AWS Security ChangesHomeSearch

AWS guardduty documentation change

Service: guardduty · 2026-03-13 · Documentation low

File: guardduty/latest/ug/guardduty_findings-summary.md

Summary

Updated descriptions for several GuardDuty indicator types, including ATTACK_TACTIC, CRYPTOMINING_DOMAIN, CRYPTOMINING_IP, CRYPTOMINING_PROCESS, MALICIOUS_DOMAIN, MALICIOUS_PROCESS, and SUSPICIOUS_PROCESS. Added a new MALICIOUS_FILE indicator. Removed repetitive text about Autonomous System Number (ASN) anomalies from multiple entries.

Security assessment

This change improves documentation for security-related findings in AWS GuardDuty, a security monitoring service. It clarifies threat detection indicators and adds documentation for a new MALICIOUS_FILE indicator. While this enhances security documentation, there's no evidence it addresses a specific security vulnerability or incident; it appears to be routine documentation improvement and clarification.

Diff

diff --git a/guardduty/latest/ug/guardduty_findings-summary.md b/guardduty/latest/ug/guardduty_findings-summary.md
index 628be5a41..42641cb50 100644
--- a//guardduty/latest/ug/guardduty_findings-summary.md
+++ b//guardduty/latest/ug/guardduty_findings-summary.md
@@ -436 +436 @@ Indicator name | Description
-`ATTACK_TACTIC` |  The MITRE tactics, such as **Discovery** and **Impact**.  
+`ATTACK_TACTIC` |  The MITRE tactics used by the threat actor in an attack sequence. Examples include **Discovery** and **Impact**.  
@@ -438,3 +438,3 @@ Indicator name | Description
-`CRYPTOMINING_DOMAIN` |  Indicates a domain name associated with cryptocurrency mining pools or infrastructure. For example, DNS queries or connections to these domains from container or Kubernetes environments may indicate unauthorized cryptomining activity. Indicates that the Autonomous System Number (ASN) was identified as anomalous, based on the user's historical baseline. For more information, see Anomalous behavior.  
-`CRYPTOMINING_IP` |  Indicates an IP address associated with cryptocurrency mining pools or infrastructure. For example, connections to these addresses from container or Kubernetes environments may indicate unauthorized cryptomining activity. Indicates that the Autonomous System Number (ASN) was identified as anomalous, based on the user's historical baseline. For more information, see Anomalous behavior.  
-`CRYPTOMINING_PROCESS` |  Indicates a process identified as cryptocurrency mining software running within container or Kubernetes environments. For example, these processes may consume excessive CPU resources. Indicates that the Autonomous System Number (ASN) was identified as anomalous, based on the user's historical baseline. For more information, see Anomalous behavior.  
+`CRYPTOMINING_DOMAIN` |  Indicates a domain name associated with cryptocurrency mining pools or infrastructure. For example, DNS queries or connections to these domains from container or Kubernetes environments may indicate unauthorized cryptomining activity.  
+`CRYPTOMINING_IP` |  Indicates an IP address associated with cryptocurrency mining pools or infrastructure. For example, connections to these addresses from container or Kubernetes environments may indicate unauthorized cryptomining activity.  
+`CRYPTOMINING_PROCESS` |  Indicates a process identified as cryptocurrency mining software running within container or Kubernetes environments. For example, these processes may consume excessive CPU resources.  
@@ -442 +442,2 @@ Indicator name | Description
-`MALICIOUS_DOMAIN` |  Indicates a domain name with suspected threat intelligence indicating malicious intent. For example, this includes command and control (C&C) servers, malware distribution sites, or phishing domains contacted from container or Kubernetes environments. Indicates that the Autonomous System Number (ASN) was identified as anomalous, based on the user's historical baseline. For more information, see Anomalous behavior.  
+`MALICIOUS_DOMAIN` |  Indicates a domain name with suspected threat intelligence indicating malicious intent. For example, this includes command and control (C&C) servers, malware distribution sites, or phishing domains contacted from container or Kubernetes environments.  
+`MALICIOUS_FILE` |  Indicates a file suspected to be malicious based on threat intelligence or behavioral analysis. For example, this includes known malware binaries, malicious scripts, or unauthorized executables.  
@@ -444 +445 @@ Indicator name | Description
-`MALICIOUS_PROCESS` |  Indicates a process suspected to be malicious based on threat intelligence or behavioral analysis. For example, this includes known malware, backdoors, or unauthorized tools executing within container or Kubernetes environments with malicious intent. Indicates that the Autonomous System Number (ASN) was identified as anomalous, based on the user's historical baseline. For more information, see Anomalous behavior.  
+`MALICIOUS_PROCESS` |  Indicates a process suspected to be malicious based on threat intelligence or behavioral analysis. For example, this includes known malware, backdoors, or unauthorized tools executing within an instance or container environment.  
@@ -446 +447 @@ Indicator name | Description
-`SUSPICIOUS_PROCESS` |  Indicates that the Autonomous System Number (ASN) was identified as anomalous, based on the user's historical baseline. For more information, see Anomalous behavior.  
+`SUSPICIOUS_PROCESS` |  Indicates a suspicious process identified as anomalous based on based on threat intelligence or behavioral analysis. For example, this includes unusual process execution patterns, unexpected parent-child relationships, or processes with suspicious characteristics within an instance, or container environment.