Understanding and generating Amazon GuardDuty findings - Amazon GuardDuty

Understanding and generating Amazon GuardDuty findings

A GuardDuty finding represents a potential security issue detected within AWS accounts, workloads, and data. GuardDuty generates a finding whenever it detects unexpected and potentially malicious activity in your AWS environment.

You can view and manage your GuardDuty findings on the Findings page in the GuardDuty console, or by using the AWS CLI or API operations. For information on how you can manage GuardDuty findings, see Managing Amazon GuardDuty findings.

Topics:

GuardDuty finding format

Understand the format of GuardDuty finding type names and the threat purposes that GuardDuty tracks.

Sample findings

Generate sample findings in the GuardDuty console, or by using the GuardDuty API or AWS CLI. Sample findings contain fictitious details to help you understand the information associated with each GuardDuty finding type. Their titles are marked with the prefix [SAMPLE].

Test GuardDuty findings in dedicated accounts

You can test specific GuardDuty findings in your environment by running the guardduty-tester script in a dedicated, non-production AWS account. The script deploys resources in that account and performs activity that GuardDuty detects, so the findings it produces are real findings rather than sample findings with fictitious details.

Reviewing GuardDuty findings in GuardDuty console

Learn about the procedure for how to review the generated findings in the GuardDuty console.

Severity levels for GuardDuty findings

Each GuardDuty finding has an associated severity level that reflects the potential risk to your AWS environment. This section explains what each severity level signifies.

Finding details

Learn about the details associated with GuardDuty findings generated in your account. This topic covers the details associated with foundational threat detection as well as with the dedicated protection plans in GuardDuty.

GuardDuty finding aggregation

Learn how GuardDuty handles repeat occurrences of the same finding. Rather than creating a new finding for each occurrence, GuardDuty aggregates them into the original finding and updates it with the latest details.

GuardDuty finding types

This section lists GuardDuty finding types by their associated Foundational data source or Mapped GuardDuty feature. Select a finding type for further details, such as its description and recommended steps to remediate the finding.
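The finding format, severity levels, sample findings and aggregation topics above are easier to reason about with findings in hand. The following is an added example, not code from this documentation or from AWS: it parses finding type names into their ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.DetectionMechanism!Artifact parts, maps the numeric Severity field onto the documented Low/Medium/High/Critical bands, drops [SAMPLE] findings, and merges repeated exports so that an aggregated finding (same Id re-delivered with updated details and a higher Service.Count) stays one record instead of becoming a duplicate alert. The input is a constructed set of findings in the PascalCase shape that the GetFindings API returns; the Ids, account ID, timestamps and severity values are made up for the example, and only the fields the code reads are populated.

```python
"""Offline triage of Amazon GuardDuty findings (added example, not AWS code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Finding type names have the form
#   ThreatPurpose:ResourceTypeAffected/ThreatFamilyName.DetectionMechanism!Artifact
# where the DetectionMechanism and Artifact parts are optional
# (e.g. UnauthorizedAccess:EC2/SSHBruteForce vs. Backdoor:EC2/C&CActivity.B!DNS).
_TYPE_RE = re.compile(
    r"^(?P<purpose>[^:/.!]+):(?P<resource>[^:/.!]+)/(?P<family>[^.!]+)"
    r"(?:\.(?P<mechanism>[^!]+))?(?:!(?P<artifact>.+))?$"
)

# Lower bound of each documented severity band for the numeric Severity field:
# Critical 9.0-10.0, High 7.0-8.9, Medium 4.0-6.9, Low 1.0-3.9.
SEVERITY_FLOORS = (("Critical", 9.0), ("High", 7.0), ("Medium", 4.0), ("Low", 1.0))


@dataclass(frozen=True)
class FindingType:
    purpose: str
    resource: str
    family: str
    mechanism: Optional[str]
    artifact: Optional[str]


def parse_finding_type(name: str) -> FindingType:
    """Split a finding type name into its documented components."""
    m = _TYPE_RE.match(name)
    if not m:
        raise ValueError(f"not a GuardDuty finding type name: {name!r}")
    return FindingType(**m.groupdict())


def severity_label(score: float) -> str:
    """Map the numeric Severity field onto its severity level."""
    if not 1.0 <= score <= 10.0:
        raise ValueError(f"severity {score} is outside the documented 1.0-10.0 range")
    for label, floor in SEVERITY_FLOORS:
        if score >= floor:
            return label
    raise AssertionError("unreachable")


def is_sample(finding: dict) -> bool:
    """Sample findings (CreateSampleFindings) carry a [SAMPLE] title prefix."""
    return finding.get("Title", "").startswith("[SAMPLE]")


def merge_findings(batches: List[List[dict]]) -> Dict[str, dict]:
    """Merge repeated exports into one record per finding Id.

    GuardDuty aggregates repeat occurrences into the existing finding (same Id,
    updated details, higher Service.Count), so the newest copy of an Id replaces
    the older one instead of being treated as a second finding.
    """
    store: Dict[str, dict] = {}
    for batch in batches:
        for finding in batch:
            current = store.get(finding["Id"])
            if current is None or finding["UpdatedAt"] >= current["UpdatedAt"]:
                store[finding["Id"]] = finding
    return store


def triage(batches: List[List[dict]], include_samples: bool = False) -> List[dict]:
    """Deduplicated findings, samples dropped by default, highest severity first."""
    rows = []
    for finding in merge_findings(batches).values():
        if not include_samples and is_sample(finding):
            continue
        ftype = parse_finding_type(finding["Type"])
        rows.append({
            "Id": finding["Id"],
            "Severity": severity_label(finding["Severity"]),
            "Score": finding["Severity"],
            "Purpose": ftype.purpose,
            "Resource": ftype.resource,
            "Family": ftype.family,
            "Count": finding["Service"]["Count"],
        })
    rows.sort(key=lambda r: (-r["Score"], r["Id"]))
    return rows


def _finding(fid, ftype, severity, updated, count, title=None):
    # Constructed finding in GetFindings shape; only fields used above are set.
    return {"Id": fid, "Type": ftype, "Severity": severity, "Title": title or ftype,
            "UpdatedAt": updated, "AccountId": "123456789012", "Region": "us-east-1",
            "Service": {"Count": count, "EventLastSeen": updated}}


# Constructed input: two successive exports from one detector. The SSH brute force
# finding reappears in the second export after aggregation raised its count to 7.
# Severity values are illustrative, not the documented default for each type.
SAMPLE_BATCHES = [
    [
        _finding("1a" * 16, "UnauthorizedAccess:EC2/SSHBruteForce", 2.0, "2024-05-01T10:00:00.000Z", 1),
        _finding("2b" * 16, "Backdoor:EC2/C&CActivity.B!DNS", 8.0, "2024-05-01T10:05:00.000Z", 1),
        _finding("3c" * 16, "Recon:EC2/PortProbeUnprotectedPort", 2.0, "2024-05-01T10:06:00.000Z", 1,
                 title="[SAMPLE] Unprotected port on EC2 instance is being probed."),
    ],
    [
        _finding("1a" * 16, "UnauthorizedAccess:EC2/SSHBruteForce", 2.0, "2024-05-01T11:30:00.000Z", 7),
        _finding("4d" * 16, "AttackSequence:IAM/CompromisedCredentials", 9.0, "2024-05-01T11:40:00.000Z", 1),
    ],
]

if __name__ == "__main__":
    for row in triage(SAMPLE_BATCHES):
        print(f'{row["Severity"]:8} {row["Purpose"]}:{row["Resource"]}/{row["Family"]} x{row["Count"]}')
```

To run this against real data, export findings with `aws guardduty list-findings --detector-id <detector-id>` followed by `aws guardduty get-findings --detector-id <detector-id> --finding-ids <ids>`, and generate the sample findings referred to above with `aws guardduty create-sample-findings --detector-id <detector-id> --finding-types <type>`; findings delivered through EventBridge use camelCase keys (`id`, `type`, `severity`, `service.count`) rather than the PascalCase keys used here.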