

# Analyzing findings in Amazon Detective
<a name="analyzing-findings"></a>

A finding is an instance of potentially malicious activity or other risk that was detected. Amazon GuardDuty and AWS security findings are loaded into Amazon Detective so that you can use Detective to investigate the activity associated with the involved entities. GuardDuty findings are part of the Detective core package and are ingested by default. All other AWS security findings that are aggregated by Security Hub CSPM are ingested as an optional data source. See [Source data used in a behavior graph](https://docs.aws.amazon.com//detective/latest/userguide/detective-source-data-about.html) for more details.

A Detective finding overview provides detailed information about the finding. It also displays a summary of the involved entities, with links to the associated entity profiles.

If a finding is correlated to a larger activity, Detective notifies you to **Go to finding group**. We recommend using finding groups to continue your investigation, as finding groups enable you to examine multiple activities that relate to a potential security event. See [Analyzing finding groups](groups-about.md).

Amazon Detective provides an interactive visualization of finding groups. This visualization is designed to help you investigate issues faster and more thoroughly with less effort. The finding group **Visualization** panel displays the findings and entities involved in a finding group. You can use this interactive visualization to analyze, understand, and triage the impact of the finding group. This panel helps visualize the information presented in the **Involved entities** and **Involved findings** table. From the visual presentation, you can select findings or entities for further analysis. See [Finding group visualization](https://docs.aws.amazon.com/detective/latest/userguide/group-visual-finding-group.html).

**Topics**
+ [Analyzing a finding overview in Detective](finding-overview.md)
+ [Analyzing finding groups](groups-about.md)
+ [Finding group summary powered by generative AI](finding-group-summary.md)
+ [Archiving an Amazon GuardDuty finding](finding-update-status.md)

# Analyzing a finding overview in Detective
<a name="finding-overview"></a>

A Detective finding overview provides detailed information about the finding. It also displays a summary of the involved entities, with links to the associated entity profiles.

## Scope time used for the finding overview
<a name="finding-overview-scope-time"></a>

The scope time for a finding overview is set to the finding time window. The finding time window reflects the first and last time that the finding activity was observed.

## Finding details
<a name="finding-overview-finding-details"></a>

The panel at the right contains the details for the finding. These are the details provided by the finding provider.

From the finding details, you can also archive the finding. For more details, see [Archiving an Amazon GuardDuty finding](https://docs.aws.amazon.com//detective/latest/userguide/finding-update-status.html).

## Related entities
<a name="finding-overview-entities"></a>

The finding overview contains a list of entities that are involved in the finding. For each entity, the list provides overview information about the entity. This information reflects the information on the entity details profile panel on the corresponding entity profile.

You can filter the list based on entity type. You can also filter the list based on text in the entity identifier.

To pivot to the profile for an entity, choose **See profile**. When you pivot to the entity profile, the following occurs:
+ The scope time is set to the finding time window.
+ On the **Associated findings** panel for the entity, the finding is selected. The finding details remain displayed at the right of the entity profile.

## Troubleshooting 'Page not found'
<a name="finding-troubleshooting"></a>

When you navigate to an entity or a finding in Detective, you may see a **Page not found** error message. 

To resolve this, do one of the following: 
+ Make sure that the entity or finding belongs to one of your member accounts. For information on how to review member accounts, see [Viewing the list of accounts](https://docs.aws.amazon.com/detective/latest/userguide/accounts-view-list.html).
+ Make sure your administrator account is aligned with GuardDuty and/or Security Hub CSPM to pivot to Detective from these services. For the recommendations, see [Recommended alignment with GuardDuty and Security Hub CSPM](https://docs.aws.amazon.com/detective/latest/userguide/detective-setup.html#detective-recommendations).
+ Verify that the finding occurred after the member account accepted your invitation.
+ Verify the Detective behavior graph is ingesting data from an optional data source package. For more information about source data used in Detective behavior graphs, see [Source data used in a behavior graph](https://docs.aws.amazon.com/detective/latest/userguide/detective-source-data-about.html).
+ To allow Detective to ingest data from Security Hub CSPM and add that data to your behavior graph, you must enable Detective for AWS security findings as a data source package. For more information, see [AWS security findings](https://docs.aws.amazon.com//detective/latest/userguide/source-data-types-asff.html).
+ If you are navigating to an entity profile or finding overview in Detective, make sure that the URL is in the right format. For details on the formation of a profile URL, see [Navigating to an entity profile or finding overview using URL](https://docs.aws.amazon.com/detective/latest/userguide/profile-navigate-url.html).

# Analyzing finding groups
<a name="groups-about"></a>

Amazon Detective finding groups let you examine multiple activities as they relate to a potential security event. A finding group in Amazon Detective is created when Detective detects a pattern or relationship among multiple findings that suggest they are related to the same potential security incident. This grouping helps in managing and investigating related findings more efficiently.

You can analyze the root cause for high severity GuardDuty findings using finding groups. If a threat actor is attempting to compromise your AWS environment, they typically perform a sequence of actions that lead to multiple security findings and unusual behaviors. These actions are often spread across time and entities. When security findings are investigated in isolation, it can lead to a misinterpretation of their significance, and difficulty in finding the root cause. Amazon Detective addresses this problem by applying a graph analysis technique that infers relationships between findings and entities, and groups them together. We recommend treating finding groups as the starting point for investigating the involved entities and findings.

Detective analyzes data from findings and groups them with other findings that are likely to be related based on resources they share. For example, findings related to actions taken by the same IAM role sessions or originating from the same IP address are very likely to be part of the same underlying activity. It's valuable to investigate findings and evidence as a group, even if the associations made by Detective aren't related.

Finding groups are created based on the following criteria.
+ Temporal Proximity – Findings that occur within a close time frame are often grouped together, as they are likely related to the same incident.
+ Common Entities – Findings involving the same entities, such as IP addresses, users, or resources, are grouped together. This helps in understanding the scope of the incident across different parts of the environment.
+ Patterns and Behaviors – Detective analyzes patterns and behaviors in the findings, such as similar types of attacks or suspicious activities, to determine relationships and group them accordingly.
+ Tactics, Techniques, and Procedures (TTPs) – Findings that share similar TTPs, as described in frameworks like MITRE ATT&CK, are grouped together to highlight potential coordinated attacks.

These criteria help streamline the investigation process so you can focus on correlated findings that likely represent the same security incident.

In addition to findings, each group includes entities involved in the findings. The entities can include resources outside of AWS such as IP Addresses or user agents.

**Note**  
After an initial GuardDuty finding occurs that is related to another finding, the finding group with all related findings and all involved entities is created within 48 hours. 

# Understanding the finding groups page
<a name="understanding-groups"></a>

The finding groups page lists all the finding groups collected by Amazon Detective from your behavior graph. Take note of the following attributes of finding groups:

**Severity of a group**  
Each finding group is assigned a severity based on the AWS Security Finding Format (ASFF) severity of the associated findings. ASFF finding severity values are **Critical**, **High**, **Medium**, **Low**, or **Informational** from most to least severe. The severity of a grouping is equal to the highest severity finding among the findings in that grouping.   
Groups that consist of **Critical** or **High** severity findings that impact a large number of entities should be prioritized for investigations, as they are more likely to represent high-impact security issues.

**Group title**  
In the **Title** column, each group has a unique ID and a non-unique title. These are based on the ASFF type namespace for the group and the number of findings within that namespace in the cluster. For example, if a grouping has the title: Group with: **TTP (2), Effect (1), and Unusual behavior (2)** it includes five total findings consisting of two findings in the **TTP** namespace, one finding in the **Effect** namespace, and two findings in the **Unusual Behavior** namespace. For a complete list of namespaces, see [Types taxonomy for ASFF](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format-type-taxonomy.html).

**Tactics in a group**  
The **Tactics** column in a group details which tactics category the activity falls into. The tactics, techniques, and procedures categories in the following list align to the [MITRE ATT&CK matrix](https://attack.mitre.org/matrices/enterprise/).  
You can select a tactic on the chain to see a description of the tactic. Following the chain is a list of the tactics detected within the group. These categories and the activities they typically represent are as follows:  
+ **Initial Access** – An adversary is trying to get into someone else’s network.
+ **Execution** – An adversary is trying to run malicious code.
+ **Persistence** – An adversary is trying to maintain their foothold.
+ **Privilege Escalation** – An adversary is trying to gain higher-level permissions.
+ **Defense Evasion** – An adversary is trying to avoid being detected.
+ **Credential Access** – An adversary is trying to steal account names and passwords.
+ **Discovery** – An adversary is trying to understand and learn about an environment.
+ **Lateral Movement** – An adversary is trying to move through an environment.
+ **Collection** – An adversary is trying to gather data of interest to their goal.
+ **Command and Control** – An adversary is trying to communicate with compromised systems to control them.
+ **Exfiltration** – An adversary is trying to steal data.
+ **Impact** – An adversary is trying to manipulate, interrupt, or destroy your systems and data.
+ **Other** – Indicates activity from a finding that does not align with tactics listed in the matrix.

**Entities within a group**  
The **Entities** column contains details on the specific entities detected within this grouping. Select this value for a breakdown of entities based on the categories: **Identity**, **Network**, **Storage**, and **Compute**. Examples of entities in each category are:  
+ **Identity** – IAM principals and AWS accounts, such as user and role
+ **Network** – IP addresses or other networking and VPC entities
+ **Storage** – Amazon S3 buckets or Amazon DynamoDB tables
+ **Compute** – Amazon EC2 instances or Kubernetes containers

**Accounts within a group**  
The **Accounts** column tells you what AWS accounts own entities involved with the findings in the group. The AWS Accounts are listed by name and AWS ID so you can prioritize investigations of activity involving critical accounts. 

**Findings within a group**  
The **Findings** column lists the findings within a group by severity. The findings include Amazon GuardDuty findings, Amazon Inspector findings, AWS security findings, and evidence from Detective. You can select the graph to see an exact count of findings by severity.  
GuardDuty findings are part of the Detective core package and are ingested by default. All other AWS security findings that are aggregated by Security Hub CSPM are ingested as an optional data source. See [Source data used in a behavior graph](https://docs.aws.amazon.com//detective/latest/userguide/detective-source-data-about.html) for more details.

# Informational findings in finding groups
<a name="group-evidence"></a>

Amazon Detective identifies additional information related to a finding group based on data in your behavior graph collected within the last 45 days. Detective presents this information as a finding with the **Informational** severity. Evidence provides supporting information that highlights an unusual activity or unknown behavior that is potentially suspicious when viewed within a finding group. This might include newly observed geolocations or API calls observed within the scope time of a finding. Evidence findings are only viewable in Detective and are not sent to AWS Security Hub CSPM.

Detective determines the location of requests using MaxMind GeoIP databases. MaxMind reports very high accuracy of their data at the country level, although accuracy varies according to factors such as country and type of IP. For more information about MaxMind, see [MaxMind IP Geolocation](https://support.maxmind.com/hc/en-us/sections/4407519834267-IP-Geolocation). If you think any of the GeoIP data is incorrect, you can submit a correction request to MaxMind at [MaxMind Correct GeoIP2 Data](https://support.maxmind.com/hc/en-us/articles/4408252036123-GeoIP-Correction).

You can observe evidence for different principal types (such as IAM user or IAM role). For some evidence types, you can observe evidence for **all accounts**. This means the evidence affects your entire behavior graph. If an evidence finding is observed for all accounts, you will also see at least one additional informational evidence finding of the same type for an individual IAM role. For example, if you see a **New geolocation observed for all accounts** finding, you will also see a **New geolocation observed for a principal** finding.

**Types of evidence in finding groups**
+ New geolocation observed
+ New Autonomous System Organization (ASO) observed
+ New user agent observed
+ New API call issued
+ New geolocation observed for all accounts
+ New IAM principal observed for all accounts

# Finding group profiles
<a name="group-profile"></a>

When you select a group title, a finding group profile opens with additional details about that group. The details panel on the finding group profile page supports the display of up to 1000 entities and findings for parent and child finding groups.

The group profile page displays the set **Scope time** of the group. This is the date and time from the earliest finding or evidence included in the group to the most recently updated finding or evidence in a group. You can also see the **Finding group severity**, which is equal to the highest severity category among findings in the group. Other details within this profile panel include:
+ The **Involved tactics** chain shows you which tactics are attributed to the findings in the group. Tactics are based on the [MITRE ATT&CK Matrix for Enterprise](https://attack.mitre.org/matrices/enterprise/). The tactics are shown as a chain of colored dots that represents the typical progression of an attack from the earliest to the latest stages. This means the leftmost circles on the chain typically represent less severe activities, where an adversary is trying to gain or maintain access to your environment. Conversely, activities toward the right are the most severe and can include data tampering or destruction. 
+ The relationships that this group has with other groups. Occasionally, one or more previously unconnected groups of findings could be merged into a new group based on a newly discovered link, for example, a finding that involves entities from the existing groups. In this case, Amazon Detective deactivates the parent groups and creates a child group. You can trace the lineage for any group back to its parent groups. Groups can have the following relationships:
  + **Child finding group** – A finding group created when a new finding involves entities from two other finding groups. The parent groups are listed for any child group.
  + **Parent finding group** – A finding group is a parent when a child group has been created from it. If a finding group is a parent, the related children are listed with it. A parent group's status becomes **Inactive** when it's merged into an **Active** child group.

There are two information tabs that open profile panels. Using the **Involved entities** and **Involved findings** tabs, you can view further details about the group. 

Use **Run investigation** to generate an investigation report. The generated report details anomalous behavior that indicates compromise.

## Profile within groups
<a name="group-profile-panels"></a>

**Involved entities**  
Focuses on the entities in the finding group, including what findings within the group each entity is linked to. The tags attached to each entity are also displayed so you can quickly identify important entities based on tagging. Select an entity to view its entity profile. 

**Involved findings**  
Has details about each finding, including finding severity, each entity involved, and when that finding was first and last seen. Select a finding type in the list to open a finding details panel with additional information about that finding. As part of the **Involved findings** panel, you may see **Informational** findings based on Detective evidence from your behavior graph. 

# Finding group visualization
<a name="group-visual-finding-group"></a>

Amazon Detective provides an interactive visualization of finding groups. This visualization is designed to help you investigate issues faster and more thoroughly with less effort. The finding group **Visualization** panel displays the findings and entities involved in a finding group. You can use this interactive visualization to analyze, understand, and triage the impact of the finding group. This panel helps visualize the information presented in the **Involved entities** and **Involved findings** table. From the visual presentation, you can select findings or entities for further analysis.

Detective finding groups with aggregated findings are clusters of findings that are connected to the same type of resource. With aggregated findings, you can quickly assess the makeup of a finding group and interpret security issues faster. In the finding groups details panel, similar findings are combined, and you can expand them to view closely related findings together. For example, in an evidence node, informational findings and medium findings of the same type are aggregated. Currently, you can view the title, source, type, and severity of finding groups with aggregated findings.

From this interactive panel, you can:
+ Use **Run investigation** to generate an investigation report. The generated report details anomalous behavior that indicates compromise. For more details, see [Detective Investigations](https://docs.aws.amazon.com//detective/latest/userguide/investigations-about.html).
+ View more details on finding groups with aggregated findings to analyze the involved evidence, entities, and findings. 
+ View the labels for the entities and findings to identify the affected entities with potential security issues. You can toggle off the **Label**. 
+ Rearrange the entities and findings to better understand their interconnectedness. Isolate entities and findings from a group by moving the selected item in the finding group.
+ Select the evidence, entities, and findings to view more details about them. To select multiple items, hold **Command** or **Control** and either choose the items, or drag and drop them using your pointer.
+ Adjust the layout to fit all entities and findings into the finding group window. View what entity types are prevalent in a finding group. 

**Note**  
The finding group **Visualization** panel supports the display of finding groups with up to 100 entities and findings.

You can use the drop-down to view the findings and entities in a **Radial**, **Circle**, **Force-directed**, or **Grid** layout. The **Radial** layout provides improved visualization for easier data interpretation. The **Force-directed** layout positions the entities and findings so that links are a consistent length between items and the links are distributed evenly. This helps to reduce overlapping. The layout that you select defines the placement of findings in the **Visualization** panel.

## Timeline layout
<a name="graphviz-timeline"></a>

The timeline layout provides a dynamic way to visualize how your finding groups evolve over time. This allows you to see the progression of events, helping you to better understand the sequence and potential causality of security incidents using Detective.

Use the timeline slider at the bottom of the visualization panel to select a specific point in time. The visualization updates to show the state of your finding group at that moment. The play button allows you to automatically progress through the timeline. Choose the play button to start the animation. The visualization updates in real time, showing how the finding group changes over time. Use the pause button to stop the animation at any point.

You can now filter findings based on their severity level using the Filter dropdown. When you apply a filter, the visualization will update to show only the findings that match your selected severity level. The filter only affects the findings shown in the timeline, not in the full Finding Group visualization. This allows you to quickly focus on high-priority issues or investigate specific types of findings.

You can use the filtering feature in combination with the Timeline Layout to see how findings of different severity levels emerge and evolve over time.

**Enhanced Investigation Workflow**

With the addition of the Timeline Layout and filtering capabilities, you can now conduct even more comprehensive investigations:

1. Start by viewing the entire finding group using one of the static layouts (Radial, Circle, Force-directed, or Grid).

1. Use timelines to understand how the situation developed over time.

1. Use the play button to automatically progress through the timeline, watching for key moments or patterns.

1. Pause at significant points to investigate further.

1. Apply filters to focus on findings of specific severity levels.

1. Use the keyboard shortcuts and selection tools to dive deeper into entities and findings of interest.

This enhanced workflow allows for a more nuanced and thorough investigation of complex security scenarios. You can conduct more efficient and effective security investigations, leading to faster incident resolution and improved overall security posture.

## Keyboard shortcuts
<a name="graphviz-shortcuts"></a>

You can use the following keyboard shortcuts to interact with the finding group Visualization panel:
+ Click – Selects a single node, deselects all other nodes, deselects all nodes if white space is clicked.
+ Ctrl + Click – Selects a single node, does not deselect other nodes.
+ Drag – Pans the view.
+ Ctrl + Drag – Marquee selects, does not deselect other nodes.
+ Shift + Drag – Marquee selects, deselects all other nodes.
+ Arrow keys – Changes the focus between nodes.
+ Ctrl + Space – Selects or deselects the currently focused node.
+ Shift + Arrow keys – Changes the focus between nodes and selects them.

The dynamic **Legend** changes based on the entities and findings in your current graph. It helps you identify what each visual element represents.

# Finding group summary powered by generative AI
<a name="finding-group-summary"></a>

By default, Amazon Detective automatically provides summaries of an individual finding group. The summaries are powered by generative artificial intelligence (generative AI) models hosted on [Amazon Bedrock](https://docs.aws.amazon.com//bedrock/latest/userguide/what-is-bedrock.html). Finding Group Summary is available at no extra cost if Detective is enabled. 

**Note**  
Beginning February 16th, 2026, Detective's Finding Group Summary feature will automatically select the optimal AWS region (from a grouping of regional endpoints within your geography) to process your finding group data and generate summaries using [Cross-region inference](#fg-summary-cross-region-inference).  
If you do not wish to use this feature, you can disable it from Detective's console or by using deny permissions on the IAM role used to access Detective's console. See [Opting out of finding group summary](#fg-summary-disable).

By using finding groups, you can examine multiple security findings as they relate to a potential security event and identify potential threat actors. Finding group summaries build upon these capabilities. Finding group summaries consume the data for a finding group, rapidly analyze relationships between the findings and affected resources, and then summarize potential threats in natural language. You can use these summaries to identify larger security threats, improve investigation efficiency, and shorten response timelines. 

**Note**  
Finding group summaries powered by generative AI may not always provide completely accurate information. See [AWS Responsible AI Policy](https://aws.amazon.com//machine-learning/responsible-ai/policy/) for more information.

## Reviewing finding group summary
<a name="using-fg-summary"></a>

The finding group summary for a finding group gives you a clear, detailed explanation of a security event. In natural language, the explanation includes a succinct title, a summary of the resources involved, and curated information about those resources. 

**To review a finding group summary**

1. Open the Detective console at [https://console.aws.amazon.com/detective/](https://console.aws.amazon.com/detective/).

1. In the navigation pane, choose **Finding groups**.

1. In the **Finding groups** table, choose the finding group that you want to display a summary of. A details page appears. 

On the details page, you can use the **Summary** pane to review a generated, descriptive summary of the top findings in the finding group. You can also review an analysis of the top threat events in the finding group, which you can then investigate further. To add the generated summary to your notes or a ticketing system, choose the copy icon in the pane. This copies the summary to your clipboard. You can also share feedback about the finding group summary output, which helps provide a better experience in the future. To share your feedback, choose the thumbs up or thumbs down icon, depending on the nature of your feedback. 

**Note**  
If you provide feedback about the finding group summary, your feedback is not used for model tuning. We use it only to help ensure that the prompts in Detective are crafted effectively.

![The Summary pane, with a generated descriptive summary of the top findings in a finding group and an analysis of the top threat events in the group.](http://docs.aws.amazon.com/detective/latest/userguide/images/Detective-assistant.png)


## Opting out of finding group summary
<a name="fg-summary-disable"></a>

By default, finding group summary is enabled for finding groups. Customers who do not wish to use the finding group summary feature can opt out at the user level, or via the IAM role being used to access the AWS Management Console.

### User-level opt-out
<a name="fg-summary-disable-user"></a>

Each user accessing Detective can set their individual preference to opt out of the finding group summary feature. Opting out of the summary will prevent the finding group data from being processed via cross-region inference.

**To opt out of finding group summary**

1. Open the Detective console at [https://console.aws.amazon.com/detective/](https://console.aws.amazon.com/detective/).

1. In the navigation pane, choose **Preferences**.

1. Under **Finding group summary**, choose **Edit**. 

1. Turn off **Enabled**.

1. Choose **Save**. 

### IAM role-based opt-out
<a name="fg-summary-disable-iam"></a>

Multiple users can be opted out of the finding group summary feature by modifying the IAM role being used to access Detective. Adding a Deny statement for the `detective:InvokeAssistant` permission on the role will prevent all users accessing Detective via that role from using the finding group summary feature, preventing the processing of finding group data via cross-region inference. Users can then individually follow the user-level opt-out steps to prevent the summary pane from appearing.

**To opt out of finding group summary using IAM**

1. Identify the IAM roles being used for accessing Amazon Detective.

1. Add an IAM policy statement with the `Deny` effect for the `detective:InvokeAssistant` action to the role.
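
The following policy statement is an added example of the `Deny` described in step 2; it is not from the Detective documentation, and the `Sid` value is an assumption. Attach it as an inline or managed policy to each role identified in step 1.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyDetectiveFindingGroupSummary",
      "Effect": "Deny",
      "Action": "detective:InvokeAssistant",
      "Resource": "*"
    }
  ]
}
```

Because an explicit `Deny` overrides any `Allow` in IAM policy evaluation, the role's other Detective permissions stay intact while only the summary feature is blocked.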

## Enabling finding group summary
<a name="fg-summary-reenable"></a>

If you previously opted out of finding group summary for finding groups, you can enable them again at any time. 

**To enable finding group summary**

1. Open the Detective console at [https://console.aws.amazon.com/detective/](https://console.aws.amazon.com/detective/).

1. In the navigation pane, choose **Preferences**.

1. Under **Finding group summary**, choose **Edit**. 

1. Turn on **Enabled**.

1. Choose **Save**. 

## Cross-region inference
<a name="fg-summary-cross-region-inference"></a>

Detective automatically selects the optimal AWS Region within your geography to process your finding group data and generate summaries. This maximizes available compute resources and model availability, and delivers the best customer experience. Your finding group data remains stored only in the Region where the summary request originates; however, finding group data and summary results may be processed outside that Region. All data is transmitted encrypted across Amazon's secure network.

Detective securely routes your inference requests to available compute resources within the geographic area where the request originated, as shown in the following table.


**Cross-region inference routing**  
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/detective/latest/userguide/finding-group-summary.html)

## Supported Regions
<a name="fg-summary-supported-regions"></a>

**Finding group summary** is available in the following AWS Regions. 
+ US East (N. Virginia) 
+ US West (Oregon)
+ Asia Pacific (Tokyo)
+ Europe (Frankfurt)

# Archiving an Amazon GuardDuty finding
<a name="finding-update-status"></a>

When you complete your investigation of an Amazon GuardDuty finding, you can archive the finding from Amazon Detective. This saves you the trouble of having to return to GuardDuty to make the update. Archiving a finding indicates that you have finished your investigation of it.

You can only archive a GuardDuty finding from within Detective if you are also the GuardDuty administrator account for the account associated with the finding. If you are not a GuardDuty administrator account and you attempt to archive a finding, GuardDuty displays an error.

**To archive a GuardDuty finding**

1. Sign in to the AWS Management Console. Then open the Detective console at [https://console.aws.amazon.com/detective/](https://console.aws.amazon.com/detective/).

1. In the Detective console, in the finding details panel, choose **Archive finding**.

1. When prompted to confirm, choose **Archive**.

You can view archived GuardDuty findings in the GuardDuty console. The archived finding is stored in GuardDuty for 90 days and can be viewed at any time during that period. You can view suppressed findings in the GuardDuty console by selecting Archived from the findings table, or through the GuardDuty API using the [ListFindings API](https://docs.aws.amazon.com//guardduty/latest/APIReference/API_ListFindings.html) with a `findingCriteria` criterion of `service.archived` equal to `true`. To learn more, see [Suppression Rules](https://docs.aws.amazon.com//guardduty/latest/ug/findings_suppression-rule.html) in the *Amazon GuardDuty User Guide*.