
GuardDuty Lambda Protection Finding Types

Threat detection for AWS Lambda functions

AWS GuardDuty Lambda Protection finding types detect threats against AWS Lambda functions through network activity monitoring, including command and control (C&C) communications, cryptocurrency mining, trojan activity, malicious IP access, and Tor network usage.

Tags: lambda, serverless, function, network-activity, threat-detection
Format: JSON | Fields: 18 | Frequency: Medium

Overview

Lambda Protection monitors network activity from AWS Lambda functions to detect malicious behavior, including command and control communications, cryptocurrency mining, trojan activity, malicious IP access, and Tor network usage. It uses threat intelligence and network pattern analysis to identify suspicious Lambda function behavior.

When Generated:

  • Lambda function queries IP address associated with known command and control server
  • Lambda function queries IP address associated with cryptocurrency-related activity
  • Lambda function exhibits blackhole traffic pattern
  • Lambda function exhibits drop point trojan activity
  • Lambda function makes connections to known malicious IP address (custom threat list)
  • Lambda function makes connections to Tor Guard or Authority node
  • Lambda function acts as Tor relay

Security Relevance:

High

Compliance:

  • PCI-DSS 11.4
  • HIPAA 164.312(b)
  • SOC 2 CC7.2
  • ISO 27001 A.12.4.1
  • NIST CSF PR.DS-5, DE.AE-3
  • CIS AWS Foundations 4.1-4.16

Frequency Notes:

The frequency of Lambda Protection findings depends on Lambda function network activity and the threat landscape. Production environments typically see 5-30 findings per day. C&C and cryptocurrency findings are high-severity but lower frequency (2-15 per day). Trojan activity findings are medium-severity (5-20 per day). Malicious IP and Tor findings indicate active attacks (3-15 per day during attacks). All Lambda Protection findings have a High default severity (8.0).


Generation Configuration

Base Frequency: 20 events/hour
Time Patterns: business_hours, night_hours, weekend
Business Hours Multiplier: 2.0x
Night Hours Multiplier: 1.5x
Weekend Multiplier: 1.0x

Field Definitions

Complete field reference for this event type with data types, descriptions, and example values.

Each entry lists the field name, its generator source, type and requirement, format (where defined), description, example, and possible values.

detail.type
  Source: random_choice() of 7 Lambda Protection finding types
  Type: String (required)
  Description: Lambda Protection finding type indicating attack category and detection method
  Example: Backdoor:Lambda/C&CActivity.B
  Possible values:
    • Backdoor:Lambda/C&CActivity.B — Lambda function querying IP associated with known C&C server (severity: High)
    • CryptoCurrency:Lambda/BitcoinTool.B — Lambda function querying IP associated with cryptocurrency activity (severity: High)
    • Trojan:Lambda/BlackholeTraffic — Lambda function blackhole traffic pattern detected (severity: High)
    • Trojan:Lambda/DropPoint — Lambda function drop point trojan activity detected (severity: High)
    • UnauthorizedAccess:Lambda/MaliciousIPCaller.Custom — Lambda function making connections to known malicious IP (custom threat list) (severity: High)
    • UnauthorizedAccess:Lambda/TorClient — Lambda function making connections to Tor Guard or Authority node (severity: High)
    • UnauthorizedAccess:Lambda/TorRelay — Lambda function acting as Tor relay (severity: High)

detail.resource.resourceType
  Source: Fixed value: 'Lambda'
  Type: String (required)
  Description: Type of resource (always Lambda for Lambda Protection findings)
  Example: Lambda
  Possible values:
    • Lambda — AWS Lambda function

detail.resource.lambdaDetails
  Source: Lambda function metadata from GuardDuty
  Type: Object (required)
  Description: Details about the Lambda function where activity was detected
  Example: {functionArn, functionName, description, runtime, handler, role, vpcConfig}

detail.resource.lambdaDetails.functionArn
  Source: Lambda function ARN from GuardDuty
  Type: String (required)
  Format: AWS Lambda function ARN
  Description: Amazon Resource Name (ARN) of the Lambda function
  Example: arn:aws:lambda:us-east-1:123456789012:function:api-handler

detail.resource.lambdaDetails.functionName
  Source: Lambda function name from GuardDuty
  Type: String (required)
  Format: Lambda function name
  Description: Name of the Lambda function
  Example: api-handler

detail.resource.lambdaDetails.runtime
  Source: random_choice() of Lambda runtime environments
  Type: String (required)
  Format: Lambda runtime identifier
  Description: Runtime environment for the Lambda function
  Example: python3.11
  Possible values:
    • python3.11 — Python 3.11
    • python3.12 — Python 3.12
    • nodejs20.x — Node.js 20.x
    • nodejs18.x — Node.js 18.x
    • java17 — Java 17
    • java21 — Java 21
    • go1.x — Go 1.x
    • ruby3.2 — Ruby 3.2
    • dotnet8 — .NET 8

detail.resource.lambdaDetails.handler
  Source: random_choice() of common Lambda handlers
  Type: String (required)
  Format: Handler identifier
  Description: Lambda function handler (entry point)
  Example: index.handler

detail.resource.lambdaDetails.role
  Source: Lambda execution role ARN
  Type: String (required)
  Format: IAM role ARN
  Description: IAM role ARN used by the Lambda function
  Example: arn:aws:iam::123456789012:role/lambda-execution-role

detail.resource.lambdaDetails.vpcConfig
  Source: VPC configuration from Lambda function metadata
  Type: Object (optional)
  Description: VPC configuration for the Lambda function (if the function is in a VPC)
  Example: {vpcId, subnetIds, securityGroupIds}

detail.service.action.actionType
  Source: random_choice(['NETWORK_CONNECTION', 'DNS_REQUEST'])
  Type: String (required)
  Description: Type of action that triggered the finding
  Example: NETWORK_CONNECTION
  Possible values:
    • NETWORK_CONNECTION — Network connection from Lambda function
    • DNS_REQUEST — DNS query from Lambda function

detail.service.action.networkConnectionAction.connectionDirection
  Source: random_choice(['OUTBOUND', 'INBOUND'])
  Type: String (required)
  Description: Direction of network connection (usually OUTBOUND for Lambda)
  Example: OUTBOUND
  Possible values:
    • OUTBOUND — Lambda function initiated connection to remote host
    • INBOUND — Remote host initiated connection to Lambda function (rare)

detail.service.action.networkConnectionAction.remoteIpDetails.ipAddressV4
  Source: random_public_ip()
  Type: String (required)
  Format: IPv4 address
  Description: Remote IP address that the Lambda function connected to
  Example: 203.0.113.42

detail.service.action.networkConnectionAction.remotePortDetails.port
  Source: random_choice() of common service ports
  Type: Integer (required)
  Format: Integer (1-65535)
  Description: Remote port number that the Lambda function connected to
  Example: 443
  Possible values:
    • 80 — HTTP
    • 443 — HTTPS
    • 8333 — Bitcoin P2P
    • 8332 — Bitcoin RPC
    • 4444 — Common backdoor port
    • 8080 — HTTP alternate

detail.service.action.networkConnectionAction.protocol
  Source: random_choice(['TCP', 'UDP'])
  Type: String (required)
  Description: Network protocol used
  Example: TCP
  Possible values:
    • TCP — Transmission Control Protocol
    • UDP — User Datagram Protocol

detail.service.action.dnsRequestAction.domain
  Source: random_choice() of test and malicious domains
  Type: String (optional)
  Format: Domain name
  Description: Domain name queried by the Lambda function (for DNS-based findings)
  Example: guarddutyc2activityb.com

detail.service.additionalInfo.threatListName
  Source: random_choice() of threat intelligence list names
  Type: String (optional)
  Format: Threat list name
  Description: Name of the threat intelligence list that matched
  Example: ProofPoint
  Possible values:
    • ProofPoint — ProofPoint threat intelligence feed
    • Custom Threat List — Custom user-defined threat list (for MaliciousIPCaller.Custom)
    • AWS Threat Intelligence — AWS managed threat intelligence
    • Tor Exit Nodes — Tor exit node list
    • Amazon — Amazon threat intelligence (includes Log4j-related threats)

detail.service.additionalInfo.threatName
  Source: random_choice() of threat names
  Type: String (optional)
  Format: Threat name
  Description: Name of the specific threat identified
  Example: C&C Server
  Possible values:
    • C&C Server — Command and control server
    • Bitcoin Mining — Cryptocurrency mining activity
    • Tor Network — Tor network node
    • Log4j Related — Log4j vulnerability exploitation
    • Malicious Domain — Known malicious domain

detail.severity
  Source: random_choice([8, 8, 8]) - default is High
  Type: Integer (required)
  Description: Finding severity level (all Lambda Protection findings have High default severity)
  Example: 8
  Possible values:
    • 8 — High severity (7.0-8.9) - default for all Lambda Protection findings
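As an added example (not code from this generator or from GuardDuty), the following Python helper consumes a finding in the layout above, checks that the fields the table marks as required are present for the given actionType, and produces a compact triage record for an analyst queue. The sample finding is constructed, and the field paths are assumed to sit under an EventBridge-style "detail" envelope exactly as the table lists them.

```python
import json

# Constructed sample (not real GuardDuty output), laid out per the field table on this page.
SAMPLE_FINDING = json.dumps({"detail": {"type": "Backdoor:Lambda/C&CActivity.B", "severity": 8,
    "resource": {"resourceType": "Lambda", "lambdaDetails": {
        "functionArn": "arn:aws:lambda:us-east-1:123456789012:function:api-handler",
        "functionName": "api-handler", "runtime": "python3.11", "handler": "index.handler",
        "role": "arn:aws:iam::123456789012:role/lambda-execution-role"}},
    "service": {"action": {"actionType": "NETWORK_CONNECTION", "networkConnectionAction": {
        "connectionDirection": "OUTBOUND", "protocol": "TCP",
        "remoteIpDetails": {"ipAddressV4": "203.0.113.42"}, "remotePortDetails": {"port": 4444}}},
        "additionalInfo": {"threatListName": "ProofPoint", "threatName": "C&C Server"}}}})

LAMBDA_TYPES = {"Backdoor:Lambda/C&CActivity.B", "CryptoCurrency:Lambda/BitcoinTool.B",
    "Trojan:Lambda/BlackholeTraffic", "Trojan:Lambda/DropPoint", "UnauthorizedAccess:Lambda/TorClient",
    "UnauthorizedAccess:Lambda/MaliciousIPCaller.Custom", "UnauthorizedAccess:Lambda/TorRelay"}
LD, NET = "detail.resource.lambdaDetails.", "detail.service.action.networkConnectionAction."
# Required paths per the table; the action-specific sub-fields depend on actionType.
REQUIRED = ["detail.type", "detail.severity", "detail.resource.resourceType", LD + "functionArn",
            LD + "functionName", LD + "runtime", LD + "handler", LD + "role", "detail.service.action.actionType"]
NET_REQUIRED = [NET + "connectionDirection", NET + "remoteIpDetails.ipAddressV4",
                NET + "remotePortDetails.port", NET + "protocol"]
DNS_DOMAIN = "detail.service.action.dnsRequestAction.domain"

def get_path(obj, path):
    """Walk a dotted path through nested dicts; return None if any segment is missing."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

def triage(raw_event):
    """Validate a finding against the table and summarise it for an analyst queue."""
    ev = json.loads(raw_event)
    ftype = get_path(ev, "detail.type") or ""
    action = get_path(ev, "detail.service.action.actionType")
    required = REQUIRED + (NET_REQUIRED if action == "NETWORK_CONNECTION" else [DNS_DOMAIN])
    if action == "NETWORK_CONNECTION":   # indicator looks like 203.0.113.42:4444/TCP
        indicator = "%s:%s/%s" % tuple(get_path(ev, NET + p) for p in
                                       ("remoteIpDetails.ipAddressV4", "remotePortDetails.port", "protocol"))
    else:                                # DNS_REQUEST findings carry the queried domain instead
        indicator = get_path(ev, DNS_DOMAIN)
    sev = get_path(ev, "detail.severity") or 0
    return {"known_type": ftype in LAMBDA_TYPES,
            "category": ftype.split(":", 1)[0],   # Backdoor, CryptoCurrency, Trojan or UnauthorizedAccess
            "function": get_path(ev, LD + "functionName"),
            "indicator": indicator,
            "threat_list": get_path(ev, "detail.service.additionalInfo.threatListName"),
            "severity": "High" if 7.0 <= sev <= 8.9 else "Other",
            "missing_fields": [p for p in required if get_path(ev, p) is None]}
```

A non-empty missing_fields list is the signal to reject or quarantine a record before it reaches downstream correlation rules, since the network or DNS sub-fields are what those rules pivot on.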
