Generating sample findings in GuardDuty - Amazon GuardDuty
Generating sample findings through the GuardDuty console or API
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Generating sample findings in GuardDuty

You can generate sample findings with Amazon GuardDuty to help you visualize and understand the various finding types that GuardDuty can generate. When you generate sample findings, GuardDuty populates your current findings list with one sample finding for each supported finding type.

The generated samples are approximations populated with placeholder values. These samples may look different from real findings for your environment, but you can use them to test various configurations for GuardDuty, such as your EventBridge events or filters. For a list of available values for finding types, see Finding types table.

Generating sample findings through the GuardDuty console or API

Choose your preferred access method to generate sample findings.

Note

The console method generates one of each finding type. Single sample findings can only be generated through the API.

Console

Use the following procedure to generate sample findings. This process generates one sample finding for each GuardDuty finding type.

  1. Open the GuardDuty console at https://console.amazonaws.cn/guardduty/.

  2. In the navigation pane, choose Settings.

  3. On the Settings page, under Sample findings, choose Generate sample findings.

  4. In the navigation pane, choose Findings. The sample findings are displayed on the Current findings page with the prefix [SAMPLE].

API/CLI

You can generate a single sample finding matching any of the GuardDuty finding types through the CreateSampleFindings API, the available values for finding types are listed in Finding types table.

This is useful for the testing of CloudWatch Events rules or automation based on findings. The following example shows how to generate a single sample finding of the Backdoor:EC2/DenialOfService.Tcp type using the Amazon CLI.

To find the detectorId for your account and current Region, see the Settings page in the https://console.amazonaws.cn/guardduty/ console, or run the ListDetectors API

aws guardduty create-sample-findings --detector-id 12abc34d567e8fa901bc2d34e56789f0 --finding-types Backdoor:EC2/DenialOfService.Tcp

The title of sample findings generated through these methods always begins with [SAMPLE] in the console. Sample findings have a value of "sample": true in the additionalInfo section of the finding JSON details.

To generate some common findings based on a simulated activity in a dedicated and isolated Amazon Web Services account within your environment, see Test GuardDuty findings in dedicated accounts.