AWS amazon_guardduty Mappings

Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts, workloads, and data stored in Amazon S3. The service uses machine learning, anomaly detection, and integrated threat intelligence to identify and prioritize potential threats. GuardDuty analyzes tens of billions of events across multiple AWS data sources, such as AWS CloudTrail event logs, Amazon VPC Flow Logs, and DNS logs.

Mappings

Capability ID Capability Description Category Value ATT&CK ID ATT&CK Name
amazon_guardduty Amazon GuardDuty detect partial T1020 Automated Exfiltration
amazon_guardduty Amazon GuardDuty detect partial T1021.008 Direct Cloud VM Connections
amazon_guardduty Amazon GuardDuty detect minimal T1029 Scheduled Transfer
amazon_guardduty Amazon GuardDuty detect minimal T1041 Exfiltration Over C2 Channel
amazon_guardduty Amazon GuardDuty detect partial T1046 Network Service Scanning
amazon_guardduty Amazon GuardDuty detect partial T1048 Exfiltration Over Alternative Protocol
amazon_guardduty Amazon GuardDuty detect partial T1048.003 Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
amazon_guardduty Amazon GuardDuty detect partial T1059.009 Cloud API
amazon_guardduty Amazon GuardDuty detect partial T1071 Application Layer Protocol
amazon_guardduty Amazon GuardDuty detect partial T1071.001 Web Protocols
amazon_guardduty Amazon GuardDuty detect partial T1071.002 File Transfer Protocols
amazon_guardduty Amazon GuardDuty detect partial T1071.003 Mail Protocols
amazon_guardduty Amazon GuardDuty detect partial T1071.004 DNS
amazon_guardduty Amazon GuardDuty detect partial T1078 Valid Accounts
amazon_guardduty Amazon GuardDuty detect partial T1078.001 Default Accounts
amazon_guardduty Amazon GuardDuty detect partial T1078.004 Cloud Accounts
amazon_guardduty Amazon GuardDuty detect minimal T1090 Proxy
amazon_guardduty Amazon GuardDuty detect minimal T1090.001 Internal Proxy
amazon_guardduty Amazon GuardDuty detect minimal T1090.002 External Proxy
amazon_guardduty Amazon GuardDuty detect minimal T1090.003 Multi-hop Proxy
amazon_guardduty Amazon GuardDuty detect partial T1098 Account Manipulation
amazon_guardduty Amazon GuardDuty detect partial T1098.001 Additional Cloud Credentials
amazon_guardduty Amazon GuardDuty detect partial T1098.004 SSH Authorized Keys
amazon_guardduty Amazon GuardDuty detect minimal T1110 Brute Force
amazon_guardduty Amazon GuardDuty detect minimal T1110.001 Password Guessing
amazon_guardduty Amazon GuardDuty detect minimal T1110.003 Password Spraying
amazon_guardduty Amazon GuardDuty detect minimal T1110.004 Credential Stuffing
amazon_guardduty Amazon GuardDuty detect partial T1189 Drive-by Compromise
amazon_guardduty Amazon GuardDuty detect minimal T1190 Exploit Public-Facing Application
amazon_guardduty Amazon GuardDuty detect partial T1485 Data Destruction
amazon_guardduty Amazon GuardDuty detect partial T1486 Data Encrypted for Impact
amazon_guardduty Amazon GuardDuty detect partial T1491 Defacement
amazon_guardduty Amazon GuardDuty detect partial T1491.001 Internal Defacement
amazon_guardduty Amazon GuardDuty detect partial T1491.002 External Defacement
amazon_guardduty Amazon GuardDuty detect partial T1496 Resource Hijacking
amazon_guardduty Amazon GuardDuty detect partial T1498 Network Denial of Service
amazon_guardduty Amazon GuardDuty detect partial T1498.001 Direct Network Flood
amazon_guardduty Amazon GuardDuty detect partial T1498.002 Reflection Amplification
amazon_guardduty Amazon GuardDuty detect partial T1526 Cloud Service Discovery
amazon_guardduty Amazon GuardDuty detect partial T1530 Data from Cloud Storage Object
amazon_guardduty Amazon GuardDuty detect partial T1531 Account Access Removal
amazon_guardduty Amazon GuardDuty detect minimal T1552 Unsecured Credentials
amazon_guardduty Amazon GuardDuty detect partial T1552.001 Credentials In Files
amazon_guardduty Amazon GuardDuty detect minimal T1552.005 Cloud Instance Metadata API
amazon_guardduty Amazon GuardDuty detect partial T1562 Impair Defenses
amazon_guardduty Amazon GuardDuty detect partial T1562.001 Disable or Modify Tools
amazon_guardduty Amazon GuardDuty detect partial T1562.006 Indicator Blocking
amazon_guardduty Amazon GuardDuty detect partial T1562.008 Disable Cloud Logs
amazon_guardduty Amazon GuardDuty detect partial T1565 Data Manipulation
amazon_guardduty Amazon GuardDuty detect partial T1565.001 Stored Data Manipulation
amazon_guardduty Amazon GuardDuty detect partial T1566 Phishing
amazon_guardduty Amazon GuardDuty detect partial T1566.001 Spearphishing Attachment
amazon_guardduty Amazon GuardDuty detect partial T1566.002 Spearphishing Link
amazon_guardduty Amazon GuardDuty detect partial T1566.003 Spearphishing via Service
amazon_guardduty Amazon GuardDuty detect partial T1567 Exfiltration Over Web Service
amazon_guardduty Amazon GuardDuty detect partial T1567.001 Exfiltration to Code Repository
amazon_guardduty Amazon GuardDuty detect partial T1567.002 Exfiltration to Cloud Storage
amazon_guardduty Amazon GuardDuty detect partial T1567.003 Exfiltration to Text Storage Sites
amazon_guardduty Amazon GuardDuty detect partial T1567.004 Exfiltration Over Webhook
amazon_guardduty Amazon GuardDuty detect partial T1568 Dynamic Resolution
amazon_guardduty Amazon GuardDuty detect partial T1568.002 Domain Generation Algorithms
amazon_guardduty Amazon GuardDuty detect partial T1571 Non-Standard Port
amazon_guardduty Amazon GuardDuty detect partial T1580 Cloud Infrastructure Discovery
amazon_guardduty Amazon GuardDuty detect partial T1595 Active Scanning
amazon_guardduty Amazon GuardDuty detect partial T1595.001 Scanning IP Blocks
amazon_guardduty Amazon GuardDuty detect partial T1595.002 Vulnerability Scanning
amazon_guardduty Amazon GuardDuty detect partial T1619 Cloud Storage Object Discovery
amazon_guardduty Amazon GuardDuty detect partial T1622 Debugger Evasion
amazon_guardduty Amazon GuardDuty detect partial T1649 Steal or Forge Authentication Certificates