
AWS GuardDuty

AWS's intelligent threat detection service that continuously monitors CloudTrail logs, VPC Flow Logs, and DNS logs for malicious activity. It uses machine learning and threat intelligence to identify compromised accounts, unusual API behavior, and unauthorized deployments.

What is AWS GuardDuty?

AWS GuardDuty is Amazon's managed threat detection service for cloud environments. It continuously analyzes CloudTrail event logs, VPC Flow Logs, and DNS query logs using a combination of machine learning models, anomaly detection, and curated threat intelligence feeds. GuardDuty identifies behaviors that indicate compromised EC2 instances, credential theft, cryptocurrency mining, unusual data exfiltration patterns, and reconnaissance activity targeting AWS resources. Because it operates at the account level without requiring any agents or sensors, it provides broad coverage across the entire AWS environment with minimal operational overhead. The findings it generates are structured, severity-rated, and ready to feed directly into SIEM or SOAR pipelines for further investigation.
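As an added example (not Qevlar's or AWS's own code), the following normalizes a constructed GuardDuty finding, shaped like the `detail` body GuardDuty publishes through EventBridge, into the flat, severity-labelled record a SIEM or SOAR pipeline would ingest; the severity bands follow GuardDuty's documented Low/Medium/High/Critical ranges, and the finding-type parser splits the `ThreatPurpose:ResourceType/ThreatFamily` naming scheme so downstream rules can route on each part.

```python
# Constructed sample: the `detail` body of a GuardDuty finding as delivered
# through EventBridge; field names follow the GuardDuty finding schema.
SAMPLE_FINDING = {
    "schemaVersion": "2.0", "accountId": "123456789012", "region": "eu-west-1",
    "id": "example-finding-id", "type": "UnauthorizedAccess:EC2/SSHBruteForce",
    "severity": 5.0, "title": "SSH brute force against i-0example (constructed)",
    "resource": {"resourceType": "Instance",
                 "instanceDetails": {"instanceId": "i-0example"}},
    "service": {"action": {"actionType": "NETWORK_CONNECTION"}, "count": 14,
                "eventFirstSeen": "2024-05-01T10:00:00Z",
                "eventLastSeen": "2024-05-01T10:20:00Z"},
}

# GuardDuty's documented severity bands: Low 1-3.9, Medium 4-6.9, High 7-8.9,
# Critical 9-10 (Critical is only emitted for newer finding types).
SEVERITY_BANDS = ((9.0, "CRITICAL"), (7.0, "HIGH"), (4.0, "MEDIUM"), (1.0, "LOW"))

def severity_label(score: float) -> str:
    """Map the numeric severity to its band; below 1.0 is unexpected input."""
    for floor, label in SEVERITY_BANDS:
        if score >= floor:
            return label
    return "UNKNOWN"

def parse_finding_type(finding_type: str) -> dict:
    """Split 'ThreatPurpose:ResourceType/ThreatFamily[.Mechanism][!Artifact]'."""
    purpose, rest = finding_type.split(":", 1)
    resource, family = rest.split("/", 1)
    return {"threat_purpose": purpose, "resource_type": resource,
            "threat_family": family}

def normalize(finding: dict) -> dict:
    """Flatten the fields an analyst triages on; missing fields stay None."""
    resource, service = finding.get("resource", {}), finding.get("service", {})
    record = {
        "finding_id": finding["id"], "account_id": finding["accountId"],
        "region": finding["region"], "severity_score": float(finding["severity"]),
        "severity": severity_label(float(finding["severity"])),
        "instance_id": resource.get("instanceDetails", {}).get("instanceId"),
        "action_type": service.get("action", {}).get("actionType"),
        "occurrences": service.get("count", 1),
        "first_seen": service.get("eventFirstSeen"),
        "last_seen": service.get("eventLastSeen"), "title": finding.get("title", ""),
    }
    record.update(parse_finding_type(finding["type"]))
    return record

if __name__ == "__main__":
    print(normalize(SAMPLE_FINDING))
```

The `occurrences`, `first_seen` and `last_seen` fields are what distinguish a single probe from a sustained campaign, so keep them in the record rather than collapsing the finding to its severity alone.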

How does AWS GuardDuty work with Qevlar?

GuardDuty findings flow into Qevlar's investigation engine, allowing automated triage of cloud security alerts. When GuardDuty flags a compromised instance or an unusual API call pattern, Qevlar can correlate that finding with identity data, network logs, and endpoint telemetry to determine the true scope and impact without manual analyst intervention.
