Vendors Amazon Web Services AWS GuardDuty GuardDuty EC2 Finding Types

GuardDuty EC2 Finding Types

Threat detection for Amazon EC2 instances

AWS GuardDuty EC2 finding types including backdoor communications, cryptocurrency mining, brute force attacks, port scans, malicious domain queries, Tor network usage, and defense evasion activities

ec2 threat-detection network-security compute instance-compromise

JSON Format 13 Fields Medium Frequency Generator

Preview Sample View Schema

Overview

GuardDuty generates EC2 findings when it detects suspicious activity on EC2 instances including command-and-control communications, cryptocurrency mining, brute force attacks, port scans, Tor network usage, and various malicious behaviors. These findings are based on VPC Flow Logs and DNS logs analysis.

When Generated:

EC2 instance queries known command-and-control servers
Cryptocurrency mining or Bitcoin-related activity detected
Brute force SSH or RDP authentication attempts
Port scanning or port probe activity detected
Communication with Tor network nodes
DNS queries for malicious, phishing, or DGA domains
Unusual network port or DNS resolver usage
Denial of Service (DoS) attack behavior
DNS data exfiltration attempts
Backdoor or trojan communications

Security Relevance:

High

Compliance:

PCI-DSS 11.4 HIPAA 164.312(b) SOC 2 CC7.2 ISO 27001 A.12.4.1 NIST CSF PR.DS-5 CIS AWS Foundations 4.1-4.16

Frequency Notes:

EC2 findings are the most common GuardDuty finding type. Frequency varies based on environment size, threat landscape, and security posture. Production environments typically see 50-200 EC2 findings per hour. Malicious activity often increases during nights and weekends when security monitoring may be reduced. Brute force attacks and port scans are continuous throughout the day.

Resources

Documentation

GuardDuty EC2 Finding Types official
Remediating Compromised EC2 Instances official
GuardDuty Foundational Data Sources official

Tools

AWS GuardDuty Console
Web interface for viewing and managing EC2 findings
AWS Security Hub
Centralized security findings including GuardDuty EC2 findings

Generation Configuration

Base Frequency: 50 events/hour

Time Patterns:

business_hours night_hours weekend

Business Hours Multiplier: 2.5x

Night Hours Multiplier: 2.0x

Weekend Multiplier: 1.2x

Field Definitions

Complete field reference for this event type with data types, descriptions, and example values.

Field Name	Type	Required	Format	Description	Example	Possible Values
detail.type Source: random_choice() of 40 EC2 finding types	String	Required	—	GuardDuty EC2 finding type indicating threat category and detection method	`UnauthorizedAccess:EC2/SSHBruteForce`	`Backdoor:EC2/C&CActivity.B` — Instance querying IP of known C&C server (VPC Flow Logs) `Backdoor:EC2/C&CActivity.B!DNS` — Instance querying domain of known C&C server (DNS Logs) `Backdoor:EC2/DenialOfService.Dns` — Instance performing DNS-based DoS attack `Backdoor:EC2/DenialOfService.Tcp` — Instance performing TCP-based DoS attack `Backdoor:EC2/DenialOfService.Udp` — Instance performing UDP-based DoS attack `Backdoor:EC2/Spambot` — Instance communicating on port 25 (SMTP) for spam `Behavior:EC2/NetworkPortUnusual` — Instance communicating on unusual port with no prior history `Behavior:EC2/TrafficVolumeUnusual` — Instance generating unusually large traffic volume `CryptoCurrency:EC2/BitcoinTool.B` — Instance querying Bitcoin-related IP addresses `CryptoCurrency:EC2/BitcoinTool.B!DNS` — Instance querying Bitcoin-related domain names `DefenseEvasion:EC2/UnusualDNSResolver` — Instance communicating with unusual public DNS resolver `DefenseEvasion:EC2/UnusualDoHActivity` — Instance performing DNS over HTTPS (DoH) communication `DefenseEvasion:EC2/UnusualDoTActivity` — Instance performing DNS over TLS (DoT) communication `Impact:EC2/MaliciousDomainRequest.Reputation` — Instance querying low reputation malicious domain `Impact:EC2/PortSweep` — Instance probing port on large number of IPs `Recon:EC2/PortProbeUnprotectedPort` — Instance has unprotected port being probed by scanner `Recon:EC2/Portscan` — Instance performing outbound port scan `Trojan:EC2/DNSDataExfiltration` — Instance exfiltrating data through DNS queries `Trojan:EC2/DGADomainRequest.B` — Instance querying algorithmically generated domains `Trojan:EC2/PhishingDomainRequest!DNS` — Instance querying domains involved in phishing `UnauthorizedAccess:EC2/SSHBruteForce` — Instance involved in SSH brute force attack `UnauthorizedAccess:EC2/RDPBruteForce` — Instance involved in RDP brute force attack `UnauthorizedAccess:EC2/TorClient` — Instance making connections to Tor Guard or Authority node `UnauthorizedAccess:EC2/TorRelay` — Instance acting as Tor relay `UnauthorizedAccess:EC2/MetadataDNSRebind` — Instance performing DNS lookups resolving to metadata service
detail.resource.instanceDetails.instanceId Source: random_hex(17, 17) with 'i-' prefix	String	Required	`i-{17 hex chars}`	EC2 instance identifier	`i-1234567890abcdef0`	—
detail.resource.instanceDetails.instanceType Source: random_choice() of common instance types	String	Required	—	EC2 instance type	`t3.medium`	—
detail.resource.instanceDetails.imageDescription Source: random_choice() of common OS images	String	Required	—	AMI description for the instance	`Amazon Linux 2023`	—
detail.service.action.actionType Source: random_choice(['NETWORK_CONNECTION', 'PORT_PROBE', 'DNS_REQUEST'])	String	Required	—	Type of action that triggered the finding	`NETWORK_CONNECTION`	`NETWORK_CONNECTION` — Network traffic exchanged between instance and remote host `PORT_PROBE` — Port on instance being probed by external scanner `DNS_REQUEST` — Instance queried a domain name
detail.service.action.networkConnectionAction.connectionDirection Source: random_choice(['OUTBOUND', 'INBOUND'])	String	Optional	—	Direction of network connection	`OUTBOUND`	`OUTBOUND` — Instance initiated connection to remote host `INBOUND` — Remote host initiated connection to instance
detail.service.action.networkConnectionAction.remoteIpDetails.ipAddressV4 Source: random_public_ip()	String	Optional	`IPv4`	Remote IP address involved in the activity	`203.0.113.42`	—
detail.service.action.networkConnectionAction.remotePortDetails.port Source: random_choice() of common service ports	Integer	Optional	—	Remote port number	`22`	—
detail.service.action.networkConnectionAction.protocol Source: random_choice(['TCP', 'UDP', 'ICMP'])	String	Optional	—	Network protocol used	`TCP`	—
detail.service.action.dnsRequestAction.domain Source: random_choice() of test and malicious domains	String	Optional	—	Domain name queried by the instance	`guarddutyc2activityb.com`	—
detail.service.resourceRole Source: random_choice(['TARGET', 'ACTOR'])	String	Required	—	Role of the resource in the finding	`TARGET`	`TARGET` — Instance was the target of malicious activity `ACTOR` — Instance was performing malicious activity
detail.service.additionalInfo.threatListName Source: random_choice() of threat list names	String	Optional	—	Name of threat intelligence list that matched	`ProofPoint`	—
detail.severity Source: random_choice([2, 2, 5, 5, 5, 8, 8])	Integer	Required	—	Finding severity level (0-10)	`8`	`2` — Low severity (1.0-3.9) `5` — Medium severity (4.0-6.9) `8` — High severity (7.0-8.9)

Details

Fields

Medium

Frequency

Feedback

No ratings yet