GuardDuty monitors your AWS infrastructures on a continuous basis to detect malicious or unauthorized behavior and creates records based on such findings. If you have subscribed to GuardDuty for the first time, you see no findings in the list. You can click Generate sample findings under Settings and get some samples. Then several dummy findings marked as “[SAMPLE]” are created. As long as you have set up the Lambda function and CloudWatch correctly, some of those sample findings trigger the CloudWatch event rule to run the Lambda function. A few new IP addresses eventually appear in the ip_blocklist.