
AWS GuardDuty Findings

AWS GuardDuty threat detection findings across EC2, IAM, and S3 resources. Covers 8 categories — Recon, UnauthorizedAccess, Policy, Trojan, Impact, CryptoCurrency, Stealth, and Backdoor — with 27 finding types, 10 threat actor IPs, and geo/ASN enrichment.

Quick Start

uv tool install eventum-generator
git clone https://github.com/eventum-generator/content-packs.git
cd content-packs
eventum generate \
  --path generators/cloud-aws-guardduty/generator.yml \
  --id guardduty \
  --live-mode true

Event Types

Event ID                                          | Description                                        | Frequency | Category
--------------------------------------------------|----------------------------------------------------|-----------|--------------------
Recon:EC2/PortProbeUnprotectedPort                | Unprotected port being probed by malicious host    | ~15%      | recon
Recon:IAMUser/TorIPCaller                         | API invoked from Tor exit node or malicious IP     | ~10%      | recon
UnauthorizedAccess:EC2/MaliciousIPCaller.Custom   | EC2 instance communicating with disallowed IP      | ~12%      | unauthorized-access
UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B  | Unusual console login from new principal           | ~8%       | unauthorized-access
Policy:S3/BucketBlockPublicAccessDisabled         | S3 bucket public access block disabled             | ~10%      | policy
Trojan:EC2/DGADomainRequest.B                     | EC2 querying algorithmically generated domains     | ~5%       | trojan
CryptoCurrency:EC2/BitcoinTool.B!DNS              | EC2 querying Bitcoin mining pool domains           | ~4%       | cryptocurrency
Backdoor:EC2/DenialOfService.Tcp                  | EC2 may be participating in TCP DDoS attack        | ~2.5%     | backdoor

Realism Features

  • Jinja2 macros eliminate boilerplate across 16 templates
  • 8 finding categories — Recon (25%), UnauthorizedAccess (20%), Policy (15%), Trojan (10%), Impact (10%), CryptoCurrency (8%), Stealth (7%), Backdoor (5%)
  • 3 resource types — Instance (EC2), AccessKey (IAM), S3Bucket with complete metadata
  • 4 action types — NETWORK_CONNECTION, PORT_PROBE, AWS_API_CALL, DNS_REQUEST
  • Multi-account environment — 3 AWS accounts (production, staging, development)
  • 15 EC2 instances with private/public IPs, VPC/subnet/security group details
  • 10 threat actor IPs from 8 countries with ASN/ISP/geo data, including Tor exit nodes
  • 14 malicious DNS domains — DGA-generated, crypto mining pools, C&C servers
  • Temporal realism — first_seen/last_seen windows spanning 1-72 hours
  • ECS rule fields — rule.category, rule.name, rule.ruleset for SIEM correlation

Sample Output

{
    "@timestamp": "2026-03-04T18:45:12.000Z",
    "aws": {
        "guardduty": {
            "account_id": "123456789012",
            "description": "EC2 instance i-0a1b2c3d4e5f67890 has an unprotected port which is being probed by a known malicious host.",
            "resource": {
                "instance_details": {
                    "instance_id": "i-0a1b2c3d4e5f67890",
                    "instance_type": "t3.medium",
                    "iam_instance_profile": {
                        "arn": "arn:aws:iam::123456789012:instance-profile/web-server-prod",
                        "id": "AIPA1A2B3C4D5E6F7G8H9"
                    },
                    "platform": null
                },
                "type": "Instance"
            },
            "service": {
                "action": {
                    "port_probe_action": {
                        "blocked": false,
                        "port_probe_details": [{
                            "local_port_details": {"port": 22, "port_name": "SSH"},
                            "remote_ip_details": {
                                "ip_address_v4": "198.51.100.200",
                                "organization": {"asn": "12389", "asnorg": "Rostelecom", "isp": "Rostelecom", "org": "Rostelecom"}
                            }
                        }]
                    },
                    "type": "PORT_PROBE"
                }
            },
            "confidence": 4.2,
            "severity": {"code": 2, "value": "Low"},
            "type": "Recon:EC2/PortProbeUnprotectedPort"
        }
    },
    "cloud": {
        "account": {"id": "123456789012"},
        "provider": "aws",
        "region": "us-east-1",
        "service": {"name": "guardduty"}
    },
    "event": {
        "action": "PORT_PROBE",
        "dataset": "aws.guardduty",
        "kind": "event",
        "module": "aws",
        "severity": 2,
        "type": ["info"]
    },
    "rule": {
        "category": "Recon",
        "name": "Recon:EC2/PortProbeUnprotectedPort",
        "ruleset": "Recon:EC2"
    }
}
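The ECS rule.* fields listed under Realism Features are derived from the GuardDuty finding type (ThreatPurpose:ResourceType/ThreatFamily, with an optional .Variant and !Artifact suffix), and the Sample Output above shows how a PORT_PROBE finding carries the remote address and probed port. The following Python is an added example, not part of this content pack or of eventum: it parses the finding type into its components, checks that a record's rule.* fields agree with its aws.guardduty.type, and produces a triage summary from a trimmed copy of the sample record. The watchlist and the helper names (parse_finding_type, rule_fields_consistent, triage) are assumptions made for the example; only the PORT_PROBE action layout shown on the page is handled.

```python
import json
from typing import Any

# Constructed sample: a trimmed copy of the page's Sample Output record,
# keeping only the fields the functions below read.
SAMPLE_FINDING: dict[str, Any] = json.loads("""
{
  "aws": {"guardduty": {
    "account_id": "123456789012",
    "resource": {"type": "Instance",
                 "instance_details": {"instance_id": "i-0a1b2c3d4e5f67890"}},
    "service": {"action": {
      "type": "PORT_PROBE",
      "port_probe_action": {
        "blocked": false,
        "port_probe_details": [{
          "local_port_details": {"port": 22, "port_name": "SSH"},
          "remote_ip_details": {"ip_address_v4": "198.51.100.200",
                                "organization": {"asn": "12389", "asnorg": "Rostelecom"}}
        }]
      }
    }},
    "severity": {"code": 2, "value": "Low"},
    "type": "Recon:EC2/PortProbeUnprotectedPort"
  }},
  "rule": {"category": "Recon", "name": "Recon:EC2/PortProbeUnprotectedPort",
           "ruleset": "Recon:EC2"}
}
""")


def parse_finding_type(finding_type: str) -> dict[str, str]:
    """Split a GuardDuty finding type into its components.

    Layout: ThreatPurpose:ResourceType/ThreatFamily[.Variant][!Artifact]
    e.g. 'CryptoCurrency:EC2/BitcoinTool.B!DNS' ->
         CryptoCurrency / EC2 / BitcoinTool / B / DNS
    """
    purpose, rest = finding_type.split(":", 1)
    resource, rest = rest.split("/", 1)
    artifact = ""
    if "!" in rest:
        rest, artifact = rest.split("!", 1)
    variant = ""
    if "." in rest:
        rest, variant = rest.split(".", 1)
    return {
        "category": purpose,
        "resource": resource,
        "family": rest,
        "variant": variant,
        "artifact": artifact,
        "ruleset": f"{purpose}:{resource}",
    }


def ecs_rule_fields(finding_type: str) -> dict[str, str]:
    """Derive the ECS rule.* fields the way the sample record populates them."""
    parts = parse_finding_type(finding_type)
    return {"category": parts["category"], "name": finding_type,
            "ruleset": parts["ruleset"]}


def rule_fields_consistent(record: dict[str, Any]) -> bool:
    """True when record['rule'] matches what its GuardDuty type implies."""
    return ecs_rule_fields(record["aws"]["guardduty"]["type"]) == record["rule"]


def triage(record: dict[str, Any], watchlist: set[str]) -> dict[str, Any]:
    """Summarise one finding: who probed which port, whether it was blocked,
    and whether the remote address is on a local watchlist (assumed input)."""
    gd = record["aws"]["guardduty"]
    action = gd["service"]["action"]
    remote_ips: list[str] = []
    probed_ports: list[int] = []
    blocked = None
    if action["type"] == "PORT_PROBE":  # the only action layout shown on the page
        probe = action["port_probe_action"]
        blocked = probe.get("blocked")
        for detail in probe.get("port_probe_details", []):
            remote_ips.append(detail["remote_ip_details"]["ip_address_v4"])
            probed_ports.append(detail["local_port_details"]["port"])
    parts = parse_finding_type(gd["type"])
    return {
        "account_id": gd["account_id"],
        "resource_type": gd["resource"]["type"],
        "category": parts["category"],
        "ruleset": parts["ruleset"],
        "severity": gd["severity"]["value"],
        "blocked": blocked,
        "remote_ips": remote_ips,
        "probed_ports": probed_ports,
        "on_watchlist": any(ip in watchlist for ip in remote_ips),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_FINDING, {"198.51.100.200"}), indent=2))
```

The consistency check is useful when validating generated events before loading them into a SIEM: a record whose rule.category or rule.ruleset disagrees with aws.guardduty.type will silently fall outside correlation rules keyed on those fields.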

Parameters

Parameter      | Default      | Description
---------------|--------------|-----------------------
agent_id       | b2c3d4e5-... | Filebeat agent UUID
agent_version  | 8.17.0       | Elastic Agent version

Related Generators