AWS GuardDuty Findings

Cloud & SaaS, Cloud Infrastructure, AWS, GuardDuty, Cloud Control Plane, SIEM / Log Aggregator

Location

Amazon GuardDuty detector findings and delegated administrator exports

Description

Managed threat-detection findings generated from AWS foundational data sources such as CloudTrail management events, VPC Flow Logs, Route 53 Resolver query logs, EKS audit telemetry, and related protection plans.

Forensic Value

GuardDuty findings accelerate scoping by surfacing suspicious identities, anomalous API behavior, credential misuse, crypto-mining, exfiltration patterns, and EKS threats that might otherwise require manual multi-source correlation. Findings also preserve service-side context like detector IDs, resource types, severity, and evidence linkage for triage and reporting.

Tools Required

AWS Console, AWS CLI, SIEM

Collection Commands

AWS CLI

aws guardduty list-detectors --output json > guardduty_detectors.json

AWS CLI

aws guardduty list-findings --detector-id <detector-id> --output json > guardduty_finding_ids.json

AWS CLI

aws guardduty get-findings --detector-id <detector-id> --finding-ids <finding-id-1> <finding-id-2> > guardduty_findings.json

Collection Constraints

  • GuardDuty findings are summarized detections, not raw telemetry, and must be validated with the underlying logs.
  • Coverage depends on which GuardDuty protections and foundational data sources were enabled before the incident.
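An added example (not part of this page or of AWS tooling) that triages the get-findings JSON collected above into the pivot fields an analyst needs to validate each finding against CloudTrail and flow logs, and batches finding IDs for get-findings. The sample finding, its key names (assumed to follow the GuardDuty API model), and the 50-IDs-per-call limit are assumptions for illustration.

```python
import json
from typing import Iterator

# Constructed sample shaped like `aws guardduty get-findings` output. Key names are
# assumed to follow the GuardDuty API model; IDs, key, IP and timestamps are placeholders.
SAMPLE_JSON = json.dumps({"Findings": [{
    "Id": "EXAMPLE-FINDING-ID-0001",
    "Type": "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS",
    "Severity": 8.0, "AccountId": "111111111111", "Region": "us-east-1",
    "Resource": {"ResourceType": "AccessKey", "AccessKeyDetails": {
        "AccessKeyId": "ASIAEXAMPLEKEY000001", "PrincipalId": "AROAEXAMPLE:i-0abc",
        "UserName": "web-role", "UserType": "AssumedRole"}},
    "Service": {"DetectorId": "EXAMPLE-DETECTOR-ID", "Count": 3,
        "EventFirstSeen": "2024-05-01T10:00:00Z", "EventLastSeen": "2024-05-01T10:20:00Z",
        "Action": {"ActionType": "AWS_API_CALL", "AwsApiCallAction": {
            "Api": "GetSecretValue", "ServiceName": "secretsmanager.amazonaws.com",
            "RemoteIpDetails": {"IpAddressV4": "203.0.113.10"}}}}}]})

# GuardDuty severity bands: Low 1-3.9, Medium 4-6.9, High 7-8.9, Critical 9-10.
SEVERITY_BANDS = ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.0, "Low"))
TRIAGE_ORDER = {label: i for i, (_, label) in enumerate(SEVERITY_BANDS)}

def severity_label(score: float) -> str:
    """Map GuardDuty's numeric severity to its band name."""
    return next(label for floor, label in SEVERITY_BANDS if score >= floor)

def finding_pivots(raw_json: str) -> list[dict]:
    """One row per finding with the fields to validate in CloudTrail and flow logs,
    highest severity first. The summarized finding is never the evidence itself."""
    rows = []
    for f in json.loads(raw_json).get("Findings", []):
        svc = f.get("Service", {})
        api = svc.get("Action", {}).get("AwsApiCallAction", {})
        key = f.get("Resource", {}).get("AccessKeyDetails", {})
        rows.append({
            "id": f["Id"], "type": f["Type"], "detector": svc.get("DetectorId"),
            "severity": severity_label(float(f.get("Severity", 0))),
            "window": (svc.get("EventFirstSeen"), svc.get("EventLastSeen")),
            "principal": key.get("PrincipalId"), "access_key": key.get("AccessKeyId"),
            "api": api.get("Api"),
            "remote_ip": api.get("RemoteIpDetails", {}).get("IpAddressV4"),
        })
    return sorted(rows, key=lambda r: TRIAGE_ORDER[r["severity"]])

def get_findings_batches(finding_ids: list[str], size: int = 50) -> Iterator[list[str]]:
    """get-findings accepts at most 50 IDs per call; yield one argument list per call."""
    for i in range(0, len(finding_ids), size):
        yield finding_ids[i:i + size]
```

Feed the IDs from guardduty_finding_ids.json through get_findings_batches to build the get-findings calls, then run finding_pivots over the merged guardduty_findings.json before querying the underlying logs for each principal, access key, remote IP and time window.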

MITRE ATT&CK Techniques

T1078.004, T1041, T1496, T1525