2020/06/02 - Amazon GuardDuty - 1 updated API method
Changes: Amazon GuardDuty findings now include S3 bucket details under the Resource section when an S3 bucket was one of the affected resources.
{'Findings': {'Resource': {'S3BucketDetails': [{'Arn': 'string',
'CreatedAt': 'timestamp',
'DefaultServerSideEncryption': {'EncryptionType': 'string',
'KmsMasterKeyArn': 'string'},
'Name': 'string',
'Owner': {'Id': 'string'},
'PublicAccess': {'EffectivePermission': 'string',
'PermissionConfiguration': {'AccountLevelPermissions': {'BlockPublicAccess': {'BlockPublicAcls': 'boolean',
'BlockPublicPolicy': 'boolean',
'IgnorePublicAcls': 'boolean',
'RestrictPublicBuckets': 'boolean'}},
'BucketLevelPermissions': {'AccessControlList': {'AllowsPublicReadAccess': 'boolean',
'AllowsPublicWriteAccess': 'boolean'},
'BlockPublicAccess': {'BlockPublicAcls': 'boolean',
'BlockPublicPolicy': 'boolean',
'IgnorePublicAcls': 'boolean',
'RestrictPublicBuckets': 'boolean'},
'BucketPolicy': {'AllowsPublicReadAccess': 'boolean',
'AllowsPublicWriteAccess': 'boolean'}}}},
'Tags': [{'Key': 'string',
'Value': 'string'}],
'Type': 'string'}]}}}
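The following is an added example, not code from the boto3 documentation or from AWS. It batches get_findings calls (the request and response shapes are documented below; GetFindings accepts at most 50 finding IDs per request) and turns the new S3BucketDetails block into a triage record: how the bucket became public (ACL or bucket policy), which Block Public Access settings were off at both bucket and account level, the default encryption, and who made the call from where. The stub client, detector ID, finding IDs, ARNs, user name and addresses are constructed sample data so that it runs offline.

```python
"""Added example (not code from the boto3 or GuardDuty documentation): fetch findings with
get_findings in batches and triage the S3BucketDetails block introduced on 2020/06/02.
Runs offline against a constructed stub client; every ID, ARN and IP is sample data."""
from typing import Any, Dict, Iterable, List

MAX_IDS_PER_CALL = 50  # GetFindings accepts at most 50 finding IDs per request
BPA_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def get_findings_batched(client, detector_id: str, finding_ids: Iterable[str]) -> List[Dict[str, Any]]:
    """Call get_findings in chunks of 50 using the request syntax documented below. SortCriteria
    only orders each batch, so the merged list is re-sorted by Severity here. `client` is any
    object with a boto3-shaped get_findings(); in real use pass boto3.client("guardduty")."""
    ids = list(finding_ids)
    findings: List[Dict[str, Any]] = []
    for start in range(0, len(ids), MAX_IDS_PER_CALL):
        resp = client.get_findings(
            DetectorId=detector_id,
            FindingIds=ids[start:start + MAX_IDS_PER_CALL],
            SortCriteria={"AttributeName": "severity", "OrderBy": "DESC"},
        )
        findings.extend(resp["Findings"])
    return sorted(findings, key=lambda f: f.get("Severity", 0.0), reverse=True)


def triage_s3_bucket(bucket: Dict[str, Any]) -> Dict[str, Any]:
    """Reduce one S3BucketDetails entry to what a responder acts on: how the bucket became public
    (ACL or policy, read or write) and which Block Public Access settings are off. A setting
    counts as enforced if it is on at either the bucket or the account level."""
    public = bucket.get("PublicAccess", {})
    cfg = public.get("PermissionConfiguration", {})
    blevel, alevel = cfg.get("BucketLevelPermissions", {}), cfg.get("AccountLevelPermissions", {})
    bucket_bpa, account_bpa = blevel.get("BlockPublicAccess", {}), alevel.get("BlockPublicAccess", {})
    public_via: List[str] = []
    for source, key in (("ACL", "AccessControlList"), ("BucketPolicy", "BucketPolicy")):
        grants = blevel.get(key, {})
        public_via += [f"{source}:{mode}" for mode in ("read", "write")
                       if grants.get(f"AllowsPublic{mode.capitalize()}Access")]
    sse = bucket.get("DefaultServerSideEncryption") or {}
    return {
        "bucket": bucket.get("Name"),
        "role": bucket.get("Type"),  # Source or Destination bucket in the activity
        "effective_permission": public.get("EffectivePermission"),
        "public_via": public_via,
        "missing_bpa": [k for k in BPA_SETTINGS if not (bucket_bpa.get(k) or account_bpa.get(k))],
        "encryption": sse.get("EncryptionType") or "NONE",
        "kms_key": sse.get("KmsMasterKeyArn"),
    }


def triage_finding(finding: Dict[str, Any]) -> Dict[str, Any]:
    """Join the bucket view with who acted (AccessKeyDetails) and from where (RemoteIpDetails)."""
    res, action = finding.get("Resource", {}), finding.get("Service", {}).get("Action", {})
    api = action.get("AwsApiCallAction", {})
    remote = api.get("RemoteIpDetails", {})
    return {
        "id": finding.get("Id"), "type": finding.get("Type"), "severity": finding.get("Severity"),
        "actor": res.get("AccessKeyDetails", {}).get("UserName"), "api": api.get("Api"),
        "remote_ip": remote.get("IpAddressV4"), "remote_asn": remote.get("Organization", {}).get("Asn"),
        "buckets": [triage_s3_bucket(b) for b in res.get("S3BucketDetails", [])],
    }


# Constructed sample finding in the response shape documented below; all identifiers are fake.
SAMPLE_FINDING: Dict[str, Any] = {
    "Id": "sample-finding-0000", "Type": "Policy:S3/BucketPublicAccessGranted", "Severity": 8.0,
    "Resource": {
        "ResourceType": "S3Bucket",
        "AccessKeyDetails": {"UserName": "deploy-bot", "UserType": "IAMUser"},
        "S3BucketDetails": [{
            "Arn": "arn:aws:s3:::example-reports", "Name": "example-reports", "Type": "Destination",
            "DefaultServerSideEncryption": {"EncryptionType": "aws:kms",
                                            "KmsMasterKeyArn": "arn:aws:kms:us-east-1:123456789012:key/sample"},
            "PublicAccess": {"EffectivePermission": "PUBLIC", "PermissionConfiguration": {
                "BucketLevelPermissions": {
                    "AccessControlList": {"AllowsPublicReadAccess": False, "AllowsPublicWriteAccess": False},
                    "BucketPolicy": {"AllowsPublicReadAccess": True, "AllowsPublicWriteAccess": False},
                    "BlockPublicAccess": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                          "BlockPublicPolicy": False, "RestrictPublicBuckets": False}},
                "AccountLevelPermissions": {"BlockPublicAccess": {k: False for k in BPA_SETTINGS}}}}}]},
    "Service": {"Action": {"ActionType": "AWS_API_CALL", "AwsApiCallAction": {
        "Api": "PutBucketPolicy", "ServiceName": "s3.amazonaws.com",
        "RemoteIpDetails": {"IpAddressV4": "198.51.100.7", "Organization": {"Asn": "64496"}}}}},
}


class StubGuardDutyClient:
    """Offline stand-in for boto3.client("guardduty"): serves findings by ID and records batch sizes."""
    def __init__(self, findings: List[Dict[str, Any]]):
        self._by_id = {f["Id"]: f for f in findings}
        self.batch_sizes: List[int] = []

    def get_findings(self, DetectorId: str, FindingIds: List[str], SortCriteria=None) -> Dict[str, Any]:
        if len(FindingIds) > MAX_IDS_PER_CALL:  # mirror the service-side limit
            raise ValueError("FindingIds exceeds 50 entries")
        self.batch_sizes.append(len(FindingIds))
        return {"Findings": [self._by_id[i] for i in FindingIds if i in self._by_id]}


def demo(n: int = 120):
    """Batch-fetch n copies of the sample (distinct IDs, varying Severity) and triage them."""
    corpus = [dict(SAMPLE_FINDING, Id=f"sample-finding-{i:04d}", Severity=float(1 + i % 8)) for i in range(n)]
    client = StubGuardDutyClient(corpus)
    found = get_findings_batched(client, "sample-detector-id", [f["Id"] for f in corpus])
    return client.batch_sizes, [triage_finding(f) for f in found]


if __name__ == "__main__":
    sizes, report = demo()
    print(sizes, report[0])
```

With the sample data, demo() reports batch sizes [50, 50, 20], and the top-severity record's bucket entry shows public_via ["BucketPolicy:read"] and missing_bpa ["BlockPublicPolicy", "RestrictPublicBuckets"]: the two settings that, at either level, would have stopped the PutBucketPolicy call from exposing the bucket. The missing_bpa list is what you would feed into a put_public_access_block remediation.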
Describes Amazon GuardDuty findings specified by finding IDs.
See also: AWS API Documentation
Request Syntax
client.get_findings(
DetectorId='string',
FindingIds=[
'string',
],
SortCriteria={
'AttributeName': 'string',
'OrderBy': 'ASC'|'DESC'
}
)
Parameters
DetectorId (string) -- [REQUIRED]
The ID of the detector that specifies the GuardDuty service whose findings you want to retrieve.
FindingIds (list) -- [REQUIRED]
The IDs of the findings that you want to retrieve.
(string) --
SortCriteria (dict) --
Represents the criteria used for sorting findings.
AttributeName (string) --
Represents the finding attribute (for example, accountId) to sort findings by.
OrderBy (string) --
The order by which the sorted findings are to be displayed.
Return type
dict
Response Syntax
{
'Findings': [
{
'AccountId': 'string',
'Arn': 'string',
'Confidence': 123.0,
'CreatedAt': 'string',
'Description': 'string',
'Id': 'string',
'Partition': 'string',
'Region': 'string',
'Resource': {
'AccessKeyDetails': {
'AccessKeyId': 'string',
'PrincipalId': 'string',
'UserName': 'string',
'UserType': 'string'
},
'S3BucketDetails': [
{
'Arn': 'string',
'Name': 'string',
'Type': 'string',
'CreatedAt': datetime(2015, 1, 1),
'Owner': {
'Id': 'string'
},
'Tags': [
{
'Key': 'string',
'Value': 'string'
},
],
'DefaultServerSideEncryption': {
'EncryptionType': 'string',
'KmsMasterKeyArn': 'string'
},
'PublicAccess': {
'PermissionConfiguration': {
'BucketLevelPermissions': {
'AccessControlList': {
'AllowsPublicReadAccess': True|False,
'AllowsPublicWriteAccess': True|False
},
'BucketPolicy': {
'AllowsPublicReadAccess': True|False,
'AllowsPublicWriteAccess': True|False
},
'BlockPublicAccess': {
'IgnorePublicAcls': True|False,
'RestrictPublicBuckets': True|False,
'BlockPublicAcls': True|False,
'BlockPublicPolicy': True|False
}
},
'AccountLevelPermissions': {
'BlockPublicAccess': {
'IgnorePublicAcls': True|False,
'RestrictPublicBuckets': True|False,
'BlockPublicAcls': True|False,
'BlockPublicPolicy': True|False
}
}
},
'EffectivePermission': 'string'
}
},
],
'InstanceDetails': {
'AvailabilityZone': 'string',
'IamInstanceProfile': {
'Arn': 'string',
'Id': 'string'
},
'ImageDescription': 'string',
'ImageId': 'string',
'InstanceId': 'string',
'InstanceState': 'string',
'InstanceType': 'string',
'OutpostArn': 'string',
'LaunchTime': 'string',
'NetworkInterfaces': [
{
'Ipv6Addresses': [
'string',
],
'NetworkInterfaceId': 'string',
'PrivateDnsName': 'string',
'PrivateIpAddress': 'string',
'PrivateIpAddresses': [
{
'PrivateDnsName': 'string',
'PrivateIpAddress': 'string'
},
],
'PublicDnsName': 'string',
'PublicIp': 'string',
'SecurityGroups': [
{
'GroupId': 'string',
'GroupName': 'string'
},
],
'SubnetId': 'string',
'VpcId': 'string'
},
],
'Platform': 'string',
'ProductCodes': [
{
'Code': 'string',
'ProductType': 'string'
},
],
'Tags': [
{
'Key': 'string',
'Value': 'string'
},
]
},
'ResourceType': 'string'
},
'SchemaVersion': 'string',
'Service': {
'Action': {
'ActionType': 'string',
'AwsApiCallAction': {
'Api': 'string',
'CallerType': 'string',
'DomainDetails': {
'Domain': 'string'
},
'RemoteIpDetails': {
'City': {
'CityName': 'string'
},
'Country': {
'CountryCode': 'string',
'CountryName': 'string'
},
'GeoLocation': {
'Lat': 123.0,
'Lon': 123.0
},
'IpAddressV4': 'string',
'Organization': {
'Asn': 'string',
'AsnOrg': 'string',
'Isp': 'string',
'Org': 'string'
}
},
'ServiceName': 'string'
},
'DnsRequestAction': {
'Domain': 'string'
},
'NetworkConnectionAction': {
'Blocked': True|False,
'ConnectionDirection': 'string',
'LocalPortDetails': {
'Port': 123,
'PortName': 'string'
},
'Protocol': 'string',
'LocalIpDetails': {
'IpAddressV4': 'string'
},
'RemoteIpDetails': {
'City': {
'CityName': 'string'
},
'Country': {
'CountryCode': 'string',
'CountryName': 'string'
},
'GeoLocation': {
'Lat': 123.0,
'Lon': 123.0
},
'IpAddressV4': 'string',
'Organization': {
'Asn': 'string',
'AsnOrg': 'string',
'Isp': 'string',
'Org': 'string'
}
},
'RemotePortDetails': {
'Port': 123,
'PortName': 'string'
}
},
'PortProbeAction': {
'Blocked': True|False,
'PortProbeDetails': [
{
'LocalPortDetails': {
'Port': 123,
'PortName': 'string'
},
'LocalIpDetails': {
'IpAddressV4': 'string'
},
'RemoteIpDetails': {
'City': {
'CityName': 'string'
},
'Country': {
'CountryCode': 'string',
'CountryName': 'string'
},
'GeoLocation': {
'Lat': 123.0,
'Lon': 123.0
},
'IpAddressV4': 'string',
'Organization': {
'Asn': 'string',
'AsnOrg': 'string',
'Isp': 'string',
'Org': 'string'
}
}
},
]
}
},
'Evidence': {
'ThreatIntelligenceDetails': [
{
'ThreatListName': 'string',
'ThreatNames': [
'string',
]
},
]
},
'Archived': True|False,
'Count': 123,
'DetectorId': 'string',
'EventFirstSeen': 'string',
'EventLastSeen': 'string',
'ResourceRole': 'string',
'ServiceName': 'string',
'UserFeedback': 'string'
},
'Severity': 123.0,
'Title': 'string',
'Type': 'string',
'UpdatedAt': 'string'
},
]
}
Response Structure
(dict) --
Findings (list) --
A list of findings.
(dict) --
Contains information about the finding, which is generated when abnormal or suspicious activity is detected.
AccountId (string) --
The ID of the account in which the finding was generated.
Arn (string) --
The ARN of the finding.
Confidence (float) --
The confidence score for the finding.
CreatedAt (string) --
The time and date when the finding was created.
Description (string) --
The description of the finding.
Id (string) --
The ID of the finding.
Partition (string) --
The partition associated with the finding.
Region (string) --
The Region where the finding was generated.
Resource (dict) --
Contains information about the AWS resource associated with the activity that prompted GuardDuty to generate a finding.
AccessKeyDetails (dict) --
The IAM access key details (IAM user information) of a user that engaged in the activity that prompted GuardDuty to generate a finding.
AccessKeyId (string) --
The access key ID of the user.
PrincipalId (string) --
The principal ID of the user.
UserName (string) --
The name of the user.
UserType (string) --
The type of the user.
S3BucketDetails (list) --
Contains information on the S3 bucket.
(dict) --
Arn (string) --
The Amazon Resource Name (ARN) of the S3 bucket.
Name (string) --
The name of the S3 bucket.
Type (string) --
Describes whether the bucket is a source or destination bucket.
CreatedAt (datetime) --
The date and time the bucket was created at.
Owner (dict) --
The owner of the S3 bucket.
Id (string) --
The canonical user ID of the bucket owner. For information about locating your canonical user ID see Finding Your Account Canonical User ID.
Tags (list) --
All tags attached to the S3 bucket.
(dict) --
Contains information about a tag associated with the S3 bucket.
Key (string) --
The tag key.
Value (string) --
The tag value.
DefaultServerSideEncryption (dict) --
Describes the server side encryption method used in the S3 bucket.
EncryptionType (string) --
The type of encryption used for objects within the S3 bucket.
KmsMasterKeyArn (string) --
The Amazon Resource Name (ARN) of the KMS encryption key. Only available if the bucket EncryptionType is aws:kms.
PublicAccess (dict) --
Describes the public access policies that apply to the S3 bucket.
PermissionConfiguration (dict) --
Contains information about how permissions are configured for the S3 bucket.
BucketLevelPermissions (dict) --
Contains information about the bucket level permissions for the S3 bucket.
AccessControlList (dict) --
Contains information on how Access Control Policies are applied to the bucket.
AllowsPublicReadAccess (boolean) --
A value that indicates whether public read access for the bucket is enabled through an Access Control List (ACL).
AllowsPublicWriteAccess (boolean) --
A value that indicates whether public write access for the bucket is enabled through an Access Control List (ACL).
BucketPolicy (dict) --
Contains information on the bucket policies for the S3 bucket.
AllowsPublicReadAccess (boolean) --
A value that indicates whether public read access for the bucket is enabled through a bucket policy.
AllowsPublicWriteAccess (boolean) --
A value that indicates whether public write access for the bucket is enabled through a bucket policy.
BlockPublicAccess (dict) --
Contains information on which bucket level S3 Block Public Access settings are applied to the S3 bucket.
IgnorePublicAcls (boolean) --
Indicates if S3 Block Public Access is set to IgnorePublicAcls.
RestrictPublicBuckets (boolean) --
Indicates if S3 Block Public Access is set to RestrictPublicBuckets.
BlockPublicAcls (boolean) --
Indicates if S3 Block Public Access is set to BlockPublicAcls.
BlockPublicPolicy (boolean) --
Indicates if S3 Block Public Access is set to BlockPublicPolicy.
AccountLevelPermissions (dict) --
Contains information about the account level permissions on the S3 bucket.
BlockPublicAccess (dict) --
Describes the S3 Block Public Access settings of the bucket's parent account.
IgnorePublicAcls (boolean) --
Indicates if S3 Block Public Access is set to IgnorePublicAcls.
RestrictPublicBuckets (boolean) --
Indicates if S3 Block Public Access is set to RestrictPublicBuckets.
BlockPublicAcls (boolean) --
Indicates if S3 Block Public Access is set to BlockPublicAcls.
BlockPublicPolicy (boolean) --
Indicates if S3 Block Public Access is set to BlockPublicPolicy.
EffectivePermission (string) --
Describes the effective permission on this bucket after factoring in the bucket ACL, the bucket policy, and the Block Public Access settings at both bucket and account level.
InstanceDetails (dict) --
The information about the EC2 instance associated with the activity that prompted GuardDuty to generate a finding.
AvailabilityZone (string) --
The Availability Zone of the EC2 instance.
IamInstanceProfile (dict) --
The profile information of the EC2 instance.
Arn (string) --
The profile ARN of the EC2 instance.
Id (string) --
The profile ID of the EC2 instance.
ImageDescription (string) --
The image description of the EC2 instance.
ImageId (string) --
The image ID of the EC2 instance.
InstanceId (string) --
The ID of the EC2 instance.
InstanceState (string) --
The state of the EC2 instance.
InstanceType (string) --
The type of the EC2 instance.
OutpostArn (string) --
The Amazon Resource Name (ARN) of the AWS Outpost. Only applicable to AWS Outposts instances.
LaunchTime (string) --
The launch time of the EC2 instance.
NetworkInterfaces (list) --
The elastic network interface information of the EC2 instance.
(dict) --
Contains information about the elastic network interface of the EC2 instance.
Ipv6Addresses (list) --
A list of IPv6 addresses for the EC2 instance.
(string) --
NetworkInterfaceId (string) --
The ID of the network interface.
PrivateDnsName (string) --
The private DNS name of the EC2 instance.
PrivateIpAddress (string) --
The private IP address of the EC2 instance.
PrivateIpAddresses (list) --
Other private IP address information of the EC2 instance.
(dict) --
Contains other private IP address information of the EC2 instance.
PrivateDnsName (string) --
The private DNS name of the EC2 instance.
PrivateIpAddress (string) --
The private IP address of the EC2 instance.
PublicDnsName (string) --
The public DNS name of the EC2 instance.
PublicIp (string) --
The public IP address of the EC2 instance.
SecurityGroups (list) --
The security groups associated with the EC2 instance.
(dict) --
Contains information about the security groups associated with the EC2 instance.
GroupId (string) --
The security group ID of the EC2 instance.
GroupName (string) --
The security group name of the EC2 instance.
SubnetId (string) --
The subnet ID of the EC2 instance.
VpcId (string) --
The VPC ID of the EC2 instance.
Platform (string) --
The platform of the EC2 instance.
ProductCodes (list) --
The product code of the EC2 instance.
(dict) --
Contains information about the product code for the EC2 instance.
Code (string) --
The product code information.
ProductType (string) --
The product code type.
Tags (list) --
The tags of the EC2 instance.
(dict) --
Contains information about a tag associated with the EC2 instance.
Key (string) --
The EC2 instance tag key.
Value (string) --
The EC2 instance tag value.
ResourceType (string) --
The type of AWS resource.
SchemaVersion (string) --
The version of the schema used for the finding.
Service (dict) --
Contains additional information about the generated finding.
Action (dict) --
Information about the activity that is described in a finding.
ActionType (string) --
The GuardDuty finding activity type.
AwsApiCallAction (dict) --
Information about the AWS_API_CALL action described in this finding.
Api (string) --
The AWS API name.
CallerType (string) --
The AWS API caller type.
DomainDetails (dict) --
The domain information for the AWS API call.
Domain (string) --
The domain information for the AWS API call.
RemoteIpDetails (dict) --
The remote IP information of the connection.
City (dict) --
The city information of the remote IP address.
CityName (string) --
The city name of the remote IP address.
Country (dict) --
The country information of the remote IP address.
CountryCode (string) --
The country code of the remote IP address.
CountryName (string) --
The country name of the remote IP address.
GeoLocation (dict) --
The location information of the remote IP address.
Lat (float) --
The latitude information of the remote IP address.
Lon (float) --
The longitude information of the remote IP address.
IpAddressV4 (string) --
The IPv4 remote address of the connection.
Organization (dict) --
The ISP organization information of the remote IP address.
Asn (string) --
The Autonomous System Number (ASN) of the internet provider of the remote IP address.
AsnOrg (string) --
The organization that registered this ASN.
Isp (string) --
The ISP information for the internet provider.
Org (string) --
The name of the internet provider.
ServiceName (string) --
The AWS service name whose API was invoked.
DnsRequestAction (dict) --
Information about the DNS_REQUEST action described in this finding.
Domain (string) --
The domain name that was queried in the DNS request.
NetworkConnectionAction (dict) --
Information about the NETWORK_CONNECTION action described in this finding.
Blocked (boolean) --
Indicates whether EC2 blocked the network connection to your instance.
ConnectionDirection (string) --
The network connection direction.
LocalPortDetails (dict) --
The local port information of the connection.
Port (integer) --
The port number of the local connection.
PortName (string) --
The port name of the local connection.
Protocol (string) --
The network connection protocol.
LocalIpDetails (dict) --
The local IP information of the connection.
IpAddressV4 (string) --
The IPv4 local address of the connection.
RemoteIpDetails (dict) --
The remote IP information of the connection.
City (dict) --
The city information of the remote IP address.
CityName (string) --
The city name of the remote IP address.
Country (dict) --
The country information of the remote IP address.
CountryCode (string) --
The country code of the remote IP address.
CountryName (string) --
The country name of the remote IP address.
GeoLocation (dict) --
The location information of the remote IP address.
Lat (float) --
The latitude information of the remote IP address.
Lon (float) --
The longitude information of the remote IP address.
IpAddressV4 (string) --
The IPv4 remote address of the connection.
Organization (dict) --
The ISP organization information of the remote IP address.
Asn (string) --
The Autonomous System Number (ASN) of the internet provider of the remote IP address.
AsnOrg (string) --
The organization that registered this ASN.
Isp (string) --
The ISP information for the internet provider.
Org (string) --
The name of the internet provider.
RemotePortDetails (dict) --
The remote port information of the connection.
Port (integer) --
The port number of the remote connection.
PortName (string) --
The port name of the remote connection.
PortProbeAction (dict) --
Information about the PORT_PROBE action described in this finding.
Blocked (boolean) --
Indicates whether EC2 blocked the port probe to the instance, such as with an ACL.
PortProbeDetails (list) --
A list of objects related to port probe details.
(dict) --
Contains information about the port probe details.
LocalPortDetails (dict) --
The local port information of the connection.
Port (integer) --
The port number of the local connection.
PortName (string) --
The port name of the local connection.
LocalIpDetails (dict) --
The local IP information of the connection.
IpAddressV4 (string) --
The IPv4 local address of the connection.
RemoteIpDetails (dict) --
The remote IP information of the connection.
City (dict) --
The city information of the remote IP address.
CityName (string) --
The city name of the remote IP address.
Country (dict) --
The country information of the remote IP address.
CountryCode (string) --
The country code of the remote IP address.
CountryName (string) --
The country name of the remote IP address.
GeoLocation (dict) --
The location information of the remote IP address.
Lat (float) --
The latitude information of the remote IP address.
Lon (float) --
The longitude information of the remote IP address.
IpAddressV4 (string) --
The IPv4 remote address of the connection.
Organization (dict) --
The ISP organization information of the remote IP address.
Asn (string) --
The Autonomous System Number (ASN) of the internet provider of the remote IP address.
AsnOrg (string) --
The organization that registered this ASN.
Isp (string) --
The ISP information for the internet provider.
Org (string) --
The name of the internet provider.
Evidence (dict) --
An evidence object associated with the service.
ThreatIntelligenceDetails (list) --
A list of threat intelligence details related to the evidence.
(dict) --
An instance of a threat intelligence detail that constitutes evidence for the finding.
ThreatListName (string) --
The name of the threat intelligence list that triggered the finding.
ThreatNames (list) --
A list of names of the threats in the threat intelligence list that triggered the finding.
(string) --
Archived (boolean) --
Indicates whether this finding is archived.
Count (integer) --
The total count of the occurrences of this finding type.
DetectorId (string) --
The detector ID for the GuardDuty service.
EventFirstSeen (string) --
The first-seen timestamp of the activity that prompted GuardDuty to generate this finding.
EventLastSeen (string) --
The last-seen timestamp of the activity that prompted GuardDuty to generate this finding.
ResourceRole (string) --
The resource role information for this finding.
ServiceName (string) --
The name of the AWS service (GuardDuty) that generated a finding.
UserFeedback (string) --
Feedback that was submitted about the finding.
Severity (float) --
The severity of the finding.
Title (string) --
The title of the finding.
Type (string) --
The type of finding.
UpdatedAt (string) --
The time and date when the finding was last updated.
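The Service.Action structure above carries one of four shapes depending on ActionType (AWS_API_CALL, DNS_REQUEST, NETWORK_CONNECTION, PORT_PROBE), and Service.Evidence names the threat lists that matched. The following is an added example, not code from boto3 or AWS, that flattens those shapes into one indicator per remote IP, domain or probed port so findings can be pushed to a SIEM or turned into a blocklist. The sample findings are constructed: documentation-range addresses, the reserved ASN 64496, an example.net domain and a made-up threat list name; the finding type strings are sample labels only.

```python
"""Added example (not code from the boto3 or GuardDuty documentation): normalise Service.Action
and Service.Evidence into flat indicators. All sample findings below are constructed."""
from typing import Any, Dict, List

NETWORK_ACTIONS = ("NETWORK_CONNECTION", "PORT_PROBE")


def _remote(ip_details: Dict[str, Any]) -> Dict[str, Any]:
    """Flatten RemoteIpDetails, which AWS_API_CALL, NETWORK_CONNECTION and PORT_PROBE all share."""
    org = ip_details.get("Organization", {})
    return {"ip": ip_details.get("IpAddressV4"), "asn": org.get("Asn"), "asn_org": org.get("AsnOrg"),
            "country": ip_details.get("Country", {}).get("CountryCode")}


def extract_indicators(finding: Dict[str, Any]) -> List[Dict[str, Any]]:
    """One indicator per remote IP / domain / probed port, tagged with finding type, severity and
    the threat lists from Service.Evidence so an analyst sees why GuardDuty flagged it."""
    svc = finding.get("Service", {})
    action = svc.get("Action", {})
    kind = action.get("ActionType")
    lists = [e.get("ThreatListName") for e in svc.get("Evidence", {}).get("ThreatIntelligenceDetails", [])]
    base = {"finding_type": finding.get("Type"), "severity": finding.get("Severity"),
            "action": kind, "threat_lists": lists}
    out: List[Dict[str, Any]] = []
    if kind == "AWS_API_CALL":
        a = action.get("AwsApiCallAction", {})
        out.append({**base, **_remote(a.get("RemoteIpDetails", {})),
                    "api": a.get("Api"), "caller_type": a.get("CallerType")})
    elif kind == "DNS_REQUEST":
        out.append({**base, "domain": action.get("DnsRequestAction", {}).get("Domain")})
    elif kind == "NETWORK_CONNECTION":
        n = action.get("NetworkConnectionAction", {})
        out.append({**base, **_remote(n.get("RemoteIpDetails", {})),
                    "direction": n.get("ConnectionDirection"), "protocol": n.get("Protocol"),
                    "local_port": n.get("LocalPortDetails", {}).get("Port"),
                    "remote_port": n.get("RemotePortDetails", {}).get("Port"),
                    "blocked": n.get("Blocked", False)})
    elif kind == "PORT_PROBE":
        p = action.get("PortProbeAction", {})
        for probe in p.get("PortProbeDetails", []):  # one indicator per probed (ip, port) pair
            out.append({**base, **_remote(probe.get("RemoteIpDetails", {})),
                        "local_port": probe.get("LocalPortDetails", {}).get("Port"),
                        "blocked": p.get("Blocked", False)})
    return out


def unblocked_remote_ips(findings: List[Dict[str, Any]]) -> List[str]:
    """Remote IPs from network activity that EC2 did not block: candidates for a NACL or SG deny."""
    ips = set()
    for f in findings:
        for ind in extract_indicators(f):
            if ind.get("ip") and ind["action"] in NETWORK_ACTIONS and not ind.get("blocked"):
                ips.add(ind["ip"])
    return sorted(ips)


# Constructed sample findings (documentation-range IPs, reserved ASN, example domain, fake list name).
SAMPLES: List[Dict[str, Any]] = [
    {"Type": "Recon:EC2/PortProbeUnprotectedPort", "Severity": 2.0,
     "Service": {"Action": {"ActionType": "PORT_PROBE", "PortProbeAction": {"Blocked": False, "PortProbeDetails": [
         {"LocalPortDetails": {"Port": 22, "PortName": "SSH"},
          "RemoteIpDetails": {"IpAddressV4": "198.51.100.23", "Organization": {"Asn": "64496"}}},
         {"LocalPortDetails": {"Port": 3389, "PortName": "RDP"},
          "RemoteIpDetails": {"IpAddressV4": "198.51.100.23", "Organization": {"Asn": "64496"}}}]}}}},
    {"Type": "Backdoor:EC2/C&CActivity.B!DNS", "Severity": 8.0,
     "Service": {"Action": {"ActionType": "DNS_REQUEST", "DnsRequestAction": {"Domain": "c2.example.net"}},
                 "Evidence": {"ThreatIntelligenceDetails": [{"ThreatListName": "SampleList",
                                                             "ThreatNames": ["SampleTrojan"]}]}}},
    {"Type": "UnauthorizedAccess:EC2/SSHBruteForce", "Severity": 5.0,
     "Service": {"Action": {"ActionType": "NETWORK_CONNECTION", "NetworkConnectionAction": {
         "Blocked": False, "ConnectionDirection": "INBOUND", "Protocol": "TCP",
         "LocalPortDetails": {"Port": 22}, "RemotePortDetails": {"Port": 51234},
         "RemoteIpDetails": {"IpAddressV4": "203.0.113.9", "Country": {"CountryCode": "ZZ"}}}}}},
    {"Type": "Policy:IAMUser/RootCredentialUsage", "Severity": 5.0,
     "Service": {"Action": {"ActionType": "AWS_API_CALL", "AwsApiCallAction": {
         "Api": "ListBuckets", "CallerType": "Remote IP", "RemoteIpDetails": {"IpAddressV4": "203.0.113.50"}}}}},
]


if __name__ == "__main__":
    for sample in SAMPLES:
        for indicator in extract_indicators(sample):
            print(indicator)
    print("unblocked:", unblocked_remote_ips(SAMPLES))
```

The port-probe finding yields two indicators (ports 22 and 3389 from the same address) rather than one, because each PortProbeDetails entry carries its own RemoteIpDetails and the blocklist or SIEM rule usually keys on the (ip, port) pair. unblocked_remote_ips() deliberately ignores AWS_API_CALL addresses: those reached the AWS API endpoint, not your instance, so a VPC-level deny would not help and the response there is credential rotation.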