Vendors Amazon Web Services AWS GuardDuty GuardDuty EKS Protection Finding Types

GuardDuty EKS Protection Finding Types

Threat detection for Amazon EKS clusters

AWS GuardDuty EKS Protection finding types detecting threats against Amazon EKS clusters through Kubernetes audit logs analysis, including malicious file execution, privilege escalation, credential access, container escape, cluster deletion, and defense evasion activities

eks kubernetes container-security cluster-protection threat-detection

JSON Format 13 Fields High Frequency Generator

Preview Sample View Schema

Overview

EKS Protection monitors Kubernetes audit logs from Amazon EKS clusters to detect malicious activity including malicious file execution, privilege escalation, credential access, container escape, cluster deletion, defense evasion, and unauthorized access attempts. Uses ML anomaly detection and threat intelligence to identify suspicious Kubernetes API activity patterns.

When Generated:

Malicious file execution detected in EKS cluster through Kubernetes audit logs
Container information discovery for defense evasion (ML-detected)
Unauthorized cluster query indicating reconnaissance activity
Kubernetes credential access attempts (ML-detected)
Backdoor container detected in cluster
Privilege escalation to cluster admin role (ML-detected)
EKS cluster deletion attempt detected
Namespace or workload deletion attempts
Unauthorized data access from EKS cluster (ML-detected)
Secret access from EKS cluster (ML-detected)
Container escape attempts
EKS audit logging disabled to evade detection

Security Relevance:

Critical

Compliance:

PCI-DSS 6.5.8 HIPAA 164.308(a)(1) SOC 2 CC7.2 ISO 27001 A.12.4.1 NIST CSF PR.DS-5 CIS Kubernetes Benchmark 5.1.1-5.7.4 NIST SP 800-190

Frequency Notes:

EKS Protection findings vary based on cluster activity and security posture. Production clusters typically see 10-50 findings per day. Frequency scales with Kubernetes API volume, cluster size, and workload activity. Privilege escalation and credential access findings are high-severity but lower frequency (5-20 per day). Malicious file execution and cluster deletion attempts are critical but rare (1-5 per day). Container escape and defense evasion activities indicate active attacks (5-30 per day during incidents).

Resources

Documentation

EKS Protection Finding Types official
Remediating Compromised EKS Cluster official
Enabling EKS Protection official
Kubernetes Audit Logs reference

Tools

AWS EKS
Amazon Elastic Kubernetes Service
kubectl
Kubernetes command-line tool
CIS Kubernetes Benchmark
Security best practices for Kubernetes

Generation Configuration

Base Frequency: 30 events/hour

Time Patterns:

business_hours night_hours weekend

Business Hours Multiplier: 2.5x

Night Hours Multiplier: 2.0x

Weekend Multiplier: 1.5x

Field Definitions

Complete field reference for this event type with data types, descriptions, and example values.

Field Name	Type	Required	Format	Description	Example	Possible Values
detail.type Source: random_choice() of 15 EKS finding types	String	Required	—	EKS Protection finding type indicating attack tactic and Kubernetes resource	`Execution:EKS/MaliciousFileExecution`	`Execution:EKS/MaliciousFileExecution` — Malicious file execution detected in EKS cluster `DefenseEvasion:EKS/ContainerInfoDiscovery` — Container information discovery for defense evasion `Discovery:EKS/ClusterQuery` — Unauthorized cluster query indicating reconnaissance `InitialAccess:EKS/KubernetesCredentialAccess` — Kubernetes credential access attempt `Persistence:EKS/BackdoorContainer` — Backdoor container detected in cluster `PrivilegeEscalation:EKS/ClusterAdminAccess` — Privilege escalation to cluster admin role `Impact:EKS/ClusterDelete` — EKS cluster deletion attempt detected `Impact:EKS/NamespaceDelete` — Namespace deletion attempt detected `Impact:EKS/WorkloadDelete` — Workload deletion attempt detected `Exfiltration:EKS/DataAccess` — Unauthorized data access from EKS cluster `CredentialAccess:EKS/SecretAccess` — Unauthorized access to Kubernetes secrets `Recon:EKS/ClusterQuery` — Reconnaissance activity against cluster `Recon:EKS/NodeQuery` — Reconnaissance activity against nodes `LateralMovement:EKS/ContainerEscape` — Container escape attempt detected `Stealth:EKS/AuditLoggingDisabled` — EKS audit logging disabled to evade detection
detail.resource.eksClusterDetails Source: EKS cluster metadata from AWS	Object	Required	—	Details about the EKS cluster involved in finding	`{name, arn, vpcId, subnetIds, createdAt, status, tags, kubernetesVersion}`	—
detail.resource.eksClusterDetails.name Source: random_choice() of cluster names	String	Required	`EKS cluster name`	Name of the EKS cluster	`production-cluster-1234`	—
detail.resource.eksClusterDetails.arn Source: Constructed from region, account ID, and cluster name	String	Required	`AWS ARN format`	Amazon Resource Name (ARN) of the EKS cluster	`arn:aws:eks:us-east-1:123456789012:cluster/production-cluster-1234`	—
detail.resource.eksClusterDetails.kubernetesVersion Source: random_choice(['1.28', '1.27', '1.26', '1.25', '1.24'])	String	Required	`Semantic version (major.minor)`	Kubernetes version running on the cluster	`1.28`	`1.28` — Kubernetes version 1.28 `1.27` — Kubernetes version 1.27 `1.26` — Kubernetes version 1.26
detail.service.action.kubernetesApiCallAction.requestUri Source: random_choice() of common Kubernetes API paths	String	Required	`Kubernetes API path`	Kubernetes API endpoint that was called	`/api/v1/namespaces/default/secrets`	—
detail.service.action.kubernetesApiCallAction.verb Source: random_choice(['get', 'list', 'create', 'update', 'patch', 'delete', 'watch', 'exec', 'portforward'])	String	Required	`Kubernetes API verb`	Kubernetes API verb (HTTP method equivalent)	`get`	`get` — Retrieve a single resource `list` — List multiple resources `create` — Create a new resource `update` — Update an existing resource `patch` — Partially update a resource `delete` — Delete a resource `watch` — Watch for changes to resources `exec` — Execute a command in a container `portforward` — Forward ports to a pod
detail.service.action.kubernetesApiCallAction.userIdentity.userName Source: random_choice() from registry users or Kubernetes system identities	String	Required	`Kubernetes identity format`	Kubernetes user or service account name that made the API call	`system:serviceaccount:default:default`	—
detail.service.action.kubernetesApiCallAction.namespace Source: random_choice() of common namespaces	String	Required	`Kubernetes namespace name`	Kubernetes namespace where the API call was made	`default`	—
detail.service.action.kubernetesApiCallAction.resource Source: random_choice(['pods', 'secrets', 'configmaps', 'deployments', 'services', 'nodes', 'roles', 'clusterroles', 'serviceaccounts'])	String	Required	`Kubernetes resource type (plural)`	Kubernetes resource type that was accessed	`pods`	—
detail.service.action.kubernetesApiCallAction.responseStatusCode Source: random_choice([200, 201, 403, 404, 500])	Integer	Required	`HTTP status code`	HTTP status code returned by the Kubernetes API	`200`	`200` — Success (OK) `201` — Success (Created) `403` — Forbidden (authorization failed) `404` — Not Found (resource does not exist) `500` — Internal Server Error
detail.service.additionalInfo.unusual.kubernetesApiCall Source: Object with unusual behavior flags for ML-detected anomalies	Object	Optional	—	ML model analysis of unusual behaviors for anomalous Kubernetes API calls	`{"verb": "anomalous", "resource": "not historical", "namespace": "infrequent"}`	—
detail.severity Source: random_choice([2, 5, 5, 5, 8, 8, 8])	Integer	Required	—	Finding severity level (0-10)	`8`	`2` — Low severity (1.0-3.9) `5` — Medium severity (4.0-6.9) `8` — High severity (7.0-8.9)

Details

Fields

High

Frequency

Feedback

No ratings yet