SYSTEM Cited by 1 source
Amazon GuardDuty
Amazon GuardDuty is AWS's managed threat-detection service: a continuously running analytics engine over security-relevant signals (CloudTrail, VPC Flow Logs, DNS logs, EKS audit logs, container runtime activity) that produces findings mapped to known attack patterns. Stub page — expand on future GuardDuty-internals sources.
Capabilities named in ingested sources
Extended Threat Detection (EKS)
Correlates four signal streams into consolidated multistage attack chains with MITRE ATT&CK tactic/technique annotations:
- Amazon EKS audit logs — control-plane API calls against the K8s API server.
- Runtime behaviours — process / network / file-system activity inside containers (via an eBPF agent or the GuardDuty agent).
- Malware execution — process / file detection of known malware patterns.
- AWS API activity — CloudTrail data, for lateral movement that crosses from the workload back into the AWS control plane.
"Identify sophisticated multistage attacks that traditional monitoring approaches often miss." Patterns explicitly called out by Generali:
- Container exploitation
- Privilege escalation
- Unauthorized lateral movement within Kubernetes
Findings include timelines mapped to MITRE ATT&CK tactics and techniques — an investigation-grade format rather than a raw alert stream.
Runtime monitoring
Adds the container-runtime signal stream (the "runtime behaviours" bullet above) — without this, GuardDuty can see API-level attacks but not in-container execution.
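Added example (not code from the Generali write-up or from AWS): a boto3-style check that a detector actually has both EKS signal streams above enabled, plus the update_detector request that turns them on. EKS_AUDIT_LOGS, RUNTIME_MONITORING and EKS_ADDON_MANAGEMENT are GuardDuty's own detector-feature names (verify against the current API reference before relying on them); the sample detector response and the GUARDDUTY_DETECTOR_ID variable are constructed for this example, and the live API calls run only when that variable is set.

```python
"""Check which EKS signal streams a GuardDuty detector is missing, and build the
update_detector request that enables them.

Added example for this note, not AWS's or Generali's code. Uses the real boto3
GuardDuty API (get_detector / update_detector) but runs offline against a
constructed detector response unless GUARDDUTY_DETECTOR_ID is set.
"""
import os

# Detector features behind the two EKS signal streams this note lists:
# control-plane audit logs, and in-container runtime behaviour. The runtime
# stream only carries data once the GuardDuty agent is deployed; EKS_ADDON_MANAGEMENT
# lets GuardDuty install and update that agent as an EKS add-on itself.
REQUIRED_FEATURES = {
    "EKS_AUDIT_LOGS": set(),
    "RUNTIME_MONITORING": {"EKS_ADDON_MANAGEMENT"},
}


def missing_signal_streams(features):
    """Return required features (or sub-configurations) that are not ENABLED.

    `features` is the `Features` list of a get_detector response:
    [{"Name": ..., "Status": "ENABLED"|"DISABLED", "AdditionalConfiguration": [...]}, ...]
    A missing sub-configuration is reported as "FEATURE/SUBCONFIG".
    """
    enabled = {}
    for f in features:
        if f.get("Status") == "ENABLED":
            enabled[f["Name"]] = {
                c["Name"]
                for c in f.get("AdditionalConfiguration", [])
                if c.get("Status") == "ENABLED"
            }
    missing = []
    for name, subs in REQUIRED_FEATURES.items():
        if name not in enabled:
            missing.append(name)
            continue
        for sub in sorted(subs):
            if sub not in enabled[name]:
                missing.append(f"{name}/{sub}")
    return missing


def enable_request(detector_id):
    """Build the update_detector kwargs that enable both signal streams."""
    features = []
    for name, subs in REQUIRED_FEATURES.items():
        entry = {"Name": name, "Status": "ENABLED"}
        if subs:
            entry["AdditionalConfiguration"] = [
                {"Name": s, "Status": "ENABLED"} for s in sorted(subs)
            ]
        features.append(entry)
    return {"DetectorId": detector_id, "Features": features}


# Constructed sample: a detector with only EKS audit logs on, i.e. the
# "API-level attacks visible, in-container execution invisible" state.
SAMPLE_DETECTOR_FEATURES = [
    {"Name": "EKS_AUDIT_LOGS", "Status": "ENABLED"},
    {
        "Name": "RUNTIME_MONITORING",
        "Status": "DISABLED",
        "AdditionalConfiguration": [{"Name": "EKS_ADDON_MANAGEMENT", "Status": "DISABLED"}],
    },
]


def main():
    detector_id = os.environ.get("GUARDDUTY_DETECTOR_ID")  # constructed variable name
    live = detector_id is not None
    if live:
        import boto3  # only required for the live path
        gd = boto3.client("guardduty")
        features = gd.get_detector(DetectorId=detector_id).get("Features", [])
    else:
        detector_id = "DETECTOR-ID-PLACEHOLDER"
        features = SAMPLE_DETECTOR_FEATURES

    missing = missing_signal_streams(features)
    if not missing:
        print("all EKS signal streams enabled")
        return
    print("missing:", ", ".join(missing))
    req = enable_request(detector_id)
    if live:
        gd.update_detector(**req)
        print("update_detector sent")
    else:
        print("would call update_detector with:", req)


if __name__ == "__main__":
    main()
```

The check is worth running even on accounts that "have GuardDuty on": RUNTIME_MONITORING enabled without EKS_ADDON_MANAGEMENT (or a self-managed agent) leaves the runtime stream empty, so Extended Threat Detection still correlates only the control-plane and AWS API signals.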
Role in EKS security architectures
Generali's stack pairs GuardDuty with three orthogonal controls:
- Amazon Inspector — what vulnerabilities are running (prevent).
- GuardDuty — what attacks are happening (detect).
- AWS Network Firewall — what outbound traffic is allowed (contain).
Business outcomes (as framed by Generali)
- "Reduced investigation time through consolidated security insights."
- "Rapid assessment of which containerized infrastructure components require immediate attention."
- "Ability to prioritize remediation efforts on the most critical affected resources while minimizing the potential blast radius."
No quantified numbers (false-positive rate, MTTD, alert volume) were disclosed in the source.
Seen in
- sources/2026-03-23-aws-generali-malaysia-eks-auto-mode — both GuardDuty EKS protection and runtime monitoring enabled; the detection tier of Generali Malaysia's EKS security stack.
Related
- systems/aws-eks
- systems/amazon-inspector — the vulnerability-scanning complement
- systems/aws-network-firewall — the egress-filtering complement