翻訳は機械翻訳により提供されています。提供された翻訳内容と英語版の間で齟齬、不一致または矛盾がある場合、英語版が優先します。
# GuardDuty と AWS セキュリティサービスとの統合
GuardDuty は他の AWS セキュリティサービスと統合できます。これらのサービスは GuardDuty からデータを取り込み、新しい方法で検出結果を表示できるようにします。次の統合オプションを参照して、そのサービスが GuardDuty でどのように動作するように設定されているかについての詳細を確認してください。
## GuardDuty と の統合 AWS Security Hub CSPM
AWS Security Hub CSPM は、 AWS アカウント、サービス、およびサポートされているサードパーティーパートナー製品全体からセキュリティデータを収集し、業界標準とベストプラクティスに従って環境のセキュリティ状態を評価します。セキュリティ体制の評価に加えて、Security Hub CSPM は、統合されたすべての AWS サービスと AWS パートナー製品にわたる検出結果のための一元的な場所を作成します。GuardDuty で Security Hub CSPM を有効にすると、GuardDuty の検出結果データが Security Hub CSPM によって自動的に取り込まれます。
GuardDuty で Security Hub CSPM を使用する方法の詳細については、「」を参照してください[との統合 AWS Security Hub CSPM](securityhub-integration.md)。
## GuardDuty と Amazon Detective の統合
Amazon Detective は、 AWS アカウント全体のログデータを使用して、環境とやり取りするリソースと IP アドレスのデータ可視化を作成します。Detective のビジュアライゼーションは、セキュリティ問題をすばやく簡単に調査するのに役立ちます。両方のサービスが有効化されると、GuardDuty の検出結果の詳細から Detective コンソール内の情報にピボットできます。
GuardDuty で Detective を使用する方法については、「[Amazon Detective との統合](detective-integration.md)」を参照してください。
# との統合 AWS Security Hub CSPM
[AWS Security Hub CSPM](https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html) では、 AWS のセキュリティ状態を総合的に把握することができ、セキュリティ業界標準およびベストプラクティスに照らし合わせて環境をチェックすることができます。Security Hub CSPM は、複数の AWS アカウント、サービス、サポートされているサードパーティーパートナー製品からセキュリティデータを収集し、セキュリティの傾向を分析し、最も優先度の高いセキュリティ問題を特定するのに役立ちます。
Amazon GuardDuty と Security Hub CSPM の統合により、GuardDuty から Security Hub CSPM に検出結果を送信できます。Security Hub CSPM は、これらの検出結果をセキュリティ体制の分析に含めることができます。
**Contents**
+ [Amazon GuardDuty が検出結果を に送信する方法 AWS Security Hub CSPM](#securityhub-integration-sending-findings)
+ [GuardDuty が Security Hub CSPM に送信する検出結果のタイプ](#securityhub-integration-finding-types)
+ [新しい検出結果が送信されるまでのレイテンシー](#securityhub-integration-finding-latency)
+ [Security Hub CSPM が使用できない場合の再試行](#securityhub-integration-retry-send)
+ [Security Hub CSPM の既存の検出結果を更新する](#securityhub-integration-finding-updates)
+ [での GuardDuty の検出結果の表示 AWS Security Hub CSPM](#findings-in-securityhub)
+ [での GuardDuty の検出結果名の解釈 AWS Security Hub CSPM](#interpreting-findings-in-securityhub)
+ [GuardDuty からの一般的な検出結果](#securityhub-integration-finding-example)
+ [統合の有効化と構成](#securityhub-integration-enable)
+ [Security Hub CSPM での GuardDuty コントロールの使用](#securityhub-integration-using-guardduty-controls)
+ [検出結果の Security Hub CSPM への公開の停止](#securityhub-integration-disable)
## Amazon GuardDuty が検出結果を に送信する方法 AWS Security Hub CSPM
では AWS Security Hub CSPM、セキュリティの問題は検出結果として追跡されます。一部の検出結果は、他の AWS サービスまたはサードパーティーパートナーによって検出された問題から発生します。Security Hub CSPM には、セキュリティの問題を検出し、検出結果を生成するために使用する一連のルールもあります。
Security Hub CSPM には、これらすべてのソースからの検出結果を管理するためのツールが用意されています。検出結果の一覧を表示およびフィルタリングして、検出結果の詳細を表示できます。詳細については、*AWS Security Hub ユーザーガイド*の「[検出結果の表示](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-viewing.html)」を参照してください。検出結果の調査状況を追跡することもできます 詳細については、*AWS Security Hub ユーザーガイド*の「[検出結果に対するアクションの実行](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-taking-action.html)」を参照してください。
Security Hub CSPM のすべての検出結果は、 AWS Security Finding Format (ASFF) と呼ばれる標準 JSON 形式を使用します。ASFF には、問題のソース、影響を受けるリソース、および検出結果の現在のステータスに関する詳細が含まれます。 [AWS ユーザーガイド](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html) の「*AWS Security Hub Security Finding 形式 (ASFF)*」を参照してください 。
Amazon GuardDuty は、Security Hub CSPM に結果を送信する AWS サービスの 1 つです。
### GuardDuty が Security Hub CSPM に送信する検出結果のタイプ
同じアカウント内で同じアカウントで GuardDuty と Security Hub CSPM を有効にすると AWS リージョン、GuardDuty は生成されたすべての検出結果を Security Hub CSPM に送信し始めます。これらの検出結果は、Security [AWS Finding 形式 (ASFF) を使用して Security](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html) Hub CSPM に送信されます。ASFF では、`Types` フィールドが検出結果タイプを提供します。
#### 新しい検出結果が送信されるまでのレイテンシー
GuardDuty が新しい検出結果を作成すると、通常は 5 分以内に Security Hub CSPM に送信されます。
#### Security Hub CSPM が使用できない場合の再試行
Security Hub CSPM が使用できない場合、GuardDuty は結果を受信するまで結果の送信を再試行します。
#### Security Hub CSPM の既存の検出結果を更新する
Security Hub CSPM に検出結果を送信すると、GuardDuty は検出結果アクティビティの追加観測を反映する更新を Security Hub CSPM に送信します。これらの検出結果の新しい観測結果は、 [ステップ 5 – 検出結果をエクスポートする頻度](guardduty_exportfindings.md#guardduty_exportfindings-frequency)の設定に基づいて Security Hub CSPM に送信されます AWS アカウント。
検出結果をアーカイブまたはアーカイブ解除すると、GuardDuty はその検出結果を Security Hub CSPM に送信しません。GuardDuty で後でアクティブになる手動でアーカイブ解除された検出結果は、Security Hub CSPM に送信されません。
## での GuardDuty の検出結果の表示 AWS Security Hub CSPM
にサインイン AWS マネジメントコンソール し、[https://console.aws.amazon.com/securityhub/](https://console.aws.amazon.com/securityhub/) で AWS Security Hub CSPM コンソールを開きます。
次のいずれかの方法を使用して、Security Hub CSPM コンソールで GuardDuty の検出結果を表示できるようになりました。
**オプション 1: Security Hub CSPM *で統合*を使用する**
1. 左側のナビゲーションペインから、**[統合]** を選択します。
1. **[統合]** ページで、**Amazon: GuardDuty** の **ステータス** を確認します。
+ **ステータス**が **[検出結果を受け入る]** の場合は、**[検出結果を受け入れる]** の横にある **[検出結果を参照]** を選択します。
+ そうでない場合は、**統合の仕組みの詳細については、***AWS Security Hub 「 ユーザーガイド*」の[「Security Hub CSPM 統合](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-providers.html)」を参照してください。
**オプション 2: Security Hub CSPM で*の結果*の使用**
1. 左のナビゲーションペインで **[検出結果]** を選択します。
1. **[検出結果]** ページで、**[製品名]** のフィルターを追加し、**GuardDuty** と入力して GuardDuty の検出結果のみを表示します。
### での GuardDuty の検出結果名の解釈 AWS Security Hub CSPM
GuardDuty は、Security [AWS Finding 形式 (ASFF)](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html) を使用して Security Hub CSPM に結果を送信します。ASFF では、`Types` フィールドが検出結果タイプを提供します。ASFF タイプは、GuardDuty のタイプとは異なる命名規則を使用します。次の表は、Security Hub CSPM に表示されるすべての GuardDuty 検出結果タイプとその ASFF タイプの詳細を示しています。
**注記**
一部の GuardDuty 検出結果タイプでは、Security Hub CSPM は、検出結果の詳細の**リソースロール**が **ACTOR** か **TARGET** かに応じて、異なる ASFF 検出結果名を割り当てます。詳細については、「[検出結果の詳細](guardduty_findings-summary.md)」を参照してください。
| GuardDuty の検出結果タイプ | ASFF 検出結果タイプ |
| --- | --- |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-attack-sequence-finding-types.html#attack-sequence-iam-compromised-credentials](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-attack-sequence-finding-types.html#attack-sequence-iam-compromised-credentials) | TTPs/AttackSequence:IAM/CompromisedCredentials |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-attack-sequence-finding-types.html#attack-sequence-s3-compromised-data](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-attack-sequence-finding-types.html#attack-sequence-s3-compromised-data) | TTPs/AttackSequence:S3/CompromisedData |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#backdoor-ec2-ccactivityb](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#backdoor-ec2-ccactivityb) | TTPs/Command and Control/Backdoor:EC2-C&CActivity.B |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#backdoor-ec2-ccactivitybdns](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#backdoor-ec2-ccactivitybdns) | TTPs/Command and Control/Backdoor:EC2-C&CActivity.B\$1DNS |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#backdoor-ec2-denialofservicedns](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#backdoor-ec2-denialofservicedns) | TTPs/Command and Control/Backdoor:EC2-DenialOfService.Dns |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#backdoor-ec2-denialofservicetcp](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#backdoor-ec2-denialofservicetcp) | TTPs/Command and Control/Backdoor:EC2-DenialOfService.Tcp |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#backdoor-ec2-denialofserviceudp](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#backdoor-ec2-denialofserviceudp) | TTPs/Command and Control/Backdoor:EC2-DenialOfService.Udp |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#backdoor-ec2-denialofserviceudpontcpports](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#backdoor-ec2-denialofserviceudpontcpports) | TTPs/Command and Control/Backdoor:EC2-DenialOfService.UdpOnTcpPorts |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#backdoor-ec2-denialofserviceunusualprotocol](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#backdoor-ec2-denialofserviceunusualprotocol) | TTPs/Command and Control/Backdoor:EC2-DenialOfService.UnusualProtocol |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#backdoor-ec2-spambot](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#backdoor-ec2-spambot) | TTPs/Command and Control/Backdoor:EC2-Spambot |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#behavior-ec2-networkportunusual](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#behavior-ec2-networkportunusual) | Unusual Behaviors/VM/Behavior:EC2-NetworkPortUnusual |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#behavior-ec2-trafficvolumeunusual](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#behavior-ec2-trafficvolumeunusual) | Unusual Behaviors/VM/Behavior:EC2-TrafficVolumeUnusual |
| [https://docs.aws.amazon.com/guardduty/latest/ug/lambda-protection-finding-types.html#backdoor-lambda-ccactivity-b](https://docs.aws.amazon.com/guardduty/latest/ug/lambda-protection-finding-types.html#backdoor-lambda-ccactivity-b) | TTPs/Command and Control/Backdoor:Lambda-C&CActivity.B |
| [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#backdoor-runtime-ccactivityb](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#backdoor-runtime-ccactivityb) | TTPs/Command and Control/Backdoor:Runtime-C&CActivity.B |
| [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#backdoor-runtime-ccactivitybdns](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#backdoor-runtime-ccactivitybdns) | TTPs/Command and Control/Backdoor:Runtime-C&CActivity.B\$1DNS |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#credentialaccess-iam-anomalousbehavior](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#credentialaccess-iam-anomalousbehavior) | TTPs/Credential Access/IAMUser-AnomalousBehavior |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#credaccess-kubernetes-anomalousbehavior-secretsaccessed](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#credaccess-kubernetes-anomalousbehavior-secretsaccessed) | TTPs/AnomalousBehavior/CredentialAccess:Kubernetes-SecretsAccessed |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#credentialaccess-kubernetes-maliciousipcaller](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#credentialaccess-kubernetes-maliciousipcaller) | TTPs/CredentialAccess/CredentialAccess:Kubernetes-MaliciousIPCaller |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#credentialaccess-kubernetes-maliciousipcallercustom](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#credentialaccess-kubernetes-maliciousipcallercustom) | TTPs/CredentialAccess/CredentialAccess:Kubernetes-MaliciousIPCaller.Custom |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#credentialaccess-kubernetes-successfulanonymousaccess](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#credentialaccess-kubernetes-successfulanonymousaccess) | TTPs/CredentialAccess/CredentialAccess:Kubernetes-SuccessfulAnonymousAccess |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#credentialaccess-kubernetes-toripcaller](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#credentialaccess-kubernetes-toripcaller) | TTPs/CredentialAccess/CredentialAccess:Kubernetes-TorIPCaller |
| [https://docs.aws.amazon.com/guardduty/latest/ug/findings-rds-protection.html#credaccess-rds-anombehavior-failedlogin](https://docs.aws.amazon.com/guardduty/latest/ug/findings-rds-protection.html#credaccess-rds-anombehavior-failedlogin) | TTPs/Credential Access/CredentialAccess:RDS-AnomalousBehavior.FailedLogin |
| [https://docs.aws.amazon.com/guardduty/latest/ug/findings-rds-protection.html#credaccess-rds-anombehavior-successfulbruteforce](https://docs.aws.amazon.com/guardduty/latest/ug/findings-rds-protection.html#credaccess-rds-anombehavior-successfulbruteforce) | TTPs/Credential Access/CredentialAccess:RDS-AnomalousBehavior.SuccessfulBruteForce |
| [https://docs.aws.amazon.com/guardduty/latest/ug/findings-rds-protection.html#credaccess-rds-anombehavior-successlogin](https://docs.aws.amazon.com/guardduty/latest/ug/findings-rds-protection.html#credaccess-rds-anombehavior-successlogin) | TTPs/Credential Access/CredentialAccess:RDS-AnomalousBehavior.SuccessfulLogin |
| [https://docs.aws.amazon.com/guardduty/latest/ug/findings-rds-protection.html#credaccess-rds-maliciousipcaller-failedlogin](https://docs.aws.amazon.com/guardduty/latest/ug/findings-rds-protection.html#credaccess-rds-maliciousipcaller-failedlogin) | TTPs/Credential Access/CredentialAccess:RDS-MaliciousIPCaller.FailedLogin |
| [https://docs.aws.amazon.com/guardduty/latest/ug/findings-rds-protection.html#credaccess-rds-maliciousipcaller-successfullogin](https://docs.aws.amazon.com/guardduty/latest/ug/findings-rds-protection.html#credaccess-rds-maliciousipcaller-successfullogin) | TTPs/Credential Access/CredentialAccess:RDS-MaliciousIPCaller.SuccessfulLogin |
| [https://docs.aws.amazon.com/guardduty/latest/ug/findings-rds-protection.html#credaccess-rds-toripcaller-failedlogin](https://docs.aws.amazon.com/guardduty/latest/ug/findings-rds-protection.html#credaccess-rds-toripcaller-failedlogin) | TTPs/Credential Access/CredentialAccess:RDS-TorIPCaller.FailedLogin |
| [https://docs.aws.amazon.com/guardduty/latest/ug/findings-rds-protection.html#credaccess-rds-toripcaller-successfullogin](https://docs.aws.amazon.com/guardduty/latest/ug/findings-rds-protection.html#credaccess-rds-toripcaller-successfullogin) | TTPs/Credential Access/CredentialAccess:RDS-TorIPCaller.SuccessfulLogin |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#cryptocurrency-ec2-bitcointoolb](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#cryptocurrency-ec2-bitcointoolb) | TTPs/Command and Control/CryptoCurrency:EC2-BitcoinTool.B |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#cryptocurrency-ec2-bitcointoolbdns](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#cryptocurrency-ec2-bitcointoolbdns) | TTPs/Command and Control/CryptoCurrency:EC2-BitcoinTool.B\$1DNS |
| [https://docs.aws.amazon.com/guardduty/latest/ug/lambda-protection-finding-types.html#cryptocurrency-lambda-bitcointool-b](https://docs.aws.amazon.com/guardduty/latest/ug/lambda-protection-finding-types.html#cryptocurrency-lambda-bitcointool-b) | TTPs/Command and Control/CryptoCurrency:Lambda-BitcoinTool.B Effects/Resource Consumption/CryptoCurrency:Lambda-BitcoinTool.B |
| [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#cryptocurrency-runtime-bitcointoolb](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#cryptocurrency-runtime-bitcointoolb) | TTPs/Command and Control/CryptoCurrency:Runtime-BitcoinTool.B |
| [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#cryptocurrency-runtime-bitcointoolbdns](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#cryptocurrency-runtime-bitcointoolbdns) | TTPs/Command and Control/CryptoCurrency:Runtime-BitcoinTool.B\$1DNS |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#defenseevasion-ec2-unusualdnsresolver](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#defenseevasion-ec2-unusualdnsresolver) | TTPs/DefenseEvasion/EC2:Unusual-DNS-Resolver |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#defenseevasion-ec2-unsualdohactivity](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#defenseevasion-ec2-unsualdohactivity) | TTPs/DefenseEvasion/EC2:Unusual-DoH-Activity |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#defenseevasion-ec2-unusualdotactivity](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#defenseevasion-ec2-unusualdotactivity) | TTPs/DefenseEvasion/EC2:Unusual-DoT-Activity |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#defenseevasion-iam-anomalousbehavior](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#defenseevasion-iam-anomalousbehavior) | TTPs/Defense Evasion/IAMUser-AnomalousBehavior |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#defenseevasion-iam-bedrockloggingdisabled](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#defenseevasion-iam-bedrockloggingdisabled) | TTPs/Defense Evasion/DefenseEvasion:IAMUser-BedrockLoggingDisabled |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#defenseevasion-kubernetes-maliciousipcaller](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#defenseevasion-kubernetes-maliciousipcaller) | TTPs/DefenseEvasion/DefenseEvasion:Kubernetes-MaliciousIPCaller |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#defenseevasion-kubernetes-maliciousipcallercustom](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#defenseevasion-kubernetes-maliciousipcallercustom) | TTPs/DefenseEvasion/DefenseEvasion:Kubernetes-MaliciousIPCaller.Custom |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#defenseevasion-kubernetes-successfulanonymousaccess](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#defenseevasion-kubernetes-successfulanonymousaccess) | TTPs/DefenseEvasion/DefenseEvasion:Kubernetes-SuccessfulAnonymousAccess |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#defenseevasion-kubernetes-toripcaller](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#defenseevasion-kubernetes-toripcaller) | TTPs/DefenseEvasion/DefenseEvasion:Kubernetes-TorIPCaller |
| [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#defenseeva-runtime-filelessexecution](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#defenseeva-runtime-filelessexecution) | TTPs/Defense Evasion/DefenseEvasion:Runtime-FilelessExecution |
| [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#defenseevasion-runtime-kernelmoduleloaded](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#defenseevasion-runtime-kernelmoduleloaded) | TTPs/Defense Evasion/DefenseEvasion:Runtime-KernelModuleLoaded |
| [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#defenseeva-runtime-processinjectionproc](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#defenseeva-runtime-processinjectionproc) | TTPs/Defense Evasion/DefenseEvasion:Runtime-ProcessInjection.Proc |
| [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#defenseeva-runtime-processinjectionptrace](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#defenseeva-runtime-processinjectionptrace) | TTPs/Defense Evasion/DefenseEvasion:Runtime-ProcessInjection.Ptrace |
| [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#defenseeva-runtime-processinjectionvirtualmemw](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#defenseeva-runtime-processinjectionvirtualmemw) | TTPs/Defense Evasion/DefenseEvasion:Runtime-ProcessInjection.VirtualMemoryWrite |
| [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#defenseevasion-runtime-ptrace-anti-debug](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#defenseevasion-runtime-ptrace-anti-debug) | TTPs/DefenseEvasion/DefenseEvasion:Runtime-PtraceAntiDebugging |
| [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#defenseevasion-runtime-suspicious-command](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#defenseevasion-runtime-suspicious-command) | TTPs/DefenseEvasion/DefenseEvasion:Runtime-SuspiciousCommand |
| [Discovery:IAMUser/AnomalousBehavior](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#discovery-iam-anomalousbehavior) | TTPs/Discovery/IAMUser-AnomalousBehavior |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#discovery-kubernetes-anomalousbehavrior-permissionchecked](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#discovery-kubernetes-anomalousbehavrior-permissionchecked) | TTPs/AnomalousBehavior/Discovery:Kubernetes-PermissionChecked |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#discovery-kubernetes-maliciousipcaller](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#discovery-kubernetes-maliciousipcaller) | TTPs/Discovery/Discovery:Kubernetes-MaliciousIPCaller |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#discovery-kubernetes-maliciousipcallercustom](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#discovery-kubernetes-maliciousipcallercustom) | TTPs/Discovery/Discovery:Kubernetes-MaliciousIPCaller.Custom |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#discovery-kubernetes-successfulanonymousaccess](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#discovery-kubernetes-successfulanonymousaccess) | TTPs/Discovery/Discovery:Kubernetes-SuccessfulAnonymousAccess |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#discovery-kubernetes-toripcaller](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#discovery-kubernetes-toripcaller) | TTPs/Discovery/Discovery:Kubernetes-TorIPCaller |
| [https://docs.aws.amazon.com/guardduty/latest/ug/findings-rds-protection.html#discovery-rds-maliciousipcaller](https://docs.aws.amazon.com/guardduty/latest/ug/findings-rds-protection.html#discovery-rds-maliciousipcaller) | TTPs/Discovery/RDS-MaliciousIPCaller |
| [https://docs.aws.amazon.com/guardduty/latest/ug/findings-rds-protection.html#discovery-rds-toripcaller](https://docs.aws.amazon.com/guardduty/latest/ug/findings-rds-protection.html#discovery-rds-toripcaller) | TTPs/Discovery/RDS-TorIPCaller |
| [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#discovery-runtime-suspicious-command](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#discovery-runtime-suspicious-command) | TTPs/Discovery/Discovery:Runtime-SuspiciousCommand |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#discovery-s3-anomalousbehavior](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#discovery-s3-anomalousbehavior) | TTPs/Discovery:S3-AnomalousBehavior |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#discovery-s3-bucketenumerationunusual](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#discovery-s3-bucketenumerationunusual) | TTPs/Discovery:S3-BucketEnumeration.Unusual |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#discovery-s3-maliciousipcallercustom.title](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#discovery-s3-maliciousipcallercustom.title) | TTPs/Discovery:S3-MaliciousIPCaller.Custom |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#discovery-s3-toripcaller](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#discovery-s3-toripcaller) | TTPs/Discovery:S3-TorIPCaller |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#discovery-s3-maliciousipcaller](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#discovery-s3-maliciousipcaller) | TTPs/Discovery:S3-MaliciousIPCaller |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#exfiltration-iam-anomalousbehavior](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#exfiltration-iam-anomalousbehavior) | TTPs/Exfiltration/IAMUser-AnomalousBehavior |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#execution-kubernetes-execinkubesystempod](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#execution-kubernetes-execinkubesystempod) | TTPs/Execution/Execution:Kubernetes-ExecInKubeSystemPod |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#execution-kubernetes-anomalousbehvaior-execinprod](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#execution-kubernetes-anomalousbehvaior-execinprod) | TTPs/AnomalousBehavior/Execution:Kubernetes-ExecInPod |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#exec-kubernetes-anomalousbehavior-workloaddeployed](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#exec-kubernetes-anomalousbehavior-workloaddeployed) | TTPs/AnomalousBehavior/Execution:Kubernetes-WorkloadDeployed |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#impact-ec2-maliciousdomainrequest-custom](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#impact-ec2-maliciousdomainrequest-custom) | TTPs/Impact/Impact:EC2-MaliciousDomainRequest.Custom |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#impact-kubernetes-maliciousipcaller](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#impact-kubernetes-maliciousipcaller) | TTPs/Impact/Impact:Kubernetes-MaliciousIPCaller |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#impact-kubernetes-maliciousipcallercustom](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#impact-kubernetes-maliciousipcallercustom) | TTPs/Impact/Impact:Kubernetes-MaliciousIPCaller.Custom |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#impact-kubernetes-successfulanonymousaccess](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#impact-kubernetes-successfulanonymousaccess) | TTPs/Impact/Impact:Kubernetes-SuccessfulAnonymousAccess |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#impact-kubernetes-toripcaller](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#impact-kubernetes-toripcaller) | TTPs/Impact/Impact:Kubernetes-TorIPCaller |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#persistence-kubernetes-containerwithsensitivemount](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#persistence-kubernetes-containerwithsensitivemount) | TTPs/Persistence/Persistence:Kubernetes-ContainerWithSensitiveMount |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#privesc-kubernetes-anomalousbehavior-workloaddeployed-containerwithsensitivemount](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#privesc-kubernetes-anomalousbehavior-workloaddeployed-containerwithsensitivemount) | TTPs/AnomalousBehavior/Persistence:Kubernetes-WorkloadDeployed\$1ContainerWithSensitiveMount |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#privesc-kubernetes-anomalousbehavior-workloaddeployed-privcontainer](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#privesc-kubernetes-anomalousbehavior-workloaddeployed-privcontainer) | TTPs/AnomalousBehavior/PrivilegeEscalation:Kubernetes-WorkloadDeployed\$1PrivilegedContainer |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#persistence-kubernetes-maliciousipcaller](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#persistence-kubernetes-maliciousipcaller) | TTPs/Persistence/Persistence:Kubernetes-MaliciousIPCaller |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#persistence-kubernetes-maliciousipcallercustom](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#persistence-kubernetes-maliciousipcallercustom) | TTPs/Persistence/Persistence:Kubernetes-MaliciousIPCaller.Custom |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#persistence-kubernetes-successfulanonymousaccess](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#persistence-kubernetes-successfulanonymousaccess) | TTPs/Persistence/Persistence:Kubernetes-SuccessfulAnonymousAccess |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#persistence-kubernetes-toripcaller](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#persistence-kubernetes-toripcaller) | TTPs/Persistence/Persistence:Kubernetes-TorIPCaller |
| [https://docs.aws.amazon.com/guardduty/latest/ug/findings-malware-protection.html#execution-malware-ec2-maliciousfile](https://docs.aws.amazon.com/guardduty/latest/ug/findings-malware-protection.html#execution-malware-ec2-maliciousfile) | TTPs/Execution/Execution:EC2-MaliciousFile |
| [https://docs.aws.amazon.com/guardduty/latest/ug/findings-malware-protection.html#execution-malware-ecs-maliciousfile](https://docs.aws.amazon.com/guardduty/latest/ug/findings-malware-protection.html#execution-malware-ecs-maliciousfile) | TTPs/Execution/Execution:ECS-MaliciousFile |
| [https://docs.aws.amazon.com/guardduty/latest/ug/findings-malware-protection.html#execution-malware-kubernetes-maliciousfile](https://docs.aws.amazon.com/guardduty/latest/ug/findings-malware-protection.html#execution-malware-kubernetes-maliciousfile) | TTPs/Execution/Execution:Kubernetes-MaliciousFile |
| [https://docs.aws.amazon.com/guardduty/latest/ug/findings-malware-protection.html#execution-malware-container-maliciousfile](https://docs.aws.amazon.com/guardduty/latest/ug/findings-malware-protection.html#execution-malware-container-maliciousfile) | TTPs/Execution/Execution:Container-MaliciousFile |
| [https://docs.aws.amazon.com/guardduty/latest/ug/findings-malware-protection.html#execution-malware-ec2-suspiciousfile](https://docs.aws.amazon.com/guardduty/latest/ug/findings-malware-protection.html#execution-malware-ec2-suspiciousfile) | TTPs/Execution/Execution:EC2-SuspiciousFile |
| [https://docs.aws.amazon.com/guardduty/latest/ug/findings-malware-protection.html#execution-malware-ecs-suspiciousfile](https://docs.aws.amazon.com/guardduty/latest/ug/findings-malware-protection.html#execution-malware-ecs-suspiciousfile) | TTPs/Execution/Execution:ECS-SuspiciousFile |
| [https://docs.aws.amazon.com/guardduty/latest/ug/findings-malware-protection.html#execution-malware-kubernetes-suspiciousfile](https://docs.aws.amazon.com/guardduty/latest/ug/findings-malware-protection.html#execution-malware-kubernetes-suspiciousfile) | TTPs/Execution/Execution:Kubernetes-SuspiciousFile |
| [https://docs.aws.amazon.com/guardduty/latest/ug/findings-malware-protection.html#execution-malware-container-suspiciousfile](https://docs.aws.amazon.com/guardduty/latest/ug/findings-malware-protection.html#execution-malware-container-suspiciousfile) | TTPs/Execution/Execution:Container-SuspiciousFile |
| [https://docs.aws.amazon.com/guardduty/latest/ug/findings-malware-protection-backup.html#execution-malware-ec2-maliciousfile-snapshot](https://docs.aws.amazon.com/guardduty/latest/ug/findings-malware-protection-backup.html#execution-malware-ec2-maliciousfile-snapshot) | TTPs/Execution/Execution:EC2-MaliciousFile\$1Snapshot |
| [https://docs.aws.amazon.com/guardduty/latest/ug/findings-malware-protection-backup.html#execution-malware-ec2-maliciousfile-ami](https://docs.aws.amazon.com/guardduty/latest/ug/findings-malware-protection-backup.html#execution-malware-ec2-maliciousfile-ami) | TTPs/Execution/Execution:EC2-MaliciousFile\$1AMI |
| [https://docs.aws.amazon.com/guardduty/latest/ug/findings-malware-protection-backup.html#execution-malware-ec2-maliciousfile-recoverypoint](https://docs.aws.amazon.com/guardduty/latest/ug/findings-malware-protection-backup.html#execution-malware-ec2-maliciousfile-recoverypoint) | TTPs/Execution/Execution:EC2-MaliciousFile\$1RecoveryPoint |
| [https://docs.aws.amazon.com/guardduty/latest/ug/findings-malware-protection-backup.html#execution-malware-s3-maliciousfile-recoverypoint](https://docs.aws.amazon.com/guardduty/latest/ug/findings-malware-protection-backup.html#execution-malware-s3-maliciousfile-recoverypoint) | TTPs/Execution/Execution:S3-MaliciousFile\$1RecoveryPoint |
| [https://docs.aws.amazon.com/guardduty/latest/ug/findings-malware-protection.html#execution-runtime-malicious-file-executed](https://docs.aws.amazon.com/guardduty/latest/ug/findings-malware-protection.html#execution-runtime-malicious-file-executed) | TTPs/Execution/Execution:Runtime-MaliciousFileExecuted |
| [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#execution-runtime-newbinaryexecuted](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#execution-runtime-newbinaryexecuted) | TTPs/Execution/Execution:Runtime-NewBinaryExecuted |
| [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#execution-runtime-newlibraryloaded](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#execution-runtime-newlibraryloaded) | TTPs/Execution/Execution:Runtime-NewLibraryLoaded |
| [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#execution-runtime-reverseshell](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#execution-runtime-reverseshell) | TTPs/Execution/Execution:Runtime-ReverseShell |
| [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#execution-runtime-suspiciouscommand](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#execution-runtime-suspiciouscommand) | TTPs/Execution/Execution:Runtime-SuspiciousCommand |
| [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#execution-runtime-suspicious-shell-created](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#execution-runtime-suspicious-shell-created) | TTPs/Execution/Execution:Runtime-SuspiciousShellCreated |
| [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#execution-runtime-suspicioustool](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#execution-runtime-suspicioustool) | TTPs/Execution/Execution:Runtime-SuspiciousTool |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#exfiltration-s3-anomalousbehavior](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#exfiltration-s3-anomalousbehavior) | TTPs/Exfiltration:S3-AnomalousBehavior |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#exfiltration-s3-objectreadunusual](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#exfiltration-s3-objectreadunusual) | TTPs/Exfiltration:S3-ObjectRead.Unusual |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#exfiltration-s3-maliciousipcaller](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#exfiltration-s3-maliciousipcaller) | TTPs/Exfiltration:S3-MaliciousIPCaller |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#impact-ec2-abuseddomainrequestreputation](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#impact-ec2-abuseddomainrequestreputation) | TTPs/Impact:EC2-AbusedDomainRequest.Reputation |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#impact-ec2-bitcoindomainrequestreputation](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#impact-ec2-bitcoindomainrequestreputation) | TTPs/Impact:EC2-BitcoinDomainRequest.Reputation |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#impact-ec2-maliciousdomainrequestreputation](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#impact-ec2-maliciousdomainrequestreputation) | TTPs/Impact:EC2-MaliciousDomainRequest.Reputation |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#impact-ec2-portsweep](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#impact-ec2-portsweep) | TTPs/Impact/Impact:EC2-PortSweep |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#impact-ec2-suspiciousdomainrequestreputation](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#impact-ec2-suspiciousdomainrequestreputation) | TTPs/Impact:EC2-SuspiciousDomainRequest.Reputation |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#impact-ec2-winrmbruteforce](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#impact-ec2-winrmbruteforce) | TTPs/Impact/Impact:EC2-WinRMBruteForce |
| [Impact:IAMUser/AnomalousBehavior](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#impact-iam-anomalousbehavior) | TTPs/Impact/IAMUser-AnomalousBehavior |
| [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#impact-runtime-abuseddomainrequestreputation](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#impact-runtime-abuseddomainrequestreputation) | TTPs/Impact/Impact:Runtime-AbusedDomainRequest.Reputation |
| [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#impact-runtime-bitcoindomainrequestreputation](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#impact-runtime-bitcoindomainrequestreputation) | TTPs/Impact/Impact:Runtime-BitcoinDomainRequest.Reputation |
| [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#impact-runtime-cryptominerexecuted](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#impact-runtime-cryptominerexecuted) | TTPs/Impact/Impact:Runtime-CryptoMinerExecuted |
| [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#impact-runtime-maliciousdomainrequestreputation](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#impact-runtime-maliciousdomainrequestreputation) | TTPs/Impact/Impact:Runtime-MaliciousDomainRequest.Reputation |
| [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#impact-runtime-suspiciousdomainrequestreputation](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#impact-runtime-suspiciousdomainrequestreputation) | TTPs/Impact/Impact:Runtime-SuspiciousDomainRequest.Reputatio |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#impact-s3-anomalousbehavior-delete](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#impact-s3-anomalousbehavior-delete) | TTPs/Impact:S3-AnomalousBehavior.Delete |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#impact-s3-anomalousbehavior-permission](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#impact-s3-anomalousbehavior-permission) | TTPs/Impact:S3-AnomalousBehavior.Permission |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#impact-s3-anomalousbehavior-write](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#impact-s3-anomalousbehavior-write) | TTPs/Impact:S3-AnomalousBehavior.Write |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#impact-s3-objectdeleteunusual](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#impact-s3-objectdeleteunusual) | TTPs/Impact:S3-ObjectDelete.Unusual |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#impact-s3-permissionsmodificationunusual](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#impact-s3-permissionsmodificationunusual) | TTPs/Impact:S3-PermissionsModification.Unusual |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#impact-s3-maliciousipcaller](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#impact-s3-maliciousipcaller) | TTPs/Impact:S3-MaliciousIPCaller |
| [InitialAccess:IAMUser/AnomalousBehavior](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#initialaccess-iam-anomalousbehavior) | TTPs/Initial Access/IAMUser-AnomalousBehavior |
| [https://docs.aws.amazon.com/guardduty/latest/ug/gdu-malware-protection-s3-finding-types.html#s3-object-s3-malicious-file](https://docs.aws.amazon.com/guardduty/latest/ug/gdu-malware-protection-s3-finding-types.html#s3-object-s3-malicious-file) | TTPs/Object/Object:S3-MaliciousFile |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#pentest-iam-kalilinux](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#pentest-iam-kalilinux) | TTPs/PenTest:IAMUser/KaliLinux |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#pentest-iam-parrotlinux](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#pentest-iam-parrotlinux) | TTPs/PenTest:IAMUser/ParrotLinux |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#pentest-iam-pentoolinux](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#pentest-iam-pentoolinux) | TTPs/PenTest:IAMUser/PentooLinux |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#pentest-iam-kalilinux](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#pentest-iam-kalilinux) | TTPs/PenTest:S3-KaliLinux |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#pentest-s3-parrotlinux](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#pentest-s3-parrotlinux) | TTPs/PenTest:S3-ParrotLinux |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#pentest-s3-pentoolinux](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#pentest-s3-pentoolinux) | TTPs/PenTest:S3-PentooLinux |
| [Persistence:IAMUser/AnomalousBehavior](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#persistence-iam-anomalousbehavior) | TTPs/Persistence/IAMUser-AnomalousBehavior |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#persistence-iam-networkpermissions](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#persistence-iam-networkpermissions) | TTPs/Persistence/Persistence:IAMUser-NetworkPermissions |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#persistence-iam-resourcepermissions](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#persistence-iam-resourcepermissions) | TTPs/Persistence/Persistence:IAMUser-ResourcePermissions |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#persistence-iam-userpermissions](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#persistence-iam-userpermissions) | TTPs/Persistence/Persistence:IAMUser-UserPermissions |
| [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#persistence-runtime-suspicious-command](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#persistence-runtime-suspicious-command) | TTPs/Persistence/Persistence:Runtime-SuspiciousCommand |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#policy-iam-rootcredentialusage](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#policy-iam-rootcredentialusage) | TTPs/Policy:IAMUser-RootCredentialUsage |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#policy-iam-user-short-term-root-credential-usage](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#policy-iam-user-short-term-root-credential-usage) | TTPs/Policy:IAMUser-ShortTermRootCredentialUsage |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#policy-kubernetes-adminaccesstodefaultserviceaccount](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#policy-kubernetes-adminaccesstodefaultserviceaccount) | Software and Configuration Checks/AWS Security Best Practices/Policy:Kubernetes-AdminAccessToDefaultServiceAccount |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#policy-kubernetes-anonymousaccessgranted](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#policy-kubernetes-anonymousaccessgranted) | Software and Configuration Checks/AWS Security Best Practices/Policy:Kubernetes-AnonymousAccessGranted |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#policy-kubernetes-exposeddashboard](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#policy-kubernetes-exposeddashboard) | Software and Configuration Checks/AWS Security Best Practices/Policy:Kubernetes-ExposedDashboard |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#policy-kubernetes-kubeflowdashboardexposed](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#policy-kubernetes-kubeflowdashboardexposed) | Software and Configuration Checks/AWS Security Best Practices/Policy:Kubernetes-KubeflowDashboardExposed |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#policy-s3-accountblockpublicaccessdisabled](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#policy-s3-accountblockpublicaccessdisabled) | TTPs/Policy:S3-AccountBlockPublicAccessDisabled |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#policy-s3-bucketanonymousaccessgranted](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#policy-s3-bucketanonymousaccessgranted) | TTPs/Policy:S3-BucketAnonymousAccessGranted |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#policy-s3-bucketblockpublicaccessdisabled](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#policy-s3-bucketblockpublicaccessdisabled) | Effects/Data Exposure/Policy:S3-BucketBlockPublicAccessDisabled |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#policy-s3-bucketpublicaccessgranted](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#policy-s3-bucketpublicaccessgranted) | TTPs/Policy:S3-BucketPublicAccessGranted |
| [PrivilegeEscalation:IAMUser/AnomalousBehavior](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#privilegeescalation-iam-anomalousbehavior) | TTPs/Privilege Escalation/IAMUser-AnomalousBehavior |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#privilegeescalation-iam-administrativepermissions](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#privilegeescalation-iam-administrativepermissions) | TTPs/Privilege Escalation/PrivilegeEscalation:IAMUser-AdministrativePermissions |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#privesc-kubernetes-anomalousbehavior-rolebindingcreated](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#privesc-kubernetes-anomalousbehavior-rolebindingcreated) | TTPs/AnomalousBehavior/PrivilegeEscalation:Kubernetes-RoleBindingCreated |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#privesc-kubernetes-anomalousbehavior-rolecreated](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#privesc-kubernetes-anomalousbehavior-rolecreated) | TTPs/AnomalousBehavior/PrivilegeEscalation:Kubernetes-RoleCreated |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#privilegeescalation-kubernetes-privilegedcontainer](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#privilegeescalation-kubernetes-privilegedcontainer) | TTPs/PrivilegeEscalation/PrivilegeEscalation:Kubernetes-PrivilegedContainer |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#privilegeesc-runtime-containermountshostdirectory](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#privilegeesc-runtime-containermountshostdirectory) | TTPs/Privilege Escalation/PrivilegeEscalation:Runtime-ContainerMountsHostDirectory |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#privilegeesc-runtime-cgroupsreleaseagentmodified](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#privilegeesc-runtime-cgroupsreleaseagentmodified) | TTPs/Privilege Escalation/PrivilegeEscalation:Runtime-CGroupsReleaseAgentModified |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#privilegeesc-runtime-dockersocketaccessed](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#privilegeesc-runtime-dockersocketaccessed) | TTPs/Privilege Escalation/PrivilegeEscalation:Runtime-DockerSocketAccessed |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#privilegeesc-runtime-elevation-to-root](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#privilegeesc-runtime-elevation-to-root) | TTPs/Privilege Escalation/PrivilegeEscalation:Runtime-ElevationToRoot |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#privilegeesc-runtime-runccontainerescape](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#privilegeesc-runtime-runccontainerescape) | TTPs/Privilege Escalation/PrivilegeEscalation:Runtime-RuncContainerEscape |
| [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#privilege-escalation-runtime-suspicious-command](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#privilege-escalation-runtime-suspicious-command) | Software and Configuration Checks/PrivilegeEscalation:Runtime-SuspiciousCommand |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#privilegeesc-runtime-userfaultfdusage](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#privilegeesc-runtime-userfaultfdusage) | TTPs/Privilege Escalation/PrivilegeEscalation:Runtime-UserfaultfdUsage |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portprobeemrunprotectedport](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portprobeemrunprotectedport) | TTPs/Discovery/Recon:EC2-PortProbeEMRUnprotectedPort |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portprobeunprotectedport](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portprobeunprotectedport) | TTPs/Discovery/Recon:EC2-PortProbeUnprotectedPort |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan) | TTPs/Discovery/Recon:EC2-Portscan |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#recon-iam-maliciousipcaller](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#recon-iam-maliciousipcaller) | TTPs/Discovery/Recon:IAMUser-MaliciousIPCaller |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#recon-iam-maliciousipcallercustom](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#recon-iam-maliciousipcallercustom) | TTPs/Discovery/Recon:IAMUser-MaliciousIPCaller.Custom |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#recon-iam-networkpermissions](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#recon-iam-networkpermissions) | TTPs/Discovery/Recon:IAMUser-NetworkPermissions |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#recon-iam-resourcepermissions](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#recon-iam-resourcepermissions) | TTPs/Discovery/Recon:IAMUser-ResourcePermissions |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#recon-iam-toripcaller](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#recon-iam-toripcaller) | TTPs/Discovery/Recon:IAMUser-TorIPCaller |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#recon-iam-userpermissions](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#recon-iam-userpermissions) | TTPs/Discovery/Recon:IAMUser-UserPermissions |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#resourceconsumption-iam-computeresources](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#resourceconsumption-iam-computeresources) | Unusual Behaviors/User/ResourceConsumption:IAMUser-ComputeResources |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#stealth-iam-cloudtrailloggingdisabled](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#stealth-iam-cloudtrailloggingdisabled) | TTPs/Defense Evasion/Stealth:IAMUser-CloudTrailLoggingDisabled |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#stealth-iam-loggingconfigurationmodified](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#stealth-iam-loggingconfigurationmodified) | TTPs/Defense Evasion/Stealth:IAMUser-LoggingConfigurationModified |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#stealth-iam-passwordpolicychange](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#stealth-iam-passwordpolicychange) | TTPs/Defense Evasion/Stealth:IAMUser-PasswordPolicyChange |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#stealth-s3-serveraccessloggingdisabled](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#stealth-s3-serveraccessloggingdisabled) | TTPs/Defense Evasion/Stealth:S3-ServerAccessLoggingDisabled |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-blackholetraffic](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-blackholetraffic) | TTPs/Command and Control/Trojan:EC2-BlackholeTraffic |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-blackholetrafficdns](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-blackholetrafficdns) | TTPs/Command and Control/Trojan:EC2-BlackholeTraffic\$1DNS |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-dgadomainrequestb](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-dgadomainrequestb) | TTPs/Command and Control/Trojan:EC2-DGADomainRequest.B |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-dgadomainrequestcdns](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-dgadomainrequestcdns) | TTPs/Command and Control/Trojan:EC2-DGADomainRequest.C\$1DNS |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-dnsdataexfiltration](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-dnsdataexfiltration) | TTPs/Command and Control/Trojan:EC2-DNSDataExfiltration |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-drivebysourcetrafficdns](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-drivebysourcetrafficdns) | TTPs/Initial Access/Trojan:EC2-DriveBySourceTraffic\$1DNS |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-droppoint](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-droppoint) | Effects/Data Exfiltration/Trojan:EC2-DropPoint |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-droppointdns](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-droppointdns) | Effects/Data Exfiltration/Trojan:EC2-DropPoint\$1DNS |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-phishingdomainrequestdns](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-phishingdomainrequestdns) | TTPs/Command and Control/Trojan:EC2-PhishingDomainRequest\$1DNS |
| [https://docs.aws.amazon.com/guardduty/latest/ug/lambda-protection-finding-types.html#trojan-lambda-blackhole-traffic](https://docs.aws.amazon.com/guardduty/latest/ug/lambda-protection-finding-types.html#trojan-lambda-blackhole-traffic) | TTPs/Command and Control/Trojan:Lambda-BlackholeTraffic |
| [https://docs.aws.amazon.com/guardduty/latest/ug/lambda-protection-finding-types.html#trojan-lambda-drop-point](https://docs.aws.amazon.com/guardduty/latest/ug/lambda-protection-finding-types.html#trojan-lambda-drop-point) | Effects/Data Exfiltration/Trojan:Lambda-DropPoint |
| [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#trojan-runtime-blackholetraffic](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#trojan-runtime-blackholetraffic) | TTPs/Command and Control/Trojan:Runtime-BlackholeTraffic |
| [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#trojan-runtime-blackholetrafficdns](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#trojan-runtime-blackholetrafficdns) | TTPs/Command and Control/Trojan:Runtime-BlackholeTraffic\$1DNS |
| [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#trojan-runtime-dgadomainrequestcdns](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#trojan-runtime-dgadomainrequestcdns) | TTPs/Command and Control/Trojan:Runtime-DGADomainRequest.C\$1DNS |
| [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#trojan-runtime-drivebysourcetrafficdns](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#trojan-runtime-drivebysourcetrafficdns) | TTPs/Initial Access/Trojan:Runtime-DriveBySourceTraffic\$1DNS |
| [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#trojan-runtime-droppoint](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#trojan-runtime-droppoint) | Effects/Data Exfiltration/Trojan:Runtime-DropPoint |
| [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#trojan-runtime-droppointdns](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#trojan-runtime-droppointdns) | Effects/Data Exfiltration/Trojan:Runtime-DropPoint\$1DNS |
| [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#trojan-runtime-phishingdomainrequestdns](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#trojan-runtime-phishingdomainrequestdns) | TTPs/Command and Control/Trojan:Runtime-PhishingDomainRequest\$1DNS |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#unauthorizedaccess-ec2-maliciousipcallercustom](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#unauthorizedaccess-ec2-maliciousipcallercustom) | TTPs/Command and Control/UnauthorizedAccess:EC2-MaliciousIPCaller.Custom |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#unauthorizedaccess-ec2-metadatadnsrebind](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#unauthorizedaccess-ec2-metadatadnsrebind) | TTPs/UnauthorizedAccess:EC2-MetadataDNSRebind |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#unauthorizedaccess-ec2-rdpbruteforce](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#unauthorizedaccess-ec2-rdpbruteforce) | TTPs/Initial Access/UnauthorizedAccess:EC2-RDPBruteForce |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#unauthorizedaccess-ec2-sshbruteforce](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#unauthorizedaccess-ec2-sshbruteforce) | TTPs/Initial Access/UnauthorizedAccess:EC2-SSHBruteForce |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#unauthorizedaccess-ec2-torclient](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#unauthorizedaccess-ec2-torclient) | Effects/Resource Consumption/UnauthorizedAccess:EC2-TorClient |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#unauthorizedaccess-ec2-torrelay](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#unauthorizedaccess-ec2-torrelay) | Effects/Resource Consumption/UnauthorizedAccess:EC2-TorRelay |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#unauthorizedaccess-iam-consolelogin](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#unauthorizedaccess-iam-consolelogin) | Unusual Behaviors/User/UnauthorizedAccess:IAMUser-ConsoleLogin |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-consoleloginsuccessb](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-consoleloginsuccessb) | TTPs/UnauthorizedAccess:IAMUser-ConsoleLoginSuccess.B |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-instancecredentialexfiltrationinsideaws](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-instancecredentialexfiltrationinsideaws) | Effects/Data Exfiltration/UnauthorizedAccess:IAMUser-InstanceCredentialExfiltration.InsideAWS |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-instancecredentialexfiltrationoutsideaws](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-instancecredentialexfiltrationoutsideaws) | Effects/Data Exfiltration/UnauthorizedAccess:IAMUser-InstanceCredentialExfiltration.OutsideAWS |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-maliciousipcaller](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-maliciousipcaller) | TTPs/UnauthorizedAccess:IAMUser-MaliciousIPCaller |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-maliciousipcallercustom](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-maliciousipcallercustom) | TTPs/UnauthorizedAccess:IAMUser-MaliciousIPCaller.Custom |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-resourcecredentialexfiltrationoutsideaws](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-resourcecredentialexfiltrationoutsideaws) | Effects/Data Exfiltration/UnauthorizedAccess:IAMUser-ResourceCredentialExfiltration.OutsideAWS |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-toripcaller](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-toripcaller) | TTPs/Command and Control/UnauthorizedAccess:IAMUser-TorIPCaller |
| [https://docs.aws.amazon.com/guardduty/latest/ug/lambda-protection-finding-types.html#unauthorized-access-lambda-maliciousIPcaller-custom](https://docs.aws.amazon.com/guardduty/latest/ug/lambda-protection-finding-types.html#unauthorized-access-lambda-maliciousIPcaller-custom) | TTPs/Command and Control/UnauthorizedAccess:Lambda-MaliciousIPCaller.Custom |
| [https://docs.aws.amazon.com/guardduty/latest/ug/lambda-protection-finding-types.html#unauthorized-access-lambda-tor-client](https://docs.aws.amazon.com/guardduty/latest/ug/lambda-protection-finding-types.html#unauthorized-access-lambda-tor-client) | Effects/Resource Consumption/UnauthorizedAccess:Lambda-TorClient |
| [https://docs.aws.amazon.com/guardduty/latest/ug/lambda-protection-finding-types.html#unauthorized-access-lambda-tor-relay](https://docs.aws.amazon.com/guardduty/latest/ug/lambda-protection-finding-types.html#unauthorized-access-lambda-tor-relay) | Effects/Resource Consumption/UnauthorizedAccess:Lambda-TorRelay |
| [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#unauthorizedaccess-runtime-metadatadnsrebind](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#unauthorizedaccess-runtime-metadatadnsrebind) | TTPs/UnauthorizedAccess:Runtime-MetadataDNSRebind |
| [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#unauthorizedaccess-runtime-torrelay](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#unauthorizedaccess-runtime-torrelay) | Effects/Resource Consumption/UnauthorizedAccess:Runtime-TorRelay |
| [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#unauthorizedaccess-runtime-torclient](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#unauthorizedaccess-runtime-torclient) | Effects/Resource Consumption/UnauthorizedAccess:Runtime-TorClient |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#unauthorizedaccess-s3-maliciousipcallercustom](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#unauthorizedaccess-s3-maliciousipcallercustom) | TTPs/UnauthorizedAccess:S3-MaliciousIPCaller.Custom |
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#unauthorizedaccess-s3-toripcaller](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#unauthorizedaccess-s3-toripcaller) | TTPs/UnauthorizedAccess:S3-TorIPCaller |
### GuardDuty からの一般的な検出結果
GuardDuty は、Security [AWS Finding 形式 (ASFF)](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html) を使用して Security Hub CSPM に結果を送信します。
次に、GuardDuty からの一般的な検出結果の例を示します。
```
{
"SchemaVersion": "2018-10-08",
"Id": "arn:aws:guardduty:us-east-1:193043430472:detector/d4b040365221be2b54a6264dc9a4bc64/finding/46ba0ac2845071e23ccdeb2ae03bfdea",
"ProductArn": "arn:aws:securityhub:us-east-1:product/aws/guardduty",
"GeneratorId": "arn:aws:guardduty:us-east-1:193043430472:detector/d4b040365221be2b54a6264dc9a4bc64",
"AwsAccountId": "193043430472",
"Types": [
"TTPs/Initial Access/UnauthorizedAccess:EC2-SSHBruteForce"
],
"FirstObservedAt": "2020-08-22T09:15:57Z",
"LastObservedAt": "2020-09-30T11:56:49Z",
"CreatedAt": "2020-08-22T09:34:34.146Z",
"UpdatedAt": "2020-09-30T12:14:00.206Z",
"Severity": {
"Product": 2,
"Label": "MEDIUM",
"Normalized": 40
},
"Title": "199.241.229.197 is performing SSH brute force attacks against i-0c10c2c7863d1a356.",
"Description": "199.241.229.197 is performing SSH brute force attacks against i-0c10c2c7863d1a356. Brute force attacks are used to gain unauthorized access to your instance by guessing the SSH password.",
"SourceUrl": "https://us-east-1.console.aws.amazon.com/guardduty/home?region=us-east-1#/findings?macros=current&fId=46ba0ac2845071e23ccdeb2ae03bfdea",
"ProductFields": {
"aws/guardduty/service/action/networkConnectionAction/remotePortDetails/portName": "Unknown",
"aws/guardduty/service/archived": "false",
"aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/organization/asnOrg": "CENTURYLINK-US-LEGACY-QWEST",
"aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/geoLocation/lat": "42.5122",
"aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/ipAddressV4": "199.241.229.197",
"aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/geoLocation/lon": "-90.7384",
"aws/guardduty/service/action/networkConnectionAction/blocked": "false",
"aws/guardduty/service/action/networkConnectionAction/remotePortDetails/port": "46717",
"aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/country/countryName": "United States",
"aws/guardduty/service/serviceName": "guardduty",
"aws/guardduty/service/evidence": "",
"aws/guardduty/service/action/networkConnectionAction/localIpDetails/ipAddressV4": "172.31.43.6",
"aws/guardduty/service/detectorId": "d4b040365221be2b54a6264dc9a4bc64",
"aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/organization/org": "CenturyLink",
"aws/guardduty/service/action/networkConnectionAction/connectionDirection": "INBOUND",
"aws/guardduty/service/eventFirstSeen": "2020-08-22T09:15:57Z",
"aws/guardduty/service/eventLastSeen": "2020-09-30T11:56:49Z",
"aws/guardduty/service/action/networkConnectionAction/localPortDetails/portName": "SSH",
"aws/guardduty/service/action/actionType": "NETWORK_CONNECTION",
"aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/city/cityName": "Dubuque",
"aws/guardduty/service/additionalInfo": "",
"aws/guardduty/service/resourceRole": "TARGET",
"aws/guardduty/service/action/networkConnectionAction/localPortDetails/port": "22",
"aws/guardduty/service/action/networkConnectionAction/protocol": "TCP",
"aws/guardduty/service/count": "74",
"aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/organization/asn": "209",
"aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/organization/isp": "CenturyLink",
"aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/guardduty/arn:aws:guardduty:us-east-1:193043430472:detector/d4b040365221be2b54a6264dc9a4bc64/finding/46ba0ac2845071e23ccdeb2ae03bfdea",
"aws/securityhub/ProductName": "GuardDuty",
"aws/securityhub/CompanyName": "Amazon"
},
"Resources": [
{
"Type": "AwsEc2Instance",
"Id": "arn:aws:ec2:us-east-1:193043430472:instance/i-0c10c2c7863d1a356",
"Partition": "aws",
"Region": "us-east-1",
"Tags": {
"Name": "kubectl"
},
"Details": {
"AwsEc2Instance": {
"Type": "t2.micro",
"ImageId": "ami-02354e95b39ca8dec",
"IpV4Addresses": [
"18.234.130.16",
"172.31.43.6"
],
"VpcId": "vpc-a0c2d7c7",
"SubnetId": "subnet-4975b475",
"LaunchedAt": "2020-08-03T23:21:57Z"
}
}
}
],
"WorkflowState": "NEW",
"Workflow": {
"Status": "NEW"
},
"RecordState": "ACTIVE"
}
```
## 統合の有効化と構成
との統合を使用するには AWS Security Hub CSPM、Security Hub CSPM を有効にする必要があります。Security Hub CSPM を有効にする方法については、「*AWS Security Hub ユーザーガイド*」の「[Setting up Security Hub](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-settingup.html)」(Security Hub の設定) を参照してください。
GuardDuty と Security Hub CSPM の両方を有効にすると、統合は自動的に有効になります。GuardDuty は、直ちに検出結果を Security Hub CSPM に送信し始めます。
## Security Hub CSPM での GuardDuty コントロールの使用
AWS Security Hub CSPM はセキュリティコントロールを使用して AWS リソースを評価し、セキュリティ業界標準とベストプラクティスに照らしてコンプライアンスをチェックします。GuardDuty リソースおよび選択されている保護プランに関連するコントロールを使用できます。詳細については、「*AWS Security Hub ユーザーガイド*」の「[Amazon GuardDuty のコントロール](https://docs.aws.amazon.com/securityhub/latest/userguide/guardduty-controls.html)」を参照してください。
AWS サービスおよびリソース全体のすべてのコントロールのリストについては、「 *AWS Security Hub ユーザーガイド*」の[「Security Hub CSPM コントロールリファレンス](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-controls-reference.html)」を参照してください。
## 検出結果の Security Hub CSPM への公開の停止
Security Hub CSPM への結果の送信を停止するには、Security Hub CSPM コンソールまたは API を使用できます。
*AWS Security Hub ユーザーガイド*の[「統合からの検出結果フローの無効化と有効化 (コンソール)](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-integrations-managing.html#securityhub-integration-findings-flow-console)」または[「統合からの検出結果フローの無効化 (Security Hub API、 AWS CLI)](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-integrations-managing.html#securityhub-integration-findings-flow-disable-api)」を参照してください。
# Amazon Detective との統合
[Amazon Detective](https://docs.aws.amazon.com/detective/latest/userguide/what-is-detective.html) は、リソースが時間の経過とともにどのように動作し、やり取りするかを表すデータ視覚化を生成することで、1 つ以上の AWS アカウントのセキュリティイベントを迅速に分析および調査するのに役立ちます。Detective は、GuardDuty の検出結果の可視化を作成します。
Detective は、すべての検出結果タイプの検出結果の詳細を取り込み、検出結果に関連するさまざまなエンティティを調査するためにエンティティプロファイルへのアクセスを提供します。エンティティは AWS アカウント、、 アカウント内の AWS リソース、または リソースとやり取りした外部 IP アドレスです。GuardDuty コンソールは、検出結果のタイプ、IAM ロール、ユーザー、またはロールセッション AWS アカウント、ユーザーエージェント、フェデレーティッドユーザー、Amazon EC2 インスタンス、または IP アドレスに応じて、次のエンティティから Amazon Detective へのピボットをサポートします。
**Contents**
+ [統合の有効化](#detective-integration-enable)
+ [GuardDuty の検出結果から Amazon Detective へのピボット](#pivot-to-detective)
+ [GuardDuty マルチアカウント環境との統合を使用します。](#detective-integration-multiaccount)
## 統合の有効化
GuardDuty で Amazon Detective を使用するには、まず Amazon Detective を有効にする必要があります。Detective を有効にする方法については、「*Amazon Detective ユーザーガイド*」の「[Amazon Detective の開始方法](https://docs.aws.amazon.com/detective/latest/userguide/detective-setup.html)」を参照してください。
GuardDuty と Detective の両方を有効にすると、統合は自動的に有効になります。有効にすると、Detective はすぐに GuardDuty の検出結果データを取り込みます。
**注記**
GuardDuty は、GuardDuty の検出結果エクスポート頻度に基づいて Detective に検出結果を送信します。デフォルトで、既存の検出結果の更新用のエクスポート頻度は 6 時間です。Detective が最新の更新検出結果を受信できるように、GuardDuty で Detective を使用する各リージョンで、エクスポート頻度を 15 分に変更することをお勧めします。詳細については、「[ステップ 5 – 更新されたアクティブな検出結果をエクスポートする頻度を設定する](guardduty_exportfindings.md#guardduty_exportfindings-frequency)」を参照してください。
## GuardDuty の検出結果から Amazon Detective へのピボット
1. [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/) コンソールにログインします。
1. 検出結果テーブルから 1 つの検出結果を選択します。
1. 検出結果詳細ペインで、**[Investigate with Detective]** (Detective で調査する) を選択します。
1. Amazon Detective で検出結果のアスペクトを選択します。これにより、その検出結果またはエンティティの Detective コンソールが開きます。
ピボットが正常に動作しない場合は、「*Amazon Detective ユーザーガイド*」の「[ピボットのトラブルシューティング](https://docs.aws.amazon.com/detective/latest/userguide/profile-pivot-from-service.html#profile-pivot-troubleshooting)」を参照してください。
**注記**
Detective コンソールで GuardDuty の検出結果をアーカイブすると、その検出結果は GuardDuty コンソールでもアーカイブされます。
## GuardDuty マルチアカウント環境との統合を使用します。
GuardDuty でマルチアカウント環境を管理している場合、アカウントの検出結果とエンティティの Detective データ可視化を表示するために、メンバーアカウントを Amazon Detective に追加する必要があります。
Detective の管理者アカウントと同じ GuardDuty 管理者アカウントを使用することをお勧めします。Detective でメンバーアカウントを追加する方法の詳細については、「*Amazon Detective ユーザーガイド*」の「[アカウントの管理](https://docs.aws.amazon.com/detective/latest/userguide/accounts.html)」を参照してください。
**注記**
Detective はリージョンレベルのサービスなので、Detective を有効にして、統合を使用したいリージョンごとにメンバーアカウントを追加する必要があります。