2024/03/28 - Amazon GuardDuty - 9 updated api methods
Changes Add EC2 support for GuardDuty Runtime Monitoring auto management.
{'Features': {'AdditionalConfiguration': {'Name': {'EC2_AGENT_MANAGEMENT'}}}}
Creates a single GuardDuty detector. A detector is a resource that represents the GuardDuty service. To start using GuardDuty, you must create a detector in each Region where you enable the service. You can have only one detector per account per Region. All data sources are enabled in a new detector by default.
When you don't specify any features , with an exception to RUNTIME_MONITORING , all the optional features are enabled by default.
When you specify some of the features , any feature that is not specified in the API call gets enabled by default, with an exception to RUNTIME_MONITORING .
Specifying both EKS Runtime Monitoring (EKS_RUNTIME_MONITORING ) and Runtime Monitoring (RUNTIME_MONITORING ) will cause an error. You can add only one of these two features because Runtime Monitoring already includes the threat detection for Amazon EKS resources. For more information, see Runtime Monitoring .
There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints .
See also: AWS API Documentation
Request Syntax
client.create_detector( Enable=True|False, ClientToken='string', FindingPublishingFrequency='FIFTEEN_MINUTES'|'ONE_HOUR'|'SIX_HOURS', DataSources={ 'S3Logs': { 'Enable': True|False }, 'Kubernetes': { 'AuditLogs': { 'Enable': True|False } }, 'MalwareProtection': { 'ScanEc2InstanceWithFindings': { 'EbsVolumes': True|False } } }, Tags={ 'string': 'string' }, Features=[ { 'Name': 'S3_DATA_EVENTS'|'EKS_AUDIT_LOGS'|'EBS_MALWARE_PROTECTION'|'RDS_LOGIN_EVENTS'|'EKS_RUNTIME_MONITORING'|'LAMBDA_NETWORK_LOGS'|'RUNTIME_MONITORING', 'Status': 'ENABLED'|'DISABLED', 'AdditionalConfiguration': [ { 'Name': 'EKS_ADDON_MANAGEMENT'|'ECS_FARGATE_AGENT_MANAGEMENT'|'EC2_AGENT_MANAGEMENT', 'Status': 'ENABLED'|'DISABLED' }, ] }, ] )
boolean
[REQUIRED]
A Boolean value that specifies whether the detector is to be enabled.
string
The idempotency token for the create request.
This field is autopopulated if not provided.
string
A value that specifies how frequently updated findings are exported.
dict
Describes which data sources will be enabled for the detector.
There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints .
S3Logs (dict) --
Describes whether S3 data event logs are enabled as a data source.
Enable (boolean) -- [REQUIRED]
The status of S3 data event logs as a data source.
Kubernetes (dict) --
Describes whether any Kubernetes logs are enabled as data sources.
AuditLogs (dict) -- [REQUIRED]
The status of Kubernetes audit logs as a data source.
Enable (boolean) -- [REQUIRED]
The status of Kubernetes audit logs as a data source.
MalwareProtection (dict) --
Describes whether Malware Protection is enabled as a data source.
ScanEc2InstanceWithFindings (dict) --
Describes the configuration of Malware Protection for EC2 instances with findings.
EbsVolumes (boolean) --
Describes the configuration for scanning EBS volumes as data source.
dict
The tags to be added to a new detector resource.
(string) --
(string) --
list
A list of features that will be configured for the detector.
(dict) --
Contains information about a GuardDuty feature.
Specifying both EKS Runtime Monitoring (EKS_RUNTIME_MONITORING ) and Runtime Monitoring (RUNTIME_MONITORING ) will cause an error. You can add only one of these two features because Runtime Monitoring already includes the threat detection for Amazon EKS resources. For more information, see Runtime Monitoring .
Name (string) --
The name of the feature.
Status (string) --
The status of the feature.
AdditionalConfiguration (list) --
Additional configuration for a resource.
(dict) --
Information about the additional configuration for a feature in your GuardDuty account.
Name (string) --
Name of the additional configuration.
Status (string) --
Status of the additional configuration.
dict
Response Syntax
{ 'DetectorId': 'string', 'UnprocessedDataSources': { 'MalwareProtection': { 'ScanEc2InstanceWithFindings': { 'EbsVolumes': { 'Status': 'ENABLED'|'DISABLED', 'Reason': 'string' } }, 'ServiceRole': 'string' } } }
Response Structure
(dict) --
DetectorId (string) --
The unique ID of the created detector.
UnprocessedDataSources (dict) --
Specifies the data sources that couldn't be enabled when GuardDuty was enabled for the first time.
MalwareProtection (dict) --
An object that contains information on the status of all Malware Protection data sources.
ScanEc2InstanceWithFindings (dict) --
Describes the configuration of Malware Protection for EC2 instances with findings.
EbsVolumes (dict) --
Describes the configuration of scanning EBS volumes as a data source.
Status (string) --
Describes whether scanning EBS volumes is enabled as a data source.
Reason (string) --
Specifies the reason why scanning EBS volumes (Malware Protection) was not enabled as a data source.
ServiceRole (string) --
The GuardDuty Malware Protection service role.
{'Features': {'AdditionalConfiguration': {'Name': {'EC2_AGENT_MANAGEMENT'}}}}
Returns information about the account selected as the delegated administrator for GuardDuty.
There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints .
See also: AWS API Documentation
Request Syntax
client.describe_organization_configuration( DetectorId='string', MaxResults=123, NextToken='string' )
string
[REQUIRED]
The ID of the detector to retrieve information about the delegated administrator from.
integer
You can use this parameter to indicate the maximum number of items that you want in the response.
string
You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.
dict
Response Syntax
{ 'AutoEnable': True|False, 'MemberAccountLimitReached': True|False, 'DataSources': { 'S3Logs': { 'AutoEnable': True|False }, 'Kubernetes': { 'AuditLogs': { 'AutoEnable': True|False } }, 'MalwareProtection': { 'ScanEc2InstanceWithFindings': { 'EbsVolumes': { 'AutoEnable': True|False } } } }, 'Features': [ { 'Name': 'S3_DATA_EVENTS'|'EKS_AUDIT_LOGS'|'EBS_MALWARE_PROTECTION'|'RDS_LOGIN_EVENTS'|'EKS_RUNTIME_MONITORING'|'LAMBDA_NETWORK_LOGS'|'RUNTIME_MONITORING', 'AutoEnable': 'NEW'|'NONE'|'ALL', 'AdditionalConfiguration': [ { 'Name': 'EKS_ADDON_MANAGEMENT'|'ECS_FARGATE_AGENT_MANAGEMENT'|'EC2_AGENT_MANAGEMENT', 'AutoEnable': 'NEW'|'NONE'|'ALL' }, ] }, ], 'NextToken': 'string', 'AutoEnableOrganizationMembers': 'NEW'|'ALL'|'NONE' }
Response Structure
(dict) --
AutoEnable (boolean) --
Indicates whether GuardDuty is automatically enabled for accounts added to the organization.
Even though this is still supported, we recommend using AutoEnableOrganizationMembers to achieve the similar results.
MemberAccountLimitReached (boolean) --
Indicates whether the maximum number of allowed member accounts are already associated with the delegated administrator account for your organization.
DataSources (dict) --
Describes which data sources are enabled automatically for member accounts.
S3Logs (dict) --
Describes whether S3 data event logs are enabled as a data source.
AutoEnable (boolean) --
A value that describes whether S3 data event logs are automatically enabled for new members of the organization.
Kubernetes (dict) --
Describes the configuration of Kubernetes data sources.
AuditLogs (dict) --
The current configuration of Kubernetes audit logs as a data source for the organization.
AutoEnable (boolean) --
Whether Kubernetes audit logs data source should be auto-enabled for new members joining the organization.
MalwareProtection (dict) --
Describes the configuration of Malware Protection data source for an organization.
ScanEc2InstanceWithFindings (dict) --
Describes the configuration for scanning EC2 instances with findings for an organization.
EbsVolumes (dict) --
Describes the configuration for scanning EBS volumes for an organization.
AutoEnable (boolean) --
An object that contains the status of whether scanning EBS volumes should be auto-enabled for new members joining the organization.
Features (list) --
A list of features that are configured for this organization.
(dict) --
A list of features which will be configured for the organization.
Name (string) --
The name of the feature that is configured for the member accounts within the organization.
AutoEnable (string) --
Describes the status of the feature that is configured for the member accounts within the organization.
NEW : Indicates that when a new account joins the organization, they will have the feature enabled automatically.
ALL : Indicates that all accounts in the organization have the feature enabled automatically. This includes NEW accounts that join the organization and accounts that may have been suspended or removed from the organization in GuardDuty.
NONE : Indicates that the feature will not be automatically enabled for any account in the organization. In this case, each account will be managed individually by the administrator.
AdditionalConfiguration (list) --
The additional configuration that is configured for the member accounts within the organization.
(dict) --
A list of additional configuration which will be configured for the organization.
Name (string) --
The name of the additional configuration that is configured for the member accounts within the organization.
AutoEnable (string) --
Describes the status of the additional configuration that is configured for the member accounts within the organization. One of the following values is the status for the entire organization:
NEW : Indicates that when a new account joins the organization, they will have the additional configuration enabled automatically.
ALL : Indicates that all accounts in the organization have the additional configuration enabled automatically. This includes NEW accounts that join the organization and accounts that may have been suspended or removed from the organization in GuardDuty. It may take up to 24 hours to update the configuration for all the member accounts.
NONE : Indicates that the additional configuration will not be automatically enabled for any account in the organization. The administrator must manage the additional configuration for each account individually.
NextToken (string) --
The pagination parameter to be used on the next list operation to retrieve more items.
AutoEnableOrganizationMembers (string) --
Indicates the auto-enablement configuration of GuardDuty or any of the corresponding protection plans for the member accounts in the organization.
NEW : Indicates that when a new account joins the organization, they will have GuardDuty or any of the corresponding protection plans enabled automatically.
ALL : Indicates that all accounts in the organization have GuardDuty and any of the corresponding protection plans enabled automatically. This includes NEW accounts that join the organization and accounts that may have been suspended or removed from the organization in GuardDuty.
NONE : Indicates that GuardDuty or any of the corresponding protection plans will not be automatically enabled for any account in the organization. The administrator must manage GuardDuty for each account in the organization individually. When you update the auto-enable setting from ALL or NEW to NONE , this action doesn't disable the corresponding option for your existing accounts. This configuration will apply to the new accounts that join the organization. After you update the auto-enable settings, no new account will have the corresponding option as enabled.
{'Features': {'AdditionalConfiguration': {'Name': {'EC2_AGENT_MANAGEMENT'}}}}
Retrieves an Amazon GuardDuty detector specified by the detectorId.
There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints .
See also: AWS API Documentation
Request Syntax
client.get_detector( DetectorId='string' )
string
[REQUIRED]
The unique ID of the detector that you want to get.
dict
Response Syntax
{ 'CreatedAt': 'string', 'FindingPublishingFrequency': 'FIFTEEN_MINUTES'|'ONE_HOUR'|'SIX_HOURS', 'ServiceRole': 'string', 'Status': 'ENABLED'|'DISABLED', 'UpdatedAt': 'string', 'DataSources': { 'CloudTrail': { 'Status': 'ENABLED'|'DISABLED' }, 'DNSLogs': { 'Status': 'ENABLED'|'DISABLED' }, 'FlowLogs': { 'Status': 'ENABLED'|'DISABLED' }, 'S3Logs': { 'Status': 'ENABLED'|'DISABLED' }, 'Kubernetes': { 'AuditLogs': { 'Status': 'ENABLED'|'DISABLED' } }, 'MalwareProtection': { 'ScanEc2InstanceWithFindings': { 'EbsVolumes': { 'Status': 'ENABLED'|'DISABLED', 'Reason': 'string' } }, 'ServiceRole': 'string' } }, 'Tags': { 'string': 'string' }, 'Features': [ { 'Name': 'FLOW_LOGS'|'CLOUD_TRAIL'|'DNS_LOGS'|'S3_DATA_EVENTS'|'EKS_AUDIT_LOGS'|'EBS_MALWARE_PROTECTION'|'RDS_LOGIN_EVENTS'|'EKS_RUNTIME_MONITORING'|'LAMBDA_NETWORK_LOGS'|'RUNTIME_MONITORING', 'Status': 'ENABLED'|'DISABLED', 'UpdatedAt': datetime(2015, 1, 1), 'AdditionalConfiguration': [ { 'Name': 'EKS_ADDON_MANAGEMENT'|'ECS_FARGATE_AGENT_MANAGEMENT'|'EC2_AGENT_MANAGEMENT', 'Status': 'ENABLED'|'DISABLED', 'UpdatedAt': datetime(2015, 1, 1) }, ] }, ] }
Response Structure
(dict) --
CreatedAt (string) --
The timestamp of when the detector was created.
FindingPublishingFrequency (string) --
The publishing frequency of the finding.
ServiceRole (string) --
The GuardDuty service role.
Status (string) --
The detector status.
UpdatedAt (string) --
The last-updated timestamp for the detector.
DataSources (dict) --
Describes which data sources are enabled for the detector.
CloudTrail (dict) --
An object that contains information on the status of CloudTrail as a data source.
Status (string) --
Describes whether CloudTrail is enabled as a data source for the detector.
DNSLogs (dict) --
An object that contains information on the status of DNS logs as a data source.
Status (string) --
Denotes whether DNS logs is enabled as a data source.
FlowLogs (dict) --
An object that contains information on the status of VPC flow logs as a data source.
Status (string) --
Denotes whether VPC flow logs is enabled as a data source.
S3Logs (dict) --
An object that contains information on the status of S3 Data event logs as a data source.
Status (string) --
A value that describes whether S3 data event logs are automatically enabled for new members of the organization.
Kubernetes (dict) --
An object that contains information on the status of all Kubernetes data sources.
AuditLogs (dict) --
Describes whether Kubernetes audit logs are enabled as a data source.
Status (string) --
A value that describes whether Kubernetes audit logs are enabled as a data source.
MalwareProtection (dict) --
Describes the configuration of Malware Protection data sources.
ScanEc2InstanceWithFindings (dict) --
Describes the configuration of Malware Protection for EC2 instances with findings.
EbsVolumes (dict) --
Describes the configuration of scanning EBS volumes as a data source.
Status (string) --
Describes whether scanning EBS volumes is enabled as a data source.
Reason (string) --
Specifies the reason why scanning EBS volumes (Malware Protection) was not enabled as a data source.
ServiceRole (string) --
The GuardDuty Malware Protection service role.
Tags (dict) --
The tags of the detector resource.
(string) --
(string) --
Features (list) --
Describes the features that have been enabled for the detector.
(dict) --
Contains information about a GuardDuty feature.
Specifying both EKS Runtime Monitoring (EKS_RUNTIME_MONITORING ) and Runtime Monitoring (RUNTIME_MONITORING ) will cause an error. You can add only one of these two features because Runtime Monitoring already includes the threat detection for Amazon EKS resources. For more information, see Runtime Monitoring .
Name (string) --
Indicates the name of the feature that can be enabled for the detector.
Status (string) --
Indicates the status of the feature that is enabled for the detector.
UpdatedAt (datetime) --
The timestamp at which the feature object was updated.
AdditionalConfiguration (list) --
Additional configuration for a resource.
(dict) --
Information about the additional configuration.
Name (string) --
Name of the additional configuration.
Status (string) --
Status of the additional configuration.
UpdatedAt (datetime) --
The timestamp at which the additional configuration was last updated. This is in UTC format.
{'Findings': {'Service': {'Evidence': {'ThreatIntelligenceDetails': {'ThreatFileSha256': 'string'}}, 'RuntimeDetails': {'Context': {'CommandLineExample': 'string', 'ServiceName': 'string', 'ThreatFilePath': 'string', 'ToolCategory': 'string', 'ToolName': 'string'}}}}}
Describes Amazon GuardDuty findings specified by finding IDs.
See also: AWS API Documentation
Request Syntax
client.get_findings( DetectorId='string', FindingIds=[ 'string', ], SortCriteria={ 'AttributeName': 'string', 'OrderBy': 'ASC'|'DESC' } )
string
[REQUIRED]
The ID of the detector that specifies the GuardDuty service whose findings you want to retrieve.
list
[REQUIRED]
The IDs of the findings that you want to retrieve.
(string) --
dict
Represents the criteria used for sorting findings.
AttributeName (string) --
Represents the finding attribute, such as accountId , that sorts the findings.
OrderBy (string) --
The order by which the sorted findings are to be displayed.
dict
Response Syntax
{ 'Findings': [ { 'AccountId': 'string', 'Arn': 'string', 'Confidence': 123.0, 'CreatedAt': 'string', 'Description': 'string', 'Id': 'string', 'Partition': 'string', 'Region': 'string', 'Resource': { 'AccessKeyDetails': { 'AccessKeyId': 'string', 'PrincipalId': 'string', 'UserName': 'string', 'UserType': 'string' }, 'S3BucketDetails': [ { 'Arn': 'string', 'Name': 'string', 'Type': 'string', 'CreatedAt': datetime(2015, 1, 1), 'Owner': { 'Id': 'string' }, 'Tags': [ { 'Key': 'string', 'Value': 'string' }, ], 'DefaultServerSideEncryption': { 'EncryptionType': 'string', 'KmsMasterKeyArn': 'string' }, 'PublicAccess': { 'PermissionConfiguration': { 'BucketLevelPermissions': { 'AccessControlList': { 'AllowsPublicReadAccess': True|False, 'AllowsPublicWriteAccess': True|False }, 'BucketPolicy': { 'AllowsPublicReadAccess': True|False, 'AllowsPublicWriteAccess': True|False }, 'BlockPublicAccess': { 'IgnorePublicAcls': True|False, 'RestrictPublicBuckets': True|False, 'BlockPublicAcls': True|False, 'BlockPublicPolicy': True|False } }, 'AccountLevelPermissions': { 'BlockPublicAccess': { 'IgnorePublicAcls': True|False, 'RestrictPublicBuckets': True|False, 'BlockPublicAcls': True|False, 'BlockPublicPolicy': True|False } } }, 'EffectivePermission': 'string' } }, ], 'InstanceDetails': { 'AvailabilityZone': 'string', 'IamInstanceProfile': { 'Arn': 'string', 'Id': 'string' }, 'ImageDescription': 'string', 'ImageId': 'string', 'InstanceId': 'string', 'InstanceState': 'string', 'InstanceType': 'string', 'OutpostArn': 'string', 'LaunchTime': 'string', 'NetworkInterfaces': [ { 'Ipv6Addresses': [ 'string', ], 'NetworkInterfaceId': 'string', 'PrivateDnsName': 'string', 'PrivateIpAddress': 'string', 'PrivateIpAddresses': [ { 'PrivateDnsName': 'string', 'PrivateIpAddress': 'string' }, ], 'PublicDnsName': 'string', 'PublicIp': 'string', 'SecurityGroups': [ { 'GroupId': 'string', 'GroupName': 'string' }, ], 'SubnetId': 'string', 'VpcId': 'string' }, ], 'Platform': 'string', 'ProductCodes': [ { 'Code': 'string', 'ProductType': 'string' }, ], 'Tags': [ { 'Key': 'string', 'Value': 'string' }, ] }, 'EksClusterDetails': { 'Name': 'string', 'Arn': 'string', 'VpcId': 'string', 'Status': 'string', 'Tags': [ { 'Key': 'string', 'Value': 'string' }, ], 'CreatedAt': datetime(2015, 1, 1) }, 'KubernetesDetails': { 'KubernetesUserDetails': { 'Username': 'string', 'Uid': 'string', 'Groups': [ 'string', ], 'SessionName': [ 'string', ], 'ImpersonatedUser': { 'Username': 'string', 'Groups': [ 'string', ] } }, 'KubernetesWorkloadDetails': { 'Name': 'string', 'Type': 'string', 'Uid': 'string', 'Namespace': 'string', 'HostNetwork': True|False, 'Containers': [ { 'ContainerRuntime': 'string', 'Id': 'string', 'Name': 'string', 'Image': 'string', 'ImagePrefix': 'string', 'VolumeMounts': [ { 'Name': 'string', 'MountPath': 'string' }, ], 'SecurityContext': { 'Privileged': True|False, 'AllowPrivilegeEscalation': True|False } }, ], 'Volumes': [ { 'Name': 'string', 'HostPath': { 'Path': 'string' } }, ], 'ServiceAccountName': 'string', 'HostIPC': True|False, 'HostPID': True|False } }, 'ResourceType': 'string', 'EbsVolumeDetails': { 'ScannedVolumeDetails': [ { 'VolumeArn': 'string', 'VolumeType': 'string', 'DeviceName': 'string', 'VolumeSizeInGB': 123, 'EncryptionType': 'string', 'SnapshotArn': 'string', 'KmsKeyArn': 'string' }, ], 'SkippedVolumeDetails': [ { 'VolumeArn': 'string', 'VolumeType': 'string', 'DeviceName': 'string', 'VolumeSizeInGB': 123, 'EncryptionType': 'string', 'SnapshotArn': 'string', 'KmsKeyArn': 'string' }, ] }, 'EcsClusterDetails': { 'Name': 'string', 'Arn': 'string', 'Status': 'string', 'ActiveServicesCount': 123, 'RegisteredContainerInstancesCount': 123, 'RunningTasksCount': 123, 'Tags': [ { 'Key': 'string', 'Value': 'string' }, ], 'TaskDetails': { 'Arn': 'string', 'DefinitionArn': 'string', 'Version': 'string', 'TaskCreatedAt': datetime(2015, 1, 1), 'StartedAt': datetime(2015, 1, 1), 'StartedBy': 'string', 'Tags': [ { 'Key': 'string', 'Value': 'string' }, ], 'Volumes': [ { 'Name': 'string', 'HostPath': { 'Path': 'string' } }, ], 'Containers': [ { 'ContainerRuntime': 'string', 'Id': 'string', 'Name': 'string', 'Image': 'string', 'ImagePrefix': 'string', 'VolumeMounts': [ { 'Name': 'string', 'MountPath': 'string' }, ], 'SecurityContext': { 'Privileged': True|False, 'AllowPrivilegeEscalation': True|False } }, ], 'Group': 'string' } }, 'ContainerDetails': { 'ContainerRuntime': 'string', 'Id': 'string', 'Name': 'string', 'Image': 'string', 'ImagePrefix': 'string', 'VolumeMounts': [ { 'Name': 'string', 'MountPath': 'string' }, ], 'SecurityContext': { 'Privileged': True|False, 'AllowPrivilegeEscalation': True|False } }, 'RdsDbInstanceDetails': { 'DbInstanceIdentifier': 'string', 'Engine': 'string', 'EngineVersion': 'string', 'DbClusterIdentifier': 'string', 'DbInstanceArn': 'string', 'Tags': [ { 'Key': 'string', 'Value': 'string' }, ] }, 'RdsDbUserDetails': { 'User': 'string', 'Application': 'string', 'Database': 'string', 'Ssl': 'string', 'AuthMethod': 'string' }, 'LambdaDetails': { 'FunctionArn': 'string', 'FunctionName': 'string', 'Description': 'string', 'LastModifiedAt': datetime(2015, 1, 1), 'RevisionId': 'string', 'FunctionVersion': 'string', 'Role': 'string', 'VpcConfig': { 'SubnetIds': [ 'string', ], 'VpcId': 'string', 'SecurityGroups': [ { 'GroupId': 'string', 'GroupName': 'string' }, ] }, 'Tags': [ { 'Key': 'string', 'Value': 'string' }, ] } }, 'SchemaVersion': 'string', 'Service': { 'Action': { 'ActionType': 'string', 'AwsApiCallAction': { 'Api': 'string', 'CallerType': 'string', 'DomainDetails': { 'Domain': 'string' }, 'ErrorCode': 'string', 'UserAgent': 'string', 'RemoteIpDetails': { 'City': { 'CityName': 'string' }, 'Country': { 'CountryCode': 'string', 'CountryName': 'string' }, 'GeoLocation': { 'Lat': 123.0, 'Lon': 123.0 }, 'IpAddressV4': 'string', 'Organization': { 'Asn': 'string', 'AsnOrg': 'string', 'Isp': 'string', 'Org': 'string' } }, 'ServiceName': 'string', 'RemoteAccountDetails': { 'AccountId': 'string', 'Affiliated': True|False }, 'AffectedResources': { 'string': 'string' } }, 'DnsRequestAction': { 'Domain': 'string', 'Protocol': 'string', 'Blocked': True|False, 'DomainWithSuffix': 'string' }, 'NetworkConnectionAction': { 'Blocked': True|False, 'ConnectionDirection': 'string', 'LocalPortDetails': { 'Port': 123, 'PortName': 'string' }, 'Protocol': 'string', 'LocalIpDetails': { 'IpAddressV4': 'string' }, 'RemoteIpDetails': { 'City': { 'CityName': 'string' }, 'Country': { 'CountryCode': 'string', 'CountryName': 'string' }, 'GeoLocation': { 'Lat': 123.0, 'Lon': 123.0 }, 'IpAddressV4': 'string', 'Organization': { 'Asn': 'string', 'AsnOrg': 'string', 'Isp': 'string', 'Org': 'string' } }, 'RemotePortDetails': { 'Port': 123, 'PortName': 'string' } }, 'PortProbeAction': { 'Blocked': True|False, 'PortProbeDetails': [ { 'LocalPortDetails': { 'Port': 123, 'PortName': 'string' }, 'LocalIpDetails': { 'IpAddressV4': 'string' }, 'RemoteIpDetails': { 'City': { 'CityName': 'string' }, 'Country': { 'CountryCode': 'string', 'CountryName': 'string' }, 'GeoLocation': { 'Lat': 123.0, 'Lon': 123.0 }, 'IpAddressV4': 'string', 'Organization': { 'Asn': 'string', 'AsnOrg': 'string', 'Isp': 'string', 'Org': 'string' } } }, ] }, 'KubernetesApiCallAction': { 'RequestUri': 'string', 'Verb': 'string', 'SourceIps': [ 'string', ], 'UserAgent': 'string', 'RemoteIpDetails': { 'City': { 'CityName': 'string' }, 'Country': { 'CountryCode': 'string', 'CountryName': 'string' }, 'GeoLocation': { 'Lat': 123.0, 'Lon': 123.0 }, 'IpAddressV4': 'string', 'Organization': { 'Asn': 'string', 'AsnOrg': 'string', 'Isp': 'string', 'Org': 'string' } }, 'StatusCode': 123, 'Parameters': 'string', 'Resource': 'string', 'Subresource': 'string', 'Namespace': 'string', 'ResourceName': 'string' }, 'RdsLoginAttemptAction': { 'RemoteIpDetails': { 'City': { 'CityName': 'string' }, 'Country': { 'CountryCode': 'string', 'CountryName': 'string' }, 'GeoLocation': { 'Lat': 123.0, 'Lon': 123.0 }, 'IpAddressV4': 'string', 'Organization': { 'Asn': 'string', 'AsnOrg': 'string', 'Isp': 'string', 'Org': 'string' } }, 'LoginAttributes': [ { 'User': 'string', 'Application': 'string', 'FailedLoginAttempts': 123, 'SuccessfulLoginAttempts': 123 }, ] }, 'KubernetesPermissionCheckedDetails': { 'Verb': 'string', 'Resource': 'string', 'Namespace': 'string', 'Allowed': True|False }, 'KubernetesRoleBindingDetails': { 'Kind': 'string', 'Name': 'string', 'Uid': 'string', 'RoleRefName': 'string', 'RoleRefKind': 'string' }, 'KubernetesRoleDetails': { 'Kind': 'string', 'Name': 'string', 'Uid': 'string' } }, 'Evidence': { 'ThreatIntelligenceDetails': [ { 'ThreatListName': 'string', 'ThreatNames': [ 'string', ], 'ThreatFileSha256': 'string' }, ] }, 'Archived': True|False, 'Count': 123, 'DetectorId': 'string', 'EventFirstSeen': 'string', 'EventLastSeen': 'string', 'ResourceRole': 'string', 'ServiceName': 'string', 'UserFeedback': 'string', 'AdditionalInfo': { 'Value': 'string', 'Type': 'string' }, 'FeatureName': 'string', 'EbsVolumeScanDetails': { 'ScanId': 'string', 'ScanStartedAt': datetime(2015, 1, 1), 'ScanCompletedAt': datetime(2015, 1, 1), 'TriggerFindingId': 'string', 'Sources': [ 'string', ], 'ScanDetections': { 'ScannedItemCount': { 'TotalGb': 123, 'Files': 123, 'Volumes': 123 }, 'ThreatsDetectedItemCount': { 'Files': 123 }, 'HighestSeverityThreatDetails': { 'Severity': 'string', 'ThreatName': 'string', 'Count': 123 }, 'ThreatDetectedByName': { 'ItemCount': 123, 'UniqueThreatNameCount': 123, 'Shortened': True|False, 'ThreatNames': [ { 'Name': 'string', 'Severity': 'string', 'ItemCount': 123, 'FilePaths': [ { 'FilePath': 'string', 'VolumeArn': 'string', 'Hash': 'string', 'FileName': 'string' }, ] }, ] } }, 'ScanType': 'GUARDDUTY_INITIATED'|'ON_DEMAND' }, 'RuntimeDetails': { 'Process': { 'Name': 'string', 'ExecutablePath': 'string', 'ExecutableSha256': 'string', 'NamespacePid': 123, 'Pwd': 'string', 'Pid': 123, 'StartTime': datetime(2015, 1, 1), 'Uuid': 'string', 'ParentUuid': 'string', 'User': 'string', 'UserId': 123, 'Euid': 123, 'Lineage': [ { 'StartTime': datetime(2015, 1, 1), 'NamespacePid': 123, 'UserId': 123, 'Name': 'string', 'Pid': 123, 'Uuid': 'string', 'ExecutablePath': 'string', 'Euid': 123, 'ParentUuid': 'string' }, ] }, 'Context': { 'ModifyingProcess': { 'Name': 'string', 'ExecutablePath': 'string', 'ExecutableSha256': 'string', 'NamespacePid': 123, 'Pwd': 'string', 'Pid': 123, 'StartTime': datetime(2015, 1, 1), 'Uuid': 'string', 'ParentUuid': 'string', 'User': 'string', 'UserId': 123, 'Euid': 123, 'Lineage': [ { 'StartTime': datetime(2015, 1, 1), 'NamespacePid': 123, 'UserId': 123, 'Name': 'string', 'Pid': 123, 'Uuid': 'string', 'ExecutablePath': 'string', 'Euid': 123, 'ParentUuid': 'string' }, ] }, 'ModifiedAt': datetime(2015, 1, 1), 'ScriptPath': 'string', 'LibraryPath': 'string', 'LdPreloadValue': 'string', 'SocketPath': 'string', 'RuncBinaryPath': 'string', 'ReleaseAgentPath': 'string', 'MountSource': 'string', 'MountTarget': 'string', 'FileSystemType': 'string', 'Flags': [ 'string', ], 'ModuleName': 'string', 'ModuleFilePath': 'string', 'ModuleSha256': 'string', 'ShellHistoryFilePath': 'string', 'TargetProcess': { 'Name': 'string', 'ExecutablePath': 'string', 'ExecutableSha256': 'string', 'NamespacePid': 123, 'Pwd': 'string', 'Pid': 123, 'StartTime': datetime(2015, 1, 1), 'Uuid': 'string', 'ParentUuid': 'string', 'User': 'string', 'UserId': 123, 'Euid': 123, 'Lineage': [ { 'StartTime': datetime(2015, 1, 1), 'NamespacePid': 123, 'UserId': 123, 'Name': 'string', 'Pid': 123, 'Uuid': 'string', 'ExecutablePath': 'string', 'Euid': 123, 'ParentUuid': 'string' }, ] }, 'AddressFamily': 'string', 'IanaProtocolNumber': 123, 'MemoryRegions': [ 'string', ], 'ToolName': 'string', 'ToolCategory': 'string', 'ServiceName': 'string', 'CommandLineExample': 'string', 'ThreatFilePath': 'string' } }, 'Detection': { 'Anomaly': { 'Profiles': { 'string': { 'string': [ { 'ProfileType': 'FREQUENCY', 'ProfileSubtype': 'FREQUENT'|'INFREQUENT'|'UNSEEN'|'RARE', 'Observations': { 'Text': [ 'string', ] } }, ] } }, 'Unusual': { 'Behavior': { 'string': { 'string': { 'ProfileType': 'FREQUENCY', 'ProfileSubtype': 'FREQUENT'|'INFREQUENT'|'UNSEEN'|'RARE', 'Observations': { 'Text': [ 'string', ] } } } } } } } }, 'Severity': 123.0, 'Title': 'string', 'Type': 'string', 'UpdatedAt': 'string' }, ] }
Response Structure
(dict) --
Findings (list) --
A list of findings.
(dict) --
Contains information about the finding that is generated when abnormal or suspicious activity is detected.
AccountId (string) --
The ID of the account in which the finding was generated.
Arn (string) --
The ARN of the finding.
Confidence (float) --
The confidence score for the finding.
CreatedAt (string) --
The time and date when the finding was created.
Description (string) --
The description of the finding.
Id (string) --
The ID of the finding.
Partition (string) --
The partition associated with the finding.
Region (string) --
The Region where the finding was generated.
Resource (dict) --
Contains information about the Amazon Web Services resource associated with the activity that prompted GuardDuty to generate a finding.
AccessKeyDetails (dict) --
The IAM access key details (user information) of a user that engaged in the activity that prompted GuardDuty to generate a finding.
AccessKeyId (string) --
The access key ID of the user.
PrincipalId (string) --
The principal ID of the user.
UserName (string) --
The name of the user.
UserType (string) --
The type of the user.
S3BucketDetails (list) --
Contains information on the S3 bucket.
(dict) --
Contains information on the S3 bucket.
Arn (string) --
The Amazon Resource Name (ARN) of the S3 bucket.
Name (string) --
The name of the S3 bucket.
Type (string) --
Describes whether the bucket is a source or destination bucket.
CreatedAt (datetime) --
The date and time the bucket was created at.
Owner (dict) --
The owner of the S3 bucket.
Id (string) --
The canonical user ID of the bucket owner. For information about locating your canonical user ID see Finding Your Account Canonical User ID.
Tags (list) --
All tags attached to the S3 bucket
(dict) --
Contains information about a tag associated with the EC2 instance.
Key (string) --
The EC2 instance tag key.
Value (string) --
The EC2 instance tag value.
DefaultServerSideEncryption (dict) --
Describes the server side encryption method used in the S3 bucket.
EncryptionType (string) --
The type of encryption used for objects within the S3 bucket.
KmsMasterKeyArn (string) --
The Amazon Resource Name (ARN) of the KMS encryption key. Only available if the bucket EncryptionType is aws:kms .
PublicAccess (dict) --
Describes the public access policies that apply to the S3 bucket.
PermissionConfiguration (dict) --
Contains information about how permissions are configured for the S3 bucket.
BucketLevelPermissions (dict) --
Contains information about the bucket level permissions for the S3 bucket.
AccessControlList (dict) --
Contains information on how Access Control Policies are applied to the bucket.
AllowsPublicReadAccess (boolean) --
A value that indicates whether public read access for the bucket is enabled through an Access Control List (ACL).
AllowsPublicWriteAccess (boolean) --
A value that indicates whether public write access for the bucket is enabled through an Access Control List (ACL).
BucketPolicy (dict) --
Contains information on the bucket policies for the S3 bucket.
AllowsPublicReadAccess (boolean) --
A value that indicates whether public read access for the bucket is enabled through a bucket policy.
AllowsPublicWriteAccess (boolean) --
A value that indicates whether public write access for the bucket is enabled through a bucket policy.
BlockPublicAccess (dict) --
Contains information on which account level S3 Block Public Access settings are applied to the S3 bucket.
IgnorePublicAcls (boolean) --
Indicates if S3 Block Public Access is set to IgnorePublicAcls .
RestrictPublicBuckets (boolean) --
Indicates if S3 Block Public Access is set to RestrictPublicBuckets .
BlockPublicAcls (boolean) --
Indicates if S3 Block Public Access is set to BlockPublicAcls .
BlockPublicPolicy (boolean) --
Indicates if S3 Block Public Access is set to BlockPublicPolicy .
AccountLevelPermissions (dict) --
Contains information about the account level permissions on the S3 bucket.
BlockPublicAccess (dict) --
Describes the S3 Block Public Access settings of the bucket's parent account.
IgnorePublicAcls (boolean) --
Indicates if S3 Block Public Access is set to IgnorePublicAcls .
RestrictPublicBuckets (boolean) --
Indicates if S3 Block Public Access is set to RestrictPublicBuckets .
BlockPublicAcls (boolean) --
Indicates if S3 Block Public Access is set to BlockPublicAcls .
BlockPublicPolicy (boolean) --
Indicates if S3 Block Public Access is set to BlockPublicPolicy .
EffectivePermission (string) --
Describes the effective permission on this bucket after factoring all attached policies.
InstanceDetails (dict) --
The information about the EC2 instance associated with the activity that prompted GuardDuty to generate a finding.
AvailabilityZone (string) --
The Availability Zone of the EC2 instance.
IamInstanceProfile (dict) --
The profile information of the EC2 instance.
Arn (string) --
The profile ARN of the EC2 instance.
Id (string) --
The profile ID of the EC2 instance.
ImageDescription (string) --
The image description of the EC2 instance.
ImageId (string) --
The image ID of the EC2 instance.
InstanceId (string) --
The ID of the EC2 instance.
InstanceState (string) --
The state of the EC2 instance.
InstanceType (string) --
The type of the EC2 instance.
OutpostArn (string) --
The Amazon Resource Name (ARN) of the Amazon Web Services Outpost. Only applicable to Amazon Web Services Outposts instances.
LaunchTime (string) --
The launch time of the EC2 instance.
NetworkInterfaces (list) --
The elastic network interface information of the EC2 instance.
(dict) --
Contains information about the elastic network interface of the EC2 instance.
Ipv6Addresses (list) --
A list of IPv6 addresses for the EC2 instance.
(string) --
NetworkInterfaceId (string) --
The ID of the network interface.
PrivateDnsName (string) --
The private DNS name of the EC2 instance.
PrivateIpAddress (string) --
The private IP address of the EC2 instance.
PrivateIpAddresses (list) --
Other private IP address information of the EC2 instance.
(dict) --
Contains other private IP address information of the EC2 instance.
PrivateDnsName (string) --
The private DNS name of the EC2 instance.
PrivateIpAddress (string) --
The private IP address of the EC2 instance.
PublicDnsName (string) --
The public DNS name of the EC2 instance.
PublicIp (string) --
The public IP address of the EC2 instance.
SecurityGroups (list) --
The security groups associated with the EC2 instance.
(dict) --
Contains information about the security groups associated with the EC2 instance.
GroupId (string) --
The security group ID of the EC2 instance.
GroupName (string) --
The security group name of the EC2 instance.
SubnetId (string) --
The subnet ID of the EC2 instance.
VpcId (string) --
The VPC ID of the EC2 instance.
Platform (string) --
The platform of the EC2 instance.
ProductCodes (list) --
The product code of the EC2 instance.
(dict) --
Contains information about the product code for the EC2 instance.
Code (string) --
The product code information.
ProductType (string) --
The product code type.
Tags (list) --
The tags of the EC2 instance.
(dict) --
Contains information about a tag associated with the EC2 instance.
Key (string) --
The EC2 instance tag key.
Value (string) --
The EC2 instance tag value.
EksClusterDetails (dict) --
Details about the EKS cluster involved in a Kubernetes finding.
Name (string) --
EKS cluster name.
Arn (string) --
EKS cluster ARN.
VpcId (string) --
The VPC ID to which the EKS cluster is attached.
Status (string) --
The EKS cluster status.
Tags (list) --
The EKS cluster tags.
(dict) --
Contains information about a tag associated with the EC2 instance.
Key (string) --
The EC2 instance tag key.
Value (string) --
The EC2 instance tag value.
CreatedAt (datetime) --
The timestamp when the EKS cluster was created.
KubernetesDetails (dict) --
Details about the Kubernetes user and workload involved in a Kubernetes finding.
KubernetesUserDetails (dict) --
Details about the Kubernetes user involved in a Kubernetes finding.
Username (string) --
The username of the user who called the Kubernetes API.
Uid (string) --
The user ID of the user who called the Kubernetes API.
Groups (list) --
The groups that include the user who called the Kubernetes API.
(string) --
SessionName (list) --
Entity that assumes the IAM role when Kubernetes RBAC permissions are assigned to that role.
(string) --
ImpersonatedUser (dict) --
Information about the impersonated user.
Username (string) --
Information about the username that was being impersonated.
Groups (list) --
The group to which the user name belongs.
(string) --
KubernetesWorkloadDetails (dict) --
Details about the Kubernetes workload involved in a Kubernetes finding.
Name (string) --
Kubernetes workload name.
Type (string) --
Kubernetes workload type (e.g. Pod, Deployment, etc.).
Uid (string) --
Kubernetes workload ID.
Namespace (string) --
Kubernetes namespace that the workload is part of.
HostNetwork (boolean) --
Whether the hostNetwork flag is enabled for the pods included in the workload.
Containers (list) --
Containers running as part of the Kubernetes workload.
(dict) --
Details of a container.
ContainerRuntime (string) --
The container runtime (such as, Docker or containerd) used to run the container.
Id (string) --
Container ID.
Name (string) --
Container name.
Image (string) --
Container image.
ImagePrefix (string) --
Part of the image name before the last slash. For example, imagePrefix for public.ecr.aws/amazonlinux/amazonlinux:latest would be public.ecr.aws/amazonlinux. If the image name is relative and does not have a slash, this field is empty.
VolumeMounts (list) --
Container volume mounts.
(dict) --
Container volume mount.
Name (string) --
Volume mount name.
MountPath (string) --
Volume mount path.
SecurityContext (dict) --
Container security context.
Privileged (boolean) --
Whether the container is privileged.
AllowPrivilegeEscalation (boolean) --
Whether or not a container or a Kubernetes pod is allowed to gain more privileges than its parent process.
Volumes (list) --
Volumes used by the Kubernetes workload.
(dict) --
Volume used by the Kubernetes workload.
Name (string) --
Volume name.
HostPath (dict) --
Represents a pre-existing file or directory on the host machine that the volume maps to.
Path (string) --
Path of the file or directory on the host that the volume maps to.
ServiceAccountName (string) --
The service account name that is associated with a Kubernetes workload.
HostIPC (boolean) --
Whether the host IPC flag is enabled for the pods in the workload.
HostPID (boolean) --
Whether the host PID flag is enabled for the pods in the workload.
ResourceType (string) --
The type of Amazon Web Services resource.
EbsVolumeDetails (dict) --
Contains list of scanned and skipped EBS volumes with details.
ScannedVolumeDetails (list) --
List of EBS volumes that were scanned.
(dict) --
Contains EBS volume details.
VolumeArn (string) --
EBS volume Arn information.
VolumeType (string) --
The EBS volume type.
DeviceName (string) --
The device name for the EBS volume.
VolumeSizeInGB (integer) --
EBS volume size in GB.
EncryptionType (string) --
EBS volume encryption type.
SnapshotArn (string) --
Snapshot Arn of the EBS volume.
KmsKeyArn (string) --
KMS key Arn used to encrypt the EBS volume.
SkippedVolumeDetails (list) --
List of EBS volumes that were skipped from the malware scan.
(dict) --
Contains EBS volume details.
VolumeArn (string) --
EBS volume Arn information.
VolumeType (string) --
The EBS volume type.
DeviceName (string) --
The device name for the EBS volume.
VolumeSizeInGB (integer) --
EBS volume size in GB.
EncryptionType (string) --
EBS volume encryption type.
SnapshotArn (string) --
Snapshot Arn of the EBS volume.
KmsKeyArn (string) --
KMS key Arn used to encrypt the EBS volume.
EcsClusterDetails (dict) --
Contains information about the details of the ECS Cluster.
Name (string) --
The name of the ECS Cluster.
Arn (string) --
The Amazon Resource Name (ARN) that identifies the cluster.
Status (string) --
The status of the ECS cluster.
ActiveServicesCount (integer) --
The number of services that are running on the cluster in an ACTIVE state.
RegisteredContainerInstancesCount (integer) --
The number of container instances registered into the cluster.
RunningTasksCount (integer) --
The number of tasks in the cluster that are in the RUNNING state.
Tags (list) --
The tags of the ECS Cluster.
(dict) --
Contains information about a tag associated with the EC2 instance.
Key (string) --
The EC2 instance tag key.
Value (string) --
The EC2 instance tag value.
TaskDetails (dict) --
Contains information about the details of the ECS Task.
Arn (string) --
The Amazon Resource Name (ARN) of the task.
DefinitionArn (string) --
The ARN of the task definition that creates the task.
Version (string) --
The version counter for the task.
TaskCreatedAt (datetime) --
The Unix timestamp for the time when the task was created.
StartedAt (datetime) --
The Unix timestamp for the time when the task started.
StartedBy (string) --
Contains the tag specified when a task is started.
Tags (list) --
The tags of the ECS Task.
(dict) --
Contains information about a tag associated with the EC2 instance.
Key (string) --
The EC2 instance tag key.
Value (string) --
The EC2 instance tag value.
Volumes (list) --
The list of data volume definitions for the task.
(dict) --
Volume used by the Kubernetes workload.
Name (string) --
Volume name.
HostPath (dict) --
Represents a pre-existing file or directory on the host machine that the volume maps to.
Path (string) --
Path of the file or directory on the host that the volume maps to.
Containers (list) --
The containers that's associated with the task.
(dict) --
Details of a container.
ContainerRuntime (string) --
The container runtime (such as, Docker or containerd) used to run the container.
Id (string) --
Container ID.
Name (string) --
Container name.
Image (string) --
Container image.
ImagePrefix (string) --
Part of the image name before the last slash. For example, imagePrefix for public.ecr.aws/amazonlinux/amazonlinux:latest would be public.ecr.aws/amazonlinux. If the image name is relative and does not have a slash, this field is empty.
VolumeMounts (list) --
Container volume mounts.
(dict) --
Container volume mount.
Name (string) --
Volume mount name.
MountPath (string) --
Volume mount path.
SecurityContext (dict) --
Container security context.
Privileged (boolean) --
Whether the container is privileged.
AllowPrivilegeEscalation (boolean) --
Whether or not a container or a Kubernetes pod is allowed to gain more privileges than its parent process.
Group (string) --
The name of the task group that's associated with the task.
ContainerDetails (dict) --
Details of a container.
ContainerRuntime (string) --
The container runtime (such as, Docker or containerd) used to run the container.
Id (string) --
Container ID.
Name (string) --
Container name.
Image (string) --
Container image.
ImagePrefix (string) --
Part of the image name before the last slash. For example, imagePrefix for public.ecr.aws/amazonlinux/amazonlinux:latest would be public.ecr.aws/amazonlinux. If the image name is relative and does not have a slash, this field is empty.
VolumeMounts (list) --
Container volume mounts.
(dict) --
Container volume mount.
Name (string) --
Volume mount name.
MountPath (string) --
Volume mount path.
SecurityContext (dict) --
Container security context.
Privileged (boolean) --
Whether the container is privileged.
AllowPrivilegeEscalation (boolean) --
Whether or not a container or a Kubernetes pod is allowed to gain more privileges than its parent process.
RdsDbInstanceDetails (dict) --
Contains information about the database instance to which an anomalous login attempt was made.
DbInstanceIdentifier (string) --
The identifier associated to the database instance that was involved in the finding.
Engine (string) --
The database engine of the database instance involved in the finding.
EngineVersion (string) --
The version of the database engine that was involved in the finding.
DbClusterIdentifier (string) --
The identifier of the database cluster that contains the database instance ID involved in the finding.
DbInstanceArn (string) --
The Amazon Resource Name (ARN) that identifies the database instance involved in the finding.
Tags (list) --
Instance tag key-value pairs associated with the database instance ID.
(dict) --
Contains information about a tag associated with the EC2 instance.
Key (string) --
The EC2 instance tag key.
Value (string) --
The EC2 instance tag value.
RdsDbUserDetails (dict) --
Contains information about the user details through which anomalous login attempt was made.
User (string) --
The user name used in the anomalous login attempt.
Application (string) --
The application name used in the anomalous login attempt.
Database (string) --
The name of the database instance involved in the anomalous login attempt.
Ssl (string) --
The version of the Secure Socket Layer (SSL) used for the network.
AuthMethod (string) --
The authentication method used by the user involved in the finding.
LambdaDetails (dict) --
Contains information about the Lambda function that was involved in a finding.
FunctionArn (string) --
Amazon Resource Name (ARN) of the Lambda function.
FunctionName (string) --
Name of the Lambda function.
Description (string) --
Description of the Lambda function.
LastModifiedAt (datetime) --
The timestamp when the Lambda function was last modified. This field is in the UTC date string format (2023-03-22T19:37:20.168Z) .
RevisionId (string) --
The revision ID of the Lambda function version.
FunctionVersion (string) --
The version of the Lambda function.
Role (string) --
The execution role of the Lambda function.
VpcConfig (dict) --
Amazon Virtual Private Cloud configuration details associated with your Lambda function.
SubnetIds (list) --
The identifiers of the subnets that are associated with your Lambda function.
(string) --
VpcId (string) --
The identifier of the Amazon Virtual Private Cloud.
SecurityGroups (list) --
The identifier of the security group attached to the Lambda function.
(dict) --
Contains information about the security groups associated with the EC2 instance.
GroupId (string) --
The security group ID of the EC2 instance.
GroupName (string) --
The security group name of the EC2 instance.
Tags (list) --
A list of tags attached to this resource, listed in the format of key :value pair.
(dict) --
Contains information about a tag associated with the EC2 instance.
Key (string) --
The EC2 instance tag key.
Value (string) --
The EC2 instance tag value.
SchemaVersion (string) --
The version of the schema used for the finding.
Service (dict) --
Contains additional information about the generated finding.
Action (dict) --
Information about the activity that is described in a finding.
ActionType (string) --
The GuardDuty finding activity type.
AwsApiCallAction (dict) --
Information about the AWS_API_CALL action described in this finding.
Api (string) --
The Amazon Web Services API name.
CallerType (string) --
The Amazon Web Services API caller type.
DomainDetails (dict) --
The domain information for the Amazon Web Services API call.
Domain (string) --
The domain information for the Amazon Web Services API call.
ErrorCode (string) --
The error code of the failed Amazon Web Services API action.
UserAgent (string) --
The agent through which the API request was made.
RemoteIpDetails (dict) --
The remote IP information of the connection that initiated the Amazon Web Services API call.
City (dict) --
The city information of the remote IP address.
CityName (string) --
The city name of the remote IP address.
Country (dict) --
The country code of the remote IP address.
CountryCode (string) --
The country code of the remote IP address.
CountryName (string) --
The country name of the remote IP address.
GeoLocation (dict) --
The location information of the remote IP address.
Lat (float) --
The latitude information of the remote IP address.
Lon (float) --
The longitude information of the remote IP address.
IpAddressV4 (string) --
The IPv4 remote address of the connection.
Organization (dict) --
The ISP organization information of the remote IP address.
Asn (string) --
The Autonomous System Number (ASN) of the internet provider of the remote IP address.
AsnOrg (string) --
The organization that registered this ASN.
Isp (string) --
The ISP information for the internet provider.
Org (string) --
The name of the internet provider.
ServiceName (string) --
The Amazon Web Services service name whose API was invoked.
RemoteAccountDetails (dict) --
The details of the Amazon Web Services account that made the API call. This field appears if the call was made from outside your account.
AccountId (string) --
The Amazon Web Services account ID of the remote API caller.
Affiliated (boolean) --
Details on whether the Amazon Web Services account of the remote API caller is related to your GuardDuty environment. If this value is True the API caller is affiliated to your account in some way. If it is False the API caller is from outside your environment.
AffectedResources (dict) --
The details of the Amazon Web Services account that made the API call. This field identifies the resources that were affected by this API call.
(string) --
(string) --
DnsRequestAction (dict) --
Information about the DNS_REQUEST action described in this finding.
Domain (string) --
The domain information for the DNS query.
Protocol (string) --
The network connection protocol observed in the activity that prompted GuardDuty to generate the finding.
Blocked (boolean) --
Indicates whether the targeted port is blocked.
DomainWithSuffix (string) --
The second and top level domain involved in the activity that potentially prompted GuardDuty to generate this finding. For a list of top-level and second-level domains, see public suffix list .
NetworkConnectionAction (dict) --
Information about the NETWORK_CONNECTION action described in this finding.
Blocked (boolean) --
Indicates whether EC2 blocked the network connection to your instance.
ConnectionDirection (string) --
The network connection direction.
LocalPortDetails (dict) --
The local port information of the connection.
Port (integer) --
The port number of the local connection.
PortName (string) --
The port name of the local connection.
Protocol (string) --
The network connection protocol.
LocalIpDetails (dict) --
The local IP information of the connection.
IpAddressV4 (string) --
The IPv4 local address of the connection.
RemoteIpDetails (dict) --
The remote IP information of the connection.
City (dict) --
The city information of the remote IP address.
CityName (string) --
The city name of the remote IP address.
Country (dict) --
The country code of the remote IP address.
CountryCode (string) --
The country code of the remote IP address.
CountryName (string) --
The country name of the remote IP address.
GeoLocation (dict) --
The location information of the remote IP address.
Lat (float) --
The latitude information of the remote IP address.
Lon (float) --
The longitude information of the remote IP address.
IpAddressV4 (string) --
The IPv4 remote address of the connection.
Organization (dict) --
The ISP organization information of the remote IP address.
Asn (string) --
The Autonomous System Number (ASN) of the internet provider of the remote IP address.
AsnOrg (string) --
The organization that registered this ASN.
Isp (string) --
The ISP information for the internet provider.
Org (string) --
The name of the internet provider.
RemotePortDetails (dict) --
The remote port information of the connection.
Port (integer) --
The port number of the remote connection.
PortName (string) --
The port name of the remote connection.
PortProbeAction (dict) --
Information about the PORT_PROBE action described in this finding.
Blocked (boolean) --
Indicates whether EC2 blocked the port probe to the instance, such as with an ACL.
PortProbeDetails (list) --
A list of objects related to port probe details.
(dict) --
Contains information about the port probe details.
LocalPortDetails (dict) --
The local port information of the connection.
Port (integer) --
The port number of the local connection.
PortName (string) --
The port name of the local connection.
LocalIpDetails (dict) --
The local IP information of the connection.
IpAddressV4 (string) --
The IPv4 local address of the connection.
RemoteIpDetails (dict) --
The remote IP information of the connection.
City (dict) --
The city information of the remote IP address.
CityName (string) --
The city name of the remote IP address.
Country (dict) --
The country code of the remote IP address.
CountryCode (string) --
The country code of the remote IP address.
CountryName (string) --
The country name of the remote IP address.
GeoLocation (dict) --
The location information of the remote IP address.
Lat (float) --
The latitude information of the remote IP address.
Lon (float) --
The longitude information of the remote IP address.
IpAddressV4 (string) --
The IPv4 remote address of the connection.
Organization (dict) --
The ISP organization information of the remote IP address.
Asn (string) --
The Autonomous System Number (ASN) of the internet provider of the remote IP address.
AsnOrg (string) --
The organization that registered this ASN.
Isp (string) --
The ISP information for the internet provider.
Org (string) --
The name of the internet provider.
KubernetesApiCallAction (dict) --
Information about the Kubernetes API call action described in this finding.
RequestUri (string) --
The Kubernetes API request URI.
Verb (string) --
The Kubernetes API request HTTP verb.
SourceIps (list) --
The IP of the Kubernetes API caller and the IPs of any proxies or load balancers between the caller and the API endpoint.
(string) --
UserAgent (string) --
The user agent of the caller of the Kubernetes API.
RemoteIpDetails (dict) --
Contains information about the remote IP address of the connection.
City (dict) --
The city information of the remote IP address.
CityName (string) --
The city name of the remote IP address.
Country (dict) --
The country code of the remote IP address.
CountryCode (string) --
The country code of the remote IP address.
CountryName (string) --
The country name of the remote IP address.
GeoLocation (dict) --
The location information of the remote IP address.
Lat (float) --
The latitude information of the remote IP address.
Lon (float) --
The longitude information of the remote IP address.
IpAddressV4 (string) --
The IPv4 remote address of the connection.
Organization (dict) --
The ISP organization information of the remote IP address.
Asn (string) --
The Autonomous System Number (ASN) of the internet provider of the remote IP address.
AsnOrg (string) --
The organization that registered this ASN.
Isp (string) --
The ISP information for the internet provider.
Org (string) --
The name of the internet provider.
StatusCode (integer) --
The resulting HTTP response code of the Kubernetes API call action.
Parameters (string) --
Parameters related to the Kubernetes API call action.
Resource (string) --
The resource component in the Kubernetes API call action.
Subresource (string) --
The name of the sub-resource in the Kubernetes API call action.
Namespace (string) --
The name of the namespace where the Kubernetes API call action takes place.
ResourceName (string) --
The name of the resource in the Kubernetes API call action.
RdsLoginAttemptAction (dict) --
Information about RDS_LOGIN_ATTEMPT action described in this finding.
RemoteIpDetails (dict) --
Contains information about the remote IP address of the connection.
City (dict) --
The city information of the remote IP address.
CityName (string) --
The city name of the remote IP address.
Country (dict) --
The country code of the remote IP address.
CountryCode (string) --
The country code of the remote IP address.
CountryName (string) --
The country name of the remote IP address.
GeoLocation (dict) --
The location information of the remote IP address.
Lat (float) --
The latitude information of the remote IP address.
Lon (float) --
The longitude information of the remote IP address.
IpAddressV4 (string) --
The IPv4 remote address of the connection.
Organization (dict) --
The ISP organization information of the remote IP address.
Asn (string) --
The Autonomous System Number (ASN) of the internet provider of the remote IP address.
AsnOrg (string) --
The organization that registered this ASN.
Isp (string) --
The ISP information for the internet provider.
Org (string) --
The name of the internet provider.
LoginAttributes (list) --
Indicates the login attributes used in the login attempt.
(dict) --
Information about the login attempts.
User (string) --
Indicates the user name which attempted to log in.
Application (string) --
Indicates the application name used to attempt log in.
FailedLoginAttempts (integer) --
Represents the sum of failed (unsuccessful) login attempts made to establish a connection to the database instance.
SuccessfulLoginAttempts (integer) --
Represents the sum of successful connections (a correct combination of login attributes) made to the database instance by the actor.
KubernetesPermissionCheckedDetails (dict) --
Information whether the user has the permission to use a specific Kubernetes API.
Verb (string) --
The verb component of the Kubernetes API call. For example, when you check whether or not you have the permission to call the CreatePod API, the verb component will be Create .
Resource (string) --
The Kubernetes resource with which your Kubernetes API call will interact.
Namespace (string) --
The namespace where the Kubernetes API action will take place.
Allowed (boolean) --
Information whether the user has the permission to call the Kubernetes API.
KubernetesRoleBindingDetails (dict) --
Information about the role binding that grants the permission defined in a Kubernetes role.
Kind (string) --
The kind of the role. For role binding, this value will be RoleBinding .
Name (string) --
The name of the RoleBinding .
Uid (string) --
The unique identifier of the role binding.
RoleRefName (string) --
The name of the role being referenced. This must match the name of the Role or ClusterRole that you want to bind to.
RoleRefKind (string) --
The type of the role being referenced. This could be either Role or ClusterRole .
KubernetesRoleDetails (dict) --
Information about the Kubernetes role name and role type.
Kind (string) --
The kind of role. For this API, the value of kind will be Role .
Name (string) --
The name of the Kubernetes role.
Uid (string) --
The unique identifier of the Kubernetes role name.
Evidence (dict) --
An evidence object associated with the service.
ThreatIntelligenceDetails (list) --
A list of threat intelligence details related to the evidence.
(dict) --
An instance of a threat intelligence detail that constitutes evidence for the finding.
ThreatListName (string) --
The name of the threat intelligence list that triggered the finding.
ThreatNames (list) --
A list of names of the threats in the threat intelligence list that triggered the finding.
(string) --
ThreatFileSha256 (string) --
SHA256 of the file that generated the finding.
Archived (boolean) --
Indicates whether this finding is archived.
Count (integer) --
The total count of the occurrences of this finding type.
DetectorId (string) --
The detector ID for the GuardDuty service.
EventFirstSeen (string) --
The first-seen timestamp of the activity that prompted GuardDuty to generate this finding.
EventLastSeen (string) --
The last-seen timestamp of the activity that prompted GuardDuty to generate this finding.
ResourceRole (string) --
The resource role information for this finding.
ServiceName (string) --
The name of the Amazon Web Services service (GuardDuty) that generated a finding.
UserFeedback (string) --
Feedback that was submitted about the finding.
AdditionalInfo (dict) --
Contains additional information about the generated finding.
Value (string) --
This field specifies the value of the additional information.
Type (string) --
Describes the type of the additional information.
FeatureName (string) --
The name of the feature that generated a finding.
EbsVolumeScanDetails (dict) --
Returns details from the malware scan that created a finding.
ScanId (string) --
Unique Id of the malware scan that generated the finding.
ScanStartedAt (datetime) --
Returns the start date and time of the malware scan.
ScanCompletedAt (datetime) --
Returns the completion date and time of the malware scan.
TriggerFindingId (string) --
GuardDuty finding ID that triggered a malware scan.
Sources (list) --
Contains list of threat intelligence sources used to detect threats.
(string) --
ScanDetections (dict) --
Contains a complete view providing malware scan result details.
ScannedItemCount (dict) --
Total number of scanned files.
TotalGb (integer) --
Total GB of files scanned for malware.
Files (integer) --
Number of files scanned.
Volumes (integer) --
Total number of scanned volumes.
ThreatsDetectedItemCount (dict) --
Total number of infected files.
Files (integer) --
Total number of infected files.
HighestSeverityThreatDetails (dict) --
Details of the highest severity threat detected during malware scan and number of infected files.
Severity (string) --
Severity level of the highest severity threat detected.
ThreatName (string) --
Threat name of the highest severity threat detected as part of the malware scan.
Count (integer) --
Total number of infected files with the highest severity threat detected.
ThreatDetectedByName (dict) --
Contains details about identified threats organized by threat name.
ItemCount (integer) --
Total number of infected files identified.
UniqueThreatNameCount (integer) --
Total number of unique threats by name identified, as part of the malware scan.
Shortened (boolean) --
Flag to determine if the finding contains every single infected file-path and/or every threat.
ThreatNames (list) --
List of identified threats with details, organized by threat name.
(dict) --
Contains files infected with the given threat providing details of malware name and severity.
Name (string) --
The name of the identified threat.
Severity (string) --
Severity of threat identified as part of the malware scan.
ItemCount (integer) --
Total number of files infected with given threat.
FilePaths (list) --
List of infected files in EBS volume with details.
(dict) --
Contains details of infected file including name, file path and hash.
FilePath (string) --
The file path of the infected file.
VolumeArn (string) --
EBS volume Arn details of the infected file.
Hash (string) --
The hash value of the infected file.
FileName (string) --
File name of the infected file.
ScanType (string) --
Specifies the scan type that invoked the malware scan.
RuntimeDetails (dict) --
Information about the process and any required context values for a specific finding
Process (dict) --
Information about the observed process.
Name (string) --
The name of the process.
ExecutablePath (string) --
The absolute path of the process executable file.
ExecutableSha256 (string) --
The SHA256 hash of the process executable.
NamespacePid (integer) --
The ID of the child process.
Pwd (string) --
The present working directory of the process.
Pid (integer) --
The ID of the process.
StartTime (datetime) --
The time when the process started. This is in UTC format.
Uuid (string) --
The unique ID assigned to the process by GuardDuty.
ParentUuid (string) --
The unique ID of the parent process. This ID is assigned to the parent process by GuardDuty.
User (string) --
The user that executed the process.
UserId (integer) --
The unique ID of the user that executed the process.
Euid (integer) --
The effective user ID of the user that executed the process.
Lineage (list) --
Information about the process's lineage.
(dict) --
Information about the runtime process details.
StartTime (datetime) --
The time when the process started. This is in UTC format.
NamespacePid (integer) --
The process ID of the child process.
UserId (integer) --
The user ID of the user that executed the process.
Name (string) --
The name of the process.
Pid (integer) --
The ID of the process.
Uuid (string) --
The unique ID assigned to the process by GuardDuty.
ExecutablePath (string) --
The absolute path of the process executable file.
Euid (integer) --
The effective user ID that was used to execute the process.
ParentUuid (string) --
The unique ID of the parent process. This ID is assigned to the parent process by GuardDuty.
Context (dict) --
Additional information about the suspicious activity.
ModifyingProcess (dict) --
Information about the process that modified the current process. This is available for multiple finding types.
Name (string) --
The name of the process.
ExecutablePath (string) --
The absolute path of the process executable file.
ExecutableSha256 (string) --
The SHA256 hash of the process executable.
NamespacePid (integer) --
The ID of the child process.
Pwd (string) --
The present working directory of the process.
Pid (integer) --
The ID of the process.
StartTime (datetime) --
The time when the process started. This is in UTC format.
Uuid (string) --
The unique ID assigned to the process by GuardDuty.
ParentUuid (string) --
The unique ID of the parent process. This ID is assigned to the parent process by GuardDuty.
User (string) --
The user that executed the process.
UserId (integer) --
The unique ID of the user that executed the process.
Euid (integer) --
The effective user ID of the user that executed the process.
Lineage (list) --
Information about the process's lineage.
(dict) --
Information about the runtime process details.
StartTime (datetime) --
The time when the process started. This is in UTC format.
NamespacePid (integer) --
The process ID of the child process.
UserId (integer) --
The user ID of the user that executed the process.
Name (string) --
The name of the process.
Pid (integer) --
The ID of the process.
Uuid (string) --
The unique ID assigned to the process by GuardDuty.
ExecutablePath (string) --
The absolute path of the process executable file.
Euid (integer) --
The effective user ID that was used to execute the process.
ParentUuid (string) --
The unique ID of the parent process. This ID is assigned to the parent process by GuardDuty.
ModifiedAt (datetime) --
The timestamp at which the process modified the current process. The timestamp is in UTC date string format.
ScriptPath (string) --
The path to the script that was executed.
LibraryPath (string) --
The path to the new library that was loaded.
LdPreloadValue (string) --
The value of the LD_PRELOAD environment variable.
SocketPath (string) --
The path to the docket socket that was accessed.
RuncBinaryPath (string) --
The path to the leveraged runc implementation.
ReleaseAgentPath (string) --
The path in the container that modified the release agent file.
MountSource (string) --
The path on the host that is mounted by the container.
MountTarget (string) --
The path in the container that is mapped to the host directory.
FileSystemType (string) --
Represents the type of mounted fileSystem.
Flags (list) --
Represents options that control the behavior of a runtime operation or action. For example, a filesystem mount operation may contain a read-only flag.
(string) --
ModuleName (string) --
The name of the module loaded into the kernel.
ModuleFilePath (string) --
The path to the module loaded into the kernel.
ModuleSha256 (string) --
The SHA256 hash of the module.
ShellHistoryFilePath (string) --
The path to the modified shell history file.
TargetProcess (dict) --
Information about the process that had its memory overwritten by the current process.
Name (string) --
The name of the process.
ExecutablePath (string) --
The absolute path of the process executable file.
ExecutableSha256 (string) --
The SHA256 hash of the process executable.
NamespacePid (integer) --
The ID of the child process.
Pwd (string) --
The present working directory of the process.
Pid (integer) --
The ID of the process.
StartTime (datetime) --
The time when the process started. This is in UTC format.
Uuid (string) --
The unique ID assigned to the process by GuardDuty.
ParentUuid (string) --
The unique ID of the parent process. This ID is assigned to the parent process by GuardDuty.
User (string) --
The user that executed the process.
UserId (integer) --
The unique ID of the user that executed the process.
Euid (integer) --
The effective user ID of the user that executed the process.
Lineage (list) --
Information about the process's lineage.
(dict) --
Information about the runtime process details.
StartTime (datetime) --
The time when the process started. This is in UTC format.
NamespacePid (integer) --
The process ID of the child process.
UserId (integer) --
The user ID of the user that executed the process.
Name (string) --
The name of the process.
Pid (integer) --
The ID of the process.
Uuid (string) --
The unique ID assigned to the process by GuardDuty.
ExecutablePath (string) --
The absolute path of the process executable file.
Euid (integer) --
The effective user ID that was used to execute the process.
ParentUuid (string) --
The unique ID of the parent process. This ID is assigned to the parent process by GuardDuty.
AddressFamily (string) --
Represents the communication protocol associated with the address. For example, the address family AF_INET is used for IP version of 4 protocol.
IanaProtocolNumber (integer) --
Specifies a particular protocol within the address family. Usually there is a single protocol in address families. For example, the address family AF_INET only has the IP protocol.
MemoryRegions (list) --
Specifies the Region of a process's address space such as stack and heap.
(string) --
ToolName (string) --
Name of the potentially suspicious tool.
ToolCategory (string) --
Category that the tool belongs to. Some of the examples are Backdoor Tool, Pentest Tool, Network Scanner, and Network Sniffer.
ServiceName (string) --
Name of the security service that has been potentially disabled.
CommandLineExample (string) --
Example of the command line involved in the suspicious activity.
ThreatFilePath (string) --
The suspicious file path for which the threat intelligence details were found.
Detection (dict) --
Contains information about the detected unusual behavior.
Anomaly (dict) --
The details about the anomalous activity that caused GuardDuty to generate the finding.
Profiles (dict) --
Information about the types of profiles.
(string) --
(dict) --
(string) --
(list) --
(dict) --
Contains information about the unusual anomalies.
ProfileType (string) --
The type of behavior of the profile.
ProfileSubtype (string) --
The frequency of the anomaly.
Observations (dict) --
The recorded value.
Text (list) --
The text that was unusual.
(string) --
Unusual (dict) --
Information about the behavior of the anomalies.
Behavior (dict) --
The behavior of the anomalous activity that caused GuardDuty to generate the finding.
(string) --
(dict) --
(string) --
(dict) --
Contains information about the unusual anomalies.
ProfileType (string) --
The type of behavior of the profile.
ProfileSubtype (string) --
The frequency of the anomaly.
Observations (dict) --
The recorded value.
Text (list) --
The text that was unusual.
(string) --
Severity (float) --
The severity of the finding.
Title (string) --
The title of the finding.
Type (string) --
The type of finding.
UpdatedAt (string) --
The time and date when the finding was last updated.
{'MemberDataSourceConfigurations': {'Features': {'AdditionalConfiguration': {'Name': {'EC2_AGENT_MANAGEMENT'}}}}}
Describes which data sources are enabled for the member account's detector.
There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints .
See also: AWS API Documentation
Request Syntax
client.get_member_detectors( DetectorId='string', AccountIds=[ 'string', ] )
string
[REQUIRED]
The detector ID for the administrator account.
list
[REQUIRED]
The account ID of the member account.
(string) --
dict
Response Syntax
{ 'MemberDataSourceConfigurations': [ { 'AccountId': 'string', 'DataSources': { 'CloudTrail': { 'Status': 'ENABLED'|'DISABLED' }, 'DNSLogs': { 'Status': 'ENABLED'|'DISABLED' }, 'FlowLogs': { 'Status': 'ENABLED'|'DISABLED' }, 'S3Logs': { 'Status': 'ENABLED'|'DISABLED' }, 'Kubernetes': { 'AuditLogs': { 'Status': 'ENABLED'|'DISABLED' } }, 'MalwareProtection': { 'ScanEc2InstanceWithFindings': { 'EbsVolumes': { 'Status': 'ENABLED'|'DISABLED', 'Reason': 'string' } }, 'ServiceRole': 'string' } }, 'Features': [ { 'Name': 'S3_DATA_EVENTS'|'EKS_AUDIT_LOGS'|'EBS_MALWARE_PROTECTION'|'RDS_LOGIN_EVENTS'|'EKS_RUNTIME_MONITORING'|'LAMBDA_NETWORK_LOGS'|'RUNTIME_MONITORING', 'Status': 'ENABLED'|'DISABLED', 'UpdatedAt': datetime(2015, 1, 1), 'AdditionalConfiguration': [ { 'Name': 'EKS_ADDON_MANAGEMENT'|'ECS_FARGATE_AGENT_MANAGEMENT'|'EC2_AGENT_MANAGEMENT', 'Status': 'ENABLED'|'DISABLED', 'UpdatedAt': datetime(2015, 1, 1) }, ] }, ] }, ], 'UnprocessedAccounts': [ { 'AccountId': 'string', 'Result': 'string' }, ] }
Response Structure
(dict) --
MemberDataSourceConfigurations (list) --
An object that describes which data sources are enabled for a member account.
(dict) --
Contains information on which data sources are enabled for a member account.
AccountId (string) --
The account ID for the member account.
DataSources (dict) --
Contains information on the status of data sources for the account.
CloudTrail (dict) --
An object that contains information on the status of CloudTrail as a data source.
Status (string) --
Describes whether CloudTrail is enabled as a data source for the detector.
DNSLogs (dict) --
An object that contains information on the status of DNS logs as a data source.
Status (string) --
Denotes whether DNS logs is enabled as a data source.
FlowLogs (dict) --
An object that contains information on the status of VPC flow logs as a data source.
Status (string) --
Denotes whether VPC flow logs is enabled as a data source.
S3Logs (dict) --
An object that contains information on the status of S3 Data event logs as a data source.
Status (string) --
A value that describes whether S3 data event logs are automatically enabled for new members of the organization.
Kubernetes (dict) --
An object that contains information on the status of all Kubernetes data sources.
AuditLogs (dict) --
Describes whether Kubernetes audit logs are enabled as a data source.
Status (string) --
A value that describes whether Kubernetes audit logs are enabled as a data source.
MalwareProtection (dict) --
Describes the configuration of Malware Protection data sources.
ScanEc2InstanceWithFindings (dict) --
Describes the configuration of Malware Protection for EC2 instances with findings.
EbsVolumes (dict) --
Describes the configuration of scanning EBS volumes as a data source.
Status (string) --
Describes whether scanning EBS volumes is enabled as a data source.
Reason (string) --
Specifies the reason why scanning EBS volumes (Malware Protection) was not enabled as a data source.
ServiceRole (string) --
The GuardDuty Malware Protection service role.
Features (list) --
Contains information about the status of the features for the member account.
(dict) --
Contains information about the features for the member account.
Name (string) --
Indicates the name of the feature that is enabled for the detector.
Status (string) --
Indicates the status of the feature that is enabled for the detector.
UpdatedAt (datetime) --
The timestamp at which the feature object was updated.
AdditionalConfiguration (list) --
Indicates the additional configuration of the feature that is configured for the member account.
(dict) --
Information about the additional configuration for the member account.
Name (string) --
Indicates the name of the additional configuration that is set for the member account.
Status (string) --
Indicates the status of the additional configuration that is set for the member account.
UpdatedAt (datetime) --
The timestamp at which the additional configuration was set for the member account. This is in UTC format.
UnprocessedAccounts (list) --
A list of member account IDs that were unable to be processed along with an explanation for why they were not processed.
(dict) --
Contains information about the accounts that weren't processed.
AccountId (string) --
The Amazon Web Services account ID.
Result (string) --
A reason why the account hasn't been processed.
{'OrganizationDetails': {'OrganizationStatistics': {'CountByFeature': {'AdditionalConfiguration': {'Name': {'EC2_AGENT_MANAGEMENT'}}}}}}
Retrieves how many active member accounts have each feature enabled within GuardDuty. Only a delegated GuardDuty administrator of an organization can run this API.
When you create a new organization, it might take up to 24 hours to generate the statistics for the entire organization.
See also: AWS API Documentation
Request Syntax
client.get_organization_statistics()
dict
Response Syntax
{ 'OrganizationDetails': { 'UpdatedAt': datetime(2015, 1, 1), 'OrganizationStatistics': { 'TotalAccountsCount': 123, 'MemberAccountsCount': 123, 'ActiveAccountsCount': 123, 'EnabledAccountsCount': 123, 'CountByFeature': [ { 'Name': 'S3_DATA_EVENTS'|'EKS_AUDIT_LOGS'|'EBS_MALWARE_PROTECTION'|'RDS_LOGIN_EVENTS'|'EKS_RUNTIME_MONITORING'|'LAMBDA_NETWORK_LOGS'|'RUNTIME_MONITORING', 'EnabledAccountsCount': 123, 'AdditionalConfiguration': [ { 'Name': 'EKS_ADDON_MANAGEMENT'|'ECS_FARGATE_AGENT_MANAGEMENT'|'EC2_AGENT_MANAGEMENT', 'EnabledAccountsCount': 123 }, ] }, ] } } }
Response Structure
(dict) --
OrganizationDetails (dict) --
Information about the statistics report for your organization.
UpdatedAt (datetime) --
The timestamp at which the organization statistics was last updated. This is in UTC format.
OrganizationStatistics (dict) --
Information about the GuardDuty coverage statistics for members in your Amazon Web Services organization.
TotalAccountsCount (integer) --
Total number of accounts in your Amazon Web Services organization.
MemberAccountsCount (integer) --
Total number of accounts in your Amazon Web Services organization that are associated with GuardDuty.
ActiveAccountsCount (integer) --
Total number of active accounts in your Amazon Web Services organization that are associated with GuardDuty.
EnabledAccountsCount (integer) --
Total number of accounts that have enabled GuardDuty.
CountByFeature (list) --
Retrieves the coverage statistics for each feature.
(dict) --
Information about the number of accounts that have enabled a specific feature.
Name (string) --
Name of the feature.
EnabledAccountsCount (integer) --
Total number of accounts that have enabled a specific feature.
AdditionalConfiguration (list) --
Name of the additional configuration.
(dict) --
Information about the coverage statistic for the additional configuration of the feature.
Name (string) --
Name of the additional configuration within a feature.
EnabledAccountsCount (integer) --
Total number of accounts that have enabled the additional configuration.
{'Features': {'AdditionalConfiguration': {'Name': {'EC2_AGENT_MANAGEMENT'}}}}
Updates the GuardDuty detector specified by the detector ID.
Specifying both EKS Runtime Monitoring (EKS_RUNTIME_MONITORING ) and Runtime Monitoring (RUNTIME_MONITORING ) will cause an error. You can add only one of these two features because Runtime Monitoring already includes the threat detection for Amazon EKS resources. For more information, see Runtime Monitoring .
There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints .
See also: AWS API Documentation
Request Syntax
client.update_detector( DetectorId='string', Enable=True|False, FindingPublishingFrequency='FIFTEEN_MINUTES'|'ONE_HOUR'|'SIX_HOURS', DataSources={ 'S3Logs': { 'Enable': True|False }, 'Kubernetes': { 'AuditLogs': { 'Enable': True|False } }, 'MalwareProtection': { 'ScanEc2InstanceWithFindings': { 'EbsVolumes': True|False } } }, Features=[ { 'Name': 'S3_DATA_EVENTS'|'EKS_AUDIT_LOGS'|'EBS_MALWARE_PROTECTION'|'RDS_LOGIN_EVENTS'|'EKS_RUNTIME_MONITORING'|'LAMBDA_NETWORK_LOGS'|'RUNTIME_MONITORING', 'Status': 'ENABLED'|'DISABLED', 'AdditionalConfiguration': [ { 'Name': 'EKS_ADDON_MANAGEMENT'|'ECS_FARGATE_AGENT_MANAGEMENT'|'EC2_AGENT_MANAGEMENT', 'Status': 'ENABLED'|'DISABLED' }, ] }, ] )
string
[REQUIRED]
The unique ID of the detector to update.
boolean
Specifies whether the detector is enabled or not enabled.
string
An enum value that specifies how frequently findings are exported, such as to CloudWatch Events.
dict
Describes which data sources will be updated.
There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints .
S3Logs (dict) --
Describes whether S3 data event logs are enabled as a data source.
Enable (boolean) -- [REQUIRED]
The status of S3 data event logs as a data source.
Kubernetes (dict) --
Describes whether any Kubernetes logs are enabled as data sources.
AuditLogs (dict) -- [REQUIRED]
The status of Kubernetes audit logs as a data source.
Enable (boolean) -- [REQUIRED]
The status of Kubernetes audit logs as a data source.
MalwareProtection (dict) --
Describes whether Malware Protection is enabled as a data source.
ScanEc2InstanceWithFindings (dict) --
Describes the configuration of Malware Protection for EC2 instances with findings.
EbsVolumes (boolean) --
Describes the configuration for scanning EBS volumes as data source.
list
Provides the features that will be updated for the detector.
(dict) --
Contains information about a GuardDuty feature.
Specifying both EKS Runtime Monitoring (EKS_RUNTIME_MONITORING ) and Runtime Monitoring (RUNTIME_MONITORING ) will cause an error. You can add only one of these two features because Runtime Monitoring already includes the threat detection for Amazon EKS resources. For more information, see Runtime Monitoring .
Name (string) --
The name of the feature.
Status (string) --
The status of the feature.
AdditionalConfiguration (list) --
Additional configuration for a resource.
(dict) --
Information about the additional configuration for a feature in your GuardDuty account.
Name (string) --
Name of the additional configuration.
Status (string) --
Status of the additional configuration.
dict
Response Syntax
{}
Response Structure
(dict) --
{'Features': {'AdditionalConfiguration': {'Name': {'EC2_AGENT_MANAGEMENT'}}}}
Contains information on member accounts to be updated.
Specifying both EKS Runtime Monitoring (EKS_RUNTIME_MONITORING ) and Runtime Monitoring (RUNTIME_MONITORING ) will cause an error. You can add only one of these two features because Runtime Monitoring already includes the threat detection for Amazon EKS resources. For more information, see Runtime Monitoring .
There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints .
See also: AWS API Documentation
Request Syntax
client.update_member_detectors( DetectorId='string', AccountIds=[ 'string', ], DataSources={ 'S3Logs': { 'Enable': True|False }, 'Kubernetes': { 'AuditLogs': { 'Enable': True|False } }, 'MalwareProtection': { 'ScanEc2InstanceWithFindings': { 'EbsVolumes': True|False } } }, Features=[ { 'Name': 'S3_DATA_EVENTS'|'EKS_AUDIT_LOGS'|'EBS_MALWARE_PROTECTION'|'RDS_LOGIN_EVENTS'|'EKS_RUNTIME_MONITORING'|'LAMBDA_NETWORK_LOGS'|'RUNTIME_MONITORING', 'Status': 'ENABLED'|'DISABLED', 'AdditionalConfiguration': [ { 'Name': 'EKS_ADDON_MANAGEMENT'|'ECS_FARGATE_AGENT_MANAGEMENT'|'EC2_AGENT_MANAGEMENT', 'Status': 'ENABLED'|'DISABLED' }, ] }, ] )
string
[REQUIRED]
The detector ID of the administrator account.
list
[REQUIRED]
A list of member account IDs to be updated.
(string) --
dict
Describes which data sources will be updated.
S3Logs (dict) --
Describes whether S3 data event logs are enabled as a data source.
Enable (boolean) -- [REQUIRED]
The status of S3 data event logs as a data source.
Kubernetes (dict) --
Describes whether any Kubernetes logs are enabled as data sources.
AuditLogs (dict) -- [REQUIRED]
The status of Kubernetes audit logs as a data source.
Enable (boolean) -- [REQUIRED]
The status of Kubernetes audit logs as a data source.
MalwareProtection (dict) --
Describes whether Malware Protection is enabled as a data source.
ScanEc2InstanceWithFindings (dict) --
Describes the configuration of Malware Protection for EC2 instances with findings.
EbsVolumes (boolean) --
Describes the configuration for scanning EBS volumes as data source.
list
A list of features that will be updated for the specified member accounts.
(dict) --
Contains information about the features for the member account.
Name (string) --
The name of the feature.
Status (string) --
The status of the feature.
AdditionalConfiguration (list) --
Additional configuration of the feature for the member account.
(dict) --
Information about the additional configuration for the member account.
Name (string) --
Name of the additional configuration.
Status (string) --
Status of the additional configuration.
dict
Response Syntax
{ 'UnprocessedAccounts': [ { 'AccountId': 'string', 'Result': 'string' }, ] }
Response Structure
(dict) --
UnprocessedAccounts (list) --
A list of member account IDs that were unable to be processed along with an explanation for why they were not processed.
(dict) --
Contains information about the accounts that weren't processed.
AccountId (string) --
The Amazon Web Services account ID.
Result (string) --
A reason why the account hasn't been processed.
{'Features': {'AdditionalConfiguration': {'Name': {'EC2_AGENT_MANAGEMENT'}}}}
Configures the delegated administrator account with the provided values. You must provide a value for either autoEnableOrganizationMembers or autoEnable , but not both.
Specifying both EKS Runtime Monitoring (EKS_RUNTIME_MONITORING ) and Runtime Monitoring (RUNTIME_MONITORING ) will cause an error. You can add only one of these two features because Runtime Monitoring already includes the threat detection for Amazon EKS resources. For more information, see Runtime Monitoring .
There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints .
See also: AWS API Documentation
Request Syntax
client.update_organization_configuration( DetectorId='string', AutoEnable=True|False, DataSources={ 'S3Logs': { 'AutoEnable': True|False }, 'Kubernetes': { 'AuditLogs': { 'AutoEnable': True|False } }, 'MalwareProtection': { 'ScanEc2InstanceWithFindings': { 'EbsVolumes': { 'AutoEnable': True|False } } } }, Features=[ { 'Name': 'S3_DATA_EVENTS'|'EKS_AUDIT_LOGS'|'EBS_MALWARE_PROTECTION'|'RDS_LOGIN_EVENTS'|'EKS_RUNTIME_MONITORING'|'LAMBDA_NETWORK_LOGS'|'RUNTIME_MONITORING', 'AutoEnable': 'NEW'|'NONE'|'ALL', 'AdditionalConfiguration': [ { 'Name': 'EKS_ADDON_MANAGEMENT'|'ECS_FARGATE_AGENT_MANAGEMENT'|'EC2_AGENT_MANAGEMENT', 'AutoEnable': 'NEW'|'NONE'|'ALL' }, ] }, ], AutoEnableOrganizationMembers='NEW'|'ALL'|'NONE' )
string
[REQUIRED]
The ID of the detector that configures the delegated administrator.
boolean
Represents whether or not to automatically enable member accounts in the organization.
Even though this is still supported, we recommend using AutoEnableOrganizationMembers to achieve the similar results. You must provide a value for either autoEnableOrganizationMembers or autoEnable .
dict
Describes which data sources will be updated.
S3Logs (dict) --
Describes whether S3 data event logs are enabled for new members of the organization.
AutoEnable (boolean) -- [REQUIRED]
A value that contains information on whether S3 data event logs will be enabled automatically as a data source for the organization.
Kubernetes (dict) --
Describes the configuration of Kubernetes data sources for new members of the organization.
AuditLogs (dict) -- [REQUIRED]
Whether Kubernetes audit logs data source should be auto-enabled for new members joining the organization.
AutoEnable (boolean) -- [REQUIRED]
A value that contains information on whether Kubernetes audit logs should be enabled automatically as a data source for the organization.
MalwareProtection (dict) --
Describes the configuration of Malware Protection for new members of the organization.
ScanEc2InstanceWithFindings (dict) --
Whether Malware Protection for EC2 instances with findings should be auto-enabled for new members joining the organization.
EbsVolumes (dict) --
Whether scanning EBS volumes should be auto-enabled for new members joining the organization.
AutoEnable (boolean) --
Whether scanning EBS volumes should be auto-enabled for new members joining the organization.
list
A list of features that will be configured for the organization.
(dict) --
A list of features which will be configured for the organization.
Name (string) --
The name of the feature that will be configured for the organization.
AutoEnable (string) --
Describes the status of the feature that is configured for the member accounts within the organization. One of the following values is the status for the entire organization:
NEW : Indicates that when a new account joins the organization, they will have the feature enabled automatically.
ALL : Indicates that all accounts in the organization have the feature enabled automatically. This includes NEW accounts that join the organization and accounts that may have been suspended or removed from the organization in GuardDuty. It may take up to 24 hours to update the configuration for all the member accounts.
NONE : Indicates that the feature will not be automatically enabled for any account in the organization. The administrator must manage the feature for each account individually.
AdditionalConfiguration (list) --
The additional information that will be configured for the organization.
(dict) --
A list of additional configurations which will be configured for the organization.
Name (string) --
The name of the additional configuration that will be configured for the organization.
AutoEnable (string) --
The status of the additional configuration that will be configured for the organization. Use one of the following values to configure the feature status for the entire organization:
NEW : Indicates that when a new account joins the organization, they will have the additional configuration enabled automatically.
ALL : Indicates that all accounts in the organization have the additional configuration enabled automatically. This includes NEW accounts that join the organization and accounts that may have been suspended or removed from the organization in GuardDuty. It may take up to 24 hours to update the configuration for all the member accounts.
NONE : Indicates that the additional configuration will not be automatically enabled for any account in the organization. The administrator must manage the additional configuration for each account individually.
string
Indicates the auto-enablement configuration of GuardDuty for the member accounts in the organization. You must provide a value for either autoEnableOrganizationMembers or autoEnable .
Use one of the following configuration values for autoEnableOrganizationMembers :
NEW : Indicates that when a new account joins the organization, they will have GuardDuty enabled automatically.
ALL : Indicates that all accounts in the organization have GuardDuty enabled automatically. This includes NEW accounts that join the organization and accounts that may have been suspended or removed from the organization in GuardDuty. It may take up to 24 hours to update the configuration for all the member accounts.
NONE : Indicates that GuardDuty will not be automatically enabled for any account in the organization. The administrator must manage GuardDuty for each account in the organization individually. When you update the auto-enable setting from ALL or NEW to NONE , this action doesn't disable the corresponding option for your existing accounts. This configuration will apply to the new accounts that join the organization. After you update the auto-enable settings, no new account will have the corresponding option as enabled.
dict
Response Syntax
{}
Response Structure
(dict) --