Closed bgeesaman closed 6 years ago
After seeing this: https://www.slideshare.net/AmazonWebServices/guardduty-handson-lab I see now that these findings may be part of the behavioral detection, which takes 7-14 days to create a baseline. It seems odd, though, that the threat list hits aren't signature based.
Whoa, ok. So, I just got this after roughly 90 mins:
Severity | Finding Type | Instance | Last | Count |
---|---|---|---|---|
High | Trojan:EC2/DNSDataExfiltration | Instance: I-0e074acf904a90a45 | 2 hours ago | 3 |
And a few mins later:
Severity | Finding Type | Instance | Last | Count |
---|---|---|---|---|
Medium | CryptoCurrency:EC2/BitcoinTool.B!DNS | Instance: i-0e074acf904a90a45 | 2 hours ago | 2 |
So, after a good amount of delay in my case, all of them eventually appeared. Thanks again for this lab!
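The two tables above are findings summarised by severity band, finding type, instance, age and count. The following is an added example (not part of the original issue, the lab, or AWS's own tooling) that builds the same summary from GuardDuty finding JSON and also splits each finding type into its documented `ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.DetectionMechanism!Artifact` parts, so that DNS-log based findings such as the two reported here can be picked out. The finding records are constructed by hand: the field names follow the GuardDuty finding layout (`type`, numeric `severity`, `resource.instanceDetails.instanceId`, `service.count`, `updatedAt`), the values and the `EXAMPLE_NOW` timestamp are invented, and the severity bands (0.1-3.9 Low, 4.0-6.9 Medium, 7.0 and above High) are GuardDuty's documented ones at the time of this thread.

```python
"""Triage GuardDuty findings into a Severity / Finding Type / Instance / Last / Count table.

Added example, not from the original issue or the lab it refers to. The sample
findings are constructed; only the field layout mirrors GuardDuty's finding JSON.
"""
import json
import re
from datetime import datetime, timezone

# Constructed sample findings (not real GuardDuty output). Instance IDs and
# timestamps are invented for this example.
SAMPLE_FINDINGS_JSON = json.dumps([
    {"id": "example-finding-1", "type": "Trojan:EC2/DNSDataExfiltration", "severity": 8,
     "resource": {"instanceDetails": {"instanceId": "i-0e074acf904a90a45"}},
     "service": {"count": 3}, "updatedAt": "2018-02-01T10:00:00.000Z"},
    {"id": "example-finding-2", "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS", "severity": 5,
     "resource": {"instanceDetails": {"instanceId": "i-0e074acf904a90a45"}},
     "service": {"count": 2}, "updatedAt": "2018-02-01T10:05:00.000Z"},
    {"id": "example-finding-3", "type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 2,
     "resource": {"instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
     "service": {"count": 11}, "updatedAt": "2018-02-01T09:30:00.000Z"},
])

# Invented "current time" so that the relative ages are reproducible.
EXAMPLE_NOW = datetime(2018, 2, 1, 12, 0, tzinfo=timezone.utc)

# GuardDuty finding-type format:
#   ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.DetectionMechanism!Artifact
# The mechanism and artifact parts are optional.
TYPE_PATTERN = re.compile(
    r"^(?P<purpose>[^:]+):(?P<resource>[^/]+)/(?P<family>[^.!]+)"
    r"(?:\.(?P<mechanism>[^!]+))?(?:!(?P<artifact>.+))?$"
)


def parse_finding_type(finding_type):
    """Split a finding type into its named parts; missing parts are None."""
    match = TYPE_PATTERN.match(finding_type)
    if not match:
        raise ValueError(f"unrecognised finding type: {finding_type!r}")
    return match.groupdict()


def severity_label(score):
    """Map GuardDuty's numeric severity to the band shown in the console."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score >= 0.1:
        return "Low"
    return "Unknown"


def relative_age(updated_at, now):
    """Render an ISO-8601 'updatedAt' timestamp as 'N minutes/hours ago'."""
    ts = datetime.strptime(updated_at, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    minutes = int((now - ts).total_seconds() // 60)
    if minutes < 60:
        return f"{minutes} minutes ago"
    hours = minutes // 60
    return f"{hours} hour{'s' if hours != 1 else ''} ago"


def triage(findings_json, now):
    """Return one summary row per finding, highest severity first."""
    rows = []
    for finding in json.loads(findings_json):
        parts = parse_finding_type(finding["type"])
        rows.append({
            "severity": severity_label(finding["severity"]),
            "score": finding["severity"],
            "type": finding["type"],
            "instance": finding["resource"]["instanceDetails"]["instanceId"],
            "last": relative_age(finding["updatedAt"], now),
            "count": finding["service"]["count"],
            # Findings produced from DNS logs carry the "!DNS" artifact or a
            # DNS-named threat family; these depend on the VPC using AWS DNS.
            "dns_based": parts["artifact"] == "DNS" or "DNS" in parts["family"],
        })
    rows.sort(key=lambda r: (-r["score"], r["type"]))
    return rows


def render_table(rows):
    """Render rows as the pipe-delimited table used in the thread."""
    lines = ["Severity | Finding Type | Instance | Last | Count", "---|---|---|---|---"]
    for r in rows:
        lines.append(f"{r['severity']} | {r['type']} | Instance: {r['instance']} | "
                     f"{r['last']} | {r['count']}")
    return "\n".join(lines)


if __name__ == "__main__":
    summary = triage(SAMPLE_FINDINGS_JSON, EXAMPLE_NOW)
    print(render_table(summary))
    print("DNS-log based:", [r["type"] for r in summary if r["dns_based"]])
```

The `dns_based` flag is the practical point: both findings reported in this thread come from DNS query logs, which GuardDuty only sees for instances that resolve through the VPC's AWS-provided DNS, so an instance pointed at another resolver would never trigger them no matter how long the baseline period runs.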
I was expecting to see these by now:
I've run Tests 4 through 6 several times, but nothing has shown up.
Also, I uploaded an `ip.txt` to a bucket with the contents of:

and I am attempting to reach them via ICMP and several ports to trigger the threat list finding.
Am I missing something?