Understanding and generating Amazon GuardDuty findings - Amazon GuardDuty

Understanding and generating Amazon GuardDuty findings

A GuardDuty finding represents a potential security issue detected within AWS accounts, workloads, and data. GuardDuty generates a finding whenever it detects unexpected and potentially malicious activity in your AWS environment.

You can view and manage your GuardDuty findings on the Findings page in the GuardDuty console, or by using the AWS CLI or API operations. For information on how you can manage GuardDuty findings, see Managing Amazon GuardDuty findings.

Topics:

GuardDuty finding format

Understand the format of GuardDuty finding types and different threat purposes that GuardDuty tracks.

Sample findings

Generate sample findings in the GuardDuty console, or by using GuardDuty API or AWS CLI commands. The generated sample findings include fictitious details to help you understand the finding details associated with each GuardDuty finding. These findings are marked with a prefix [SAMPLE].

Test GuardDuty findings in dedicated accounts

You can test specific GuardDuty findings in your environment. Run guardduty-tester script in a dedicated non-production AWS account. For GuardDuty to detect and simulate findings, it will deploy certain resources in your environment. This experience is different than generating sample findings.

Viewing generated findings in GuardDuty console

Learn how to review the generated findings in the GuardDuty console.

Severity levels of GuardDuty findings

Each GuardDuty finding has an associated severity level that reflects the potential risk in your AWS environment. This section explains what each severity level signify.

Finding details

Learn about the details associated with GuardDuty findings that get generated in your account. This topic includes the details associated with foundational threat detection, Extended Threat Detection, and dedicated protection plans in GuardDuty.

GuardDuty finding aggregation

Learn how GuardDuty handles multiple occurrences of the same finding type. By aggregating detected same finding types, GuardDuty updates the original finding type with the latest details.

GuardDuty finding types

This section enlists GuardDuty finding types by the associated Foundational data sources or Mapped GuardDuty feature. To learn about each finding type, select that finding for further details, such as its description and potential steps to remediate the finding.