Here are some of the things that GuardDuty can detect:
- EC2 instance compromise
- Account compromise
- Connections from geographic locations that are not associated with routine use
- Unusual API calls
- DNS queries that are not associated with normal account activity
- Connections to external IP addresses that are known to be associated with bad actors
- Failed login requests
- Port scanning