
Why didn't GuardDuty generate any finding types after I activated GuardDuty in my environment?


I activated an Amazon GuardDuty account but I haven't received any finding types.

Resolution

Check GuardDuty status

Make sure that you activated GuardDuty. If you suspended or turned off GuardDuty, then GuardDuty doesn't generate any finding types. It's a best practice to activate GuardDuty in all supported AWS Regions. This allows GuardDuty to generate finding types for unauthorized or unusual activity even in Regions that you aren't actively using.

Note: If GuardDuty doesn't detect security threats, then it doesn't generate a finding type.

Activate data sources

GuardDuty uses data sources to detect unauthorized and unexpected activity involving the resource types of some AWS services. Confirm that you activated all data sources.

It's a best practice to activate the following protections:

If GuardDuty doesn't detect a malicious file as malware, then check that you turned on the necessary protections. Confirm the malware status of the files.

Note: GuardDuty only processes DNS logs when you use the default virtual private cloud (VPC) DNS resolver. Other types of DNS resolvers won't generate DNS-based findings.
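As an added example (not code from the AWS article), the following Python script uses boto3 to run the status and data-source checks above across the Regions you pass it: a detector must exist and be ENABLED, and every data source and protection feature must be ENABLED. The response shape and field names follow the GuardDuty GetDetector and ListDetectors APIs; the sample detector response is constructed for offline use, and the Region list is an assumption.

```python
"""Audit GuardDuty detectors for reasons they might not generate findings."""


def _statuses(node, path=""):
    """Yield (path, status) for every nested Status key under DataSources."""
    if isinstance(node, dict):
        if "Status" in node:
            yield path, node["Status"]
        for key, child in node.items():
            if key != "Status":
                yield from _statuses(child, f"{path}.{key}" if path else key)


def audit_detector(detector):
    """Return reasons a detector (a GetDetector response dict) may stay silent."""
    issues = []
    if detector.get("Status") != "ENABLED":
        issues.append(f"detector status is {detector.get('Status')}, not ENABLED")
    # Legacy data sources are nested under DataSources; newer protections
    # (malware protection, runtime monitoring) are listed under Features.
    for path, status in _statuses(detector.get("DataSources", {})):
        if status != "ENABLED":
            issues.append(f"data source {path} is {status}")
    for feature in detector.get("Features", []):
        if feature.get("Status") != "ENABLED":
            issues.append(f"feature {feature.get('Name')} is {feature.get('Status')}")
    return issues


def audit_account(regions):
    """Run audit_detector in each Region; needs AWS credentials (assumption)."""
    import boto3  # imported here so the pure checks above run without boto3

    report = {}
    for region in regions:
        gd = boto3.client("guardduty", region_name=region)
        ids = gd.list_detectors().get("DetectorIds", [])
        if not ids:
            report[region] = ["no GuardDuty detector in this Region"]
            continue
        report[region] = audit_detector(gd.get_detector(DetectorId=ids[0]))
    return report


SAMPLE_DETECTOR = {  # constructed sample shaped like a GetDetector response
    "Status": "ENABLED",
    "DataSources": {
        "CloudTrail": {"Status": "ENABLED"},
        "DNSLogs": {"Status": "ENABLED"},
        "FlowLogs": {"Status": "ENABLED"},
        "S3Logs": {"Status": "DISABLED"},
        "Kubernetes": {"AuditLogs": {"Status": "DISABLED"}},
    },
    "Features": [
        {"Name": "EBS_MALWARE_PROTECTION", "Status": "ENABLED"},
        {"Name": "RUNTIME_MONITORING", "Status": "DISABLED"},
    ],
}

if __name__ == "__main__":
    print(audit_detector(SAMPLE_DETECTOR))
    # print(audit_account(["us-east-1", "eu-west-1"]))  # assumed Region list
```

An empty list from audit_detector means the detector itself is not the reason for missing findings; an empty Region entry in audit_account points at a Region with no detector at all.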

Review suppressed findings from trusted IP address lists

If you set up trusted IP address lists, then they can prevent the generation of finding types for events that occur from trusted IP addresses.

It's a best practice to use a suppression rule instead of a trusted IP address list, so that you stay aware of detected issues in your environment. You can review suppressed findings in the GuardDuty console by changing the Findings view menu from Current to Archived.

Test sample findings

To create sample GuardDuty findings to test, take one of the following actions:

Related information

Getting started with GuardDuty

Why did GuardDuty send me alert findings for a trusted IP list address?

AWS OFFICIAL. Updated 4 months ago.