Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

Using GuardDuty sample findings to test Detective

0

I'm trying to test the investigation capabilities of Detective in a test environment and was wondering if the sample findings you can generate in GuardDuty have good enough data, or if I should try to create some actual findings to get more accurate data like in this article?

Topics
AWS MarketplaceSecurity, Identity, & ComplianceAWS Well-Architected Framework
Tags
AWS Security Incident ResponseAmazon DetectiveAmazon GuardDutySecurity, Identity, & ComplianceSecurity
Language
English
asked a year ago248 views
2 Answers
1
Accepted Answer

While GuardDuty sample findings can be useful for initial familiarization with the service, they may not provide the most comprehensive data for testing Amazon Detective's investigation capabilities. Here's why:

  1. Sample findings are approximations with placeholder values and may not closely resemble real findings in your specific environment.

  2. These sample findings are primarily designed to help you understand various finding types and get acquainted with GuardDuty's functionality.

  3. They lack the contextual depth and interconnected data that real security events would generate across your AWS environment.

For a more thorough and accurate test of Detective's investigation capabilities, it's recommended to use the GuardDuty Tester. This approach offers several advantages:

  1. It generates findings against actual test resources deployed in your AWS account, providing a more realistic scenario.

  2. The GuardDuty Tester covers over 100 unique finding types and resource combinations, offering a broader range of security scenarios to investigate.

  3. It simulates various types of findings including AttackSequence, Backdoor, CryptoCurrency, Impact, Recon, Trojan, UnauthorizedAccess, and more.

  4. This method allows you to see how the finding details look for actual resources in your account, which is crucial for understanding Detective's data correlation and investigation features.

  5. The tester script can be run with different parameters, allowing you to generate specific types of findings relevant to your testing needs.

By using the GuardDuty Tester in a dedicated test environment, you'll be able to create a more realistic set of security events and data. This will provide a much more accurate representation of how Detective would perform in analyzing and correlating real security incidents, giving you a better assessment of its investigation capabilities.

Remember to deploy and run these tests in a non-production environment to avoid any potential impact on your actual workloads.

Sources
Generating sample findings in GuardDuty - Amazon GuardDuty
Getting started with GuardDuty - Amazon GuardDuty
Testing and evaluating GuardDuty detections | AWS Security Blog
Test GuardDuty findings in dedicated accounts - Amazon GuardDuty

answered a year ago
EXPERT
reviewed a year ago
0

While GuardDuty sample findings can be useful for initial familiarization with the service, they may not provide the most comprehensive data for testing Amazon Detective's investigation capabilities. Here's why:

answered 8 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content