AWS Guard Duty Support

Guard Duty is a basic, easy-to-use intrusion detection system provided by Amazon Web services. The main benefit of Guard Duty is that is extremely easy to setup (one click). Over time, the user can customize the detection and prevention rules to make the AWS findings more useful.

One big draw back of Guard Duty is that it provides very little forensic and correlation capabilities. As with most intrusion detection systems, the user can only look at single events in isolation without the ability of investigating why they where generated within a more general security context. Without this deeper understanding, single events are not very useful and, more importantly, by themselves may fail to reveal more important security insights.

MetaFlows now supports the analysis and correlation of AWS Guard Duty events thus providing a more advanced forensic capability through the MetaFlows Security System (which includes full packet logging, pcap generation and a number of advanced forensic tools) .


Guard Duty only works within each availability zone; therefore you will need a MetaFlows sensor running in the same availability zone where you want to run Guard Duty.

Below are the steps necessary to forward guard duty events to a MetaFlows sensor.

  • Enable Guard Duty.
  • Find out your Guard Duty MetaFlows port for the sensor to which you want to export Guard Duty events. Please contact MetaFlows’ support on how to find this value
  • Go to the Amazon SNS service and create a topic called guardduty Note: The Amazon SNS topic must be in the same Region as your AWS Guard Duty service.
  • Open the CloudWatch console.
  • In the navigation pane, choose Rules, and then choose Create rule.
  • From the Service Name menu, choose GuardDuty.
  • From the Event Type menu, choose GuardDuty Finding.
  • In Targets, choose Add target.
  • In Select Target, choose SNS topic.
  • In Select Topic, choose your SNS topic guardduty
  • Click configure details and enter a mnemonic name like Guarddutytometaflows
  • Go back to the SNS console and select the topic guardduty
  • Click on Create subscription
  • Select HTTPS protocol
  • Under endpoint enter<port> where <port> is the port number that you obtained in step 2 and click on Create subscription
  • Click on Subscriptions and verify the new subscription status is Confirmed

After the subscription is confirmed, you will start receiving Guard Duty Events in the MetaFlows system such as the ones below:

Samaple Guard Duty Events
Forensic Analysis Menu

As any other event type, Guard Duty events are aggregated by IP addresses, ports and classes so you can easily explore the event types hierarchically and correlate them with other MetaFlows events that share the same IP addresses. Importantly (as shown here) you can also run several forensic tools on the events including inspecting the payloads associated with the network activity that triggered the events. You can also easily start blocking the servers or the clients with our IPS system as well as initiate vulnerability scanning.

If you are interested in exploring how MetaFlows can augment AWS Guard Duty or other AWS security products, do not hesitate contacting us.

Thanks and Happy Hunting!

Cloud Agents Statistics

Many of you use the MetaFlows Security System to monitor cloud-based instances. Agents running on the instances send their network packets to the sensor for inspection. We now report the real time bandwidth each agent produces.

The sensors which receive network traffic from agents will now have a clickable button that reveals the agents’ statistics.

Clicking on the button, will open a table with each agent IP address, the source port being used and the Kbps being sent. These stats change in real time.

Hovering will reveal some passive host discovery information (DNS, MAC, DHCP info, HTTP Agents, Proxies, etc). Clicking on each agent IP will open up an historical report for that IP to see what that instance has been up to in the last day or so.

And, ho, yeah.. we added some links on the dashboard. One can be used to rate us for Amazon (30 seconds survey) and one for Gertner (this will take you 10-15 minutes or so but they give you a $25 gift card). We would appreciate if you could give us feedback.


Feel free to contact us if you have any questions. Happy Hunting!

The Next Layer of Defense is Here!

The researchers from the article below “…expect their findings to be beneficial to enterprises and other organizations in developing the next layer of defense.”

The next layer of defense is already here. The MetaFlows Security System uses behavioral analysis (along with the traditional signature detection) in order to catch even the stealthiest of Malware. It can even catch things that were in the network before it was deployed!
Read the TechNewsWorld article below to find out more about why, regardless of company size, having the most intelligent network protection is key. Then go to to find out how to get the most intelligent network protection.

An IPS on Steroids

“An IPS on Steroids: MetaFlows Security System”

The secret behind the MetaFlows Security System (MSS) is that it really is a hybrid application. It collects data on the network and acts on malicious activity. So far, this is just about the same as any intrusion prevention system (IPS). But don’t be fooled. This is not just any IPS. Because it is a hybrid application – local and cloud-based – users get a lot of benefit from the cloud piece that are not available from a standard IPS. For example, a typical IPS gets its updates at whatever update interval the vendor determines. The updates usually are based on the efforts of the vendor’s threat assessment laboratory. Not so for MSS.
Peter Stephenson’s First Look at the MSS