GuardDuty - Findings

A GuardDuty finding represents a potential security issue detected within your network. GuardDuty generates a finding whenever it detects unexpected and potentially malicious activity in your AWS environment. You can view and manage your GuardDuty findings on the Findings page in the GuardDuty console or by using the GuardDuty CLI or API operations.

Review a GuardDuty finding

  1. Navigate to Findings in Amazon GuardDuty by clicking Findings in the left-hand navigation. Here are the findings in the AWS Workshop account:

  2. Select one of the findings on the page by clicking on the row. This will open the finding summary on the right side of the page. Finding details vary based on finding type.

Check another finding in the workshop:

  3. Review the finding that you opened.

Understanding GuardDuty finding severity

  1. Find the Severity of the finding you selected.

  2. If you want to view or download the finding in JSON form, you can click the Finding ID at the top of the finding summary.

  3. Click the X in the top right of the finding summary to close it.

Searching and Filtering GuardDuty Findings

  1. Click on the Search bar where it says Add filter criteria.

  2. Type Severity in the search bar and click on Severity, which then opens to a sub-menu with Low, Medium, and High options.

  3. Check the box for High and click Apply. This will then update the list of displayed findings accordingly.

Managing GuardDuty findings

  1. With a finding selected, click the Actions dropdown (top right of the page). Click “Archive” to archive the finding.

  2. Archiving the finding will hide it from the list of Current findings. To view it, click the “Current” dropdown, and select “Archived” to see the finding you just archived.

  3. To unarchive the finding, select it, and then click the Actions dropdown again (top right of the page). This time, click “Unarchive” to unarchive the finding.
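The same workflow (list the Current findings in the High severity band, read the fields the summary panel shows, archive a finding and unarchive it again) can be driven from the GuardDuty API instead of the console. The block below is an added example written for this page, not code from the workshop or from AWS. It uses the real boto3 GuardDuty calls (list_detectors, list_findings, get_findings, archive_findings, unarchive_findings) and the documented severity bands (Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9); the integer range in the filter, the sample finding and its ID are constructed placeholders, and the helpers accept any client object so they can be exercised offline.

```python
"""Drive the GuardDuty findings workflow from the API (added example, not workshop code)."""

# Severity bands as documented for GuardDuty findings; the console's
# Severity filter exposes exactly these three labels.
SEVERITY_BANDS = (("Low", 1.0, 3.9), ("Medium", 4.0, 6.9), ("High", 7.0, 8.9))

# Constructed sample finding (not a real finding; only the fields used below).
SAMPLE_FINDING = {
    "Id": "00example000000000000000000000001",   # placeholder finding ID
    "Type": "Recon:EC2/PortProbeUnprotectedPort",
    "Severity": 2,
    "Service": {"Archived": False},
}


def severity_label(score):
    """Map a numeric finding severity onto the console's Low/Medium/High label."""
    for label, low, high in SEVERITY_BANDS:
        if low <= score <= high:
            return label
    raise ValueError(f"severity {score} is outside the documented bands")


def current_findings_criteria(label="High"):
    """Build the FindingCriteria equivalent of the console filter used above:
    Current (not archived) findings whose severity is in the chosen band.
    Assumption: condition values are integers in the API, so the band is
    expressed as a half-open integer range (e.g. High -> 7 <= severity < 9)."""
    _, low, high = next(band for band in SEVERITY_BANDS if band[0] == label)
    return {
        "Criterion": {
            "severity": {"GreaterThanOrEqual": int(low), "LessThan": int(high) + 1},
            "service.archived": {"Equals": ["false"]},
        }
    }


def summarize_finding(finding):
    """Extract the fields the finding summary panel shows from a finding record
    (as returned by get_findings, or as downloaded in JSON via the Finding ID)."""
    return {
        "id": finding["Id"],
        "type": finding["Type"],
        "severity": finding["Severity"],
        "label": severity_label(finding["Severity"]),
        "archived": finding["Service"]["Archived"],
    }


def archive_then_unarchive(client, detector_id, finding_id):
    """Mirror the Actions > Archive and Actions > Unarchive clicks.
    Returns the archived flag after each step, as reported by get_findings."""

    def archived_flag():
        resp = client.get_findings(DetectorId=detector_id, FindingIds=[finding_id])
        return resp["Findings"][0]["Service"]["Archived"]

    client.archive_findings(DetectorId=detector_id, FindingIds=[finding_id])
    after_archive = archived_flag()
    client.unarchive_findings(DetectorId=detector_id, FindingIds=[finding_id])
    after_unarchive = archived_flag()
    return after_archive, after_unarchive


if __name__ == "__main__":
    import boto3  # imported here so the helpers above also work offline

    gd = boto3.client("guardduty")
    detector_id = gd.list_detectors()["DetectorIds"][0]
    ids = gd.list_findings(
        DetectorId=detector_id, FindingCriteria=current_findings_criteria("High")
    )["FindingIds"]
    if ids:
        # get_findings accepts at most 50 IDs per call
        for finding in gd.get_findings(DetectorId=detector_id, FindingIds=ids[:50])["Findings"]:
            print(summarize_finding(finding))
    else:
        print("no Current findings in the High band")
```

Run with credentials for the workshop account and the region where the detector lives; the archived flag returned by get_findings is the same state the console shows when you switch between the Current and Archived views.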