{"schemaVersion":"2.0","accountId":"905783683962","region":"us-east-2","partition":"aws","id":"3ebd9fa0a40242eccbab3d923966b7d8","arn":"arn:aws:guardduty:us-east-2:905783683962:detector/e6b69355a1114885723f6b2a95241195/finding/3ebd9fa0a40242eccbab3d923966b7d8","type":"CryptoCurrency:EC2/BitcoinTool.B","resource":{"resourceType":"Instance","instanceDetails":{"instanceId":"i-99999999","instanceType":"m3.xlarge","outpostArn":"arn:aws:outposts:us-west-2:123456789000:outpost/op-0fbc006e9abbc73c3","launchTime":"2016-08-02T02:05:06Z","platform":null,"productCodes":[{"productCodeId":"GeneratedFindingProductCodeId","productCodeType":"GeneratedFindingProductCodeType"}],"iamInstanceProfile":{"arn":"arn:aws:iam::905783683962:example/instance/profile","id":"GeneratedFindingInstanceProfileId"},"networkInterfaces":[{"ipv6Addresses":[],"networkInterfaceId":"eni-bfcffe88","privateDnsName":"GeneratedFindingPrivateDnsName","privateIpAddress":"10.0.0.1","privateIpAddresses":[{"privateDnsName":"GeneratedFindingPrivateName","privateIpAddress":"10.0.0.1"}],"subnetId":"GeneratedFindingSubnetId","vpcId":"GeneratedFindingVPCId","securityGroups":[{"groupName":"GeneratedFindingSecurityGroupName","groupId":"GeneratedFindingSecurityId"}],"publicDnsName":"GeneratedFindingPublicDNSName","publicIp":"198.51.100.0"}],"tags":[{"key":"GeneratedFindingInstaceTag1","value":"GeneratedFindingInstaceValue1"},{"key":"GeneratedFindingInstaceTag2","value":"GeneratedFindingInstaceTagValue2"},{"key":"GeneratedFindingInstaceTag3","value":"GeneratedFindingInstaceTagValue3"},{"key":"GeneratedFindingInstaceTag4","value":"GeneratedFindingInstaceTagValue4"},{"key":"GeneratedFindingInstaceTag5","value":"GeneratedFindingInstaceTagValue5"},{"key":"GeneratedFindingInstaceTag6","value":"GeneratedFindingInstaceTagValue6"},{"key":"GeneratedFindingInstaceTag7","value":"GeneratedFindingInstaceTagValue7"},{"key":"GeneratedFindingInstaceTag8","value":"GeneratedFindingInstaceTagValue8"},{"key":"GeneratedFindingInstaceTag9","value":"GeneratedFindingInstaceTagValue9"}],"instanceState":"running","availabilityZone":"GeneratedFindingInstaceAvailabilityZone","imageId":"ami-99999999","imageDescription":"GeneratedFindingInstaceImageDescription"}},"service":{"serviceName":"guardduty","detectorId":"e6b69355a1114885723f6b2a95241195","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"connectionDirection":"OUTBOUND","localIpDetails":{"ipAddressV4":"10.0.0.23"},"remoteIpDetails":{"ipAddressV4":"198.51.100.0","organization":{"asn":"-1","asnOrg":"GeneratedFindingASNOrg","isp":"GeneratedFindingISP","org":"GeneratedFindingORG"},"country":{"countryName":"United States"},"city":{"cityName":"GeneratedFindingCityName"},"geoLocation":{"lat":0,"lon":0}},"remotePortDetails":{"port":8333,"portName":"Unknown"},"localPortDetails":{"port":2000,"portName":"Unknown"},"protocol":"TCP","blocked":false}},"resourceRole":"TARGET","additionalInfo":{"threatListName":"GeneratedFindingThreatListName","sample":true},"evidence":{"threatIntelligenceDetails":[{"threatListName":"GeneratedFindingThreatListName","threatNames":["GeneratedFindingThreatName"]}]},"eventFirstSeen":"2021-08-13T11:24:08Z","eventLastSeen":"2021-08-31T05:38:23Z","archived":false,"count":2},"severity":8,"createdAt":"2021-08-13T11:24:08.068Z","updatedAt":"2021-08-31T05:38:23.959Z","title":"EC2 instance i-99999999 communicating with a known Bitcoin-related IP Address.","description":"EC2 instance i-99999999 is communicating outbound with a known Bitcoin-related IP address 198.51.100.0."}
{"schemaVersion":"2.0","accountId":"905783683962","region":"us-east-2","partition":"aws","id":"30bd9fa0a40358feff516c7ef408a2bb","arn":"arn:aws:guardduty:us-east-2:905783683962:detector/e6b69355a1114885723f6b2a95241195/finding/30bd9fa0a40358feff516c7ef408a2bb","type":"Backdoor:EC2/DenialOfService.Udp","resource":{"resourceType":"Instance","instanceDetails":{"instanceId":"i-99999999","instanceType":"m3.xlarge","outpostArn":"arn:aws:outposts:us-west-2:123456789000:outpost/op-0fbc006e9abbc73c3","launchTime":"2016-08-02T02:05:06Z","platform":null,"productCodes":[{"productCodeId":"GeneratedFindingProductCodeId","productCodeType":"GeneratedFindingProductCodeType"}],"iamInstanceProfile":{"arn":"arn:aws:iam::905783683962:example/instance/profile","id":"GeneratedFindingInstanceProfileId"},"networkInterfaces":[{"ipv6Addresses":[],"networkInterfaceId":"eni-bfcffe88","privateDnsName":"GeneratedFindingPrivateDnsName","privateIpAddress":"10.0.0.1","privateIpAddresses":[{"privateDnsName":"GeneratedFindingPrivateName","privateIpAddress":"10.0.0.1"}],"subnetId":"GeneratedFindingSubnetId","vpcId":"GeneratedFindingVPCId","securityGroups":[{"groupName":"GeneratedFindingSecurityGroupName","groupId":"GeneratedFindingSecurityId"}],"publicDnsName":"GeneratedFindingPublicDNSName","publicIp":"198.51.100.0"}],"tags":[{"key":"GeneratedFindingInstaceTag1","value":"GeneratedFindingInstaceValue1"},{"key":"GeneratedFindingInstaceTag2","value":"GeneratedFindingInstaceTagValue2"},{"key":"GeneratedFindingInstaceTag3","value":"GeneratedFindingInstaceTagValue3"},{"key":"GeneratedFindingInstaceTag4","value":"GeneratedFindingInstaceTagValue4"},{"key":"GeneratedFindingInstaceTag5","value":"GeneratedFindingInstaceTagValue5"},{"key":"GeneratedFindingInstaceTag6","value":"GeneratedFindingInstaceTagValue6"},{"key":"GeneratedFindingInstaceTag7","value":"GeneratedFindingInstaceTagValue7"},{"key":"GeneratedFindingInstaceTag8","value":"GeneratedFindingInstaceTagValue8"},{"key":"GeneratedFindingInstaceTag9","value":"GeneratedFindingInstaceTagValue9"}],"instanceState":"running","availabilityZone":"GeneratedFindingInstaceAvailabilityZone","imageId":"ami-99999999","imageDescription":"GeneratedFindingInstaceImageDescription"}},"service":{"serviceName":"guardduty","detectorId":"e6b69355a1114885723f6b2a95241195","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"connectionDirection":"OUTBOUND","localIpDetails":{"ipAddressV4":"10.0.0.23"},"remoteIpDetails":{"ipAddressV4":"198.51.100.0","organization":{"asn":"-1","asnOrg":"GeneratedFindingASNOrg","isp":"GeneratedFindingISP","org":"GeneratedFindingORG"},"country":{"countryName":"GeneratedFindingCountryName"},"city":{"cityName":"GeneratedFindingCityName"},"geoLocation":{"lat":0,"lon":0}},"remotePortDetails":{"port":80,"portName":"HTTP"},"localPortDetails":{"port":24198,"portName":"Unknown"},"protocol":"UDP","blocked":false}},"resourceRole":"ACTOR","additionalInfo":{"sample":true},"eventFirstSeen":"2021-08-13T11:24:08Z","eventLastSeen":"2021-08-31T05:38:23Z","archived":false,"count":2},"severity":8,"createdAt":"2021-08-13T11:24:08.070Z","updatedAt":"2021-08-31T05:38:23.961Z","title":"EC2 instance i-99999999 is behaving in a manner that may indicate it is being used to perform a Denial of Service (DoS) attack using UDP protocol.","description":"EC2 instance i-99999999 is behaving in a manner that may indicate it is being used to perform a Denial of Service (DoS) attack using UDP protocol."}
{"schemaVersion":"2.0","accountId":"905783683962","region":"us-east-2","partition":"aws","id":"98bd9fa0a4035df962ec2a2e9dacbe24","arn":"arn:aws:guardduty:us-east-2:905783683962:detector/e6b69355a1114885723f6b2a95241195/finding/98bd9fa0a4035df962ec2a2e9dacbe24","type":"UnauthorizedAccess:EC2/RDPBruteForce","resource":{"resourceType":"Instance","instanceDetails":{"instanceId":"i-99999999","instanceType":"m3.xlarge","outpostArn":"arn:aws:outposts:us-west-2:123456789000:outpost/op-0fbc006e9abbc73c3","launchTime":"2016-08-02T02:05:06Z","platform":null,"productCodes":[{"productCodeId":"GeneratedFindingProductCodeId","productCodeType":"GeneratedFindingProductCodeType"}],"iamInstanceProfile":{"arn":"arn:aws:iam::905783683962:example/instance/profile","id":"GeneratedFindingInstanceProfileId"},"networkInterfaces":[{"ipv6Addresses":[],"networkInterfaceId":"eni-bfcffe88","privateDnsName":"GeneratedFindingPrivateDnsName","privateIpAddress":"10.0.0.1","privateIpAddresses":[{"privateDnsName":"GeneratedFindingPrivateName","privateIpAddress":"10.0.0.1"}],"subnetId":"GeneratedFindingSubnetId","vpcId":"GeneratedFindingVPCId","securityGroups":[{"groupName":"GeneratedFindingSecurityGroupName","groupId":"GeneratedFindingSecurityId"}],"publicDnsName":"GeneratedFindingPublicDNSName","publicIp":"198.51.100.0"}],"tags":[{"key":"GeneratedFindingInstaceTag1","value":"GeneratedFindingInstaceValue1"},{"key":"GeneratedFindingInstaceTag2","value":"GeneratedFindingInstaceTagValue2"},{"key":"GeneratedFindingInstaceTag3","value":"GeneratedFindingInstaceTagValue3"},{"key":"GeneratedFindingInstaceTag4","value":"GeneratedFindingInstaceTagValue4"},{"key":"GeneratedFindingInstaceTag5","value":"GeneratedFindingInstaceTagValue5"},{"key":"GeneratedFindingInstaceTag6","value":"GeneratedFindingInstaceTagValue6"},{"key":"GeneratedFindingInstaceTag7","value":"GeneratedFindingInstaceTagValue7"},{"key":"GeneratedFindingInstaceTag8","value":"GeneratedFindingInstaceTagValue8"},{"key":"GeneratedFindingInstaceTag9","value":"GeneratedFindingInstaceTagValue9"}],"instanceState":"running","availabilityZone":"GeneratedFindingInstaceAvailabilityZone","imageId":"ami-99999999","imageDescription":"GeneratedFindingInstaceImageDescription"}},"service":{"serviceName":"guardduty","detectorId":"e6b69355a1114885723f6b2a95241195","action":{"actionType":"NETWORK_CONNECTION","networkConnectionAction":{"connectionDirection":"INBOUND","localIpDetails":{"ipAddressV4":"10.0.0.23"},"remoteIpDetails":{"ipAddressV4":"198.51.100.0","organization":{"asn":"-1","asnOrg":"GeneratedFindingASNOrg","isp":"GeneratedFindingISP","org":"GeneratedFindingORG"},"country":{"countryName":"GeneratedFindingCountryName"},"city":{"cityName":"GeneratedFindingCityName"},"geoLocation":{"lat":0,"lon":0}},"remotePortDetails":{"port":1067,"portName":"Unknown"},"localPortDetails":{"port":3389,"portName":"RDP"},"protocol":"TCP","blocked":false}},"resourceRole":"TARGET","additionalInfo":{"sample":true},"eventFirstSeen":"2021-08-13T11:24:08Z","eventLastSeen":"2021-08-31T05:38:23Z","archived":false,"count":2},"severity":2,"createdAt":"2021-08-13T11:24:08.070Z","updatedAt":"2021-08-31T05:38:23.961Z","title":"198.51.100.0 is performing RDP brute force attacks against i-99999999.","description":"198.51.100.0 is performing RDP brute force attacks against i-99999999. Brute force attacks are used to gain unauthorized access to your instance by guessing the RDP password."}
{"schemaVersion":"2.0","accountId":"905783683962","region":"us-east-2","partition":"aws","id":"febd9fa0a402d34b6c38c56749f2958a","arn":"arn:aws:guardduty:us-east-2:905783683962:detector/e6b69355a1114885723f6b2a95241195/finding/febd9fa0a402d34b6c38c56749f2958a","type":"Recon:EC2/PortProbeEMRUnprotectedPort","resource":{"resourceType":"Instance","instanceDetails":{"instanceId":"i-99999999","instanceType":"m3.xlarge","outpostArn":"arn:aws:outposts:us-west-2:123456789000:outpost/op-0fbc006e9abbc73c3","launchTime":"2016-08-02T02:05:06Z","platform":null,"productCodes":[{"productCodeId":"GeneratedFindingProductCodeId","productCodeType":"GeneratedFindingProductCodeType"}],"iamInstanceProfile":{"arn":"arn:aws:iam::905783683962:example/instance/profile","id":"GeneratedFindingInstanceProfileId"},"networkInterfaces":[{"ipv6Addresses":[],"networkInterfaceId":"eni-bfcffe88","privateDnsName":"GeneratedFindingPrivateDnsName","privateIpAddress":"10.0.0.1","privateIpAddresses":[{"privateDnsName":"GeneratedFindingPrivateName","privateIpAddress":"10.0.0.1"}],"subnetId":"GeneratedFindingSubnetId","vpcId":"GeneratedFindingVPCId","securityGroups":[{"groupName":"GeneratedFindingSecurityGroupName","groupId":"GeneratedFindingSecurityId"}],"publicDnsName":"GeneratedFindingPublicDNSName","publicIp":"198.51.100.0"}],"tags":[{"key":"GeneratedFindingInstaceTag1","value":"GeneratedFindingInstaceValue1"},{"key":"GeneratedFindingInstaceTag2","value":"GeneratedFindingInstaceTagValue2"},{"key":"GeneratedFindingInstaceTag3","value":"GeneratedFindingInstaceTagValue3"},{"key":"GeneratedFindingInstaceTag4","value":"GeneratedFindingInstaceTagValue4"},{"key":"GeneratedFindingInstaceTag5","value":"GeneratedFindingInstaceTagValue5"},{"key":"GeneratedFindingInstaceTag6","value":"GeneratedFindingInstaceTagValue6"},{"key":"GeneratedFindingInstaceTag7","value":"GeneratedFindingInstaceTagValue7"},{"key":"GeneratedFindingInstaceTag8","value":"GeneratedFindingInstaceTagValue8"},{"key":"GeneratedFindingInstaceTag9","value":"GeneratedFindingInstaceTagValue9"}],"instanceState":"running","availabilityZone":"GeneratedFindingInstaceAvailabilityZone","imageId":"ami-99999999","imageDescription":"GeneratedFindingInstaceImageDescription"}},"service":{"serviceName":"guardduty","detectorId":"e6b69355a1114885723f6b2a95241195","action":{"actionType":"PORT_PROBE","portProbeAction":{"portProbeDetails":[{"localPortDetails":{"port":22,"portName":"SSH"},"localIpDetails":{"ipAddressV4":"10.0.0.23"},"remoteIpDetails":{"ipAddressV4":"198.51.100.0","organization":{"asn":"-1","asnOrg":"GeneratedFindingASNOrg","isp":"GeneratedFindingISP","org":"GeneratedFindingORG"},"country":{"countryName":"GeneratedFindingCountryName"},"city":{"cityName":"GeneratedFindingCityName"},"geoLocation":{"lat":0,"lon":0}}}],"blocked":false}},"resourceRole":"TARGET","additionalInfo":{"threatName":"GeneratedFindingThreatName","threatListName":"GeneratedFindingThreatListName","sample":true},"evidence":{"threatIntelligenceDetails":[{"threatListName":"GeneratedFindingThreatListName","threatNames":["GeneratedFindingThreatName"]}]},"eventFirstSeen":"2021-08-13T11:24:08Z","eventLastSeen":"2021-08-31T05:38:23Z","archived":false,"count":2},"severity":8,"createdAt":"2021-08-13T11:24:08.069Z","updatedAt":"2021-08-31T05:38:23.960Z","title":"Unprotected EMR-related port on EC2 instance i-99999999 is being probed.","description":"EC2 instance has an unprotected EMR-related port which is being probed by a known malicious host."}
{"schemaVersion":"2.0","accountId":"905783683962","region":"us-east-2","partition":"aws","id":"5cbd9fa0a40340e061eb7b03e4871fe5","arn":"arn:aws:guardduty:us-east-2:905783683962:detector/e6b69355a1114885723f6b2a95241195/finding/5cbd9fa0a40340e061eb7b03e4871fe5","type":"Recon:EC2/PortProbeUnprotectedPort","resource":{"resourceType":"Instance","instanceDetails":{"instanceId":"i-99999999","instanceType":"m3.xlarge","outpostArn":"arn:aws:outposts:us-west-2:123456789000:outpost/op-0fbc006e9abbc73c3","launchTime":"2016-08-02T02:05:06Z","platform":null,"productCodes":[{"productCodeId":"GeneratedFindingProductCodeId","productCodeType":"GeneratedFindingProductCodeType"}],"iamInstanceProfile":{"arn":"arn:aws:iam::905783683962:example/instance/profile","id":"GeneratedFindingInstanceProfileId"},"networkInterfaces":[{"ipv6Addresses":[],"networkInterfaceId":"eni-bfcffe88","privateDnsName":"GeneratedFindingPrivateDnsName","privateIpAddress":"10.0.0.1","privateIpAddresses":[{"privateDnsName":"GeneratedFindingPrivateName","privateIpAddress":"10.0.0.1"}],"subnetId":"GeneratedFindingSubnetId","vpcId":"GeneratedFindingVPCId","securityGroups":[{"groupName":"GeneratedFindingSecurityGroupName","groupId":"GeneratedFindingSecurityId"}],"publicDnsName":"GeneratedFindingPublicDNSName","publicIp":"198.51.100.0"}],"tags":[{"key":"GeneratedFindingInstaceTag1","value":"GeneratedFindingInstaceValue1"},{"key":"GeneratedFindingInstaceTag2","value":"GeneratedFindingInstaceTagValue2"},{"key":"GeneratedFindingInstaceTag3","value":"GeneratedFindingInstaceTagValue3"},{"key":"GeneratedFindingInstaceTag4","value":"GeneratedFindingInstaceTagValue4"},{"key":"GeneratedFindingInstaceTag5","value":"GeneratedFindingInstaceTagValue5"},{"key":"GeneratedFindingInstaceTag6","value":"GeneratedFindingInstaceTagValue6"},{"key":"GeneratedFindingInstaceTag7","value":"GeneratedFindingInstaceTagValue7"},{"key":"GeneratedFindingInstaceTag8","value":"GeneratedFindingInstaceTagValue8"},{"key":"GeneratedFindingInstaceTag9","value":"GeneratedFindingInstaceTagValue9"}],"instanceState":"running","availabilityZone":"GeneratedFindingInstaceAvailabilityZone","imageId":"ami-99999999","imageDescription":"GeneratedFindingInstaceImageDescription"}},"service":{"serviceName":"guardduty","detectorId":"e6b69355a1114885723f6b2a95241195","action":{"actionType":"PORT_PROBE","portProbeAction":{"portProbeDetails":[{"localPortDetails":{"port":80,"portName":"HTTP"},"localIpDetails":{"ipAddressV4":"10.0.0.23"},"remoteIpDetails":{"country":{"countryName":"GeneratedFindingCountryName1"},"city":{"cityName":"GeneratedFindingCityName1"},"geoLocation":{"lon":0,"lat":0},"organization":{"asnOrg":"GeneratedFindingASNOrg1","org":"GeneratedFindingORG1","isp":"GeneratedFindingISP1","asn":"9808"},"ipAddressV4":"198.51.100.0"}},{"localPortDetails":{"port":443,"portName":"HTTPS"},"localIpDetails":{"ipAddressV4":"10.0.0.23"},"remoteIpDetails":{"country":{"countryName":"GeneratedFindingCountryName2"},"city":{"cityName":"GeneratedFindingCityName2"},"geoLocation":{"lon":0,"lat":0},"organization":{"asnOrg":"GeneratedFindingASNOrg2","org":"GeneratedFindingORG2","isp":"GeneratedFindingISP2","asn":"29073"},"ipAddressV4":"198.51.100.1"}}],"blocked":false}},"resourceRole":"TARGET","additionalInfo":{"threatName":"GeneratedFindingThreatName","threatListName":"GeneratedFindingThreatListName","sample":true},"evidence":{"threatIntelligenceDetails":[{"threatListName":"GeneratedFindingThreatListName","threatNames":["GeneratedFindingThreatName"]}]},"eventFirstSeen":"2021-08-13T11:24:08Z","eventLastSeen":"2021-08-31T05:38:23Z","archived":false,"count":2},"severity":2,"createdAt":"2021-08-13T11:24:08.070Z","updatedAt":"2021-08-31T05:38:23.961Z","title":"Unprotected port on EC2 instance i-99999999 is being probed.","description":"EC2 instance has an unprotected port which is being probed by a known malicious host."}
{"schemaVersion":"2.0","accountId":"905783683962","region":"us-east-2","partition":"aws","id":"e0bd9fa0a3fdbee6a99a62f42ad38225","arn":"arn:aws:guardduty:us-east-2:905783683962:detector/e6b69355a1114885723f6b2a95241195/finding/e0bd9fa0a3fdbee6a99a62f42ad38225","type":"CredentialAccess:IAMUser/AnomalousBehavior","resource":{"resourceType":"AccessKey","accessKeyDetails":{"accessKeyId":"GeneratedFindingAccessKeyId","principalId":"GeneratedFindingPrincipalId","userType":"GeneratedFindingUserType","userName":"GeneratedFindingUserName"},"instanceDetails":{"instanceId":"i-99999999","instanceType":"m3.xlarge","outpostArn":"arn:aws:outposts:us-west-2:123456789000:outpost/op-0fbc006e9abbc73c3","launchTime":"2016-08-02T02:05:06Z","platform":null,"productCodes":[{"productCodeId":"GeneratedFindingProductCodeId","productCodeType":"GeneratedFindingProductCodeType"}],"iamInstanceProfile":{"arn":"arn:aws:iam::905783683962:example/instance/profile","id":"GeneratedFindingInstanceProfileId"},"networkInterfaces":[{"ipv6Addresses":[],"networkInterfaceId":"eni-bfcffe88","privateDnsName":"GeneratedFindingPrivateDnsName","privateIpAddress":"10.0.0.1","privateIpAddresses":[{"privateDnsName":"GeneratedFindingPrivateName","privateIpAddress":"10.0.0.1"}],"subnetId":"GeneratedFindingSubnetId","vpcId":"GeneratedFindingVPCId","securityGroups":[{"groupName":"GeneratedFindingSecurityGroupName","groupId":"GeneratedFindingSecurityId"}],"publicDnsName":"GeneratedFindingPublicDNSName","publicIp":"198.51.100.0"}],"tags":[{"key":"GeneratedFindingInstaceTag1","value":"GeneratedFindingInstaceValue1"},{"key":"GeneratedFindingInstaceTag2","value":"GeneratedFindingInstaceTagValue2"},{"key":"GeneratedFindingInstaceTag3","value":"GeneratedFindingInstaceTagValue3"},{"key":"GeneratedFindingInstaceTag4","value":"GeneratedFindingInstaceTagValue4"},{"key":"GeneratedFindingInstaceTag5","value":"GeneratedFindingInstaceTagValue5"},{"key":"GeneratedFindingInstaceTag6","value":"GeneratedFindingInstaceTagValue6"},{"key":"GeneratedFindingInstaceTag7","value":"GeneratedFindingInstaceTagValue7"},{"key":"GeneratedFindingInstaceTag8","value":"GeneratedFindingInstaceTagValue8"},{"key":"GeneratedFindingInstaceTag9","value":"GeneratedFindingInstaceTagValue9"}],"instanceState":"running","availabilityZone":"GeneratedFindingInstaceAvailabilityZone","imageId":"ami-99999999","imageDescription":"GeneratedFindingInstaceImageDescription"}},"service":{"serviceName":"guardduty","detectorId":"e6b69355a1114885723f6b2a95241195","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"api":"GeneratedFindingAPIName","serviceName":"GeneratedFindingAPIServiceName","callerType":"Remote IP","errorCode":"AccessDenied","remoteIpDetails":{"ipAddressV4":"198.51.100.0","organization":{"asn":"-1","asnOrg":"GeneratedFindingASNOrg","isp":"GeneratedFindingISP","org":"GeneratedFindingOrg"},"country":{"countryName":"GeneratedFindingCountryName"},"city":{"cityName":"GeneratedFindingCityName"},"geoLocation":{"lat":0,"lon":0}},"affectedResources":{}}},"resourceRole":"TARGET","additionalInfo":{"userAgent":{"fullUserAgent":"GeneratedFindingFullUserAgent","userAgentCategory":"GeneratedFindingUserAgentCategory"},"anomalies":{"anomalousAPIs":"GeneratedFindingAPIServiceName:[GeneratedFindingAPIName:AccessDenied , GeneratedFindingAPINameTwo:AccessDenied] , GeneratedFindingAPIServiceNameThree:[GeneratedFindingAPINameThree:success] , GeneratedFindingAPIServiceNameFour:[GeneratedFindingAPINameFour:success]"},"profiledBehavior":{"rareProfiledAPIsAccountProfiling":"GeneratedFindingAPINameTwo , GeneratedFindingAPINameThree","infrequentProfiledAPIsAccountProfiling":"GeneratedFindingAPINameFour","frequentProfiledAPIsAccountProfiling":"GeneratedFindingAPINameFive , GeneratedFindingAPINameSix","rareProfiledAPIsUserIdentityProfiling":"GeneratedFindingAPINameTwo","infrequentProfiledAPIsUserIdentityProfiling":"GeneratedFindingAPINameSix","frequentProfiledAPIsUserIdentityProfiling":"GeneratedFindingAPINameFive","rareProfiledUserTypesAccountProfiling":"GeneratedFindingUserType","infrequentProfiledUserTypesAccountProfiling":"","frequentProfiledUserTypesAccountProfiling":"ASSUMED_ROLE","rareProfiledUserNamesAccountProfiling":"GeneratedFindingUserName , GeneratedFindingUserNameTwo","infrequentProfiledUserNamesAccountProfiling":"","frequentProfiledUserNamesAccountProfiling":"GeneratedFindingUserNameTwoThree","rareProfiledASNsAccountProfiling":"","infrequentProfiledASNsAccountProfiling":"","frequentProfiledASNsAccountProfiling":"asnNumber: GeneratedFindingASNOne asnOrg: GeneratedFindingASNOrgOne","rareProfiledASNsUserIdentityProfiling":"asnNumber: GeneratedFindingASNOne asnOrg: GeneratedFindingASNOrgOne","infrequentProfiledASNsUserIdentityProfiling":"","frequentProfiledASNsUserIdentityProfiling":"","rareProfiledUserAgentsAccountProfiling":"GeneratedFindingUserAgentOne , GeneratedFindingUserAgentTwo , GeneratedFindingUserAgentThree","infrequentProfiledUserAgentsAccountProfiling":"","frequentProfiledUserAgentsAccountProfiling":"AWS Service , AWS Internal","rareProfiledUserAgentsUserIdentityProfiling":"GeneratedFindingUserAgentOne","infrequentProfiledUserAgentsUserIdentityProfiling":"","frequentProfiledUserAgentsUserIdentityProfiling":""},"unusualBehavior":{"unusualAPIsAccountProfiling":"GeneratedFindingAPIName","unusualAPIsUserIdentityProfiling":"GeneratedFindingAPIName","unusualUserTypesAccountProfiling":"","unusualUserNamesAccountProfiling":"","unusualASNsAccountProfiling":"asnNumber: -1 asnOrg: GeneratedFindingASNOrg","unusualASNsUserIdentityProfiling":"asnNumber: -1 asnOrg: GeneratedFindingASNOrg","unusualUserAgentsAccountProfiling":"GeneratedFindingUserAgentCategory","unusualUserAgentsUserIdentityProfiling":"GeneratedFindingUserAgentCategory","isUnusualUserIdentity":"false"},"sample":true},"evidence":null,"eventFirstSeen":"2021-08-13T11:24:08Z","eventLastSeen":"2021-08-31T05:38:23Z","archived":false,"count":2},"severity":5,"createdAt":"2021-08-13T11:24:08.059Z","updatedAt":"2021-08-31T05:38:23.949Z","title":"User GeneratedFindingUserType : GeneratedFindingUserName is anomalously invoking APIs commonly used in CredentialAccess tactics.","description":"APIs commonly used in CredentialAccess tactics were invoked by user GeneratedFindingUserType : GeneratedFindingUserName, under anomalous circumstances. Such activity is not typically seen from this user."}
{"schemaVersion":"2.0","accountId":"905783683962","region":"us-east-2","partition":"aws","id":"e4bd9fa0a4013366a7ef592bd54155fb","arn":"arn:aws:guardduty:us-east-2:905783683962:detector/e6b69355a1114885723f6b2a95241195/finding/e4bd9fa0a4013366a7ef592bd54155fb","type":"Impact:EC2/SuspiciousDomainRequest.Reputation","resource":{"resourceType":"Instance","instanceDetails":{"instanceId":"i-99999999","instanceType":"m3.xlarge","outpostArn":"arn:aws:outposts:us-west-2:123456789000:outpost/op-0fbc006e9abbc73c3","launchTime":"2016-08-02T02:05:06Z","platform":null,"productCodes":[{"productCodeId":"GeneratedFindingProductCodeId","productCodeType":"GeneratedFindingProductCodeType"}],"iamInstanceProfile":{"arn":"arn:aws:iam::905783683962:example/instance/profile","id":"GeneratedFindingInstanceProfileId"},"networkInterfaces":[{"ipv6Addresses":[],"networkInterfaceId":"eni-bfcffe88","privateDnsName":"GeneratedFindingPrivateDnsName","privateIpAddress":"10.0.0.1","privateIpAddresses":[{"privateDnsName":"GeneratedFindingPrivateName","privateIpAddress":"10.0.0.1"}],"subnetId":"GeneratedFindingSubnetId","vpcId":"GeneratedFindingVPCId","securityGroups":[{"groupName":"GeneratedFindingSecurityGroupName","groupId":"GeneratedFindingSecurityId"}],"publicDnsName":"GeneratedFindingPublicDNSName","publicIp":"198.51.100.0"}],"tags":[{"key":"GeneratedFindingInstaceTag1","value":"GeneratedFindingInstaceValue1"},{"key":"GeneratedFindingInstaceTag2","value":"GeneratedFindingInstaceTagValue2"},{"key":"GeneratedFindingInstaceTag3","value":"GeneratedFindingInstaceTagValue3"},{"key":"GeneratedFindingInstaceTag4","value":"GeneratedFindingInstaceTagValue4"},{"key":"GeneratedFindingInstaceTag5","value":"GeneratedFindingInstaceTagValue5"},{"key":"GeneratedFindingInstaceTag6","value":"GeneratedFindingInstaceTagValue6"},{"key":"GeneratedFindingInstaceTag7","value":"GeneratedFindingInstaceTagValue7"},{"key":"GeneratedFindingInstaceTag8","value":"GeneratedFindingInstaceTagValue8"},{"key":"GeneratedFindingInstaceTag9","value":"GeneratedFindingInstaceTagValue9"}],"instanceState":"running","availabilityZone":"GeneratedFindingInstaceAvailabilityZone","imageId":"ami-99999999","imageDescription":"GeneratedFindingInstaceImageDescription"}},"service":{"serviceName":"guardduty","detectorId":"e6b69355a1114885723f6b2a95241195","action":{"actionType":"DNS_REQUEST","dnsRequestAction":{"domain":"GeneratedFindingDomainName","protocol":"UDP","blocked":true}},"resourceRole":"TARGET","additionalInfo":{"threatListName":"GeneratedFindingThreatListName","sample":true},"evidence":{"threatIntelligenceDetails":[{"threatListName":"GeneratedFindingThreatListName","threatNames":["GeneratedFindingThreatName"]}]},"eventFirstSeen":"2021-08-13T11:24:08Z","eventLastSeen":"2021-08-31T05:38:23Z","archived":false,"count":2},"severity":2,"createdAt":"2021-08-13T11:24:08.066Z","updatedAt":"2021-08-31T05:38:23.957Z","title":"Domain similar to known malicious domains queried by EC2 instance i-99999999.","description":"EC2 instance i-99999999 is querying a low reputation domain that is suspicious in nature due to its age, low popularity, or similarity to other known malicious domains."}
{"schemaVersion":"2.0","accountId":"905783683962","region":"us-east-2","partition":"aws","id":"f4bd9fa0a403fb8f0b51ca0a165bca68","arn":"arn:aws:guardduty:us-east-2:905783683962:detector/e6b69355a1114885723f6b2a95241195/finding/f4bd9fa0a403fb8f0b51ca0a165bca68","type":"Discovery:S3/TorIPCaller","resource":{"resourceType":"S3Bucket","accessKeyDetails":{"accessKeyId":"GeneratedFindingAccessKeyId","principalId":"GeneratedFindingPrincipalId","userType":"IAMUser","userName":"GeneratedFindingUserName"},"s3BucketDetails":[{"arn":"arn:aws:s3:::bucketName","name":"bucketName","type":"Destination","createdAt":1.513612691551E9,"owner":{"id":"CanonicalId of Owner"},"tags":[{"key":"foo","value":"bar"}],"defaultServerSideEncryption":{"encryptionType":"SSEAlgorithm","kmsMasterKeyArn":"arn:aws:kms:region:123456789012:key/key-id"},"publicAccess":{"permissionConfiguration":{"bucketLevelPermissions":{"accessControlList":{"allowsPublicReadAccess":false,"allowsPublicWriteAccess":false},"bucketPolicy":{"allowsPublicReadAccess":false,"allowsPublicWriteAccess":false},"blockPublicAccess":{"ignorePublicAcls":false,"restrictPublicBuckets":false,"blockPublicAcls":false,"blockPublicPolicy":false}},"accountLevelPermissions":{"blockPublicAccess":{"ignorePublicAcls":false,"restrictPublicBuckets":false,"blockPublicAcls":false,"blockPublicPolicy":false}}},"effectivePermission":"NOT_PUBLIC"}}],"instanceDetails":{"instanceId":"i-99999999","instanceType":"m3.xlarge","outpostArn":"arn:aws:outposts:us-west-2:123456789000:outpost/op-0fbc006e9abbc73c3","launchTime":"2016-08-02T02:05:06Z","platform":null,"productCodes":[{"productCodeId":"GeneratedFindingProductCodeId","productCodeType":"GeneratedFindingProductCodeType"}],"iamInstanceProfile":{"arn":"arn:aws:iam::905783683962:example/instance/profile","id":"GeneratedFindingInstanceProfileId"},"networkInterfaces":[{"ipv6Addresses":[],"networkInterfaceId":"eni-bfcffe88","privateDnsName":"GeneratedFindingPrivateDnsName","privateIpAddress":"10.0.0.1","privateIpAddresses":[{"privateDnsName":"GeneratedFindingPrivateName","privateIpAddress":"10.0.0.1"}],"subnetId":"GeneratedFindingSubnetId","vpcId":"GeneratedFindingVPCId","securityGroups":[{"groupName":"GeneratedFindingSecurityGroupName","groupId":"GeneratedFindingSecurityId"}],"publicDnsName":"GeneratedFindingPublicDNSName","publicIp":"198.51.100.0"}],"tags":[{"key":"GeneratedFindingInstaceTag1","value":"GeneratedFindingInstaceValue1"},{"key":"GeneratedFindingInstaceTag2","value":"GeneratedFindingInstaceTagValue2"},{"key":"GeneratedFindingInstaceTag3","value":"GeneratedFindingInstaceTagValue3"},{"key":"GeneratedFindingInstaceTag4","value":"GeneratedFindingInstaceTagValue4"},{"key":"GeneratedFindingInstaceTag5","value":"GeneratedFindingInstaceTagValue5"},{"key":"GeneratedFindingInstaceTag6","value":"GeneratedFindingInstaceTagValue6"},{"key":"GeneratedFindingInstaceTag7","value":"GeneratedFindingInstaceTagValue7"},{"key":"GeneratedFindingInstaceTag8","value":"GeneratedFindingInstaceTagValue8"},{"key":"GeneratedFindingInstaceTag9","value":"GeneratedFindingInstaceTagValue9"}],"instanceState":"running","availabilityZone":"GeneratedFindingInstaceAvailabilityZone","imageId":"ami-99999999","imageDescription":"GeneratedFindingInstaceImageDescription"}},"service":{"serviceName":"guardduty","detectorId":"e6b69355a1114885723f6b2a95241195","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"api":"GeneratedFindingAPIName","serviceName":"GeneratedFindingAPIServiceName","callerType":"Remote IP","errorCode":"AccessDenied","remoteIpDetails":{"ipAddressV4":"198.51.100.0","organization":{"asn":"-1","asnOrg":"GeneratedFindingASNOrg","isp":"GeneratedFindingISP","org":"GeneratedFindingORG"},"country":{"countryName":"GeneratedFindingCountryName"},"city":{"cityName":"GeneratedFindingCityName"},"geoLocation":{"lat":0,"lon":0}},"affectedResources":{"AWS::S3::Bucket":"GeneratedFindingS3Bucket"}}},"resourceRole":"TARGET","additionalInfo":{"unusual":{"hoursOfDay":[1513609200000],"userNames":["GeneratedFindingUserName"]},"sample":true},"eventFirstSeen":"2021-08-13T11:24:08Z","eventLastSeen":"2021-08-31T05:38:23Z","archived":false,"count":2},"severity":5,"createdAt":"2021-08-13T11:24:08.071Z","updatedAt":"2021-08-31T05:38:23.962Z","title":"Resource discovery API GeneratedFindingAPIName was invoked from a Tor exit node.","description":"API GeneratedFindingAPIName, commonly used in resource discovery, was used to access bucket GeneratedFindingS3Bucket from Tor exit node IP address 198.51.100.0. Unauthorized actors perform such activity to gather information about your Amazon S3 buckets and objects in order to further tailor the attack."}
{"schemaVersion":"2.0","accountId":"905783683962","region":"us-east-2","partition":"aws","id":"aebd9fa0a4041a0197509a47204e249a","arn":"arn:aws:guardduty:us-east-2:905783683962:detector/e6b69355a1114885723f6b2a95241195/finding/aebd9fa0a4041a0197509a47204e249a","type":"PenTest:S3/ParrotLinux","resource":{"resourceType":"S3Bucket","accessKeyDetails":{"accessKeyId":"GeneratedFindingAccessKeyId","principalId":"GeneratedFindingPrincipalId","userType":"IAMUser","userName":"GeneratedFindingUserName"},"s3BucketDetails":[{"arn":"arn:aws:s3:::bucketName","name":"bucketName","type":"Destination","createdAt":1.513612691551E9,"owner":{"id":"CanonicalId of Owner"},"tags":[{"key":"foo","value":"bar"}],"defaultServerSideEncryption":{"encryptionType":"SSEAlgorithm","kmsMasterKeyArn":"arn:aws:kms:region:123456789012:key/key-id"},"publicAccess":{"permissionConfiguration":{"bucketLevelPermissions":{"accessControlList":{"allowsPublicReadAccess":false,"allowsPublicWriteAccess":false},"bucketPolicy":{"allowsPublicReadAccess":false,"allowsPublicWriteAccess":false},"blockPublicAccess":{"ignorePublicAcls":false,"restrictPublicBuckets":false,"blockPublicAcls":false,"blockPublicPolicy":false}},"accountLevelPermissions":{"blockPublicAccess":{"ignorePublicAcls":false,"restrictPublicBuckets":false,"blockPublicAcls":false,"blockPublicPolicy":false}}},"effectivePermission":"NOT_PUBLIC"}}],"instanceDetails":{"instanceId":"i-99999999","instanceType":"m3.xlarge","outpostArn":"arn:aws:outposts:us-west-2:123456789000:outpost/op-0fbc006e9abbc73c3","launchTime":"2016-08-02T02:05:06Z","platform":null,"productCodes":[{"productCodeId":"GeneratedFindingProductCodeId","productCodeType":"GeneratedFindingProductCodeType"}],"iamInstanceProfile":{"arn":"arn:aws:iam::905783683962:example/instance/profile","id":"GeneratedFindingInstanceProfileId"},"networkInterfaces":[{"ipv6Addresses":[],"networkInterfaceId":"eni-bfcffe88","privateDnsName":"GeneratedFindingPrivateDnsName","privateIpAddress":"10.0.0.1","privateIpAddresses":[{"privateDnsName":"GeneratedFindingPrivateName","privateIpAddress":"10.0.0.1"}],"subnetId":"GeneratedFindingSubnetId","vpcId":"GeneratedFindingVPCId","securityGroups":[{"groupName":"GeneratedFindingSecurityGroupName","groupId":"GeneratedFindingSecurityId"}],"publicDnsName":"GeneratedFindingPublicDNSName","publicIp":"198.51.100.0"}],"tags":[{"key":"GeneratedFindingInstaceTag1","value":"GeneratedFindingInstaceValue1"},{"key":"GeneratedFindingInstaceTag2","value":"GeneratedFindingInstaceTagValue2"},{"key":"GeneratedFindingInstaceTag3","value":"GeneratedFindingInstaceTagValue3"},{"key":"GeneratedFindingInstaceTag4","value":"GeneratedFindingInstaceTagValue4"},{"key":"GeneratedFindingInstaceTag5","value":"GeneratedFindingInstaceTagValue5"},{"key":"GeneratedFindingInstaceTag6","value":"GeneratedFindingInstaceTagValue6"},{"key":"GeneratedFindingInstaceTag7","value":"GeneratedFindingInstaceTagValue7"},{"key":"GeneratedFindingInstaceTag8","value":"GeneratedFindingInstaceTagValue8"},{"key":"GeneratedFindingInstaceTag9","value":"GeneratedFindingInstaceTagValue9"}],"instanceState":"running","availabilityZone":"GeneratedFindingInstaceAvailabilityZone","imageId":"ami-99999999","imageDescription":"GeneratedFindingInstaceImageDescription"}},"service":{"serviceName":"guardduty","detectorId":"e6b69355a1114885723f6b2a95241195","action":{"actionType":"AWS_API_CALL","awsApiCallAction":{"api":"GeneratedFindingAPIName","serviceName":"GeneratedFindingAPIServiceName","callerType":"Remote IP","errorCode":"AccessDenied","remoteIpDetails":{"ipAddressV4":"198.51.100.0","organization":{"asn":"-1","asnOrg":"GeneratedFindingASNOrg","isp":"GeneratedFindingISP","org":"GeneratedFindingORG"},"country":{"countryName":"GeneratedFindingCountryName"},"city":{"cityName":"GeneratedFindingCityName"},"geoLocation":{"lat":0,"lon":0}},"affectedResources":{"AWS::S3::Bucket":"GeneratedFindingS3Bucket"}}},"resourceRole":"TARGET","additionalInfo":{"unusual":{"hoursOfDay":[1513609200000],"userNames":["GeneratedFindingUserName"]},"sample":true},"eventFirstSeen":"2021-08-13T11:24:08Z","eventLastSeen":"2021-08-31T05:38:23Z","archived":false,"count":2},"severity":5,"createdAt":"2021-08-13T11:24:08.072Z","updatedAt":"2021-08-31T05:38:23.963Z","title":"API GeneratedFindingAPIName was invoked from a remote host potentially running Parrot Security Linux.","description":"API GeneratedFindingAPIName was used to access S3 Bucket GeneratedFindingS3Bucket from a remote host with IP address 198.51.100.0 that is potentially running the Parrot Security Linux penetration testing tool."}