GuardDuty¶
Enabling the GuardDuty data source lets RISKEN collect the findings that GuardDuty has generated for your AWS account(s).
What is GuardDuty?
- Amazon GuardDuty is the managed threat detection service provided by AWS. It analyzes sources such as CloudTrail, VPC Flow Logs and DNS logs and reports suspicious activity as findings.
- Refer to the official documentation for the services and log sources GuardDuty supports.
 
Format¶
When importing data to RISKEN, the following metadata is added:
| Field | Description |
|---|---|
| DataSource | `aws:guard-duty` (fixed) |
| ResourceName | GuardDuty Finding ARN |
| Description | The finding's description |
| Score | See Scoring below |
| Tag | `aws guard-duty {type} {account ID}` |
Scoring¶
GuardDuty assigns each finding a Severity between 1.0 and 10.0. RISKEN scores range from 0.0 to 1.0, so the Severity is normalized into that range on import. Findings that are no longer active are not re-scored from their Severity; they receive a fixed low score of 0.1.

```mermaid
graph TD
    A[Start] --> B{{Active status?}};
    B -->|NO| C[Score: 0.1]:::low;
    B -->|YES| D[Score: Severity normalized to 0.0 - 1.0]:::unknown;
    classDef unknown fill:#FFFFFF,stroke:#BDBDBD,stroke-width:4px;
    classDef low fill:#FFFFFF,stroke:#4DB6AC,stroke-width:4px;
```
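The following Go program is an added worked example of the scoring decision and the metadata mapping described on this page. It is not RISKEN's own code. It assumes that "normalized" means dividing the Severity by 10 (clamped so an out-of-range value can never leave 0.0 to 1.0), that the Tag column denotes four separate tags (`aws`, `guard-duty`, the finding type and the account ID), and the sample findings, ARNs and account ID are constructed placeholders, not real data.

```go
package main

import (
	"fmt"
	"math"
)

// Finding holds only the GuardDuty fields the mapping uses.
// The values used below are constructed for this example.
type Finding struct {
	ARN         string
	Type        string
	AccountID   string
	Description string
	Severity    float64 // GuardDuty severity, 1.0 to 10.0 as stated on this page
	Active      bool    // false for findings GuardDuty no longer reports as active
}

// RiskenFinding mirrors the metadata listed in the Format table above.
type RiskenFinding struct {
	DataSource   string
	ResourceName string
	Description  string
	Score        float32
	Tags         []string
}

const (
	dataSource    = "aws:guard-duty"
	inactiveScore = 0.1 // fixed score for findings that are not active
)

// scoreFinding applies the decision in the flow chart: inactive findings get
// the fixed low score, active findings get their Severity normalized to 0.0-1.0.
// Assumption: normalization is a linear division by 10. The result is clamped
// so that a malformed Severity cannot produce a score outside RISKEN's range.
func scoreFinding(severity float64, active bool) float32 {
	if !active {
		return inactiveScore
	}
	score := math.Max(0.0, math.Min(1.0, severity/10.0))
	return float32(score)
}

// toRisken converts a GuardDuty finding into the RISKEN metadata shape.
// Assumption: the Tag column "aws guard-duty {type} {account ID}" is four tags.
func toRisken(f Finding) RiskenFinding {
	return RiskenFinding{
		DataSource:   dataSource,
		ResourceName: f.ARN,
		Description:  f.Description,
		Score:        scoreFinding(f.Severity, f.Active),
		Tags:         []string{"aws", "guard-duty", f.Type, f.AccountID},
	}
}

func main() {
	// Constructed sample findings; ARNs, IDs and account number are placeholders.
	samples := []Finding{
		{
			ARN:         "arn:aws:guardduty:us-east-1:123456789012:detector/12abc34d567e8fa901bc2d34e56789f0/finding/1ab2c3d4e5f67890",
			Type:        "Recon:EC2/PortProbeUnprotectedPort",
			AccountID:   "123456789012",
			Description: "constructed: EC2 instance has an unprotected port that is being probed",
			Severity:    5.0,
			Active:      true,
		},
		{
			ARN:         "arn:aws:guardduty:us-east-1:123456789012:detector/12abc34d567e8fa901bc2d34e56789f0/finding/0f9e8d7c6b5a4321",
			Type:        "UnauthorizedAccess:IAMUser/MaliciousIPCaller",
			AccountID:   "123456789012",
			Description: "constructed: API call from a known malicious IP",
			Severity:    8.0,
			Active:      false, // archived: scored 0.1 regardless of Severity
		},
	}
	for _, s := range samples {
		r := toRisken(s)
		fmt.Printf("%-45s score=%.2f tags=%v\n", s.Type, r.Score, r.Tags)
	}
}
```

Note that the inactive branch deliberately ignores Severity: a High-severity finding that GuardDuty has archived still lands at 0.1, so if your triage process keys on the original Severity, read it from the finding itself rather than from the RISKEN score.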