Amazon GuardDuty Enhanced Findings


Amazon’s native security tool, GuardDuty, allows you to monitor and detect threats in your AWS network in near real time. Our goal is to make these findings more actionable and arm your security operations team with the information they need to effectively remediate and identify the threat.

Global View

Amazon GuardDuty is a regional service. When multiple accounts are enabled and multiple regions are used, the Amazon GuardDuty security findings remain in the same regions where the underlying data was generated. In our integration, you can view all your findings across different regions in a single interface.

Enhanced Findings with Seclytics Global Threat Intelligence

The following example report covers a host (q514429667[.]xicp[.]net) used for Command & Control. By combining the finding with our global threat intelligence, we give more context around it, which helps the admin identify what is happening. For this host there are a couple of file hashes associated with the IOC, so an admin can look for those files during remediation.

Amazon GuardDuty enhanced report of Command and Control host

IOC Focused

Most security professionals prefer to focus on the IOC (Indicator of Compromise), which in the case of GuardDuty would be the malicious host or IP. In the Seclytics interface, reports are aggregated by IOC and the IOC is visible from the overview table.

GuardDuty findings without Seclytics (screenshot)
GuardDuty findings enhanced with Seclytics (screenshot)
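
The IOC-centred, cross-region view described above, sketched as an added example (not Seclytics' or AWS's code): findings collected from several regions are grouped by the remote host or IP they point at. The sample findings, hosts and instance IDs are constructed, and only the GuardDuty finding fields the code reads are included.

```python
from collections import defaultdict

def _finding(fid, region, severity, instance, action):
    """Build a constructed finding in the GuardDuty finding layout."""
    return {"Id": fid, "Region": region, "Severity": severity,
            "Resource": {"InstanceDetails": {"InstanceId": instance}},
            "Service": {"Action": action}}

# Constructed sample data: the same C&C domain seen from two regions,
# one remote IP, and one finding that carries no remote host at all.
SAMPLE_FINDINGS = [
    _finding("f-001", "us-east-1", 8, "i-0aaa", {
        "ActionType": "DNS_REQUEST",
        "DnsRequestAction": {"Domain": "c2.example.net"}}),
    _finding("f-002", "eu-west-1", 5, "i-0bbb", {
        "ActionType": "DNS_REQUEST",
        "DnsRequestAction": {"Domain": "C2.Example.NET."}}),
    _finding("f-003", "ap-southeast-2", 5, "i-0ccc", {
        "ActionType": "NETWORK_CONNECTION",
        "NetworkConnectionAction": {
            "RemoteIpDetails": {"IpAddressV4": "198.51.100.7"}}}),
    _finding("f-004", "us-east-1", 2, "i-0aaa", {}),
]

def extract_ioc(finding):
    """Return the remote domain or IP a finding points at, or None."""
    action = finding.get("Service", {}).get("Action", {})
    kind = action.get("ActionType")
    if kind == "DNS_REQUEST":
        domain = action.get("DnsRequestAction", {}).get("Domain")
        # Normalise case and the trailing root dot so variants merge.
        return domain.rstrip(".").lower() if domain else None
    if kind == "NETWORK_CONNECTION":
        details = action.get("NetworkConnectionAction", {})
        return details.get("RemoteIpDetails", {}).get("IpAddressV4")
    return None  # other action types are not handled in this sketch

def aggregate_by_ioc(findings):
    """Group findings from any number of regions into one report per IOC."""
    reports = defaultdict(lambda: {"regions": set(), "instances": set(),
                                   "finding_ids": [], "max_severity": 0})
    for f in findings:
        ioc = extract_ioc(f)
        if ioc is None:
            continue
        r = reports[ioc]
        r["regions"].add(f["Region"])
        r["instances"].add(f["Resource"]["InstanceDetails"]["InstanceId"])
        r["finding_ids"].append(f["Id"])
        r["max_severity"] = max(r["max_severity"], f["Severity"])
    return dict(reports)
```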

We plan to continue improving our interface and building on the great work the Amazon team has done in building GuardDuty.

To start enhancing your GuardDuty findings today, just sign up via our dashboard.