Understanding and generating Amazon GuardDuty findings
A GuardDuty finding represents a potential security issue detected within AWS accounts, workloads, and data. GuardDuty generates a finding whenever it detects unexpected and potentially malicious activity in your AWS environment.
You can view and manage your GuardDuty findings on the Findings page in the GuardDuty console, or by using the AWS CLI or API operations. For information on how you can manage GuardDuty findings, see Managing Amazon GuardDuty findings.
Topics:
- GuardDuty finding format
-
Understand the format of GuardDuty finding types and different threat purposes that GuardDuty tracks.
- Sample findings
-
Generate sample findings in the GuardDuty console, or by using GuardDuty API or AWS CLI commands. The generated sample findings include fictitious details to help you understand the finding details associated with each GuardDuty finding. These findings are marked with a prefix [SAMPLE].
- Test GuardDuty findings in dedicated accounts
-
You can test specific GuardDuty findings in your environment. Run
guardduty-tester
script in a dedicated non-production AWS account. For GuardDuty to detect and simulate findings, it will deploy certain resources in your environment. This experience is different than generating sample findings. - Viewing generated findings in GuardDuty console
-
Learn how to review the generated findings in the GuardDuty console.
- Severity levels of GuardDuty findings
-
Each GuardDuty finding has an associated severity level that reflects the potential risk in your AWS environment. This section explains what each severity level signify.
- Finding details
-
Learn about the details associated with GuardDuty findings that get generated in your account. This topic includes the details associated with foundational threat detection, Extended Threat Detection, and dedicated protection plans in GuardDuty.
- GuardDuty finding aggregation
-
Learn how GuardDuty handles multiple occurrences of the same finding type. By aggregating detected same finding types, GuardDuty updates the original finding type with the latest details.
- GuardDuty finding types
-
This section enlists GuardDuty finding types by the associated Foundational data sources or Mapped GuardDuty feature. To learn about each finding type, select that finding for further details, such as its description and potential steps to remediate the finding.