GuardDuty False Positive Rates
Hello All,
Does anyone experience False Positives with GuardDuty? If yes, what do you do to tune or update false positive findings? What options do customers have?
Recently, I've noticed a lot of false positives with C&C findings, in that they seem to be triggered simply by a DNS lookup (dig or nslookup), and the domain reputations in the threat lists that GuardDuty is using are not up to date.
I encountered a GuardDuty false positive before, but it was regarding an IP address that I use. I followed this document to add it as a trusted IP: https://aws.amazon.com/premiumsupport/knowledge-center/guardduty-trusted-ip-list/
You can also try Suppression rules to filter false-positive findings: https://docs.aws.amazon.com/guardduty/latest/ug/findings_suppression-rule.html
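As an added example (not code from the thread or from AWS), the following shows what the suppression-rule approach looks like in practice for the DNS C&C case the original post describes: it builds the `FindingCriteria` that GuardDuty's `CreateFilter` API accepts, dry-runs it locally against a few constructed findings in the exported-JSON finding format so you can see exactly which findings the rule would archive before creating it, and only then applies it through boto3. The finding type `Backdoor:EC2/C&CActivity.B!DNS` and the criterion keys `type` and `resource.instanceDetails.instanceId` are real GuardDuty names; the instance ID, domains, finding IDs, rule name and the local matching logic are assumptions made for the example.

```python
"""Build, dry-run and apply a GuardDuty suppression rule for DNS C&C findings
raised by manual dig/nslookup from a known host.
Hypothetical example; not AWS code and not code from the re:Post thread."""
import json

# Real GuardDuty finding type for the C&C-over-DNS case in the post.
SUPPRESSED_TYPES = ["Backdoor:EC2/C&CActivity.B!DNS"]
# Assumption: the instance analysts run dig/nslookup from (constructed ID).
KNOWN_LOOKUP_INSTANCES = ["i-0123456789abcdef0"]


def build_filter_criteria(finding_types, instance_ids):
    """FindingCriteria in the shape CreateFilter expects.
    Every key in Criterion is ANDed; the values inside an Eq list are ORed.
    Scoping to both type AND instance keeps the rule from hiding the same
    finding type on hosts that have no business resolving those domains."""
    return {
        "Criterion": {
            "type": {"Eq": list(finding_types)},
            "resource.instanceDetails.instanceId": {"Eq": list(instance_ids)},
        }
    }


def _lookup(finding, dotted_key):
    """Walk a dotted criterion key (e.g. resource.instanceDetails.instanceId)
    through a finding in the exported camelCase JSON format."""
    node = finding
    for part in dotted_key.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def would_archive(finding, criteria):
    """Local approximation (assumption) of how GuardDuty evaluates Eq/Neq
    criteria, so a rule can be dry-run before it is created."""
    for key, cond in criteria["Criterion"].items():
        value = _lookup(finding, key)
        if "Eq" in cond and value not in cond["Eq"]:
            return False
        if "Neq" in cond and value in cond["Neq"]:
            return False
    return True


def dry_run(findings, criteria):
    """Return the IDs of findings the rule would auto-archive."""
    return [f["id"] for f in findings if would_archive(f, criteria)]


def apply_filter(detector_id, criteria, name="dns-lookup-tool-noise", client=None):
    """Create the suppression rule. Action=ARCHIVE makes GuardDuty archive
    matching findings automatically. Needs AWS credentials; the client is
    injectable so the rest of this module can run offline."""
    if client is None:
        import boto3  # assumption: boto3 installed, credentials configured
        client = boto3.client("guardduty")
    return client.create_filter(
        DetectorId=detector_id,
        Name=name,
        Description="Archive C&C DNS findings caused by manual dig/nslookup "
                    "from the analyst lookup host",
        Action="ARCHIVE",
        Rank=1,
        FindingCriteria=criteria,
    )


# Constructed findings, trimmed to the fields the rule inspects, in the
# camelCase layout GuardDuty uses when exporting findings to S3/EventBridge.
SAMPLE_FINDINGS = [
    {"id": "f1", "type": "Backdoor:EC2/C&CActivity.B!DNS",
     "resource": {"instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
     "service": {"action": {"dnsRequestAction": {"domain": "example-c2.test"}}}},
    {"id": "f2", "type": "Backdoor:EC2/C&CActivity.B!DNS",   # other host: keep
     "resource": {"instanceDetails": {"instanceId": "i-0fedcba9876543210"}},
     "service": {"action": {"dnsRequestAction": {"domain": "example-c2.test"}}}},
    {"id": "f3", "type": "UnauthorizedAccess:EC2/SSHBruteForce",  # same host, other type: keep
     "resource": {"instanceDetails": {"instanceId": "i-0123456789abcdef0"}}},
]

if __name__ == "__main__":
    criteria = build_filter_criteria(SUPPRESSED_TYPES, KNOWN_LOOKUP_INSTANCES)
    print(json.dumps(criteria, indent=2))
    print("would archive:", dry_run(SAMPLE_FINDINGS, criteria))
    # apply_filter("<detector-id>", criteria)  # uncomment to create the rule
```

Before applying a rule like this, check the dry-run output against a recent `GetFindings` export rather than assuming the criteria are narrow enough; a suppression rule that matches on `type` alone would also archive genuine C&C DNS activity from every instance in the account.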