Finding Specific Actions in CloudTrail

0

Hi, all, New to the community so will do my best to follow the dos and don'ts, but a bit of an AWS novice so bear with me. It was noticed that the new "Malware Protection" trial had started in our AWS environment. However, nobody knows who did it, whether it was set up to continue after, etc. I went to CloudTrail to try and search for any indicators and all I can see is where folks have looked at the service page, but not necessarily enabled the service or activated the trial. Does anyone know of the correct attributes/parameters to use to determine this? Thank you!

1 Answer
1

Hi and welcome to the community!

You can search for the updateDetector event name to find who updated the GuardDuty configuration.


In particular you should search to see if scanEc2InstanceWithFindings is set to true.

    "requestParameters": {
        "detectorId": "56bf249c0b2004c6e5f32f00b3cfda80",
        "enable": true,
        "findingPublishingFrequency": "SIX_HOURS",
        "dataSources": {
            "malwareProtection": {
                "scanEc2InstanceWithFindings": {
                    "ebsVolumes": true
                }
            }
        }
    },
AWS
answered a year ago
  • Thanks. I followed your guidance and it isn't showing me any events. I know we have logging enabled as a user search shows events. Does logging need to be enabled separately for the config changes?
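As an added example (not code from the answer above or from AWS), here is a small Python script that takes records in the shape returned by `aws cloudtrail lookup-events` and keeps only the detector changes that actually set Malware Protection for EC2, reporting who made them and in which region (GuardDuty detectors and CloudTrail event history are both regional, so an empty result in one region does not rule out another). It recognises both the `dataSources` form shown in the answer and the newer `features` form with `EBS_MALWARE_PROTECTION`; the sample records, account id and detector id are constructed.

```python
import json

def _record(time, region, arn, params):
    """Build a constructed lookup-events style record (CloudTrailEvent is a JSON string)."""
    detail = {"eventTime": time, "eventName": "UpdateDetector", "awsRegion": region,
              "userIdentity": {"type": "IAMUser", "arn": arn},
              "requestParameters": {"detectorId": "EXAMPLE-DETECTOR-ID", **params}}
    return {"EventName": "UpdateDetector", "CloudTrailEvent": json.dumps(detail)}

# Constructed sample records: one legacy dataSources form, one newer features form,
# and one unrelated detector update that only changed the publishing frequency.
SAMPLE_EVENTS = [
    _record("2024-05-01T09:12:44Z", "eu-west-1", "arn:aws:iam::123456789012:user/alice",
            {"dataSources": {"malwareProtection": {"scanEc2InstanceWithFindings": {"ebsVolumes": True}}}}),
    _record("2024-05-02T10:00:00Z", "us-east-1", "arn:aws:sts::123456789012:assumed-role/Admin/bob",
            {"features": [{"name": "EBS_MALWARE_PROTECTION", "status": "ENABLED"}]}),
    _record("2024-05-03T11:30:00Z", "eu-west-1", "arn:aws:iam::123456789012:user/carol",
            {"findingPublishingFrequency": "SIX_HOURS"}),
]

def malware_protection_setting(params):
    """Return True/False if the request enabled/disabled EBS malware scanning, else None."""
    legacy = params.get("dataSources", {}).get("malwareProtection", {}).get("scanEc2InstanceWithFindings", {})
    if "ebsVolumes" in legacy:
        return bool(legacy["ebsVolumes"])
    for feature in params.get("features", []):
        if feature.get("name") == "EBS_MALWARE_PROTECTION":
            return feature.get("status") == "ENABLED"
    return None  # the request did not touch Malware Protection for EC2

def find_malware_protection_changes(events):
    """Pick out detector create/update records that changed Malware Protection for EC2."""
    hits = []
    for record in events:
        if record.get("EventName") not in ("UpdateDetector", "CreateDetector"):
            continue
        detail = json.loads(record["CloudTrailEvent"])
        params = detail.get("requestParameters") or {}
        setting = malware_protection_setting(params)
        if setting is None:
            continue
        identity = detail.get("userIdentity", {})
        hits.append({"time": detail["eventTime"], "region": detail["awsRegion"],
                     "actor": identity.get("arn", identity.get("type")),
                     "detectorId": params.get("detectorId"), "ebsScanningEnabled": setting})
    return hits

if __name__ == "__main__":
    for hit in find_malware_protection_changes(SAMPLE_EVENTS):
        print(hit)
```

To run it against a real account, replace SAMPLE_EVENTS with the `Events` list from `aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=UpdateDetector` for each region where GuardDuty is used.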
