By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

GuardDuty False Positive Rates

0

Hello All,

Does anyone experience False Positives with GuardDuty? If yes, what do you do to tune or update false positive findings? What options do customers have?

Recently, i've notice a lot of false positives with C&C findings in that they are simply triggered by a an DNS lookup (dig or nslookup) it seems and domain reputations in the threat lists that Guard Duty is using are not up to date.

Topics
Security, Identity, & ComplianceAWS Well-Architected Framework
Tags
Amazon GuardDutyThreat DetectionSecurity
Language
English
AWS-User-2792197
asked 2 years ago733 views
1 Answer
1

I encountered a Guard Duty false positive before, but it was regarding an IP address that I use. I followed this document to add it as a trusted IP: https://aws.amazon.com/premiumsupport/knowledge-center/guardduty-trusted-ip-list/

You can also try Suppression rules to filter false-positive findings: https://docs.aws.amazon.com/guardduty/latest/ug/findings_suppression-rule.html

profile picture
joahna
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content