# GuardDuty

* A managed threat detection service for AWS accounts and workloads
* Continuously monitors multiple AWS accounts for malicious activity or unusual behavior, with no agents or sensors to deploy
* Detection types
  * Reconnaissance attacks - brute force attempts, port scans, port probes, etc.
  * Instance compromises - communication with known malicious hosts, spambot activity, outbound SSH brute force attacks, EC2 credential exfiltration, etc.
  * Account compromises - malicious API calls, CloudTrail logging being disabled, password compromises, etc.
* Simple dashboard view
* Findings are published as CloudWatch Events (now EventBridge), so they can trigger automated responses; further partner integrations include Splunk, CrowdStrike, SumoLogic, etc.
* Flags behavioral anomalies - deviations from the established baseline of an account or instance
* Monitors CloudTrail, VPC Flow Logs and more
* Continually updated detection sources
  * Public security intelligence feeds, e.g. lists of known malicious IP addresses
  * Partner intelligence feeds
  * Machine learning models that learn normal activity and flag abnormal behavior
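The detection types and the CloudWatch Events integration above come together when a finding reaches a responder. The following is an added example, not code from the page or from AWS: a Lambda-style handler that takes a GuardDuty finding in its EventBridge envelope, maps it onto the three detection categories listed above (reconnaissance, instance compromise, account compromise), labels its severity, and applies the same severity gate an EventBridge rule would. The finding types used are real GuardDuty type names; the events themselves, the alert threshold and the `RULE_PATTERN` rule are constructed for illustration.

```python
"""Classify and gate GuardDuty findings delivered via EventBridge (CloudWatch Events).

Added example. Sample events below are constructed, not captured GuardDuty output.
"""
from typing import Any, Dict, List

# GuardDuty's documented severity bands: Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9.
SEVERITY_BANDS = (("High", 7.0), ("Medium", 4.0), ("Low", 1.0))

# Assumed response policy: page on High findings only.
ALERT_THRESHOLD = 7.0

# The EventBridge rule pattern that would enforce that policy on the AWS side
# (assumed rule, shown so the local check below mirrors it).
RULE_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", ALERT_THRESHOLD]}]},
}


def severity_label(score: float) -> str:
    """Translate GuardDuty's numeric severity into its Low/Medium/High label."""
    for label, floor in SEVERITY_BANDS:
        if score >= floor:
            return label
    return "Informational"  # below 1.0 is not a documented band


def categorize(finding_type: str) -> str:
    """Map a finding type (ThreatPurpose:ResourceType/Name) to the page's three categories.

    The threat purpose decides reconnaissance; otherwise the affected resource
    decides whether an instance (EC2) or an account/identity (IAMUser) was hit.
    """
    purpose, _, rest = finding_type.partition(":")
    resource = rest.split("/", 1)[0]
    if purpose == "Recon":
        return "reconnaissance"
    if resource == "EC2":
        return "instance compromise"
    if resource == "IAMUser":
        return "account compromise"
    return "other"


def matches_rule(event: Dict[str, Any]) -> bool:
    """Local equivalent of RULE_PATTERN: right source, right detail-type, severity gate."""
    if event.get("source") != RULE_PATTERN["source"][0]:
        return False
    if event.get("detail-type") != RULE_PATTERN["detail-type"][0]:
        return False
    return float(event["detail"]["severity"]) >= ALERT_THRESHOLD


def handle(event: Dict[str, Any]) -> Dict[str, Any]:
    """Lambda-style entry point: summarize one finding and decide whether to alert."""
    detail = event["detail"]
    return {
        "id": detail["id"],
        "account": detail["accountId"],
        "region": detail["region"],
        "type": detail["type"],
        "category": categorize(detail["type"]),
        "severity": severity_label(float(detail["severity"])),
        "alert": matches_rule(event),
    }


def sample_event(finding_type: str, severity: float, finding_id: str) -> Dict[str, Any]:
    """Build a constructed EventBridge envelope around a minimal GuardDuty finding."""
    return {
        "source": "aws.guardduty",
        "detail-type": "GuardDuty Finding",
        "detail": {
            "id": finding_id,                 # constructed placeholder id
            "accountId": "111122223333",      # AWS documentation example account
            "region": "us-east-1",
            "type": finding_type,
            "severity": severity,
        },
    }


# Constructed findings, one per detection category on the page.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    sample_event("Recon:EC2/PortProbeUnprotectedPort", 2.0, "constructed-0001"),
    sample_event("UnauthorizedAccess:EC2/SSHBruteForce", 5.0, "constructed-0002"),
    sample_event("Stealth:IAMUser/CloudTrailLoggingDisabled", 8.0, "constructed-0003"),
]


def process_all(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Run the handler over a batch; only findings clearing the gate carry alert=True."""
    return [handle(e) for e in events]


if __name__ == "__main__":
    for summary in process_all(SAMPLE_EVENTS):
        print(summary)
```

Note that the severity gate is applied twice on purpose: in the EventBridge rule so that low-value findings never invoke the function, and again in `matches_rule` so the handler stays correct if it is later wired to a broader rule. Anything that does not clear the gate is still worth keeping in the finding history, since reconnaissance findings are often the first sign of the instance or account compromise that follows.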
