GuardDuty

  • Managed threat detection service: nothing to deploy or patch, you enable it per region and it starts analysing the log sources listed below

  • Continuously monitors AWS accounts and workloads for malicious activity and unauthorised behaviour; with AWS Organizations a delegated administrator account enables it for, and sees findings from, every member account

  • Detection types

    • Reconnaissance: port scans and probes of unprotected ports on instances, brute-force attempts, API calls from known scanner or malicious IPs, etc.

    • Instance compromises: communication with known malicious or C2 hosts, cryptocurrency mining, spambot activity, outbound SSH or RDP brute force launched from the instance, EC2 instance credentials used from outside AWS (credential exfiltration), etc.

    • Account compromises: API calls from Tor or known malicious IPs, CloudTrail logging disabled, password policy weakened, unusual API activity for that identity (new region, new user agent, discovery-style calls), etc.

  • Findings appear in a simple console dashboard and can also be exported to S3 and sent to Security Hub

  • Each finding is published as an EventBridge event (formerly CloudWatch Events), so a rule can trigger Lambda, SNS or a SIEM; partner integrations include Splunk, CrowdStrike, Sumo Logic, etc.

  • Detects behavioural anomalies, not only signature matches: it baselines normal API and network activity per account and raises findings on deviations

  • Monitors CloudTrail management events, VPC Flow Logs and DNS query logs by default, read from its own independent stream, so you do not have to enable or pay to store those logs yourself. Caveat: DNS findings only cover queries that go through the AWS (Route 53 Resolver) DNS, not a third-party resolver configured on the instance

  • Continually updated detection content

    • Threat intelligence feeds: AWS security feeds plus partner feeds (e.g. CrowdStrike, Proofpoint) of known malicious IP addresses and domains

    • Your own lists: a trusted IP list (never generates findings) and threat IP lists (always generate findings) can be uploaded per account

    • Machine learning models that learn an account's normal behaviour and flag abnormal behaviour (e.g. API calls from a region, ASN or user agent never seen before for that identity)
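Added example, not part of these notes and not AWS code: a Lambda-style handler that shows the EventBridge trigger path end to end. It carries two event patterns as an EventBridge rule would (a severity filter and a finding-type filter), applies them to incoming findings with a small matcher that supports the exact, `prefix` and `numeric` forms, and reduces a matched finding to a triage record mapped onto the three detection categories above. The finding-type rule exists because a severity-only rule silently drops low-severity but high-value findings such as CloudTrail logging being disabled. The rule names, account, instance ID, user name and IP addresses are constructed.

```python
"""Route and triage GuardDuty findings delivered through EventBridge (added example)."""
from typing import List, Optional

# Event patterns exactly as an EventBridge rule would carry them. GuardDuty publishes
# findings with source "aws.guardduty" and detail-type "GuardDuty Finding".
RULES = {
    "high-severity": {                       # rule names are assumptions
        "source": ["aws.guardduty"],
        "detail-type": ["GuardDuty Finding"],
        "detail": {"severity": [{"numeric": [">=", 7]}]},
    },
    "stealth-or-iam": {
        "source": ["aws.guardduty"],
        "detail-type": ["GuardDuty Finding"],
        "detail": {"type": [{"prefix": "Stealth:"}, {"prefix": "UnauthorizedAccess:IAMUser/"}]},
    },
}

_NUMERIC_OPS = {"=": lambda a, b: a == b, ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
                "<": lambda a, b: a < b, "<=": lambda a, b: a <= b}


def _value_matches(actual, alternatives) -> bool:
    """Leaf patterns are lists: the value matches if any alternative does."""
    for alt in alternatives:
        if isinstance(alt, dict) and "prefix" in alt:
            if isinstance(actual, str) and actual.startswith(alt["prefix"]):
                return True
        elif isinstance(alt, dict) and "numeric" in alt:
            spec = alt["numeric"]  # [">=", 7] or a range such as [">", 4, "<=", 8]
            pairs = zip(spec[0::2], spec[1::2])
            if isinstance(actual, (int, float)) and all(_NUMERIC_OPS[op](actual, n) for op, n in pairs):
                return True
        elif actual == alt:
            return True
    return False


def matches_pattern(event: dict, pattern: dict) -> bool:
    """Every key in the pattern must exist in the event and match (EventBridge semantics)."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches_pattern(event[key], expected):
                return False
        elif not _value_matches(event[key], expected):
            return False
    return True


def severity_label(score: float) -> str:
    """Bands from the GuardDuty docs: Low 1-3.9, Medium 4-6.9, High 7-8.9, Critical 9+."""
    return "Critical" if score >= 9 else "High" if score >= 7 else "Medium" if score >= 4 else "Low"


def classify(finding_type: str) -> str:
    """Map ThreatPurpose:ResourceType/ThreatFamily... onto the three categories in the notes."""
    purpose, _, rest = finding_type.partition(":")
    resource = rest.split("/", 1)[0]
    if purpose == "Recon":
        return "reconnaissance"
    if resource in ("IAMUser", "Credential"):
        return "account compromise"
    if resource in ("EC2", "Runtime", "Container"):
        return "instance compromise"
    return "other"


def route(event: dict) -> List[str]:
    """Names of the rules whose pattern the event satisfies."""
    return [name for name, pattern in RULES.items() if matches_pattern(event, pattern)]


def triage(event: dict) -> Optional[dict]:
    """Compact record for the responder, or None when no rule matched."""
    matched = route(event)
    if not matched:
        return None
    d = event["detail"]
    action = d.get("service", {}).get("action", {})
    remote_ip = None
    for key in ("networkConnectionAction", "awsApiCallAction"):  # actor IP lives under the action type
        remote_ip = remote_ip or action.get(key, {}).get("remoteIpDetails", {}).get("ipAddressV4")
    res = d.get("resource", {})
    resource_id = (res.get("instanceDetails", {}).get("instanceId")
                   or res.get("accessKeyDetails", {}).get("userName"))
    return {"rules": matched, "type": d["type"], "category": classify(d["type"]),
            "severity": severity_label(d["severity"]), "account": d["accountId"],
            "region": d["region"], "resource": resource_id, "remote_ip": remote_ip,
            "count": d.get("service", {}).get("count", 1)}


def lambda_handler(event: dict, context=None) -> dict:
    """Entry point as Lambda calls it when an EventBridge rule targets this function."""
    return triage(event) or {}


def _event(ftype, severity, resource, action):
    """Constructed, trimmed GuardDuty EventBridge event (account, IDs and IPs are made up)."""
    return {"version": "0", "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
            "account": "111122223333", "region": "us-east-1",
            "detail": {"type": ftype, "severity": severity, "accountId": "111122223333",
                       "region": "us-east-1", "resource": resource,
                       "service": {"action": action, "count": 15}}}


SAMPLE_OUTBOUND_SSH = _event("UnauthorizedAccess:EC2/SSHBruteForce", 8.0,
    {"resourceType": "Instance", "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
    {"actionType": "NETWORK_CONNECTION", "networkConnectionAction": {
        "connectionDirection": "OUTBOUND", "remoteIpDetails": {"ipAddressV4": "198.51.100.23"}}})
SAMPLE_PORT_PROBE = _event("Recon:EC2/PortProbeUnprotectedPort", 2.0,
    {"resourceType": "Instance", "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
    {"actionType": "PORT_PROBE", "portProbeAction": {"blocked": False}})
SAMPLE_CLOUDTRAIL_OFF = _event("Stealth:IAMUser/CloudTrailLoggingDisabled", 2.0,
    {"resourceType": "AccessKey", "accessKeyDetails": {"userName": "deploy-bot"}},
    {"actionType": "AWS_API_CALL", "awsApiCallAction": {
        "api": "StopLogging", "remoteIpDetails": {"ipAddressV4": "203.0.113.9"}}})
```

Running `route()` over the three samples gives `["high-severity"]` for the outbound SSH brute force, nothing for the low-severity port probe, and `["stealth-or-iam"]` for the CloudTrail finding; the last one would be lost entirely if only the severity rule existed, which is the reason to keep a type-based rule beside it.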
