Generating sample findings in GuardDuty - Amazon GuardDuty
Generating sample findings through the GuardDuty console or APIAutomatically generating common GuardDuty findings

Generating sample findings in GuardDuty

You can generate sample findings with Amazon GuardDuty to help you visualize and understand the various finding types that GuardDuty can generate. When you generate sample findings, GuardDuty populates your current findings list with one sample finding for each supported finding type.

The generated samples are approximations populated with placeholder values. These samples may look different from real findings for your environment, but you can use them to test various configurations for GuardDuty, such as your CloudWatch Events or filters. For a list of available values for finding types are listed in Finding types table.

To generate some common findings based on simulated activity within your environment see Automatically generating common GuardDuty findings below.

Generating sample findings through the GuardDuty console or API

Choose your preferred access method to generate sample findings.

Note

The console method generates one of each finding type. Single sample findings can only be generated through the API.

Console

Use the following procedure to generate sample findings. This process generates one sample finding for each GuardDuty finding type.

  1. Open the GuardDuty console at https://console.aws.amazon.com/guardduty/.

  2. In the navigation pane, choose Settings.

  3. On the Settings page, under Sample findings, choose Generate sample findings.

  4. In the navigation pane, choose Findings. The sample findings are displayed on the Current findings page with the prefix [SAMPLE].

API/CLI

You can generate a single sample finding matching any of the GuardDuty finding types through the CreateSampleFindings API, the available values for finding types are listed in Finding types table.

This is useful for the testing of CloudWatch Events rules or automation based on findings. The following example shows how to generate a single sample finding of the Backdoor:EC2/DenialOfService.Tcp type using the AWS CLI.

To find the detectorId for your account and current Region, see Settings page in the https://console.aws.amazon.com/guardduty/ console.

aws guardduty create-sample-findings --detector-id 12abc34d567e8fa901bc2d34e56789f0 --finding-types Backdoor:EC2/DenialOfService.Tcp

The title of sample findings generated through these methods always begins with [SAMPLE] in the console. Sample findings have a value of "sample": true in the additionalInfo section of the finding JSON details.

Automatically generating common GuardDuty findings

You can use the following scripts to automatically generate several common GuardDuty findings. The guardduty-tester.template uses AWS CloudFormation to create an isolated environment with a bastion host, a tester Amazon EC2 instance that you can access through SSH, and two target EC2 instances. Then you can run guardduty_tester.sh to start an interaction between the tester EC2 instance, the target Windows EC2 instance, and the target Linux EC2 instance, to simulate five types of common attacks that GuardDuty can detect and notify you about with generated findings.

  1. As a prerequisite, you must enable GuardDuty in the account and Region in which you want to run guardduty-tester.template and guardduty_tester.sh. For more information about enabling GuardDuty, see Getting started with GuardDuty.

    You must also generate a new or use an existing EC2 key pair in each Region in which you want to run these scripts. This EC2 key pair is used as a parameter in the guardduty-tester.template script that you use to create a new CloudFormation stack. For more information about generating key pairs, see Amazon EC2 key pairs.

  2. Create a new CloudFormation stack using guardduty-tester.template. For detailed instructions about creating a stack, see Creating a stack. Before you run guardduty-tester.template, modify it with values for the following parameters: Stack Name to identify your new stack, Availability Zone where you want to run the stack, and Key Pair that you can use to launch the EC2 instances. Then you can use the corresponding private key to access EC2 instances through SSH.

    The guardduty-tester.template takes around 10 minutes to run and complete. It creates your environment and copies guardduty_tester.sh onto your tester EC2 instance.

  3. In the AWS CloudFormation console, choose the checkbox next to your new running AWS CloudFormation stack. In the displayed set of tabs, select the Output tab. Note the IP addresses assigned to the bastion host and the tester EC2 instance. You need both of these IP addresses in order to access the tester EC2 instance through SSH.

  4. Create the following entry in your ~/.ssh/config file to log into your instance through the bastion host.

    Host bastion
        HostName {Elastic IP Address of Bastion}
        User ec2-user
        IdentityFile ~/.ssh/{your-ssh-key.pem}
Host tester
        ForwardAgent yes
        HostName {Local IP Address of RedTeam Instance}
        User ec2-user
        IdentityFile ~/.ssh/{your-ssh-key.pem}
        ProxyCommand ssh bastion nc %h %p
        ServerAliveInterval 240

    Now you can call $ ssh tester to log into your target EC2 instance. For more information about configuring and connecting to EC2 instances through bastion hosts, see https://aws.amazon.com/blogs/security/securely-connect-to-linux-instances-running-in-a-private-amazon-vpc/.

  5. After you connect to the tester EC2 instance, run guardduty_tester.sh to initiate interaction between your tester and target EC2 instances, simulate attacks, and generate GuardDuty findings.