SDK for PHP 3.x

Client: Aws\GuardDuty\GuardDutyClient
Service ID: guardduty
Version: 2017-11-28

This page describes the parameters and results for the operations of Amazon GuardDuty (2017-11-28), and shows how to use the Aws\GuardDuty\GuardDutyClient object to call the described operations. This documentation is specific to the 2017-11-28 API version of the service.

Operation Summary

Each of the following operations can be created from a client using $client->getCommand('CommandName'), where "CommandName" is the name of one of the following operations. Note: a command is a value that encapsulates an operation and the parameters used to create an HTTP request.

You can also create and send a command immediately using the magic methods available on a client object: $client->commandName(/* parameters */). You can send the command asynchronously (returning a promise) by appending the word "Async" to the operation name: $client->commandNameAsync(/* parameters */).

AcceptAdministratorInvitation ( array $params = [] )
Accepts the invitation to be a member account and get monitored by a GuardDuty administrator account that sent the invitation.
AcceptInvitation ( array $params = [] )
Accepts the invitation to be monitored by a GuardDuty administrator account.
ArchiveFindings ( array $params = [] )
Archives GuardDuty findings that are specified by the list of finding IDs.
CreateDetector ( array $params = [] )
Creates a single GuardDuty detector.
CreateFilter ( array $params = [] )
Creates a filter using the specified finding criteria.
CreateIPSet ( array $params = [] )
Creates a new IPSet, which is called a trusted IP list in the console user interface.
CreateMalwareProtectionPlan ( array $params = [] )
Creates a new Malware Protection plan for the protected resource.
CreateMembers ( array $params = [] )
Creates member accounts of the current Amazon Web Services account by specifying a list of Amazon Web Services account IDs.
CreatePublishingDestination ( array $params = [] )
Creates a publishing destination where you can export your GuardDuty findings.
CreateSampleFindings ( array $params = [] )
Generates sample findings of types specified by the list of finding types.
CreateThreatIntelSet ( array $params = [] )
Creates a new ThreatIntelSet.
DeclineInvitations ( array $params = [] )
Declines invitations sent to the current member account by Amazon Web Services accounts specified by their account IDs.
DeleteDetector ( array $params = [] )
Deletes an Amazon GuardDuty detector that is specified by the detector ID.
DeleteFilter ( array $params = [] )
Deletes the filter specified by the filter name.
DeleteIPSet ( array $params = [] )
Deletes the IPSet specified by the ipSetId.
DeleteInvitations ( array $params = [] )
Deletes invitations sent to the current member account by Amazon Web Services accounts specified by their account IDs.
DeleteMalwareProtectionPlan ( array $params = [] )
Deletes the Malware Protection plan ID associated with the Malware Protection plan resource.
DeleteMembers ( array $params = [] )
Deletes GuardDuty member accounts (to the current GuardDuty administrator account) specified by the account IDs.
DeletePublishingDestination ( array $params = [] )
Deletes the publishing definition with the specified destinationId.
DeleteThreatIntelSet ( array $params = [] )
Deletes the ThreatIntelSet specified by the ThreatIntelSet ID.
DescribeMalwareScans ( array $params = [] )
Returns a list of malware scans.
DescribeOrganizationConfiguration ( array $params = [] )
Returns information about the account selected as the delegated administrator for GuardDuty.
DescribePublishingDestination ( array $params = [] )
Returns information about the publishing destination specified by the provided destinationId.
DisableOrganizationAdminAccount ( array $params = [] )
Removes the existing GuardDuty delegated administrator of the organization.
DisassociateFromAdministratorAccount ( array $params = [] )
Disassociates the current GuardDuty member account from its administrator account.
DisassociateFromMasterAccount ( array $params = [] )
Disassociates the current GuardDuty member account from its administrator account.
DisassociateMembers ( array $params = [] )
Disassociates GuardDuty member accounts (from the current administrator account) specified by the account IDs.
EnableOrganizationAdminAccount ( array $params = [] )
Designates an Amazon Web Services account within the organization as your GuardDuty delegated administrator.
GetAdministratorAccount ( array $params = [] )
Provides the details of the GuardDuty administrator account associated with the current GuardDuty member account.
GetCoverageStatistics ( array $params = [] )
Retrieves aggregated statistics for your account.
GetDetector ( array $params = [] )
Retrieves a GuardDuty detector specified by the detectorId.
GetFilter ( array $params = [] )
Returns the details of the filter specified by the filter name.
GetFindings ( array $params = [] )
Describes Amazon GuardDuty findings specified by finding IDs.
GetFindingsStatistics ( array $params = [] )
Lists GuardDuty findings statistics for the specified detector ID.
GetIPSet ( array $params = [] )
Retrieves the IPSet specified by the ipSetId.
GetInvitationsCount ( array $params = [] )
Returns the count of all GuardDuty membership invitations that were sent to the current member account except the currently accepted invitation.
GetMalwareProtectionPlan ( array $params = [] )
Retrieves the Malware Protection plan details associated with a Malware Protection plan ID.
GetMalwareScanSettings ( array $params = [] )
Returns the details of the malware scan settings.
GetMasterAccount ( array $params = [] )
Provides the details for the GuardDuty administrator account associated with the current GuardDuty member account.
GetMemberDetectors ( array $params = [] )
Describes which data sources are enabled for the member account's detector.
GetMembers ( array $params = [] )
Retrieves GuardDuty member accounts (of the current GuardDuty administrator account) specified by the account IDs.
GetOrganizationStatistics ( array $params = [] )
Retrieves how many active member accounts have each feature enabled within GuardDuty.
GetRemainingFreeTrialDays ( array $params = [] )
Provides the number of days left for each data source used in the free trial period.
GetThreatIntelSet ( array $params = [] )
Retrieves the ThreatIntelSet that is specified by the ThreatIntelSet ID.
GetUsageStatistics ( array $params = [] )
Lists Amazon GuardDuty usage statistics over the last 30 days for the specified detector ID.
InviteMembers ( array $params = [] )
Invites Amazon Web Services accounts to become members of an organization administered by the Amazon Web Services account that invokes this API.
ListCoverage ( array $params = [] )
Lists coverage details for your GuardDuty account.
ListDetectors ( array $params = [] )
Lists detectorIds of all the existing Amazon GuardDuty detector resources.
ListFilters ( array $params = [] )
Returns a paginated list of the current filters.
ListFindings ( array $params = [] )
Lists GuardDuty findings for the specified detector ID.
ListIPSets ( array $params = [] )
Lists the IPSets of the GuardDuty service specified by the detector ID.
ListInvitations ( array $params = [] )
Lists all GuardDuty membership invitations that were sent to the current Amazon Web Services account.
ListMalwareProtectionPlans ( array $params = [] )
Lists the Malware Protection plan IDs associated with the protected resources in your Amazon Web Services account.
ListMembers ( array $params = [] )
Lists details about all member accounts for the current GuardDuty administrator account.
ListOrganizationAdminAccounts ( array $params = [] )
Lists the accounts designated as GuardDuty delegated administrators.
ListPublishingDestinations ( array $params = [] )
Returns a list of publishing destinations associated with the specified detectorId.
ListTagsForResource ( array $params = [] )
Lists tags for a resource.
ListThreatIntelSets ( array $params = [] )
Lists the ThreatIntelSets of the GuardDuty service specified by the detector ID.
StartMalwareScan ( array $params = [] )
Initiates the malware scan.
StartMonitoringMembers ( array $params = [] )
Turns on GuardDuty monitoring of the specified member accounts.
StopMonitoringMembers ( array $params = [] )
Stops GuardDuty monitoring for the specified member accounts.
TagResource ( array $params = [] )
Adds tags to a resource.
UnarchiveFindings ( array $params = [] )
Unarchives GuardDuty findings specified by the findingIds.
UntagResource ( array $params = [] )
Removes tags from a resource.
UpdateDetector ( array $params = [] )
Updates the GuardDuty detector specified by the detector ID.
UpdateFilter ( array $params = [] )
Updates the filter specified by the filter name.
UpdateFindingsFeedback ( array $params = [] )
Marks the specified GuardDuty findings as useful or not useful.
UpdateIPSet ( array $params = [] )
Updates the IPSet specified by the IPSet ID.
UpdateMalwareProtectionPlan ( array $params = [] )
Updates an existing Malware Protection plan resource.
UpdateMalwareScanSettings ( array $params = [] )
Updates the malware scan settings.
UpdateMemberDetectors ( array $params = [] )
Contains information on member accounts to be updated.
UpdateOrganizationConfiguration ( array $params = [] )
Configures the delegated administrator account with the provided values.
UpdatePublishingDestination ( array $params = [] )
Updates information about the publishing destination specified by the destinationId.
UpdateThreatIntelSet ( array $params = [] )
Updates the ThreatIntelSet specified by the ThreatIntelSet ID.

Paginators

Paginators handle automatically iterating over paginated API results. Paginators are associated with specific API operations, and they accept the parameters that the corresponding API operation accepts. You can get a paginator from a client class using getPaginator($paginatorName, $operationParameters). This client supports the following paginators:

DescribeMalwareScans
DescribeOrganizationConfiguration
GetUsageStatistics
ListCoverage
ListDetectors
ListFilters
ListFindings
ListIPSets
ListInvitations
ListMembers
ListOrganizationAdminAccounts
ListPublishingDestinations
ListThreatIntelSets

Operations

AcceptAdministratorInvitation

$result = $client->acceptAdministratorInvitation([/* ... */]);
$promise = $client->acceptAdministratorInvitationAsync([/* ... */]);

Accepts the invitation to be a member account and get monitored by a GuardDuty administrator account that sent the invitation.

Parameter Syntax

$result = $client->acceptAdministratorInvitation([
    'AdministratorId' => '<string>', // REQUIRED
    'DetectorId' => '<string>', // REQUIRED
    'InvitationId' => '<string>', // REQUIRED
]);

Parameter Details

Members
AdministratorId
Required: Yes
Type: string

The account ID of the GuardDuty administrator account whose invitation you're accepting.

DetectorId
Required: Yes
Type: string

The unique ID of the detector of the GuardDuty member account.

InvitationId
Required: Yes
Type: string

The value that is used to validate the administrator account to the member account.

Result Syntax

[]

Result Details

The results for this operation are always empty.

Errors

BadRequestException:

A bad request exception object.

InternalServerErrorException:

An internal server error exception object.

AcceptInvitation

$result = $client->acceptInvitation([/* ... */]);
$promise = $client->acceptInvitationAsync([/* ... */]);

Accepts the invitation to be monitored by a GuardDuty administrator account.

Parameter Syntax

$result = $client->acceptInvitation([
    'DetectorId' => '<string>', // REQUIRED
    'InvitationId' => '<string>', // REQUIRED
    'MasterId' => '<string>', // REQUIRED
]);

Parameter Details

Members
DetectorId
Required: Yes
Type: string

The unique ID of the detector of the GuardDuty member account.

To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.

InvitationId
Required: Yes
Type: string

The value that is used to validate the administrator account to the member account.

MasterId
Required: Yes
Type: string

The account ID of the GuardDuty administrator account whose invitation you're accepting.

Result Syntax

[]

Result Details

The results for this operation are always empty.

Errors

BadRequestException:

A bad request exception object.

InternalServerErrorException:

An internal server error exception object.

ArchiveFindings

$result = $client->archiveFindings([/* ... */]);
$promise = $client->archiveFindingsAsync([/* ... */]);

Archives GuardDuty findings that are specified by the list of finding IDs.

Only the administrator account can archive findings. Member accounts don't have permission to archive findings from their accounts.

Parameter Syntax

$result = $client->archiveFindings([
    'DetectorId' => '<string>', // REQUIRED
    'FindingIds' => ['<string>', ...], // REQUIRED
]);

Parameter Details

Members
DetectorId
Required: Yes
Type: string

The ID of the detector that specifies the GuardDuty service whose findings you want to archive.

To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.

FindingIds
Required: Yes
Type: Array of strings

The IDs of the findings that you want to archive.

Result Syntax

[]

Result Details

The results for this operation are always empty.

Errors

BadRequestException:

A bad request exception object.

InternalServerErrorException:

An internal server error exception object.

CreateDetector

$result = $client->createDetector([/* ... */]);
$promise = $client->createDetectorAsync([/* ... */]);

Creates a single GuardDuty detector. A detector is a resource that represents the GuardDuty service. To start using GuardDuty, you must create a detector in each Region where you enable the service. You can have only one detector per account per Region. All data sources are enabled in a new detector by default.

  • When you don't specify any features, all the optional features except RUNTIME_MONITORING are enabled by default.

  • When you specify only some of the features, any feature not named in the API call is enabled by default, again with the exception of RUNTIME_MONITORING.

Specifying both EKS Runtime Monitoring (EKS_RUNTIME_MONITORING) and Runtime Monitoring (RUNTIME_MONITORING) will cause an error. You can add only one of these two features because Runtime Monitoring already includes the threat detection for Amazon EKS resources. For more information, see Runtime Monitoring.

There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints.

Parameter Syntax

$result = $client->createDetector([
    'ClientToken' => '<string>',
    'DataSources' => [
        'Kubernetes' => [
            'AuditLogs' => [ // REQUIRED
                'Enable' => true || false, // REQUIRED
            ],
        ],
        'MalwareProtection' => [
            'ScanEc2InstanceWithFindings' => [
                'EbsVolumes' => true || false,
            ],
        ],
        'S3Logs' => [
            'Enable' => true || false, // REQUIRED
        ],
    ],
    'Enable' => true || false, // REQUIRED
    'Features' => [
        [
            'AdditionalConfiguration' => [
                [
                    'Name' => 'EKS_ADDON_MANAGEMENT|ECS_FARGATE_AGENT_MANAGEMENT|EC2_AGENT_MANAGEMENT',
                    'Status' => 'ENABLED|DISABLED',
                ],
                // ...
            ],
            'Name' => 'S3_DATA_EVENTS|EKS_AUDIT_LOGS|EBS_MALWARE_PROTECTION|RDS_LOGIN_EVENTS|EKS_RUNTIME_MONITORING|LAMBDA_NETWORK_LOGS|RUNTIME_MONITORING',
            'Status' => 'ENABLED|DISABLED',
        ],
        // ...
    ],
    'FindingPublishingFrequency' => 'FIFTEEN_MINUTES|ONE_HOUR|SIX_HOURS',
    'Tags' => ['<string>', ...],
]);

Parameter Details

Members
ClientToken
Type: string

The idempotency token for the create request.

DataSources
Type: DataSourceConfigurations structure

Describes which data sources will be enabled for the detector.

There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints.

Enable
Required: Yes
Type: boolean

A Boolean value that specifies whether the detector is to be enabled.

Features
Type: Array of DetectorFeatureConfiguration structures

A list of features that will be configured for the detector.

FindingPublishingFrequency
Type: string

A value that specifies how frequently updated findings are exported.

Tags
Type: Associative array of custom string keys (TagKey) to strings

The tags to be added to a new detector resource.

Result Syntax

[
    'DetectorId' => '<string>',
    'UnprocessedDataSources' => [
        'MalwareProtection' => [
            'ScanEc2InstanceWithFindings' => [
                'EbsVolumes' => [
                    'Reason' => '<string>',
                    'Status' => 'ENABLED|DISABLED',
                ],
            ],
            'ServiceRole' => '<string>',
        ],
    ],
]

Result Details

Members
DetectorId
Type: string

The unique ID of the created detector.

UnprocessedDataSources

Specifies the data sources that couldn't be enabled when GuardDuty was enabled for the first time.

Errors

BadRequestException:

A bad request exception object.

InternalServerErrorException:

An internal server error exception object.
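An added example (not code from the SDK reference or from AWS) that creates a detector with an explicit Features list and guards against the documented RUNTIME_MONITORING / EKS_RUNTIME_MONITORING conflict before calling the API. The Region, the tag, the ClientToken value and the helper function names are assumptions.

```php
<?php
// Added example, not part of the SDK reference page: create a GuardDuty detector
// with a pinned feature list, refuse the documented conflicting feature pair, and
// inspect UnprocessedDataSources, which reports data sources that silently failed.
require 'vendor/autoload.php';

use Aws\GuardDuty\GuardDutyClient;
use Aws\GuardDuty\Exception\GuardDutyException;

// Any feature omitted here is enabled by default (except RUNTIME_MONITORING),
// so only the features we want to pin explicitly are listed.
function buildDetectorFeatures(bool $enableRuntimeMonitoring): array
{
    $features = [
        ['Name' => 'S3_DATA_EVENTS',         'Status' => 'ENABLED'],
        ['Name' => 'EKS_AUDIT_LOGS',         'Status' => 'ENABLED'],
        ['Name' => 'EBS_MALWARE_PROTECTION', 'Status' => 'ENABLED'],
        ['Name' => 'RDS_LOGIN_EVENTS',       'Status' => 'ENABLED'],
        ['Name' => 'LAMBDA_NETWORK_LOGS',    'Status' => 'ENABLED'],
    ];
    if ($enableRuntimeMonitoring) {
        // RUNTIME_MONITORING already covers EKS: do not also add EKS_RUNTIME_MONITORING.
        $features[] = [
            'Name'   => 'RUNTIME_MONITORING',
            'Status' => 'ENABLED',
            'AdditionalConfiguration' => [
                ['Name' => 'EKS_ADDON_MANAGEMENT',         'Status' => 'ENABLED'],
                ['Name' => 'ECS_FARGATE_AGENT_MANAGEMENT', 'Status' => 'ENABLED'],
                ['Name' => 'EC2_AGENT_MANAGEMENT',         'Status' => 'ENABLED'],
            ],
        ];
    }
    return $features;
}

// Local check for the error case the docs describe: both runtime features in one call.
function assertNoRuntimeFeatureConflict(array $features): void
{
    $names = array_column($features, 'Name');
    if (in_array('RUNTIME_MONITORING', $names, true)
        && in_array('EKS_RUNTIME_MONITORING', $names, true)) {
        throw new InvalidArgumentException(
            'Specify RUNTIME_MONITORING or EKS_RUNTIME_MONITORING, not both.');
    }
}

$client = new GuardDutyClient([
    'region'  => 'us-east-1',   // assumed Region
    'version' => '2017-11-28',
]);

$features = buildDetectorFeatures(true);
assertNoRuntimeFeatureConflict($features);

try {
    $result = $client->createDetector([
        'Enable'                     => true,
        // Idempotency token (assumed value): reuse the same token when retrying.
        'ClientToken'                => 'create-detector-us-east-1-v1',
        'FindingPublishingFrequency' => 'FIFTEEN_MINUTES',
        'Features'                   => $features,
        'Tags'                       => ['Owner' => 'security-ops'], // constructed tag
    ]);
} catch (GuardDutyException $e) {
    // BadRequestException and InternalServerErrorException surface here.
    fwrite(STDERR, "CreateDetector failed: {$e->getAwsErrorCode()}: {$e->getMessage()}\n");
    exit(1);
}

echo "DetectorId: {$result['DetectorId']}\n";

// Data sources that could not be enabled are reported in the result, not thrown.
$ebs = $result['UnprocessedDataSources']['MalwareProtection']
              ['ScanEc2InstanceWithFindings']['EbsVolumes'] ?? null;
if ($ebs !== null && $ebs['Status'] === 'DISABLED') {
    echo "EBS malware scanning not enabled: {$ebs['Reason']}\n";
}
```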

CreateFilter

$result = $client->createFilter([/* ... */]);
$promise = $client->createFilterAsync([/* ... */]);

Creates a filter using the specified finding criteria. The maximum number of saved filters per Amazon Web Services account per Region is 100. For more information, see Quotas for GuardDuty.

Parameter Syntax

$result = $client->createFilter([
    'Action' => 'NOOP|ARCHIVE',
    'ClientToken' => '<string>',
    'Description' => '<string>',
    'DetectorId' => '<string>', // REQUIRED
    'FindingCriteria' => [ // REQUIRED
        'Criterion' => [
            '<String>' => [
                'Eq' => ['<string>', ...],
                'Equals' => ['<string>', ...],
                'GreaterThan' => <integer>,
                'GreaterThanOrEqual' => <integer>,
                'Gt' => <integer>,
                'Gte' => <integer>,
                'LessThan' => <integer>,
                'LessThanOrEqual' => <integer>,
                'Lt' => <integer>,
                'Lte' => <integer>,
                'Neq' => ['<string>', ...],
                'NotEquals' => ['<string>', ...],
            ],
            // ...
        ],
    ],
    'Name' => '<string>', // REQUIRED
    'Rank' => <integer>,
    'Tags' => ['<string>', ...],
]);

Parameter Details

Members
Action
Type: string

Specifies the action that is to be applied to the findings that match the filter.

ClientToken
Type: string

The idempotency token for the create request.

Description
Type: string

The description of the filter. Valid characters include alphanumeric characters, and special characters such as hyphen, period, colon, underscore, braces, brackets and parentheses ({ }, [ ], and ( )), forward slash, horizontal tab, vertical tab, newline, form feed, return, and whitespace.

DetectorId
Required: Yes
Type: string

The detector ID associated with the GuardDuty account for which you want to create a filter.

To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.

FindingCriteria
Required: Yes
Type: FindingCriteria structure

Represents the criteria to be used in the filter for querying findings.

You can only use the following attributes to query findings:

  • accountId

  • id

  • region

  • severity

    To filter on the basis of severity, the API and CLI use the following input list for the FindingCriteria condition:

    • Low: ["1", "2", "3"]

    • Medium: ["4", "5", "6"]

    • High: ["7", "8"]

    • Critical: ["9", "10"]

    For more information, see Findings severity levels in the Amazon GuardDuty User Guide.

  • type

  • updatedAt

    Type: ISO 8601 string format: YYYY-MM-DDTHH:MM:SS.SSSZ or YYYY-MM-DDTHH:MM:SSZ depending on whether the value contains milliseconds.

  • resource.accessKeyDetails.accessKeyId

  • resource.accessKeyDetails.principalId

  • resource.accessKeyDetails.userName

  • resource.accessKeyDetails.userType

  • resource.instanceDetails.iamInstanceProfile.id

  • resource.instanceDetails.imageId

  • resource.instanceDetails.instanceId

  • resource.instanceDetails.tags.key

  • resource.instanceDetails.tags.value

  • resource.instanceDetails.networkInterfaces.ipv6Addresses

  • resource.instanceDetails.networkInterfaces.privateIpAddresses.privateIpAddress

  • resource.instanceDetails.networkInterfaces.publicDnsName

  • resource.instanceDetails.networkInterfaces.publicIp

  • resource.instanceDetails.networkInterfaces.securityGroups.groupId

  • resource.instanceDetails.networkInterfaces.securityGroups.groupName

  • resource.instanceDetails.networkInterfaces.subnetId

  • resource.instanceDetails.networkInterfaces.vpcId

  • resource.instanceDetails.outpostArn

  • resource.resourceType

  • resource.s3BucketDetails.publicAccess.effectivePermissions

  • resource.s3BucketDetails.name

  • resource.s3BucketDetails.tags.key

  • resource.s3BucketDetails.tags.value

  • resource.s3BucketDetails.type

  • service.action.actionType

  • service.action.awsApiCallAction.api

  • service.action.awsApiCallAction.callerType

  • service.action.awsApiCallAction.errorCode

  • service.action.awsApiCallAction.remoteIpDetails.city.cityName

  • service.action.awsApiCallAction.remoteIpDetails.country.countryName

  • service.action.awsApiCallAction.remoteIpDetails.ipAddressV4

  • service.action.awsApiCallAction.remoteIpDetails.ipAddressV6

  • service.action.awsApiCallAction.remoteIpDetails.organization.asn

  • service.action.awsApiCallAction.remoteIpDetails.organization.asnOrg

  • service.action.awsApiCallAction.serviceName

  • service.action.dnsRequestAction.domain

  • service.action.dnsRequestAction.domainWithSuffix

  • service.action.networkConnectionAction.blocked

  • service.action.networkConnectionAction.connectionDirection

  • service.action.networkConnectionAction.localPortDetails.port

  • service.action.networkConnectionAction.protocol

  • service.action.networkConnectionAction.remoteIpDetails.city.cityName

  • service.action.networkConnectionAction.remoteIpDetails.country.countryName

  • service.action.networkConnectionAction.remoteIpDetails.ipAddressV4

  • service.action.networkConnectionAction.remoteIpDetails.ipAddressV6

  • service.action.networkConnectionAction.remoteIpDetails.organization.asn

  • service.action.networkConnectionAction.remoteIpDetails.organization.asnOrg

  • service.action.networkConnectionAction.remotePortDetails.port

  • service.action.awsApiCallAction.remoteAccountDetails.affiliated

  • service.action.kubernetesApiCallAction.remoteIpDetails.ipAddressV4

  • service.action.kubernetesApiCallAction.remoteIpDetails.ipAddressV6

  • service.action.kubernetesApiCallAction.namespace

  • service.action.kubernetesApiCallAction.remoteIpDetails.organization.asn

  • service.action.kubernetesApiCallAction.requestUri

  • service.action.kubernetesApiCallAction.statusCode

  • service.action.networkConnectionAction.localIpDetails.ipAddressV4

  • service.action.networkConnectionAction.localIpDetails.ipAddressV6

  • service.action.awsApiCallAction.remoteAccountDetails.accountId

  • service.additionalInfo.threatListName

  • service.resourceRole

  • resource.eksClusterDetails.name

  • resource.kubernetesDetails.kubernetesWorkloadDetails.name

  • resource.kubernetesDetails.kubernetesWorkloadDetails.namespace

  • resource.kubernetesDetails.kubernetesUserDetails.username

  • resource.kubernetesDetails.kubernetesWorkloadDetails.containers.image

  • resource.kubernetesDetails.kubernetesWorkloadDetails.containers.imagePrefix

  • service.ebsVolumeScanDetails.scanId

  • service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.name

  • service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.severity

  • service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.filePaths.hash

  • resource.ecsClusterDetails.name

  • resource.ecsClusterDetails.taskDetails.containers.image

  • resource.ecsClusterDetails.taskDetails.definitionArn

  • resource.containerDetails.image

  • resource.rdsDbInstanceDetails.dbInstanceIdentifier

  • resource.rdsDbInstanceDetails.dbClusterIdentifier

  • resource.rdsDbInstanceDetails.engine

  • resource.rdsDbUserDetails.user

  • resource.rdsDbInstanceDetails.tags.key

  • resource.rdsDbInstanceDetails.tags.value

  • service.runtimeDetails.process.executableSha256

  • service.runtimeDetails.process.name

  • resource.lambdaDetails.functionName

  • resource.lambdaDetails.functionArn

  • resource.lambdaDetails.tags.key

  • resource.lambdaDetails.tags.value

Name
Required: Yes
Type: string

The name of the filter. Valid characters include period (.), underscore (_), dash (-), and alphanumeric characters. A whitespace is considered to be an invalid character.

Rank
Type: int

Specifies the position of the filter in the list of current filters. Also specifies the order in which this filter is applied to the findings.

Tags
Type: Associative array of custom string keys (TagKey) to strings

The tags to be added to a new filter resource.

Result Syntax

[
    'Name' => '<string>',
]

Result Details

Members
Name
Required: Yes
Type: string

The name of the successfully created filter.

Errors

BadRequestException:

A bad request exception object.

InternalServerErrorException:

An internal server error exception object.
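An added example (not code from the SDK reference or from AWS) that builds a CreateFilter request with the documented severity buckets, constrains the ARCHIVE action to one finding type so higher-severity findings are never hidden, validates the filter name against the character rules above, and resolves the detectorId through ListDetectors as the docs advise. The Region, filter name, finding type and helper function names are assumptions.

```php
<?php
// Added example, not part of the SDK reference page: create an ARCHIVE filter
// that suppresses only low-severity findings of a single finding type.
require 'vendor/autoload.php';

use Aws\GuardDuty\GuardDutyClient;
use Aws\GuardDuty\Exception\GuardDutyException;

// Severity buckets exactly as the FindingCriteria documentation lists them.
const SEVERITY_BUCKETS = [
    'Low'      => ['1', '2', '3'],
    'Medium'   => ['4', '5', '6'],
    'High'     => ['7', '8'],
    'Critical' => ['9', '10'],
];

// Filter names allow alphanumerics, '.', '_' and '-' only; whitespace is invalid.
function isValidFilterName(string $name): bool
{
    return $name !== '' && preg_match('/^[A-Za-z0-9._-]+$/', $name) === 1;
}

// Build the createFilter parameter array. Combining severity AND type in the
// criterion keeps the filter from archiving medium/high findings of that type.
function buildArchiveFilterParams(string $detectorId, string $name,
                                  string $findingType, string $bucket): array
{
    if (!isValidFilterName($name)) {
        throw new InvalidArgumentException("Invalid filter name: '$name'");
    }
    if (!isset(SEVERITY_BUCKETS[$bucket])) {
        throw new InvalidArgumentException("Unknown severity bucket: $bucket");
    }
    return [
        'DetectorId'  => $detectorId,
        'Name'        => $name,
        'Action'      => 'ARCHIVE',
        'Rank'        => 1,
        'Description' => "Auto-archive $bucket severity $findingType findings",
        'ClientToken' => "filter-$name", // idempotency: reuse the same token on retry
        'FindingCriteria' => [
            'Criterion' => [
                'severity' => ['Eq' => SEVERITY_BUCKETS[$bucket]],
                'type'     => ['Eq' => [$findingType]],
            ],
        ],
    ];
}

// There is at most one detector per account per Region, so ListDetectors
// is the documented way to find the detectorId.
function currentDetectorId(GuardDutyClient $client): string
{
    $ids = $client->listDetectors()['DetectorIds'];
    if (count($ids) !== 1) {
        throw new RuntimeException(
            'Expected exactly one detector in this Region, found ' . count($ids));
    }
    return $ids[0];
}

$client = new GuardDutyClient([
    'region'  => 'us-east-1',   // assumed Region
    'version' => '2017-11-28',
]);

try {
    $params = buildArchiveFilterParams(
        currentDetectorId($client),
        'archive-low-recon-portprobe',          // constructed filter name
        'Recon:EC2/PortProbeUnprotectedPort',   // assumed finding type
        'Low'
    );
    $result = $client->createFilter($params);
    echo "Created filter: {$result['Name']}\n";
} catch (GuardDutyException $e) {
    // BadRequestException (for example, an invalid name or criterion) lands here.
    fwrite(STDERR, "CreateFilter failed: {$e->getAwsErrorCode()}: {$e->getMessage()}\n");
    exit(1);
}
```

Archived findings drop out of the default console and ListFindings views, which is why the criterion is narrowed to one finding type and the Low bucket rather than severity alone.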

CreateIPSet

$result = $client->createIPSet([/* ... */]);
$promise = $client->createIPSetAsync([/* ... */]);

Creates a new IPSet, which is called a trusted IP list in the console user interface. An IPSet is a list of IP addresses that are trusted for secure communication with Amazon Web Services infrastructure and applications. GuardDuty doesn't generate findings for IP addresses that are included in IPSets. Only users from the administrator account can use this operation.

Parameter Syntax

$result = $client->createIPSet([
    'Activate' => true || false, // REQUIRED
    'ClientToken' => '<string>',
    'DetectorId' => '<string>', // REQUIRED
    'Format' => 'TXT|STIX|OTX_CSV|ALIEN_VAULT|PROOF_POINT|FIRE_EYE', // REQUIRED
    'Location' => '<string>', // REQUIRED
    'Name' => '<string>', // REQUIRED
    'Tags' => ['<string>', ...],
]);

Parameter Details

Members
Activate
Required: Yes
Type: boolean

A Boolean value that indicates whether GuardDuty is to start using the uploaded IPSet.

ClientToken
Type: string

The idempotency token for the create request.

DetectorId
Required: Yes
Type: string

The unique ID of the detector of the GuardDuty account for which you want to create an IPSet.

To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.

Format
Required: Yes
Type: string

The format of the file that contains the IPSet.

Location
Required: Yes
Type: string

The URI of the file that contains the IPSet.

Name
Required: Yes
Type: string

The user-friendly name to identify the IPSet.

Allowed characters are alphanumeric, whitespace, dash (-), and underscores (_).

Tags
Type: Associative array of custom string keys (TagKey) to strings

The tags to be added to a new IP set resource.

Result Syntax

[
    'IpSetId' => '<string>',
]

Result Details

Members
IpSetId
Required: Yes
Type: string

The ID of the IPSet resource.

Errors

BadRequestException:

A bad request exception object.

InternalServerErrorException:

An internal server error exception object.

CreateMalwareProtectionPlan

$result = $client->createMalwareProtectionPlan([/* ... */]);
$promise = $client->createMalwareProtectionPlanAsync([/* ... */]);

Creates a new Malware Protection plan for the protected resource.

When you create a Malware Protection plan, the Amazon Web Services service terms for GuardDuty Malware Protection apply. For more information, see Amazon Web Services service terms for GuardDuty Malware Protection.

Parameter Syntax

$result = $client->createMalwareProtectionPlan([
    'Actions' => [
        'Tagging' => [
            'Status' => 'ENABLED|DISABLED',
        ],
    ],
    'ClientToken' => '<string>',
    'ProtectedResource' => [ // REQUIRED
        'S3Bucket' => [
            'BucketName' => '<string>',
            'ObjectPrefixes' => ['<string>', ...],
        ],
    ],
    'Role' => '<string>', // REQUIRED
    'Tags' => ['<string>', ...],
]);

Parameter Details

Members
Actions

Information about whether the tags will be added to the S3 object after scanning.

ClientToken
Type: string

The idempotency token for the create request.

ProtectedResource
Required: Yes
Type: CreateProtectedResource structure

Information about the protected resource that is associated with the created Malware Protection plan. Presently, S3Bucket is the only supported protected resource.

Role
Required: Yes
Type: string

Amazon Resource Name (ARN) of the IAM role that has the permissions to scan and add tags to the associated protected resource.

Tags
Type: Associative array of custom string keys (TagKey) to strings

Tags added to the Malware Protection plan resource.

Result Syntax

[
    'MalwareProtectionPlanId' => '<string>',
]

Result Details

Members
MalwareProtectionPlanId
Type: string

A unique identifier associated with the Malware Protection plan resource.

Errors

BadRequestException:

A bad request exception object.

AccessDeniedException:

An access denied exception object.

ConflictException:

A request conflict exception object.

InternalServerErrorException:

An internal server error exception object.

CreateMembers

$result = $client->createMembers([/* ... */]);
$promise = $client->createMembersAsync([/* ... */]);

Creates member accounts of the current Amazon Web Services account by specifying a list of Amazon Web Services account IDs. This step is a prerequisite for managing the associated member accounts either by invitation or through an organization.

As a delegated administrator, using CreateMembers will enable GuardDuty in the added member accounts, with the exception of the organization delegated administrator account. A delegated administrator must enable GuardDuty prior to being added as a member.

When you use CreateMembers as an Organizations delegated administrator, GuardDuty applies your organization's auto-enable settings to the member accounts in this request, irrespective of the accounts being new or existing members. For more information about the existing auto-enable settings for your organization, see DescribeOrganizationConfiguration.

If you disassociate a member account that was added by invitation, the member account details obtained from this API, including the associated email addresses, will be retained. This is done so that the delegated administrator can invoke the InviteMembers API without the need to invoke the CreateMembers API again. To remove the details associated with a member account, the delegated administrator must invoke the DeleteMembers API.

When the member accounts added through Organizations are later disassociated, you (administrator) can't invite them by calling the InviteMembers API. You can create an association with these member accounts again only by calling the CreateMembers API.

Parameter Syntax

$result = $client->createMembers([
    'AccountDetails' => [ // REQUIRED
        [
            'AccountId' => '<string>', // REQUIRED
            'Email' => '<string>', // REQUIRED
        ],
        // ...
    ],
    'DetectorId' => '<string>', // REQUIRED
]);

Parameter Details

Members
AccountDetails
Required: Yes
Type: Array of AccountDetail structures

A list of account ID and email address pairs of the accounts that you want to associate with the GuardDuty administrator account.

DetectorId
Required: Yes
Type: string

The unique ID of the detector of the GuardDuty account for which you want to associate member accounts.

To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.

Result Syntax

[
    'UnprocessedAccounts' => [
        [
            'AccountId' => '<string>',
            'Result' => '<string>',
        ],
        // ...
    ],
]

Result Details

Members
UnprocessedAccounts
Required: Yes
Type: Array of UnprocessedAccount structures

A list of objects that include the accountIds of the unprocessed accounts and a result string that explains why each was unprocessed.

Errors

BadRequestException:

A bad request exception object.

InternalServerErrorException:

An internal server error exception object.
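The following is an added example, not code from the AWS SDK documentation: it associates two member accounts and then inspects UnprocessedAccounts, since an HTTP 200 from CreateMembers does not guarantee that every requested account was associated. The Region, the account IDs and the e-mail addresses are constructed placeholders.

```php
<?php
// Added example, not from the AWS SDK documentation: associate member accounts
// and inspect UnprocessedAccounts, because a successful call can still leave
// some of the requested accounts unassociated.
require 'vendor/autoload.php';

use Aws\GuardDuty\GuardDutyClient;
use Aws\GuardDuty\Exception\GuardDutyException;

// Assumed Region; credentials come from the SDK's default provider chain.
$client = new GuardDutyClient([
    'region'  => 'us-east-1',
    'version' => '2017-11-28',
]);

// The detector ID is looked up with ListDetectors, as the parameter notes describe.
$detectorIds = $client->listDetectors()['DetectorIds'];
if (empty($detectorIds)) {
    fwrite(STDERR, "No GuardDuty detector in this Region\n");
    exit(1);
}
$detectorId = $detectorIds[0];

// Constructed placeholder account IDs and contact addresses.
$accounts = [
    ['AccountId' => '111111111111', 'Email' => 'security-a@example.com'],
    ['AccountId' => '222222222222', 'Email' => 'security-b@example.com'],
];

try {
    $result = $client->createMembers([
        'DetectorId'     => $detectorId,
        'AccountDetails' => $accounts,
    ]);
} catch (GuardDutyException $e) {
    // BadRequestException and InternalServerErrorException arrive as this exception type.
    fwrite(STDERR, sprintf("CreateMembers failed: %s %s\n", $e->getAwsErrorCode(), $e->getMessage()));
    exit(1);
}

// HTTP 200 only means the request was accepted; each rejected account is listed here
// together with the Result string that explains the rejection.
$unprocessed = $result['UnprocessedAccounts'] ?? [];
foreach ($unprocessed as $entry) {
    printf("Not associated: %s (%s)\n", $entry['AccountId'], $entry['Result']);
}

$requested = array_column($accounts, 'AccountId');
$rejected  = array_column($unprocessed, 'AccountId');
$added     = array_diff($requested, $rejected);
printf("%d of %d accounts associated with detector %s\n", count($added), count($requested), $detectorId);

// A non-zero exit code lets an automation job flag partial failure.
exit(count($rejected) === 0 ? 0 : 2);
```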

CreatePublishingDestination

$result = $client->createPublishingDestination([/* ... */]);
$promise = $client->createPublishingDestinationAsync([/* ... */]);

Creates a publishing destination where you can export your GuardDuty findings. Before you start exporting the findings, the destination resource must exist.

Parameter Syntax

$result = $client->createPublishingDestination([
    'ClientToken' => '<string>',
    'DestinationProperties' => [ // REQUIRED
        'DestinationArn' => '<string>',
        'KmsKeyArn' => '<string>',
    ],
    'DestinationType' => 'S3', // REQUIRED
    'DetectorId' => '<string>', // REQUIRED
]);

Parameter Details

Members
ClientToken
Type: string

The idempotency token for the request.

DestinationProperties
Required: Yes
Type: DestinationProperties structure

The properties of the publishing destination, including the ARNs for the destination and the KMS key used for encryption.

DestinationType
Required: Yes
Type: string

The type of resource for the publishing destination. Currently only Amazon S3 buckets are supported.

DetectorId
Required: Yes
Type: string

The ID of the GuardDuty detector associated with the publishing destination.

To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.

Result Syntax

[
    'DestinationId' => '<string>',
]

Result Details

Members
DestinationId
Required: Yes
Type: string

The ID of the publishing destination that is created.

Errors

BadRequestException:

A bad request exception object.

InternalServerErrorException:

An internal server error exception object.

CreateSampleFindings

$result = $client->createSampleFindings([/* ... */]);
$promise = $client->createSampleFindingsAsync([/* ... */]);

Generates sample findings of types specified by the list of finding types. If 'NULL' is specified for findingTypes, the API generates sample findings of all supported finding types.

Parameter Syntax

$result = $client->createSampleFindings([
    'DetectorId' => '<string>', // REQUIRED
    'FindingTypes' => ['<string>', ...],
]);

Parameter Details

Members
DetectorId
Required: Yes
Type: string

The ID of the detector for which you need to create sample findings.

To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.

FindingTypes
Type: Array of strings

The types of sample findings to generate.

Result Syntax

[]

Result Details

The results for this operation are always empty.

Errors

BadRequestException:

A bad request exception object.

InternalServerErrorException:

An internal server error exception object.

CreateThreatIntelSet

$result = $client->createThreatIntelSet([/* ... */]);
$promise = $client->createThreatIntelSetAsync([/* ... */]);

Creates a new ThreatIntelSet. ThreatIntelSets consist of known malicious IP addresses. GuardDuty generates findings based on ThreatIntelSets. Only users of the administrator account can use this operation.

Parameter Syntax

$result = $client->createThreatIntelSet([
    'Activate' => true || false, // REQUIRED
    'ClientToken' => '<string>',
    'DetectorId' => '<string>', // REQUIRED
    'Format' => 'TXT|STIX|OTX_CSV|ALIEN_VAULT|PROOF_POINT|FIRE_EYE', // REQUIRED
    'Location' => '<string>', // REQUIRED
    'Name' => '<string>', // REQUIRED
    'Tags' => ['<string>', ...],
]);

Parameter Details

Members
Activate
Required: Yes
Type: boolean

A Boolean value that indicates whether GuardDuty is to start using the uploaded ThreatIntelSet.

ClientToken
Type: string

The idempotency token for the create request.

DetectorId
Required: Yes
Type: string

The unique ID of the detector of the GuardDuty account for which you want to create a ThreatIntelSet.

To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.

Format
Required: Yes
Type: string

The format of the file that contains the ThreatIntelSet.

Location
Required: Yes
Type: string

The URI of the file that contains the ThreatIntelSet.

Name
Required: Yes
Type: string

A user-friendly ThreatIntelSet name displayed in all findings that are generated by activity that involves IP addresses included in this ThreatIntelSet.

Tags
Type: Associative array of custom string keys (TagKey) to strings

The tags to be added to a new threat list resource.

Result Syntax

[
    'ThreatIntelSetId' => '<string>',
]

Result Details

Members
ThreatIntelSetId
Required: Yes
Type: string

The ID of the ThreatIntelSet resource.

Errors

BadRequestException:

A bad request exception object.

InternalServerErrorException:

An internal server error exception object.

DeclineInvitations

$result = $client->declineInvitations([/* ... */]);
$promise = $client->declineInvitationsAsync([/* ... */]);

Declines invitations sent to the current member account by Amazon Web Services accounts specified by their account IDs.

Parameter Syntax

$result = $client->declineInvitations([
    'AccountIds' => ['<string>', ...], // REQUIRED
]);

Parameter Details

Members
AccountIds
Required: Yes
Type: Array of strings

A list of account IDs of the Amazon Web Services accounts that sent invitations to the current member account that you want to decline invitations from.

Result Syntax

[
    'UnprocessedAccounts' => [
        [
            'AccountId' => '<string>',
            'Result' => '<string>',
        ],
        // ...
    ],
]

Result Details

Members
UnprocessedAccounts
Required: Yes
Type: Array of UnprocessedAccount structures

A list of objects that contain the unprocessed account and a result string that explains why it was unprocessed.

Errors

BadRequestException:

A bad request exception object.

InternalServerErrorException:

An internal server error exception object.

DeleteDetector

$result = $client->deleteDetector([/* ... */]);
$promise = $client->deleteDetectorAsync([/* ... */]);

Deletes an Amazon GuardDuty detector that is specified by the detector ID.

Parameter Syntax

$result = $client->deleteDetector([
    'DetectorId' => '<string>', // REQUIRED
]);

Parameter Details

Members
DetectorId
Required: Yes
Type: string

The unique ID of the detector that you want to delete.

To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.

Result Syntax

[]

Result Details

The results for this operation are always empty.

Errors

BadRequestException:

A bad request exception object.

InternalServerErrorException:

An internal server error exception object.

DeleteFilter

$result = $client->deleteFilter([/* ... */]);
$promise = $client->deleteFilterAsync([/* ... */]);

Deletes the filter specified by the filter name.

Parameter Syntax

$result = $client->deleteFilter([
    'DetectorId' => '<string>', // REQUIRED
    'FilterName' => '<string>', // REQUIRED
]);

Parameter Details

Members
DetectorId
Required: Yes
Type: string

The unique ID of the detector that is associated with the filter.

To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.

FilterName
Required: Yes
Type: string

The name of the filter that you want to delete.

Result Syntax

[]

Result Details

The results for this operation are always empty.

Errors

BadRequestException:

A bad request exception object.

InternalServerErrorException:

An internal server error exception object.

DeleteIPSet

$result = $client->deleteIPSet([/* ... */]);
$promise = $client->deleteIPSetAsync([/* ... */]);

Deletes the IPSet specified by the ipSetId. IPSets are called trusted IP lists in the console user interface.

Parameter Syntax

$result = $client->deleteIPSet([
    'DetectorId' => '<string>', // REQUIRED
    'IpSetId' => '<string>', // REQUIRED
]);

Parameter Details

Members
DetectorId
Required: Yes
Type: string

The unique ID of the detector associated with the IPSet.

To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.

IpSetId
Required: Yes
Type: string

The unique ID of the IPSet to delete.

Result Syntax

[]

Result Details

The results for this operation are always empty.

Errors

BadRequestException:

A bad request exception object.

InternalServerErrorException:

An internal server error exception object.

DeleteInvitations

$result = $client->deleteInvitations([/* ... */]);
$promise = $client->deleteInvitationsAsync([/* ... */]);

Deletes invitations sent to the current member account by Amazon Web Services accounts specified by their account IDs.

Parameter Syntax

$result = $client->deleteInvitations([
    'AccountIds' => ['<string>', ...], // REQUIRED
]);

Parameter Details

Members
AccountIds
Required: Yes
Type: Array of strings

A list of account IDs of the Amazon Web Services accounts that sent invitations to the current member account that you want to delete invitations from.

Result Syntax

[
    'UnprocessedAccounts' => [
        [
            'AccountId' => '<string>',
            'Result' => '<string>',
        ],
        // ...
    ],
]

Result Details

Members
UnprocessedAccounts
Required: Yes
Type: Array of UnprocessedAccount structures

A list of objects that contain the unprocessed account and a result string that explains why it was unprocessed.

Errors

BadRequestException:

A bad request exception object.

InternalServerErrorException:

An internal server error exception object.

DeleteMalwareProtectionPlan

$result = $client->deleteMalwareProtectionPlan([/* ... */]);
$promise = $client->deleteMalwareProtectionPlanAsync([/* ... */]);

Deletes the Malware Protection plan ID associated with the Malware Protection plan resource. Use this API only when you no longer want to protect the resource associated with this Malware Protection plan ID.

Parameter Syntax

$result = $client->deleteMalwareProtectionPlan([
    'MalwareProtectionPlanId' => '<string>', // REQUIRED
]);

Parameter Details

Members
MalwareProtectionPlanId
Required: Yes
Type: string

A unique identifier associated with the Malware Protection plan resource.

Result Syntax

[]

Result Details

The results for this operation are always empty.

Errors

BadRequestException:

A bad request exception object.

AccessDeniedException:

An access denied exception object.

InternalServerErrorException:

An internal server error exception object.

ResourceNotFoundException:

The requested resource can't be found.

DeleteMembers

$result = $client->deleteMembers([/* ... */]);
$promise = $client->deleteMembersAsync([/* ... */]);

Deletes GuardDuty member accounts (associated with the current GuardDuty administrator account) specified by the account IDs.

With autoEnableOrganizationMembers configuration for your organization set to ALL, you'll receive an error if you attempt to disable GuardDuty for a member account in your organization.

Parameter Syntax

$result = $client->deleteMembers([
    'AccountIds' => ['<string>', ...], // REQUIRED
    'DetectorId' => '<string>', // REQUIRED
]);

Parameter Details

Members
AccountIds
Required: Yes
Type: Array of strings

A list of account IDs of the GuardDuty member accounts that you want to delete.

DetectorId
Required: Yes
Type: string

The unique ID of the detector of the GuardDuty account whose members you want to delete.

To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.

Result Syntax

[
    'UnprocessedAccounts' => [
        [
            'AccountId' => '<string>',
            'Result' => '<string>',
        ],
        // ...
    ],
]

Result Details

Members
UnprocessedAccounts
Required: Yes
Type: Array of UnprocessedAccount structures

The accounts that could not be processed.

Errors

BadRequestException:

A bad request exception object.

InternalServerErrorException:

An internal server error exception object.

DeletePublishingDestination

$result = $client->deletePublishingDestination([/* ... */]);
$promise = $client->deletePublishingDestinationAsync([/* ... */]);

Deletes the publishing definition with the specified destinationId.

Parameter Syntax

$result = $client->deletePublishingDestination([
    'DestinationId' => '<string>', // REQUIRED
    'DetectorId' => '<string>', // REQUIRED
]);

Parameter Details

Members
DestinationId
Required: Yes
Type: string

The ID of the publishing destination to delete.

DetectorId
Required: Yes
Type: string

The unique ID of the detector associated with the publishing destination to delete.

To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.

Result Syntax

[]

Result Details

The results for this operation are always empty.

Errors

BadRequestException:

A bad request exception object.

InternalServerErrorException:

An internal server error exception object.

DeleteThreatIntelSet

$result = $client->deleteThreatIntelSet([/* ... */]);
$promise = $client->deleteThreatIntelSetAsync([/* ... */]);

Deletes the ThreatIntelSet specified by the ThreatIntelSet ID.

Parameter Syntax

$result = $client->deleteThreatIntelSet([
    'DetectorId' => '<string>', // REQUIRED
    'ThreatIntelSetId' => '<string>', // REQUIRED
]);

Parameter Details

Members
DetectorId
Required: Yes
Type: string

The unique ID of the detector that is associated with the threatIntelSet.

To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.

ThreatIntelSetId
Required: Yes
Type: string

The unique ID of the threatIntelSet that you want to delete.

Result Syntax

[]

Result Details

The results for this operation are always empty.

Errors

BadRequestException:

A bad request exception object.

InternalServerErrorException:

An internal server error exception object.

DescribeMalwareScans

$result = $client->describeMalwareScans([/* ... */]);
$promise = $client->describeMalwareScansAsync([/* ... */]);

Returns a list of malware scans. Each member account can view the malware scans for their own accounts. An administrator can view the malware scans for all the member accounts.

There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints.

Parameter Syntax

$result = $client->describeMalwareScans([
    'DetectorId' => '<string>', // REQUIRED
    'FilterCriteria' => [
        'FilterCriterion' => [
            [
                'CriterionKey' => 'EC2_INSTANCE_ARN|SCAN_ID|ACCOUNT_ID|GUARDDUTY_FINDING_ID|SCAN_START_TIME|SCAN_STATUS|SCAN_TYPE',
                'FilterCondition' => [
                    'EqualsValue' => '<string>',
                    'GreaterThan' => <integer>,
                    'LessThan' => <integer>,
                ],
            ],
            // ...
        ],
    ],
    'MaxResults' => <integer>,
    'NextToken' => '<string>',
    'SortCriteria' => [
        'AttributeName' => '<string>',
        'OrderBy' => 'ASC|DESC',
    ],
]);

Parameter Details

Members
DetectorId
Required: Yes
Type: string

The unique ID of the detector that the request is associated with.

To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.

FilterCriteria
Type: FilterCriteria structure

Represents the criteria to be used in the filter for describing scan entries.

MaxResults
Type: int

You can use this parameter to indicate the maximum number of items that you want in the response. The default value is 50. The maximum value is 50.

NextToken
Type: string

You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.

SortCriteria
Type: SortCriteria structure

Represents the criteria used for sorting scan entries. The attributeName is required and it must be scanStartTime.

Result Syntax

[
    'NextToken' => '<string>',
    'Scans' => [
        [
            'AccountId' => '<string>',
            'AdminDetectorId' => '<string>',
            'AttachedVolumes' => [
                [
                    'DeviceName' => '<string>',
                    'EncryptionType' => '<string>',
                    'KmsKeyArn' => '<string>',
                    'SnapshotArn' => '<string>',
                    'VolumeArn' => '<string>',
                    'VolumeSizeInGB' => <integer>,
                    'VolumeType' => '<string>',
                ],
                // ...
            ],
            'DetectorId' => '<string>',
            'FailureReason' => '<string>',
            'FileCount' => <integer>,
            'ResourceDetails' => [
                'InstanceArn' => '<string>',
            ],
            'ScanEndTime' => <DateTime>,
            'ScanId' => '<string>',
            'ScanResultDetails' => [
                'ScanResult' => 'CLEAN|INFECTED',
            ],
            'ScanStartTime' => <DateTime>,
            'ScanStatus' => 'RUNNING|COMPLETED|FAILED|SKIPPED',
            'ScanType' => 'GUARDDUTY_INITIATED|ON_DEMAND',
            'TotalBytes' => <integer>,
            'TriggerDetails' => [
                'Description' => '<string>',
                'GuardDutyFindingId' => '<string>',
            ],
        ],
        // ...
    ],
]

Result Details

Members
NextToken
Type: string

The pagination parameter to be used on the next list operation to retrieve more items.

Scans
Required: Yes
Type: Array of Scan structures

Contains information about malware scans associated with GuardDuty Malware Protection for EC2.

Errors

BadRequestException:

A bad request exception object.

InternalServerErrorException:

An internal server error exception object.
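The following is an added example, not code from the AWS SDK documentation: it pages through DescribeMalwareScans with the NextToken protocol described above, filters on SCAN_STATUS, sorts by scanStartTime (the only attributeName this operation accepts), and collects the completed scans whose ScanResult is INFECTED for triage. The Region and detector ID are placeholders; the SDK returns ScanStartTime as a DateTime object.

```php
<?php
// Added example, not from the AWS SDK documentation: list every completed
// malware scan that found an infection, following NextToken until exhausted.
require 'vendor/autoload.php';

use Aws\GuardDuty\GuardDutyClient;

// Assumed Region and placeholder detector ID (obtain the real one via ListDetectors).
$client     = new GuardDutyClient(['region' => 'us-east-1', 'version' => '2017-11-28']);
$detectorId = 'PLACEHOLDER_DETECTOR_ID';

$infected  = [];
$nextToken = null; // the first call must not carry a NextToken

do {
    $params = [
        'DetectorId' => $detectorId,
        'MaxResults' => 50, // the documented page maximum
        'FilterCriteria' => [
            'FilterCriterion' => [[
                'CriterionKey'    => 'SCAN_STATUS',
                'FilterCondition' => ['EqualsValue' => 'COMPLETED'],
            ]],
        ],
        // AttributeName is required and must be scanStartTime for this operation.
        'SortCriteria' => ['AttributeName' => 'scanStartTime', 'OrderBy' => 'DESC'],
    ];
    if ($nextToken !== null) {
        $params['NextToken'] = $nextToken; // continue from the previous response
    }

    $page = $client->describeMalwareScans($params);

    foreach ($page['Scans'] as $scan) {
        // Only completed scans carry a ScanResult; skip anything else defensively.
        if (($scan['ScanResultDetails']['ScanResult'] ?? null) !== 'INFECTED') {
            continue;
        }
        $infected[] = [
            'scanId'   => $scan['ScanId'],
            'account'  => $scan['AccountId'],
            'instance' => $scan['ResourceDetails']['InstanceArn'] ?? '',
            'finding'  => $scan['TriggerDetails']['GuardDutyFindingId'] ?? '',
            'type'     => $scan['ScanType'] ?? '',
            'started'  => isset($scan['ScanStartTime']) ? $scan['ScanStartTime']->format(DATE_ATOM) : '',
        ];
    }

    $nextToken = $page['NextToken'] ?? null;
} while ($nextToken !== null && $nextToken !== '');

// One line per infected scan, ready to hand to a ticketing or SIEM pipeline.
foreach ($infected as $hit) {
    printf("%s account=%s instance=%s finding=%s type=%s scan=%s\n",
        $hit['started'], $hit['account'], $hit['instance'], $hit['finding'], $hit['type'], $hit['scanId']);
}
printf("%d infected scan(s) found\n", count($infected));
```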

DescribeOrganizationConfiguration

$result = $client->describeOrganizationConfiguration([/* ... */]);
$promise = $client->describeOrganizationConfigurationAsync([/* ... */]);

Returns information about the account selected as the delegated administrator for GuardDuty.

There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints.

Parameter Syntax

$result = $client->describeOrganizationConfiguration([
    'DetectorId' => '<string>', // REQUIRED
    'MaxResults' => <integer>,
    'NextToken' => '<string>',
]);

Parameter Details

Members
DetectorId
Required: Yes
Type: string

The detector ID of the delegated administrator for which you need to retrieve the information.

To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.

MaxResults
Type: int

You can use this parameter to indicate the maximum number of items that you want in the response.

NextToken
Type: string

You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.

Result Syntax

[
    'AutoEnable' => true || false,
    'AutoEnableOrganizationMembers' => 'NEW|ALL|NONE',
    'DataSources' => [
        'Kubernetes' => [
            'AuditLogs' => [
                'AutoEnable' => true || false,
            ],
        ],
        'MalwareProtection' => [
            'ScanEc2InstanceWithFindings' => [
                'EbsVolumes' => [
                    'AutoEnable' => true || false,
                ],
            ],
        ],
        'S3Logs' => [
            'AutoEnable' => true || false,
        ],
    ],
    'Features' => [
        [
            'AdditionalConfiguration' => [
                [
                    'AutoEnable' => 'NEW|NONE|ALL',
                    'Name' => 'EKS_ADDON_MANAGEMENT|ECS_FARGATE_AGENT_MANAGEMENT|EC2_AGENT_MANAGEMENT',
                ],
                // ...
            ],
            'AutoEnable' => 'NEW|NONE|ALL',
            'Name' => 'S3_DATA_EVENTS|EKS_AUDIT_LOGS|EBS_MALWARE_PROTECTION|RDS_LOGIN_EVENTS|EKS_RUNTIME_MONITORING|LAMBDA_NETWORK_LOGS|RUNTIME_MONITORING',
        ],
        // ...
    ],
    'MemberAccountLimitReached' => true || false,
    'NextToken' => '<string>',
]

Result Details

Members
AutoEnable
Type: boolean

Indicates whether GuardDuty is automatically enabled for accounts added to the organization.

Even though this is still supported, we recommend using AutoEnableOrganizationMembers to achieve similar results.

AutoEnableOrganizationMembers
Type: string

Indicates the auto-enablement configuration of GuardDuty or any of the corresponding protection plans for the member accounts in the organization.

  • NEW: Indicates that when a new account joins the organization, they will have GuardDuty or any of the corresponding protection plans enabled automatically.

  • ALL: Indicates that all accounts in the organization have GuardDuty and any of the corresponding protection plans enabled automatically. This includes NEW accounts that join the organization and accounts that may have been suspended or removed from the organization in GuardDuty.

  • NONE: Indicates that GuardDuty or any of the corresponding protection plans will not be automatically enabled for any account in the organization. The administrator must manage GuardDuty for each account in the organization individually.

    When you update the auto-enable setting from ALL or NEW to NONE, this action doesn't disable the corresponding option for your existing accounts. This configuration will apply to the new accounts that join the organization. After you update the auto-enable settings, no new account will have the corresponding option as enabled.

DataSources

Describes which data sources are enabled automatically for member accounts.

Features
Type: Array of OrganizationFeatureConfigurationResult structures

A list of features that are configured for this organization.

MemberAccountLimitReached
Required: Yes
Type: boolean

Indicates whether the maximum number of allowed member accounts is already associated with the delegated administrator account for your organization.

NextToken
Type: string

The pagination parameter to be used on the next list operation to retrieve more items.

Errors

BadRequestException:

A bad request exception object.

InternalServerErrorException:

An internal server error exception object.
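The following is an added example, not code from the AWS SDK documentation: it reads the organization configuration from the delegated administrator's detector and reports every setting that would leave a member account without coverage, using the NEW/ALL/NONE semantics described above. The Region and detector ID are placeholders.

```php
<?php
// Added example, not from the AWS SDK documentation: audit the organization's
// auto-enable settings and list anything that is not set to ALL.
require 'vendor/autoload.php';

use Aws\GuardDuty\GuardDutyClient;

// Assumed Region and placeholder detector ID of the delegated administrator.
$client     = new GuardDutyClient(['region' => 'us-east-1', 'version' => '2017-11-28']);
$detectorId = 'PLACEHOLDER_DETECTOR_ID';

$issues    = [];
$nextToken = null;

do {
    $params = ['DetectorId' => $detectorId];
    if ($nextToken !== null) {
        $params['NextToken'] = $nextToken;
    }
    $cfg = $client->describeOrganizationConfiguration($params);

    // Top-level fields are the same on every page; evaluate them once.
    if ($nextToken === null) {
        $mode = $cfg['AutoEnableOrganizationMembers'] ?? 'NONE';
        if ($mode === 'NEW') {
            // NEW covers only accounts that join later; existing, suspended or
            // re-joined accounts are left as they are.
            $issues[] = 'AutoEnableOrganizationMembers is NEW: existing accounts are not enabled automatically';
        } elseif ($mode !== 'ALL') {
            $issues[] = "AutoEnableOrganizationMembers is {$mode}: every account must be managed individually";
        }
        if (!empty($cfg['MemberAccountLimitReached'])) {
            $issues[] = 'Member account limit reached: further accounts cannot be associated';
        }
    }

    // Each protection feature, and its additional agent-management configuration,
    // carries its own NEW/NONE/ALL setting.
    foreach ($cfg['Features'] ?? [] as $feature) {
        $featureMode = $feature['AutoEnable'] ?? 'NONE';
        if ($featureMode !== 'ALL') {
            $issues[] = sprintf('Feature %s auto-enable is %s', $feature['Name'], $featureMode);
        }
        foreach ($feature['AdditionalConfiguration'] ?? [] as $extra) {
            $extraMode = $extra['AutoEnable'] ?? 'NONE';
            if ($extraMode !== 'ALL') {
                $issues[] = sprintf('  %s / %s auto-enable is %s', $feature['Name'], $extra['Name'], $extraMode);
            }
        }
    }

    $nextToken = $cfg['NextToken'] ?? null;
} while ($nextToken !== null && $nextToken !== '');

if ($issues === []) {
    echo "Organization configuration: all protections auto-enabled for ALL accounts\n";
    exit(0);
}
foreach ($issues as $issue) {
    echo $issue, "\n";
}
exit(2); // non-zero so a scheduled job can alert on configuration drift
```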

DescribePublishingDestination

$result = $client->describePublishingDestination([/* ... */]);
$promise = $client->describePublishingDestinationAsync([/* ... */]);

Returns information about the publishing destination specified by the provided destinationId.

Parameter Syntax

$result = $client->describePublishingDestination([
    'DestinationId' => '<string>', // REQUIRED
    'DetectorId' => '<string>', // REQUIRED
]);

Parameter Details

Members
DestinationId
Required: Yes
Type: string

The ID of the publishing destination to retrieve.

DetectorId
Required: Yes
Type: string

The unique ID of the detector associated with the publishing destination to retrieve.

To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.

Result Syntax

[
    'DestinationId' => '<string>',
    'DestinationProperties' => [
        'DestinationArn' => '<string>',
        'KmsKeyArn' => '<string>',
    ],
    'DestinationType' => 'S3',
    'PublishingFailureStartTimestamp' => <integer>,
    'Status' => 'PENDING_VERIFICATION|PUBLISHING|UNABLE_TO_PUBLISH_FIX_DESTINATION_PROPERTY|STOPPED',
]

Result Details

Members
DestinationId
Required: Yes
Type: string

The ID of the publishing destination.

DestinationProperties
Required: Yes
Type: DestinationProperties structure

A DestinationProperties object that includes the DestinationArn and KmsKeyArn of the publishing destination.

DestinationType
Required: Yes
Type: string

The type of publishing destination. Currently, only Amazon S3 buckets are supported.

PublishingFailureStartTimestamp
Required: Yes
Type: long (int|float)

The time, in epoch millisecond format, at which GuardDuty was first unable to publish findings to the destination.

Status
Required: Yes
Type: string

The status of the publishing destination.

Errors

BadRequestException:

A bad request exception object.

InternalServerErrorException:

An internal server error exception object.
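The following is an added example, not code from the AWS SDK documentation, covering both CreatePublishingDestination and DescribePublishingDestination: it creates an S3 export destination encrypted with a KMS key, using a ClientToken so a retried request does not create a second destination, then checks the Status and, on UNABLE_TO_PUBLISH_FIX_DESTINATION_PROPERTY, reports since when publishing has failed. The Region, detector ID, bucket ARN and key ARN are placeholders; the token derivation is this example's own choice.

```php
<?php
// Added example, not from the AWS SDK documentation: create an S3 publishing
// destination for findings and verify that GuardDuty can actually publish to it.
require 'vendor/autoload.php';

use Aws\GuardDuty\GuardDutyClient;
use Aws\GuardDuty\Exception\GuardDutyException;

// Assumed Region; placeholder identifiers below must be replaced with real ones.
$client     = new GuardDutyClient(['region' => 'us-east-1', 'version' => '2017-11-28']);
$detectorId = 'PLACEHOLDER_DETECTOR_ID';
$bucketArn  = 'arn:aws:s3:::placeholder-guardduty-findings-bucket';   // must already exist
$kmsKeyArn  = 'arn:aws:kms:us-east-1:000000000000:key/PLACEHOLDER-KEY-ID';

// A token derived from the request content makes a retry idempotent: the same
// destination is returned instead of a duplicate being created. Kept short to
// stay within the token's length limit.
$clientToken = 'findings-export-' . substr(hash('sha256', $detectorId . '|' . $bucketArn), 0, 32);

try {
    $created = $client->createPublishingDestination([
        'DetectorId'      => $detectorId,
        'DestinationType' => 'S3', // the only supported destination type
        'DestinationProperties' => [
            'DestinationArn' => $bucketArn,
            'KmsKeyArn'      => $kmsKeyArn, // findings are encrypted with this key
        ],
        'ClientToken' => $clientToken,
    ]);
} catch (GuardDutyException $e) {
    fwrite(STDERR, sprintf("CreatePublishingDestination failed: %s %s\n", $e->getAwsErrorCode(), $e->getMessage()));
    exit(1);
}
$destinationId = $created['DestinationId'];

// Creation succeeding does not prove that findings can be delivered; read the status.
$desc   = $client->describePublishingDestination([
    'DetectorId'    => $detectorId,
    'DestinationId' => $destinationId,
]);
$status = $desc['Status'];

switch ($status) {
    case 'PUBLISHING':
        printf("Destination %s is publishing to %s\n", $destinationId, $desc['DestinationProperties']['DestinationArn']);
        exit(0);
    case 'PENDING_VERIFICATION':
        printf("Destination %s is still being verified; check again later\n", $destinationId);
        exit(0);
    case 'UNABLE_TO_PUBLISH_FIX_DESTINATION_PROPERTY':
        // PublishingFailureStartTimestamp is in epoch milliseconds.
        $failedSince = gmdate(DATE_ATOM, intdiv((int) $desc['PublishingFailureStartTimestamp'], 1000));
        fwrite(STDERR, sprintf(
            "Destination %s cannot publish since %s; review DestinationArn %s and KmsKeyArn %s\n",
            $destinationId, $failedSince,
            $desc['DestinationProperties']['DestinationArn'], $desc['DestinationProperties']['KmsKeyArn']
        ));
        exit(2);
    case 'STOPPED':
        fwrite(STDERR, "Destination {$destinationId} is stopped; findings are not being exported\n");
        exit(2);
    default:
        fwrite(STDERR, "Destination {$destinationId} has unexpected status {$status}\n");
        exit(2);
}
```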

DisableOrganizationAdminAccount

$result = $client->disableOrganizationAdminAccount([/* ... */]);
$promise = $client->disableOrganizationAdminAccountAsync([/* ... */]);

Removes the existing GuardDuty delegated administrator of the organization. Only the organization's management account can run this API operation.

Parameter Syntax

$result = $client->disableOrganizationAdminAccount([
    'AdminAccountId' => '<string>', // REQUIRED
]);

Parameter Details

Members
AdminAccountId
Required: Yes
Type: string

The Amazon Web Services account ID for the organization account to be disabled as a GuardDuty delegated administrator.

Result Syntax

[]

Result Details

The results for this operation are always empty.

Errors

BadRequestException:

A bad request exception object.

InternalServerErrorException:

An internal server error exception object.

DisassociateFromAdministratorAccount

$result = $client->disassociateFromAdministratorAccount([/* ... */]);
$promise = $client->disassociateFromAdministratorAccountAsync([/* ... */]);

Disassociates the current GuardDuty member account from its administrator account.

When you disassociate an invited member from a GuardDuty delegated administrator, the member account details obtained from the CreateMembers API, including the associated email addresses, are retained. This is done so that the delegated administrator can invoke the InviteMembers API without the need to invoke the CreateMembers API again. To remove the details associated with a member account, the delegated administrator must invoke the DeleteMembers API.

With autoEnableOrganizationMembers configuration for your organization set to ALL, you'll receive an error if you attempt to disable GuardDuty in a member account.

Parameter Syntax

$result = $client->disassociateFromAdministratorAccount([
    'DetectorId' => '<string>', // REQUIRED
]);

Parameter Details

Members
DetectorId
Required: Yes
Type: string

The unique ID of the detector of the GuardDuty member account.

Result Syntax

[]

Result Details

The results for this operation are always empty.

Errors

BadRequestException:

A bad request exception object.

InternalServerErrorException:

An internal server error exception object.

DisassociateFromMasterAccount

$result = $client->disassociateFromMasterAccount([/* ... */]);
$promise = $client->disassociateFromMasterAccountAsync([/* ... */]);

Disassociates the current GuardDuty member account from its administrator account.

When you disassociate an invited member from a GuardDuty delegated administrator, the member account details obtained from the CreateMembers API, including the associated email addresses, are retained. This is done so that the delegated administrator can invoke the InviteMembers API without the need to invoke the CreateMembers API again. To remove the details associated with a member account, the delegated administrator must invoke the DeleteMembers API.

Parameter Syntax

$result = $client->disassociateFromMasterAccount([
    'DetectorId' => '<string>', // REQUIRED
]);

Parameter Details

Members
DetectorId
Required: Yes
Type: string

The unique ID of the detector of the GuardDuty member account.

Result Syntax

[]

Result Details

The results for this operation are always empty.

Errors

BadRequestException:

A bad request exception object.

InternalServerErrorException:

An internal server error exception object.

DisassociateMembers

$result = $client->disassociateMembers([/* ... */]);
$promise = $client->disassociateMembersAsync([/* ... */]);

Disassociates GuardDuty member accounts (from the current administrator account) specified by the account IDs.

When you disassociate an invited member from a GuardDuty delegated administrator, the member account details obtained from the CreateMembers API, including the associated email addresses, are retained. This is done so that the delegated administrator can invoke the InviteMembers API without the need to invoke the CreateMembers API again. To remove the details associated with a member account, the delegated administrator must invoke the DeleteMembers API.

With autoEnableOrganizationMembers configuration for your organization set to ALL, you'll receive an error if you attempt to disassociate a member account before removing them from your organization.

If you disassociate a member account that was added by invitation, the member account details obtained from this API, including the associated email addresses, will be retained. This is done so that the delegated administrator can invoke the InviteMembers API without the need to invoke the CreateMembers API again. To remove the details associated with a member account, the delegated administrator must invoke the DeleteMembers API.

When the member accounts added through Organizations are later disassociated, you (administrator) can't invite them by calling the InviteMembers API. You can create an association with these member accounts again only by calling the CreateMembers API.

Parameter Syntax

$result = $client->disassociateMembers([
    'AccountIds' => ['<string>', ...], // REQUIRED
    'DetectorId' => '<string>', // REQUIRED
]);

Parameter Details

Members
AccountIds
Required: Yes
Type: Array of strings

A list of account IDs of the GuardDuty member accounts that you want to disassociate from the administrator account.

DetectorId
Required: Yes
Type: string

The unique ID of the detector of the GuardDuty account whose members you want to disassociate from the administrator account.

Result Syntax

[
    'UnprocessedAccounts' => [
        [
            'AccountId' => '<string>',
            'Result' => '<string>',
        ],
        // ...
    ],
]

Result Details

Members
UnprocessedAccounts
Required: Yes
Type: Array of UnprocessedAccount structures

A list of objects that contain the unprocessed account and a result string that explains why it was unprocessed.

Errors

BadRequestException:

A bad request exception object.

InternalServerErrorException:

An internal server error exception object.

EnableOrganizationAdminAccount

$result = $client->enableOrganizationAdminAccount([/* ... */]);
$promise = $client->enableOrganizationAdminAccountAsync([/* ... */]);

Designates an Amazon Web Services account within the organization as your GuardDuty delegated administrator. Only the organization's management account can run this API operation.

Parameter Syntax

$result = $client->enableOrganizationAdminAccount([
    'AdminAccountId' => '<string>', // REQUIRED
]);

Parameter Details

Members
AdminAccountId
Required: Yes
Type: string

The Amazon Web Services account ID for the organization account to be enabled as a GuardDuty delegated administrator.

Result Syntax

[]

Result Details

The results for this operation are always empty.

Errors

BadRequestException:

A bad request exception object.

InternalServerErrorException:

An internal server error exception object.

GetAdministratorAccount

$result = $client->getAdministratorAccount([/* ... */]);
$promise = $client->getAdministratorAccountAsync([/* ... */]);

Provides the details of the GuardDuty administrator account associated with the current GuardDuty member account.

If the organization's management account or a delegated administrator runs this API, it will return success (HTTP 200) but no content.

Parameter Syntax

$result = $client->getAdministratorAccount([
    'DetectorId' => '<string>', // REQUIRED
]);

Parameter Details

Members
DetectorId
Required: Yes
Type: string

The unique ID of the detector of the GuardDuty member account.

Result Syntax

[
    'Administrator' => [
        'AccountId' => '<string>',
        'InvitationId' => '<string>',
        'InvitedAt' => '<string>',
        'RelationshipStatus' => '<string>',
    ],
]

Result Details

Members
Administrator
Required: Yes
Type: Administrator structure

The administrator account details.

Errors

BadRequestException:

A bad request exception object.

InternalServerErrorException:

An internal server error exception object.

GetCoverageStatistics

$result = $client->getCoverageStatistics([/* ... */]);
$promise = $client->getCoverageStatisticsAsync([/* ... */]);

Retrieves aggregated statistics for your account. If you are a GuardDuty administrator, you can retrieve the statistics for all the resources associated with the active member accounts in your organization that have enabled Runtime Monitoring and have the GuardDuty security agent running on their resources.

Parameter Syntax

$result = $client->getCoverageStatistics([
    'DetectorId' => '<string>', // REQUIRED
    'FilterCriteria' => [
        'FilterCriterion' => [
            [
                'CriterionKey' => 'ACCOUNT_ID|CLUSTER_NAME|RESOURCE_TYPE|COVERAGE_STATUS|ADDON_VERSION|MANAGEMENT_TYPE|EKS_CLUSTER_NAME|ECS_CLUSTER_NAME|AGENT_VERSION|INSTANCE_ID|CLUSTER_ARN',
                'FilterCondition' => [
                    'Equals' => ['<string>', ...],
                    'NotEquals' => ['<string>', ...],
                ],
            ],
            // ...
        ],
    ],
    'StatisticsType' => ['<string>', ...], // REQUIRED
]);

Parameter Details

Members
DetectorId
Required: Yes
Type: string

The unique ID of the GuardDuty detector.

To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.

FilterCriteria
Type: CoverageFilterCriteria structure

Represents the criteria used to filter the coverage statistics.

StatisticsType
Required: Yes
Type: Array of strings

Represents the statistics type used to aggregate the coverage details.

Result Syntax

[
    'CoverageStatistics' => [
        'CountByCoverageStatus' => [<integer>, ...],
        'CountByResourceType' => [<integer>, ...],
    ],
]

Result Details

Members
CoverageStatistics
Type: CoverageStatistics structure

Represents the count aggregated by the statusCode and resourceType.

Errors

BadRequestException:

A bad request exception object.

InternalServerErrorException:

An internal server error exception object.

GetDetector

$result = $client->getDetector([/* ... */]);
$promise = $client->getDetectorAsync([/* ... */]);

Retrieves a GuardDuty detector specified by the detectorId.

There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints.

Parameter Syntax

$result = $client->getDetector([
    'DetectorId' => '<string>', // REQUIRED
]);

Parameter Details

Members
DetectorId
Required: Yes
Type: string

The unique ID of the detector that you want to get.

To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.

Result Syntax

[
    'CreatedAt' => '<string>',
    'DataSources' => [
        'CloudTrail' => [
            'Status' => 'ENABLED|DISABLED',
        ],
        'DNSLogs' => [
            'Status' => 'ENABLED|DISABLED',
        ],
        'FlowLogs' => [
            'Status' => 'ENABLED|DISABLED',
        ],
        'Kubernetes' => [
            'AuditLogs' => [
                'Status' => 'ENABLED|DISABLED',
            ],
        ],
        'MalwareProtection' => [
            'ScanEc2InstanceWithFindings' => [
                'EbsVolumes' => [
                    'Reason' => '<string>',
                    'Status' => 'ENABLED|DISABLED',
                ],
            ],
            'ServiceRole' => '<string>',
        ],
        'S3Logs' => [
            'Status' => 'ENABLED|DISABLED',
        ],
    ],
    'Features' => [
        [
            'AdditionalConfiguration' => [
                [
                    'Name' => 'EKS_ADDON_MANAGEMENT|ECS_FARGATE_AGENT_MANAGEMENT|EC2_AGENT_MANAGEMENT',
                    'Status' => 'ENABLED|DISABLED',
                    'UpdatedAt' => <DateTime>,
                ],
                // ...
            ],
            'Name' => 'FLOW_LOGS|CLOUD_TRAIL|DNS_LOGS|S3_DATA_EVENTS|EKS_AUDIT_LOGS|EBS_MALWARE_PROTECTION|RDS_LOGIN_EVENTS|EKS_RUNTIME_MONITORING|LAMBDA_NETWORK_LOGS|RUNTIME_MONITORING',
            'Status' => 'ENABLED|DISABLED',
            'UpdatedAt' => <DateTime>,
        ],
        // ...
    ],
    'FindingPublishingFrequency' => 'FIFTEEN_MINUTES|ONE_HOUR|SIX_HOURS',
    'ServiceRole' => '<string>',
    'Status' => 'ENABLED|DISABLED',
    'Tags' => ['<string>', ...],
    'UpdatedAt' => '<string>',
]

Result Details

Members
CreatedAt
Type: string

The timestamp of when the detector was created.

DataSources

Describes which data sources are enabled for the detector.

Features
Type: Array of DetectorFeatureConfigurationResult structures

Describes the features that have been enabled for the detector.

FindingPublishingFrequency
Type: string

The publishing frequency of the finding.

ServiceRole
Required: Yes
Type: string

The GuardDuty service role.

Status
Required: Yes
Type: string

The detector status.

Tags
Type: Associative array of custom string keys (TagKey) to strings

The tags of the detector resource.

UpdatedAt
Type: string

The last-updated timestamp for the detector.

Errors

BadRequestException:

A bad request exception object.

InternalServerErrorException:

An internal server error exception object.
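An added example (not from the SDK documentation) that walks a GetDetector result in the array shape shown above and reports every data source, feature or additional configuration that is not ENABLED, so a detector can be audited for protection gaps; the GUARDDUTY_LIVE environment variable and the Composer autoload path are assumptions.

```php
<?php
// Added example, not part of the SDK documentation: walk a GetDetector result
// (the array shape documented for this operation) and report every data source,
// feature or additional configuration that is not ENABLED, plus detector-level
// issues. Runs offline against a constructed sample; set GUARDDUTY_LIVE=1
// (hypothetical environment variable) to audit every detector in the Region.

use Aws\GuardDuty\GuardDutyClient;

/**
 * @param array $detector array form of a GetDetector result
 * @return string[] human-readable gaps, empty when everything is enabled
 */
function detectorCoverageGaps(array $detector): array
{
    $gaps = [];
    if (($detector['Status'] ?? 'DISABLED') !== 'ENABLED') {
        $gaps[] = 'detector is ' . ($detector['Status'] ?? 'missing');
    }
    // Findings are exported on this cadence; anything slower than
    // FIFTEEN_MINUTES delays every consumer downstream of the export.
    $freq = $detector['FindingPublishingFrequency'] ?? 'SIX_HOURS';
    if ($freq !== 'FIFTEEN_MINUTES') {
        $gaps[] = "finding publishing frequency is $freq";
    }

    // Legacy DataSources block: every leaf carries a Status but the nesting
    // depth varies (Kubernetes.AuditLogs, MalwareProtection...EbsVolumes),
    // so walk it recursively and ignore string members such as ServiceRole.
    $walk = function (array $node, string $path) use (&$walk, &$gaps): void {
        foreach ($node as $key => $value) {
            if ($key === 'Status' && $value !== 'ENABLED') {
                $gaps[] = "data source $path is $value";
            } elseif (is_array($value)) {
                $walk($value, $path === '' ? $key : "$path.$key");
            }
        }
    };
    $walk($detector['DataSources'] ?? [], '');

    // Feature-based configuration, including per-feature agent management.
    foreach ($detector['Features'] ?? [] as $feature) {
        $name = $feature['Name'] ?? '?';
        if (($feature['Status'] ?? 'DISABLED') !== 'ENABLED') {
            $gaps[] = "feature $name is " . ($feature['Status'] ?? 'missing');
        }
        foreach ($feature['AdditionalConfiguration'] ?? [] as $extra) {
            if (($extra['Status'] ?? 'DISABLED') !== 'ENABLED') {
                $gaps[] = "feature $name/{$extra['Name']} is " . ($extra['Status'] ?? 'missing');
            }
        }
    }
    return $gaps;
}

// Constructed sample in the GetDetector result shape (not real account data).
$sample = [
    'DataSources' => [
        'CloudTrail' => ['Status' => 'ENABLED'],
        'DNSLogs'    => ['Status' => 'ENABLED'],
        'FlowLogs'   => ['Status' => 'ENABLED'],
        'Kubernetes' => ['AuditLogs' => ['Status' => 'DISABLED']],
        'MalwareProtection' => [
            'ScanEc2InstanceWithFindings' => ['EbsVolumes' => ['Status' => 'DISABLED', 'Reason' => 'constructed']],
            'ServiceRole' => 'arn:aws:iam::123456789012:role/constructed',
        ],
        'S3Logs' => ['Status' => 'ENABLED'],
    ],
    'Features' => [
        ['Name' => 'RUNTIME_MONITORING', 'Status' => 'ENABLED', 'AdditionalConfiguration' => [
            ['Name' => 'EKS_ADDON_MANAGEMENT', 'Status' => 'ENABLED'],
            ['Name' => 'EC2_AGENT_MANAGEMENT', 'Status' => 'DISABLED'],
        ]],
        ['Name' => 'S3_DATA_EVENTS', 'Status' => 'DISABLED'],
    ],
    'FindingPublishingFrequency' => 'SIX_HOURS',
    'ServiceRole' => 'arn:aws:iam::123456789012:role/constructed',
    'Status' => 'ENABLED',
];

if (getenv('GUARDDUTY_LIVE') === '1') {
    require __DIR__ . '/vendor/autoload.php'; // assumption: SDK installed via Composer
    $client = new GuardDutyClient(['region' => 'us-east-1', 'version' => '2017-11-28']);
    // ListDetectors supplies the detector IDs for the current Region.
    foreach ($client->listDetectors()['DetectorIds'] as $id) {
        $gaps = detectorCoverageGaps($client->getDetector(['DetectorId' => $id])->toArray());
        printf("%s: %s\n", $id, $gaps ? implode('; ', $gaps) : 'fully enabled');
    }
} else {
    print_r(detectorCoverageGaps($sample));
}
```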

GetFilter

$result = $client->getFilter([/* ... */]);
$promise = $client->getFilterAsync([/* ... */]);

Returns the details of the filter specified by the filter name.

Parameter Syntax

$result = $client->getFilter([
    'DetectorId' => '<string>', // REQUIRED
    'FilterName' => '<string>', // REQUIRED
]);

Parameter Details

Members
DetectorId
Required: Yes
Type: string

The unique ID of the detector that is associated with this filter.

To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.

FilterName
Required: Yes
Type: string

The name of the filter you want to get.

Result Syntax

[
    'Action' => 'NOOP|ARCHIVE',
    'Description' => '<string>',
    'FindingCriteria' => [
        'Criterion' => [
            '<String>' => [
                'Eq' => ['<string>', ...],
                'Equals' => ['<string>', ...],
                'GreaterThan' => <integer>,
                'GreaterThanOrEqual' => <integer>,
                'Gt' => <integer>,
                'Gte' => <integer>,
                'LessThan' => <integer>,
                'LessThanOrEqual' => <integer>,
                'Lt' => <integer>,
                'Lte' => <integer>,
                'Neq' => ['<string>', ...],
                'NotEquals' => ['<string>', ...],
            ],
            // ...
        ],
    ],
    'Name' => '<string>',
    'Rank' => <integer>,
    'Tags' => ['<string>', ...],
]

Result Details

Members
Action
Required: Yes
Type: string

Specifies the action that is to be applied to the findings that match the filter.

Description
Type: string

The description of the filter.

FindingCriteria
Required: Yes
Type: FindingCriteria structure

Represents the criteria to be used in the filter for querying findings.

Name
Required: Yes
Type: string

The name of the filter.

Rank
Type: int

Specifies the position of the filter in the list of current filters. Also specifies the order in which this filter is applied to the findings.

Tags
Type: Associative array of custom string keys (TagKey) to strings

The tags of the filter resource.

Errors

BadRequestException:

A bad request exception object.

InternalServerErrorException:

An internal server error exception object.

GetFindings

$result = $client->getFindings([/* ... */]);
$promise = $client->getFindingsAsync([/* ... */]);

Describes Amazon GuardDuty findings specified by finding IDs.

Parameter Syntax

$result = $client->getFindings([
    'DetectorId' => '<string>', // REQUIRED
    'FindingIds' => ['<string>', ...], // REQUIRED
    'SortCriteria' => [
        'AttributeName' => '<string>',
        'OrderBy' => 'ASC|DESC',
    ],
]);

Parameter Details

Members
DetectorId
Required: Yes
Type: string

The ID of the detector that specifies the GuardDuty service whose findings you want to retrieve.

To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.

FindingIds
Required: Yes
Type: Array of strings

The IDs of the findings that you want to retrieve.

SortCriteria
Type: SortCriteria structure

Represents the criteria used for sorting findings.
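An added example (not from the SDK documentation) that reduces GetFindings results to the attributes a responder checks first (acting principal, remote IP, API called, privileged containers, host namespaces, public S3 exposure), using only fields of the Finding structure this operation returns; the GUARDDUTY_LIVE and GUARDDUTY_DETECTOR_ID environment variables, the 50-ID batch size and the PUBLIC / NOT_PUBLIC values of EffectivePermission are assumptions.

```php
<?php
// Added example, not part of the SDK documentation: reduce GetFindings results
// to the attributes a responder checks first, using only fields of the Finding
// structure documented for this operation. Runs offline against a constructed
// sample finding; set GUARDDUTY_LIVE=1 and GUARDDUTY_DETECTOR_ID (hypothetical
// environment variables) to query the API instead.

use Aws\GuardDuty\GuardDutyClient;

/** Reduce one Finding array to a flat triage record. */
function triageFinding(array $f): array
{
    $res = $f['Resource'] ?? [];
    $act = $f['Service']['Action'] ?? [];
    $record = ['id' => $f['Id'] ?? '', 'account' => $f['AccountId'] ?? '',
               'resource' => $res['ResourceType'] ?? '', 'actionType' => $act['ActionType'] ?? '',
               'flags' => []];

    // Who acted and from where: the IAM principal for API calls, the remote
    // IP for API, network and Kubernetes API actions.
    if (isset($res['AccessKeyDetails']['UserName'])) {
        $k = $res['AccessKeyDetails'];
        $record['principal'] = ($k['UserType'] ?? '') . ':' . $k['UserName'];
    }
    foreach (['AwsApiCallAction', 'NetworkConnectionAction', 'KubernetesApiCallAction'] as $kind) {
        if (isset($act[$kind]['RemoteIpDetails']['IpAddressV4'])) {
            $record['remoteIp'] = $act[$kind]['RemoteIpDetails']['IpAddressV4'];
        }
    }
    if (isset($act['AwsApiCallAction']['Api'])) {
        $api = $act['AwsApiCallAction'];
        $record['api'] = ($api['ServiceName'] ?? '') . ':' . $api['Api'];
        // A caller from an account outside the organization is a stronger signal.
        if (($api['RemoteAccountDetails']['Affiliated'] ?? true) === false) {
            $record['flags'][] = 'unaffiliated-account';
        }
    }

    // Container hardening attributes, wherever the finding carries containers.
    $containers = array_merge(
        isset($res['ContainerDetails']) ? [$res['ContainerDetails']] : [],
        $res['KubernetesDetails']['KubernetesWorkloadDetails']['Containers'] ?? [],
        $res['EcsClusterDetails']['TaskDetails']['Containers'] ?? []
    );
    foreach ($containers as $c) {
        foreach (['Privileged', 'AllowPrivilegeEscalation'] as $attr) {
            if (!empty($c['SecurityContext'][$attr])) {
                $record['flags'][] = "$attr:" . ($c['Name'] ?? '?');
            }
        }
    }
    $wl = $res['KubernetesDetails']['KubernetesWorkloadDetails'] ?? [];
    foreach (['HostPID', 'HostNetwork', 'HostIPC'] as $ns) {
        if (!empty($wl[$ns])) {
            $record['flags'][] = "host-namespace:$ns";
        }
    }

    // S3 exposure: EffectivePermission is the evaluated outcome of the account
    // and bucket level settings (assumed values PUBLIC / NOT_PUBLIC).
    foreach ($res['S3BucketDetails'] ?? [] as $bucket) {
        $eff = $bucket['PublicAccess']['EffectivePermission'] ?? 'NOT_PUBLIC';
        if ($eff !== 'NOT_PUBLIC') {
            $record['flags'][] = 'public-bucket:' . ($bucket['Name'] ?? '?') . ":$eff";
        }
    }
    return $record;
}

// Constructed sample finding (not real data) that exercises several branches.
$sample = [
    'AccountId' => '123456789012',
    'Id' => 'constructed-finding-id',
    'Resource' => [
        'ResourceType' => 'EKSCluster',
        'KubernetesDetails' => ['KubernetesWorkloadDetails' => [
            'HostPID' => true,
            'Containers' => [['Name' => 'app', 'SecurityContext' => ['Privileged' => true]]],
        ]],
    ],
    'Service' => ['Action' => [
        'ActionType' => 'KUBERNETES_API_CALL',
        'KubernetesApiCallAction' => ['RemoteIpDetails' => ['IpAddressV4' => '198.51.100.7']],
    ]],
];

if (getenv('GUARDDUTY_LIVE') === '1') {
    require __DIR__ . '/vendor/autoload.php'; // assumption: SDK installed via Composer
    $client = new GuardDutyClient(['region' => 'us-east-1', 'version' => '2017-11-28']);
    $detectorId = getenv('GUARDDUTY_DETECTOR_ID');
    // ListFindings supplies the IDs (first page only here); GetFindings returns the detail.
    $ids = $client->listFindings(['DetectorId' => $detectorId])['FindingIds'];
    foreach (array_chunk($ids, 50) as $batch) { // assumed per-call limit of 50 IDs
        $result = $client->getFindings(['DetectorId' => $detectorId, 'FindingIds' => $batch]);
        foreach ($result['Findings'] as $finding) {
            print_r(triageFinding($finding));
        }
    }
} else {
    print_r(triageFinding($sample));
}
```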

Result Syntax

[
    'Findings' => [
        [
            'AccountId' => '<string>',
            'Arn' => '<string>',
            'AssociatedAttackSequenceArn' => '<string>',
            'Confidence' => <float>,
            'CreatedAt' => '<string>',
            'Description' => '<string>',
            'Id' => '<string>',
            'Partition' => '<string>',
            'Region' => '<string>',
            'Resource' => [
                'AccessKeyDetails' => [
                    'AccessKeyId' => '<string>',
                    'PrincipalId' => '<string>',
                    'UserName' => '<string>',
                    'UserType' => '<string>',
                ],
                'ContainerDetails' => [
                    'ContainerRuntime' => '<string>',
                    'Id' => '<string>',
                    'Image' => '<string>',
                    'ImagePrefix' => '<string>',
                    'Name' => '<string>',
                    'SecurityContext' => [
                        'AllowPrivilegeEscalation' => true || false,
                        'Privileged' => true || false,
                    ],
                    'VolumeMounts' => [
                        [
                            'MountPath' => '<string>',
                            'Name' => '<string>',
                        ],
                        // ...
                    ],
                ],
                'EbsVolumeDetails' => [
                    'ScannedVolumeDetails' => [
                        [
                            'DeviceName' => '<string>',
                            'EncryptionType' => '<string>',
                            'KmsKeyArn' => '<string>',
                            'SnapshotArn' => '<string>',
                            'VolumeArn' => '<string>',
                            'VolumeSizeInGB' => <integer>,
                            'VolumeType' => '<string>',
                        ],
                        // ...
                    ],
                    'SkippedVolumeDetails' => [
                        [
                            'DeviceName' => '<string>',
                            'EncryptionType' => '<string>',
                            'KmsKeyArn' => '<string>',
                            'SnapshotArn' => '<string>',
                            'VolumeArn' => '<string>',
                            'VolumeSizeInGB' => <integer>,
                            'VolumeType' => '<string>',
                        ],
                        // ...
                    ],
                ],
                'EcsClusterDetails' => [
                    'ActiveServicesCount' => <integer>,
                    'Arn' => '<string>',
                    'Name' => '<string>',
                    'RegisteredContainerInstancesCount' => <integer>,
                    'RunningTasksCount' => <integer>,
                    'Status' => '<string>',
                    'Tags' => [
                        [
                            'Key' => '<string>',
                            'Value' => '<string>',
                        ],
                        // ...
                    ],
                    'TaskDetails' => [
                        'Arn' => '<string>',
                        'Containers' => [
                            [
                                'ContainerRuntime' => '<string>',
                                'Id' => '<string>',
                                'Image' => '<string>',
                                'ImagePrefix' => '<string>',
                                'Name' => '<string>',
                                'SecurityContext' => [
                                    'AllowPrivilegeEscalation' => true || false,
                                    'Privileged' => true || false,
                                ],
                                'VolumeMounts' => [
                                    [
                                        'MountPath' => '<string>',
                                        'Name' => '<string>',
                                    ],
                                    // ...
                                ],
                            ],
                            // ...
                        ],
                        'DefinitionArn' => '<string>',
                        'Group' => '<string>',
                        'LaunchType' => '<string>',
                        'StartedAt' => <DateTime>,
                        'StartedBy' => '<string>',
                        'Tags' => [
                            [
                                'Key' => '<string>',
                                'Value' => '<string>',
                            ],
                            // ...
                        ],
                        'TaskCreatedAt' => <DateTime>,
                        'Version' => '<string>',
                        'Volumes' => [
                            [
                                'HostPath' => [
                                    'Path' => '<string>',
                                ],
                                'Name' => '<string>',
                            ],
                            // ...
                        ],
                    ],
                ],
                'EksClusterDetails' => [
                    'Arn' => '<string>',
                    'CreatedAt' => <DateTime>,
                    'Name' => '<string>',
                    'Status' => '<string>',
                    'Tags' => [
                        [
                            'Key' => '<string>',
                            'Value' => '<string>',
                        ],
                        // ...
                    ],
                    'VpcId' => '<string>',
                ],
                'InstanceDetails' => [
                    'AvailabilityZone' => '<string>',
                    'IamInstanceProfile' => [
                        'Arn' => '<string>',
                        'Id' => '<string>',
                    ],
                    'ImageDescription' => '<string>',
                    'ImageId' => '<string>',
                    'InstanceId' => '<string>',
                    'InstanceState' => '<string>',
                    'InstanceType' => '<string>',
                    'LaunchTime' => '<string>',
                    'NetworkInterfaces' => [
                        [
                            'Ipv6Addresses' => ['<string>', ...],
                            'NetworkInterfaceId' => '<string>',
                            'PrivateDnsName' => '<string>',
                            'PrivateIpAddress' => '<string>',
                            'PrivateIpAddresses' => [
                                [
                                    'PrivateDnsName' => '<string>',
                                    'PrivateIpAddress' => '<string>',
                                ],
                                // ...
                            ],
                            'PublicDnsName' => '<string>',
                            'PublicIp' => '<string>',
                            'SecurityGroups' => [
                                [
                                    'GroupId' => '<string>',
                                    'GroupName' => '<string>',
                                ],
                                // ...
                            ],
                            'SubnetId' => '<string>',
                            'VpcId' => '<string>',
                        ],
                        // ...
                    ],
                    'OutpostArn' => '<string>',
                    'Platform' => '<string>',
                    'ProductCodes' => [
                        [
                            'Code' => '<string>',
                            'ProductType' => '<string>',
                        ],
                        // ...
                    ],
                    'Tags' => [
                        [
                            'Key' => '<string>',
                            'Value' => '<string>',
                        ],
                        // ...
                    ],
                ],
                'KubernetesDetails' => [
                    'KubernetesUserDetails' => [
                        'Groups' => ['<string>', ...],
                        'ImpersonatedUser' => [
                            'Groups' => ['<string>', ...],
                            'Username' => '<string>',
                        ],
                        'SessionName' => ['<string>', ...],
                        'Uid' => '<string>',
                        'Username' => '<string>',
                    ],
                    'KubernetesWorkloadDetails' => [
                        'Containers' => [
                            [
                                'ContainerRuntime' => '<string>',
                                'Id' => '<string>',
                                'Image' => '<string>',
                                'ImagePrefix' => '<string>',
                                'Name' => '<string>',
                                'SecurityContext' => [
                                    'AllowPrivilegeEscalation' => true || false,
                                    'Privileged' => true || false,
                                ],
                                'VolumeMounts' => [
                                    [
                                        'MountPath' => '<string>',
                                        'Name' => '<string>',
                                    ],
                                    // ...
                                ],
                            ],
                            // ...
                        ],
                        'HostIPC' => true || false,
                        'HostNetwork' => true || false,
                        'HostPID' => true || false,
                        'Name' => '<string>',
                        'Namespace' => '<string>',
                        'ServiceAccountName' => '<string>',
                        'Type' => '<string>',
                        'Uid' => '<string>',
                        'Volumes' => [
                            [
                                'HostPath' => [
                                    'Path' => '<string>',
                                ],
                                'Name' => '<string>',
                            ],
                            // ...
                        ],
                    ],
                ],
                'LambdaDetails' => [
                    'Description' => '<string>',
                    'FunctionArn' => '<string>',
                    'FunctionName' => '<string>',
                    'FunctionVersion' => '<string>',
                    'LastModifiedAt' => <DateTime>,
                    'RevisionId' => '<string>',
                    'Role' => '<string>',
                    'Tags' => [
                        [
                            'Key' => '<string>',
                            'Value' => '<string>',
                        ],
                        // ...
                    ],
                    'VpcConfig' => [
                        'SecurityGroups' => [
                            [
                                'GroupId' => '<string>',
                                'GroupName' => '<string>',
                            ],
                            // ...
                        ],
                        'SubnetIds' => ['<string>', ...],
                        'VpcId' => '<string>',
                    ],
                ],
                'RdsDbInstanceDetails' => [
                    'DbClusterIdentifier' => '<string>',
                    'DbInstanceArn' => '<string>',
                    'DbInstanceIdentifier' => '<string>',
                    'Engine' => '<string>',
                    'EngineVersion' => '<string>',
                    'Tags' => [
                        [
                            'Key' => '<string>',
                            'Value' => '<string>',
                        ],
                        // ...
                    ],
                ],
                'RdsDbUserDetails' => [
                    'Application' => '<string>',
                    'AuthMethod' => '<string>',
                    'Database' => '<string>',
                    'Ssl' => '<string>',
                    'User' => '<string>',
                ],
                'RdsLimitlessDbDetails' => [
                    'DbClusterIdentifier' => '<string>',
                    'DbShardGroupArn' => '<string>',
                    'DbShardGroupIdentifier' => '<string>',
                    'DbShardGroupResourceId' => '<string>',
                    'Engine' => '<string>',
                    'EngineVersion' => '<string>',
                    'Tags' => [
                        [
                            'Key' => '<string>',
                            'Value' => '<string>',
                        ],
                        // ...
                    ],
                ],
                'ResourceType' => '<string>',
                'S3BucketDetails' => [
                    [
                        'Arn' => '<string>',
                        'CreatedAt' => <DateTime>,
                        'DefaultServerSideEncryption' => [
                            'EncryptionType' => '<string>',
                            'KmsMasterKeyArn' => '<string>',
                        ],
                        'Name' => '<string>',
                        'Owner' => [
                            'Id' => '<string>',
                        ],
                        'PublicAccess' => [
                            'EffectivePermission' => '<string>',
                            'PermissionConfiguration' => [
                                'AccountLevelPermissions' => [
                                    'BlockPublicAccess' => [
                                        'BlockPublicAcls' => true || false,
                                        'BlockPublicPolicy' => true || false,
                                        'IgnorePublicAcls' => true || false,
                                        'RestrictPublicBuckets' => true || false,
                                    ],
                                ],
                                'BucketLevelPermissions' => [
                                    'AccessControlList' => [
                                        'AllowsPublicReadAccess' => true || false,
                                        'AllowsPublicWriteAccess' => true || false,
                                    ],
                                    'BlockPublicAccess' => [
                                        'BlockPublicAcls' => true || false,
                                        'BlockPublicPolicy' => true || false,
                                        'IgnorePublicAcls' => true || false,
                                        'RestrictPublicBuckets' => true || false,
                                    ],
                                    'BucketPolicy' => [
                                        'AllowsPublicReadAccess' => true || false,
                                        'AllowsPublicWriteAccess' => true || false,
                                    ],
                                ],
                            ],
                        ],
                        'S3ObjectDetails' => [
                            [
                                'ETag' => '<string>',
                                'Hash' => '<string>',
                                'Key' => '<string>',
                                'ObjectArn' => '<string>',
                                'VersionId' => '<string>',
                            ],
                            // ...
                        ],
                        'Tags' => [
                            [
                                'Key' => '<string>',
                                'Value' => '<string>',
                            ],
                            // ...
                        ],
                        'Type' => '<string>',
                    ],
                    // ...
                ],
            ],
            'SchemaVersion' => '<string>',
            'Service' => [
                'Action' => [
                    'ActionType' => '<string>',
                    'AwsApiCallAction' => [
                        'AffectedResources' => ['<string>', ...],
                        'Api' => '<string>',
                        'CallerType' => '<string>',
                        'DomainDetails' => [
                            'Domain' => '<string>',
                        ],
                        'ErrorCode' => '<string>',
                        'RemoteAccountDetails' => [
                            'AccountId' => '<string>',
                            'Affiliated' => true || false,
                        ],
                        'RemoteIpDetails' => [
                            'City' => [
                                'CityName' => '<string>',
                            ],
                            'Country' => [
                                'CountryCode' => '<string>',
                                'CountryName' => '<string>',
                            ],
                            'GeoLocation' => [
                                'Lat' => <float>,
                                'Lon' => <float>,
                            ],
                            'IpAddressV4' => '<string>',
                            'IpAddressV6' => '<string>',
                            'Organization' => [
                                'Asn' => '<string>',
                                'AsnOrg' => '<string>',
                                'Isp' => '<string>',
                                'Org' => '<string>',
                            ],
                        ],
                        'ServiceName' => '<string>',
                        'UserAgent' => '<string>',
                    ],
                    'DnsRequestAction' => [
                        'Blocked' => true || false,
                        'Domain' => '<string>',
                        'DomainWithSuffix' => '<string>',
                        'Protocol' => '<string>',
                    ],
                    'KubernetesApiCallAction' => [
                        'Namespace' => '<string>',
                        'Parameters' => '<string>',
                        'RemoteIpDetails' => [
                            'City' => [
                                'CityName' => '<string>',
                            ],
                            'Country' => [
                                'CountryCode' => '<string>',
                                'CountryName' => '<string>',
                            ],
                            'GeoLocation' => [
                                'Lat' => <float>,
                                'Lon' => <float>,
                            ],
                            'IpAddressV4' => '<string>',
                            'IpAddressV6' => '<string>',
                            'Organization' => [
                                'Asn' => '<string>',
                                'AsnOrg' => '<string>',
                                'Isp' => '<string>',
                                'Org' => '<string>',
                            ],
                        ],
                        'RequestUri' => '<string>',
                        'Resource' => '<string>',
                        'ResourceName' => '<string>',
                        'SourceIps' => ['<string>', ...],
                        'StatusCode' => <integer>,
                        'Subresource' => '<string>',
                        'UserAgent' => '<string>',
                        'Verb' => '<string>',
                    ],
                    'KubernetesPermissionCheckedDetails' => [
                        'Allowed' => true || false,
                        'Namespace' => '<string>',
                        'Resource' => '<string>',
                        'Verb' => '<string>',
                    ],
                    'KubernetesRoleBindingDetails' => [
                        'Kind' => '<string>',
                        'Name' => '<string>',
                        'RoleRefKind' => '<string>',
                        'RoleRefName' => '<string>',
                        'Uid' => '<string>',
                    ],
                    'KubernetesRoleDetails' => [
                        'Kind' => '<string>',
                        'Name' => '<string>',
                        'Uid' => '<string>',
                    ],
                    'NetworkConnectionAction' => [
                        'Blocked' => true || false,
                        'ConnectionDirection' => '<string>',
                        'LocalIpDetails' => [
                            'IpAddressV4' => '<string>',
                            'IpAddressV6' => '<string>',
                        ],
                        'LocalNetworkInterface' => '<string>',
                        'LocalPortDetails' => [
                            'Port' => <integer>,
                            'PortName' => '<string>',
                        ],
                        'Protocol' => '<string>',
                        'RemoteIpDetails' => [
                            'City' => [
                                'CityName' => '<string>',
                            ],
                            'Country' => [
                                'CountryCode' => '<string>',
                                'CountryName' => '<string>',
                            ],
                            'GeoLocation' => [
                                'Lat' => <float>,
                                'Lon' => <float>,
                            ],
                            'IpAddressV4' => '<string>',
                            'IpAddressV6' => '<string>',
                            'Organization' => [
                                'Asn' => '<string>',
                                'AsnOrg' => '<string>',
                                'Isp' => '<string>',
                                'Org' => '<string>',
                            ],
                        ],
                        'RemotePortDetails' => [
                            'Port' => <integer>,
                            'PortName' => '<string>',
                        ],
                    ],
                    'PortProbeAction' => [
                        'Blocked' => true || false,
                        'PortProbeDetails' => [
                            [
                                'LocalIpDetails' => [
                                    'IpAddressV4' => '<string>',
                                    'IpAddressV6' => '<string>',
                                ],
                                'LocalPortDetails' => [
                                    'Port' => <integer>,
                                    'PortName' => '<string>',
                                ],
                                'RemoteIpDetails' => [
                                    'City' => [
                                        'CityName' => '<string>',
                                    ],
                                    'Country' => [
                                        'CountryCode' => '<string>',
                                        'CountryName' => '<string>',
                                    ],
                                    'GeoLocation' => [
                                        'Lat' => <float>,
                                        'Lon' => <float>,
                                    ],
                                    'IpAddressV4' => '<string>',
                                    'IpAddressV6' => '<string>',
                                    'Organization' => [
                                        'Asn' => '<string>',
                                        'AsnOrg' => '<string>',
                                        'Isp' => '<string>',
                                        'Org' => '<string>',
                                    ],
                                ],
                            ],
                            // ...
                        ],
                    ],
                    'RdsLoginAttemptAction' => [
                        'LoginAttributes' => [
                            [
                                'Application' => '<string>',
                                'FailedLoginAttempts' => <integer>,
                                'SuccessfulLoginAttempts' => <integer>,
                                'User' => '<string>',
                            ],
                            // ...
                        ],
                        'RemoteIpDetails' => [
                            'City' => [
                                'CityName' => '<string>',
                            ],
                            'Country' => [
                                'CountryCode' => '<string>',
                                'CountryName' => '<string>',
                            ],
                            'GeoLocation' => [
                                'Lat' => <float>,
                                'Lon' => <float>,
                            ],
                            'IpAddressV4' => '<string>',
                            'IpAddressV6' => '<string>',
                            'Organization' => [
                                'Asn' => '<string>',
                                'AsnOrg' => '<string>',
                                'Isp' => '<string>',
                                'Org' => '<string>',
                            ],
                        ],
                    ],
                ],
                'AdditionalInfo' => [
                    'Type' => '<string>',
                    'Value' => '<string>',
                ],
                'Archived' => true || false,
                'Count' => <integer>,
                'Detection' => [
                    'Anomaly' => [
                        'Profiles' => [
                            '<String>' => [
                                '<String>' => [
                                    [
                                        'Observations' => [
                                            'Text' => ['<string>', ...],
                                        ],
                                        'ProfileSubtype' => 'FREQUENT|INFREQUENT|UNSEEN|RARE',
                                        'ProfileType' => 'FREQUENCY',
                                    ],
                                    // ...
                                ],
                                // ...
                            ],
                            // ...
                        ],
                        'Unusual' => [
                            'Behavior' => [
                                '<String>' => [
                                    '<String>' => [
                                        'Observations' => [
                                            'Text' => ['<string>', ...],
                                        ],
                                        'ProfileSubtype' => 'FREQUENT|INFREQUENT|UNSEEN|RARE',
                                        'ProfileType' => 'FREQUENCY',
                                    ],
                                    // ...
                                ],
                                // ...
                            ],
                        ],
                    ],
                    'Sequence' => [
                        'Actors' => [
                            [
                                'Id' => '<string>',
                                'Session' => [
                                    'CreatedTime' => <DateTime>,
                                    'Issuer' => '<string>',
                                    'MfaStatus' => 'ENABLED|DISABLED',
                                    'Uid' => '<string>',
                                ],
                                'User' => [
                                    'Account' => [
                                        'Name' => '<string>',
                                        'Uid' => '<string>',
                                    ],
                                    'CredentialUid' => '<string>',
                                    'Name' => '<string>',
                                    'Type' => '<string>',
                                    'Uid' => '<string>',
                                ],
                            ],
                            // ...
                        ],
                        'Description' => '<string>',
                        'Endpoints' => [
                            [
                                'AutonomousSystem' => [
                                    'Name' => '<string>',
                                    'Number' => <integer>,
                                ],
                                'Connection' => [
                                    'Direction' => 'INBOUND|OUTBOUND',
                                ],
                                'Domain' => '<string>',
                                'Id' => '<string>',
                                'Ip' => '<string>',
                                'Location' => [
                                    'City' => '<string>',
                                    'Country' => '<string>',
                                    'Latitude' => <float>,
                                    'Longitude' => <float>,
                                ],
                                'Port' => <integer>,
                            ],
                            // ...
                        ],
                        'Resources' => [
                            [
                                'AccountId' => '<string>',
                                'CloudPartition' => '<string>',
                                'Data' => [
                                    'AccessKey' => [
                                        'PrincipalId' => '<string>',
                                        'UserName' => '<string>',
                                        'UserType' => '<string>',
                                    ],
                                    'Ec2Instance' => [
                                        'AvailabilityZone' => '<string>',
                                        'Ec2NetworkInterfaceUids' => ['<string>', ...],
                                        'IamInstanceProfile' => [
                                            'Arn' => '<string>',
                                            'Id' => '<string>',
                                        ],
                                        'ImageDescription' => '<string>',
                                        'InstanceState' => '<string>',
                                        'InstanceType' => '<string>',
                                        'OutpostArn' => '<string>',
                                        'Platform' => '<string>',
                                        'ProductCodes' => [
                                            [
                                                'Code' => '<string>',
                                                'ProductType' => '<string>',
                                            ],
                                            // ...
                                        ],
                                    ],
                                    'Ec2NetworkInterface' => [
                                        'Ipv6Addresses' => ['<string>', ...],
                                        'PrivateIpAddresses' => [
                                            [
                                                'PrivateDnsName' => '<string>',
                                                'PrivateIpAddress' => '<string>',
                                            ],
                                            // ...
                                        ],
                                        'PublicIp' => '<string>',
                                        'SecurityGroups' => [
                                            [
                                                'GroupId' => '<string>',
                                                'GroupName' => '<string>',
                                            ],
                                            // ...
                                        ],
                                        'SubNetId' => '<string>',
                                        'VpcId' => '<string>',
                                    ],
                                    'S3Bucket' => [
                                        'AccountPublicAccess' => [
                                            'PublicAclAccess' => 'BLOCKED|ALLOWED',
                                            'PublicAclIgnoreBehavior' => 'IGNORED|NOT_IGNORED',
                                            'PublicBucketRestrictBehavior' => 'RESTRICTED|NOT_RESTRICTED',
                                            'PublicPolicyAccess' => 'BLOCKED|ALLOWED',
                                        ],
                                        'BucketPublicAccess' => [
                                            'PublicAclAccess' => 'BLOCKED|ALLOWED',
                                            'PublicAclIgnoreBehavior' => 'IGNORED|NOT_IGNORED',
                                            'PublicBucketRestrictBehavior' => 'RESTRICTED|NOT_RESTRICTED',
                                            'PublicPolicyAccess' => 'BLOCKED|ALLOWED',
                                        ],
                                        'CreatedAt' => <DateTime>,
                                        'EffectivePermission' => '<string>',
                                        'EncryptionKeyArn' => '<string>',
                                        'EncryptionType' => '<string>',
                                        'OwnerId' => '<string>',
                                        'PublicReadAccess' => 'BLOCKED|ALLOWED',
                                        'PublicWriteAccess' => 'BLOCKED|ALLOWED',
                                        'S3ObjectUids' => ['<string>', ...],
                                    ],
                                    'S3Object' => [
                                        'ETag' => '<string>',
                                        'Key' => '<string>',
                                        'VersionId' => '<string>',
                                    ],
                                ],
                                'Name' => '<string>',
                                'Region' => '<string>',
                                'ResourceType' => 'EC2_INSTANCE|EC2_NETWORK_INTERFACE|S3_BUCKET|S3_OBJECT|ACCESS_KEY',
                                'Service' => '<string>',
                                'Tags' => [
                                    [
                                        'Key' => '<string>',
                                        'Value' => '<string>',
                                    ],
                                    // ...
                                ],
                                'Uid' => '<string>',
                            ],
                            // ...
                        ],
                        'SequenceIndicators' => [
                            [
                                'Key' => 'SUSPICIOUS_USER_AGENT|SUSPICIOUS_NETWORK|MALICIOUS_IP|TOR_IP|ATTACK_TACTIC|HIGH_RISK_API|ATTACK_TECHNIQUE|UNUSUAL_API_FOR_ACCOUNT|UNUSUAL_ASN_FOR_ACCOUNT|UNUSUAL_ASN_FOR_USER',
                                'Title' => '<string>',
                                'Values' => ['<string>', ...],
                            ],
                            // ...
                        ],
                        'Signals' => [
                            [
                                'ActorIds' => ['<string>', ...],
                                'Count' => <integer>,
                                'CreatedAt' => <DateTime>,
                                'Description' => '<string>',
                                'EndpointIds' => ['<string>', ...],
                                'FirstSeenAt' => <DateTime>,
                                'LastSeenAt' => <DateTime>,
                                'Name' => '<string>',
                                'ResourceUids' => ['<string>', ...],
                                'Severity' => <float>,
                                'SignalIndicators' => [
                                    [
                                        'Key' => 'SUSPICIOUS_USER_AGENT|SUSPICIOUS_NETWORK|MALICIOUS_IP|TOR_IP|ATTACK_TACTIC|HIGH_RISK_API|ATTACK_TECHNIQUE|UNUSUAL_API_FOR_ACCOUNT|UNUSUAL_ASN_FOR_ACCOUNT|UNUSUAL_ASN_FOR_USER',
                                        'Title' => '<string>',
                                        'Values' => ['<string>', ...],
                                    ],
                                    // ...
                                ],
                                'Type' => 'FINDING|CLOUD_TRAIL|S3_DATA_EVENTS',
                                'Uid' => '<string>',
                                'UpdatedAt' => <DateTime>,
                            ],
                            // ...
                        ],
                        'Uid' => '<string>',
                    ],
                ],
                'DetectorId' => '<string>',
                'EbsVolumeScanDetails' => [
                    'ScanCompletedAt' => <DateTime>,
                    'ScanDetections' => [
                        'HighestSeverityThreatDetails' => [
                            'Count' => <integer>,
                            'Severity' => '<string>',
                            'ThreatName' => '<string>',
                        ],
                        'ScannedItemCount' => [
                            'Files' => <integer>,
                            'TotalGb' => <integer>,
                            'Volumes' => <integer>,
                        ],
                        'ThreatDetectedByName' => [
                            'ItemCount' => <integer>,
                            'Shortened' => true || false,
                            'ThreatNames' => [
                                [
                                    'FilePaths' => [
                                        [
                                            'FileName' => '<string>',
                                            'FilePath' => '<string>',
                                            'Hash' => '<string>',
                                            'VolumeArn' => '<string>',
                                        ],
                                        // ...
                                    ],
                                    'ItemCount' => <integer>,
                                    'Name' => '<string>',
                                    'Severity' => '<string>',
                                ],
                                // ...
                            ],
                            'UniqueThreatNameCount' => <integer>,
                        ],
                        'ThreatsDetectedItemCount' => [
                            'Files' => <integer>,
                        ],
                    ],
                    'ScanId' => '<string>',
                    'ScanStartedAt' => <DateTime>,
                    'ScanType' => 'GUARDDUTY_INITIATED|ON_DEMAND',
                    'Sources' => ['<string>', ...],
                    'TriggerFindingId' => '<string>',
                ],
                'EventFirstSeen' => '<string>',
                'EventLastSeen' => '<string>',
                'Evidence' => [
                    'ThreatIntelligenceDetails' => [
                        [
                            'ThreatFileSha256' => '<string>',
                            'ThreatListName' => '<string>',
                            'ThreatNames' => ['<string>', ...],
                        ],
                        // ...
                    ],
                ],
                'FeatureName' => '<string>',
                'MalwareScanDetails' => [
                    'Threats' => [
                        [
                            'ItemPaths' => [
                                [
                                    'Hash' => '<string>',
                                    'NestedItemPath' => '<string>',
                                ],
                                // ...
                            ],
                            'Name' => '<string>',
                            'Source' => '<string>',
                        ],
                        // ...
                    ],
                ],
                'ResourceRole' => '<string>',
                'RuntimeDetails' => [
                    'Context' => [
                        'AddressFamily' => '<string>',
                        'CommandLineExample' => '<string>',
                        'FileSystemType' => '<string>',
                        'Flags' => ['<string>', ...],
                        'IanaProtocolNumber' => <integer>,
                        'LdPreloadValue' => '<string>',
                        'LibraryPath' => '<string>',
                        'MemoryRegions' => ['<string>', ...],
                        'ModifiedAt' => <DateTime>,
                        'ModifyingProcess' => [
                            'Euid' => <integer>,
                            'ExecutablePath' => '<string>',
                            'ExecutableSha256' => '<string>',
                            'Lineage' => [
                                [
                                    'Euid' => <integer>,
                                    'ExecutablePath' => '<string>',
                                    'Name' => '<string>',
                                    'NamespacePid' => <integer>,
                                    'ParentUuid' => '<string>',
                                    'Pid' => <integer>,
                                    'StartTime' => <DateTime>,
                                    'UserId' => <integer>,
                                    'Uuid' => '<string>',
                                ],
                                // ...
                            ],
                            'Name' => '<string>',
                            'NamespacePid' => <integer>,
                            'ParentUuid' => '<string>',
                            'Pid' => <integer>,
                            'Pwd' => '<string>',
                            'StartTime' => <DateTime>,
                            'User' => '<string>',
                            'UserId' => <integer>,
                            'Uuid' => '<string>',
                        ],
                        'ModuleFilePath' => '<string>',
                        'ModuleName' => '<string>',
                        'ModuleSha256' => '<string>',
                        'MountSource' => '<string>',
                        'MountTarget' => '<string>',
                        'ReleaseAgentPath' => '<string>',
                        'RuncBinaryPath' => '<string>',
                        'ScriptPath' => '<string>',
                        'ServiceName' => '<string>',
                        'ShellHistoryFilePath' => '<string>',
                        'SocketPath' => '<string>',
                        'TargetProcess' => [
                            'Euid' => <integer>,
                            'ExecutablePath' => '<string>',
                            'ExecutableSha256' => '<string>',
                            'Lineage' => [
                                [
                                    'Euid' => <integer>,
                                    'ExecutablePath' => '<string>',
                                    'Name' => '<string>',
                                    'NamespacePid' => <integer>,
                                    'ParentUuid' => '<string>',
                                    'Pid' => <integer>,
                                    'StartTime' => <DateTime>,
                                    'UserId' => <integer>,
                                    'Uuid' => '<string>',
                                ],
                                // ...
                            ],
                            'Name' => '<string>',
                            'NamespacePid' => <integer>,
                            'ParentUuid' => '<string>',
                            'Pid' => <integer>,
                            'Pwd' => '<string>',
                            'StartTime' => <DateTime>,
                            'User' => '<string>',
                            'UserId' => <integer>,
                            'Uuid' => '<string>',
                        ],
                        'ThreatFilePath' => '<string>',
                        'ToolCategory' => '<string>',
                        'ToolName' => '<string>',
                    ],
                    'Process' => [
                        'Euid' => <integer>,
                        'ExecutablePath' => '<string>',
                        'ExecutableSha256' => '<string>',
                        'Lineage' => [
                            [
                                'Euid' => <integer>,
                                'ExecutablePath' => '<string>',
                                'Name' => '<string>',
                                'NamespacePid' => <integer>,
                                'ParentUuid' => '<string>',
                                'Pid' => <integer>,
                                'StartTime' => <DateTime>,
                                'UserId' => <integer>,
                                'Uuid' => '<string>',
                            ],
                            // ...
                        ],
                        'Name' => '<string>',
                        'NamespacePid' => <integer>,
                        'ParentUuid' => '<string>',
                        'Pid' => <integer>,
                        'Pwd' => '<string>',
                        'StartTime' => <DateTime>,
                        'User' => '<string>',
                        'UserId' => <integer>,
                        'Uuid' => '<string>',
                    ],
                ],
                'ServiceName' => '<string>',
                'UserFeedback' => '<string>',
            ],
            'Severity' => <float>,
            'Title' => '<string>',
            'Type' => '<string>',
            'UpdatedAt' => '<string>',
        ],
        // ...
    ],
]

Result Details

Members
Findings
Required: Yes
Type: Array of Finding structures

A list of findings.

Errors

BadRequestException:

A bad request exception object.

InternalServerErrorException:

An internal server error exception object.
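The Finding structure above is deep enough that most consumers reduce it before triage. The following is an added example, written for this page and not code from the AWS SDK reference, that lists unarchived findings at severity 7 or above, fetches their bodies with GetFindings, and flattens each Finding to the fields an analyst reads first. It assumes the ListFindings operation (NextToken pagination), a GetFindings batch limit of 50 finding IDs, the Id and Resource members of Finding that sit above this excerpt, and GuardDuty's published severity bands; the sample finding at the bottom is constructed, not real data.

```php
<?php
// Added example, not part of the SDK reference: fetch unarchived findings of
// severity 7 or higher and reduce each Finding (shape as in the GetFindings
// result syntax above) to a compact triage record. Assumptions are marked.

require 'vendor/autoload.php';

use Aws\GuardDuty\GuardDutyClient;

// Severity bands assumed from GuardDuty's published scale:
// Low 1-3.9, Medium 4-6.9, High 7-8.9, Critical 9 and above.
function severityLabel(float $severity): string
{
    if ($severity >= 9.0) { return 'CRITICAL'; }
    if ($severity >= 7.0) { return 'HIGH'; }
    if ($severity >= 4.0) { return 'MEDIUM'; }
    return 'LOW';
}

// The remote peer sits under a different Action sub-structure per ActionType
// (AwsApiCallAction, above this excerpt, carries RemoteIpDetails as well).
function remoteIpDetails(array $action): ?array
{
    foreach (['NetworkConnectionAction', 'AwsApiCallAction', 'RdsLoginAttemptAction'] as $key) {
        if (isset($action[$key]['RemoteIpDetails'])) {
            return $action[$key]['RemoteIpDetails'];
        }
    }
    // Port probes carry one RemoteIpDetails per probe; report the first one.
    return $action['PortProbeAction']['PortProbeDetails'][0]['RemoteIpDetails'] ?? null;
}

function summarizeFinding(array $finding): array
{
    $service  = $finding['Service'] ?? [];
    $remote   = remoteIpDetails($service['Action'] ?? []);
    $severity = (float) ($finding['Severity'] ?? 0.0);

    return [
        'id'            => $finding['Id'] ?? '',
        'type'          => $finding['Type'] ?? '',
        'severityScore' => $severity,
        'severity'      => severityLabel($severity),
        'resource'      => $finding['Resource']['ResourceType'] ?? '',
        'lastSeen'      => $service['EventLastSeen'] ?? '',
        'remoteIp'      => $remote['IpAddressV4'] ?? $remote['IpAddressV6'] ?? null,
        'remoteAsn'     => $remote['Organization']['Asn'] ?? null,
        'archived'      => (bool) ($service['Archived'] ?? false),
    ];
}

// ListFindings pages finding IDs via NextToken; GetFindings then returns the
// full bodies. The batch size of 50 IDs per GetFindings call is an assumed limit.
function fetchHighSeverityFindings(GuardDutyClient $client, string $detectorId): array
{
    $criteria = ['Criterion' => [
        'severity'         => ['Gte' => 7],
        'service.archived' => ['Equals' => ['false']],
    ]];

    $ids = [];
    $nextToken = null;
    do {
        $params = ['DetectorId' => $detectorId, 'FindingCriteria' => $criteria, 'MaxResults' => 50];
        if ($nextToken !== null) {
            $params['NextToken'] = $nextToken;
        }
        $page = $client->listFindings($params);
        $ids = array_merge($ids, $page['FindingIds'] ?? []);
        $nextToken = $page['NextToken'] ?? null;
    } while ($nextToken);

    $summaries = [];
    foreach (array_chunk($ids, 50) as $batch) {
        $result = $client->getFindings(['DetectorId' => $detectorId, 'FindingIds' => $batch]);
        foreach ($result['Findings'] as $finding) {
            $summaries[] = summarizeFinding($finding);
        }
    }
    // Highest severity first so the queue reads top-down.
    usort($summaries, fn($a, $b) => $b['severityScore'] <=> $a['severityScore']);
    return $summaries;
}

// Constructed sample (not real data) so summarizeFinding can run offline.
$sample = [
    'Id' => 'finding-id-placeholder', 'Type' => 'UnauthorizedAccess:EC2/SSHBruteForce',
    'Severity' => 5.0, 'Resource' => ['ResourceType' => 'Instance'],
    'Service' => ['Archived' => false, 'EventLastSeen' => '2024-01-01T00:00:00Z',
        'Action' => ['NetworkConnectionAction' => ['RemoteIpDetails' => [
            'IpAddressV4' => '198.51.100.7', 'Organization' => ['Asn' => '64496']]]]],
];
print_r(summarizeFinding($sample));

if (getenv('GUARDDUTY_DETECTOR_ID')) {
    $client = new GuardDutyClient(['region' => getenv('AWS_REGION') ?: 'us-east-1', 'version' => '2017-11-28']);
    print_r(fetchHighSeverityFindings($client, getenv('GUARDDUTY_DETECTOR_ID')));
}
```

The live path runs only when GUARDDUTY_DETECTOR_ID is set; otherwise the script prints the summary of the constructed sample, which is enough to check the flattening logic before pointing it at a real detector.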

GetFindingsStatistics

$result = $client->getFindingsStatistics([/* ... */]);
$promise = $client->getFindingsStatisticsAsync([/* ... */]);

Lists GuardDuty findings statistics for the specified detector ID.

You must provide either the findingStatisticTypes or the groupBy parameter, but not both. You can use the maxResults and orderBy parameters only together with groupBy.

There might be regional differences because some flags might not be available in all the Regions where GuardDuty is currently supported. For more information, see Regions and endpoints.

Parameter Syntax

$result = $client->getFindingsStatistics([
    'DetectorId' => '<string>', // REQUIRED
    'FindingCriteria' => [
        'Criterion' => [
            '<String>' => [
                'Eq' => ['<string>', ...],
                'Equals' => ['<string>', ...],
                'GreaterThan' => <integer>,
                'GreaterThanOrEqual' => <integer>,
                'Gt' => <integer>,
                'Gte' => <integer>,
                'LessThan' => <integer>,
                'LessThanOrEqual' => <integer>,
                'Lt' => <integer>,
                'Lte' => <integer>,
                'Neq' => ['<string>', ...],
                'NotEquals' => ['<string>', ...],
            ],
            // ...
        ],
    ],
    'FindingStatisticTypes' => ['<string>', ...],
    'GroupBy' => 'ACCOUNT|DATE|FINDING_TYPE|RESOURCE|SEVERITY',
    'MaxResults' => <integer>,
    'OrderBy' => 'ASC|DESC',
]);

Parameter Details

Members
DetectorId
Required: Yes
Type: string

The ID of the detector whose findings statistics you want to retrieve.

To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.

FindingCriteria
Type: FindingCriteria structure

Represents the criteria that are used for querying findings.

FindingStatisticTypes
Type: Array of strings

The types of finding statistics to retrieve.

GroupBy
Type: string

Displays the findings statistics grouped by one of the listed valid values.

MaxResults
Type: int

The maximum number of results to be returned in the response. The default value is 25.

You can use this parameter only with the groupBy parameter.

OrderBy
Type: string

Displays the sorted findings in the requested order. The default value of orderBy is DESC.

You can use this parameter only with the groupBy parameter.

Result Syntax

[
    'FindingStatistics' => [
        'CountBySeverity' => [<integer>, ...],
        'GroupedByAccount' => [
            [
                'AccountId' => '<string>',
                'LastGeneratedAt' => <DateTime>,
                'TotalFindings' => <integer>,
            ],
            // ...
        ],
        'GroupedByDate' => [
            [
                'Date' => <DateTime>,
                'LastGeneratedAt' => <DateTime>,
                'Severity' => <float>,
                'TotalFindings' => <integer>,
            ],
            // ...
        ],
        'GroupedByFindingType' => [
            [
                'FindingType' => '<string>',
                'LastGeneratedAt' => <DateTime>,
                'TotalFindings' => <integer>,
            ],
            // ...
        ],
        'GroupedByResource' => [
            [
                'AccountId' => '<string>',
                'LastGeneratedAt' => <DateTime>,
                'ResourceId' => '<string>',
                'ResourceType' => '<string>',
                'TotalFindings' => <integer>,
            ],
            // ...
        ],
        'GroupedBySeverity' => [
            [
                'LastGeneratedAt' => <DateTime>,
                'Severity' => <float>,
                'TotalFindings' => <integer>,
            ],
            // ...
        ],
    ],
    'NextToken' => '<string>',
]

Result Details

Members
FindingStatistics
Required: Yes
Type: FindingStatistics structure

The finding statistics object.

NextToken
Type: string

The pagination parameter to be used on the next list operation to retrieve more items.

This parameter is currently not supported.

Errors

BadRequestException:

A bad request exception object.

InternalServerErrorException:

An internal server error exception object.
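Because the service rejects a request that sets both FindingStatisticTypes and GroupBy, or MaxResults/OrderBy without GroupBy, it helps to enforce those rules before the call is made. The following is an added example, not code from the SDK reference, that builds GetFindingsStatistics parameters through one guarded helper and then calls the operation in each of its two modes. It assumes COUNT_BY_SEVERITY as the accepted finding statistic type and uses the severity and service.archived filter keys as assumed criterion names; the detector ID placeholder is not a real value.

```php
<?php
// Added example, not part of the SDK reference: call GetFindingsStatistics
// in both of its mutually exclusive modes, with the parameter rules checked
// client-side so invalid combinations never reach the service.

require 'vendor/autoload.php';

use Aws\GuardDuty\GuardDutyClient;

// Criteria shared by both calls: unarchived findings at severity 7 or above
// (assumed criterion key names).
function highSeverityCriteria(): array
{
    return ['Criterion' => [
        'severity'         => ['Gte' => 7],
        'service.archived' => ['Equals' => ['false']],
    ]];
}

// Builds the request, rejecting what the service answers with a
// BadRequestException: both modes, neither mode, or paging without GroupBy.
function buildStatisticsParams(
    string $detectorId,
    array $criteria,
    ?string $groupBy = null,
    ?array $statisticTypes = null,
    ?int $maxResults = null,
    ?string $orderBy = null
): array {
    if (($groupBy === null) === ($statisticTypes === null)) {
        throw new InvalidArgumentException('Provide exactly one of GroupBy or FindingStatisticTypes');
    }
    if ($groupBy === null && ($maxResults !== null || $orderBy !== null)) {
        throw new InvalidArgumentException('MaxResults and OrderBy require GroupBy');
    }
    $params = ['DetectorId' => $detectorId, 'FindingCriteria' => $criteria];
    if ($groupBy !== null) {
        $params['GroupBy'] = $groupBy;
        if ($maxResults !== null) { $params['MaxResults'] = $maxResults; }
        if ($orderBy !== null) { $params['OrderBy'] = $orderBy; }
    } else {
        $params['FindingStatisticTypes'] = $statisticTypes;
    }
    return $params;
}

// Mode 1: severity histogram. COUNT_BY_SEVERITY is assumed to be the
// statistic type the service accepts.
function countBySeverity(GuardDutyClient $client, string $detectorId): array
{
    $params = buildStatisticsParams($detectorId, highSeverityCriteria(), null, ['COUNT_BY_SEVERITY']);
    $result = $client->getFindingsStatistics($params);
    return $result['FindingStatistics']['CountBySeverity'] ?? [];
}

// Mode 2: grouped by finding type, limited and ordered (DESC is the default).
function topFindingTypes(GuardDutyClient $client, string $detectorId, int $limit = 10): array
{
    $params = buildStatisticsParams($detectorId, highSeverityCriteria(), 'FINDING_TYPE', null, $limit, 'DESC');
    $result = $client->getFindingsStatistics($params);
    $rows = [];
    foreach ($result['FindingStatistics']['GroupedByFindingType'] ?? [] as $row) {
        $last = $row['LastGeneratedAt'] ?? null;
        $rows[$row['FindingType']] = [
            'total'    => (int) $row['TotalFindings'],
            // The SDK returns timestamps as DateTime objects; normalise to ISO 8601.
            'lastSeen' => $last instanceof DateTimeInterface ? $last->format(DATE_ATOM) : (string) $last,
        ];
    }
    return $rows;
}

// Offline check of the guard: this combination is rejected before any request.
try {
    buildStatisticsParams('detector-id-placeholder', highSeverityCriteria(), 'SEVERITY', ['COUNT_BY_SEVERITY']);
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}

if (getenv('GUARDDUTY_DETECTOR_ID')) {
    $client = new GuardDutyClient(['region' => getenv('AWS_REGION') ?: 'us-east-1', 'version' => '2017-11-28']);
    print_r(countBySeverity($client, getenv('GUARDDUTY_DETECTOR_ID')));
    print_r(topFindingTypes($client, getenv('GUARDDUTY_DETECTOR_ID')));
}
```

Keeping the parameter rules in one builder means every caller gets the same rejection message locally instead of a BadRequestException from the service, and the two mode-specific functions show which result member each mode populates.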

GetIPSet

$result = $client->getIPSet([/* ... */]);
$promise = $client->getIPSetAsync([/* ... */]);

Retrieves the IPSet specified by the ipSetId.

Parameter Syntax

$result = $client->getIPSet([
    'DetectorId' => '<string>', // REQUIRED
    'IpSetId' => '<string>', // REQUIRED
]);

Parameter Details

Members
DetectorId
Required: Yes
Type: string

The unique ID of the detector that is associated with the IPSet.

To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.

IpSetId
Required: Yes
Type: string

The unique ID of the IPSet to retrieve.

Result Syntax

[
    'Format' => 'TXT|STIX|OTX_CSV|ALIEN_VAULT|PROOF_POINT|FIRE_EYE',
    'Location' => '<string>',
    'Name' => '<string>',
    'Status' => 'INACTIVE|ACTIVATING|ACTIVE|DEACTIVATING|ERROR|DELETE_PENDING|DELETED',
    'Tags' => ['<string>', ...],
]

Result Details

Members
Format
Required: Yes
Type: string

The format of the file that contains the IPSet.

Location
Required: Yes
Type: string

The URI of the file that contains the IPSet.

Name
Required: Yes
Type: string

The user-friendly name for the IPSet.

Status
Required: Yes
Type: string

The status of the IPSet file that was uploaded.

Tags
Type: Associative array of custom string keys (TagKey) to strings

The tags of the IPSet resource.

Errors

BadRequestException:

A bad request exception object.

InternalServerErrorException:

An internal server error exception object.
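An IPSet does not become usable the moment it is created or updated; GetIPSet reports ACTIVATING or DEACTIVATING while the change is in flight. The following is an added example, not code from the SDK reference, that polls GetIPSet until the Status settles and distinguishes a ready list from a terminal state. The Status values are the ones in the result syntax above; the polling interval, attempt limit and the decision to treat INACTIVE as terminal are this example's own choices.

```php
<?php
// Added example, not part of the SDK reference: wait for a trusted IP list
// (IPSet) to leave its transitional states before relying on it.

require 'vendor/autoload.php';

use Aws\GuardDuty\GuardDutyClient;

// Classify a GetIPSet Status value (enum taken from the result syntax above).
function ipSetTransition(string $status): string
{
    if ($status === 'ACTIVE') {
        return 'ready';
    }
    if (in_array($status, ['ACTIVATING', 'DEACTIVATING'], true)) {
        return 'pending';
    }
    // INACTIVE, ERROR, DELETE_PENDING, DELETED: no further change is expected
    // without another API call, so stop polling.
    return 'terminal';
}

// Polls until the status is no longer pending. Interval and attempt limit are
// example choices, not service guidance.
function waitForIpSet(GuardDutyClient $client, string $detectorId, string $ipSetId,
                      int $maxAttempts = 20, int $sleepSeconds = 3): array
{
    for ($attempt = 1; $attempt <= $maxAttempts; $attempt++) {
        $set = $client->getIPSet(['DetectorId' => $detectorId, 'IpSetId' => $ipSetId]);
        $state = ipSetTransition($set['Status']);
        if ($state !== 'pending') {
            return [
                'ready'    => $state === 'ready',
                'status'   => $set['Status'],
                'name'     => $set['Name'],
                'format'   => $set['Format'],
                'location' => $set['Location'],
            ];
        }
        sleep($sleepSeconds);
    }
    throw new RuntimeException("IPSet $ipSetId still pending after $maxAttempts attempts");
}

// Offline check of the classifier on every value the enum lists.
foreach (['INACTIVE', 'ACTIVATING', 'ACTIVE', 'DEACTIVATING', 'ERROR', 'DELETE_PENDING', 'DELETED'] as $s) {
    echo str_pad($s, 16) . ipSetTransition($s) . "\n";
}

if (getenv('GUARDDUTY_DETECTOR_ID') && getenv('GUARDDUTY_IPSET_ID')) {
    $client = new GuardDutyClient(['region' => getenv('AWS_REGION') ?: 'us-east-1', 'version' => '2017-11-28']);
    print_r(waitForIpSet($client, getenv('GUARDDUTY_DETECTOR_ID'), getenv('GUARDDUTY_IPSET_ID')));
}
```

A caller that needs the list active (for example a deployment step that just ran CreateIPSet or UpdateIPSet) can check the returned 'ready' flag and surface the 'status' and 'location' when it is false, which is usually enough to tell a bad file URI apart from a list that was simply created without activation.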

GetInvitationsCount

$result = $client->getInvitationsCount([/* ... */]);
$promise = $client->getInvitationsCountAsync([/* ... */]);

Returns the count of all GuardDuty membership invitations that were sent to the current member account except the currently accepted invitation.

Parameter Syntax

$result = $client->getInvitationsCount([
]);

Parameter Details

Members

Result Syntax

[
    'InvitationsCount' => <integer>,
]

Result Details

Members
InvitationsCount
Type: int

The number of received invitations.

Errors

BadRequestException:

A bad request exception object.

InternalServerErrorException:

An internal server error exception object.

GetMalwareProtectionPlan

$result = $client->getMalwareProtectionPlan([/* ... */]);
$promise = $client->getMalwareProtectionPlanAsync([/* ... */]);

Retrieves the Malware Protection plan details associated with a Malware Protection plan ID.

Parameter Syntax

$result = $client->getMalwareProtectionPlan([
    'MalwareProtectionPlanId' => '<string>', // REQUIRED
]);

Parameter Details

Members
MalwareProtectionPlanId
Required: Yes
Type: string

A unique identifier associated with the Malware Protection plan resource.

Result Syntax

[
    'Actions' => [
        'Tagging' => [
            'Status' => 'ENABLED|DISABLED',
        ],
    ],
    'Arn' => '<string>',
    'CreatedAt' => <DateTime>,
    'ProtectedResource' => [
        'S3Bucket' => [
            'BucketName' => '<string>',
            'ObjectPrefixes' => ['<string>', ...],
        ],
    ],
    'Role' => '<string>',
    'Status' => 'ACTIVE|WARNING|ERROR',
    'StatusReasons' => [
        [
            'Code' => '<string>',
            'Message' => '<string>',
        ],
        // ...
    ],
    'Tags' => ['<string>', ...],
]

Result Details

Members
Actions

Information about whether the tags will be added to the S3 object after scanning.

Arn
Type: string

Amazon Resource Name (ARN) of the protected resource.

CreatedAt
Type: timestamp (string|DateTime or anything parsable by strtotime)

The timestamp when the Malware Protection plan resource was created.

ProtectedResource
Type: CreateProtectedResource structure

Information about the protected resource that is associated with the created Malware Protection plan. Presently, S3Bucket is the only supported protected resource.

Role
Type: string

Amazon Resource Name (ARN) of the IAM role that includes the permissions to scan and add tags to the associated protected resource.

Status
Type: string

Malware Protection plan status.

StatusReasons
Type: Array of MalwareProtectionPlanStatusReason structures

Information about the issue code and message associated with the status of your Malware Protection plan.

Tags
Type: Associative array of custom string keys (TagKey) to strings

Tags added to the Malware Protection plan resource.

Errors

BadRequestException:

A bad request exception object.

AccessDeniedException:

An access denied exception object.

InternalServerErrorException:

An internal server error exception object.

ResourceNotFoundException:

The requested resource can't be found.

GetMalwareScanSettings

$result = $client->getMalwareScanSettings([/* ... */]);
$promise = $client->getMalwareScanSettingsAsync([/* ... */]);

Returns the details of the malware scan settings.

There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints.

Parameter Syntax

$result = $client->getMalwareScanSettings([
    'DetectorId' => '<string>', // REQUIRED
]);

Parameter Details

Members
DetectorId
Required: Yes
Type: string

The unique ID of the detector that is associated with this scan.

To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.

Result Syntax

[
    'EbsSnapshotPreservation' => 'NO_RETENTION|RETENTION_WITH_FINDING',
    'ScanResourceCriteria' => [
        'Exclude' => [
            '<ScanCriterionKey>' => [
                'MapEquals' => [
                    [
                        'Key' => '<string>',
                        'Value' => '<string>',
                    ],
                    // ...
                ],
            ],
            // ...
        ],
        'Include' => [
            '<ScanCriterionKey>' => [
                'MapEquals' => [
                    [
                        'Key' => '<string>',
                        'Value' => '<string>',
                    ],
                    // ...
                ],
            ],
            // ...
        ],
    ],
]

Result Details

Members
EbsSnapshotPreservation
Type: string

An enum value representing possible snapshot preservation settings.

ScanResourceCriteria
Type: ScanResourceCriteria structure

Represents the criteria to be used in the filter for scanning resources.

Errors

BadRequestException:

A bad request exception object.

InternalServerErrorException:

An internal server error exception object.

GetMasterAccount

$result = $client->getMasterAccount([/* ... */]);
$promise = $client->getMasterAccountAsync([/* ... */]);

Provides the details for the GuardDuty administrator account associated with the current GuardDuty member account.

Parameter Syntax

$result = $client->getMasterAccount([
    'DetectorId' => '<string>', // REQUIRED
]);

Parameter Details

Members
DetectorId
Required: Yes
Type: string

The unique ID of the detector of the GuardDuty member account.

To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.

Result Syntax

[
    'Master' => [
        'AccountId' => '<string>',
        'InvitationId' => '<string>',
        'InvitedAt' => '<string>',
        'RelationshipStatus' => '<string>',
    ],
]

Result Details

Members
Master
Required: Yes
Type: Master structure

The administrator account details.

Errors

BadRequestException:

A bad request exception object.

InternalServerErrorException:

An internal server error exception object.

GetMemberDetectors

$result = $client->getMemberDetectors([/* ... */]);
$promise = $client->getMemberDetectorsAsync([/* ... */]);

Describes which data sources are enabled for the member account's detector.

There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints.

Parameter Syntax

$result = $client->getMemberDetectors([
    'AccountIds' => ['<string>', ...], // REQUIRED
    'DetectorId' => '<string>', // REQUIRED
]);

Parameter Details

Members
AccountIds
Required: Yes
Type: Array of strings

A list of member account IDs.

DetectorId
Required: Yes
Type: string

The detector ID for the administrator account.

To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.

Result Syntax

[
    'MemberDataSourceConfigurations' => [
        [
            'AccountId' => '<string>',
            'DataSources' => [
                'CloudTrail' => [
                    'Status' => 'ENABLED|DISABLED',
                ],
                'DNSLogs' => [
                    'Status' => 'ENABLED|DISABLED',
                ],
                'FlowLogs' => [
                    'Status' => 'ENABLED|DISABLED',
                ],
                'Kubernetes' => [
                    'AuditLogs' => [
                        'Status' => 'ENABLED|DISABLED',
                    ],
                ],
                'MalwareProtection' => [
                    'ScanEc2InstanceWithFindings' => [
                        'EbsVolumes' => [
                            'Reason' => '<string>',
                            'Status' => 'ENABLED|DISABLED',
                        ],
                    ],
                    'ServiceRole' => '<string>',
                ],
                'S3Logs' => [
                    'Status' => 'ENABLED|DISABLED',
                ],
            ],
            'Features' => [
                [
                    'AdditionalConfiguration' => [
                        [
                            'Name' => 'EKS_ADDON_MANAGEMENT|ECS_FARGATE_AGENT_MANAGEMENT|EC2_AGENT_MANAGEMENT',
                            'Status' => 'ENABLED|DISABLED',
                            'UpdatedAt' => <DateTime>,
                        ],
                        // ...
                    ],
                    'Name' => 'S3_DATA_EVENTS|EKS_AUDIT_LOGS|EBS_MALWARE_PROTECTION|RDS_LOGIN_EVENTS|EKS_RUNTIME_MONITORING|LAMBDA_NETWORK_LOGS|RUNTIME_MONITORING',
                    'Status' => 'ENABLED|DISABLED',
                    'UpdatedAt' => <DateTime>,
                ],
                // ...
            ],
        ],
        // ...
    ],
    'UnprocessedAccounts' => [
        [
            'AccountId' => '<string>',
            'Result' => '<string>',
        ],
        // ...
    ],
]

Result Details

Members
MemberDataSourceConfigurations
Required: Yes
Type: Array of MemberDataSourceConfiguration structures

An object that describes which data sources are enabled for a member account.

UnprocessedAccounts
Required: Yes
Type: Array of UnprocessedAccount structures

A list of member account IDs that could not be processed, along with an explanation of why each was not processed.

Errors

BadRequestException:

A bad request exception object.

InternalServerErrorException:

An internal server error exception object.
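The following is an added example, not part of the SDK documentation, that puts GetMemberDetectors to its usual security use: finding the detectorId with ListDetectors as the page advises, then reporting every member account whose detector has a feature (or an additional configuration of a feature) that is not ENABLED. The Region and member account IDs are placeholders, and credentials are assumed to come from the default provider chain.

```php
<?php
// Added example (not from the SDK documentation): audit which GuardDuty
// features are enabled on member accounts' detectors.
// Assumptions: credentials in the default provider chain; the Region and the
// member account IDs below are constructed placeholders.
require 'vendor/autoload.php';

use Aws\GuardDuty\GuardDutyClient;
use Aws\GuardDuty\Exception\GuardDutyException;

$client = new GuardDutyClient([
    'region'  => 'us-east-1',      // placeholder: Region to audit
    'version' => '2017-11-28',
]);

// Constructed placeholder member account IDs.
$memberAccountIds = ['111111111111', '222222222222'];

// Step 1: find the administrator account's detectorId in this Region
// (the page says to run ListDetectors for this).
$detectors = $client->listDetectors(['MaxResults' => 50]);
if (empty($detectors['DetectorIds'])) {
    fwrite(STDERR, "No GuardDuty detector in this Region.\n");
    exit(1);
}
$detectorId = $detectors['DetectorIds'][0];

// Return the names of features (and feature/AdditionalConfiguration pairs)
// whose Status is anything other than ENABLED for one member configuration.
function findDisabledFeatures(array $memberConfig): array
{
    $disabled = [];
    foreach ($memberConfig['Features'] ?? [] as $feature) {
        if (($feature['Status'] ?? '') !== 'ENABLED') {
            $disabled[] = $feature['Name'];
        }
        foreach ($feature['AdditionalConfiguration'] ?? [] as $extra) {
            if (($extra['Status'] ?? '') !== 'ENABLED') {
                $disabled[] = $feature['Name'] . '/' . $extra['Name'];
            }
        }
    }
    return $disabled;
}

// Step 2: describe the member detectors.
try {
    $result = $client->getMemberDetectors([
        'DetectorId' => $detectorId,
        'AccountIds' => $memberAccountIds,
    ]);
} catch (GuardDutyException $e) {
    fwrite(STDERR, "GetMemberDetectors failed: " . $e->getAwsErrorCode() . "\n");
    exit(1);
}

foreach ($result['MemberDataSourceConfigurations'] as $member) {
    $disabled = findDisabledFeatures($member);
    printf("%s: %s\n", $member['AccountId'],
        $disabled ? 'DISABLED -> ' . implode(', ', $disabled) : 'all listed features enabled');
}

// Accounts GuardDuty could not process come back with a Result string;
// surface them rather than silently treating them as covered.
foreach ($result['UnprocessedAccounts'] as $u) {
    printf("%s: not processed (%s)\n", $u['AccountId'], $u['Result']);
}
```

A feature that is absent from a member's Features list is not reported; only features the API returns with a non-ENABLED status are.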

GetMembers

$result = $client->getMembers([/* ... */]);
$promise = $client->getMembersAsync([/* ... */]);

Retrieves GuardDuty member accounts (of the current GuardDuty administrator account) specified by the account IDs.

Parameter Syntax

$result = $client->getMembers([
    'AccountIds' => ['<string>', ...], // REQUIRED
    'DetectorId' => '<string>', // REQUIRED
]);

Parameter Details

Members
AccountIds
Required: Yes
Type: Array of strings

A list of account IDs of the GuardDuty member accounts that you want to describe.

DetectorId
Required: Yes
Type: string

The unique ID of the detector of the GuardDuty account whose members you want to retrieve.

To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.

Result Syntax

[
    'Members' => [
        [
            'AccountId' => '<string>',
            'AdministratorId' => '<string>',
            'DetectorId' => '<string>',
            'Email' => '<string>',
            'InvitedAt' => '<string>',
            'MasterId' => '<string>',
            'RelationshipStatus' => '<string>',
            'UpdatedAt' => '<string>',
        ],
        // ...
    ],
    'UnprocessedAccounts' => [
        [
            'AccountId' => '<string>',
            'Result' => '<string>',
        ],
        // ...
    ],
]

Result Details

Members
Members
Required: Yes
Type: Array of Member structures

A list of members.

UnprocessedAccounts
Required: Yes
Type: Array of UnprocessedAccount structures

A list of objects that contain the unprocessed account and a result string that explains why it was unprocessed.

Errors

BadRequestException:

A bad request exception object.

InternalServerErrorException:

An internal server error exception object.

GetOrganizationStatistics

$result = $client->getOrganizationStatistics([/* ... */]);
$promise = $client->getOrganizationStatisticsAsync([/* ... */]);

Retrieves how many active member accounts have each feature enabled within GuardDuty. Only a delegated GuardDuty administrator of an organization can run this API.

When you create a new organization, it might take up to 24 hours to generate the statistics for the entire organization.

Parameter Syntax

$result = $client->getOrganizationStatistics([
]);

Parameter Details

Members

Result Syntax

[
    'OrganizationDetails' => [
        'OrganizationStatistics' => [
            'ActiveAccountsCount' => <integer>,
            'CountByFeature' => [
                [
                    'AdditionalConfiguration' => [
                        [
                            'EnabledAccountsCount' => <integer>,
                            'Name' => 'EKS_ADDON_MANAGEMENT|ECS_FARGATE_AGENT_MANAGEMENT|EC2_AGENT_MANAGEMENT',
                        ],
                        // ...
                    ],
                    'EnabledAccountsCount' => <integer>,
                    'Name' => 'S3_DATA_EVENTS|EKS_AUDIT_LOGS|EBS_MALWARE_PROTECTION|RDS_LOGIN_EVENTS|EKS_RUNTIME_MONITORING|LAMBDA_NETWORK_LOGS|RUNTIME_MONITORING',
                ],
                // ...
            ],
            'EnabledAccountsCount' => <integer>,
            'MemberAccountsCount' => <integer>,
            'TotalAccountsCount' => <integer>,
        ],
        'UpdatedAt' => <DateTime>,
    ],
]

Result Details

Members
OrganizationDetails
Type: OrganizationDetails structure

Information about the statistics report for your organization.

Errors

BadRequestException:

A bad request exception object.

InternalServerErrorException:

An internal server error exception object.

GetRemainingFreeTrialDays

$result = $client->getRemainingFreeTrialDays([/* ... */]);
$promise = $client->getRemainingFreeTrialDaysAsync([/* ... */]);

Provides the number of days left for each data source used in the free trial period.

Parameter Syntax

$result = $client->getRemainingFreeTrialDays([
    'AccountIds' => ['<string>', ...],
    'DetectorId' => '<string>', // REQUIRED
]);

Parameter Details

Members
AccountIds
Type: Array of strings

A list of account identifiers of the GuardDuty member account.

DetectorId
Required: Yes
Type: string

The unique ID of the detector of the GuardDuty member account.

To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.

Result Syntax

[
    'Accounts' => [
        [
            'AccountId' => '<string>',
            'DataSources' => [
                'CloudTrail' => [
                    'FreeTrialDaysRemaining' => <integer>,
                ],
                'DnsLogs' => [
                    'FreeTrialDaysRemaining' => <integer>,
                ],
                'FlowLogs' => [
                    'FreeTrialDaysRemaining' => <integer>,
                ],
                'Kubernetes' => [
                    'AuditLogs' => [
                        'FreeTrialDaysRemaining' => <integer>,
                    ],
                ],
                'MalwareProtection' => [
                    'ScanEc2InstanceWithFindings' => [
                        'FreeTrialDaysRemaining' => <integer>,
                    ],
                ],
                'S3Logs' => [
                    'FreeTrialDaysRemaining' => <integer>,
                ],
            ],
            'Features' => [
                [
                    'FreeTrialDaysRemaining' => <integer>,
                    'Name' => 'FLOW_LOGS|CLOUD_TRAIL|DNS_LOGS|S3_DATA_EVENTS|EKS_AUDIT_LOGS|EBS_MALWARE_PROTECTION|RDS_LOGIN_EVENTS|EKS_RUNTIME_MONITORING|LAMBDA_NETWORK_LOGS|FARGATE_RUNTIME_MONITORING|EC2_RUNTIME_MONITORING',
                ],
                // ...
            ],
        ],
        // ...
    ],
    'UnprocessedAccounts' => [
        [
            'AccountId' => '<string>',
            'Result' => '<string>',
        ],
        // ...
    ],
]

Result Details

Members
Accounts
Type: Array of AccountFreeTrialInfo structures

The member accounts that were included in the request and were processed successfully.

UnprocessedAccounts
Type: Array of UnprocessedAccount structures

The member accounts that were included in the request but could not be processed.

Errors

BadRequestException:

A bad request exception object.

InternalServerErrorException:

An internal server error exception object.

GetThreatIntelSet

$result = $client->getThreatIntelSet([/* ... */]);
$promise = $client->getThreatIntelSetAsync([/* ... */]);

Retrieves the ThreatIntelSet that is specified by the ThreatIntelSet ID.

Parameter Syntax

$result = $client->getThreatIntelSet([
    'DetectorId' => '<string>', // REQUIRED
    'ThreatIntelSetId' => '<string>', // REQUIRED
]);

Parameter Details

Members
DetectorId
Required: Yes
Type: string

The unique ID of the detector that is associated with the threatIntelSet.

To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.

ThreatIntelSetId
Required: Yes
Type: string

The unique ID of the threatIntelSet that you want to get.

Result Syntax

[
    'Format' => 'TXT|STIX|OTX_CSV|ALIEN_VAULT|PROOF_POINT|FIRE_EYE',
    'Location' => '<string>',
    'Name' => '<string>',
    'Status' => 'INACTIVE|ACTIVATING|ACTIVE|DEACTIVATING|ERROR|DELETE_PENDING|DELETED',
    'Tags' => ['<string>', ...],
]

Result Details

Members
Format
Required: Yes
Type: string

The format of the threatIntelSet.

Location
Required: Yes
Type: string

The URI of the file that contains the ThreatIntelSet.

Name
Required: Yes
Type: string

A user-friendly ThreatIntelSet name displayed in all findings that are generated by activity that involves IP addresses included in this ThreatIntelSet.

Status
Required: Yes
Type: string

The status of the threatIntelSet file that was uploaded.

Tags
Type: Associative array of custom string keys (TagKey) to strings

The tags of the threat list resource.

Errors

BadRequestException:

A bad request exception object.

InternalServerErrorException:

An internal server error exception object.

GetUsageStatistics

$result = $client->getUsageStatistics([/* ... */]);
$promise = $client->getUsageStatisticsAsync([/* ... */]);

Lists Amazon GuardDuty usage statistics over the last 30 days for the specified detector ID. For newly enabled detectors or data sources, the cost returned will include only the usage so far under 30 days. This may differ from the cost metrics in the console, which project usage over 30 days to provide a monthly cost estimate. For more information, see Understanding How Usage Costs are Calculated.

Parameter Syntax

$result = $client->getUsageStatistics([
    'DetectorId' => '<string>', // REQUIRED
    'MaxResults' => <integer>,
    'NextToken' => '<string>',
    'Unit' => '<string>',
    'UsageCriteria' => [ // REQUIRED
        'AccountIds' => ['<string>', ...],
        'DataSources' => ['<string>', ...],
        'Features' => ['<string>', ...],
        'Resources' => ['<string>', ...],
    ],
    'UsageStatisticType' => 'SUM_BY_ACCOUNT|SUM_BY_DATA_SOURCE|SUM_BY_RESOURCE|TOP_RESOURCES|SUM_BY_FEATURES|TOP_ACCOUNTS_BY_FEATURE', // REQUIRED
]);

Parameter Details

Members
DetectorId
Required: Yes
Type: string

The ID of the detector that specifies the GuardDuty service whose usage statistics you want to retrieve.

To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.

MaxResults
Type: int

The maximum number of results to return in the response.

NextToken
Type: string

A token to use for paginating results that are returned in the response. Set the value of this parameter to null for the first request to a list action. For subsequent calls, use the NextToken value returned from the previous request to continue listing results after the first page.

Unit
Type: string

The currency unit you would like to view your usage statistics in. Current valid values are USD.

UsageCriteria
Required: Yes
Type: UsageCriteria structure

Represents the criteria used for querying usage.

UsageStatisticType
Required: Yes
Type: string

The type of usage statistics to retrieve.

Result Syntax

[
    'NextToken' => '<string>',
    'UsageStatistics' => [
        'SumByAccount' => [
            [
                'AccountId' => '<string>',
                'Total' => [
                    'Amount' => '<string>',
                    'Unit' => '<string>',
                ],
            ],
            // ...
        ],
        'SumByDataSource' => [
            [
                'DataSource' => 'FLOW_LOGS|CLOUD_TRAIL|DNS_LOGS|S3_LOGS|KUBERNETES_AUDIT_LOGS|EC2_MALWARE_SCAN',
                'Total' => [
                    'Amount' => '<string>',
                    'Unit' => '<string>',
                ],
            ],
            // ...
        ],
        'SumByFeature' => [
            [
                'Feature' => 'FLOW_LOGS|CLOUD_TRAIL|DNS_LOGS|S3_DATA_EVENTS|EKS_AUDIT_LOGS|EBS_MALWARE_PROTECTION|RDS_LOGIN_EVENTS|LAMBDA_NETWORK_LOGS|EKS_RUNTIME_MONITORING|FARGATE_RUNTIME_MONITORING|EC2_RUNTIME_MONITORING|RDS_DBI_PROTECTION_PROVISIONED|RDS_DBI_PROTECTION_SERVERLESS',
                'Total' => [
                    'Amount' => '<string>',
                    'Unit' => '<string>',
                ],
            ],
            // ...
        ],
        'SumByResource' => [
            [
                'Resource' => '<string>',
                'Total' => [
                    'Amount' => '<string>',
                    'Unit' => '<string>',
                ],
            ],
            // ...
        ],
        'TopAccountsByFeature' => [
            [
                'Accounts' => [
                    [
                        'AccountId' => '<string>',
                        'Total' => [
                            'Amount' => '<string>',
                            'Unit' => '<string>',
                        ],
                    ],
                    // ...
                ],
                'Feature' => 'FLOW_LOGS|CLOUD_TRAIL|DNS_LOGS|S3_DATA_EVENTS|EKS_AUDIT_LOGS|EBS_MALWARE_PROTECTION|RDS_LOGIN_EVENTS|LAMBDA_NETWORK_LOGS|EKS_RUNTIME_MONITORING|FARGATE_RUNTIME_MONITORING|EC2_RUNTIME_MONITORING|RDS_DBI_PROTECTION_PROVISIONED|RDS_DBI_PROTECTION_SERVERLESS',
            ],
            // ...
        ],
        'TopResources' => [
            [
                'Resource' => '<string>',
                'Total' => [
                    'Amount' => '<string>',
                    'Unit' => '<string>',
                ],
            ],
            // ...
        ],
    ],
]

Result Details

Members
NextToken
Type: string

The pagination parameter to be used on the next list operation to retrieve more items.

UsageStatistics
Type: UsageStatistics structure

The usage statistics object. If a UsageStatisticType was provided, the objects representing other types will be null.

Errors

BadRequestException:

A bad request exception object.

InternalServerErrorException:

An internal server error exception object.

InviteMembers

$result = $client->inviteMembers([/* ... */]);
$promise = $client->inviteMembersAsync([/* ... */]);

Invites Amazon Web Services accounts to become members of an organization administered by the Amazon Web Services account that invokes this API. If you are using Amazon Web Services Organizations to manage your GuardDuty environment, this step is not needed. For more information, see Managing accounts with organizations.

To invite Amazon Web Services accounts, the first step is to ensure that GuardDuty has been enabled in the potential member accounts. You can now invoke this API to add accounts by invitation. The invited accounts can either accept or decline the invitation from their GuardDuty accounts. Each invited Amazon Web Services account can choose to accept the invitation from only one Amazon Web Services account. For more information, see Managing GuardDuty accounts by invitation.

After the invite has been accepted and you choose to disassociate a member account (by using DisassociateMembers) from your account, the details of the member account obtained by invoking CreateMembers, including the associated email addresses, will be retained. This is done so that you can invoke InviteMembers without the need to invoke CreateMembers again. To remove the details associated with a member account, you must also invoke DeleteMembers.

If you disassociate a member account that was added by invitation, the member account details obtained from this API, including the associated email addresses, will be retained. This is done so that the delegated administrator can invoke the InviteMembers API without the need to invoke the CreateMembers API again. To remove the details associated with a member account, the delegated administrator must invoke the DeleteMembers API.

When the member accounts added through Organizations are later disassociated, you (administrator) can't invite them by calling the InviteMembers API. You can create an association with these member accounts again only by calling the CreateMembers API.

Parameter Syntax

$result = $client->inviteMembers([
    'AccountIds' => ['<string>', ...], // REQUIRED
    'DetectorId' => '<string>', // REQUIRED
    'DisableEmailNotification' => true || false,
    'Message' => '<string>',
]);

Parameter Details

Members
AccountIds
Required: Yes
Type: Array of strings

A list of account IDs of the accounts that you want to invite to GuardDuty as members.

DetectorId
Required: Yes
Type: string

The unique ID of the detector of the GuardDuty account with which you want to invite members.

To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.

DisableEmailNotification
Type: boolean

A Boolean value that specifies whether you want to disable email notification to the accounts that you are inviting to GuardDuty as members.

Message
Type: string

The invitation message that you want to send to the accounts that you're inviting to GuardDuty as members.

Result Syntax

[
    'UnprocessedAccounts' => [
        [
            'AccountId' => '<string>',
            'Result' => '<string>',
        ],
        // ...
    ],
]

Result Details

Members
UnprocessedAccounts
Required: Yes
Type: Array of UnprocessedAccount structures

A list of objects that contain the unprocessed account and a result string that explains why it was unprocessed.

Errors

BadRequestException:

A bad request exception object.

InternalServerErrorException:

An internal server error exception object.
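The invitation flow described above, as an added example that is not part of the SDK documentation: it assumes the target accounts already have GuardDuty enabled and have been added with CreateMembers, invites them, separates the UnprocessedAccounts from the invited ones, and then reads each invited account's RelationshipStatus back with GetMembers. The Region and account IDs are constructed placeholders.

```php
<?php
// Added example (not from the SDK documentation): invite accounts that were
// already added with CreateMembers, then confirm each invitation's state.
// Assumptions: credentials in the default provider chain; Region and account
// IDs are constructed placeholders.
require 'vendor/autoload.php';

use Aws\GuardDuty\GuardDutyClient;

$client = new GuardDutyClient([
    'region'  => 'us-east-1',      // placeholder
    'version' => '2017-11-28',
]);

// Administrator detectorId for this Region, via ListDetectors as the page advises.
$detectorId = $client->listDetectors()['DetectorIds'][0] ?? null;
if ($detectorId === null) {
    fwrite(STDERR, "No GuardDuty detector in this Region.\n");
    exit(1);
}
$accountIds = ['111111111111', '222222222222']; // constructed placeholders

// Invite. Accounts the service could not invite come back in
// UnprocessedAccounts with a Result string explaining why.
$invite = $client->inviteMembers([
    'DetectorId'               => $detectorId,
    'AccountIds'               => $accountIds,
    'DisableEmailNotification' => false,
    'Message'                  => 'Please accept the GuardDuty administrator invitation.',
]);
$unprocessed = [];
foreach ($invite['UnprocessedAccounts'] as $u) {
    $unprocessed[$u['AccountId']] = $u['Result'];
    printf("%s: not invited (%s)\n", $u['AccountId'], $u['Result']);
}

// Confirm the relationship state for the accounts that were processed;
// the invitee still has to accept (or decline) from its own account.
$invited = array_values(array_diff($accountIds, array_keys($unprocessed)));
if ($invited) {
    $members = $client->getMembers([
        'DetectorId' => $detectorId,
        'AccountIds' => $invited,
    ]);
    foreach ($members['Members'] as $m) {
        printf("%s (%s): %s, invited at %s\n",
            $m['AccountId'], $m['Email'] ?? 'n/a',
            $m['RelationshipStatus'], $m['InvitedAt'] ?? 'n/a');
    }
    foreach ($members['UnprocessedAccounts'] as $u) {
        printf("%s: GetMembers could not process (%s)\n", $u['AccountId'], $u['Result']);
    }
}
```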

ListCoverage

$result = $client->listCoverage([/* ... */]);
$promise = $client->listCoverageAsync([/* ... */]);

Lists coverage details for your GuardDuty account. If you're a GuardDuty administrator, you can retrieve all resources associated with the active member accounts in your organization.

Make sure the accounts have Runtime Monitoring enabled and the GuardDuty agent running on their resources.

Parameter Syntax

$result = $client->listCoverage([
    'DetectorId' => '<string>', // REQUIRED
    'FilterCriteria' => [
        'FilterCriterion' => [
            [
                'CriterionKey' => 'ACCOUNT_ID|CLUSTER_NAME|RESOURCE_TYPE|COVERAGE_STATUS|ADDON_VERSION|MANAGEMENT_TYPE|EKS_CLUSTER_NAME|ECS_CLUSTER_NAME|AGENT_VERSION|INSTANCE_ID|CLUSTER_ARN',
                'FilterCondition' => [
                    'Equals' => ['<string>', ...],
                    'NotEquals' => ['<string>', ...],
                ],
            ],
            // ...
        ],
    ],
    'MaxResults' => <integer>,
    'NextToken' => '<string>',
    'SortCriteria' => [
        'AttributeName' => 'ACCOUNT_ID|CLUSTER_NAME|COVERAGE_STATUS|ISSUE|ADDON_VERSION|UPDATED_AT|EKS_CLUSTER_NAME|ECS_CLUSTER_NAME|INSTANCE_ID',
        'OrderBy' => 'ASC|DESC',
    ],
]);

Parameter Details

Members
DetectorId
Required: Yes
Type: string

The unique ID of the detector whose coverage details you want to retrieve.

To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.

FilterCriteria
Type: CoverageFilterCriteria structure

Represents the criteria used to filter the coverage details.

MaxResults
Type: int

The maximum number of results to return in the response.

NextToken
Type: string

A token to use for paginating results that are returned in the response. Set the value of this parameter to null for the first request to a list action. For subsequent calls, use the NextToken value returned from the previous request to continue listing results after the first page.

SortCriteria
Type: CoverageSortCriteria structure

Represents the criteria used to sort the coverage details.

Result Syntax

[
    'NextToken' => '<string>',
    'Resources' => [
        [
            'AccountId' => '<string>',
            'CoverageStatus' => 'HEALTHY|UNHEALTHY',
            'DetectorId' => '<string>',
            'Issue' => '<string>',
            'ResourceDetails' => [
                'Ec2InstanceDetails' => [
                    'AgentDetails' => [
                        'Version' => '<string>',
                    ],
                    'ClusterArn' => '<string>',
                    'InstanceId' => '<string>',
                    'InstanceType' => '<string>',
                    'ManagementType' => 'AUTO_MANAGED|MANUAL|DISABLED',
                ],
                'EcsClusterDetails' => [
                    'ClusterName' => '<string>',
                    'ContainerInstanceDetails' => [
                        'CompatibleContainerInstances' => <integer>,
                        'CoveredContainerInstances' => <integer>,
                    ],
                    'FargateDetails' => [
                        'Issues' => ['<string>', ...],
                        'ManagementType' => 'AUTO_MANAGED|MANUAL|DISABLED',
                    ],
                ],
                'EksClusterDetails' => [
                    'AddonDetails' => [
                        'AddonStatus' => '<string>',
                        'AddonVersion' => '<string>',
                    ],
                    'ClusterName' => '<string>',
                    'CompatibleNodes' => <integer>,
                    'CoveredNodes' => <integer>,
                    'ManagementType' => 'AUTO_MANAGED|MANUAL|DISABLED',
                ],
                'ResourceType' => 'EKS|ECS|EC2',
            ],
            'ResourceId' => '<string>',
            'UpdatedAt' => <DateTime>,
        ],
        // ...
    ],
]

Result Details

Members
NextToken
Type: string

The pagination parameter to be used on the next list operation to retrieve more items.

Resources
Required: Yes
Type: Array of CoverageResource structures

A list of resources and their attributes providing cluster details.

Errors

BadRequestException:

A bad request exception object.

InternalServerErrorException:

An internal server error exception object.
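The following is an added example, not part of the SDK documentation, that pages through ListCoverage with the NextToken loop described above, filters on COVERAGE_STATUS equal to UNHEALTHY, sorts by UPDATED_AT, and prints the concrete EC2, EKS or ECS resource behind each entry together with its reported Issue. Credentials are assumed to come from the default provider chain and the Region is a placeholder.

```php
<?php
// Added example (not from the SDK documentation): list every resource whose
// Runtime Monitoring coverage is UNHEALTHY, following NextToken until the
// last page.
// Assumptions: credentials in the default provider chain; Region is a placeholder.
require 'vendor/autoload.php';

use Aws\GuardDuty\GuardDutyClient;

$client = new GuardDutyClient([
    'region'  => 'us-east-1',   // placeholder
    'version' => '2017-11-28',
]);

// Pull the detectorId for this Region via ListDetectors, as the page advises.
$detectorId = $client->listDetectors()['DetectorIds'][0] ?? null;
if ($detectorId === null) {
    fwrite(STDERR, "No GuardDuty detector in this Region.\n");
    exit(1);
}

// Identify the concrete resource (instance, EKS cluster, ECS cluster)
// from the ResourceDetails structure returned for each coverage entry.
function describeCoverageResource(array $resource): string
{
    $details = $resource['ResourceDetails'] ?? [];
    switch ($details['ResourceType'] ?? '') {
        case 'EC2':
            $d = $details['Ec2InstanceDetails'];
            return sprintf('EC2 %s (%s, agent %s)',
                $d['InstanceId'], $d['ManagementType'] ?? 'n/a',
                $d['AgentDetails']['Version'] ?? 'none');
        case 'EKS':
            $d = $details['EksClusterDetails'];
            return sprintf('EKS %s (%d/%d nodes covered, addon %s)',
                $d['ClusterName'], $d['CoveredNodes'] ?? 0,
                $d['CompatibleNodes'] ?? 0,
                $d['AddonDetails']['AddonVersion'] ?? 'none');
        case 'ECS':
            $d = $details['EcsClusterDetails'];
            return sprintf('ECS %s (%d/%d container instances covered)',
                $d['ClusterName'],
                $d['ContainerInstanceDetails']['CoveredContainerInstances'] ?? 0,
                $d['ContainerInstanceDetails']['CompatibleContainerInstances'] ?? 0);
        default:
            return 'resource ' . ($resource['ResourceId'] ?? '?');
    }
}

$unhealthy = [];
$nextToken = null;  // null on the first call, as the NextToken description says
do {
    $params = [
        'DetectorId'     => $detectorId,
        'MaxResults'     => 50,
        'FilterCriteria' => [
            'FilterCriterion' => [[
                'CriterionKey'    => 'COVERAGE_STATUS',
                'FilterCondition' => ['Equals' => ['UNHEALTHY']],
            ]],
        ],
        'SortCriteria'   => ['AttributeName' => 'UPDATED_AT', 'OrderBy' => 'DESC'],
    ];
    if ($nextToken !== null) {
        $params['NextToken'] = $nextToken;
    }
    $page = $client->listCoverage($params);

    foreach ($page['Resources'] as $r) {
        // UpdatedAt is returned as a DateTime-compatible object by the SDK.
        $updated = $r['UpdatedAt'] instanceof DateTimeInterface
            ? $r['UpdatedAt']->format(DATE_ATOM) : (string) $r['UpdatedAt'];
        $unhealthy[] = sprintf("%s  %s  issue: %s  updated: %s",
            $r['AccountId'], describeCoverageResource($r),
            $r['Issue'] ?? '(none reported)', $updated);
    }
    $nextToken = $page['NextToken'] ?? null;
} while ($nextToken !== null && $nextToken !== '');

foreach ($unhealthy as $line) {
    echo $line, PHP_EOL;
}
printf("%d resource(s) with unhealthy coverage\n", count($unhealthy));
```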

ListDetectors

$result = $client->listDetectors([/* ... */]);
$promise = $client->listDetectorsAsync([/* ... */]);

Lists detectorIds of all the existing Amazon GuardDuty detector resources.

Parameter Syntax

$result = $client->listDetectors([
    'MaxResults' => <integer>,
    'NextToken' => '<string>',
]);

Parameter Details

Members
MaxResults
Type: int

You can use this parameter to indicate the maximum number of items that you want in the response. The default value is 50. The maximum value is 50.

NextToken
Type: string

You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.

Result Syntax

[
    'DetectorIds' => ['<string>', ...],
    'NextToken' => '<string>',
]

Result Details

Members
DetectorIds
Required: Yes
Type: Array of strings

A list of detector IDs.

NextToken
Type: string

The pagination parameter to be used on the next list operation to retrieve more items.

Errors

BadRequestException:

A bad request exception object.

InternalServerErrorException:

An internal server error exception object.

ListFilters

$result = $client->listFilters([/* ... */]);
$promise = $client->listFiltersAsync([/* ... */]);

Returns a paginated list of the current filters.

Parameter Syntax

$result = $client->listFilters([
    'DetectorId' => '<string>', // REQUIRED
    'MaxResults' => <integer>,
    'NextToken' => '<string>',
]);

Parameter Details

Members
DetectorId
Required: Yes
Type: string

The unique ID of the detector that is associated with the filter.

To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.

MaxResults
Type: int

You can use this parameter to indicate the maximum number of items that you want in the response. The default value is 50. The maximum value is 50.

NextToken
Type: string

You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.

Result Syntax

[
    'FilterNames' => ['<string>', ...],
    'NextToken' => '<string>',
]

Result Details

Members
FilterNames
Required: Yes
Type: Array of strings

A list of filter names.

NextToken
Type: string

The pagination parameter to be used on the next list operation to retrieve more items.

Errors

BadRequestException:

A bad request exception object.

InternalServerErrorException:

An internal server error exception object.

ListFindings

$result = $client->listFindings([/* ... */]);
$promise = $client->listFindingsAsync([/* ... */]);

Lists GuardDuty findings for the specified detector ID.

There might be regional differences because some flags might not be available in all the Regions where GuardDuty is currently supported. For more information, see Regions and endpoints.

Parameter Syntax

$result = $client->listFindings([
    'DetectorId' => '<string>', // REQUIRED
    'FindingCriteria' => [
        'Criterion' => [
            '<String>' => [
                'Eq' => ['<string>', ...],
                'Equals' => ['<string>', ...],
                'GreaterThan' => <integer>,
                'GreaterThanOrEqual' => <integer>,
                'Gt' => <integer>,
                'Gte' => <integer>,
                'LessThan' => <integer>,
                'LessThanOrEqual' => <integer>,
                'Lt' => <integer>,
                'Lte' => <integer>,
                'Neq' => ['<string>', ...],
                'NotEquals' => ['<string>', ...],
            ],
            // ...
        ],
    ],
    'MaxResults' => <integer>,
    'NextToken' => '<string>',
    'SortCriteria' => [
        'AttributeName' => '<string>',
        'OrderBy' => 'ASC|DESC',
    ],
]);

Parameter Details

Members
DetectorId
Required: Yes
Type: string

The ID of the detector that specifies the GuardDuty service whose findings you want to list.

To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.

FindingCriteria
Type: FindingCriteria structure

Represents the criteria used for querying findings. Valid values include the following JSON field names:

  • accountId

  • region

  • confidence

  • id

  • resource.accessKeyDetails.accessKeyId

  • resource.accessKeyDetails.principalId

  • resource.accessKeyDetails.userName

  • resource.accessKeyDetails.userType

  • resource.instanceDetails.iamInstanceProfile.id

  • resource.instanceDetails.imageId

  • resource.instanceDetails.instanceId

  • resource.instanceDetails.networkInterfaces.ipv6Addresses

  • resource.instanceDetails.networkInterfaces.privateIpAddresses.privateIpAddress

  • resource.instanceDetails.networkInterfaces.publicDnsName

  • resource.instanceDetails.networkInterfaces.publicIp

  • resource.instanceDetails.networkInterfaces.securityGroups.groupId

  • resource.instanceDetails.networkInterfaces.securityGroups.groupName

  • resource.instanceDetails.networkInterfaces.subnetId

  • resource.instanceDetails.networkInterfaces.vpcId

  • resource.instanceDetails.tags.key

  • resource.instanceDetails.tags.value

  • resource.resourceType

  • service.action.actionType

  • service.action.awsApiCallAction.api

  • service.action.awsApiCallAction.callerType

  • service.action.awsApiCallAction.remoteIpDetails.city.cityName

  • service.action.awsApiCallAction.remoteIpDetails.country.countryName

  • service.action.awsApiCallAction.remoteIpDetails.ipAddressV4

  • service.action.awsApiCallAction.remoteIpDetails.organization.asn

  • service.action.awsApiCallAction.remoteIpDetails.organization.asnOrg

  • service.action.awsApiCallAction.serviceName

  • service.action.dnsRequestAction.domain

  • service.action.dnsRequestAction.domainWithSuffix

  • service.action.networkConnectionAction.blocked

  • service.action.networkConnectionAction.connectionDirection

  • service.action.networkConnectionAction.localPortDetails.port

  • service.action.networkConnectionAction.protocol

  • service.action.networkConnectionAction.remoteIpDetails.country.countryName

  • service.action.networkConnectionAction.remoteIpDetails.ipAddressV4

  • service.action.networkConnectionAction.remoteIpDetails.organization.asn

  • service.action.networkConnectionAction.remoteIpDetails.organization.asnOrg

  • service.action.networkConnectionAction.remotePortDetails.port

  • service.additionalInfo.threatListName

  • service.archived

    When this attribute is set to 'true', only archived findings are listed. When it's set to 'false', only unarchived findings are listed. When this attribute is not set, all existing findings are listed.

  • service.ebsVolumeScanDetails.scanId

  • service.resourceRole

  • severity

  • type

  • updatedAt

    Type: Timestamp in Unix Epoch millisecond format: 1486685375000

MaxResults
Type: int

You can use this parameter to indicate the maximum number of items you want in the response. The default value is 50. The maximum value is 50.

NextToken
Type: string

You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.

SortCriteria
Type: SortCriteria structure

Represents the criteria used for sorting findings.

Result Syntax

[
    'FindingIds' => ['<string>', ...],
    'NextToken' => '<string>',
]

Result Details

Members
FindingIds
Required: Yes
Type: Array of strings

The IDs of the findings that you're listing.

NextToken
Type: string

The pagination parameter to be used on the next list operation to retrieve more items.

Errors

BadRequestException:

A bad request exception object.

InternalServerErrorException:

An internal server error exception object.
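As an added example that is not part of the SDK reference, the following pages through ListFindings with a FindingCriteria built from the field names listed above (severity, service.archived, updatedAt) and follows NextToken until the service stops returning one. It assumes the SDK is installed via Composer, that credentials and the Region (us-east-1 here) come from the default provider chain, and that the detector comes from ListDetectors; the function name listRecentHighSeverityFindings is the example's own.

```php
<?php
// Added example (not from the SDK reference): collect the IDs of every
// unarchived high-severity finding updated in the last N hours, following
// NextToken page by page. Assumes Composer autoloading and default credentials.
require 'vendor/autoload.php';

use Aws\GuardDuty\GuardDutyClient;
use Aws\Exception\AwsException;

/**
 * Return all finding IDs matching the criteria. $detectorId is the value
 * returned by ListDetectors for the current Region.
 */
function listRecentHighSeverityFindings(GuardDutyClient $client, string $detectorId, int $lookbackHours = 24): array
{
    // updatedAt is compared as a Unix epoch in milliseconds (see the field list above).
    $sinceMs = (time() - $lookbackHours * 3600) * 1000;

    $criteria = [
        'Criterion' => [
            // Gte keeps everything from severity 7 upward (the "High" band).
            'severity'         => ['Gte' => 7],
            // 'false' lists only open findings; 'true' would list archived ones instead.
            'service.archived' => ['Equals' => ['false']],
            'updatedAt'        => ['Gte' => $sinceMs],
        ],
    ];

    $ids = [];
    $nextToken = null;
    do {
        $params = [
            'DetectorId'      => $detectorId,
            'FindingCriteria' => $criteria,
            'SortCriteria'    => ['AttributeName' => 'severity', 'OrderBy' => 'DESC'],
            'MaxResults'      => 50, // the documented maximum
        ];
        // First call: no NextToken. Later calls: echo back the previous response's token.
        if ($nextToken !== null) {
            $params['NextToken'] = $nextToken;
        }
        $result = $client->listFindings($params);
        foreach ($result['FindingIds'] as $id) {
            $ids[] = $id;
        }
        $nextToken = $result['NextToken'] ?? null;
    } while ($nextToken !== null && $nextToken !== '');

    return $ids;
}

$client = new GuardDutyClient(['version' => '2017-11-28', 'region' => 'us-east-1']);

try {
    $detectorIds = $client->listDetectors()['DetectorIds'];
    if (empty($detectorIds)) {
        fwrite(STDERR, "No GuardDuty detector in this Region.\n");
        exit(1);
    }
    $ids = listRecentHighSeverityFindings($client, $detectorIds[0]);
    printf("%d high-severity findings updated in the last 24h\n", count($ids));
} catch (AwsException $e) {
    // BadRequestException and InternalServerErrorException surface here.
    fwrite(STDERR, $e->getAwsErrorCode() . ': ' . $e->getAwsErrorMessage() . "\n");
    exit(1);
}
```

The SDK can also drive this loop for you through `$client->getPaginator('ListFindings', $params)`; the manual loop is shown here because it makes the NextToken contract described under Parameter Details explicit.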

ListIPSets

$result = $client->listIPSets([/* ... */]);
$promise = $client->listIPSetsAsync([/* ... */]);

Lists the IPSets of the GuardDuty service specified by the detector ID. If you use this operation from a member account, the IPSets returned are the IPSets from the associated administrator account.

Parameter Syntax

$result = $client->listIPSets([
    'DetectorId' => '<string>', // REQUIRED
    'MaxResults' => <integer>,
    'NextToken' => '<string>',
]);

Parameter Details

Members
DetectorId
Required: Yes
Type: string

The unique ID of the detector that is associated with the IPSet.

To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.

MaxResults
Type: int

You can use this parameter to indicate the maximum number of items you want in the response. The default value is 50. The maximum value is 50.

NextToken
Type: string

You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.

Result Syntax

[
    'IpSetIds' => ['<string>', ...],
    'NextToken' => '<string>',
]

Result Details

Members
IpSetIds
Required: Yes
Type: Array of strings

The IDs of the IPSet resources.

NextToken
Type: string

The pagination parameter to be used on the next list operation to retrieve more items.

Errors

BadRequestException:

A bad request exception object.

InternalServerErrorException:

An internal server error exception object.

ListInvitations

$result = $client->listInvitations([/* ... */]);
$promise = $client->listInvitationsAsync([/* ... */]);

Lists all GuardDuty membership invitations that were sent to the current Amazon Web Services account.

Parameter Syntax

$result = $client->listInvitations([
    'MaxResults' => <integer>,
    'NextToken' => '<string>',
]);

Parameter Details

Members
MaxResults
Type: int

You can use this parameter to indicate the maximum number of items that you want in the response. The default value is 50. The maximum value is 50.

NextToken
Type: string

You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.

Result Syntax

[
    'Invitations' => [
        [
            'AccountId' => '<string>',
            'InvitationId' => '<string>',
            'InvitedAt' => '<string>',
            'RelationshipStatus' => '<string>',
        ],
        // ...
    ],
    'NextToken' => '<string>',
]

Result Details

Members
Invitations
Type: Array of Invitation structures

A list of invitation descriptions.

NextToken
Type: string

The pagination parameter to be used on the next list operation to retrieve more items.

Errors

BadRequestException:

A bad request exception object.

InternalServerErrorException:

An internal server error exception object.

ListMalwareProtectionPlans

$result = $client->listMalwareProtectionPlans([/* ... */]);
$promise = $client->listMalwareProtectionPlansAsync([/* ... */]);

Lists the Malware Protection plan IDs associated with the protected resources in your Amazon Web Services account.

Parameter Syntax

$result = $client->listMalwareProtectionPlans([
    'NextToken' => '<string>',
]);

Parameter Details

Members
NextToken
Type: string

You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.

Result Syntax

[
    'MalwareProtectionPlans' => [
        [
            'MalwareProtectionPlanId' => '<string>',
        ],
        // ...
    ],
    'NextToken' => '<string>',
]

Result Details

Members
MalwareProtectionPlans
Type: Array of MalwareProtectionPlanSummary structures

A list of unique identifiers associated with each Malware Protection plan.

NextToken
Type: string

You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.

Errors

BadRequestException:

A bad request exception object.

AccessDeniedException:

An access denied exception object.

InternalServerErrorException:

An internal server error exception object.

ListMembers

$result = $client->listMembers([/* ... */]);
$promise = $client->listMembersAsync([/* ... */]);

Lists details about all member accounts for the current GuardDuty administrator account.

Parameter Syntax

$result = $client->listMembers([
    'DetectorId' => '<string>', // REQUIRED
    'MaxResults' => <integer>,
    'NextToken' => '<string>',
    'OnlyAssociated' => '<string>',
]);

Parameter Details

Members
DetectorId
Required: Yes
Type: string

The unique ID of the detector that is associated with the member.

To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.

MaxResults
Type: int

You can use this parameter to indicate the maximum number of items you want in the response. The default value is 50. The maximum value is 50.

NextToken
Type: string

You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.

OnlyAssociated
Type: string

Specifies whether to only return associated members or to return all members (including members who haven't been invited yet or have been disassociated). Member accounts must have been previously associated with the GuardDuty administrator account using CreateMembers.

Result Syntax

[
    'Members' => [
        [
            'AccountId' => '<string>',
            'AdministratorId' => '<string>',
            'DetectorId' => '<string>',
            'Email' => '<string>',
            'InvitedAt' => '<string>',
            'MasterId' => '<string>',
            'RelationshipStatus' => '<string>',
            'UpdatedAt' => '<string>',
        ],
        // ...
    ],
    'NextToken' => '<string>',
]

Result Details

Members
Members
Type: Array of Member structures

A list of members.

The values for email and invitedAt are available only if the member accounts are added by invitation.

NextToken
Type: string

The pagination parameter to be used on the next list operation to retrieve more items.

Errors

BadRequestException:

A bad request exception object.

InternalServerErrorException:

An internal server error exception object.

ListOrganizationAdminAccounts

$result = $client->listOrganizationAdminAccounts([/* ... */]);
$promise = $client->listOrganizationAdminAccountsAsync([/* ... */]);

Lists the accounts designated as GuardDuty delegated administrators. Only the organization's management account can run this API operation.

Parameter Syntax

$result = $client->listOrganizationAdminAccounts([
    'MaxResults' => <integer>,
    'NextToken' => '<string>',
]);

Parameter Details

Members
MaxResults
Type: int

The maximum number of results to return in the response.

NextToken
Type: string

A token to use for paginating results that are returned in the response. Set the value of this parameter to null for the first request to a list action. For subsequent calls, use the NextToken value returned from the previous request to continue listing results after the first page.

Result Syntax

[
    'AdminAccounts' => [
        [
            'AdminAccountId' => '<string>',
            'AdminStatus' => 'ENABLED|DISABLE_IN_PROGRESS',
        ],
        // ...
    ],
    'NextToken' => '<string>',
]

Result Details

Members
AdminAccounts
Type: Array of AdminAccount structures

A list of accounts configured as GuardDuty delegated administrators.

NextToken
Type: string

The pagination parameter to be used on the next list operation to retrieve more items.

Errors

BadRequestException:

A bad request exception object.

InternalServerErrorException:

An internal server error exception object.

ListPublishingDestinations

$result = $client->listPublishingDestinations([/* ... */]);
$promise = $client->listPublishingDestinationsAsync([/* ... */]);

Returns a list of publishing destinations associated with the specified detectorId.

Parameter Syntax

$result = $client->listPublishingDestinations([
    'DetectorId' => '<string>', // REQUIRED
    'MaxResults' => <integer>,
    'NextToken' => '<string>',
]);

Parameter Details

Members
DetectorId
Required: Yes
Type: string

The detector ID for which you want to retrieve the publishing destination.

To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.

MaxResults
Type: int

The maximum number of results to return in the response.

NextToken
Type: string

A token to use for paginating results that are returned in the response. Set the value of this parameter to null for the first request to a list action. For subsequent calls, use the NextToken value returned from the previous request to continue listing results after the first page.

Result Syntax

[
    'Destinations' => [
        [
            'DestinationId' => '<string>',
            'DestinationType' => 'S3',
            'Status' => 'PENDING_VERIFICATION|PUBLISHING|UNABLE_TO_PUBLISH_FIX_DESTINATION_PROPERTY|STOPPED',
        ],
        // ...
    ],
    'NextToken' => '<string>',
]

Result Details

Members
Destinations
Required: Yes
Type: Array of Destination structures

A Destinations object that includes information about each publishing destination returned.

NextToken
Type: string

A token to use for paginating results that are returned in the response. Set the value of this parameter to null for the first request to a list action. For subsequent calls, use the NextToken value returned from the previous request to continue listing results after the first page.

Errors

BadRequestException:

A bad request exception object.

InternalServerErrorException:

An internal server error exception object.

ListTagsForResource

$result = $client->listTagsForResource([/* ... */]);
$promise = $client->listTagsForResourceAsync([/* ... */]);

Lists tags for a resource. Tagging is currently supported for detectors, finding filters, IP sets, threat intel sets, and publishing destinations, with a limit of 50 tags per resource. When invoked, this operation returns all assigned tags for a given resource.

Parameter Syntax

$result = $client->listTagsForResource([
    'ResourceArn' => '<string>', // REQUIRED
]);

Parameter Details

Members
ResourceArn
Required: Yes
Type: string

The Amazon Resource Name (ARN) for the given GuardDuty resource.

Result Syntax

[
    'Tags' => ['<string>', ...],
]

Result Details

Members
Tags
Type: Associative array of custom string keys (TagKey) to strings

The tags associated with the resource.

Errors

BadRequestException:

A bad request exception object.

AccessDeniedException:

An access denied exception object.

InternalServerErrorException:

An internal server error exception object.

ListThreatIntelSets

$result = $client->listThreatIntelSets([/* ... */]);
$promise = $client->listThreatIntelSetsAsync([/* ... */]);

Lists the ThreatIntelSets of the GuardDuty service specified by the detector ID. If you use this operation from a member account, the ThreatIntelSets associated with the administrator account are returned.

Parameter Syntax

$result = $client->listThreatIntelSets([
    'DetectorId' => '<string>', // REQUIRED
    'MaxResults' => <integer>,
    'NextToken' => '<string>',
]);

Parameter Details

Members
DetectorId
Required: Yes
Type: string

The unique ID of the detector that is associated with the threatIntelSet.

To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.

MaxResults
Type: int

You can use this parameter to indicate the maximum number of items that you want in the response. The default value is 50. The maximum value is 50.

NextToken
Type: string

You can use this parameter to paginate results in the response. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.

Result Syntax

[
    'NextToken' => '<string>',
    'ThreatIntelSetIds' => ['<string>', ...],
]

Result Details

Members
NextToken
Type: string

The pagination parameter to be used on the next list operation to retrieve more items.

ThreatIntelSetIds
Required: Yes
Type: Array of strings

The IDs of the ThreatIntelSet resources.

Errors

BadRequestException:

A bad request exception object.

InternalServerErrorException:

An internal server error exception object.

StartMalwareScan

$result = $client->startMalwareScan([/* ... */]);
$promise = $client->startMalwareScanAsync([/* ... */]);

Initiates the malware scan. Invoking this API will automatically create the Service-linked role in the corresponding account.

When the malware scan starts, you can use the associated scan ID to track the status of the scan. For more information, see DescribeMalwareScans.

Parameter Syntax

$result = $client->startMalwareScan([
    'ResourceArn' => '<string>', // REQUIRED
]);

Parameter Details

Members
ResourceArn
Required: Yes
Type: string

Amazon Resource Name (ARN) of the resource for which you invoked the API.

Result Syntax

[
    'ScanId' => '<string>',
]

Result Details

Members
ScanId
Type: string

A unique identifier that gets generated when you invoke the API without any error. Each malware scan has a corresponding scan ID. Using this scan ID, you can monitor the status of your malware scan.

Errors

BadRequestException:

A bad request exception object.

ConflictException:

A request conflict exception object.

InternalServerErrorException:

An internal server error exception object.

StartMonitoringMembers

$result = $client->startMonitoringMembers([/* ... */]);
$promise = $client->startMonitoringMembersAsync([/* ... */]);

Turns on GuardDuty monitoring of the specified member accounts. Use this operation to restart monitoring of accounts that you stopped monitoring with the StopMonitoringMembers operation.

Parameter Syntax

$result = $client->startMonitoringMembers([
    'AccountIds' => ['<string>', ...], // REQUIRED
    'DetectorId' => '<string>', // REQUIRED
]);

Parameter Details

Members
AccountIds
Required: Yes
Type: Array of strings

A list of account IDs of the GuardDuty member accounts to start monitoring.

DetectorId
Required: Yes
Type: string

The unique ID of the detector of the GuardDuty administrator account associated with the member accounts to monitor.

To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.

Result Syntax

[
    'UnprocessedAccounts' => [
        [
            'AccountId' => '<string>',
            'Result' => '<string>',
        ],
        // ...
    ],
]

Result Details

Members
UnprocessedAccounts
Required: Yes
Type: Array of UnprocessedAccount structures

A list of objects that contain the unprocessed account and a result string that explains why it was unprocessed.

Errors

BadRequestException:

A bad request exception object.

InternalServerErrorException:

An internal server error exception object.

StopMonitoringMembers

$result = $client->stopMonitoringMembers([/* ... */]);
$promise = $client->stopMonitoringMembersAsync([/* ... */]);

Stops GuardDuty monitoring for the specified member accounts. Use the StartMonitoringMembers operation to restart monitoring for those accounts.

With autoEnableOrganizationMembers configuration for your organization set to ALL, you'll receive an error if you attempt to stop monitoring the member accounts in your organization.

Parameter Syntax

$result = $client->stopMonitoringMembers([
    'AccountIds' => ['<string>', ...], // REQUIRED
    'DetectorId' => '<string>', // REQUIRED
]);

Parameter Details

Members
AccountIds
Required: Yes
Type: Array of strings

A list of account IDs for the member accounts to stop monitoring.

DetectorId
Required: Yes
Type: string

The unique ID of the detector associated with the GuardDuty administrator account that is monitoring member accounts.

To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.

Result Syntax

[
    'UnprocessedAccounts' => [
        [
            'AccountId' => '<string>',
            'Result' => '<string>',
        ],
        // ...
    ],
]

Result Details

Members
UnprocessedAccounts
Required: Yes
Type: Array of UnprocessedAccount structures

A list of objects that contain an accountId for each account that could not be processed, and a result string that indicates why the account was not processed.

Errors

BadRequestException:

A bad request exception object.

InternalServerErrorException:

An internal server error exception object.

TagResource

$result = $client->tagResource([/* ... */]);
$promise = $client->tagResourceAsync([/* ... */]);

Adds tags to a resource.

Parameter Syntax

$result = $client->tagResource([
    'ResourceArn' => '<string>', // REQUIRED
    'Tags' => ['<string>', ...], // REQUIRED
]);

Parameter Details

Members
ResourceArn
Required: Yes
Type: string

The Amazon Resource Name (ARN) for the GuardDuty resource to apply a tag to.

Tags
Required: Yes
Type: Associative array of custom string keys (TagKey) to strings

The tags to be added to a resource.

Result Syntax

[]

Result Details

The results for this operation are always empty.

Errors

BadRequestException:

A bad request exception object.

AccessDeniedException:

An access denied exception object.

InternalServerErrorException:

An internal server error exception object.

UnarchiveFindings

$result = $client->unarchiveFindings([/* ... */]);
$promise = $client->unarchiveFindingsAsync([/* ... */]);

Unarchives GuardDuty findings specified by the findingIds.

Parameter Syntax

$result = $client->unarchiveFindings([
    'DetectorId' => '<string>', // REQUIRED
    'FindingIds' => ['<string>', ...], // REQUIRED
]);

Parameter Details

Members
DetectorId
Required: Yes
Type: string

The ID of the detector associated with the findings to unarchive.

To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.

FindingIds
Required: Yes
Type: Array of strings

The IDs of the findings to unarchive.

Result Syntax

[]

Result Details

The results for this operation are always empty.

Errors

BadRequestException:

A bad request exception object.

InternalServerErrorException:

An internal server error exception object.

UntagResource

$result = $client->untagResource([/* ... */]);
$promise = $client->untagResourceAsync([/* ... */]);

Removes tags from a resource.

Parameter Syntax

$result = $client->untagResource([
    'ResourceArn' => '<string>', // REQUIRED
    'TagKeys' => ['<string>', ...], // REQUIRED
]);

Parameter Details

Members
ResourceArn
Required: Yes
Type: string

The Amazon Resource Name (ARN) for the resource to remove tags from.

TagKeys
Required: Yes
Type: Array of strings

The tag keys to remove from the resource.

Result Syntax

[]

Result Details

The results for this operation are always empty.

Errors

BadRequestException:

A bad request exception object.

AccessDeniedException:

An access denied exception object.

InternalServerErrorException:

An internal server error exception object.

UpdateDetector

$result = $client->updateDetector([/* ... */]);
$promise = $client->updateDetectorAsync([/* ... */]);

Updates the GuardDuty detector specified by the detector ID.

Specifying both EKS Runtime Monitoring (EKS_RUNTIME_MONITORING) and Runtime Monitoring (RUNTIME_MONITORING) will cause an error. You can add only one of these two features because Runtime Monitoring already includes the threat detection for Amazon EKS resources. For more information, see Runtime Monitoring.

There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints.

Parameter Syntax

$result = $client->updateDetector([
    'DataSources' => [
        'Kubernetes' => [
            'AuditLogs' => [ // REQUIRED
                'Enable' => true || false, // REQUIRED
            ],
        ],
        'MalwareProtection' => [
            'ScanEc2InstanceWithFindings' => [
                'EbsVolumes' => true || false,
            ],
        ],
        'S3Logs' => [
            'Enable' => true || false, // REQUIRED
        ],
    ],
    'DetectorId' => '<string>', // REQUIRED
    'Enable' => true || false,
    'Features' => [
        [
            'AdditionalConfiguration' => [
                [
                    'Name' => 'EKS_ADDON_MANAGEMENT|ECS_FARGATE_AGENT_MANAGEMENT|EC2_AGENT_MANAGEMENT',
                    'Status' => 'ENABLED|DISABLED',
                ],
                // ...
            ],
            'Name' => 'S3_DATA_EVENTS|EKS_AUDIT_LOGS|EBS_MALWARE_PROTECTION|RDS_LOGIN_EVENTS|EKS_RUNTIME_MONITORING|LAMBDA_NETWORK_LOGS|RUNTIME_MONITORING',
            'Status' => 'ENABLED|DISABLED',
        ],
        // ...
    ],
    'FindingPublishingFrequency' => 'FIFTEEN_MINUTES|ONE_HOUR|SIX_HOURS',
]);

Parameter Details

Members
DataSources
Type: DataSourceConfigurations structure

Describes which data sources will be updated.

There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints.

DetectorId
Required: Yes
Type: string

The unique ID of the detector to update.

To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.

Enable
Type: boolean

Specifies whether the detector is enabled.

Features
Type: Array of DetectorFeatureConfiguration structures

Provides the features that will be updated for the detector.

FindingPublishingFrequency
Type: string

An enum value that specifies how frequently findings are exported, such as to CloudWatch Events.

Result Syntax

[]

Result Details

The results for this operation are always empty.

Errors

BadRequestException:

A bad request exception object.

InternalServerErrorException:

An internal server error exception object.
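As an added example that is not part of the SDK reference, the following builds the Features list for UpdateDetector so that Runtime Monitoring is enabled with its agent management options, and rejects locally any request that names both RUNTIME_MONITORING and EKS_RUNTIME_MONITORING, which the service would refuse as described above. It assumes Composer autoloading, default credentials in us-east-1, and a placeholder detector ID; the function name buildDetectorFeatures is the example's own.

```php
<?php
// Added example (not from the SDK reference): enable Runtime Monitoring and
// other features through the Features list rather than the older DataSources
// block. Assumes Composer autoloading and default credentials.
require 'vendor/autoload.php';

use Aws\GuardDuty\GuardDutyClient;
use Aws\Exception\AwsException;

/**
 * Turn a map of feature name => 'ENABLED'|'DISABLED' into the Features array.
 * RUNTIME_MONITORING already covers EKS, so the service errors when both it and
 * EKS_RUNTIME_MONITORING appear; fail fast here instead of round-tripping.
 */
function buildDetectorFeatures(array $statusByName): array
{
    $names = array_keys($statusByName);
    if (in_array('RUNTIME_MONITORING', $names, true)
        && in_array('EKS_RUNTIME_MONITORING', $names, true)) {
        throw new InvalidArgumentException(
            'RUNTIME_MONITORING and EKS_RUNTIME_MONITORING cannot be sent in one request');
    }

    // Agent management only applies to RUNTIME_MONITORING, so attach it there.
    $agentManagement = [
        ['Name' => 'EKS_ADDON_MANAGEMENT',         'Status' => 'ENABLED'],
        ['Name' => 'ECS_FARGATE_AGENT_MANAGEMENT', 'Status' => 'ENABLED'],
        ['Name' => 'EC2_AGENT_MANAGEMENT',         'Status' => 'ENABLED'],
    ];

    $features = [];
    foreach ($statusByName as $name => $status) {
        $feature = ['Name' => $name, 'Status' => $status];
        if ($name === 'RUNTIME_MONITORING' && $status === 'ENABLED') {
            $feature['AdditionalConfiguration'] = $agentManagement;
        }
        $features[] = $feature;
    }
    return $features;
}

$client = new GuardDutyClient(['version' => '2017-11-28', 'region' => 'us-east-1']);
$detectorId = 'REPLACE-WITH-DETECTOR-ID'; // placeholder; obtain it from ListDetectors

try {
    $client->updateDetector([
        'DetectorId' => $detectorId,
        'Enable'     => true,
        'Features'   => buildDetectorFeatures([
            'S3_DATA_EVENTS'      => 'ENABLED',
            'LAMBDA_NETWORK_LOGS' => 'ENABLED',
            'RUNTIME_MONITORING'  => 'ENABLED',
        ]),
        // Shortest supported export interval, so findings reach EventBridge quickly.
        'FindingPublishingFrequency' => 'FIFTEEN_MINUTES',
    ]);
    echo "Detector {$detectorId} updated\n";
} catch (AwsException $e) {
    // A conflicting feature set that slips past the local check arrives as BadRequestException.
    fwrite(STDERR, $e->getAwsErrorCode() . ': ' . $e->getAwsErrorMessage() . "\n");
    exit(1);
}
```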

UpdateFilter

$result = $client->updateFilter([/* ... */]);
$promise = $client->updateFilterAsync([/* ... */]);

Updates the filter specified by the filter name.

Parameter Syntax

$result = $client->updateFilter([
    'Action' => 'NOOP|ARCHIVE',
    'Description' => '<string>',
    'DetectorId' => '<string>', // REQUIRED
    'FilterName' => '<string>', // REQUIRED
    'FindingCriteria' => [
        'Criterion' => [
            '<String>' => [
                'Eq' => ['<string>', ...],
                'Equals' => ['<string>', ...],
                'GreaterThan' => <integer>,
                'GreaterThanOrEqual' => <integer>,
                'Gt' => <integer>,
                'Gte' => <integer>,
                'LessThan' => <integer>,
                'LessThanOrEqual' => <integer>,
                'Lt' => <integer>,
                'Lte' => <integer>,
                'Neq' => ['<string>', ...],
                'NotEquals' => ['<string>', ...],
            ],
            // ...
        ],
    ],
    'Rank' => <integer>,
]);

Parameter Details

Members
Action
Type: string

Specifies the action that is to be applied to the findings that match the filter.

Description
Type: string

The description of the filter. Valid characters include alphanumeric characters, and special characters such as hyphen, period, colon, underscore, parentheses ({ }, [ ], and ( )), forward slash, horizontal tab, vertical tab, newline, form feed, return, and whitespace.

DetectorId
Required: Yes
Type: string

The unique ID of the detector that specifies the GuardDuty service where you want to update a filter.

To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.

FilterName
Required: Yes
Type: string

The name of the filter.

FindingCriteria
Type: FindingCriteria structure

Represents the criteria to be used in the filter for querying findings.

Rank
Type: int

Specifies the position of the filter in the list of current filters. Also specifies the order in which this filter is applied to the findings.

Result Syntax

[
    'Name' => '<string>',
]

Result Details

Members
Name
Required: Yes
Type: string

The name of the filter.

Errors

BadRequestException:

A bad request exception object.

InternalServerErrorException:

An internal server error exception object.

UpdateFindingsFeedback

$result = $client->updateFindingsFeedback([/* ... */]);
$promise = $client->updateFindingsFeedbackAsync([/* ... */]);

Marks the specified GuardDuty findings as useful or not useful.

Parameter Syntax

$result = $client->updateFindingsFeedback([
    'Comments' => '<string>',
    'DetectorId' => '<string>', // REQUIRED
    'Feedback' => 'USEFUL|NOT_USEFUL', // REQUIRED
    'FindingIds' => ['<string>', ...], // REQUIRED
]);

Parameter Details

Members
Comments
Type: string

Additional feedback about the GuardDuty findings.

DetectorId
Required: Yes
Type: string

The ID of the detector that is associated with the findings for which you want to update the feedback.

To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.

Feedback
Required: Yes
Type: string

The feedback for the finding.

FindingIds
Required: Yes
Type: Array of strings

The IDs of the findings that you want to mark as useful or not useful.

Result Syntax

[]

Result Details

The results for this operation are always empty.

Errors

BadRequestException:

A bad request exception object.

InternalServerErrorException:

An internal server error exception object.

UpdateIPSet

$result = $client->updateIPSet([/* ... */]);
$promise = $client->updateIPSetAsync([/* ... */]);

Updates the IPSet specified by the IPSet ID.

Parameter Syntax

$result = $client->updateIPSet([
    'Activate' => true || false,
    'DetectorId' => '<string>', // REQUIRED
    'IpSetId' => '<string>', // REQUIRED
    'Location' => '<string>',
    'Name' => '<string>',
]);

Parameter Details

Members
Activate
Type: boolean

The updated Boolean value that specifies whether the IPSet is active or not.

DetectorId
Required: Yes
Type: string

The detectorID that specifies the GuardDuty service whose IPSet you want to update.

To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.

IpSetId
Required: Yes
Type: string

The unique ID that specifies the IPSet that you want to update.

Location
Type: string

The updated URI of the file that contains the IPSet.

Name
Type: string

The updated name of the IPSet.

Result Syntax

[]

Result Details

The results for this operation are always empty.

Errors

BadRequestException:

A bad request exception object.

InternalServerErrorException:

An internal server error exception object.

UpdateMalwareProtectionPlan

$result = $client->updateMalwareProtectionPlan([/* ... */]);
$promise = $client->updateMalwareProtectionPlanAsync([/* ... */]);

Updates an existing Malware Protection plan resource.

Parameter Syntax

$result = $client->updateMalwareProtectionPlan([
    'Actions' => [
        'Tagging' => [
            'Status' => 'ENABLED|DISABLED',
        ],
    ],
    'MalwareProtectionPlanId' => '<string>', // REQUIRED
    'ProtectedResource' => [
        'S3Bucket' => [
            'ObjectPrefixes' => ['<string>', ...],
        ],
    ],
    'Role' => '<string>',
]);

Parameter Details

Members
Actions

Information about whether the tags will be added to the S3 object after scanning.

MalwareProtectionPlanId
Required: Yes
Type: string

A unique identifier associated with the Malware Protection plan.

ProtectedResource
Type: UpdateProtectedResource structure

Information about the protected resource that is associated with the created Malware Protection plan. Presently, S3Bucket is the only supported protected resource.

Role
Type: string

Amazon Resource Name (ARN) of the IAM role with permissions to scan and add tags to the associated protected resource.

Result Syntax

[]

Result Details

The results for this operation are always empty.

Errors

BadRequestException:

A bad request exception object.

AccessDeniedException:

An access denied exception object.

ResourceNotFoundException:

The requested resource can't be found.

InternalServerErrorException:

An internal server error exception object.

UpdateMalwareScanSettings

$result = $client->updateMalwareScanSettings([/* ... */]);
$promise = $client->updateMalwareScanSettingsAsync([/* ... */]);

Updates the malware scan settings.

There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints.

Parameter Syntax

$result = $client->updateMalwareScanSettings([
    'DetectorId' => '<string>', // REQUIRED
    'EbsSnapshotPreservation' => 'NO_RETENTION|RETENTION_WITH_FINDING',
    'ScanResourceCriteria' => [
        'Exclude' => [
            '<ScanCriterionKey>' => [
                'MapEquals' => [ // REQUIRED
                    [
                        'Key' => '<string>', // REQUIRED
                        'Value' => '<string>',
                    ],
                    // ...
                ],
            ],
            // ...
        ],
        'Include' => [
            '<ScanCriterionKey>' => [
                'MapEquals' => [ // REQUIRED
                    [
                        'Key' => '<string>', // REQUIRED
                        'Value' => '<string>',
                    ],
                    // ...
                ],
            ],
            // ...
        ],
    ],
]);

Parameter Details

Members
DetectorId
Required: Yes
Type: string

The unique ID of the detector that specifies the GuardDuty service where you want to update scan settings.

To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.

EbsSnapshotPreservation
Type: string

An enum value representing possible snapshot preservation settings.

ScanResourceCriteria
Type: ScanResourceCriteria structure

Represents the criteria to be used in the filter for selecting resources to scan.

Result Syntax

[]

Result Details

The results for this operation are always empty.

Errors

BadRequestException:

A bad request exception object.

InternalServerErrorException:

An internal server error exception object.
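
The following is an added example, not code from the SDK reference or from AWS: it applies the two settings a responder usually wants from this operation, keeping the EBS snapshot whenever a scan produces a finding so the volume can be examined offline, and excluding instances that carry an out-of-scope tag, and then reads the settings back with GetMalwareScanSettings. The detector ID and tag values are placeholders; EC2_INSTANCE_TAG is the ScanCriterionKey value for instance tags.

```php
<?php
// Added example (not part of the SDK reference). Retain snapshots that
// produced findings and skip instances carrying an exclusion tag.
// Detector ID and tag key/values are placeholders.
require 'vendor/autoload.php';

use Aws\GuardDuty\GuardDutyClient;

/**
 * Apply the scan settings and return what GuardDuty reports afterwards.
 * $excludeTags is a list of ['Key' => ..., 'Value' => ...] pairs; an entry
 * without 'Value' matches any instance that carries the tag key at all.
 */
function configureMalwareScan(GuardDutyClient $client, string $detectorId, array $excludeTags): array
{
    $mapEquals = [];
    foreach ($excludeTags as $tag) {
        $entry = ['Key' => $tag['Key']];
        if (isset($tag['Value'])) {
            $entry['Value'] = $tag['Value'];
        }
        $mapEquals[] = $entry;
    }

    $client->updateMalwareScanSettings([
        'DetectorId' => $detectorId,
        // Keep the snapshot when the scan finds malware; with NO_RETENTION
        // the evidence is deleted as soon as the scan completes.
        'EbsSnapshotPreservation' => 'RETENTION_WITH_FINDING',
        'ScanResourceCriteria' => [
            'Exclude' => [
                'EC2_INSTANCE_TAG' => ['MapEquals' => $mapEquals],
            ],
        ],
    ]);

    $settings = $client->getMalwareScanSettings(['DetectorId' => $detectorId]);

    return [
        'EbsSnapshotPreservation' => $settings['EbsSnapshotPreservation'] ?? null,
        'Exclude' => $settings['ScanResourceCriteria']['Exclude'] ?? [],
    ];
}

$client = new GuardDutyClient([
    'region'  => 'us-east-1',   // placeholder Region
    'version' => '2017-11-28',
]);

$settings = configureMalwareScan(
    $client,
    '12abc34d567e8fa901bc2d34e56789f0',   // placeholder detector ID
    [
        ['Key' => 'GuardDutyMalwareScan', 'Value' => 'skip'],  // constructed tag
        ['Key' => 'ephemeral-build-runner'],                   // key-only match
    ]
);

echo json_encode($settings, JSON_PRETTY_PRINT), PHP_EOL;
```

Exclusion tags are a blind spot by design, so the tag used for them should be one that only an infrastructure pipeline can set; anyone who can tag an instance can otherwise opt it out of scanning.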

UpdateMemberDetectors

$result = $client->updateMemberDetectors([/* ... */]);
$promise = $client->updateMemberDetectorsAsync([/* ... */]);

Contains information on member accounts to be updated.

Specifying both EKS Runtime Monitoring (EKS_RUNTIME_MONITORING) and Runtime Monitoring (RUNTIME_MONITORING) will cause an error. You can add only one of these two features because Runtime Monitoring already includes the threat detection for Amazon EKS resources. For more information, see Runtime Monitoring.

There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints.

Parameter Syntax

$result = $client->updateMemberDetectors([
    'AccountIds' => ['<string>', ...], // REQUIRED
    'DataSources' => [
        'Kubernetes' => [
            'AuditLogs' => [ // REQUIRED
                'Enable' => true || false, // REQUIRED
            ],
        ],
        'MalwareProtection' => [
            'ScanEc2InstanceWithFindings' => [
                'EbsVolumes' => true || false,
            ],
        ],
        'S3Logs' => [
            'Enable' => true || false, // REQUIRED
        ],
    ],
    'DetectorId' => '<string>', // REQUIRED
    'Features' => [
        [
            'AdditionalConfiguration' => [
                [
                    'Name' => 'EKS_ADDON_MANAGEMENT|ECS_FARGATE_AGENT_MANAGEMENT|EC2_AGENT_MANAGEMENT',
                    'Status' => 'ENABLED|DISABLED',
                ],
                // ...
            ],
            'Name' => 'S3_DATA_EVENTS|EKS_AUDIT_LOGS|EBS_MALWARE_PROTECTION|RDS_LOGIN_EVENTS|EKS_RUNTIME_MONITORING|LAMBDA_NETWORK_LOGS|RUNTIME_MONITORING',
            'Status' => 'ENABLED|DISABLED',
        ],
        // ...
    ],
]);

Parameter Details

Members
AccountIds
Required: Yes
Type: Array of strings

A list of member account IDs to be updated.

DataSources
Type: DataSourceConfigurations structure

Describes which data sources will be updated.

DetectorId
Required: Yes
Type: string

The detector ID of the administrator account.

To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.

Features
Type: Array of MemberFeaturesConfiguration structures

A list of features that will be updated for the specified member accounts.

Result Syntax

[
    'UnprocessedAccounts' => [
        [
            'AccountId' => '<string>',
            'Result' => '<string>',
        ],
        // ...
    ],
]

Result Details

Members
UnprocessedAccounts
Required: Yes
Type: Array of UnprocessedAccount structures

A list of member account IDs that were unable to be processed along with an explanation for why they were not processed.

Errors

BadRequestException:

A bad request exception object.

InternalServerErrorException:

An internal server error exception object.
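
The following is an added example, not code from the SDK reference or from AWS: it enables Runtime Monitoring, with agent management handled by GuardDuty, on a list of existing member detectors, sends the accounts in batches, and collects the UnprocessedAccounts entries so that failures are reported rather than lost. The administrator detector ID and account IDs are placeholders, and the batch size of 50 is an assumption made here, not a limit taken from this page.

```php
<?php
// Added example (not part of the SDK reference). Enable Runtime Monitoring
// on existing members and report which accounts were not processed.
// Detector ID and account IDs are placeholders; the batch size is assumed.
require 'vendor/autoload.php';

use Aws\GuardDuty\GuardDutyClient;

// RUNTIME_MONITORING already includes EKS threat detection, so
// EKS_RUNTIME_MONITORING must not be sent in the same request (the API
// rejects the combination, as noted above).
const RUNTIME_MONITORING_FEATURE = [
    'Name'   => 'RUNTIME_MONITORING',
    'Status' => 'ENABLED',
    'AdditionalConfiguration' => [
        ['Name' => 'EKS_ADDON_MANAGEMENT',         'Status' => 'ENABLED'],
        ['Name' => 'ECS_FARGATE_AGENT_MANAGEMENT', 'Status' => 'ENABLED'],
        ['Name' => 'EC2_AGENT_MANAGEMENT',         'Status' => 'ENABLED'],
    ],
];

/**
 * Push $features to every member in $accountIds, $batchSize accounts per
 * call, and return accountId => reason for each account GuardDuty could
 * not update (for example a member that has not accepted its invitation).
 */
function enableFeaturesOnMembers(
    GuardDutyClient $client,
    string $adminDetectorId,
    array $accountIds,
    array $features,
    int $batchSize = 50
): array {
    $unprocessed = [];
    foreach (array_chunk($accountIds, $batchSize) as $batch) {
        $result = $client->updateMemberDetectors([
            'DetectorId' => $adminDetectorId,
            'AccountIds' => $batch,
            'Features'   => $features,
        ]);
        foreach ($result['UnprocessedAccounts'] as $entry) {
            $unprocessed[$entry['AccountId']] = $entry['Result'];
        }
    }
    return $unprocessed;
}

$client = new GuardDutyClient([
    'region'  => 'us-east-1',   // placeholder Region
    'version' => '2017-11-28',
]);

$failed = enableFeaturesOnMembers(
    $client,
    '12abc34d567e8fa901bc2d34e56789f0',             // placeholder admin detector ID
    ['111122223333', '444455556666', '777788889999'], // placeholder member accounts
    [RUNTIME_MONITORING_FEATURE]
);

foreach ($failed as $accountId => $reason) {
    fwrite(STDERR, "not updated: $accountId ($reason)\n");
}
exit($failed === [] ? 0 : 1);
```

Treating a non-empty UnprocessedAccounts list as a failure exit is the point of the wrapper: the call itself succeeds even when some members were skipped, so a job that only checks for exceptions would report full coverage it does not have.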

UpdateOrganizationConfiguration

$result = $client->updateOrganizationConfiguration([/* ... */]);
$promise = $client->updateOrganizationConfigurationAsync([/* ... */]);

Configures the delegated administrator account with the provided values. You must provide a value for either autoEnableOrganizationMembers or autoEnable, but not both.

Specifying both EKS Runtime Monitoring (EKS_RUNTIME_MONITORING) and Runtime Monitoring (RUNTIME_MONITORING) will cause an error. You can add only one of these two features because Runtime Monitoring already includes the threat detection for Amazon EKS resources. For more information, see Runtime Monitoring.

There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints.

Parameter Syntax

$result = $client->updateOrganizationConfiguration([
    'AutoEnable' => true || false,
    'AutoEnableOrganizationMembers' => 'NEW|ALL|NONE',
    'DataSources' => [
        'Kubernetes' => [
            'AuditLogs' => [ // REQUIRED
                'AutoEnable' => true || false, // REQUIRED
            ],
        ],
        'MalwareProtection' => [
            'ScanEc2InstanceWithFindings' => [
                'EbsVolumes' => [
                    'AutoEnable' => true || false,
                ],
            ],
        ],
        'S3Logs' => [
            'AutoEnable' => true || false, // REQUIRED
        ],
    ],
    'DetectorId' => '<string>', // REQUIRED
    'Features' => [
        [
            'AdditionalConfiguration' => [
                [
                    'AutoEnable' => 'NEW|NONE|ALL',
                    'Name' => 'EKS_ADDON_MANAGEMENT|ECS_FARGATE_AGENT_MANAGEMENT|EC2_AGENT_MANAGEMENT',
                ],
                // ...
            ],
            'AutoEnable' => 'NEW|NONE|ALL',
            'Name' => 'S3_DATA_EVENTS|EKS_AUDIT_LOGS|EBS_MALWARE_PROTECTION|RDS_LOGIN_EVENTS|EKS_RUNTIME_MONITORING|LAMBDA_NETWORK_LOGS|RUNTIME_MONITORING',
        ],
        // ...
    ],
]);

Parameter Details

Members
AutoEnable
Type: boolean

Represents whether to automatically enable member accounts in the organization. This applies to only new member accounts, not the existing member accounts. When a new account joins the organization, the chosen features will be enabled for them by default.

Even though this is still supported, we recommend using AutoEnableOrganizationMembers to achieve similar results. You must provide a value for either autoEnableOrganizationMembers or autoEnable.

AutoEnableOrganizationMembers
Type: string

Indicates the auto-enablement configuration of GuardDuty for the member accounts in the organization. You must provide a value for either autoEnableOrganizationMembers or autoEnable.

Use one of the following configuration values for autoEnableOrganizationMembers:

  • NEW: Indicates that when a new account joins the organization, it will have GuardDuty enabled automatically.

  • ALL: Indicates that all accounts in the organization have GuardDuty enabled automatically. This includes NEW accounts that join the organization and accounts that may have been suspended or removed from the organization in GuardDuty.

    It may take up to 24 hours to update the configuration for all the member accounts.

  • NONE: Indicates that GuardDuty will not be automatically enabled for any account in the organization. The administrator must manage GuardDuty for each account in the organization individually.

    When you update the auto-enable setting from ALL or NEW to NONE, this action doesn't disable the corresponding option for your existing accounts. This configuration will apply to the new accounts that join the organization. After you update the auto-enable settings, no new account will have the corresponding option as enabled.

DataSources

Describes which data sources will be updated.

DetectorId
Required: Yes
Type: string

The ID of the detector that configures the delegated administrator.

To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.

Features
Type: Array of OrganizationFeatureConfiguration structures

A list of features that will be configured for the organization.

Result Syntax

[]

Result Details

The results for this operation are always empty.

Errors

BadRequestException:

A bad request exception object.

InternalServerErrorException:

An internal server error exception object.
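
The following is an added example, not code from the SDK reference or from AWS: it sets the delegated administrator's organization configuration so that all current and future members get GuardDuty with Runtime Monitoring, sending only AutoEnableOrganizationMembers (not AutoEnable, since the two are mutually exclusive) and omitting EKS_RUNTIME_MONITORING, then reads the result back with DescribeOrganizationConfiguration. The detector ID is a placeholder.

```php
<?php
// Added example (not part of the SDK reference). Auto-enable GuardDuty and
// Runtime Monitoring for every member of the organization and verify.
// Detector ID is a placeholder.
require 'vendor/autoload.php';

use Aws\GuardDuty\GuardDutyClient;

/**
 * Configure auto-enablement for the organization and return the persisted
 * configuration as a compact map for comparison.
 */
function autoEnableRuntimeMonitoring(GuardDutyClient $client, string $detectorId): array
{
    $client->updateOrganizationConfiguration([
        'DetectorId' => $detectorId,
        // Exactly one of AutoEnable / AutoEnableOrganizationMembers may be
        // given. ALL covers existing members as well as future ones; NEW
        // would leave existing members untouched.
        'AutoEnableOrganizationMembers' => 'ALL',
        'Features' => [
            [
                'Name'       => 'RUNTIME_MONITORING',
                'AutoEnable' => 'ALL',
                'AdditionalConfiguration' => [
                    ['Name' => 'EKS_ADDON_MANAGEMENT',         'AutoEnable' => 'ALL'],
                    ['Name' => 'ECS_FARGATE_AGENT_MANAGEMENT', 'AutoEnable' => 'ALL'],
                    ['Name' => 'EC2_AGENT_MANAGEMENT',         'AutoEnable' => 'ALL'],
                ],
            ],
            // Deliberately no EKS_RUNTIME_MONITORING entry: combining it with
            // RUNTIME_MONITORING is rejected, as the operation notes state.
        ],
    ]);

    $config = $client->describeOrganizationConfiguration(['DetectorId' => $detectorId]);

    $features = [];
    foreach ($config['Features'] ?? [] as $feature) {
        $features[$feature['Name']] = $feature['AutoEnable'];
    }

    return [
        'AutoEnableOrganizationMembers' => $config['AutoEnableOrganizationMembers'] ?? null,
        'Features' => $features,
    ];
}

$client = new GuardDutyClient([
    'region'  => 'us-east-1',   // placeholder Region
    'version' => '2017-11-28',
]);

$config = autoEnableRuntimeMonitoring(
    $client,
    '12abc34d567e8fa901bc2d34e56789f0'   // placeholder detector ID
);

echo json_encode($config, JSON_PRETTY_PRINT), PHP_EOL;
```

The read-back matters here because, as the AutoEnableOrganizationMembers notes above say, applying ALL to every member can take up to 24 hours; the configuration value is what you can verify immediately, while per-account coverage has to be checked separately.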

UpdatePublishingDestination

$result = $client->updatePublishingDestination([/* ... */]);
$promise = $client->updatePublishingDestinationAsync([/* ... */]);

Updates information about the publishing destination specified by the destinationId.

Parameter Syntax

$result = $client->updatePublishingDestination([
    'DestinationId' => '<string>', // REQUIRED
    'DestinationProperties' => [
        'DestinationArn' => '<string>',
        'KmsKeyArn' => '<string>',
    ],
    'DetectorId' => '<string>', // REQUIRED
]);

Parameter Details

Members
DestinationId
Required: Yes
Type: string

The ID of the publishing destination to update.

DestinationProperties
Type: DestinationProperties structure

A DestinationProperties object that includes the DestinationArn and KmsKeyArn of the publishing destination.

DetectorId
Required: Yes
Type: string

The ID of the detector associated with the publishing destinations to update.

To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.

Result Syntax

[]

Result Details

The results for this operation are always empty.

Errors

BadRequestException:

A bad request exception object.

InternalServerErrorException:

An internal server error exception object.
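
The following is an added example, not code from the SDK reference or from AWS: it changes the KMS key on an existing findings export destination while keeping its bucket, then checks the destination status with DescribePublishingDestination, because a key whose policy does not grant GuardDuty access stops the export without raising an error on this call. The detector ID, destination ID and key ARN are placeholders.

```php
<?php
// Added example (not part of the SDK reference). Rotate the KMS key on a
// publishing destination and confirm GuardDuty is still publishing.
// Detector ID, destination ID and KMS key ARN are placeholders.
require 'vendor/autoload.php';

use Aws\GuardDuty\GuardDutyClient;

/**
 * Re-point the destination at $newKmsKeyArn, keeping the existing
 * DestinationArn, and return the status GuardDuty reports afterwards.
 * Any status other than PUBLISHING means findings export has stopped.
 */
function rotatePublishingKey(
    GuardDutyClient $client,
    string $detectorId,
    string $destinationId,
    string $newKmsKeyArn
): array {
    $before = $client->describePublishingDestination([
        'DetectorId'    => $detectorId,
        'DestinationId' => $destinationId,
    ]);

    $client->updatePublishingDestination([
        'DetectorId'    => $detectorId,
        'DestinationId' => $destinationId,
        'DestinationProperties' => [
            // Keep the current bucket; only the key changes.
            'DestinationArn' => $before['DestinationProperties']['DestinationArn'],
            'KmsKeyArn'      => $newKmsKeyArn,
        ],
    ]);

    $after = $client->describePublishingDestination([
        'DetectorId'    => $detectorId,
        'DestinationId' => $destinationId,
    ]);

    return [
        'Status'          => $after['Status'],
        'DestinationType' => $after['DestinationType'],
        'PublishingFailureStartTimestamp' => $after['PublishingFailureStartTimestamp'] ?? null,
    ];
}

$client = new GuardDutyClient([
    'region'  => 'us-east-1',   // placeholder Region
    'version' => '2017-11-28',
]);

$state = rotatePublishingKey(
    $client,
    '12abc34d567e8fa901bc2d34e56789f0',                                   // placeholder detector ID
    'a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6',                                   // placeholder destination ID
    'arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000' // placeholder key ARN
);

if ($state['Status'] !== 'PUBLISHING') {
    fwrite(STDERR, "export is not healthy: {$state['Status']}\n");
    exit(1);
}
echo "findings export healthy ({$state['DestinationType']})\n";
```

Checking the status immediately after the update gives an early signal, but the destination can also degrade later (for instance if the key policy is changed afterwards), so the same DescribePublishingDestination check belongs in periodic monitoring as well.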

UpdateThreatIntelSet

$result = $client->updateThreatIntelSet([/* ... */]);
$promise = $client->updateThreatIntelSetAsync([/* ... */]);

Updates the ThreatIntelSet specified by the ThreatIntelSet ID.

Parameter Syntax

$result = $client->updateThreatIntelSet([
    'Activate' => true || false,
    'DetectorId' => '<string>', // REQUIRED
    'Location' => '<string>',
    'Name' => '<string>',
    'ThreatIntelSetId' => '<string>', // REQUIRED
]);

Parameter Details

Members
Activate
Type: boolean

The updated Boolean value that specifies whether the ThreatIntelSet is active or not.

DetectorId
Required: Yes
Type: string

The detectorID that specifies the GuardDuty service whose ThreatIntelSet you want to update.

To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.

Location
Type: string

The updated URI of the file that contains the ThreatIntelSet.

Name
Type: string

The updated name of the ThreatIntelSet.

ThreatIntelSetId
Required: Yes
Type: string

The unique ID that specifies the ThreatIntelSet that you want to update.

Result Syntax

[]

Result Details

The results for this operation are always empty.

Errors

BadRequestException:

A bad request exception object.

InternalServerErrorException:

An internal server error exception object.
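
The following is an added example, not code from the SDK reference or from AWS: it points a ThreatIntelSet at a newly uploaded list, activates it, and polls GetThreatIntelSet until the set is ACTIVE or GuardDuty reports ERROR (typically a list in the wrong format), because the update call returns before the file has been loaded. UpdateIPSet and GetIPSet take the same shape of parameters (IpSetId in place of ThreatIntelSetId) and report the same Status values, so the same pattern applies to trusted IP lists. The detector ID, set ID and S3 URI are placeholders.

```php
<?php
// Added example (not part of the SDK reference). Rotate a ThreatIntelSet to
// a new list, activate it, and wait for GuardDuty to load it.
// Detector ID, set ID and S3 URI are placeholders.
require 'vendor/autoload.php';

use Aws\GuardDuty\GuardDutyClient;

/**
 * Update the set's Location, activate it, and return the final Status
 * (ACTIVE on success, ERROR if the list could not be loaded, or the last
 * observed status if $maxWaitSeconds elapses while still ACTIVATING).
 */
function rotateThreatIntelSet(
    GuardDutyClient $client,
    string $detectorId,
    string $setId,
    string $location,
    int $maxWaitSeconds = 120
): string {
    $client->updateThreatIntelSet([
        'DetectorId'       => $detectorId,
        'ThreatIntelSetId' => $setId,
        'Location'         => $location,   // URI of the newly uploaded list
        'Activate'         => true,
    ]);

    $deadline = time() + $maxWaitSeconds;
    do {
        $set = $client->getThreatIntelSet([
            'DetectorId'       => $detectorId,
            'ThreatIntelSetId' => $setId,
        ]);
        $status = $set['Status'];
        // ACTIVATING is transient; everything else is a terminal answer.
        if ($status !== 'ACTIVATING') {
            return $status;
        }
        sleep(5);
    } while (time() < $deadline);

    return $status;
}

$client = new GuardDutyClient([
    'region'  => 'us-east-1',   // placeholder Region
    'version' => '2017-11-28',
]);

$status = rotateThreatIntelSet(
    $client,
    '12abc34d567e8fa901bc2d34e56789f0',                       // placeholder detector ID
    'b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7',                       // placeholder ThreatIntelSet ID
    's3://example-threat-intel-bucket/lists/2024-06-01.txt'   // placeholder location
);

if ($status !== 'ACTIVE') {
    fwrite(STDERR, "threat intel set did not activate: $status\n");
    exit(1);
}
echo "threat intel set active\n";
```

Failing the job on anything but ACTIVE is the important part: a set left in ERROR produces no findings for the indicators it was meant to cover, and nothing else in the pipeline will notice.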

Shapes

AccessControlList

Description

Contains information on the current access control policies for the bucket.

Members
AllowsPublicReadAccess
Type: boolean

A value that indicates whether public read access for the bucket is enabled through an Access Control List (ACL).

AllowsPublicWriteAccess
Type: boolean

A value that indicates whether public write access for the bucket is enabled through an Access Control List (ACL).

AccessDeniedException

Description

An access denied exception object.

Members
Message
Type: string

The error message.

Type
Type: string

The error type.

AccessKey

Description

Contains information about the access keys.

Members
PrincipalId
Type: string

Principal ID of the user.

UserName
Type: string

Name of the user.

UserType
Type: string

Type of the user.

AccessKeyDetails

Description

Contains information about the access keys.

Members
AccessKeyId
Type: string

The access key ID of the user.

PrincipalId
Type: string

The principal ID of the user.

UserName
Type: string

The name of the user.

UserType
Type: string

The type of the user.

Account

Description

Contains information about the account.

Members
Name
Type: string

Name of the member's Amazon Web Services account.

Uid
Required: Yes
Type: string

ID of the member's Amazon Web Services account.

AccountDetail

Description

Contains information about the account.

Members
AccountId
Required: Yes
Type: string

The member account ID.

Email
Required: Yes
Type: string

The email address of the member account.

AccountFreeTrialInfo

Description

Provides details of the GuardDuty member account that uses a free trial service.

Members
AccountId
Type: string

The account identifier of the GuardDuty member account.

DataSources
Type: DataSourcesFreeTrial structure

Describes the data source enabled for the GuardDuty member account.

Features
Type: Array of FreeTrialFeatureConfigurationResult structures

A list of features enabled for the GuardDuty account.

AccountLevelPermissions

Description

Contains information about the account level permissions on the S3 bucket.

Members
BlockPublicAccess
Type: BlockPublicAccess structure

Describes the S3 Block Public Access settings of the bucket's parent account.

AccountStatistics

Description

Represents one entry in a list that maps each account to the number of findings associated with it.

Members
AccountId
Type: string

The ID of the Amazon Web Services account.

LastGeneratedAt
Type: timestamp (string|DateTime or anything parsable by strtotime)

The timestamp at which the finding for this account was last generated.

TotalFindings
Type: int

The total number of findings associated with an account.

Action

Description

Contains information about actions.

Members
ActionType
Type: string

The GuardDuty finding activity type.

AwsApiCallAction
Type: AwsApiCallAction structure

Information about the AWS_API_CALL action described in this finding.

DnsRequestAction
Type: DnsRequestAction structure

Information about the DNS_REQUEST action described in this finding.

KubernetesApiCallAction
Type: KubernetesApiCallAction structure

Information about the Kubernetes API call action described in this finding.

KubernetesPermissionCheckedDetails

Information whether the user has the permission to use a specific Kubernetes API.

KubernetesRoleBindingDetails

Information about the role binding that grants the permission defined in a Kubernetes role.

KubernetesRoleDetails
Type: KubernetesRoleDetails structure

Information about the Kubernetes role name and role type.

NetworkConnectionAction
Type: NetworkConnectionAction structure

Information about the NETWORK_CONNECTION action described in this finding.

PortProbeAction
Type: PortProbeAction structure

Information about the PORT_PROBE action described in this finding.

RdsLoginAttemptAction
Type: RdsLoginAttemptAction structure

Information about the RDS_LOGIN_ATTEMPT action described in this finding.

Actor

Description

Information about the actors involved in an attack sequence.

Members
Id
Required: Yes
Type: string

ID of the threat actor.

Session
Type: Session structure

Contains information about the user session in which the activity was initiated.

User
Type: User structure

Contains information about the user credentials used by the threat actor.

AddonDetails

Description

Information about the installed EKS add-on (GuardDuty security agent).

Members
AddonStatus
Type: string

Status of the installed EKS add-on.

AddonVersion
Type: string

Version of the installed EKS add-on.

AdminAccount

Description

The account within the organization specified as the GuardDuty delegated administrator.

Members
AdminAccountId
Type: string

The Amazon Web Services account ID for the account.

AdminStatus
Type: string

Indicates whether the account is enabled as the delegated administrator.

Administrator

Description

Contains information about the administrator account and invitation.

Members
AccountId
Type: string

The ID of the account used as the administrator account.

InvitationId
Type: string

The value that is used to validate the administrator account to the member account.

InvitedAt
Type: string

The timestamp when the invitation was sent.

RelationshipStatus
Type: string

The status of the relationship between the administrator and member accounts.

AgentDetails

Description

Information about the installed GuardDuty security agent.

Members
Version
Type: string

Version of the installed GuardDuty security agent.

Anomaly

Description

Contains information about the anomalies.

Members
Profiles
Type: Associative array of custom string keys (String) to maps

Information about the types of profiles.

Unusual
Type: AnomalyUnusual structure

Information about the behavior of the anomalies.

AnomalyObject

Description

Contains information about the unusual anomalies.

Members
Observations
Type: Observations structure

The recorded value.

ProfileSubtype
Type: string

The frequency of the anomaly.

ProfileType
Type: string

The type of behavior of the profile.

AnomalyUnusual

Description

Contains information about the behavior of the anomaly that is new to GuardDuty.

Members
Behavior
Type: Associative array of custom string keys (String) to AnomalyObject structures

The behavior of the anomalous activity that caused GuardDuty to generate the finding.

AutonomousSystem

Description

Contains information about the Autonomous System (AS) associated with the network endpoints involved in an attack sequence.

Members
Name
Required: Yes
Type: string

Name associated with the Autonomous System (AS).

Number
Required: Yes
Type: int

The unique number that identifies the Autonomous System (AS).

AwsApiCallAction

Description

Contains information about the API action.

Members
AffectedResources
Type: Associative array of custom string keys (String) to strings

Identifies the resources that were affected by this API call.

Api
Type: string

The Amazon Web Services API name.

CallerType
Type: string

The Amazon Web Services API caller type.

DomainDetails
Type: DomainDetails structure

The domain information for the Amazon Web Services API call.

ErrorCode
Type: string

The error code of the failed Amazon Web Services API action.

RemoteAccountDetails
Type: RemoteAccountDetails structure

The details of the Amazon Web Services account that made the API call. This field appears if the call was made from outside your account.

RemoteIpDetails
Type: RemoteIpDetails structure

The remote IP information of the connection that initiated the Amazon Web Services API call.

ServiceName
Type: string

The Amazon Web Services service name whose API was invoked.

UserAgent
Type: string

The agent through which the API request was made.

BadRequestException

Description

A bad request exception object.

Members
Message
Type: string

The error message.

Type
Type: string

The error type.

BlockPublicAccess

Description

Contains information on how the bucket owner's S3 Block Public Access settings are being applied to the S3 bucket. See S3 Block Public Access for more information.

Members
BlockPublicAcls
Type: boolean

Indicates if S3 Block Public Access is set to BlockPublicAcls.

BlockPublicPolicy
Type: boolean

Indicates if S3 Block Public Access is set to BlockPublicPolicy.

IgnorePublicAcls
Type: boolean

Indicates if S3 Block Public Access is set to IgnorePublicAcls.

RestrictPublicBuckets
Type: boolean

Indicates if S3 Block Public Access is set to RestrictPublicBuckets.

BucketLevelPermissions

Description

Contains information about the bucket level permissions for the S3 bucket.

Members
AccessControlList
Type: AccessControlList structure

Contains information on how Access Control Policies are applied to the bucket.

BlockPublicAccess
Type: BlockPublicAccess structure

Contains information on which account level S3 Block Public Access settings are applied to the S3 bucket.

BucketPolicy
Type: BucketPolicy structure

Contains information on the bucket policies for the S3 bucket.

BucketPolicy

Description

Contains information on the current bucket policies for the S3 bucket.

Members
AllowsPublicReadAccess
Type: boolean

A value that indicates whether public read access for the bucket is enabled through a bucket policy.

AllowsPublicWriteAccess
Type: boolean

A value that indicates whether public write access for the bucket is enabled through a bucket policy.

City

Description

Contains information about the city associated with the IP address.

Members
CityName
Type: string

The city name of the remote IP address.

CloudTrailConfigurationResult

Description

Contains information on the status of CloudTrail as a data source for the detector.

Members
Status
Required: Yes
Type: string

Describes whether CloudTrail is enabled as a data source for the detector.

Condition

Description

Contains information about the condition.

Members
Eq
Type: Array of strings

Represents the equal condition to be applied to a single field when querying for findings.

Equals
Type: Array of strings

Represents an equal condition to be applied to a single field when querying for findings.

GreaterThan
Type: long (int|float)

Represents a greater than condition to be applied to a single field when querying for findings.

GreaterThanOrEqual
Type: long (int|float)

Represents a greater than or equal condition to be applied to a single field when querying for findings.

Gt
Type: int

Represents a greater than condition to be applied to a single field when querying for findings.

Gte
Type: int

Represents a greater than or equal condition to be applied to a single field when querying for findings.

LessThan
Type: long (int|float)

Represents a less than condition to be applied to a single field when querying for findings.

LessThanOrEqual
Type: long (int|float)

Represents a less than or equal condition to be applied to a single field when querying for findings.

Lt
Type: int

Represents a less than condition to be applied to a single field when querying for findings.

Lte
Type: int

Represents a less than or equal condition to be applied to a single field when querying for findings.

Neq
Type: Array of strings

Represents the not equal condition to be applied to a single field when querying for findings.

NotEquals
Type: Array of strings

Represents a not equal condition to be applied to a single field when querying for findings.

ConflictException

Description

A request conflict exception object.

Members
Message
Type: string

The error message.

Type
Type: string

The error type.

Container

Description

Details of a container.

Members
ContainerRuntime
Type: string

The container runtime (such as Docker or containerd) used to run the container.

Id
Type: string

Container ID.

Image
Type: string

Container image.

ImagePrefix
Type: string

Part of the image name before the last slash. For example, imagePrefix for public.ecr.aws/amazonlinux/amazonlinux:latest would be public.ecr.aws/amazonlinux. If the image name is relative and does not have a slash, this field is empty.

Name
Type: string

Container name.

SecurityContext
Type: SecurityContext structure

Container security context.

VolumeMounts
Type: Array of VolumeMount structures

Container volume mounts.

ContainerInstanceDetails

Description

Contains information about the Amazon EC2 instance that is running the Amazon ECS container.

Members
CompatibleContainerInstances
Type: long (int|float)

Represents the total number of nodes in the Amazon ECS cluster.

CoveredContainerInstances
Type: long (int|float)

Represents the nodes in the Amazon ECS cluster that have a HEALTHY coverage status.

Country

Description

Contains information about the country where the remote IP address is located.

Members
CountryCode
Type: string

The country code of the remote IP address.

CountryName
Type: string

The country name of the remote IP address.

CoverageEc2InstanceDetails

Description

Contains information about the Amazon EC2 instance runtime coverage details.

Members
AgentDetails
Type: AgentDetails structure

Information about the installed security agent.

ClusterArn
Type: string

The cluster ARN of the Amazon ECS cluster running on the Amazon EC2 instance.

InstanceId
Type: string

The Amazon EC2 instance ID.

InstanceType
Type: string

The instance type of the Amazon EC2 instance.

ManagementType
Type: string

Indicates how the GuardDuty security agent is managed for this resource.

  • AUTO_MANAGED indicates that GuardDuty deploys and manages updates for this resource.

  • MANUAL indicates that you are responsible for deploying, updating, and managing the GuardDuty security agent for this resource.

The DISABLED status doesn't apply to Amazon EC2 instances and Amazon EKS clusters.

CoverageEcsClusterDetails

Description

Contains information about Amazon ECS cluster runtime coverage details.

Members
ClusterName
Type: string

The name of the Amazon ECS cluster.

ContainerInstanceDetails
Type: ContainerInstanceDetails structure

Information about the Amazon ECS container running on an Amazon EC2 instance.

FargateDetails
Type: FargateDetails structure

Information about the Fargate details associated with the Amazon ECS cluster.

CoverageEksClusterDetails

Description

Information about the EKS cluster that has a coverage status.

Members
AddonDetails
Type: AddonDetails structure

Information about the installed EKS add-on.

ClusterName
Type: string

Name of the EKS cluster.

CompatibleNodes
Type: long (int|float)

Represents all the nodes within the EKS cluster in your account.

CoveredNodes
Type: long (int|float)

Represents the nodes within the EKS cluster that have a HEALTHY coverage status.

ManagementType
Type: string

Indicates how the Amazon EKS add-on GuardDuty agent is managed for this EKS cluster.

  • AUTO_MANAGED indicates that GuardDuty deploys and manages updates for this resource.

  • MANUAL indicates that you are responsible for deploying, updating, and managing the Amazon EKS add-on GuardDuty agent for this resource.

CoverageFilterCondition

Description

Represents a condition; resources that match it are included in the response of the operation.

Members
Equals
Type: Array of strings

Represents an equal condition that is applied to a single field while retrieving the coverage details.

NotEquals
Type: Array of strings

Represents a not equal condition that is applied to a single field while retrieving the coverage details.

CoverageFilterCriteria

Description

Represents the criteria used in the filter.

Members
FilterCriterion
Type: Array of CoverageFilterCriterion structures

Represents a condition; resources that match it are included in the response of the operation.

CoverageFilterCriterion

Description

Represents a condition; resources that match it are included in the response of the operation.

Members
CriterionKey
Type: string

An enum value representing possible filter fields.

Replace the enum value CLUSTER_NAME with EKS_CLUSTER_NAME. CLUSTER_NAME has been deprecated.

FilterCondition
Type: CoverageFilterCondition structure

Contains information about the condition.

CoverageResource

Description

Information about the resource of the GuardDuty account.

Members
AccountId
Type: string

The unique ID of the Amazon Web Services account.

CoverageStatus
Type: string

Represents the status of the EKS cluster coverage.

DetectorId
Type: string

The unique ID of the GuardDuty detector associated with the resource.

Issue
Type: string

Represents the reason why a coverage status was UNHEALTHY for the EKS cluster.

ResourceDetails
Type: CoverageResourceDetails structure

Information about the resource for which the coverage statistics are retrieved.

ResourceId
Type: string

The unique ID of the resource.

UpdatedAt
Type: timestamp (string|DateTime or anything parsable by strtotime)

The timestamp at which the coverage details for the resource were last updated. This is in UTC format.

CoverageResourceDetails

Description

Information about the resource for each individual EKS cluster.

Members
Ec2InstanceDetails
Type: CoverageEc2InstanceDetails structure

Information about the Amazon EC2 instance assessed for runtime coverage.

EcsClusterDetails
Type: CoverageEcsClusterDetails structure

Information about the Amazon ECS cluster that is assessed for runtime coverage.

EksClusterDetails
Type: CoverageEksClusterDetails structure

EKS cluster details involved in the coverage statistics.

ResourceType
Type: string

The type of Amazon Web Services resource.

CoverageSortCriteria

Description

Information about the sorting criteria used in the coverage statistics.

Members
AttributeName
Type: string

Represents the field name used to sort the coverage details.

Replace the enum value CLUSTER_NAME with EKS_CLUSTER_NAME. CLUSTER_NAME has been deprecated.

OrderBy
Type: string

The order in which the sorted findings are to be displayed.
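As an added example that is not part of the SDK reference, the following PHP code uses the CoverageFilterCriteria, CoverageSortCriteria and CoverageResource shapes above to pull every runtime-coverage resource whose status is UNHEALTHY and group the results by Issue, following NextToken until the listing is exhausted. The detector ID and region are placeholders, and the CriterionKey COVERAGE_STATUS and sort key UPDATED_AT are assumed to be among the enum values that ListCoverage accepts.

```php
<?php
// Added example, not code from the SDK reference: report GuardDuty
// runtime-coverage gaps grouped by the reported Issue.
require 'vendor/autoload.php';

use Aws\GuardDuty\GuardDutyClient;

/**
 * Returns ['<Issue text>' => [ [AccountId, ResourceId, ResourceType, UpdatedAt], ... ]]
 * for every resource whose CoverageStatus is UNHEALTHY.
 */
function unhealthyCoverageByIssue(GuardDutyClient $client, string $detectorId): array
{
    $params = [
        'DetectorId' => $detectorId,
        'FilterCriteria' => [
            'FilterCriterion' => [
                [
                    // Assumed enum value; to filter on a cluster name, use
                    // EKS_CLUSTER_NAME rather than the deprecated CLUSTER_NAME.
                    'CriterionKey'    => 'COVERAGE_STATUS',
                    'FilterCondition' => ['Equals' => ['UNHEALTHY']],
                ],
            ],
        ],
        // Assumed sort key: most recently updated coverage entries first.
        'SortCriteria' => ['AttributeName' => 'UPDATED_AT', 'OrderBy' => 'DESC'],
        'MaxResults'   => 50,
    ];

    $byIssue = [];
    do {
        $result = $client->listCoverage($params);
        foreach ($result['Resources'] ?? [] as $resource) {
            $issue   = $resource['Issue'] ?? 'UNKNOWN';
            $details = $resource['ResourceDetails'] ?? [];
            $updated = $resource['UpdatedAt'] ?? null;
            if ($updated instanceof \DateTimeInterface) {
                // Timestamps come back as DateTime objects in UTC.
                $updated = $updated->format(DATE_ATOM);
            }
            $byIssue[$issue][] = [
                'AccountId'    => $resource['AccountId'] ?? null,
                'ResourceId'   => $resource['ResourceId'] ?? null,
                'ResourceType' => $details['ResourceType'] ?? null,
                'UpdatedAt'    => $updated,
            ];
        }
        // Continue paging until the service stops returning a NextToken.
        $params['NextToken'] = $result['NextToken'] ?? null;
    } while (!empty($params['NextToken']));

    return $byIssue;
}

// Placeholder region and detector ID; substitute your own.
$client = new GuardDutyClient(['region' => 'us-east-1', 'version' => '2017-11-28']);
$report = unhealthyCoverageByIssue($client, 'YOUR_DETECTOR_ID');

foreach ($report as $issue => $resources) {
    printf("%s: %d resource(s)\n", $issue, count($resources));
    foreach ($resources as $r) {
        printf("  %s %s (%s) updated %s\n",
            $r['AccountId'], $r['ResourceId'], $r['ResourceType'], $r['UpdatedAt']);
    }
}
```

Run from an administrator account, the listing also covers member accounts, so the report doubles as a check that the agent is actually deployed where the organization expects it.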

CoverageStatistics

Description

Information about the coverage statistics for a resource.

Members
CountByCoverageStatus
Type: Associative array of custom strings keys (CoverageStatus) to long (int|float)s

Represents coverage statistics for EKS clusters aggregated by coverage status.

CountByResourceType
Type: Associative array of custom strings keys (ResourceType) to long (int|float)s

Represents coverage statistics for EKS clusters aggregated by resource type.

CreateProtectedResource

Description

Information about the protected resource that is associated with the created Malware Protection plan. Presently, S3Bucket is the only supported protected resource.

Members
S3Bucket
Type: CreateS3BucketResource structure

Information about the protected S3 bucket resource.

CreateS3BucketResource

Description

Information about the protected S3 bucket resource.

Members
BucketName
Type: string

Name of the S3 bucket.

ObjectPrefixes
Type: Array of strings

Information about the specified object prefixes. The S3 object will be scanned only if it belongs to any of the specified object prefixes.

DNSLogsConfigurationResult

Description

Contains information on the status of DNS logs as a data source.

Members
Status
Required: Yes
Type: string

Denotes whether DNS logs are enabled as a data source.

DataSourceConfigurations

Description

Contains information about which data sources are enabled.

Members
Kubernetes
Type: KubernetesConfiguration structure

Describes whether any Kubernetes logs are enabled as data sources.

MalwareProtection

Describes whether Malware Protection is enabled as a data source.

S3Logs
Type: S3LogsConfiguration structure

Describes whether S3 data event logs are enabled as a data source.

DataSourceConfigurationsResult

Description

Contains information on the status of data sources for the detector.

Members
CloudTrail
Required: Yes
Type: CloudTrailConfigurationResult structure

An object that contains information on the status of CloudTrail as a data source.

DNSLogs
Required: Yes
Type: DNSLogsConfigurationResult structure

An object that contains information on the status of DNS logs as a data source.

FlowLogs
Required: Yes
Type: FlowLogsConfigurationResult structure

An object that contains information on the status of VPC flow logs as a data source.

Kubernetes

An object that contains information on the status of all Kubernetes data sources.

MalwareProtection

Describes the configuration of Malware Protection data sources.

S3Logs
Required: Yes
Type: S3LogsConfigurationResult structure

An object that contains information on the status of S3 data event logs as a data source.

DataSourceFreeTrial

Description

Contains information about which data sources are enabled for the GuardDuty member account.

Members
FreeTrialDaysRemaining
Type: int

A value that specifies the number of days left to use each enabled data source.

DataSourcesFreeTrial

Description

Contains information about which data sources are enabled for the GuardDuty member account.

Members
CloudTrail
Type: DataSourceFreeTrial structure

Describes whether any Amazon Web Services CloudTrail management event logs are enabled as data sources.

DnsLogs
Type: DataSourceFreeTrial structure

Describes whether any DNS logs are enabled as data sources.

FlowLogs
Type: DataSourceFreeTrial structure

Describes whether any VPC Flow logs are enabled as data sources.

Kubernetes

Describes whether any Kubernetes logs are enabled as data sources.

MalwareProtection

Describes whether Malware Protection is enabled as a data source.

S3Logs
Type: DataSourceFreeTrial structure

Describes whether any S3 data event logs are enabled as data sources.

DateStatistics

Description

Represents a list of dates with a count of the total findings generated on each date.

Members
Date
Type: timestamp (string|DateTime or anything parsable by strtotime)

The timestamp when the total findings count is observed.

For example, Date would look like "2024-09-05T17:00:00-07:00" whereas LastGeneratedAt would look like "2024-09-05T17:12:29-07:00".

LastGeneratedAt
Type: timestamp (string|DateTime or anything parsable by strtotime)

The timestamp at which the last finding in the findings count was generated.

Severity
Type: double

The severity of the findings generated on each date.

TotalFindings
Type: int

The total number of findings that were generated per severity level on each date.

DefaultServerSideEncryption

Description

Contains information on the server-side encryption method used in the S3 bucket. See S3 Server-Side Encryption for more information.

Members
EncryptionType
Type: string

The type of encryption used for objects within the S3 bucket.

KmsMasterKeyArn
Type: string

The Amazon Resource Name (ARN) of the KMS encryption key. Only available if the bucket EncryptionType is aws:kms.

Destination

Description

Contains information about the publishing destination, including the ID, type, and status.

Members
DestinationId
Required: Yes
Type: string

The unique ID of the publishing destination.

DestinationType
Required: Yes
Type: string

The type of resource used for the publishing destination. Currently, only Amazon S3 buckets are supported.

Status
Required: Yes
Type: string

The status of the publishing destination.

DestinationProperties

Description

Contains the Amazon Resource Name (ARN) of the resource to publish to, such as an S3 bucket, and the ARN of the KMS key to use to encrypt published findings.

Members
DestinationArn
Type: string

The ARN of the resource to publish to.

To specify an S3 bucket folder use the following format: arn:aws:s3:::DOC-EXAMPLE-BUCKET/myFolder/

KmsKeyArn
Type: string

The ARN of the KMS key to use for encryption.

Detection

Description

Contains information about the detected behavior.

Members
Anomaly
Type: Anomaly structure

The details about the anomalous activity that caused GuardDuty to generate the finding.

Sequence
Type: Sequence structure

The details about the attack sequence.

DetectorAdditionalConfiguration

Description

Information about the additional configuration for a feature in your GuardDuty account.

Members
Name
Type: string

Name of the additional configuration.

Status
Type: string

Status of the additional configuration.

DetectorAdditionalConfigurationResult

Description

Information about the additional configuration.

Members
Name
Type: string

Name of the additional configuration.

Status
Type: string

Status of the additional configuration.

UpdatedAt
Type: timestamp (string|DateTime or anything parsable by strtotime)

The timestamp at which the additional configuration was last updated. This is in UTC format.

DetectorFeatureConfiguration

Description

Contains information about a GuardDuty feature.

Specifying both EKS Runtime Monitoring (EKS_RUNTIME_MONITORING) and Runtime Monitoring (RUNTIME_MONITORING) will cause an error. You can add only one of these two features because Runtime Monitoring already includes the threat detection for Amazon EKS resources. For more information, see Runtime Monitoring.

Members
AdditionalConfiguration
Type: Array of DetectorAdditionalConfiguration structures

Additional configuration for a resource.

Name
Type: string

The name of the feature.

Status
Type: string

The status of the feature.

DetectorFeatureConfigurationResult

Description

Contains information about a GuardDuty feature.

Specifying both EKS Runtime Monitoring (EKS_RUNTIME_MONITORING) and Runtime Monitoring (RUNTIME_MONITORING) will cause an error. You can add only one of these two features because Runtime Monitoring already includes the threat detection for Amazon EKS resources. For more information, see Runtime Monitoring.

Members
AdditionalConfiguration
Type: Array of DetectorAdditionalConfigurationResult structures

Additional configuration for a resource.

Name
Type: string

Indicates the name of the feature that can be enabled for the detector.

Status
Type: string

Indicates the status of the feature that is enabled for the detector.

UpdatedAt
Type: timestamp (string|DateTime or anything parsable by strtotime)

The timestamp at which the feature object was updated.

DnsRequestAction

Description

Contains information about the DNS_REQUEST action described in this finding.

Members
Blocked
Type: boolean

Indicates whether the targeted port is blocked.

Domain
Type: string

The domain information for the DNS query.

DomainWithSuffix
Type: string

The second- and top-level domain involved in the activity that potentially prompted GuardDuty to generate this finding. For a list of top-level and second-level domains, see the public suffix list.

Protocol
Type: string

The network connection protocol observed in the activity that prompted GuardDuty to generate the finding.

DomainDetails

Description

Contains information about the domain.

Members
Domain
Type: string

The domain information for the Amazon Web Services API call.

EbsVolumeDetails

Description

Contains a list of scanned and skipped EBS volumes with details.

Members
ScannedVolumeDetails
Type: Array of VolumeDetail structures

List of EBS volumes that were scanned.

SkippedVolumeDetails
Type: Array of VolumeDetail structures

List of EBS volumes that were skipped from the malware scan.

EbsVolumeScanDetails

Description

Contains details from the malware scan that created a finding.

Members
ScanCompletedAt
Type: timestamp (string|DateTime or anything parsable by strtotime)

Returns the completion date and time of the malware scan.

ScanDetections
Type: ScanDetections structure

Contains a complete view providing malware scan result details.

ScanId
Type: string

Unique Id of the malware scan that generated the finding.

ScanStartedAt
Type: timestamp (string|DateTime or anything parsable by strtotime)

Returns the start date and time of the malware scan.

ScanType
Type: string

Specifies the scan type that invoked the malware scan.

Sources
Type: Array of strings

Contains a list of the threat intelligence sources used to detect threats.

TriggerFindingId
Type: string

GuardDuty finding ID that triggered a malware scan.

EbsVolumesResult

Description

Describes the configuration of scanning EBS volumes as a data source.

Members
Reason
Type: string

Specifies the reason why scanning EBS volumes (Malware Protection) was not enabled as a data source.

Status
Type: string

Describes whether scanning EBS volumes is enabled as a data source.

Ec2Instance

Description

Details about the potentially impacted Amazon EC2 instance resource.

Members
AvailabilityZone
Type: string

The availability zone of the Amazon EC2 instance. For more information, see Availability zones in the Amazon EC2 User Guide.

Ec2NetworkInterfaceUids
Type: Array of strings

The IDs of the network interfaces attached to the Amazon EC2 instance.

IamInstanceProfile
Type: IamInstanceProfile structure

Contains information about the EC2 instance profile.

ImageDescription
Type: string

The image description of the Amazon EC2 instance.

InstanceState
Type: string

The state of the Amazon EC2 instance. For more information, see Amazon EC2 instance state changes in the Amazon EC2 User Guide.

InstanceType
Type: string

Type of the Amazon EC2 instance.

OutpostArn
Type: string

The Amazon Resource Name (ARN) of the Amazon Web Services Outpost. This shows applicable Amazon Web Services Outposts instances.

Platform
Type: string

The platform of the Amazon EC2 instance.

ProductCodes
Type: Array of ProductCode structures

The product codes of the Amazon EC2 instance.

Ec2NetworkInterface

Description

Contains information about the elastic network interface of the Amazon EC2 instance.

Members
Ipv6Addresses
Type: Array of strings

A list of IPv6 addresses for the Amazon EC2 instance.

PrivateIpAddresses
Type: Array of PrivateIpAddressDetails structures

Other private IP address information of the Amazon EC2 instance.

PublicIp
Type: string

The public IP address of the Amazon EC2 instance.

SecurityGroups
Type: Array of SecurityGroup structures

The security groups associated with the Amazon EC2 instance.

SubNetId
Type: string

The subnet ID of the Amazon EC2 instance.

VpcId
Type: string

The VPC ID of the Amazon EC2 instance.

EcsClusterDetails

Description

Contains information about the details of the ECS Cluster.

Members
ActiveServicesCount
Type: int

The number of services that are running on the cluster in an ACTIVE state.

Arn
Type: string

The Amazon Resource Name (ARN) that identifies the cluster.

Name
Type: string

The name of the ECS Cluster.

RegisteredContainerInstancesCount
Type: int

The number of container instances registered into the cluster.

RunningTasksCount
Type: int

The number of tasks in the cluster that are in the RUNNING state.

Status
Type: string

The status of the ECS cluster.

Tags
Type: Array of Tag structures

The tags of the ECS Cluster.

TaskDetails
Type: EcsTaskDetails structure

Contains information about the details of the ECS Task.

EcsTaskDetails

Description

Contains information about the task in an ECS cluster.

Members
Arn
Type: string

The Amazon Resource Name (ARN) of the task.

Containers
Type: Array of Container structures

The containers that are associated with the task.

DefinitionArn
Type: string

The ARN of the task definition that creates the task.

Group
Type: string

The name of the task group that's associated with the task.

LaunchType
Type: string

The capacity type on which the task is running, for example Fargate or EC2.

StartedAt
Type: timestamp (string|DateTime or anything parsable by strtotime)

The Unix timestamp for the time when the task started.

StartedBy
Type: string

Contains the tag specified when a task is started.

Tags
Type: Array of Tag structures

The tags of the ECS Task.

TaskCreatedAt
Type: timestamp (string|DateTime or anything parsable by strtotime)

The Unix timestamp for the time when the task was created.

Version
Type: string

The version counter for the task.

Volumes
Type: Array of Volume structures

The list of data volume definitions for the task.

EksClusterDetails

Description

Details about the EKS cluster involved in a Kubernetes finding.

Members
Arn
Type: string

EKS cluster ARN.

CreatedAt
Type: timestamp (string|DateTime or anything parsable by strtotime)

The timestamp when the EKS cluster was created.

Name
Type: string

EKS cluster name.

Status
Type: string

The EKS cluster status.

Tags
Type: Array of Tag structures

The EKS cluster tags.

VpcId
Type: string

The VPC ID to which the EKS cluster is attached.

Evidence

Description

Contains information about the reason that the finding was generated.

Members
ThreatIntelligenceDetails
Type: Array of ThreatIntelligenceDetail structures

A list of threat intelligence details related to the evidence.

FargateDetails

Description

Contains information about Amazon Web Services Fargate details associated with an Amazon ECS cluster.

Members
Issues
Type: Array of strings

Runtime coverage issues identified for the resource running on Amazon Web Services Fargate.

ManagementType
Type: string

Indicates how the GuardDuty security agent is managed for this resource.

  • AUTO_MANAGED indicates that GuardDuty deploys and manages updates for this resource.

  • DISABLED indicates that the deployment of the GuardDuty security agent is disabled for this resource.

The MANUAL status doesn't apply to Amazon Web Services Fargate (Amazon ECS only) workloads.

FilterCondition

Description

Contains information about the condition.

Members
EqualsValue
Type: string

Represents an equal condition to be applied to a single field when querying for scan entries.

GreaterThan
Type: long (int|float)

Represents a greater than condition to be applied to a single field when querying for scan entries.

LessThan
Type: long (int|float)

Represents a less than condition to be applied to a single field when querying for scan entries.

FilterCriteria

Description

Represents the criteria to be used in the filter for describing scan entries.

Members
FilterCriterion
Type: Array of FilterCriterion structures

Represents a condition that, when matched, adds the entry to the response of the operation.

FilterCriterion

Description

Represents a condition that, when matched, adds the entry to the response of the operation. Irrespective of the filter criteria used, an administrator account can view the scan entries for all of its member accounts. However, each member account can view the scan entries only for its own account.

Members
CriterionKey
Type: string

An enum value representing possible scan properties to match with given scan entries.

Replace the enum value CLUSTER_NAME with EKS_CLUSTER_NAME. CLUSTER_NAME has been deprecated.

FilterCondition
Type: FilterCondition structure

Contains information about the condition.

Finding

Description

Contains information about the finding that is generated when abnormal or suspicious activity is detected.

Members
AccountId
Required: Yes
Type: string

The ID of the account in which the finding was generated.

Arn
Required: Yes
Type: string

The ARN of the finding.

AssociatedAttackSequenceArn
Type: string

Amazon Resource Name (ARN) associated with the attack sequence finding.

Confidence
Type: double

The confidence score for the finding.

CreatedAt
Required: Yes
Type: string

The time and date when the finding was created.

Description
Type: string

The description of the finding.

Id
Required: Yes
Type: string

The ID of the finding.

Partition
Type: string

The partition associated with the finding.

Region
Required: Yes
Type: string

The Region where the finding was generated.

Resource
Required: Yes
Type: Resource structure

Contains information about the Amazon Web Services resource associated with the activity that prompted GuardDuty to generate a finding.

SchemaVersion
Required: Yes
Type: string

The version of the schema used for the finding.

Service
Type: Service structure

Contains additional information about the generated finding.

Severity
Required: Yes
Type: double

The severity of the finding.

Title
Type: string

The title of the finding.

Type
Required: Yes
Type: string

The type of finding.

UpdatedAt
Required: Yes
Type: string

The time and date when the finding was last updated.

FindingCriteria

Description

Contains information about the criteria used for querying findings.

Members
Criterion
Type: Associative array of custom strings keys (String) to Condition structures

Represents a map of finding properties that match specified conditions and values when querying findings.

FindingStatistics

Description

Contains information about finding statistics.

Members
CountBySeverity
Type: Associative array of custom strings keys (String) to ints

Represents a map of severity to count statistics for a set of findings.

GroupedByAccount
Type: Array of AccountStatistics structures

Represents a list of accounts with the findings count associated with each account.

GroupedByDate
Type: Array of DateStatistics structures

Represents a list of dates with a count of the total findings generated on each date per severity level.

GroupedByFindingType
Type: Array of FindingTypeStatistics structures

Represents a list of finding types with a count of the total findings generated for each type.

Based on the orderBy parameter, this request returns either the most occurring finding types or the least occurring finding types. If the orderBy parameter is ASC, this will represent the least occurring finding types in your account; otherwise, this will represent the most occurring finding types. The default value of orderBy is DESC.

GroupedByResource
Type: Array of ResourceStatistics structures

Represents a list of the top resources with a count of the total findings for each.

GroupedBySeverity
Type: Array of SeverityStatistics structures

Represents a list of the total findings for each severity level.

FindingTypeStatistics

Description

Information about each finding type associated with the groupedByFindingType statistics.

Members
FindingType
Type: string

Name of the finding type.

LastGeneratedAt
Type: timestamp (string|DateTime or anything parsable by strtotime)

The timestamp at which this finding type was last generated in your environment.

TotalFindings
Type: int

The total number of findings generated for each distinct finding type.

FlowLogsConfigurationResult

Description

Contains information on the status of VPC flow logs as a data source.

Members
Status
Required: Yes
Type: string

Denotes whether VPC flow logs are enabled as a data source.

FreeTrialFeatureConfigurationResult

Description

Contains information about the free trial period for a feature.

Members
FreeTrialDaysRemaining
Type: int

The number of the remaining free trial days for the feature.

Name
Type: string

The name of the feature for which the free trial is configured.

GeoLocation

Description

Contains information about the location of the remote IP address.

Members
Lat
Type: double

The latitude information of the remote IP address.

Lon
Type: double

The longitude information of the remote IP address.

HighestSeverityThreatDetails

Description

Contains details of the highest severity threat detected during the scan and the number of infected files.

Members
Count
Type: int

Total number of infected files with the highest severity threat detected.

Severity
Type: string

Severity level of the highest severity threat detected.

ThreatName
Type: string

Threat name of the highest severity threat detected as part of the malware scan.

HostPath

Description

Represents a pre-existing file or directory on the host machine that the volume maps to.

Members
Path
Type: string

Path of the file or directory on the host that the volume maps to.

IamInstanceProfile

Description

Contains information about the EC2 instance profile.

Members
Arn
Type: string

The profile ARN of the EC2 instance.

Id
Type: string

The profile ID of the EC2 instance.

ImpersonatedUser

Description

Contains information about the impersonated user.

Members
Groups
Type: Array of strings

The groups to which the impersonated user belongs.

Username
Type: string

Information about the username that was being impersonated.

Indicator

Description

Contains information about the indicators that include a set of signals observed in an attack sequence.

Members
Key
Required: Yes
Type: string

Specific indicator keys observed in the attack sequence.

Title
Type: string

Title describing the indicator.

Values
Type: Array of strings

Values associated with each indicator key. For example, if the indicator key is SUSPICIOUS_NETWORK, then the value will be the name of the network. If the indicator key is ATTACK_TACTIC, then the value will be one of the MITRE tactics.

For more information about the values associated with the key, see GuardDuty Extended Threat Detection in the GuardDuty User Guide.

InstanceDetails

Description

Contains information about the details of an instance.

Members
AvailabilityZone
Type: string

The Availability Zone of the EC2 instance.

IamInstanceProfile
Type: IamInstanceProfile structure

The profile information of the EC2 instance.

ImageDescription
Type: string

The image description of the EC2 instance.

ImageId
Type: string

The image ID of the EC2 instance.

InstanceId
Type: string

The ID of the EC2 instance.

InstanceState
Type: string

The state of the EC2 instance.

InstanceType
Type: string

The type of the EC2 instance.

LaunchTime
Type: string

The launch time of the EC2 instance.

NetworkInterfaces
Type: Array of NetworkInterface structures

The elastic network interface information of the EC2 instance.

OutpostArn
Type: string

The Amazon Resource Name (ARN) of the Amazon Web Services Outpost. Only applicable to Amazon Web Services Outposts instances.

Platform
Type: string

The platform of the EC2 instance.

ProductCodes
Type: Array of ProductCode structures

The product code of the EC2 instance.

Tags
Type: Array of Tag structures

The tags of the EC2 instance.

InternalServerErrorException

Description

An internal server error exception object.

Members
Message
Type: string

The error message.

Type
Type: string

The error type.

Invitation

Description

Contains information about the invitation to become a member account.

Members
AccountId
Type: string

The ID of the account that the invitation was sent from.

InvitationId
Type: string

The ID of the invitation. This value is used to validate the inviter account to the member account.

InvitedAt
Type: string

The timestamp when the invitation was sent.

RelationshipStatus
Type: string

The status of the relationship between the inviter and invitee accounts.

ItemPath

Description

Information about the nested item path and hash of the protected resource.

Members
Hash
Type: string

The hash value of the infected resource.

NestedItemPath
Type: string

The nested item path where the infected file was found.

KubernetesApiCallAction

Description

Information about the Kubernetes API call action described in this finding.

Members
Namespace
Type: string

The name of the namespace where the Kubernetes API call action takes place.

Parameters
Type: string

Parameters related to the Kubernetes API call action.

RemoteIpDetails
Type: RemoteIpDetails structure

Contains information about the remote IP address of the connection.

RequestUri
Type: string

The Kubernetes API request URI.

Resource
Type: string

The resource component in the Kubernetes API call action.

ResourceName
Type: string

The name of the resource in the Kubernetes API call action.

SourceIps
Type: Array of strings

The IP of the Kubernetes API caller and the IPs of any proxies or load balancers between the caller and the API endpoint.

StatusCode
Type: int

The resulting HTTP response code of the Kubernetes API call action.

Subresource
Type: string

The name of the sub-resource in the Kubernetes API call action.

UserAgent
Type: string

The user agent of the caller of the Kubernetes API.

Verb
Type: string

The Kubernetes API request HTTP verb.

KubernetesAuditLogsConfiguration

Description

Describes whether Kubernetes audit logs are enabled as a data source.

Members
Enable
Required: Yes
Type: boolean

The status of Kubernetes audit logs as a data source.

KubernetesAuditLogsConfigurationResult

Description

Describes whether Kubernetes audit logs are enabled as a data source.

Members
Status
Required: Yes
Type: string

A value that describes whether Kubernetes audit logs are enabled as a data source.

KubernetesConfiguration

Description

Describes whether any Kubernetes data sources are enabled.

Members
AuditLogs
Required: Yes
Type: KubernetesAuditLogsConfiguration structure

The status of Kubernetes audit logs as a data source.

KubernetesConfigurationResult

Description

Describes whether any Kubernetes logs will be enabled as a data source.

Members
AuditLogs
Required: Yes
Type: KubernetesAuditLogsConfigurationResult structure

Describes whether Kubernetes audit logs are enabled as a data source.

KubernetesDataSourceFreeTrial

Description

Provides details about the Kubernetes resources when they are enabled as a data source.

Members
AuditLogs
Type: DataSourceFreeTrial structure

Describes whether Kubernetes audit logs are enabled as a data source.

KubernetesDetails

Description

Details about Kubernetes resources such as a Kubernetes user or workload resource involved in a Kubernetes finding.

Members
KubernetesUserDetails
Type: KubernetesUserDetails structure

Details about the Kubernetes user involved in a Kubernetes finding.

KubernetesWorkloadDetails
Type: KubernetesWorkloadDetails structure

Details about the Kubernetes workload involved in a Kubernetes finding.

KubernetesPermissionCheckedDetails

Description

Information about the Kubernetes API that was checked for permission to call.

Members
Allowed
Type: boolean

Whether the user has permission to call the Kubernetes API.

Namespace
Type: string

The namespace where the Kubernetes API action will take place.

Resource
Type: string

The Kubernetes resource with which your Kubernetes API call will interact.

Verb
Type: string

The verb component of the Kubernetes API call. For example, when you check whether or not you have the permission to call the CreatePod API, the verb component will be Create.

KubernetesRoleBindingDetails

Description

Contains information about the role binding that grants the permission defined in a Kubernetes role.

Members
Kind
Type: string

The kind of the role. For role binding, this value will be RoleBinding.

Name
Type: string

The name of the RoleBinding.

RoleRefKind
Type: string

The type of the role being referenced. This could be either Role or ClusterRole.

RoleRefName
Type: string

The name of the role being referenced. This must match the name of the Role or ClusterRole that you want to bind to.

Uid
Type: string

The unique identifier of the role binding.

KubernetesRoleDetails

Description

Information about the Kubernetes role name and role type.

Members
Kind
Type: string

The kind of role. For this API, the value of kind will be Role.

Name
Type: string

The name of the Kubernetes role.

Uid
Type: string

The unique identifier of the Kubernetes role name.

KubernetesUserDetails

Description

Details about the Kubernetes user involved in a Kubernetes finding.

Members
Groups
Type: Array of strings

The groups that include the user who called the Kubernetes API.

ImpersonatedUser
Type: ImpersonatedUser structure

Information about the impersonated user.

SessionName
Type: Array of strings

Entity that assumes the IAM role when Kubernetes RBAC permissions are assigned to that role.

Uid
Type: string

The user ID of the user who called the Kubernetes API.

Username
Type: string

The username of the user who called the Kubernetes API.

KubernetesWorkloadDetails

Description

Details about the Kubernetes workload involved in a Kubernetes finding.

Members
Containers
Type: Array of Container structures

Containers running as part of the Kubernetes workload.

HostIPC
Type: boolean

Whether the host IPC flag is enabled for the pods in the workload.

HostNetwork
Type: boolean

Whether the hostNetwork flag is enabled for the pods included in the workload.

HostPID
Type: boolean

Whether the host PID flag is enabled for the pods in the workload.

Name
Type: string

Kubernetes workload name.

Namespace
Type: string

Kubernetes namespace that the workload is part of.

ServiceAccountName
Type: string

The service account name that is associated with a Kubernetes workload.

Type
Type: string

Kubernetes workload type (for example, Pod or Deployment).

Uid
Type: string

Kubernetes workload ID.

Volumes
Type: Array of Volume structures

Volumes used by the Kubernetes workload.

LambdaDetails

Description

Information about the Lambda function involved in the finding.

Members
Description
Type: string

Description of the Lambda function.

FunctionArn
Type: string

Amazon Resource Name (ARN) of the Lambda function.

FunctionName
Type: string

Name of the Lambda function.

FunctionVersion
Type: string

The version of the Lambda function.

LastModifiedAt
Type: timestamp (string|DateTime or anything parsable by strtotime)

The timestamp when the Lambda function was last modified. This field is in the UTC date string format (2023-03-22T19:37:20.168Z).

RevisionId
Type: string

The revision ID of the Lambda function version.

Role
Type: string

The execution role of the Lambda function.

Tags
Type: Array of Tag structures

A list of tags attached to this resource, listed as key:value pairs.

VpcConfig
Type: VpcConfig structure

Amazon Virtual Private Cloud configuration details associated with your Lambda function.

LineageObject

Description

Information about the runtime process details.

Members
Euid
Type: int

The effective user ID that was used to execute the process.

ExecutablePath
Type: string

The absolute path of the process executable file.

Name
Type: string

The name of the process.

NamespacePid
Type: int

The process ID of the child process.

ParentUuid
Type: string

The unique ID of the parent process. This ID is assigned to the parent process by GuardDuty.

Pid
Type: int

The ID of the process.

StartTime
Type: timestamp (string|DateTime or anything parsable by strtotime)

The time when the process started. This is in UTC format.

UserId
Type: int

The user ID of the user that executed the process.

Uuid
Type: string

The unique ID assigned to the process by GuardDuty.

LocalIpDetails

Description

Contains information about the local IP address of the connection.

Members
IpAddressV4
Type: string

The IPv4 local address of the connection.

IpAddressV6
Type: string

The IPv6 local address of the connection.

LocalPortDetails

Description

Contains information about the port for the local connection.

Members
Port
Type: int

The port number of the local connection.

PortName
Type: string

The port name of the local connection.

LoginAttribute

Description

Information about the login attempts.

Members
Application
Type: string

Indicates the application name used to attempt log in.

FailedLoginAttempts
Type: int

Represents the sum of failed (unsuccessful) login attempts made to establish a connection to the database instance.

SuccessfulLoginAttempts
Type: int

Represents the sum of successful connections (a correct combination of login attributes) made to the database instance by the actor.

User
Type: string

Indicates the user name which attempted to log in.

MalwareProtectionConfiguration

Description

Describes whether Malware Protection will be enabled as a data source.

Members
ScanEc2InstanceWithFindings
Type: ScanEc2InstanceWithFindings structure

Describes the configuration of Malware Protection for EC2 instances with findings.

MalwareProtectionConfigurationResult

Description

An object that contains information on the status of all Malware Protection data sources.

Members
ScanEc2InstanceWithFindings

Describes the configuration of Malware Protection for EC2 instances with findings.

ServiceRole
Type: string

The GuardDuty Malware Protection service role.

MalwareProtectionDataSourceFreeTrial

Description

Provides details about Malware Protection when it is enabled as a data source.

Members
ScanEc2InstanceWithFindings
Type: DataSourceFreeTrial structure

Describes whether Malware Protection for EC2 instances with findings is enabled as a data source.

MalwareProtectionPlanActions

Description

Information about whether the tags will be added to the S3 object after scanning.

Members
Tagging

Indicates whether the scanned S3 object will have tags about the scan result.

MalwareProtectionPlanStatusReason

Description

Information about the issue code and message associated with the status of your Malware Protection plan.

Members
Code
Type: string

Issue code.

Message
Type: string

Issue message that specifies the reason. For information about potential troubleshooting steps, see Troubleshooting Malware Protection for S3 status issues in the GuardDuty User Guide.

MalwareProtectionPlanSummary

Description

Information about the Malware Protection plan resource.

Members
MalwareProtectionPlanId
Type: string

A unique identifier associated with the Malware Protection plan.

MalwareProtectionPlanTaggingAction

Description

Information about adding tags to the scanned S3 object after the scan result.

Members
Status
Type: string

Indicates whether or not the tags will be added.

MalwareScanDetails

Description

Information about the malware scan that generated a GuardDuty finding.

Members
Threats
Type: Array of Threat structures

Information about the detected threats associated with the generated GuardDuty finding.

Master

Description

Contains information about the administrator account and invitation.

Members
AccountId
Type: string

The ID of the account used as the administrator account.

InvitationId
Type: string

The value used to validate the administrator account to the member account.

InvitedAt
Type: string

The timestamp when the invitation was sent.

RelationshipStatus
Type: string

The status of the relationship between the administrator and member accounts.

Member

Description

Contains information about the member account.

Members
AccountId
Required: Yes
Type: string

The ID of the member account.

AdministratorId
Type: string

The administrator account ID.

DetectorId
Type: string

The detector ID of the member account.

Email
Required: Yes
Type: string

The email address of the member account.

InvitedAt
Type: string

The timestamp when the invitation was sent.

MasterId
Required: Yes
Type: string

The administrator account ID.

RelationshipStatus
Required: Yes
Type: string

The status of the relationship between the member and the administrator.

UpdatedAt
Required: Yes
Type: string

The last-updated timestamp of the member.

MemberAdditionalConfiguration

Description

Information about the additional configuration for the member account.

Members
Name
Type: string

Name of the additional configuration.

Status
Type: string

Status of the additional configuration.

MemberAdditionalConfigurationResult

Description

Information about the additional configuration for the member account.

Members
Name
Type: string

Indicates the name of the additional configuration that is set for the member account.

Status
Type: string

Indicates the status of the additional configuration that is set for the member account.

UpdatedAt
Type: timestamp (string|DateTime or anything parsable by strtotime)

The timestamp at which the additional configuration was set for the member account. This is in UTC format.

MemberDataSourceConfiguration

Description

Contains information on which data sources are enabled for a member account.

Members
AccountId
Required: Yes
Type: string

The account ID for the member account.

DataSources

Contains information on the status of data sources for the account.

Features
Type: Array of MemberFeaturesConfigurationResult structures

Contains information about the status of the features for the member account.

MemberFeaturesConfiguration

Description

Contains information about the features for the member account.

Members
AdditionalConfiguration
Type: Array of MemberAdditionalConfiguration structures

Additional configuration of the feature for the member account.

Name
Type: string

The name of the feature.

Status
Type: string

The status of the feature.

MemberFeaturesConfigurationResult

Description

Contains information about the features for the member account.

Members
AdditionalConfiguration
Type: Array of MemberAdditionalConfigurationResult structures

Indicates the additional configuration of the feature that is configured for the member account.

Name
Type: string

Indicates the name of the feature that is enabled for the detector.

Status
Type: string

Indicates the status of the feature that is enabled for the detector.

UpdatedAt
Type: timestamp (string|DateTime or anything parsable by strtotime)

The timestamp at which the feature object was updated.

NetworkConnection

Description

Contains information about the network connection.

Members
Direction
Required: Yes
Type: string

The direction in which the network traffic is flowing.

NetworkConnectionAction

Description

Contains information about the NETWORK_CONNECTION action described in the finding.

Members
Blocked
Type: boolean

Indicates whether EC2 blocked the network connection to your instance.

ConnectionDirection
Type: string

The network connection direction.

LocalIpDetails
Type: LocalIpDetails structure

The local IP information of the connection.

LocalNetworkInterface
Type: string

The EC2 instance's local elastic network interface utilized for the connection.

LocalPortDetails
Type: LocalPortDetails structure

The local port information of the connection.

Protocol
Type: string

The network connection protocol.

RemoteIpDetails
Type: RemoteIpDetails structure

The remote IP information of the connection.

RemotePortDetails
Type: RemotePortDetails structure

The remote port information of the connection.

NetworkEndpoint

Description

Contains information about network endpoints that were observed in the attack sequence.

Members
AutonomousSystem
Type: AutonomousSystem structure

The Autonomous System (AS) of the network endpoint.

Connection
Type: NetworkConnection structure

Information about the network connection.

Domain
Type: string

The domain information for the network endpoint.

Id
Required: Yes
Type: string

The ID of the network endpoint.

Ip
Type: string

The IP address associated with the network endpoint.

Location
Type: NetworkGeoLocation structure

Information about the location of the network endpoint.

Port
Type: int

The port number associated with the network endpoint.

NetworkGeoLocation

Description

Contains information about network endpoint location.

Members
City
Required: Yes
Type: string

The name of the city.

Country
Required: Yes
Type: string

The name of the country.

Latitude
Required: Yes
Type: double

The latitude information of the endpoint location.

Longitude
Required: Yes
Type: double

The longitude information of the endpoint location.

NetworkInterface

Description

Contains information about the elastic network interface of the EC2 instance.

Members
Ipv6Addresses
Type: Array of strings

A list of IPv6 addresses for the EC2 instance.

NetworkInterfaceId
Type: string

The ID of the network interface.

PrivateDnsName
Type: string

The private DNS name of the EC2 instance.

PrivateIpAddress
Type: string

The private IP address of the EC2 instance.

PrivateIpAddresses
Type: Array of PrivateIpAddressDetails structures

Other private IP address information of the EC2 instance.

PublicDnsName
Type: string

The public DNS name of the EC2 instance.

PublicIp
Type: string

The public IP address of the EC2 instance.

SecurityGroups
Type: Array of SecurityGroup structures

The security groups associated with the EC2 instance.

SubnetId
Type: string

The subnet ID of the EC2 instance.

VpcId
Type: string

The VPC ID of the EC2 instance.

Observations

Description

Contains information about the observed behavior.

Members
Text
Type: Array of strings

The text that was unusual.

Organization

Description

Contains information about the ISP organization of the remote IP address.

Members
Asn
Type: string

The Autonomous System Number (ASN) of the internet provider of the remote IP address.

AsnOrg
Type: string

The organization that registered this ASN.

Isp
Type: string

The ISP information for the internet provider.

Org
Type: string

The name of the internet provider.

OrganizationAdditionalConfiguration

Description

A list of additional configurations which will be configured for the organization.

Additional configuration applies only to the GuardDuty Runtime Monitoring protection plan.

Members
AutoEnable
Type: string

The status of the additional configuration that will be configured for the organization. Use one of the following values to configure the feature status for the entire organization:

  • NEW: Indicates that when a new account joins the organization, they will have the additional configuration enabled automatically.

  • ALL: Indicates that all accounts in the organization have the additional configuration enabled automatically. This includes NEW accounts that join the organization and accounts that may have been suspended or removed from the organization in GuardDuty.

    It may take up to 24 hours to update the configuration for all the member accounts.

  • NONE: Indicates that the additional configuration will not be automatically enabled for any account in the organization. The administrator must manage the additional configuration for each account individually.

Name
Type: string

The name of the additional configuration that will be configured for the organization. These values apply only to the Runtime Monitoring protection plan.

OrganizationAdditionalConfigurationResult

Description

A list of additional configurations which will be configured for the organization.

Members
AutoEnable
Type: string

Describes the status of the additional configuration that is configured for the member accounts within the organization. One of the following values is the status for the entire organization:

  • NEW: Indicates that when a new account joins the organization, they will have the additional configuration enabled automatically.

  • ALL: Indicates that all accounts in the organization have the additional configuration enabled automatically. This includes NEW accounts that join the organization and accounts that may have been suspended or removed from the organization in GuardDuty.

    It may take up to 24 hours to update the configuration for all the member accounts.

  • NONE: Indicates that the additional configuration will not be automatically enabled for any account in the organization. The administrator must manage the additional configuration for each account individually.

Name
Type: string

The name of the additional configuration that is configured for the member accounts within the organization. These values apply only to the Runtime Monitoring protection plan.

OrganizationDataSourceConfigurations

Description

An object that contains information on which data sources will be configured to be automatically enabled for new members within the organization.

Members
Kubernetes

Describes the configuration of Kubernetes data sources for new members of the organization.

MalwareProtection

Describes the configuration of Malware Protection for new members of the organization.

S3Logs

Describes whether S3 data event logs are enabled for new members of the organization.

OrganizationDataSourceConfigurationsResult

Description

An object that contains information on which data sources are automatically enabled for new members within the organization.

Members
Kubernetes

Describes the configuration of Kubernetes data sources.

MalwareProtection

Describes the configuration of Malware Protection data source for an organization.

S3Logs
Required: Yes
Type: OrganizationS3LogsConfigurationResult structure

Describes whether S3 data event logs are enabled as a data source.

OrganizationDetails

Description

Information about GuardDuty coverage statistics for members in your Amazon Web Services organization.

Members
OrganizationStatistics
Type: OrganizationStatistics structure

Information about the GuardDuty coverage statistics for members in your Amazon Web Services organization.

UpdatedAt
Type: timestamp (string|DateTime or anything parsable by strtotime)

The timestamp at which the organization statistics were last updated. This is in UTC format.

OrganizationEbsVolumes

Description

Organization-wide EBS volumes scan configuration.

Members
AutoEnable
Type: boolean

Whether scanning EBS volumes should be auto-enabled for new members joining the organization.

OrganizationEbsVolumesResult

Description

An object that contains information on the status of whether EBS volume scanning will be enabled as a data source for an organization.

Members
AutoEnable
Type: boolean

Whether scanning EBS volumes should be auto-enabled for new members joining the organization.

OrganizationFeatureConfiguration

Description

A list of features which will be configured for the organization.

Members
AdditionalConfiguration
Type: Array of OrganizationAdditionalConfiguration structures

The additional information that will be configured for the organization.

AutoEnable
Type: string

Describes the status of the feature that is configured for the member accounts within the organization. One of the following values is the status for the entire organization:

  • NEW: Indicates that when a new account joins the organization, they will have the feature enabled automatically.

  • ALL: Indicates that all accounts in the organization have the feature enabled automatically. This includes NEW accounts that join the organization and accounts that may have been suspended or removed from the organization in GuardDuty.

    It may take up to 24 hours to update the configuration for all the member accounts.

  • NONE: Indicates that the feature will not be automatically enabled for any account in the organization. The administrator must manage the feature for each account individually.

Name
Type: string

The name of the feature that will be configured for the organization.

OrganizationFeatureConfigurationResult

Description

A list of features which will be configured for the organization.

Members
AdditionalConfiguration
Type: Array of OrganizationAdditionalConfigurationResult structures

The additional configuration that is configured for the member accounts within the organization.

AutoEnable
Type: string

Describes the status of the feature that is configured for the member accounts within the organization.

  • NEW: Indicates that when a new account joins the organization, they will have the feature enabled automatically.

  • ALL: Indicates that all accounts in the organization have the feature enabled automatically. This includes NEW accounts that join the organization and accounts that may have been suspended or removed from the organization in GuardDuty.

  • NONE: Indicates that the feature will not be automatically enabled for any account in the organization. In this case, each account will be managed individually by the administrator.

Name
Type: string

The name of the feature that is configured for the member accounts within the organization.

OrganizationFeatureStatistics

Description

Information about the number of accounts that have enabled a specific feature.

Members
AdditionalConfiguration

Name of the additional configuration.

EnabledAccountsCount
Type: int

Total number of accounts that have enabled a specific feature.

Name
Type: string

Name of the feature.

OrganizationFeatureStatisticsAdditionalConfiguration

Description

Information about the coverage statistic for the additional configuration of the feature.

Members
EnabledAccountsCount
Type: int

Total number of accounts that have enabled the additional configuration.

Name
Type: string

Name of the additional configuration within a feature.

OrganizationKubernetesAuditLogsConfiguration

Description

Organization-wide Kubernetes audit logs configuration.

Members
AutoEnable
Required: Yes
Type: boolean

A value that contains information on whether Kubernetes audit logs should be enabled automatically as a data source for the organization.

OrganizationKubernetesAuditLogsConfigurationResult

Description

The current configuration of Kubernetes audit logs as a data source for the organization.

Members
AutoEnable
Required: Yes
Type: boolean

Whether Kubernetes audit logs data source should be auto-enabled for new members joining the organization.

OrganizationKubernetesConfiguration

Description

Organization-wide Kubernetes data sources configurations.

Members
AuditLogs
Required: Yes
Type: OrganizationKubernetesAuditLogsConfiguration structure

Whether Kubernetes audit logs data source should be auto-enabled for new members joining the organization.

OrganizationKubernetesConfigurationResult

Description

The current configuration of all Kubernetes data sources for the organization.

Members
AuditLogs

The current configuration of Kubernetes audit logs as a data source for the organization.

OrganizationMalwareProtectionConfiguration

Description

Organization-wide Malware Protection configurations.

Members
ScanEc2InstanceWithFindings

Whether Malware Protection for EC2 instances with findings should be auto-enabled for new members joining the organization.

OrganizationMalwareProtectionConfigurationResult

Description

An object that contains information on the status of all Malware Protection data sources for an organization.

Members
ScanEc2InstanceWithFindings

Describes the configuration for scanning EC2 instances with findings for an organization.

OrganizationS3LogsConfiguration

Description

Describes whether S3 data event logs will be automatically enabled for new members of the organization.

Members
AutoEnable
Required: Yes
Type: boolean

A value that contains information on whether S3 data event logs will be enabled automatically as a data source for the organization.

OrganizationS3LogsConfigurationResult

Description

The current configuration of S3 data event logs as a data source for the organization.

Members
AutoEnable
Required: Yes
Type: boolean

A value that describes whether S3 data event logs are automatically enabled for new members of the organization.

OrganizationScanEc2InstanceWithFindings

Description

Organization-wide EC2 instances with findings scan configuration.

Members
EbsVolumes
Type: OrganizationEbsVolumes structure

Whether scanning EBS volumes should be auto-enabled for new members joining the organization.

OrganizationScanEc2InstanceWithFindingsResult

Description

An object that contains information on the status of scanning EC2 instances with findings for an organization.

Members
EbsVolumes

Describes the configuration for scanning EBS volumes for an organization.

OrganizationStatistics

Description

Information about the coverage statistics of the features for the entire Amazon Web Services organization.

When you create a new Amazon Web Services organization, it might take up to 24 hours to generate the statistics summary for this organization.

Members
ActiveAccountsCount
Type: int

Total number of active accounts in your Amazon Web Services organization that are associated with GuardDuty.

CountByFeature
Type: Array of OrganizationFeatureStatistics structures

The coverage statistics for each feature.

EnabledAccountsCount
Type: int

Total number of accounts that have enabled GuardDuty.

MemberAccountsCount
Type: int

Total number of accounts in your Amazon Web Services organization that are associated with GuardDuty.

TotalAccountsCount
Type: int

Total number of accounts in your Amazon Web Services organization.

Owner

Description

Contains information on the owner of the bucket.

Members
Id
Type: string

The canonical user ID of the bucket owner. For information about locating your canonical user ID, see Finding Your Account Canonical User ID.

PermissionConfiguration

Description

Contains information about how permissions are configured for the S3 bucket.

Members
AccountLevelPermissions
Type: AccountLevelPermissions structure

Contains information about the account level permissions on the S3 bucket.

BucketLevelPermissions
Type: BucketLevelPermissions structure

Contains information about the bucket level permissions for the S3 bucket.

PortProbeAction

Description

Contains information about the PORT_PROBE action described in the finding.

Members
Blocked
Type: boolean

Indicates whether EC2 blocked the port probe to the instance, such as with an ACL.

PortProbeDetails
Type: Array of PortProbeDetail structures

A list of objects related to port probe details.

PortProbeDetail

Description

Contains information about the port probe details.

Members
LocalIpDetails
Type: LocalIpDetails structure

The local IP information of the connection.

LocalPortDetails
Type: LocalPortDetails structure

The local port information of the connection.

RemoteIpDetails
Type: RemoteIpDetails structure

The remote IP information of the connection.

PrivateIpAddressDetails

Description

Contains other private IP address information of the EC2 instance.

Members
PrivateDnsName
Type: string

The private DNS name of the EC2 instance.

PrivateIpAddress
Type: string

The private IP address of the EC2 instance.

ProcessDetails

Description

Information about the observed process.

Members
Euid
Type: int

The effective user ID of the user that executed the process.

ExecutablePath
Type: string

The absolute path of the process executable file.

ExecutableSha256
Type: string

The SHA256 hash of the process executable.

Lineage
Type: Array of LineageObject structures

Information about the process's lineage.

Name
Type: string

The name of the process.

NamespacePid
Type: int

The ID of the child process.

ParentUuid
Type: string

The unique ID of the parent process. This ID is assigned to the parent process by GuardDuty.

Pid
Type: int

The ID of the process.

Pwd
Type: string

The present working directory of the process.

StartTime
Type: timestamp (string|DateTime or anything parsable by strtotime)

The time when the process started. This is in UTC format.

User
Type: string

The user that executed the process.

UserId
Type: int

The unique ID of the user that executed the process.

Uuid
Type: string

The unique ID assigned to the process by GuardDuty.

ProductCode

Description

Contains information about the product code for the EC2 instance.

Members
Code
Type: string

The product code information.

ProductType
Type: string

The product code type.

PublicAccess

Description

Describes the public access policies that apply to the S3 bucket.

Members
EffectivePermission
Type: string

Describes the effective permission on this bucket after factoring all attached policies.

PermissionConfiguration
Type: PermissionConfiguration structure

Contains information about how permissions are configured for the S3 bucket.

PublicAccessConfiguration

Description

Describes public access policies that apply to the Amazon S3 bucket.

For information about each of the following settings, see Blocking public access to your Amazon S3 storage in the Amazon S3 User Guide.

Members
PublicAclAccess
Type: string

Indicates whether or not there is a setting that allows public access to the Amazon S3 buckets through access control lists (ACLs).

PublicAclIgnoreBehavior
Type: string

Indicates whether or not there is a setting that ignores all public access control lists (ACLs) on the Amazon S3 bucket and the objects that it contains.

PublicBucketRestrictBehavior
Type: string

Indicates whether or not there is a setting that restricts access to the bucket with specified policies.

PublicPolicyAccess
Type: string

Indicates whether or not there is a setting that allows public access to the Amazon S3 bucket policy.

RdsDbInstanceDetails

Description

Contains information about the resource type RDSDBInstance involved in a GuardDuty finding.

Members
DbClusterIdentifier
Type: string

The identifier of the database cluster that contains the database instance ID involved in the finding.

DbInstanceArn
Type: string

The Amazon Resource Name (ARN) that identifies the database instance involved in the finding.

DbInstanceIdentifier
Type: string

The identifier associated with the database instance that was involved in the finding.

Engine
Type: string

The database engine of the database instance involved in the finding.

EngineVersion
Type: string

The version of the database engine that was involved in the finding.

Tags
Type: Array of Tag structures

Information about the tag key-value pairs.

RdsDbUserDetails

Description

Contains information about the user and authentication details for a database instance involved in the finding.

Members
Application
Type: string

The application name used in the anomalous login attempt.

AuthMethod
Type: string

The authentication method used by the user involved in the finding.

Database
Type: string

The name of the database instance involved in the anomalous login attempt.

Ssl
Type: string

The version of the Secure Sockets Layer (SSL) used for the network connection.

User
Type: string

The user name used in the anomalous login attempt.

RdsLimitlessDbDetails

Description

Contains information about the resource type RDSLimitlessDB that is involved in a GuardDuty finding.

Members
DbClusterIdentifier
Type: string

The name of the database cluster that is a part of the Limitless Database.

DbShardGroupArn
Type: string

The Amazon Resource Name (ARN) that identifies the DB shard group.

DbShardGroupIdentifier
Type: string

The name associated with the Limitless DB shard group.

DbShardGroupResourceId
Type: string

The resource identifier of the DB shard group within the Limitless Database.

Engine
Type: string

The database engine of the database instance involved in the finding.

EngineVersion
Type: string

The version of the database engine.

Tags
Type: Array of Tag structures

Information about the tag key-value pair.

RdsLoginAttemptAction

Description

Indicates that a login attempt was made to the potentially compromised database from a remote IP address.

Members
LoginAttributes
Type: Array of LoginAttribute structures

Indicates the login attributes used in the login attempt.

RemoteIpDetails
Type: RemoteIpDetails structure

Contains information about the remote IP address of the connection.

RemoteAccountDetails

Description

Contains details about the remote Amazon Web Services account that made the API call.

Members
AccountId
Type: string

The Amazon Web Services account ID of the remote API caller.

Affiliated
Type: boolean

Details on whether the Amazon Web Services account of the remote API caller is related to your GuardDuty environment. If this value is True, the API caller is affiliated with your account in some way. If it is False, the API caller is from outside your environment.

RemoteIpDetails

Description

Contains information about the remote IP address of the connection.

Members
City
Type: City structure

The city information of the remote IP address.

Country
Type: Country structure

The country code of the remote IP address.

GeoLocation
Type: GeoLocation structure

The location information of the remote IP address.

IpAddressV4
Type: string

The IPv4 remote address of the connection.

IpAddressV6
Type: string

The IPv6 remote address of the connection.

Organization
Type: Organization structure

The ISP organization information of the remote IP address.

RemotePortDetails

Description

Contains information about the remote port.

Members
Port
Type: int

The port number of the remote connection.

PortName
Type: string

The port name of the remote connection.

Resource

Description

Contains information about the Amazon Web Services resource associated with the activity that prompted GuardDuty to generate a finding.

Members
AccessKeyDetails
Type: AccessKeyDetails structure

The IAM access key details (user information) of a user that engaged in the activity that prompted GuardDuty to generate a finding.

ContainerDetails
Type: Container structure

Details of a container.

EbsVolumeDetails
Type: EbsVolumeDetails structure

Contains a list of scanned and skipped EBS volumes, with details.

EcsClusterDetails
Type: EcsClusterDetails structure

Contains information about the details of the ECS Cluster.

EksClusterDetails
Type: EksClusterDetails structure

Details about the EKS cluster involved in a Kubernetes finding.

InstanceDetails
Type: InstanceDetails structure

The information about the EC2 instance associated with the activity that prompted GuardDuty to generate a finding.

KubernetesDetails
Type: KubernetesDetails structure

Details about the Kubernetes user and workload involved in a Kubernetes finding.

LambdaDetails
Type: LambdaDetails structure

Contains information about the Lambda function that was involved in a finding.

RdsDbInstanceDetails
Type: RdsDbInstanceDetails structure

Contains information about the database instance to which an anomalous login attempt was made.

RdsDbUserDetails
Type: RdsDbUserDetails structure

Contains information about the user details through which the anomalous login attempt was made.

RdsLimitlessDbDetails
Type: RdsLimitlessDbDetails structure

Contains information about the RDS Limitless database that was involved in a GuardDuty finding.

ResourceType
Type: string

The type of Amazon Web Services resource.

S3BucketDetails
Type: Array of S3BucketDetail structures

Contains information on the S3 bucket.

ResourceData

Description

Contains information about the Amazon Web Services resource that is associated with the activity that prompted GuardDuty to generate a finding.

Members
AccessKey
Type: AccessKey structure

Contains information about the IAM access key details of a user who was involved in the GuardDuty finding.

Ec2Instance
Type: Ec2Instance structure

Contains information about the Amazon EC2 instance.

Ec2NetworkInterface
Type: Ec2NetworkInterface structure

Contains information about the elastic network interface of the Amazon EC2 instance.

S3Bucket
Type: S3Bucket structure

Contains information about the Amazon S3 bucket.

S3Object
Type: S3Object structure

Contains information about the Amazon S3 object.

ResourceDetails

Description

Represents the resources that were scanned in the scan entry.

Members
InstanceArn
Type: string

Instance ARN that was scanned in the scan entry.

ResourceNotFoundException

Description

The requested resource can't be found.

Members
Message
Type: string

The error message.

Type
Type: string

The error type.

ResourceStatistics

Description

Information about each resource type associated with the groupedByResource statistics.

Members
AccountId
Type: string

The ID of the Amazon Web Services account.

LastGeneratedAt
Type: timestamp (string|DateTime or anything parsable by strtotime)

The timestamp at which the statistics for this resource were last generated.

ResourceId
Type: string

ID associated with each resource. The following list provides the mapping of the resource type and resource ID.

Mapping of resource and resource ID

  • AccessKey - resource.accessKeyDetails.accessKeyId

  • Container - resource.containerDetails.id

  • ECSCluster - resource.ecsClusterDetails.name

  • EKSCluster - resource.eksClusterDetails.name

  • Instance - resource.instanceDetails.instanceId

  • KubernetesCluster - resource.kubernetesDetails.kubernetesWorkloadDetails.name

  • Lambda - resource.lambdaDetails.functionName

  • RDSDBInstance - resource.rdsDbInstanceDetails.dbInstanceIdentifier

  • S3Bucket - resource.s3BucketDetails.name

  • S3Object - resource.s3BucketDetails.name

ResourceType
Type: string

The type of resource.

TotalFindings
Type: int

The total number of findings associated with this resource.
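The mapping above is what a triage script has to follow to turn a raw finding into the ResourceType/ResourceId/TotalFindings rows that ResourceStatistics reports. The following PHP 8.1+ script is an added example, not code from the AWS SDK for PHP or from this reference; the findings it groups are constructed sample data with placeholder IDs, and the treatment of list-valued members (s3BucketDetails) is an assumption noted in the code.

```php
<?php
declare(strict_types=1);

// Added example (not AWS SDK code): resolve the ResourceId of a finding by
// following the ResourceType -> field mapping above, then aggregate findings
// into rows shaped like ResourceStatistics. Findings are plain arrays in the
// camelCase JSON shape of a GuardDuty finding.

/** ResourceType => dotted path of its ID, exactly as listed in the mapping above. */
const RESOURCE_ID_PATHS = [
    'AccessKey'         => 'resource.accessKeyDetails.accessKeyId',
    'Container'         => 'resource.containerDetails.id',
    'ECSCluster'        => 'resource.ecsClusterDetails.name',
    'EKSCluster'        => 'resource.eksClusterDetails.name',
    'Instance'          => 'resource.instanceDetails.instanceId',
    'KubernetesCluster' => 'resource.kubernetesDetails.kubernetesWorkloadDetails.name',
    'Lambda'            => 'resource.lambdaDetails.functionName',
    'RDSDBInstance'     => 'resource.rdsDbInstanceDetails.dbInstanceIdentifier',
    'S3Bucket'          => 'resource.s3BucketDetails.name',
    'S3Object'          => 'resource.s3BucketDetails.name',
];

/**
 * Walks a dotted path through nested arrays; returns null if any segment is
 * missing. Assumption: S3BucketDetails is an array of S3BucketDetail
 * structures but the mapping writes s3BucketDetails.name without an index,
 * so a list-valued node is descended into at its first element.
 */
function getByPath(array $data, string $path): mixed
{
    $node = $data;
    foreach (explode('.', $path) as $segment) {
        if (is_array($node) && $node !== [] && array_is_list($node)) {
            $node = $node[0];
        }
        if (!is_array($node) || !array_key_exists($segment, $node)) {
            return null;
        }
        $node = $node[$segment];
    }
    return $node;
}

/** Returns the mapped resource ID, or null for an unknown type or a missing field. */
function resolveResourceId(array $finding): ?string
{
    $type = $finding['resource']['resourceType'] ?? null;
    if (!is_string($type) || !isset(RESOURCE_ID_PATHS[$type])) {
        return null;
    }
    $id = getByPath($finding, RESOURCE_ID_PATHS[$type]);
    return is_string($id) ? $id : null;
}

/**
 * Groups findings by (ResourceType, ResourceId). LastGeneratedAt is the
 * latest updatedAt in the group (ISO 8601 UTC strings compare lexically).
 * Findings whose ID cannot be resolved are kept under 'unresolved' so that
 * a malformed finding is visible rather than silently dropped.
 */
function groupByResource(array $findings): array
{
    $rows = [];
    foreach ($findings as $finding) {
        $type = $finding['resource']['resourceType'] ?? 'unknown';
        $id = resolveResourceId($finding);
        $key = $id === null ? 'unresolved' : "$type|$id";
        $updatedAt = $finding['updatedAt'] ?? '';
        if (!isset($rows[$key])) {
            $rows[$key] = ['resourceType' => $type, 'resourceId' => $id,
                           'totalFindings' => 0, 'lastGeneratedAt' => $updatedAt];
        }
        $rows[$key]['totalFindings']++;
        if ($updatedAt > $rows[$key]['lastGeneratedAt']) {
            $rows[$key]['lastGeneratedAt'] = $updatedAt;
        }
    }
    return array_values($rows);
}

// Constructed sample findings (placeholder IDs), not real GuardDuty output.
$findings = [
    ['updatedAt' => '2024-05-01T10:00:00Z', 'resource' => ['resourceType' => 'Instance',
        'instanceDetails' => ['instanceId' => 'i-0123456789abcdef0']]],
    ['updatedAt' => '2024-05-01T12:30:00Z', 'resource' => ['resourceType' => 'Instance',
        'instanceDetails' => ['instanceId' => 'i-0123456789abcdef0']]],
    ['updatedAt' => '2024-05-02T08:15:00Z', 'resource' => ['resourceType' => 'S3Bucket',
        's3BucketDetails' => [['name' => 'example-bucket', 'arn' => 'arn:aws:s3:::example-bucket']]]],
    // functionName is absent, so this finding lands in the 'unresolved' row.
    ['updatedAt' => '2024-05-02T09:00:00Z', 'resource' => ['resourceType' => 'Lambda']],
];

foreach (groupByResource($findings) as $row) {
    printf("%-10s %-22s findings=%d last=%s\n", $row['resourceType'],
        $row['resourceId'] ?? '-', $row['totalFindings'], $row['lastGeneratedAt']);
}
```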

ResourceV2

Description

Contains information about the Amazon Web Services resource that is associated with the GuardDuty finding.

Members
AccountId
Type: string

The Amazon Web Services account ID to which the resource belongs.

CloudPartition
Type: string

The cloud partition within the Amazon Web Services Region to which the resource belongs.

Data
Type: ResourceData structure

Contains information about the Amazon Web Services resource associated with the activity that prompted GuardDuty to generate a finding.

Name
Type: string

The name of the resource.

Region
Type: string

The Amazon Web Services Region where the resource belongs.

ResourceType
Required: Yes
Type: string

The type of the Amazon Web Services resource.

Service
Type: string

The Amazon Web Services service of the resource.

Tags
Type: Array of Tag structures

Contains information about the tags associated with the resource.

Uid
Required: Yes
Type: string

The unique identifier of the resource.

RuntimeContext

Description

Additional information about the suspicious activity.

Members
AddressFamily
Type: string

Represents the communication protocol associated with the address. For example, the address family AF_INET is used for the IP version 4 protocol.

CommandLineExample
Type: string

Example of the command line involved in the suspicious activity.

FileSystemType
Type: string

Represents the type of the mounted file system.

Flags
Type: Array of strings

Represents options that control the behavior of a runtime operation or action. For example, a filesystem mount operation may contain a read-only flag.

IanaProtocolNumber
Type: int

Specifies a particular protocol within the address family. Usually there is a single protocol in an address family. For example, the address family AF_INET only has the IP protocol.

LdPreloadValue
Type: string

The value of the LD_PRELOAD environment variable.

LibraryPath
Type: string

The path to the new library that was loaded.

MemoryRegions
Type: Array of strings

Specifies the region of a process's address space, such as stack and heap.

ModifiedAt
Type: timestamp (string|DateTime or anything parsable by strtotime)

The timestamp at which the process modified the current process. The timestamp is in UTC date string format.

ModifyingProcess
Type: ProcessDetails structure

Information about the process that modified the current process. This is available for multiple finding types.

ModuleFilePath
Type: string

The path to the module loaded into the kernel.

ModuleName
Type: string

The name of the module loaded into the kernel.

ModuleSha256
Type: string

The SHA256 hash of the module.

MountSource
Type: string

The path on the host that is mounted by the container.

MountTarget
Type: string

The path in the container that is mapped to the host directory.

ReleaseAgentPath
Type: string

The path in the container that modified the release agent file.

RuncBinaryPath
Type: string

The path to the leveraged runc implementation.

ScriptPath
Type: string

The path to the script that was executed.

ServiceName
Type: string

Name of the security service that has been potentially disabled.

ShellHistoryFilePath
Type: string

The path to the modified shell history file.

SocketPath
Type: string

The path to the Docker socket that was accessed.

TargetProcess
Type: ProcessDetails structure

Information about the process that had its memory overwritten by the current process.

ThreatFilePath
Type: string

The suspicious file path for which the threat intelligence details were found.

ToolCategory
Type: string

Category that the tool belongs to. Some of the examples are Backdoor Tool, Pentest Tool, Network Scanner, and Network Sniffer.

ToolName
Type: string

Name of the potentially suspicious tool.

RuntimeDetails

Description

Information about the process and any required context values for a specific finding.

Members
Context
Type: RuntimeContext structure

Additional information about the suspicious activity.

Process
Type: ProcessDetails structure

Information about the observed process.

S3Bucket

Description

Contains information about the Amazon S3 bucket policies and encryption.

Members
AccountPublicAccess
Type: PublicAccessConfiguration structure

Contains information about the public access policies that apply to the Amazon S3 bucket at the account level.

BucketPublicAccess
Type: PublicAccessConfiguration structure

Contains information about public access policies that apply to the Amazon S3 bucket.

CreatedAt
Type: timestamp (string|DateTime or anything parsable by strtotime)

The timestamp at which the Amazon S3 bucket was created.

EffectivePermission
Type: string

Describes the effective permissions on this S3 bucket, after factoring all the attached policies.

EncryptionKeyArn
Type: string

The Amazon Resource Name (ARN) of the encryption key that is used to encrypt the Amazon S3 bucket and its objects.

EncryptionType
Type: string

The type of encryption used for the Amazon S3 bucket and its objects. For more information, see Protecting data with server-side encryption in the Amazon S3 User Guide.

OwnerId
Type: string

The owner ID of the associated Amazon S3 bucket.

PublicReadAccess
Type: string

Indicates whether or not the public read access is allowed for an Amazon S3 bucket.

PublicWriteAccess
Type: string

Indicates whether or not the public write access is allowed for an Amazon S3 bucket.

S3ObjectUids
Type: Array of strings

Represents a list of Amazon S3 object identifiers.

S3BucketDetail

Description

Contains information on the S3 bucket.

Members
Arn
Type: string

The Amazon Resource Name (ARN) of the S3 bucket.

CreatedAt
Type: timestamp (string|DateTime or anything parsable by strtotime)

The date and time at which the bucket was created.

DefaultServerSideEncryption
Type: DefaultServerSideEncryption structure

Describes the server-side encryption method used in the S3 bucket.

Name
Type: string

The name of the S3 bucket.

Owner
Type: Owner structure

The owner of the S3 bucket.

PublicAccess
Type: PublicAccess structure

Describes the public access policies that apply to the S3 bucket.

S3ObjectDetails
Type: Array of S3ObjectDetail structures

Information about the S3 object that was scanned.

Tags
Type: Array of Tag structures

All tags attached to the S3 bucket.

Type
Type: string

Describes whether the bucket is a source or destination bucket.

S3LogsConfiguration

Description

Describes whether S3 data event logs will be enabled as a data source.

Members
Enable
Required: Yes
Type: boolean

The status of S3 data event logs as a data source.

S3LogsConfigurationResult

Description

Describes whether S3 data event logs will be enabled as a data source.

Members
Status
Required: Yes
Type: string

A value that describes whether S3 data event logs are automatically enabled for new members of the organization.

S3Object

Description

Contains information about the Amazon S3 object.

Members
ETag
Type: string

The entity tag is a hash of the Amazon S3 object. The ETag reflects changes only to the contents of an object, and not its metadata.

Key
Type: string

The key of the Amazon S3 object.

VersionId
Type: string

The version Id of the Amazon S3 object.

S3ObjectDetail

Description

Information about the S3 object that was scanned.

Members
ETag
Type: string

The entity tag is a hash of the S3 object. The ETag reflects changes only to the contents of an object, and not its metadata.

Hash
Type: string

Hash of the threat detected in this finding.

Key
Type: string

Key of the S3 object.

ObjectArn
Type: string

Amazon Resource Name (ARN) of the S3 object.

VersionId
Type: string

Version ID of the object.

Scan

Description

Contains information about malware scans associated with GuardDuty Malware Protection for EC2.

Members
AccountId
Type: string

The ID of the account to which the scan belongs.

AdminDetectorId
Type: string

The unique detector ID of the administrator account that the request is associated with. If the account is an administrator, the AdminDetectorId will be the same as the one used for DetectorId.

To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.

AttachedVolumes
Type: Array of VolumeDetail structures

List of volumes that were attached to the original instance to be scanned.

DetectorId
Type: string

The unique ID of the detector that is associated with the request.

To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.

FailureReason
Type: string

Represents the reason for FAILED scan status.

FileCount
Type: long (int|float)

Represents the number of files that were scanned.

ResourceDetails
Type: ResourceDetails structure

Represents the resources that were scanned in the scan entry.

ScanEndTime
Type: timestamp (string|DateTime or anything parsable by strtotime)

The timestamp of when the scan was finished.

ScanId
Type: string

The unique scan ID associated with a scan entry.

ScanResultDetails
Type: ScanResultDetails structure

Represents the result of the scan.

ScanStartTime
Type: timestamp (string|DateTime or anything parsable by strtotime)

The timestamp of when the scan was triggered.

ScanStatus
Type: string

An enum value representing possible scan statuses.

ScanType
Type: string

Specifies the scan type that invoked the malware scan.

TotalBytes
Type: long (int|float)

Represents total bytes that were scanned.

TriggerDetails
Type: TriggerDetails structure

Specifies the reason why the scan was initiated.

ScanCondition

Description

Contains information about the condition.

Members
MapEquals
Required: Yes
Type: Array of ScanConditionPair structures

Represents a mapEquals condition to be applied to a single field when triggering a malware scan.

ScanConditionPair

Description

Represents the key:value pair to be matched against a given resource property.

Members
Key
Required: Yes
Type: string

Represents the key in the map condition.

Value
Type: string

Represents the optional value in the map condition. If not specified, only the key is matched.

ScanDetections

Description

Contains a complete view providing malware scan result details.

Members
HighestSeverityThreatDetails

Details of the highest severity threat detected during malware scan and number of infected files.

ScannedItemCount
Type: ScannedItemCount structure

Total number of scanned files.

ThreatDetectedByName
Type: ThreatDetectedByName structure

Contains details about identified threats organized by threat name.

ThreatsDetectedItemCount
Type: ThreatsDetectedItemCount structure

Total number of infected files.

ScanEc2InstanceWithFindings

Description

Describes whether Malware Protection for EC2 instances with findings will be enabled as a data source.

Members
EbsVolumes
Type: boolean

Describes the configuration for scanning EBS volumes as a data source.

ScanEc2InstanceWithFindingsResult

Description

An object that contains information on the status of whether Malware Protection for EC2 instances with findings will be enabled as a data source.

Members
EbsVolumes
Type: EbsVolumesResult structure

Describes the configuration of scanning EBS volumes as a data source.

ScanFilePath

Description

Contains details of an infected file, including its name, file path, and hash.

Members
FileName
Type: string

File name of the infected file.

FilePath
Type: string

The file path of the infected file.

Hash
Type: string

The hash value of the infected file.

VolumeArn
Type: string

EBS volume ARN details of the infected file.

ScanResourceCriteria

Description

Contains information about criteria used to filter resources before triggering malware scan.

Members
Exclude
Type: Associative array of custom string keys (ScanCriterionKey) to ScanCondition structures

Represents a condition that, when matched, prevents a malware scan for a certain resource.

Include
Type: Associative array of custom string keys (ScanCriterionKey) to ScanCondition structures

Represents a condition that, when matched, allows a malware scan for a certain resource.

ScanResultDetails

Description

Represents the result of the scan.

Members
ScanResult
Type: string

An enum value representing possible scan results.

ScanThreatName

Description

Contains files infected with the given threat providing details of malware name and severity.

Members
FilePaths
Type: Array of ScanFilePath structures

List of infected files in EBS volume with details.

ItemCount
Type: int

Total number of files infected with given threat.

Name
Type: string

The name of the identified threat.

Severity
Type: string

Severity of threat identified as part of the malware scan.

ScannedItemCount

Description

Total number of scanned files.

Members
Files
Type: int

Number of files scanned.

TotalGb
Type: int

Total GB of files scanned for malware.

Volumes
Type: int

Total number of scanned volumes.

SecurityContext

Description

Container security context.

Members
AllowPrivilegeEscalation
Type: boolean

Whether or not a container or a Kubernetes pod is allowed to gain more privileges than its parent process.

Privileged
Type: boolean

Whether the container is privileged.

SecurityGroup

Description

Contains information about the security groups associated with the EC2 instance.

Members
GroupId
Type: string

The security group ID of the EC2 instance.

GroupName
Type: string

The security group name of the EC2 instance.

Sequence

Description

Contains information about the GuardDuty attack sequence finding.

Members
Actors
Type: Array of Actor structures

Contains information about the actors involved in the attack sequence.

Description
Required: Yes
Type: string

Description of the attack sequence.

Endpoints
Type: Array of NetworkEndpoint structures

Contains information about the network endpoints that were used in the attack sequence.

Resources
Type: Array of ResourceV2 structures

Contains information about the resources involved in the attack sequence.

SequenceIndicators
Type: Array of Indicator structures

Contains information about the indicators observed in the attack sequence.

Signals
Required: Yes
Type: Array of Signal structures

Contains information about the signals involved in the attack sequence.

Uid
Required: Yes
Type: string

Unique identifier of the attack sequence.

Service

Description

Contains additional information about the generated finding.

Members
Action
Type: Action structure

Information about the activity that is described in a finding.

AdditionalInfo
Type: ServiceAdditionalInfo structure

Contains additional information about the generated finding.

Archived
Type: boolean

Indicates whether this finding is archived.

Count
Type: int

The total count of the occurrences of this finding type.

Detection
Type: Detection structure

Contains information about the detected unusual behavior.

DetectorId
Type: string

The detector ID for the GuardDuty service.

EbsVolumeScanDetails
Type: EbsVolumeScanDetails structure

Returns details from the malware scan that created a finding.

EventFirstSeen
Type: string

The first-seen timestamp of the activity that prompted GuardDuty to generate this finding.

EventLastSeen
Type: string

The last-seen timestamp of the activity that prompted GuardDuty to generate this finding.

Evidence
Type: Evidence structure

An evidence object associated with the service.

FeatureName
Type: string

The name of the feature that generated a finding.

MalwareScanDetails
Type: MalwareScanDetails structure

Returns details from the malware scan that generated a GuardDuty finding.

ResourceRole
Type: string

The resource role information for this finding.

RuntimeDetails
Type: RuntimeDetails structure

Information about the process and any required context values for a specific finding.

ServiceName
Type: string

The name of the Amazon Web Services service (GuardDuty) that generated a finding.

UserFeedback
Type: string

Feedback that was submitted about the finding.

ServiceAdditionalInfo

Description

Additional information about the generated finding.

Members
Type
Type: string

Describes the type of the additional information.

Value
Type: string

This field specifies the value of the additional information.

Session

Description

Contains information about the authenticated session.

Members
CreatedTime
Type: timestamp (string|DateTime or anything parsable by strtotime)

The timestamp for when the session was created.

In Amazon Web Services CloudTrail, you can find this value as userIdentity.sessionContext.attributes.creationDate.

Issuer
Type: string

Identifier of the session issuer.

In Amazon Web Services CloudTrail, you can find this value as userIdentity.sessionContext.sessionIssuer.arn.

MfaStatus
Type: string

Indicates whether or not multi-factor authentication (MFA) was used during authentication.

In Amazon Web Services CloudTrail, you can find this value as userIdentity.sessionContext.attributes.mfaAuthenticated.

Uid
Type: string

The unique identifier of the session.

SeverityStatistics

Description

Information about severity level for each finding type.

Members
LastGeneratedAt
Type: timestamp (string|DateTime or anything parsable by strtotime)

The timestamp at which a finding type for a specific severity was last generated.

Severity
Type: double

The severity level associated with each finding type.

TotalFindings
Type: int

The total number of findings associated with this severity.

Signal

Description

Contains information about the signals involved in the attack sequence.

Members
ActorIds
Type: Array of strings

Information about the IDs of the threat actors involved in the signal.

Count
Required: Yes
Type: int

The number of times this signal was observed.

CreatedAt
Required: Yes
Type: timestamp (string|DateTime or anything parsable by strtotime)

The timestamp when the first finding or activity related to this signal was observed.

Description
Type: string

The description of the signal.

EndpointIds
Type: Array of strings

Information about the endpoint IDs associated with this signal.

FirstSeenAt
Required: Yes
Type: timestamp (string|DateTime or anything parsable by strtotime)

The timestamp when the first finding or activity related to this signal was observed.

LastSeenAt
Required: Yes
Type: timestamp (string|DateTime or anything parsable by strtotime)

The timestamp when the last finding or activity related to this signal was observed.

Name
Required: Yes
Type: string

The name of the signal. For example, when signal type is FINDING, the signal name is the name of the finding.

ResourceUids
Type: Array of strings

Information about the unique identifiers of the resources involved in the signal.

Severity
Type: double

The severity associated with the signal. For more information about severity, see Findings severity levels in the GuardDuty User Guide.

SignalIndicators
Type: Array of Indicator structures

Contains information about the indicators associated with the signals.

Type
Required: Yes
Type: string

The type of the signal used to identify an attack sequence.

Signals can be GuardDuty findings or activities observed in data sources that GuardDuty monitors. For more information, see Foundational data sources in the GuardDuty User Guide.

A signal type can be one of the valid values listed in this API. Here are the related descriptions:

  • FINDING - Individually generated GuardDuty finding.

  • CLOUD_TRAIL - Activity observed from CloudTrail logs.

  • S3_DATA_EVENTS - Activity observed from CloudTrail data events for S3. Activities associated with this type will show up only when you have enabled GuardDuty S3 Protection feature in your account. For more information about S3 Protection and steps to enable it, see S3 Protection in the GuardDuty User Guide.

Uid
Required: Yes
Type: string

The unique identifier of the signal.

UpdatedAt
Required: Yes
Type: timestamp (string|DateTime or anything parsable by strtotime)

The timestamp when this signal was last observed.

SortCriteria

Description

Contains information about the criteria used for sorting findings.

Members
AttributeName
Type: string

Represents the finding attribute, such as accountId, that sorts the findings.

OrderBy
Type: string

The order by which the sorted findings are to be displayed.

Tag

Description

Contains information about a tag key-value pair.

Members
Key
Type: string

Describes the key associated with the tag.

Value
Type: string

Describes the value associated with the tag key.

Threat

Description

Information about the detected threats associated with the generated finding.

Members
ItemPaths
Type: Array of ItemPath structures

Information about the nested item path and hash of the protected resource.

Name
Type: string

Name of the detected threat that caused GuardDuty to generate this finding.

Source
Type: string

Source of the threat that generated this finding.

ThreatDetectedByName

Description

Contains details about identified threats organized by threat name.

Members
ItemCount
Type: int

Total number of infected files identified.

Shortened
Type: boolean

Flag to determine if the finding contains every single infected file-path and/or every threat.

ThreatNames
Type: Array of ScanThreatName structures

List of identified threats with details, organized by threat name.

UniqueThreatNameCount
Type: int

Total number of unique threats by name identified, as part of the malware scan.

ThreatIntelligenceDetail

Description

An instance of a threat intelligence detail that constitutes evidence for the finding.

Members
ThreatFileSha256
Type: string

SHA256 of the file that generated the finding.

ThreatListName
Type: string

The name of the threat intelligence list that triggered the finding.

ThreatNames
Type: Array of strings

A list of names of the threats in the threat intelligence list that triggered the finding.

ThreatsDetectedItemCount

Description

Contains total number of infected files.

Members
Files
Type: int

Total number of infected files.

Total

Description

Contains the total usage with the corresponding currency unit for that value.

Members
Amount
Type: string

The total usage.

Unit
Type: string

The currency unit that the amount is given in.

TriggerDetails

Description

Represents the reason the scan was triggered.

Members
Description
Type: string

The description of the scan trigger.

GuardDutyFindingId
Type: string

The ID of the GuardDuty finding that triggered the malware scan.

UnprocessedAccount

Description

Contains information about the accounts that weren't processed.

Members
AccountId
Required: Yes
Type: string

The Amazon Web Services account ID.

Result
Required: Yes
Type: string

A reason why the account hasn't been processed.

UnprocessedDataSourcesResult

Description

Specifies the names of the data sources that couldn't be enabled.

Members
MalwareProtection

An object that contains information on the status of all Malware Protection data sources.

UpdateProtectedResource

Description

Information about the protected resource that is associated with the created Malware Protection plan. Presently, S3Bucket is the only supported protected resource.

Members
S3Bucket
Type: UpdateS3BucketResource structure

Information about the protected S3 bucket resource.

UpdateS3BucketResource

Description

Information about the protected S3 bucket resource.

Members
ObjectPrefixes
Type: Array of strings

Information about the specified object prefixes. The S3 object will be scanned only if it belongs to any of the specified object prefixes.

UsageAccountResult

Description

Contains information on the total of usage based on account IDs.

Members
AccountId
Type: string

The Account ID that generated usage.

Total
Type: Total structure

Represents the total of usage for the Account ID.

UsageCriteria

Description

Contains information about the criteria used to query usage statistics.

Members
AccountIds
Type: Array of strings

The account IDs to aggregate usage statistics from.

DataSources
Type: Array of strings

The data sources to aggregate usage statistics from.

Features
Type: Array of strings

The features to aggregate usage statistics from.

Resources
Type: Array of strings

The resources to aggregate usage statistics from. Only accepts exact resource names.

UsageDataSourceResult

Description

Contains information on the result of usage based on data source type.

Members
DataSource
Type: string

The data source type that generated usage.

Total
Type: Total structure

Represents the total of usage for the specified data source.

UsageFeatureResult

Description

Contains information about the result of the total usage based on the feature.

Members
Feature
Type: string

The feature that generated the usage cost.

Total
Type: Total structure

Contains the total usage with the corresponding currency unit for that value.

UsageResourceResult

Description

Contains information on the sum of usage based on an Amazon Web Services resource.

Members
Resource
Type: string

The Amazon Web Services resource that generated usage.

Total
Type: Total structure

Represents the sum total of usage for the specified resource type.

UsageStatistics

Description

Contains the result of GuardDuty usage. If a UsageStatisticType is provided, the result for other types will be null.

Members
SumByAccount
Type: Array of UsageAccountResult structures

The usage statistic sum organized by account ID.

SumByDataSource
Type: Array of UsageDataSourceResult structures

The usage statistic sum organized by data source.

SumByFeature
Type: Array of UsageFeatureResult structures

The usage statistic sum organized by feature.

SumByResource
Type: Array of UsageResourceResult structures

The usage statistic sum organized by resource.

TopAccountsByFeature
Type: Array of UsageTopAccountsResult structures

Lists the top 50 accounts by feature that have generated the most GuardDuty usage, in the order from most to least expensive.

Currently, this doesn't support RDS_LOGIN_EVENTS.

TopResources
Type: Array of UsageResourceResult structures

Lists the top 50 resources that have generated the most GuardDuty usage, in order from most to least expensive.

UsageTopAccountResult

Description

Contains information on the total of usage based on the topmost 50 account IDs.

Members
AccountId
Type: string

The unique account ID.

Total
Type: Total structure

Contains the total usage with the corresponding currency unit for that value.

UsageTopAccountsResult

Description

Information about the usage statistics, calculated by top accounts by feature.

Members
Accounts
Type: Array of UsageTopAccountResult structures

The accounts that contributed to the total usage cost.

Feature
Type: string

Features by which you can generate the usage statistics.

RDS_LOGIN_EVENTS is currently not supported with topAccountsByFeature.

User

Description

Contains information about the user involved in the attack sequence.

Members
Account
Type: Account structure

Contains information about the Amazon Web Services account.

CredentialUid
Type: string

The credentials of the user ID.

Name
Required: Yes
Type: string

The name of the user.

Type
Required: Yes
Type: string

The type of the user.

Uid
Required: Yes
Type: string

The unique identifier of the user.

Volume

Description

Volume used by the Kubernetes workload.

Members
HostPath
Type: HostPath structure

Represents a pre-existing file or directory on the host machine that the volume maps to.

Name
Type: string

Volume name.

VolumeDetail

Description

Contains EBS volume details.

Members
DeviceName
Type: string

The device name for the EBS volume.

EncryptionType
Type: string

EBS volume encryption type.

KmsKeyArn
Type: string

KMS key ARN used to encrypt the EBS volume.

SnapshotArn
Type: string

Snapshot ARN of the EBS volume.

VolumeArn
Type: string

EBS volume ARN information.

VolumeSizeInGB
Type: int

EBS volume size in GB.

VolumeType
Type: string

The EBS volume type.

VolumeMount

Description

Container volume mount.

Members
MountPath
Type: string

Volume mount path.

Name
Type: string

Volume mount name.

VpcConfig

Description

Amazon Virtual Private Cloud configuration details associated with your Lambda function.

Members
SecurityGroups
Type: Array of SecurityGroup structures

The identifiers of the security groups attached to the Lambda function.

SubnetIds
Type: Array of strings

The identifiers of the subnets that are associated with your Lambda function.

VpcId
Type: string

The identifier of the Amazon Virtual Private Cloud.