I activated GuardDuty in my environment, but GuardDuty didn't generate any finding types

3 minute read

I activated an Amazon GuardDuty account but I haven't received any finding types. How can I troubleshoot this?

Short description

Activating GuardDuty immediately begins to monitor for security threats. If GuardDuty discovers a security issue, then a finding type is generated. If GuardDuty doesn't detect security threats, then finding types aren't generated.

Resolution

To troubleshoot why GuardDuty hasn't generated any finding types, check the following configurations:

The data sources
The GuardDuty status
The trusted IP lists

Data sources

GuardDuty uses its data sources to detect unauthorized and unexpected activity with resource types for some AWS services. The data sources include:

AWS CloudTrail management event logs.
Virtual Private Cloud (Amazon VPC) flow logs.
DNS logs.
CloudTrail data events for Amazon Simple Storage Service (Amazon S3)
Kubernetes audit log
Amazon Elastic Block Store (Amazon EBS) volume data

It's a best practice to activate GuardDuty Kubernetes Protection, Amazon S3 protection, and Malware Protection which aren't activated by default.

Note: GuardDuty only processes DNS logs if you use the default VPC DNS resolver. All other types of DNS resolvers won't generated DNS based findings.

GuardDuty status

GuardDuty must be activated for finding types to generate. If GuardDuty is suspended or disabled, then no finding types are generated. It's a best practice to activate GuardDuty in all supported AWS Regions. This allows GuardDuty to generate finding types for unauthorized or unusual activity even in Regions that you aren't actively using.

Trusted IP lists

You can add IP addresses that you trust to communicate in your AWS environment to trusted IP lists. Trusted IP lists prevent GuardDuty from generating finding types for events that occurred from trusted IP addresses.

It's a best practice to use a suppression rule instead of a trusted IP list to for awareness of detected issues in your environment. The suppression rule reduces the notifications from finding types. A suppression rule automatically archives new findings generated by GuardDuty that match specific criteria. You can review suppressed findings from the GuardDuty console by changing the Findings view dropdown menu from Current to Archived.

To create GuardDuty findings for testing, do one of the following:

Create sample findings from the GuardDuty console or API.
Generate common GuardDuty findings automatically using the guardduty_tester.sh script.

For more information, see How do I set up a trusted IP address list for GuardDuty?

Related information

Getting started with GuardDuty

Why did GuardDuty send me alert findings for a trusted IP list address?

Topics

Security, Identity, & Compliance

Relevant content

AWS GuardDuty - finding logs location
Orlando
asked 6 months ago
Additional information on GuardDuty DNS Findings
MaxEB
asked 2 years ago
GuardDuty finding segregation
AWS-User-6176623
asked 2 years ago
EC2 GuardDuty Runtime monitor what type of findings should we expect?
davec
asked 2 months ago
GuardDuty Findings not published to eventbridge rule
DM
asked 5 months ago
Why did I receive an Amazon GuardDuty CryptoCurrency:EC2/BitcoinTool.B!DNS finding type for my Amazon EC2 instance?
AWS OFFICIALUpdated 2 years ago
Why did I receive the GuardDuty finding type alert UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS for my Amazon EC2 instance?
AWS OFFICIALUpdated 9 days ago
Why did I receive the GuardDuty finding type alert Recon:EC2/PortProbeUnprotectedPort for my Amazon EC2 instance?
AWS OFFICIALUpdated 2 years ago
Why did I receive an Amazon GuardDuty Denial of Service (DoS) finding type for my Amazon EC2 instance?
AWS OFFICIALUpdated a year ago
A First Look at AWS CloudFormation IaC Generator
EXPERT
Patrick Kremer
published 2 months ago