GuardDuty is a security monitoring service that analyses and processes VPC Flow Logs, CloudTrail events and DNS logs. It uses threat intelligence feeds and machine learning to identify unexpected and potentially unauthorised or malicious activity within your environment, such as privilege escalation or communication with malicious IPs, URLs or domains. It can detect compromised EC2 instances serving malware or mining bitcoin, and it monitors access behaviour for signs of compromise such as unauthorised infrastructure deployments or unusual API calls.

This article shows you how to enable GuardDuty and then run a DNS query for a known bad domain to trigger a finding.

Pricing

A free 30-day trial can be used to get an understanding of the service. After that, pricing varies depending on the region you are in and the volume of data analysed from CloudTrail events and VPC Flow/DNS logs. For estimated daily costs, see the last section of this article.

For full pricing details see https://aws.amazon.com/guardduty/pricing/

Enable Amazon GuardDuty

Within the AWS Console, search for GuardDuty, then select Get started.

Review the service role permissions to see what permissions will be granted, then select Enable GuardDuty.

Once enabled you will be taken to the Findings screen. This should be empty; it is where issues and abnormalities will appear as they occur. If findings are already listed here, it is recommended that you review and action each one individually.

Sample Findings

A nice feature within the Settings screen is the option to generate sample findings, which populates the Findings screen and gives you an insight into the types of alerts you are likely to see.

Select Findings in the left-hand menu to show the generated sample findings.

To clear this list, select all findings whose title is prefixed with [SAMPLE], then select Action > Archive.

On the Lists page, trusted IP lists and threat lists can be added, for example if certain IPs are being classified incorrectly.

Trigger a finding from your estate

On a Linux EC2 instance, run the following dig command against a known fake domain that is used to generate a known finding within GuardDuty:

dig GuardDutyC2ActivityB.com any

For additional tests see https://github.com/awslabs/amazon-guardduty-tesT

This DNS query should produce the following finding within GuardDuty:

Expanding this out will reveal further details of the finding, i.e.
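The same finding can be pulled out of the GuardDuty API rather than read from the console. The following is an added example, not code from the article: it lists every unarchived finding and reduces the DNS-based ones to the fields a triager acts on. The `client` argument is assumed to be any object exposing the boto3 GuardDuty methods list_detectors, list_findings and get_findings (boto3.client("guardduty") in practice); the finding document at the bottom is constructed to resemble the one the dig command above raises, with an illustrative instance id.

```python
"""Added example (not the article's code): triage GuardDuty DNS findings.
`client` is anything with the boto3 GuardDuty methods list_detectors, list_findings
and get_findings, i.e. boto3.client("guardduty") in practice."""

def severity_label(score):  # bands as the GuardDuty console presents them
    return "High" if score >= 7.0 else "Medium" if score >= 4.0 else "Low"

def fetch_unarchived_findings(client):
    """Return full finding documents for every unarchived finding, all detectors."""
    findings = []
    for detector_id in client.list_detectors()["DetectorIds"]:
        kwargs = {"DetectorId": detector_id,
                  "FindingCriteria": {"Criterion": {"service.archived": {"Eq": ["false"]}}}}
        ids = []
        while True:                       # list_findings pages via NextToken
            page = client.list_findings(**kwargs)
            ids += page["FindingIds"]
            if not page.get("NextToken"):
                break
            kwargs["NextToken"] = page["NextToken"]
        for i in range(0, len(ids), 50):  # get_findings accepts at most 50 ids per call
            findings += client.get_findings(DetectorId=detector_id,
                                            FindingIds=ids[i:i + 50])["Findings"]
    return findings

def summarise_dns_findings(findings):
    """Keep DNS_REQUEST findings and reduce each to what a triager acts on."""
    rows = []
    for f in findings:
        action = f["Service"]["Action"]
        if action.get("ActionType") != "DNS_REQUEST":
            continue
        rows.append({
            "type": f["Type"],
            "severity": severity_label(f["Severity"]),
            "domain": action["DnsRequestAction"]["Domain"],
            "instance": f["Resource"]["InstanceDetails"]["InstanceId"],
        })
    return rows

# Constructed finding shaped like the one the test domain raises; the instance id is illustrative.
CONSTRUCTED_FINDING = {
    "Type": "Backdoor:EC2/C&CActivity.B!DNS", "Severity": 8.0,
    "Resource": {"InstanceDetails": {"InstanceId": "i-0123456789abcdef0"}},
    "Service": {"Action": {"ActionType": "DNS_REQUEST",
                           "DnsRequestAction": {"Domain": "GuardDutyC2ActivityB.com"}}},
}
```

Running summarise_dns_findings over the output of fetch_unarchived_findings gives one row per DNS finding; a row whose domain is GuardDutyC2ActivityB.com is the expected result of the test query, anything else deserves a proper investigation.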

Estimated Daily Cost after free trial

Once GuardDuty has been running for a week or so, you can see the estimated daily cost after the free trial ends by selecting the Free trial option in the left-hand menu.