Collected runtime event types that GuardDuty uses
The GuardDuty security agent collects the following events types and sends them to the GuardDuty backend for threat detection and analysis. GuardDuty doesn't make these events accessible to you. If GuardDuty detects a potential threat and generates a Runtime Monitoring finding, you can view the corresponding finding details. For more information about how GuardDuty uses the collected event types, see Opting out of using your data for service improvement.
Process events
| Field name | Description |
|---|---|
Process name |
Name of the observed process. |
Process Path |
Absolute path of the process executable. |
Process ID |
The ID assigned to the process by the operating system. |
Namespace PID |
The process ID of the process in a secondary PID namespace other than the host level PID namespace. For processes inside a container, it is the process ID observed inside the container. |
Process User ID |
The unique ID of the user that executed the process. |
Process UUID |
The unique ID assigned to the process by GuardDuty. |
Process GID |
Process ID of the process group. |
Process EGID |
Effective group ID of the process group. |
Process EUID |
Effective user ID of the process. |
Process User Name |
The user name that executed the process. |
Process Start Time |
The time when the process was created. This field is in the UTC date string format ( |
Process Executable SHA-256 |
The |
Process Script Path |
Path of the script file that was executed. |
Process Environment Variable |
The environment variable made available to the process. Only |
Process Present Working Directory (PWD) |
Present working directory of the process. |
Parent process |
Process details of the parent process. A parent process is a process that created the observed process. |
|
Command Line Arguments Presently, this field is limited to specific agent versions corresponding to the resource type:
For more information, see GuardDuty agent release history. |
Command-line arguments provided at the time of process execution. This field might contain sensitive customer data. |
Container events
Field name |
Description |
|---|---|
Container Name |
Name of the container. When available,
this field displays the
value of the label |
Container UID |
The unique ID of the container assigned by the container runtime. |
Container Runtime |
The container runtime (such as |
Container Image ID |
The ID of the container image. |
Container Image Name |
Name of the container image. |
AWS Fargate (Amazon ECS only) task events
Field name |
Description |
|---|---|
Task Amazon Resource Name (ARN) |
The ARN of the task. |
Cluster Name |
The name of the Amazon ECS cluster. |
Family Name |
The task definition's family name. The |
Service Name |
The name of the Amazon ECS service, if the task was launched as part of a service. |
Launch Type |
The infrastructure on which your task runs. For Runtime Monitoring with resource type as |
CPU |
The number of CPU units used by the task as expressed in the task definition. |
Kubernetes pod events
Field name |
Description |
|---|---|
Pod ID |
The ID of the Kubernetes pod. |
Pod name |
Name of the Kubernetes pod. |
Pod Namespace |
Name of the Kubernetes namespace to which the Kubernetes workload belongs. |
Kubernetes Cluster Name |
Name of the Kubernetes cluster. |
DNS events
Field name |
Description |
|---|---|
Socket Type |
Type of socket to indicate communication semantics. For example, |
Address Family |
Represents the communication protocol associated with the address.
For example, the address family |
Direction ID |
The ID of the connection direction. |
Protocol Number |
The layer 4 protocol number such as 17 for UDP and 6 for TCP. |
DNS Remote Endpoint IP |
The remote IP of the connection. |
DNS Remote Endpoint Port |
The port number of the connection. |
DNS Local Endpoint IP |
The local IP of the connection. |
DNS Local Endpoint Port |
The port number of the connection. |
DNS Payload |
The payload of DNS packets that contains DNS queries and responses. |
Open events
Field name |
Description |
|---|---|
Filepath |
Path of the file that is opened in this event. |
Flags |
Describes the file access mode, such as read-only, write-only, and read-write. |
Load module event
Field name |
Description |
|---|---|
Module Name |
Name of the module loaded into the kernel. |
Mprotect events
Field name |
Description |
|---|---|
Address Range |
The address range for which the access protections were modified. |
Memory Regions |
Specifies the Region of a process's address space such as stack and heap. |
Flags |
Represents options that control the behavior of this event. |
Mount events
Field name |
Description |
|---|---|
Mount Target |
The path where the mount source is mounted. |
Mount Source |
The path on the host that is mounted at the mount target. |
Filesystem Type |
Represents the type of mounted fileSystem. |
Flags |
Represents options that control the behavior of this event. |
Link events
Field name |
Description |
|---|---|
Link Path |
Path where the hard link gets created. |
Target Path |
Path of the file at which the hard link points. |
Symlink events
Field name |
Description |
|---|---|
Link Path |
Path where the symbolic link is created. |
Target Path |
Path of the file at which the symbolic link points. |
Dup events
Field name |
Description |
|---|---|
Old File Descriptor |
A file descriptor that represents an open file object. |
New File Descriptor |
A new file descriptor that is a duplicate of the old file descriptor. Both the old and new file descriptors represent the same open file object. |
Dup Remote Endpoint IP |
The remote IP address of the network socket represented by the old file descriptor. Only applicable when the old file descriptor represents a network socket. |
Dup Remote Endpoint Port |
The remote port of the network socket represented by the old file descriptor. Only applicable when the old file descriptor represents a network socket. |
Dup Local Endpoint IP |
The local IP address of the network socket represented by the old file descriptor. Only applicable when the old file descriptor represents a network socket. |
Dup Local Endpoint Port |
The local port of the network socket represented by the old file descriptor. Only applicable when the old file descriptor represents a network socket. |
Memory map event
Field name |
Description |
|---|---|
Filepath |
Path of the file to which the memory is mapped. |
Socket events
Field name |
Description |
|---|---|
Address family |
Represents the communication protocol
associated with the address. For example, the address family |
Socket Type |
Type of socket to indicate communication semantics. For example, |
Protocol number |
Specifies a particular protocol within the address family.
Usually there is a single protocol in address families. For example, the address family |
Connect events
Field name |
Description |
|---|---|
Address family |
Represents the communication protocol
associated with the address. For example, the address family |
Socket Type |
Type of socket to indicate communication semantics. For example, |
Protocol Number |
Specifies a particular protocol within the address family. Usually there is a single protocol
in address families. For example, the address family |
Filepath |
Path of the socket file if the address family is |
Remote Endpoint IP |
The remote IP of the connection. |
Remote Endpoint Port |
The port number of the connection. |
Local Endpoint IP |
The local IP of the connection. |
Local Endpoint Port |
The port number of the connection. |
Process VM Readv events
Field name |
Description |
|---|---|
Flags |
Represents options that control the behavior of this event. |
Target PID |
Process ID of the process from which memory is being read. |
Target Process UUID |
The unique ID of the target process. |
Target Executable Path |
The absolute path of the target process executable file. |
Process VM Writev events
Field name |
Description |
|---|---|
Flags |
Represents options that control the behavior of this event. |
Target PID |
Process ID of the process to which memory is being written. |
Target Process UUID |
The unique ID of the target process. |
Target Executable Path |
The absolute path of the target process executable file. |
Ptrace events
Field name |
Description |
|---|---|
Target PID |
Process ID of the target process. |
Target Process UUID |
The unique ID of the target process. |
Target Executable Path |
The absolute path of the target process executable file. |
Flags |
Represents options that control the behavior of this event. |
Bind events
Field name |
Description |
|---|---|
Address Family |
Represents the communication protocol associated with the address. For
example, the address family |
Socket type |
Type of socket to indicate communication semantics. For example,
|
Protocol number |
The layer 4 protocol number such as 17 for UDP and 6 for TCP. |
Local endpoint IP |
The local IP of the connection. |
Local endpoint port |
The port number of the connection. |
Listen events
Field name |
Description |
|---|---|
Address Family |
Represents the communication protocol associated with the address. For
example, the address family |
Socket type |
Type of socket to indicate communication semantics. For example,
|
Protocol number |
The layer 4 protocol number such as 17 for UDP and 6 for TCP. |
Local endpoint IP |
The local IP of the connection. |
Local endpoint port |
The port number of the connection. |
Rename events
Field name |
Description |
|---|---|
Filepath |
Path where the file that is renamed. |
Target |
The new path of the file. |
Set UID events
Field name |
Description |
|---|---|
New EUID |
The new effective user ID of the process. |
New UID |
The new user ID of the process. |
Chmod events
Field name |
Description |
|---|---|
Filepath |
Path of the file that invokes this event. |
Filemode |
The updated access permissions for the associated file. |
