Understanding Amazon GuardDuty findings - Amazon GuardDuty

Understanding Amazon GuardDuty findings

A GuardDuty finding represents a potential security issue detected in your AWS environment. GuardDuty generates a finding whenever it detects unexpected and potentially malicious activity in your AWS accounts, workloads, or data.

You can view and manage your GuardDuty findings on the Findings page in the GuardDuty console or by using the AWS CLI or API operations. For an overview of the ways you can manage findings, see Managing Amazon GuardDuty findings.

Topics:

GuardDuty finding format

Understand the format of GuardDuty finding types and the different threat purposes tracked by GuardDuty.

Sample findings

Try generating sample findings to test and understand GuardDuty findings and associated details. These findings are marked with a prefix [SAMPLE].

Test GuardDuty findings in dedicated accounts

Run a guardduty-tester script in a dedicated non-production AWS account to generate selected GuardDuty findings in your AWS environment.

Finding details

Learn about the details associated with GuardDuty findings that get generated in your account.

Finding types

View and search all available GuardDuty findings by type. Each finding type entry includes an explanation of that finding as well as tips and suggestions for remediation.

Severity levels for GuardDuty findings

Each GuardDuty finding has an assigned severity level and value that reflects the potential risk the finding could pose to your environment, as determined by AWS security engineers. The severity value can fall anywhere within the 1.0 to 8.9 range, with higher values indicating greater security risk. To help you decide how to respond to a potential security issue that is highlighted by a finding, GuardDuty breaks this range down into High, Medium, and Low severity levels.

Note

Values 0 and between 9.0 and 10.0 are reserved for future use.

The following are the presently defined severity levels and values for the GuardDuty findings as well as general recommendations for each:

High: 7.0 - 8.9

A High severity level indicates that the resource in question (for example, an EC2 instance or a set of IAM user sign-in credentials) is compromised and is actively being used for unauthorized purposes.

We recommend that you treat any High severity finding as a priority and take immediate remediation steps to prevent further unauthorized use of your resources. For example, clean up or terminate the EC2 instance, or rotate the IAM credentials. See Remediation Steps for more details.

Medium: 4.0 - 6.9

A Medium severity level indicates suspicious activity that deviates from normally observed behavior and, depending on your use case, may be indicative of a resource compromise.

We recommend that you investigate the implicated resource at your earliest convenience. Remediation steps vary by resource and finding family, but in general you should confirm that the activity is authorized and consistent with your use case. If you cannot identify the cause or confirm that the activity was authorized, treat the resource as compromised and follow Remediation Steps to secure it.

Here are some things to consider when reviewing a Medium level finding:

  • Check if an authorized user has installed new software that changed the behavior of a resource (for example, allowed higher than normal traffic, or enabled communication on a new port).

  • Check if an authorized user changed the configuration of the resource through the console or API, for example, modified a security group rule.

  • Run an anti-virus scan on the implicated resource to detect unauthorized software.

  • Verify the permissions that are attached to the implicated IAM role, user, group, or set of credentials. These might have to be changed or rotated.

Low: 1.0 - 3.9

A Low severity level indicates attempted suspicious activity that did not compromise your environment, for example, a port scan or a failed intrusion attempt.

There is no immediate recommended action, but it is worth noting this information, as it may indicate that someone is looking for weak points in your environment.
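The following is an added example, not AWS code, that turns the severity ranges above into a triage queue. It runs over a handful of constructed finding records that mirror the shape of GuardDuty finding JSON (Id, Type, Severity, Title, Resource.ResourceType), skips findings whose title carries the [SAMPLE] prefix described under Sample findings, refuses to silently bucket values in the reserved ranges (0 and 9.0 to 10.0), and attaches the recommended action for each level. The helper that builds a FindingCriteria filter for the ListFindings API assumes the "severity" criterion with a "Gte" condition; that API shape is not shown on this page.

```python
"""Triage GuardDuty findings by documented severity level (added example, not AWS code)."""
from __future__ import annotations

# Severity ranges as documented on this page: High 7.0-8.9, Medium 4.0-6.9, Low 1.0-3.9.
# 0 and 9.0-10.0 are reserved; a triage tool should surface them, not drop or mis-bucket them.
LEVELS = (("High", 7.0, 8.9), ("Medium", 4.0, 6.9), ("Low", 1.0, 3.9))

# Recommended response per level, condensed from the text above.
ACTIONS = {
    "High": "Contain now: clean up or terminate the instance, or rotate the credentials.",
    "Medium": "Investigate promptly: confirm the activity is authorized; treat as compromised if you cannot.",
    "Low": "Record and monitor: no immediate action required.",
}
UNCLASSIFIED = "Unclassified"


def severity_level(value: float) -> str:
    """Map a numeric severity to High, Medium or Low, or to Unclassified for reserved values."""
    for name, low, high in LEVELS:
        if low <= value <= high:
            return name
    return UNCLASSIFIED


def is_reserved(value: float) -> bool:
    """True for severities the documentation marks as reserved for future use."""
    return severity_level(value) == UNCLASSIFIED


def is_sample(finding: dict) -> bool:
    """Sample findings generated for testing carry a '[SAMPLE]' prefix in their title."""
    return finding.get("Title", "").startswith("[SAMPLE]")


def triage(findings: list[dict]) -> list[dict]:
    """Return non-sample findings annotated with level and action, most urgent first.
    Reserved-range findings sort to the top so a new range AWS starts using is noticed."""
    queue = []
    for f in findings:
        if is_sample(f):
            continue
        sev = float(f["Severity"])
        level = severity_level(sev)
        action = ACTIONS.get(level, "Severity outside documented ranges; review manually.")
        queue.append({
            "Id": f["Id"], "Type": f["Type"], "Severity": sev,
            "Resource": f["Resource"]["ResourceType"], "Level": level, "Action": action,
        })
    # False sorts before True, so Unclassified entries lead; then descending severity.
    return sorted(queue, key=lambda r: (r["Level"] != UNCLASSIFIED, -r["Severity"]))


def list_findings_criteria(min_severity: float) -> dict:
    """Build a FindingCriteria filter for ListFindings that returns findings at or above
    min_severity (assumption: 'severity' criterion with an integer 'Gte' condition)."""
    return {"Criterion": {"severity": {"Gte": int(min_severity)}}}


# Constructed records (not real findings) in the shape of GuardDuty finding JSON.
SAMPLE_FINDINGS = [
    {"Id": "f1", "Type": "Recon:EC2/PortProbeUnprotectedPort", "Severity": 2.0,
     "Title": "Unprotected port on EC2 instance is being probed.",
     "Resource": {"ResourceType": "Instance"}},
    {"Id": "f2", "Type": "Recon:EC2/Portscan", "Severity": 5.0,
     "Title": "EC2 instance is performing outbound port scans.",
     "Resource": {"ResourceType": "Instance"}},
    {"Id": "f3", "Type": "Backdoor:EC2/C&CActivity.B!DNS", "Severity": 8.0,
     "Title": "EC2 instance is querying a domain associated with a known C&C server.",
     "Resource": {"ResourceType": "Instance"}},
    {"Id": "f4", "Type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller", "Severity": 8.0,
     "Title": "[SAMPLE] API was invoked from a known malicious IP address.",
     "Resource": {"ResourceType": "AccessKey"}},
    {"Id": "f5", "Type": "Recon:EC2/Portscan", "Severity": 9.5,
     "Title": "Constructed record with a reserved-range severity.",
     "Resource": {"ResourceType": "Instance"}},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_FINDINGS):
        print(f'{row["Level"]:<13}{row["Severity"]:<5}{row["Id"]:<4}{row["Type"]:<40}{row["Action"]}')
    print(list_findings_criteria(7.0))
```

Feeding the criteria dict to `list_findings` restricts the API call to High findings, which keeps the triage loop from paging through Low noise; the local `severity_level` check is still worth keeping on whatever comes back, because the filter trusts the numeric value and the reserved-range guard is what flags a value the code was never written for.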
