2020/09/03 - Amazon GuardDuty - 1 updated api methods
Changes: GuardDuty findings triggered by failed events now include the error code name within the AwsApiCallAction section.
{'Findings': {'Service': {'Action': {'AwsApiCallAction': {'ErrorCode': 'string'}}}}}
Describes Amazon GuardDuty findings specified by finding IDs.
See also: AWS API Documentation
Request Syntax
client.get_findings(
    DetectorId='string',
    FindingIds=[
        'string',
    ],
    SortCriteria={
        'AttributeName': 'string',
        'OrderBy': 'ASC'|'DESC'
    }
)
Parameters
DetectorId (string) -- [REQUIRED]
The ID of the detector that specifies the GuardDuty service whose findings you want to retrieve.
FindingIds (list) -- [REQUIRED]
The IDs of the findings that you want to retrieve.
(string) --
SortCriteria (dict) --
Represents the criteria used for sorting findings.
AttributeName (string) --
Represents the finding attribute (for example, accountId) to sort findings by.
OrderBy (string) --
The order by which the sorted findings are to be displayed.
Return type
dict
Response Syntax
{
    'Findings': [
        {
            'AccountId': 'string',
            'Arn': 'string',
            'Confidence': 123.0,
            'CreatedAt': 'string',
            'Description': 'string',
            'Id': 'string',
            'Partition': 'string',
            'Region': 'string',
            'Resource': {
                'AccessKeyDetails': {
                    'AccessKeyId': 'string',
                    'PrincipalId': 'string',
                    'UserName': 'string',
                    'UserType': 'string'
                },
                'S3BucketDetails': [
                    {
                        'Arn': 'string',
                        'Name': 'string',
                        'Type': 'string',
                        'CreatedAt': datetime(2015, 1, 1),
                        'Owner': {
                            'Id': 'string'
                        },
                        'Tags': [
                            {
                                'Key': 'string',
                                'Value': 'string'
                            },
                        ],
                        'DefaultServerSideEncryption': {
                            'EncryptionType': 'string',
                            'KmsMasterKeyArn': 'string'
                        },
                        'PublicAccess': {
                            'PermissionConfiguration': {
                                'BucketLevelPermissions': {
                                    'AccessControlList': {
                                        'AllowsPublicReadAccess': True|False,
                                        'AllowsPublicWriteAccess': True|False
                                    },
                                    'BucketPolicy': {
                                        'AllowsPublicReadAccess': True|False,
                                        'AllowsPublicWriteAccess': True|False
                                    },
                                    'BlockPublicAccess': {
                                        'IgnorePublicAcls': True|False,
                                        'RestrictPublicBuckets': True|False,
                                        'BlockPublicAcls': True|False,
                                        'BlockPublicPolicy': True|False
                                    }
                                },
                                'AccountLevelPermissions': {
                                    'BlockPublicAccess': {
                                        'IgnorePublicAcls': True|False,
                                        'RestrictPublicBuckets': True|False,
                                        'BlockPublicAcls': True|False,
                                        'BlockPublicPolicy': True|False
                                    }
                                }
                            },
                            'EffectivePermission': 'string'
                        }
                    },
                ],
                'InstanceDetails': {
                    'AvailabilityZone': 'string',
                    'IamInstanceProfile': {
                        'Arn': 'string',
                        'Id': 'string'
                    },
                    'ImageDescription': 'string',
                    'ImageId': 'string',
                    'InstanceId': 'string',
                    'InstanceState': 'string',
                    'InstanceType': 'string',
                    'OutpostArn': 'string',
                    'LaunchTime': 'string',
                    'NetworkInterfaces': [
                        {
                            'Ipv6Addresses': [
                                'string',
                            ],
                            'NetworkInterfaceId': 'string',
                            'PrivateDnsName': 'string',
                            'PrivateIpAddress': 'string',
                            'PrivateIpAddresses': [
                                {
                                    'PrivateDnsName': 'string',
                                    'PrivateIpAddress': 'string'
                                },
                            ],
                            'PublicDnsName': 'string',
                            'PublicIp': 'string',
                            'SecurityGroups': [
                                {
                                    'GroupId': 'string',
                                    'GroupName': 'string'
                                },
                            ],
                            'SubnetId': 'string',
                            'VpcId': 'string'
                        },
                    ],
                    'Platform': 'string',
                    'ProductCodes': [
                        {
                            'Code': 'string',
                            'ProductType': 'string'
                        },
                    ],
                    'Tags': [
                        {
                            'Key': 'string',
                            'Value': 'string'
                        },
                    ]
                },
                'ResourceType': 'string'
            },
            'SchemaVersion': 'string',
            'Service': {
                'Action': {
                    'ActionType': 'string',
                    'AwsApiCallAction': {
                        'Api': 'string',
                        'CallerType': 'string',
                        'DomainDetails': {
                            'Domain': 'string'
                        },
                        'ErrorCode': 'string',
                        'RemoteIpDetails': {
                            'City': {
                                'CityName': 'string'
                            },
                            'Country': {
                                'CountryCode': 'string',
                                'CountryName': 'string'
                            },
                            'GeoLocation': {
                                'Lat': 123.0,
                                'Lon': 123.0
                            },
                            'IpAddressV4': 'string',
                            'Organization': {
                                'Asn': 'string',
                                'AsnOrg': 'string',
                                'Isp': 'string',
                                'Org': 'string'
                            }
                        },
                        'ServiceName': 'string'
                    },
                    'DnsRequestAction': {
                        'Domain': 'string'
                    },
                    'NetworkConnectionAction': {
                        'Blocked': True|False,
                        'ConnectionDirection': 'string',
                        'LocalPortDetails': {
                            'Port': 123,
                            'PortName': 'string'
                        },
                        'Protocol': 'string',
                        'LocalIpDetails': {
                            'IpAddressV4': 'string'
                        },
                        'RemoteIpDetails': {
                            'City': {
                                'CityName': 'string'
                            },
                            'Country': {
                                'CountryCode': 'string',
                                'CountryName': 'string'
                            },
                            'GeoLocation': {
                                'Lat': 123.0,
                                'Lon': 123.0
                            },
                            'IpAddressV4': 'string',
                            'Organization': {
                                'Asn': 'string',
                                'AsnOrg': 'string',
                                'Isp': 'string',
                                'Org': 'string'
                            }
                        },
                        'RemotePortDetails': {
                            'Port': 123,
                            'PortName': 'string'
                        }
                    },
                    'PortProbeAction': {
                        'Blocked': True|False,
                        'PortProbeDetails': [
                            {
                                'LocalPortDetails': {
                                    'Port': 123,
                                    'PortName': 'string'
                                },
                                'LocalIpDetails': {
                                    'IpAddressV4': 'string'
                                },
                                'RemoteIpDetails': {
                                    'City': {
                                        'CityName': 'string'
                                    },
                                    'Country': {
                                        'CountryCode': 'string',
                                        'CountryName': 'string'
                                    },
                                    'GeoLocation': {
                                        'Lat': 123.0,
                                        'Lon': 123.0
                                    },
                                    'IpAddressV4': 'string',
                                    'Organization': {
                                        'Asn': 'string',
                                        'AsnOrg': 'string',
                                        'Isp': 'string',
                                        'Org': 'string'
                                    }
                                }
                            },
                        ]
                    }
                },
                'Evidence': {
                    'ThreatIntelligenceDetails': [
                        {
                            'ThreatListName': 'string',
                            'ThreatNames': [
                                'string',
                            ]
                        },
                    ]
                },
                'Archived': True|False,
                'Count': 123,
                'DetectorId': 'string',
                'EventFirstSeen': 'string',
                'EventLastSeen': 'string',
                'ResourceRole': 'string',
                'ServiceName': 'string',
                'UserFeedback': 'string'
            },
            'Severity': 123.0,
            'Title': 'string',
            'Type': 'string',
            'UpdatedAt': 'string'
        },
    ]
}
Response Structure
(dict) --
Findings (list) --
A list of findings.
(dict) --
Contains information about the finding, which is generated when abnormal or suspicious activity is detected.
AccountId (string) --
The ID of the account in which the finding was generated.
Arn (string) --
The ARN of the finding.
Confidence (float) --
The confidence score for the finding.
CreatedAt (string) --
The time and date when the finding was created.
Description (string) --
The description of the finding.
Id (string) --
The ID of the finding.
Partition (string) --
The partition associated with the finding.
Region (string) --
The Region where the finding was generated.
Resource (dict) --
Contains information about the AWS resource associated with the activity that prompted GuardDuty to generate a finding.
AccessKeyDetails (dict) --
The IAM access key details (IAM user information) of a user that engaged in the activity that prompted GuardDuty to generate a finding.
AccessKeyId (string) --
The access key ID of the user.
PrincipalId (string) --
The principal ID of the user.
UserName (string) --
The name of the user.
UserType (string) --
The type of the user.
S3BucketDetails (list) --
Contains information on the S3 bucket.
(dict) --
Contains information on the S3 bucket.
Arn (string) --
The Amazon Resource Name (ARN) of the S3 bucket.
Name (string) --
The name of the S3 bucket.
Type (string) --
Describes whether the bucket is a source or destination bucket.
CreatedAt (datetime) --
The date and time at which the bucket was created.
Owner (dict) --
The owner of the S3 bucket.
Id (string) --
The canonical user ID of the bucket owner. For information about locating your canonical user ID, see Finding Your Account Canonical User ID.
Tags (list) --
All tags attached to the S3 bucket.
(dict) --
Contains information about a tag associated with the EC2 instance.
Key (string) --
The EC2 instance tag key.
Value (string) --
The EC2 instance tag value.
DefaultServerSideEncryption (dict) --
Describes the server side encryption method used in the S3 bucket.
EncryptionType (string) --
The type of encryption used for objects within the S3 bucket.
KmsMasterKeyArn (string) --
The Amazon Resource Name (ARN) of the KMS encryption key. Only available if the bucket EncryptionType is aws:kms.
PublicAccess (dict) --
Describes the public access policies that apply to the S3 bucket.
PermissionConfiguration (dict) --
Contains information about how permissions are configured for the S3 bucket.
BucketLevelPermissions (dict) --
Contains information about the bucket level permissions for the S3 bucket.
AccessControlList (dict) --
Contains information on how Access Control Policies are applied to the bucket.
AllowsPublicReadAccess (boolean) --
A value that indicates whether public read access for the bucket is enabled through an Access Control List (ACL).
AllowsPublicWriteAccess (boolean) --
A value that indicates whether public write access for the bucket is enabled through an Access Control List (ACL).
BucketPolicy (dict) --
Contains information on the bucket policies for the S3 bucket.
AllowsPublicReadAccess (boolean) --
A value that indicates whether public read access for the bucket is enabled through a bucket policy.
AllowsPublicWriteAccess (boolean) --
A value that indicates whether public write access for the bucket is enabled through a bucket policy.
BlockPublicAccess (dict) --
Contains information on which account level S3 Block Public Access settings are applied to the S3 bucket.
IgnorePublicAcls (boolean) --
Indicates if S3 Block Public Access is set to IgnorePublicAcls.
RestrictPublicBuckets (boolean) --
Indicates if S3 Block Public Access is set to RestrictPublicBuckets.
BlockPublicAcls (boolean) --
Indicates if S3 Block Public Access is set to BlockPublicAcls.
BlockPublicPolicy (boolean) --
Indicates if S3 Block Public Access is set to BlockPublicPolicy.
AccountLevelPermissions (dict) --
Contains information about the account level permissions on the S3 bucket.
BlockPublicAccess (dict) --
Describes the S3 Block Public Access settings of the bucket's parent account.
IgnorePublicAcls (boolean) --
Indicates if S3 Block Public Access is set to IgnorePublicAcls.
RestrictPublicBuckets (boolean) --
Indicates if S3 Block Public Access is set to RestrictPublicBuckets.
BlockPublicAcls (boolean) --
Indicates if S3 Block Public Access is set to BlockPublicAcls.
BlockPublicPolicy (boolean) --
Indicates if S3 Block Public Access is set to BlockPublicPolicy.
EffectivePermission (string) --
Describes the effective permission on this bucket after factoring all attached policies.
InstanceDetails (dict) --
The information about the EC2 instance associated with the activity that prompted GuardDuty to generate a finding.
AvailabilityZone (string) --
The Availability Zone of the EC2 instance.
IamInstanceProfile (dict) --
The profile information of the EC2 instance.
Arn (string) --
The profile ARN of the EC2 instance.
Id (string) --
The profile ID of the EC2 instance.
ImageDescription (string) --
The image description of the EC2 instance.
ImageId (string) --
The image ID of the EC2 instance.
InstanceId (string) --
The ID of the EC2 instance.
InstanceState (string) --
The state of the EC2 instance.
InstanceType (string) --
The type of the EC2 instance.
OutpostArn (string) --
The Amazon Resource Name (ARN) of the AWS Outpost. Only applicable to AWS Outposts instances.
LaunchTime (string) --
The launch time of the EC2 instance.
NetworkInterfaces (list) --
The elastic network interface information of the EC2 instance.
(dict) --
Contains information about the elastic network interface of the EC2 instance.
Ipv6Addresses (list) --
A list of IPv6 addresses for the EC2 instance.
(string) --
NetworkInterfaceId (string) --
The ID of the network interface.
PrivateDnsName (string) --
The private DNS name of the EC2 instance.
PrivateIpAddress (string) --
The private IP address of the EC2 instance.
PrivateIpAddresses (list) --
Other private IP address information of the EC2 instance.
(dict) --
Contains other private IP address information of the EC2 instance.
PrivateDnsName (string) --
The private DNS name of the EC2 instance.
PrivateIpAddress (string) --
The private IP address of the EC2 instance.
PublicDnsName (string) --
The public DNS name of the EC2 instance.
PublicIp (string) --
The public IP address of the EC2 instance.
SecurityGroups (list) --
The security groups associated with the EC2 instance.
(dict) --
Contains information about the security groups associated with the EC2 instance.
GroupId (string) --
The security group ID of the EC2 instance.
GroupName (string) --
The security group name of the EC2 instance.
SubnetId (string) --
The subnet ID of the EC2 instance.
VpcId (string) --
The VPC ID of the EC2 instance.
Platform (string) --
The platform of the EC2 instance.
ProductCodes (list) --
The product code of the EC2 instance.
(dict) --
Contains information about the product code for the EC2 instance.
Code (string) --
The product code information.
ProductType (string) --
The product code type.
Tags (list) --
The tags of the EC2 instance.
(dict) --
Contains information about a tag associated with the EC2 instance.
Key (string) --
The EC2 instance tag key.
Value (string) --
The EC2 instance tag value.
ResourceType (string) --
The type of AWS resource.
SchemaVersion (string) --
The version of the schema used for the finding.
Service (dict) --
Contains additional information about the generated finding.
Action (dict) --
Information about the activity that is described in a finding.
ActionType (string) --
The GuardDuty finding activity type.
AwsApiCallAction (dict) --
Information about the AWS_API_CALL action described in this finding.
Api (string) --
The AWS API name.
CallerType (string) --
The AWS API caller type.
DomainDetails (dict) --
The domain information for the AWS API call.
Domain (string) --
The domain information for the AWS API call.
ErrorCode (string) --
The error code of the failed AWS API action.
RemoteIpDetails (dict) --
The remote IP information of the connection that initiated the AWS API call.
City (dict) --
The city information of the remote IP address.
CityName (string) --
The city name of the remote IP address.
Country (dict) --
The country code of the remote IP address.
CountryCode (string) --
The country code of the remote IP address.
CountryName (string) --
The country name of the remote IP address.
GeoLocation (dict) --
The location information of the remote IP address.
Lat (float) --
The latitude information of the remote IP address.
Lon (float) --
The longitude information of the remote IP address.
IpAddressV4 (string) --
The IPv4 remote address of the connection.
Organization (dict) --
The ISP organization information of the remote IP address.
Asn (string) --
The Autonomous System Number (ASN) of the internet provider of the remote IP address.
AsnOrg (string) --
The organization that registered this ASN.
Isp (string) --
The ISP information for the internet provider.
Org (string) --
The name of the internet provider.
ServiceName (string) --
The AWS service name whose API was invoked.
DnsRequestAction (dict) --
Information about the DNS_REQUEST action described in this finding.
Domain (string) --
The domain information for the API request.
NetworkConnectionAction (dict) --
Information about the NETWORK_CONNECTION action described in this finding.
Blocked (boolean) --
Indicates whether EC2 blocked the network connection to your instance.
ConnectionDirection (string) --
The network connection direction.
LocalPortDetails (dict) --
The local port information of the connection.
Port (integer) --
The port number of the local connection.
PortName (string) --
The port name of the local connection.
Protocol (string) --
The network connection protocol.
LocalIpDetails (dict) --
The local IP information of the connection.
IpAddressV4 (string) --
The IPv4 local address of the connection.
RemoteIpDetails (dict) --
The remote IP information of the connection.
City (dict) --
The city information of the remote IP address.
CityName (string) --
The city name of the remote IP address.
Country (dict) --
The country code of the remote IP address.
CountryCode (string) --
The country code of the remote IP address.
CountryName (string) --
The country name of the remote IP address.
GeoLocation (dict) --
The location information of the remote IP address.
Lat (float) --
The latitude information of the remote IP address.
Lon (float) --
The longitude information of the remote IP address.
IpAddressV4 (string) --
The IPv4 remote address of the connection.
Organization (dict) --
The ISP organization information of the remote IP address.
Asn (string) --
The Autonomous System Number (ASN) of the internet provider of the remote IP address.
AsnOrg (string) --
The organization that registered this ASN.
Isp (string) --
The ISP information for the internet provider.
Org (string) --
The name of the internet provider.
RemotePortDetails (dict) --
The remote port information of the connection.
Port (integer) --
The port number of the remote connection.
PortName (string) --
The port name of the remote connection.
PortProbeAction (dict) --
Information about the PORT_PROBE action described in this finding.
Blocked (boolean) --
Indicates whether EC2 blocked the port probe to the instance, such as with an ACL.
PortProbeDetails (list) --
A list of objects related to port probe details.
(dict) --
Contains information about the port probe details.
LocalPortDetails (dict) --
The local port information of the connection.
Port (integer) --
The port number of the local connection.
PortName (string) --
The port name of the local connection.
LocalIpDetails (dict) --
The local IP information of the connection.
IpAddressV4 (string) --
The IPv4 local address of the connection.
RemoteIpDetails (dict) --
The remote IP information of the connection.
City (dict) --
The city information of the remote IP address.
CityName (string) --
The city name of the remote IP address.
Country (dict) --
The country code of the remote IP address.
CountryCode (string) --
The country code of the remote IP address.
CountryName (string) --
The country name of the remote IP address.
GeoLocation (dict) --
The location information of the remote IP address.
Lat (float) --
The latitude information of the remote IP address.
Lon (float) --
The longitude information of the remote IP address.
IpAddressV4 (string) --
The IPv4 remote address of the connection.
Organization (dict) --
The ISP organization information of the remote IP address.
Asn (string) --
The Autonomous System Number (ASN) of the internet provider of the remote IP address.
AsnOrg (string) --
The organization that registered this ASN.
Isp (string) --
The ISP information for the internet provider.
Org (string) --
The name of the internet provider.
Evidence (dict) --
An evidence object associated with the service.
ThreatIntelligenceDetails (list) --
A list of threat intelligence details related to the evidence.
(dict) --
An instance of a threat intelligence detail that constitutes evidence for the finding.
ThreatListName (string) --
The name of the threat intelligence list that triggered the finding.
ThreatNames (list) --
A list of names of the threats in the threat intelligence list that triggered the finding.
(string) --
Archived (boolean) --
Indicates whether this finding is archived.
Count (integer) --
The total count of the occurrences of this finding type.
DetectorId (string) --
The detector ID for the GuardDuty service.
EventFirstSeen (string) --
The first-seen timestamp of the activity that prompted GuardDuty to generate this finding.
EventLastSeen (string) --
The last-seen timestamp of the activity that prompted GuardDuty to generate this finding.
ResourceRole (string) --
The resource role information for this finding.
ServiceName (string) --
The name of the AWS service (GuardDuty) that generated a finding.
UserFeedback (string) --
Feedback that was submitted about the finding.
Severity (float) --
The severity of the finding.
Title (string) --
The title of the finding.
Type (string) --
The type of finding.
UpdatedAt (string) --
The time and date when the finding was last updated.
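The change recorded at the top of this page (ErrorCode inside AwsApiCallAction) is what lets a responder separate API calls that were denied from calls that went through. The script below is an added example, not boto3 or GuardDuty code: it batches get_findings with the request signature shown above, then groups AWS_API_CALL findings by ErrorCode so denied attempts and successful calls from the same caller are reported side by side. The sample findings, IDs, IPs and user names are constructed placeholders in the documented response shape; the client is any object exposing get_findings (a boto3 GuardDuty client in practice).

```python
from collections import defaultdict
from typing import Any, Dict, Iterable, List

# Constructed sample findings in the shape of this page's Response Syntax
# (IDs, IPs, user names are placeholders, not real GuardDuty output).
SAMPLE_FINDINGS: List[Dict[str, Any]] = [
    {"Id": "finding-0001", "Type": "Recon:IAMUser/MaliciousIPCaller", "Severity": 5.0,
     "Resource": {"AccessKeyDetails": {"UserName": "ci-deploy", "UserType": "IAMUser"}},
     "Service": {"Action": {"ActionType": "AWS_API_CALL", "AwsApiCallAction": {
         "Api": "ListBuckets", "ServiceName": "s3.amazonaws.com",
         "ErrorCode": "AccessDenied",  # the field this update adds: the call failed
         "RemoteIpDetails": {"IpAddressV4": "198.51.100.7"}}}}},
    {"Id": "finding-0002", "Type": "Recon:IAMUser/MaliciousIPCaller", "Severity": 5.0,
     "Resource": {"AccessKeyDetails": {"UserName": "ci-deploy", "UserType": "IAMUser"}},
     "Service": {"Action": {"ActionType": "AWS_API_CALL", "AwsApiCallAction": {
         "Api": "GetCallerIdentity", "ServiceName": "sts.amazonaws.com",
         "RemoteIpDetails": {"IpAddressV4": "198.51.100.7"}}}}},  # no ErrorCode: succeeded
    {"Id": "finding-0003", "Type": "Backdoor:EC2/C&CActivity.B!DNS", "Severity": 8.0,
     "Service": {"Action": {"ActionType": "DNS_REQUEST",
                            "DnsRequestAction": {"Domain": "example.invalid"}}}},
]


def fetch_findings(client: Any, detector_id: str,
                   finding_ids: List[str]) -> List[Dict[str, Any]]:
    """Retrieve full findings via get_findings(DetectorId=..., FindingIds=...).

    GetFindings accepts a bounded list of IDs per request, so IDs are sent in
    batches of 50 (assumed safe batch size) and the Findings lists concatenated.
    """
    findings: List[Dict[str, Any]] = []
    for start in range(0, len(finding_ids), 50):
        resp = client.get_findings(DetectorId=detector_id,
                                   FindingIds=finding_ids[start:start + 50])
        findings.extend(resp.get("Findings", []))
    return findings


def api_call_action(finding: Dict[str, Any]) -> Dict[str, Any]:
    """Return the AwsApiCallAction block, or {} if this is not an API-call finding."""
    action = finding.get("Service", {}).get("Action", {})
    if action.get("ActionType") != "AWS_API_CALL":
        return {}
    return action.get("AwsApiCallAction", {})


def summarize_failed_calls(findings: Iterable[Dict[str, Any]]) -> Dict[str, List[Dict[str, Any]]]:
    """Group AWS_API_CALL findings by ErrorCode.

    A finding with no ErrorCode describes a call that went through; it is kept
    under the key 'SUCCEEDED' rather than dropped, because a denied attempt and a
    later success from the same caller and IP are exactly what a responder wants
    to see together.
    """
    groups: Dict[str, List[Dict[str, Any]]] = defaultdict(list)
    for finding in findings:
        act = api_call_action(finding)
        if not act:
            continue  # DNS_REQUEST, NETWORK_CONNECTION, PORT_PROBE: out of scope here
        key = act.get("ErrorCode") or "SUCCEEDED"
        groups[key].append({
            "Id": finding.get("Id"),
            "Type": finding.get("Type"),
            "Api": act.get("Api"),
            "ServiceName": act.get("ServiceName"),
            "Caller": finding.get("Resource", {}).get("AccessKeyDetails", {}).get("UserName"),
            "RemoteIp": act.get("RemoteIpDetails", {}).get("IpAddressV4"),
            "Severity": finding.get("Severity"),
        })
    return dict(groups)


if __name__ == "__main__":
    # Offline demo on the constructed samples; with a real client call
    # fetch_findings(boto3.client("guardduty"), detector_id, finding_ids) first.
    for code, items in sorted(summarize_failed_calls(SAMPLE_FINDINGS).items()):
        print(f"{code}: {len(items)} finding(s)")
        for item in items:
            print(f"  {item['Id']} {item['Api']} by {item['Caller']} from {item['RemoteIp']}")
```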