Reviewing GuardDuty findings in GuardDuty console
When GuardDuty detects a potentially suspicious or malicious activity, it generates a finding. This finding type is associated with a resource type that may have been compromised during this activity. You can view the details associated with each finding type.
If you are using a GuardDuty administrator account, you can view the generated findings on behalf of the member accounts. However, a member account can view the findings generated in their own account. A member account can't view the findings generated in another member account.
Perform the following procedure to review and understand the generated findings in GuardDuty console.
To review GuardDuty findings

1. Open the GuardDuty console at https://console.aws.amazon.com/guardduty/.

2. Choose Findings and then select a specific finding to view its details.

   The details for each finding will differ depending on the finding type, the resources involved, and the nature of the activity. For more information on the available finding fields, see Finding details.

3. (Optional) If you want to archive a finding, select it from the list of your findings, choose the Actions menu, and then choose Archive.

   Archived findings can be viewed by choosing Archived from the Current dropdown.

   Notes

   - If you archive a finding manually by using the procedure above, all subsequent occurrences of this finding (generated after the archiving is complete) are added to the list of your current findings. To never see this finding in your current list, you can auto-archive it. For more information, see Suppression rules in GuardDuty.

   - If you are a member account, you may not be able to perform some of these steps. For more information, see Understanding the relationship between GuardDuty administrator account and member accounts.

4. (Optional) To download a finding, select it from the list of your findings, choose the Actions menu, and then choose Export. When you export a finding, you can see its full JSON document.
Note
In some cases, GuardDuty becomes aware that certain findings are false positives after they have been generated. GuardDuty provides a Confidence field in the finding's JSON, and sets its value to zero. This way GuardDuty lets you know that you can safely ignore such findings.