


# Integrating AWS security services with GuardDuty
<a name="guardduty_integrations"></a>

GuardDuty can be integrated with other AWS security services. These services ingest data from GuardDuty so that you can view findings in new ways. Review the following integration options to learn how each service is set up to work with GuardDuty.

## Integrating GuardDuty with AWS Security Hub CSPM
<a name="gd-securityhub"></a>

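AWS Security Hub CSPM collects security data from across your AWS accounts, services, and supported third-party partner products to assess the security state of your environment against industry standards and best practices. In addition to evaluating your security posture, Security Hub CSPM creates a central location where you can view findings from all of your integrated AWS services and AWS partner products. Enabling Security Hub CSPM with GuardDuty automatically allows Security Hub CSPM to ingest GuardDuty findings data.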

For more information about using Security Hub CSPM with GuardDuty, see [Integrating with AWS Security Hub CSPM](securityhub-integration.md).

## Integrating GuardDuty with Amazon Detective
<a name="gd-detective"></a>

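Amazon Detective uses log data from across your AWS accounts to create data visualizations for the resources and IP addresses that interact with your environment. Detective visualizations help you investigate security issues quickly and easily. Once both services are enabled, you can pivot from GuardDuty finding details to information in the Detective console.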

For more information about using Detective with GuardDuty, see [Integrating with Amazon Detective](detective-integration.md).

# Integrating with AWS Security Hub CSPM
<a name="securityhub-integration"></a>

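[AWS Security Hub CSPM](https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html) provides a comprehensive view of your security state in AWS and helps you check your environment against security industry standards and best practices. Security Hub CSPM collects security data from across AWS accounts, services, and supported third-party partner products, and helps you analyze security trends and identify the highest-priority security issues.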

The Amazon GuardDuty integration with Security Hub CSPM lets you send findings from GuardDuty to Security Hub CSPM. Security Hub CSPM can then include those findings in its analysis of your security posture.

**Contents**
+ [How Amazon GuardDuty sends findings to AWS Security Hub CSPM](#securityhub-integration-sending-findings)
  + [Types of findings that GuardDuty sends to Security Hub CSPM](#securityhub-integration-finding-types)
    + [Latency for sending new findings](#securityhub-integration-finding-latency)
    + [Retrying when Security Hub CSPM is not available](#securityhub-integration-retry-send)
    + [Updating existing findings in Security Hub CSPM](#securityhub-integration-finding-updates)
+ [Viewing GuardDuty findings in AWS Security Hub CSPM](#findings-in-securityhub)
  + [Interpreting GuardDuty finding names in AWS Security Hub CSPM](#interpreting-findings-in-securityhub)
  + [Typical finding from GuardDuty](#securityhub-integration-finding-example)
+ [Enabling and configuring the integration](#securityhub-integration-enable)
+ [Using GuardDuty controls in Security Hub CSPM](#securityhub-integration-using-guardduty-controls)
+ [Stopping the publication of findings to Security Hub CSPM](#securityhub-integration-disable)

## How Amazon GuardDuty sends findings to AWS Security Hub CSPM
<a name="securityhub-integration-sending-findings"></a>

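In AWS Security Hub CSPM, security issues are tracked as findings. Some findings come from issues detected by other AWS services or by third-party partners. Security Hub CSPM also has its own set of rules that it uses to detect security issues and generate findings.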

Security Hub CSPM provides tools to manage findings from across all of these sources. You can view and filter lists of findings and view the details of a given finding. For more information, see [Viewing findings](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-viewing.html) in the *AWS Security Hub User Guide*. You can also track the status of an investigation into a given finding. For more information, see [Taking action on findings](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-taking-action.html) in the *AWS Security Hub User Guide*.

All findings in Security Hub CSPM use a standard JSON format called the AWS Security Finding Format (ASFF). The ASFF includes details about the source of the issue, the affected resources, and the current status of the finding. See [AWS Security Finding Format (ASFF)](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html) in the *AWS Security Hub User Guide*.

Amazon GuardDuty is one of the AWS services that sends findings to Security Hub CSPM.

### Types of findings that GuardDuty sends to Security Hub CSPM
<a name="securityhub-integration-finding-types"></a>

When you enable GuardDuty and Security Hub CSPM in the same account within the same AWS Region, GuardDuty starts sending all generated findings to Security Hub CSPM. These findings are sent to Security Hub CSPM using the [AWS Security Finding Format (ASFF)](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html). In ASFF, the `Types` field provides the finding type.

#### Latency for sending new findings
<a name="securityhub-integration-finding-latency"></a>

When GuardDuty creates a new finding, it is usually sent to Security Hub CSPM within 5 minutes.

#### Retrying when Security Hub CSPM is not available
<a name="securityhub-integration-retry-send"></a>

If Security Hub CSPM is not available, GuardDuty retries sending the findings until they are received.

#### Updating existing findings in Security Hub CSPM
<a name="securityhub-integration-finding-updates"></a>

After a finding is sent to Security Hub CSPM, GuardDuty sends updates to Security Hub CSPM to reflect additional observations of the finding activity. New observations of these findings are sent to Security Hub CSPM according to the [Step 5 - Frequency for exporting findings](guardduty_exportfindings.md#guardduty_exportfindings-frequency) setting in your AWS account.

When you archive or unarchive a finding, GuardDuty does not send that finding to Security Hub CSPM. Manually unarchived findings that later become active in GuardDuty are not sent to Security Hub CSPM.

## Viewing GuardDuty findings in AWS Security Hub CSPM
<a name="findings-in-securityhub"></a>

Sign in to the AWS Management Console and open the AWS Security Hub CSPM console at [https://console.aws.amazon.com/securityhub/](https://console.aws.amazon.com/securityhub/).

You can now use either of the following methods to view GuardDuty findings in the Security Hub CSPM console.

**Option 1: Using *Integrations* in Security Hub CSPM**  

1. In the left navigation pane, choose **Integrations**.

1. On the **Integrations** page, check the **Status** of **Amazon: GuardDuty**.
   + If the **Status** is **Accepting findings**, choose **See findings** next to **Accepting findings**.
   + If not, see [Security Hub CSPM integrations](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-providers.html) in the *AWS Security Hub User Guide* for more information about how **Integrations** work.

**Option 2: Using *Findings* in Security Hub CSPM**  

1. In the left navigation pane, choose **Findings**.

1. On the **Findings** page, add the filter **Product name** and enter **GuardDuty** to view only GuardDuty findings.

### Interpreting GuardDuty finding names in AWS Security Hub CSPM
<a name="interpreting-findings-in-securityhub"></a>

GuardDuty sends findings to Security Hub CSPM using the [AWS Security Finding Format (ASFF)](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html). In ASFF, the `Types` field provides the finding type. ASFF types use a different naming scheme than GuardDuty types. The table below lists every GuardDuty finding type with its ASFF counterpart as it appears in Security Hub CSPM.

**Note**  
For some GuardDuty finding types, Security Hub CSPM assigns different ASFF finding names depending on whether the **Resource role** in the finding details is **ACTOR** or **TARGET**. For more information, see [Finding details](guardduty_findings-summary.md).


|  GuardDuty finding type  |  ASFF finding type  | 
| --- | --- | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-attack-sequence-finding-types.html#attack-sequence-iam-compromised-credentials](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-attack-sequence-finding-types.html#attack-sequence-iam-compromised-credentials)  |  TTPs/AttackSequence:IAM/CompromisedCredentials   | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-attack-sequence-finding-types.html#attack-sequence-s3-compromised-data](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-attack-sequence-finding-types.html#attack-sequence-s3-compromised-data)  |  TTPs/AttackSequence:S3/CompromisedData   | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#backdoor-ec2-ccactivityb](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#backdoor-ec2-ccactivityb)  |  TTPs/Command and Control/Backdoor:EC2-C&CActivity.B  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#backdoor-ec2-ccactivitybdns](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#backdoor-ec2-ccactivitybdns)  |  TTPs/Command and Control/Backdoor:EC2-C&CActivity.B!DNS  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#backdoor-ec2-denialofservicedns](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#backdoor-ec2-denialofservicedns)  |  TTPs/Command and Control/Backdoor:EC2-DenialOfService.Dns  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#backdoor-ec2-denialofservicetcp](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#backdoor-ec2-denialofservicetcp)  |  TTPs/Command and Control/Backdoor:EC2-DenialOfService.Tcp  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#backdoor-ec2-denialofserviceudp](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#backdoor-ec2-denialofserviceudp)  |  TTPs/Command and Control/Backdoor:EC2-DenialOfService.Udp  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#backdoor-ec2-denialofserviceudpontcpports](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#backdoor-ec2-denialofserviceudpontcpports)  |  TTPs/Command and Control/Backdoor:EC2-DenialOfService.UdpOnTcpPorts  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#backdoor-ec2-denialofserviceunusualprotocol](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#backdoor-ec2-denialofserviceunusualprotocol)  |  TTPs/Command and Control/Backdoor:EC2-DenialOfService.UnusualProtocol  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#backdoor-ec2-spambot](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#backdoor-ec2-spambot)  |  TTPs/Command and Control/Backdoor:EC2-Spambot  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#behavior-ec2-networkportunusual](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#behavior-ec2-networkportunusual)  |  Unusual Behaviors/VM/Behavior:EC2-NetworkPortUnusual  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#behavior-ec2-trafficvolumeunusual](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#behavior-ec2-trafficvolumeunusual)  |  Unusual Behaviors/VM/Behavior:EC2-TrafficVolumeUnusual  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/lambda-protection-finding-types.html#backdoor-lambda-ccactivity-b](https://docs.aws.amazon.com/guardduty/latest/ug/lambda-protection-finding-types.html#backdoor-lambda-ccactivity-b)  |  TTPs/Command and Control/Backdoor:Lambda-C&CActivity.B  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#backdoor-runtime-ccactivityb](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#backdoor-runtime-ccactivityb)  |  TTPs/Command and Control/Backdoor:Runtime-C&CActivity.B  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#backdoor-runtime-ccactivitybdns](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#backdoor-runtime-ccactivitybdns)  |  TTPs/Command and Control/Backdoor:Runtime-C&CActivity.B!DNS  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#credentialaccess-iam-anomalousbehavior](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#credentialaccess-iam-anomalousbehavior)  |  TTPs/Credential Access/IAMUser-AnomalousBehavior  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#credaccess-kubernetes-anomalousbehavior-secretsaccessed](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#credaccess-kubernetes-anomalousbehavior-secretsaccessed)  |  TTPs/AnomalousBehavior/CredentialAccess:Kubernetes-SecretsAccessed  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#credentialaccess-kubernetes-maliciousipcaller](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#credentialaccess-kubernetes-maliciousipcaller)  |  TTPs/CredentialAccess/CredentialAccess:Kubernetes-MaliciousIPCaller  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#credentialaccess-kubernetes-maliciousipcallercustom](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#credentialaccess-kubernetes-maliciousipcallercustom)  |  TTPs/CredentialAccess/CredentialAccess:Kubernetes-MaliciousIPCaller.Custom  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#credentialaccess-kubernetes-successfulanonymousaccess](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#credentialaccess-kubernetes-successfulanonymousaccess)  |  TTPs/CredentialAccess/CredentialAccess:Kubernetes-SuccessfulAnonymousAccess  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#credentialaccess-kubernetes-toripcaller](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#credentialaccess-kubernetes-toripcaller)  |  TTPs/CredentialAccess/CredentialAccess:Kubernetes-TorIPCaller  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/findings-rds-protection.html#credaccess-rds-anombehavior-failedlogin](https://docs.aws.amazon.com/guardduty/latest/ug/findings-rds-protection.html#credaccess-rds-anombehavior-failedlogin)  |  TTPs/Credential Access/CredentialAccess:RDS-AnomalousBehavior.FailedLogin  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/findings-rds-protection.html#credaccess-rds-anombehavior-successfulbruteforce](https://docs.aws.amazon.com/guardduty/latest/ug/findings-rds-protection.html#credaccess-rds-anombehavior-successfulbruteforce)  |  TTPs/Credential Access/CredentialAccess:RDS-AnomalousBehavior.SuccessfulBruteForce  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/findings-rds-protection.html#credaccess-rds-anombehavior-successlogin](https://docs.aws.amazon.com/guardduty/latest/ug/findings-rds-protection.html#credaccess-rds-anombehavior-successlogin)  |  TTPs/Credential Access/CredentialAccess:RDS-AnomalousBehavior.SuccessfulLogin  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/findings-rds-protection.html#credaccess-rds-maliciousipcaller-failedlogin](https://docs.aws.amazon.com/guardduty/latest/ug/findings-rds-protection.html#credaccess-rds-maliciousipcaller-failedlogin)  |  TTPs/Credential Access/CredentialAccess:RDS-MaliciousIPCaller.FailedLogin  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/findings-rds-protection.html#credaccess-rds-maliciousipcaller-successfullogin](https://docs.aws.amazon.com/guardduty/latest/ug/findings-rds-protection.html#credaccess-rds-maliciousipcaller-successfullogin)  |  TTPs/Credential Access/CredentialAccess:RDS-MaliciousIPCaller.SuccessfulLogin  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/findings-rds-protection.html#credaccess-rds-toripcaller-failedlogin](https://docs.aws.amazon.com/guardduty/latest/ug/findings-rds-protection.html#credaccess-rds-toripcaller-failedlogin)  |  TTPs/Credential Access/CredentialAccess:RDS-TorIPCaller.FailedLogin  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/findings-rds-protection.html#credaccess-rds-toripcaller-successfullogin](https://docs.aws.amazon.com/guardduty/latest/ug/findings-rds-protection.html#credaccess-rds-toripcaller-successfullogin)  |  TTPs/Credential Access/CredentialAccess:RDS-TorIPCaller.SuccessfulLogin  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#cryptocurrency-ec2-bitcointoolb](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#cryptocurrency-ec2-bitcointoolb)  |  TTPs/Command and Control/CryptoCurrency:EC2-BitcoinTool.B  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#cryptocurrency-ec2-bitcointoolbdns](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#cryptocurrency-ec2-bitcointoolbdns)  |  TTPs/Command and Control/CryptoCurrency:EC2-BitcoinTool.B!DNS  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/lambda-protection-finding-types.html#cryptocurrency-lambda-bitcointool-b](https://docs.aws.amazon.com/guardduty/latest/ug/lambda-protection-finding-types.html#cryptocurrency-lambda-bitcointool-b)  |  TTPs/Command and Control/CryptoCurrency:Lambda-BitcoinTool.B<br>Effects/Resource Consumption/CryptoCurrency:Lambda-BitcoinTool.B  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#cryptocurrency-runtime-bitcointoolb](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#cryptocurrency-runtime-bitcointoolb)  |  TTPs/Command and Control/CryptoCurrency:Runtime-BitcoinTool.B  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#cryptocurrency-runtime-bitcointoolbdns](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#cryptocurrency-runtime-bitcointoolbdns)  |  TTPs/Command and Control/CryptoCurrency:Runtime-BitcoinTool.B!DNS  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#defenseevasion-ec2-unusualdnsresolver](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#defenseevasion-ec2-unusualdnsresolver)  |  TTPs/DefenseEvasion/EC2:Unusual-DNS-Resolver  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#defenseevasion-ec2-unsualdohactivity](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#defenseevasion-ec2-unsualdohactivity)  |  TTPs/DefenseEvasion/EC2:Unusual-DoH-Activity  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#defenseevasion-ec2-unusualdotactivity](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#defenseevasion-ec2-unusualdotactivity)  |  TTPs/DefenseEvasion/EC2:Unusual-DoT-Activity  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#defenseevasion-iam-anomalousbehavior](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#defenseevasion-iam-anomalousbehavior)  |  TTPs/Defense Evasion/IAMUser-AnomalousBehavior  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#defenseevasion-iam-bedrockloggingdisabled](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#defenseevasion-iam-bedrockloggingdisabled)  |  TTPs/Defense Evasion/DefenseEvasion:IAMUser-BedrockLoggingDisabled  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#defenseevasion-kubernetes-maliciousipcaller](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#defenseevasion-kubernetes-maliciousipcaller)  |  TTPs/DefenseEvasion/DefenseEvasion:Kubernetes-MaliciousIPCaller  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#defenseevasion-kubernetes-maliciousipcallercustom](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#defenseevasion-kubernetes-maliciousipcallercustom)  |  TTPs/DefenseEvasion/DefenseEvasion:Kubernetes-MaliciousIPCaller.Custom  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#defenseevasion-kubernetes-successfulanonymousaccess](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#defenseevasion-kubernetes-successfulanonymousaccess)  |  TTPs/DefenseEvasion/DefenseEvasion:Kubernetes-SuccessfulAnonymousAccess  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#defenseevasion-kubernetes-toripcaller](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#defenseevasion-kubernetes-toripcaller)  |  TTPs/DefenseEvasion/DefenseEvasion:Kubernetes-TorIPCaller  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#defenseeva-runtime-filelessexecution](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#defenseeva-runtime-filelessexecution)  |  TTPs/Defense Evasion/DefenseEvasion:Runtime-FilelessExecution  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#defenseevasion-runtime-kernelmoduleloaded](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#defenseevasion-runtime-kernelmoduleloaded)  |  TTPs/Defense Evasion/DefenseEvasion:Runtime-KernelModuleLoaded  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#defenseeva-runtime-processinjectionproc](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#defenseeva-runtime-processinjectionproc)  |  TTPs/Defense Evasion/DefenseEvasion:Runtime-ProcessInjection.Proc  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#defenseeva-runtime-processinjectionptrace](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#defenseeva-runtime-processinjectionptrace)  |  TTPs/Defense Evasion/DefenseEvasion:Runtime-ProcessInjection.Ptrace  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#defenseeva-runtime-processinjectionvirtualmemw](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#defenseeva-runtime-processinjectionvirtualmemw)  |  TTPs/Defense Evasion/DefenseEvasion:Runtime-ProcessInjection.VirtualMemoryWrite  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#defenseevasion-runtime-ptrace-anti-debug](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#defenseevasion-runtime-ptrace-anti-debug)  |  TTPs/DefenseEvasion/DefenseEvasion:Runtime-PtraceAntiDebugging  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#defenseevasion-runtime-suspicious-command](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#defenseevasion-runtime-suspicious-command)  |  TTPs/DefenseEvasion/DefenseEvasion:Runtime-SuspiciousCommand  | 
|  [Discovery:IAMUser/AnomalousBehavior](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#discovery-iam-anomalousbehavior)  |  TTPs/Discovery/IAMUser-AnomalousBehavior  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#discovery-kubernetes-anomalousbehavrior-permissionchecked](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#discovery-kubernetes-anomalousbehavrior-permissionchecked)  |  TTPs/AnomalousBehavior/Discovery:Kubernetes-PermissionChecked  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#discovery-kubernetes-maliciousipcaller](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#discovery-kubernetes-maliciousipcaller)  |  TTPs/Discovery/Discovery:Kubernetes-MaliciousIPCaller  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#discovery-kubernetes-maliciousipcallercustom](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#discovery-kubernetes-maliciousipcallercustom)  |  TTPs/Discovery/Discovery:Kubernetes-MaliciousIPCaller.Custom  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#discovery-kubernetes-successfulanonymousaccess](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#discovery-kubernetes-successfulanonymousaccess)  |  TTPs/Discovery/Discovery:Kubernetes-SuccessfulAnonymousAccess  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#discovery-kubernetes-toripcaller](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#discovery-kubernetes-toripcaller)  |  TTPs/Discovery/Discovery:Kubernetes-TorIPCaller  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/findings-rds-protection.html#discovery-rds-maliciousipcaller](https://docs.aws.amazon.com/guardduty/latest/ug/findings-rds-protection.html#discovery-rds-maliciousipcaller)  |  TTPs/Discovery/RDS-MaliciousIPCaller  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/findings-rds-protection.html#discovery-rds-toripcaller](https://docs.aws.amazon.com/guardduty/latest/ug/findings-rds-protection.html#discovery-rds-toripcaller)  |  TTPs/Discovery/RDS-TorIPCaller  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#discovery-runtime-suspicious-command](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#discovery-runtime-suspicious-command)  |  TTPs/Discovery/Discovery:Runtime-SuspiciousCommand  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#discovery-s3-anomalousbehavior](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#discovery-s3-anomalousbehavior)  |  TTPs/Discovery:S3-AnomalousBehavior  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#discovery-s3-bucketenumerationunusual](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#discovery-s3-bucketenumerationunusual)  |  TTPs/Discovery:S3-BucketEnumeration.Unusual  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#discovery-s3-maliciousipcallercustom.title](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#discovery-s3-maliciousipcallercustom.title)  |  TTPs/Discovery:S3-MaliciousIPCaller.Custom  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#discovery-s3-toripcaller](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#discovery-s3-toripcaller)  |  TTPs/Discovery:S3-TorIPCaller  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#discovery-s3-maliciousipcaller](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#discovery-s3-maliciousipcaller)  |  TTPs/Discovery:S3-MaliciousIPCaller  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#exfiltration-iam-anomalousbehavior](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#exfiltration-iam-anomalousbehavior)  |  TTPs/Exfiltration/IAMUser-AnomalousBehavior  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#execution-kubernetes-execinkubesystempod](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#execution-kubernetes-execinkubesystempod)  |  TTPs/Execution/Execution:Kubernetes-ExecInKubeSystemPod  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#execution-kubernetes-anomalousbehvaior-execinprod](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#execution-kubernetes-anomalousbehvaior-execinprod)  |  TTPs/AnomalousBehavior/Execution:Kubernetes-ExecInPod  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#exec-kubernetes-anomalousbehavior-workloaddeployed](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#exec-kubernetes-anomalousbehavior-workloaddeployed)  |  TTPs/AnomalousBehavior/Execution:Kubernetes-WorkloadDeployed  | 
|   [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#impact-ec2-maliciousdomainrequest-custom](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#impact-ec2-maliciousdomainrequest-custom)   |  TTPs/Impact/Impact:EC2-MaliciousDomainRequest.Custom  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#impact-kubernetes-maliciousipcaller](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#impact-kubernetes-maliciousipcaller)  |  TTPs/Impact/Impact:Kubernetes-MaliciousIPCaller  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#impact-kubernetes-maliciousipcallercustom](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#impact-kubernetes-maliciousipcallercustom)  |  TTPs/Impact/Impact:Kubernetes-MaliciousIPCaller.Custom  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#impact-kubernetes-successfulanonymousaccess](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#impact-kubernetes-successfulanonymousaccess)  |  TTPs/Impact/Impact:Kubernetes-SuccessfulAnonymousAccess  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#impact-kubernetes-toripcaller](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#impact-kubernetes-toripcaller)  |  TTPs/Impact/Impact:Kubernetes-TorIPCaller  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#persistence-kubernetes-containerwithsensitivemount](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#persistence-kubernetes-containerwithsensitivemount)  | TTPs/Persistence/Persistence:Kubernetes-ContainerWithSensitiveMount | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#privesc-kubernetes-anomalousbehavior-workloaddeployed-containerwithsensitivemount](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#privesc-kubernetes-anomalousbehavior-workloaddeployed-containerwithsensitivemount)  | TTPs/AnomalousBehavior/Persistence:Kubernetes-WorkloadDeployed!ContainerWithSensitiveMount | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#privesc-kubernetes-anomalousbehavior-workloaddeployed-privcontainer](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#privesc-kubernetes-anomalousbehavior-workloaddeployed-privcontainer)  |  TTPs/AnomalousBehavior/PrivilegeEscalation:Kubernetes-WorkloadDeployed!PrivilegedContainer  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#persistence-kubernetes-maliciousipcaller](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#persistence-kubernetes-maliciousipcaller)  |  TTPs/Persistence/Persistence:Kubernetes-MaliciousIPCaller  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#persistence-kubernetes-maliciousipcallercustom](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#persistence-kubernetes-maliciousipcallercustom)  |  TTPs/Persistence/Persistence:Kubernetes-MaliciousIPCaller.Custom  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#persistence-kubernetes-successfulanonymousaccess](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#persistence-kubernetes-successfulanonymousaccess)  |  TTPs/Persistence/Persistence:Kubernetes-SuccessfulAnonymousAccess  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#persistence-kubernetes-toripcaller](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#persistence-kubernetes-toripcaller)  |  TTPs/Persistence/Persistence:Kubernetes-TorIPCaller  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/findings-malware-protection.html#execution-malware-ec2-maliciousfile](https://docs.aws.amazon.com/guardduty/latest/ug/findings-malware-protection.html#execution-malware-ec2-maliciousfile)  |  TTPs/Execution/Execution:EC2-MaliciousFile  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/findings-malware-protection.html#execution-malware-ecs-maliciousfile](https://docs.aws.amazon.com/guardduty/latest/ug/findings-malware-protection.html#execution-malware-ecs-maliciousfile)  |  TTPs/Execution/Execution:ECS-MaliciousFile  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/findings-malware-protection.html#execution-malware-kubernetes-maliciousfile](https://docs.aws.amazon.com/guardduty/latest/ug/findings-malware-protection.html#execution-malware-kubernetes-maliciousfile)  |  TTPs/Execution/Execution:Kubernetes-MaliciousFile  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/findings-malware-protection.html#execution-malware-container-maliciousfile](https://docs.aws.amazon.com/guardduty/latest/ug/findings-malware-protection.html#execution-malware-container-maliciousfile)  |  TTPs/Execution/Execution:Container-MaliciousFile  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/findings-malware-protection.html#execution-malware-ec2-suspiciousfile](https://docs.aws.amazon.com/guardduty/latest/ug/findings-malware-protection.html#execution-malware-ec2-suspiciousfile)  |  TTPs/Execution/Execution:EC2-SuspiciousFile  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/findings-malware-protection.html#execution-malware-ecs-suspiciousfile](https://docs.aws.amazon.com/guardduty/latest/ug/findings-malware-protection.html#execution-malware-ecs-suspiciousfile)  |  TTPs/Execution/Execution:ECS-SuspiciousFile  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/findings-malware-protection.html#execution-malware-kubernetes-suspiciousfile](https://docs.aws.amazon.com/guardduty/latest/ug/findings-malware-protection.html#execution-malware-kubernetes-suspiciousfile)  |  TTPs/Execution/Execution:Kubernetes-SuspiciousFile  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/findings-malware-protection.html#execution-malware-container-suspiciousfile](https://docs.aws.amazon.com/guardduty/latest/ug/findings-malware-protection.html#execution-malware-container-suspiciousfile)  |  TTPs/Execution/Execution:Container-SuspiciousFile  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/findings-malware-protection-backup.html#execution-malware-ec2-maliciousfile-snapshot](https://docs.aws.amazon.com/guardduty/latest/ug/findings-malware-protection-backup.html#execution-malware-ec2-maliciousfile-snapshot)  |  TTPs/Execution/Execution:EC2-MaliciousFile!Snapshot  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/findings-malware-protection-backup.html#execution-malware-ec2-maliciousfile-ami](https://docs.aws.amazon.com/guardduty/latest/ug/findings-malware-protection-backup.html#execution-malware-ec2-maliciousfile-ami)  |  TTPs/Execution/Execution:EC2-MaliciousFile!AMI  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/findings-malware-protection-backup.html#execution-malware-ec2-maliciousfile-recoverypoint](https://docs.aws.amazon.com/guardduty/latest/ug/findings-malware-protection-backup.html#execution-malware-ec2-maliciousfile-recoverypoint)  |  TTPs/Execution/Execution:EC2-MaliciousFile!RecoveryPoint  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/findings-malware-protection-backup.html#execution-malware-s3-maliciousfile-recoverypoint](https://docs.aws.amazon.com/guardduty/latest/ug/findings-malware-protection-backup.html#execution-malware-s3-maliciousfile-recoverypoint)  |  TTPs/Execution/Execution:S3-MaliciousFile!RecoveryPoint  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/findings-malware-protection.html#execution-runtime-malicious-file-executed](https://docs.aws.amazon.com/guardduty/latest/ug/findings-malware-protection.html#execution-runtime-malicious-file-executed)  |  TTPs/Execution/Execution:Runtime-MaliciousFileExecuted  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#execution-runtime-newbinaryexecuted](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#execution-runtime-newbinaryexecuted)  |  TTPs/Execution/Execution:Runtime-NewBinaryExecuted  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#execution-runtime-newlibraryloaded](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#execution-runtime-newlibraryloaded)  |  TTPs/Execution/Execution:Runtime-NewLibraryLoaded  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#execution-runtime-reverseshell](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#execution-runtime-reverseshell)  |  TTPs/Execution/Execution:Runtime-ReverseShell  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#execution-runtime-suspiciouscommand](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#execution-runtime-suspiciouscommand)  |  TTPs/Execution/Execution:Runtime-SuspiciousCommand  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#execution-runtime-suspicious-shell-created](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#execution-runtime-suspicious-shell-created)  |  TTPs/Execution/Execution:Runtime-SuspiciousShellCreated  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#execution-runtime-suspicioustool](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#execution-runtime-suspicioustool)  |  TTPs/Execution/Execution:Runtime-SuspiciousTool  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#exfiltration-s3-anomalousbehavior](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#exfiltration-s3-anomalousbehavior)  |  TTPs/Exfiltration:S3-AnomalousBehavior  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#exfiltration-s3-objectreadunusual](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#exfiltration-s3-objectreadunusual)  |  TTPs/Exfiltration:S3-ObjectRead.Unusual  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#exfiltration-s3-maliciousipcaller](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#exfiltration-s3-maliciousipcaller)  |  TTPs/Exfiltration:S3-MaliciousIPCaller  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#impact-ec2-abuseddomainrequestreputation](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#impact-ec2-abuseddomainrequestreputation)  |  TTPs/Impact:EC2-AbusedDomainRequest.Reputation  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#impact-ec2-bitcoindomainrequestreputation](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#impact-ec2-bitcoindomainrequestreputation)  |  TTPs/Impact:EC2-BitcoinDomainRequest.Reputation  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#impact-ec2-maliciousdomainrequestreputation](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#impact-ec2-maliciousdomainrequestreputation)  |  TTPs/Impact:EC2-MaliciousDomainRequest.Reputation  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#impact-ec2-portsweep](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#impact-ec2-portsweep)  |  TTPs/Impact/Impact:EC2-PortSweep  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#impact-ec2-suspiciousdomainrequestreputation](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#impact-ec2-suspiciousdomainrequestreputation)  |  TTPs/Impact:EC2-SuspiciousDomainRequest.Reputation  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#impact-ec2-winrmbruteforce](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#impact-ec2-winrmbruteforce)  |  TTPs/Impact/Impact:EC2-WinRMBruteForce  | 
|  [Impact:IAMUser/AnomalousBehavior](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#impact-iam-anomalousbehavior)  |  TTPs/Impact/IAMUser-AnomalousBehavior  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#impact-runtime-abuseddomainrequestreputation](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#impact-runtime-abuseddomainrequestreputation)  |  TTPs/Impact/Impact:Runtime-AbusedDomainRequest.Reputation  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#impact-runtime-bitcoindomainrequestreputation](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#impact-runtime-bitcoindomainrequestreputation)  |  TTPs/Impact/Impact:Runtime-BitcoinDomainRequest.Reputation  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#impact-runtime-cryptominerexecuted](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#impact-runtime-cryptominerexecuted)  |  TTPs/Impact/Impact:Runtime-CryptoMinerExecuted  | 
| [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#impact-runtime-maliciousdomainrequestreputation](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#impact-runtime-maliciousdomainrequestreputation)  |  TTPs/Impact/Impact:Runtime-MaliciousDomainRequest.Reputation  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#impact-runtime-suspiciousdomainrequestreputation](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#impact-runtime-suspiciousdomainrequestreputation)  |  TTPs/Impact/Impact:Runtime-SuspiciousDomainRequest.Reputation  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#impact-s3-anomalousbehavior-delete](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#impact-s3-anomalousbehavior-delete)  |  TTPs/Impact:S3-AnomalousBehavior.Delete  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#impact-s3-anomalousbehavior-permission](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#impact-s3-anomalousbehavior-permission)  |  TTPs/Impact:S3-AnomalousBehavior.Permission  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#impact-s3-anomalousbehavior-write](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#impact-s3-anomalousbehavior-write)  |  TTPs/Impact:S3-AnomalousBehavior.Write  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#impact-s3-objectdeleteunusual](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#impact-s3-objectdeleteunusual)  |  TTPs/Impact:S3-ObjectDelete.Unusual  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#impact-s3-permissionsmodificationunusual](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#impact-s3-permissionsmodificationunusual)  |  TTPs/Impact:S3-PermissionsModification.Unusual  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#impact-s3-maliciousipcaller](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#impact-s3-maliciousipcaller)  |  TTPs/Impact:S3-MaliciousIPCaller  | 
|  [InitialAccess:IAMUser/AnomalousBehavior](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#initialaccess-iam-anomalousbehavior)  |  TTPs/Initial Access/IAMUser-AnomalousBehavior  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/gdu-malware-protection-s3-finding-types.html#s3-object-s3-malicious-file](https://docs.aws.amazon.com/guardduty/latest/ug/gdu-malware-protection-s3-finding-types.html#s3-object-s3-malicious-file)  |  TTPs/Object/Object:S3-MaliciousFile  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#pentest-iam-kalilinux](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#pentest-iam-kalilinux)  |  TTPs/PenTest:IAMUser/KaliLinux  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#pentest-iam-parrotlinux](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#pentest-iam-parrotlinux)  |  TTPs/PenTest:IAMUser/ParrotLinux  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#pentest-iam-pentoolinux](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#pentest-iam-pentoolinux)  |  TTPs/PenTest:IAMUser/PentooLinux  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#pentest-iam-kalilinux](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#pentest-iam-kalilinux)  |  TTPs/PenTest:S3-KaliLinux  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#pentest-s3-parrotlinux](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#pentest-s3-parrotlinux)  |  TTPs/PenTest:S3-ParrotLinux  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#pentest-s3-pentoolinux](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#pentest-s3-pentoolinux)  |  TTPs/PenTest:S3-PentooLinux  | 
|   [Persistence:IAMUser/AnomalousBehavior](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#persistence-iam-anomalousbehavior)   | TTPs/Persistence/IAMUser-AnomalousBehavior | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#persistence-iam-networkpermissions](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#persistence-iam-networkpermissions)  |  TTPs/Persistence/Persistence:IAMUser-NetworkPermissions  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#persistence-iam-resourcepermissions](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#persistence-iam-resourcepermissions)  |  TTPs/Persistence/Persistence:IAMUser-ResourcePermissions  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#persistence-iam-userpermissions](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#persistence-iam-userpermissions)  |  TTPs/Persistence/Persistence:IAMUser-UserPermissions  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#persistence-runtime-suspicious-command](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#persistence-runtime-suspicious-command)  |  TTPs/Persistence/Persistence:Runtime-SuspiciousCommand  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#policy-iam-rootcredentialusage](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#policy-iam-rootcredentialusage)  |  TTPs/Policy:IAMUser-RootCredentialUsage  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#policy-iam-user-short-term-root-credential-usage](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#policy-iam-user-short-term-root-credential-usage)  |  TTPs/Policy:IAMUser-ShortTermRootCredentialUsage  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#policy-kubernetes-adminaccesstodefaultserviceaccount](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#policy-kubernetes-adminaccesstodefaultserviceaccount)  |  Software and Configuration Checks/AWS Security Best Practices/Policy:Kubernetes-AdminAccessToDefaultServiceAccount  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#policy-kubernetes-anonymousaccessgranted](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#policy-kubernetes-anonymousaccessgranted)  |  Software and Configuration Checks/AWS Security Best Practices/Policy:Kubernetes-AnonymousAccessGranted  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#policy-kubernetes-exposeddashboard](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#policy-kubernetes-exposeddashboard)  |  Software and Configuration Checks/AWS Security Best Practices/Policy:Kubernetes-ExposedDashboard  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#policy-kubernetes-kubeflowdashboardexposed](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#policy-kubernetes-kubeflowdashboardexposed)  |  Software and Configuration Checks/AWS Security Best Practices/Policy:Kubernetes-KubeflowDashboardExposed  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#policy-s3-accountblockpublicaccessdisabled](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#policy-s3-accountblockpublicaccessdisabled)  |  TTPs/Policy:S3-AccountBlockPublicAccessDisabled  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#policy-s3-bucketanonymousaccessgranted](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#policy-s3-bucketanonymousaccessgranted)  |  TTPs/Policy:S3-BucketAnonymousAccessGranted  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#policy-s3-bucketblockpublicaccessdisabled](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#policy-s3-bucketblockpublicaccessdisabled)  |  Effects/Data Exposure/Policy:S3-BucketBlockPublicAccessDisabled  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#policy-s3-bucketpublicaccessgranted](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#policy-s3-bucketpublicaccessgranted)  |  TTPs/Policy:S3-BucketPublicAccessGranted  | 
|   [PrivilegeEscalation:IAMUser/AnomalousBehavior](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#privilegeescalation-iam-anomalousbehavior)   |  TTPs/Privilege Escalation/IAMUser-AnomalousBehavior  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#privilegeescalation-iam-administrativepermissions](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#privilegeescalation-iam-administrativepermissions)  |  TTPs/Privilege Escalation/PrivilegeEscalation:IAMUser-AdministrativePermissions  | 
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#privesc-kubernetes-anomalousbehavior-rolebindingcreated](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#privesc-kubernetes-anomalousbehavior-rolebindingcreated) |  TTPs/AnomalousBehavior/PrivilegeEscalation:Kubernetes-RoleBindingCreated  | 
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#privesc-kubernetes-anomalousbehavior-rolecreated](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#privesc-kubernetes-anomalousbehavior-rolecreated) |  TTPs/AnomalousBehavior/PrivilegeEscalation:Kubernetes-RoleCreated  | 
| [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#privilegeescalation-kubernetes-privilegedcontainer](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-finding-types-eks-audit-logs.html#privilegeescalation-kubernetes-privilegedcontainer) |  TTPs/PrivilegeEscalation/PrivilegeEscalation:Kubernetes-PrivilegedContainer  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#privilegeesc-runtime-containermountshostdirectory](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#privilegeesc-runtime-containermountshostdirectory)  |  TTPs/Privilege Escalation/PrivilegeEscalation:Runtime-ContainerMountsHostDirectory  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#privilegeesc-runtime-cgroupsreleaseagentmodified](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#privilegeesc-runtime-cgroupsreleaseagentmodified)  |  TTPs/Privilege Escalation/PrivilegeEscalation:Runtime-CGroupsReleaseAgentModified  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#privilegeesc-runtime-dockersocketaccessed](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#privilegeesc-runtime-dockersocketaccessed)  |  TTPs/Privilege Escalation/PrivilegeEscalation:Runtime-DockerSocketAccessed  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#privilegeesc-runtime-elevation-to-root](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#privilegeesc-runtime-elevation-to-root)  |  TTPs/Privilege Escalation/PrivilegeEscalation:Runtime-ElevationToRoot  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#privilegeesc-runtime-runccontainerescape](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#privilegeesc-runtime-runccontainerescape)  |  TTPs/Privilege Escalation/PrivilegeEscalation:Runtime-RuncContainerEscape  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#privilege-escalation-runtime-suspicious-command](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#privilege-escalation-runtime-suspicious-command)  |  Software and Configuration Checks/PrivilegeEscalation:Runtime-SuspiciousCommand  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#privilegeesc-runtime-userfaultfdusage](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#privilegeesc-runtime-userfaultfdusage)  |  TTPs/Privilege Escalation/PrivilegeEscalation:Runtime-UserfaultfdUsage  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portprobeemrunprotectedport](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portprobeemrunprotectedport)  |  TTPs/Discovery/Recon:EC2-PortProbeEMRUnprotectedPort  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portprobeunprotectedport](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portprobeunprotectedport)  |  TTPs/Discovery/Recon:EC2-PortProbeUnprotectedPort  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#recon-ec2-portscan)  |  TTPs/Discovery/Recon:EC2-Portscan  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#recon-iam-maliciousipcaller](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#recon-iam-maliciousipcaller)  |  TTPs/Discovery/Recon:IAMUser-MaliciousIPCaller  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#recon-iam-maliciousipcallercustom](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#recon-iam-maliciousipcallercustom)  |  TTPs/Discovery/Recon:IAMUser-MaliciousIPCaller.Custom  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#recon-iam-networkpermissions](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#recon-iam-networkpermissions)  |  TTPs/Discovery/Recon:IAMUser-NetworkPermissions  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#recon-iam-resourcepermissions](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#recon-iam-resourcepermissions)  |  TTPs/Discovery/Recon:IAMUser-ResourcePermissions  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#recon-iam-toripcaller](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#recon-iam-toripcaller)  |  TTPs/Discovery/Recon:IAMUser-TorIPCaller  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#recon-iam-userpermissions](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#recon-iam-userpermissions)  |  TTPs/Discovery/Recon:IAMUser-UserPermissions  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#resourceconsumption-iam-computeresources](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#resourceconsumption-iam-computeresources)  |  Unusual Behaviors/User/ResourceConsumption:IAMUser-ComputeResources  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#stealth-iam-cloudtrailloggingdisabled](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#stealth-iam-cloudtrailloggingdisabled)  |  TTPs/Defense Evasion/Stealth:IAMUser-CloudTrailLoggingDisabled  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#stealth-iam-loggingconfigurationmodified](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#stealth-iam-loggingconfigurationmodified)  |  TTPs/Defense Evasion/Stealth:IAMUser-LoggingConfigurationModified  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#stealth-iam-passwordpolicychange](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#stealth-iam-passwordpolicychange)  |  TTPs/Defense Evasion/Stealth:IAMUser-PasswordPolicyChange  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#stealth-s3-serveraccessloggingdisabled](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#stealth-s3-serveraccessloggingdisabled)  |  TTPs/Defense Evasion/Stealth:S3-ServerAccessLoggingDisabled  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-blackholetraffic](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-blackholetraffic)  |  TTPs/Command and Control/Trojan:EC2-BlackholeTraffic  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-blackholetrafficdns](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-blackholetrafficdns)  |  TTPs/Command and Control/Trojan:EC2-BlackholeTraffic!DNS  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-dgadomainrequestb](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-dgadomainrequestb)  |  TTPs/Command and Control/Trojan:EC2-DGADomainRequest.B  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-dgadomainrequestcdns](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-dgadomainrequestcdns)  |  TTPs/Command and Control/Trojan:EC2-DGADomainRequest.C!DNS  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-dnsdataexfiltration](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-dnsdataexfiltration)  |  TTPs/Command and Control/Trojan:EC2-DNSDataExfiltration  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-drivebysourcetrafficdns](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-drivebysourcetrafficdns)  |  TTPs/Initial Access/Trojan:EC2-DriveBySourceTraffic!DNS  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-droppoint](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-droppoint)  |  Effects/Data Exfiltration/Trojan:EC2-DropPoint  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-droppointdns](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-droppointdns)  |  Effects/Data Exfiltration/Trojan:EC2-DropPoint!DNS  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-phishingdomainrequestdns](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#trojan-ec2-phishingdomainrequestdns)  |  TTPs/Command and Control/Trojan:EC2-PhishingDomainRequest!DNS  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/lambda-protection-finding-types.html#trojan-lambda-blackhole-traffic](https://docs.aws.amazon.com/guardduty/latest/ug/lambda-protection-finding-types.html#trojan-lambda-blackhole-traffic)  |  TTPs/Command and Control/Trojan:Lambda-BlackholeTraffic  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/lambda-protection-finding-types.html#trojan-lambda-drop-point](https://docs.aws.amazon.com/guardduty/latest/ug/lambda-protection-finding-types.html#trojan-lambda-drop-point)  |  Effects/Data Exfiltration/Trojan:Lambda-DropPoint  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#trojan-runtime-blackholetraffic](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#trojan-runtime-blackholetraffic)  |  TTPs/Command and Control/Trojan:Runtime-BlackholeTraffic  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#trojan-runtime-blackholetrafficdns](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#trojan-runtime-blackholetrafficdns)  |  TTPs/Command and Control/Trojan:Runtime-BlackholeTraffic!DNS  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#trojan-runtime-dgadomainrequestcdns](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#trojan-runtime-dgadomainrequestcdns)  |  TTPs/Command and Control/Trojan:Runtime-DGADomainRequest.C!DNS  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#trojan-runtime-drivebysourcetrafficdns](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#trojan-runtime-drivebysourcetrafficdns)  |  TTPs/Initial Access/Trojan:Runtime-DriveBySourceTraffic!DNS  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#trojan-runtime-droppoint](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#trojan-runtime-droppoint)  |  Effects/Data Exfiltration/Trojan:Runtime-DropPoint  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#trojan-runtime-droppointdns](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#trojan-runtime-droppointdns)  |  Effects/Data Exfiltration/Trojan:Runtime-DropPoint!DNS  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#trojan-runtime-phishingdomainrequestdns](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#trojan-runtime-phishingdomainrequestdns)  |  TTPs/Command and Control/Trojan:Runtime-PhishingDomainRequest!DNS  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#unauthorizedaccess-ec2-maliciousipcallercustom](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#unauthorizedaccess-ec2-maliciousipcallercustom)  |  TTPs/Command and Control/UnauthorizedAccess:EC2-MaliciousIPCaller.Custom  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#unauthorizedaccess-ec2-metadatadnsrebind](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#unauthorizedaccess-ec2-metadatadnsrebind)  |  TTPs/UnauthorizedAccess:EC2-MetadataDNSRebind  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#unauthorizedaccess-ec2-rdpbruteforce](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#unauthorizedaccess-ec2-rdpbruteforce)  |  TTPs/Initial Access/UnauthorizedAccess:EC2-RDPBruteForce  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#unauthorizedaccess-ec2-sshbruteforce](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#unauthorizedaccess-ec2-sshbruteforce)  |  TTPs/Initial Access/UnauthorizedAccess:EC2-SSHBruteForce  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#unauthorizedaccess-ec2-torclient](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#unauthorizedaccess-ec2-torclient)  |  Effects/Resource Consumption/UnauthorizedAccess:EC2-TorClient  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#unauthorizedaccess-ec2-torrelay](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-ec2.html#unauthorizedaccess-ec2-torrelay)  |  Effects/Resource Consumption/UnauthorizedAccess:EC2-TorRelay  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#unauthorizedaccess-iam-consolelogin](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-retired.html#unauthorizedaccess-iam-consolelogin)  |  Unusual Behaviors/User/UnauthorizedAccess:IAMUser-ConsoleLogin  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-consoleloginsuccessb](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-consoleloginsuccessb)  |  TTPs/UnauthorizedAccess:IAMUser-ConsoleLoginSuccess.B  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-instancecredentialexfiltrationinsideaws](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-instancecredentialexfiltrationinsideaws)  |  Effects/Data Exfiltration/UnauthorizedAccess:IAMUser-InstanceCredentialExfiltration.InsideAWS  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-instancecredentialexfiltrationoutsideaws](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-instancecredentialexfiltrationoutsideaws)  |  Effects/Data Exfiltration/UnauthorizedAccess:IAMUser-InstanceCredentialExfiltration.OutsideAWS  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-maliciousipcaller](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-maliciousipcaller)  |  TTPs/UnauthorizedAccess:IAMUser-MaliciousIPCaller  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-maliciousipcallercustom](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-maliciousipcallercustom)  |  TTPs/UnauthorizedAccess:IAMUser-MaliciousIPCaller.Custom  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-resourcecredentialexfiltrationoutsideaws](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-resourcecredentialexfiltrationoutsideaws)  |  Effects/Data Exfiltration/UnauthorizedAccess:IAMUser-ResourceCredentialExfiltration.OutsideAWS  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-toripcaller](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-iam.html#unauthorizedaccess-iam-toripcaller)  |  TTPs/Command and Control/UnauthorizedAccess:IAMUser-TorIPCaller  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/lambda-protection-finding-types.html#unauthorized-access-lambda-maliciousIPcaller-custom](https://docs.aws.amazon.com/guardduty/latest/ug/lambda-protection-finding-types.html#unauthorized-access-lambda-maliciousIPcaller-custom)  |  TTPs/Command and Control/UnauthorizedAccess:Lambda-MaliciousIPCaller.Custom  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/lambda-protection-finding-types.html#unauthorized-access-lambda-tor-client](https://docs.aws.amazon.com/guardduty/latest/ug/lambda-protection-finding-types.html#unauthorized-access-lambda-tor-client)  |  Effects/Resource Consumption/UnauthorizedAccess:Lambda-TorClient  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/lambda-protection-finding-types.html#unauthorized-access-lambda-tor-relay](https://docs.aws.amazon.com/guardduty/latest/ug/lambda-protection-finding-types.html#unauthorized-access-lambda-tor-relay)  |  Effects/Resource Consumption/UnauthorizedAccess:Lambda-TorRelay  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#unauthorizedaccess-runtime-metadatadnsrebind](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#unauthorizedaccess-runtime-metadatadnsrebind)  |  TTPs/UnauthorizedAccess:Runtime-MetadataDNSRebind  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#unauthorizedaccess-runtime-torrelay](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#unauthorizedaccess-runtime-torrelay)  |  Effects/Resource Consumption/UnauthorizedAccess:Runtime-TorRelay  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#unauthorizedaccess-runtime-torclient](https://docs.aws.amazon.com/guardduty/latest/ug/findings-runtime-monitoring.html#unauthorizedaccess-runtime-torclient)  |  Effects/Resource Consumption/UnauthorizedAccess:Runtime-TorClient  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#unauthorizedaccess-s3-maliciousipcallercustom](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#unauthorizedaccess-s3-maliciousipcallercustom)  |  TTPs/UnauthorizedAccess:S3-MaliciousIPCaller.Custom  | 
|  [https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#unauthorizedaccess-s3-toripcaller](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-s3.html#unauthorizedaccess-s3-toripcaller)  |  TTPs/UnauthorizedAccess:S3-TorIPCaller  | 

### Typical finding from GuardDuty
<a name="securityhub-integration-finding-example"></a>

GuardDuty sends findings to Security Hub CSPM using the [AWS Security Finding Format (ASFF)](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html).

The following is an example of a typical finding from GuardDuty.

```
{
  "SchemaVersion": "2018-10-08",
  "Id": "arn:aws:guardduty:us-east-1:193043430472:detector/d4b040365221be2b54a6264dc9a4bc64/finding/46ba0ac2845071e23ccdeb2ae03bfdea",
  "ProductArn": "arn:aws:securityhub:us-east-1:product/aws/guardduty",
  "GeneratorId": "arn:aws:guardduty:us-east-1:193043430472:detector/d4b040365221be2b54a6264dc9a4bc64",
  "AwsAccountId": "193043430472",
  "Types": [
    "TTPs/Initial Access/UnauthorizedAccess:EC2-SSHBruteForce"
  ],
  "FirstObservedAt": "2020-08-22T09:15:57Z",
  "LastObservedAt": "2020-09-30T11:56:49Z",
  "CreatedAt": "2020-08-22T09:34:34.146Z",
  "UpdatedAt": "2020-09-30T12:14:00.206Z",
  "Severity": {
    "Product": 2,
    "Label": "MEDIUM",
    "Normalized": 40
  },
  "Title": "199.241.229.197 is performing SSH brute force attacks against i-0c10c2c7863d1a356.",
  "Description": "199.241.229.197 is performing SSH brute force attacks against i-0c10c2c7863d1a356. Brute force attacks are used to gain unauthorized access to your instance by guessing the SSH password.",
  "SourceUrl": "https://us-east-1.console.aws.amazon.com/guardduty/home?region=us-east-1#/findings?macros=current&fId=46ba0ac2845071e23ccdeb2ae03bfdea",
  "ProductFields": {
    "aws/guardduty/service/action/networkConnectionAction/remotePortDetails/portName": "Unknown",
    "aws/guardduty/service/archived": "false",
    "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/organization/asnOrg": "CENTURYLINK-US-LEGACY-QWEST",
    "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/geoLocation/lat": "42.5122",
    "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/ipAddressV4": "199.241.229.197",
    "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/geoLocation/lon": "-90.7384",
    "aws/guardduty/service/action/networkConnectionAction/blocked": "false",
    "aws/guardduty/service/action/networkConnectionAction/remotePortDetails/port": "46717",
    "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/country/countryName": "United States",
    "aws/guardduty/service/serviceName": "guardduty",
    "aws/guardduty/service/evidence": "",
    "aws/guardduty/service/action/networkConnectionAction/localIpDetails/ipAddressV4": "172.31.43.6",
    "aws/guardduty/service/detectorId": "d4b040365221be2b54a6264dc9a4bc64",
    "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/organization/org": "CenturyLink",
    "aws/guardduty/service/action/networkConnectionAction/connectionDirection": "INBOUND",
    "aws/guardduty/service/eventFirstSeen": "2020-08-22T09:15:57Z",
    "aws/guardduty/service/eventLastSeen": "2020-09-30T11:56:49Z",
    "aws/guardduty/service/action/networkConnectionAction/localPortDetails/portName": "SSH",
    "aws/guardduty/service/action/actionType": "NETWORK_CONNECTION",
    "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/city/cityName": "Dubuque",
    "aws/guardduty/service/additionalInfo": "",
    "aws/guardduty/service/resourceRole": "TARGET",
    "aws/guardduty/service/action/networkConnectionAction/localPortDetails/port": "22",
    "aws/guardduty/service/action/networkConnectionAction/protocol": "TCP",
    "aws/guardduty/service/count": "74",
    "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/organization/asn": "209",
    "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/organization/isp": "CenturyLink",
    "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/guardduty/arn:aws:guardduty:us-east-1:193043430472:detector/d4b040365221be2b54a6264dc9a4bc64/finding/46ba0ac2845071e23ccdeb2ae03bfdea",
    "aws/securityhub/ProductName": "GuardDuty",
    "aws/securityhub/CompanyName": "Amazon"
  },
  "Resources": [
    {
      "Type": "AwsEc2Instance",
      "Id": "arn:aws:ec2:us-east-1:193043430472:instance/i-0c10c2c7863d1a356",
      "Partition": "aws",
      "Region": "us-east-1",
      "Tags": {
        "Name": "kubectl"
      },
      "Details": {
        "AwsEc2Instance": {
          "Type": "t2.micro",
          "ImageId": "ami-02354e95b39ca8dec",
          "IpV4Addresses": [
            "18.234.130.16",
            "172.31.43.6"
          ],
          "VpcId": "vpc-a0c2d7c7",
          "SubnetId": "subnet-4975b475",
          "LaunchedAt": "2020-08-03T23:21:57Z"
        }
      }
    }
  ],
  "WorkflowState": "NEW",
  "Workflow": {
    "Status": "NEW"
  },
  "RecordState": "ACTIVE"
}
```
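The ASFF layout above can be reduced to a triage record as follows. This is an added example, not AWS code: the function names are hypothetical, `SAMPLE` is a trimmed copy of the finding above, and the `-` to `/` reversal of the finding type is an assumption inferred from the type table.

```python
import ipaddress

# Trimmed copy of the example finding above: only the fields read below.
SAMPLE = {
    "Types": ["TTPs/Initial Access/UnauthorizedAccess:EC2-SSHBruteForce"],
    "Severity": {"Product": 2, "Label": "MEDIUM", "Normalized": 40},
    "ProductFields": {
        "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/ipAddressV4": "199.241.229.197",
        "aws/guardduty/service/action/networkConnectionAction/localPortDetails/port": "22",
        "aws/guardduty/service/count": "74",
        "aws/securityhub/ProductName": "GuardDuty",
    },
    "Resources": [{"Id": "arn:aws:ec2:us-east-1:193043430472:instance/i-0c10c2c7863d1a356",
                   "Details": {"AwsEc2Instance": {"IpV4Addresses": ["18.234.130.16", "172.31.43.6"]}}}],
}

def split_asff_type(asff_type):
    """Split 'namespace[/category]/classifier'; some table rows have no category."""
    parts = asff_type.split("/")
    category = "/".join(parts[1:-1]) or None
    # Assumption: ASFF writes the GuardDuty type's '/' as '-'; undo the first one after ':'.
    purpose, _, rest = parts[-1].partition(":")
    return parts[0], category, f"{purpose}:{rest.replace('-', '/', 1)}"

def unflatten(fields, prefix="aws/guardduty/service/"):
    """Rebuild the nested GuardDuty service object from slash-delimited keys."""
    tree = {}
    for key, value in fields.items():
        if not key.startswith(prefix):
            continue  # e.g. aws/securityhub/* keys added by Security Hub
        *path, leaf = key[len(prefix):].split("/")
        node = tree
        for step in path:
            node = node.setdefault(step, {})
        node[leaf] = value
    return tree

def triage(finding):
    """Reduce one ASFF finding to the fields an analyst reads first."""
    namespace, category, native = split_asff_type(finding["Types"][0])
    service = unflatten(finding["ProductFields"])
    net = service.get("action", {}).get("networkConnectionAction", {})
    addrs = [a for r in finding["Resources"]
             for a in r.get("Details", {}).get("AwsEc2Instance", {}).get("IpV4Addresses", [])]
    return {
        "guardduty_type": native, "namespace": namespace, "category": category,
        "severity": finding["Severity"]["Label"],
        "remote_ip": net.get("remoteIpDetails", {}).get("ipAddressV4"),
        "local_port": int(net.get("localPortDetails", {}).get("port", 0)) or None,
        "event_count": int(service.get("count", 0)),
        "resources": [r["Id"].rsplit("/", 1)[-1] for r in finding["Resources"]],
        "public_ips": [a for a in addrs if ipaddress.ip_address(a).is_global],
    }
```

All `ProductFields` values are strings in ASFF, which is why the port and count are converted before any numeric comparison.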

## Enabling and configuring the integration
<a name="securityhub-integration-enable"></a>

To use the integration with AWS Security Hub CSPM, you must enable Security Hub CSPM. For information about how to enable Security Hub CSPM, see [Setting up Security Hub](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-settingup.html) in the *AWS Security Hub User Guide*.

When you enable both GuardDuty and Security Hub CSPM, the integration is enabled automatically. GuardDuty immediately begins to send findings to Security Hub CSPM.

## Using GuardDuty controls in Security Hub CSPM
<a name="securityhub-integration-using-guardduty-controls"></a>

AWS Security Hub CSPM uses security controls to evaluate your AWS resources and check compliance against security industry standards and best practices. You can use the controls related to GuardDuty resources and your selected protection plans. For more information, see [Amazon GuardDuty controls](https://docs.aws.amazon.com/securityhub/latest/userguide/guardduty-controls.html) in the *AWS Security Hub User Guide*.

For a list of all controls across AWS services and resources, see [Security Hub CSPM controls reference](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-controls-reference.html) in the *AWS Security Hub User Guide*.

## Stopping the publication of findings to Security Hub CSPM
<a name="securityhub-integration-disable"></a>

To stop sending findings to Security Hub CSPM, you can use the Security Hub CSPM console or the API.

See [Disabling and enabling the flow of findings from an integration (console)](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-integrations-managing.html#securityhub-integration-findings-flow-console) or [Disabling the flow of findings from an integration (Security Hub API, AWS CLI)](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-integrations-managing.html#securityhub-integration-findings-flow-disable-api) in the *AWS Security Hub User Guide*.

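# Integrating with Amazon Detective
<a name="detective-integration"></a>

[Amazon Detective](https://docs.aws.amazon.com/detective/latest/userguide/what-is-detective.html) helps you quickly analyze and investigate security events across one or more AWS accounts by generating data visualizations that represent how your resources behave and interact over time. Detective creates visualizations of GuardDuty findings.

For all finding types, Detective ingests finding details and provides access to entity profiles so that you can investigate the different entities involved with a finding. An entity can be an AWS account, an AWS resource within an account, or an external IP address that has interacted with your resources. Depending on the finding type, the GuardDuty console supports pivoting to Amazon Detective from an AWS account, an IAM role, user, or role session, a user agent, a federated user, an Amazon EC2 instance, or an IP address.

**Contents**
+ [Enabling the integration](#detective-integration-enable)
+ [Pivoting to Amazon Detective from a GuardDuty finding](#pivot-to-detective)
+ [Using the integration with a GuardDuty multi-account environment](#detective-integration-multiaccount)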

## Enabling the integration
<a name="detective-integration-enable"></a>

To use Amazon Detective with GuardDuty, you must first enable Amazon Detective. For information about how to enable Detective, see [Getting started with Amazon Detective](https://docs.aws.amazon.com/detective/latest/userguide/detective-setup.html) in the *Amazon Detective User Guide*.

When you enable both GuardDuty and Detective, the integration is enabled automatically. Once enabled, Detective immediately ingests your GuardDuty findings data.

**Note**  
GuardDuty sends findings to Detective based on the GuardDuty findings export frequency. By default, the export frequency for updates to existing findings is 6 hours. To make sure that Detective receives the most recent updates to your findings, we recommend changing the export frequency to 15 minutes in each Region where you use Detective with GuardDuty. For more information, see [Step 5 – Setting the frequency for exporting updated active findings](guardduty_exportfindings.md#guardduty_exportfindings-frequency).

## Pivoting to Amazon Detective from a GuardDuty finding
<a name="pivot-to-detective"></a>

1. Sign in to the [https://console.aws.amazon.com/guardduty/](https://console.aws.amazon.com/guardduty/) console.

1. Choose a single finding from the findings table.

1. In the finding details pane, choose **Investigate with Detective**.

1. Choose the aspect of the finding to investigate with Amazon Detective. This opens the Detective console for that finding or entity.

If the pivot does not work as expected, see [Troubleshooting the pivot](https://docs.aws.amazon.com/detective/latest/userguide/profile-pivot-from-service.html#profile-pivot-troubleshooting) in the *Amazon Detective User Guide*.

**Note**  
If you archive a GuardDuty finding in the Detective console, that finding is also archived in the GuardDuty console.

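## Using the integration with a GuardDuty multi-account environment
<a name="detective-integration-multiaccount"></a>

If you manage a multi-account environment in GuardDuty, you must add your member accounts to Amazon Detective to see Detective data visualizations for the findings and entities in those accounts.

We recommend that you use the same GuardDuty administrator account as the administrator account for Detective. For information about how to add member accounts in Detective, see [Managing accounts](https://docs.aws.amazon.com/detective/latest/userguide/accounts.html) in the *Amazon Detective User Guide*.

**Note**  
Detective is a Regional service, so you must enable Detective and add your member accounts in each Region where you want to use the integration.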