After Runtime Monitoring configuration - Amazon GuardDuty

After Runtime Monitoring configuration

Assess runtime coverage

After you enable Runtime Monitoring and deploy the GuardDuty security agent, we recommend that you continuously¹ assess the coverage status of the resource where you deployed the security agent. The coverage status is either Healthy or Unhealthy. A Healthy coverage status indicates that GuardDuty is receiving runtime events from the corresponding resource whenever there is operating system-level activity.

When the coverage status becomes Healthy for the resource, GuardDuty is able to receive the runtime events and analyze them for threat detection. When GuardDuty detects a potential security threat in the tasks or applications running in your container workloads and instances, GuardDuty generates one or more Runtime Monitoring finding types.

¹ You can also configure Amazon EventBridge (EventBridge) to receive a notification when the coverage status changes from Unhealthy to Healthy, or the reverse.

For more information, see Assessing runtime coverage for your resources.
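One way to automate the coverage assessment described above, as an added example (not AWS's own code): it pages through the GuardDuty ListCoverage API with a boto3-style client and groups Unhealthy resources by type. The stub client, resource IDs, issue text and detector ID are constructed so the block runs offline.

```python
from collections import defaultdict

# Filter in the shape boto3's guardduty list_coverage() accepts as FilterCriteria.
UNHEALTHY_FILTER = {"FilterCriterion": [
    {"CriterionKey": "COVERAGE_STATUS", "FilterCondition": {"Equals": ["UNHEALTHY"]}}]}


def unhealthy_coverage(client, detector_id):
    """Return {resource_type: [(resource_id, issue), ...]} for Unhealthy resources.

    `client` is any object exposing list_coverage() with boto3's keyword
    arguments, for example boto3.client("guardduty").
    """
    report = defaultdict(list)
    kwargs = {"DetectorId": detector_id, "FilterCriteria": UNHEALTHY_FILTER}
    while True:
        page = client.list_coverage(**kwargs)
        for res in page.get("Resources", []):
            # Re-check locally so a client that ignores the filter cannot
            # cause Healthy resources to be reported.
            if res.get("CoverageStatus") != "UNHEALTHY":
                continue
            rtype = res.get("ResourceDetails", {}).get("ResourceType", "UNKNOWN")
            report[rtype].append((res["ResourceId"], res.get("Issue", "")))
        token = page.get("NextToken")
        if not token:  # last page reached
            return dict(report)
        kwargs["NextToken"] = token


class StubGuardDuty:
    """Constructed stand-in that serves two canned ListCoverage pages."""
    PAGES = {
        None: {"NextToken": "page2", "Resources": [
            {"ResourceId": "i-0example0000000001", "CoverageStatus": "UNHEALTHY",
             "Issue": "constructed issue text", "ResourceDetails": {"ResourceType": "EC2"}},
            {"ResourceId": "example-eks-cluster", "CoverageStatus": "HEALTHY",
             "ResourceDetails": {"ResourceType": "EKS"}}]},
        "page2": {"Resources": [
            {"ResourceId": "example-ecs-cluster", "CoverageStatus": "UNHEALTHY",
             "Issue": "constructed issue text", "ResourceDetails": {"ResourceType": "ECS"}}]},
    }

    def list_coverage(self, **kwargs):
        return self.PAGES[kwargs.get("NextToken")]


if __name__ == "__main__":
    for rtype, items in unhealthy_coverage(StubGuardDuty(), "constructed-detector-id").items():
        for rid, issue in items:
            print(f"{rtype}\t{rid}\t{issue}")
```

Run on a schedule against a real client, a non-empty result is the signal to investigate before runtime events from that resource go missing.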

GuardDuty detects potential threats

As GuardDuty starts to receive the runtime events for your resource, it starts analyzing those events. When GuardDuty detects a potential security threat in any of your Amazon EC2 instances, Amazon ECS clusters, or Amazon EKS clusters, it generates one or more Runtime Monitoring finding types. You can access the finding details to view the impacted resource details.