Trojan:EC2/DropPoint | Amazon EC2 | VPC flow logs+ | Medium |
| UnauthorizedAccess:EC2/MaliciousIPCaller.Custom | Amazon EC2 | VPC flow logs+ | Medium |
| UnauthorizedAccess:EC2/RDPBruteForce | Amazon EC2 | VPC flow logs+ | Low* |
| UnauthorizedAccess:EC2/SSHBruteForce | Amazon EC2 | VPC flow logs+ | Low* |
| UnauthorizedAccess:EC2/TorClient | Amazon EC2 | VPC flow logs+ | High |
| UnauthorizedAccess:EC2/TorRelay | Amazon EC2 | VPC flow logs+ | High |