AWS Cloud | ~20 mins

GuardDuty for threat detection in AWS - Practice Problems & Coding Challenges

Challenge - 5 Problems
Category: Conceptual | Difficulty: intermediate
How does AWS GuardDuty detect threats?

AWS GuardDuty analyzes data from various sources to detect threats. Which data source is NOT used by GuardDuty for threat detection?

A. VPC Flow Logs
B. AWS CloudTrail event logs
C. DNS logs
D. Amazon S3 bucket contents
💡 Hint

Think about what GuardDuty monitors automatically without needing to scan stored files.

Category: Service behavior | Difficulty: intermediate
GuardDuty finding behavior on EC2 instance compromise

Which GuardDuty finding type would most likely indicate that an EC2 instance is compromised and communicating with a known malicious IP?

A. Recon:EC2/PortProbeUnprotectedPort
B. Backdoor:EC2/C&CActivity
C. UnauthorizedAccess:EC2/SSHBruteForce
D. CryptoCurrency:EC2/BitcoinTool
💡 Hint

Look for findings that indicate command and control activity.

Category: Architecture | Difficulty: advanced
GuardDuty multi-account architecture

You want to enable GuardDuty across multiple AWS accounts in your organization. What is the recommended architecture to centralize threat findings?

A. Use AWS Organizations to designate a GuardDuty master account to manage findings from member accounts.
B. Enable GuardDuty independently in each account without a master account.
C. Deploy GuardDuty only in the root account and rely on CloudTrail aggregation for others.
D. Use AWS Config rules to forward GuardDuty findings to a central S3 bucket.
💡 Hint

Think about how AWS Organizations integrates with GuardDuty for centralized management.

Category: Security | Difficulty: advanced
GuardDuty finding suppression and security best practice

You receive frequent GuardDuty findings for a known benign IP address communicating with your environment. What is the best security practice to handle these findings?

A. Add the IP address to a trusted IP list in GuardDuty to reduce false positives.
B. Disable GuardDuty to stop receiving these findings.
C. Create a suppression rule in GuardDuty to ignore findings from that IP.
D. Investigate and whitelist the IP address in your firewall to prevent alerts.
💡 Hint

Consider how to reduce noise without disabling threat detection.

Category: Configuration | Difficulty: expert
GuardDuty finding JSON analysis

Given this GuardDuty finding snippet, what is the value of service.action.actionType?

{
  "service": {
    "action": {
      "actionType": "NETWORK_CONNECTION",
      "networkConnectionAction": {
        "remoteIpDetails": {
          "ipAddressV4": "203.0.113.25",
          "organization": {
            "asn": 12345,
            "asnOrg": "ExampleOrg"
          }
        },
        "protocol": "TCP",
        "localPortDetails": {
          "port": 443
        },
        "remotePortDetails": {
          "port": 8080
        }
      }
    }
  }
}
A. "NETWORK_CONNECTION"
B. "DNS_REQUEST"
C. "PORT_PROBE"
D. "API_CALL"
💡 Hint

Look carefully at the JSON key actionType inside service.action.