Finding Specific Actions in CloudTrail

Question

Hi, all,
New to the community so will do my best to follow the dos and don't but a bit of a AWS novice so bear with me. 
It was noticed that the new "Malware Protection" trial had started in our AWS environment. However, nobody knows who did it, whether it was set up to continue after, etc. I went to CloudTrail to try and search for any indicators and all I can see is where folks have looked at the service page, but not necessarily enabled the service or activated the trial. Does anyone know of the correct attributes/parameters to use to determine this?
Thank you!

Answer

Hi and welcome to the community!

You can search for the [updateDetector](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_UpdateDetector.html) event name to find who updated the Guard Duty configuration.

![Enter image description here](/media/postImages/original/IMpYAhrYlhSgGyQcEI-3S9LQ)

In particular you should search to see if `scanEc2InstanceWithFindings` is set to true.
```
    "requestParameters": {
        "detectorId": "56bf249c0b2004c6e5f32f00b3cfda80",
        "enable": true,
        "findingPublishingFrequency": "SIX_HOURS",
        "dataSources": {
            "malwareProtection": {
                "scanEc2InstanceWithFindings": {
                    "ebsVolumes": true
                }
            }
        }
    },
```

Finding Specific Actions in CloudTrail

관련 콘텐츠