Dashboard

The Dashboard is your real-time security posture summary. It aggregates data from DynamoDB to give you an at-a-glance view of threat activity, response coverage, and recent events — without requiring you to dig through individual finding logs.

In the app: /

KPI Cards

Four metric cards at the top of the page summarize the current state of your environment: total active (enabled) threat rules, GuardDuty events captured in the last 24 hours, entities currently blocked by an active BLOCK policy, and IAM credentials that have been revoked. These numbers update each time you load the page.

Threat Timeline

A bar chart showing the number of GuardDuty findings per day over a selectable window (7 days, 14 days, or 30 days). Each bar represents one calendar day in UTC.

Use this chart to correlate finding spikes with specific events in your infrastructure: a new deployment, a penetration test, a change in network topology, or an actual incident. A sudden spike on a day with no known change is worth investigating in the Events log.

Severity Distribution

A donut chart breaking down all processed findings into Critical, High, Medium, and Low severity buckets. A healthy environment has the vast majority of findings in Low/Medium, with zero or very few Critical items. If Critical findings are accumulating, check the Threats page to ensure those finding types are set to BLOCK or REVOKE rather than REPORT.

Response Action Breakdown

A second donut chart showing what fraction of your configured threat rules are set to each action: IGNORE, REPORT, BLOCK, REVOKE, SAVE. This gives a quick read on your response coverage. Ideally, all Critical-severity rules should be on BLOCK or REVOKE, and nothing should be on IGNORE unless you have a deliberate reason.

Recent Events

A table of the 10 most recent security events, newest first. Each row shows the timestamp (UTC), finding type, severity badge, and actor summary. Click any row to navigate to the Events page. This panel is most useful for spotting brand-new activity without leaving the dashboard.

Top Threats

A ranked list of the most frequently triggered finding types. A finding type appearing here hundreds of times may indicate either a noisy low-value detector (consider IGNORE) or a real persistent threat (consider BLOCK). Cross-reference with the severity and actor details in the Events page to decide which.

Demo Mode

Append ?showDemoData=true to the app URL to populate the dashboard with synthetic sample data. Useful for onboarding new team members or testing the UI before GuardDuty has produced real findings.

ℹ️ Note

All dashboard data is read from DynamoDB. If the dashboard shows zeros but you know GuardDuty is active, check that the EventBridge rule in your CloudFormation stack is enabled and that the EventsProcessor Lambda has not been throttled.

💡 Tip

Switch to the 30-day window and look for slow trends rather than daily spikes — a gradual increase in Low-severity findings over a month can indicate a persistent low-and-slow recon campaign.
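The following script is an added illustration, not the app's own code, of how the panels described above are computed from a set of finding records: the Threat Timeline's per-UTC-day buckets, the Severity Distribution, the Response Action Breakdown (with the coverage check the Response Action section recommends), Recent Events ordered newest first, Top Threats, and the slow-trend comparison suggested in the Tip. The finding records, the rule table, the field names and the fixed "now" are all constructed for the example; the real app reads its data from DynamoDB and may use a different schema.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample findings (not real GuardDuty output, not the app's schema):
# only the fields the dashboard panels need. f-02 deliberately carries a
# non-UTC offset: 20:30 at -05:00 is 01:30Z on 2024-06-30, so it must be
# counted on the 30th, not the 29th.
SAMPLE_FINDINGS = [
    {"id": "f-01", "time": "2024-06-30T08:15:00Z", "type": "Recon:EC2/PortProbeUnprotectedPort", "severity": "Low", "actor": "203.0.113.7"},
    {"id": "f-02", "time": "2024-06-29T20:30:00-05:00", "type": "Recon:EC2/PortProbeUnprotectedPort", "severity": "Low", "actor": "203.0.113.7"},
    {"id": "f-03", "time": "2024-06-29T14:00:00Z", "type": "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS", "severity": "High", "actor": "i-0abc"},
    {"id": "f-04", "time": "2024-06-28T09:00:00Z", "type": "Recon:EC2/PortProbeUnprotectedPort", "severity": "Low", "actor": "198.51.100.2"},
    {"id": "f-05", "time": "2024-06-27T11:00:00Z", "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS", "severity": "High", "actor": "i-0def"},
    {"id": "f-06", "time": "2024-06-22T03:00:00Z", "type": "Recon:EC2/PortProbeUnprotectedPort", "severity": "Low", "actor": "203.0.113.9"},
    {"id": "f-07", "time": "2024-06-05T03:00:00Z", "type": "Policy:IAMUser/RootCredentialUsage", "severity": "Low", "actor": "root"},
]

# Constructed rule table keyed by finding type. A rule with no findings yet
# still counts toward response coverage.
SAMPLE_RULES = {
    "Recon:EC2/PortProbeUnprotectedPort": {"severity": "Low", "action": "REPORT", "enabled": True},
    "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS": {"severity": "Critical", "action": "REVOKE", "enabled": True},
    "CryptoCurrency:EC2/BitcoinTool.B!DNS": {"severity": "High", "action": "BLOCK", "enabled": True},
    "Policy:IAMUser/RootCredentialUsage": {"severity": "Critical", "action": "REPORT", "enabled": True},
    "Trojan:EC2/DNSDataExfiltration": {"severity": "Medium", "action": "IGNORE", "enabled": False},
}

NOW = datetime(2024, 6, 30, 12, 0, tzinfo=timezone.utc)  # fixed "now" so results are reproducible
SEVERITIES = ("Critical", "High", "Medium", "Low")
ACTIONS = ("IGNORE", "REPORT", "BLOCK", "REVOKE", "SAVE")


def parse_time(stamp):
    """Parse an ISO-8601 timestamp written with Z or an explicit offset into an aware datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def utc_day(stamp):
    """The UTC calendar day a finding belongs to, whatever offset it was recorded with."""
    return parse_time(stamp).astimezone(timezone.utc).date()


def findings_per_day(findings, window_days, now=NOW):
    """Threat Timeline: one zero-filled bucket per UTC day, oldest first, ending today."""
    today = now.astimezone(timezone.utc).date()
    first = today - timedelta(days=window_days - 1)
    counts = Counter(utc_day(f["time"]) for f in findings)
    days = [first + timedelta(days=i) for i in range(window_days)]
    return [(d.isoformat(), counts.get(d, 0)) for d in days]


def severity_distribution(findings):
    """Severity Distribution: a count for every bucket, including empty ones."""
    counts = Counter(f["severity"] for f in findings)
    return {s: counts.get(s, 0) for s in SEVERITIES}


def action_breakdown(rules):
    """Response Action Breakdown over all configured rules."""
    counts = Counter(r["action"] for r in rules.values())
    return {a: counts.get(a, 0) for a in ACTIONS}


def coverage_gaps(rules):
    """Rules worth reviewing: Critical severity not on BLOCK/REVOKE, or anything on IGNORE."""
    gaps = []
    for ftype, r in rules.items():
        if r["severity"] == "Critical" and r["action"] not in ("BLOCK", "REVOKE"):
            gaps.append((ftype, "critical rule not on BLOCK/REVOKE"))
        if r["action"] == "IGNORE":
            gaps.append((ftype, "rule set to IGNORE"))
    return gaps


def recent_events(findings, n=10):
    """Recent Events: newest first by instant (sorting the raw strings misorders mixed offsets)."""
    return sorted(findings, key=lambda f: parse_time(f["time"]), reverse=True)[:n]


def top_threats(findings, n=5):
    """Top Threats: finding types ranked by how often they fired."""
    return Counter(f["type"] for f in findings).most_common(n)


def low_severity_trend(findings, window_days=30, now=NOW):
    """Tip: average Low findings per day in the first half of the window vs. the second half."""
    low = [f for f in findings if f["severity"] == "Low"]
    timeline = findings_per_day(low, window_days, now)
    half = window_days // 2
    first = sum(c for _, c in timeline[:half]) / half
    second = sum(c for _, c in timeline[half:]) / (window_days - half)
    return first, second


if __name__ == "__main__":
    for day, count in findings_per_day(SAMPLE_FINDINGS, 7):
        print(day, "#" * count)
    print(severity_distribution(SAMPLE_FINDINGS))
    print(action_breakdown(SAMPLE_RULES), coverage_gaps(SAMPLE_RULES))
    print(top_threats(SAMPLE_FINDINGS, 3))
    print("Low-severity trend (first half, second half):", low_severity_trend(SAMPLE_FINDINGS))
```

Two details carry the weight here. Bucketing by `utc_day` rather than by the leading characters of the timestamp string is what makes the timeline's "one calendar day in UTC" promise hold when sources write different offsets, and `findings_per_day` zero-fills the window so a quiet day shows as an empty bar instead of vanishing. The trend helper reuses the same timeline on Low findings only, which is exactly the slow-rise check the Tip describes: in the constructed data the first half of the 30-day window averages one Low finding per fifteen days and the second half four, a rise no single daily bar would make obvious.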