Home
Mapping Frameworks
AWS Home
Amazon GuardDuty

AWS amazon_guardduty Mappings

Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts, workloads, and data stored in Amazon S3. The service uses machine learning, anomaly detection, and integrated threat intelligence to identify and prioritize potential threats. GuardDuty analyzes tens of billions of events across multiple AWS data sources, such as AWS CloudTrail event logs, Amazon VPC Flow Logs, and DNS logs.

Mappings

Capability ID	Capability Description	Category	Value	ATT&CK ID	ATT&CK Name
amazon_guardduty	Amazon GuardDuty	detect	partial	T1595	Active Scanning
amazon_guardduty	Amazon GuardDuty	detect	partial	T1595.001	Scanning IP Blocks
amazon_guardduty	Amazon GuardDuty	detect	partial	T1595.002	Vulnerability Scanning
amazon_guardduty	Amazon GuardDuty	detect	partial	T1189	Drive-by Compromise
amazon_guardduty	Amazon GuardDuty	detect	minimal	T1190	Exploit Public-Facing Application
amazon_guardduty	Amazon GuardDuty	detect	partial	T1566	Phishing
amazon_guardduty	Amazon GuardDuty	detect	partial	T1566.001	Spearphishing Attachment
amazon_guardduty	Amazon GuardDuty	detect	partial	T1566.002	Spearphishing Link
amazon_guardduty	Amazon GuardDuty	detect	partial	T1566.003	Spearphishing via Service
amazon_guardduty	Amazon GuardDuty	detect	partial	T1078	Valid Accounts
amazon_guardduty	Amazon GuardDuty	detect	partial	T1078.001	Default Accounts
amazon_guardduty	Amazon GuardDuty	detect	partial	T1078.004	Cloud Accounts
amazon_guardduty	Amazon GuardDuty	detect	partial	T1098	Account Manipulation
amazon_guardduty	Amazon GuardDuty	detect	partial	T1098.001	Additional Cloud Credentials
amazon_guardduty	Amazon GuardDuty	detect	partial	T1098.004	SSH Authorized Keys
amazon_guardduty	Amazon GuardDuty	detect	partial	T1562	Impair Defenses
amazon_guardduty	Amazon GuardDuty	detect	partial	T1562.008	Disable Cloud Logs
amazon_guardduty	Amazon GuardDuty	detect	partial	T1562.006	Indicator Blocking
amazon_guardduty	Amazon GuardDuty	detect	partial	T1562.001	Disable or Modify Tools
amazon_guardduty	Amazon GuardDuty	detect	minimal	T1110	Brute Force
amazon_guardduty	Amazon GuardDuty	detect	minimal	T1110.001	Password Guessing
amazon_guardduty	Amazon GuardDuty	detect	minimal	T1110.003	Password Spraying
amazon_guardduty	Amazon GuardDuty	detect	minimal	T1110.004	Credential Stuffing
amazon_guardduty	Amazon GuardDuty	detect	minimal	T1552	Unsecured Credentials
amazon_guardduty	Amazon GuardDuty	detect	partial	T1552.001	Credentials In Files
amazon_guardduty	Amazon GuardDuty	detect	minimal	T1552.005	Cloud Instance Metadata API
amazon_guardduty	Amazon GuardDuty	detect	partial	T1580	Cloud Infrastructure Discovery
amazon_guardduty	Amazon GuardDuty	detect	partial	T1526	Cloud Service Discovery
amazon_guardduty	Amazon GuardDuty	detect	partial	T1046	Network Service Scanning
amazon_guardduty	Amazon GuardDuty	detect	partial	T1530	Data from Cloud Storage Object
amazon_guardduty	Amazon GuardDuty	detect	partial	T1071	Application Layer Protocol
amazon_guardduty	Amazon GuardDuty	detect	partial	T1071.001	Web Protocols
amazon_guardduty	Amazon GuardDuty	detect	partial	T1071.002	File Transfer Protocols
amazon_guardduty	Amazon GuardDuty	detect	partial	T1071.003	Mail Protocols
amazon_guardduty	Amazon GuardDuty	detect	partial	T1071.004	DNS
amazon_guardduty	Amazon GuardDuty	detect	partial	T1568	Dynamic Resolution
amazon_guardduty	Amazon GuardDuty	detect	partial	T1568.002	Domain Generation Algorithms
amazon_guardduty	Amazon GuardDuty	detect	partial	T1571	Non-Standard Port
amazon_guardduty	Amazon GuardDuty	detect	minimal	T1090	Proxy
amazon_guardduty	Amazon GuardDuty	detect	minimal	T1090.001	Internal Proxy
amazon_guardduty	Amazon GuardDuty	detect	minimal	T1090.002	External Proxy
amazon_guardduty	Amazon GuardDuty	detect	minimal	T1090.003	Multi-hop Proxy
amazon_guardduty	Amazon GuardDuty	detect	partial	T1020	Automated Exfiltration
amazon_guardduty	Amazon GuardDuty	detect	minimal	T1029	Scheduled Transfer
amazon_guardduty	Amazon GuardDuty	detect	minimal	T1041	Exfiltration Over C2 Channel
amazon_guardduty	Amazon GuardDuty	detect	partial	T1048	Exfiltration Over Alternative Protocol
amazon_guardduty	Amazon GuardDuty	detect	partial	T1048.003	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
amazon_guardduty	Amazon GuardDuty	detect	partial	T1567	Exfiltration Over Web Service
amazon_guardduty	Amazon GuardDuty	detect	partial	T1567.001	Exfiltration to Code Repository
amazon_guardduty	Amazon GuardDuty	detect	partial	T1567.002	Exfiltration to Cloud Storage
amazon_guardduty	Amazon GuardDuty	detect	partial	T1531	Account Access Removal
amazon_guardduty	Amazon GuardDuty	detect	partial	T1485	Data Destruction
amazon_guardduty	Amazon GuardDuty	detect	partial	T1486	Data Encrypted for Impact
amazon_guardduty	Amazon GuardDuty	detect	partial	T1565	Data Manipulation
amazon_guardduty	Amazon GuardDuty	detect	partial	T1565.001	Stored Data Manipulation
amazon_guardduty	Amazon GuardDuty	detect	partial	T1498	Network Denial of Service
amazon_guardduty	Amazon GuardDuty	detect	partial	T1498.001	Direct Network Flood
amazon_guardduty	Amazon GuardDuty	detect	partial	T1498.002	Reflection Amplification
amazon_guardduty	Amazon GuardDuty	detect	partial	T1496	Resource Hijacking
amazon_guardduty	Amazon GuardDuty	detect	partial	T1491	Defacement
amazon_guardduty	Amazon GuardDuty	detect	partial	T1491.002	External Defacement
amazon_guardduty	Amazon GuardDuty	detect	partial	T1491.001	Internal Defacement