GuardDuty Threat SQS Collector

Purpose

An analyst wants to detect malicious behavior in AWS. Using the GuardDuty SQS collector to send findings to Devo, the analyst obtains pre-analyzed threats. As a result, the analyst can use GuardDuty's threat intelligence to initiate investigations of CloudTrail logs in Devo.

GuardDuty and CloudTrail should be used together to get the highest quality information from AWS.

Example tables

Table                          Description
cloud.aws.guardduty.findings   Threats identified by GuardDuty.

Authorize It

  1. Authorize SQS Data Access.

  2. Enable GuardDuty following the AWS documentation. When you reach the step "Replace Amazon S3 bucket ARN with the Amazon Resource Name (ARN) of the Amazon S3 bucket.", use the S3 bucket you already authorized in Step 1.

Run It

In the Cloud Collector App, create an SQS Collector instance using the following parameter template, replacing the values enclosed in < >.

{
  "inputs": {
    "sqs_collector": {
      "id": "<FIVE_UNIQUE_DIGITS>",
      "services": {
        "aws_sqs_guard_duty": {}
      },
      "credentials": {
        "aws_cross_account_role": "arn:<PARTITION>:iam::<YOUR_AWS_ACCOUNT_NUMBER>:role/<YOUR_ROLE>",
        "aws_external_id": "<EXTERNAL_ID>"
      },
      "region": "<REGION>",
      "base_url": "https://sqs.<REGION>.amazonaws.com/<YOUR_AWS_ACCOUNT_NUMBER>/<QUEUE_NAME>"
    }
  }
}

Secure It

Privilege escalation

/* GuardDuty has identified a threat where a malicious entity created a role. */
from cloud.aws.guardduty.findings
where eq(type,"PrivilegeEscalation:Kubernetes/AnomalousBehavior.RoleCreated")

Unauthorized access

/* GuardDuty has identified unauthorized access to AWS services.
   Possible services include EC2 (compute), IAM (access management), and S3 (storage). */
from cloud.aws.guardduty.findings
where startswith(type,"UnauthorizedAccess:")

A typical result might be a credential exfiltration or an SSH brute force attack.

Reconnaissance

A typical result would be a port scan. If an entity conducts a port scan and also accesses resources, this may be an indication of malicious access.

Malicious IP address

For example, if an IP has been identified as accessing credentials, it may be important to know that it also exfiltrated data from S3 and escalated privileges in Kubernetes to determine which resources have been penetrated.

Credential with indicator of compromise

For example, if an access key is being used through Tor, you may wish to rotate the credential.
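The correlation that the Reconnaissance, Malicious IP address and Credential sections describe, carried out offline over constructed findings as an added example (not Devo's or AWS's code): findings are grouped by remote IP, the finding categories (the prefix of type before the colon) and access keys seen per IP are recorded, and IPs that appear in more than one category are flagged. Field paths follow the GuardDuty finding format as assumed here; the sample types, IPs and access key are constructed.

```python
from collections import defaultdict

# Constructed, simplified sample findings (not real data). Field paths follow the
# GuardDuty finding format as assumed here; the access key is the AWS docs example value.
SAMPLE_FINDINGS = [
    {"type": "Recon:EC2/PortProbeUnprotectedPort",
     "service": {"action": {"portProbeAction": {"portProbeDetails": [
         {"remoteIpDetails": {"ipAddressV4": "198.51.100.7"}}]}}}},
    {"type": "UnauthorizedAccess:EC2/SSHBruteForce",
     "service": {"action": {"networkConnectionAction": {
         "remoteIpDetails": {"ipAddressV4": "198.51.100.7"}}}}},
    {"type": "UnauthorizedAccess:IAMUser/TorIPCaller",
     "resource": {"accessKeyDetails": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
     "service": {"action": {"awsApiCallAction": {
         "remoteIpDetails": {"ipAddressV4": "203.0.113.9"}}}}},
    {"type": "Exfiltration:S3/MaliciousIPCaller",
     "service": {"action": {"awsApiCallAction": {
         "remoteIpDetails": {"ipAddressV4": "203.0.113.9"}}}}},
    {"type": "Recon:EC2/PortProbeUnprotectedPort",  # probe with no follow-up activity
     "service": {"action": {"portProbeAction": {"portProbeDetails": [
         {"remoteIpDetails": {"ipAddressV4": "192.0.2.44"}}]}}}},
]

def remote_ip(finding):
    """Remote IP of a finding, whichever action sub-object carries it (None if absent)."""
    for sub in finding.get("service", {}).get("action", {}).values():
        if isinstance(sub, dict):
            for detail in sub.get("portProbeDetails", [sub]):  # port probes carry a list
                ip = detail.get("remoteIpDetails", {}).get("ipAddressV4")
                if ip:
                    return ip
    return None

def correlate(findings):
    """Group findings by remote IP: finding categories (type prefix) and access keys seen."""
    by_ip = defaultdict(lambda: {"categories": set(), "access_keys": set()})
    for f in findings:
        ip = remote_ip(f)
        if ip is None:
            continue
        entry = by_ip[ip]
        entry["categories"].add(f["type"].split(":", 1)[0])
        key = f.get("resource", {}).get("accessKeyDetails", {}).get("accessKeyId")
        if key:
            entry["access_keys"].add(key)  # candidates for rotation
    return dict(by_ip)

def multi_stage_actors(findings):
    """IPs seen in more than one category, e.g. a port scan followed by access."""
    return sorted(ip for ip, e in correlate(findings).items() if len(e["categories"]) > 1)
```

The flagged IPs are the ones worth pivoting on in CloudTrail; the access keys recorded against them are the ones the Credential section suggests rotating.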

Monitor It

AWS Essential Alerts includes an alert that detects deletion of a GuardDuty detector. GuardDuty configuration changes can be monitored with the CloudTrail Devo service.

Create an inactivity alert to detect interruptions of transfer of data from the source to the SQS queue using the query

Set the inactivity alert to keep track of the collector_id. It is not unusual to have inactivity because GuardDuty frequently has no findings.