By using AWS re:Post, you agree to the Terms of Use
/GuardDuty False Positive Rates/

GuardDuty False Positive Rates

0

Hello All,

Does anyone experience False Positives with GuardDuty? If yes, what do you do to tune or update false positive findings? What options do customers have?

Recently, i've notice a lot of false positives with C&C findings in that they are simply triggered by a an DNS lookup (dig or nslookup) it seems and domain reputations in the threat lists that Guard Duty is using are not up to date.

1 Answers
0

I encountered a Guard Duty false positive before, but it was regarding an IP address that I use. I followed this document to add it as a trusted IP: https://aws.amazon.com/premiumsupport/knowledge-center/guardduty-trusted-ip-list/

You can also try Suppression rules to filter false-positive findings: https://docs.aws.amazon.com/guardduty/latest/ug/findings_suppression-rule.html

answered 3 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions