I activated GuardDuty in my environment, but GuardDuty didn't generate any finding types.

Last updated: 2022-08-05

I activated an Amazon GuardDuty account but I haven't received any finding types. How can I troubleshoot this?

Short description

Once activated, GuardDuty immediately begins monitoring for security threats. If GuardDuty discovers a security issue, then a finding type is generated. If GuardDuty doesn't detect any security threats, then no finding types are generated.

Resolution

To troubleshoot why GuardDuty hasn't generated any finding types, check the following configurations:

Data sources

GuardDuty uses the following data sources to detect unauthorized and unexpected activity involving the resource types of the AWS services that it supports:

  • AWS CloudTrail management event logs
  • Amazon Virtual Private Cloud (Amazon VPC) flow logs
  • DNS logs
  • CloudTrail data events for Amazon Simple Storage Service (Amazon S3)
  • Kubernetes audit logs
  • Amazon Elastic Block Store (Amazon EBS) volume data

It's a best practice to activate GuardDuty Kubernetes Protection, Amazon S3 protection, and Malware Protection, which aren't activated by default.

Note: GuardDuty only processes DNS logs if you use the default VPC DNS resolver. All other types of DNS resolvers won't generate DNS-based findings.

GuardDuty status

GuardDuty must be activated for finding types to be generated. If GuardDuty is suspended or disabled, then no finding types are generated. It's a best practice to activate GuardDuty in all supported AWS Regions. This allows GuardDuty to generate finding types for unauthorized or unusual activity even in Regions that you aren't actively using.

Trusted IP lists

You can add IP addresses that you trust to communicate with your AWS environment to a trusted IP list. Trusted IP lists prevent GuardDuty from generating finding types for events that originate from those IP addresses.

It's a best practice to use a suppression rule instead of a trusted IP list so that you keep awareness of detected issues in your environment. A suppression rule reduces the notifications from finding types: it automatically archives new findings generated by GuardDuty that match specific criteria. You can review suppressed findings from the GuardDuty console by changing the Findings view dropdown menu from Current to Archived.
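As an added example (not AWS's code), a hypothetical Python helper that applies the three checks above to a detector: `diagnose()` evaluates responses shaped like GetDetector and GetIPSet offline on a constructed sample, and `audit_region()` assumes boto3 and AWS credentials to run the same checks live in one Region.

```python
"""Hypothetical checker for the GuardDuty 'no findings' conditions in this article
(added example, not AWS code). diagnose() is pure so it runs offline."""

def _status(d, *path):
    """Follow nested keys, e.g. Kubernetes.AuditLogs.Status; None if absent."""
    for key in path:
        d = d.get(key, {})
    return d or None

def diagnose(detector: dict, ip_sets: list) -> list:
    """Reasons findings may be missing; inputs shaped like GetDetector/GetIPSet."""
    issues = []
    if detector.get("Status") != "ENABLED":
        issues.append("detector is not ENABLED (suspended or disabled)")
    ds = detector.get("DataSources", {})
    # CloudTrail, VPC Flow Logs and DNS are on by default; S3, Kubernetes and
    # Malware Protection must be activated explicitly.
    checks = {
        "CloudTrail": _status(ds, "CloudTrail", "Status"),
        "FlowLogs": _status(ds, "FlowLogs", "Status"),
        "DNSLogs": _status(ds, "DNSLogs", "Status"),
        "S3Logs (S3 Protection)": _status(ds, "S3Logs", "Status"),
        "Kubernetes audit logs": _status(ds, "Kubernetes", "AuditLogs", "Status"),
        "Malware Protection (EBS)": _status(ds, "MalwareProtection",
                                            "ScanEc2InstanceWithFindings", "EbsVolumes", "Status"),
    }
    issues += [f"data source not enabled: {n}" for n, s in checks.items() if s != "ENABLED"]
    # An ACTIVE trusted IP list silently suppresses findings for its addresses.
    issues += [f"active trusted IP list: {s.get('Name')} ({s.get('Location')})"
               for s in ip_sets if s.get("Status") == "ACTIVE"]
    return issues

def audit_region(region: str) -> list:
    """Live check of one Region; needs boto3 and AWS credentials."""
    import boto3  # imported here so diagnose() stays importable offline
    gd = boto3.client("guardduty", region_name=region)
    ids = gd.list_detectors().get("DetectorIds", [])
    if not ids:
        return ["no detector: GuardDuty is not activated in this Region"]
    ip_sets = [gd.get_ip_set(DetectorId=ids[0], IpSetId=i)
               for i in gd.list_ip_sets(DetectorId=ids[0]).get("IpSetIds", [])]
    return diagnose(gd.get_detector(DetectorId=ids[0]), ip_sets)

# Constructed sample: suspended detector, S3 Protection off, one active trusted list.
SAMPLE_DETECTOR = {"Status": "SUSPENDED", "DataSources": {
    "CloudTrail": {"Status": "ENABLED"}, "FlowLogs": {"Status": "ENABLED"},
    "DNSLogs": {"Status": "ENABLED"}, "S3Logs": {"Status": "DISABLED"},
    "Kubernetes": {"AuditLogs": {"Status": "ENABLED"}},
    "MalwareProtection": {"ScanEc2InstanceWithFindings": {"EbsVolumes": {"Status": "ENABLED"}}}}}
SAMPLE_IP_SETS = [{"Name": "office", "Location": "s3://bucket/trusted.txt", "Status": "ACTIVE"}]
```

Run `diagnose(SAMPLE_DETECTOR, SAMPLE_IP_SETS)` to see the three conditions flagged; an empty list means none of the article's causes applies and the absence of findings is expected.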

To create GuardDuty findings for testing, do one of the following:

For more information, see How do I set up a trusted IP address list for GuardDuty?