
AWS CloudTrail Insights vs GuardDuty

CloudTrail Insights identifies anomalies in CloudTrail events, and CloudTrail events are one of the inputs to GuardDuty. It looks like both CloudTrail Insights and GuardDuty provide a similar service.

I would like to know the differences between the two. AWS provides a lot of similar services.

There are a few categories of data that GuardDuty will look at that won't be looked at by CloudTrail Insights, including VPC Flow Logs and DNS logs (if you are using VPC DNS resolution). That means alerts for things like port scanners (even if both the origin and the destinations are within your VPCs) and DNS lookups that might indicate a compromise. It can also produce alerts for things like 'known-bad' actors interacting (or trying to interact) with your machines. Of course, there are false positives for all of these, but these are things that GuardDuty can do that CloudTrail Insights won't.

It is a bit unclear whether the machine learning for 'anomalies' that CloudTrail Insights applies is the same as or different from the machine learning that GuardDuty applies to CloudTrail logs. However, it generally appears that GuardDuty is more tilted towards indications of actual compromise, whereas Insights is more about 'unusual' API activity.
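The distinction the answer draws (Insights only sees management-event API call and error rates and reports a deviation from baseline; GuardDuty reports a named finding type derived from CloudTrail, VPC Flow Logs or DNS logs) shows up concretely in the shape of what each service emits. The following is an added example, not code from the question or answer, that normalizes both into one alert record and tags each with the telemetry it came from. The sample events are constructed to mimic the documented JSON shapes of a CloudTrail Insights event record (as written to the trail) and the `detail` of a GuardDuty finding delivered through EventBridge; the account, instance and user identifiers and the severity values are placeholders, and the `Alert` class, `triage` function and `GUARDDUTY_ACTION_SOURCE` map are this example's own.

```python
"""Normalize CloudTrail Insights events and GuardDuty findings into one alert shape.

Added example, not part of the original post. Sample events below are
constructed to mimic the documented formats; they are not real captures.
"""
from dataclasses import dataclass
from typing import Optional

# GuardDuty's service.action.actionType tells you which telemetry produced the
# finding. Only AWS_API_CALL overlaps with what CloudTrail Insights can see.
# (Mapping assumed here for illustration; the actionType values are documented.)
GUARDDUTY_ACTION_SOURCE = {
    "PORT_PROBE": "vpc_flow_logs",
    "NETWORK_CONNECTION": "vpc_flow_logs",
    "DNS_REQUEST": "dns_logs",
    "AWS_API_CALL": "cloudtrail",
}


@dataclass
class Alert:
    producer: str              # "cloudtrail_insights" or "guardduty"
    data_source: str           # telemetry the alert was derived from
    kind: str                  # "unusual_api_activity" or "possible_compromise"
    summary: str
    severity: Optional[float]  # GuardDuty numeric severity; Insights has none
    ratio: Optional[float]     # observed/baseline rate for Insights; None otherwise


def parse_insights_event(record: dict) -> Optional[Alert]:
    """Turn a CloudTrail Insights event record into an Alert.

    Insights only knows about management-event API call volume and error
    rates, so every alert is tagged 'unusual_api_activity' from CloudTrail.
    """
    if record.get("eventType") != "AwsCloudTrailInsight":
        return None
    details = record["insightDetails"]
    # Each insight is written twice, as a "Start" and an "End" record.
    # Alert once, on Start, so the same anomaly does not page twice.
    if details.get("state") != "Start":
        return None
    stats = details["insightContext"]["statistics"]
    baseline = stats["baseline"]["average"]
    observed = stats["insight"]["average"]
    ratio = observed / baseline if baseline else float("inf")
    what = f"{details['eventSource']} {details['eventName']}"
    if details["insightType"] == "ApiErrorRateInsight":
        what += f" errors ({details.get('errorCode', 'unknown')})"
    return Alert(
        producer="cloudtrail_insights",
        data_source="cloudtrail",
        kind="unusual_api_activity",
        summary=(f"{what}: observed rate {observed:.3g} vs baseline {baseline:.3g} "
                 f"({ratio:.0f}x over {stats['insightDuration']} min)"),
        severity=None,
        ratio=ratio,
    )


def parse_guardduty_finding(detail: dict) -> Optional[Alert]:
    """Turn the 'detail' of a GuardDuty EventBridge event into an Alert.

    The finding type states what GuardDuty believes is happening (recon,
    backdoor, unauthorized access, ...), so it is tagged 'possible_compromise'
    whichever telemetry fed it.
    """
    if "type" not in detail or "service" not in detail:
        return None
    action = detail["service"].get("action", {}).get("actionType", "UNKNOWN")
    resource = detail.get("resource", {})
    target = resource.get("resourceType", "resource")
    if target == "Instance":
        target = resource["instanceDetails"]["instanceId"]
    elif target == "AccessKey":
        target = resource["accessKeyDetails"]["userName"]
    return Alert(
        producer="guardduty",
        data_source=GUARDDUTY_ACTION_SOURCE.get(action, "unknown"),
        kind="possible_compromise",
        summary=f"{detail['type']} on {target}",
        severity=float(detail["severity"]),
        ratio=None,
    )


def triage(events: list) -> list:
    """Dispatch a mixed batch of records on their shape and drop non-alerts."""
    alerts = []
    for event in events:
        if event.get("eventType") == "AwsCloudTrailInsight":
            alert = parse_insights_event(event)
        elif "type" in event and "service" in event:
            alert = parse_guardduty_finding(event)
        else:
            alert = None
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample input: one Insights anomaly (Start + End records) and two
# GuardDuty findings, one from VPC Flow Logs and one from DNS logs.
_INSIGHT_START = {
    "eventVersion": "1.07", "eventType": "AwsCloudTrailInsight",
    "awsRegion": "us-east-1", "recipientAccountId": "123456789012",
    "insightDetails": {
        "state": "Start", "eventSource": "autoscaling.amazonaws.com",
        "eventName": "CompleteLifecycleAction", "insightType": "ApiCallRateInsight",
        "insightContext": {"statistics": {
            "baseline": {"average": 0.0000882145}, "insight": {"average": 0.6},
            "insightDuration": 5, "baselineDuration": 11336}},
    },
}
_INSIGHT_END = {**_INSIGHT_START,
                "insightDetails": {**_INSIGHT_START["insightDetails"], "state": "End"}}
SAMPLE_EVENTS = [
    _INSIGHT_START,
    _INSIGHT_END,
    {"type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 2.0,
     "resource": {"resourceType": "Instance",
                  "instanceDetails": {"instanceId": "i-0abc123def4567890"}},
     "service": {"serviceName": "guardduty", "action": {"actionType": "PORT_PROBE"}}},
    {"type": "Backdoor:EC2/C&CActivity.B!DNS", "severity": 8.0,
     "resource": {"resourceType": "Instance",
                  "instanceDetails": {"instanceId": "i-0fedcba9876543210"}},
     "service": {"serviceName": "guardduty", "action": {"actionType": "DNS_REQUEST"}}},
]

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"[{a.producer}/{a.data_source}] {a.kind}: {a.summary}")
```

Run as a script it prints three alerts, not four: the Insights "End" record is deliberately dropped because it closes the anomaly the "Start" record already raised. The two GuardDuty findings carry no CloudTrail data at all (their `actionType` is `PORT_PROBE` and `DNS_REQUEST`), which is the category of signal the answer says CloudTrail Insights cannot produce.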
