Managing Amazon GuardDuty findings
GuardDuty offers several important features to help you sort, store, and manage your findings. These features help you tailor findings to your specific environment, reduce noise from low-value findings, and focus on threats to your unique AWS environment. Review the topics on this page to understand how you can use these features to increase the value of GuardDuty's findings.
Topics:
- Filtering findings
  Learn how to filter GuardDuty findings based on criteria you specify.
- Suppression rules
  Learn how to automatically filter the findings GuardDuty alerts you to through suppression rules. Suppression rules automatically archive findings that match filters you define.
- Working with trusted IP lists and threat lists
  Customize the GuardDuty monitoring scope using trusted IP lists and threat lists based on publicly routable IP addresses. Trusted IP lists prevent non-DNS findings from being generated for IPs you consider trusted, while threat intel lists cause GuardDuty to alert you to activity from user-defined IPs.
- Exporting findings
  Configure automatic export of your findings to an S3 bucket so you can keep records beyond the 90-day findings retention period. This historical data can be used to track suspicious activity in your account and help you evaluate whether your remediation actions were successful.
- Creating custom responses to GuardDuty findings with Amazon CloudWatch Events
  Set up automatic notifications for GuardDuty findings through Amazon CloudWatch Events. You can also automate other tasks through CloudWatch Events to help you respond to findings.
- Understanding CloudWatch Logs and reasons for skipping resources during Malware Protection scan
  Learn how to audit the CloudWatch Logs for GuardDuty Malware Protection and the reasons why your impacted Amazon EC2 instance or Amazon EBS volumes may have been skipped during the scanning process.
- Reporting false positives in GuardDuty Malware Protection
  Learn about the false positive experience in GuardDuty Malware Protection and how you can report false positive threat detections.