Icon

AWS GuardDuty (version v1.*.*)

accept_invitation

Accepts the invitation to be monitored by a master GuardDuty account.

Parameters

detectorId (required)

The unique ID of the detector of the GuardDuty member account.

Type: string

$body

Type: object

{
"MasterId" : "The account ID of the master GuardDuty account whose invitation you're accepting.",
"InvitationId" : "This value is used to validate the master account to the member account."
}

archive_findings

Archives GuardDuty findings specified by the list of finding IDs.
Only the master account can archive findings. Member accounts do not have permission to archive findings from their accounts.

Parameters

detectorId (required)

The ID of the detector that specifies the GuardDuty service whose findings you want to archive.

Type: string

$body

Type: object

{
"FindingIds" : [ "string" ]
}

create_detector

Creates a single Amazon GuardDuty detector. A detector is a resource that represents the GuardDuty service. To start using GuardDuty, you must create a detector in each region that you enable the service. You can have only one detector per account per region.

Parameters

$body

Type: object

{
"enable" : "A boolean value that specifies whether the detector is to be enabled.",
"clientToken" : "The idempotency token for the create request.",
"findingPublishingFrequency" : "A enum value that specifies how frequently customer got Finding updates published.",
"tags" : "The tags to be added to a new detector resource."
}

create_filter

Creates a filter using the specified finding criteria.

Parameters

detectorId (required)

The unique ID of the detector of the GuardDuty account for which you want to create a filter.

Type: string

$body

Type: object

{
"Action" : "Specifies the action that is to be applied to the findings that match the filter.",
"Description" : "The description of the filter.",
"FindingCriteria" : {
"criterion" : "Represents a map of finding properties that match specified conditions and values when querying findings."
},
"Rank" : "Specifies the position of the filter in the list of current filters. Also specifies the order in which this filter is applied to the findings.",
"ClientToken" : "The idempotency token for the create request.",
"Tags" : "The tags to be added to a new filter resource.",
"Name" : "The name of the filter."
}

create_ip_set

Creates a new IPSet, called Trusted IP list in the consoler user interface. An IPSet is a list IP addresses trusted for secure communication with AWS infrastructure and applications. GuardDuty does not generate findings for IP addresses included in IPSets. Only users from the master account can use this operation.

Parameters

detectorId (required)

The unique ID of the detector of the GuardDuty account for which you want to create an IPSet.

Type: string

$body

Type: object

{
"Format" : "The format of the file that contains the IPSet.",
"Activate" : "A boolean value that indicates whether GuardDuty is to start using the uploaded IPSet.",
"ClientToken" : "The idempotency token for the create request.",
"Tags" : "The tags to be added to a new IP set resource.",
"Name" : "The user friendly name to identify the IPSet. This name is displayed in all findings that are triggered by activity that involves IP addresses included in this IPSet.",
"Location" : "The URI of the file that contains the IPSet. For example (https://s3.us-west-2.amazonaws.com/my-bucket/my-object-key)"
}

create_members

Creates member accounts of the current AWS account by specifying a list of AWS account IDs. The current AWS account can then invite these members to manage GuardDuty in their accounts.

Parameters

detectorId (required)

The unique ID of the detector of the GuardDuty account with which you want to associate member accounts.

Type: string

$body

Type: object

{
"AccountDetails" : [ {
"accountId" : "Member account ID.",
"email" : "Member account's email address."
} ]
}

create_publishing_destination

Creates a publishing destination to send findings to. The resource to send findings to must exist before you use this operation.

Parameters

detectorId (required)

The ID of the GuardDuty detector associated with the publishing destination.

Type: string

$body

Type: object

{
"DestinationProperties" : {
"destinationArn" : "The ARN of the resource to publish to.",
"kmsKeyArn" : "The ARN of the KMS key to use for encryption."
},
"DestinationType" : "The type of resource for the publishing destination. Currently only S3 is supported.",
"ClientToken" : "The idempotency token for the request."
}

create_sample_findings

Generates example findings of types specified by the list of finding types. If 'NULL' is specified for findingTypes, the API generates example findings of all supported finding types.

Parameters

detectorId (required)

The ID of the detector to create sample findings for.

Type: string

$body

Type: object

{
"FindingTypes" : [ "string" ]
}

create_threat_intel_set

Create a new ThreatIntelSet. ThreatIntelSets consist of known malicious IP addresses. GuardDuty generates findings based on ThreatIntelSets. Only users of the master account can use this operation.

Parameters

detectorId (required)

The unique ID of the detector of the GuardDuty account for which you want to create a threatIntelSet.

Type: string

$body

Type: object

{
"Format" : "The format of the file that contains the ThreatIntelSet.",
"Activate" : "A boolean value that indicates whether GuardDuty is to start using the uploaded ThreatIntelSet.",
"ClientToken" : "The idempotency token for the create request.",
"Tags" : "The tags to be added to a new Threat List resource.",
"Name" : "A user-friendly ThreatIntelSet name that is displayed in all finding generated by activity that involves IP addresses included in this ThreatIntelSet.",
"Location" : "The URI of the file that contains the ThreatIntelSet. For example (https://s3.us-west-2.amazonaws.com/my-bucket/my-object-key)."
}

decline_invitations

Declines invitations sent to the current member account by AWS account specified by their account IDs.

Parameters

$body

Type: object

{
"accountIds" : [ "string" ]
}

delete_detector

Deletes a Amazon GuardDuty detector specified by the detector ID.

Parameters

detectorId (required)

The unique ID of the detector that you want to delete.

Type: string

delete_filter

Deletes the filter specified by the filter name.

Parameters

detectorId (required)

The unique ID of the detector the filter is associated with.

Type: string

filterName (required)

The name of the filter you want to delete.

Type: string

delete_invitations

Deletes invitations sent to the current member account by AWS accounts specified by their account IDs.

Parameters

$body

Type: object

{
"accountIds" : [ "string" ]
}

delete_ip_set

Deletes the IPSet specified by the ipSetId. IPSets are called Trusted IP lists in the console user interface.

Parameters

detectorId (required)

The unique ID of the detector associated with the IPSet.

Type: string

ipSetId (required)

The unique ID of the IPSet to delete.

Type: string

delete_members

Deletes GuardDuty member accounts (to the current GuardDuty master account) specified by the account IDs.

Parameters

detectorId (required)

The unique ID of the detector of the GuardDuty account whose members you want to delete.

Type: string

$body

Type: object

{
"AccountIds" : [ "string" ]
}

delete_publishing_destination

Deletes the publishing definition with the specified destinationId.

Parameters

destinationId (required)

The ID of the publishing destination to delete.

Type: string

detectorId (required)

The unique ID of the detector associated with the publishing destination to delete.

Type: string

delete_threat_intel_set

Deletes ThreatIntelSet specified by the ThreatIntelSet ID.

Parameters

detectorId (required)

The unique ID of the detector the threatIntelSet is associated with.

Type: string

threatIntelSetId (required)

The unique ID of the threatIntelSet you want to delete.

Type: string

describe_publishing_destination

Returns information about the publishing destination specified by the provided destinationId.

Parameters

destinationId (required)

The ID of the publishing destination to retrieve.

Type: string

detectorId (required)

The unique ID of the detector associated with the publishing destination to retrieve.

Type: string

disassociate_from_master_account

Disassociates the current GuardDuty member account from its master account.

Parameters

detectorId (required)

The unique ID of the detector of the GuardDuty member account.

Type: string

disassociate_members

Disassociates GuardDuty member accounts (to the current GuardDuty master account) specified by the account IDs.

Parameters

detectorId (required)

The unique ID of the detector of the GuardDuty account whose members you want to disassociate from master.

Type: string

$body

Type: object

{
"AccountIds" : [ "string" ]
}

get_detector

Retrieves an Amazon GuardDuty detector specified by the detectorId.

Parameters

detectorId (required)

The unique ID of the detector that you want to get.

Type: string

get_filter

Returns the details of the filter specified by the filter name.

Parameters

detectorId (required)

The unique ID of the detector the filter is associated with.

Type: string

filterName (required)

The name of the filter you want to get.

Type: string

get_findings

Describes Amazon GuardDuty findings specified by finding IDs.

Parameters

detectorId (required)

The ID of the detector that specifies the GuardDuty service whose findings you want to retrieve.

Type: string

$body

Type: object

{
"SortCriteria" : {
"orderBy" : "Order by which the sorted findings are to be displayed.",
"attributeName" : "Represents the finding attribute (for example, accountId) by which to sort findings."
},
"FindingIds" : [ "string" ]
}

get_findings_statistics

Lists Amazon GuardDuty findings' statistics for the specified detector ID.

Parameters

detectorId (required)

The ID of the detector that specifies the GuardDuty service whose findings' statistics you want to retrieve.

Type: string

$body

Type: object

{
"FindingCriteria" : {
"criterion" : "Represents a map of finding properties that match specified conditions and values when querying findings."
},
"FindingStatisticTypes" : [ "string. Possible values: COUNT_BY_SEVERITY" ]
}

get_invitations_count

Returns the count of all GuardDuty membership invitations that were sent to the current member account except the currently accepted invitation.

Parameters

$body

Type: object

{ }

get_ip_set

Retrieves the IPSet specified by the ipSetId.

Parameters

detectorId (required)

The unique ID of the detector the ipSet is associated with.

Type: string

ipSetId (required)

The unique ID of the IPSet to retrieve.

Type: string

get_master_account

Provides the details for the GuardDuty master account associated with the current GuardDuty member account.

Parameters

detectorId (required)

The unique ID of the detector of the GuardDuty member account.

Type: string

get_members

Retrieves GuardDuty member accounts (to the current GuardDuty master account) specified by the account IDs.

Parameters

detectorId (required)

The unique ID of the detector of the GuardDuty account whose members you want to retrieve.

Type: string

$body

Type: object

{
"AccountIds" : [ "string" ]
}

get_threat_intel_set

Retrieves the ThreatIntelSet that is specified by the ThreatIntelSet ID.

Parameters

detectorId (required)

The unique ID of the detector the threatIntelSet is associated with.

Type: string

threatIntelSetId (required)

The unique ID of the threatIntelSet you want to get.

Type: string

invite_members

Invites other AWS accounts (created as members of the current AWS account by CreateMembers) to enable GuardDuty and allow the current AWS account to view and manage these accounts' GuardDuty findings on their behalf as the master account.

Parameters

detectorId (required)

The unique ID of the detector of the GuardDuty account with which you want to invite members.

Type: string

$body

Type: object

{
"AccountIds" : [ "string" ],
"Message" : "The invitation message that you want to send to the accounts that you’re inviting to GuardDuty as members.",
"DisableEmailNotification" : "A boolean value that specifies whether you want to disable email notification to the accounts that you’re inviting to GuardDuty as members."
}

list_detectors

Lists detectorIds of all the existing Amazon GuardDuty detector resources.

This operation has no parameters

list_filters

Returns a paginated list of the current filters.

Parameters

detectorId (required)

The unique ID of the detector the filter is associated with.

Type: string

list_findings

Lists Amazon GuardDuty findings for the specified detector ID.

Parameters

detectorId (required)

The ID of the detector that specifies the GuardDuty service whose findings you want to list.

Type: string

$body

Type: object

{
"SortCriteria" : {
"orderBy" : "Order by which the sorted findings are to be displayed.",
"attributeName" : "Represents the finding attribute (for example, accountId) by which to sort findings."
},
"FindingCriteria" : {
"criterion" : "Represents a map of finding properties that match specified conditions and values when querying findings."
}
}

list_invitations

Lists all GuardDuty membership invitations that were sent to the current AWS account.

This operation has no parameters

list_ip_sets

Lists the IPSets of the GuardDuty service specified by the detector ID. If you use this operation from a member account, the IPSets returned are the IPSets from the associated master account.

Parameters

detectorId (required)

The unique ID of the detector the ipSet is associated with.

Type: string

list_members

Lists details about all member accounts for the current GuardDuty master account.

Parameters

detectorId (required)

The unique ID of the detector the member is associated with.

Type: string

onlyAssociated

Specifies whether to only return associated members or to return all members (including members which haven't been invited yet or have been disassociated).

Type: string

list_publishing_destinations

Returns a list of publishing destinations associated with the specified dectectorId.

Parameters

detectorId (required)

The ID of the detector to retrieve publishing destinations for.

Type: string

maxResults

The maximum number of results to return in the response.

Type: integer

nextToken

A token to use for paginating results returned in the repsonse. Set the value of this parameter to null for the first request to a list action. For subsequent calls, use the NextToken value returned from the previous request to continue listing results after the first page.

Type: string

list_tags_for_resource

Lists tags for a resource. Tagging is currently supported for detectors, finding filters, IP sets, and Threat Intel sets, with a limit of 50 tags per resource. When invoked, this operation returns all assigned tags for a given resource..

Parameters

resourceArn (required)

The Amazon Resource Name (ARN) for the given GuardDuty resource

Type: string

list_threat_intel_sets

Lists the ThreatIntelSets of the GuardDuty service specified by the detector ID. If you use this operation from a member account, the ThreatIntelSets associated with the master account are returned.

Parameters

detectorId (required)

The unique ID of the detector the threatIntelSet is associated with.

Type: string

start_monitoring_members

Turns on GuardDuty monitoring of the specified member accounts. Use this operation to restart monitoring of accounts that you stopped monitoring with the StopMonitoringMembers operation.

Parameters

detectorId (required)

The unique ID of the detector of the GuardDuty master account associated with the member accounts to monitor.

Type: string

$body

Type: object

{
"AccountIds" : [ "string" ]
}

stop_monitoring_members

Stops GuardDuty monitoring for the specified member accounnts. Use the StartMonitoringMembers to restart monitoring for those accounts.

Parameters

detectorId (required)

The unique ID of the detector of the GuardDuty account that you want to stop from monitor members' findings.

Type: string

$body

Type: object

{
"AccountIds" : [ "string" ]
}

tag_resource

Adds tags to a resource.

Parameters

resourceArn (required)

The Amazon Resource Name (ARN) for the GuardDuty resource to apply a tag to.

Type: string

$body

Type: object

{
"Tags" : "The tags to be added to a resource."
}

unarchive_findings

Unarchives GuardDuty findings specified by the findingIds.

Parameters

detectorId (required)

The ID of the detector associated with the findings to unarchive.

Type: string

$body

Type: object

{
"FindingIds" : [ "string" ]
}

untag_resource

Removes tags from a resource.

Parameters

resourceArn (required)

The Amazon Resource Name (ARN) for the resource to remove tags from.

Type: string

tagKeys (required)

The tag keys to remove from the resource.

Type: array

[ "string" ]

update_detector

Updates the Amazon GuardDuty detector specified by the detectorId.

Parameters

detectorId (required)

The unique ID of the detector to update.

Type: string

$body

Type: object

{
"FindingPublishingFrequency" : "A enum value that specifies how frequently findings are exported, such as to CloudWatch Events.",
"Enable" : "Specifies whether the detector is enabled or not enabled."
}

update_filter

Updates the filter specified by the filter name.

Parameters

detectorId (required)

The unique ID of the detector that specifies the GuardDuty service where you want to update a filter.

Type: string

filterName (required)

The name of the filter.

Type: string

$body

Type: object

{
"Action" : "Specifies the action that is to be applied to the findings that match the filter.",
"Description" : "The description of the filter.",
"FindingCriteria" : {
"criterion" : "Represents a map of finding properties that match specified conditions and values when querying findings."
},
"Rank" : "Specifies the position of the filter in the list of current filters. Also specifies the order in which this filter is applied to the findings."
}

update_findings_feedback

Marks the specified GuardDuty findings as useful or not useful.

Parameters

detectorId (required)

The ID of the detector associated with the findings to update feedback for.

Type: string

$body

Type: object

{
"Feedback" : "The feedback for the finding.",
"Comments" : "Additional feedback about the GuardDuty findings.",
"FindingIds" : [ "string" ]
}

update_ip_set

Updates the IPSet specified by the IPSet ID.

Parameters

detectorId (required)

The detectorID that specifies the GuardDuty service whose IPSet you want to update.

Type: string

ipSetId (required)

The unique ID that specifies the IPSet that you want to update.

Type: string

$body

Type: object

{
"Activate" : "The updated boolean value that specifies whether the IPSet is active or not.",
"Name" : "The unique ID that specifies the IPSet that you want to update.",
"Location" : "The updated URI of the file that contains the IPSet. For example (https://s3.us-west-2.amazonaws.com/my-bucket/my-object-key)."
}

update_publishing_destination

Updates information about the publishing destination specified by the destinationId.

Parameters

destinationId (required)

The ID of the detector associated with the publishing destinations to update.

Type: string

detectorId (required)

The ID of the

Type: string

$body

Type: object

{
"DestinationProperties" : {
"destinationArn" : "The ARN of the resource to publish to.",
"kmsKeyArn" : "The ARN of the KMS key to use for encryption."
}
}

update_threat_intel_set

Updates the ThreatIntelSet specified by ThreatIntelSet ID.

Parameters

detectorId (required)

The detectorID that specifies the GuardDuty service whose ThreatIntelSet you want to update.

Type: string

threatIntelSetId (required)

The unique ID that specifies the ThreatIntelSet that you want to update.

Type: string

$body

Type: object

{
"Activate" : "The updated boolean value that specifies whether the ThreateIntelSet is active or not.",
"Name" : "The unique ID that specifies the ThreatIntelSet that you want to update.",
"Location" : "The updated URI of the file that contains the ThreateIntelSet. For example (https://s3.us-west-2.amazonaws.com/my-bucket/my-object-key)"
}