AWS GuardDuty Critical Severity Finding

Severity: critical
Log types: AWS.GuardDuty
Tags: AWS, Threat Detection, Automated Security, Anomaly Detection, GuardDuty, Machine Learning
Reference: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html#guardduty_findings-severity
Source: github.com/panther-labs/panther-analysis

Detects critical-severity findings (9.0/9.0) from AWS GuardDuty indicating active compromise, imminent data loss, or ongoing attacks. GuardDuty uses machine learning and threat intelligence to identify compromised credentials, cryptocurrency mining, data exfiltration, and connections to malicious infrastructure. This rule filters out sample data and alerts only on genuine critical threats requiring immediate investigation.

MITRE ATT&CK coverage

Tactic	Techniques
Initial Access	`T1078` Valid Accounts

Rule body yaml

AnalysisType: rule
Filename: aws_guardduty_critical_sev_findings.py
RuleID: "AWS.GuardDuty.CriticalSeverityFinding"
DisplayName: "AWS GuardDuty Critical Severity Finding"
Enabled: true
LogTypes:
  - AWS.GuardDuty
Tags:
  - AWS
  - Threat Detection
  - Automated Security
  - Anomaly Detection
  - GuardDuty
  - Machine Learning
Severity: Critical
Reports:
  MITRE ATT&CK:
    - TA0001:T1078
DedupPeriodMinutes: 15
Description: >
  Detects critical-severity findings (9.0/9.0) from AWS GuardDuty indicating active compromise, imminent data loss, or ongoing attacks. GuardDuty uses machine learning and threat intelligence to identify compromised credentials, cryptocurrency mining, data exfiltration, and connections to malicious infrastructure. This rule filters out sample data and alerts only on genuine critical threats requiring immediate investigation.
Runbook: |
  1. Look up the finding type in AWS GuardDuty documentation at https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html, then query CloudTrail for all API calls by the affected principal or resource between service.eventFirstSeen and service.eventLastSeen
  2. For AttackSequence findings, review the description field to identify all MITRE ATT&CK tactics, techniques, and sensitive APIs called, then search for each of these API calls in CloudTrail to understand the full attack chain
  3. Search VPC Flow Logs and S3 access logs for connections from the source IPs mentioned in the GuardDuty finding during the timeframe to identify data exfiltration, lateral movement, or persistence mechanisms
Reference: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html#guardduty_findings-severity
SummaryAttributes:
  - severity
  - type
  - title
  - p_any_domain_names
  - p_any_aws_arns
  - p_any_aws_account_ids
Tests:
  - Name: Critical Sev Finding
    ExpectedResult: true
    Log:
      {
        "accountId": "123456789012",
        "arn": "arn:aws:guardduty:us-east-1:123456789012:detector/111111bbbbbbbbbb5555555551111111/finding/8c258d654378414b9bc26f61a93eb816",
        "createdAt": "2025-02-25 20:40:06.721",
        "description": "A sequence of actions involving 4 signals indicating a possible credential compromise was observed for IAMUser/john_doe with principalId AIDA3UBBJ2K3TVEXAMPLE in account 111122223333\nbetween eventFirstSeen and eventLastSeen with the following behaviors:\n  - 5 MITRE ATT&CK tactics observed: Persistence, Privilege Escalation, Defense Evasion, Discovery, Initial Access\n  - 5 MITRE ATT&CK techniques observed: T1562.008 - Impair Defenses: Disable or Modify Cloud Logs, T1098.003 - Account Manipulation: Additional Cloud Roles, T1078.004 - Valid Accounts: Cloud Accounts, T1087.004 - Account Discovery: Cloud Account, T1098 - Account Manipulation\n  - Connected from a known Tor Exit Node: 10.0.0.1\n  - 4 sensitive APIs called: cloudtrail:DeleteTrail, iam:AttachRolePolicy, iam:CreateRole, iam:ListUsers\n",
        "id": "8c258d654378414b9bc26f61a93eb816",
        "partition": "aws",
        "region": "us-east-1",
        "resource": {
          "resourceType": "AttackSequence"
        },
        "schemaVersion": "2.0",
        "service": {
          "additionalInfo": {},
          "archived": false,
          "count": 1,
          "detectorId": "111111bbbbbbbbbb5555555551111111",
          "eventFirstSeen": "2025-02-25 20:40:06.000000000",
          "eventLastSeen": "2025-02-25 20:40:06.000000000",
          "featureName": "Correlation",
          "resourceRole": "TARGET",
          "serviceName": "guardduty"
        },
        "severity": 9,
        "title": "Potential credential compromise of IAMUser/john_doe indicated by a sequence of actions.",
        "type": "AttackSequence:IAM/CompromisedCredentials",
        "updatedAt": "2025-02-25 20:40:06.721"
      }
  - Name: Critical Sev Finding As Sample Data
    ExpectedResult: false
    Log:
      {
        "accountId": "123456789012",
        "arn": "arn:aws:guardduty:us-east-1:123456789012:detector/111111bbbbbbbbbb5555555551111111/finding/b174b38d16e34da0a4c66012083bd8f7",
        "createdAt": "2025-02-25 20:40:06.765",
        "description": "A sequence of actions involving 14 signals indicating a possible credential compromise one or more S3 bucket(s) was observed for IAMUser/john_doe with principalId AIDA3UBBJ2K3TVEXAMPLE in account 111122223333\nbetween eventFirstSeen and eventLastSeen with the following behaviors:\n  - 5 MITRE ATT&CK tactics observed: Exfiltration, Impact, Persistence, Defense Evasion, Discovery\n  - 5 MITRE ATT&CK techniques observed: T1526 - Cloud Service Discovery, T1098 - Account Manipulation, T1078.004 - Valid Accounts: Cloud Accounts, T1485 - Data Destruction, T1530 - Data from Cloud Storage\n  - Connected from a known Tor Exit Node: 10.0.0.1\n  - 7 sensitive APIs called: s3:DeleteObject, s3:GetObject, s3:PutBucketPublicAccessBlock, cloudtrail:DeleteTrail, iam:AttachUserPolicy, s3:ListObjects, s3:ListBuckets\n",
        "id": "b174b38d16e34da0a4c66012083bd8f7",
        "partition": "aws",
        "region": "us-east-1",
        "resource": {
          "resourceType": "AttackSequence"
        },
        "schemaVersion": "2.0",
        "service": {
          "additionalInfo": {
            "sample": true,
            "type": "default",
            "value": "{\"sample\":true}"
          },
          "archived": false,
          "count": 1,
          "detectorId": "111111bbbbbbbbbb5555555551111111",
          "eventFirstSeen": "2025-02-25 20:40:06.000000000",
          "eventLastSeen": "2025-02-25 20:40:06.000000000",
          "featureName": "Correlation",
          "resourceRole": "TARGET",
          "serviceName": "guardduty"
        },
        "severity": 9,
        "title": "Potential data compromise of one or more S3 buckets involving a sequence of actions associated with IAMUser/john_doe.",
        "type": "AttackSequence:S3/CompromisedData",
        "updatedAt": "2025-02-25 20:40:06.765"
      }

Detection logic

Condition

service.additionalInfo.sample is_null
severity ge "9.0"
severity le "10.0"

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`service.additionalInfo.sample`	is_null	(no value, null check)
`severity`	ge	`9.0`
`severity`	le	`10.0`

Output fields

Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.

Field
`description`
`severity`
`id`
`type`
`resource`
`service`
`accountId`
`title`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)