A low-level client representing Amazon GuardDuty:
import boto3
client = boto3.client('guardduty')
These are the available methods:
accept_invitation(**kwargs)
Accepts the invitation to be monitored by a master GuardDuty account.
See also: AWS API Documentation
Request Syntax
response = client.accept_invitation(
DetectorId='string',
MasterId='string',
InvitationId='string'
)
Parameters
DetectorId (string) --
[REQUIRED]
The unique ID of the detector of the GuardDuty member account.
MasterId (string) --
[REQUIRED]
The account ID of the master GuardDuty account whose invitation you're accepting.
InvitationId (string) --
[REQUIRED]
The value that is used to validate the master account to the member account.
Return type
dict
Returns
Response Syntax
{}
Response Structure
Exceptions
archive_findings(**kwargs)
Archives GuardDuty findings that are specified by the list of finding IDs.
Note
Only the master account can archive findings. Member accounts don't have permission to archive findings from their accounts.
See also: AWS API Documentation
Request Syntax
response = client.archive_findings(
DetectorId='string',
FindingIds=[
'string',
]
)
Parameters
DetectorId (string) --
[REQUIRED]
The ID of the detector that specifies the GuardDuty service whose findings you want to archive.
FindingIds (list) --
[REQUIRED]
The IDs of the findings that you want to archive.
Return type
dict
Returns
Response Syntax
{}
Response Structure
Exceptions
can_paginate(operation_name)
Check if an operation can be paginated.
Parameters
operation_name (string) -- The operation name. This is the same name as the method name on the client. For example, if the method name is create_foo, and you'd call it as client.create_foo(**kwargs), if the create_foo operation can be paginated, you can use the call client.get_paginator("create_foo").
Returns
True if the operation can be paginated, False otherwise.
create_detector(**kwargs)
Creates a single Amazon GuardDuty detector. A detector is a resource that represents the GuardDuty service. To start using GuardDuty, you must create a detector in each Region where you enable the service. You can have only one detector per account per Region.
See also: AWS API Documentation
Request Syntax
response = client.create_detector(
Enable=True|False,
ClientToken='string',
FindingPublishingFrequency='FIFTEEN_MINUTES'|'ONE_HOUR'|'SIX_HOURS',
Tags={
'string': 'string'
}
)
Parameters
Enable (boolean) --
[REQUIRED]
A Boolean value that specifies whether the detector is to be enabled.
ClientToken (string) --
The idempotency token for the create request.
This field is autopopulated if not provided.
FindingPublishingFrequency (string) --
The publishing frequency for findings (one of the values shown in the request syntax).
Tags (dict) --
The tags to be added to a new detector resource.
Return type
dict
Returns
Response Syntax
{
'DetectorId': 'string'
}
Response Structure
(dict) --
DetectorId (string) --
The unique ID of the created detector.
Exceptions
create_filter(**kwargs)
Creates a filter using the specified finding criteria.
See also: AWS API Documentation
Request Syntax
response = client.create_filter(
DetectorId='string',
Name='string',
Description='string',
Action='NOOP'|'ARCHIVE',
Rank=123,
FindingCriteria={
'Criterion': {
'string': {
'Eq': [
'string',
],
'Neq': [
'string',
],
'Gt': 123,
'Gte': 123,
'Lt': 123,
'Lte': 123,
'Equals': [
'string',
],
'NotEquals': [
'string',
],
'GreaterThan': 123,
'GreaterThanOrEqual': 123,
'LessThan': 123,
'LessThanOrEqual': 123
}
}
},
ClientToken='string',
Tags={
'string': 'string'
}
)
Parameters
DetectorId (string) --
[REQUIRED]
The unique ID of the detector of the GuardDuty account that you want to create a filter for.
Name (string) --
[REQUIRED]
The name of the filter.
Description (string) --
The description of the filter.
Action (string) --
Specifies the action that is to be applied to the findings that match the filter.
Rank (integer) --
Specifies the position of the filter in the list of current filters. Also specifies the order in which this filter is applied to the findings.
FindingCriteria (dict) --
[REQUIRED]
Represents the criteria to be used in the filter for querying findings.
Only a fixed set of finding attributes can be used as criterion keys; the list of supported attributes is in the AWS API documentation for this operation.
Criterion (dict) --
Represents a map of finding properties that match specified conditions and values when querying findings.
(string) --
(dict) --
Contains information about the condition.
Eq (list) --
Represents the equal condition to be applied to a single field when querying for findings.
Neq (list) --
Represents the not equal condition to be applied to a single field when querying for findings.
Gt (integer) --
Represents a greater than condition to be applied to a single field when querying for findings.
Gte (integer) --
Represents a greater than or equal condition to be applied to a single field when querying for findings.
Lt (integer) --
Represents a less than condition to be applied to a single field when querying for findings.
Lte (integer) --
Represents a less than or equal condition to be applied to a single field when querying for findings.
Equals (list) --
Represents an equal condition to be applied to a single field when querying for findings.
NotEquals (list) --
Represents a not equal condition to be applied to a single field when querying for findings.
GreaterThan (integer) --
Represents a greater than condition to be applied to a single field when querying for findings.
GreaterThanOrEqual (integer) --
Represents a greater than or equal condition to be applied to a single field when querying for findings.
LessThan (integer) --
Represents a less than condition to be applied to a single field when querying for findings.
LessThanOrEqual (integer) --
Represents a less than or equal condition to be applied to a single field when querying for findings.
ClientToken (string) --
The idempotency token for the create request.
This field is autopopulated if not provided.
Tags (dict) --
The tags to be added to a new filter resource.
Return type
dict
Returns
Response Syntax
{
'Name': 'string'
}
Response Structure
(dict) --
Name (string) --
The name of the successfully created filter.
Exceptions
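A filter whose Action is ARCHIVE silently hides every finding it matches, so the criteria deserve a dry run against real findings before the filter exists. The following script is an added example, not code from the boto3 documentation: it builds FindingCriteria with the condition keys listed above, evaluates them locally against constructed sample findings in the get_findings() response shape, and only then calls create_filter() and archive_findings(). The criterion keys type, severity and resource.instanceDetails.instanceId are assumed to be on GuardDuty's filterable-attribute list; the instance ID, detector ID, filter name and the 50-ID limit for archive_findings() are assumptions to check against the AWS documentation.

```python
"""Dry-run an ARCHIVE filter locally before creating it with create_filter()."""
from typing import Any, Dict, List

# Constructed sample findings in the shape get_findings() returns (only the
# fields the criteria look at are filled in).
SAMPLE_FINDINGS: List[Dict[str, Any]] = [
    {"Id": "f-1", "Type": "Recon:EC2/Portscan", "Severity": 5.0,
     "Resource": {"InstanceDetails": {"InstanceId": "i-0scanner000000001"}}},
    {"Id": "f-2", "Type": "Recon:EC2/Portscan", "Severity": 5.0,
     "Resource": {"InstanceDetails": {"InstanceId": "i-0webserver0000001"}}},
    {"Id": "f-3", "Type": "UnauthorizedAccess:EC2/SSHBruteForce", "Severity": 5.0,
     "Resource": {"InstanceDetails": {"InstanceId": "i-0scanner000000001"}}},
    {"Id": "f-4", "Type": "Recon:EC2/Portscan", "Severity": 8.0,
     "Resource": {"AccessKeyDetails": {"AccessKeyId": "AKIAEXAMPLE"}}},  # no InstanceDetails
]


def scanner_criteria(scanner_instance_id: str) -> Dict[str, Any]:
    """Suppress only the port-scan finding type, only for the authorised scanner
    instance, and only while severity stays below High (7.0), so a future change
    in how GuardDuty scores the activity is not hidden as well."""
    return {"Criterion": {
        "type": {"Equals": ["Recon:EC2/Portscan"]},
        "resource.instanceDetails.instanceId": {"Equals": [scanner_instance_id]},
        "severity": {"LessThan": 7},
    }}


def lookup(finding: Dict[str, Any], path: str) -> Any:
    """Resolve a dotted criterion key against a boto3 finding dict. Criterion keys
    use the JSON field names (lowerCamelCase); boto3 responses use the same names
    with an upper-case first letter."""
    node: Any = finding
    for segment in path.split("."):
        key = segment[0].upper() + segment[1:]
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


OPS = {
    "Eq": lambda v, a: str(v) in a, "Equals": lambda v, a: str(v) in a,
    "Neq": lambda v, a: str(v) not in a, "NotEquals": lambda v, a: str(v) not in a,
    "Gt": lambda v, a: float(v) > a, "GreaterThan": lambda v, a: float(v) > a,
    "Gte": lambda v, a: float(v) >= a, "GreaterThanOrEqual": lambda v, a: float(v) >= a,
    "Lt": lambda v, a: float(v) < a, "LessThan": lambda v, a: float(v) < a,
    "Lte": lambda v, a: float(v) <= a, "LessThanOrEqual": lambda v, a: float(v) <= a,
}


def matches(finding: Dict[str, Any], criteria: Dict[str, Any]) -> bool:
    """All criterion keys must hold (AND). A finding that lacks the attribute never
    matches here; this is a local approximation, GuardDuty's evaluation is authoritative."""
    for path, conditions in criteria["Criterion"].items():
        value = lookup(finding, path)
        if value is None:
            return False
        if not all(OPS[op](value, arg) for op, arg in conditions.items()):
            return False
    return True


def dry_run(findings: List[Dict[str, Any]], criteria: Dict[str, Any]) -> List[str]:
    """IDs the filter would archive; review this list before creating the filter."""
    return [f["Id"] for f in findings if matches(f, criteria)]


def create_archive_filter(client, detector_id: str, name: str, criteria: Dict[str, Any], rank: int = 1) -> str:
    """Create the filter (master account only) and return its name."""
    return client.create_filter(
        DetectorId=detector_id, Name=name, Action="ARCHIVE", Rank=rank,
        Description="auto-archive port-scan findings from the authorised scanner",
        FindingCriteria=criteria,
    )["Name"]


def archive_existing(client, detector_id: str, finding_ids: List[str]) -> None:
    """Archive findings that predate the filter, 50 IDs per call (assumed API limit)."""
    for start in range(0, len(finding_ids), 50):
        client.archive_findings(DetectorId=detector_id, FindingIds=finding_ids[start:start + 50])


if __name__ == "__main__":
    import boto3  # only needed for the live calls below
    criteria = scanner_criteria("i-0scanner000000001")
    print("would archive:", dry_run(SAMPLE_FINDINGS, criteria))  # ['f-1']
    gd = boto3.client("guardduty")
    detector = "REPLACE-WITH-DETECTOR-ID"
    create_archive_filter(gd, detector, "scanner-portscan-archive", criteria)
    archive_existing(gd, detector, dry_run(SAMPLE_FINDINGS, criteria))
```

Run the dry run against a page of real findings from get_findings() first; if anything other than the scanner's own port-scan findings shows up, the criteria are too wide and should be tightened before the filter is created.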
create_ip_set(**kwargs)
Creates a new IPSet, which is called a trusted IP list in the console user interface. An IPSet is a list of IP addresses that are trusted for secure communication with AWS infrastructure and applications. GuardDuty doesn't generate findings for IP addresses that are included in IPSets. Only users from the master account can use this operation.
See also: AWS API Documentation
Request Syntax
response = client.create_ip_set(
DetectorId='string',
Name='string',
Format='TXT'|'STIX'|'OTX_CSV'|'ALIEN_VAULT'|'PROOF_POINT'|'FIRE_EYE',
Location='string',
Activate=True|False,
ClientToken='string',
Tags={
'string': 'string'
}
)
Parameters
DetectorId (string) --
[REQUIRED]
The unique ID of the detector of the GuardDuty account that you want to create an IPSet for.
Name (string) --
[REQUIRED]
The user-friendly name to identify the IPSet.
Allowed characters are alphanumerics, spaces, hyphens (-), and underscores (_).
Format (string) --
[REQUIRED]
The format of the file that contains the IPSet.
Location (string) --
[REQUIRED]
The URI of the file that contains the IPSet. For example: https://s3.us-west-2.amazonaws.com/my-bucket/my-object-key.
Activate (boolean) --
[REQUIRED]
A Boolean value that indicates whether GuardDuty is to start using the uploaded IPSet.
ClientToken (string) --
The idempotency token for the create request.
This field is autopopulated if not provided.
Tags (dict) --
The tags to be added to a new IP set resource.
Return type
dict
Returns
Response Syntax
{
'IpSetId': 'string'
}
Response Structure
(dict) --
IpSetId (string) --
The ID of the IPSet resource.
Exceptions
create_members(**kwargs)
Creates member accounts of the current AWS account by specifying a list of AWS account IDs. The current AWS account can then invite these members to manage GuardDuty in their accounts.
See also: AWS API Documentation
Request Syntax
response = client.create_members(
DetectorId='string',
AccountDetails=[
{
'AccountId': 'string',
'Email': 'string'
},
]
)
Parameters
DetectorId (string) --
[REQUIRED]
The unique ID of the detector of the GuardDuty account that you want to associate member accounts with.
AccountDetails (list) --
[REQUIRED]
A list of account ID and email address pairs of the accounts that you want to associate with the master GuardDuty account.
(dict) --
Contains information about the account.
AccountId (string) --
The member account ID.
Email (string) --
The email address of the member account.
Return type
dict
Returns
Response Syntax
{
'UnprocessedAccounts': [
{
'AccountId': 'string',
'Result': 'string'
},
]
}
Response Structure
(dict) --
UnprocessedAccounts (list) --
A list of objects that include the accountIds of the unprocessed accounts and a result string that explains why each was unprocessed.
(dict) --
Contains information about the accounts that weren't processed.
AccountId (string) --
The AWS account ID.
Result (string) --
A reason why the account hasn't been processed.
Exceptions
create_publishing_destination(**kwargs)
Creates a publishing destination to export findings to. The resource to export findings to must exist before you use this operation.
See also: AWS API Documentation
Request Syntax
response = client.create_publishing_destination(
DetectorId='string',
DestinationType='S3',
DestinationProperties={
'DestinationArn': 'string',
'KmsKeyArn': 'string'
},
ClientToken='string'
)
Parameters
DetectorId (string) --
[REQUIRED]
The ID of the GuardDuty detector associated with the publishing destination.
DestinationType (string) --
[REQUIRED]
The type of resource for the publishing destination. Currently only Amazon S3 buckets are supported.
DestinationProperties (dict) --
[REQUIRED]
The properties of the publishing destination, including the ARNs for the destination and the KMS key used for encryption.
DestinationArn (string) --
The ARN of the resource to publish to.
KmsKeyArn (string) --
The ARN of the KMS key to use for encryption.
ClientToken (string) --
The idempotency token for the request.
This field is autopopulated if not provided.
Return type
dict
Returns
Response Syntax
{
'DestinationId': 'string'
}
Response Structure
(dict) --
DestinationId (string) --
The ID of the publishing destination that is created.
Exceptions
create_sample_findings(**kwargs)
Generates example findings of types specified by the list of finding types. If 'NULL' is specified for findingTypes , the API generates example findings of all supported finding types.
See also: AWS API Documentation
Request Syntax
response = client.create_sample_findings(
DetectorId='string',
FindingTypes=[
'string',
]
)
Parameters
DetectorId (string) --
[REQUIRED]
The ID of the detector to create sample findings for.
FindingTypes (list) --
The types of sample findings to generate.
Return type
dict
Returns
Response Syntax
{}
Response Structure
Exceptions
create_threat_intel_set(**kwargs)
Creates a new ThreatIntelSet. ThreatIntelSets consist of known malicious IP addresses. GuardDuty generates findings based on ThreatIntelSets. Only users of the master account can use this operation.
See also: AWS API Documentation
Request Syntax
response = client.create_threat_intel_set(
DetectorId='string',
Name='string',
Format='TXT'|'STIX'|'OTX_CSV'|'ALIEN_VAULT'|'PROOF_POINT'|'FIRE_EYE',
Location='string',
Activate=True|False,
ClientToken='string',
Tags={
'string': 'string'
}
)
Parameters
DetectorId (string) --
[REQUIRED]
The unique ID of the detector of the GuardDuty account that you want to create a threatIntelSet for.
Name (string) --
[REQUIRED]
A user-friendly ThreatIntelSet name displayed in all findings that are generated by activity that involves IP addresses included in this ThreatIntelSet.
Format (string) --
[REQUIRED]
The format of the file that contains the ThreatIntelSet.
Location (string) --
[REQUIRED]
The URI of the file that contains the ThreatIntelSet. For example: https://s3.us-west-2.amazonaws.com/my-bucket/my-object-key.
Activate (boolean) --
[REQUIRED]
A Boolean value that indicates whether GuardDuty is to start using the uploaded ThreatIntelSet.
ClientToken (string) --
The idempotency token for the create request.
This field is autopopulated if not provided.
Tags (dict) --
The tags to be added to a new threat list resource.
Return type
dict
Returns
Response Syntax
{
'ThreatIntelSetId': 'string'
}
Response Structure
(dict) --
ThreatIntelSetId (string) --
The ID of the ThreatIntelSet resource.
Exceptions
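Both create_ip_set() and create_threat_intel_set() take a file that GuardDuty trusts as-is, and the consequences of a bad line differ: an over-broad entry on a trusted IP list is a permanent detection blind spot, while a private range on a threat list can never match anything. The following script is an added example, not code from the boto3 documentation, that lints a Format='TXT' list (taken here to mean one IPv4 address or CIDR block per line; skipping blank and '#' lines is this script's convention, not necessarily GuardDuty's), uploads it to S3 with put_object(), and registers it with the matching create call. The IPv4-only assumption, the prefix-length thresholds, and the bucket, key, region and detector IDs are all assumptions or placeholders.

```python
"""Lint a TXT list before it becomes an IPSet (trusted IP list) or a ThreatIntelSet."""
import ipaddress
from typing import List, Tuple

# Address space that never appears as a routable remote peer; an entry that
# overlaps it is a mistake on either kind of list.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

Problem = Tuple[int, str, str]  # (line number, original text, reason)


def lint_ip_list(text: str, kind: str, min_prefixlen_trusted: int = 24) -> Tuple[List[str], List[Problem]]:
    """Return (canonical entries safe to upload, problems found).

    kind is 'trusted' or 'threat'. A trusted list may not contain prefixes
    shorter than /min_prefixlen_trusted; a threat list is allowed 8 more bits
    of width (a /16 by default) because a wide threat entry only adds noise,
    whereas a wide trusted entry removes detection."""
    min_prefixlen = min_prefixlen_trusted if kind == "trusted" else min_prefixlen_trusted - 8
    entries: List[str] = []
    problems: List[Problem] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)  # host bits are masked off
        except ValueError:
            problems.append((lineno, raw, "not an IP address or CIDR block"))
            continue
        if net.version != 4:
            problems.append((lineno, raw, "IPv6 entry (lists are assumed to be IPv4-only)"))
        elif net.prefixlen == 0:
            problems.append((lineno, raw, "matches every address"))
        elif any(net.overlaps(r) for r in NON_ROUTABLE):
            problems.append((lineno, raw, "overlaps private or reserved address space"))
        elif net.prefixlen < min_prefixlen:
            problems.append((lineno, raw, f"wider than /{min_prefixlen} (too broad for a {kind} list)"))
        else:
            entries.append(str(net))
    return entries, problems


def publish_list(client, s3, detector_id: str, bucket: str, key: str, region: str,
                 name: str, text: str, kind: str) -> str:
    """Upload the linted list and register it with GuardDuty; refuses to proceed
    on any lint problem so a bad line cannot slip into production."""
    entries, problems = lint_ip_list(text, kind)
    if problems:
        raise ValueError("fix before uploading: " + "; ".join(f"line {n}: {why}" for n, _, why in problems))
    s3.put_object(Bucket=bucket, Key=key, Body=("\n".join(entries) + "\n").encode())
    location = f"https://s3.{region}.amazonaws.com/{bucket}/{key}"  # URI form shown in the docs
    if kind == "trusted":
        return client.create_ip_set(DetectorId=detector_id, Name=name, Format="TXT",
                                    Location=location, Activate=True)["IpSetId"]
    return client.create_threat_intel_set(DetectorId=detector_id, Name=name, Format="TXT",
                                          Location=location, Activate=True)["ThreatIntelSetId"]


# Constructed sample list with deliberate mistakes on lines 4 to 8.
SAMPLE_TRUSTED_LIST = """\
# authorised external scanner egress (constructed example)
203.0.113.10
203.0.113.0/28
10.0.0.0/8
198.51.100.0/8
0.0.0.0/0
2001:db8::1
scanner.example.com
"""

if __name__ == "__main__":
    import boto3
    good, bad = lint_ip_list(SAMPLE_TRUSTED_LIST, "trusted")
    print("ok:", good)
    for lineno, raw, why in bad:
        print(f"line {lineno}: {raw!r}: {why}")
    # publish_list(boto3.client("guardduty"), boto3.client("s3"), "REPLACE-WITH-DETECTOR-ID",
    #              "my-bucket", "trusted-ips.txt", "us-west-2", "scanner-egress", SAMPLE_TRUSTED_LIST, "trusted")
```

Because ip_network() is called with strict=False, an entry such as 198.51.100.0/8 is normalised to 198.0.0.0/8 before the width check, which is exactly the mistake the check exists to catch: the author meant a /24 and typed a /8.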
decline_invitations(**kwargs)
Declines invitations sent to the current member account by AWS accounts specified by their account IDs.
See also: AWS API Documentation
Request Syntax
response = client.decline_invitations(
AccountIds=[
'string',
]
)
Parameters
AccountIds (list) --
[REQUIRED]
A list of account IDs of the AWS accounts that sent invitations to the current member account that you want to decline invitations from.
Return type
dict
Returns
Response Syntax
{
'UnprocessedAccounts': [
{
'AccountId': 'string',
'Result': 'string'
},
]
}
Response Structure
(dict) --
UnprocessedAccounts (list) --
A list of objects that contain the unprocessed account and a result string that explains why it was unprocessed.
(dict) --
Contains information about the accounts that weren't processed.
AccountId (string) --
The AWS account ID.
Result (string) --
A reason why the account hasn't been processed.
Exceptions
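The master/member relationship is established from both ends: the master calls create_members() (which reports failures through UnprocessedAccounts instead of raising), and the member calls accept_invitation() with the MasterId and InvitationId from the invitation. Accepting gives the inviting account visibility into the member's findings, so a member should accept only the invitation from the account it expects and decline the rest. The script below is an added example, not code from the boto3 documentation; it assumes create_members() accepts at most 50 AccountDetails per call, that the invitation dicts have the AccountId and InvitationId fields returned by list_invitations(), and uses placeholder account IDs and e-mail addresses.

```python
"""Onboard member accounts, and accept only the expected master's invitation."""
import re
from typing import Dict, Iterable, List, Optional, Tuple

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
CREATE_MEMBERS_BATCH = 50  # assumed per-call limit on AccountDetails


def validate_members(members: Iterable[Tuple[str, str]]) -> Tuple[List[Dict[str, str]], Dict[str, str]]:
    """Turn (account_id, email) pairs into AccountDetails entries; return
    (entries, {account_id: reason}) for anything rejected before the API call."""
    details: List[Dict[str, str]] = []
    rejected: Dict[str, str] = {}
    seen = set()
    for account_id, email in members:
        if not ACCOUNT_ID_RE.match(account_id):
            rejected[account_id] = "account ID must be exactly 12 digits"
        elif not EMAIL_RE.match(email):
            rejected[account_id] = "malformed e-mail address"
        elif account_id in seen:
            rejected[account_id] = "listed more than once"
        else:
            seen.add(account_id)
            details.append({"AccountId": account_id, "Email": email})
    return details, rejected


def create_members_checked(client, detector_id: str, members: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Master side: create members in batches and return {account_id: reason} for
    every account rejected locally or reported back in UnprocessedAccounts."""
    details, failures = validate_members(members)
    for start in range(0, len(details), CREATE_MEMBERS_BATCH):
        resp = client.create_members(DetectorId=detector_id,
                                     AccountDetails=details[start:start + CREATE_MEMBERS_BATCH])
        for item in resp.get("UnprocessedAccounts", []):
            failures[item["AccountId"]] = item["Result"]
    return failures


def choose_invitation(invitations: List[Dict[str, str]], expected_master: str):
    """Pick the invitation sent by expected_master; every other sender is declined."""
    accept: Optional[Dict[str, str]] = None
    decline: List[str] = []
    for inv in invitations:
        if inv["AccountId"] == expected_master and accept is None:
            accept = inv
        else:
            decline.append(inv["AccountId"])
    return accept, decline


def accept_expected_invitation(client, detector_id: str, expected_master: str,
                               invitations: List[Dict[str, str]]) -> str:
    """Member side: decline strangers first, then accept the pinned master.
    Returns the accepted InvitationId."""
    accept, decline = choose_invitation(invitations, expected_master)
    if decline:
        client.decline_invitations(AccountIds=decline)
    if accept is None:
        raise RuntimeError(f"no invitation from expected master account {expected_master}")
    client.accept_invitation(DetectorId=detector_id, MasterId=accept["AccountId"],
                             InvitationId=accept["InvitationId"])
    return accept["InvitationId"]


# Constructed sample data (placeholder account IDs).
SAMPLE_MEMBERS = [("111122223333", "sec@example.com"), ("111122223333", "dup@example.com"),
                  ("12345", "short@example.com"), ("444455556666", "not-an-email")]
SAMPLE_INVITATIONS = [{"AccountId": "999988887777", "InvitationId": "inv-stranger"},
                      {"AccountId": "111122223333", "InvitationId": "inv-expected"}]

if __name__ == "__main__":
    import boto3
    gd = boto3.client("guardduty")
    detector = "REPLACE-WITH-DETECTOR-ID"
    print("master side, not onboarded:", create_members_checked(gd, detector, SAMPLE_MEMBERS))
    # Member side, run in the member account with the output of gd.list_invitations():
    # accept_expected_invitation(gd, detector, "111122223333", SAMPLE_INVITATIONS)
```

Declining before accepting means a rogue invitation that arrived alongside the real one is never left pending in the member account; list_invitations() afterwards should show nothing outstanding.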
delete_detector(**kwargs)
Deletes an Amazon GuardDuty detector that is specified by the detector ID.
See also: AWS API Documentation
Request Syntax
response = client.delete_detector(
DetectorId='string'
)
Parameters
DetectorId (string) --
[REQUIRED]
The unique ID of the detector that you want to delete.
Return type
dict
Returns
Response Syntax
{}
Response Structure
Exceptions
delete_filter(**kwargs)
Deletes the filter specified by the filter name.
See also: AWS API Documentation
Request Syntax
response = client.delete_filter(
DetectorId='string',
FilterName='string'
)
Parameters
DetectorId (string) --
[REQUIRED]
The unique ID of the detector that the filter is associated with.
FilterName (string) --
[REQUIRED]
The name of the filter that you want to delete.
Return type
dict
Returns
Response Syntax
{}
Response Structure
Exceptions
delete_invitations(**kwargs)
Deletes invitations sent to the current member account by AWS accounts specified by their account IDs.
See also: AWS API Documentation
Request Syntax
response = client.delete_invitations(
AccountIds=[
'string',
]
)
Parameters
AccountIds (list) --
[REQUIRED]
A list of account IDs of the AWS accounts that sent invitations to the current member account that you want to delete invitations from.
Return type
dict
Returns
Response Syntax
{
'UnprocessedAccounts': [
{
'AccountId': 'string',
'Result': 'string'
},
]
}
Response Structure
(dict) --
UnprocessedAccounts (list) --
A list of objects that contain the unprocessed account and a result string that explains why it was unprocessed.
(dict) --
Contains information about the accounts that weren't processed.
AccountId (string) --
The AWS account ID.
Result (string) --
A reason why the account hasn't been processed.
Exceptions
delete_ip_set(**kwargs)
Deletes the IPSet specified by the ipSetId . IPSets are called trusted IP lists in the console user interface.
See also: AWS API Documentation
Request Syntax
response = client.delete_ip_set(
DetectorId='string',
IpSetId='string'
)
Parameters
DetectorId (string) --
[REQUIRED]
The unique ID of the detector associated with the IPSet.
IpSetId (string) --
[REQUIRED]
The unique ID of the IPSet to delete.
Return type
dict
Returns
Response Syntax
{}
Response Structure
Exceptions
delete_members(**kwargs)
Deletes GuardDuty member accounts (of the current GuardDuty master account) specified by the account IDs.
See also: AWS API Documentation
Request Syntax
response = client.delete_members(
DetectorId='string',
AccountIds=[
'string',
]
)
Parameters
DetectorId (string) --
[REQUIRED]
The unique ID of the detector of the GuardDuty account whose members you want to delete.
AccountIds (list) --
[REQUIRED]
A list of account IDs of the GuardDuty member accounts that you want to delete.
Return type
dict
Returns
Response Syntax
{
'UnprocessedAccounts': [
{
'AccountId': 'string',
'Result': 'string'
},
]
}
Response Structure
(dict) --
UnprocessedAccounts (list) --
The accounts that could not be processed.
(dict) --
Contains information about the accounts that weren't processed.
AccountId (string) --
The AWS account ID.
Result (string) --
A reason why the account hasn't been processed.
Exceptions
delete_publishing_destination(**kwargs)
Deletes the publishing destination with the specified destinationId .
See also: AWS API Documentation
Request Syntax
response = client.delete_publishing_destination(
DetectorId='string',
DestinationId='string'
)
Parameters
DetectorId (string) --
[REQUIRED]
The unique ID of the detector associated with the publishing destination to delete.
DestinationId (string) --
[REQUIRED]
The ID of the publishing destination to delete.
Return type
dict
Returns
Response Syntax
{}
Response Structure
Exceptions
delete_threat_intel_set(**kwargs)
Deletes the ThreatIntelSet specified by the ThreatIntelSet ID.
See also: AWS API Documentation
Request Syntax
response = client.delete_threat_intel_set(
DetectorId='string',
ThreatIntelSetId='string'
)
Parameters
DetectorId (string) --
[REQUIRED]
The unique ID of the detector that the threatIntelSet is associated with.
ThreatIntelSetId (string) --
[REQUIRED]
The unique ID of the threatIntelSet that you want to delete.
Return type
dict
Returns
Response Syntax
{}
Response Structure
Exceptions
describe_organization_configuration(**kwargs)
Returns information about the account selected as the delegated administrator for GuardDuty.
See also: AWS API Documentation
Request Syntax
response = client.describe_organization_configuration(
DetectorId='string'
)
Parameters
DetectorId (string) --
[REQUIRED]
The ID of the detector to retrieve information about the delegated administrator from.
Return type
dict
Returns
Response Syntax
{
'AutoEnable': True|False,
'MemberAccountLimitReached': True|False
}
Response Structure
(dict) --
AutoEnable (boolean) --
Indicates whether GuardDuty is automatically enabled for accounts added to the organization.
MemberAccountLimitReached (boolean) --
Indicates whether the maximum number of allowed member accounts are already associated with the delegated administrator master account.
Exceptions
describe_publishing_destination(**kwargs)
Returns information about the publishing destination specified by the provided destinationId .
See also: AWS API Documentation
Request Syntax
response = client.describe_publishing_destination(
DetectorId='string',
DestinationId='string'
)
Parameters
DetectorId (string) --
[REQUIRED]
The unique ID of the detector associated with the publishing destination to retrieve.
DestinationId (string) --
[REQUIRED]
The ID of the publishing destination to retrieve.
Return type
dict
Returns
Response Syntax
{
'DestinationId': 'string',
'DestinationType': 'S3',
'Status': 'PENDING_VERIFICATION'|'PUBLISHING'|'UNABLE_TO_PUBLISH_FIX_DESTINATION_PROPERTY'|'STOPPED',
'PublishingFailureStartTimestamp': 123,
'DestinationProperties': {
'DestinationArn': 'string',
'KmsKeyArn': 'string'
}
}
Response Structure
(dict) --
DestinationId (string) --
The ID of the publishing destination.
DestinationType (string) --
The type of publishing destination. Currently, only Amazon S3 buckets are supported.
Status (string) --
The status of the publishing destination.
PublishingFailureStartTimestamp (integer) --
The time, in epoch millisecond format, at which GuardDuty was first unable to publish findings to the destination.
DestinationProperties (dict) --
A DestinationProperties object that includes the DestinationArn and KmsKeyArn of the publishing destination.
DestinationArn (string) --
The ARN of the resource to publish to.
KmsKeyArn (string) --
The ARN of the KMS key to use for encryption.
Exceptions
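create_publishing_destination() requires the bucket and KMS key to exist and to be writable by the GuardDuty service principal, and the only signal that they are not is the Status that describe_publishing_destination() reports afterwards. The script below is an added example, not code from the boto3 documentation: it builds the bucket policy and the KMS key-policy statement GuardDuty needs (s3:GetBucketLocation and s3:PutObject on the bucket, kms:GenerateDataKey on the key, each granted to guardduty.amazonaws.com and pinned with aws:SourceAccount / aws:SourceArn to this account's detector so another account's detector cannot write into the bucket), creates the destination, and polls until the Status leaves PENDING_VERIFICATION. The policy shape follows the GuardDuty exporting-findings guidance and should be checked against the current AWS documentation; the KMS statement is meant to be appended to the key's existing policy, never to replace it. Bucket name, key ARN, account ID, region and detector ID are placeholders.

```python
"""Create an S3 publishing destination and verify that it actually publishes."""
import time
from datetime import datetime, timezone
from typing import Any, Dict, Tuple


def detector_arn(region: str, account_id: str, detector_id: str) -> str:
    return f"arn:aws:guardduty:{region}:{account_id}:detector/{detector_id}"


def source_condition(account_id: str, det_arn: str) -> Dict[str, Any]:
    """Confused-deputy guard: only this account's detector may use the grant."""
    return {"StringEquals": {"aws:SourceAccount": account_id},
            "ArnLike": {"aws:SourceArn": det_arn}}


def guardduty_bucket_policy(bucket: str, account_id: str, det_arn: str) -> Dict[str, Any]:
    principal = {"Service": "guardduty.amazonaws.com"}
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AllowGuardDutyGetBucketLocation", "Effect": "Allow", "Principal": principal,
         "Action": "s3:GetBucketLocation", "Resource": f"arn:aws:s3:::{bucket}",
         "Condition": source_condition(account_id, det_arn)},
        {"Sid": "AllowGuardDutyPutObject", "Effect": "Allow", "Principal": principal,
         "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{bucket}/*",
         "Condition": source_condition(account_id, det_arn)},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ]}


def guardduty_key_statement(account_id: str, det_arn: str) -> Dict[str, Any]:
    """Statement to append to the key policy; GuardDuty needs a data key to encrypt exports."""
    return {"Sid": "AllowGuardDutyGenerateDataKey", "Effect": "Allow",
            "Principal": {"Service": "guardduty.amazonaws.com"},
            "Action": "kms:GenerateDataKey", "Resource": "*",
            "Condition": source_condition(account_id, det_arn)}


def destination_health(desc: Dict[str, Any]) -> Tuple[str, str]:
    """Map describe_publishing_destination() output to (state, message)."""
    status = desc["Status"]
    if status == "PUBLISHING":
        return "ok", "findings are being exported"
    if status == "PENDING_VERIFICATION":
        return "wait", "GuardDuty has not verified the destination yet"
    if status == "UNABLE_TO_PUBLISH_FIX_DESTINATION_PROPERTY":
        # PublishingFailureStartTimestamp is epoch milliseconds.
        since = datetime.fromtimestamp(desc["PublishingFailureStartTimestamp"] / 1000, tz=timezone.utc)
        arn = desc["DestinationProperties"]["DestinationArn"]
        return "fix", f"unable to write to {arn} since {since.isoformat()}; check the bucket and key policies"
    return "stopped", f"destination status is {status}"


def create_and_verify(client, detector_id: str, bucket_arn: str, kms_key_arn: str,
                      attempts: int = 12, delay: float = 10.0) -> Tuple[str, str, str]:
    """Create the destination and poll until it publishes or fails; returns (id, state, message)."""
    dest_id = client.create_publishing_destination(
        DetectorId=detector_id, DestinationType="S3",
        DestinationProperties={"DestinationArn": bucket_arn, "KmsKeyArn": kms_key_arn})["DestinationId"]
    for _ in range(attempts):
        desc = client.describe_publishing_destination(DetectorId=detector_id, DestinationId=dest_id)
        state, message = destination_health(desc)
        if state != "wait":
            return dest_id, state, message
        time.sleep(delay)
    return dest_id, "wait", "still pending verification after polling"


# Constructed describe_publishing_destination() output for a failing destination.
SAMPLE_FAILED = {"DestinationId": "dst-1", "DestinationType": "S3",
                 "Status": "UNABLE_TO_PUBLISH_FIX_DESTINATION_PROPERTY",
                 "PublishingFailureStartTimestamp": 1609459200000,
                 "DestinationProperties": {"DestinationArn": "arn:aws:s3:::guardduty-findings-example",
                                           "KmsKeyArn": "arn:aws:kms:us-west-2:111122223333:key/EXAMPLE"}}

if __name__ == "__main__":
    import json
    arn = detector_arn("us-west-2", "111122223333", "REPLACE-WITH-DETECTOR-ID")
    print(json.dumps(guardduty_bucket_policy("guardduty-findings-example", "111122223333", arn), indent=2))
    print(json.dumps(guardduty_key_statement("111122223333", arn), indent=2))
    print(destination_health(SAMPLE_FAILED))
    # import boto3; print(create_and_verify(boto3.client("guardduty"), "REPLACE-WITH-DETECTOR-ID",
    #     "arn:aws:s3:::guardduty-findings-example", SAMPLE_FAILED["DestinationProperties"]["KmsKeyArn"]))
```

A destination that reaches UNABLE_TO_PUBLISH_FIX_DESTINATION_PROPERTY keeps that status until the bucket or key policy is repaired; the failure timestamp tells the responder how long exports have been missing from the archive.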
disable_organization_admin_account(**kwargs)
Disables an AWS account within the Organization as the GuardDuty delegated administrator.
See also: AWS API Documentation
Request Syntax
response = client.disable_organization_admin_account(
AdminAccountId='string'
)
Parameters
AdminAccountId (string) --
[REQUIRED]
The AWS account ID of the organization account to be disabled as a GuardDuty delegated administrator.
Return type
dict
Returns
Response Syntax
{}
Response Structure
Exceptions
disassociate_from_master_account(**kwargs)
Disassociates the current GuardDuty member account from its master account.
See also: AWS API Documentation
Request Syntax
response = client.disassociate_from_master_account(
DetectorId='string'
)
Parameters
DetectorId (string) --
[REQUIRED]
The unique ID of the detector of the GuardDuty member account.
Return type
dict
Returns
Response Syntax
{}
Response Structure
Exceptions
disassociate_members(**kwargs)
Disassociates GuardDuty member accounts (of the current GuardDuty master account) specified by the account IDs.
See also: AWS API Documentation
Request Syntax
response = client.disassociate_members(
DetectorId='string',
AccountIds=[
'string',
]
)
Parameters
DetectorId (string) --
[REQUIRED]
The unique ID of the detector of the GuardDuty account whose members you want to disassociate from the master account.
AccountIds (list) --
[REQUIRED]
A list of account IDs of the GuardDuty member accounts that you want to disassociate from the master account.
Return type
dict
Returns
Response Syntax
{
'UnprocessedAccounts': [
{
'AccountId': 'string',
'Result': 'string'
},
]
}
Response Structure
(dict) --
UnprocessedAccounts (list) --
A list of objects that contain the unprocessed account and a result string that explains why it was unprocessed.
(dict) --
Contains information about the accounts that weren't processed.
AccountId (string) --
The AWS account ID.
Result (string) --
A reason why the account hasn't been processed.
Exceptions
enable_organization_admin_account(**kwargs)
Enables an AWS account within the organization as the GuardDuty delegated administrator.
See also: AWS API Documentation
Request Syntax
response = client.enable_organization_admin_account(
AdminAccountId='string'
)
Parameters
AdminAccountId (string) --
[REQUIRED]
The AWS Account ID for the organization account to be enabled as a GuardDuty delegated administrator.
Return type
dict
Returns
Response Syntax
{}
Response Structure
Exceptions
generate_presigned_url(ClientMethod, Params=None, ExpiresIn=3600, HttpMethod=None)
Generate a presigned url given a client, its method, and arguments
Parameters
ClientMethod (string) -- The client method to presign for
Params (dict) -- The parameters normally passed to ClientMethod.
ExpiresIn (int) -- The number of seconds the presigned url is valid for. By default it expires in an hour (3600 seconds)
HttpMethod (string) -- The http method to use on the generated url. By default, the http method is whatever is used in the method's model.
Returns
The presigned url
get_detector(**kwargs)
Retrieves an Amazon GuardDuty detector specified by the detectorId.
See also: AWS API Documentation
Request Syntax
response = client.get_detector(
DetectorId='string'
)
Parameters
DetectorId (string) --
[REQUIRED]
The unique ID of the detector that you want to get.
Return type
dict
Returns
Response Syntax
{
'CreatedAt': 'string',
'FindingPublishingFrequency': 'FIFTEEN_MINUTES'|'ONE_HOUR'|'SIX_HOURS',
'ServiceRole': 'string',
'Status': 'ENABLED'|'DISABLED',
'UpdatedAt': 'string',
'Tags': {
'string': 'string'
}
}
Response Structure
(dict) --
CreatedAt (string) --
The timestamp of when the detector was created.
FindingPublishingFrequency (string) --
The publishing frequency of the finding.
ServiceRole (string) --
The GuardDuty service role.
Status (string) --
The detector status.
UpdatedAt (string) --
The last-updated timestamp for the detector.
Tags (dict) --
The tags of the detector resource.
Exceptions
get_filter(**kwargs)
Returns the details of the filter specified by the filter name.
See also: AWS API Documentation
Request Syntax
response = client.get_filter(
DetectorId='string',
FilterName='string'
)
Parameters
DetectorId (string) --
[REQUIRED]
The unique ID of the detector that the filter is associated with.
FilterName (string) --
[REQUIRED]
The name of the filter you want to get.
Return type
dict
Returns
Response Syntax
{
'Name': 'string',
'Description': 'string',
'Action': 'NOOP'|'ARCHIVE',
'Rank': 123,
'FindingCriteria': {
'Criterion': {
'string': {
'Eq': [
'string',
],
'Neq': [
'string',
],
'Gt': 123,
'Gte': 123,
'Lt': 123,
'Lte': 123,
'Equals': [
'string',
],
'NotEquals': [
'string',
],
'GreaterThan': 123,
'GreaterThanOrEqual': 123,
'LessThan': 123,
'LessThanOrEqual': 123
}
}
},
'Tags': {
'string': 'string'
}
}
Response Structure
(dict) --
Name (string) --
The name of the filter.
Description (string) --
The description of the filter.
Action (string) --
Specifies the action that is to be applied to the findings that match the filter.
Rank (integer) --
Specifies the position of the filter in the list of current filters. Also specifies the order in which this filter is applied to the findings.
FindingCriteria (dict) --
Represents the criteria to be used in the filter for querying findings.
Criterion (dict) --
Represents a map of finding properties that match specified conditions and values when querying findings.
(string) --
(dict) --
Contains information about the condition.
Eq (list) --
Represents the equal condition to be applied to a single field when querying for findings.
Neq (list) --
Represents the not equal condition to be applied to a single field when querying for findings.
Gt (integer) --
Represents a greater than condition to be applied to a single field when querying for findings.
Gte (integer) --
Represents a greater than or equal condition to be applied to a single field when querying for findings.
Lt (integer) --
Represents a less than condition to be applied to a single field when querying for findings.
Lte (integer) --
Represents a less than or equal condition to be applied to a single field when querying for findings.
Equals (list) --
Represents an equal condition to be applied to a single field when querying for findings.
NotEquals (list) --
Represents a not equal condition to be applied to a single field when querying for findings.
GreaterThan (integer) --
Represents a greater than condition to be applied to a single field when querying for findings.
GreaterThanOrEqual (integer) --
Represents a greater than or equal condition to be applied to a single field when querying for findings.
LessThan (integer) --
Represents a less than condition to be applied to a single field when querying for findings.
LessThanOrEqual (integer) --
Represents a less than or equal condition to be applied to a single field when querying for findings.
Tags (dict) --
The tags of the filter resource.
Exceptions
get_findings(**kwargs)
Describes Amazon GuardDuty findings specified by finding IDs.
See also: AWS API Documentation
Request Syntax
response = client.get_findings(
DetectorId='string',
FindingIds=[
'string',
],
SortCriteria={
'AttributeName': 'string',
'OrderBy': 'ASC'|'DESC'
}
)
Parameters
DetectorId (string) --
[REQUIRED]
The ID of the detector that specifies the GuardDuty service whose findings you want to retrieve.
FindingIds (list) --
[REQUIRED]
The IDs of the findings that you want to retrieve.
SortCriteria (dict) --
Represents the criteria used for sorting findings.
AttributeName (string) --
Represents the finding attribute (for example, accountId) to sort findings by.
OrderBy (string) --
The order by which the sorted findings are to be displayed.
Return type
dict
Returns
Response Syntax
{
'Findings': [
{
'AccountId': 'string',
'Arn': 'string',
'Confidence': 123.0,
'CreatedAt': 'string',
'Description': 'string',
'Id': 'string',
'Partition': 'string',
'Region': 'string',
'Resource': {
'AccessKeyDetails': {
'AccessKeyId': 'string',
'PrincipalId': 'string',
'UserName': 'string',
'UserType': 'string'
},
'S3BucketDetails': [
{
'Arn': 'string',
'Name': 'string',
'Type': 'string',
'CreatedAt': datetime(2015, 1, 1),
'Owner': {
'Id': 'string'
},
'Tags': [
{
'Key': 'string',
'Value': 'string'
},
],
'DefaultServerSideEncryption': {
'EncryptionType': 'string',
'KmsMasterKeyArn': 'string'
},
'PublicAccess': {
'PermissionConfiguration': {
'BucketLevelPermissions': {
'AccessControlList': {
'AllowsPublicReadAccess': True|False,
'AllowsPublicWriteAccess': True|False
},
'BucketPolicy': {
'AllowsPublicReadAccess': True|False,
'AllowsPublicWriteAccess': True|False
},
'BlockPublicAccess': {
'IgnorePublicAcls': True|False,
'RestrictPublicBuckets': True|False,
'BlockPublicAcls': True|False,
'BlockPublicPolicy': True|False
}
},
'AccountLevelPermissions': {
'BlockPublicAccess': {
'IgnorePublicAcls': True|False,
'RestrictPublicBuckets': True|False,
'BlockPublicAcls': True|False,
'BlockPublicPolicy': True|False
}
}
},
'EffectivePermission': 'string'
}
},
],
'InstanceDetails': {
'AvailabilityZone': 'string',
'IamInstanceProfile': {
'Arn': 'string',
'Id': 'string'
},
'ImageDescription': 'string',
'ImageId': 'string',
'InstanceId': 'string',
'InstanceState': 'string',
'InstanceType': 'string',
'OutpostArn': 'string',
'LaunchTime': 'string',
'NetworkInterfaces': [
{
'Ipv6Addresses': [
'string',
],
'NetworkInterfaceId': 'string',
'PrivateDnsName': 'string',
'PrivateIpAddress': 'string',
'PrivateIpAddresses': [
{
'PrivateDnsName': 'string',
'PrivateIpAddress': 'string'
},
],
'PublicDnsName': 'string',
'PublicIp': 'string',
'SecurityGroups': [
{
'GroupId': 'string',
'GroupName': 'string'
},
],
'SubnetId': 'string',
'VpcId': 'string'
},
],
'Platform': 'string',
'ProductCodes': [
{
'Code': 'string',
'ProductType': 'string'
},
],
'Tags': [
{
'Key': 'string',
'Value': 'string'
},
]
},
'ResourceType': 'string'
},
'SchemaVersion': 'string',
'Service': {
'Action': {
'ActionType': 'string',
'AwsApiCallAction': {
'Api': 'string',
'CallerType': 'string',
'DomainDetails': {
'Domain': 'string'
},
'RemoteIpDetails': {
'City': {
'CityName': 'string'
},
'Country': {
'CountryCode': 'string',
'CountryName': 'string'
},
'GeoLocation': {
'Lat': 123.0,
'Lon': 123.0
},
'IpAddressV4': 'string',
'Organization': {
'Asn': 'string',
'AsnOrg': 'string',
'Isp': 'string',
'Org': 'string'
}
},
'ServiceName': 'string'
},
'DnsRequestAction': {
'Domain': 'string'
},
'NetworkConnectionAction': {
'Blocked': True|False,
'ConnectionDirection': 'string',
'LocalPortDetails': {
'Port': 123,
'PortName': 'string'
},
'Protocol': 'string',
'LocalIpDetails': {
'IpAddressV4': 'string'
},
'RemoteIpDetails': {
'City': {
'CityName': 'string'
},
'Country': {
'CountryCode': 'string',
'CountryName': 'string'
},
'GeoLocation': {
'Lat': 123.0,
'Lon': 123.0
},
'IpAddressV4': 'string',
'Organization': {
'Asn': 'string',
'AsnOrg': 'string',
'Isp': 'string',
'Org': 'string'
}
},
'RemotePortDetails': {
'Port': 123,
'PortName': 'string'
}
},
'PortProbeAction': {
'Blocked': True|False,
'PortProbeDetails': [
{
'LocalPortDetails': {
'Port': 123,
'PortName': 'string'
},
'LocalIpDetails': {
'IpAddressV4': 'string'
},
'RemoteIpDetails': {
'City': {
'CityName': 'string'
},
'Country': {
'CountryCode': 'string',
'CountryName': 'string'
},
'GeoLocation': {
'Lat': 123.0,
'Lon': 123.0
},
'IpAddressV4': 'string',
'Organization': {
'Asn': 'string',
'AsnOrg': 'string',
'Isp': 'string',
'Org': 'string'
}
}
},
]
}
},
'Evidence': {
'ThreatIntelligenceDetails': [
{
'ThreatListName': 'string',
'ThreatNames': [
'string',
]
},
]
},
'Archived': True|False,
'Count': 123,
'DetectorId': 'string',
'EventFirstSeen': 'string',
'EventLastSeen': 'string',
'ResourceRole': 'string',
'ServiceName': 'string',
'UserFeedback': 'string'
},
'Severity': 123.0,
'Title': 'string',
'Type': 'string',
'UpdatedAt': 'string'
},
]
}
Response Structure
(dict) --
Findings (list) --
A list of findings.
(dict) --
Contains information about the finding, which is generated when abnormal or suspicious activity is detected.
AccountId (string) --
The ID of the account in which the finding was generated.
Arn (string) --
The ARN of the finding.
Confidence (float) --
The confidence score for the finding.
CreatedAt (string) --
The time and date when the finding was created.
Description (string) --
The description of the finding.
Id (string) --
The ID of the finding.
Partition (string) --
The partition associated with the finding.
Region (string) --
The Region where the finding was generated.
Resource (dict) --
Contains information about the AWS resource associated with the activity that prompted GuardDuty to generate a finding.
AccessKeyDetails (dict) --
The IAM access key details (IAM user information) of a user that engaged in the activity that prompted GuardDuty to generate a finding.
AccessKeyId (string) --
The access key ID of the user.
PrincipalId (string) --
The principal ID of the user.
UserName (string) --
The name of the user.
UserType (string) --
The type of the user.
S3BucketDetails (list) --
Contains information on the S3 bucket.
(dict) --
Arn (string) --
The Amazon Resource Name (ARN) of the S3 bucket.
Name (string) --
The name of the S3 bucket.
Type (string) --
Describes whether the bucket is a source or destination bucket.
CreatedAt (datetime) --
The date and time the bucket was created at.
Owner (dict) --
The owner of the S3 bucket.
Id (string) --
The canonical user ID of the bucket owner. For information about locating your canonical user ID see Finding Your Account Canonical User ID.
Tags (list) --
All tags attached to the S3 bucket
(dict) --
Contains information about a tag attached to the S3 bucket.
Key (string) --
The tag key.
Value (string) --
The tag value.
DefaultServerSideEncryption (dict) --
Describes the server side encryption method used in the S3 bucket.
EncryptionType (string) --
The type of encryption used for objects within the S3 bucket.
KmsMasterKeyArn (string) --
The Amazon Resource Name (ARN) of the KMS encryption key. Only available if the bucket EncryptionType is aws:kms .
PublicAccess (dict) --
Describes the public access policies that apply to the S3 bucket.
PermissionConfiguration (dict) --
Contains information about how permissions are configured for the S3 bucket.
BucketLevelPermissions (dict) --
Contains information about the bucket level permissions for the S3 bucket.
AccessControlList (dict) --
Contains information on how access control lists (ACLs) are applied to the bucket.
AllowsPublicReadAccess (boolean) --
A value that indicates whether public read access for the bucket is enabled through an Access Control List (ACL).
AllowsPublicWriteAccess (boolean) --
A value that indicates whether public write access for the bucket is enabled through an Access Control List (ACL).
BucketPolicy (dict) --
Contains information on the bucket policies for the S3 bucket.
AllowsPublicReadAccess (boolean) --
A value that indicates whether public read access for the bucket is enabled through a bucket policy.
AllowsPublicWriteAccess (boolean) --
A value that indicates whether public write access for the bucket is enabled through a bucket policy.
BlockPublicAccess (dict) --
Contains information on which bucket-level S3 Block Public Access settings are applied to the S3 bucket.
IgnorePublicAcls (boolean) --
Indicates if S3 Block Public Access is set to IgnorePublicAcls .
RestrictPublicBuckets (boolean) --
Indicates if S3 Block Public Access is set to RestrictPublicBuckets .
BlockPublicAcls (boolean) --
Indicates if S3 Block Public Access is set to BlockPublicAcls .
BlockPublicPolicy (boolean) --
Indicates if S3 Block Public Access is set to BlockPublicPolicy .
AccountLevelPermissions (dict) --
Contains information about the account level permissions on the S3 bucket.
BlockPublicAccess (dict) --
Describes the S3 Block Public Access settings of the bucket's parent account.
IgnorePublicAcls (boolean) --
Indicates if S3 Block Public Access is set to IgnorePublicAcls .
RestrictPublicBuckets (boolean) --
Indicates if S3 Block Public Access is set to RestrictPublicBuckets .
BlockPublicAcls (boolean) --
Indicates if S3 Block Public Access is set to BlockPublicAcls .
BlockPublicPolicy (boolean) --
Indicates if S3 Block Public Access is set to BlockPublicPolicy .
EffectivePermission (string) --
Describes the effective permission on this bucket after factoring all attached policies.
InstanceDetails (dict) --
The information about the EC2 instance associated with the activity that prompted GuardDuty to generate a finding.
AvailabilityZone (string) --
The Availability Zone of the EC2 instance.
IamInstanceProfile (dict) --
The IAM instance profile attached to the EC2 instance.
Arn (string) --
The ARN of the instance profile.
Id (string) --
The ID of the instance profile.
ImageDescription (string) --
The image description of the EC2 instance.
ImageId (string) --
The image ID of the EC2 instance.
InstanceId (string) --
The ID of the EC2 instance.
InstanceState (string) --
The state of the EC2 instance.
InstanceType (string) --
The type of the EC2 instance.
OutpostArn (string) --
The Amazon Resource Name (ARN) of the AWS Outpost. Only applicable to AWS Outposts instances.
LaunchTime (string) --
The launch time of the EC2 instance.
NetworkInterfaces (list) --
The elastic network interface information of the EC2 instance.
(dict) --
Contains information about the elastic network interface of the EC2 instance.
Ipv6Addresses (list) --
A list of IPv6 addresses for the EC2 instance.
NetworkInterfaceId (string) --
The ID of the network interface.
PrivateDnsName (string) --
The private DNS name of the EC2 instance.
PrivateIpAddress (string) --
The private IP address of the EC2 instance.
PrivateIpAddresses (list) --
Other private IP address information of the EC2 instance.
(dict) --
Contains other private IP address information of the EC2 instance.
PrivateDnsName (string) --
The private DNS name of the EC2 instance.
PrivateIpAddress (string) --
The private IP address of the EC2 instance.
PublicDnsName (string) --
The public DNS name of the EC2 instance.
PublicIp (string) --
The public IP address of the EC2 instance.
SecurityGroups (list) --
The security groups associated with the EC2 instance.
(dict) --
Contains information about the security groups associated with the EC2 instance.
GroupId (string) --
The security group ID of the EC2 instance.
GroupName (string) --
The security group name of the EC2 instance.
SubnetId (string) --
The subnet ID of the EC2 instance.
VpcId (string) --
The VPC ID of the EC2 instance.
Platform (string) --
The platform of the EC2 instance.
ProductCodes (list) --
The product code of the EC2 instance.
(dict) --
Contains information about the product code for the EC2 instance.
Code (string) --
The product code information.
ProductType (string) --
The product code type.
Tags (list) --
The tags of the EC2 instance.
(dict) --
Contains information about a tag associated with the EC2 instance.
Key (string) --
The EC2 instance tag key.
Value (string) --
The EC2 instance tag value.
ResourceType (string) --
The type of AWS resource.
SchemaVersion (string) --
The version of the schema used for the finding.
Service (dict) --
Contains additional information about the generated finding.
Action (dict) --
Information about the activity that is described in a finding.
ActionType (string) --
The GuardDuty finding activity type.
AwsApiCallAction (dict) --
Information about the AWS_API_CALL action described in this finding.
Api (string) --
The AWS API name.
CallerType (string) --
The AWS API caller type.
DomainDetails (dict) --
The domain information for the AWS API call.
Domain (string) --
The domain information for the AWS API call.
RemoteIpDetails (dict) --
The remote IP information of the connection.
City (dict) --
The city information of the remote IP address.
CityName (string) --
The city name of the remote IP address.
Country (dict) --
The country code of the remote IP address.
CountryCode (string) --
The country code of the remote IP address.
CountryName (string) --
The country name of the remote IP address.
GeoLocation (dict) --
The location information of the remote IP address.
Lat (float) --
The latitude information of the remote IP address.
Lon (float) --
The longitude information of the remote IP address.
IpAddressV4 (string) --
The IPv4 remote address of the connection.
Organization (dict) --
The ISP organization information of the remote IP address.
Asn (string) --
The Autonomous System Number (ASN) of the internet provider of the remote IP address.
AsnOrg (string) --
The organization that registered this ASN.
Isp (string) --
The ISP information for the internet provider.
Org (string) --
The name of the internet provider.
ServiceName (string) --
The AWS service name whose API was invoked.
DnsRequestAction (dict) --
Information about the DNS_REQUEST action described in this finding.
Domain (string) --
The domain information for the API request.
NetworkConnectionAction (dict) --
Information about the NETWORK_CONNECTION action described in this finding.
Blocked (boolean) --
Indicates whether EC2 blocked the network connection to your instance.
ConnectionDirection (string) --
The network connection direction.
LocalPortDetails (dict) --
The local port information of the connection.
Port (integer) --
The port number of the local connection.
PortName (string) --
The port name of the local connection.
Protocol (string) --
The network connection protocol.
LocalIpDetails (dict) --
The local IP information of the connection.
IpAddressV4 (string) --
The IPv4 local address of the connection.
RemoteIpDetails (dict) --
The remote IP information of the connection.
City (dict) --
The city information of the remote IP address.
CityName (string) --
The city name of the remote IP address.
Country (dict) --
The country code of the remote IP address.
CountryCode (string) --
The country code of the remote IP address.
CountryName (string) --
The country name of the remote IP address.
GeoLocation (dict) --
The location information of the remote IP address.
Lat (float) --
The latitude information of the remote IP address.
Lon (float) --
The longitude information of the remote IP address.
IpAddressV4 (string) --
The IPv4 remote address of the connection.
Organization (dict) --
The ISP organization information of the remote IP address.
Asn (string) --
The Autonomous System Number (ASN) of the internet provider of the remote IP address.
AsnOrg (string) --
The organization that registered this ASN.
Isp (string) --
The ISP information for the internet provider.
Org (string) --
The name of the internet provider.
RemotePortDetails (dict) --
The remote port information of the connection.
Port (integer) --
The port number of the remote connection.
PortName (string) --
The port name of the remote connection.
PortProbeAction (dict) --
Information about the PORT_PROBE action described in this finding.
Blocked (boolean) --
Indicates whether EC2 blocked the port probe to the instance, such as with an ACL.
PortProbeDetails (list) --
A list of objects related to port probe details.
(dict) --
Contains information about the port probe details.
LocalPortDetails (dict) --
The local port information of the connection.
Port (integer) --
The port number of the local connection.
PortName (string) --
The port name of the local connection.
LocalIpDetails (dict) --
The local IP information of the connection.
IpAddressV4 (string) --
The IPv4 local address of the connection.
RemoteIpDetails (dict) --
The remote IP information of the connection.
City (dict) --
The city information of the remote IP address.
CityName (string) --
The city name of the remote IP address.
Country (dict) --
The country code of the remote IP address.
CountryCode (string) --
The country code of the remote IP address.
CountryName (string) --
The country name of the remote IP address.
GeoLocation (dict) --
The location information of the remote IP address.
Lat (float) --
The latitude information of the remote IP address.
Lon (float) --
The longitude information of the remote IP address.
IpAddressV4 (string) --
The IPv4 remote address of the connection.
Organization (dict) --
The ISP organization information of the remote IP address.
Asn (string) --
The Autonomous System Number (ASN) of the internet provider of the remote IP address.
AsnOrg (string) --
The organization that registered this ASN.
Isp (string) --
The ISP information for the internet provider.
Org (string) --
The name of the internet provider.
Evidence (dict) --
An evidence object associated with the service.
ThreatIntelligenceDetails (list) --
A list of threat intelligence details related to the evidence.
(dict) --
An instance of a threat intelligence detail that constitutes evidence for the finding.
ThreatListName (string) --
The name of the threat intelligence list that triggered the finding.
ThreatNames (list) --
A list of names of the threats in the threat intelligence list that triggered the finding.
Archived (boolean) --
Indicates whether this finding is archived.
Count (integer) --
The total count of the occurrences of this finding type.
DetectorId (string) --
The detector ID for the GuardDuty service.
EventFirstSeen (string) --
The first-seen timestamp of the activity that prompted GuardDuty to generate this finding.
EventLastSeen (string) --
The last-seen timestamp of the activity that prompted GuardDuty to generate this finding.
ResourceRole (string) --
The resource role information for this finding.
ServiceName (string) --
The name of the AWS service (GuardDuty) that generated a finding.
UserFeedback (string) --
Feedback that was submitted about the finding.
Severity (float) --
The severity of the finding.
Title (string) --
The title of the finding.
Type (string) --
The type of finding.
UpdatedAt (string) --
The time and date when the finding was last updated.
Exceptions
Lists Amazon GuardDuty findings statistics for the specified detector ID.
See also: AWS API Documentation
Request Syntax
response = client.get_findings_statistics(
    DetectorId='string',
    FindingStatisticTypes=[
        'COUNT_BY_SEVERITY',
    ],
    FindingCriteria={
        'Criterion': {
            'string': {
                'Eq': [
                    'string',
                ],
                'Neq': [
                    'string',
                ],
                'Gt': 123,
                'Gte': 123,
                'Lt': 123,
                'Lte': 123,
                'Equals': [
                    'string',
                ],
                'NotEquals': [
                    'string',
                ],
                'GreaterThan': 123,
                'GreaterThanOrEqual': 123,
                'LessThan': 123,
                'LessThanOrEqual': 123
            }
        }
    }
)
[REQUIRED]
The ID of the detector that specifies the GuardDuty service whose findings' statistics you want to retrieve.
[REQUIRED]
The types of finding statistics to retrieve.
Represents the criteria that are used for querying findings.
Represents a map of finding properties that match specified conditions and values when querying findings.
Contains information about the condition.
Represents the equal condition to be applied to a single field when querying for findings.
Represents the not equal condition to be applied to a single field when querying for findings.
Represents a greater than condition to be applied to a single field when querying for findings.
Represents a greater than or equal condition to be applied to a single field when querying for findings.
Represents a less than condition to be applied to a single field when querying for findings.
Represents a less than or equal condition to be applied to a single field when querying for findings.
Represents an equal condition to be applied to a single field when querying for findings.
Represents a not equal condition to be applied to a single field when querying for findings.
Represents a greater than condition to be applied to a single field when querying for findings.
Represents a greater than or equal condition to be applied to a single field when querying for findings.
Represents a less than condition to be applied to a single field when querying for findings.
Represents a less than or equal condition to be applied to a single field when querying for findings.
dict
Response Syntax
{
    'FindingStatistics': {
        'CountBySeverity': {
            'string': 123
        }
    }
}
Response Structure
(dict) --
FindingStatistics (dict) --
The finding statistics object.
CountBySeverity (dict) --
Represents a map of severity to count statistics for a set of findings.
Exceptions
Returns the count of all GuardDuty membership invitations that were sent to the current member account except the currently accepted invitation.
See also: AWS API Documentation
Request Syntax
response = client.get_invitations_count()
{
    'InvitationsCount': 123
}
Response Structure
The number of received invitations.
Exceptions
Retrieves the IPSet specified by the ipSetId.
See also: AWS API Documentation
Request Syntax
response = client.get_ip_set(
    DetectorId='string',
    IpSetId='string'
)
[REQUIRED]
The unique ID of the detector that the IPSet is associated with.
[REQUIRED]
The unique ID of the IPSet to retrieve.
dict
Response Syntax
{
    'Name': 'string',
    'Format': 'TXT'|'STIX'|'OTX_CSV'|'ALIEN_VAULT'|'PROOF_POINT'|'FIRE_EYE',
    'Location': 'string',
    'Status': 'INACTIVE'|'ACTIVATING'|'ACTIVE'|'DEACTIVATING'|'ERROR'|'DELETE_PENDING'|'DELETED',
    'Tags': {
        'string': 'string'
    }
}
Response Structure
(dict) --
Name (string) --
The user-friendly name for the IPSet.
Format (string) --
The format of the file that contains the IPSet.
Location (string) --
The URI of the file that contains the IPSet. For example: https://s3.us-west-2.amazonaws.com/my-bucket/my-object-key.
Status (string) --
The status of the IPSet file that was uploaded.
Tags (dict) --
The tags of the IPSet resource.
Exceptions
Provides the details for the GuardDuty master account associated with the current GuardDuty member account.
See also: AWS API Documentation
Request Syntax
response = client.get_master_account(
    DetectorId='string'
)
[REQUIRED]
The unique ID of the detector of the GuardDuty member account.
{
    'Master': {
        'AccountId': 'string',
        'InvitationId': 'string',
        'RelationshipStatus': 'string',
        'InvitedAt': 'string'
    }
}
Response Structure
The master account details.
The ID of the account used as the master account.
The value used to validate the master account to the member account.
The status of the relationship between the master and member accounts.
The timestamp when the invitation was sent.
Exceptions
Retrieves GuardDuty member accounts (to the current GuardDuty master account) specified by the account IDs.
See also: AWS API Documentation
Request Syntax
response = client.get_members(
    DetectorId='string',
    AccountIds=[
        'string',
    ]
)
[REQUIRED]
The unique ID of the detector of the GuardDuty account whose members you want to retrieve.
[REQUIRED]
A list of account IDs of the GuardDuty member accounts that you want to describe.
dict
Response Syntax
{
    'Members': [
        {
            'AccountId': 'string',
            'DetectorId': 'string',
            'MasterId': 'string',
            'Email': 'string',
            'RelationshipStatus': 'string',
            'InvitedAt': 'string',
            'UpdatedAt': 'string'
        },
    ],
    'UnprocessedAccounts': [
        {
            'AccountId': 'string',
            'Result': 'string'
        },
    ]
}
Response Structure
(dict) --
Members (list) --
A list of members.
(dict) --
Contains information about the member account.
AccountId (string) --
The ID of the member account.
DetectorId (string) --
The detector ID of the member account.
MasterId (string) --
The master account ID.
Email (string) --
The email address of the member account.
RelationshipStatus (string) --
The status of the relationship between the member and the master.
InvitedAt (string) --
The timestamp when the invitation was sent.
UpdatedAt (string) --
The last-updated timestamp of the member.
UnprocessedAccounts (list) --
A list of objects that contain the unprocessed account and a result string that explains why it was unprocessed.
(dict) --
Contains information about the accounts that weren't processed.
AccountId (string) --
The AWS account ID.
Result (string) --
A reason why the account hasn't been processed.
Exceptions
Create a paginator for an operation.
Retrieves the ThreatIntelSet that is specified by the ThreatIntelSet ID.
See also: AWS API Documentation
Request Syntax
response = client.get_threat_intel_set(
    DetectorId='string',
    ThreatIntelSetId='string'
)
[REQUIRED]
The unique ID of the detector that the threatIntelSet is associated with.
[REQUIRED]
The unique ID of the threatIntelSet that you want to get.
dict
Response Syntax
{
    'Name': 'string',
    'Format': 'TXT'|'STIX'|'OTX_CSV'|'ALIEN_VAULT'|'PROOF_POINT'|'FIRE_EYE',
    'Location': 'string',
    'Status': 'INACTIVE'|'ACTIVATING'|'ACTIVE'|'DEACTIVATING'|'ERROR'|'DELETE_PENDING'|'DELETED',
    'Tags': {
        'string': 'string'
    }
}
Response Structure
(dict) --
Name (string) --
A user-friendly ThreatIntelSet name displayed in all findings that are generated by activity that involves IP addresses included in this ThreatIntelSet.
Format (string) --
The format of the threatIntelSet.
Location (string) --
The URI of the file that contains the ThreatIntelSet. For example: https://s3.us-west-2.amazonaws.com/my-bucket/my-object-key.
Status (string) --
The status of the threatIntelSet file that was uploaded.
Tags (dict) --
The tags of the threat list resource.
Exceptions
Returns an object that can wait for some condition.
Invites other AWS accounts (created as members of the current AWS account by CreateMembers) to enable GuardDuty, and allow the current AWS account to view and manage these accounts' GuardDuty findings on their behalf as the master account.
See also: AWS API Documentation
Request Syntax
response = client.invite_members(
    DetectorId='string',
    AccountIds=[
        'string',
    ],
    DisableEmailNotification=True|False,
    Message='string'
)
[REQUIRED]
The unique ID of the detector of the GuardDuty account from which you want to invite members.
[REQUIRED]
A list of account IDs of the accounts that you want to invite to GuardDuty as members.
dict
Response Syntax
{
    'UnprocessedAccounts': [
        {
            'AccountId': 'string',
            'Result': 'string'
        },
    ]
}
Response Structure
(dict) --
UnprocessedAccounts (list) --
A list of objects that contain the unprocessed account and a result string that explains why it was unprocessed.
(dict) --
Contains information about the accounts that weren't processed.
AccountId (string) --
The AWS account ID.
Result (string) --
A reason why the account hasn't been processed.
Exceptions
Lists the detector IDs of all existing Amazon GuardDuty detector resources.
See also: AWS API Documentation
Request Syntax
response = client.list_detectors(
    MaxResults=123,
    NextToken='string'
)
dict
Response Syntax
{
    'DetectorIds': [
        'string',
    ],
    'NextToken': 'string'
}
Response Structure
(dict) --
DetectorIds (list) --
A list of detector IDs.
NextToken (string) --
The pagination parameter to be used on the next list operation to retrieve more items.
Exceptions
Returns a paginated list of the current filters.
See also: AWS API Documentation
Request Syntax
response = client.list_filters(
    DetectorId='string',
    MaxResults=123,
    NextToken='string'
)
[REQUIRED]
The unique ID of the detector that the filter is associated with.
dict
Response Syntax
{
    'FilterNames': [
        'string',
    ],
    'NextToken': 'string'
}
Response Structure
(dict) --
FilterNames (list) --
A list of filter names.
NextToken (string) --
The pagination parameter to be used on the next list operation to retrieve more items.
Exceptions
Lists Amazon GuardDuty findings for the specified detector ID.
See also: AWS API Documentation
Request Syntax
response = client.list_findings(
    DetectorId='string',
    FindingCriteria={
        'Criterion': {
            'string': {
                'Eq': [
                    'string',
                ],
                'Neq': [
                    'string',
                ],
                'Gt': 123,
                'Gte': 123,
                'Lt': 123,
                'Lte': 123,
                'Equals': [
                    'string',
                ],
                'NotEquals': [
                    'string',
                ],
                'GreaterThan': 123,
                'GreaterThanOrEqual': 123,
                'LessThan': 123,
                'LessThanOrEqual': 123
            }
        }
    },
    SortCriteria={
        'AttributeName': 'string',
        'OrderBy': 'ASC'|'DESC'
    },
    MaxResults=123,
    NextToken='string'
)
[REQUIRED]
The ID of the detector that specifies the GuardDuty service whose findings you want to list.
Represents the criteria used for querying findings. Valid values include:
Represents a map of finding properties that match specified conditions and values when querying findings.
Contains information about the condition.
Represents the equal condition to be applied to a single field when querying for findings.
Represents the not equal condition to be applied to a single field when querying for findings.
Represents a greater than condition to be applied to a single field when querying for findings.
Represents a greater than or equal condition to be applied to a single field when querying for findings.
Represents a less than condition to be applied to a single field when querying for findings.
Represents a less than or equal condition to be applied to a single field when querying for findings.
Represents an equal condition to be applied to a single field when querying for findings.
Represents a not equal condition to be applied to a single field when querying for findings.
Represents a greater than condition to be applied to a single field when querying for findings.
Represents a greater than or equal condition to be applied to a single field when querying for findings.
Represents a less than condition to be applied to a single field when querying for findings.
Represents a less than or equal condition to be applied to a single field when querying for findings.
Represents the criteria used for sorting findings.
Represents the finding attribute (for example, accountId) to sort findings by.
The order by which the sorted findings are to be displayed.
dict
Response Syntax
{
    'FindingIds': [
        'string',
    ],
    'NextToken': 'string'
}
Response Structure
(dict) --
FindingIds (list) --
The IDs of the findings that you're listing.
NextToken (string) --
The pagination parameter to be used on the next list operation to retrieve more items.
Exceptions
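Added example (not the boto3 documentation's own code) for the get_findings_statistics and list_findings calls above: it builds one FindingCriteria map, pages through list_findings by NextToken, and fetches CountBySeverity for the same criteria. Any client exposing those two methods can be passed in, including boto3.client('guardduty'); FakeGuardDutyClient, SAMPLE_FINDINGS and the placeholder detector ID are constructed so it runs offline.

```python
# Added example, not the boto3 documentation's own code: build a FindingCriteria
# map, page through list_findings with NextToken, and get CountBySeverity for the
# same criteria. Anything exposing list_findings/get_findings_statistics works, so
# boto3.client('guardduty') can be passed in; FakeGuardDutyClient and
# SAMPLE_FINDINGS are constructed so the example runs offline.
import operator


def high_severity_criteria(min_severity=7, finding_types=None):
    """Criterion map for unarchived findings at or above min_severity.
    'severity', 'service.archived' and 'type' are GuardDuty finding attributes;
    Gte/Eq are condition keys from the request syntax above."""
    criterion = {"severity": {"Gte": min_severity},
                 "service.archived": {"Eq": ["false"]}}
    if finding_types:
        criterion["type"] = {"Eq": list(finding_types)}
    return {"Criterion": criterion}


def iter_finding_ids(client, detector_id, criteria, page_size=50):
    """Yield matching finding IDs, highest severity first, following NextToken
    until the service stops returning one."""
    token = None
    while True:
        kwargs = {"DetectorId": detector_id, "FindingCriteria": criteria,
                  "SortCriteria": {"AttributeName": "severity", "OrderBy": "DESC"},
                  "MaxResults": page_size}
        if token:
            kwargs["NextToken"] = token
        resp = client.list_findings(**kwargs)
        yield from resp.get("FindingIds", [])
        token = resp.get("NextToken")
        if not token:
            return


def severity_counts(client, detector_id, criteria):
    """CountBySeverity for the findings matching criteria (keys are strings)."""
    resp = client.get_findings_statistics(
        DetectorId=detector_id, FindingStatisticTypes=["COUNT_BY_SEVERITY"],
        FindingCriteria=criteria)
    return resp["FindingStatistics"]["CountBySeverity"]


# Constructed sample findings: placeholder IDs, GuardDuty-style finding types.
SAMPLE_FINDINGS = [
    {"id": "finding-01", "severity": 8, "service.archived": "false", "type": "UnauthorizedAccess:EC2/SSHBruteForce"},
    {"id": "finding-02", "severity": 5, "service.archived": "false", "type": "Recon:EC2/PortProbeUnprotectedPort"},
    {"id": "finding-03", "severity": 8, "service.archived": "true", "type": "UnauthorizedAccess:EC2/SSHBruteForce"},
    {"id": "finding-04", "severity": 7, "service.archived": "false", "type": "Recon:EC2/PortProbeUnprotectedPort"},
    {"id": "finding-05", "severity": 2, "service.archived": "false", "type": "Recon:EC2/Portscan"},
]


class FakeGuardDutyClient:
    """Constructed stand-in for boto3.client('guardduty'): evaluates the
    Criterion map against in-memory findings and pages with NextToken."""
    _ORDERED = {"Gt": operator.gt, "Gte": operator.ge,
                "Lt": operator.lt, "Lte": operator.le}

    def __init__(self, findings):
        self._findings = findings

    def _matches(self, finding, criterion):
        for field, cond in criterion.items():
            value = finding.get(field)
            if "Eq" in cond and str(value) not in cond["Eq"]:
                return False
            if "Neq" in cond and str(value) in cond["Neq"]:
                return False
            for key, op in self._ORDERED.items():
                if key in cond and not op(value, cond[key]):
                    return False
        return True

    def _filtered(self, criteria):
        criterion = (criteria or {}).get("Criterion", {})
        return [f for f in self._findings if self._matches(f, criterion)]

    def list_findings(self, DetectorId, FindingCriteria=None, SortCriteria=None,
                      MaxResults=50, NextToken=None):
        matched = self._filtered(FindingCriteria)
        if SortCriteria:
            matched.sort(key=lambda f: f[SortCriteria["AttributeName"]],
                         reverse=SortCriteria.get("OrderBy") == "DESC")
        start = int(NextToken) if NextToken else 0
        page = matched[start:start + MaxResults]
        resp = {"FindingIds": [f["id"] for f in page]}
        if start + MaxResults < len(matched):
            resp["NextToken"] = str(start + MaxResults)
        return resp

    def get_findings_statistics(self, DetectorId, FindingStatisticTypes,
                                FindingCriteria=None):
        counts = {}
        for f in self._filtered(FindingCriteria):
            counts[str(f["severity"])] = counts.get(str(f["severity"]), 0) + 1
        return {"FindingStatistics": {"CountBySeverity": counts}}
```

With the sample data, the default criteria select finding-01 and finding-04 (finding-03 is excluded as archived), and the statistics call reports one finding at severity 8 and one at 7.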
Lists all GuardDuty membership invitations that were sent to the current AWS account.
See also: AWS API Documentation
Request Syntax
response = client.list_invitations(
    MaxResults=123,
    NextToken='string'
)
dict
Response Syntax
{
    'Invitations': [
        {
            'AccountId': 'string',
            'InvitationId': 'string',
            'RelationshipStatus': 'string',
            'InvitedAt': 'string'
        },
    ],
    'NextToken': 'string'
}
Response Structure
(dict) --
Invitations (list) --
A list of invitation descriptions.
(dict) --
Contains information about the invitation to become a member account.
AccountId (string) --
The ID of the account that the invitation was sent from.
InvitationId (string) --
The ID of the invitation. This value is used to validate the inviter account to the member account.
RelationshipStatus (string) --
The status of the relationship between the inviter and invitee accounts.
InvitedAt (string) --
The timestamp when the invitation was sent.
NextToken (string) --
The pagination parameter to be used on the next list operation to retrieve more items.
Exceptions
Lists the IPSets of the GuardDuty service specified by the detector ID. If you use this operation from a member account, the IPSets returned are the IPSets from the associated master account.
See also: AWS API Documentation
Request Syntax
response = client.list_ip_sets(
    DetectorId='string',
    MaxResults=123,
    NextToken='string'
)
[REQUIRED]
The unique ID of the detector that the IPSet is associated with.
dict
Response Syntax
{
    'IpSetIds': [
        'string',
    ],
    'NextToken': 'string'
}
Response Structure
(dict) --
IpSetIds (list) --
The IDs of the IPSet resources.
NextToken (string) --
The pagination parameter to be used on the next list operation to retrieve more items.
Exceptions
Lists details about all member accounts for the current GuardDuty master account.
See also: AWS API Documentation
Request Syntax
response = client.list_members(
    DetectorId='string',
    MaxResults=123,
    NextToken='string',
    OnlyAssociated='string'
)
[REQUIRED]
The unique ID of the detector the member is associated with.
dict
Response Syntax
{
    'Members': [
        {
            'AccountId': 'string',
            'DetectorId': 'string',
            'MasterId': 'string',
            'Email': 'string',
            'RelationshipStatus': 'string',
            'InvitedAt': 'string',
            'UpdatedAt': 'string'
        },
    ],
    'NextToken': 'string'
}
Response Structure
(dict) --
Members (list) --
A list of members.
(dict) --
Contains information about the member account.
AccountId (string) --
The ID of the member account.
DetectorId (string) --
The detector ID of the member account.
MasterId (string) --
The master account ID.
Email (string) --
The email address of the member account.
RelationshipStatus (string) --
The status of the relationship between the member and the master.
InvitedAt (string) --
The timestamp when the invitation was sent.
UpdatedAt (string) --
The last-updated timestamp of the member.
NextToken (string) --
The pagination parameter to be used on the next list operation to retrieve more items.
Exceptions
Lists the accounts configured as GuardDuty delegated administrators.
See also: AWS API Documentation
Request Syntax
response = client.list_organization_admin_accounts(
    MaxResults=123,
    NextToken='string'
)
dict
Response Syntax
{
    'AdminAccounts': [
        {
            'AdminAccountId': 'string',
            'AdminStatus': 'ENABLED'|'DISABLE_IN_PROGRESS'
        },
    ],
    'NextToken': 'string'
}
Response Structure
(dict) --
AdminAccounts (list) --
An AdminAccounts object that includes a list of accounts configured as GuardDuty delegated administrators.
(dict) --
The account within the organization specified as the GuardDuty delegated administrator.
AdminAccountId (string) --
The AWS account ID for the account.
AdminStatus (string) --
Indicates whether the account is enabled as the delegated administrator.
NextToken (string) --
The pagination parameter to be used on the next list operation to retrieve more items.
Exceptions
Returns a list of publishing destinations associated with the specified detectorId.
See also: AWS API Documentation
Request Syntax
response = client.list_publishing_destinations(
    DetectorId='string',
    MaxResults=123,
    NextToken='string'
)
[REQUIRED]
The ID of the detector to retrieve publishing destinations for.
dict
Response Syntax
{
    'Destinations': [
        {
            'DestinationId': 'string',
            'DestinationType': 'S3',
            'Status': 'PENDING_VERIFICATION'|'PUBLISHING'|'UNABLE_TO_PUBLISH_FIX_DESTINATION_PROPERTY'|'STOPPED'
        },
    ],
    'NextToken': 'string'
}
Response Structure
(dict) --
Destinations (list) --
A Destinations object that includes information about each publishing destination returned.
(dict) --
Contains information about the publishing destination, including the ID, type, and status.
DestinationId (string) --
The unique ID of the publishing destination.
DestinationType (string) --
The type of resource used for the publishing destination. Currently, only Amazon S3 buckets are supported.
Status (string) --
The status of the publishing destination.
NextToken (string) --
A token to use for paginating results that are returned in the response. Set the value of this parameter to null for the first request to a list action. For subsequent calls, use the NextToken value returned from the previous request to continue listing results after the first page.
Exceptions
Lists tags for a resource. Tagging is currently supported for detectors, finding filters, IP sets, and threat intel sets, with a limit of 50 tags per resource. When invoked, this operation returns all assigned tags for a given resource.
See also: AWS API Documentation
Request Syntax
response = client.list_tags_for_resource(
    ResourceArn='string'
)
[REQUIRED]
The Amazon Resource Name (ARN) for the given GuardDuty resource.
{
    'Tags': {
        'string': 'string'
    }
}
Response Structure
The tags associated with the resource.
Exceptions
Lists the ThreatIntelSets of the GuardDuty service specified by the detector ID. If you use this operation from a member account, the ThreatIntelSets associated with the master account are returned.
See also: AWS API Documentation
Request Syntax
response = client.list_threat_intel_sets(
    DetectorId='string',
    MaxResults=123,
    NextToken='string'
)
[REQUIRED]
The unique ID of the detector that the threatIntelSet is associated with.
dict
Response Syntax
{
    'ThreatIntelSetIds': [
        'string',
    ],
    'NextToken': 'string'
}
Response Structure
(dict) --
ThreatIntelSetIds (list) --
The IDs of the ThreatIntelSet resources.
NextToken (string) --
The pagination parameter to be used on the next list operation to retrieve more items.
Exceptions
Turns on GuardDuty monitoring of the specified member accounts. Use this operation to restart monitoring of accounts that you stopped monitoring with the StopMonitoringMembers operation.
See also: AWS API Documentation
Request Syntax
response = client.start_monitoring_members(
    DetectorId='string',
    AccountIds=[
        'string',
    ]
)
[REQUIRED]
The unique ID of the detector of the GuardDuty master account associated with the member accounts to monitor.
[REQUIRED]
A list of account IDs of the GuardDuty member accounts to start monitoring.
dict
Response Syntax
{
    'UnprocessedAccounts': [
        {
            'AccountId': 'string',
            'Result': 'string'
        },
    ]
}
Response Structure
(dict) --
UnprocessedAccounts (list) --
A list of objects that contain the unprocessed account and a result string that explains why it was unprocessed.
(dict) --
Contains information about the accounts that weren't processed.
AccountId (string) --
The AWS account ID.
Result (string) --
A reason why the account hasn't been processed.
Exceptions
Stops GuardDuty monitoring for the specified member accounts. Use the StartMonitoringMembers operation to restart monitoring for those accounts.
See also: AWS API Documentation
Request Syntax
response = client.stop_monitoring_members(
    DetectorId='string',
    AccountIds=[
        'string',
    ]
)
[REQUIRED]
The unique ID of the detector associated with the GuardDuty master account that is monitoring member accounts.
[REQUIRED]
A list of account IDs for the member accounts to stop monitoring.
dict
Response Syntax
{
    'UnprocessedAccounts': [
        {
            'AccountId': 'string',
            'Result': 'string'
        },
    ]
}
Response Structure
(dict) --
UnprocessedAccounts (list) --
A list of objects that contain an accountId for each account that could not be processed, and a result string that indicates why the account was not processed.
(dict) --
Contains information about the accounts that weren't processed.
AccountId (string) --
The AWS account ID.
Result (string) --
A reason why the account hasn't been processed.
Exceptions
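Added example (not the boto3 documentation's own code) covering the member operations above (invite_members, start_monitoring_members, stop_monitoring_members) together with get_members: it applies one operation to a batch of account IDs, keeps every account the service returns under UnprocessedAccounts with its Result string instead of dropping it, and then confirms RelationshipStatus. It works with boto3.client('guardduty'); FakeMemberClient, the account IDs and the Result text are constructed.

```python
# Added example, not the boto3 documentation's own code. Works with
# boto3.client('guardduty'); FakeMemberClient and all IDs below are constructed.

MEMBER_OPERATIONS = ("invite_members", "start_monitoring_members",
                     "stop_monitoring_members")


def apply_member_operation(client, detector_id, operation, account_ids, **extra):
    """Run one member operation and split the batch into the accounts the
    service processed and those it listed under UnprocessedAccounts, keyed to
    the Result string. extra is forwarded (e.g. Message= for invite_members)."""
    if operation not in MEMBER_OPERATIONS:
        raise ValueError("unsupported member operation: %s" % operation)
    resp = getattr(client, operation)(DetectorId=detector_id,
                                      AccountIds=list(account_ids), **extra)
    failed = {u["AccountId"]: u["Result"]
              for u in resp.get("UnprocessedAccounts", [])}
    succeeded = [a for a in account_ids if a not in failed]
    return {"succeeded": succeeded, "failed": failed}


def member_statuses(client, detector_id, account_ids):
    """RelationshipStatus per account from get_members; accounts it could not
    process are reported with their Result string instead."""
    resp = client.get_members(DetectorId=detector_id, AccountIds=list(account_ids))
    statuses = {m["AccountId"]: m["RelationshipStatus"]
                for m in resp.get("Members", [])}
    for u in resp.get("UnprocessedAccounts", []):
        statuses[u["AccountId"]] = "UNPROCESSED: " + u["Result"]
    return statuses


class FakeMemberClient:
    """Constructed stand-in for boto3.client('guardduty'): accounts that are not
    members come back under UnprocessedAccounts, as with the real service."""
    _NEW_STATUS = {"invite_members": "Invited",
                   "start_monitoring_members": "Enabled",
                   "stop_monitoring_members": "Disabled"}

    def __init__(self, members):
        self._members = dict(members)  # AccountId -> RelationshipStatus

    def _split(self, account_ids):
        known = [a for a in account_ids if a in self._members]
        unprocessed = [{"AccountId": a, "Result": "not a member account (constructed)"}
                       for a in account_ids if a not in self._members]
        return known, unprocessed

    def _member_op(self, name, account_ids):
        known, unprocessed = self._split(account_ids)
        for a in known:
            self._members[a] = self._NEW_STATUS[name]
        return {"UnprocessedAccounts": unprocessed}

    def invite_members(self, DetectorId, AccountIds, **_):
        return self._member_op("invite_members", AccountIds)

    def start_monitoring_members(self, DetectorId, AccountIds):
        return self._member_op("start_monitoring_members", AccountIds)

    def stop_monitoring_members(self, DetectorId, AccountIds):
        return self._member_op("stop_monitoring_members", AccountIds)

    def get_members(self, DetectorId, AccountIds):
        known, unprocessed = self._split(AccountIds)
        members = [{"AccountId": a, "DetectorId": "detector-placeholder",
                    "MasterId": "111111111111",
                    "RelationshipStatus": self._members[a]} for a in known]
        return {"Members": members, "UnprocessedAccounts": unprocessed}
```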
Adds tags to a resource.
See also: AWS API Documentation
Request Syntax
response = client.tag_resource(
    ResourceArn='string',
    Tags={
        'string': 'string'
    }
)
[REQUIRED]
The Amazon Resource Name (ARN) for the GuardDuty resource to apply a tag to.
[REQUIRED]
The tags to be added to a resource.
dict
Response Syntax
{}
Response Structure
Exceptions
Unarchives GuardDuty findings specified by the findingIds.
See also: AWS API Documentation
Request Syntax
response = client.unarchive_findings(
    DetectorId='string',
    FindingIds=[
        'string',
    ]
)
[REQUIRED]
The ID of the detector associated with the findings to unarchive.
[REQUIRED]
The IDs of the findings to unarchive.
dict
Response Syntax
{}
Response Structure
Exceptions
Removes tags from a resource.
See also: AWS API Documentation
Request Syntax
response = client.untag_resource(
    ResourceArn='string',
    TagKeys=[
        'string',
    ]
)
[REQUIRED]
The Amazon Resource Name (ARN) for the resource to remove tags from.
[REQUIRED]
The tag keys to remove from the resource.
dict
Response Syntax
{}
Response Structure
Exceptions
Updates the Amazon GuardDuty detector specified by the detectorId.
See also: AWS API Documentation
Request Syntax
response = client.update_detector(
    DetectorId='string',
    Enable=True|False,
    FindingPublishingFrequency='FIFTEEN_MINUTES'|'ONE_HOUR'|'SIX_HOURS'
)
[REQUIRED]
The unique ID of the detector to update.
dict
Response Syntax
{}
Response Structure
Exceptions
Updates the filter specified by the filter name.
See also: AWS API Documentation
Request Syntax
response = client.update_filter(
    DetectorId='string',
    FilterName='string',
    Description='string',
    Action='NOOP'|'ARCHIVE',
    Rank=123,
    FindingCriteria={
        'Criterion': {
            'string': {
                'Eq': [
                    'string',
                ],
                'Neq': [
                    'string',
                ],
                'Gt': 123,
                'Gte': 123,
                'Lt': 123,
                'Lte': 123,
                'Equals': [
                    'string',
                ],
                'NotEquals': [
                    'string',
                ],
                'GreaterThan': 123,
                'GreaterThanOrEqual': 123,
                'LessThan': 123,
                'LessThanOrEqual': 123
            }
        }
    }
)
DetectorId (string) -- [REQUIRED]
The unique ID of the detector that specifies the GuardDuty service where you want to update a filter.
FilterName (string) -- [REQUIRED]
The name of the filter.
FindingCriteria (dict) --
Represents the criteria to be used in the filter for querying findings.
Criterion (dict) --
Represents a map of finding properties that match specified conditions and values when querying findings.
(string) --
(dict) --
Contains information about the condition.
Eq (list) --
Represents the equal condition to be applied to a single field when querying for findings.
Neq (list) --
Represents the not equal condition to be applied to a single field when querying for findings.
Gt (integer) --
Represents a greater than condition to be applied to a single field when querying for findings.
Gte (integer) --
Represents a greater than or equal condition to be applied to a single field when querying for findings.
Lt (integer) --
Represents a less than condition to be applied to a single field when querying for findings.
Lte (integer) --
Represents a less than or equal condition to be applied to a single field when querying for findings.
Equals (list) --
Represents an equal condition to be applied to a single field when querying for findings.
NotEquals (list) --
Represents a not equal condition to be applied to a single field when querying for findings.
GreaterThan (integer) --
Represents a greater than condition to be applied to a single field when querying for findings.
GreaterThanOrEqual (integer) --
Represents a greater than or equal condition to be applied to a single field when querying for findings.
LessThan (integer) --
Represents a less than condition to be applied to a single field when querying for findings.
LessThanOrEqual (integer) --
Represents a less than or equal condition to be applied to a single field when querying for findings.
dict
Response Syntax
{
'Name': 'string'
}
Response Structure
(dict) --
Name (string) --
The name of the filter.
Exceptions
Marks the specified GuardDuty findings as useful or not useful.
See also: AWS API Documentation
Request Syntax
response = client.update_findings_feedback(
DetectorId='string',
FindingIds=[
'string',
],
Feedback='USEFUL'|'NOT_USEFUL',
Comments='string'
)
DetectorId (string) -- [REQUIRED]
The ID of the detector associated with the findings to update feedback for.
FindingIds (list) -- [REQUIRED]
The IDs of the findings that you want to mark as useful or not useful.
Feedback (string) -- [REQUIRED]
The feedback for the finding.
dict
Response Syntax
{}
Response Structure
Exceptions
Updates the IPSet specified by the IPSet ID.
See also: AWS API Documentation
Request Syntax
response = client.update_ip_set(
DetectorId='string',
IpSetId='string',
Name='string',
Location='string',
Activate=True|False
)
DetectorId (string) -- [REQUIRED]
The detector ID that specifies the GuardDuty service whose IPSet you want to update.
IpSetId (string) -- [REQUIRED]
The unique ID that specifies the IPSet that you want to update.
dict
Response Syntax
{}
Response Structure
Exceptions
Updates the delegated administrator account with the values provided.
See also: AWS API Documentation
Request Syntax
response = client.update_organization_configuration(
DetectorId='string',
AutoEnable=True|False
)
DetectorId (string) -- [REQUIRED]
The ID of the detector to update the delegated administrator for.
AutoEnable (boolean) -- [REQUIRED]
Indicates whether to automatically enable member accounts in the organization.
dict
Response Syntax
{}
Response Structure
Exceptions
Updates information about the publishing destination specified by the destinationId.
See also: AWS API Documentation
Request Syntax
response = client.update_publishing_destination(
DetectorId='string',
DestinationId='string',
DestinationProperties={
'DestinationArn': 'string',
'KmsKeyArn': 'string'
}
)
DetectorId (string) -- [REQUIRED]
The ID of the detector associated with the publishing destinations to update.
DestinationId (string) -- [REQUIRED]
The ID of the publishing destination to update.
DestinationProperties (dict) --
A DestinationProperties object that includes the DestinationArn and KmsKeyArn of the publishing destination.
DestinationArn (string) --
The ARN of the resource to publish to.
KmsKeyArn (string) --
The ARN of the KMS key to use for encryption.
dict
Response Syntax
{}
Response Structure
Exceptions
Updates the ThreatIntelSet specified by the ThreatIntelSet ID.
See also: AWS API Documentation
Request Syntax
response = client.update_threat_intel_set(
DetectorId='string',
ThreatIntelSetId='string',
Name='string',
Location='string',
Activate=True|False
)
DetectorId (string) -- [REQUIRED]
The detector ID that specifies the GuardDuty service whose ThreatIntelSet you want to update.
ThreatIntelSetId (string) -- [REQUIRED]
The unique ID that specifies the ThreatIntelSet that you want to update.
dict
Response Syntax
{}
Response Structure
Exceptions
The available paginators are:
paginator = client.get_paginator('list_detectors')
Creates an iterator that will paginate through responses from GuardDuty.Client.list_detectors().
See also: AWS API Documentation
Request Syntax
response_iterator = paginator.paginate(
PaginationConfig={
'MaxItems': 123,
'PageSize': 123,
'StartingToken': 'string'
}
)
PaginationConfig (dict) --
A dictionary that provides parameters to control pagination.
MaxItems (integer) --
The total number of items to return. If the total number of items available is more than the value specified in max-items then a NextToken will be provided in the output that you can use to resume pagination.
PageSize (integer) --
The size of each page.
StartingToken (string) --
A token to specify where to start paginating. This is the NextToken from a previous response.
dict
Response Syntax
{
'DetectorIds': [
'string',
],
}
Response Structure
(dict) --
DetectorIds (list) --
A list of detector IDs.
paginator = client.get_paginator('list_filters')
Creates an iterator that will paginate through responses from GuardDuty.Client.list_filters().
See also: AWS API Documentation
Request Syntax
response_iterator = paginator.paginate(
DetectorId='string',
PaginationConfig={
'MaxItems': 123,
'PageSize': 123,
'StartingToken': 'string'
}
)
DetectorId (string) -- [REQUIRED]
The unique ID of the detector that the filter is associated with.
PaginationConfig (dict) --
A dictionary that provides parameters to control pagination.
MaxItems (integer) --
The total number of items to return. If the total number of items available is more than the value specified in max-items then a NextToken will be provided in the output that you can use to resume pagination.
PageSize (integer) --
The size of each page.
StartingToken (string) --
A token to specify where to start paginating. This is the NextToken from a previous response.
dict
Response Syntax
{
'FilterNames': [
'string',
],
}
Response Structure
(dict) --
FilterNames (list) --
A list of filter names.
paginator = client.get_paginator('list_findings')
Creates an iterator that will paginate through responses from GuardDuty.Client.list_findings().
See also: AWS API Documentation
Request Syntax
response_iterator = paginator.paginate(
DetectorId='string',
FindingCriteria={
'Criterion': {
'string': {
'Eq': [
'string',
],
'Neq': [
'string',
],
'Gt': 123,
'Gte': 123,
'Lt': 123,
'Lte': 123,
'Equals': [
'string',
],
'NotEquals': [
'string',
],
'GreaterThan': 123,
'GreaterThanOrEqual': 123,
'LessThan': 123,
'LessThanOrEqual': 123
}
}
},
SortCriteria={
'AttributeName': 'string',
'OrderBy': 'ASC'|'DESC'
},
PaginationConfig={
'MaxItems': 123,
'PageSize': 123,
'StartingToken': 'string'
}
)
DetectorId (string) -- [REQUIRED]
The ID of the detector that specifies the GuardDuty service whose findings you want to list.
FindingCriteria (dict) --
Represents the criteria used for querying findings. Valid values include:
Criterion (dict) --
Represents a map of finding properties that match specified conditions and values when querying findings.
(string) --
(dict) --
Contains information about the condition.
Eq (list) --
Represents the equal condition to be applied to a single field when querying for findings.
Neq (list) --
Represents the not equal condition to be applied to a single field when querying for findings.
Gt (integer) --
Represents a greater than condition to be applied to a single field when querying for findings.
Gte (integer) --
Represents a greater than or equal condition to be applied to a single field when querying for findings.
Lt (integer) --
Represents a less than condition to be applied to a single field when querying for findings.
Lte (integer) --
Represents a less than or equal condition to be applied to a single field when querying for findings.
Equals (list) --
Represents an equal condition to be applied to a single field when querying for findings.
NotEquals (list) --
Represents a not equal condition to be applied to a single field when querying for findings.
GreaterThan (integer) --
Represents a greater than condition to be applied to a single field when querying for findings.
GreaterThanOrEqual (integer) --
Represents a greater than or equal condition to be applied to a single field when querying for findings.
LessThan (integer) --
Represents a less than condition to be applied to a single field when querying for findings.
LessThanOrEqual (integer) --
Represents a less than or equal condition to be applied to a single field when querying for findings.
SortCriteria (dict) --
Represents the criteria used for sorting findings.
AttributeName (string) --
Represents the finding attribute (for example, accountId) to sort findings by.
OrderBy (string) --
The order by which the sorted findings are to be displayed.
PaginationConfig (dict) --
A dictionary that provides parameters to control pagination.
MaxItems (integer) --
The total number of items to return. If the total number of items available is more than the value specified in max-items then a NextToken will be provided in the output that you can use to resume pagination.
PageSize (integer) --
The size of each page.
StartingToken (string) --
A token to specify where to start paginating. This is the NextToken from a previous response.
dict
Response Syntax
{
'FindingIds': [
'string',
],
}
Response Structure
(dict) --
FindingIds (list) --
The IDs of the findings that you're listing.
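An added example (not boto3's or GuardDuty's own code) that ties the update_filter and list_findings sections together: it builds a FindingCriteria dict in the shape shown above, keyed by finding JSON field paths such as severity and service.archived, evaluates it locally against constructed sample findings so the operator semantics are visible offline, and hands the same dict to the list_findings paginator. The local matcher is an approximation of the server-side match, and the function names, sample findings and chosen thresholds are assumptions; the short operator names (Gt, Gte, Lt, Lte) are the older spellings of GreaterThan, GreaterThanOrEqual, LessThan and LessThanOrEqual.

```python
import operator
# Constructed sample findings shaped like GuardDuty finding JSON (not real data).
SAMPLE_FINDINGS = [
    {"id": "f-1", "severity": 8.0, "service": {"archived": False}},
    {"id": "f-2", "severity": 2.0, "service": {"archived": False}},
    {"id": "f-3", "severity": 9.5, "service": {"archived": True}},
]
# Numeric operators: the short names the page lists and their longer equivalents.
_NUMERIC = {"Gt": operator.gt, "Gte": operator.ge, "Lt": operator.lt, "Lte": operator.le}
_NUMERIC.update(GreaterThan=operator.gt, GreaterThanOrEqual=operator.ge,
                LessThan=operator.lt, LessThanOrEqual=operator.le)

def high_severity_unarchived_criteria(min_severity=7):
    """FindingCriteria dict in the page's shape; keys are finding JSON field paths."""
    return {"Criterion": {"severity": {"GreaterThanOrEqual": min_severity},
                          "service.archived": {"Equals": ["false"]}}}

def _lookup(finding, path):
    """Resolve a dotted path such as 'service.archived'; None if any part is absent."""
    for key in path.split("."):
        if not isinstance(finding, dict) or key not in finding:
            return None
        finding = finding[key]
    return finding

def matches(finding, criteria):
    """Local approximation of the server-side match: every condition on every
    listed field must hold. Equals/NotEquals compare strings, so booleans are
    rendered as 'true'/'false' the way GuardDuty serializes them."""
    for path, conditions in criteria["Criterion"].items():
        value = _lookup(finding, path)
        if value is None:
            return False
        text = str(value).lower() if isinstance(value, bool) else str(value)
        for op, operand in conditions.items():
            if op in ("Eq", "Equals") and text not in operand:
                return False
            if op in ("Neq", "NotEquals") and text in operand:
                return False
            if op in _NUMERIC and (not isinstance(value, (int, float))
                                   or not _NUMERIC[op](value, operand)):
                return False
    return True

def list_finding_ids(client, detector_id, criteria, page_size=50):
    """Hand the same criteria dict to the page's list_findings paginator."""
    pages = client.get_paginator("list_findings").paginate(
        DetectorId=detector_id, FindingCriteria=criteria,
        SortCriteria={"AttributeName": "severity", "OrderBy": "DESC"},
        PaginationConfig={"PageSize": page_size})
    return [fid for page in pages for fid in page["FindingIds"]]
```

Passing the same criteria dict to update_filter with Action='ARCHIVE' would make GuardDuty auto-archive matching findings, so check it locally against known findings before attaching it to a filter.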
paginator = client.get_paginator('list_ip_sets')
Creates an iterator that will paginate through responses from GuardDuty.Client.list_ip_sets().
See also: AWS API Documentation
Request Syntax
response_iterator = paginator.paginate(
DetectorId='string',
PaginationConfig={
'MaxItems': 123,
'PageSize': 123,
'StartingToken': 'string'
}
)
DetectorId (string) -- [REQUIRED]
The unique ID of the detector that the IPSet is associated with.
PaginationConfig (dict) --
A dictionary that provides parameters to control pagination.
MaxItems (integer) --
The total number of items to return. If the total number of items available is more than the value specified in max-items then a NextToken will be provided in the output that you can use to resume pagination.
PageSize (integer) --
The size of each page.
StartingToken (string) --
A token to specify where to start paginating. This is the NextToken from a previous response.
dict
Response Syntax
{
'IpSetIds': [
'string',
],
}
Response Structure
(dict) --
IpSetIds (list) --
The IDs of the IPSet resources.
paginator = client.get_paginator('list_invitations')
Creates an iterator that will paginate through responses from GuardDuty.Client.list_invitations().
See also: AWS API Documentation
Request Syntax
response_iterator = paginator.paginate(
PaginationConfig={
'MaxItems': 123,
'PageSize': 123,
'StartingToken': 'string'
}
)
PaginationConfig (dict) --
A dictionary that provides parameters to control pagination.
MaxItems (integer) --
The total number of items to return. If the total number of items available is more than the value specified in max-items then a NextToken will be provided in the output that you can use to resume pagination.
PageSize (integer) --
The size of each page.
StartingToken (string) --
A token to specify where to start paginating. This is the NextToken from a previous response.
dict
Response Syntax
{
'Invitations': [
{
'AccountId': 'string',
'InvitationId': 'string',
'RelationshipStatus': 'string',
'InvitedAt': 'string'
},
],
}
Response Structure
(dict) --
Invitations (list) --
A list of invitation descriptions.
(dict) --
Contains information about the invitation to become a member account.
AccountId (string) --
The ID of the account that the invitation was sent from.
InvitationId (string) --
The ID of the invitation. This value is used to validate the inviter account to the member account.
RelationshipStatus (string) --
The status of the relationship between the inviter and invitee accounts.
InvitedAt (string) --
The timestamp when the invitation was sent.
paginator = client.get_paginator('list_members')
Creates an iterator that will paginate through responses from GuardDuty.Client.list_members().
See also: AWS API Documentation
Request Syntax
response_iterator = paginator.paginate(
DetectorId='string',
OnlyAssociated='string',
PaginationConfig={
'MaxItems': 123,
'PageSize': 123,
'StartingToken': 'string'
}
)
DetectorId (string) -- [REQUIRED]
The unique ID of the detector the member is associated with.
PaginationConfig (dict) --
A dictionary that provides parameters to control pagination.
MaxItems (integer) --
The total number of items to return. If the total number of items available is more than the value specified in max-items then a NextToken will be provided in the output that you can use to resume pagination.
PageSize (integer) --
The size of each page.
StartingToken (string) --
A token to specify where to start paginating. This is the NextToken from a previous response.
dict
Response Syntax
{
'Members': [
{
'AccountId': 'string',
'DetectorId': 'string',
'MasterId': 'string',
'Email': 'string',
'RelationshipStatus': 'string',
'InvitedAt': 'string',
'UpdatedAt': 'string'
},
],
}
Response Structure
(dict) --
Members (list) --
A list of members.
(dict) --
Contains information about the member account.
AccountId (string) --
The ID of the member account.
DetectorId (string) --
The detector ID of the member account.
MasterId (string) --
The master account ID.
Email (string) --
The email address of the member account.
RelationshipStatus (string) --
The status of the relationship between the member and the master.
InvitedAt (string) --
The timestamp when the invitation was sent.
UpdatedAt (string) --
The last-updated timestamp of the member.
paginator = client.get_paginator('list_organization_admin_accounts')
Creates an iterator that will paginate through responses from GuardDuty.Client.list_organization_admin_accounts().
See also: AWS API Documentation
Request Syntax
response_iterator = paginator.paginate(
PaginationConfig={
'MaxItems': 123,
'PageSize': 123,
'StartingToken': 'string'
}
)
PaginationConfig (dict) --
A dictionary that provides parameters to control pagination.
MaxItems (integer) --
The total number of items to return. If the total number of items available is more than the value specified in max-items then a NextToken will be provided in the output that you can use to resume pagination.
PageSize (integer) --
The size of each page.
StartingToken (string) --
A token to specify where to start paginating. This is the NextToken from a previous response.
dict
Response Syntax
{
'AdminAccounts': [
{
'AdminAccountId': 'string',
'AdminStatus': 'ENABLED'|'DISABLE_IN_PROGRESS'
},
],
}
Response Structure
(dict) --
AdminAccounts (list) --
An AdminAccounts object that includes a list of accounts configured as GuardDuty delegated administrators.
(dict) --
The account within the organization specified as the GuardDuty delegated administrator.
AdminAccountId (string) --
The AWS account ID for the account.
AdminStatus (string) --
Indicates whether the account is enabled as the delegated administrator.
paginator = client.get_paginator('list_threat_intel_sets')
Creates an iterator that will paginate through responses from GuardDuty.Client.list_threat_intel_sets().
See also: AWS API Documentation
Request Syntax
response_iterator = paginator.paginate(
DetectorId='string',
PaginationConfig={
'MaxItems': 123,
'PageSize': 123,
'StartingToken': 'string'
}
)
DetectorId (string) -- [REQUIRED]
The unique ID of the detector that the ThreatIntelSet is associated with.
PaginationConfig (dict) --
A dictionary that provides parameters to control pagination.
MaxItems (integer) --
The total number of items to return. If the total number of items available is more than the value specified in max-items then a NextToken will be provided in the output that you can use to resume pagination.
PageSize (integer) --
The size of each page.
StartingToken (string) --
A token to specify where to start paginating. This is the NextToken from a previous response.
dict
Response Syntax
{
'ThreatIntelSetIds': [
'string',
],
}
Response Structure
(dict) --
ThreatIntelSetIds (list) --
The IDs of the ThreatIntelSet resources.