How Aws GuardDuty Works?
GuardDuty is a monitoring service that analyzes different Logs and Events in your Aws Account, and generates security findings(Threats) of your account .
It can monitor Below Services:
- AWS CloudTrail management events
- AWS CloudTrail data events
- VPC flow logs,
- DNS logs,
- EKS audit logs .etc.
Any user with administrator privileges in an AWS Account can enable GuardDuty. Once GuardDuty is enabled, it starts monitoring your environment immediately. GuardDuty can be disabled at any time to stop it from processing all logs and Events.
GuardDuty is a Regional service, meaning any of the configuration procedures you make in one region , needs to be done in each region that you want to monitor with GuardDuty.
When GuardDuty discovers a security issue it generates a finding. A GuardDuty finding is a data set containing details relating to that unique security issue. The finding’s details can be used to help you investigate the issue.
export your findings to an S3 bucket for indefinite storage beyond the GuardDuty 90-day storage limit. This allows you to keep records of findings or track issues within your environment over time.
GuardDuty integrates with Amazon EventBridge which can be used to send findings data to other applications and services for processing. With EventBridge you can use GuardDuty findings to trigger automatic responses to your findings by connecting finding events to targets such as AWS Lambda functions, Amazon EC2 Systems Manager automation, Amazon Simple Notification Service (SNS)
Whenever you receive a new finding, you can find information, including remediation recommendations about that finding, by selecting Learn more from the finding description in the finding details pane, or by searching for the finding name on the Finding types page.
You can see Finding Types like Below Screenshot:
