Vendors Amazon Web Services AWS GuardDuty GuardDuty Attack Sequence Finding Types

GuardDuty Attack Sequence Finding Types

Extended Threat Detection for multi-stage attacks

AWS GuardDuty Extended Threat Detection attack sequence findings detecting multi-stage attacks across EKS, ECS, EC2, IAM, and S3 resources using proprietary correlation algorithms

attack-sequence extended-threat-detection multi-stage-attack critical-severity

JSON Format 6 Fields Critical Frequency Generator

Preview Sample View Schema

Overview

GuardDuty Extended Threat Detection automatically identifies multi-stage attacks spanning resources, data sources, and time within 24-hour rolling windows. Uses proprietary correlation algorithms to detect sophisticated attack patterns including credential misuse, data compromise in S3, and container/Kubernetes compromises.

When Generated:

Sequence of suspicious actions by compromised EKS cluster (container exploit, token theft, secret access)
Compromised ECS cluster with malicious processes and C2 communication
EC2 instance group compromise with malware, suspicious network, credential misuse
IAM credentials used for suspicious API sequences impacting multiple resources
S3 data compromise attempts including exfiltration or destruction patterns

Security Relevance:

Critical

Compliance:

PCI-DSS 11.4 HIPAA 164.312(b) SOC 2 CC7.2 ISO 27001 A.12.4 NIST CSF DE.AE-2

Frequency Notes:

Attack sequences are rare but critical - expect 2-20 per day in active threat environments. All attack sequences have Critical severity (10/10). Generated when GuardDuty correlates weak signals into high-confidence threat patterns within 24-hour windows.

Resources

Documentation

Attack Sequence Finding Types official
Extended Threat Detection official

Generation Configuration

Base Frequency: 5 events/hour

Time Patterns:

business_hours night_hours weekend

Business Hours Multiplier: 1.5x

Night Hours Multiplier: 2.0x

Weekend Multiplier: 1.2x

Field Definitions

Complete field reference for this event type with data types, descriptions, and example values.

Field Name	Type	Required	Format	Description	Example	Possible Values
detail.type	String	Required	—	Attack sequence finding type	`AttackSequence:EKS/CompromisedCluster`	`AttackSequence:EKS/CompromisedCluster` — Sequence indicating compromised EKS cluster `AttackSequence:ECS/CompromisedCluster` — Sequence indicating compromised ECS cluster `AttackSequence:EC2/CompromisedInstanceGroup` — Sequence indicating compromised EC2 instance group `AttackSequence:IAM/CompromisedCredentials` — Sequence of API requests using compromised IAM credentials `AttackSequence:S3/CompromisedData` — Sequence indicating S3 data exfiltration or destruction
detail.service.attackSequence.signals	Array	Required	—	Timeline of events (findings and API activities) correlated into attack sequence	`[{uid, type: 'FINDING', name, createdAt, count}]`	—
detail.service.attackSequence.actors	Array	Required	—	Actors involved in attack sequence	`[{id: 'user-name', type: 'AWS_USER'}]`	—
detail.service.attackSequence.indicators	Array	Required	—	Indicators explaining why GuardDuty identified suspicious activity	—	`HIGH_RISK_API` — Action commonly used by threat actors `SUSPICIOUS_NETWORK` — Communication with suspicious endpoints `CREDENTIAL_ANOMALY` — Unusual credential usage pattern
detail.service.attackSequence.mitreTactics	Array	Required	—	MITRE ATT&CK tactics observed in attack sequence	`["InitialAccess", "PrivilegeEscalation", "Exfiltration"]`	—
detail.severity	Integer	Required	—	Always 10 (Critical) for attack sequences	`10`	—

Details

Fields

Critical

Frequency

Feedback

No ratings yet