2019/06/13 - Amazon GuardDuty - 3 new 8 updated api methods
Changes: Support for tagging functionality in Create and Get operations for Detector, IP Set, Threat Intel Set, and Finding Filter resources, and 3 new tagging APIs: ListTagsForResource, TagResource, and UntagResource.
UntagResource (new)

Removes tags from a resource.
See also: AWS API Documentation
Request Syntax
client.untag_resource( ResourceArn='string', TagKeys=[ 'string', ] )
Parameters
ResourceArn (string) --
[REQUIRED]
The Amazon Resource Name (ARN) of the GuardDuty resource.
TagKeys (list) --
[REQUIRED]
The tag keys to remove from the resource.
(string) --
Return type
dict
Response Syntax
{}
Response Structure
(dict) --
ListTagsForResource (new)

Lists tags for a resource. Tagging is currently supported for detectors, finding filters, IP sets, and threat intel sets, with a limit of 50 tags per resource. When invoked, this operation returns all tags assigned to the given resource.
See also: AWS API Documentation
Request Syntax
client.list_tags_for_resource( ResourceArn='string' )
Parameters
ResourceArn (string) --
[REQUIRED]
The Amazon Resource Name (ARN) of the GuardDuty resource.
Return type
dict
Response Syntax
{ 'Tags': { 'string': 'string' } }
Response Structure
(dict) --
Tags (dict) --
(string) --
(string) --
TagResource (new)

Adds tags to a resource.
See also: AWS API Documentation
Request Syntax
client.tag_resource( ResourceArn='string', Tags={ 'string': 'string' } )
Parameters
ResourceArn (string) --
[REQUIRED]
The Amazon Resource Name (ARN) of the GuardDuty resource.
Tags (dict) --
[REQUIRED]
The tags to be added to the resource.
(string) --
(string) --
Return type
dict
Response Syntax
{}
Response Structure
(dict) --
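The three tagging calls above are most useful together: list what a resource carries, remove the keys you manage that are no longer wanted, then add or overwrite the rest, staying under the 50-tag limit. The following is an added example, not code from the boto3 changelog or the GuardDuty SDK. It takes any object exposing list_tags_for_resource, tag_resource and untag_resource; in real use that is boto3.client("guardduty"), while the FakeGuardDuty class, the detector ARN and the "sec:" prefix convention are constructed for this example so it runs offline.

```python
"""Reconcile a required tag set on a GuardDuty resource with the three tagging calls."""
from typing import Dict, List, Tuple

MAX_TAGS_PER_RESOURCE = 50  # limit stated in the ListTagsForResource documentation

# Constructed detector ARN; GuardDuty ARNs follow arn:aws:guardduty:<region>:<account>:detector/<id>
DETECTOR_ARN = "arn:aws:guardduty:us-east-1:123456789012:detector/12abc34d567e8fa901bc2d34e56789f0"


class FakeGuardDuty:
    """Constructed in-memory stand-in for boto3.client('guardduty'); only the tagging calls."""

    def __init__(self, tags_by_arn: Dict[str, Dict[str, str]]):
        self._tags = {arn: dict(t) for arn, t in tags_by_arn.items()}

    def list_tags_for_resource(self, ResourceArn: str) -> dict:
        return {"Tags": dict(self._tags.get(ResourceArn, {}))}

    def tag_resource(self, ResourceArn: str, Tags: Dict[str, str]) -> dict:
        current = self._tags.setdefault(ResourceArn, {})
        current.update(Tags)
        if len(current) > MAX_TAGS_PER_RESOURCE:  # the real client raises a botocore ClientError here
            raise ValueError("tag limit exceeded")
        return {}

    def untag_resource(self, ResourceArn: str, TagKeys: List[str]) -> dict:
        current = self._tags.setdefault(ResourceArn, {})
        for key in TagKeys:
            current.pop(key, None)
        return {}


def plan_tag_changes(current: Dict[str, str], desired: Dict[str, str],
                     managed_prefix: str = "sec:") -> Tuple[Dict[str, str], List[str]]:
    """Return (tags to set, keys to remove) so that the keys under managed_prefix
    equal `desired` exactly; tags outside the prefix (cost allocation etc.) are left alone."""
    to_set = {k: v for k, v in desired.items() if current.get(k) != v}
    to_remove = [k for k in current if k.startswith(managed_prefix) and k not in desired]
    return to_set, to_remove


def reconcile_tags(client, resource_arn: str, desired: Dict[str, str],
                   managed_prefix: str = "sec:") -> Dict[str, str]:
    """Apply plan_tag_changes through the API and return the resulting tag set."""
    current = client.list_tags_for_resource(ResourceArn=resource_arn)["Tags"]
    to_set, to_remove = plan_tag_changes(current, desired, managed_prefix)
    projected = len(current) - len(to_remove) + sum(1 for k in to_set if k not in current)
    if projected > MAX_TAGS_PER_RESOURCE:
        raise ValueError(f"{resource_arn}: {projected} tags would exceed the limit of {MAX_TAGS_PER_RESOURCE}")
    if to_remove:  # remove first so a resource already at the limit can still take the new keys
        client.untag_resource(ResourceArn=resource_arn, TagKeys=to_remove)
    if to_set:
        client.tag_resource(ResourceArn=resource_arn, Tags=to_set)
    return client.list_tags_for_resource(ResourceArn=resource_arn)["Tags"]


def demo() -> Dict[str, str]:
    """Constructed starting state: one stale managed tag, one outdated value, one foreign tag."""
    client = FakeGuardDuty({DETECTOR_ARN: {"sec:owner": "old-team", "sec:stale": "1", "CostCenter": "42"}})
    return reconcile_tags(client, DETECTOR_ARN, {"sec:owner": "detection-eng", "sec:ticket": "SEC-1234"})


if __name__ == "__main__":
    print(demo())
```

Only keys under the managed prefix are ever removed, so tags owned by other teams (billing, automation) survive the reconcile; the limit check runs before any call so a failed run leaves the resource untouched.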
CreateDetector (updated)
Changes (request): {'Tags': {'string': 'string'}}
Creates a single Amazon GuardDuty detector. A detector is an object that represents the GuardDuty service. A detector must be created in order for GuardDuty to become operational; GuardDuty allows one detector per account per region.
See also: AWS API Documentation
Request Syntax
client.create_detector( Enable=True|False, ClientToken='string', FindingPublishingFrequency='FIFTEEN_MINUTES'|'ONE_HOUR'|'SIX_HOURS', Tags={ 'string': 'string' } )
Parameters
Enable (boolean) --
[REQUIRED]
A boolean value that specifies whether the detector is to be enabled.
ClientToken (string) --
The idempotency token for the create request.
This field is autopopulated if not provided.
FindingPublishingFrequency (string) --
An enum value that specifies how frequently updates to existing findings are published.
Tags (dict) --
The tags to be added to the new detector resource.
(string) --
(string) --
Return type
dict
Response Syntax
{ 'DetectorId': 'string' }
Response Structure
(dict) --
DetectorId (string) --
The unique ID of the created detector.
CreateFilter (updated)
Changes (request): {'Tags': {'string': 'string'}}
Creates a filter using the specified finding criteria. With Action set to ARCHIVE, every finding that matches the criteria is archived automatically, so an over-broad criterion silently hides real activity; check the criteria against existing findings before enabling such a filter.
See also: AWS API Documentation
Request Syntax
client.create_filter( DetectorId='string', Name='string', Description='string', Action='NOOP'|'ARCHIVE', Rank=123, FindingCriteria={ 'Criterion': { 'string': { 'Eq': [ 'string', ], 'Neq': [ 'string', ], 'Gt': 123, 'Gte': 123, 'Lt': 123, 'Lte': 123, 'Equals': [ 'string', ], 'NotEquals': [ 'string', ], 'GreaterThan': 123, 'GreaterThanOrEqual': 123, 'LessThan': 123, 'LessThanOrEqual': 123 } } }, ClientToken='string', Tags={ 'string': 'string' } )
Parameters
DetectorId (string) --
[REQUIRED]
The unique ID of the detector of the GuardDuty account for which you want to create a filter.
Name (string) --
[REQUIRED]
The name of the filter.
Description (string) --
The description of the filter.
Action (string) --
Specifies the action that is to be applied to the findings that match the filter: NOOP leaves them as they are, ARCHIVE archives them automatically.
Rank (integer) --
Specifies the position of the filter in the list of current filters. Also specifies the order in which this filter is applied to the findings.
FindingCriteria (dict) --
[REQUIRED]
Represents the criteria to be used in the filter for querying findings.
Criterion (dict) --
Represents a map of finding properties that match specified conditions and values when querying findings.
(string) --
(dict) --
Eq (list) --
Represents the equal condition to be applied to a single field when querying for findings.
(string) --
Neq (list) --
Represents the not equal condition to be applied to a single field when querying for findings.
(string) --
Gt (integer) --
Represents a greater than condition to be applied to a single field when querying for findings.
Gte (integer) --
Represents a greater than equal condition to be applied to a single field when querying for findings.
Lt (integer) --
Represents a less than condition to be applied to a single field when querying for findings.
Lte (integer) --
Represents a less than equal condition to be applied to a single field when querying for findings.
Equals (list) --
Represents the equal condition to be applied to a single field when querying for findings.
(string) --
NotEquals (list) --
Represents the not equal condition to be applied to a single field when querying for findings.
(string) --
GreaterThan (integer) --
Represents a greater than condition to be applied to a single field when querying for findings.
GreaterThanOrEqual (integer) --
Represents a greater than equal condition to be applied to a single field when querying for findings.
LessThan (integer) --
Represents a less than condition to be applied to a single field when querying for findings.
LessThanOrEqual (integer) --
Represents a less than equal condition to be applied to a single field when querying for findings.
ClientToken (string) --
The idempotency token for the create request.
This field is autopopulated if not provided.
Tags (dict) --
The tags to be added to the new filter resource.
(string) --
(string) --
Return type
dict
Response Syntax
{ 'Name': 'string' }
Response Structure
(dict) --
Name (string) --
The name of the successfully created filter.
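Because an ARCHIVE filter acts on every future finding that matches, it pays to evaluate the FindingCriteria locally against real or representative findings first. The following is an added example, not code from the boto3 changelog or the GuardDuty SDK: it implements the filter semantics as documented for GuardDuty (every field in Criterion must match; Equals/NotEquals compare a finding value against a list of strings; the GreaterThan/LessThan family compares numerically; field names are dotted paths into the finding JSON, such as severity or service.action.networkConnectionAction.remoteIpDetails.ipAddressV4) and also accepts the older Eq/Neq/Gt/Gte/Lt/Lte spellings from the request syntax above. The suppression rule, the sample findings and the detector ID are constructed; the string coercion of numeric values for Equals is an assumption made here.

```python
"""Dry-run a GuardDuty FindingCriteria against finding JSON before creating an ARCHIVE filter."""
import operator
from typing import Any, Dict, List, Optional


def _lookup(finding: Dict[str, Any], dotted: str) -> Optional[Any]:
    """Follow a dotted path such as 'service.action.networkConnectionAction.remoteIpDetails.ipAddressV4'."""
    node: Any = finding
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


_NUMERIC_OPS = (
    (("GreaterThan", "Gt"), operator.gt),
    (("GreaterThanOrEqual", "Gte"), operator.ge),
    (("LessThan", "Lt"), operator.lt),
    (("LessThanOrEqual", "Lte"), operator.le),
)


def condition_matches(value: Any, cond: Dict[str, Any]) -> bool:
    """Evaluate one Condition (the per-field dict inside Criterion); both spellings accepted."""
    if value is None:
        return False  # a field the finding does not carry never matches
    values = [str(v) for v in (value if isinstance(value, list) else [value])]
    equals = cond.get("Equals", cond.get("Eq"))
    if equals is not None and not any(v in equals for v in values):
        return False
    not_equals = cond.get("NotEquals", cond.get("Neq"))
    if not_equals is not None and any(v in not_equals for v in values):
        return False
    for names, op in _NUMERIC_OPS:
        bound = next((cond[n] for n in names if n in cond), None)
        if bound is None:
            continue
        try:
            if not op(float(value), float(bound)):
                return False
        except (TypeError, ValueError):
            return False  # numeric comparison against a non-numeric field never matches
    return True


def finding_matches(finding: Dict[str, Any], finding_criteria: Dict[str, Any]) -> bool:
    """All entries of Criterion must hold (AND across fields)."""
    criterion = finding_criteria.get("Criterion", {})
    return all(condition_matches(_lookup(finding, field), cond) for field, cond in criterion.items())


def dry_run_filter(findings: List[Dict[str, Any]], finding_criteria: Dict[str, Any]) -> List[str]:
    """IDs of the findings the filter would act on (archive, with Action='ARCHIVE')."""
    return [f["id"] for f in findings if finding_matches(f, finding_criteria)]


def create_filter_request(detector_id: str, name: str, finding_criteria: Dict[str, Any],
                          rank: int = 1) -> Dict[str, Any]:
    """Keyword arguments for client.create_filter(**...) once the dry run looks right."""
    return {"DetectorId": detector_id, "Name": name,
            "Description": "auto-archive expected noise; reviewed via local dry run",
            "Action": "ARCHIVE", "Rank": rank, "FindingCriteria": finding_criteria,
            "Tags": {"sec:owner": "detection-eng"}}


# Constructed suppression rule: low-severity SSH brute-force findings caused by the authorized scanner only.
REMOTE_IP = "service.action.networkConnectionAction.remoteIpDetails.ipAddressV4"
SUPPRESS_AUTHORIZED_SCANNER = {"Criterion": {
    "type": {"Equals": ["UnauthorizedAccess:EC2/SSHBruteForce"]},
    REMOTE_IP: {"Equals": ["198.51.100.7"]},
    "severity": {"LessThan": 4},
}}


def _finding(fid: str, ftype: str, severity: float, remote_ip: Optional[str]) -> Dict[str, Any]:
    """Constructed finding carrying only the fields the filter reads."""
    f: Dict[str, Any] = {"id": fid, "type": ftype, "severity": severity, "service": {"action": {}}}
    if remote_ip is not None:
        f["service"]["action"]["networkConnectionAction"] = {"remoteIpDetails": {"ipAddressV4": remote_ip}}
    return f


SAMPLE_FINDINGS = [
    _finding("f-1", "UnauthorizedAccess:EC2/SSHBruteForce", 2, "198.51.100.7"),  # authorized scanner: archive
    _finding("f-2", "UnauthorizedAccess:EC2/SSHBruteForce", 2, "203.0.113.9"),   # unknown source: keep
    _finding("f-3", "Recon:EC2/Portscan", 5, "198.51.100.7"),                    # other finding type: keep
    _finding("f-4", "UnauthorizedAccess:EC2/SSHBruteForce", 2, None),            # no remote IP field: keep
]

if __name__ == "__main__":
    print(dry_run_filter(SAMPLE_FINDINGS, SUPPRESS_AUTHORIZED_SCANNER))
    print(create_filter_request("12abc34d567e8fa901bc2d34e56789f0", "authorized-scanner-ssh", SUPPRESS_AUTHORIZED_SCANNER))
```

Feed dry_run_filter the output of list_findings/get_findings for the last few weeks: if it returns anything beyond the noise you meant to suppress, the criterion is too broad. Note that a missing field never matches, so a rule keyed on a remote IP cannot accidentally archive findings that carry no network action at all.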
CreateIPSet (updated)
Changes (request): {'Tags': {'string': 'string'}}
Creates a new IPSet, a list of trusted IP addresses that have been whitelisted for secure communication with AWS infrastructure and applications. GuardDuty does not generate findings for IP addresses on a trusted IP list, so keep the list narrow and review it as carefully as any allow rule.
See also: AWS API Documentation
Request Syntax
client.create_ip_set( DetectorId='string', Name='string', Format='TXT'|'STIX'|'OTX_CSV'|'ALIEN_VAULT'|'PROOF_POINT'|'FIRE_EYE', Location='string', Activate=True|False, ClientToken='string', Tags={ 'string': 'string' } )
Parameters
DetectorId (string) --
[REQUIRED]
The unique ID of the detector of the GuardDuty account for which you want to create an IPSet.
Name (string) --
[REQUIRED]
The user-friendly name to identify the IPSet. This name is displayed in all findings that are triggered by activity that involves IP addresses included in this IPSet.
Format (string) --
[REQUIRED]
The format of the file that contains the IPSet.
Location (string) --
[REQUIRED]
The URI of the file that contains the IPSet, for example https://s3.us-west-2.amazonaws.com/my-bucket/my-object-key. GuardDuty must be able to read the object.
Activate (boolean) --
[REQUIRED]
A boolean value that indicates whether GuardDuty is to start using the uploaded IPSet.
ClientToken (string) --
The idempotency token for the create request.
This field is autopopulated if not provided.
Tags (dict) --
The tags to be added to the new IP set resource.
(string) --
(string) --
Return type
dict
Response Syntax
{ 'IpSetId': 'string' }
Response Structure
(dict) --
IpSetId (string) --
The ID of the IPSet resource.
CreateThreatIntelSet (updated)
Changes (request): {'Tags': {'string': 'string'}}
Creates a new ThreatIntelSet. ThreatIntelSets consist of known malicious IP addresses. GuardDuty generates findings based on ThreatIntelSets.
See also: AWS API Documentation
Request Syntax
client.create_threat_intel_set( DetectorId='string', Name='string', Format='TXT'|'STIX'|'OTX_CSV'|'ALIEN_VAULT'|'PROOF_POINT'|'FIRE_EYE', Location='string', Activate=True|False, ClientToken='string', Tags={ 'string': 'string' } )
Parameters
DetectorId (string) --
[REQUIRED]
The unique ID of the detector of the GuardDuty account for which you want to create a ThreatIntelSet.
Name (string) --
[REQUIRED]
A user-friendly ThreatIntelSet name that is displayed in all findings generated by activity that involves IP addresses included in this ThreatIntelSet.
Format (string) --
[REQUIRED]
The format of the file that contains the ThreatIntelSet.
Location (string) --
[REQUIRED]
The URI of the file that contains the ThreatIntelSet, for example https://s3.us-west-2.amazonaws.com/my-bucket/my-object-key. GuardDuty must be able to read the object.
Activate (boolean) --
[REQUIRED]
A boolean value that indicates whether GuardDuty is to start using the uploaded ThreatIntelSet.
ClientToken (string) --
The idempotency token for the create request.
This field is autopopulated if not provided.
Tags (dict) --
The tags to be added to the new ThreatIntelSet resource.
(string) --
(string) --
Return type
dict
Response Syntax
{ 'ThreatIntelSetId': 'string' }
Response Structure
(dict) --
ThreatIntelSetId (string) --
The ID of the ThreatIntelSet resource.
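CreateIPSet and CreateThreatIntelSet share the same shape, and both return before the list is usable: the Get calls below report a Status that moves through INACTIVE and ACTIVATING to ACTIVE, or to ERROR when GuardDuty cannot read or parse the object at Location. The following is an added example, not code from the boto3 changelog or the GuardDuty SDK, serving both create calls: it checks a TXT-format list locally, creates it with Activate=True, and polls the matching Get call until the Status settles. `client` is duck-typed, in real use boto3.client("guardduty"); FakeGuardDuty is a constructed stand-in that walks the Status enum from this page so the code runs offline. Assumed here: TXT format is one IP address or CIDR per line with '#' starting a comment (an assumption about the format, not stated on the page), the /16 breadth limit is a policy choice for this example rather than an AWS rule, the list contents, detector ID and S3 URIs are constructed, and uploading the file to S3 happens separately and is not shown.

```python
"""Validate a TXT list locally, create it as an IPSet or ThreatIntelSet, and wait for ACTIVE."""
import ipaddress
import time
from typing import Callable, List, Tuple

DETECTOR_ID = "12abc34d567e8fa901bc2d34e56789f0"  # constructed
_CALLS = {  # kind -> (create method, get method, ID field returned by create and passed to get)
    "ip_set": ("create_ip_set", "get_ip_set", "IpSetId"),
    "threat_intel_set": ("create_threat_intel_set", "get_threat_intel_set", "ThreatIntelSetId"),
}
_FAILED = {"ERROR", "DELETE_PENDING", "DELETED"}  # terminal statuses from the GetIPSet enum


def validate_txt_list(text: str, max_prefix_span: int = 16) -> Tuple[List[str], List[str]]:
    """Return (accepted entries, problems). Malformed lines and very broad CIDRs are refused:
    on a trusted IP list every address in the range is exempt from finding generation."""
    accepted, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry)  # strict: host bits set inside a CIDR is an error
        except ValueError as exc:
            problems.append(f"line {lineno}: {exc}")
            continue
        if net.prefixlen < max_prefix_span:
            problems.append(f"line {lineno}: {entry} is broader than /{max_prefix_span}")
            continue
        accepted.append(entry)
    return accepted, problems


def wait_until_active(get_status: Callable[[], str], attempts: int = 30, interval: float = 5.0,
                      sleep: Callable[[float], None] = time.sleep) -> str:
    """Poll until ACTIVE; ERROR usually means the object is missing, unreadable, or not in Format."""
    for _ in range(attempts):
        status = get_status()
        if status == "ACTIVE":
            return status
        if status in _FAILED:
            raise RuntimeError(f"list entered {status}")
        sleep(interval)
    raise TimeoutError("list did not become ACTIVE")


def publish_list(client, kind: str, detector_id: str, name: str, location: str, text: str,
                 sleep: Callable[[float], None] = time.sleep) -> Tuple[str, int]:
    """Validate, create with Activate=True, wait; returns (list ID, number of entries)."""
    create, get, id_key = _CALLS[kind]
    accepted, problems = validate_txt_list(text)
    if problems or not accepted:
        raise ValueError("refusing to publish list: " + "; ".join(problems or ["no entries"]))
    list_id = getattr(client, create)(DetectorId=detector_id, Name=name, Format="TXT",
                                      Location=location, Activate=True,
                                      Tags={"sec:entries": str(len(accepted))})[id_key]
    wait_until_active(lambda: getattr(client, get)(DetectorId=detector_id, **{id_key: list_id})["Status"],
                      sleep=sleep)
    return list_id, len(accepted)


class FakeGuardDuty:
    """Constructed stand-in: each list walks INACTIVE -> ACTIVATING -> ACTIVE, or ends in ERROR
    when Location ends in 'missing.txt' (simulating an object GuardDuty cannot read)."""
    def __init__(self):
        self._lists, self._n = {}, 0

    def _create(self, id_key, **kw):
        self._n += 1
        list_id = f"{id_key.lower()}-{self._n:04d}"
        final = "ERROR" if kw["Location"].endswith("missing.txt") else "ACTIVE"
        self._lists[list_id] = dict(kw, steps=["INACTIVE", "ACTIVATING", final])
        return {id_key: list_id}

    def _get(self, list_id):
        entry = self._lists[list_id]
        status = entry["steps"].pop(0) if len(entry["steps"]) > 1 else entry["steps"][0]
        return {"Name": entry["Name"], "Format": entry["Format"], "Location": entry["Location"],
                "Status": status, "Tags": entry.get("Tags", {})}

    def create_ip_set(self, **kw): return self._create("IpSetId", **kw)
    def get_ip_set(self, DetectorId, IpSetId): return self._get(IpSetId)
    def create_threat_intel_set(self, **kw): return self._create("ThreatIntelSetId", **kw)
    def get_threat_intel_set(self, DetectorId, ThreatIntelSetId): return self._get(ThreatIntelSetId)


TRUSTED_TXT = "# constructed sample\n198.51.100.0/24  # authorized scanner range\n203.0.113.7\n"
BAD_TXT = "10.0.0.0/8\nnot-an-ip\n192.0.2.5\n"


def demo() -> Tuple[str, int]:
    return publish_list(FakeGuardDuty(), "ip_set", DETECTOR_ID, "authorized-scanners",
                        "https://s3.us-west-2.amazonaws.com/my-bucket/trusted.txt", TRUSTED_TXT,
                        sleep=lambda _: None)

if __name__ == "__main__":
    print(demo())
```

The same publish_list call with kind="threat_intel_set" drives CreateThreatIntelSet/GetThreatIntelSet; for a threat list the breadth check matters less, and max_prefix_span can be relaxed, but the ERROR handling is identical. Polling on Status rather than trusting the create response is what catches a bucket policy or object key mistake before you assume the list is in force.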
GetDetector (updated)
Changes (response): {'Tags': {'string': 'string'}}
Retrieves an Amazon GuardDuty detector specified by the detectorId.
See also: AWS API Documentation
Request Syntax
client.get_detector( DetectorId='string' )
Parameters
DetectorId (string) --
[REQUIRED]
The unique ID of the detector that you want to get.
Return type
dict
Response Syntax
{ 'CreatedAt': 'string', 'FindingPublishingFrequency': 'FIFTEEN_MINUTES'|'ONE_HOUR'|'SIX_HOURS', 'ServiceRole': 'string', 'Status': 'ENABLED'|'DISABLED', 'UpdatedAt': 'string', 'Tags': { 'string': 'string' } }
Response Structure
(dict) --
CreatedAt (string) --
Detector creation timestamp.
FindingPublishingFrequency (string) --
Finding publishing frequency.
ServiceRole (string) --
The GuardDuty service role.
Status (string) --
The detector status.
UpdatedAt (string) --
Detector last update timestamp.
Tags (dict) --
The tags of the detector resource.
(string) --
(string) --
GetFilter (updated)
Changes (response): {'Tags': {'string': 'string'}}
Returns the details of the filter specified by the filter name.
See also: AWS API Documentation
Request Syntax
client.get_filter( DetectorId='string', FilterName='string' )
Parameters
DetectorId (string) --
[REQUIRED]
The unique ID of the detector the filter is associated with.
FilterName (string) --
[REQUIRED]
The name of the filter you want to get.
Return type
dict
Response Syntax
{ 'Name': 'string', 'Description': 'string', 'Action': 'NOOP'|'ARCHIVE', 'Rank': 123, 'FindingCriteria': { 'Criterion': { 'string': { 'Eq': [ 'string', ], 'Neq': [ 'string', ], 'Gt': 123, 'Gte': 123, 'Lt': 123, 'Lte': 123, 'Equals': [ 'string', ], 'NotEquals': [ 'string', ], 'GreaterThan': 123, 'GreaterThanOrEqual': 123, 'LessThan': 123, 'LessThanOrEqual': 123 } } }, 'Tags': { 'string': 'string' } }
Response Structure
(dict) --
Name (string) --
The name of the filter.
Description (string) --
The description of the filter.
Action (string) --
Specifies the action that is to be applied to the findings that match the filter.
Rank (integer) --
Specifies the position of the filter in the list of current filters. Also specifies the order in which this filter is applied to the findings.
FindingCriteria (dict) --
Represents the criteria to be used in the filter for querying findings.
Criterion (dict) --
Represents a map of finding properties that match specified conditions and values when querying findings.
(string) --
(dict) --
Eq (list) --
Represents the equal condition to be applied to a single field when querying for findings.
(string) --
Neq (list) --
Represents the not equal condition to be applied to a single field when querying for findings.
(string) --
Gt (integer) --
Represents a greater than condition to be applied to a single field when querying for findings.
Gte (integer) --
Represents a greater than equal condition to be applied to a single field when querying for findings.
Lt (integer) --
Represents a less than condition to be applied to a single field when querying for findings.
Lte (integer) --
Represents a less than equal condition to be applied to a single field when querying for findings.
Equals (list) --
Represents the equal condition to be applied to a single field when querying for findings.
(string) --
NotEquals (list) --
Represents the not equal condition to be applied to a single field when querying for findings.
(string) --
GreaterThan (integer) --
Represents a greater than condition to be applied to a single field when querying for findings.
GreaterThanOrEqual (integer) --
Represents a greater than equal condition to be applied to a single field when querying for findings.
LessThan (integer) --
Represents a less than condition to be applied to a single field when querying for findings.
LessThanOrEqual (integer) --
Represents a less than equal condition to be applied to a single field when querying for findings.
Tags (dict) --
The tags of the filter resource.
(string) --
(string) --
GetIPSet (updated)
Changes (response): {'Tags': {'string': 'string'}}
Retrieves the IPSet specified by the IPSet ID.
See also: AWS API Documentation
Request Syntax
client.get_ip_set( DetectorId='string', IpSetId='string' )
Parameters
DetectorId (string) --
[REQUIRED]
The unique ID of the detector the IPSet is associated with.
IpSetId (string) --
[REQUIRED]
The unique ID of the IPSet you want to get.
Return type
dict
Response Syntax
{ 'Name': 'string', 'Format': 'TXT'|'STIX'|'OTX_CSV'|'ALIEN_VAULT'|'PROOF_POINT'|'FIRE_EYE', 'Location': 'string', 'Status': 'INACTIVE'|'ACTIVATING'|'ACTIVE'|'DEACTIVATING'|'ERROR'|'DELETE_PENDING'|'DELETED', 'Tags': { 'string': 'string' } }
Response Structure
(dict) --
Name (string) --
The user friendly name to identify the IPSet. This name is displayed in all findings that are triggered by activity that involves IP addresses included in this IPSet.
Format (string) --
The format of the file that contains the IPSet.
Location (string) --
The URI of the file that contains the IPSet. For example (https://s3.us-west-2.amazonaws.com/my-bucket/my-object-key)
Status (string) --
The status of the uploaded IPSet file.
Tags (dict) --
The tags of the IP set resource.
(string) --
(string) --
GetThreatIntelSet (updated)
Changes (response): {'Tags': {'string': 'string'}}
Retrieves the ThreatIntelSet that is specified by the ThreatIntelSet ID.
See also: AWS API Documentation
Request Syntax
client.get_threat_intel_set( DetectorId='string', ThreatIntelSetId='string' )
Parameters
DetectorId (string) --
[REQUIRED]
The unique ID of the detector the ThreatIntelSet is associated with.
ThreatIntelSetId (string) --
[REQUIRED]
The unique ID of the ThreatIntelSet you want to get.
Return type
dict
Response Syntax
{ 'Name': 'string', 'Format': 'TXT'|'STIX'|'OTX_CSV'|'ALIEN_VAULT'|'PROOF_POINT'|'FIRE_EYE', 'Location': 'string', 'Status': 'INACTIVE'|'ACTIVATING'|'ACTIVE'|'DEACTIVATING'|'ERROR'|'DELETE_PENDING'|'DELETED', 'Tags': { 'string': 'string' } }
Response Structure
(dict) --
Name (string) --
A user-friendly ThreatIntelSet name that is displayed in all findings generated by activity that involves IP addresses included in this ThreatIntelSet.
Format (string) --
The format of the threatIntelSet.
Location (string) --
The URI of the file that contains the ThreatIntelSet. For example (https://s3.us-west-2.amazonaws.com/my-bucket/my-object-key).
Status (string) --
The status of the uploaded ThreatIntelSet file.
Tags (dict) --
The tags of the Threat List resource.
(string) --
(string) --