Amazon GuardDuty 2017-11-28
- Client: Aws\GuardDuty\GuardDutyClient
- Service ID: guardduty
- Version: 2017-11-28
This page describes the parameters and results for the operations of the Amazon GuardDuty (2017-11-28), and shows how to use the Aws\GuardDuty\GuardDutyClient object to call the described operations. This documentation is specific to the 2017-11-28 API version of the service.
Operation Summary
Each of the following operations can be created from a client using
$client->getCommand('CommandName')
, where "CommandName" is the
name of one of the following operations. Note: a command is a value that
encapsulates an operation and the parameters used to create an HTTP request.
You can also create and send a command immediately using the magic methods
available on a client object: $client->commandName(/* parameters */)
.
You can send the command asynchronously (returning a promise) by appending the
word "Async" to the operation name: $client->commandNameAsync(/* parameters */)
.
- AcceptAdministratorInvitation ( array $params = [] )
- Accepts the invitation to be a member account and get monitored by a GuardDuty administrator account that sent the invitation.
- AcceptInvitation ( array $params = [] )
- Accepts the invitation to be monitored by a GuardDuty administrator account.
- ArchiveFindings ( array $params = [] )
- Archives GuardDuty findings that are specified by the list of finding IDs.
- CreateDetector ( array $params = [] )
- Creates a single GuardDuty detector.
- CreateFilter ( array $params = [] )
- Creates a filter using the specified finding criteria.
- CreateIPSet ( array $params = [] )
- Creates a new IPSet, which is called a trusted IP list in the console user interface.
- CreateMalwareProtectionPlan ( array $params = [] )
- Creates a new Malware Protection plan for the protected resource.
- CreateMembers ( array $params = [] )
- Creates member accounts of the current Amazon Web Services account by specifying a list of Amazon Web Services account IDs.
- CreatePublishingDestination ( array $params = [] )
- Creates a publishing destination where you can export your GuardDuty findings.
- CreateSampleFindings ( array $params = [] )
- Generates sample findings of types specified by the list of finding types.
- CreateThreatIntelSet ( array $params = [] )
- Creates a new ThreatIntelSet.
- DeclineInvitations ( array $params = [] )
- Declines invitations sent to the current member account by Amazon Web Services accounts specified by their account IDs.
- DeleteDetector ( array $params = [] )
- Deletes an Amazon GuardDuty detector that is specified by the detector ID.
- DeleteFilter ( array $params = [] )
- Deletes the filter specified by the filter name.
- DeleteIPSet ( array $params = [] )
- Deletes the IPSet specified by the ipSetId.
- DeleteInvitations ( array $params = [] )
- Deletes invitations sent to the current member account by Amazon Web Services accounts specified by their account IDs.
- DeleteMalwareProtectionPlan ( array $params = [] )
- Deletes the Malware Protection plan ID associated with the Malware Protection plan resource.
- DeleteMembers ( array $params = [] )
- Deletes GuardDuty member accounts (to the current GuardDuty administrator account) specified by the account IDs.
- DeletePublishingDestination ( array $params = [] )
- Deletes the publishing definition with the specified destinationId.
- DeleteThreatIntelSet ( array $params = [] )
- Deletes the ThreatIntelSet specified by the ThreatIntelSet ID.
- DescribeMalwareScans ( array $params = [] )
- Returns a list of malware scans.
- DescribeOrganizationConfiguration ( array $params = [] )
- Returns information about the account selected as the delegated administrator for GuardDuty.
- DescribePublishingDestination ( array $params = [] )
- Returns information about the publishing destination specified by the provided destinationId.
- DisableOrganizationAdminAccount ( array $params = [] )
- Removes the existing GuardDuty delegated administrator of the organization.
- DisassociateFromAdministratorAccount ( array $params = [] )
- Disassociates the current GuardDuty member account from its administrator account.
- DisassociateFromMasterAccount ( array $params = [] )
- Disassociates the current GuardDuty member account from its administrator account.
- DisassociateMembers ( array $params = [] )
- Disassociates GuardDuty member accounts (from the current administrator account) specified by the account IDs.
- EnableOrganizationAdminAccount ( array $params = [] )
- Designates an Amazon Web Services account within the organization as your GuardDuty delegated administrator.
- GetAdministratorAccount ( array $params = [] )
- Provides the details of the GuardDuty administrator account associated with the current GuardDuty member account.
- GetCoverageStatistics ( array $params = [] )
- Retrieves aggregated statistics for your account.
- GetDetector ( array $params = [] )
- Retrieves a GuardDuty detector specified by the detectorId.
- GetFilter ( array $params = [] )
- Returns the details of the filter specified by the filter name.
- GetFindings ( array $params = [] )
- Describes Amazon GuardDuty findings specified by finding IDs.
- GetFindingsStatistics ( array $params = [] )
- Lists GuardDuty findings statistics for the specified detector ID.
- GetIPSet ( array $params = [] )
- Retrieves the IPSet specified by the ipSetId.
- GetInvitationsCount ( array $params = [] )
- Returns the count of all GuardDuty membership invitations that were sent to the current member account except the currently accepted invitation.
- GetMalwareProtectionPlan ( array $params = [] )
- Retrieves the Malware Protection plan details associated with a Malware Protection plan ID.
- GetMalwareScanSettings ( array $params = [] )
- Returns the details of the malware scan settings.
- GetMasterAccount ( array $params = [] )
- Provides the details for the GuardDuty administrator account associated with the current GuardDuty member account.
- GetMemberDetectors ( array $params = [] )
- Describes which data sources are enabled for the member account's detector.
- GetMembers ( array $params = [] )
- Retrieves GuardDuty member accounts (of the current GuardDuty administrator account) specified by the account IDs.
- GetOrganizationStatistics ( array $params = [] )
- Retrieves how many active member accounts have each feature enabled within GuardDuty.
- GetRemainingFreeTrialDays ( array $params = [] )
- Provides the number of days left for each data source used in the free trial period.
- GetThreatIntelSet ( array $params = [] )
- Retrieves the ThreatIntelSet that is specified by the ThreatIntelSet ID.
- GetUsageStatistics ( array $params = [] )
- Lists Amazon GuardDuty usage statistics over the last 30 days for the specified detector ID.
- InviteMembers ( array $params = [] )
- Invites Amazon Web Services accounts to become members of an organization administered by the Amazon Web Services account that invokes this API.
- ListCoverage ( array $params = [] )
- Lists coverage details for your GuardDuty account.
- ListDetectors ( array $params = [] )
- Lists detectorIds of all the existing Amazon GuardDuty detector resources.
- ListFilters ( array $params = [] )
- Returns a paginated list of the current filters.
- ListFindings ( array $params = [] )
- Lists GuardDuty findings for the specified detector ID.
- ListIPSets ( array $params = [] )
- Lists the IPSets of the GuardDuty service specified by the detector ID.
- ListInvitations ( array $params = [] )
- Lists all GuardDuty membership invitations that were sent to the current Amazon Web Services account.
- ListMalwareProtectionPlans ( array $params = [] )
- Lists the Malware Protection plan IDs associated with the protected resources in your Amazon Web Services account.
- ListMembers ( array $params = [] )
- Lists details about all member accounts for the current GuardDuty administrator account.
- ListOrganizationAdminAccounts ( array $params = [] )
- Lists the accounts designated as GuardDuty delegated administrators.
- ListPublishingDestinations ( array $params = [] )
- Returns a list of publishing destinations associated with the specified detectorId.
- ListTagsForResource ( array $params = [] )
- Lists tags for a resource.
- ListThreatIntelSets ( array $params = [] )
- Lists the ThreatIntelSets of the GuardDuty service specified by the detector ID.
- StartMalwareScan ( array $params = [] )
- Initiates the malware scan.
- StartMonitoringMembers ( array $params = [] )
- Turns on GuardDuty monitoring of the specified member accounts.
- StopMonitoringMembers ( array $params = [] )
- Stops GuardDuty monitoring for the specified member accounts.
- TagResource ( array $params = [] )
- Adds tags to a resource.
- UnarchiveFindings ( array $params = [] )
- Unarchives GuardDuty findings specified by the findingIds.
- UntagResource ( array $params = [] )
- Removes tags from a resource.
- UpdateDetector ( array $params = [] )
- Updates the GuardDuty detector specified by the detector ID.
- UpdateFilter ( array $params = [] )
- Updates the filter specified by the filter name.
- UpdateFindingsFeedback ( array $params = [] )
- Marks the specified GuardDuty findings as useful or not useful.
- UpdateIPSet ( array $params = [] )
- Updates the IPSet specified by the IPSet ID.
- UpdateMalwareProtectionPlan ( array $params = [] )
- Updates an existing Malware Protection plan resource.
- UpdateMalwareScanSettings ( array $params = [] )
- Updates the malware scan settings.
- UpdateMemberDetectors ( array $params = [] )
- Contains information on member accounts to be updated.
- UpdateOrganizationConfiguration ( array $params = [] )
- Configures the delegated administrator account with the provided values.
- UpdatePublishingDestination ( array $params = [] )
- Updates information about the publishing destination specified by the destinationId.
- UpdateThreatIntelSet ( array $params = [] )
- Updates the ThreatIntelSet specified by the ThreatIntelSet ID.
Paginators
Paginators handle automatically iterating over paginated API results. Paginators are associated with specific API operations, and they accept the parameters that the corresponding API operation accepts. You can get a paginator from a client class using getPaginator($paginatorName, $operationParameters). This client supports the following paginators:
- DescribeMalwareScans
- DescribeOrganizationConfiguration
- GetUsageStatistics
- ListCoverage
- ListDetectors
- ListFilters
- ListFindings
- ListIPSets
- ListInvitations
- ListMembers
- ListOrganizationAdminAccounts
- ListPublishingDestinations
- ListThreatIntelSets
Operations
AcceptAdministratorInvitation
$result = $client->acceptAdministratorInvitation
([/* ... */]); $promise = $client->acceptAdministratorInvitationAsync
([/* ... */]);
Accepts the invitation to be a member account and get monitored by a GuardDuty administrator account that sent the invitation.
Parameter Syntax
$result = $client->acceptAdministratorInvitation([ 'AdministratorId' => '<string>', // REQUIRED 'DetectorId' => '<string>', // REQUIRED 'InvitationId' => '<string>', // REQUIRED ]);
Parameter Details
Members
- AdministratorId
-
- Required: Yes
- Type: string
The account ID of the GuardDuty administrator account whose invitation you're accepting.
- DetectorId
-
- Required: Yes
- Type: string
The unique ID of the detector of the GuardDuty member account.
- InvitationId
-
- Required: Yes
- Type: string
The value that is used to validate the administrator account to the member account.
Result Syntax
[]
Result Details
Errors
- BadRequestException:
A bad request exception object.
- InternalServerErrorException:
An internal server error exception object.
AcceptInvitation
$result = $client->acceptInvitation
([/* ... */]); $promise = $client->acceptInvitationAsync
([/* ... */]);
Accepts the invitation to be monitored by a GuardDuty administrator account.
Parameter Syntax
$result = $client->acceptInvitation([ 'DetectorId' => '<string>', // REQUIRED 'InvitationId' => '<string>', // REQUIRED 'MasterId' => '<string>', // REQUIRED ]);
Parameter Details
Members
- DetectorId
-
- Required: Yes
- Type: string
The unique ID of the detector of the GuardDuty member account.
To find the
detectorId
in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API. - InvitationId
-
- Required: Yes
- Type: string
The value that is used to validate the administrator account to the member account.
- MasterId
-
- Required: Yes
- Type: string
The account ID of the GuardDuty administrator account whose invitation you're accepting.
Result Syntax
[]
Result Details
Errors
- BadRequestException:
A bad request exception object.
- InternalServerErrorException:
An internal server error exception object.
ArchiveFindings
$result = $client->archiveFindings
([/* ... */]); $promise = $client->archiveFindingsAsync
([/* ... */]);
Archives GuardDuty findings that are specified by the list of finding IDs.
Only the administrator account can archive findings. Member accounts don't have permission to archive findings from their accounts.
Parameter Syntax
$result = $client->archiveFindings([ 'DetectorId' => '<string>', // REQUIRED 'FindingIds' => ['<string>', ...], // REQUIRED ]);
Parameter Details
Members
- DetectorId
-
- Required: Yes
- Type: string
The ID of the detector that specifies the GuardDuty service whose findings you want to archive.
To find the
detectorId
in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API. - FindingIds
-
- Required: Yes
- Type: Array of strings
The IDs of the findings that you want to archive.
Result Syntax
[]
Result Details
Errors
- BadRequestException:
A bad request exception object.
- InternalServerErrorException:
An internal server error exception object.
CreateDetector
$result = $client->createDetector
([/* ... */]); $promise = $client->createDetectorAsync
([/* ... */]);
Creates a single GuardDuty detector. A detector is a resource that represents the GuardDuty service. To start using GuardDuty, you must create a detector in each Region where you enable the service. You can have only one detector per account per Region. All data sources are enabled in a new detector by default.
-
When you don't specify any
features
, with an exception toRUNTIME_MONITORING
, all the optional features are enabled by default. -
When you specify some of the
features
, any feature that is not specified in the API call gets enabled by default, with an exception toRUNTIME_MONITORING
.
Specifying both EKS Runtime Monitoring (EKS_RUNTIME_MONITORING
) and Runtime Monitoring (RUNTIME_MONITORING
) will cause an error. You can add only one of these two features because Runtime Monitoring already includes the threat detection for Amazon EKS resources. For more information, see Runtime Monitoring.
There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints.
Parameter Syntax
$result = $client->createDetector([ 'ClientToken' => '<string>', 'DataSources' => [ 'Kubernetes' => [ 'AuditLogs' => [ // REQUIRED 'Enable' => true || false, // REQUIRED ], ], 'MalwareProtection' => [ 'ScanEc2InstanceWithFindings' => [ 'EbsVolumes' => true || false, ], ], 'S3Logs' => [ 'Enable' => true || false, // REQUIRED ], ], 'Enable' => true || false, // REQUIRED 'Features' => [ [ 'AdditionalConfiguration' => [ [ 'Name' => 'EKS_ADDON_MANAGEMENT|ECS_FARGATE_AGENT_MANAGEMENT|EC2_AGENT_MANAGEMENT', 'Status' => 'ENABLED|DISABLED', ], // ... ], 'Name' => 'S3_DATA_EVENTS|EKS_AUDIT_LOGS|EBS_MALWARE_PROTECTION|RDS_LOGIN_EVENTS|EKS_RUNTIME_MONITORING|LAMBDA_NETWORK_LOGS|RUNTIME_MONITORING', 'Status' => 'ENABLED|DISABLED', ], // ... ], 'FindingPublishingFrequency' => 'FIFTEEN_MINUTES|ONE_HOUR|SIX_HOURS', 'Tags' => ['<string>', ...], ]);
Parameter Details
Members
- ClientToken
-
- Type: string
The idempotency token for the create request.
- DataSources
-
- Type: DataSourceConfigurations structure
Describes which data sources will be enabled for the detector.
There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints.
- Enable
-
- Required: Yes
- Type: boolean
A Boolean value that specifies whether the detector is to be enabled.
- Features
-
- Type: Array of DetectorFeatureConfiguration structures
A list of features that will be configured for the detector.
- FindingPublishingFrequency
-
- Type: string
A value that specifies how frequently updated findings are exported.
- Tags
-
- Type: Associative array of custom strings keys (TagKey) to strings
The tags to be added to a new detector resource.
Result Syntax
[ 'DetectorId' => '<string>', 'UnprocessedDataSources' => [ 'MalwareProtection' => [ 'ScanEc2InstanceWithFindings' => [ 'EbsVolumes' => [ 'Reason' => '<string>', 'Status' => 'ENABLED|DISABLED', ], ], 'ServiceRole' => '<string>', ], ], ]
Result Details
Members
- DetectorId
-
- Type: string
The unique ID of the created detector.
- UnprocessedDataSources
-
- Type: UnprocessedDataSourcesResult structure
Specifies the data sources that couldn't be enabled when GuardDuty was enabled for the first time.
Errors
- BadRequestException:
A bad request exception object.
- InternalServerErrorException:
An internal server error exception object.
CreateFilter
$result = $client->createFilter
([/* ... */]); $promise = $client->createFilterAsync
([/* ... */]);
Creates a filter using the specified finding criteria. The maximum number of saved filters per Amazon Web Services account per Region is 100. For more information, see Quotas for GuardDuty.
Parameter Syntax
$result = $client->createFilter([ 'Action' => 'NOOP|ARCHIVE', 'ClientToken' => '<string>', 'Description' => '<string>', 'DetectorId' => '<string>', // REQUIRED 'FindingCriteria' => [ // REQUIRED 'Criterion' => [ '<String>' => [ 'Eq' => ['<string>', ...], 'Equals' => ['<string>', ...], 'GreaterThan' => <integer>, 'GreaterThanOrEqual' => <integer>, 'Gt' => <integer>, 'Gte' => <integer>, 'LessThan' => <integer>, 'LessThanOrEqual' => <integer>, 'Lt' => <integer>, 'Lte' => <integer>, 'Neq' => ['<string>', ...], 'NotEquals' => ['<string>', ...], ], // ... ], ], 'Name' => '<string>', // REQUIRED 'Rank' => <integer>, 'Tags' => ['<string>', ...], ]);
Parameter Details
Members
- Action
-
- Type: string
Specifies the action that is to be applied to the findings that match the filter.
- ClientToken
-
- Type: string
The idempotency token for the create request.
- Description
-
- Type: string
The description of the filter. Valid characters include alphanumeric characters, and special characters such as hyphen, period, colon, underscore, parentheses (
{ }
,[ ]
, and( )
), forward slash, horizontal tab, vertical tab, newline, form feed, return, and whitespace. - DetectorId
-
- Required: Yes
- Type: string
The detector ID associated with the GuardDuty account for which you want to create a filter.
To find the
detectorId
in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API. - FindingCriteria
-
- Required: Yes
- Type: FindingCriteria structure
Represents the criteria to be used in the filter for querying findings.
You can only use the following attributes to query findings:
-
accountId
-
id
-
region
-
severity
To filter on the basis of severity, the API and CLI use the following input list for the FindingCriteria condition:
-
Low:
["1", "2", "3"]
-
Medium:
["4", "5", "6"]
-
High:
["7", "8"]
-
Critical:
["9", "10"]
For more information, see Findings severity levels in the Amazon GuardDuty User Guide.
-
-
type
-
updatedAt
Type: ISO 8601 string format: YYYY-MM-DDTHH:MM:SS.SSSZ or YYYY-MM-DDTHH:MM:SSZ depending on whether the value contains milliseconds.
-
resource.accessKeyDetails.accessKeyId
-
resource.accessKeyDetails.principalId
-
resource.accessKeyDetails.userName
-
resource.accessKeyDetails.userType
-
resource.instanceDetails.iamInstanceProfile.id
-
resource.instanceDetails.imageId
-
resource.instanceDetails.instanceId
-
resource.instanceDetails.tags.key
-
resource.instanceDetails.tags.value
-
resource.instanceDetails.networkInterfaces.ipv6Addresses
-
resource.instanceDetails.networkInterfaces.privateIpAddresses.privateIpAddress
-
resource.instanceDetails.networkInterfaces.publicDnsName
-
resource.instanceDetails.networkInterfaces.publicIp
-
resource.instanceDetails.networkInterfaces.securityGroups.groupId
-
resource.instanceDetails.networkInterfaces.securityGroups.groupName
-
resource.instanceDetails.networkInterfaces.subnetId
-
resource.instanceDetails.networkInterfaces.vpcId
-
resource.instanceDetails.outpostArn
-
resource.resourceType
-
resource.s3BucketDetails.publicAccess.effectivePermissions
-
resource.s3BucketDetails.name
-
resource.s3BucketDetails.tags.key
-
resource.s3BucketDetails.tags.value
-
resource.s3BucketDetails.type
-
service.action.actionType
-
service.action.awsApiCallAction.api
-
service.action.awsApiCallAction.callerType
-
service.action.awsApiCallAction.errorCode
-
service.action.awsApiCallAction.remoteIpDetails.city.cityName
-
service.action.awsApiCallAction.remoteIpDetails.country.countryName
-
service.action.awsApiCallAction.remoteIpDetails.ipAddressV4
-
service.action.awsApiCallAction.remoteIpDetails.ipAddressV6
-
service.action.awsApiCallAction.remoteIpDetails.organization.asn
-
service.action.awsApiCallAction.remoteIpDetails.organization.asnOrg
-
service.action.awsApiCallAction.serviceName
-
service.action.dnsRequestAction.domain
-
service.action.dnsRequestAction.domainWithSuffix
-
service.action.networkConnectionAction.blocked
-
service.action.networkConnectionAction.connectionDirection
-
service.action.networkConnectionAction.localPortDetails.port
-
service.action.networkConnectionAction.protocol
-
service.action.networkConnectionAction.remoteIpDetails.city.cityName
-
service.action.networkConnectionAction.remoteIpDetails.country.countryName
-
service.action.networkConnectionAction.remoteIpDetails.ipAddressV4
-
service.action.networkConnectionAction.remoteIpDetails.ipAddressV6
-
service.action.networkConnectionAction.remoteIpDetails.organization.asn
-
service.action.networkConnectionAction.remoteIpDetails.organization.asnOrg
-
service.action.networkConnectionAction.remotePortDetails.port
-
service.action.awsApiCallAction.remoteAccountDetails.affiliated
-
service.action.kubernetesApiCallAction.remoteIpDetails.ipAddressV4
-
service.action.kubernetesApiCallAction.remoteIpDetails.ipAddressV6
-
service.action.kubernetesApiCallAction.namespace
-
service.action.kubernetesApiCallAction.remoteIpDetails.organization.asn
-
service.action.kubernetesApiCallAction.requestUri
-
service.action.kubernetesApiCallAction.statusCode
-
service.action.networkConnectionAction.localIpDetails.ipAddressV4
-
service.action.networkConnectionAction.localIpDetails.ipAddressV6
-
service.action.networkConnectionAction.protocol
-
service.action.awsApiCallAction.serviceName
-
service.action.awsApiCallAction.remoteAccountDetails.accountId
-
service.additionalInfo.threatListName
-
service.resourceRole
-
resource.eksClusterDetails.name
-
resource.kubernetesDetails.kubernetesWorkloadDetails.name
-
resource.kubernetesDetails.kubernetesWorkloadDetails.namespace
-
resource.kubernetesDetails.kubernetesUserDetails.username
-
resource.kubernetesDetails.kubernetesWorkloadDetails.containers.image
-
resource.kubernetesDetails.kubernetesWorkloadDetails.containers.imagePrefix
-
service.ebsVolumeScanDetails.scanId
-
service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.name
-
service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.severity
-
service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.filePaths.hash
-
resource.ecsClusterDetails.name
-
resource.ecsClusterDetails.taskDetails.containers.image
-
resource.ecsClusterDetails.taskDetails.definitionArn
-
resource.containerDetails.image
-
resource.rdsDbInstanceDetails.dbInstanceIdentifier
-
resource.rdsDbInstanceDetails.dbClusterIdentifier
-
resource.rdsDbInstanceDetails.engine
-
resource.rdsDbUserDetails.user
-
resource.rdsDbInstanceDetails.tags.key
-
resource.rdsDbInstanceDetails.tags.value
-
service.runtimeDetails.process.executableSha256
-
service.runtimeDetails.process.name
-
service.runtimeDetails.process.name
-
resource.lambdaDetails.functionName
-
resource.lambdaDetails.functionArn
-
resource.lambdaDetails.tags.key
-
resource.lambdaDetails.tags.value
- Name
-
- Required: Yes
- Type: string
The name of the filter. Valid characters include period (.), underscore (_), dash (-), and alphanumeric characters. A whitespace is considered to be an invalid character.
- Rank
-
- Type: int
Specifies the position of the filter in the list of current filters. Also specifies the order in which this filter is applied to the findings.
- Tags
-
- Type: Associative array of custom strings keys (TagKey) to strings
The tags to be added to a new filter resource.
Result Syntax
[ 'Name' => '<string>', ]
Result Details
Members
- Name
-
- Required: Yes
- Type: string
The name of the successfully created filter.
Errors
- BadRequestException:
A bad request exception object.
- InternalServerErrorException:
An internal server error exception object.
CreateIPSet
$result = $client->createIPSet
([/* ... */]); $promise = $client->createIPSetAsync
([/* ... */]);
Creates a new IPSet, which is called a trusted IP list in the console user interface. An IPSet is a list of IP addresses that are trusted for secure communication with Amazon Web Services infrastructure and applications. GuardDuty doesn't generate findings for IP addresses that are included in IPSets. Only users from the administrator account can use this operation.
Parameter Syntax
$result = $client->createIPSet([ 'Activate' => true || false, // REQUIRED 'ClientToken' => '<string>', 'DetectorId' => '<string>', // REQUIRED 'Format' => 'TXT|STIX|OTX_CSV|ALIEN_VAULT|PROOF_POINT|FIRE_EYE', // REQUIRED 'Location' => '<string>', // REQUIRED 'Name' => '<string>', // REQUIRED 'Tags' => ['<string>', ...], ]);
Parameter Details
Members
- Activate
-
- Required: Yes
- Type: boolean
A Boolean value that indicates whether GuardDuty is to start using the uploaded IPSet.
- ClientToken
-
- Type: string
The idempotency token for the create request.
- DetectorId
-
- Required: Yes
- Type: string
The unique ID of the detector of the GuardDuty account for which you want to create an IPSet.
To find the
detectorId
in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API. - Format
-
- Required: Yes
- Type: string
The format of the file that contains the IPSet.
- Location
-
- Required: Yes
- Type: string
The URI of the file that contains the IPSet.
- Name
-
- Required: Yes
- Type: string
The user-friendly name to identify the IPSet.
Allowed characters are alphanumeric, whitespace, dash (-), and underscores (_).
- Tags
-
- Type: Associative array of custom strings keys (TagKey) to strings
The tags to be added to a new IP set resource.
Result Syntax
[ 'IpSetId' => '<string>', ]
Result Details
Members
- IpSetId
-
- Required: Yes
- Type: string
The ID of the IPSet resource.
Errors
- BadRequestException:
A bad request exception object.
- InternalServerErrorException:
An internal server error exception object.
CreateMalwareProtectionPlan
$result = $client->createMalwareProtectionPlan
([/* ... */]); $promise = $client->createMalwareProtectionPlanAsync
([/* ... */]);
Creates a new Malware Protection plan for the protected resource.
When you create a Malware Protection plan, the Amazon Web Services service terms for GuardDuty Malware Protection apply. For more information, see Amazon Web Services service terms for GuardDuty Malware Protection.
Parameter Syntax
$result = $client->createMalwareProtectionPlan([ 'Actions' => [ 'Tagging' => [ 'Status' => 'ENABLED|DISABLED', ], ], 'ClientToken' => '<string>', 'ProtectedResource' => [ // REQUIRED 'S3Bucket' => [ 'BucketName' => '<string>', 'ObjectPrefixes' => ['<string>', ...], ], ], 'Role' => '<string>', // REQUIRED 'Tags' => ['<string>', ...], ]);
Parameter Details
Members
- Actions
-
- Type: MalwareProtectionPlanActions structure
Information about whether the tags will be added to the S3 object after scanning.
- ClientToken
-
- Type: string
The idempotency token for the create request.
- ProtectedResource
-
- Required: Yes
- Type: CreateProtectedResource structure
Information about the protected resource that is associated with the created Malware Protection plan. Presently,
S3Bucket
is the only supported protected resource. - Role
-
- Required: Yes
- Type: string
Amazon Resource Name (ARN) of the IAM role that has the permissions to scan and add tags to the associated protected resource.
- Tags
-
- Type: Associative array of custom strings keys (TagKey) to strings
Tags added to the Malware Protection plan resource.
Result Syntax
[ 'MalwareProtectionPlanId' => '<string>', ]
Result Details
Members
- MalwareProtectionPlanId
-
- Type: string
A unique identifier associated with the Malware Protection plan resource.
Errors
- BadRequestException:
A bad request exception object.
- AccessDeniedException:
An access denied exception object.
- ConflictException:
A request conflict exception object.
- InternalServerErrorException:
An internal server error exception object.
CreateMembers
$result = $client->createMembers
([/* ... */]); $promise = $client->createMembersAsync
([/* ... */]);
Creates member accounts of the current Amazon Web Services account by specifying a list of Amazon Web Services account IDs. This step is a prerequisite for managing the associated member accounts either by invitation or through an organization.
As a delegated administrator, using CreateMembers
will enable GuardDuty in the added member accounts, with the exception of the organization delegated administrator account. A delegated administrator must enable GuardDuty prior to being added as a member.
When you use CreateMembers as an Organizations delegated administrator, GuardDuty applies your organization's auto-enable settings to the member accounts in this request, irrespective of the accounts being new or existing members. For more information about the existing auto-enable settings for your organization, see DescribeOrganizationConfiguration.
If you disassociate a member account that was added by invitation, the member account details obtained from this API, including the associated email addresses, will be retained. This is done so that the delegated administrator can invoke the InviteMembers API without the need to invoke the CreateMembers API again. To remove the details associated with a member account, the delegated administrator must invoke the DeleteMembers API.
When the member accounts added through Organizations are later disassociated, you (administrator) can't invite them by calling the InviteMembers API. You can create an association with these member accounts again only by calling the CreateMembers API.
Parameter Syntax
$result = $client->createMembers([ 'AccountDetails' => [ // REQUIRED [ 'AccountId' => '<string>', // REQUIRED 'Email' => '<string>', // REQUIRED ], // ... ], 'DetectorId' => '<string>', // REQUIRED ]);
Parameter Details
Members
- AccountDetails
-
- Required: Yes
- Type: Array of AccountDetail structures
A list of account ID and email address pairs of the accounts that you want to associate with the GuardDuty administrator account.
- DetectorId
-
- Required: Yes
- Type: string
The unique ID of the detector of the GuardDuty account for which you want to associate member accounts.
To find the
detectorId
in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
Result Syntax
[ 'UnprocessedAccounts' => [ [ 'AccountId' => '<string>', 'Result' => '<string>', ], // ... ], ]
Result Details
Members
- UnprocessedAccounts
-
- Required: Yes
- Type: Array of UnprocessedAccount structures
A list of objects that include the
accountIds
of the unprocessed accounts and a result string that explains why each was unprocessed.
Errors
- BadRequestException:
A bad request exception object.
- InternalServerErrorException:
An internal server error exception object.
CreatePublishingDestination
$result = $client->createPublishingDestination
([/* ... */]); $promise = $client->createPublishingDestinationAsync
([/* ... */]);
Creates a publishing destination where you can export your GuardDuty findings. Before you start exporting the findings, the destination resource must exist.
Parameter Syntax
$result = $client->createPublishingDestination([ 'ClientToken' => '<string>', 'DestinationProperties' => [ // REQUIRED 'DestinationArn' => '<string>', 'KmsKeyArn' => '<string>', ], 'DestinationType' => 'S3', // REQUIRED 'DetectorId' => '<string>', // REQUIRED ]);
Parameter Details
Members
- ClientToken
-
- Type: string
The idempotency token for the request.
- DestinationProperties
-
- Required: Yes
- Type: DestinationProperties structure
The properties of the publishing destination, including the ARNs for the destination and the KMS key used for encryption.
- DestinationType
-
- Required: Yes
- Type: string
The type of resource for the publishing destination. Currently only Amazon S3 buckets are supported.
- DetectorId
-
- Required: Yes
- Type: string
The ID of the GuardDuty detector associated with the publishing destination.
To find the
detectorId
in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
Result Syntax
[ 'DestinationId' => '<string>', ]
Result Details
Members
- DestinationId
-
- Required: Yes
- Type: string
The ID of the publishing destination that is created.
Errors
- BadRequestException:
A bad request exception object.
- InternalServerErrorException:
An internal server error exception object.
CreateSampleFindings
$result = $client->createSampleFindings
([/* ... */]); $promise = $client->createSampleFindingsAsync
([/* ... */]);
Generates sample findings of types specified by the list of finding types. If 'NULL' is specified for findingTypes
, the API generates sample findings of all supported finding types.
Parameter Syntax
$result = $client->createSampleFindings([ 'DetectorId' => '<string>', // REQUIRED 'FindingTypes' => ['<string>', ...], ]);
Parameter Details
Members
- DetectorId
-
- Required: Yes
- Type: string
The ID of the detector for which you need to create sample findings.
To find the
detectorId
in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API. - FindingTypes
-
- Type: Array of strings
The types of sample findings to generate.
Result Syntax
[]
Result Details
Errors
- BadRequestException:
A bad request exception object.
- InternalServerErrorException:
An internal server error exception object.
CreateThreatIntelSet
$result = $client->createThreatIntelSet
([/* ... */]); $promise = $client->createThreatIntelSetAsync
([/* ... */]);
Creates a new ThreatIntelSet. ThreatIntelSets consist of known malicious IP addresses. GuardDuty generates findings based on ThreatIntelSets. Only users of the administrator account can use this operation.
Parameter Syntax
$result = $client->createThreatIntelSet([ 'Activate' => true || false, // REQUIRED 'ClientToken' => '<string>', 'DetectorId' => '<string>', // REQUIRED 'Format' => 'TXT|STIX|OTX_CSV|ALIEN_VAULT|PROOF_POINT|FIRE_EYE', // REQUIRED 'Location' => '<string>', // REQUIRED 'Name' => '<string>', // REQUIRED 'Tags' => ['<string>', ...], ]);
Parameter Details
Members
- Activate
-
- Required: Yes
- Type: boolean
A Boolean value that indicates whether GuardDuty is to start using the uploaded ThreatIntelSet.
- ClientToken
-
- Type: string
The idempotency token for the create request.
- DetectorId
-
- Required: Yes
- Type: string
The unique ID of the detector of the GuardDuty account for which you want to create a
ThreatIntelSet
.To find the
detectorId
in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API. - Format
-
- Required: Yes
- Type: string
The format of the file that contains the ThreatIntelSet.
- Location
-
- Required: Yes
- Type: string
The URI of the file that contains the ThreatIntelSet.
- Name
-
- Required: Yes
- Type: string
A user-friendly ThreatIntelSet name displayed in all findings that are generated by activity that involves IP addresses included in this ThreatIntelSet.
- Tags
-
- Type: Associative array of custom strings keys (TagKey) to strings
The tags to be added to a new threat list resource.
Result Syntax
[ 'ThreatIntelSetId' => '<string>', ]
Result Details
Members
- ThreatIntelSetId
-
- Required: Yes
- Type: string
The ID of the ThreatIntelSet resource.
Errors
- BadRequestException:
A bad request exception object.
- InternalServerErrorException:
An internal server error exception object.
DeclineInvitations
$result = $client->declineInvitations
([/* ... */]); $promise = $client->declineInvitationsAsync
([/* ... */]);
Declines invitations sent to the current member account by Amazon Web Services accounts specified by their account IDs.
Parameter Syntax
$result = $client->declineInvitations([ 'AccountIds' => ['<string>', ...], // REQUIRED ]);
Parameter Details
Members
- AccountIds
-
- Required: Yes
- Type: Array of strings
A list of account IDs of the Amazon Web Services accounts that sent invitations to the current member account that you want to decline invitations from.
Result Syntax
[ 'UnprocessedAccounts' => [ [ 'AccountId' => '<string>', 'Result' => '<string>', ], // ... ], ]
Result Details
Members
- UnprocessedAccounts
-
- Required: Yes
- Type: Array of UnprocessedAccount structures
A list of objects that contain the unprocessed account and a result string that explains why it was unprocessed.
Errors
- BadRequestException:
A bad request exception object.
- InternalServerErrorException:
An internal server error exception object.
DeleteDetector
$result = $client->deleteDetector
([/* ... */]); $promise = $client->deleteDetectorAsync
([/* ... */]);
Deletes an Amazon GuardDuty detector that is specified by the detector ID.
Parameter Syntax
$result = $client->deleteDetector([ 'DetectorId' => '<string>', // REQUIRED ]);
Parameter Details
Members
- DetectorId
-
- Required: Yes
- Type: string
The unique ID of the detector that you want to delete.
To find the
detectorId
in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
Result Syntax
[]
Result Details
Errors
- BadRequestException:
A bad request exception object.
- InternalServerErrorException:
An internal server error exception object.
DeleteFilter
$result = $client->deleteFilter
([/* ... */]); $promise = $client->deleteFilterAsync
([/* ... */]);
Deletes the filter specified by the filter name.
Parameter Syntax
$result = $client->deleteFilter([ 'DetectorId' => '<string>', // REQUIRED 'FilterName' => '<string>', // REQUIRED ]);
Parameter Details
Members
- DetectorId
-
- Required: Yes
- Type: string
The unique ID of the detector that is associated with the filter.
To find the
detectorId
in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API. - FilterName
-
- Required: Yes
- Type: string
The name of the filter that you want to delete.
Result Syntax
[]
Result Details
Errors
- BadRequestException:
A bad request exception object.
- InternalServerErrorException:
An internal server error exception object.
DeleteIPSet
$result = $client->deleteIPSet
([/* ... */]); $promise = $client->deleteIPSetAsync
([/* ... */]);
Deletes the IPSet specified by the ipSetId
. IPSets are called trusted IP lists in the console user interface.
Parameter Syntax
$result = $client->deleteIPSet([ 'DetectorId' => '<string>', // REQUIRED 'IpSetId' => '<string>', // REQUIRED ]);
Parameter Details
Members
- DetectorId
-
- Required: Yes
- Type: string
The unique ID of the detector associated with the IPSet.
To find the
detectorId
in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API. - IpSetId
-
- Required: Yes
- Type: string
The unique ID of the IPSet to delete.
Result Syntax
[]
Result Details
Errors
- BadRequestException:
A bad request exception object.
- InternalServerErrorException:
An internal server error exception object.
DeleteInvitations
$result = $client->deleteInvitations
([/* ... */]); $promise = $client->deleteInvitationsAsync
([/* ... */]);
Deletes invitations sent to the current member account by Amazon Web Services accounts specified by their account IDs.
Parameter Syntax
$result = $client->deleteInvitations([ 'AccountIds' => ['<string>', ...], // REQUIRED ]);
Parameter Details
Members
- AccountIds
-
- Required: Yes
- Type: Array of strings
A list of account IDs of the Amazon Web Services accounts that sent invitations to the current member account that you want to delete invitations from.
Result Syntax
[ 'UnprocessedAccounts' => [ [ 'AccountId' => '<string>', 'Result' => '<string>', ], // ... ], ]
Result Details
Members
- UnprocessedAccounts
-
- Required: Yes
- Type: Array of UnprocessedAccount structures
A list of objects that contain the unprocessed account and a result string that explains why it was unprocessed.
Errors
- BadRequestException:
A bad request exception object.
- InternalServerErrorException:
An internal server error exception object.
DeleteMalwareProtectionPlan
$result = $client->deleteMalwareProtectionPlan
([/* ... */]); $promise = $client->deleteMalwareProtectionPlanAsync
([/* ... */]);
Deletes the Malware Protection plan ID associated with the Malware Protection plan resource. Use this API only when you no longer want to protect the resource associated with this Malware Protection plan ID.
Parameter Syntax
$result = $client->deleteMalwareProtectionPlan([ 'MalwareProtectionPlanId' => '<string>', // REQUIRED ]);
Parameter Details
Members
- MalwareProtectionPlanId
-
- Required: Yes
- Type: string
A unique identifier associated with Malware Protection plan resource.
Result Syntax
[]
Result Details
Errors
- BadRequestException:
A bad request exception object.
- AccessDeniedException:
An access denied exception object.
- InternalServerErrorException:
An internal server error exception object.
- ResourceNotFoundException:
The requested resource can't be found.
DeleteMembers
$result = $client->deleteMembers
([/* ... */]); $promise = $client->deleteMembersAsync
([/* ... */]);
Deletes GuardDuty member accounts (to the current GuardDuty administrator account) specified by the account IDs.
With autoEnableOrganizationMembers
configuration for your organization set to ALL
, you'll receive an error if you attempt to disable GuardDuty for a member account in your organization.
Parameter Syntax
$result = $client->deleteMembers([ 'AccountIds' => ['<string>', ...], // REQUIRED 'DetectorId' => '<string>', // REQUIRED ]);
Parameter Details
Members
- AccountIds
-
- Required: Yes
- Type: Array of strings
A list of account IDs of the GuardDuty member accounts that you want to delete.
- DetectorId
-
- Required: Yes
- Type: string
The unique ID of the detector of the GuardDuty account whose members you want to delete.
To find the
detectorId
in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
Result Syntax
[ 'UnprocessedAccounts' => [ [ 'AccountId' => '<string>', 'Result' => '<string>', ], // ... ], ]
Result Details
Members
- UnprocessedAccounts
-
- Required: Yes
- Type: Array of UnprocessedAccount structures
The accounts that could not be processed.
Errors
- BadRequestException:
A bad request exception object.
- InternalServerErrorException:
An internal server error exception object.
DeletePublishingDestination
$result = $client->deletePublishingDestination
([/* ... */]); $promise = $client->deletePublishingDestinationAsync
([/* ... */]);
Deletes the publishing definition with the specified destinationId
.
Parameter Syntax
$result = $client->deletePublishingDestination([ 'DestinationId' => '<string>', // REQUIRED 'DetectorId' => '<string>', // REQUIRED ]);
Parameter Details
Members
- DestinationId
-
- Required: Yes
- Type: string
The ID of the publishing destination to delete.
- DetectorId
-
- Required: Yes
- Type: string
The unique ID of the detector associated with the publishing destination to delete.
To find the
detectorId
in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
Result Syntax
[]
Result Details
Errors
- BadRequestException:
A bad request exception object.
- InternalServerErrorException:
An internal server error exception object.
DeleteThreatIntelSet
$result = $client->deleteThreatIntelSet
([/* ... */]); $promise = $client->deleteThreatIntelSetAsync
([/* ... */]);
Deletes the ThreatIntelSet specified by the ThreatIntelSet ID.
Parameter Syntax
$result = $client->deleteThreatIntelSet([ 'DetectorId' => '<string>', // REQUIRED 'ThreatIntelSetId' => '<string>', // REQUIRED ]);
Parameter Details
Members
- DetectorId
-
- Required: Yes
- Type: string
The unique ID of the detector that is associated with the threatIntelSet.
To find the
detectorId
in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API. - ThreatIntelSetId
-
- Required: Yes
- Type: string
The unique ID of the threatIntelSet that you want to delete.
Result Syntax
[]
Result Details
Errors
- BadRequestException:
A bad request exception object.
- InternalServerErrorException:
An internal server error exception object.
DescribeMalwareScans
$result = $client->describeMalwareScans
([/* ... */]); $promise = $client->describeMalwareScansAsync
([/* ... */]);
Returns a list of malware scans. Each member account can view the malware scans for their own accounts. An administrator can view the malware scans for all the member accounts.
There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints.
Parameter Syntax
$result = $client->describeMalwareScans([ 'DetectorId' => '<string>', // REQUIRED 'FilterCriteria' => [ 'FilterCriterion' => [ [ 'CriterionKey' => 'EC2_INSTANCE_ARN|SCAN_ID|ACCOUNT_ID|GUARDDUTY_FINDING_ID|SCAN_START_TIME|SCAN_STATUS|SCAN_TYPE', 'FilterCondition' => [ 'EqualsValue' => '<string>', 'GreaterThan' => <integer>, 'LessThan' => <integer>, ], ], // ... ], ], 'MaxResults' => <integer>, 'NextToken' => '<string>', 'SortCriteria' => [ 'AttributeName' => '<string>', 'OrderBy' => 'ASC|DESC', ], ]);
Parameter Details
Members
- DetectorId
-
- Required: Yes
- Type: string
The unique ID of the detector that the request is associated with.
To find the
detectorId
in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API. - FilterCriteria
-
- Type: FilterCriteria structure
Represents the criteria to be used in the filter for describing scan entries.
- MaxResults
-
- Type: int
You can use this parameter to indicate the maximum number of items that you want in the response. The default value is 50. The maximum value is 50.
- NextToken
-
- Type: string
You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.
- SortCriteria
-
- Type: SortCriteria structure
Represents the criteria used for sorting scan entries. The
attributeName
is required and it must bescanStartTime
.
Result Syntax
[ 'NextToken' => '<string>', 'Scans' => [ [ 'AccountId' => '<string>', 'AdminDetectorId' => '<string>', 'AttachedVolumes' => [ [ 'DeviceName' => '<string>', 'EncryptionType' => '<string>', 'KmsKeyArn' => '<string>', 'SnapshotArn' => '<string>', 'VolumeArn' => '<string>', 'VolumeSizeInGB' => <integer>, 'VolumeType' => '<string>', ], // ... ], 'DetectorId' => '<string>', 'FailureReason' => '<string>', 'FileCount' => <integer>, 'ResourceDetails' => [ 'InstanceArn' => '<string>', ], 'ScanEndTime' => <DateTime>, 'ScanId' => '<string>', 'ScanResultDetails' => [ 'ScanResult' => 'CLEAN|INFECTED', ], 'ScanStartTime' => <DateTime>, 'ScanStatus' => 'RUNNING|COMPLETED|FAILED|SKIPPED', 'ScanType' => 'GUARDDUTY_INITIATED|ON_DEMAND', 'TotalBytes' => <integer>, 'TriggerDetails' => [ 'Description' => '<string>', 'GuardDutyFindingId' => '<string>', ], ], // ... ], ]
Result Details
Members
- NextToken
-
- Type: string
The pagination parameter to be used on the next list operation to retrieve more items.
- Scans
-
- Required: Yes
- Type: Array of Scan structures
Contains information about malware scans associated with GuardDuty Malware Protection for EC2.
Errors
- BadRequestException:
A bad request exception object.
- InternalServerErrorException:
An internal server error exception object.
DescribeOrganizationConfiguration
$result = $client->describeOrganizationConfiguration
([/* ... */]); $promise = $client->describeOrganizationConfigurationAsync
([/* ... */]);
Returns information about the account selected as the delegated administrator for GuardDuty.
There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints.
Parameter Syntax
$result = $client->describeOrganizationConfiguration([ 'DetectorId' => '<string>', // REQUIRED 'MaxResults' => <integer>, 'NextToken' => '<string>', ]);
Parameter Details
Members
- DetectorId
-
- Required: Yes
- Type: string
The detector ID of the delegated administrator for which you need to retrieve the information.
To find the
detectorId
in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API. - MaxResults
-
- Type: int
You can use this parameter to indicate the maximum number of items that you want in the response.
- NextToken
-
- Type: string
You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill
nextToken
in the request with the value ofNextToken
from the previous response to continue listing data.
Result Syntax
[ 'AutoEnable' => true || false, 'AutoEnableOrganizationMembers' => 'NEW|ALL|NONE', 'DataSources' => [ 'Kubernetes' => [ 'AuditLogs' => [ 'AutoEnable' => true || false, ], ], 'MalwareProtection' => [ 'ScanEc2InstanceWithFindings' => [ 'EbsVolumes' => [ 'AutoEnable' => true || false, ], ], ], 'S3Logs' => [ 'AutoEnable' => true || false, ], ], 'Features' => [ [ 'AdditionalConfiguration' => [ [ 'AutoEnable' => 'NEW|NONE|ALL', 'Name' => 'EKS_ADDON_MANAGEMENT|ECS_FARGATE_AGENT_MANAGEMENT|EC2_AGENT_MANAGEMENT', ], // ... ], 'AutoEnable' => 'NEW|NONE|ALL', 'Name' => 'S3_DATA_EVENTS|EKS_AUDIT_LOGS|EBS_MALWARE_PROTECTION|RDS_LOGIN_EVENTS|EKS_RUNTIME_MONITORING|LAMBDA_NETWORK_LOGS|RUNTIME_MONITORING', ], // ... ], 'MemberAccountLimitReached' => true || false, 'NextToken' => '<string>', ]
Result Details
Members
- AutoEnable
-
- Type: boolean
Indicates whether GuardDuty is automatically enabled for accounts added to the organization.
Even though this is still supported, we recommend using
AutoEnableOrganizationMembers
to achieve the similar results. - AutoEnableOrganizationMembers
-
- Type: string
Indicates the auto-enablement configuration of GuardDuty or any of the corresponding protection plans for the member accounts in the organization.
-
NEW
: Indicates that when a new account joins the organization, they will have GuardDuty or any of the corresponding protection plans enabled automatically. -
ALL
: Indicates that all accounts in the organization have GuardDuty and any of the corresponding protection plans enabled automatically. This includesNEW
accounts that join the organization and accounts that may have been suspended or removed from the organization in GuardDuty. -
NONE
: Indicates that GuardDuty or any of the corresponding protection plans will not be automatically enabled for any account in the organization. The administrator must manage GuardDuty for each account in the organization individually.When you update the auto-enable setting from
ALL
orNEW
toNONE
, this action doesn't disable the corresponding option for your existing accounts. This configuration will apply to the new accounts that join the organization. After you update the auto-enable settings, no new account will have the corresponding option as enabled.
- DataSources
-
- Type: OrganizationDataSourceConfigurationsResult structure
Describes which data sources are enabled automatically for member accounts.
- Features
-
- Type: Array of OrganizationFeatureConfigurationResult structures
A list of features that are configured for this organization.
- MemberAccountLimitReached
-
- Required: Yes
- Type: boolean
Indicates whether the maximum number of allowed member accounts are already associated with the delegated administrator account for your organization.
- NextToken
-
- Type: string
The pagination parameter to be used on the next list operation to retrieve more items.
Errors
- BadRequestException:
A bad request exception object.
- InternalServerErrorException:
An internal server error exception object.
DescribePublishingDestination
$result = $client->describePublishingDestination
([/* ... */]); $promise = $client->describePublishingDestinationAsync
([/* ... */]);
Returns information about the publishing destination specified by the provided destinationId
.
Parameter Syntax
$result = $client->describePublishingDestination([ 'DestinationId' => '<string>', // REQUIRED 'DetectorId' => '<string>', // REQUIRED ]);
Parameter Details
Members
- DestinationId
-
- Required: Yes
- Type: string
The ID of the publishing destination to retrieve.
- DetectorId
-
- Required: Yes
- Type: string
The unique ID of the detector associated with the publishing destination to retrieve.
To find the
detectorId
in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
Result Syntax
[ 'DestinationId' => '<string>', 'DestinationProperties' => [ 'DestinationArn' => '<string>', 'KmsKeyArn' => '<string>', ], 'DestinationType' => 'S3', 'PublishingFailureStartTimestamp' => <integer>, 'Status' => 'PENDING_VERIFICATION|PUBLISHING|UNABLE_TO_PUBLISH_FIX_DESTINATION_PROPERTY|STOPPED', ]
Result Details
Members
- DestinationId
-
- Required: Yes
- Type: string
The ID of the publishing destination.
- DestinationProperties
-
- Required: Yes
- Type: DestinationProperties structure
A
DestinationProperties
object that includes theDestinationArn
andKmsKeyArn
of the publishing destination. - DestinationType
-
- Required: Yes
- Type: string
The type of publishing destination. Currently, only Amazon S3 buckets are supported.
- PublishingFailureStartTimestamp
-
- Required: Yes
- Type: long (int|float)
The time, in epoch millisecond format, at which GuardDuty was first unable to publish findings to the destination.
- Status
-
- Required: Yes
- Type: string
The status of the publishing destination.
Errors
- BadRequestException:
A bad request exception object.
- InternalServerErrorException:
An internal server error exception object.
DisableOrganizationAdminAccount
$result = $client->disableOrganizationAdminAccount
([/* ... */]); $promise = $client->disableOrganizationAdminAccountAsync
([/* ... */]);
Removes the existing GuardDuty delegated administrator of the organization. Only the organization's management account can run this API operation.
Parameter Syntax
$result = $client->disableOrganizationAdminAccount([ 'AdminAccountId' => '<string>', // REQUIRED ]);
Parameter Details
Members
- AdminAccountId
-
- Required: Yes
- Type: string
The Amazon Web Services Account ID for the organizations account to be disabled as a GuardDuty delegated administrator.
Result Syntax
[]
Result Details
Errors
- BadRequestException:
A bad request exception object.
- InternalServerErrorException:
An internal server error exception object.
DisassociateFromAdministratorAccount
$result = $client->disassociateFromAdministratorAccount
([/* ... */]); $promise = $client->disassociateFromAdministratorAccountAsync
([/* ... */]);
Disassociates the current GuardDuty member account from its administrator account.
When you disassociate an invited member from a GuardDuty delegated administrator, the member account details obtained from the CreateMembers API, including the associated email addresses, are retained. This is done so that the delegated administrator can invoke the InviteMembers API without the need to invoke the CreateMembers API again. To remove the details associated with a member account, the delegated administrator must invoke the DeleteMembers API.
With autoEnableOrganizationMembers
configuration for your organization set to ALL
, you'll receive an error if you attempt to disable GuardDuty in a member account.
Parameter Syntax
$result = $client->disassociateFromAdministratorAccount([ 'DetectorId' => '<string>', // REQUIRED ]);
Parameter Details
Members
- DetectorId
-
- Required: Yes
- Type: string
The unique ID of the detector of the GuardDuty member account.
Result Syntax
[]
Result Details
Errors
- BadRequestException:
A bad request exception object.
- InternalServerErrorException:
An internal server error exception object.
DisassociateFromMasterAccount
$result = $client->disassociateFromMasterAccount
([/* ... */]); $promise = $client->disassociateFromMasterAccountAsync
([/* ... */]);
Disassociates the current GuardDuty member account from its administrator account.
When you disassociate an invited member from a GuardDuty delegated administrator, the member account details obtained from the CreateMembers API, including the associated email addresses, are retained. This is done so that the delegated administrator can invoke the InviteMembers API without the need to invoke the CreateMembers API again. To remove the details associated with a member account, the delegated administrator must invoke the DeleteMembers API.
Parameter Syntax
$result = $client->disassociateFromMasterAccount([ 'DetectorId' => '<string>', // REQUIRED ]);
Parameter Details
Members
- DetectorId
-
- Required: Yes
- Type: string
The unique ID of the detector of the GuardDuty member account.
Result Syntax
[]
Result Details
Errors
- BadRequestException:
A bad request exception object.
- InternalServerErrorException:
An internal server error exception object.
DisassociateMembers
$result = $client->disassociateMembers
([/* ... */]); $promise = $client->disassociateMembersAsync
([/* ... */]);
Disassociates GuardDuty member accounts (from the current administrator account) specified by the account IDs.
When you disassociate an invited member from a GuardDuty delegated administrator, the member account details obtained from the CreateMembers API, including the associated email addresses, are retained. This is done so that the delegated administrator can invoke the InviteMembers API without the need to invoke the CreateMembers API again. To remove the details associated with a member account, the delegated administrator must invoke the DeleteMembers API.
With autoEnableOrganizationMembers
configuration for your organization set to ALL
, you'll receive an error if you attempt to disassociate a member account before removing them from your organization.
If you disassociate a member account that was added by invitation, the member account details obtained from this API, including the associated email addresses, will be retained. This is done so that the delegated administrator can invoke the InviteMembers API without the need to invoke the CreateMembers API again. To remove the details associated with a member account, the delegated administrator must invoke the DeleteMembers API.
When the member accounts added through Organizations are later disassociated, you (administrator) can't invite them by calling the InviteMembers API. You can create an association with these member accounts again only by calling the CreateMembers API.
Parameter Syntax
$result = $client->disassociateMembers([ 'AccountIds' => ['<string>', ...], // REQUIRED 'DetectorId' => '<string>', // REQUIRED ]);
Parameter Details
Members
- AccountIds
-
- Required: Yes
- Type: Array of strings
A list of account IDs of the GuardDuty member accounts that you want to disassociate from the administrator account.
- DetectorId
-
- Required: Yes
- Type: string
The unique ID of the detector of the GuardDuty account whose members you want to disassociate from the administrator account.
Result Syntax
[ 'UnprocessedAccounts' => [ [ 'AccountId' => '<string>', 'Result' => '<string>', ], // ... ], ]
Result Details
Members
- UnprocessedAccounts
-
- Required: Yes
- Type: Array of UnprocessedAccount structures
A list of objects that contain the unprocessed account and a result string that explains why it was unprocessed.
Errors
- BadRequestException:
A bad request exception object.
- InternalServerErrorException:
An internal server error exception object.
EnableOrganizationAdminAccount
$result = $client->enableOrganizationAdminAccount
([/* ... */]); $promise = $client->enableOrganizationAdminAccountAsync
([/* ... */]);
Designates an Amazon Web Services account within the organization as your GuardDuty delegated administrator. Only the organization's management account can run this API operation.
Parameter Syntax
$result = $client->enableOrganizationAdminAccount([ 'AdminAccountId' => '<string>', // REQUIRED ]);
Parameter Details
Members
- AdminAccountId
-
- Required: Yes
- Type: string
The Amazon Web Services account ID for the organization account to be enabled as a GuardDuty delegated administrator.
Result Syntax
[]
Result Details
Errors
- BadRequestException:
A bad request exception object.
- InternalServerErrorException:
An internal server error exception object.
GetAdministratorAccount
$result = $client->getAdministratorAccount
([/* ... */]); $promise = $client->getAdministratorAccountAsync
([/* ... */]);
Provides the details of the GuardDuty administrator account associated with the current GuardDuty member account.
If the organization's management account or a delegated administrator runs this API, it will return success (HTTP 200
) but no content.
Parameter Syntax
$result = $client->getAdministratorAccount([ 'DetectorId' => '<string>', // REQUIRED ]);
Parameter Details
Members
- DetectorId
-
- Required: Yes
- Type: string
The unique ID of the detector of the GuardDuty member account.
Result Syntax
[ 'Administrator' => [ 'AccountId' => '<string>', 'InvitationId' => '<string>', 'InvitedAt' => '<string>', 'RelationshipStatus' => '<string>', ], ]
Result Details
Members
- Administrator
-
- Required: Yes
- Type: Administrator structure
The administrator account details.
Errors
- BadRequestException:
A bad request exception object.
- InternalServerErrorException:
An internal server error exception object.
GetCoverageStatistics
$result = $client->getCoverageStatistics
([/* ... */]); $promise = $client->getCoverageStatisticsAsync
([/* ... */]);
Retrieves aggregated statistics for your account. If you are a GuardDuty administrator, you can retrieve the statistics for all the resources associated with the active member accounts in your organization who have enabled Runtime Monitoring and have the GuardDuty security agent running on their resources.
Parameter Syntax
$result = $client->getCoverageStatistics([ 'DetectorId' => '<string>', // REQUIRED 'FilterCriteria' => [ 'FilterCriterion' => [ [ 'CriterionKey' => 'ACCOUNT_ID|CLUSTER_NAME|RESOURCE_TYPE|COVERAGE_STATUS|ADDON_VERSION|MANAGEMENT_TYPE|EKS_CLUSTER_NAME|ECS_CLUSTER_NAME|AGENT_VERSION|INSTANCE_ID|CLUSTER_ARN', 'FilterCondition' => [ 'Equals' => ['<string>', ...], 'NotEquals' => ['<string>', ...], ], ], // ... ], ], 'StatisticsType' => ['<string>', ...], // REQUIRED ]);
Parameter Details
Members
- DetectorId
-
- Required: Yes
- Type: string
The unique ID of the GuardDuty detector.
To find the
detectorId
in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API. - FilterCriteria
-
- Type: CoverageFilterCriteria structure
Represents the criteria used to filter the coverage statistics.
- StatisticsType
-
- Required: Yes
- Type: Array of strings
Represents the statistics type used to aggregate the coverage details.
Result Syntax
[ 'CoverageStatistics' => [ 'CountByCoverageStatus' => [<integer>, ...], 'CountByResourceType' => [<integer>, ...], ], ]
Result Details
Members
- CoverageStatistics
-
- Type: CoverageStatistics structure
Represents the count aggregated by the
statusCode
andresourceType
.
Errors
- BadRequestException:
A bad request exception object.
- InternalServerErrorException:
An internal server error exception object.
GetDetector
$result = $client->getDetector
([/* ... */]); $promise = $client->getDetectorAsync
([/* ... */]);
Retrieves a GuardDuty detector specified by the detectorId.
There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints.
Parameter Syntax
$result = $client->getDetector([ 'DetectorId' => '<string>', // REQUIRED ]);
Parameter Details
Members
- DetectorId
-
- Required: Yes
- Type: string
The unique ID of the detector that you want to get.
To find the
detectorId
in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
Result Syntax
[ 'CreatedAt' => '<string>', 'DataSources' => [ 'CloudTrail' => [ 'Status' => 'ENABLED|DISABLED', ], 'DNSLogs' => [ 'Status' => 'ENABLED|DISABLED', ], 'FlowLogs' => [ 'Status' => 'ENABLED|DISABLED', ], 'Kubernetes' => [ 'AuditLogs' => [ 'Status' => 'ENABLED|DISABLED', ], ], 'MalwareProtection' => [ 'ScanEc2InstanceWithFindings' => [ 'EbsVolumes' => [ 'Reason' => '<string>', 'Status' => 'ENABLED|DISABLED', ], ], 'ServiceRole' => '<string>', ], 'S3Logs' => [ 'Status' => 'ENABLED|DISABLED', ], ], 'Features' => [ [ 'AdditionalConfiguration' => [ [ 'Name' => 'EKS_ADDON_MANAGEMENT|ECS_FARGATE_AGENT_MANAGEMENT|EC2_AGENT_MANAGEMENT', 'Status' => 'ENABLED|DISABLED', 'UpdatedAt' => <DateTime>, ], // ... ], 'Name' => 'FLOW_LOGS|CLOUD_TRAIL|DNS_LOGS|S3_DATA_EVENTS|EKS_AUDIT_LOGS|EBS_MALWARE_PROTECTION|RDS_LOGIN_EVENTS|EKS_RUNTIME_MONITORING|LAMBDA_NETWORK_LOGS|RUNTIME_MONITORING', 'Status' => 'ENABLED|DISABLED', 'UpdatedAt' => <DateTime>, ], // ... ], 'FindingPublishingFrequency' => 'FIFTEEN_MINUTES|ONE_HOUR|SIX_HOURS', 'ServiceRole' => '<string>', 'Status' => 'ENABLED|DISABLED', 'Tags' => ['<string>', ...], 'UpdatedAt' => '<string>', ]
Result Details
Members
- CreatedAt
-
- Type: string
The timestamp of when the detector was created.
- DataSources
-
- Type: DataSourceConfigurationsResult structure
Describes which data sources are enabled for the detector.
- Features
-
- Type: Array of DetectorFeatureConfigurationResult structures
Describes the features that have been enabled for the detector.
- FindingPublishingFrequency
-
- Type: string
The publishing frequency of the finding.
- ServiceRole
-
- Required: Yes
- Type: string
The GuardDuty service role.
- Status
-
- Required: Yes
- Type: string
The detector status.
- Tags
-
- Type: Associative array of custom strings keys (TagKey) to strings
The tags of the detector resource.
- UpdatedAt
-
- Type: string
The last-updated timestamp for the detector.
Errors
- BadRequestException:
A bad request exception object.
- InternalServerErrorException:
An internal server error exception object.
GetFilter
$result = $client->getFilter
([/* ... */]); $promise = $client->getFilterAsync
([/* ... */]);
Returns the details of the filter specified by the filter name.
Parameter Syntax
$result = $client->getFilter([ 'DetectorId' => '<string>', // REQUIRED 'FilterName' => '<string>', // REQUIRED ]);
Parameter Details
Members
- DetectorId
-
- Required: Yes
- Type: string
The unique ID of the detector that is associated with this filter.
To find the
detectorId
in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API. - FilterName
-
- Required: Yes
- Type: string
The name of the filter you want to get.
Result Syntax
[ 'Action' => 'NOOP|ARCHIVE', 'Description' => '<string>', 'FindingCriteria' => [ 'Criterion' => [ '<String>' => [ 'Eq' => ['<string>', ...], 'Equals' => ['<string>', ...], 'GreaterThan' => <integer>, 'GreaterThanOrEqual' => <integer>, 'Gt' => <integer>, 'Gte' => <integer>, 'LessThan' => <integer>, 'LessThanOrEqual' => <integer>, 'Lt' => <integer>, 'Lte' => <integer>, 'Neq' => ['<string>', ...], 'NotEquals' => ['<string>', ...], ], // ... ], ], 'Name' => '<string>', 'Rank' => <integer>, 'Tags' => ['<string>', ...], ]
Result Details
Members
- Action
-
- Required: Yes
- Type: string
Specifies the action that is to be applied to the findings that match the filter.
- Description
-
- Type: string
The description of the filter.
- FindingCriteria
-
- Required: Yes
- Type: FindingCriteria structure
Represents the criteria to be used in the filter for querying findings.
- Name
-
- Required: Yes
- Type: string
The name of the filter.
- Rank
-
- Type: int
Specifies the position of the filter in the list of current filters. Also specifies the order in which this filter is applied to the findings.
- Tags
-
- Type: Associative array of custom strings keys (TagKey) to strings
The tags of the filter resource.
Errors
- BadRequestException:
A bad request exception object.
- InternalServerErrorException:
An internal server error exception object.
GetFindings
$result = $client->getFindings
([/* ... */]); $promise = $client->getFindingsAsync
([/* ... */]);
Describes Amazon GuardDuty findings specified by finding IDs.
Parameter Syntax
$result = $client->getFindings([ 'DetectorId' => '<string>', // REQUIRED 'FindingIds' => ['<string>', ...], // REQUIRED 'SortCriteria' => [ 'AttributeName' => '<string>', 'OrderBy' => 'ASC|DESC', ], ]);
Parameter Details
Members
- DetectorId
-
- Required: Yes
- Type: string
The ID of the detector that specifies the GuardDuty service whose findings you want to retrieve.
To find the
detectorId
in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API. - FindingIds
-
- Required: Yes
- Type: Array of strings
The IDs of the findings that you want to retrieve.
- SortCriteria
-
- Type: SortCriteria structure
Represents the criteria used for sorting findings.
Result Syntax
[ 'Findings' => [ [ 'AccountId' => '<string>', 'Arn' => '<string>', 'AssociatedAttackSequenceArn' => '<string>', 'Confidence' => <float>, 'CreatedAt' => '<string>', 'Description' => '<string>', 'Id' => '<string>', 'Partition' => '<string>', 'Region' => '<string>', 'Resource' => [ 'AccessKeyDetails' => [ 'AccessKeyId' => '<string>', 'PrincipalId' => '<string>', 'UserName' => '<string>', 'UserType' => '<string>', ], 'ContainerDetails' => [ 'ContainerRuntime' => '<string>', 'Id' => '<string>', 'Image' => '<string>', 'ImagePrefix' => '<string>', 'Name' => '<string>', 'SecurityContext' => [ 'AllowPrivilegeEscalation' => true || false, 'Privileged' => true || false, ], 'VolumeMounts' => [ [ 'MountPath' => '<string>', 'Name' => '<string>', ], // ... ], ], 'EbsVolumeDetails' => [ 'ScannedVolumeDetails' => [ [ 'DeviceName' => '<string>', 'EncryptionType' => '<string>', 'KmsKeyArn' => '<string>', 'SnapshotArn' => '<string>', 'VolumeArn' => '<string>', 'VolumeSizeInGB' => <integer>, 'VolumeType' => '<string>', ], // ... ], 'SkippedVolumeDetails' => [ [ 'DeviceName' => '<string>', 'EncryptionType' => '<string>', 'KmsKeyArn' => '<string>', 'SnapshotArn' => '<string>', 'VolumeArn' => '<string>', 'VolumeSizeInGB' => <integer>, 'VolumeType' => '<string>', ], // ... ], ], 'EcsClusterDetails' => [ 'ActiveServicesCount' => <integer>, 'Arn' => '<string>', 'Name' => '<string>', 'RegisteredContainerInstancesCount' => <integer>, 'RunningTasksCount' => <integer>, 'Status' => '<string>', 'Tags' => [ [ 'Key' => '<string>', 'Value' => '<string>', ], // ... ], 'TaskDetails' => [ 'Arn' => '<string>', 'Containers' => [ [ 'ContainerRuntime' => '<string>', 'Id' => '<string>', 'Image' => '<string>', 'ImagePrefix' => '<string>', 'Name' => '<string>', 'SecurityContext' => [ 'AllowPrivilegeEscalation' => true || false, 'Privileged' => true || false, ], 'VolumeMounts' => [ [ 'MountPath' => '<string>', 'Name' => '<string>', ], // ... ], ], // ... ], 'DefinitionArn' => '<string>', 'Group' => '<string>', 'LaunchType' => '<string>', 'StartedAt' => <DateTime>, 'StartedBy' => '<string>', 'Tags' => [ [ 'Key' => '<string>', 'Value' => '<string>', ], // ... ], 'TaskCreatedAt' => <DateTime>, 'Version' => '<string>', 'Volumes' => [ [ 'HostPath' => [ 'Path' => '<string>', ], 'Name' => '<string>', ], // ... ], ], ], 'EksClusterDetails' => [ 'Arn' => '<string>', 'CreatedAt' => <DateTime>, 'Name' => '<string>', 'Status' => '<string>', 'Tags' => [ [ 'Key' => '<string>', 'Value' => '<string>', ], // ... ], 'VpcId' => '<string>', ], 'InstanceDetails' => [ 'AvailabilityZone' => '<string>', 'IamInstanceProfile' => [ 'Arn' => '<string>', 'Id' => '<string>', ], 'ImageDescription' => '<string>', 'ImageId' => '<string>', 'InstanceId' => '<string>', 'InstanceState' => '<string>', 'InstanceType' => '<string>', 'LaunchTime' => '<string>', 'NetworkInterfaces' => [ [ 'Ipv6Addresses' => ['<string>', ...], 'NetworkInterfaceId' => '<string>', 'PrivateDnsName' => '<string>', 'PrivateIpAddress' => '<string>', 'PrivateIpAddresses' => [ [ 'PrivateDnsName' => '<string>', 'PrivateIpAddress' => '<string>', ], // ... ], 'PublicDnsName' => '<string>', 'PublicIp' => '<string>', 'SecurityGroups' => [ [ 'GroupId' => '<string>', 'GroupName' => '<string>', ], // ... ], 'SubnetId' => '<string>', 'VpcId' => '<string>', ], // ... ], 'OutpostArn' => '<string>', 'Platform' => '<string>', 'ProductCodes' => [ [ 'Code' => '<string>', 'ProductType' => '<string>', ], // ... ], 'Tags' => [ [ 'Key' => '<string>', 'Value' => '<string>', ], // ... ], ], 'KubernetesDetails' => [ 'KubernetesUserDetails' => [ 'Groups' => ['<string>', ...], 'ImpersonatedUser' => [ 'Groups' => ['<string>', ...], 'Username' => '<string>', ], 'SessionName' => ['<string>', ...], 'Uid' => '<string>', 'Username' => '<string>', ], 'KubernetesWorkloadDetails' => [ 'Containers' => [ [ 'ContainerRuntime' => '<string>', 'Id' => '<string>', 'Image' => '<string>', 'ImagePrefix' => '<string>', 'Name' => '<string>', 'SecurityContext' => [ 'AllowPrivilegeEscalation' => true || false, 'Privileged' => true || false, ], 'VolumeMounts' => [ [ 'MountPath' => '<string>', 'Name' => '<string>', ], // ... ], ], // ... ], 'HostIPC' => true || false, 'HostNetwork' => true || false, 'HostPID' => true || false, 'Name' => '<string>', 'Namespace' => '<string>', 'ServiceAccountName' => '<string>', 'Type' => '<string>', 'Uid' => '<string>', 'Volumes' => [ [ 'HostPath' => [ 'Path' => '<string>', ], 'Name' => '<string>', ], // ... ], ], ], 'LambdaDetails' => [ 'Description' => '<string>', 'FunctionArn' => '<string>', 'FunctionName' => '<string>', 'FunctionVersion' => '<string>', 'LastModifiedAt' => <DateTime>, 'RevisionId' => '<string>', 'Role' => '<string>', 'Tags' => [ [ 'Key' => '<string>', 'Value' => '<string>', ], // ... ], 'VpcConfig' => [ 'SecurityGroups' => [ [ 'GroupId' => '<string>', 'GroupName' => '<string>', ], // ... ], 'SubnetIds' => ['<string>', ...], 'VpcId' => '<string>', ], ], 'RdsDbInstanceDetails' => [ 'DbClusterIdentifier' => '<string>', 'DbInstanceArn' => '<string>', 'DbInstanceIdentifier' => '<string>', 'Engine' => '<string>', 'EngineVersion' => '<string>', 'Tags' => [ [ 'Key' => '<string>', 'Value' => '<string>', ], // ... ], ], 'RdsDbUserDetails' => [ 'Application' => '<string>', 'AuthMethod' => '<string>', 'Database' => '<string>', 'Ssl' => '<string>', 'User' => '<string>', ], 'RdsLimitlessDbDetails' => [ 'DbClusterIdentifier' => '<string>', 'DbShardGroupArn' => '<string>', 'DbShardGroupIdentifier' => '<string>', 'DbShardGroupResourceId' => '<string>', 'Engine' => '<string>', 'EngineVersion' => '<string>', 'Tags' => [ [ 'Key' => '<string>', 'Value' => '<string>', ], // ... ], ], 'ResourceType' => '<string>', 'S3BucketDetails' => [ [ 'Arn' => '<string>', 'CreatedAt' => <DateTime>, 'DefaultServerSideEncryption' => [ 'EncryptionType' => '<string>', 'KmsMasterKeyArn' => '<string>', ], 'Name' => '<string>', 'Owner' => [ 'Id' => '<string>', ], 'PublicAccess' => [ 'EffectivePermission' => '<string>', 'PermissionConfiguration' => [ 'AccountLevelPermissions' => [ 'BlockPublicAccess' => [ 'BlockPublicAcls' => true || false, 'BlockPublicPolicy' => true || false, 'IgnorePublicAcls' => true || false, 'RestrictPublicBuckets' => true || false, ], ], 'BucketLevelPermissions' => [ 'AccessControlList' => [ 'AllowsPublicReadAccess' => true || false, 'AllowsPublicWriteAccess' => true || false, ], 'BlockPublicAccess' => [ 'BlockPublicAcls' => true || false, 'BlockPublicPolicy' => true || false, 'IgnorePublicAcls' => true || false, 'RestrictPublicBuckets' => true || false, ], 'BucketPolicy' => [ 'AllowsPublicReadAccess' => true || false, 'AllowsPublicWriteAccess' => true || false, ], ], ], ], 'S3ObjectDetails' => [ [ 'ETag' => '<string>', 'Hash' => '<string>', 'Key' => '<string>', 'ObjectArn' => '<string>', 'VersionId' => '<string>', ], // ... ], 'Tags' => [ [ 'Key' => '<string>', 'Value' => '<string>', ], // ... ], 'Type' => '<string>', ], // ... ], ], 'SchemaVersion' => '<string>', 'Service' => [ 'Action' => [ 'ActionType' => '<string>', 'AwsApiCallAction' => [ 'AffectedResources' => ['<string>', ...], 'Api' => '<string>', 'CallerType' => '<string>', 'DomainDetails' => [ 'Domain' => '<string>', ], 'ErrorCode' => '<string>', 'RemoteAccountDetails' => [ 'AccountId' => '<string>', 'Affiliated' => true || false, ], 'RemoteIpDetails' => [ 'City' => [ 'CityName' => '<string>', ], 'Country' => [ 'CountryCode' => '<string>', 'CountryName' => '<string>', ], 'GeoLocation' => [ 'Lat' => <float>, 'Lon' => <float>, ], 'IpAddressV4' => '<string>', 'IpAddressV6' => '<string>', 'Organization' => [ 'Asn' => '<string>', 'AsnOrg' => '<string>', 'Isp' => '<string>', 'Org' => '<string>', ], ], 'ServiceName' => '<string>', 'UserAgent' => '<string>', ], 'DnsRequestAction' => [ 'Blocked' => true || false, 'Domain' => '<string>', 'DomainWithSuffix' => '<string>', 'Protocol' => '<string>', ], 'KubernetesApiCallAction' => [ 'Namespace' => '<string>', 'Parameters' => '<string>', 'RemoteIpDetails' => [ 'City' => [ 'CityName' => '<string>', ], 'Country' => [ 'CountryCode' => '<string>', 'CountryName' => '<string>', ], 'GeoLocation' => [ 'Lat' => <float>, 'Lon' => <float>, ], 'IpAddressV4' => '<string>', 'IpAddressV6' => '<string>', 'Organization' => [ 'Asn' => '<string>', 'AsnOrg' => '<string>', 'Isp' => '<string>', 'Org' => '<string>', ], ], 'RequestUri' => '<string>', 'Resource' => '<string>', 'ResourceName' => '<string>', 'SourceIps' => ['<string>', ...], 'StatusCode' => <integer>, 'Subresource' => '<string>', 'UserAgent' => '<string>', 'Verb' => '<string>', ], 'KubernetesPermissionCheckedDetails' => [ 'Allowed' => true || false, 'Namespace' => '<string>', 'Resource' => '<string>', 'Verb' => '<string>', ], 'KubernetesRoleBindingDetails' => [ 'Kind' => '<string>', 'Name' => '<string>', 'RoleRefKind' => '<string>', 'RoleRefName' => '<string>', 'Uid' => '<string>', ], 'KubernetesRoleDetails' => [ 'Kind' => '<string>', 'Name' => '<string>', 'Uid' => '<string>', ], 'NetworkConnectionAction' => [ 'Blocked' => true || false, 'ConnectionDirection' => '<string>', 'LocalIpDetails' => [ 'IpAddressV4' => '<string>', 'IpAddressV6' => '<string>', ], 'LocalNetworkInterface' => '<string>', 'LocalPortDetails' => [ 'Port' => <integer>, 'PortName' => '<string>', ], 'Protocol' => '<string>', 'RemoteIpDetails' => [ 'City' => [ 'CityName' => '<string>', ], 'Country' => [ 'CountryCode' => '<string>', 'CountryName' => '<string>', ], 'GeoLocation' => [ 'Lat' => <float>, 'Lon' => <float>, ], 'IpAddressV4' => '<string>', 'IpAddressV6' => '<string>', 'Organization' => [ 'Asn' => '<string>', 'AsnOrg' => '<string>', 'Isp' => '<string>', 'Org' => '<string>', ], ], 'RemotePortDetails' => [ 'Port' => <integer>, 'PortName' => '<string>', ], ], 'PortProbeAction' => [ 'Blocked' => true || false, 'PortProbeDetails' => [ [ 'LocalIpDetails' => [ 'IpAddressV4' => '<string>', 'IpAddressV6' => '<string>', ], 'LocalPortDetails' => [ 'Port' => <integer>, 'PortName' => '<string>', ], 'RemoteIpDetails' => [ 'City' => [ 'CityName' => '<string>', ], 'Country' => [ 'CountryCode' => '<string>', 'CountryName' => '<string>', ], 'GeoLocation' => [ 'Lat' => <float>, 'Lon' => <float>, ], 'IpAddressV4' => '<string>', 'IpAddressV6' => '<string>', 'Organization' => [ 'Asn' => '<string>', 'AsnOrg' => '<string>', 'Isp' => '<string>', 'Org' => '<string>', ], ], ], // ... ], ], 'RdsLoginAttemptAction' => [ 'LoginAttributes' => [ [ 'Application' => '<string>', 'FailedLoginAttempts' => <integer>, 'SuccessfulLoginAttempts' => <integer>, 'User' => '<string>', ], // ... ], 'RemoteIpDetails' => [ 'City' => [ 'CityName' => '<string>', ], 'Country' => [ 'CountryCode' => '<string>', 'CountryName' => '<string>', ], 'GeoLocation' => [ 'Lat' => <float>, 'Lon' => <float>, ], 'IpAddressV4' => '<string>', 'IpAddressV6' => '<string>', 'Organization' => [ 'Asn' => '<string>', 'AsnOrg' => '<string>', 'Isp' => '<string>', 'Org' => '<string>', ], ], ], ], 'AdditionalInfo' => [ 'Type' => '<string>', 'Value' => '<string>', ], 'Archived' => true || false, 'Count' => <integer>, 'Detection' => [ 'Anomaly' => [ 'Profiles' => [ '<String>' => [ '<String>' => [ [ 'Observations' => [ 'Text' => ['<string>', ...], ], 'ProfileSubtype' => 'FREQUENT|INFREQUENT|UNSEEN|RARE', 'ProfileType' => 'FREQUENCY', ], // ... ], // ... ], // ... ], 'Unusual' => [ 'Behavior' => [ '<String>' => [ '<String>' => [ 'Observations' => [ 'Text' => ['<string>', ...], ], 'ProfileSubtype' => 'FREQUENT|INFREQUENT|UNSEEN|RARE', 'ProfileType' => 'FREQUENCY', ], // ... ], // ... ], ], ], 'Sequence' => [ 'Actors' => [ [ 'Id' => '<string>', 'Session' => [ 'CreatedTime' => <DateTime>, 'Issuer' => '<string>', 'MfaStatus' => 'ENABLED|DISABLED', 'Uid' => '<string>', ], 'User' => [ 'Account' => [ 'Name' => '<string>', 'Uid' => '<string>', ], 'CredentialUid' => '<string>', 'Name' => '<string>', 'Type' => '<string>', 'Uid' => '<string>', ], ], // ... ], 'Description' => '<string>', 'Endpoints' => [ [ 'AutonomousSystem' => [ 'Name' => '<string>', 'Number' => <integer>, ], 'Connection' => [ 'Direction' => 'INBOUND|OUTBOUND', ], 'Domain' => '<string>', 'Id' => '<string>', 'Ip' => '<string>', 'Location' => [ 'City' => '<string>', 'Country' => '<string>', 'Latitude' => <float>, 'Longitude' => <float>, ], 'Port' => <integer>, ], // ... ], 'Resources' => [ [ 'AccountId' => '<string>', 'CloudPartition' => '<string>', 'Data' => [ 'AccessKey' => [ 'PrincipalId' => '<string>', 'UserName' => '<string>', 'UserType' => '<string>', ], 'Ec2Instance' => [ 'AvailabilityZone' => '<string>', 'Ec2NetworkInterfaceUids' => ['<string>', ...], 'IamInstanceProfile' => [ 'Arn' => '<string>', 'Id' => '<string>', ], 'ImageDescription' => '<string>', 'InstanceState' => '<string>', 'InstanceType' => '<string>', 'OutpostArn' => '<string>', 'Platform' => '<string>', 'ProductCodes' => [ [ 'Code' => '<string>', 'ProductType' => '<string>', ], // ... ], ], 'Ec2NetworkInterface' => [ 'Ipv6Addresses' => ['<string>', ...], 'PrivateIpAddresses' => [ [ 'PrivateDnsName' => '<string>', 'PrivateIpAddress' => '<string>', ], // ... ], 'PublicIp' => '<string>', 'SecurityGroups' => [ [ 'GroupId' => '<string>', 'GroupName' => '<string>', ], // ... ], 'SubNetId' => '<string>', 'VpcId' => '<string>', ], 'S3Bucket' => [ 'AccountPublicAccess' => [ 'PublicAclAccess' => 'BLOCKED|ALLOWED', 'PublicAclIgnoreBehavior' => 'IGNORED|NOT_IGNORED', 'PublicBucketRestrictBehavior' => 'RESTRICTED|NOT_RESTRICTED', 'PublicPolicyAccess' => 'BLOCKED|ALLOWED', ], 'BucketPublicAccess' => [ 'PublicAclAccess' => 'BLOCKED|ALLOWED', 'PublicAclIgnoreBehavior' => 'IGNORED|NOT_IGNORED', 'PublicBucketRestrictBehavior' => 'RESTRICTED|NOT_RESTRICTED', 'PublicPolicyAccess' => 'BLOCKED|ALLOWED', ], 'CreatedAt' => <DateTime>, 'EffectivePermission' => '<string>', 'EncryptionKeyArn' => '<string>', 'EncryptionType' => '<string>', 'OwnerId' => '<string>', 'PublicReadAccess' => 'BLOCKED|ALLOWED', 'PublicWriteAccess' => 'BLOCKED|ALLOWED', 'S3ObjectUids' => ['<string>', ...], ], 'S3Object' => [ 'ETag' => '<string>', 'Key' => '<string>', 'VersionId' => '<string>', ], ], 'Name' => '<string>', 'Region' => '<string>', 'ResourceType' => 'EC2_INSTANCE|EC2_NETWORK_INTERFACE|S3_BUCKET|S3_OBJECT|ACCESS_KEY', 'Service' => '<string>', 'Tags' => [ [ 'Key' => '<string>', 'Value' => '<string>', ], // ... ], 'Uid' => '<string>', ], // ... ], 'SequenceIndicators' => [ [ 'Key' => 'SUSPICIOUS_USER_AGENT|SUSPICIOUS_NETWORK|MALICIOUS_IP|TOR_IP|ATTACK_TACTIC|HIGH_RISK_API|ATTACK_TECHNIQUE|UNUSUAL_API_FOR_ACCOUNT|UNUSUAL_ASN_FOR_ACCOUNT|UNUSUAL_ASN_FOR_USER', 'Title' => '<string>', 'Values' => ['<string>', ...], ], // ... ], 'Signals' => [ [ 'ActorIds' => ['<string>', ...], 'Count' => <integer>, 'CreatedAt' => <DateTime>, 'Description' => '<string>', 'EndpointIds' => ['<string>', ...], 'FirstSeenAt' => <DateTime>, 'LastSeenAt' => <DateTime>, 'Name' => '<string>', 'ResourceUids' => ['<string>', ...], 'Severity' => <float>, 'SignalIndicators' => [ [ 'Key' => 'SUSPICIOUS_USER_AGENT|SUSPICIOUS_NETWORK|MALICIOUS_IP|TOR_IP|ATTACK_TACTIC|HIGH_RISK_API|ATTACK_TECHNIQUE|UNUSUAL_API_FOR_ACCOUNT|UNUSUAL_ASN_FOR_ACCOUNT|UNUSUAL_ASN_FOR_USER', 'Title' => '<string>', 'Values' => ['<string>', ...], ], // ... ], 'Type' => 'FINDING|CLOUD_TRAIL|S3_DATA_EVENTS', 'Uid' => '<string>', 'UpdatedAt' => <DateTime>, ], // ... ], 'Uid' => '<string>', ], ], 'DetectorId' => '<string>', 'EbsVolumeScanDetails' => [ 'ScanCompletedAt' => <DateTime>, 'ScanDetections' => [ 'HighestSeverityThreatDetails' => [ 'Count' => <integer>, 'Severity' => '<string>', 'ThreatName' => '<string>', ], 'ScannedItemCount' => [ 'Files' => <integer>, 'TotalGb' => <integer>, 'Volumes' => <integer>, ], 'ThreatDetectedByName' => [ 'ItemCount' => <integer>, 'Shortened' => true || false, 'ThreatNames' => [ [ 'FilePaths' => [ [ 'FileName' => '<string>', 'FilePath' => '<string>', 'Hash' => '<string>', 'VolumeArn' => '<string>', ], // ... ], 'ItemCount' => <integer>, 'Name' => '<string>', 'Severity' => '<string>', ], // ... ], 'UniqueThreatNameCount' => <integer>, ], 'ThreatsDetectedItemCount' => [ 'Files' => <integer>, ], ], 'ScanId' => '<string>', 'ScanStartedAt' => <DateTime>, 'ScanType' => 'GUARDDUTY_INITIATED|ON_DEMAND', 'Sources' => ['<string>', ...], 'TriggerFindingId' => '<string>', ], 'EventFirstSeen' => '<string>', 'EventLastSeen' => '<string>', 'Evidence' => [ 'ThreatIntelligenceDetails' => [ [ 'ThreatFileSha256' => '<string>', 'ThreatListName' => '<string>', 'ThreatNames' => ['<string>', ...], ], // ... ], ], 'FeatureName' => '<string>', 'MalwareScanDetails' => [ 'Threats' => [ [ 'ItemPaths' => [ [ 'Hash' => '<string>', 'NestedItemPath' => '<string>', ], // ... ], 'Name' => '<string>', 'Source' => '<string>', ], // ... ], ], 'ResourceRole' => '<string>', 'RuntimeDetails' => [ 'Context' => [ 'AddressFamily' => '<string>', 'CommandLineExample' => '<string>', 'FileSystemType' => '<string>', 'Flags' => ['<string>', ...], 'IanaProtocolNumber' => <integer>, 'LdPreloadValue' => '<string>', 'LibraryPath' => '<string>', 'MemoryRegions' => ['<string>', ...], 'ModifiedAt' => <DateTime>, 'ModifyingProcess' => [ 'Euid' => <integer>, 'ExecutablePath' => '<string>', 'ExecutableSha256' => '<string>', 'Lineage' => [ [ 'Euid' => <integer>, 'ExecutablePath' => '<string>', 'Name' => '<string>', 'NamespacePid' => <integer>, 'ParentUuid' => '<string>', 'Pid' => <integer>, 'StartTime' => <DateTime>, 'UserId' => <integer>, 'Uuid' => '<string>', ], // ... ], 'Name' => '<string>', 'NamespacePid' => <integer>, 'ParentUuid' => '<string>', 'Pid' => <integer>, 'Pwd' => '<string>', 'StartTime' => <DateTime>, 'User' => '<string>', 'UserId' => <integer>, 'Uuid' => '<string>', ], 'ModuleFilePath' => '<string>', 'ModuleName' => '<string>', 'ModuleSha256' => '<string>', 'MountSource' => '<string>', 'MountTarget' => '<string>', 'ReleaseAgentPath' => '<string>', 'RuncBinaryPath' => '<string>', 'ScriptPath' => '<string>', 'ServiceName' => '<string>', 'ShellHistoryFilePath' => '<string>', 'SocketPath' => '<string>', 'TargetProcess' => [ 'Euid' => <integer>, 'ExecutablePath' => '<string>', 'ExecutableSha256' => '<string>', 'Lineage' => [ [ 'Euid' => <integer>, 'ExecutablePath' => '<string>', 'Name' => '<string>', 'NamespacePid' => <integer>, 'ParentUuid' => '<string>', 'Pid' => <integer>, 'StartTime' => <DateTime>, 'UserId' => <integer>, 'Uuid' => '<string>', ], // ... ], 'Name' => '<string>', 'NamespacePid' => <integer>, 'ParentUuid' => '<string>', 'Pid' => <integer>, 'Pwd' => '<string>', 'StartTime' => <DateTime>, 'User' => '<string>', 'UserId' => <integer>, 'Uuid' => '<string>', ], 'ThreatFilePath' => '<string>', 'ToolCategory' => '<string>', 'ToolName' => '<string>', ], 'Process' => [ 'Euid' => <integer>, 'ExecutablePath' => '<string>', 'ExecutableSha256' => '<string>', 'Lineage' => [ [ 'Euid' => <integer>, 'ExecutablePath' => '<string>', 'Name' => '<string>', 'NamespacePid' => <integer>, 'ParentUuid' => '<string>', 'Pid' => <integer>, 'StartTime' => <DateTime>, 'UserId' => <integer>, 'Uuid' => '<string>', ], // ... ], 'Name' => '<string>', 'NamespacePid' => <integer>, 'ParentUuid' => '<string>', 'Pid' => <integer>, 'Pwd' => '<string>', 'StartTime' => <DateTime>, 'User' => '<string>', 'UserId' => <integer>, 'Uuid' => '<string>', ], ], 'ServiceName' => '<string>', 'UserFeedback' => '<string>', ], 'Severity' => <float>, 'Title' => '<string>', 'Type' => '<string>', 'UpdatedAt' => '<string>', ], // ... ], ]
Result Details
Members
- Findings
-
- Required: Yes
- Type: Array of Finding structures
A list of findings.
Errors
- BadRequestException:
A bad request exception object.
- InternalServerErrorException:
An internal server error exception object.
GetFindingsStatistics
$result = $client->getFindingsStatistics
([/* ... */]); $promise = $client->getFindingsStatisticsAsync
([/* ... */]);
Lists GuardDuty findings statistics for the specified detector ID.
You must provide either findingStatisticTypes
or groupBy
parameter, and not both. You can use the maxResults
and orderBy
parameters only when using groupBy
.
There might be regional differences because some flags might not be available in all the Regions where GuardDuty is currently supported. For more information, see Regions and endpoints.
Parameter Syntax
$result = $client->getFindingsStatistics([ 'DetectorId' => '<string>', // REQUIRED 'FindingCriteria' => [ 'Criterion' => [ '<String>' => [ 'Eq' => ['<string>', ...], 'Equals' => ['<string>', ...], 'GreaterThan' => <integer>, 'GreaterThanOrEqual' => <integer>, 'Gt' => <integer>, 'Gte' => <integer>, 'LessThan' => <integer>, 'LessThanOrEqual' => <integer>, 'Lt' => <integer>, 'Lte' => <integer>, 'Neq' => ['<string>', ...], 'NotEquals' => ['<string>', ...], ], // ... ], ], 'FindingStatisticTypes' => ['<string>', ...], 'GroupBy' => 'ACCOUNT|DATE|FINDING_TYPE|RESOURCE|SEVERITY', 'MaxResults' => <integer>, 'OrderBy' => 'ASC|DESC', ]);
Parameter Details
Members
- DetectorId
-
- Required: Yes
- Type: string
The ID of the detector whose findings statistics you want to retrieve.
To find the
detectorId
in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API. - FindingCriteria
-
- Type: FindingCriteria structure
Represents the criteria that is used for querying findings.
- FindingStatisticTypes
-
- Type: Array of strings
The types of finding statistics to retrieve.
- GroupBy
-
- Type: string
Displays the findings statistics grouped by one of the listed valid values.
- MaxResults
-
- Type: int
The maximum number of results to be returned in the response. The default value is 25.
You can use this parameter only with the
groupBy
parameter. - OrderBy
-
- Type: string
Displays the sorted findings in the requested order. The default value of
orderBy
isDESC
.You can use this parameter only with the
groupBy
parameter.
Result Syntax
[ 'FindingStatistics' => [ 'CountBySeverity' => [<integer>, ...], 'GroupedByAccount' => [ [ 'AccountId' => '<string>', 'LastGeneratedAt' => <DateTime>, 'TotalFindings' => <integer>, ], // ... ], 'GroupedByDate' => [ [ 'Date' => <DateTime>, 'LastGeneratedAt' => <DateTime>, 'Severity' => <float>, 'TotalFindings' => <integer>, ], // ... ], 'GroupedByFindingType' => [ [ 'FindingType' => '<string>', 'LastGeneratedAt' => <DateTime>, 'TotalFindings' => <integer>, ], // ... ], 'GroupedByResource' => [ [ 'AccountId' => '<string>', 'LastGeneratedAt' => <DateTime>, 'ResourceId' => '<string>', 'ResourceType' => '<string>', 'TotalFindings' => <integer>, ], // ... ], 'GroupedBySeverity' => [ [ 'LastGeneratedAt' => <DateTime>, 'Severity' => <float>, 'TotalFindings' => <integer>, ], // ... ], ], 'NextToken' => '<string>', ]
Result Details
Members
- FindingStatistics
-
- Required: Yes
- Type: FindingStatistics structure
The finding statistics object.
- NextToken
-
- Type: string
The pagination parameter to be used on the next list operation to retrieve more items.
This parameter is currently not supported.
Errors
- BadRequestException:
A bad request exception object.
- InternalServerErrorException:
An internal server error exception object.
GetIPSet
$result = $client->getIPSet
([/* ... */]); $promise = $client->getIPSetAsync
([/* ... */]);
Retrieves the IPSet specified by the ipSetId
.
Parameter Syntax
$result = $client->getIPSet([ 'DetectorId' => '<string>', // REQUIRED 'IpSetId' => '<string>', // REQUIRED ]);
Parameter Details
Members
- DetectorId
-
- Required: Yes
- Type: string
The unique ID of the detector that is associated with the IPSet.
To find the
detectorId
in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API. - IpSetId
-
- Required: Yes
- Type: string
The unique ID of the IPSet to retrieve.
Result Syntax
[ 'Format' => 'TXT|STIX|OTX_CSV|ALIEN_VAULT|PROOF_POINT|FIRE_EYE', 'Location' => '<string>', 'Name' => '<string>', 'Status' => 'INACTIVE|ACTIVATING|ACTIVE|DEACTIVATING|ERROR|DELETE_PENDING|DELETED', 'Tags' => ['<string>', ...], ]
Result Details
Members
- Format
-
- Required: Yes
- Type: string
The format of the file that contains the IPSet.
- Location
-
- Required: Yes
- Type: string
The URI of the file that contains the IPSet.
- Name
-
- Required: Yes
- Type: string
The user-friendly name for the IPSet.
- Status
-
- Required: Yes
- Type: string
The status of IPSet file that was uploaded.
- Tags
-
- Type: Associative array of custom strings keys (TagKey) to strings
The tags of the IPSet resource.
Errors
- BadRequestException:
A bad request exception object.
- InternalServerErrorException:
An internal server error exception object.
GetInvitationsCount
$result = $client->getInvitationsCount
([/* ... */]); $promise = $client->getInvitationsCountAsync
([/* ... */]);
Returns the count of all GuardDuty membership invitations that were sent to the current member account except the currently accepted invitation.
Parameter Syntax
$result = $client->getInvitationsCount([ ]);
Parameter Details
Members
Result Syntax
[ 'InvitationsCount' => <integer>, ]
Result Details
Members
- InvitationsCount
-
- Type: int
The number of received invitations.
Errors
- BadRequestException:
A bad request exception object.
- InternalServerErrorException:
An internal server error exception object.
GetMalwareProtectionPlan
$result = $client->getMalwareProtectionPlan
([/* ... */]); $promise = $client->getMalwareProtectionPlanAsync
([/* ... */]);
Retrieves the Malware Protection plan details associated with a Malware Protection plan ID.
Parameter Syntax
$result = $client->getMalwareProtectionPlan([ 'MalwareProtectionPlanId' => '<string>', // REQUIRED ]);
Parameter Details
Members
- MalwareProtectionPlanId
-
- Required: Yes
- Type: string
A unique identifier associated with Malware Protection plan resource.
Result Syntax
[ 'Actions' => [ 'Tagging' => [ 'Status' => 'ENABLED|DISABLED', ], ], 'Arn' => '<string>', 'CreatedAt' => <DateTime>, 'ProtectedResource' => [ 'S3Bucket' => [ 'BucketName' => '<string>', 'ObjectPrefixes' => ['<string>', ...], ], ], 'Role' => '<string>', 'Status' => 'ACTIVE|WARNING|ERROR', 'StatusReasons' => [ [ 'Code' => '<string>', 'Message' => '<string>', ], // ... ], 'Tags' => ['<string>', ...], ]
Result Details
Members
- Actions
-
- Type: MalwareProtectionPlanActions structure
Information about whether the tags will be added to the S3 object after scanning.
- Arn
-
- Type: string
Amazon Resource Name (ARN) of the protected resource.
- CreatedAt
-
- Type: timestamp (string|DateTime or anything parsable by strtotime)
The timestamp when the Malware Protection plan resource was created.
- ProtectedResource
-
- Type: CreateProtectedResource structure
Information about the protected resource that is associated with the created Malware Protection plan. Presently,
S3Bucket
is the only supported protected resource. - Role
-
- Type: string
Amazon Resource Name (ARN) of the IAM role that includes the permissions to scan and add tags to the associated protected resource.
- Status
-
- Type: string
Malware Protection plan status.
- StatusReasons
-
- Type: Array of MalwareProtectionPlanStatusReason structures
Information about the issue code and message associated to the status of your Malware Protection plan.
- Tags
-
- Type: Associative array of custom strings keys (TagKey) to strings
Tags added to the Malware Protection plan resource.
Errors
- BadRequestException:
A bad request exception object.
- AccessDeniedException:
An access denied exception object.
- InternalServerErrorException:
An internal server error exception object.
- ResourceNotFoundException:
The requested resource can't be found.
GetMalwareScanSettings
$result = $client->getMalwareScanSettings
([/* ... */]); $promise = $client->getMalwareScanSettingsAsync
([/* ... */]);
Returns the details of the malware scan settings.
There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints.
Parameter Syntax
$result = $client->getMalwareScanSettings([ 'DetectorId' => '<string>', // REQUIRED ]);
Parameter Details
Members
- DetectorId
-
- Required: Yes
- Type: string
The unique ID of the detector that is associated with this scan.
To find the
detectorId
in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
Result Syntax
[ 'EbsSnapshotPreservation' => 'NO_RETENTION|RETENTION_WITH_FINDING', 'ScanResourceCriteria' => [ 'Exclude' => [ '<ScanCriterionKey>' => [ 'MapEquals' => [ [ 'Key' => '<string>', 'Value' => '<string>', ], // ... ], ], // ... ], 'Include' => [ '<ScanCriterionKey>' => [ 'MapEquals' => [ [ 'Key' => '<string>', 'Value' => '<string>', ], // ... ], ], // ... ], ], ]
Result Details
Members
- EbsSnapshotPreservation
-
- Type: string
An enum value representing possible snapshot preservation settings.
- ScanResourceCriteria
-
- Type: ScanResourceCriteria structure
Represents the criteria to be used in the filter for scanning resources.
Errors
- BadRequestException:
A bad request exception object.
- InternalServerErrorException:
An internal server error exception object.
GetMasterAccount
$result = $client->getMasterAccount
([/* ... */]); $promise = $client->getMasterAccountAsync
([/* ... */]);
Provides the details for the GuardDuty administrator account associated with the current GuardDuty member account.
Parameter Syntax
$result = $client->getMasterAccount([ 'DetectorId' => '<string>', // REQUIRED ]);
Parameter Details
Members
- DetectorId
-
- Required: Yes
- Type: string
The unique ID of the detector of the GuardDuty member account.
To find the
detectorId
in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
Result Syntax
[ 'Master' => [ 'AccountId' => '<string>', 'InvitationId' => '<string>', 'InvitedAt' => '<string>', 'RelationshipStatus' => '<string>', ], ]
Result Details
Members
- Master
-
- Required: Yes
- Type: Master structure
The administrator account details.
Errors
- BadRequestException:
A bad request exception object.
- InternalServerErrorException:
An internal server error exception object.
GetMemberDetectors
$result = $client->getMemberDetectors
([/* ... */]); $promise = $client->getMemberDetectorsAsync
([/* ... */]);
Describes which data sources are enabled for the member account's detector.
There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints.
Parameter Syntax
$result = $client->getMemberDetectors([ 'AccountIds' => ['<string>', ...], // REQUIRED 'DetectorId' => '<string>', // REQUIRED ]);
Parameter Details
Members
- AccountIds
-
- Required: Yes
- Type: Array of strings
A list of member account IDs.
- DetectorId
-
- Required: Yes
- Type: string
The detector ID for the administrator account.
To find the
detectorId
in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
Result Syntax
[ 'MemberDataSourceConfigurations' => [ [ 'AccountId' => '<string>', 'DataSources' => [ 'CloudTrail' => [ 'Status' => 'ENABLED|DISABLED', ], 'DNSLogs' => [ 'Status' => 'ENABLED|DISABLED', ], 'FlowLogs' => [ 'Status' => 'ENABLED|DISABLED', ], 'Kubernetes' => [ 'AuditLogs' => [ 'Status' => 'ENABLED|DISABLED', ], ], 'MalwareProtection' => [ 'ScanEc2InstanceWithFindings' => [ 'EbsVolumes' => [ 'Reason' => '<string>', 'Status' => 'ENABLED|DISABLED', ], ], 'ServiceRole' => '<string>', ], 'S3Logs' => [ 'Status' => 'ENABLED|DISABLED', ], ], 'Features' => [ [ 'AdditionalConfiguration' => [ [ 'Name' => 'EKS_ADDON_MANAGEMENT|ECS_FARGATE_AGENT_MANAGEMENT|EC2_AGENT_MANAGEMENT', 'Status' => 'ENABLED|DISABLED', 'UpdatedAt' => <DateTime>, ], // ... ], 'Name' => 'S3_DATA_EVENTS|EKS_AUDIT_LOGS|EBS_MALWARE_PROTECTION|RDS_LOGIN_EVENTS|EKS_RUNTIME_MONITORING|LAMBDA_NETWORK_LOGS|RUNTIME_MONITORING', 'Status' => 'ENABLED|DISABLED', 'UpdatedAt' => <DateTime>, ], // ... ], ], // ... ], 'UnprocessedAccounts' => [ [ 'AccountId' => '<string>', 'Result' => '<string>', ], // ... ], ]
Result Details
Members
- MemberDataSourceConfigurations
-
- Required: Yes
- Type: Array of MemberDataSourceConfiguration structures
An object that describes which data sources are enabled for a member account.
- UnprocessedAccounts
-
- Required: Yes
- Type: Array of UnprocessedAccount structures
A list of member account IDs that were unable to be processed along with an explanation for why they were not processed.
Errors
- BadRequestException:
A bad request exception object.
- InternalServerErrorException:
An internal server error exception object.
GetMembers
$result = $client->getMembers
([/* ... */]); $promise = $client->getMembersAsync
([/* ... */]);
Retrieves GuardDuty member accounts (of the current GuardDuty administrator account) specified by the account IDs.
Parameter Syntax
$result = $client->getMembers([ 'AccountIds' => ['<string>', ...], // REQUIRED 'DetectorId' => '<string>', // REQUIRED ]);
Parameter Details
Members
- AccountIds
-
- Required: Yes
- Type: Array of strings
A list of account IDs of the GuardDuty member accounts that you want to describe.
- DetectorId
-
- Required: Yes
- Type: string
The unique ID of the detector of the GuardDuty account whose members you want to retrieve.
To find the
detectorId
in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
Result Syntax
[ 'Members' => [ [ 'AccountId' => '<string>', 'AdministratorId' => '<string>', 'DetectorId' => '<string>', 'Email' => '<string>', 'InvitedAt' => '<string>', 'MasterId' => '<string>', 'RelationshipStatus' => '<string>', 'UpdatedAt' => '<string>', ], // ... ], 'UnprocessedAccounts' => [ [ 'AccountId' => '<string>', 'Result' => '<string>', ], // ... ], ]
Result Details
Members
- Members
-
- Required: Yes
- Type: Array of Member structures
A list of members.
- UnprocessedAccounts
-
- Required: Yes
- Type: Array of UnprocessedAccount structures
A list of objects that contain the unprocessed account and a result string that explains why it was unprocessed.
Errors
- BadRequestException:
A bad request exception object.
- InternalServerErrorException:
An internal server error exception object.
GetOrganizationStatistics
$result = $client->getOrganizationStatistics
([/* ... */]); $promise = $client->getOrganizationStatisticsAsync
([/* ... */]);
Retrieves how many active member accounts have each feature enabled within GuardDuty. Only a delegated GuardDuty administrator of an organization can run this API.
When you create a new organization, it might take up to 24 hours to generate the statistics for the entire organization.
Parameter Syntax
$result = $client->getOrganizationStatistics([ ]);
Parameter Details
Members
Result Syntax
[ 'OrganizationDetails' => [ 'OrganizationStatistics' => [ 'ActiveAccountsCount' => <integer>, 'CountByFeature' => [ [ 'AdditionalConfiguration' => [ [ 'EnabledAccountsCount' => <integer>, 'Name' => 'EKS_ADDON_MANAGEMENT|ECS_FARGATE_AGENT_MANAGEMENT|EC2_AGENT_MANAGEMENT', ], // ... ], 'EnabledAccountsCount' => <integer>, 'Name' => 'S3_DATA_EVENTS|EKS_AUDIT_LOGS|EBS_MALWARE_PROTECTION|RDS_LOGIN_EVENTS|EKS_RUNTIME_MONITORING|LAMBDA_NETWORK_LOGS|RUNTIME_MONITORING', ], // ... ], 'EnabledAccountsCount' => <integer>, 'MemberAccountsCount' => <integer>, 'TotalAccountsCount' => <integer>, ], 'UpdatedAt' => <DateTime>, ], ]
Result Details
Members
- OrganizationDetails
-
- Type: OrganizationDetails structure
Information about the statistics report for your organization.
Errors
- BadRequestException:
A bad request exception object.
- InternalServerErrorException:
An internal server error exception object.
GetRemainingFreeTrialDays
$result = $client->getRemainingFreeTrialDays
([/* ... */]); $promise = $client->getRemainingFreeTrialDaysAsync
([/* ... */]);
Provides the number of days left for each data source used in the free trial period.
Parameter Syntax
$result = $client->getRemainingFreeTrialDays([ 'AccountIds' => ['<string>', ...], 'DetectorId' => '<string>', // REQUIRED ]);
Parameter Details
Members
- AccountIds
-
- Type: Array of strings
A list of account identifiers of the GuardDuty member account.
- DetectorId
-
- Required: Yes
- Type: string
The unique ID of the detector of the GuardDuty member account.
To find the
detectorId
in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
Result Syntax
[ 'Accounts' => [ [ 'AccountId' => '<string>', 'DataSources' => [ 'CloudTrail' => [ 'FreeTrialDaysRemaining' => <integer>, ], 'DnsLogs' => [ 'FreeTrialDaysRemaining' => <integer>, ], 'FlowLogs' => [ 'FreeTrialDaysRemaining' => <integer>, ], 'Kubernetes' => [ 'AuditLogs' => [ 'FreeTrialDaysRemaining' => <integer>, ], ], 'MalwareProtection' => [ 'ScanEc2InstanceWithFindings' => [ 'FreeTrialDaysRemaining' => <integer>, ], ], 'S3Logs' => [ 'FreeTrialDaysRemaining' => <integer>, ], ], 'Features' => [ [ 'FreeTrialDaysRemaining' => <integer>, 'Name' => 'FLOW_LOGS|CLOUD_TRAIL|DNS_LOGS|S3_DATA_EVENTS|EKS_AUDIT_LOGS|EBS_MALWARE_PROTECTION|RDS_LOGIN_EVENTS|EKS_RUNTIME_MONITORING|LAMBDA_NETWORK_LOGS|FARGATE_RUNTIME_MONITORING|EC2_RUNTIME_MONITORING', ], // ... ], ], // ... ], 'UnprocessedAccounts' => [ [ 'AccountId' => '<string>', 'Result' => '<string>', ], // ... ], ]
Result Details
Members
- Accounts
-
- Type: Array of AccountFreeTrialInfo structures
The member accounts which were included in a request and were processed successfully.
- UnprocessedAccounts
-
- Type: Array of UnprocessedAccount structures
The member account that was included in a request but for which the request could not be processed.
Errors
- BadRequestException:
A bad request exception object.
- InternalServerErrorException:
An internal server error exception object.
GetThreatIntelSet
$result = $client->getThreatIntelSet
([/* ... */]); $promise = $client->getThreatIntelSetAsync
([/* ... */]);
Retrieves the ThreatIntelSet that is specified by the ThreatIntelSet ID.
Parameter Syntax
$result = $client->getThreatIntelSet([ 'DetectorId' => '<string>', // REQUIRED 'ThreatIntelSetId' => '<string>', // REQUIRED ]);
Parameter Details
Members
- DetectorId
-
- Required: Yes
- Type: string
The unique ID of the detector that is associated with the threatIntelSet.
To find the
detectorId
in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API. - ThreatIntelSetId
-
- Required: Yes
- Type: string
The unique ID of the threatIntelSet that you want to get.
Result Syntax
[ 'Format' => 'TXT|STIX|OTX_CSV|ALIEN_VAULT|PROOF_POINT|FIRE_EYE', 'Location' => '<string>', 'Name' => '<string>', 'Status' => 'INACTIVE|ACTIVATING|ACTIVE|DEACTIVATING|ERROR|DELETE_PENDING|DELETED', 'Tags' => ['<string>', ...], ]
Result Details
Members
- Format
-
- Required: Yes
- Type: string
The format of the threatIntelSet.
- Location
-
- Required: Yes
- Type: string
The URI of the file that contains the ThreatIntelSet.
- Name
-
- Required: Yes
- Type: string
A user-friendly ThreatIntelSet name displayed in all findings that are generated by activity that involves IP addresses included in this ThreatIntelSet.
- Status
-
- Required: Yes
- Type: string
The status of threatIntelSet file uploaded.
- Tags
-
- Type: Associative array of custom strings keys (TagKey) to strings
The tags of the threat list resource.
Errors
- BadRequestException:
A bad request exception object.
- InternalServerErrorException:
An internal server error exception object.
GetUsageStatistics
$result = $client->getUsageStatistics
([/* ... */]); $promise = $client->getUsageStatisticsAsync
([/* ... */]);
Lists Amazon GuardDuty usage statistics over the last 30 days for the specified detector ID. For newly enabled detectors or data sources, the cost returned will include only the usage so far under 30 days. This may differ from the cost metrics in the console, which project usage over 30 days to provide a monthly cost estimate. For more information, see Understanding How Usage Costs are Calculated.
Parameter Syntax
$result = $client->getUsageStatistics([ 'DetectorId' => '<string>', // REQUIRED 'MaxResults' => <integer>, 'NextToken' => '<string>', 'Unit' => '<string>', 'UsageCriteria' => [ // REQUIRED 'AccountIds' => ['<string>', ...], 'DataSources' => ['<string>', ...], 'Features' => ['<string>', ...], 'Resources' => ['<string>', ...], ], 'UsageStatisticType' => 'SUM_BY_ACCOUNT|SUM_BY_DATA_SOURCE|SUM_BY_RESOURCE|TOP_RESOURCES|SUM_BY_FEATURES|TOP_ACCOUNTS_BY_FEATURE', // REQUIRED ]);
Parameter Details
Members
- DetectorId
-
- Required: Yes
- Type: string
The ID of the detector that specifies the GuardDuty service whose usage statistics you want to retrieve.
To find the
detectorId
in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API. - MaxResults
-
- Type: int
The maximum number of results to return in the response.
- NextToken
-
- Type: string
A token to use for paginating results that are returned in the response. Set the value of this parameter to null for the first request to a list action. For subsequent calls, use the NextToken value returned from the previous request to continue listing results after the first page.
- Unit
-
- Type: string
The currency unit you would like to view your usage statistics in. Current valid values are USD.
- UsageCriteria
-
- Required: Yes
- Type: UsageCriteria structure
Represents the criteria used for querying usage.
- UsageStatisticType
-
- Required: Yes
- Type: string
The type of usage statistics to retrieve.
Result Syntax
[ 'NextToken' => '<string>', 'UsageStatistics' => [ 'SumByAccount' => [ [ 'AccountId' => '<string>', 'Total' => [ 'Amount' => '<string>', 'Unit' => '<string>', ], ], // ... ], 'SumByDataSource' => [ [ 'DataSource' => 'FLOW_LOGS|CLOUD_TRAIL|DNS_LOGS|S3_LOGS|KUBERNETES_AUDIT_LOGS|EC2_MALWARE_SCAN', 'Total' => [ 'Amount' => '<string>', 'Unit' => '<string>', ], ], // ... ], 'SumByFeature' => [ [ 'Feature' => 'FLOW_LOGS|CLOUD_TRAIL|DNS_LOGS|S3_DATA_EVENTS|EKS_AUDIT_LOGS|EBS_MALWARE_PROTECTION|RDS_LOGIN_EVENTS|LAMBDA_NETWORK_LOGS|EKS_RUNTIME_MONITORING|FARGATE_RUNTIME_MONITORING|EC2_RUNTIME_MONITORING|RDS_DBI_PROTECTION_PROVISIONED|RDS_DBI_PROTECTION_SERVERLESS', 'Total' => [ 'Amount' => '<string>', 'Unit' => '<string>', ], ], // ... ], 'SumByResource' => [ [ 'Resource' => '<string>', 'Total' => [ 'Amount' => '<string>', 'Unit' => '<string>', ], ], // ... ], 'TopAccountsByFeature' => [ [ 'Accounts' => [ [ 'AccountId' => '<string>', 'Total' => [ 'Amount' => '<string>', 'Unit' => '<string>', ], ], // ... ], 'Feature' => 'FLOW_LOGS|CLOUD_TRAIL|DNS_LOGS|S3_DATA_EVENTS|EKS_AUDIT_LOGS|EBS_MALWARE_PROTECTION|RDS_LOGIN_EVENTS|LAMBDA_NETWORK_LOGS|EKS_RUNTIME_MONITORING|FARGATE_RUNTIME_MONITORING|EC2_RUNTIME_MONITORING|RDS_DBI_PROTECTION_PROVISIONED|RDS_DBI_PROTECTION_SERVERLESS', ], // ... ], 'TopResources' => [ [ 'Resource' => '<string>', 'Total' => [ 'Amount' => '<string>', 'Unit' => '<string>', ], ], // ... ], ], ]
Result Details
Members
- NextToken
-
- Type: string
The pagination parameter to be used on the next list operation to retrieve more items.
- UsageStatistics
-
- Type: UsageStatistics structure
The usage statistics object. If a UsageStatisticType was provided, the objects representing other types will be null.
Errors
- BadRequestException:
A bad request exception object.
- InternalServerErrorException:
An internal server error exception object.
InviteMembers
$result = $client->inviteMembers
([/* ... */]); $promise = $client->inviteMembersAsync
([/* ... */]);
Invites Amazon Web Services accounts to become members of an organization administered by the Amazon Web Services account that invokes this API. If you are using Amazon Web Services Organizations to manage your GuardDuty environment, this step is not needed. For more information, see Managing accounts with organizations.
To invite Amazon Web Services accounts, the first step is to ensure that GuardDuty has been enabled in the potential member accounts. You can now invoke this API to add accounts by invitation. The invited accounts can either accept or decline the invitation from their GuardDuty accounts. Each invited Amazon Web Services account can choose to accept the invitation from only one Amazon Web Services account. For more information, see Managing GuardDuty accounts by invitation.
After the invite has been accepted and you choose to disassociate a member account (by using DisassociateMembers) from your account, the details of the member account obtained by invoking CreateMembers, including the associated email addresses, will be retained. This is done so that you can invoke InviteMembers without the need to invoke CreateMembers again. To remove the details associated with a member account, you must also invoke DeleteMembers.
If you disassociate a member account that was added by invitation, the member account details obtained from this API, including the associated email addresses, will be retained. This is done so that the delegated administrator can invoke the InviteMembers API without the need to invoke the CreateMembers API again. To remove the details associated with a member account, the delegated administrator must invoke the DeleteMembers API.
When the member accounts added through Organizations are later disassociated, you (administrator) can't invite them by calling the InviteMembers API. You can create an association with these member accounts again only by calling the CreateMembers API.
Parameter Syntax
$result = $client->inviteMembers([ 'AccountIds' => ['<string>', ...], // REQUIRED 'DetectorId' => '<string>', // REQUIRED 'DisableEmailNotification' => true || false, 'Message' => '<string>', ]);
Parameter Details
Members
- AccountIds
-
- Required: Yes
- Type: Array of strings
A list of account IDs of the accounts that you want to invite to GuardDuty as members.
- DetectorId
-
- Required: Yes
- Type: string
The unique ID of the detector of the GuardDuty account with which you want to invite members.
To find the
detectorId
in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API. - DisableEmailNotification
-
- Type: boolean
A Boolean value that specifies whether you want to disable email notification to the accounts that you are inviting to GuardDuty as members.
- Message
-
- Type: string
The invitation message that you want to send to the accounts that you're inviting to GuardDuty as members.
Result Syntax
[ 'UnprocessedAccounts' => [ [ 'AccountId' => '<string>', 'Result' => '<string>', ], // ... ], ]
Result Details
Members
- UnprocessedAccounts
-
- Required: Yes
- Type: Array of UnprocessedAccount structures
A list of objects that contain the unprocessed account and a result string that explains why it was unprocessed.
Errors
- BadRequestException:
A bad request exception object.
- InternalServerErrorException:
An internal server error exception object.
ListCoverage
$result = $client->listCoverage
([/* ... */]); $promise = $client->listCoverageAsync
([/* ... */]);
Lists coverage details for your GuardDuty account. If you're a GuardDuty administrator, you can retrieve all resources associated with the active member accounts in your organization.
Make sure the accounts have Runtime Monitoring enabled and GuardDuty agent running on their resources.
Parameter Syntax
$result = $client->listCoverage([ 'DetectorId' => '<string>', // REQUIRED 'FilterCriteria' => [ 'FilterCriterion' => [ [ 'CriterionKey' => 'ACCOUNT_ID|CLUSTER_NAME|RESOURCE_TYPE|COVERAGE_STATUS|ADDON_VERSION|MANAGEMENT_TYPE|EKS_CLUSTER_NAME|ECS_CLUSTER_NAME|AGENT_VERSION|INSTANCE_ID|CLUSTER_ARN', 'FilterCondition' => [ 'Equals' => ['<string>', ...], 'NotEquals' => ['<string>', ...], ], ], // ... ], ], 'MaxResults' => <integer>, 'NextToken' => '<string>', 'SortCriteria' => [ 'AttributeName' => 'ACCOUNT_ID|CLUSTER_NAME|COVERAGE_STATUS|ISSUE|ADDON_VERSION|UPDATED_AT|EKS_CLUSTER_NAME|ECS_CLUSTER_NAME|INSTANCE_ID', 'OrderBy' => 'ASC|DESC', ], ]);
Parameter Details
Members
- DetectorId
-
- Required: Yes
- Type: string
The unique ID of the detector whose coverage details you want to retrieve.
To find the
detectorId
in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API. - FilterCriteria
-
- Type: CoverageFilterCriteria structure
Represents the criteria used to filter the coverage details.
- MaxResults
-
- Type: int
The maximum number of results to return in the response.
- NextToken
-
- Type: string
A token to use for paginating results that are returned in the response. Set the value of this parameter to null for the first request to a list action. For subsequent calls, use the NextToken value returned from the previous request to continue listing results after the first page.
- SortCriteria
-
- Type: CoverageSortCriteria structure
Represents the criteria used to sort the coverage details.
Result Syntax
[ 'NextToken' => '<string>', 'Resources' => [ [ 'AccountId' => '<string>', 'CoverageStatus' => 'HEALTHY|UNHEALTHY', 'DetectorId' => '<string>', 'Issue' => '<string>', 'ResourceDetails' => [ 'Ec2InstanceDetails' => [ 'AgentDetails' => [ 'Version' => '<string>', ], 'ClusterArn' => '<string>', 'InstanceId' => '<string>', 'InstanceType' => '<string>', 'ManagementType' => 'AUTO_MANAGED|MANUAL|DISABLED', ], 'EcsClusterDetails' => [ 'ClusterName' => '<string>', 'ContainerInstanceDetails' => [ 'CompatibleContainerInstances' => <integer>, 'CoveredContainerInstances' => <integer>, ], 'FargateDetails' => [ 'Issues' => ['<string>', ...], 'ManagementType' => 'AUTO_MANAGED|MANUAL|DISABLED', ], ], 'EksClusterDetails' => [ 'AddonDetails' => [ 'AddonStatus' => '<string>', 'AddonVersion' => '<string>', ], 'ClusterName' => '<string>', 'CompatibleNodes' => <integer>, 'CoveredNodes' => <integer>, 'ManagementType' => 'AUTO_MANAGED|MANUAL|DISABLED', ], 'ResourceType' => 'EKS|ECS|EC2', ], 'ResourceId' => '<string>', 'UpdatedAt' => <DateTime>, ], // ... ], ]
Result Details
Members
- NextToken
-
- Type: string
The pagination parameter to be used on the next list operation to retrieve more items.
- Resources
-
- Required: Yes
- Type: Array of CoverageResource structures
A list of resources and their attributes providing cluster details.
Errors
- BadRequestException:
A bad request exception object.
- InternalServerErrorException:
An internal server error exception object.
ListDetectors
$result = $client->listDetectors
([/* ... */]); $promise = $client->listDetectorsAsync
([/* ... */]);
Lists detectorIds of all the existing Amazon GuardDuty detector resources.
Parameter Syntax
$result = $client->listDetectors([ 'MaxResults' => <integer>, 'NextToken' => '<string>', ]);
Parameter Details
Members
- MaxResults
-
- Type: int
You can use this parameter to indicate the maximum number of items that you want in the response. The default value is 50. The maximum value is 50.
- NextToken
-
- Type: string
You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.
Result Syntax
[ 'DetectorIds' => ['<string>', ...], 'NextToken' => '<string>', ]
Result Details
Members
- DetectorIds
-
- Required: Yes
- Type: Array of strings
A list of detector IDs.
- NextToken
-
- Type: string
The pagination parameter to be used on the next list operation to retrieve more items.
Errors
- BadRequestException:
A bad request exception object.
- InternalServerErrorException:
An internal server error exception object.
ListFilters
$result = $client->listFilters
([/* ... */]); $promise = $client->listFiltersAsync
([/* ... */]);
Returns a paginated list of the current filters.
Parameter Syntax
$result = $client->listFilters([ 'DetectorId' => '<string>', // REQUIRED 'MaxResults' => <integer>, 'NextToken' => '<string>', ]);
Parameter Details
Members
- DetectorId
-
- Required: Yes
- Type: string
The unique ID of the detector that is associated with the filter.
To find the
detectorId
in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API. - MaxResults
-
- Type: int
You can use this parameter to indicate the maximum number of items that you want in the response. The default value is 50. The maximum value is 50.
- NextToken
-
- Type: string
You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.
Result Syntax
[ 'FilterNames' => ['<string>', ...], 'NextToken' => '<string>', ]
Result Details
Members
- FilterNames
-
- Required: Yes
- Type: Array of strings
A list of filter names.
- NextToken
-
- Type: string
The pagination parameter to be used on the next list operation to retrieve more items.
Errors
- BadRequestException:
A bad request exception object.
- InternalServerErrorException:
An internal server error exception object.
ListFindings
$result = $client->listFindings
([/* ... */]); $promise = $client->listFindingsAsync
([/* ... */]);
Lists GuardDuty findings for the specified detector ID.
There might be regional differences because some flags might not be available in all the Regions where GuardDuty is currently supported. For more information, see Regions and endpoints.
Parameter Syntax
$result = $client->listFindings([ 'DetectorId' => '<string>', // REQUIRED 'FindingCriteria' => [ 'Criterion' => [ '<String>' => [ 'Eq' => ['<string>', ...], 'Equals' => ['<string>', ...], 'GreaterThan' => <integer>, 'GreaterThanOrEqual' => <integer>, 'Gt' => <integer>, 'Gte' => <integer>, 'LessThan' => <integer>, 'LessThanOrEqual' => <integer>, 'Lt' => <integer>, 'Lte' => <integer>, 'Neq' => ['<string>', ...], 'NotEquals' => ['<string>', ...], ], // ... ], ], 'MaxResults' => <integer>, 'NextToken' => '<string>', 'SortCriteria' => [ 'AttributeName' => '<string>', 'OrderBy' => 'ASC|DESC', ], ]);
Parameter Details
Members
- DetectorId
-
- Required: Yes
- Type: string
The ID of the detector that specifies the GuardDuty service whose findings you want to list.
To find the
detectorId
in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API. - FindingCriteria
-
- Type: FindingCriteria structure
Represents the criteria used for querying findings. Valid values include:
-
JSON field name
-
accountId
-
region
-
confidence
-
id
-
resource.accessKeyDetails.accessKeyId
-
resource.accessKeyDetails.principalId
-
resource.accessKeyDetails.userName
-
resource.accessKeyDetails.userType
-
resource.instanceDetails.iamInstanceProfile.id
-
resource.instanceDetails.imageId
-
resource.instanceDetails.instanceId
-
resource.instanceDetails.networkInterfaces.ipv6Addresses
-
resource.instanceDetails.networkInterfaces.privateIpAddresses.privateIpAddress
-
resource.instanceDetails.networkInterfaces.publicDnsName
-
resource.instanceDetails.networkInterfaces.publicIp
-
resource.instanceDetails.networkInterfaces.securityGroups.groupId
-
resource.instanceDetails.networkInterfaces.securityGroups.groupName
-
resource.instanceDetails.networkInterfaces.subnetId
-
resource.instanceDetails.networkInterfaces.vpcId
-
resource.instanceDetails.tags.key
-
resource.instanceDetails.tags.value
-
resource.resourceType
-
service.action.actionType
-
service.action.awsApiCallAction.api
-
service.action.awsApiCallAction.callerType
-
service.action.awsApiCallAction.remoteIpDetails.city.cityName
-
service.action.awsApiCallAction.remoteIpDetails.country.countryName
-
service.action.awsApiCallAction.remoteIpDetails.ipAddressV4
-
service.action.awsApiCallAction.remoteIpDetails.organization.asn
-
service.action.awsApiCallAction.remoteIpDetails.organization.asnOrg
-
service.action.awsApiCallAction.serviceName
-
service.action.dnsRequestAction.domain
-
service.action.dnsRequestAction.domainWithSuffix
-
service.action.networkConnectionAction.blocked
-
service.action.networkConnectionAction.connectionDirection
-
service.action.networkConnectionAction.localPortDetails.port
-
service.action.networkConnectionAction.protocol
-
service.action.networkConnectionAction.remoteIpDetails.country.countryName
-
service.action.networkConnectionAction.remoteIpDetails.ipAddressV4
-
service.action.networkConnectionAction.remoteIpDetails.organization.asn
-
service.action.networkConnectionAction.remoteIpDetails.organization.asnOrg
-
service.action.networkConnectionAction.remotePortDetails.port
-
service.additionalInfo.threatListName
-
service.archived
When this attribute is set to 'true', only archived findings are listed. When it's set to 'false', only unarchived findings are listed. When this attribute is not set, all existing findings are listed.
-
service.ebsVolumeScanDetails.scanId
-
service.resourceRole
-
severity
-
type
-
updatedAt
Type: Timestamp in Unix Epoch millisecond format: 1486685375000
- MaxResults
-
- Type: int
You can use this parameter to indicate the maximum number of items you want in the response. The default value is 50. The maximum value is 50.
- NextToken
-
- Type: string
You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.
- SortCriteria
-
- Type: SortCriteria structure
Represents the criteria used for sorting findings.
Result Syntax
[ 'FindingIds' => ['<string>', ...], 'NextToken' => '<string>', ]
Result Details
Members
- FindingIds
-
- Required: Yes
- Type: Array of strings
The IDs of the findings that you're listing.
- NextToken
-
- Type: string
The pagination parameter to be used on the next list operation to retrieve more items.
Errors
- BadRequestException:
A bad request exception object.
- InternalServerErrorException:
An internal server error exception object.
ListIPSets
$result = $client->listIPSets
([/* ... */]); $promise = $client->listIPSetsAsync
([/* ... */]);
Lists the IPSets of the GuardDuty service specified by the detector ID. If you use this operation from a member account, the IPSets returned are the IPSets from the associated administrator account.
Parameter Syntax
$result = $client->listIPSets([ 'DetectorId' => '<string>', // REQUIRED 'MaxResults' => <integer>, 'NextToken' => '<string>', ]);
Parameter Details
Members
- DetectorId
-
- Required: Yes
- Type: string
The unique ID of the detector that is associated with IPSet.
To find the
detectorId
in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API. - MaxResults
-
- Type: int
You can use this parameter to indicate the maximum number of items you want in the response. The default value is 50. The maximum value is 50.
- NextToken
-
- Type: string
You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.
Result Syntax
[ 'IpSetIds' => ['<string>', ...], 'NextToken' => '<string>', ]
Result Details
Members
- IpSetIds
-
- Required: Yes
- Type: Array of strings
The IDs of the IPSet resources.
- NextToken
-
- Type: string
The pagination parameter to be used on the next list operation to retrieve more items.
Errors
- BadRequestException:
A bad request exception object.
- InternalServerErrorException:
An internal server error exception object.
ListInvitations
$result = $client->listInvitations
([/* ... */]); $promise = $client->listInvitationsAsync
([/* ... */]);
Lists all GuardDuty membership invitations that were sent to the current Amazon Web Services account.
Parameter Syntax
$result = $client->listInvitations([ 'MaxResults' => <integer>, 'NextToken' => '<string>', ]);
Parameter Details
Members
- MaxResults
-
- Type: int
You can use this parameter to indicate the maximum number of items that you want in the response. The default value is 50. The maximum value is 50.
- NextToken
-
- Type: string
You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.
Result Syntax
[ 'Invitations' => [ [ 'AccountId' => '<string>', 'InvitationId' => '<string>', 'InvitedAt' => '<string>', 'RelationshipStatus' => '<string>', ], // ... ], 'NextToken' => '<string>', ]
Result Details
Members
- Invitations
-
- Type: Array of Invitation structures
A list of invitation descriptions.
- NextToken
-
- Type: string
The pagination parameter to be used on the next list operation to retrieve more items.
Errors
- BadRequestException:
A bad request exception object.
- InternalServerErrorException:
An internal server error exception object.
ListMalwareProtectionPlans
$result = $client->listMalwareProtectionPlans
([/* ... */]); $promise = $client->listMalwareProtectionPlansAsync
([/* ... */]);
Lists the Malware Protection plan IDs associated with the protected resources in your Amazon Web Services account.
Parameter Syntax
$result = $client->listMalwareProtectionPlans([ 'NextToken' => '<string>', ]);
Parameter Details
Members
- NextToken
-
- Type: string
You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of
NextToken
from the previous response to continue listing data.
Result Syntax
[ 'MalwareProtectionPlans' => [ [ 'MalwareProtectionPlanId' => '<string>', ], // ... ], 'NextToken' => '<string>', ]
Result Details
Members
- MalwareProtectionPlans
-
- Type: Array of MalwareProtectionPlanSummary structures
A list of unique identifiers associated with each Malware Protection plan.
- NextToken
-
- Type: string
You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of
NextToken
from the previous response to continue listing data.
Errors
- BadRequestException:
A bad request exception object.
- AccessDeniedException:
An access denied exception object.
- InternalServerErrorException:
An internal server error exception object.
ListMembers
$result = $client->listMembers
([/* ... */]); $promise = $client->listMembersAsync
([/* ... */]);
Lists details about all member accounts for the current GuardDuty administrator account.
Parameter Syntax
$result = $client->listMembers([ 'DetectorId' => '<string>', // REQUIRED 'MaxResults' => <integer>, 'NextToken' => '<string>', 'OnlyAssociated' => '<string>', ]);
Parameter Details
Members
- DetectorId
-
- Required: Yes
- Type: string
The unique ID of the detector that is associated with the member.
To find the
detectorId
in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API. - MaxResults
-
- Type: int
You can use this parameter to indicate the maximum number of items you want in the response. The default value is 50. The maximum value is 50.
- NextToken
-
- Type: string
You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.
- OnlyAssociated
-
- Type: string
Specifies whether to only return associated members or to return all members (including members who haven't been invited yet or have been disassociated). Member accounts must have been previously associated with the GuardDuty administrator account using
Create Members
.
Result Syntax
[ 'Members' => [ [ 'AccountId' => '<string>', 'AdministratorId' => '<string>', 'DetectorId' => '<string>', 'Email' => '<string>', 'InvitedAt' => '<string>', 'MasterId' => '<string>', 'RelationshipStatus' => '<string>', 'UpdatedAt' => '<string>', ], // ... ], 'NextToken' => '<string>', ]
Result Details
Members
- Members
-
- Type: Array of Member structures
A list of members.
The values for
email
andinvitedAt
are available only if the member accounts are added by invitation. - NextToken
-
- Type: string
The pagination parameter to be used on the next list operation to retrieve more items.
Errors
- BadRequestException:
A bad request exception object.
- InternalServerErrorException:
An internal server error exception object.
ListOrganizationAdminAccounts
$result = $client->listOrganizationAdminAccounts
([/* ... */]); $promise = $client->listOrganizationAdminAccountsAsync
([/* ... */]);
Lists the accounts designated as GuardDuty delegated administrators. Only the organization's management account can run this API operation.
Parameter Syntax
$result = $client->listOrganizationAdminAccounts([ 'MaxResults' => <integer>, 'NextToken' => '<string>', ]);
Parameter Details
Members
- MaxResults
-
- Type: int
The maximum number of results to return in the response.
- NextToken
-
- Type: string
A token to use for paginating results that are returned in the response. Set the value of this parameter to null for the first request to a list action. For subsequent calls, use the
NextToken
value returned from the previous request to continue listing results after the first page.
Result Syntax
[ 'AdminAccounts' => [ [ 'AdminAccountId' => '<string>', 'AdminStatus' => 'ENABLED|DISABLE_IN_PROGRESS', ], // ... ], 'NextToken' => '<string>', ]
Result Details
Members
- AdminAccounts
-
- Type: Array of AdminAccount structures
A list of accounts configured as GuardDuty delegated administrators.
- NextToken
-
- Type: string
The pagination parameter to be used on the next list operation to retrieve more items.
Errors
- BadRequestException:
A bad request exception object.
- InternalServerErrorException:
An internal server error exception object.
ListPublishingDestinations
$result = $client->listPublishingDestinations
([/* ... */]); $promise = $client->listPublishingDestinationsAsync
([/* ... */]);
Returns a list of publishing destinations associated with the specified detectorId
.
Parameter Syntax
$result = $client->listPublishingDestinations([ 'DetectorId' => '<string>', // REQUIRED 'MaxResults' => <integer>, 'NextToken' => '<string>', ]);
Parameter Details
Members
- DetectorId
-
- Required: Yes
- Type: string
The detector ID for which you want to retrieve the publishing destination.
To find the
detectorId
in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API. - MaxResults
-
- Type: int
The maximum number of results to return in the response.
- NextToken
-
- Type: string
A token to use for paginating results that are returned in the response. Set the value of this parameter to null for the first request to a list action. For subsequent calls, use the
NextToken
value returned from the previous request to continue listing results after the first page.
Result Syntax
[ 'Destinations' => [ [ 'DestinationId' => '<string>', 'DestinationType' => 'S3', 'Status' => 'PENDING_VERIFICATION|PUBLISHING|UNABLE_TO_PUBLISH_FIX_DESTINATION_PROPERTY|STOPPED', ], // ... ], 'NextToken' => '<string>', ]
Result Details
Members
- Destinations
-
- Required: Yes
- Type: Array of Destination structures
A
Destinations
object that includes information about each publishing destination returned. - NextToken
-
- Type: string
A token to use for paginating results that are returned in the response. Set the value of this parameter to null for the first request to a list action. For subsequent calls, use the
NextToken
value returned from the previous request to continue listing results after the first page.
Errors
- BadRequestException:
A bad request exception object.
- InternalServerErrorException:
An internal server error exception object.
ListTagsForResource
$result = $client->listTagsForResource
([/* ... */]); $promise = $client->listTagsForResourceAsync
([/* ... */]);
Lists tags for a resource. Tagging is currently supported for detectors, finding filters, IP sets, threat intel sets, and publishing destination, with a limit of 50 tags per resource. When invoked, this operation returns all assigned tags for a given resource.
Parameter Syntax
$result = $client->listTagsForResource([ 'ResourceArn' => '<string>', // REQUIRED ]);
Parameter Details
Members
- ResourceArn
-
- Required: Yes
- Type: string
The Amazon Resource Name (ARN) for the given GuardDuty resource.
Result Syntax
[ 'Tags' => ['<string>', ...], ]
Result Details
Members
- Tags
-
- Type: Associative array of custom strings keys (TagKey) to strings
The tags associated with the resource.
Errors
- BadRequestException:
A bad request exception object.
- AccessDeniedException:
An access denied exception object.
- InternalServerErrorException:
An internal server error exception object.
ListThreatIntelSets
$result = $client->listThreatIntelSets
([/* ... */]); $promise = $client->listThreatIntelSetsAsync
([/* ... */]);
Lists the ThreatIntelSets of the GuardDuty service specified by the detector ID. If you use this operation from a member account, the ThreatIntelSets associated with the administrator account are returned.
Parameter Syntax
$result = $client->listThreatIntelSets([ 'DetectorId' => '<string>', // REQUIRED 'MaxResults' => <integer>, 'NextToken' => '<string>', ]);
Parameter Details
Members
- DetectorId
-
- Required: Yes
- Type: string
The unique ID of the detector that is associated with the threatIntelSet.
To find the
detectorId
in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API. - MaxResults
-
- Type: int
You can use this parameter to indicate the maximum number of items that you want in the response. The default value is 50. The maximum value is 50.
- NextToken
-
- Type: string
You can use this parameter to paginate results in the response. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.
Result Syntax
[ 'NextToken' => '<string>', 'ThreatIntelSetIds' => ['<string>', ...], ]
Result Details
Members
- NextToken
-
- Type: string
The pagination parameter to be used on the next list operation to retrieve more items.
- ThreatIntelSetIds
-
- Required: Yes
- Type: Array of strings
The IDs of the ThreatIntelSet resources.
Errors
- BadRequestException:
A bad request exception object.
- InternalServerErrorException:
An internal server error exception object.
StartMalwareScan
$result = $client->startMalwareScan
([/* ... */]); $promise = $client->startMalwareScanAsync
([/* ... */]);
Initiates the malware scan. Invoking this API will automatically create the Service-linked role in the corresponding account.
When the malware scan starts, you can use the associated scan ID to track the status of the scan. For more information, see DescribeMalwareScans.
Parameter Syntax
$result = $client->startMalwareScan([ 'ResourceArn' => '<string>', // REQUIRED ]);
Parameter Details
Members
- ResourceArn
-
- Required: Yes
- Type: string
Amazon Resource Name (ARN) of the resource for which you invoked the API.
Result Syntax
[ 'ScanId' => '<string>', ]
Result Details
Members
- ScanId
-
- Type: string
A unique identifier that gets generated when you invoke the API without any error. Each malware scan has a corresponding scan ID. Using this scan ID, you can monitor the status of your malware scan.
Errors
- BadRequestException:
A bad request exception object.
- ConflictException:
A request conflict exception object.
- InternalServerErrorException:
An internal server error exception object.
StartMonitoringMembers
$result = $client->startMonitoringMembers
([/* ... */]); $promise = $client->startMonitoringMembersAsync
([/* ... */]);
Turns on GuardDuty monitoring of the specified member accounts. Use this operation to restart monitoring of accounts that you stopped monitoring with the StopMonitoringMembers operation.
Parameter Syntax
$result = $client->startMonitoringMembers([ 'AccountIds' => ['<string>', ...], // REQUIRED 'DetectorId' => '<string>', // REQUIRED ]);
Parameter Details
Members
- AccountIds
-
- Required: Yes
- Type: Array of strings
A list of account IDs of the GuardDuty member accounts to start monitoring.
- DetectorId
-
- Required: Yes
- Type: string
The unique ID of the detector of the GuardDuty administrator account associated with the member accounts to monitor.
To find the
detectorId
in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
Result Syntax
[ 'UnprocessedAccounts' => [ [ 'AccountId' => '<string>', 'Result' => '<string>', ], // ... ], ]
Result Details
Members
- UnprocessedAccounts
-
- Required: Yes
- Type: Array of UnprocessedAccount structures
A list of objects that contain the unprocessed account and a result string that explains why it was unprocessed.
Errors
- BadRequestException:
A bad request exception object.
- InternalServerErrorException:
An internal server error exception object.
StopMonitoringMembers
$result = $client->stopMonitoringMembers
([/* ... */]); $promise = $client->stopMonitoringMembersAsync
([/* ... */]);
Stops GuardDuty monitoring for the specified member accounts. Use the StartMonitoringMembers
operation to restart monitoring for those accounts.
With autoEnableOrganizationMembers
configuration for your organization set to ALL
, you'll receive an error if you attempt to stop monitoring the member accounts in your organization.
Parameter Syntax
$result = $client->stopMonitoringMembers([ 'AccountIds' => ['<string>', ...], // REQUIRED 'DetectorId' => '<string>', // REQUIRED ]);
Parameter Details
Members
- AccountIds
-
- Required: Yes
- Type: Array of strings
A list of account IDs for the member accounts to stop monitoring.
- DetectorId
-
- Required: Yes
- Type: string
The unique ID of the detector associated with the GuardDuty administrator account that is monitoring member accounts.
To find the
detectorId
in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
Result Syntax
[ 'UnprocessedAccounts' => [ [ 'AccountId' => '<string>', 'Result' => '<string>', ], // ... ], ]
Result Details
Members
- UnprocessedAccounts
-
- Required: Yes
- Type: Array of UnprocessedAccount structures
A list of objects that contain an accountId for each account that could not be processed, and a result string that indicates why the account was not processed.
Errors
- BadRequestException:
A bad request exception object.
- InternalServerErrorException:
An internal server error exception object.
TagResource
$result = $client->tagResource
([/* ... */]); $promise = $client->tagResourceAsync
([/* ... */]);
Adds tags to a resource.
Parameter Syntax
$result = $client->tagResource([ 'ResourceArn' => '<string>', // REQUIRED 'Tags' => ['<string>', ...], // REQUIRED ]);
Parameter Details
Members
- ResourceArn
-
- Required: Yes
- Type: string
The Amazon Resource Name (ARN) for the GuardDuty resource to apply a tag to.
- Tags
-
- Required: Yes
- Type: Associative array of custom strings keys (TagKey) to strings
The tags to be added to a resource.
Result Syntax
[]
Result Details
Errors
- BadRequestException:
A bad request exception object.
- AccessDeniedException:
An access denied exception object.
- InternalServerErrorException:
An internal server error exception object.
UnarchiveFindings
$result = $client->unarchiveFindings
([/* ... */]); $promise = $client->unarchiveFindingsAsync
([/* ... */]);
Unarchives GuardDuty findings specified by the findingIds
.
Parameter Syntax
$result = $client->unarchiveFindings([ 'DetectorId' => '<string>', // REQUIRED 'FindingIds' => ['<string>', ...], // REQUIRED ]);
Parameter Details
Members
- DetectorId
-
- Required: Yes
- Type: string
The ID of the detector associated with the findings to unarchive.
To find the
detectorId
in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API. - FindingIds
-
- Required: Yes
- Type: Array of strings
The IDs of the findings to unarchive.
Result Syntax
[]
Result Details
Errors
- BadRequestException:
A bad request exception object.
- InternalServerErrorException:
An internal server error exception object.
UntagResource
$result = $client->untagResource
([/* ... */]); $promise = $client->untagResourceAsync
([/* ... */]);
Removes tags from a resource.
Parameter Syntax
$result = $client->untagResource([ 'ResourceArn' => '<string>', // REQUIRED 'TagKeys' => ['<string>', ...], // REQUIRED ]);
Parameter Details
Members
- ResourceArn
-
- Required: Yes
- Type: string
The Amazon Resource Name (ARN) for the resource to remove tags from.
- TagKeys
-
- Required: Yes
- Type: Array of strings
The tag keys to remove from the resource.
Result Syntax
[]
Result Details
Errors
- BadRequestException:
A bad request exception object.
- AccessDeniedException:
An access denied exception object.
- InternalServerErrorException:
An internal server error exception object.
UpdateDetector
$result = $client->updateDetector
([/* ... */]); $promise = $client->updateDetectorAsync
([/* ... */]);
Updates the GuardDuty detector specified by the detector ID.
Specifying both EKS Runtime Monitoring (EKS_RUNTIME_MONITORING
) and Runtime Monitoring (RUNTIME_MONITORING
) will cause an error. You can add only one of these two features because Runtime Monitoring already includes the threat detection for Amazon EKS resources. For more information, see Runtime Monitoring.
There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints.
Parameter Syntax
$result = $client->updateDetector([ 'DataSources' => [ 'Kubernetes' => [ 'AuditLogs' => [ // REQUIRED 'Enable' => true || false, // REQUIRED ], ], 'MalwareProtection' => [ 'ScanEc2InstanceWithFindings' => [ 'EbsVolumes' => true || false, ], ], 'S3Logs' => [ 'Enable' => true || false, // REQUIRED ], ], 'DetectorId' => '<string>', // REQUIRED 'Enable' => true || false, 'Features' => [ [ 'AdditionalConfiguration' => [ [ 'Name' => 'EKS_ADDON_MANAGEMENT|ECS_FARGATE_AGENT_MANAGEMENT|EC2_AGENT_MANAGEMENT', 'Status' => 'ENABLED|DISABLED', ], // ... ], 'Name' => 'S3_DATA_EVENTS|EKS_AUDIT_LOGS|EBS_MALWARE_PROTECTION|RDS_LOGIN_EVENTS|EKS_RUNTIME_MONITORING|LAMBDA_NETWORK_LOGS|RUNTIME_MONITORING', 'Status' => 'ENABLED|DISABLED', ], // ... ], 'FindingPublishingFrequency' => 'FIFTEEN_MINUTES|ONE_HOUR|SIX_HOURS', ]);
Parameter Details
Members
- DataSources
-
- Type: DataSourceConfigurations structure
Describes which data sources will be updated.
There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints.
- DetectorId
-
- Required: Yes
- Type: string
The unique ID of the detector to update.
To find the
detectorId
in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API. - Enable
-
- Type: boolean
Specifies whether the detector is enabled or not enabled.
- Features
-
- Type: Array of DetectorFeatureConfiguration structures
Provides the features that will be updated for the detector.
- FindingPublishingFrequency
-
- Type: string
An enum value that specifies how frequently findings are exported, such as to CloudWatch Events.
Result Syntax
[]
Result Details
Errors
- BadRequestException:
A bad request exception object.
- InternalServerErrorException:
An internal server error exception object.
UpdateFilter
$result = $client->updateFilter
([/* ... */]); $promise = $client->updateFilterAsync
([/* ... */]);
Updates the filter specified by the filter name.
Parameter Syntax
$result = $client->updateFilter([ 'Action' => 'NOOP|ARCHIVE', 'Description' => '<string>', 'DetectorId' => '<string>', // REQUIRED 'FilterName' => '<string>', // REQUIRED 'FindingCriteria' => [ 'Criterion' => [ '<String>' => [ 'Eq' => ['<string>', ...], 'Equals' => ['<string>', ...], 'GreaterThan' => <integer>, 'GreaterThanOrEqual' => <integer>, 'Gt' => <integer>, 'Gte' => <integer>, 'LessThan' => <integer>, 'LessThanOrEqual' => <integer>, 'Lt' => <integer>, 'Lte' => <integer>, 'Neq' => ['<string>', ...], 'NotEquals' => ['<string>', ...], ], // ... ], ], 'Rank' => <integer>, ]);
Parameter Details
Members
- Action
-
- Type: string
Specifies the action that is to be applied to the findings that match the filter.
- Description
-
- Type: string
The description of the filter. Valid characters include alphanumeric characters, and special characters such as hyphen, period, colon, underscore, parentheses (
{ }
,[ ]
, and( )
), forward slash, horizontal tab, vertical tab, newline, form feed, return, and whitespace. - DetectorId
-
- Required: Yes
- Type: string
The unique ID of the detector that specifies the GuardDuty service where you want to update a filter.
To find the
detectorId
in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API. - FilterName
-
- Required: Yes
- Type: string
The name of the filter.
- FindingCriteria
-
- Type: FindingCriteria structure
Represents the criteria to be used in the filter for querying findings.
- Rank
-
- Type: int
Specifies the position of the filter in the list of current filters. Also specifies the order in which this filter is applied to the findings.
Result Syntax
[ 'Name' => '<string>', ]
Result Details
Members
- Name
-
- Required: Yes
- Type: string
The name of the filter.
Errors
- BadRequestException:
A bad request exception object.
- InternalServerErrorException:
An internal server error exception object.
UpdateFindingsFeedback
$result = $client->updateFindingsFeedback
([/* ... */]); $promise = $client->updateFindingsFeedbackAsync
([/* ... */]);
Marks the specified GuardDuty findings as useful or not useful.
Parameter Syntax
$result = $client->updateFindingsFeedback([ 'Comments' => '<string>', 'DetectorId' => '<string>', // REQUIRED 'Feedback' => 'USEFUL|NOT_USEFUL', // REQUIRED 'FindingIds' => ['<string>', ...], // REQUIRED ]);
Parameter Details
Members
- Comments
-
- Type: string
Additional feedback about the GuardDuty findings.
- DetectorId
-
- Required: Yes
- Type: string
The ID of the detector that is associated with the findings for which you want to update the feedback.
To find the
detectorId
in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API. - Feedback
-
- Required: Yes
- Type: string
The feedback for the finding.
- FindingIds
-
- Required: Yes
- Type: Array of strings
The IDs of the findings that you want to mark as useful or not useful.
Result Syntax
[]
Result Details
Errors
- BadRequestException:
A bad request exception object.
- InternalServerErrorException:
An internal server error exception object.
UpdateIPSet
$result = $client->updateIPSet
([/* ... */]); $promise = $client->updateIPSetAsync
([/* ... */]);
Updates the IPSet specified by the IPSet ID.
Parameter Syntax
$result = $client->updateIPSet([ 'Activate' => true || false, 'DetectorId' => '<string>', // REQUIRED 'IpSetId' => '<string>', // REQUIRED 'Location' => '<string>', 'Name' => '<string>', ]);
Parameter Details
Members
- Activate
-
- Type: boolean
The updated Boolean value that specifies whether the IPSet is active or not.
- DetectorId
-
- Required: Yes
- Type: string
The detectorID that specifies the GuardDuty service whose IPSet you want to update.
To find the
detectorId
in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API. - IpSetId
-
- Required: Yes
- Type: string
The unique ID that specifies the IPSet that you want to update.
- Location
-
- Type: string
The updated URI of the file that contains the IPSet.
- Name
-
- Type: string
The unique ID that specifies the IPSet that you want to update.
Result Syntax
[]
Result Details
Errors
- BadRequestException:
A bad request exception object.
- InternalServerErrorException:
An internal server error exception object.
UpdateMalwareProtectionPlan
$result = $client->updateMalwareProtectionPlan
([/* ... */]); $promise = $client->updateMalwareProtectionPlanAsync
([/* ... */]);
Updates an existing Malware Protection plan resource.
Parameter Syntax
$result = $client->updateMalwareProtectionPlan([ 'Actions' => [ 'Tagging' => [ 'Status' => 'ENABLED|DISABLED', ], ], 'MalwareProtectionPlanId' => '<string>', // REQUIRED 'ProtectedResource' => [ 'S3Bucket' => [ 'ObjectPrefixes' => ['<string>', ...], ], ], 'Role' => '<string>', ]);
Parameter Details
Members
- Actions
-
- Type: MalwareProtectionPlanActions structure
Information about whether the tags will be added to the S3 object after scanning.
- MalwareProtectionPlanId
-
- Required: Yes
- Type: string
A unique identifier associated with the Malware Protection plan.
- ProtectedResource
-
- Type: UpdateProtectedResource structure
Information about the protected resource that is associated with the created Malware Protection plan. Presently,
S3Bucket
is the only supported protected resource. - Role
-
- Type: string
Amazon Resource Name (ARN) of the IAM role with permissions to scan and add tags to the associated protected resource.
Result Syntax
[]
Result Details
Errors
- BadRequestException:
A bad request exception object.
- AccessDeniedException:
An access denied exception object.
- ResourceNotFoundException:
The requested resource can't be found.
- InternalServerErrorException:
An internal server error exception object.
UpdateMalwareScanSettings
$result = $client->updateMalwareScanSettings
([/* ... */]); $promise = $client->updateMalwareScanSettingsAsync
([/* ... */]);
Updates the malware scan settings.
There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints.
Parameter Syntax
$result = $client->updateMalwareScanSettings([ 'DetectorId' => '<string>', // REQUIRED 'EbsSnapshotPreservation' => 'NO_RETENTION|RETENTION_WITH_FINDING', 'ScanResourceCriteria' => [ 'Exclude' => [ '<ScanCriterionKey>' => [ 'MapEquals' => [ // REQUIRED [ 'Key' => '<string>', // REQUIRED 'Value' => '<string>', ], // ... ], ], // ... ], 'Include' => [ '<ScanCriterionKey>' => [ 'MapEquals' => [ // REQUIRED [ 'Key' => '<string>', // REQUIRED 'Value' => '<string>', ], // ... ], ], // ... ], ], ]);
Parameter Details
Members
- DetectorId
-
- Required: Yes
- Type: string
The unique ID of the detector that specifies the GuardDuty service where you want to update scan settings.
To find the
detectorId
in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API. - EbsSnapshotPreservation
-
- Type: string
An enum value representing possible snapshot preservation settings.
- ScanResourceCriteria
-
- Type: ScanResourceCriteria structure
Represents the criteria to be used in the filter for selecting resources to scan.
Result Syntax
[]
Result Details
Errors
- BadRequestException:
A bad request exception object.
- InternalServerErrorException:
An internal server error exception object.
UpdateMemberDetectors
$result = $client->updateMemberDetectors
([/* ... */]); $promise = $client->updateMemberDetectorsAsync
([/* ... */]);
Contains information on member accounts to be updated.
Specifying both EKS Runtime Monitoring (EKS_RUNTIME_MONITORING
) and Runtime Monitoring (RUNTIME_MONITORING
) will cause an error. You can add only one of these two features because Runtime Monitoring already includes the threat detection for Amazon EKS resources. For more information, see Runtime Monitoring.
There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints.
Parameter Syntax
$result = $client->updateMemberDetectors([ 'AccountIds' => ['<string>', ...], // REQUIRED 'DataSources' => [ 'Kubernetes' => [ 'AuditLogs' => [ // REQUIRED 'Enable' => true || false, // REQUIRED ], ], 'MalwareProtection' => [ 'ScanEc2InstanceWithFindings' => [ 'EbsVolumes' => true || false, ], ], 'S3Logs' => [ 'Enable' => true || false, // REQUIRED ], ], 'DetectorId' => '<string>', // REQUIRED 'Features' => [ [ 'AdditionalConfiguration' => [ [ 'Name' => 'EKS_ADDON_MANAGEMENT|ECS_FARGATE_AGENT_MANAGEMENT|EC2_AGENT_MANAGEMENT', 'Status' => 'ENABLED|DISABLED', ], // ... ], 'Name' => 'S3_DATA_EVENTS|EKS_AUDIT_LOGS|EBS_MALWARE_PROTECTION|RDS_LOGIN_EVENTS|EKS_RUNTIME_MONITORING|LAMBDA_NETWORK_LOGS|RUNTIME_MONITORING', 'Status' => 'ENABLED|DISABLED', ], // ... ], ]);
Parameter Details
Members
- AccountIds
-
- Required: Yes
- Type: Array of strings
A list of member account IDs to be updated.
- DataSources
-
- Type: DataSourceConfigurations structure
Describes which data sources will be updated.
- DetectorId
-
- Required: Yes
- Type: string
The detector ID of the administrator account.
To find the
detectorId
in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API. - Features
-
- Type: Array of MemberFeaturesConfiguration structures
A list of features that will be updated for the specified member accounts.
Result Syntax
[ 'UnprocessedAccounts' => [ [ 'AccountId' => '<string>', 'Result' => '<string>', ], // ... ], ]
Result Details
Members
- UnprocessedAccounts
-
- Required: Yes
- Type: Array of UnprocessedAccount structures
A list of member account IDs that were unable to be processed along with an explanation for why they were not processed.
Errors
- BadRequestException:
A bad request exception object.
- InternalServerErrorException:
An internal server error exception object.
UpdateOrganizationConfiguration
$result = $client->updateOrganizationConfiguration
([/* ... */]); $promise = $client->updateOrganizationConfigurationAsync
([/* ... */]);
Configures the delegated administrator account with the provided values. You must provide a value for either autoEnableOrganizationMembers
or autoEnable
, but not both.
Specifying both EKS Runtime Monitoring (EKS_RUNTIME_MONITORING
) and Runtime Monitoring (RUNTIME_MONITORING
) will cause an error. You can add only one of these two features because Runtime Monitoring already includes the threat detection for Amazon EKS resources. For more information, see Runtime Monitoring.
There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints.
Parameter Syntax
$result = $client->updateOrganizationConfiguration([ 'AutoEnable' => true || false, 'AutoEnableOrganizationMembers' => 'NEW|ALL|NONE', 'DataSources' => [ 'Kubernetes' => [ 'AuditLogs' => [ // REQUIRED 'AutoEnable' => true || false, // REQUIRED ], ], 'MalwareProtection' => [ 'ScanEc2InstanceWithFindings' => [ 'EbsVolumes' => [ 'AutoEnable' => true || false, ], ], ], 'S3Logs' => [ 'AutoEnable' => true || false, // REQUIRED ], ], 'DetectorId' => '<string>', // REQUIRED 'Features' => [ [ 'AdditionalConfiguration' => [ [ 'AutoEnable' => 'NEW|NONE|ALL', 'Name' => 'EKS_ADDON_MANAGEMENT|ECS_FARGATE_AGENT_MANAGEMENT|EC2_AGENT_MANAGEMENT', ], // ... ], 'AutoEnable' => 'NEW|NONE|ALL', 'Name' => 'S3_DATA_EVENTS|EKS_AUDIT_LOGS|EBS_MALWARE_PROTECTION|RDS_LOGIN_EVENTS|EKS_RUNTIME_MONITORING|LAMBDA_NETWORK_LOGS|RUNTIME_MONITORING', ], // ... ], ]);
Parameter Details
Members
- AutoEnable
-
- Type: boolean
Represents whether to automatically enable member accounts in the organization. This applies to only new member accounts, not the existing member accounts. When a new account joins the organization, the chosen features will be enabled for them by default.
Even though this is still supported, we recommend using
AutoEnableOrganizationMembers
to achieve the similar results. You must provide a value for eitherautoEnableOrganizationMembers
orautoEnable
. - AutoEnableOrganizationMembers
-
- Type: string
Indicates the auto-enablement configuration of GuardDuty for the member accounts in the organization. You must provide a value for either
autoEnableOrganizationMembers
orautoEnable
.Use one of the following configuration values for
autoEnableOrganizationMembers
:-
NEW
: Indicates that when a new account joins the organization, they will have GuardDuty enabled automatically. -
ALL
: Indicates that all accounts in the organization have GuardDuty enabled automatically. This includesNEW
accounts that join the organization and accounts that may have been suspended or removed from the organization in GuardDuty.It may take up to 24 hours to update the configuration for all the member accounts.
-
NONE
: Indicates that GuardDuty will not be automatically enabled for any account in the organization. The administrator must manage GuardDuty for each account in the organization individually.When you update the auto-enable setting from
ALL
orNEW
toNONE
, this action doesn't disable the corresponding option for your existing accounts. This configuration will apply to the new accounts that join the organization. After you update the auto-enable settings, no new account will have the corresponding option as enabled.
- DataSources
-
- Type: OrganizationDataSourceConfigurations structure
Describes which data sources will be updated.
- DetectorId
-
- Required: Yes
- Type: string
The ID of the detector that configures the delegated administrator.
To find the
detectorId
in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API. - Features
-
- Type: Array of OrganizationFeatureConfiguration structures
A list of features that will be configured for the organization.
Result Syntax
[]
Result Details
Errors
- BadRequestException:
A bad request exception object.
- InternalServerErrorException:
An internal server error exception object.
UpdatePublishingDestination
$result = $client->updatePublishingDestination
([/* ... */]); $promise = $client->updatePublishingDestinationAsync
([/* ... */]);
Updates information about the publishing destination specified by the destinationId
.
Parameter Syntax
$result = $client->updatePublishingDestination([ 'DestinationId' => '<string>', // REQUIRED 'DestinationProperties' => [ 'DestinationArn' => '<string>', 'KmsKeyArn' => '<string>', ], 'DetectorId' => '<string>', // REQUIRED ]);
Parameter Details
Members
- DestinationId
-
- Required: Yes
- Type: string
The ID of the publishing destination to update.
- DestinationProperties
-
- Type: DestinationProperties structure
A
DestinationProperties
object that includes theDestinationArn
andKmsKeyArn
of the publishing destination. - DetectorId
-
- Required: Yes
- Type: string
The ID of the detector associated with the publishing destinations to update.
To find the
detectorId
in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
Result Syntax
[]
Result Details
Errors
- BadRequestException:
A bad request exception object.
- InternalServerErrorException:
An internal server error exception object.
UpdateThreatIntelSet
$result = $client->updateThreatIntelSet
([/* ... */]); $promise = $client->updateThreatIntelSetAsync
([/* ... */]);
Updates the ThreatIntelSet specified by the ThreatIntelSet ID.
Parameter Syntax
$result = $client->updateThreatIntelSet([ 'Activate' => true || false, 'DetectorId' => '<string>', // REQUIRED 'Location' => '<string>', 'Name' => '<string>', 'ThreatIntelSetId' => '<string>', // REQUIRED ]);
Parameter Details
Members
- Activate
-
- Type: boolean
The updated Boolean value that specifies whether the ThreateIntelSet is active or not.
- DetectorId
-
- Required: Yes
- Type: string
The detectorID that specifies the GuardDuty service whose ThreatIntelSet you want to update.
To find the
detectorId
in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API. - Location
-
- Type: string
The updated URI of the file that contains the ThreateIntelSet.
- Name
-
- Type: string
The unique ID that specifies the ThreatIntelSet that you want to update.
- ThreatIntelSetId
-
- Required: Yes
- Type: string
The unique ID that specifies the ThreatIntelSet that you want to update.
Result Syntax
[]
Result Details
Errors
- BadRequestException:
A bad request exception object.
- InternalServerErrorException:
An internal server error exception object.
Shapes
AccessControlList
Description
Contains information on the current access control policies for the bucket.
Members
- AllowsPublicReadAccess
-
- Type: boolean
A value that indicates whether public read access for the bucket is enabled through an Access Control List (ACL).
- AllowsPublicWriteAccess
-
- Type: boolean
A value that indicates whether public write access for the bucket is enabled through an Access Control List (ACL).
AccessDeniedException
Description
An access denied exception object.
Members
- Message
-
- Type: string
The error message.
- Type
-
- Type: string
The error type.
AccessKey
Description
Contains information about the access keys.
Members
- PrincipalId
-
- Type: string
Principal ID of the user.
- UserName
-
- Type: string
Name of the user.
- UserType
-
- Type: string
Type of the user.
AccessKeyDetails
Description
Contains information about the access keys.
Members
- AccessKeyId
-
- Type: string
The access key ID of the user.
- PrincipalId
-
- Type: string
The principal ID of the user.
- UserName
-
- Type: string
The name of the user.
- UserType
-
- Type: string
The type of the user.
Account
Description
Contains information about the account.
Members
- Name
-
- Type: string
Name of the member's Amazon Web Services account.
- Uid
-
- Required: Yes
- Type: string
ID of the member's Amazon Web Services account
AccountDetail
Description
Contains information about the account.
Members
- AccountId
-
- Required: Yes
- Type: string
The member account ID.
-
- Required: Yes
- Type: string
The email address of the member account.
AccountFreeTrialInfo
Description
Provides details of the GuardDuty member account that uses a free trial service.
Members
- AccountId
-
- Type: string
The account identifier of the GuardDuty member account.
- DataSources
-
- Type: DataSourcesFreeTrial structure
Describes the data source enabled for the GuardDuty member account.
- Features
-
- Type: Array of FreeTrialFeatureConfigurationResult structures
A list of features enabled for the GuardDuty account.
AccountLevelPermissions
Description
Contains information about the account level permissions on the S3 bucket.
Members
- BlockPublicAccess
-
- Type: BlockPublicAccess structure
Describes the S3 Block Public Access settings of the bucket's parent account.
AccountStatistics
Description
Represents a list of map of accounts with the number of findings associated with each account.
Members
- AccountId
-
- Type: string
The ID of the Amazon Web Services account.
- LastGeneratedAt
-
- Type: timestamp (string|DateTime or anything parsable by strtotime)
The timestamp at which the finding for this account was last generated.
- TotalFindings
-
- Type: int
The total number of findings associated with an account.
Action
Description
Contains information about actions.
Members
- ActionType
-
- Type: string
The GuardDuty finding activity type.
- AwsApiCallAction
-
- Type: AwsApiCallAction structure
Information about the AWS_API_CALL action described in this finding.
- DnsRequestAction
-
- Type: DnsRequestAction structure
Information about the DNS_REQUEST action described in this finding.
- KubernetesApiCallAction
-
- Type: KubernetesApiCallAction structure
Information about the Kubernetes API call action described in this finding.
- KubernetesPermissionCheckedDetails
-
- Type: KubernetesPermissionCheckedDetails structure
Information whether the user has the permission to use a specific Kubernetes API.
- KubernetesRoleBindingDetails
-
- Type: KubernetesRoleBindingDetails structure
Information about the role binding that grants the permission defined in a Kubernetes role.
- KubernetesRoleDetails
-
- Type: KubernetesRoleDetails structure
Information about the Kubernetes role name and role type.
- NetworkConnectionAction
-
- Type: NetworkConnectionAction structure
Information about the NETWORK_CONNECTION action described in this finding.
- PortProbeAction
-
- Type: PortProbeAction structure
Information about the PORT_PROBE action described in this finding.
- RdsLoginAttemptAction
-
- Type: RdsLoginAttemptAction structure
Information about
RDS_LOGIN_ATTEMPT
action described in this finding.
Actor
Description
Information about the actors involved in an attack sequence.
Members
AddonDetails
Description
Information about the installed EKS add-on (GuardDuty security agent).
Members
- AddonStatus
-
- Type: string
Status of the installed EKS add-on.
- AddonVersion
-
- Type: string
Version of the installed EKS add-on.
AdminAccount
Description
The account within the organization specified as the GuardDuty delegated administrator.
Members
- AdminAccountId
-
- Type: string
The Amazon Web Services account ID for the account.
- AdminStatus
-
- Type: string
Indicates whether the account is enabled as the delegated administrator.
Administrator
Description
Contains information about the administrator account and invitation.
Members
- AccountId
-
- Type: string
The ID of the account used as the administrator account.
- InvitationId
-
- Type: string
The value that is used to validate the administrator account to the member account.
- InvitedAt
-
- Type: string
The timestamp when the invitation was sent.
- RelationshipStatus
-
- Type: string
The status of the relationship between the administrator and member accounts.
AgentDetails
Description
Information about the installed GuardDuty security agent.
Members
- Version
-
- Type: string
Version of the installed GuardDuty security agent.
Anomaly
Description
Contains information about the anomalies.
Members
- Profiles
-
- Type: Associative array of custom strings keys (String) to maps
Information about the types of profiles.
- Unusual
-
- Type: AnomalyUnusual structure
Information about the behavior of the anomalies.
AnomalyObject
Description
Contains information about the unusual anomalies.
Members
- Observations
-
- Type: Observations structure
The recorded value.
- ProfileSubtype
-
- Type: string
The frequency of the anomaly.
- ProfileType
-
- Type: string
The type of behavior of the profile.
AnomalyUnusual
Description
Contains information about the behavior of the anomaly that is new to GuardDuty.
Members
- Behavior
-
- Type: Associative array of custom strings keys (String) to AnomalyObject structuress
The behavior of the anomalous activity that caused GuardDuty to generate the finding.
AutonomousSystem
Description
Contains information about the Autonomous System (AS) associated with the network endpoints involved in an attack sequence.
Members
- Name
-
- Required: Yes
- Type: string
Name associated with the Autonomous System (AS).
- Number
-
- Required: Yes
- Type: int
The unique number that identifies the Autonomous System (AS).
AwsApiCallAction
Description
Contains information about the API action.
Members
- AffectedResources
-
- Type: Associative array of custom strings keys (String) to strings
The details of the Amazon Web Services account that made the API call. This field identifies the resources that were affected by this API call.
- Api
-
- Type: string
The Amazon Web Services API name.
- CallerType
-
- Type: string
The Amazon Web Services API caller type.
- DomainDetails
-
- Type: DomainDetails structure
The domain information for the Amazon Web Services API call.
- ErrorCode
-
- Type: string
The error code of the failed Amazon Web Services API action.
- RemoteAccountDetails
-
- Type: RemoteAccountDetails structure
The details of the Amazon Web Services account that made the API call. This field appears if the call was made from outside your account.
- RemoteIpDetails
-
- Type: RemoteIpDetails structure
The remote IP information of the connection that initiated the Amazon Web Services API call.
- ServiceName
-
- Type: string
The Amazon Web Services service name whose API was invoked.
- UserAgent
-
- Type: string
The agent through which the API request was made.
BadRequestException
Description
A bad request exception object.
Members
- Message
-
- Type: string
The error message.
- Type
-
- Type: string
The error type.
BlockPublicAccess
Description
Contains information on how the bucker owner's S3 Block Public Access settings are being applied to the S3 bucket. See S3 Block Public Access for more information.
Members
- BlockPublicAcls
-
- Type: boolean
Indicates if S3 Block Public Access is set to
BlockPublicAcls
. - BlockPublicPolicy
-
- Type: boolean
Indicates if S3 Block Public Access is set to
BlockPublicPolicy
. - IgnorePublicAcls
-
- Type: boolean
Indicates if S3 Block Public Access is set to
IgnorePublicAcls
. - RestrictPublicBuckets
-
- Type: boolean
Indicates if S3 Block Public Access is set to
RestrictPublicBuckets
.
BucketLevelPermissions
Description
Contains information about the bucket level permissions for the S3 bucket.
Members
- AccessControlList
-
- Type: AccessControlList structure
Contains information on how Access Control Policies are applied to the bucket.
- BlockPublicAccess
-
- Type: BlockPublicAccess structure
Contains information on which account level S3 Block Public Access settings are applied to the S3 bucket.
- BucketPolicy
-
- Type: BucketPolicy structure
Contains information on the bucket policies for the S3 bucket.
BucketPolicy
Description
Contains information on the current bucket policies for the S3 bucket.
Members
- AllowsPublicReadAccess
-
- Type: boolean
A value that indicates whether public read access for the bucket is enabled through a bucket policy.
- AllowsPublicWriteAccess
-
- Type: boolean
A value that indicates whether public write access for the bucket is enabled through a bucket policy.
City
Description
Contains information about the city associated with the IP address.
Members
- CityName
-
- Type: string
The city name of the remote IP address.
CloudTrailConfigurationResult
Description
Contains information on the status of CloudTrail as a data source for the detector.
Members
- Status
-
- Required: Yes
- Type: string
Describes whether CloudTrail is enabled as a data source for the detector.
Condition
Description
Contains information about the condition.
Members
- Eq
-
- Type: Array of strings
Represents the equal condition to be applied to a single field when querying for findings.
- Equals
-
- Type: Array of strings
Represents an equal condition to be applied to a single field when querying for findings.
- GreaterThan
-
- Type: long (int|float)
Represents a greater than condition to be applied to a single field when querying for findings.
- GreaterThanOrEqual
-
- Type: long (int|float)
Represents a greater than or equal condition to be applied to a single field when querying for findings.
- Gt
-
- Type: int
Represents a greater than condition to be applied to a single field when querying for findings.
- Gte
-
- Type: int
Represents a greater than or equal condition to be applied to a single field when querying for findings.
- LessThan
-
- Type: long (int|float)
Represents a less than condition to be applied to a single field when querying for findings.
- LessThanOrEqual
-
- Type: long (int|float)
Represents a less than or equal condition to be applied to a single field when querying for findings.
- Lt
-
- Type: int
Represents a less than condition to be applied to a single field when querying for findings.
- Lte
-
- Type: int
Represents a less than or equal condition to be applied to a single field when querying for findings.
- Neq
-
- Type: Array of strings
Represents the not equal condition to be applied to a single field when querying for findings.
- NotEquals
-
- Type: Array of strings
Represents a not equal condition to be applied to a single field when querying for findings.
ConflictException
Description
A request conflict exception object.
Members
- Message
-
- Type: string
The error message.
- Type
-
- Type: string
The error type.
Container
Description
Details of a container.
Members
- ContainerRuntime
-
- Type: string
The container runtime (such as, Docker or containerd) used to run the container.
- Id
-
- Type: string
Container ID.
- Image
-
- Type: string
Container image.
- ImagePrefix
-
- Type: string
Part of the image name before the last slash. For example, imagePrefix for public.ecr.aws/amazonlinux/amazonlinux:latest would be public.ecr.aws/amazonlinux. If the image name is relative and does not have a slash, this field is empty.
- Name
-
- Type: string
Container name.
- SecurityContext
-
- Type: SecurityContext structure
Container security context.
- VolumeMounts
-
- Type: Array of VolumeMount structures
Container volume mounts.
ContainerInstanceDetails
Description
Contains information about the Amazon EC2 instance that is running the Amazon ECS container.
Members
- CompatibleContainerInstances
-
- Type: long (int|float)
Represents total number of nodes in the Amazon ECS cluster.
- CoveredContainerInstances
-
- Type: long (int|float)
Represents the nodes in the Amazon ECS cluster that has a
HEALTHY
coverage status.
Country
Description
Contains information about the country where the remote IP address is located.
Members
- CountryCode
-
- Type: string
The country code of the remote IP address.
- CountryName
-
- Type: string
The country name of the remote IP address.
CoverageEc2InstanceDetails
Description
Contains information about the Amazon EC2 instance runtime coverage details.
Members
- AgentDetails
-
- Type: AgentDetails structure
Information about the installed security agent.
- ClusterArn
-
- Type: string
The cluster ARN of the Amazon ECS cluster running on the Amazon EC2 instance.
- InstanceId
-
- Type: string
The Amazon EC2 instance ID.
- InstanceType
-
- Type: string
The instance type of the Amazon EC2 instance.
- ManagementType
-
- Type: string
Indicates how the GuardDuty security agent is managed for this resource.
-
AUTO_MANAGED
indicates that GuardDuty deploys and manages updates for this resource. -
MANUAL
indicates that you are responsible to deploy, update, and manage the GuardDuty security agent updates for this resource.
The
DISABLED
status doesn't apply to Amazon EC2 instances and Amazon EKS clusters.
CoverageEcsClusterDetails
Description
Contains information about Amazon ECS cluster runtime coverage details.
Members
- ClusterName
-
- Type: string
The name of the Amazon ECS cluster.
- ContainerInstanceDetails
-
- Type: ContainerInstanceDetails structure
Information about the Amazon ECS container running on Amazon EC2 instance.
- FargateDetails
-
- Type: FargateDetails structure
Information about the Fargate details associated with the Amazon ECS cluster.
CoverageEksClusterDetails
Description
Information about the EKS cluster that has a coverage status.
Members
- AddonDetails
-
- Type: AddonDetails structure
Information about the installed EKS add-on.
- ClusterName
-
- Type: string
Name of the EKS cluster.
- CompatibleNodes
-
- Type: long (int|float)
Represents all the nodes within the EKS cluster in your account.
- CoveredNodes
-
- Type: long (int|float)
Represents the nodes within the EKS cluster that have a
HEALTHY
coverage status. - ManagementType
-
- Type: string
Indicates how the Amazon EKS add-on GuardDuty agent is managed for this EKS cluster.
AUTO_MANAGED
indicates GuardDuty deploys and manages updates for this resource.MANUAL
indicates that you are responsible to deploy, update, and manage the Amazon EKS add-on GuardDuty agent for this resource.
CoverageFilterCondition
Description
Represents a condition that when matched will be added to the response of the operation.
Members
- Equals
-
- Type: Array of strings
Represents an equal condition that is applied to a single field while retrieving the coverage details.
- NotEquals
-
- Type: Array of strings
Represents a not equal condition that is applied to a single field while retrieving the coverage details.
CoverageFilterCriteria
Description
Represents the criteria used in the filter.
Members
- FilterCriterion
-
- Type: Array of CoverageFilterCriterion structures
Represents a condition that when matched will be added to the response of the operation.
CoverageFilterCriterion
Description
Represents a condition that when matched will be added to the response of the operation.
Members
- CriterionKey
-
- Type: string
An enum value representing possible filter fields.
Replace the enum value
CLUSTER_NAME
withEKS_CLUSTER_NAME
.CLUSTER_NAME
has been deprecated. - FilterCondition
-
- Type: CoverageFilterCondition structure
Contains information about the condition.
CoverageResource
Description
Information about the resource of the GuardDuty account.
Members
- AccountId
-
- Type: string
The unique ID of the Amazon Web Services account.
- CoverageStatus
-
- Type: string
Represents the status of the EKS cluster coverage.
- DetectorId
-
- Type: string
The unique ID of the GuardDuty detector associated with the resource.
- Issue
-
- Type: string
Represents the reason why a coverage status was
UNHEALTHY
for the EKS cluster. - ResourceDetails
-
- Type: CoverageResourceDetails structure
Information about the resource for which the coverage statistics are retrieved.
- ResourceId
-
- Type: string
The unique ID of the resource.
- UpdatedAt
-
- Type: timestamp (string|DateTime or anything parsable by strtotime)
The timestamp at which the coverage details for the resource were last updated. This is in UTC format.
CoverageResourceDetails
Description
Information about the resource for each individual EKS cluster.
Members
- Ec2InstanceDetails
-
- Type: CoverageEc2InstanceDetails structure
Information about the Amazon EC2 instance assessed for runtime coverage.
- EcsClusterDetails
-
- Type: CoverageEcsClusterDetails structure
Information about the Amazon ECS cluster that is assessed for runtime coverage.
- EksClusterDetails
-
- Type: CoverageEksClusterDetails structure
EKS cluster details involved in the coverage statistics.
- ResourceType
-
- Type: string
The type of Amazon Web Services resource.
CoverageSortCriteria
Description
Information about the sorting criteria used in the coverage statistics.
Members
- AttributeName
-
- Type: string
Represents the field name used to sort the coverage details.
Replace the enum value
CLUSTER_NAME
withEKS_CLUSTER_NAME
.CLUSTER_NAME
has been deprecated. - OrderBy
-
- Type: string
The order in which the sorted findings are to be displayed.
CoverageStatistics
Description
Information about the coverage statistics for a resource.
Members
- CountByCoverageStatus
-
- Type: Associative array of custom strings keys (CoverageStatus) to long (int|float)s
Represents coverage statistics for EKS clusters aggregated by coverage status.
- CountByResourceType
-
- Type: Associative array of custom strings keys (ResourceType) to long (int|float)s
Represents coverage statistics for EKS clusters aggregated by resource type.
CreateProtectedResource
Description
Information about the protected resource that is associated with the created Malware Protection plan. Presently, S3Bucket
is the only supported protected resource.
Members
- S3Bucket
-
- Type: CreateS3BucketResource structure
Information about the protected S3 bucket resource.
CreateS3BucketResource
Description
Information about the protected S3 bucket resource.
Members
- BucketName
-
- Type: string
Name of the S3 bucket.
- ObjectPrefixes
-
- Type: Array of strings
Information about the specified object prefixes. The S3 object will be scanned only if it belongs to any of the specified object prefixes.
DNSLogsConfigurationResult
Description
Contains information on the status of DNS logs as a data source.
Members
- Status
-
- Required: Yes
- Type: string
Denotes whether DNS logs is enabled as a data source.
DataSourceConfigurations
Description
Contains information about which data sources are enabled.
Members
- Kubernetes
-
- Type: KubernetesConfiguration structure
Describes whether any Kubernetes logs are enabled as data sources.
- MalwareProtection
-
- Type: MalwareProtectionConfiguration structure
Describes whether Malware Protection is enabled as a data source.
- S3Logs
-
- Type: S3LogsConfiguration structure
Describes whether S3 data event logs are enabled as a data source.
DataSourceConfigurationsResult
Description
Contains information on the status of data sources for the detector.
Members
- CloudTrail
-
- Required: Yes
- Type: CloudTrailConfigurationResult structure
An object that contains information on the status of CloudTrail as a data source.
- DNSLogs
-
- Required: Yes
- Type: DNSLogsConfigurationResult structure
An object that contains information on the status of DNS logs as a data source.
- FlowLogs
-
- Required: Yes
- Type: FlowLogsConfigurationResult structure
An object that contains information on the status of VPC flow logs as a data source.
- Kubernetes
-
- Type: KubernetesConfigurationResult structure
An object that contains information on the status of all Kubernetes data sources.
- MalwareProtection
-
- Type: MalwareProtectionConfigurationResult structure
Describes the configuration of Malware Protection data sources.
- S3Logs
-
- Required: Yes
- Type: S3LogsConfigurationResult structure
An object that contains information on the status of S3 Data event logs as a data source.
DataSourceFreeTrial
Description
Contains information about which data sources are enabled for the GuardDuty member account.
Members
- FreeTrialDaysRemaining
-
- Type: int
A value that specifies the number of days left to use each enabled data source.
DataSourcesFreeTrial
Description
Contains information about which data sources are enabled for the GuardDuty member account.
Members
- CloudTrail
-
- Type: DataSourceFreeTrial structure
Describes whether any Amazon Web Services CloudTrail management event logs are enabled as data sources.
- DnsLogs
-
- Type: DataSourceFreeTrial structure
Describes whether any DNS logs are enabled as data sources.
- FlowLogs
-
- Type: DataSourceFreeTrial structure
Describes whether any VPC Flow logs are enabled as data sources.
- Kubernetes
-
- Type: KubernetesDataSourceFreeTrial structure
Describes whether any Kubernetes logs are enabled as data sources.
- MalwareProtection
-
- Type: MalwareProtectionDataSourceFreeTrial structure
Describes whether Malware Protection is enabled as a data source.
- S3Logs
-
- Type: DataSourceFreeTrial structure
Describes whether any S3 data event logs are enabled as data sources.
DateStatistics
Description
Represents list a map of dates with a count of total findings generated on each date.
Members
- Date
-
- Type: timestamp (string|DateTime or anything parsable by strtotime)
The timestamp when the total findings count is observed.
For example,
Date
would look like"2024-09-05T17:00:00-07:00"
whereasLastGeneratedAt
would look like 2024-09-05T17:12:29-07:00". - LastGeneratedAt
-
- Type: timestamp (string|DateTime or anything parsable by strtotime)
The timestamp at which the last finding in the findings count, was generated.
- Severity
-
- Type: double
The severity of the findings generated on each date.
- TotalFindings
-
- Type: int
The total number of findings that were generated per severity level on each date.
DefaultServerSideEncryption
Description
Contains information on the server side encryption method used in the S3 bucket. See S3 Server-Side Encryption for more information.
Members
- EncryptionType
-
- Type: string
The type of encryption used for objects within the S3 bucket.
- KmsMasterKeyArn
-
- Type: string
The Amazon Resource Name (ARN) of the KMS encryption key. Only available if the bucket
EncryptionType
isaws:kms
.
Destination
Description
Contains information about the publishing destination, including the ID, type, and status.
Members
- DestinationId
-
- Required: Yes
- Type: string
The unique ID of the publishing destination.
- DestinationType
-
- Required: Yes
- Type: string
The type of resource used for the publishing destination. Currently, only Amazon S3 buckets are supported.
- Status
-
- Required: Yes
- Type: string
The status of the publishing destination.
DestinationProperties
Description
Contains the Amazon Resource Name (ARN) of the resource to publish to, such as an S3 bucket, and the ARN of the KMS key to use to encrypt published findings.
Members
- DestinationArn
-
- Type: string
The ARN of the resource to publish to.
To specify an S3 bucket folder use the following format:
arn:aws:s3:::DOC-EXAMPLE-BUCKET/myFolder/
- KmsKeyArn
-
- Type: string
The ARN of the KMS key to use for encryption.
Detection
DetectorAdditionalConfiguration
Description
Information about the additional configuration for a feature in your GuardDuty account.
Members
- Name
-
- Type: string
Name of the additional configuration.
- Status
-
- Type: string
Status of the additional configuration.
DetectorAdditionalConfigurationResult
Description
Information about the additional configuration.
Members
- Name
-
- Type: string
Name of the additional configuration.
- Status
-
- Type: string
Status of the additional configuration.
- UpdatedAt
-
- Type: timestamp (string|DateTime or anything parsable by strtotime)
The timestamp at which the additional configuration was last updated. This is in UTC format.
DetectorFeatureConfiguration
Description
Contains information about a GuardDuty feature.
Specifying both EKS Runtime Monitoring (EKS_RUNTIME_MONITORING
) and Runtime Monitoring (RUNTIME_MONITORING
) will cause an error. You can add only one of these two features because Runtime Monitoring already includes the threat detection for Amazon EKS resources. For more information, see Runtime Monitoring.
Members
- AdditionalConfiguration
-
- Type: Array of DetectorAdditionalConfiguration structures
Additional configuration for a resource.
- Name
-
- Type: string
The name of the feature.
- Status
-
- Type: string
The status of the feature.
DetectorFeatureConfigurationResult
Description
Contains information about a GuardDuty feature.
Specifying both EKS Runtime Monitoring (EKS_RUNTIME_MONITORING
) and Runtime Monitoring (RUNTIME_MONITORING
) will cause an error. You can add only one of these two features because Runtime Monitoring already includes the threat detection for Amazon EKS resources. For more information, see Runtime Monitoring.
Members
- AdditionalConfiguration
-
- Type: Array of DetectorAdditionalConfigurationResult structures
Additional configuration for a resource.
- Name
-
- Type: string
Indicates the name of the feature that can be enabled for the detector.
- Status
-
- Type: string
Indicates the status of the feature that is enabled for the detector.
- UpdatedAt
-
- Type: timestamp (string|DateTime or anything parsable by strtotime)
The timestamp at which the feature object was updated.
DnsRequestAction
Description
Contains information about the DNS_REQUEST action described in this finding.
Members
- Blocked
-
- Type: boolean
Indicates whether the targeted port is blocked.
- Domain
-
- Type: string
The domain information for the DNS query.
- DomainWithSuffix
-
- Type: string
The second and top level domain involved in the activity that potentially prompted GuardDuty to generate this finding. For a list of top-level and second-level domains, see public suffix list.
- Protocol
-
- Type: string
The network connection protocol observed in the activity that prompted GuardDuty to generate the finding.
DomainDetails
Description
Contains information about the domain.
Members
- Domain
-
- Type: string
The domain information for the Amazon Web Services API call.
EbsVolumeDetails
Description
Contains list of scanned and skipped EBS volumes with details.
Members
- ScannedVolumeDetails
-
- Type: Array of VolumeDetail structures
List of EBS volumes that were scanned.
- SkippedVolumeDetails
-
- Type: Array of VolumeDetail structures
List of EBS volumes that were skipped from the malware scan.
EbsVolumeScanDetails
Description
Contains details from the malware scan that created a finding.
Members
- ScanCompletedAt
-
- Type: timestamp (string|DateTime or anything parsable by strtotime)
Returns the completion date and time of the malware scan.
- ScanDetections
-
- Type: ScanDetections structure
Contains a complete view providing malware scan result details.
- ScanId
-
- Type: string
Unique Id of the malware scan that generated the finding.
- ScanStartedAt
-
- Type: timestamp (string|DateTime or anything parsable by strtotime)
Returns the start date and time of the malware scan.
- ScanType
-
- Type: string
Specifies the scan type that invoked the malware scan.
- Sources
-
- Type: Array of strings
Contains list of threat intelligence sources used to detect threats.
- TriggerFindingId
-
- Type: string
GuardDuty finding ID that triggered a malware scan.
EbsVolumesResult
Description
Describes the configuration of scanning EBS volumes as a data source.
Members
- Reason
-
- Type: string
Specifies the reason why scanning EBS volumes (Malware Protection) was not enabled as a data source.
- Status
-
- Type: string
Describes whether scanning EBS volumes is enabled as a data source.
Ec2Instance
Description
Details about the potentially impacted Amazon EC2 instance resource.
Members
- AvailabilityZone
-
- Type: string
The availability zone of the Amazon EC2 instance. For more information, see Availability zones in the Amazon EC2 User Guide.
- Ec2NetworkInterfaceUids
-
- Type: Array of strings
The ID of the network interface.
- IamInstanceProfile
-
- Type: IamInstanceProfile structure
Contains information about the EC2 instance profile.
- ImageDescription
-
- Type: string
The image description of the Amazon EC2 instance.
- InstanceState
-
- Type: string
The state of the Amazon EC2 instance. For more information, see Amazon EC2 instance state changes in the Amazon EC2 User Guide.
- InstanceType
-
- Type: string
Type of the Amazon EC2 instance.
- OutpostArn
-
- Type: string
The Amazon Resource Name (ARN) of the Amazon Web Services Outpost. This shows applicable Amazon Web Services Outposts instances.
- Platform
-
- Type: string
The platform of the Amazon EC2 instance.
- ProductCodes
-
- Type: Array of ProductCode structures
The product code of the Amazon EC2 instance.
Ec2NetworkInterface
Description
Contains information about the elastic network interface of the Amazon EC2 instance.
Members
- Ipv6Addresses
-
- Type: Array of strings
A list of IPv6 addresses for the Amazon EC2 instance.
- PrivateIpAddresses
-
- Type: Array of PrivateIpAddressDetails structures
Other private IP address information of the Amazon EC2 instance.
- PublicIp
-
- Type: string
The public IP address of the Amazon EC2 instance.
- SecurityGroups
-
- Type: Array of SecurityGroup structures
The security groups associated with the Amazon EC2 instance.
- SubNetId
-
- Type: string
The subnet ID of the Amazon EC2 instance.
- VpcId
-
- Type: string
The VPC ID of the Amazon EC2 instance.
EcsClusterDetails
Description
Contains information about the details of the ECS Cluster.
Members
- ActiveServicesCount
-
- Type: int
The number of services that are running on the cluster in an ACTIVE state.
- Arn
-
- Type: string
The Amazon Resource Name (ARN) that identifies the cluster.
- Name
-
- Type: string
The name of the ECS Cluster.
- RegisteredContainerInstancesCount
-
- Type: int
The number of container instances registered into the cluster.
- RunningTasksCount
-
- Type: int
The number of tasks in the cluster that are in the RUNNING state.
- Status
-
- Type: string
The status of the ECS cluster.
- Tags
-
- Type: Array of Tag structures
The tags of the ECS Cluster.
- TaskDetails
-
- Type: EcsTaskDetails structure
Contains information about the details of the ECS Task.
EcsTaskDetails
Description
Contains information about the task in an ECS cluster.
Members
- Arn
-
- Type: string
The Amazon Resource Name (ARN) of the task.
- Containers
-
- Type: Array of Container structures
The containers that's associated with the task.
- DefinitionArn
-
- Type: string
The ARN of the task definition that creates the task.
- Group
-
- Type: string
The name of the task group that's associated with the task.
- LaunchType
-
- Type: string
A capacity on which the task is running. For example,
Fargate
andEC2
. - StartedAt
-
- Type: timestamp (string|DateTime or anything parsable by strtotime)
The Unix timestamp for the time when the task started.
- StartedBy
-
- Type: string
Contains the tag specified when a task is started.
- Tags
-
- Type: Array of Tag structures
The tags of the ECS Task.
- TaskCreatedAt
-
- Type: timestamp (string|DateTime or anything parsable by strtotime)
The Unix timestamp for the time when the task was created.
- Version
-
- Type: string
The version counter for the task.
- Volumes
-
- Type: Array of Volume structures
The list of data volume definitions for the task.
EksClusterDetails
Description
Details about the EKS cluster involved in a Kubernetes finding.
Members
- Arn
-
- Type: string
EKS cluster ARN.
- CreatedAt
-
- Type: timestamp (string|DateTime or anything parsable by strtotime)
The timestamp when the EKS cluster was created.
- Name
-
- Type: string
EKS cluster name.
- Status
-
- Type: string
The EKS cluster status.
- Tags
-
- Type: Array of Tag structures
The EKS cluster tags.
- VpcId
-
- Type: string
The VPC ID to which the EKS cluster is attached.
Evidence
Description
Contains information about the reason that the finding was generated.
Members
- ThreatIntelligenceDetails
-
- Type: Array of ThreatIntelligenceDetail structures
A list of threat intelligence details related to the evidence.
FargateDetails
Description
Contains information about Amazon Web Services Fargate details associated with an Amazon ECS cluster.
Members
- Issues
-
- Type: Array of strings
Runtime coverage issues identified for the resource running on Amazon Web Services Fargate.
- ManagementType
-
- Type: string
Indicates how the GuardDuty security agent is managed for this resource.
-
AUTO_MANAGED
indicates that GuardDuty deploys and manages updates for this resource. -
DISABLED
indicates that the deployment of the GuardDuty security agent is disabled for this resource.
The
MANUAL
status doesn't apply to the Amazon Web Services Fargate (Amazon ECS only) woprkloads.
FilterCondition
Description
Contains information about the condition.
Members
- EqualsValue
-
- Type: string
Represents an equal condition to be applied to a single field when querying for scan entries.
- GreaterThan
-
- Type: long (int|float)
Represents a greater than condition to be applied to a single field when querying for scan entries.
- LessThan
-
- Type: long (int|float)
Represents a less than condition to be applied to a single field when querying for scan entries.
FilterCriteria
Description
Represents the criteria to be used in the filter for describing scan entries.
Members
- FilterCriterion
-
- Type: Array of FilterCriterion structures
Represents a condition that when matched will be added to the response of the operation.
FilterCriterion
Description
Represents a condition that when matched will be added to the response of the operation. Irrespective of using any filter criteria, an administrator account can view the scan entries for all of its member accounts. However, each member account can view the scan entries only for their own account.
Members
- CriterionKey
-
- Type: string
An enum value representing possible scan properties to match with given scan entries.
Replace the enum value
CLUSTER_NAME
withEKS_CLUSTER_NAME
.CLUSTER_NAME
has been deprecated. - FilterCondition
-
- Type: FilterCondition structure
Contains information about the condition.
Finding
Description
Contains information about the finding that is generated when abnormal or suspicious activity is detected.
Members
- AccountId
-
- Required: Yes
- Type: string
The ID of the account in which the finding was generated.
- Arn
-
- Required: Yes
- Type: string
The ARN of the finding.
- AssociatedAttackSequenceArn
-
- Type: string
Amazon Resource Name (ARN) associated with the attack sequence finding.
- Confidence
-
- Type: double
The confidence score for the finding.
- CreatedAt
-
- Required: Yes
- Type: string
The time and date when the finding was created.
- Description
-
- Type: string
The description of the finding.
- Id
-
- Required: Yes
- Type: string
The ID of the finding.
- Partition
-
- Type: string
The partition associated with the finding.
- Region
-
- Required: Yes
- Type: string
The Region where the finding was generated.
- Resource
-
- Required: Yes
- Type: Resource structure
Contains information about the Amazon Web Services resource associated with the activity that prompted GuardDuty to generate a finding.
- SchemaVersion
-
- Required: Yes
- Type: string
The version of the schema used for the finding.
- Service
-
- Type: Service structure
Contains additional information about the generated finding.
- Severity
-
- Required: Yes
- Type: double
The severity of the finding.
- Title
-
- Type: string
The title of the finding.
- Type
-
- Required: Yes
- Type: string
The type of finding.
- UpdatedAt
-
- Required: Yes
- Type: string
The time and date when the finding was last updated.
FindingCriteria
Description
Contains information about the criteria used for querying findings.
Members
- Criterion
-
- Type: Associative array of custom strings keys (String) to Condition structures
Represents a map of finding properties that match specified conditions and values when querying findings.
FindingStatistics
Description
Contains information about finding statistics.
Members
- CountBySeverity
-
- Type: Associative array of custom strings keys (String) to ints
Represents a list of map of severity to count statistics for a set of findings.
- GroupedByAccount
-
- Type: Array of AccountStatistics structures
Represents a list of map of accounts with a findings count associated with each account.
- GroupedByDate
-
- Type: Array of DateStatistics structures
Represents a list of map of dates with a count of total findings generated on each date per severity level.
- GroupedByFindingType
-
- Type: Array of FindingTypeStatistics structures
Represents a list of map of finding types with a count of total findings generated for each type.
Based on the
orderBy
parameter, this request returns either the most occurring finding types or the least occurring finding types. If theorderBy
parameter isASC
, this will represent the least occurring finding types in your account; otherwise, this will represent the most occurring finding types. The default value oforderBy
isDESC
. - GroupedByResource
-
- Type: Array of ResourceStatistics structures
Represents a list of map of top resources with a count of total findings.
- GroupedBySeverity
-
- Type: Array of SeverityStatistics structures
Represents a list of map of total findings for each severity level.
FindingTypeStatistics
Description
Information about each finding type associated with the groupedByFindingType
statistics.
Members
- FindingType
-
- Type: string
Name of the finding type.
- LastGeneratedAt
-
- Type: timestamp (string|DateTime or anything parsable by strtotime)
The timestamp at which this finding type was last generated in your environment.
- TotalFindings
-
- Type: int
The total number of findings associated with generated for each distinct finding type.
FlowLogsConfigurationResult
Description
Contains information on the status of VPC flow logs as a data source.
Members
- Status
-
- Required: Yes
- Type: string
Denotes whether VPC flow logs is enabled as a data source.
FreeTrialFeatureConfigurationResult
Description
Contains information about the free trial period for a feature.
Members
- FreeTrialDaysRemaining
-
- Type: int
The number of the remaining free trial days for the feature.
- Name
-
- Type: string
The name of the feature for which the free trial is configured.
GeoLocation
Description
Contains information about the location of the remote IP address.
Members
- Lat
-
- Type: double
The latitude information of the remote IP address.
- Lon
-
- Type: double
The longitude information of the remote IP address.
HighestSeverityThreatDetails
Description
Contains details of the highest severity threat detected during scan and number of infected files.
Members
- Count
-
- Type: int
Total number of infected files with the highest severity threat detected.
- Severity
-
- Type: string
Severity level of the highest severity threat detected.
- ThreatName
-
- Type: string
Threat name of the highest severity threat detected as part of the malware scan.
HostPath
Description
Represents a pre-existing file or directory on the host machine that the volume maps to.
Members
- Path
-
- Type: string
Path of the file or directory on the host that the volume maps to.
IamInstanceProfile
Description
Contains information about the EC2 instance profile.
Members
- Arn
-
- Type: string
The profile ARN of the EC2 instance.
- Id
-
- Type: string
The profile ID of the EC2 instance.
ImpersonatedUser
Description
Contains information about the impersonated user.
Members
- Groups
-
- Type: Array of strings
The
group
to which the user name belongs. - Username
-
- Type: string
Information about the
username
that was being impersonated.
Indicator
Description
Contains information about the indicators that include a set of signals observed in an attack sequence.
Members
- Key
-
- Required: Yes
- Type: string
Specific indicator keys observed in the attack sequence.
- Title
-
- Type: string
Title describing the indicator.
- Values
-
- Type: Array of strings
Values associated with each indicator key. For example, if the indicator key is
SUSPICIOUS_NETWORK
, then the value will be the name of the network. If the indicator key isATTACK_TACTIC
, then the value will be one of the MITRE tactics.For more information about the values associated with the key, see GuardDuty Extended Threat Detection in the GuardDuty User Guide.
InstanceDetails
Description
Contains information about the details of an instance.
Members
- AvailabilityZone
-
- Type: string
The Availability Zone of the EC2 instance.
- IamInstanceProfile
-
- Type: IamInstanceProfile structure
The profile information of the EC2 instance.
- ImageDescription
-
- Type: string
The image description of the EC2 instance.
- ImageId
-
- Type: string
The image ID of the EC2 instance.
- InstanceId
-
- Type: string
The ID of the EC2 instance.
- InstanceState
-
- Type: string
The state of the EC2 instance.
- InstanceType
-
- Type: string
The type of the EC2 instance.
- LaunchTime
-
- Type: string
The launch time of the EC2 instance.
- NetworkInterfaces
-
- Type: Array of NetworkInterface structures
The elastic network interface information of the EC2 instance.
- OutpostArn
-
- Type: string
The Amazon Resource Name (ARN) of the Amazon Web Services Outpost. Only applicable to Amazon Web Services Outposts instances.
- Platform
-
- Type: string
The platform of the EC2 instance.
- ProductCodes
-
- Type: Array of ProductCode structures
The product code of the EC2 instance.
- Tags
-
- Type: Array of Tag structures
The tags of the EC2 instance.
InternalServerErrorException
Description
An internal server error exception object.
Members
- Message
-
- Type: string
The error message.
- Type
-
- Type: string
The error type.
Invitation
Description
Contains information about the invitation to become a member account.
Members
- AccountId
-
- Type: string
The ID of the account that the invitation was sent from.
- InvitationId
-
- Type: string
The ID of the invitation. This value is used to validate the inviter account to the member account.
- InvitedAt
-
- Type: string
The timestamp when the invitation was sent.
- RelationshipStatus
-
- Type: string
The status of the relationship between the inviter and invitee accounts.
ItemPath
Description
Information about the nested item path and hash of the protected resource.
Members
- Hash
-
- Type: string
The hash value of the infected resource.
- NestedItemPath
-
- Type: string
The nested item path where the infected file was found.
KubernetesApiCallAction
Description
Information about the Kubernetes API call action described in this finding.
Members
- Namespace
-
- Type: string
The name of the namespace where the Kubernetes API call action takes place.
- Parameters
-
- Type: string
Parameters related to the Kubernetes API call action.
- RemoteIpDetails
-
- Type: RemoteIpDetails structure
Contains information about the remote IP address of the connection.
- RequestUri
-
- Type: string
The Kubernetes API request URI.
- Resource
-
- Type: string
The resource component in the Kubernetes API call action.
- ResourceName
-
- Type: string
The name of the resource in the Kubernetes API call action.
- SourceIps
-
- Type: Array of strings
The IP of the Kubernetes API caller and the IPs of any proxies or load balancers between the caller and the API endpoint.
- StatusCode
-
- Type: int
The resulting HTTP response code of the Kubernetes API call action.
- Subresource
-
- Type: string
The name of the sub-resource in the Kubernetes API call action.
- UserAgent
-
- Type: string
The user agent of the caller of the Kubernetes API.
- Verb
-
- Type: string
The Kubernetes API request HTTP verb.
KubernetesAuditLogsConfiguration
Description
Describes whether Kubernetes audit logs are enabled as a data source.
Members
- Enable
-
- Required: Yes
- Type: boolean
The status of Kubernetes audit logs as a data source.
KubernetesAuditLogsConfigurationResult
Description
Describes whether Kubernetes audit logs are enabled as a data source.
Members
- Status
-
- Required: Yes
- Type: string
A value that describes whether Kubernetes audit logs are enabled as a data source.
KubernetesConfiguration
Description
Describes whether any Kubernetes data sources are enabled.
Members
- AuditLogs
-
- Required: Yes
- Type: KubernetesAuditLogsConfiguration structure
The status of Kubernetes audit logs as a data source.
KubernetesConfigurationResult
Description
Describes whether any Kubernetes logs will be enabled as a data source.
Members
- AuditLogs
-
- Required: Yes
- Type: KubernetesAuditLogsConfigurationResult structure
Describes whether Kubernetes audit logs are enabled as a data source.
KubernetesDataSourceFreeTrial
Description
Provides details about the Kubernetes resources when it is enabled as a data source.
Members
- AuditLogs
-
- Type: DataSourceFreeTrial structure
Describes whether Kubernetes audit logs are enabled as a data source.
KubernetesDetails
Description
Details about Kubernetes resources such as a Kubernetes user or workload resource involved in a Kubernetes finding.
Members
- KubernetesUserDetails
-
- Type: KubernetesUserDetails structure
Details about the Kubernetes user involved in a Kubernetes finding.
- KubernetesWorkloadDetails
-
- Type: KubernetesWorkloadDetails structure
Details about the Kubernetes workload involved in a Kubernetes finding.
KubernetesPermissionCheckedDetails
Description
Information about the Kubernetes API for which you check if you have permission to call.
Members
- Allowed
-
- Type: boolean
Information whether the user has the permission to call the Kubernetes API.
- Namespace
-
- Type: string
The namespace where the Kubernetes API action will take place.
- Resource
-
- Type: string
The Kubernetes resource with which your Kubernetes API call will interact.
- Verb
-
- Type: string
The verb component of the Kubernetes API call. For example, when you check whether or not you have the permission to call the
CreatePod
API, the verb component will beCreate
.
KubernetesRoleBindingDetails
Description
Contains information about the role binding that grants the permission defined in a Kubernetes role.
Members
- Kind
-
- Type: string
The kind of the role. For role binding, this value will be
RoleBinding
. - Name
-
- Type: string
The name of the
RoleBinding
. - RoleRefKind
-
- Type: string
The type of the role being referenced. This could be either
Role
orClusterRole
. - RoleRefName
-
- Type: string
The name of the role being referenced. This must match the name of the
Role
orClusterRole
that you want to bind to. - Uid
-
- Type: string
The unique identifier of the role binding.
KubernetesRoleDetails
Description
Information about the Kubernetes role name and role type.
Members
- Kind
-
- Type: string
The kind of role. For this API, the value of
kind
will beRole
. - Name
-
- Type: string
The name of the Kubernetes role.
- Uid
-
- Type: string
The unique identifier of the Kubernetes role name.
KubernetesUserDetails
Description
Details about the Kubernetes user involved in a Kubernetes finding.
Members
- Groups
-
- Type: Array of strings
The groups that include the user who called the Kubernetes API.
- ImpersonatedUser
-
- Type: ImpersonatedUser structure
Information about the impersonated user.
- SessionName
-
- Type: Array of strings
Entity that assumes the IAM role when Kubernetes RBAC permissions are assigned to that role.
- Uid
-
- Type: string
The user ID of the user who called the Kubernetes API.
- Username
-
- Type: string
The username of the user who called the Kubernetes API.
KubernetesWorkloadDetails
Description
Details about the Kubernetes workload involved in a Kubernetes finding.
Members
- Containers
-
- Type: Array of Container structures
Containers running as part of the Kubernetes workload.
- HostIPC
-
- Type: boolean
Whether the host IPC flag is enabled for the pods in the workload.
- HostNetwork
-
- Type: boolean
Whether the hostNetwork flag is enabled for the pods included in the workload.
- HostPID
-
- Type: boolean
Whether the host PID flag is enabled for the pods in the workload.
- Name
-
- Type: string
Kubernetes workload name.
- Namespace
-
- Type: string
Kubernetes namespace that the workload is part of.
- ServiceAccountName
-
- Type: string
The service account name that is associated with a Kubernetes workload.
- Type
-
- Type: string
Kubernetes workload type (e.g. Pod, Deployment, etc.).
- Uid
-
- Type: string
Kubernetes workload ID.
- Volumes
-
- Type: Array of Volume structures
Volumes used by the Kubernetes workload.
LambdaDetails
Description
Information about the Lambda function involved in the finding.
Members
- Description
-
- Type: string
Description of the Lambda function.
- FunctionArn
-
- Type: string
Amazon Resource Name (ARN) of the Lambda function.
- FunctionName
-
- Type: string
Name of the Lambda function.
- FunctionVersion
-
- Type: string
The version of the Lambda function.
- LastModifiedAt
-
- Type: timestamp (string|DateTime or anything parsable by strtotime)
The timestamp when the Lambda function was last modified. This field is in the UTC date string format
(2023-03-22T19:37:20.168Z)
. - RevisionId
-
- Type: string
The revision ID of the Lambda function version.
- Role
-
- Type: string
The execution role of the Lambda function.
- Tags
-
- Type: Array of Tag structures
A list of tags attached to this resource, listed in the format of
key
:value
pair. - VpcConfig
-
- Type: VpcConfig structure
Amazon Virtual Private Cloud configuration details associated with your Lambda function.
LineageObject
Description
Information about the runtime process details.
Members
- Euid
-
- Type: int
The effective user ID that was used to execute the process.
- ExecutablePath
-
- Type: string
The absolute path of the process executable file.
- Name
-
- Type: string
The name of the process.
- NamespacePid
-
- Type: int
The process ID of the child process.
- ParentUuid
-
- Type: string
The unique ID of the parent process. This ID is assigned to the parent process by GuardDuty.
- Pid
-
- Type: int
The ID of the process.
- StartTime
-
- Type: timestamp (string|DateTime or anything parsable by strtotime)
The time when the process started. This is in UTC format.
- UserId
-
- Type: int
The user ID of the user that executed the process.
- Uuid
-
- Type: string
The unique ID assigned to the process by GuardDuty.
LocalIpDetails
Description
Contains information about the local IP address of the connection.
Members
- IpAddressV4
-
- Type: string
The IPv4 local address of the connection.
- IpAddressV6
-
- Type: string
The IPv6 local address of the connection.
LocalPortDetails
Description
Contains information about the port for the local connection.
Members
- Port
-
- Type: int
The port number of the local connection.
- PortName
-
- Type: string
The port name of the local connection.
LoginAttribute
Description
Information about the login attempts.
Members
- Application
-
- Type: string
Indicates the application name used to attempt log in.
- FailedLoginAttempts
-
- Type: int
Represents the sum of failed (unsuccessful) login attempts made to establish a connection to the database instance.
- SuccessfulLoginAttempts
-
- Type: int
Represents the sum of successful connections (a correct combination of login attributes) made to the database instance by the actor.
- User
-
- Type: string
Indicates the user name which attempted to log in.
MalwareProtectionConfiguration
Description
Describes whether Malware Protection will be enabled as a data source.
Members
- ScanEc2InstanceWithFindings
-
- Type: ScanEc2InstanceWithFindings structure
Describes the configuration of Malware Protection for EC2 instances with findings.
MalwareProtectionConfigurationResult
Description
An object that contains information on the status of all Malware Protection data sources.
Members
- ScanEc2InstanceWithFindings
-
- Type: ScanEc2InstanceWithFindingsResult structure
Describes the configuration of Malware Protection for EC2 instances with findings.
- ServiceRole
-
- Type: string
The GuardDuty Malware Protection service role.
MalwareProtectionDataSourceFreeTrial
Description
Provides details about Malware Protection when it is enabled as a data source.
Members
- ScanEc2InstanceWithFindings
-
- Type: DataSourceFreeTrial structure
Describes whether Malware Protection for EC2 instances with findings is enabled as a data source.
MalwareProtectionPlanActions
Description
Information about whether the tags will be added to the S3 object after scanning.
Members
- Tagging
-
- Type: MalwareProtectionPlanTaggingAction structure
Indicates whether the scanned S3 object will have tags about the scan result.
MalwareProtectionPlanStatusReason
Description
Information about the issue code and message associated to the status of your Malware Protection plan.
Members
- Code
-
- Type: string
Issue code.
- Message
-
- Type: string
Issue message that specifies the reason. For information about potential troubleshooting steps, see Troubleshooting Malware Protection for S3 status issues in the GuardDuty User Guide.
MalwareProtectionPlanSummary
Description
Information about the Malware Protection plan resource.
Members
- MalwareProtectionPlanId
-
- Type: string
A unique identifier associated with Malware Protection plan.
MalwareProtectionPlanTaggingAction
Description
Information about adding tags to the scanned S3 object after the scan result.
Members
- Status
-
- Type: string
Indicates whether or not the tags will added.
MalwareScanDetails
Description
Information about the malware scan that generated a GuardDuty finding.
Members
- Threats
-
- Type: Array of Threat structures
Information about the detected threats associated with the generated GuardDuty finding.
Master
Description
Contains information about the administrator account and invitation.
Members
- AccountId
-
- Type: string
The ID of the account used as the administrator account.
- InvitationId
-
- Type: string
The value used to validate the administrator account to the member account.
- InvitedAt
-
- Type: string
The timestamp when the invitation was sent.
- RelationshipStatus
-
- Type: string
The status of the relationship between the administrator and member accounts.
Member
Description
Contains information about the member account.
Members
- AccountId
-
- Required: Yes
- Type: string
The ID of the member account.
- AdministratorId
-
- Type: string
The administrator account ID.
- DetectorId
-
- Type: string
The detector ID of the member account.
-
- Required: Yes
- Type: string
The email address of the member account.
- InvitedAt
-
- Type: string
The timestamp when the invitation was sent.
- MasterId
-
- Required: Yes
- Type: string
The administrator account ID.
- RelationshipStatus
-
- Required: Yes
- Type: string
The status of the relationship between the member and the administrator.
- UpdatedAt
-
- Required: Yes
- Type: string
The last-updated timestamp of the member.
MemberAdditionalConfiguration
Description
Information about the additional configuration for the member account.
Members
- Name
-
- Type: string
Name of the additional configuration.
- Status
-
- Type: string
Status of the additional configuration.
MemberAdditionalConfigurationResult
Description
Information about the additional configuration for the member account.
Members
- Name
-
- Type: string
Indicates the name of the additional configuration that is set for the member account.
- Status
-
- Type: string
Indicates the status of the additional configuration that is set for the member account.
- UpdatedAt
-
- Type: timestamp (string|DateTime or anything parsable by strtotime)
The timestamp at which the additional configuration was set for the member account. This is in UTC format.
MemberDataSourceConfiguration
Description
Contains information on which data sources are enabled for a member account.
Members
- AccountId
-
- Required: Yes
- Type: string
The account ID for the member account.
- DataSources
-
- Type: DataSourceConfigurationsResult structure
Contains information on the status of data sources for the account.
- Features
-
- Type: Array of MemberFeaturesConfigurationResult structures
Contains information about the status of the features for the member account.
MemberFeaturesConfiguration
Description
Contains information about the features for the member account.
Members
- AdditionalConfiguration
-
- Type: Array of MemberAdditionalConfiguration structures
Additional configuration of the feature for the member account.
- Name
-
- Type: string
The name of the feature.
- Status
-
- Type: string
The status of the feature.
MemberFeaturesConfigurationResult
Description
Contains information about the features for the member account.
Members
- AdditionalConfiguration
-
- Type: Array of MemberAdditionalConfigurationResult structures
Indicates the additional configuration of the feature that is configured for the member account.
- Name
-
- Type: string
Indicates the name of the feature that is enabled for the detector.
- Status
-
- Type: string
Indicates the status of the feature that is enabled for the detector.
- UpdatedAt
-
- Type: timestamp (string|DateTime or anything parsable by strtotime)
The timestamp at which the feature object was updated.
NetworkConnection
Description
Contains information about the network connection.
Members
- Direction
-
- Required: Yes
- Type: string
The direction in which the network traffic is flowing.
NetworkConnectionAction
Description
Contains information about the NETWORK_CONNECTION action described in the finding.
Members
- Blocked
-
- Type: boolean
Indicates whether EC2 blocked the network connection to your instance.
- ConnectionDirection
-
- Type: string
The network connection direction.
- LocalIpDetails
-
- Type: LocalIpDetails structure
The local IP information of the connection.
- LocalNetworkInterface
-
- Type: string
The EC2 instance's local elastic network interface utilized for the connection.
- LocalPortDetails
-
- Type: LocalPortDetails structure
The local port information of the connection.
- Protocol
-
- Type: string
The network connection protocol.
- RemoteIpDetails
-
- Type: RemoteIpDetails structure
The remote IP information of the connection.
- RemotePortDetails
-
- Type: RemotePortDetails structure
The remote port information of the connection.
NetworkEndpoint
Description
Contains information about network endpoints that were observed in the attack sequence.
Members
- AutonomousSystem
-
- Type: AutonomousSystem structure
The Autonomous System (AS) of the network endpoint.
- Connection
-
- Type: NetworkConnection structure
Information about the network connection.
- Domain
-
- Type: string
The domain information for the network endpoint.
- Id
-
- Required: Yes
- Type: string
The ID of the network endpoint.
- Ip
-
- Type: string
The IP address associated with the network endpoint.
- Location
-
- Type: NetworkGeoLocation structure
Information about the location of the network endpoint.
- Port
-
- Type: int
The port number associated with the network endpoint.
NetworkGeoLocation
Description
Contains information about network endpoint location.
Members
- City
-
- Required: Yes
- Type: string
The name of the city.
- Country
-
- Required: Yes
- Type: string
The name of the country.
- Latitude
-
- Required: Yes
- Type: double
The latitude information of the endpoint location.
- Longitude
-
- Required: Yes
- Type: double
The longitude information of the endpoint location.
NetworkInterface
Description
Contains information about the elastic network interface of the EC2 instance.
Members
- Ipv6Addresses
-
- Type: Array of strings
A list of IPv6 addresses for the EC2 instance.
- NetworkInterfaceId
-
- Type: string
The ID of the network interface.
- PrivateDnsName
-
- Type: string
The private DNS name of the EC2 instance.
- PrivateIpAddress
-
- Type: string
The private IP address of the EC2 instance.
- PrivateIpAddresses
-
- Type: Array of PrivateIpAddressDetails structures
Other private IP address information of the EC2 instance.
- PublicDnsName
-
- Type: string
The public DNS name of the EC2 instance.
- PublicIp
-
- Type: string
The public IP address of the EC2 instance.
- SecurityGroups
-
- Type: Array of SecurityGroup structures
The security groups associated with the EC2 instance.
- SubnetId
-
- Type: string
The subnet ID of the EC2 instance.
- VpcId
-
- Type: string
The VPC ID of the EC2 instance.
Observations
Description
Contains information about the observed behavior.
Members
- Text
-
- Type: Array of strings
The text that was unusual.
Organization
Description
Contains information about the ISP organization of the remote IP address.
Members
- Asn
-
- Type: string
The Autonomous System Number (ASN) of the internet provider of the remote IP address.
- AsnOrg
-
- Type: string
The organization that registered this ASN.
- Isp
-
- Type: string
The ISP information for the internet provider.
- Org
-
- Type: string
The name of the internet provider.
OrganizationAdditionalConfiguration
Description
A list of additional configurations which will be configured for the organization.
Additional configuration applies to only GuardDuty Runtime Monitoring protection plan.
Members
- AutoEnable
-
- Type: string
The status of the additional configuration that will be configured for the organization. Use one of the following values to configure the feature status for the entire organization:
-
NEW
: Indicates that when a new account joins the organization, they will have the additional configuration enabled automatically. -
ALL
: Indicates that all accounts in the organization have the additional configuration enabled automatically. This includesNEW
accounts that join the organization and accounts that may have been suspended or removed from the organization in GuardDuty.It may take up to 24 hours to update the configuration for all the member accounts.
-
NONE
: Indicates that the additional configuration will not be automatically enabled for any account in the organization. The administrator must manage the additional configuration for each account individually.
- Name
-
- Type: string
The name of the additional configuration that will be configured for the organization. These values are applicable to only Runtime Monitoring protection plan.
OrganizationAdditionalConfigurationResult
Description
A list of additional configuration which will be configured for the organization.
Members
- AutoEnable
-
- Type: string
Describes the status of the additional configuration that is configured for the member accounts within the organization. One of the following values is the status for the entire organization:
-
NEW
: Indicates that when a new account joins the organization, they will have the additional configuration enabled automatically. -
ALL
: Indicates that all accounts in the organization have the additional configuration enabled automatically. This includesNEW
accounts that join the organization and accounts that may have been suspended or removed from the organization in GuardDuty.It may take up to 24 hours to update the configuration for all the member accounts.
-
NONE
: Indicates that the additional configuration will not be automatically enabled for any account in the organization. The administrator must manage the additional configuration for each account individually.
- Name
-
- Type: string
The name of the additional configuration that is configured for the member accounts within the organization. These values are applicable to only Runtime Monitoring protection plan.
OrganizationDataSourceConfigurations
Description
An object that contains information on which data sources will be configured to be automatically enabled for new members within the organization.
Members
- Kubernetes
-
- Type: OrganizationKubernetesConfiguration structure
Describes the configuration of Kubernetes data sources for new members of the organization.
- MalwareProtection
-
- Type: OrganizationMalwareProtectionConfiguration structure
Describes the configuration of Malware Protection for new members of the organization.
- S3Logs
-
- Type: OrganizationS3LogsConfiguration structure
Describes whether S3 data event logs are enabled for new members of the organization.
OrganizationDataSourceConfigurationsResult
Description
An object that contains information on which data sources are automatically enabled for new members within the organization.
Members
- Kubernetes
-
- Type: OrganizationKubernetesConfigurationResult structure
Describes the configuration of Kubernetes data sources.
- MalwareProtection
-
- Type: OrganizationMalwareProtectionConfigurationResult structure
Describes the configuration of Malware Protection data source for an organization.
- S3Logs
-
- Required: Yes
- Type: OrganizationS3LogsConfigurationResult structure
Describes whether S3 data event logs are enabled as a data source.
OrganizationDetails
Description
Information about GuardDuty coverage statistics for members in your Amazon Web Services organization.
Members
- OrganizationStatistics
-
- Type: OrganizationStatistics structure
Information about the GuardDuty coverage statistics for members in your Amazon Web Services organization.
- UpdatedAt
-
- Type: timestamp (string|DateTime or anything parsable by strtotime)
The timestamp at which the organization statistics was last updated. This is in UTC format.
OrganizationEbsVolumes
Description
Organization-wide EBS volumes scan configuration.
Members
- AutoEnable
-
- Type: boolean
Whether scanning EBS volumes should be auto-enabled for new members joining the organization.
OrganizationEbsVolumesResult
Description
An object that contains information on the status of whether EBS volumes scanning will be enabled as a data source for an organization.
Members
- AutoEnable
-
- Type: boolean
An object that contains the status of whether scanning EBS volumes should be auto-enabled for new members joining the organization.
OrganizationFeatureConfiguration
Description
A list of features which will be configured for the organization.
Members
- AdditionalConfiguration
-
- Type: Array of OrganizationAdditionalConfiguration structures
The additional information that will be configured for the organization.
- AutoEnable
-
- Type: string
Describes the status of the feature that is configured for the member accounts within the organization. One of the following values is the status for the entire organization:
-
NEW
: Indicates that when a new account joins the organization, they will have the feature enabled automatically. -
ALL
: Indicates that all accounts in the organization have the feature enabled automatically. This includesNEW
accounts that join the organization and accounts that may have been suspended or removed from the organization in GuardDuty.It may take up to 24 hours to update the configuration for all the member accounts.
-
NONE
: Indicates that the feature will not be automatically enabled for any account in the organization. The administrator must manage the feature for each account individually.
- Name
-
- Type: string
The name of the feature that will be configured for the organization.
OrganizationFeatureConfigurationResult
Description
A list of features which will be configured for the organization.
Members
- AdditionalConfiguration
-
- Type: Array of OrganizationAdditionalConfigurationResult structures
The additional configuration that is configured for the member accounts within the organization.
- AutoEnable
-
- Type: string
Describes the status of the feature that is configured for the member accounts within the organization.
-
NEW
: Indicates that when a new account joins the organization, they will have the feature enabled automatically. -
ALL
: Indicates that all accounts in the organization have the feature enabled automatically. This includesNEW
accounts that join the organization and accounts that may have been suspended or removed from the organization in GuardDuty. -
NONE
: Indicates that the feature will not be automatically enabled for any account in the organization. In this case, each account will be managed individually by the administrator.
- Name
-
- Type: string
The name of the feature that is configured for the member accounts within the organization.
OrganizationFeatureStatistics
Description
Information about the number of accounts that have enabled a specific feature.
Members
- AdditionalConfiguration
-
- Type: Array of OrganizationFeatureStatisticsAdditionalConfiguration structures
Name of the additional configuration.
- EnabledAccountsCount
-
- Type: int
Total number of accounts that have enabled a specific feature.
- Name
-
- Type: string
Name of the feature.
OrganizationFeatureStatisticsAdditionalConfiguration
Description
Information about the coverage statistic for the additional configuration of the feature.
Members
- EnabledAccountsCount
-
- Type: int
Total number of accounts that have enabled the additional configuration.
- Name
-
- Type: string
Name of the additional configuration within a feature.
OrganizationKubernetesAuditLogsConfiguration
Description
Organization-wide Kubernetes audit logs configuration.
Members
- AutoEnable
-
- Required: Yes
- Type: boolean
A value that contains information on whether Kubernetes audit logs should be enabled automatically as a data source for the organization.
OrganizationKubernetesAuditLogsConfigurationResult
Description
The current configuration of Kubernetes audit logs as a data source for the organization.
Members
- AutoEnable
-
- Required: Yes
- Type: boolean
Whether Kubernetes audit logs data source should be auto-enabled for new members joining the organization.
OrganizationKubernetesConfiguration
Description
Organization-wide Kubernetes data sources configurations.
Members
- AuditLogs
-
- Required: Yes
- Type: OrganizationKubernetesAuditLogsConfiguration structure
Whether Kubernetes audit logs data source should be auto-enabled for new members joining the organization.
OrganizationKubernetesConfigurationResult
Description
The current configuration of all Kubernetes data sources for the organization.
Members
- AuditLogs
-
- Required: Yes
- Type: OrganizationKubernetesAuditLogsConfigurationResult structure
The current configuration of Kubernetes audit logs as a data source for the organization.
OrganizationMalwareProtectionConfiguration
Description
Organization-wide Malware Protection configurations.
Members
- ScanEc2InstanceWithFindings
-
- Type: OrganizationScanEc2InstanceWithFindings structure
Whether Malware Protection for EC2 instances with findings should be auto-enabled for new members joining the organization.
OrganizationMalwareProtectionConfigurationResult
Description
An object that contains information on the status of all Malware Protection data source for an organization.
Members
- ScanEc2InstanceWithFindings
-
- Type: OrganizationScanEc2InstanceWithFindingsResult structure
Describes the configuration for scanning EC2 instances with findings for an organization.
OrganizationS3LogsConfiguration
Description
Describes whether S3 data event logs will be automatically enabled for new members of the organization.
Members
- AutoEnable
-
- Required: Yes
- Type: boolean
A value that contains information on whether S3 data event logs will be enabled automatically as a data source for the organization.
OrganizationS3LogsConfigurationResult
Description
The current configuration of S3 data event logs as a data source for the organization.
Members
- AutoEnable
-
- Required: Yes
- Type: boolean
A value that describes whether S3 data event logs are automatically enabled for new members of the organization.
OrganizationScanEc2InstanceWithFindings
Description
Organization-wide EC2 instances with findings scan configuration.
Members
- EbsVolumes
-
- Type: OrganizationEbsVolumes structure
Whether scanning EBS volumes should be auto-enabled for new members joining the organization.
OrganizationScanEc2InstanceWithFindingsResult
Description
An object that contains information on the status of scanning EC2 instances with findings for an organization.
Members
- EbsVolumes
-
- Type: OrganizationEbsVolumesResult structure
Describes the configuration for scanning EBS volumes for an organization.
OrganizationStatistics
Description
Information about the coverage statistics of the features for the entire Amazon Web Services organization.
When you create a new Amazon Web Services organization, it might take up to 24 hours to generate the statistics summary for this organization.
Members
- ActiveAccountsCount
-
- Type: int
Total number of active accounts in your Amazon Web Services organization that are associated with GuardDuty.
- CountByFeature
-
- Type: Array of OrganizationFeatureStatistics structures
Retrieves the coverage statistics for each feature.
- EnabledAccountsCount
-
- Type: int
Total number of accounts that have enabled GuardDuty.
- MemberAccountsCount
-
- Type: int
Total number of accounts in your Amazon Web Services organization that are associated with GuardDuty.
- TotalAccountsCount
-
- Type: int
Total number of accounts in your Amazon Web Services organization.
Owner
Description
Contains information on the owner of the bucket.
Members
- Id
-
- Type: string
The canonical user ID of the bucket owner. For information about locating your canonical user ID see Finding Your Account Canonical User ID.
PermissionConfiguration
Description
Contains information about how permissions are configured for the S3 bucket.
Members
- AccountLevelPermissions
-
- Type: AccountLevelPermissions structure
Contains information about the account level permissions on the S3 bucket.
- BucketLevelPermissions
-
- Type: BucketLevelPermissions structure
Contains information about the bucket level permissions for the S3 bucket.
PortProbeAction
Description
Contains information about the PORT_PROBE action described in the finding.
Members
- Blocked
-
- Type: boolean
Indicates whether EC2 blocked the port probe to the instance, such as with an ACL.
- PortProbeDetails
-
- Type: Array of PortProbeDetail structures
A list of objects related to port probe details.
PortProbeDetail
Description
Contains information about the port probe details.
Members
- LocalIpDetails
-
- Type: LocalIpDetails structure
The local IP information of the connection.
- LocalPortDetails
-
- Type: LocalPortDetails structure
The local port information of the connection.
- RemoteIpDetails
-
- Type: RemoteIpDetails structure
The remote IP information of the connection.
PrivateIpAddressDetails
Description
Contains other private IP address information of the EC2 instance.
Members
- PrivateDnsName
-
- Type: string
The private DNS name of the EC2 instance.
- PrivateIpAddress
-
- Type: string
The private IP address of the EC2 instance.
ProcessDetails
Description
Information about the observed process.
Members
- Euid
-
- Type: int
The effective user ID of the user that executed the process.
- ExecutablePath
-
- Type: string
The absolute path of the process executable file.
- ExecutableSha256
-
- Type: string
The
SHA256
hash of the process executable. - Lineage
-
- Type: Array of LineageObject structures
Information about the process's lineage.
- Name
-
- Type: string
The name of the process.
- NamespacePid
-
- Type: int
The ID of the child process.
- ParentUuid
-
- Type: string
The unique ID of the parent process. This ID is assigned to the parent process by GuardDuty.
- Pid
-
- Type: int
The ID of the process.
- Pwd
-
- Type: string
The present working directory of the process.
- StartTime
-
- Type: timestamp (string|DateTime or anything parsable by strtotime)
The time when the process started. This is in UTC format.
- User
-
- Type: string
The user that executed the process.
- UserId
-
- Type: int
The unique ID of the user that executed the process.
- Uuid
-
- Type: string
The unique ID assigned to the process by GuardDuty.
ProductCode
Description
Contains information about the product code for the EC2 instance.
Members
- Code
-
- Type: string
The product code information.
- ProductType
-
- Type: string
The product code type.
PublicAccess
Description
Describes the public access policies that apply to the S3 bucket.
Members
- EffectivePermission
-
- Type: string
Describes the effective permission on this bucket after factoring all attached policies.
- PermissionConfiguration
-
- Type: PermissionConfiguration structure
Contains information about how permissions are configured for the S3 bucket.
PublicAccessConfiguration
Description
Describes public access policies that apply to the Amazon S3 bucket.
For information about each of the following settings, see Blocking public access to your Amazon S3 storage in the Amazon S3 User Guide.
Members
- PublicAclAccess
-
- Type: string
Indicates whether or not there is a setting that allows public access to the Amazon S3 buckets through access control lists (ACLs).
- PublicAclIgnoreBehavior
-
- Type: string
Indicates whether or not there is a setting that ignores all public access control lists (ACLs) on the Amazon S3 bucket and the objects that it contains.
- PublicBucketRestrictBehavior
-
- Type: string
Indicates whether or not there is a setting that restricts access to the bucket with specified policies.
- PublicPolicyAccess
-
- Type: string
Indicates whether or not there is a setting that allows public access to the Amazon S3 bucket policy.
RdsDbInstanceDetails
Description
Contains information about the resource type RDSDBInstance
involved in a GuardDuty finding.
Members
- DbClusterIdentifier
-
- Type: string
The identifier of the database cluster that contains the database instance ID involved in the finding.
- DbInstanceArn
-
- Type: string
The Amazon Resource Name (ARN) that identifies the database instance involved in the finding.
- DbInstanceIdentifier
-
- Type: string
The identifier associated to the database instance that was involved in the finding.
- Engine
-
- Type: string
The database engine of the database instance involved in the finding.
- EngineVersion
-
- Type: string
The version of the database engine that was involved in the finding.
- Tags
-
- Type: Array of Tag structures
Information about the tag key-value pairs.
RdsDbUserDetails
Description
Contains information about the user and authentication details for a database instance involved in the finding.
Members
- Application
-
- Type: string
The application name used in the anomalous login attempt.
- AuthMethod
-
- Type: string
The authentication method used by the user involved in the finding.
- Database
-
- Type: string
The name of the database instance involved in the anomalous login attempt.
- Ssl
-
- Type: string
The version of the Secure Socket Layer (SSL) used for the network.
- User
-
- Type: string
The user name used in the anomalous login attempt.
RdsLimitlessDbDetails
Description
Contains information about the resource type RDSLimitlessDB
that is involved in a GuardDuty finding.
Members
- DbClusterIdentifier
-
- Type: string
The name of the database cluster that is a part of the Limitless Database.
- DbShardGroupArn
-
- Type: string
The Amazon Resource Name (ARN) that identifies the DB shard group.
- DbShardGroupIdentifier
-
- Type: string
The name associated with the Limitless DB shard group.
- DbShardGroupResourceId
-
- Type: string
The resource identifier of the DB shard group within the Limitless Database.
- Engine
-
- Type: string
The database engine of the database instance involved in the finding.
- EngineVersion
-
- Type: string
The version of the database engine.
- Tags
-
- Type: Array of Tag structures
Information about the tag key-value pair.
RdsLoginAttemptAction
Description
Indicates that a login attempt was made to the potentially compromised database from a remote IP address.
Members
- LoginAttributes
-
- Type: Array of LoginAttribute structures
Indicates the login attributes used in the login attempt.
- RemoteIpDetails
-
- Type: RemoteIpDetails structure
Contains information about the remote IP address of the connection.
RemoteAccountDetails
Description
Contains details about the remote Amazon Web Services account that made the API call.
Members
- AccountId
-
- Type: string
The Amazon Web Services account ID of the remote API caller.
- Affiliated
-
- Type: boolean
Details on whether the Amazon Web Services account of the remote API caller is related to your GuardDuty environment. If this value is
True
the API caller is affiliated to your account in some way. If it isFalse
the API caller is from outside your environment.
RemoteIpDetails
Description
Contains information about the remote IP address of the connection.
Members
- City
-
- Type: City structure
The city information of the remote IP address.
- Country
-
- Type: Country structure
The country code of the remote IP address.
- GeoLocation
-
- Type: GeoLocation structure
The location information of the remote IP address.
- IpAddressV4
-
- Type: string
The IPv4 remote address of the connection.
- IpAddressV6
-
- Type: string
The IPv6 remote address of the connection.
- Organization
-
- Type: Organization structure
The ISP organization information of the remote IP address.
RemotePortDetails
Description
Contains information about the remote port.
Members
- Port
-
- Type: int
The port number of the remote connection.
- PortName
-
- Type: string
The port name of the remote connection.
Resource
Description
Contains information about the Amazon Web Services resource associated with the activity that prompted GuardDuty to generate a finding.
Members
- AccessKeyDetails
-
- Type: AccessKeyDetails structure
The IAM access key details (user information) of a user that engaged in the activity that prompted GuardDuty to generate a finding.
- ContainerDetails
-
- Type: Container structure
Details of a container.
- EbsVolumeDetails
-
- Type: EbsVolumeDetails structure
Contains list of scanned and skipped EBS volumes with details.
- EcsClusterDetails
-
- Type: EcsClusterDetails structure
Contains information about the details of the ECS Cluster.
- EksClusterDetails
-
- Type: EksClusterDetails structure
Details about the EKS cluster involved in a Kubernetes finding.
- InstanceDetails
-
- Type: InstanceDetails structure
The information about the EC2 instance associated with the activity that prompted GuardDuty to generate a finding.
- KubernetesDetails
-
- Type: KubernetesDetails structure
Details about the Kubernetes user and workload involved in a Kubernetes finding.
- LambdaDetails
-
- Type: LambdaDetails structure
Contains information about the Lambda function that was involved in a finding.
- RdsDbInstanceDetails
-
- Type: RdsDbInstanceDetails structure
Contains information about the database instance to which an anomalous login attempt was made.
- RdsDbUserDetails
-
- Type: RdsDbUserDetails structure
Contains information about the user details through which anomalous login attempt was made.
- RdsLimitlessDbDetails
-
- Type: RdsLimitlessDbDetails structure
Contains information about the RDS Limitless database that was involved in a GuardDuty finding.
- ResourceType
-
- Type: string
The type of Amazon Web Services resource.
- S3BucketDetails
-
- Type: Array of S3BucketDetail structures
Contains information on the S3 bucket.
ResourceData
Description
Contains information about the Amazon Web Services resource that is associated with the activity that prompted GuardDuty to generate a finding.
Members
- AccessKey
-
- Type: AccessKey structure
Contains information about the IAM access key details of a user that involved in the GuardDuty finding.
- Ec2Instance
-
- Type: Ec2Instance structure
Contains information about the Amazon EC2 instance.
- Ec2NetworkInterface
-
- Type: Ec2NetworkInterface structure
Contains information about the elastic network interface of the Amazon EC2 instance.
- S3Bucket
-
- Type: S3Bucket structure
Contains information about the Amazon S3 bucket.
- S3Object
-
- Type: S3Object structure
Contains information about the Amazon S3 object.
ResourceDetails
Description
Represents the resources that were scanned in the scan entry.
Members
- InstanceArn
-
- Type: string
Instance ARN that was scanned in the scan entry.
ResourceNotFoundException
Description
The requested resource can't be found.
Members
- Message
-
- Type: string
The error message.
- Type
-
- Type: string
The error type.
ResourceStatistics
Description
Information about each resource type associated with the groupedByResource
statistics.
Members
- AccountId
-
- Type: string
The ID of the Amazon Web Services account.
- LastGeneratedAt
-
- Type: timestamp (string|DateTime or anything parsable by strtotime)
The timestamp at which the statistics for this resource was last generated.
- ResourceId
-
- Type: string
ID associated with each resource. The following list provides the mapping of the resource type and resource ID.
Mapping of resource and resource ID
-
AccessKey -
resource.accessKeyDetails.accessKeyId
-
Container -
resource.containerDetails.id
-
ECSCluster -
resource.ecsClusterDetails.name
-
EKSCluster -
resource.eksClusterDetails.name
-
Instance -
resource.instanceDetails.instanceId
-
KubernetesCluster -
resource.kubernetesDetails.kubernetesWorkloadDetails.name
-
Lambda -
resource.lambdaDetails.functionName
-
RDSDBInstance -
resource.rdsDbInstanceDetails.dbInstanceIdentifier
-
S3Bucket -
resource.s3BucketDetails.name
-
S3Object -
resource.s3BucketDetails.name
- ResourceType
-
- Type: string
The type of resource.
- TotalFindings
-
- Type: int
The total number of findings associated with this resource.
ResourceV2
Description
Contains information about the Amazon Web Services resource that is associated with the GuardDuty finding.
Members
- AccountId
-
- Type: string
The Amazon Web Services account ID to which the resource belongs.
- CloudPartition
-
- Type: string
The cloud partition within the Amazon Web Services Region to which the resource belongs.
- Data
-
- Type: ResourceData structure
Contains information about the Amazon Web Services resource associated with the activity that prompted GuardDuty to generate a finding.
- Name
-
- Type: string
The name of the resource.
- Region
-
- Type: string
The Amazon Web Services Region where the resource belongs.
- ResourceType
-
- Required: Yes
- Type: string
The type of the Amazon Web Services resource.
- Service
-
- Type: string
The Amazon Web Services service of the resource.
- Tags
-
- Type: Array of Tag structures
Contains information about the tags associated with the resource.
- Uid
-
- Required: Yes
- Type: string
The unique identifier of the resource.
RuntimeContext
Description
Additional information about the suspicious activity.
Members
- AddressFamily
-
- Type: string
Represents the communication protocol associated with the address. For example, the address family
AF_INET
is used for IP version of 4 protocol. - CommandLineExample
-
- Type: string
Example of the command line involved in the suspicious activity.
- FileSystemType
-
- Type: string
Represents the type of mounted fileSystem.
- Flags
-
- Type: Array of strings
Represents options that control the behavior of a runtime operation or action. For example, a filesystem mount operation may contain a read-only flag.
- IanaProtocolNumber
-
- Type: int
Specifies a particular protocol within the address family. Usually there is a single protocol in address families. For example, the address family
AF_INET
only has the IP protocol. - LdPreloadValue
-
- Type: string
The value of the LD_PRELOAD environment variable.
- LibraryPath
-
- Type: string
The path to the new library that was loaded.
- MemoryRegions
-
- Type: Array of strings
Specifies the Region of a process's address space such as stack and heap.
- ModifiedAt
-
- Type: timestamp (string|DateTime or anything parsable by strtotime)
The timestamp at which the process modified the current process. The timestamp is in UTC date string format.
- ModifyingProcess
-
- Type: ProcessDetails structure
Information about the process that modified the current process. This is available for multiple finding types.
- ModuleFilePath
-
- Type: string
The path to the module loaded into the kernel.
- ModuleName
-
- Type: string
The name of the module loaded into the kernel.
- ModuleSha256
-
- Type: string
The
SHA256
hash of the module. - MountSource
-
- Type: string
The path on the host that is mounted by the container.
- MountTarget
-
- Type: string
The path in the container that is mapped to the host directory.
- ReleaseAgentPath
-
- Type: string
The path in the container that modified the release agent file.
- RuncBinaryPath
-
- Type: string
The path to the leveraged
runc
implementation. - ScriptPath
-
- Type: string
The path to the script that was executed.
- ServiceName
-
- Type: string
Name of the security service that has been potentially disabled.
- ShellHistoryFilePath
-
- Type: string
The path to the modified shell history file.
- SocketPath
-
- Type: string
The path to the docket socket that was accessed.
- TargetProcess
-
- Type: ProcessDetails structure
Information about the process that had its memory overwritten by the current process.
- ThreatFilePath
-
- Type: string
The suspicious file path for which the threat intelligence details were found.
- ToolCategory
-
- Type: string
Category that the tool belongs to. Some of the examples are Backdoor Tool, Pentest Tool, Network Scanner, and Network Sniffer.
- ToolName
-
- Type: string
Name of the potentially suspicious tool.
RuntimeDetails
Description
Information about the process and any required context values for a specific finding.
Members
- Context
-
- Type: RuntimeContext structure
Additional information about the suspicious activity.
- Process
-
- Type: ProcessDetails structure
Information about the observed process.
S3Bucket
Description
Contains information about the Amazon S3 bucket policies and encryption.
Members
- AccountPublicAccess
-
- Type: PublicAccessConfiguration structure
Contains information about the public access policies that apply to the Amazon S3 bucket at the account level.
- BucketPublicAccess
-
- Type: PublicAccessConfiguration structure
Contains information about public access policies that apply to the Amazon S3 bucket.
- CreatedAt
-
- Type: timestamp (string|DateTime or anything parsable by strtotime)
The timestamp at which the Amazon S3 bucket was created.
- EffectivePermission
-
- Type: string
Describes the effective permissions on this S3 bucket, after factoring all the attached policies.
- EncryptionKeyArn
-
- Type: string
The Amazon Resource Name (ARN) of the encryption key that is used to encrypt the Amazon S3 bucket and its objects.
- EncryptionType
-
- Type: string
The type of encryption used for the Amazon S3 buckets and its objects. For more information, see Protecting data with server-side encryption in the Amazon S3 User Guide.
- OwnerId
-
- Type: string
The owner ID of the associated S3Amazon S3bucket.
- PublicReadAccess
-
- Type: string
Indicates whether or not the public read access is allowed for an Amazon S3 bucket.
- PublicWriteAccess
-
- Type: string
Indicates whether or not the public write access is allowed for an Amazon S3 bucket.
- S3ObjectUids
-
- Type: Array of strings
Represents a list of Amazon S3 object identifiers.
S3BucketDetail
Description
Contains information on the S3 bucket.
Members
- Arn
-
- Type: string
The Amazon Resource Name (ARN) of the S3 bucket.
- CreatedAt
-
- Type: timestamp (string|DateTime or anything parsable by strtotime)
The date and time the bucket was created at.
- DefaultServerSideEncryption
-
- Type: DefaultServerSideEncryption structure
Describes the server side encryption method used in the S3 bucket.
- Name
-
- Type: string
The name of the S3 bucket.
- Owner
-
- Type: Owner structure
The owner of the S3 bucket.
- PublicAccess
-
- Type: PublicAccess structure
Describes the public access policies that apply to the S3 bucket.
- S3ObjectDetails
-
- Type: Array of S3ObjectDetail structures
Information about the S3 object that was scanned.
- Tags
-
- Type: Array of Tag structures
All tags attached to the S3 bucket
- Type
-
- Type: string
Describes whether the bucket is a source or destination bucket.
S3LogsConfiguration
Description
Describes whether S3 data event logs will be enabled as a data source.
Members
- Enable
-
- Required: Yes
- Type: boolean
The status of S3 data event logs as a data source.
S3LogsConfigurationResult
Description
Describes whether S3 data event logs will be enabled as a data source.
Members
- Status
-
- Required: Yes
- Type: string
A value that describes whether S3 data event logs are automatically enabled for new members of the organization.
S3Object
Description
Contains information about the Amazon S3 object.
Members
- ETag
-
- Type: string
The entity tag is a hash of the Amazon S3 object. The ETag reflects changes only to the contents of an object, and not its metadata.
- Key
-
- Type: string
The key of the Amazon S3 object.
- VersionId
-
- Type: string
The version Id of the Amazon S3 object.
S3ObjectDetail
Description
Information about the S3 object that was scanned
Members
- ETag
-
- Type: string
The entity tag is a hash of the S3 object. The ETag reflects changes only to the contents of an object, and not its metadata.
- Hash
-
- Type: string
Hash of the threat detected in this finding.
- Key
-
- Type: string
Key of the S3 object.
- ObjectArn
-
- Type: string
Amazon Resource Name (ARN) of the S3 object.
- VersionId
-
- Type: string
Version ID of the object.
Scan
Description
Contains information about malware scans associated with GuardDuty Malware Protection for EC2.
Members
- AccountId
-
- Type: string
The ID for the account that belongs to the scan.
- AdminDetectorId
-
- Type: string
The unique detector ID of the administrator account that the request is associated with. If the account is an administrator, the
AdminDetectorId
will be the same as the one used forDetectorId
.To find the
detectorId
in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API. - AttachedVolumes
-
- Type: Array of VolumeDetail structures
List of volumes that were attached to the original instance to be scanned.
- DetectorId
-
- Type: string
The unique ID of the detector that is associated with the request.
To find the
detectorId
in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API. - FailureReason
-
- Type: string
Represents the reason for
FAILED
scan status. - FileCount
-
- Type: long (int|float)
Represents the number of files that were scanned.
- ResourceDetails
-
- Type: ResourceDetails structure
Represents the resources that were scanned in the scan entry.
- ScanEndTime
-
- Type: timestamp (string|DateTime or anything parsable by strtotime)
The timestamp of when the scan was finished.
- ScanId
-
- Type: string
The unique scan ID associated with a scan entry.
- ScanResultDetails
-
- Type: ScanResultDetails structure
Represents the result of the scan.
- ScanStartTime
-
- Type: timestamp (string|DateTime or anything parsable by strtotime)
The timestamp of when the scan was triggered.
- ScanStatus
-
- Type: string
An enum value representing possible scan statuses.
- ScanType
-
- Type: string
Specifies the scan type that invoked the malware scan.
- TotalBytes
-
- Type: long (int|float)
Represents total bytes that were scanned.
- TriggerDetails
-
- Type: TriggerDetails structure
Specifies the reason why the scan was initiated.
ScanCondition
Description
Contains information about the condition.
Members
- MapEquals
-
- Required: Yes
- Type: Array of ScanConditionPair structures
Represents an mapEqual condition to be applied to a single field when triggering for malware scan.
ScanConditionPair
Description
Represents the key:value
pair to be matched against given resource property.
Members
- Key
-
- Required: Yes
- Type: string
Represents the key in the map condition.
- Value
-
- Type: string
Represents optional value in the map condition. If not specified, only the key will be matched.
ScanDetections
Description
Contains a complete view providing malware scan result details.
Members
- HighestSeverityThreatDetails
-
- Type: HighestSeverityThreatDetails structure
Details of the highest severity threat detected during malware scan and number of infected files.
- ScannedItemCount
-
- Type: ScannedItemCount structure
Total number of scanned files.
- ThreatDetectedByName
-
- Type: ThreatDetectedByName structure
Contains details about identified threats organized by threat name.
- ThreatsDetectedItemCount
-
- Type: ThreatsDetectedItemCount structure
Total number of infected files.
ScanEc2InstanceWithFindings
Description
Describes whether Malware Protection for EC2 instances with findings will be enabled as a data source.
Members
- EbsVolumes
-
- Type: boolean
Describes the configuration for scanning EBS volumes as data source.
ScanEc2InstanceWithFindingsResult
Description
An object that contains information on the status of whether Malware Protection for EC2 instances with findings will be enabled as a data source.
Members
- EbsVolumes
-
- Type: EbsVolumesResult structure
Describes the configuration of scanning EBS volumes as a data source.
ScanFilePath
Description
Contains details of infected file including name, file path and hash.
Members
- FileName
-
- Type: string
File name of the infected file.
- FilePath
-
- Type: string
The file path of the infected file.
- Hash
-
- Type: string
The hash value of the infected file.
- VolumeArn
-
- Type: string
EBS volume ARN details of the infected file.
ScanResourceCriteria
Description
Contains information about criteria used to filter resources before triggering malware scan.
Members
- Exclude
-
- Type: Associative array of custom strings keys (ScanCriterionKey) to ScanCondition structures
Represents condition that when matched will prevent a malware scan for a certain resource.
- Include
-
- Type: Associative array of custom strings keys (ScanCriterionKey) to ScanCondition structures
Represents condition that when matched will allow a malware scan for a certain resource.
ScanResultDetails
Description
Represents the result of the scan.
Members
- ScanResult
-
- Type: string
An enum value representing possible scan results.
ScanThreatName
Description
Contains files infected with the given threat providing details of malware name and severity.
Members
- FilePaths
-
- Type: Array of ScanFilePath structures
List of infected files in EBS volume with details.
- ItemCount
-
- Type: int
Total number of files infected with given threat.
- Name
-
- Type: string
The name of the identified threat.
- Severity
-
- Type: string
Severity of threat identified as part of the malware scan.
ScannedItemCount
Description
Total number of scanned files.
Members
- Files
-
- Type: int
Number of files scanned.
- TotalGb
-
- Type: int
Total GB of files scanned for malware.
- Volumes
-
- Type: int
Total number of scanned volumes.
SecurityContext
Description
Container security context.
Members
- AllowPrivilegeEscalation
-
- Type: boolean
Whether or not a container or a Kubernetes pod is allowed to gain more privileges than its parent process.
- Privileged
-
- Type: boolean
Whether the container is privileged.
SecurityGroup
Description
Contains information about the security groups associated with the EC2 instance.
Members
- GroupId
-
- Type: string
The security group ID of the EC2 instance.
- GroupName
-
- Type: string
The security group name of the EC2 instance.
Sequence
Description
Contains information about the GuardDuty attack sequence finding.
Members
- Actors
-
- Type: Array of Actor structures
Contains information about the actors involved in the attack sequence.
- Description
-
- Required: Yes
- Type: string
Description of the attack sequence.
- Endpoints
-
- Type: Array of NetworkEndpoint structures
Contains information about the network endpoints that were used in the attack sequence.
- Resources
-
- Type: Array of ResourceV2 structures
Contains information about the resources involved in the attack sequence.
- SequenceIndicators
-
- Type: Array of Indicator structures
Contains information about the indicators observed in the attack sequence.
- Signals
-
- Required: Yes
- Type: Array of Signal structures
Contains information about the signals involved in the attack sequence.
- Uid
-
- Required: Yes
- Type: string
Unique identifier of the attack sequence.
Service
Description
Contains additional information about the generated finding.
Members
- Action
-
- Type: Action structure
Information about the activity that is described in a finding.
- AdditionalInfo
-
- Type: ServiceAdditionalInfo structure
Contains additional information about the generated finding.
- Archived
-
- Type: boolean
Indicates whether this finding is archived.
- Count
-
- Type: int
The total count of the occurrences of this finding type.
- Detection
-
- Type: Detection structure
Contains information about the detected unusual behavior.
- DetectorId
-
- Type: string
The detector ID for the GuardDuty service.
- EbsVolumeScanDetails
-
- Type: EbsVolumeScanDetails structure
Returns details from the malware scan that created a finding.
- EventFirstSeen
-
- Type: string
The first-seen timestamp of the activity that prompted GuardDuty to generate this finding.
- EventLastSeen
-
- Type: string
The last-seen timestamp of the activity that prompted GuardDuty to generate this finding.
- Evidence
-
- Type: Evidence structure
An evidence object associated with the service.
- FeatureName
-
- Type: string
The name of the feature that generated a finding.
- MalwareScanDetails
-
- Type: MalwareScanDetails structure
Returns details from the malware scan that generated a GuardDuty finding.
- ResourceRole
-
- Type: string
The resource role information for this finding.
- RuntimeDetails
-
- Type: RuntimeDetails structure
Information about the process and any required context values for a specific finding
- ServiceName
-
- Type: string
The name of the Amazon Web Services service (GuardDuty) that generated a finding.
- UserFeedback
-
- Type: string
Feedback that was submitted about the finding.
ServiceAdditionalInfo
Description
Additional information about the generated finding.
Members
- Type
-
- Type: string
Describes the type of the additional information.
- Value
-
- Type: string
This field specifies the value of the additional information.
Session
Description
Contains information about the authenticated session.
Members
- CreatedTime
-
- Type: timestamp (string|DateTime or anything parsable by strtotime)
The timestamp for when the session was created.
In Amazon Web Services CloudTrail, you can find this value as
userIdentity.sessionContext.attributes.creationDate
. - Issuer
-
- Type: string
Identifier of the session issuer.
In Amazon Web Services CloudTrail, you can find this value as
userIdentity.sessionContext.sessionIssuer.arn
. - MfaStatus
-
- Type: string
Indicates whether or not multi-factor authencation (MFA) was used during authentication.
In Amazon Web Services CloudTrail, you can find this value as
userIdentity.sessionContext.attributes.mfaAuthenticated
. - Uid
-
- Type: string
The unique identifier of the session.
SeverityStatistics
Description
Information about severity level for each finding type.
Members
- LastGeneratedAt
-
- Type: timestamp (string|DateTime or anything parsable by strtotime)
The timestamp at which a finding type for a specific severity was last generated.
- Severity
-
- Type: double
The severity level associated with each finding type.
- TotalFindings
-
- Type: int
The total number of findings associated with this severity.
Signal
Description
Contains information about the signals involved in the attack sequence.
Members
- ActorIds
-
- Type: Array of strings
Information about the IDs of the threat actors involved in the signal.
- Count
-
- Required: Yes
- Type: int
The number of times this signal was observed.
- CreatedAt
-
- Required: Yes
- Type: timestamp (string|DateTime or anything parsable by strtotime)
The timestamp when the first finding or activity related to this signal was observed.
- Description
-
- Type: string
The description of the signal.
- EndpointIds
-
- Type: Array of strings
Information about the endpoint IDs associated with this signal.
- FirstSeenAt
-
- Required: Yes
- Type: timestamp (string|DateTime or anything parsable by strtotime)
The timestamp when the first finding or activity related to this signal was observed.
- LastSeenAt
-
- Required: Yes
- Type: timestamp (string|DateTime or anything parsable by strtotime)
The timestamp when the last finding or activity related to this signal was observed.
- Name
-
- Required: Yes
- Type: string
The name of the signal. For example, when signal type is
FINDING
, the signal name is the name of the finding. - ResourceUids
-
- Type: Array of strings
Information about the unique identifiers of the resources involved in the signal.
- Severity
-
- Type: double
The severity associated with the signal. For more information about severity, see Findings severity levels in the GuardDuty User Guide.
- SignalIndicators
-
- Type: Array of Indicator structures
Contains information about the indicators associated with the signals.
- Type
-
- Required: Yes
- Type: string
The type of the signal used to identify an attack sequence.
Signals can be GuardDuty findings or activities observed in data sources that GuardDuty monitors. For more information, see Foundational data sources in the GuardDuty User Guide.
A signal type can be one of the valid values listed in this API. Here are the related descriptions:
-
FINDING
- Individually generated GuardDuty finding. -
CLOUD_TRAIL
- Activity observed from CloudTrail logs -
S3_DATA_EVENTS
- Activity observed from CloudTrail data events for S3. Activities associated with this type will show up only when you have enabled GuardDuty S3 Protection feature in your account. For more information about S3 Protection and steps to enable it, see S3 Protection in the GuardDuty User Guide.
- Uid
-
- Required: Yes
- Type: string
The unique identifier of the signal.
- UpdatedAt
-
- Required: Yes
- Type: timestamp (string|DateTime or anything parsable by strtotime)
The timestamp when this signal was last observed.
SortCriteria
Description
Contains information about the criteria used for sorting findings.
Members
- AttributeName
-
- Type: string
Represents the finding attribute, such as
accountId
, that sorts the findings. - OrderBy
-
- Type: string
The order by which the sorted findings are to be displayed.
Tag
Description
Contains information about a tag key-value pair.
Members
- Key
-
- Type: string
Describes the key associated with the tag.
- Value
-
- Type: string
Describes the value associated with the tag key.
Threat
Description
Information about the detected threats associated with the generated finding.
Members
- ItemPaths
-
- Type: Array of ItemPath structures
Information about the nested item path and hash of the protected resource.
- Name
-
- Type: string
Name of the detected threat that caused GuardDuty to generate this finding.
- Source
-
- Type: string
Source of the threat that generated this finding.
ThreatDetectedByName
Description
Contains details about identified threats organized by threat name.
Members
- ItemCount
-
- Type: int
Total number of infected files identified.
- Shortened
-
- Type: boolean
Flag to determine if the finding contains every single infected file-path and/or every threat.
- ThreatNames
-
- Type: Array of ScanThreatName structures
List of identified threats with details, organized by threat name.
- UniqueThreatNameCount
-
- Type: int
Total number of unique threats by name identified, as part of the malware scan.
ThreatIntelligenceDetail
Description
An instance of a threat intelligence detail that constitutes evidence for the finding.
Members
- ThreatFileSha256
-
- Type: string
SHA256 of the file that generated the finding.
- ThreatListName
-
- Type: string
The name of the threat intelligence list that triggered the finding.
- ThreatNames
-
- Type: Array of strings
A list of names of the threats in the threat intelligence list that triggered the finding.
ThreatsDetectedItemCount
Description
Contains total number of infected files.
Members
- Files
-
- Type: int
Total number of infected files.
Total
Description
Contains the total usage with the corresponding currency unit for that value.
Members
- Amount
-
- Type: string
The total usage.
- Unit
-
- Type: string
The currency unit that the amount is given in.
TriggerDetails
Description
Represents the reason the scan was triggered.
Members
- Description
-
- Type: string
The description of the scan trigger.
- GuardDutyFindingId
-
- Type: string
The ID of the GuardDuty finding that triggered the malware scan.
UnprocessedAccount
Description
Contains information about the accounts that weren't processed.
Members
- AccountId
-
- Required: Yes
- Type: string
The Amazon Web Services account ID.
- Result
-
- Required: Yes
- Type: string
A reason why the account hasn't been processed.
UnprocessedDataSourcesResult
Description
Specifies the names of the data sources that couldn't be enabled.
Members
- MalwareProtection
-
- Type: MalwareProtectionConfigurationResult structure
An object that contains information on the status of all Malware Protection data sources.
UpdateProtectedResource
Description
Information about the protected resource that is associated with the created Malware Protection plan. Presently, S3Bucket
is the only supported protected resource.
Members
- S3Bucket
-
- Type: UpdateS3BucketResource structure
Information about the protected S3 bucket resource.
UpdateS3BucketResource
Description
Information about the protected S3 bucket resource.
Members
- ObjectPrefixes
-
- Type: Array of strings
Information about the specified object prefixes. The S3 object will be scanned only if it belongs to any of the specified object prefixes.
UsageAccountResult
Description
Contains information on the total of usage based on account IDs.
Members
- AccountId
-
- Type: string
The Account ID that generated usage.
- Total
-
- Type: Total structure
Represents the total of usage for the Account ID.
UsageCriteria
Description
Contains information about the criteria used to query usage statistics.
Members
- AccountIds
-
- Type: Array of strings
The account IDs to aggregate usage statistics from.
- DataSources
-
- Type: Array of strings
The data sources to aggregate usage statistics from.
- Features
-
- Type: Array of strings
The features to aggregate usage statistics from.
- Resources
-
- Type: Array of strings
The resources to aggregate usage statistics from. Only accepts exact resource names.
UsageDataSourceResult
Description
Contains information on the result of usage based on data source type.
Members
- DataSource
-
- Type: string
The data source type that generated usage.
- Total
-
- Type: Total structure
Represents the total of usage for the specified data source.
UsageFeatureResult
Description
Contains information about the result of the total usage based on the feature.
Members
- Feature
-
- Type: string
The feature that generated the usage cost.
- Total
-
- Type: Total structure
Contains the total usage with the corresponding currency unit for that value.
UsageResourceResult
Description
Contains information on the sum of usage based on an Amazon Web Services resource.
Members
- Resource
-
- Type: string
The Amazon Web Services resource that generated usage.
- Total
-
- Type: Total structure
Represents the sum total of usage for the specified resource type.
UsageStatistics
Description
Contains the result of GuardDuty usage. If a UsageStatisticType is provided the result for other types will be null.
Members
- SumByAccount
-
- Type: Array of UsageAccountResult structures
The usage statistic sum organized by account ID.
- SumByDataSource
-
- Type: Array of UsageDataSourceResult structures
The usage statistic sum organized by on data source.
- SumByFeature
-
- Type: Array of UsageFeatureResult structures
The usage statistic sum organized by feature.
- SumByResource
-
- Type: Array of UsageResourceResult structures
The usage statistic sum organized by resource.
- TopAccountsByFeature
-
- Type: Array of UsageTopAccountsResult structures
Lists the top 50 accounts by feature that have generated the most GuardDuty usage, in the order from most to least expensive.
Currently, this doesn't support
RDS_LOGIN_EVENTS
. - TopResources
-
- Type: Array of UsageResourceResult structures
Lists the top 50 resources that have generated the most GuardDuty usage, in order from most to least expensive.
UsageTopAccountResult
Description
Contains information on the total of usage based on the topmost 50 account IDs.
Members
- AccountId
-
- Type: string
The unique account ID.
- Total
-
- Type: Total structure
Contains the total usage with the corresponding currency unit for that value.
UsageTopAccountsResult
Description
Information about the usage statistics, calculated by top accounts by feature.
Members
- Accounts
-
- Type: Array of UsageTopAccountResult structures
The accounts that contributed to the total usage cost.
- Feature
-
- Type: string
Features by which you can generate the usage statistics.
RDS_LOGIN_EVENTS
is currently not supported withtopAccountsByFeature
.
User
Description
Contains information about the user involved in the attack sequence.
Members
- Account
-
- Type: Account structure
Contains information about the Amazon Web Services account.
- CredentialUid
-
- Type: string
The credentials of the user ID.
- Name
-
- Required: Yes
- Type: string
The name of the user.
- Type
-
- Required: Yes
- Type: string
The type of the user.
- Uid
-
- Required: Yes
- Type: string
The unique identifier of the user.
Volume
Description
Volume used by the Kubernetes workload.
Members
- HostPath
-
- Type: HostPath structure
Represents a pre-existing file or directory on the host machine that the volume maps to.
- Name
-
- Type: string
Volume name.
VolumeDetail
Description
Contains EBS volume details.
Members
- DeviceName
-
- Type: string
The device name for the EBS volume.
- EncryptionType
-
- Type: string
EBS volume encryption type.
- KmsKeyArn
-
- Type: string
KMS key ARN used to encrypt the EBS volume.
- SnapshotArn
-
- Type: string
Snapshot ARN of the EBS volume.
- VolumeArn
-
- Type: string
EBS volume ARN information.
- VolumeSizeInGB
-
- Type: int
EBS volume size in GB.
- VolumeType
-
- Type: string
The EBS volume type.
VolumeMount
Description
Container volume mount.
Members
- MountPath
-
- Type: string
Volume mount path.
- Name
-
- Type: string
Volume mount name.
VpcConfig
Description
Amazon Virtual Private Cloud configuration details associated with your Lambda function.
Members
- SecurityGroups
-
- Type: Array of SecurityGroup structures
The identifier of the security group attached to the Lambda function.
- SubnetIds
-
- Type: Array of strings
The identifiers of the subnets that are associated with your Lambda function.
- VpcId
-
- Type: string
The identifier of the Amazon Virtual Private Cloud.