AWS guardduty medium security documentation change
Summary
Reorganized security indicators and added new cryptomining-related detection types (CRYPTOMINING_*) along with enhanced container/Kubernetes threat indicators
Security assessment
The addition of cryptomining-specific detection types and enhanced container environment monitoring addresses emerging threat vectors. These changes demonstrate proactive security measures against unauthorized cryptocurrency mining and container-based attacks.
Diff
diff --git a/guardduty/latest/ug/guardduty_findings-summary.md b/guardduty/latest/ug/guardduty_findings-summary.md index 327cb4858..8ebc38dbb 100644 --- a//guardduty/latest/ug/guardduty_findings-summary.md +++ b//guardduty/latest/ug/guardduty_findings-summary.md @@ -436,5 +435,0 @@ Indicator name | Description -`SUSPICIOUS_USER_AGENT` | The user agent is associated with potentially known suspicious or exploited applications, such as Amazon S3 clients and attack tools. -`SUSPICIOUS_NETWORK` | The network is associated with known low reputation scores, such as risky virtual private network (VPN) providers and proxy services. -`MALICIOUS_IP` | The IP address has confirmed threat intelligence indicating malicious intent. -`TOR_IP` | The IP address is associated with a Tor exit node. -`HIGH_RISK_API` | The AWS API that includes the AWS service name and `eventName` indicates an action commonly used by threat actors, or is a sensitive action that may cause potential impact to an AWS account, such as credential access or resource modification. @@ -442,0 +438,11 @@ Indicator name | Description +`CRYPTOMINING_DOMAIN` | Indicates a domain name associated with cryptocurrency mining pools or infrastructure. For example, DNS queries or connections to these domains from container or Kubernetes environments may indicate unauthorized cryptomining activity. Indicates that the Autonomous System Number (ASN) was identified as anomalous, based on the user's historical baseline. For more information, see Anomalous behavior. +`CRYPTOMINING_IP` | Indicates an IP address associated with cryptocurrency mining pools or infrastructure. For example, connections to these addresses from container or Kubernetes environments may indicate unauthorized cryptomining activity. Indicates that the Autonomous System Number (ASN) was identified as anomalous, based on the user's historical baseline. For more information, see Anomalous behavior. +`CRYPTOMINING_PROCESS` | Indicates a process identified as cryptocurrency mining software running within container or Kubernetes environments. For example, these processes may consume excessive CPU resources. Indicates that the Autonomous System Number (ASN) was identified as anomalous, based on the user's historical baseline. For more information, see Anomalous behavior. +`HIGH_RISK_API` | The AWS API that includes the AWS service name and `eventName` indicates an action commonly used by threat actors, or is a sensitive action that may cause potential impact to an AWS account, such as credential access or resource modification. +`MALICIOUS_DOMAIN` | Indicates a domain name with suspected threat intelligence indicating malicious intent. For example, this includes command and control (C&C) servers, malware distribution sites, or phishing domains contacted from container or Kubernetes environments. Indicates that the Autonomous System Number (ASN) was identified as anomalous, based on the user's historical baseline. For more information, see Anomalous behavior. +`MALICIOUS_IP` | The IP address has confirmed threat intelligence indicating malicious intent. +`MALICIOUS_PROCESS` | Indicates a process suspected to be malicious based on threat intelligence or behavioral analysis. For example, this includes known malware, backdoors, or unauthorized tools executing within container or Kubernetes environments with malicious intent. Indicates that the Autonomous System Number (ASN) was identified as anomalous, based on the user's historical baseline. For more information, see Anomalous behavior. +`SUSPICIOUS_NETWORK` | The network is associated with known low reputation scores, such as risky virtual private network (VPN) providers and proxy services. +`SUSPICIOUS_PROCESS` | Indicates that the Autonomous System Number (ASN) was identified as anomalous, based on the user's historical baseline. For more information, see Anomalous behavior. +`SUSPICIOUS_USER_AGENT` | The user agent is associated with potentially known suspicious or exploited applications, such as Amazon S3 clients and attack tools. +`TOR_IP` | The IP address is associated with a Tor exit node.