GuardDuty Findings

01 Sign in to the AWS Management Console.

02 Navigate to AWS GuardDuty home page at https://console.aws.amazon.com/guardduty.

03 In the left navigation panel, under Findings, click Current to access the Current findings page.

04 Click on the GuardDuty finding that you want to examine to expand the finding details panel.

05 Analyze the selected AWS GuardDuty finding by checking the following attributes:

1. Type – a concise yet readable description of the potential security issue. For more information, see AWS GuardDuty finding types.
2. Severity – a finding's assigned severity level of either High, Medium or Low.
3. Account ID – the ID of the AWS account in which the activity took place that prompted the service to generate the finding.
4. Resource ID – the ID of the AWS resource against which the activity took place that prompted the service to generate the finding.
5. Threat list name – the name of the threat list that includes the IP address/domain name involved in the suspicious activity that prompted the AWS GuardDuty service to generate the finding.
6. Action type – the finding activity type. This value can be one of the following: NETWORK_CONNECTION (when traffic was exchanged between the identified instance and the remote host), AWS_API_CALL (when an AWS API is invoked), PORT_PROBE (when a remote host probed the identified instance on multiple opened ports) or DNS_REQUEST (when the identified instance queried a domain name).
7. Actor IP address/domain – the IP address or domain involved in the suspicious activity.
8. Actor port – the port number involved in the activity that prompted AWS GuardDuty to generate the finding.
9. Actor location – location information of the IP address involved in the activity that prompted the service to generate the finding.

06 Based on the information returned at the previous step you can analyze the selected finding and make a plan to implement the recommended fix (see Remediation/Resolution section).

07 Repeat steps no. 4 – 6 to check and analyze other Amazon GuardDuty findings available in the current region.

08 Change the AWS region from the navigation bar and repeat the audit process for other regions.

01 Run list-detectors command (OSX/Linux/UNIX) using custom query filters to list the ID of the Amazon GuardDuty detector, available in the selected region. A detector is an object that represents the AWS GuardDuty service. A detector must be created in order for GuardDuty to become operational:

aws guardduty list-detectors
	--region us-east-1
	--query 'DetectorIds'

02 The command output should return an array with the requested detector ID:

[
    "DetectorId": "aaabbbcccdddeeefff01234567890123"
]

03 Run list-findings command (OSX/Linux/UNIX) using custom query filters to list the IDs of the existing AWS GuardDuty findings, available in the selected region:

aws guardduty list-findings
	--region us-east-1
	--detector-id aaabbbcccdddeeefff01234567890123
	--query 'FindingIds'

04 The command output should return an array with the existing finding IDs:

[
    "bbbbccccddddeeee1234567890123456",
    "ccccddddeeeeffff1234567890123456",
    "ddddeeeeffffgggg1234567890123456"
]

05 Run get-findings command (OSX/Linux/UNIX) using the ID of the GuardDuty detector returned at step no. 2 and the ID of the finding that you want to examine as identifiers, to describe the selected Amazon GuardDuty finding:

aws guardduty get-findings
	--region us-east-1
	--detector-id aaabbbcccdddeeefff01234567890123
	--finding-ids bbbbccccddddeeee1234567890123456

06 The command output should return the metadata for selected GuardDuty finding:

{
    "Findings": [
        {
            "Title": "Unprotected port on EC2 instance i-012345678aabbccdd is being probed.",
            "Type": "Recon:EC2/PortProbeUnprotectedPort",
            "Region": "us-east-1",
            "Partition": "aws",
            "Arn": "arn:aws:guardduty:us-east-1:123456789012:detector/aaabbbcccdddeeefff01234567890123/finding/bbbbccccddddeeee1234567890123456",
            "UpdatedAt": "2017-12-12T19:18:55.329Z",
            "SchemaVersion": "2.0",
            "Severity": 2.0,
            "Id": "bbbbccccddddeeee1234567890123456",
            "CreatedAt": "2017-12-12T19:18:55.329Z",
            "AccountId": "123456789012",

            ...

            "Description": "EC2 instance has an unprotected port which is being probed by a known malicious host.",
            "Service": {
                "Count": 1,
                "Archived": false,
                "ServiceName": "guardduty",
                "EventFirstSeen": "2017-12-12T19:10:53Z",
                "ResourceRole": "TARGET",
                "EventLastSeen": "2017-12-12T19:11:46Z",
                "DetectorId": "aaabbbcccdddeeefff01234567890123",
                "Action": {
                    "ActionType": "PORT_PROBE"
                }
            },

            ...

            "Resource": {
                "ResourceType": "Instance",
                "InstanceDetails": {
                    "ProductCodes": [],
                    "AvailabilityZone": "us-east-1a",
                    "InstanceId": "i-012345678aabbccdd",
                    "InstanceState": "running",
                    "ImageId": "ami-abcd01234",
                    "InstanceType": "c4.large",
                }
            }
        }
    ]
}

07 Analyze the selected AWS GuardDuty finding metadata by checking the following attributes:

1. "Title" – the title of the selected AWS GuardDuty finding.
2. "Type" – the type of the finding (e.g. "Recon:EC2/PortProbeUnprotectedPort"). For more information, see AWS GuardDuty finding types.
3. "Severity" – a finding's assigned severity level of either High, Medium or Low.
4. "AccountId" – the ID of the AWS account in which the activity took place that prompted the service to generate the finding.
5. "Resource" – the details about the AWS resource against which the activity took place that prompted the service to generate the finding.
6. "Description" – a concise yet readable description of the potential security issue.
7. "ActionType" – the finding activity type. This value can be one of the following: NETWORK_CONNECTION (when traffic was exchanged between the identified instance and the remote host), AWS_API_CALL (when an AWS API is invoked), PORT_PROBE (when a remote host probed the identified instance on multiple open ports) or DNS_REQUEST (when the identified instance queried a domain name).

08 Based on the information returned at the previous step you can analyze the selected finding and make a plan to implement the recommended fix (see Remediation/Resolution section).

09 Repeat steps no. 5 – 7 to check and analyze other Amazon GuardDuty findings available in the current region.

10 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 9 to perform the audit process for other regions.

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under NETWORK & SECURITY section, choose Security Groups.

04 Select the security group associated with the compromised EC2 instance, identified by the selected GuardDuty finding (see Audit section part I to identify the right EC2 resource).

05 Select the Inbound tab from the dashboard bottom panel and click the Edit button.

06 In the Edit inbound rules dialog box, change the traffic Source for the inbound rule that allows unrestricted access through TCP port 22 by performing one of the following actions:

1. Select My IP from the Source dropdown list to allow inbound traffic only from your machine (from your IP address).
2. Select Custom from the Source dropdown list and enter one of the following options based on your access requirements:
   • A specific (trusted) IP address (IPv4) with the suffix set to /32, e.g. 192.168.100.54/32.
   • An IP address range (IPv4) in CIDR notation, for example 192.168.100.0/24.
   • The name or ID of another trusted security group available in the same AWS region.

07 Click Save to apply the changes. The SSH access is now restricted to the specific IP address/range or security group.

01 First, run revoke-security-group-ingress command (OSX/Linux/UNIX) to remove the inbound rule that allows unrestricted access through TCP port 22, from the security group associated with the compromised EC2 instance, identified by the selected GuardDuty finding (the command does not return an output):

aws ec2 revoke-security-group-ingress
	--region us-east-1
	--group-name cc-staging-env-sg
	--protocol tcp
	--port 22
	--cidr 0.0.0.0/0

02 Run authorize-security-group-ingress command (OSX/Linux/UNIX) to add the inbound rule removed at the previous step with a different set of parameters in order to restrict SSH access to specific entities. To add custom inbound rules to the selected security group, use one of the following options (the command does not return an output):

• Add an inbound rule that allows SSH access to a specific IP address (IPv4) via port 22:
  aws ec2 authorize-security-group-ingress
  	--region us-east-1
  	--group-name cc-staging-env-sg
  	--protocol tcp
  	--port 22
  	--cidr 192.168.100.54/32
  

• Add an inbound rule that allows SSH access to a specific IP address range (IPv4) via port 22:
  aws ec2 authorize-security-group-ingress
  	--region us-east-1
  	--group-name cc-staging-env-sg
  	--protocol tcp
  	--port 22
  	--cidr 192.168.100.0/24
  

• Add an inbound rule that allows SSH access to another (trusted) EC2 security group in the same AWS region via port 22:
  aws ec2 authorize-security-group-ingress
  	--region us-east-1
  	--group-name cc-staging-env-sg
  	--protocol tcp
  	--port 22
  	--source-group cc-new-staging-sg