GuardDuty finding segregation

Question

I have checked below link and I came to know that default behavior of GuardDuty findings is aggregation of new information.

https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html#:~:text=GuardDuty%20finding%20aggregation,within%20your%20account.

https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html

we do not want to aggregate the information.

Could anyone confirm if we can do finding segregation to do not update new information.

Answer

Why do you not want to aggregate the information?

If GD was to raise separate findings customers would quickly be overwhelmed with findings and would find it hard to address the issue. By having a single finding and then updating it continuously, it is easier for you to then see which findings to fix (you can see which findings have been open for the longest time for example), then when you fix the issue you can close that single finding down.

It is not currently possible to have new findings raised for the same security issue on the same instance - that is by design.

GuardDuty finding segregation

相关内容