
GuardDuty False Positive Rates


Hello All,

Does anyone experience False Positives with GuardDuty? If yes, what do you do to tune or update false positive findings? What options do customers have?

Recently, I've noticed a lot of false positives with C&C findings in that they are simply triggered by a DNS lookup (dig or nslookup), it seems, and the domain reputations in the threat lists that GuardDuty is using are not up to date.

1 Answer

I encountered a GuardDuty false positive before, but it was regarding an IP address that I use. I followed this document to add it as a trusted IP:

You can also try Suppression rules to filter false-positive findings:

answered 3 months ago
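Worked example of the two options the answer mentions, added here and not part of the original question or answer. For the DNS-triggered C&C findings in the question, a suppression rule is the better fit, but it should be scoped to the instance(s) that legitimately run dig/nslookup and to the specific domains with stale reputation, not to the whole finding type (an unscoped rule would also archive real C&C findings). The finding type `Backdoor:EC2/C&CActivity.B!DNS` and the filter attribute names `type`, `resource.instanceDetails.instanceId` and `service.action.dnsRequestAction.domain` are taken from the GuardDuty documentation rather than from this thread, so verify them against the current finding-types reference before relying on them; the sample finding, instance ID, domain and bucket path are constructed. The `apply_*` functions need boto3 and credentials with `guardduty:CreateFilter` / `guardduty:CreateIPSet`; the rest runs offline.

```python
"""Scope a GuardDuty suppression rule to the instances and domains behind a
known-benign DNS lookup, dry-run it against a sample finding, then optionally
create it (or a trusted IP list) with boto3.

Added example; not code from the original re:Post thread. Only the apply_*
functions touch AWS.
"""
from typing import Any, Dict, List, Optional

try:
    import boto3  # only needed by the apply_* functions
except ImportError:  # keep the offline part usable without the SDK
    boto3 = None

# Finding type and filter attribute names as documented for GuardDuty
# (assumed here; verify against the GuardDuty finding-types reference).
DNS_CNC_FINDING = "Backdoor:EC2/C&CActivity.B!DNS"
ATTR_TYPE = "type"
ATTR_INSTANCE = "resource.instanceDetails.instanceId"
ATTR_DOMAIN = "service.action.dnsRequestAction.domain"


def build_suppression_criteria(instance_ids: List[str], domains: List[str],
                               finding_type: str = DNS_CNC_FINDING) -> Dict[str, Any]:
    """Return FindingCriteria matching only the given instances querying the
    given domains. Refuses an unscoped rule, because suppressing a whole
    finding type would also hide genuine C&C activity."""
    if not instance_ids or not domains:
        raise ValueError("scope the rule to specific instances and domains")
    # GuardDuty compares domains exactly, so normalise case and trailing dot.
    norm_domains = sorted({d.lower().rstrip(".") for d in domains})
    return {"Criterion": {
        ATTR_TYPE: {"Equals": [finding_type]},
        ATTR_INSTANCE: {"Equals": sorted(set(instance_ids))},
        ATTR_DOMAIN: {"Equals": norm_domains},
    }}


def _lookup(finding: Dict[str, Any], dotted: str) -> Optional[str]:
    """Walk a dotted attribute path through a finding in the JSON layout
    GuardDuty emits to EventBridge, e.g. 'service.action.dnsRequestAction.domain'."""
    node: Any = finding
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node if isinstance(node, str) else None


def finding_matches(criteria: Dict[str, Any], finding: Dict[str, Any]) -> bool:
    """Local dry run of the rule: every criterion attribute must equal one of
    its listed values, which is how an Equals-only filter is evaluated."""
    for attr, cond in criteria["Criterion"].items():
        value = _lookup(finding, attr)
        if value is None or value not in cond["Equals"]:
            return False
    return True


# Constructed sample finding (EventBridge JSON layout); not a real finding.
SAMPLE_FINDING = {
    "type": DNS_CNC_FINDING,
    "resource": {"instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
    "service": {"action": {"dnsRequestAction": {"domain": "stale-rep.example.com"}}},
}


def apply_suppression_rule(detector_id: str, name: str, criteria: Dict[str, Any],
                           region: Optional[str] = None) -> str:
    """Create the rule as an ARCHIVE filter on the detector; returns its name."""
    client = boto3.client("guardduty", region_name=region)
    resp = client.create_filter(DetectorId=detector_id, Name=name, Action="ARCHIVE",
                                Description="Benign diagnostic DNS lookups",
                                FindingCriteria=criteria)
    return resp["Name"]


def apply_trusted_ip_list(detector_id: str, name: str, s3_uri: str,
                          region: Optional[str] = None) -> str:
    """Register a trusted IP list (plain text, one IP or CIDR per line in S3)
    so GuardDuty stops raising findings for those addresses; returns the IpSetId."""
    client = boto3.client("guardduty", region_name=region)
    resp = client.create_ip_set(DetectorId=detector_id, Name=name, Format="TXT",
                                Location=s3_uri, Activate=True)
    return resp["IpSetId"]


if __name__ == "__main__":
    crit = build_suppression_criteria(["i-0123456789abcdef0"], ["stale-rep.example.com"])
    print("rule would archive the sample finding:", finding_matches(crit, SAMPLE_FINDING))
    # Needs credentials; detector ID and bucket path are placeholders:
    # apply_suppression_rule("<detector-id>", "benign-dns-lookups", crit)
    # apply_trusted_ip_list("<detector-id>", "office-egress", "s3://<bucket>/trusted.txt")
```

Suppression rules only archive findings that match after the rule is created, so review the archived findings occasionally: if the domain drops off the threat list the rule is dead weight, and if the instance is later repurposed the rule should go with it.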
