Events

Each row in the table shows: the UTC timestamp, the finding type identifier, a color-coded severity badge (Critical / High / Medium / Low), the actor summary (source IP or IAM principal), and a short description. Events are sorted newest-first. The table is paginated at 25 rows per page.

Use the Previous and Next buttons at the bottom of the table to navigate between pages of 25 events. The system uses DynamoDB cursor-based pagination, meaning pages are not numbered — you navigate forward and backward through a chronological cursor. Very old events may no longer appear if TTL has expired them.

Native GuardDuty findings are labeled with the GuardDuty service badge. They include the full finding metadata: finding ID, account ID, region, resource ARN, and the actor who triggered the finding. The finding ID can be used to look up the original finding in the GuardDuty console for deeper analysis.

Events generated by the ThreatReaction sliding-window detector are labeled with the ThreatReaction service badge. They include the operation type (GetObject, PutObject, DeleteObject, ListObjects), the actor (IP or IAM principal), the number of operations in the detection window, and the total bytes transferred. These events indicate that an entity's S3 activity exceeded the anomaly threshold for the registered bucket.

Events are stored in DynamoDB with a TTL (time-to-live). By default, events expire after 90 days. This keeps storage costs low while retaining enough history for incident response and trend analysis. If you need longer retention, export findings to S3 using the SAVE action on the Threats page.

The Refresh button in the app header reloads the current page of events from DynamoDB. Threat Reaction does not auto-poll — use Refresh to check for new activity since you last loaded the page.