GuardDuty

Table of Contents

Client

class GuardDuty.Client

A low-level client representing Amazon GuardDuty

Amazon GuardDuty is a continuous security monitoring service that analyzes and processes the following data sources: VPC flow logs, Amazon Web Services CloudTrail management event logs, CloudTrail S3 data event logs, EKS audit logs, DNS logs, and Amazon EBS volume data. It uses threat intelligence feeds, such as lists of malicious IPs and domains, and machine learning to identify unexpected, potentially unauthorized, and malicious activity within your Amazon Web Services environment. This can include issues like escalations of privileges, uses of exposed credentials, or communication with malicious IPs, domains, or presence of malware on your Amazon EC2 instances and container workloads. For example, GuardDuty can detect compromised EC2 instances and container workloads serving malware, or mining bitcoin.

GuardDuty also monitors Amazon Web Services account access behavior for signs of compromise, such as unauthorized infrastructure deployments like EC2 instances deployed in a Region that has never been used, or unusual API calls like a password policy change to reduce password strength.

GuardDuty informs you about the status of your Amazon Web Services environment by producing security findings that you can view in the GuardDuty console or through Amazon EventBridge. For more information, see the Amazon GuardDuty User Guide .

import boto3

client = boto3.client('guardduty')

These are the available methods:

accept_administrator_invitation(**kwargs)

Accepts the invitation to be a member account and get monitored by a GuardDuty administrator account that sent the invitation.

See also: AWS API Documentation

Request Syntax

response = client.accept_administrator_invitation(
    DetectorId='string',
    AdministratorId='string',
    InvitationId='string'
)
Parameters
  • DetectorId (string) --

    [REQUIRED]

    The unique ID of the detector of the GuardDuty member account.

  • AdministratorId (string) --

    [REQUIRED]

    The account ID of the GuardDuty administrator account whose invitation you're accepting.

  • InvitationId (string) --

    [REQUIRED]

    The value that is used to validate the administrator account to the member account.

Return type

dict

Returns

Response Syntax

{}

Response Structure

  • (dict) --

Exceptions

  • GuardDuty.Client.exceptions.BadRequestException
  • GuardDuty.Client.exceptions.InternalServerErrorException
accept_invitation(**kwargs)

Accepts the invitation to be monitored by a GuardDuty administrator account.

Danger

This operation is deprecated and may not function as expected. This operation should not be used going forward and is only kept for the purpose of backwards compatiblity.

See also: AWS API Documentation

Request Syntax

response = client.accept_invitation(
    DetectorId='string',
    MasterId='string',
    InvitationId='string'
)
Parameters
  • DetectorId (string) --

    [REQUIRED]

    The unique ID of the detector of the GuardDuty member account.

  • MasterId (string) --

    [REQUIRED]

    The account ID of the GuardDuty administrator account whose invitation you're accepting.

  • InvitationId (string) --

    [REQUIRED]

    The value that is used to validate the administrator account to the member account.

Return type

dict

Returns

Response Syntax

{}

Response Structure

  • (dict) --

Exceptions

  • GuardDuty.Client.exceptions.BadRequestException
  • GuardDuty.Client.exceptions.InternalServerErrorException
archive_findings(**kwargs)

Archives GuardDuty findings that are specified by the list of finding IDs.

Note

Only the administrator account can archive findings. Member accounts don't have permission to archive findings from their accounts.

See also: AWS API Documentation

Request Syntax

response = client.archive_findings(
    DetectorId='string',
    FindingIds=[
        'string',
    ]
)
Parameters
  • DetectorId (string) --

    [REQUIRED]

    The ID of the detector that specifies the GuardDuty service whose findings you want to archive.

  • FindingIds (list) --

    [REQUIRED]

    The IDs of the findings that you want to archive.

    • (string) --
Return type

dict

Returns

Response Syntax

{}

Response Structure

  • (dict) --

Exceptions

  • GuardDuty.Client.exceptions.BadRequestException
  • GuardDuty.Client.exceptions.InternalServerErrorException
can_paginate(operation_name)

Check if an operation can be paginated.

Parameters
operation_name (string) -- The operation name. This is the same name as the method name on the client. For example, if the method name is create_foo, and you'd normally invoke the operation as client.create_foo(**kwargs), if the create_foo operation can be paginated, you can use the call client.get_paginator("create_foo").
Returns
True if the operation can be paginated, False otherwise.
close()

Closes underlying endpoint connections.

create_detector(**kwargs)

Creates a single Amazon GuardDuty detector. A detector is a resource that represents the GuardDuty service. To start using GuardDuty, you must create a detector in each Region where you enable the service. You can have only one detector per account per Region. All data sources are enabled in a new detector by default.

There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints.

See also: AWS API Documentation

Request Syntax

response = client.create_detector(
    Enable=True|False,
    ClientToken='string',
    FindingPublishingFrequency='FIFTEEN_MINUTES'|'ONE_HOUR'|'SIX_HOURS',
    DataSources={
        'S3Logs': {
            'Enable': True|False
        },
        'Kubernetes': {
            'AuditLogs': {
                'Enable': True|False
            }
        },
        'MalwareProtection': {
            'ScanEc2InstanceWithFindings': {
                'EbsVolumes': True|False
            }
        }
    },
    Tags={
        'string': 'string'
    }
)
Parameters
  • Enable (boolean) --

    [REQUIRED]

    A Boolean value that specifies whether the detector is to be enabled.

  • ClientToken (string) --

    The idempotency token for the create request.

    This field is autopopulated if not provided.

  • FindingPublishingFrequency (string) -- A value that specifies how frequently updated findings are exported.
  • DataSources (dict) --

    Describes which data sources will be enabled for the detector.

    There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints.

    • S3Logs (dict) --

      Describes whether S3 data event logs are enabled as a data source.

      • Enable (boolean) -- [REQUIRED]

        The status of S3 data event logs as a data source.

    • Kubernetes (dict) --

      Describes whether any Kubernetes logs are enabled as data sources.

      • AuditLogs (dict) -- [REQUIRED]

        The status of Kubernetes audit logs as a data source.

        • Enable (boolean) -- [REQUIRED]

          The status of Kubernetes audit logs as a data source.

    • MalwareProtection (dict) --

      Describes whether Malware Protection is enabled as a data source.

      • ScanEc2InstanceWithFindings (dict) --

        Describes the configuration of Malware Protection for EC2 instances with findings.

        • EbsVolumes (boolean) --

          Describes the configuration for scanning EBS volumes as data source.

  • Tags (dict) --

    The tags to be added to a new detector resource.

    • (string) --
      • (string) --
Return type

dict

Returns

Response Syntax

{
    'DetectorId': 'string',
    'UnprocessedDataSources': {
        'MalwareProtection': {
            'ScanEc2InstanceWithFindings': {
                'EbsVolumes': {
                    'Status': 'ENABLED'|'DISABLED',
                    'Reason': 'string'
                }
            },
            'ServiceRole': 'string'
        }
    }
}

Response Structure

  • (dict) --

    • DetectorId (string) --

      The unique ID of the created detector.

    • UnprocessedDataSources (dict) --

      Specifies the data sources that couldn't be enabled when GuardDuty was enabled for the first time.

      • MalwareProtection (dict) --

        An object that contains information on the status of all Malware Protection data sources.

        • ScanEc2InstanceWithFindings (dict) --

          Describes the configuration of Malware Protection for EC2 instances with findings.

          • EbsVolumes (dict) --

            Describes the configuration of scanning EBS volumes as a data source.

            • Status (string) --

              Describes whether scanning EBS volumes is enabled as a data source.

            • Reason (string) --

              Specifies the reason why scanning EBS volumes (Malware Protection) was not enabled as a data source.

        • ServiceRole (string) --

          The GuardDuty Malware Protection service role.

Exceptions

  • GuardDuty.Client.exceptions.BadRequestException
  • GuardDuty.Client.exceptions.InternalServerErrorException
create_filter(**kwargs)

Creates a filter using the specified finding criteria.

See also: AWS API Documentation

Request Syntax

response = client.create_filter(
    DetectorId='string',
    Name='string',
    Description='string',
    Action='NOOP'|'ARCHIVE',
    Rank=123,
    FindingCriteria={
        'Criterion': {
            'string': {
                'Eq': [
                    'string',
                ],
                'Neq': [
                    'string',
                ],
                'Gt': 123,
                'Gte': 123,
                'Lt': 123,
                'Lte': 123,
                'Equals': [
                    'string',
                ],
                'NotEquals': [
                    'string',
                ],
                'GreaterThan': 123,
                'GreaterThanOrEqual': 123,
                'LessThan': 123,
                'LessThanOrEqual': 123
            }
        }
    },
    ClientToken='string',
    Tags={
        'string': 'string'
    }
)
Parameters
  • DetectorId (string) --

    [REQUIRED]

    The ID of the detector belonging to the GuardDuty account that you want to create a filter for.

  • Name (string) --

    [REQUIRED]

    The name of the filter. Valid characters include period (.), underscore (_), dash (-), and alphanumeric characters. A whitespace is considered to be an invalid character.

  • Description (string) -- The description of the filter. Valid characters include alphanumeric characters, and special characters such as - , . , : , { } , [ ] , ( ) , / , \t , \n , \x0B , \f , \r , _ , and whitespace.
  • Action (string) -- Specifies the action that is to be applied to the findings that match the filter.
  • Rank (integer) -- Specifies the position of the filter in the list of current filters. Also specifies the order in which this filter is applied to the findings.
  • FindingCriteria (dict) --

    [REQUIRED]

    Represents the criteria to be used in the filter for querying findings.

    You can only use the following attributes to query findings:

    • accountId
    • region
    • id
    • resource.accessKeyDetails.accessKeyId
    • resource.accessKeyDetails.principalId
    • resource.accessKeyDetails.userName
    • resource.accessKeyDetails.userType
    • resource.instanceDetails.iamInstanceProfile.id
    • resource.instanceDetails.imageId
    • resource.instanceDetails.instanceId
    • resource.instanceDetails.outpostArn
    • resource.instanceDetails.networkInterfaces.ipv6Addresses
    • resource.instanceDetails.networkInterfaces.privateIpAddresses.privateIpAddress
    • resource.instanceDetails.networkInterfaces.publicDnsName
    • resource.instanceDetails.networkInterfaces.publicIp
    • resource.instanceDetails.networkInterfaces.securityGroups.groupId
    • resource.instanceDetails.networkInterfaces.securityGroups.groupName
    • resource.instanceDetails.networkInterfaces.subnetId
    • resource.instanceDetails.networkInterfaces.vpcId
    • resource.instanceDetails.tags.key
    • resource.instanceDetails.tags.value
    • resource.resourceType
    • service.action.actionType
    • service.action.awsApiCallAction.api
    • service.action.awsApiCallAction.callerType
    • service.action.awsApiCallAction.errorCode
    • service.action.awsApiCallAction.userAgent
    • service.action.awsApiCallAction.remoteIpDetails.city.cityName
    • service.action.awsApiCallAction.remoteIpDetails.country.countryName
    • service.action.awsApiCallAction.remoteIpDetails.ipAddressV4
    • service.action.awsApiCallAction.remoteIpDetails.organization.asn
    • service.action.awsApiCallAction.remoteIpDetails.organization.asnOrg
    • service.action.awsApiCallAction.serviceName
    • service.action.dnsRequestAction.domain
    • service.action.networkConnectionAction.blocked
    • service.action.networkConnectionAction.connectionDirection
    • service.action.networkConnectionAction.localPortDetails.port
    • service.action.networkConnectionAction.protocol
    • service.action.networkConnectionAction.localIpDetails.ipAddressV4
    • service.action.networkConnectionAction.remoteIpDetails.city.cityName
    • service.action.networkConnectionAction.remoteIpDetails.country.countryName
    • service.action.networkConnectionAction.remoteIpDetails.ipAddressV4
    • service.action.networkConnectionAction.remoteIpDetails.organization.asn
    • service.action.networkConnectionAction.remoteIpDetails.organization.asnOrg
    • service.action.networkConnectionAction.remotePortDetails.port
    • service.additionalInfo.threatListName
    • resource.s3BucketDetails.publicAccess.effectivePermissions
    • resource.s3BucketDetails.name
    • resource.s3BucketDetails.tags.key
    • resource.s3BucketDetails.tags.value
    • resource.s3BucketDetails.type
    • service.resourceRole
    • severity
    • type
    • updatedAt Type: ISO 8601 string format: YYYY-MM-DDTHH:MM:SS.SSSZ or YYYY-MM-DDTHH:MM:SSZ depending on whether the value contains milliseconds.
    • Criterion (dict) --

      Represents a map of finding properties that match specified conditions and values when querying findings.

      • (string) --
        • (dict) --

          Contains information about the condition.

          • Eq (list) --

            Represents the equal condition to be applied to a single field when querying for findings.

            • (string) --
          • Neq (list) --

            Represents the not equal condition to be applied to a single field when querying for findings.

            • (string) --
          • Gt (integer) --

            Represents a greater than condition to be applied to a single field when querying for findings.

          • Gte (integer) --

            Represents a greater than or equal condition to be applied to a single field when querying for findings.

          • Lt (integer) --

            Represents a less than condition to be applied to a single field when querying for findings.

          • Lte (integer) --

            Represents a less than or equal condition to be applied to a single field when querying for findings.

          • Equals (list) --

            Represents an equal condition to be applied to a single field when querying for findings.

            • (string) --
          • NotEquals (list) --

            Represents a not equal condition to be applied to a single field when querying for findings.

            • (string) --
          • GreaterThan (integer) --

            Represents a greater than condition to be applied to a single field when querying for findings.

          • GreaterThanOrEqual (integer) --

            Represents a greater than or equal condition to be applied to a single field when querying for findings.

          • LessThan (integer) --

            Represents a less than condition to be applied to a single field when querying for findings.

          • LessThanOrEqual (integer) --

            Represents a less than or equal condition to be applied to a single field when querying for findings.

  • ClientToken (string) --

    The idempotency token for the create request.

    This field is autopopulated if not provided.

  • Tags (dict) --

    The tags to be added to a new filter resource.

    • (string) --
      • (string) --
Return type

dict

Returns

Response Syntax

{
    'Name': 'string'
}

Response Structure

  • (dict) --

    • Name (string) --

      The name of the successfully created filter.

Exceptions

  • GuardDuty.Client.exceptions.BadRequestException
  • GuardDuty.Client.exceptions.InternalServerErrorException
create_ip_set(**kwargs)

Creates a new IPSet, which is called a trusted IP list in the console user interface. An IPSet is a list of IP addresses that are trusted for secure communication with Amazon Web Services infrastructure and applications. GuardDuty doesn't generate findings for IP addresses that are included in IPSets. Only users from the administrator account can use this operation.

See also: AWS API Documentation

Request Syntax

response = client.create_ip_set(
    DetectorId='string',
    Name='string',
    Format='TXT'|'STIX'|'OTX_CSV'|'ALIEN_VAULT'|'PROOF_POINT'|'FIRE_EYE',
    Location='string',
    Activate=True|False,
    ClientToken='string',
    Tags={
        'string': 'string'
    }
)
Parameters
  • DetectorId (string) --

    [REQUIRED]

    The unique ID of the detector of the GuardDuty account that you want to create an IPSet for.

  • Name (string) --

    [REQUIRED]

    The user-friendly name to identify the IPSet.

    Allowed characters are alphanumeric, whitespace, dash (-), and underscores (_).

  • Format (string) --

    [REQUIRED]

    The format of the file that contains the IPSet.

  • Location (string) --

    [REQUIRED]

    The URI of the file that contains the IPSet.

  • Activate (boolean) --

    [REQUIRED]

    A Boolean value that indicates whether GuardDuty is to start using the uploaded IPSet.

  • ClientToken (string) --

    The idempotency token for the create request.

    This field is autopopulated if not provided.

  • Tags (dict) --

    The tags to be added to a new IP set resource.

    • (string) --
      • (string) --
Return type

dict

Returns

Response Syntax

{
    'IpSetId': 'string'
}

Response Structure

  • (dict) --

    • IpSetId (string) --

      The ID of the IPSet resource.

Exceptions

  • GuardDuty.Client.exceptions.BadRequestException
  • GuardDuty.Client.exceptions.InternalServerErrorException
create_members(**kwargs)

Creates member accounts of the current Amazon Web Services account by specifying a list of Amazon Web Services account IDs. This step is a prerequisite for managing the associated member accounts either by invitation or through an organization.

When using Create Members as an organizations delegated administrator this action will enable GuardDuty in the added member accounts, with the exception of the organization delegated administrator account, which must enable GuardDuty prior to being added as a member.

If you are adding accounts by invitation, use this action after GuardDuty has bee enabled in potential member accounts and before using InviteMembers.

See also: AWS API Documentation

Request Syntax

response = client.create_members(
    DetectorId='string',
    AccountDetails=[
        {
            'AccountId': 'string',
            'Email': 'string'
        },
    ]
)
Parameters
  • DetectorId (string) --

    [REQUIRED]

    The unique ID of the detector of the GuardDuty account that you want to associate member accounts with.

  • AccountDetails (list) --

    [REQUIRED]

    A list of account ID and email address pairs of the accounts that you want to associate with the GuardDuty administrator account.

    • (dict) --

      Contains information about the account.

      • AccountId (string) -- [REQUIRED]

        The member account ID.

      • Email (string) -- [REQUIRED]

        The email address of the member account.

Return type

dict

Returns

Response Syntax

{
    'UnprocessedAccounts': [
        {
            'AccountId': 'string',
            'Result': 'string'
        },
    ]
}

Response Structure

  • (dict) --

    • UnprocessedAccounts (list) --

      A list of objects that include the accountIds of the unprocessed accounts and a result string that explains why each was unprocessed.

      • (dict) --

        Contains information about the accounts that weren't processed.

        • AccountId (string) --

          The Amazon Web Services account ID.

        • Result (string) --

          A reason why the account hasn't been processed.

Exceptions

  • GuardDuty.Client.exceptions.BadRequestException
  • GuardDuty.Client.exceptions.InternalServerErrorException
create_publishing_destination(**kwargs)

Creates a publishing destination to export findings to. The resource to export findings to must exist before you use this operation.

See also: AWS API Documentation

Request Syntax

response = client.create_publishing_destination(
    DetectorId='string',
    DestinationType='S3',
    DestinationProperties={
        'DestinationArn': 'string',
        'KmsKeyArn': 'string'
    },
    ClientToken='string'
)
Parameters
  • DetectorId (string) --

    [REQUIRED]

    The ID of the GuardDuty detector associated with the publishing destination.

  • DestinationType (string) --

    [REQUIRED]

    The type of resource for the publishing destination. Currently only Amazon S3 buckets are supported.

  • DestinationProperties (dict) --

    [REQUIRED]

    The properties of the publishing destination, including the ARNs for the destination and the KMS key used for encryption.

    • DestinationArn (string) --

      The ARN of the resource to publish to.

      To specify an S3 bucket folder use the following format: arn:aws:s3:::DOC-EXAMPLE-BUCKET/myFolder/

    • KmsKeyArn (string) --

      The ARN of the KMS key to use for encryption.

  • ClientToken (string) --

    The idempotency token for the request.

    This field is autopopulated if not provided.

Return type

dict

Returns

Response Syntax

{
    'DestinationId': 'string'
}

Response Structure

  • (dict) --

    • DestinationId (string) --

      The ID of the publishing destination that is created.

Exceptions

  • GuardDuty.Client.exceptions.BadRequestException
  • GuardDuty.Client.exceptions.InternalServerErrorException
create_sample_findings(**kwargs)

Generates sample findings of types specified by the list of finding types. If 'NULL' is specified for findingTypes , the API generates sample findings of all supported finding types.

See also: AWS API Documentation

Request Syntax

response = client.create_sample_findings(
    DetectorId='string',
    FindingTypes=[
        'string',
    ]
)
Parameters
  • DetectorId (string) --

    [REQUIRED]

    The ID of the detector to create sample findings for.

  • FindingTypes (list) --

    The types of sample findings to generate.

    • (string) --
Return type

dict

Returns

Response Syntax

{}

Response Structure

  • (dict) --

Exceptions

  • GuardDuty.Client.exceptions.BadRequestException
  • GuardDuty.Client.exceptions.InternalServerErrorException
create_threat_intel_set(**kwargs)

Creates a new ThreatIntelSet. ThreatIntelSets consist of known malicious IP addresses. GuardDuty generates findings based on ThreatIntelSets. Only users of the administrator account can use this operation.

See also: AWS API Documentation

Request Syntax

response = client.create_threat_intel_set(
    DetectorId='string',
    Name='string',
    Format='TXT'|'STIX'|'OTX_CSV'|'ALIEN_VAULT'|'PROOF_POINT'|'FIRE_EYE',
    Location='string',
    Activate=True|False,
    ClientToken='string',
    Tags={
        'string': 'string'
    }
)
Parameters
  • DetectorId (string) --

    [REQUIRED]

    The unique ID of the detector of the GuardDuty account that you want to create a threatIntelSet for.

  • Name (string) --

    [REQUIRED]

    A user-friendly ThreatIntelSet name displayed in all findings that are generated by activity that involves IP addresses included in this ThreatIntelSet.

  • Format (string) --

    [REQUIRED]

    The format of the file that contains the ThreatIntelSet.

  • Location (string) --

    [REQUIRED]

    The URI of the file that contains the ThreatIntelSet.

  • Activate (boolean) --

    [REQUIRED]

    A Boolean value that indicates whether GuardDuty is to start using the uploaded ThreatIntelSet.

  • ClientToken (string) --

    The idempotency token for the create request.

    This field is autopopulated if not provided.

  • Tags (dict) --

    The tags to be added to a new threat list resource.

    • (string) --
      • (string) --
Return type

dict

Returns

Response Syntax

{
    'ThreatIntelSetId': 'string'
}

Response Structure

  • (dict) --

    • ThreatIntelSetId (string) --

      The ID of the ThreatIntelSet resource.

Exceptions

  • GuardDuty.Client.exceptions.BadRequestException
  • GuardDuty.Client.exceptions.InternalServerErrorException
decline_invitations(**kwargs)

Declines invitations sent to the current member account by Amazon Web Services accounts specified by their account IDs.

See also: AWS API Documentation

Request Syntax

response = client.decline_invitations(
    AccountIds=[
        'string',
    ]
)
Parameters
AccountIds (list) --

[REQUIRED]

A list of account IDs of the Amazon Web Services accounts that sent invitations to the current member account that you want to decline invitations from.

  • (string) --
Return type
dict
Returns
Response Syntax
{
    'UnprocessedAccounts': [
        {
            'AccountId': 'string',
            'Result': 'string'
        },
    ]
}

Response Structure

  • (dict) --
    • UnprocessedAccounts (list) --

      A list of objects that contain the unprocessed account and a result string that explains why it was unprocessed.

      • (dict) --

        Contains information about the accounts that weren't processed.

        • AccountId (string) --

          The Amazon Web Services account ID.

        • Result (string) --

          A reason why the account hasn't been processed.

Exceptions

  • GuardDuty.Client.exceptions.BadRequestException
  • GuardDuty.Client.exceptions.InternalServerErrorException
delete_detector(**kwargs)

Deletes an Amazon GuardDuty detector that is specified by the detector ID.

See also: AWS API Documentation

Request Syntax

response = client.delete_detector(
    DetectorId='string'
)
Parameters
DetectorId (string) --

[REQUIRED]

The unique ID of the detector that you want to delete.

Return type
dict
Returns
Response Syntax
{}

Response Structure

  • (dict) --

Exceptions

  • GuardDuty.Client.exceptions.BadRequestException
  • GuardDuty.Client.exceptions.InternalServerErrorException
delete_filter(**kwargs)

Deletes the filter specified by the filter name.

See also: AWS API Documentation

Request Syntax

response = client.delete_filter(
    DetectorId='string',
    FilterName='string'
)
Parameters
  • DetectorId (string) --

    [REQUIRED]

    The unique ID of the detector that the filter is associated with.

  • FilterName (string) --

    [REQUIRED]

    The name of the filter that you want to delete.

Return type

dict

Returns

Response Syntax

{}

Response Structure

  • (dict) --

Exceptions

  • GuardDuty.Client.exceptions.BadRequestException
  • GuardDuty.Client.exceptions.InternalServerErrorException
delete_invitations(**kwargs)

Deletes invitations sent to the current member account by Amazon Web Services accounts specified by their account IDs.

See also: AWS API Documentation

Request Syntax

response = client.delete_invitations(
    AccountIds=[
        'string',
    ]
)
Parameters
AccountIds (list) --

[REQUIRED]

A list of account IDs of the Amazon Web Services accounts that sent invitations to the current member account that you want to delete invitations from.

  • (string) --
Return type
dict
Returns
Response Syntax
{
    'UnprocessedAccounts': [
        {
            'AccountId': 'string',
            'Result': 'string'
        },
    ]
}

Response Structure

  • (dict) --
    • UnprocessedAccounts (list) --

      A list of objects that contain the unprocessed account and a result string that explains why it was unprocessed.

      • (dict) --

        Contains information about the accounts that weren't processed.

        • AccountId (string) --

          The Amazon Web Services account ID.

        • Result (string) --

          A reason why the account hasn't been processed.

Exceptions

  • GuardDuty.Client.exceptions.BadRequestException
  • GuardDuty.Client.exceptions.InternalServerErrorException
delete_ip_set(**kwargs)

Deletes the IPSet specified by the ipSetId . IPSets are called trusted IP lists in the console user interface.

See also: AWS API Documentation

Request Syntax

response = client.delete_ip_set(
    DetectorId='string',
    IpSetId='string'
)
Parameters
  • DetectorId (string) --

    [REQUIRED]

    The unique ID of the detector associated with the IPSet.

  • IpSetId (string) --

    [REQUIRED]

    The unique ID of the IPSet to delete.

Return type

dict

Returns

Response Syntax

{}

Response Structure

  • (dict) --

Exceptions

  • GuardDuty.Client.exceptions.BadRequestException
  • GuardDuty.Client.exceptions.InternalServerErrorException
delete_members(**kwargs)

Deletes GuardDuty member accounts (to the current GuardDuty administrator account) specified by the account IDs.

See also: AWS API Documentation

Request Syntax

response = client.delete_members(
    DetectorId='string',
    AccountIds=[
        'string',
    ]
)
Parameters
  • DetectorId (string) --

    [REQUIRED]

    The unique ID of the detector of the GuardDuty account whose members you want to delete.

  • AccountIds (list) --

    [REQUIRED]

    A list of account IDs of the GuardDuty member accounts that you want to delete.

    • (string) --
Return type

dict

Returns

Response Syntax

{
    'UnprocessedAccounts': [
        {
            'AccountId': 'string',
            'Result': 'string'
        },
    ]
}

Response Structure

  • (dict) --

    • UnprocessedAccounts (list) --

      The accounts that could not be processed.

      • (dict) --

        Contains information about the accounts that weren't processed.

        • AccountId (string) --

          The Amazon Web Services account ID.

        • Result (string) --

          A reason why the account hasn't been processed.

Exceptions

  • GuardDuty.Client.exceptions.BadRequestException
  • GuardDuty.Client.exceptions.InternalServerErrorException
delete_publishing_destination(**kwargs)

Deletes the publishing definition with the specified destinationId .

See also: AWS API Documentation

Request Syntax

response = client.delete_publishing_destination(
    DetectorId='string',
    DestinationId='string'
)
Parameters
  • DetectorId (string) --

    [REQUIRED]

    The unique ID of the detector associated with the publishing destination to delete.

  • DestinationId (string) --

    [REQUIRED]

    The ID of the publishing destination to delete.

Return type

dict

Returns

Response Syntax

{}

Response Structure

  • (dict) --

Exceptions

  • GuardDuty.Client.exceptions.BadRequestException
  • GuardDuty.Client.exceptions.InternalServerErrorException
delete_threat_intel_set(**kwargs)

Deletes the ThreatIntelSet specified by the ThreatIntelSet ID.

See also: AWS API Documentation

Request Syntax

response = client.delete_threat_intel_set(
    DetectorId='string',
    ThreatIntelSetId='string'
)
Parameters
  • DetectorId (string) --

    [REQUIRED]

    The unique ID of the detector that the threatIntelSet is associated with.

  • ThreatIntelSetId (string) --

    [REQUIRED]

    The unique ID of the threatIntelSet that you want to delete.

Return type

dict

Returns

Response Syntax

{}

Response Structure

  • (dict) --

Exceptions

  • GuardDuty.Client.exceptions.BadRequestException
  • GuardDuty.Client.exceptions.InternalServerErrorException
describe_malware_scans(**kwargs)

Returns a list of malware scans. Each member account can view the malware scans for their own accounts. An administrator can view the malware scans for all the member accounts.

There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints.

See also: AWS API Documentation

Request Syntax

response = client.describe_malware_scans(
    DetectorId='string',
    NextToken='string',
    MaxResults=123,
    FilterCriteria={
        'FilterCriterion': [
            {
                'CriterionKey': 'EC2_INSTANCE_ARN'|'SCAN_ID'|'ACCOUNT_ID'|'GUARDDUTY_FINDING_ID'|'SCAN_START_TIME'|'SCAN_STATUS',
                'FilterCondition': {
                    'EqualsValue': 'string',
                    'GreaterThan': 123,
                    'LessThan': 123
                }
            },
        ]
    },
    SortCriteria={
        'AttributeName': 'string',
        'OrderBy': 'ASC'|'DESC'
    }
)
Parameters
  • DetectorId (string) --

    [REQUIRED]

    The unique ID of the detector that the request is associated with.

  • NextToken (string) -- You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.
  • MaxResults (integer) -- You can use this parameter to indicate the maximum number of items that you want in the response. The default value is 50. The maximum value is 50.
  • FilterCriteria (dict) --

    Represents the criteria to be used in the filter for describing scan entries.

    • FilterCriterion (list) --

      Represents a condition that when matched will be added to the response of the operation.

      • (dict) --

        Represents a condition that when matched will be added to the response of the operation. Irrespective of using any filter criteria, an administrator account can view the scan entries for all of its member accounts. However, each member account can view the scan entries only for their own account.

        • CriterionKey (string) --

          An enum value representing possible scan properties to match with given scan entries.

        • FilterCondition (dict) --

          Contains information about the condition.

          • EqualsValue (string) --

            Represents an equal condition to be applied to a single field when querying for scan entries.

          • GreaterThan (integer) --

            Represents a greater than condition to be applied to a single field when querying for scan entries.

          • LessThan (integer) --

            Represents a less than condition to be applied to a single field when querying for scan entries.

  • SortCriteria (dict) --

    Represents the criteria used for sorting scan entries. The attributeName is required and it must be scanStartTime .

    • AttributeName (string) --

      Represents the finding attribute, such as accountId , that sorts the findings.

    • OrderBy (string) --

      The order by which the sorted findings are to be displayed.

Return type

dict

Returns

Response Syntax

{
    'Scans': [
        {
            'DetectorId': 'string',
            'AdminDetectorId': 'string',
            'ScanId': 'string',
            'ScanStatus': 'RUNNING'|'COMPLETED'|'FAILED',
            'FailureReason': 'string',
            'ScanStartTime': datetime(2015, 1, 1),
            'ScanEndTime': datetime(2015, 1, 1),
            'TriggerDetails': {
                'GuardDutyFindingId': 'string',
                'Description': 'string'
            },
            'ResourceDetails': {
                'InstanceArn': 'string'
            },
            'ScanResultDetails': {
                'ScanResult': 'CLEAN'|'INFECTED'
            },
            'AccountId': 'string',
            'TotalBytes': 123,
            'FileCount': 123,
            'AttachedVolumes': [
                {
                    'VolumeArn': 'string',
                    'VolumeType': 'string',
                    'DeviceName': 'string',
                    'VolumeSizeInGB': 123,
                    'EncryptionType': 'string',
                    'SnapshotArn': 'string',
                    'KmsKeyArn': 'string'
                },
            ]
        },
    ],
    'NextToken': 'string'
}

Response Structure

  • (dict) --

    • Scans (list) --

      Contains information about malware scans.

      • (dict) --

        Contains information about a malware scan.

        • DetectorId (string) --

          The unique ID of the detector that the request is associated with.

        • AdminDetectorId (string) --

          The unique detector ID of the administrator account that the request is associated with. Note that this value will be the same as the one used for DetectorId if the account is an administrator.

        • ScanId (string) --

          The unique scan ID associated with a scan entry.

        • ScanStatus (string) --

          An enum value representing possible scan statuses.

        • FailureReason (string) --

          Represents the reason for FAILED scan status.

        • ScanStartTime (datetime) --

          The timestamp of when the scan was triggered.

        • ScanEndTime (datetime) --

          The timestamp of when the scan was finished.

        • TriggerDetails (dict) --

          Specifies the reason why the scan was initiated.

          • GuardDutyFindingId (string) --

            The ID of the GuardDuty finding that triggered the malware scan.

          • Description (string) --

            The description of the scan trigger.

        • ResourceDetails (dict) --

          Represents the resources that were scanned in the scan entry.

          • InstanceArn (string) --

            InstanceArn that was scanned in the scan entry.

        • ScanResultDetails (dict) --

          Represents the result of the scan.

          • ScanResult (string) --

            An enum value representing possible scan results.

        • AccountId (string) --

          The ID for the account that belongs to the scan.

        • TotalBytes (integer) --

          Represents total bytes that were scanned.

        • FileCount (integer) --

          Represents the number of files that were scanned.

        • AttachedVolumes (list) --

          List of volumes that were attached to the original instance to be scanned.

          • (dict) --

            Contains EBS volume details.

            • VolumeArn (string) --

              EBS volume Arn information.

            • VolumeType (string) --

              The EBS volume type.

            • DeviceName (string) --

              The device name for the EBS volume.

            • VolumeSizeInGB (integer) --

              EBS volume size in GB.

            • EncryptionType (string) --

              EBS volume encryption type.

            • SnapshotArn (string) --

              Snapshot Arn of the EBS volume.

            • KmsKeyArn (string) --

              KMS key Arn used to encrypt the EBS volume.

    • NextToken (string) --

      The pagination parameter to be used on the next list operation to retrieve more items.

Exceptions

  • GuardDuty.Client.exceptions.BadRequestException
  • GuardDuty.Client.exceptions.InternalServerErrorException
describe_organization_configuration(**kwargs)

Returns information about the account selected as the delegated administrator for GuardDuty.

There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints.

See also: AWS API Documentation

Request Syntax

response = client.describe_organization_configuration(
    DetectorId='string'
)
Parameters
DetectorId (string) --

[REQUIRED]

The ID of the detector to retrieve information about the delegated administrator from.

Return type
dict
Returns
Response Syntax
{
    'AutoEnable': True|False,
    'MemberAccountLimitReached': True|False,
    'DataSources': {
        'S3Logs': {
            'AutoEnable': True|False
        },
        'Kubernetes': {
            'AuditLogs': {
                'AutoEnable': True|False
            }
        },
        'MalwareProtection': {
            'ScanEc2InstanceWithFindings': {
                'EbsVolumes': {
                    'AutoEnable': True|False
                }
            }
        }
    }
}

Response Structure

  • (dict) --
    • AutoEnable (boolean) --

      Indicates whether GuardDuty is automatically enabled for accounts added to the organization.

    • MemberAccountLimitReached (boolean) --

      Indicates whether the maximum number of allowed member accounts are already associated with the delegated administrator account for your organization.

    • DataSources (dict) --

      Describes which data sources are enabled automatically for member accounts.

      • S3Logs (dict) --

        Describes whether S3 data event logs are enabled as a data source.

        • AutoEnable (boolean) --

          A value that describes whether S3 data event logs are automatically enabled for new members of the organization.

      • Kubernetes (dict) --

        Describes the configuration of Kubernetes data sources.

        • AuditLogs (dict) --

          The current configuration of Kubernetes audit logs as a data source for the organization.

          • AutoEnable (boolean) --

            Whether Kubernetes audit logs data source should be auto-enabled for new members joining the organization.

      • MalwareProtection (dict) --

        Describes the configuration of Malware Protection data source for an organization.

        • ScanEc2InstanceWithFindings (dict) --

          Describes the configuration for scanning EC2 instances with findings for an organization.

          • EbsVolumes (dict) --

            Describes the configuration for scanning EBS volumes for an organization.

            • AutoEnable (boolean) --

              An object that contains the status of whether scanning EBS volumes should be auto-enabled for new members joining the organization.

Exceptions

  • GuardDuty.Client.exceptions.BadRequestException
  • GuardDuty.Client.exceptions.InternalServerErrorException
describe_publishing_destination(**kwargs)

Returns information about the publishing destination specified by the provided destinationId .

See also: AWS API Documentation

Request Syntax

response = client.describe_publishing_destination(
    DetectorId='string',
    DestinationId='string'
)
Parameters
  • DetectorId (string) --

    [REQUIRED]

    The unique ID of the detector associated with the publishing destination to retrieve.

  • DestinationId (string) --

    [REQUIRED]

    The ID of the publishing destination to retrieve.

Return type

dict

Returns

Response Syntax

{
    'DestinationId': 'string',
    'DestinationType': 'S3',
    'Status': 'PENDING_VERIFICATION'|'PUBLISHING'|'UNABLE_TO_PUBLISH_FIX_DESTINATION_PROPERTY'|'STOPPED',
    'PublishingFailureStartTimestamp': 123,
    'DestinationProperties': {
        'DestinationArn': 'string',
        'KmsKeyArn': 'string'
    }
}

Response Structure

  • (dict) --

    • DestinationId (string) --

      The ID of the publishing destination.

    • DestinationType (string) --

      The type of publishing destination. Currently, only Amazon S3 buckets are supported.

    • Status (string) --

      The status of the publishing destination.

    • PublishingFailureStartTimestamp (integer) --

      The time, in epoch millisecond format, at which GuardDuty was first unable to publish findings to the destination.

    • DestinationProperties (dict) --

      A DestinationProperties object that includes the DestinationArn and KmsKeyArn of the publishing destination.

      • DestinationArn (string) --

        The ARN of the resource to publish to.

        To specify an S3 bucket folder use the following format: arn:aws:s3:::DOC-EXAMPLE-BUCKET/myFolder/

      • KmsKeyArn (string) --

        The ARN of the KMS key to use for encryption.

Exceptions

  • GuardDuty.Client.exceptions.BadRequestException
  • GuardDuty.Client.exceptions.InternalServerErrorException
disable_organization_admin_account(**kwargs)

Disables an Amazon Web Services account within the Organization as the GuardDuty delegated administrator.

See also: AWS API Documentation

Request Syntax

response = client.disable_organization_admin_account(
    AdminAccountId='string'
)
Parameters
AdminAccountId (string) --

[REQUIRED]

The Amazon Web Services Account ID for the organizations account to be disabled as a GuardDuty delegated administrator.

Return type
dict
Returns
Response Syntax
{}

Response Structure

  • (dict) --

Exceptions

  • GuardDuty.Client.exceptions.BadRequestException
  • GuardDuty.Client.exceptions.InternalServerErrorException
disassociate_from_administrator_account(**kwargs)

Disassociates the current GuardDuty member account from its administrator account.

See also: AWS API Documentation

Request Syntax

response = client.disassociate_from_administrator_account(
    DetectorId='string'
)
Parameters
DetectorId (string) --

[REQUIRED]

The unique ID of the detector of the GuardDuty member account.

Return type
dict
Returns
Response Syntax
{}

Response Structure

  • (dict) --

Exceptions

  • GuardDuty.Client.exceptions.BadRequestException
  • GuardDuty.Client.exceptions.InternalServerErrorException
disassociate_from_master_account(**kwargs)

Disassociates the current GuardDuty member account from its administrator account.

Danger

This operation is deprecated and may not function as expected. This operation should not be used going forward and is only kept for the purpose of backwards compatiblity.

See also: AWS API Documentation

Request Syntax

response = client.disassociate_from_master_account(
    DetectorId='string'
)
Parameters
DetectorId (string) --

[REQUIRED]

The unique ID of the detector of the GuardDuty member account.

Return type
dict
Returns
Response Syntax
{}

Response Structure

  • (dict) --

Exceptions

  • GuardDuty.Client.exceptions.BadRequestException
  • GuardDuty.Client.exceptions.InternalServerErrorException
disassociate_members(**kwargs)

Disassociates GuardDuty member accounts (to the current administrator account) specified by the account IDs.

See also: AWS API Documentation

Request Syntax

response = client.disassociate_members(
    DetectorId='string',
    AccountIds=[
        'string',
    ]
)
Parameters
  • DetectorId (string) --

    [REQUIRED]

    The unique ID of the detector of the GuardDuty account whose members you want to disassociate from the administrator account.

  • AccountIds (list) --

    [REQUIRED]

    A list of account IDs of the GuardDuty member accounts that you want to disassociate from the administrator account.

    • (string) --
Return type

dict

Returns

Response Syntax

{
    'UnprocessedAccounts': [
        {
            'AccountId': 'string',
            'Result': 'string'
        },
    ]
}

Response Structure

  • (dict) --

    • UnprocessedAccounts (list) --

      A list of objects that contain the unprocessed account and a result string that explains why it was unprocessed.

      • (dict) --

        Contains information about the accounts that weren't processed.

        • AccountId (string) --

          The Amazon Web Services account ID.

        • Result (string) --

          A reason why the account hasn't been processed.

Exceptions

  • GuardDuty.Client.exceptions.BadRequestException
  • GuardDuty.Client.exceptions.InternalServerErrorException
enable_organization_admin_account(**kwargs)

Enables an Amazon Web Services account within the organization as the GuardDuty delegated administrator.

See also: AWS API Documentation

Request Syntax

response = client.enable_organization_admin_account(
    AdminAccountId='string'
)
Parameters
AdminAccountId (string) --

[REQUIRED]

The Amazon Web Services Account ID for the organization account to be enabled as a GuardDuty delegated administrator.

Return type
dict
Returns
Response Syntax
{}

Response Structure

  • (dict) --

Exceptions

  • GuardDuty.Client.exceptions.BadRequestException
  • GuardDuty.Client.exceptions.InternalServerErrorException
get_administrator_account(**kwargs)

Provides the details for the GuardDuty administrator account associated with the current GuardDuty member account.

See also: AWS API Documentation

Request Syntax

response = client.get_administrator_account(
    DetectorId='string'
)
Parameters
DetectorId (string) --

[REQUIRED]

The unique ID of the detector of the GuardDuty member account.

Return type
dict
Returns
Response Syntax
{
    'Administrator': {
        'AccountId': 'string',
        'InvitationId': 'string',
        'RelationshipStatus': 'string',
        'InvitedAt': 'string'
    }
}

Response Structure

  • (dict) --
    • Administrator (dict) --

      The administrator account details.

      • AccountId (string) --

        The ID of the account used as the administrator account.

      • InvitationId (string) --

        The value that is used to validate the administrator account to the member account.

      • RelationshipStatus (string) --

        The status of the relationship between the administrator and member accounts.

      • InvitedAt (string) --

        The timestamp when the invitation was sent.

Exceptions

  • GuardDuty.Client.exceptions.BadRequestException
  • GuardDuty.Client.exceptions.InternalServerErrorException
get_detector(**kwargs)

Retrieves an Amazon GuardDuty detector specified by the detectorId.

There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints.

See also: AWS API Documentation

Request Syntax

response = client.get_detector(
    DetectorId='string'
)
Parameters
DetectorId (string) --

[REQUIRED]

The unique ID of the detector that you want to get.

Return type
dict
Returns
Response Syntax
{
    'CreatedAt': 'string',
    'FindingPublishingFrequency': 'FIFTEEN_MINUTES'|'ONE_HOUR'|'SIX_HOURS',
    'ServiceRole': 'string',
    'Status': 'ENABLED'|'DISABLED',
    'UpdatedAt': 'string',
    'DataSources': {
        'CloudTrail': {
            'Status': 'ENABLED'|'DISABLED'
        },
        'DNSLogs': {
            'Status': 'ENABLED'|'DISABLED'
        },
        'FlowLogs': {
            'Status': 'ENABLED'|'DISABLED'
        },
        'S3Logs': {
            'Status': 'ENABLED'|'DISABLED'
        },
        'Kubernetes': {
            'AuditLogs': {
                'Status': 'ENABLED'|'DISABLED'
            }
        },
        'MalwareProtection': {
            'ScanEc2InstanceWithFindings': {
                'EbsVolumes': {
                    'Status': 'ENABLED'|'DISABLED',
                    'Reason': 'string'
                }
            },
            'ServiceRole': 'string'
        }
    },
    'Tags': {
        'string': 'string'
    }
}

Response Structure

  • (dict) --
    • CreatedAt (string) --

      The timestamp of when the detector was created.

    • FindingPublishingFrequency (string) --

      The publishing frequency of the finding.

    • ServiceRole (string) --

      The GuardDuty service role.

    • Status (string) --

      The detector status.

    • UpdatedAt (string) --

      The last-updated timestamp for the detector.

    • DataSources (dict) --

      Describes which data sources are enabled for the detector.

      • CloudTrail (dict) --

        An object that contains information on the status of CloudTrail as a data source.

        • Status (string) --

          Describes whether CloudTrail is enabled as a data source for the detector.

      • DNSLogs (dict) --

        An object that contains information on the status of DNS logs as a data source.

        • Status (string) --

          Denotes whether DNS logs is enabled as a data source.

      • FlowLogs (dict) --

        An object that contains information on the status of VPC flow logs as a data source.

        • Status (string) --

          Denotes whether VPC flow logs is enabled as a data source.

      • S3Logs (dict) --

        An object that contains information on the status of S3 Data event logs as a data source.

        • Status (string) --

          A value that describes whether S3 data event logs are automatically enabled for new members of the organization.

      • Kubernetes (dict) --

        An object that contains information on the status of all Kubernetes data sources.

        • AuditLogs (dict) --

          Describes whether Kubernetes audit logs are enabled as a data source.

          • Status (string) --

            A value that describes whether Kubernetes audit logs are enabled as a data source.

      • MalwareProtection (dict) --

        Describes the configuration of Malware Protection data sources.

        • ScanEc2InstanceWithFindings (dict) --

          Describes the configuration of Malware Protection for EC2 instances with findings.

          • EbsVolumes (dict) --

            Describes the configuration of scanning EBS volumes as a data source.

            • Status (string) --

              Describes whether scanning EBS volumes is enabled as a data source.

            • Reason (string) --

              Specifies the reason why scanning EBS volumes (Malware Protection) was not enabled as a data source.

        • ServiceRole (string) --

          The GuardDuty Malware Protection service role.

    • Tags (dict) --

      The tags of the detector resource.

      • (string) --
        • (string) --

Exceptions

  • GuardDuty.Client.exceptions.BadRequestException
  • GuardDuty.Client.exceptions.InternalServerErrorException
get_filter(**kwargs)

Returns the details of the filter specified by the filter name.

See also: AWS API Documentation

Request Syntax

response = client.get_filter(
    DetectorId='string',
    FilterName='string'
)
Parameters
  • DetectorId (string) --

    [REQUIRED]

    The unique ID of the detector that the filter is associated with.

  • FilterName (string) --

    [REQUIRED]

    The name of the filter you want to get.

Return type

dict

Returns

Response Syntax

{
    'Name': 'string',
    'Description': 'string',
    'Action': 'NOOP'|'ARCHIVE',
    'Rank': 123,
    'FindingCriteria': {
        'Criterion': {
            'string': {
                'Eq': [
                    'string',
                ],
                'Neq': [
                    'string',
                ],
                'Gt': 123,
                'Gte': 123,
                'Lt': 123,
                'Lte': 123,
                'Equals': [
                    'string',
                ],
                'NotEquals': [
                    'string',
                ],
                'GreaterThan': 123,
                'GreaterThanOrEqual': 123,
                'LessThan': 123,
                'LessThanOrEqual': 123
            }
        }
    },
    'Tags': {
        'string': 'string'
    }
}

Response Structure

  • (dict) --

    • Name (string) --

      The name of the filter.

    • Description (string) --

      The description of the filter.

    • Action (string) --

      Specifies the action that is to be applied to the findings that match the filter.

    • Rank (integer) --

      Specifies the position of the filter in the list of current filters. Also specifies the order in which this filter is applied to the findings.

    • FindingCriteria (dict) --

      Represents the criteria to be used in the filter for querying findings.

      • Criterion (dict) --

        Represents a map of finding properties that match specified conditions and values when querying findings.

        • (string) --

          • (dict) --

            Contains information about the condition.

            • Eq (list) --

              Represents the equal condition to be applied to a single field when querying for findings.

              • (string) --
            • Neq (list) --

              Represents the not equal condition to be applied to a single field when querying for findings.

              • (string) --
            • Gt (integer) --

              Represents a greater than condition to be applied to a single field when querying for findings.

            • Gte (integer) --

              Represents a greater than or equal condition to be applied to a single field when querying for findings.

            • Lt (integer) --

              Represents a less than condition to be applied to a single field when querying for findings.

            • Lte (integer) --

              Represents a less than or equal condition to be applied to a single field when querying for findings.

            • Equals (list) --

              Represents an equal condition to be applied to a single field when querying for findings.

              • (string) --
            • NotEquals (list) --

              Represents a not equal condition to be applied to a single field when querying for findings.

              • (string) --
            • GreaterThan (integer) --

              Represents a greater than condition to be applied to a single field when querying for findings.

            • GreaterThanOrEqual (integer) --

              Represents a greater than or equal condition to be applied to a single field when querying for findings.

            • LessThan (integer) --

              Represents a less than condition to be applied to a single field when querying for findings.

            • LessThanOrEqual (integer) --

              Represents a less than or equal condition to be applied to a single field when querying for findings.

    • Tags (dict) --

      The tags of the filter resource.

      • (string) --
        • (string) --

Exceptions

  • GuardDuty.Client.exceptions.BadRequestException
  • GuardDuty.Client.exceptions.InternalServerErrorException
get_findings(**kwargs)

Describes Amazon GuardDuty findings specified by finding IDs.

See also: AWS API Documentation

Request Syntax

response = client.get_findings(
    DetectorId='string',
    FindingIds=[
        'string',
    ],
    SortCriteria={
        'AttributeName': 'string',
        'OrderBy': 'ASC'|'DESC'
    }
)
Parameters
  • DetectorId (string) --

    [REQUIRED]

    The ID of the detector that specifies the GuardDuty service whose findings you want to retrieve.

  • FindingIds (list) --

    [REQUIRED]

    The IDs of the findings that you want to retrieve.

    • (string) --
  • SortCriteria (dict) --

    Represents the criteria used for sorting findings.

    • AttributeName (string) --

      Represents the finding attribute, such as accountId , that sorts the findings.

    • OrderBy (string) --

      The order by which the sorted findings are to be displayed.

Return type

dict

Returns

Response Syntax

{
    'Findings': [
        {
            'AccountId': 'string',
            'Arn': 'string',
            'Confidence': 123.0,
            'CreatedAt': 'string',
            'Description': 'string',
            'Id': 'string',
            'Partition': 'string',
            'Region': 'string',
            'Resource': {
                'AccessKeyDetails': {
                    'AccessKeyId': 'string',
                    'PrincipalId': 'string',
                    'UserName': 'string',
                    'UserType': 'string'
                },
                'S3BucketDetails': [
                    {
                        'Arn': 'string',
                        'Name': 'string',
                        'Type': 'string',
                        'CreatedAt': datetime(2015, 1, 1),
                        'Owner': {
                            'Id': 'string'
                        },
                        'Tags': [
                            {
                                'Key': 'string',
                                'Value': 'string'
                            },
                        ],
                        'DefaultServerSideEncryption': {
                            'EncryptionType': 'string',
                            'KmsMasterKeyArn': 'string'
                        },
                        'PublicAccess': {
                            'PermissionConfiguration': {
                                'BucketLevelPermissions': {
                                    'AccessControlList': {
                                        'AllowsPublicReadAccess': True|False,
                                        'AllowsPublicWriteAccess': True|False
                                    },
                                    'BucketPolicy': {
                                        'AllowsPublicReadAccess': True|False,
                                        'AllowsPublicWriteAccess': True|False
                                    },
                                    'BlockPublicAccess': {
                                        'IgnorePublicAcls': True|False,
                                        'RestrictPublicBuckets': True|False,
                                        'BlockPublicAcls': True|False,
                                        'BlockPublicPolicy': True|False
                                    }
                                },
                                'AccountLevelPermissions': {
                                    'BlockPublicAccess': {
                                        'IgnorePublicAcls': True|False,
                                        'RestrictPublicBuckets': True|False,
                                        'BlockPublicAcls': True|False,
                                        'BlockPublicPolicy': True|False
                                    }
                                }
                            },
                            'EffectivePermission': 'string'
                        }
                    },
                ],
                'InstanceDetails': {
                    'AvailabilityZone': 'string',
                    'IamInstanceProfile': {
                        'Arn': 'string',
                        'Id': 'string'
                    },
                    'ImageDescription': 'string',
                    'ImageId': 'string',
                    'InstanceId': 'string',
                    'InstanceState': 'string',
                    'InstanceType': 'string',
                    'OutpostArn': 'string',
                    'LaunchTime': 'string',
                    'NetworkInterfaces': [
                        {
                            'Ipv6Addresses': [
                                'string',
                            ],
                            'NetworkInterfaceId': 'string',
                            'PrivateDnsName': 'string',
                            'PrivateIpAddress': 'string',
                            'PrivateIpAddresses': [
                                {
                                    'PrivateDnsName': 'string',
                                    'PrivateIpAddress': 'string'
                                },
                            ],
                            'PublicDnsName': 'string',
                            'PublicIp': 'string',
                            'SecurityGroups': [
                                {
                                    'GroupId': 'string',
                                    'GroupName': 'string'
                                },
                            ],
                            'SubnetId': 'string',
                            'VpcId': 'string'
                        },
                    ],
                    'Platform': 'string',
                    'ProductCodes': [
                        {
                            'Code': 'string',
                            'ProductType': 'string'
                        },
                    ],
                    'Tags': [
                        {
                            'Key': 'string',
                            'Value': 'string'
                        },
                    ]
                },
                'EksClusterDetails': {
                    'Name': 'string',
                    'Arn': 'string',
                    'VpcId': 'string',
                    'Status': 'string',
                    'Tags': [
                        {
                            'Key': 'string',
                            'Value': 'string'
                        },
                    ],
                    'CreatedAt': datetime(2015, 1, 1)
                },
                'KubernetesDetails': {
                    'KubernetesUserDetails': {
                        'Username': 'string',
                        'Uid': 'string',
                        'Groups': [
                            'string',
                        ]
                    },
                    'KubernetesWorkloadDetails': {
                        'Name': 'string',
                        'Type': 'string',
                        'Uid': 'string',
                        'Namespace': 'string',
                        'HostNetwork': True|False,
                        'Containers': [
                            {
                                'ContainerRuntime': 'string',
                                'Id': 'string',
                                'Name': 'string',
                                'Image': 'string',
                                'ImagePrefix': 'string',
                                'VolumeMounts': [
                                    {
                                        'Name': 'string',
                                        'MountPath': 'string'
                                    },
                                ],
                                'SecurityContext': {
                                    'Privileged': True|False
                                }
                            },
                        ],
                        'Volumes': [
                            {
                                'Name': 'string',
                                'HostPath': {
                                    'Path': 'string'
                                }
                            },
                        ]
                    }
                },
                'ResourceType': 'string',
                'EbsVolumeDetails': {
                    'ScannedVolumeDetails': [
                        {
                            'VolumeArn': 'string',
                            'VolumeType': 'string',
                            'DeviceName': 'string',
                            'VolumeSizeInGB': 123,
                            'EncryptionType': 'string',
                            'SnapshotArn': 'string',
                            'KmsKeyArn': 'string'
                        },
                    ],
                    'SkippedVolumeDetails': [
                        {
                            'VolumeArn': 'string',
                            'VolumeType': 'string',
                            'DeviceName': 'string',
                            'VolumeSizeInGB': 123,
                            'EncryptionType': 'string',
                            'SnapshotArn': 'string',
                            'KmsKeyArn': 'string'
                        },
                    ]
                },
                'EcsClusterDetails': {
                    'Name': 'string',
                    'Arn': 'string',
                    'Status': 'string',
                    'ActiveServicesCount': 123,
                    'RegisteredContainerInstancesCount': 123,
                    'RunningTasksCount': 123,
                    'Tags': [
                        {
                            'Key': 'string',
                            'Value': 'string'
                        },
                    ],
                    'TaskDetails': {
                        'Arn': 'string',
                        'DefinitionArn': 'string',
                        'Version': 'string',
                        'TaskCreatedAt': datetime(2015, 1, 1),
                        'StartedAt': datetime(2015, 1, 1),
                        'StartedBy': 'string',
                        'Tags': [
                            {
                                'Key': 'string',
                                'Value': 'string'
                            },
                        ],
                        'Volumes': [
                            {
                                'Name': 'string',
                                'HostPath': {
                                    'Path': 'string'
                                }
                            },
                        ],
                        'Containers': [
                            {
                                'ContainerRuntime': 'string',
                                'Id': 'string',
                                'Name': 'string',
                                'Image': 'string',
                                'ImagePrefix': 'string',
                                'VolumeMounts': [
                                    {
                                        'Name': 'string',
                                        'MountPath': 'string'
                                    },
                                ],
                                'SecurityContext': {
                                    'Privileged': True|False
                                }
                            },
                        ],
                        'Group': 'string'
                    }
                },
                'ContainerDetails': {
                    'ContainerRuntime': 'string',
                    'Id': 'string',
                    'Name': 'string',
                    'Image': 'string',
                    'ImagePrefix': 'string',
                    'VolumeMounts': [
                        {
                            'Name': 'string',
                            'MountPath': 'string'
                        },
                    ],
                    'SecurityContext': {
                        'Privileged': True|False
                    }
                }
            },
            'SchemaVersion': 'string',
            'Service': {
                'Action': {
                    'ActionType': 'string',
                    'AwsApiCallAction': {
                        'Api': 'string',
                        'CallerType': 'string',
                        'DomainDetails': {
                            'Domain': 'string'
                        },
                        'ErrorCode': 'string',
                        'UserAgent': 'string',
                        'RemoteIpDetails': {
                            'City': {
                                'CityName': 'string'
                            },
                            'Country': {
                                'CountryCode': 'string',
                                'CountryName': 'string'
                            },
                            'GeoLocation': {
                                'Lat': 123.0,
                                'Lon': 123.0
                            },
                            'IpAddressV4': 'string',
                            'Organization': {
                                'Asn': 'string',
                                'AsnOrg': 'string',
                                'Isp': 'string',
                                'Org': 'string'
                            }
                        },
                        'ServiceName': 'string',
                        'RemoteAccountDetails': {
                            'AccountId': 'string',
                            'Affiliated': True|False
                        },
                        'AffectedResources': {
                            'string': 'string'
                        }
                    },
                    'DnsRequestAction': {
                        'Domain': 'string',
                        'Protocol': 'string',
                        'Blocked': True|False
                    },
                    'NetworkConnectionAction': {
                        'Blocked': True|False,
                        'ConnectionDirection': 'string',
                        'LocalPortDetails': {
                            'Port': 123,
                            'PortName': 'string'
                        },
                        'Protocol': 'string',
                        'LocalIpDetails': {
                            'IpAddressV4': 'string'
                        },
                        'RemoteIpDetails': {
                            'City': {
                                'CityName': 'string'
                            },
                            'Country': {
                                'CountryCode': 'string',
                                'CountryName': 'string'
                            },
                            'GeoLocation': {
                                'Lat': 123.0,
                                'Lon': 123.0
                            },
                            'IpAddressV4': 'string',
                            'Organization': {
                                'Asn': 'string',
                                'AsnOrg': 'string',
                                'Isp': 'string',
                                'Org': 'string'
                            }
                        },
                        'RemotePortDetails': {
                            'Port': 123,
                            'PortName': 'string'
                        }
                    },
                    'PortProbeAction': {
                        'Blocked': True|False,
                        'PortProbeDetails': [
                            {
                                'LocalPortDetails': {
                                    'Port': 123,
                                    'PortName': 'string'
                                },
                                'LocalIpDetails': {
                                    'IpAddressV4': 'string'
                                },
                                'RemoteIpDetails': {
                                    'City': {
                                        'CityName': 'string'
                                    },
                                    'Country': {
                                        'CountryCode': 'string',
                                        'CountryName': 'string'
                                    },
                                    'GeoLocation': {
                                        'Lat': 123.0,
                                        'Lon': 123.0
                                    },
                                    'IpAddressV4': 'string',
                                    'Organization': {
                                        'Asn': 'string',
                                        'AsnOrg': 'string',
                                        'Isp': 'string',
                                        'Org': 'string'
                                    }
                                }
                            },
                        ]
                    },
                    'KubernetesApiCallAction': {
                        'RequestUri': 'string',
                        'Verb': 'string',
                        'SourceIps': [
                            'string',
                        ],
                        'UserAgent': 'string',
                        'RemoteIpDetails': {
                            'City': {
                                'CityName': 'string'
                            },
                            'Country': {
                                'CountryCode': 'string',
                                'CountryName': 'string'
                            },
                            'GeoLocation': {
                                'Lat': 123.0,
                                'Lon': 123.0
                            },
                            'IpAddressV4': 'string',
                            'Organization': {
                                'Asn': 'string',
                                'AsnOrg': 'string',
                                'Isp': 'string',
                                'Org': 'string'
                            }
                        },
                        'StatusCode': 123,
                        'Parameters': 'string'
                    }
                },
                'Evidence': {
                    'ThreatIntelligenceDetails': [
                        {
                            'ThreatListName': 'string',
                            'ThreatNames': [
                                'string',
                            ]
                        },
                    ]
                },
                'Archived': True|False,
                'Count': 123,
                'DetectorId': 'string',
                'EventFirstSeen': 'string',
                'EventLastSeen': 'string',
                'ResourceRole': 'string',
                'ServiceName': 'string',
                'UserFeedback': 'string',
                'AdditionalInfo': {
                    'Value': 'string',
                    'Type': 'string'
                },
                'FeatureName': 'string',
                'EbsVolumeScanDetails': {
                    'ScanId': 'string',
                    'ScanStartedAt': datetime(2015, 1, 1),
                    'ScanCompletedAt': datetime(2015, 1, 1),
                    'TriggerFindingId': 'string',
                    'Sources': [
                        'string',
                    ],
                    'ScanDetections': {
                        'ScannedItemCount': {
                            'TotalGb': 123,
                            'Files': 123,
                            'Volumes': 123
                        },
                        'ThreatsDetectedItemCount': {
                            'Files': 123
                        },
                        'HighestSeverityThreatDetails': {
                            'Severity': 'string',
                            'ThreatName': 'string',
                            'Count': 123
                        },
                        'ThreatDetectedByName': {
                            'ItemCount': 123,
                            'UniqueThreatNameCount': 123,
                            'Shortened': True|False,
                            'ThreatNames': [
                                {
                                    'Name': 'string',
                                    'Severity': 'string',
                                    'ItemCount': 123,
                                    'FilePaths': [
                                        {
                                            'FilePath': 'string',
                                            'VolumeArn': 'string',
                                            'Hash': 'string',
                                            'FileName': 'string'
                                        },
                                    ]
                                },
                            ]
                        }
                    }
                }
            },
            'Severity': 123.0,
            'Title': 'string',
            'Type': 'string',
            'UpdatedAt': 'string'
        },
    ]
}

Response Structure

  • (dict) --

    • Findings (list) --

      A list of findings.

      • (dict) --

        Contains information about the finding, which is generated when abnormal or suspicious activity is detected.

        • AccountId (string) --

          The ID of the account in which the finding was generated.

        • Arn (string) --

          The ARN of the finding.

        • Confidence (float) --

          The confidence score for the finding.

        • CreatedAt (string) --

          The time and date when the finding was created.

        • Description (string) --

          The description of the finding.

        • Id (string) --

          The ID of the finding.

        • Partition (string) --

          The partition associated with the finding.

        • Region (string) --

          The Region where the finding was generated.

        • Resource (dict) --

          Contains information about the Amazon Web Services resource associated with the activity that prompted GuardDuty to generate a finding.

          • AccessKeyDetails (dict) --

            The IAM access key details (user information) of a user that engaged in the activity that prompted GuardDuty to generate a finding.

            • AccessKeyId (string) --

              The access key ID of the user.

            • PrincipalId (string) --

              The principal ID of the user.

            • UserName (string) --

              The name of the user.

            • UserType (string) --

              The type of the user.

          • S3BucketDetails (list) --

            Contains information on the S3 bucket.

            • (dict) --

              Contains information on the S3 bucket.

              • Arn (string) --

                The Amazon Resource Name (ARN) of the S3 bucket.

              • Name (string) --

                The name of the S3 bucket.

              • Type (string) --

                Describes whether the bucket is a source or destination bucket.

              • CreatedAt (datetime) --

                The date and time the bucket was created at.

              • Owner (dict) --

                The owner of the S3 bucket.

              • Tags (list) --

                All tags attached to the S3 bucket

                • (dict) --

                  Contains information about a tag associated with the EC2 instance.

                  • Key (string) --

                    The EC2 instance tag key.

                  • Value (string) --

                    The EC2 instance tag value.

              • DefaultServerSideEncryption (dict) --

                Describes the server side encryption method used in the S3 bucket.

                • EncryptionType (string) --

                  The type of encryption used for objects within the S3 bucket.

                • KmsMasterKeyArn (string) --

                  The Amazon Resource Name (ARN) of the KMS encryption key. Only available if the bucket EncryptionType is aws:kms .

              • PublicAccess (dict) --

                Describes the public access policies that apply to the S3 bucket.

                • PermissionConfiguration (dict) --

                  Contains information about how permissions are configured for the S3 bucket.

                  • BucketLevelPermissions (dict) --

                    Contains information about the bucket level permissions for the S3 bucket.

                    • AccessControlList (dict) --

                      Contains information on how Access Control Policies are applied to the bucket.

                      • AllowsPublicReadAccess (boolean) --

                        A value that indicates whether public read access for the bucket is enabled through an Access Control List (ACL).

                      • AllowsPublicWriteAccess (boolean) --

                        A value that indicates whether public write access for the bucket is enabled through an Access Control List (ACL).

                    • BucketPolicy (dict) --

                      Contains information on the bucket policies for the S3 bucket.

                      • AllowsPublicReadAccess (boolean) --

                        A value that indicates whether public read access for the bucket is enabled through a bucket policy.

                      • AllowsPublicWriteAccess (boolean) --

                        A value that indicates whether public write access for the bucket is enabled through a bucket policy.

                    • BlockPublicAccess (dict) --

                      Contains information on which account level S3 Block Public Access settings are applied to the S3 bucket.

                      • IgnorePublicAcls (boolean) --

                        Indicates if S3 Block Public Access is set to IgnorePublicAcls .

                      • RestrictPublicBuckets (boolean) --

                        Indicates if S3 Block Public Access is set to RestrictPublicBuckets .

                      • BlockPublicAcls (boolean) --

                        Indicates if S3 Block Public Access is set to BlockPublicAcls .

                      • BlockPublicPolicy (boolean) --

                        Indicates if S3 Block Public Access is set to BlockPublicPolicy .

                  • AccountLevelPermissions (dict) --

                    Contains information about the account level permissions on the S3 bucket.

                    • BlockPublicAccess (dict) --

                      Describes the S3 Block Public Access settings of the bucket's parent account.

                      • IgnorePublicAcls (boolean) --

                        Indicates if S3 Block Public Access is set to IgnorePublicAcls .

                      • RestrictPublicBuckets (boolean) --

                        Indicates if S3 Block Public Access is set to RestrictPublicBuckets .

                      • BlockPublicAcls (boolean) --

                        Indicates if S3 Block Public Access is set to BlockPublicAcls .

                      • BlockPublicPolicy (boolean) --

                        Indicates if S3 Block Public Access is set to BlockPublicPolicy .

                • EffectivePermission (string) --

                  Describes the effective permission on this bucket after factoring all attached policies.

          • InstanceDetails (dict) --

            The information about the EC2 instance associated with the activity that prompted GuardDuty to generate a finding.

            • AvailabilityZone (string) --

              The Availability Zone of the EC2 instance.

            • IamInstanceProfile (dict) --

              The profile information of the EC2 instance.

              • Arn (string) --

                The profile ARN of the EC2 instance.

              • Id (string) --

                The profile ID of the EC2 instance.

            • ImageDescription (string) --

              The image description of the EC2 instance.

            • ImageId (string) --

              The image ID of the EC2 instance.

            • InstanceId (string) --

              The ID of the EC2 instance.

            • InstanceState (string) --

              The state of the EC2 instance.

            • InstanceType (string) --

              The type of the EC2 instance.

            • OutpostArn (string) --

              The Amazon Resource Name (ARN) of the Amazon Web Services Outpost. Only applicable to Amazon Web Services Outposts instances.

            • LaunchTime (string) --

              The launch time of the EC2 instance.

            • NetworkInterfaces (list) --

              The elastic network interface information of the EC2 instance.

              • (dict) --

                Contains information about the elastic network interface of the EC2 instance.

                • Ipv6Addresses (list) --

                  A list of IPv6 addresses for the EC2 instance.

                  • (string) --
                • NetworkInterfaceId (string) --

                  The ID of the network interface.

                • PrivateDnsName (string) --

                  The private DNS name of the EC2 instance.

                • PrivateIpAddress (string) --

                  The private IP address of the EC2 instance.

                • PrivateIpAddresses (list) --

                  Other private IP address information of the EC2 instance.

                  • (dict) --

                    Contains other private IP address information of the EC2 instance.

                    • PrivateDnsName (string) --

                      The private DNS name of the EC2 instance.

                    • PrivateIpAddress (string) --

                      The private IP address of the EC2 instance.

                • PublicDnsName (string) --

                  The public DNS name of the EC2 instance.

                • PublicIp (string) --

                  The public IP address of the EC2 instance.

                • SecurityGroups (list) --

                  The security groups associated with the EC2 instance.

                  • (dict) --

                    Contains information about the security groups associated with the EC2 instance.

                    • GroupId (string) --

                      The security group ID of the EC2 instance.

                    • GroupName (string) --

                      The security group name of the EC2 instance.

                • SubnetId (string) --

                  The subnet ID of the EC2 instance.

                • VpcId (string) --

                  The VPC ID of the EC2 instance.

            • Platform (string) --

              The platform of the EC2 instance.

            • ProductCodes (list) --

              The product code of the EC2 instance.

              • (dict) --

                Contains information about the product code for the EC2 instance.

                • Code (string) --

                  The product code information.

                • ProductType (string) --

                  The product code type.

            • Tags (list) --

              The tags of the EC2 instance.

              • (dict) --

                Contains information about a tag associated with the EC2 instance.

                • Key (string) --

                  The EC2 instance tag key.

                • Value (string) --

                  The EC2 instance tag value.

          • EksClusterDetails (dict) --

            Details about the EKS cluster involved in a Kubernetes finding.

            • Name (string) --

              EKS cluster name.

            • Arn (string) --

              EKS cluster ARN.

            • VpcId (string) --

              The VPC ID to which the EKS cluster is attached.

            • Status (string) --

              The EKS cluster status.

            • Tags (list) --

              The EKS cluster tags.

              • (dict) --

                Contains information about a tag associated with the EC2 instance.

                • Key (string) --

                  The EC2 instance tag key.

                • Value (string) --

                  The EC2 instance tag value.

            • CreatedAt (datetime) --

              The timestamp when the EKS cluster was created.

          • KubernetesDetails (dict) --

            Details about the Kubernetes user and workload involved in a Kubernetes finding.

            • KubernetesUserDetails (dict) --

              Details about the Kubernetes user involved in a Kubernetes finding.

              • Username (string) --

                The username of the user who called the Kubernetes API.

              • Uid (string) --

                The user ID of the user who called the Kubernetes API.

              • Groups (list) --

                The groups that include the user who called the Kubernetes API.

                • (string) --
            • KubernetesWorkloadDetails (dict) --

              Details about the Kubernetes workload involved in a Kubernetes finding.

              • Name (string) --

                Kubernetes workload name.

              • Type (string) --

                Kubernetes workload type (e.g. Pod, Deployment, etc.).

              • Uid (string) --

                Kubernetes workload ID.

              • Namespace (string) --

                Kubernetes namespace that the workload is part of.

              • HostNetwork (boolean) --

                Whether the hostNetwork flag is enabled for the pods included in the workload.

              • Containers (list) --

                Containers running as part of the Kubernetes workload.

                • (dict) --

                  Details of a container.

                  • ContainerRuntime (string) --

                    The container runtime (such as, Docker or containerd) used to run the container.

                  • Id (string) --

                    Container ID.

                  • Name (string) --

                    Container name.

                  • Image (string) --

                    Container image.

                  • ImagePrefix (string) --

                    Part of the image name before the last slash. For example, imagePrefix for public.ecr.aws/amazonlinux/amazonlinux:latest would be public.ecr.aws/amazonlinux. If the image name is relative and does not have a slash, this field is empty.

                  • VolumeMounts (list) --

                    Container volume mounts.

                    • (dict) --

                      Container volume mount.

                      • Name (string) --

                        Volume mount name.

                      • MountPath (string) --

                        Volume mount path.

                  • SecurityContext (dict) --

                    Container security context.

                    • Privileged (boolean) --

                      Whether the container is privileged.

              • Volumes (list) --

                Volumes used by the Kubernetes workload.

                • (dict) --

                  Volume used by the Kubernetes workload.

                  • Name (string) --

                    Volume name.

                  • HostPath (dict) --

                    Represents a pre-existing file or directory on the host machine that the volume maps to.

                    • Path (string) --

                      Path of the file or directory on the host that the volume maps to.

          • ResourceType (string) --

            The type of Amazon Web Services resource.

          • EbsVolumeDetails (dict) --

            Contains list of scanned and skipped EBS volumes with details.

            • ScannedVolumeDetails (list) --

              List of EBS volumes that were scanned.

              • (dict) --

                Contains EBS volume details.

                • VolumeArn (string) --

                  EBS volume Arn information.

                • VolumeType (string) --

                  The EBS volume type.

                • DeviceName (string) --

                  The device name for the EBS volume.

                • VolumeSizeInGB (integer) --

                  EBS volume size in GB.

                • EncryptionType (string) --

                  EBS volume encryption type.

                • SnapshotArn (string) --

                  Snapshot Arn of the EBS volume.

                • KmsKeyArn (string) --

                  KMS key Arn used to encrypt the EBS volume.

            • SkippedVolumeDetails (list) --

              List of EBS volumes that were skipped from the malware scan.

              • (dict) --

                Contains EBS volume details.

                • VolumeArn (string) --

                  EBS volume Arn information.

                • VolumeType (string) --

                  The EBS volume type.

                • DeviceName (string) --

                  The device name for the EBS volume.

                • VolumeSizeInGB (integer) --

                  EBS volume size in GB.

                • EncryptionType (string) --

                  EBS volume encryption type.

                • SnapshotArn (string) --

                  Snapshot Arn of the EBS volume.

                • KmsKeyArn (string) --

                  KMS key Arn used to encrypt the EBS volume.

          • EcsClusterDetails (dict) --

            Contains information about the details of the ECS Cluster.

            • Name (string) --

              The name of the ECS Cluster.

            • Arn (string) --

              The Amazon Resource Name (ARN) that identifies the cluster.

            • Status (string) --

              The status of the ECS cluster.

            • ActiveServicesCount (integer) --

              The number of services that are running on the cluster in an ACTIVE state.

            • RegisteredContainerInstancesCount (integer) --

              The number of container instances registered into the cluster.

            • RunningTasksCount (integer) --

              The number of tasks in the cluster that are in the RUNNING state.

            • Tags (list) --

              The tags of the ECS Cluster.

              • (dict) --

                Contains information about a tag associated with the EC2 instance.

                • Key (string) --

                  The EC2 instance tag key.

                • Value (string) --

                  The EC2 instance tag value.

            • TaskDetails (dict) --

              Contains information about the details of the ECS Task.

              • Arn (string) --

                The Amazon Resource Name (ARN) of the task.

              • DefinitionArn (string) --

                The ARN of the task definition that creates the task.

              • Version (string) --

                The version counter for the task.

              • TaskCreatedAt (datetime) --

                The Unix timestamp for the time when the task was created.

              • StartedAt (datetime) --

                The Unix timestamp for the time when the task started.

              • StartedBy (string) --

                Contains the tag specified when a task is started.

              • Tags (list) --

                The tags of the ECS Task.

                • (dict) --

                  Contains information about a tag associated with the EC2 instance.

                  • Key (string) --

                    The EC2 instance tag key.

                  • Value (string) --

                    The EC2 instance tag value.

              • Volumes (list) --

                The list of data volume definitions for the task.

                • (dict) --

                  Volume used by the Kubernetes workload.

                  • Name (string) --

                    Volume name.

                  • HostPath (dict) --

                    Represents a pre-existing file or directory on the host machine that the volume maps to.

                    • Path (string) --

                      Path of the file or directory on the host that the volume maps to.

              • Containers (list) --

                The containers that's associated with the task.

                • (dict) --

                  Details of a container.

                  • ContainerRuntime (string) --

                    The container runtime (such as, Docker or containerd) used to run the container.

                  • Id (string) --

                    Container ID.

                  • Name (string) --

                    Container name.

                  • Image (string) --

                    Container image.

                  • ImagePrefix (string) --

                    Part of the image name before the last slash. For example, imagePrefix for public.ecr.aws/amazonlinux/amazonlinux:latest would be public.ecr.aws/amazonlinux. If the image name is relative and does not have a slash, this field is empty.

                  • VolumeMounts (list) --

                    Container volume mounts.

                    • (dict) --

                      Container volume mount.

                      • Name (string) --

                        Volume mount name.

                      • MountPath (string) --

                        Volume mount path.

                  • SecurityContext (dict) --

                    Container security context.

                    • Privileged (boolean) --

                      Whether the container is privileged.

              • Group (string) --

                The name of the task group that's associated with the task.

          • ContainerDetails (dict) --

            Details of a container.

            • ContainerRuntime (string) --

              The container runtime (such as, Docker or containerd) used to run the container.

            • Id (string) --

              Container ID.

            • Name (string) --

              Container name.

            • Image (string) --

              Container image.

            • ImagePrefix (string) --

              Part of the image name before the last slash. For example, imagePrefix for public.ecr.aws/amazonlinux/amazonlinux:latest would be public.ecr.aws/amazonlinux. If the image name is relative and does not have a slash, this field is empty.

            • VolumeMounts (list) --

              Container volume mounts.

              • (dict) --

                Container volume mount.

                • Name (string) --

                  Volume mount name.

                • MountPath (string) --

                  Volume mount path.

            • SecurityContext (dict) --

              Container security context.

              • Privileged (boolean) --

                Whether the container is privileged.

        • SchemaVersion (string) --

          The version of the schema used for the finding.

        • Service (dict) --

          Contains additional information about the generated finding.

          • Action (dict) --

            Information about the activity that is described in a finding.

            • ActionType (string) --

              The GuardDuty finding activity type.

            • AwsApiCallAction (dict) --

              Information about the AWS_API_CALL action described in this finding.

              • Api (string) --

                The Amazon Web Services API name.

              • CallerType (string) --

                The Amazon Web Services API caller type.

              • DomainDetails (dict) --

                The domain information for the Amazon Web Services API call.

                • Domain (string) --

                  The domain information for the Amazon Web Services API call.

              • ErrorCode (string) --

                The error code of the failed Amazon Web Services API action.

              • UserAgent (string) --

                The agent through which the API request was made.

              • RemoteIpDetails (dict) --

                The remote IP information of the connection that initiated the Amazon Web Services API call.

                • City (dict) --

                  The city information of the remote IP address.

                  • CityName (string) --

                    The city name of the remote IP address.

                • Country (dict) --

                  The country code of the remote IP address.

                  • CountryCode (string) --

                    The country code of the remote IP address.

                  • CountryName (string) --

                    The country name of the remote IP address.

                • GeoLocation (dict) --

                  The location information of the remote IP address.

                  • Lat (float) --

                    The latitude information of the remote IP address.

                  • Lon (float) --

                    The longitude information of the remote IP address.

                • IpAddressV4 (string) --

                  The IPv4 remote address of the connection.

                • Organization (dict) --

                  The ISP organization information of the remote IP address.

                  • Asn (string) --

                    The Autonomous System Number (ASN) of the internet provider of the remote IP address.

                  • AsnOrg (string) --

                    The organization that registered this ASN.

                  • Isp (string) --

                    The ISP information for the internet provider.

                  • Org (string) --

                    The name of the internet provider.

              • ServiceName (string) --

                The Amazon Web Services service name whose API was invoked.

              • RemoteAccountDetails (dict) --

                The details of the Amazon Web Services account that made the API call. This field appears if the call was made from outside your account.

                • AccountId (string) --

                  The Amazon Web Services account ID of the remote API caller.

                • Affiliated (boolean) --

                  Details on whether the Amazon Web Services account of the remote API caller is related to your GuardDuty environment. If this value is True the API caller is affiliated to your account in some way. If it is False the API caller is from outside your environment.

              • AffectedResources (dict) --

                The details of the Amazon Web Services account that made the API call. This field identifies the resources that were affected by this API call.

                • (string) --
                  • (string) --
            • DnsRequestAction (dict) --

              Information about the DNS_REQUEST action described in this finding.

              • Domain (string) --

                The domain information for the API request.

              • Protocol (string) --

                The network connection protocol observed in the activity that prompted GuardDuty to generate the finding.

              • Blocked (boolean) --

                Indicates whether the targeted port is blocked.

            • NetworkConnectionAction (dict) --

              Information about the NETWORK_CONNECTION action described in this finding.

              • Blocked (boolean) --

                Indicates whether EC2 blocked the network connection to your instance.

              • ConnectionDirection (string) --

                The network connection direction.

              • LocalPortDetails (dict) --

                The local port information of the connection.

                • Port (integer) --

                  The port number of the local connection.

                • PortName (string) --

                  The port name of the local connection.

              • Protocol (string) --

                The network connection protocol.

              • LocalIpDetails (dict) --

                The local IP information of the connection.

                • IpAddressV4 (string) --

                  The IPv4 local address of the connection.

              • RemoteIpDetails (dict) --

                The remote IP information of the connection.

                • City (dict) --

                  The city information of the remote IP address.

                  • CityName (string) --

                    The city name of the remote IP address.

                • Country (dict) --

                  The country code of the remote IP address.

                  • CountryCode (string) --

                    The country code of the remote IP address.

                  • CountryName (string) --

                    The country name of the remote IP address.

                • GeoLocation (dict) --

                  The location information of the remote IP address.

                  • Lat (float) --

                    The latitude information of the remote IP address.

                  • Lon (float) --

                    The longitude information of the remote IP address.

                • IpAddressV4 (string) --

                  The IPv4 remote address of the connection.

                • Organization (dict) --

                  The ISP organization information of the remote IP address.

                  • Asn (string) --

                    The Autonomous System Number (ASN) of the internet provider of the remote IP address.

                  • AsnOrg (string) --

                    The organization that registered this ASN.

                  • Isp (string) --

                    The ISP information for the internet provider.

                  • Org (string) --

                    The name of the internet provider.

              • RemotePortDetails (dict) --

                The remote port information of the connection.

                • Port (integer) --

                  The port number of the remote connection.

                • PortName (string) --

                  The port name of the remote connection.

            • PortProbeAction (dict) --

              Information about the PORT_PROBE action described in this finding.

              • Blocked (boolean) --

                Indicates whether EC2 blocked the port probe to the instance, such as with an ACL.

              • PortProbeDetails (list) --

                A list of objects related to port probe details.

                • (dict) --

                  Contains information about the port probe details.

                  • LocalPortDetails (dict) --

                    The local port information of the connection.

                    • Port (integer) --

                      The port number of the local connection.

                    • PortName (string) --

                      The port name of the local connection.

                  • LocalIpDetails (dict) --

                    The local IP information of the connection.

                    • IpAddressV4 (string) --

                      The IPv4 local address of the connection.

                  • RemoteIpDetails (dict) --

                    The remote IP information of the connection.

                    • City (dict) --

                      The city information of the remote IP address.

                      • CityName (string) --

                        The city name of the remote IP address.

                    • Country (dict) --

                      The country code of the remote IP address.

                      • CountryCode (string) --

                        The country code of the remote IP address.

                      • CountryName (string) --

                        The country name of the remote IP address.

                    • GeoLocation (dict) --

                      The location information of the remote IP address.

                      • Lat (float) --

                        The latitude information of the remote IP address.

                      • Lon (float) --

                        The longitude information of the remote IP address.

                    • IpAddressV4 (string) --

                      The IPv4 remote address of the connection.

                    • Organization (dict) --

                      The ISP organization information of the remote IP address.

                      • Asn (string) --

                        The Autonomous System Number (ASN) of the internet provider of the remote IP address.

                      • AsnOrg (string) --

                        The organization that registered this ASN.

                      • Isp (string) --

                        The ISP information for the internet provider.

                      • Org (string) --

                        The name of the internet provider.

            • KubernetesApiCallAction (dict) --

              Information about the Kubernetes API call action described in this finding.

              • RequestUri (string) --

                The Kubernetes API request URI.

              • Verb (string) --

                The Kubernetes API request HTTP verb.

              • SourceIps (list) --

                The IP of the Kubernetes API caller and the IPs of any proxies or load balancers between the caller and the API endpoint.

                • (string) --
              • UserAgent (string) --

                The user agent of the caller of the Kubernetes API.

              • RemoteIpDetails (dict) --

                Contains information about the remote IP address of the connection.

                • City (dict) --

                  The city information of the remote IP address.

                  • CityName (string) --

                    The city name of the remote IP address.

                • Country (dict) --

                  The country code of the remote IP address.

                  • CountryCode (string) --

                    The country code of the remote IP address.

                  • CountryName (string) --

                    The country name of the remote IP address.

                • GeoLocation (dict) --

                  The location information of the remote IP address.

                  • Lat (float) --

                    The latitude information of the remote IP address.

                  • Lon (float) --

                    The longitude information of the remote IP address.

                • IpAddressV4 (string) --

                  The IPv4 remote address of the connection.

                • Organization (dict) --

                  The ISP organization information of the remote IP address.

                  • Asn (string) --

                    The Autonomous System Number (ASN) of the internet provider of the remote IP address.

                  • AsnOrg (string) --

                    The organization that registered this ASN.

                  • Isp (string) --

                    The ISP information for the internet provider.

                  • Org (string) --

                    The name of the internet provider.

              • StatusCode (integer) --

                The resulting HTTP response code of the Kubernetes API call action.

              • Parameters (string) --

                Parameters related to the Kubernetes API call action.

          • Evidence (dict) --

            An evidence object associated with the service.

            • ThreatIntelligenceDetails (list) --

              A list of threat intelligence details related to the evidence.

              • (dict) --

                An instance of a threat intelligence detail that constitutes evidence for the finding.

                • ThreatListName (string) --

                  The name of the threat intelligence list that triggered the finding.

                • ThreatNames (list) --

                  A list of names of the threats in the threat intelligence list that triggered the finding.

                  • (string) --
          • Archived (boolean) --

            Indicates whether this finding is archived.

          • Count (integer) --

            The total count of the occurrences of this finding type.

          • DetectorId (string) --

            The detector ID for the GuardDuty service.

          • EventFirstSeen (string) --

            The first-seen timestamp of the activity that prompted GuardDuty to generate this finding.

          • EventLastSeen (string) --

            The last-seen timestamp of the activity that prompted GuardDuty to generate this finding.

          • ResourceRole (string) --

            The resource role information for this finding.

          • ServiceName (string) --

            The name of the Amazon Web Services service (GuardDuty) that generated a finding.

          • UserFeedback (string) --

            Feedback that was submitted about the finding.

          • AdditionalInfo (dict) --

            Contains additional information about the generated finding.

            • Value (string) --

              This field specifies the value of the additional information.

            • Type (string) --

              Describes the type of the additional information.

          • FeatureName (string) --

            The name of the feature that generated a finding.

          • EbsVolumeScanDetails (dict) --

            Returns details from the malware scan that created a finding.

            • ScanId (string) --

              Unique Id of the malware scan that generated the finding.

            • ScanStartedAt (datetime) --

              Returns the start date and time of the malware scan.

            • ScanCompletedAt (datetime) --

              Returns the completion date and time of the malware scan.

            • TriggerFindingId (string) --

              GuardDuty finding ID that triggered a malware scan.

            • Sources (list) --

              Contains list of threat intelligence sources used to detect threats.

              • (string) --
            • ScanDetections (dict) --

              Contains a complete view providing malware scan result details.

              • ScannedItemCount (dict) --

                Total number of scanned files.

                • TotalGb (integer) --

                  Total GB of files scanned for malware.

                • Files (integer) --

                  Number of files scanned.

                • Volumes (integer) --

                  Total number of scanned volumes.

              • ThreatsDetectedItemCount (dict) --

                Total number of infected files.

                • Files (integer) --

                  Total number of infected files.

              • HighestSeverityThreatDetails (dict) --

                Details of the highest severity threat detected during malware scan and number of infected files.

                • Severity (string) --

                  Severity level of the highest severity threat detected.

                • ThreatName (string) --

                  Threat name of the highest severity threat detected as part of the malware scan.

                • Count (integer) --

                  Total number of infected files with the highest severity threat detected.

              • ThreatDetectedByName (dict) --

                Contains details about identified threats organized by threat name.

                • ItemCount (integer) --

                  Total number of infected files identified.

                • UniqueThreatNameCount (integer) --

                  Total number of unique threats by name identified, as part of the malware scan.

                • Shortened (boolean) --

                  Flag to determine if the finding contains every single infected file-path and/or every threat.

                • ThreatNames (list) --

                  List of identified threats with details, organized by threat name.

                  • (dict) --

                    Contains files infected with the given threat providing details of malware name and severity.

                    • Name (string) --

                      The name of the identified threat.

                    • Severity (string) --

                      Severity of threat identified as part of the malware scan.

                    • ItemCount (integer) --

                      Total number of files infected with given threat.

                    • FilePaths (list) --

                      List of infected files in EBS volume with details.

                      • (dict) --

                        Contains details of infected file including name, file path and hash.

                        • FilePath (string) --

                          The file path of the infected file.

                        • VolumeArn (string) --

                          EBS volume Arn details of the infected file.

                        • Hash (string) --

                          The hash value of the infected file.

                        • FileName (string) --

                          File name of the infected file.

        • Severity (float) --

          The severity of the finding.

        • Title (string) --

          The title of the finding.

        • Type (string) --

          The type of finding.

        • UpdatedAt (string) --

          The time and date when the finding was last updated.

Exceptions

  • GuardDuty.Client.exceptions.BadRequestException
  • GuardDuty.Client.exceptions.InternalServerErrorException
get_findings_statistics(**kwargs)

Lists Amazon GuardDuty findings statistics for the specified detector ID.

See also: AWS API Documentation

Request Syntax

response = client.get_findings_statistics(
    DetectorId='string',
    FindingStatisticTypes=[
        'COUNT_BY_SEVERITY',
    ],
    FindingCriteria={
        'Criterion': {
            'string': {
                'Eq': [
                    'string',
                ],
                'Neq': [
                    'string',
                ],
                'Gt': 123,
                'Gte': 123,
                'Lt': 123,
                'Lte': 123,
                'Equals': [
                    'string',
                ],
                'NotEquals': [
                    'string',
                ],
                'GreaterThan': 123,
                'GreaterThanOrEqual': 123,
                'LessThan': 123,
                'LessThanOrEqual': 123
            }
        }
    }
)
Parameters
  • DetectorId (string) --

    [REQUIRED]

    The ID of the detector that specifies the GuardDuty service whose findings' statistics you want to retrieve.

  • FindingStatisticTypes (list) --

    [REQUIRED]

    The types of finding statistics to retrieve.

    • (string) --
  • FindingCriteria (dict) --

    Represents the criteria that is used for querying findings.

    • Criterion (dict) --

      Represents a map of finding properties that match specified conditions and values when querying findings.

      • (string) --
        • (dict) --

          Contains information about the condition.

          • Eq (list) --

            Represents the equal condition to be applied to a single field when querying for findings.

            • (string) --
          • Neq (list) --

            Represents the not equal condition to be applied to a single field when querying for findings.

            • (string) --
          • Gt (integer) --

            Represents a greater than condition to be applied to a single field when querying for findings.

          • Gte (integer) --

            Represents a greater than or equal condition to be applied to a single field when querying for findings.

          • Lt (integer) --

            Represents a less than condition to be applied to a single field when querying for findings.

          • Lte (integer) --

            Represents a less than or equal condition to be applied to a single field when querying for findings.

          • Equals (list) --

            Represents an equal condition to be applied to a single field when querying for findings.

            • (string) --
          • NotEquals (list) --

            Represents a not equal condition to be applied to a single field when querying for findings.

            • (string) --
          • GreaterThan (integer) --

            Represents a greater than condition to be applied to a single field when querying for findings.

          • GreaterThanOrEqual (integer) --

            Represents a greater than or equal condition to be applied to a single field when querying for findings.

          • LessThan (integer) --

            Represents a less than condition to be applied to a single field when querying for findings.

          • LessThanOrEqual (integer) --

            Represents a less than or equal condition to be applied to a single field when querying for findings.

Return type

dict

Returns

Response Syntax

{
    'FindingStatistics': {
        'CountBySeverity': {
            'string': 123
        }
    }
}

Response Structure

  • (dict) --

    • FindingStatistics (dict) --

      The finding statistics object.

      • CountBySeverity (dict) --

        Represents a map of severity to count statistics for a set of findings.

        • (string) --
          • (integer) --

Exceptions

  • GuardDuty.Client.exceptions.BadRequestException
  • GuardDuty.Client.exceptions.InternalServerErrorException
get_invitations_count()

Returns the count of all GuardDuty membership invitations that were sent to the current member account except the currently accepted invitation.

See also: AWS API Documentation

Request Syntax

response = client.get_invitations_count()
Return type
dict
Returns
Response Syntax
{
    'InvitationsCount': 123
}

Response Structure

  • (dict) --
    • InvitationsCount (integer) --

      The number of received invitations.

Exceptions

  • GuardDuty.Client.exceptions.BadRequestException
  • GuardDuty.Client.exceptions.InternalServerErrorException
get_ip_set(**kwargs)

Retrieves the IPSet specified by the ipSetId .

See also: AWS API Documentation

Request Syntax

response = client.get_ip_set(
    DetectorId='string',
    IpSetId='string'
)
Parameters
  • DetectorId (string) --

    [REQUIRED]

    The unique ID of the detector that the IPSet is associated with.

  • IpSetId (string) --

    [REQUIRED]

    The unique ID of the IPSet to retrieve.

Return type

dict

Returns

Response Syntax

{
    'Name': 'string',
    'Format': 'TXT'|'STIX'|'OTX_CSV'|'ALIEN_VAULT'|'PROOF_POINT'|'FIRE_EYE',
    'Location': 'string',
    'Status': 'INACTIVE'|'ACTIVATING'|'ACTIVE'|'DEACTIVATING'|'ERROR'|'DELETE_PENDING'|'DELETED',
    'Tags': {
        'string': 'string'
    }
}

Response Structure

  • (dict) --

    • Name (string) --

      The user-friendly name for the IPSet.

    • Format (string) --

      The format of the file that contains the IPSet.

    • Location (string) --

      The URI of the file that contains the IPSet.

    • Status (string) --

      The status of IPSet file that was uploaded.

    • Tags (dict) --

      The tags of the IPSet resource.

      • (string) --
        • (string) --

Exceptions

  • GuardDuty.Client.exceptions.BadRequestException
  • GuardDuty.Client.exceptions.InternalServerErrorException
get_malware_scan_settings(**kwargs)

Returns the details of the malware scan settings.

There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints.

See also: AWS API Documentation

Request Syntax

response = client.get_malware_scan_settings(
    DetectorId='string'
)
Parameters
DetectorId (string) --

[REQUIRED]

The unique ID of the detector that the scan setting is associated with.

Return type
dict
Returns
Response Syntax
{
    'ScanResourceCriteria': {
        'Include': {
            'string': {
                'MapEquals': [
                    {
                        'Key': 'string',
                        'Value': 'string'
                    },
                ]
            }
        },
        'Exclude': {
            'string': {
                'MapEquals': [
                    {
                        'Key': 'string',
                        'Value': 'string'
                    },
                ]
            }
        }
    },
    'EbsSnapshotPreservation': 'NO_RETENTION'|'RETENTION_WITH_FINDING'
}

Response Structure

  • (dict) --
    • ScanResourceCriteria (dict) --

      Represents the criteria to be used in the filter for scanning resources.

      • Include (dict) --

        Represents condition that when matched will allow a malware scan for a certain resource.

        • (string) --

          An enum value representing possible resource properties to match with given scan condition.

          • (dict) --

            Contains information about the condition.

            • MapEquals (list) --

              Represents an mapEqual condition to be applied to a single field when triggering for malware scan.

              • (dict) --

                Represents key, value pair to be matched against given resource property.

                • Key (string) --

                  Represents key in the map condition.

                • Value (string) --

                  Represents optional value in the map condition. If not specified, only key will be matched.

      • Exclude (dict) --

        Represents condition that when matched will prevent a malware scan for a certain resource.

        • (string) --

          An enum value representing possible resource properties to match with given scan condition.

          • (dict) --

            Contains information about the condition.

            • MapEquals (list) --

              Represents an mapEqual condition to be applied to a single field when triggering for malware scan.

              • (dict) --

                Represents key, value pair to be matched against given resource property.

                • Key (string) --

                  Represents key in the map condition.

                • Value (string) --

                  Represents optional value in the map condition. If not specified, only key will be matched.

    • EbsSnapshotPreservation (string) --

      An enum value representing possible snapshot preservation settings.

Exceptions

  • GuardDuty.Client.exceptions.BadRequestException
  • GuardDuty.Client.exceptions.InternalServerErrorException
get_master_account(**kwargs)

Provides the details for the GuardDuty administrator account associated with the current GuardDuty member account.

Danger

This operation is deprecated and may not function as expected. This operation should not be used going forward and is only kept for the purpose of backwards compatiblity.

See also: AWS API Documentation

Request Syntax

response = client.get_master_account(
    DetectorId='string'
)
Parameters
DetectorId (string) --

[REQUIRED]

The unique ID of the detector of the GuardDuty member account.

Return type
dict
Returns
Response Syntax
{
    'Master': {
        'AccountId': 'string',
        'InvitationId': 'string',
        'RelationshipStatus': 'string',
        'InvitedAt': 'string'
    }
}

Response Structure

  • (dict) --
    • Master (dict) --

      The administrator account details.

      • AccountId (string) --

        The ID of the account used as the administrator account.

      • InvitationId (string) --

        The value used to validate the administrator account to the member account.

      • RelationshipStatus (string) --

        The status of the relationship between the administrator and member accounts.

      • InvitedAt (string) --

        The timestamp when the invitation was sent.

Exceptions

  • GuardDuty.Client.exceptions.BadRequestException
  • GuardDuty.Client.exceptions.InternalServerErrorException
get_member_detectors(**kwargs)

Describes which data sources are enabled for the member account's detector.

There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints.

See also: AWS API Documentation

Request Syntax

response = client.get_member_detectors(
    DetectorId='string',
    AccountIds=[
        'string',
    ]
)
Parameters
  • DetectorId (string) --

    [REQUIRED]

    The detector ID for the administrator account.

  • AccountIds (list) --

    [REQUIRED]

    The account ID of the member account.

    • (string) --
Return type

dict

Returns

Response Syntax

{
    'MemberDataSourceConfigurations': [
        {
            'AccountId': 'string',
            'DataSources': {
                'CloudTrail': {
                    'Status': 'ENABLED'|'DISABLED'
                },
                'DNSLogs': {
                    'Status': 'ENABLED'|'DISABLED'
                },
                'FlowLogs': {
                    'Status': 'ENABLED'|'DISABLED'
                },
                'S3Logs': {
                    'Status': 'ENABLED'|'DISABLED'
                },
                'Kubernetes': {
                    'AuditLogs': {
                        'Status': 'ENABLED'|'DISABLED'
                    }
                },
                'MalwareProtection': {
                    'ScanEc2InstanceWithFindings': {
                        'EbsVolumes': {
                            'Status': 'ENABLED'|'DISABLED',
                            'Reason': 'string'
                        }
                    },
                    'ServiceRole': 'string'
                }
            }
        },
    ],
    'UnprocessedAccounts': [
        {
            'AccountId': 'string',
            'Result': 'string'
        },
    ]
}

Response Structure

  • (dict) --

    • MemberDataSourceConfigurations (list) --

      An object that describes which data sources are enabled for a member account.

      • (dict) --

        Contains information on which data sources are enabled for a member account.

        • AccountId (string) --

          The account ID for the member account.

        • DataSources (dict) --

          Contains information on the status of data sources for the account.

          • CloudTrail (dict) --

            An object that contains information on the status of CloudTrail as a data source.

            • Status (string) --

              Describes whether CloudTrail is enabled as a data source for the detector.

          • DNSLogs (dict) --

            An object that contains information on the status of DNS logs as a data source.

            • Status (string) --

              Denotes whether DNS logs is enabled as a data source.

          • FlowLogs (dict) --

            An object that contains information on the status of VPC flow logs as a data source.

            • Status (string) --

              Denotes whether VPC flow logs is enabled as a data source.

          • S3Logs (dict) --

            An object that contains information on the status of S3 Data event logs as a data source.

            • Status (string) --

              A value that describes whether S3 data event logs are automatically enabled for new members of the organization.

          • Kubernetes (dict) --

            An object that contains information on the status of all Kubernetes data sources.

            • AuditLogs (dict) --

              Describes whether Kubernetes audit logs are enabled as a data source.

              • Status (string) --

                A value that describes whether Kubernetes audit logs are enabled as a data source.

          • MalwareProtection (dict) --

            Describes the configuration of Malware Protection data sources.

            • ScanEc2InstanceWithFindings (dict) --

              Describes the configuration of Malware Protection for EC2 instances with findings.

              • EbsVolumes (dict) --

                Describes the configuration of scanning EBS volumes as a data source.

                • Status (string) --

                  Describes whether scanning EBS volumes is enabled as a data source.

                • Reason (string) --

                  Specifies the reason why scanning EBS volumes (Malware Protection) was not enabled as a data source.

            • ServiceRole (string) --

              The GuardDuty Malware Protection service role.

    • UnprocessedAccounts (list) --

      A list of member account IDs that were unable to be processed along with an explanation for why they were not processed.

      • (dict) --

        Contains information about the accounts that weren't processed.

        • AccountId (string) --

          The Amazon Web Services account ID.

        • Result (string) --

          A reason why the account hasn't been processed.

Exceptions

  • GuardDuty.Client.exceptions.BadRequestException
  • GuardDuty.Client.exceptions.InternalServerErrorException
get_members(**kwargs)

Retrieves GuardDuty member accounts (of the current GuardDuty administrator account) specified by the account IDs.

See also: AWS API Documentation

Request Syntax

response = client.get_members(
    DetectorId='string',
    AccountIds=[
        'string',
    ]
)
Parameters
  • DetectorId (string) --

    [REQUIRED]

    The unique ID of the detector of the GuardDuty account whose members you want to retrieve.

  • AccountIds (list) --

    [REQUIRED]

    A list of account IDs of the GuardDuty member accounts that you want to describe.

    • (string) --
Return type

dict

Returns

Response Syntax

{
    'Members': [
        {
            'AccountId': 'string',
            'DetectorId': 'string',
            'MasterId': 'string',
            'Email': 'string',
            'RelationshipStatus': 'string',
            'InvitedAt': 'string',
            'UpdatedAt': 'string',
            'AdministratorId': 'string'
        },
    ],
    'UnprocessedAccounts': [
        {
            'AccountId': 'string',
            'Result': 'string'
        },
    ]
}

Response Structure

  • (dict) --

    • Members (list) --

      A list of members.

      • (dict) --

        Contains information about the member account.

        • AccountId (string) --

          The ID of the member account.

        • DetectorId (string) --

          The detector ID of the member account.

        • MasterId (string) --

          The administrator account ID.

        • Email (string) --

          The email address of the member account.

        • RelationshipStatus (string) --

          The status of the relationship between the member and the administrator.

        • InvitedAt (string) --

          The timestamp when the invitation was sent.

        • UpdatedAt (string) --

          The last-updated timestamp of the member.

        • AdministratorId (string) --

          The administrator account ID.

    • UnprocessedAccounts (list) --

      A list of objects that contain the unprocessed account and a result string that explains why it was unprocessed.

      • (dict) --

        Contains information about the accounts that weren't processed.

        • AccountId (string) --

          The Amazon Web Services account ID.

        • Result (string) --

          A reason why the account hasn't been processed.

Exceptions

  • GuardDuty.Client.exceptions.BadRequestException
  • GuardDuty.Client.exceptions.InternalServerErrorException
get_paginator(operation_name)

Create a paginator for an operation.

Parameters
operation_name (string) -- The operation name. This is the same name as the method name on the client. For example, if the method name is create_foo, and you'd normally invoke the operation as client.create_foo(**kwargs), if the create_foo operation can be paginated, you can use the call client.get_paginator("create_foo").
Raises OperationNotPageableError
Raised if the operation is not pageable. You can use the client.can_paginate method to check if an operation is pageable.
Return type
L{botocore.paginate.Paginator}
Returns
A paginator object.
get_remaining_free_trial_days(**kwargs)

Provides the number of days left for each data source used in the free trial period.

See also: AWS API Documentation

Request Syntax

response = client.get_remaining_free_trial_days(
    DetectorId='string',
    AccountIds=[
        'string',
    ]
)
Parameters
  • DetectorId (string) --

    [REQUIRED]

    The unique ID of the detector of the GuardDuty member account.

  • AccountIds (list) --

    A list of account identifiers of the GuardDuty member account.

    • (string) --
Return type

dict

Returns

Response Syntax

{
    'Accounts': [
        {
            'AccountId': 'string',
            'DataSources': {
                'CloudTrail': {
                    'FreeTrialDaysRemaining': 123
                },
                'DnsLogs': {
                    'FreeTrialDaysRemaining': 123
                },
                'FlowLogs': {
                    'FreeTrialDaysRemaining': 123
                },
                'S3Logs': {
                    'FreeTrialDaysRemaining': 123
                },
                'Kubernetes': {
                    'AuditLogs': {
                        'FreeTrialDaysRemaining': 123
                    }
                },
                'MalwareProtection': {
                    'ScanEc2InstanceWithFindings': {
                        'FreeTrialDaysRemaining': 123
                    }
                }
            }
        },
    ],
    'UnprocessedAccounts': [
        {
            'AccountId': 'string',
            'Result': 'string'
        },
    ]
}

Response Structure

  • (dict) --

    • Accounts (list) --

      The member accounts which were included in a request and were processed successfully.

      • (dict) --

        Provides details of the GuardDuty member account that uses a free trial service.

        • AccountId (string) --

          The account identifier of the GuardDuty member account.

        • DataSources (dict) --

          Describes the data source enabled for the GuardDuty member account.

          • CloudTrail (dict) --

            Describes whether any Amazon Web Services CloudTrail management event logs are enabled as data sources.

            • FreeTrialDaysRemaining (integer) --

              A value that specifies the number of days left to use each enabled data source.

          • DnsLogs (dict) --

            Describes whether any DNS logs are enabled as data sources.

            • FreeTrialDaysRemaining (integer) --

              A value that specifies the number of days left to use each enabled data source.

          • FlowLogs (dict) --

            Describes whether any VPC Flow logs are enabled as data sources.

            • FreeTrialDaysRemaining (integer) --

              A value that specifies the number of days left to use each enabled data source.

          • S3Logs (dict) --

            Describes whether any S3 data event logs are enabled as data sources.

            • FreeTrialDaysRemaining (integer) --

              A value that specifies the number of days left to use each enabled data source.

          • Kubernetes (dict) --

            Describes whether any Kubernetes logs are enabled as data sources.

            • AuditLogs (dict) --

              Describes whether Kubernetes audit logs are enabled as a data source.

              • FreeTrialDaysRemaining (integer) --

                A value that specifies the number of days left to use each enabled data source.

          • MalwareProtection (dict) --

            Describes whether Malware Protection is enabled as a data source.

            • ScanEc2InstanceWithFindings (dict) --

              Describes whether Malware Protection for EC2 instances with findings is enabled as a data source.

              • FreeTrialDaysRemaining (integer) --

                A value that specifies the number of days left to use each enabled data source.

    • UnprocessedAccounts (list) --

      The member account that was included in a request but for which the request could not be processed.

      • (dict) --

        Contains information about the accounts that weren't processed.

        • AccountId (string) --

          The Amazon Web Services account ID.

        • Result (string) --

          A reason why the account hasn't been processed.

Exceptions

  • GuardDuty.Client.exceptions.BadRequestException
  • GuardDuty.Client.exceptions.InternalServerErrorException
get_threat_intel_set(**kwargs)

Retrieves the ThreatIntelSet that is specified by the ThreatIntelSet ID.

See also: AWS API Documentation

Request Syntax

response = client.get_threat_intel_set(
    DetectorId='string',
    ThreatIntelSetId='string'
)
Parameters
  • DetectorId (string) --

    [REQUIRED]

    The unique ID of the detector that the threatIntelSet is associated with.

  • ThreatIntelSetId (string) --

    [REQUIRED]

    The unique ID of the threatIntelSet that you want to get.

Return type

dict

Returns

Response Syntax

{
    'Name': 'string',
    'Format': 'TXT'|'STIX'|'OTX_CSV'|'ALIEN_VAULT'|'PROOF_POINT'|'FIRE_EYE',
    'Location': 'string',
    'Status': 'INACTIVE'|'ACTIVATING'|'ACTIVE'|'DEACTIVATING'|'ERROR'|'DELETE_PENDING'|'DELETED',
    'Tags': {
        'string': 'string'
    }
}

Response Structure

  • (dict) --

    • Name (string) --

      A user-friendly ThreatIntelSet name displayed in all findings that are generated by activity that involves IP addresses included in this ThreatIntelSet.

    • Format (string) --

      The format of the threatIntelSet.

    • Location (string) --

      The URI of the file that contains the ThreatIntelSet.

    • Status (string) --

      The status of threatIntelSet file uploaded.

    • Tags (dict) --

      The tags of the threat list resource.

      • (string) --
        • (string) --

Exceptions

  • GuardDuty.Client.exceptions.BadRequestException
  • GuardDuty.Client.exceptions.InternalServerErrorException
get_usage_statistics(**kwargs)

Lists Amazon GuardDuty usage statistics over the last 30 days for the specified detector ID. For newly enabled detectors or data sources, the cost returned will include only the usage so far under 30 days. This may differ from the cost metrics in the console, which project usage over 30 days to provide a monthly cost estimate. For more information, see Understanding How Usage Costs are Calculated.

See also: AWS API Documentation

Request Syntax

response = client.get_usage_statistics(
    DetectorId='string',
    UsageStatisticType='SUM_BY_ACCOUNT'|'SUM_BY_DATA_SOURCE'|'SUM_BY_RESOURCE'|'TOP_RESOURCES',
    UsageCriteria={
        'AccountIds': [
            'string',
        ],
        'DataSources': [
            'FLOW_LOGS'|'CLOUD_TRAIL'|'DNS_LOGS'|'S3_LOGS'|'KUBERNETES_AUDIT_LOGS'|'EC2_MALWARE_SCAN',
        ],
        'Resources': [
            'string',
        ]
    },
    Unit='string',
    MaxResults=123,
    NextToken='string'
)
Parameters
  • DetectorId (string) --

    [REQUIRED]

    The ID of the detector that specifies the GuardDuty service whose usage statistics you want to retrieve.

  • UsageStatisticType (string) --

    [REQUIRED]

    The type of usage statistics to retrieve.

  • UsageCriteria (dict) --

    [REQUIRED]

    Represents the criteria used for querying usage.

    • AccountIds (list) --

      The account IDs to aggregate usage statistics from.

      • (string) --
    • DataSources (list) -- [REQUIRED]

      The data sources to aggregate usage statistics from.

      • (string) --
    • Resources (list) --

      The resources to aggregate usage statistics from. Only accepts exact resource names.

      • (string) --
  • Unit (string) -- The currency unit you would like to view your usage statistics in. Current valid values are USD.
  • MaxResults (integer) -- The maximum number of results to return in the response.
  • NextToken (string) -- A token to use for paginating results that are returned in the response. Set the value of this parameter to null for the first request to a list action. For subsequent calls, use the NextToken value returned from the previous request to continue listing results after the first page.
Return type

dict

Returns

Response Syntax

{
    'UsageStatistics': {
        'SumByAccount': [
            {
                'AccountId': 'string',
                'Total': {
                    'Amount': 'string',
                    'Unit': 'string'
                }
            },
        ],
        'SumByDataSource': [
            {
                'DataSource': 'FLOW_LOGS'|'CLOUD_TRAIL'|'DNS_LOGS'|'S3_LOGS'|'KUBERNETES_AUDIT_LOGS'|'EC2_MALWARE_SCAN',
                'Total': {
                    'Amount': 'string',
                    'Unit': 'string'
                }
            },
        ],
        'SumByResource': [
            {
                'Resource': 'string',
                'Total': {
                    'Amount': 'string',
                    'Unit': 'string'
                }
            },
        ],
        'TopResources': [
            {
                'Resource': 'string',
                'Total': {
                    'Amount': 'string',
                    'Unit': 'string'
                }
            },
        ]
    },
    'NextToken': 'string'
}

Response Structure

  • (dict) --

    • UsageStatistics (dict) --

      The usage statistics object. If a UsageStatisticType was provided, the objects representing other types will be null.

      • SumByAccount (list) --

        The usage statistic sum organized by account ID.

        • (dict) --

          Contains information on the total of usage based on account IDs.

          • AccountId (string) --

            The Account ID that generated usage.

          • Total (dict) --

            Represents the total of usage for the Account ID.

            • Amount (string) --

              The total usage.

            • Unit (string) --

              The currency unit that the amount is given in.

      • SumByDataSource (list) --

        The usage statistic sum organized by on data source.

        • (dict) --

          Contains information on the result of usage based on data source type.

          • DataSource (string) --

            The data source type that generated usage.

          • Total (dict) --

            Represents the total of usage for the specified data source.

            • Amount (string) --

              The total usage.

            • Unit (string) --

              The currency unit that the amount is given in.

      • SumByResource (list) --

        The usage statistic sum organized by resource.

        • (dict) --

          Contains information on the sum of usage based on an Amazon Web Services resource.

          • Resource (string) --

            The Amazon Web Services resource that generated usage.

          • Total (dict) --

            Represents the sum total of usage for the specified resource type.

            • Amount (string) --

              The total usage.

            • Unit (string) --

              The currency unit that the amount is given in.

      • TopResources (list) --

        Lists the top 50 resources that have generated the most GuardDuty usage, in order from most to least expensive.

        • (dict) --

          Contains information on the sum of usage based on an Amazon Web Services resource.

          • Resource (string) --

            The Amazon Web Services resource that generated usage.

          • Total (dict) --

            Represents the sum total of usage for the specified resource type.

            • Amount (string) --

              The total usage.

            • Unit (string) --

              The currency unit that the amount is given in.

    • NextToken (string) --

      The pagination parameter to be used on the next list operation to retrieve more items.

Exceptions

  • GuardDuty.Client.exceptions.BadRequestException
  • GuardDuty.Client.exceptions.InternalServerErrorException
get_waiter(waiter_name)

Returns an object that can wait for some condition.

Parameters
waiter_name (str) -- The name of the waiter to get. See the waiters section of the service docs for a list of available waiters.
Returns
The specified waiter object.
Return type
botocore.waiter.Waiter
invite_members(**kwargs)

Invites other Amazon Web Services accounts (created as members of the current Amazon Web Services account by CreateMembers) to enable GuardDuty, and allow the current Amazon Web Services account to view and manage these accounts' findings on their behalf as the GuardDuty administrator account.

See also: AWS API Documentation

Request Syntax

response = client.invite_members(
    DetectorId='string',
    AccountIds=[
        'string',
    ],
    DisableEmailNotification=True|False,
    Message='string'
)
Parameters
  • DetectorId (string) --

    [REQUIRED]

    The unique ID of the detector of the GuardDuty account that you want to invite members with.

  • AccountIds (list) --

    [REQUIRED]

    A list of account IDs of the accounts that you want to invite to GuardDuty as members.

    • (string) --
  • DisableEmailNotification (boolean) -- A Boolean value that specifies whether you want to disable email notification to the accounts that you are inviting to GuardDuty as members.
  • Message (string) -- The invitation message that you want to send to the accounts that you're inviting to GuardDuty as members.
Return type

dict

Returns

Response Syntax

{
    'UnprocessedAccounts': [
        {
            'AccountId': 'string',
            'Result': 'string'
        },
    ]
}

Response Structure

  • (dict) --

    • UnprocessedAccounts (list) --

      A list of objects that contain the unprocessed account and a result string that explains why it was unprocessed.

      • (dict) --

        Contains information about the accounts that weren't processed.

        • AccountId (string) --

          The Amazon Web Services account ID.

        • Result (string) --

          A reason why the account hasn't been processed.

Exceptions

  • GuardDuty.Client.exceptions.BadRequestException
  • GuardDuty.Client.exceptions.InternalServerErrorException
list_detectors(**kwargs)

Lists detectorIds of all the existing Amazon GuardDuty detector resources.

See also: AWS API Documentation

Request Syntax

response = client.list_detectors(
    MaxResults=123,
    NextToken='string'
)
Parameters
  • MaxResults (integer) -- You can use this parameter to indicate the maximum number of items that you want in the response. The default value is 50. The maximum value is 50.
  • NextToken (string) -- You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.
Return type

dict

Returns

Response Syntax

{
    'DetectorIds': [
        'string',
    ],
    'NextToken': 'string'
}

Response Structure

  • (dict) --

    • DetectorIds (list) --

      A list of detector IDs.

      • (string) --
    • NextToken (string) --

      The pagination parameter to be used on the next list operation to retrieve more items.

Exceptions

  • GuardDuty.Client.exceptions.BadRequestException
  • GuardDuty.Client.exceptions.InternalServerErrorException
list_filters(**kwargs)

Returns a paginated list of the current filters.

See also: AWS API Documentation

Request Syntax

response = client.list_filters(
    DetectorId='string',
    MaxResults=123,
    NextToken='string'
)
Parameters
  • DetectorId (string) --

    [REQUIRED]

    The unique ID of the detector that the filter is associated with.

  • MaxResults (integer) -- You can use this parameter to indicate the maximum number of items that you want in the response. The default value is 50. The maximum value is 50.
  • NextToken (string) -- You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.
Return type

dict

Returns

Response Syntax

{
    'FilterNames': [
        'string',
    ],
    'NextToken': 'string'
}

Response Structure

  • (dict) --

    • FilterNames (list) --

      A list of filter names.

      • (string) --
    • NextToken (string) --

      The pagination parameter to be used on the next list operation to retrieve more items.

Exceptions

  • GuardDuty.Client.exceptions.BadRequestException
  • GuardDuty.Client.exceptions.InternalServerErrorException
list_findings(**kwargs)

Lists Amazon GuardDuty findings for the specified detector ID.

See also: AWS API Documentation

Request Syntax

response = client.list_findings(
    DetectorId='string',
    FindingCriteria={
        'Criterion': {
            'string': {
                'Eq': [
                    'string',
                ],
                'Neq': [
                    'string',
                ],
                'Gt': 123,
                'Gte': 123,
                'Lt': 123,
                'Lte': 123,
                'Equals': [
                    'string',
                ],
                'NotEquals': [
                    'string',
                ],
                'GreaterThan': 123,
                'GreaterThanOrEqual': 123,
                'LessThan': 123,
                'LessThanOrEqual': 123
            }
        }
    },
    SortCriteria={
        'AttributeName': 'string',
        'OrderBy': 'ASC'|'DESC'
    },
    MaxResults=123,
    NextToken='string'
)
Parameters
  • DetectorId (string) --

    [REQUIRED]

    The ID of the detector that specifies the GuardDuty service whose findings you want to list.

  • FindingCriteria (dict) --

    Represents the criteria used for querying findings. Valid values include:

    • JSON field name
    • accountId
    • region
    • confidence
    • id
    • resource.accessKeyDetails.accessKeyId
    • resource.accessKeyDetails.principalId
    • resource.accessKeyDetails.userName
    • resource.accessKeyDetails.userType
    • resource.instanceDetails.iamInstanceProfile.id
    • resource.instanceDetails.imageId
    • resource.instanceDetails.instanceId
    • resource.instanceDetails.networkInterfaces.ipv6Addresses
    • resource.instanceDetails.networkInterfaces.privateIpAddresses.privateIpAddress
    • resource.instanceDetails.networkInterfaces.publicDnsName
    • resource.instanceDetails.networkInterfaces.publicIp
    • resource.instanceDetails.networkInterfaces.securityGroups.groupId
    • resource.instanceDetails.networkInterfaces.securityGroups.groupName
    • resource.instanceDetails.networkInterfaces.subnetId
    • resource.instanceDetails.networkInterfaces.vpcId
    • resource.instanceDetails.tags.key
    • resource.instanceDetails.tags.value
    • resource.resourceType
    • service.action.actionType
    • service.action.awsApiCallAction.api
    • service.action.awsApiCallAction.callerType
    • service.action.awsApiCallAction.remoteIpDetails.city.cityName
    • service.action.awsApiCallAction.remoteIpDetails.country.countryName
    • service.action.awsApiCallAction.remoteIpDetails.ipAddressV4
    • service.action.awsApiCallAction.remoteIpDetails.organization.asn
    • service.action.awsApiCallAction.remoteIpDetails.organization.asnOrg
    • service.action.awsApiCallAction.serviceName
    • service.action.dnsRequestAction.domain
    • service.action.networkConnectionAction.blocked
    • service.action.networkConnectionAction.connectionDirection
    • service.action.networkConnectionAction.localPortDetails.port
    • service.action.networkConnectionAction.protocol
    • service.action.networkConnectionAction.remoteIpDetails.country.countryName
    • service.action.networkConnectionAction.remoteIpDetails.ipAddressV4
    • service.action.networkConnectionAction.remoteIpDetails.organization.asn
    • service.action.networkConnectionAction.remoteIpDetails.organization.asnOrg
    • service.action.networkConnectionAction.remotePortDetails.port
    • service.additionalInfo.threatListName
    • service.archived When this attribute is set to 'true', only archived findings are listed. When it's set to 'false', only unarchived findings are listed. When this attribute is not set, all existing findings are listed.
    • service.resourceRole
    • severity
    • type
    • updatedAt Type: Timestamp in Unix Epoch millisecond format: 1486685375000
    • Criterion (dict) --

      Represents a map of finding properties that match specified conditions and values when querying findings.

      • (string) --
        • (dict) --

          Contains information about the condition.

          • Eq (list) --

            Represents the equal condition to be applied to a single field when querying for findings.

            • (string) --
          • Neq (list) --

            Represents the not equal condition to be applied to a single field when querying for findings.

            • (string) --
          • Gt (integer) --

            Represents a greater than condition to be applied to a single field when querying for findings.

          • Gte (integer) --

            Represents a greater than or equal condition to be applied to a single field when querying for findings.

          • Lt (integer) --

            Represents a less than condition to be applied to a single field when querying for findings.

          • Lte (integer) --

            Represents a less than or equal condition to be applied to a single field when querying for findings.

          • Equals (list) --

            Represents an equal condition to be applied to a single field when querying for findings.

            • (string) --
          • NotEquals (list) --

            Represents a not equal condition to be applied to a single field when querying for findings.

            • (string) --
          • GreaterThan (integer) --

            Represents a greater than condition to be applied to a single field when querying for findings.

          • GreaterThanOrEqual (integer) --

            Represents a greater than or equal condition to be applied to a single field when querying for findings.

          • LessThan (integer) --

            Represents a less than condition to be applied to a single field when querying for findings.

          • LessThanOrEqual (integer) --

            Represents a less than or equal condition to be applied to a single field when querying for findings.

  • SortCriteria (dict) --

    Represents the criteria used for sorting findings.

    • AttributeName (string) --

      Represents the finding attribute, such as accountId , that sorts the findings.

    • OrderBy (string) --

      The order by which the sorted findings are to be displayed.

  • MaxResults (integer) -- You can use this parameter to indicate the maximum number of items you want in the response. The default value is 50. The maximum value is 50.
  • NextToken (string) -- You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.
Return type

dict

Returns

Response Syntax

{
    'FindingIds': [
        'string',
    ],
    'NextToken': 'string'
}

Response Structure

  • (dict) --

    • FindingIds (list) --

      The IDs of the findings that you're listing.

      • (string) --
    • NextToken (string) --

      The pagination parameter to be used on the next list operation to retrieve more items.

Exceptions

  • GuardDuty.Client.exceptions.BadRequestException
  • GuardDuty.Client.exceptions.InternalServerErrorException
list_invitations(**kwargs)

Lists all GuardDuty membership invitations that were sent to the current Amazon Web Services account.

See also: AWS API Documentation

Request Syntax

response = client.list_invitations(
    MaxResults=123,
    NextToken='string'
)
Parameters
  • MaxResults (integer) -- You can use this parameter to indicate the maximum number of items that you want in the response. The default value is 50. The maximum value is 50.
  • NextToken (string) -- You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.
Return type

dict

Returns

Response Syntax

{
    'Invitations': [
        {
            'AccountId': 'string',
            'InvitationId': 'string',
            'RelationshipStatus': 'string',
            'InvitedAt': 'string'
        },
    ],
    'NextToken': 'string'
}

Response Structure

  • (dict) --

    • Invitations (list) --

      A list of invitation descriptions.

      • (dict) --

        Contains information about the invitation to become a member account.

        • AccountId (string) --

          The ID of the account that the invitation was sent from.

        • InvitationId (string) --

          The ID of the invitation. This value is used to validate the inviter account to the member account.

        • RelationshipStatus (string) --

          The status of the relationship between the inviter and invitee accounts.

        • InvitedAt (string) --

          The timestamp when the invitation was sent.

    • NextToken (string) --

      The pagination parameter to be used on the next list operation to retrieve more items.

Exceptions

  • GuardDuty.Client.exceptions.BadRequestException
  • GuardDuty.Client.exceptions.InternalServerErrorException
list_ip_sets(**kwargs)

Lists the IPSets of the GuardDuty service specified by the detector ID. If you use this operation from a member account, the IPSets returned are the IPSets from the associated administrator account.

See also: AWS API Documentation

Request Syntax

response = client.list_ip_sets(
    DetectorId='string',
    MaxResults=123,
    NextToken='string'
)
Parameters
  • DetectorId (string) --

    [REQUIRED]

    The unique ID of the detector that the IPSet is associated with.

  • MaxResults (integer) -- You can use this parameter to indicate the maximum number of items you want in the response. The default value is 50. The maximum value is 50.
  • NextToken (string) -- You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.
Return type

dict

Returns

Response Syntax

{
    'IpSetIds': [
        'string',
    ],
    'NextToken': 'string'
}

Response Structure

  • (dict) --

    • IpSetIds (list) --

      The IDs of the IPSet resources.

      • (string) --
    • NextToken (string) --

      The pagination parameter to be used on the next list operation to retrieve more items.

Exceptions

  • GuardDuty.Client.exceptions.BadRequestException
  • GuardDuty.Client.exceptions.InternalServerErrorException
list_members(**kwargs)

Lists details about all member accounts for the current GuardDuty administrator account.

See also: AWS API Documentation

Request Syntax

response = client.list_members(
    DetectorId='string',
    MaxResults=123,
    NextToken='string',
    OnlyAssociated='string'
)
Parameters
  • DetectorId (string) --

    [REQUIRED]

    The unique ID of the detector the member is associated with.

  • MaxResults (integer) -- You can use this parameter to indicate the maximum number of items you want in the response. The default value is 50. The maximum value is 50.
  • NextToken (string) -- You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.
  • OnlyAssociated (string) -- Specifies whether to only return associated members or to return all members (including members who haven't been invited yet or have been disassociated). Member accounts must have been previously associated with the GuardDuty administrator account using Create Members.
Return type

dict

Returns

Response Syntax

{
    'Members': [
        {
            'AccountId': 'string',
            'DetectorId': 'string',
            'MasterId': 'string',
            'Email': 'string',
            'RelationshipStatus': 'string',
            'InvitedAt': 'string',
            'UpdatedAt': 'string',
            'AdministratorId': 'string'
        },
    ],
    'NextToken': 'string'
}

Response Structure

  • (dict) --

    • Members (list) --

      A list of members.

      • (dict) --

        Contains information about the member account.

        • AccountId (string) --

          The ID of the member account.

        • DetectorId (string) --

          The detector ID of the member account.

        • MasterId (string) --

          The administrator account ID.

        • Email (string) --

          The email address of the member account.

        • RelationshipStatus (string) --

          The status of the relationship between the member and the administrator.

        • InvitedAt (string) --

          The timestamp when the invitation was sent.

        • UpdatedAt (string) --

          The last-updated timestamp of the member.

        • AdministratorId (string) --

          The administrator account ID.

    • NextToken (string) --

      The pagination parameter to be used on the next list operation to retrieve more items.

Exceptions

  • GuardDuty.Client.exceptions.BadRequestException
  • GuardDuty.Client.exceptions.InternalServerErrorException
list_organization_admin_accounts(**kwargs)

Lists the accounts configured as GuardDuty delegated administrators.

See also: AWS API Documentation

Request Syntax

response = client.list_organization_admin_accounts(
    MaxResults=123,
    NextToken='string'
)
Parameters
  • MaxResults (integer) -- The maximum number of results to return in the response.
  • NextToken (string) -- A token to use for paginating results that are returned in the response. Set the value of this parameter to null for the first request to a list action. For subsequent calls, use the NextToken value returned from the previous request to continue listing results after the first page.
Return type

dict

Returns

Response Syntax

{
    'AdminAccounts': [
        {
            'AdminAccountId': 'string',
            'AdminStatus': 'ENABLED'|'DISABLE_IN_PROGRESS'
        },
    ],
    'NextToken': 'string'
}

Response Structure

  • (dict) --

    • AdminAccounts (list) --

      A list of accounts configured as GuardDuty delegated administrators.

      • (dict) --

        The account within the organization specified as the GuardDuty delegated administrator.

        • AdminAccountId (string) --

          The Amazon Web Services account ID for the account.

        • AdminStatus (string) --

          Indicates whether the account is enabled as the delegated administrator.

    • NextToken (string) --

      The pagination parameter to be used on the next list operation to retrieve more items.

Exceptions

  • GuardDuty.Client.exceptions.BadRequestException
  • GuardDuty.Client.exceptions.InternalServerErrorException
list_publishing_destinations(**kwargs)

Returns a list of publishing destinations associated with the specified detectorId .

See also: AWS API Documentation

Request Syntax

response = client.list_publishing_destinations(
    DetectorId='string',
    MaxResults=123,
    NextToken='string'
)
Parameters
  • DetectorId (string) --

    [REQUIRED]

    The ID of the detector to retrieve publishing destinations for.

  • MaxResults (integer) -- The maximum number of results to return in the response.
  • NextToken (string) -- A token to use for paginating results that are returned in the response. Set the value of this parameter to null for the first request to a list action. For subsequent calls, use the NextToken value returned from the previous request to continue listing results after the first page.
Return type

dict

Returns

Response Syntax

{
    'Destinations': [
        {
            'DestinationId': 'string',
            'DestinationType': 'S3',
            'Status': 'PENDING_VERIFICATION'|'PUBLISHING'|'UNABLE_TO_PUBLISH_FIX_DESTINATION_PROPERTY'|'STOPPED'
        },
    ],
    'NextToken': 'string'
}

Response Structure

  • (dict) --

    • Destinations (list) --

      A Destinations object that includes information about each publishing destination returned.

      • (dict) --

        Contains information about the publishing destination, including the ID, type, and status.

        • DestinationId (string) --

          The unique ID of the publishing destination.

        • DestinationType (string) --

          The type of resource used for the publishing destination. Currently, only Amazon S3 buckets are supported.

        • Status (string) --

          The status of the publishing destination.

    • NextToken (string) --

      A token to use for paginating results that are returned in the response. Set the value of this parameter to null for the first request to a list action. For subsequent calls, use the NextToken value returned from the previous request to continue listing results after the first page.

Exceptions

  • GuardDuty.Client.exceptions.BadRequestException
  • GuardDuty.Client.exceptions.InternalServerErrorException
list_tags_for_resource(**kwargs)

Lists tags for a resource. Tagging is currently supported for detectors, finding filters, IP sets, and threat intel sets, with a limit of 50 tags per resource. When invoked, this operation returns all assigned tags for a given resource.

See also: AWS API Documentation

Request Syntax

response = client.list_tags_for_resource(
    ResourceArn='string'
)
Parameters
ResourceArn (string) --

[REQUIRED]

The Amazon Resource Name (ARN) for the given GuardDuty resource.

Return type
dict
Returns
Response Syntax
{
    'Tags': {
        'string': 'string'
    }
}

Response Structure

  • (dict) --
    • Tags (dict) --

      The tags associated with the resource.

      • (string) --
        • (string) --

Exceptions

  • GuardDuty.Client.exceptions.BadRequestException
  • GuardDuty.Client.exceptions.InternalServerErrorException
list_threat_intel_sets(**kwargs)

Lists the ThreatIntelSets of the GuardDuty service specified by the detector ID. If you use this operation from a member account, the ThreatIntelSets associated with the administrator account are returned.

See also: AWS API Documentation

Request Syntax

response = client.list_threat_intel_sets(
    DetectorId='string',
    MaxResults=123,
    NextToken='string'
)
Parameters
  • DetectorId (string) --

    [REQUIRED]

    The unique ID of the detector that the threatIntelSet is associated with.

  • MaxResults (integer) -- You can use this parameter to indicate the maximum number of items that you want in the response. The default value is 50. The maximum value is 50.
  • NextToken (string) -- You can use this parameter to paginate results in the response. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.
Return type

dict

Returns

Response Syntax

{
    'ThreatIntelSetIds': [
        'string',
    ],
    'NextToken': 'string'
}

Response Structure

  • (dict) --

    • ThreatIntelSetIds (list) --

      The IDs of the ThreatIntelSet resources.

      • (string) --
    • NextToken (string) --

      The pagination parameter to be used on the next list operation to retrieve more items.

Exceptions

  • GuardDuty.Client.exceptions.BadRequestException
  • GuardDuty.Client.exceptions.InternalServerErrorException
start_monitoring_members(**kwargs)

Turns on GuardDuty monitoring of the specified member accounts. Use this operation to restart monitoring of accounts that you stopped monitoring with the StopMonitoringMembers operation.

See also: AWS API Documentation

Request Syntax

response = client.start_monitoring_members(
    DetectorId='string',
    AccountIds=[
        'string',
    ]
)
Parameters
  • DetectorId (string) --

    [REQUIRED]

    The unique ID of the detector of the GuardDuty administrator account associated with the member accounts to monitor.

  • AccountIds (list) --

    [REQUIRED]

    A list of account IDs of the GuardDuty member accounts to start monitoring.

    • (string) --
Return type

dict

Returns

Response Syntax

{
    'UnprocessedAccounts': [
        {
            'AccountId': 'string',
            'Result': 'string'
        },
    ]
}

Response Structure

  • (dict) --

    • UnprocessedAccounts (list) --

      A list of objects that contain the unprocessed account and a result string that explains why it was unprocessed.

      • (dict) --

        Contains information about the accounts that weren't processed.

        • AccountId (string) --

          The Amazon Web Services account ID.

        • Result (string) --

          A reason why the account hasn't been processed.

Exceptions

  • GuardDuty.Client.exceptions.BadRequestException
  • GuardDuty.Client.exceptions.InternalServerErrorException
stop_monitoring_members(**kwargs)

Stops GuardDuty monitoring for the specified member accounts. Use the StartMonitoringMembers operation to restart monitoring for those accounts.

See also: AWS API Documentation

Request Syntax

response = client.stop_monitoring_members(
    DetectorId='string',
    AccountIds=[
        'string',
    ]
)
Parameters
  • DetectorId (string) --

    [REQUIRED]

    The unique ID of the detector associated with the GuardDuty administrator account that is monitoring member accounts.

  • AccountIds (list) --

    [REQUIRED]

    A list of account IDs for the member accounts to stop monitoring.

    • (string) --
Return type

dict

Returns

Response Syntax

{
    'UnprocessedAccounts': [
        {
            'AccountId': 'string',
            'Result': 'string'
        },
    ]
}

Response Structure

  • (dict) --

    • UnprocessedAccounts (list) --

      A list of objects that contain an accountId for each account that could not be processed, and a result string that indicates why the account was not processed.

      • (dict) --

        Contains information about the accounts that weren't processed.

        • AccountId (string) --

          The Amazon Web Services account ID.

        • Result (string) --

          A reason why the account hasn't been processed.

Exceptions

  • GuardDuty.Client.exceptions.BadRequestException
  • GuardDuty.Client.exceptions.InternalServerErrorException
tag_resource(**kwargs)

Adds tags to a resource.

See also: AWS API Documentation

Request Syntax

response = client.tag_resource(
    ResourceArn='string',
    Tags={
        'string': 'string'
    }
)
Parameters
  • ResourceArn (string) --

    [REQUIRED]

    The Amazon Resource Name (ARN) for the GuardDuty resource to apply a tag to.

  • Tags (dict) --

    [REQUIRED]

    The tags to be added to a resource.

    • (string) --
      • (string) --
Return type

dict

Returns

Response Syntax

{}

Response Structure

  • (dict) --

Exceptions

  • GuardDuty.Client.exceptions.BadRequestException
  • GuardDuty.Client.exceptions.InternalServerErrorException
unarchive_findings(**kwargs)

Unarchives GuardDuty findings specified by the findingIds .

See also: AWS API Documentation

Request Syntax

response = client.unarchive_findings(
    DetectorId='string',
    FindingIds=[
        'string',
    ]
)
Parameters
  • DetectorId (string) --

    [REQUIRED]

    The ID of the detector associated with the findings to unarchive.

  • FindingIds (list) --

    [REQUIRED]

    The IDs of the findings to unarchive.

    • (string) --
Return type

dict

Returns

Response Syntax

{}

Response Structure

  • (dict) --

Exceptions

  • GuardDuty.Client.exceptions.BadRequestException
  • GuardDuty.Client.exceptions.InternalServerErrorException
untag_resource(**kwargs)

Removes tags from a resource.

See also: AWS API Documentation

Request Syntax

response = client.untag_resource(
    ResourceArn='string',
    TagKeys=[
        'string',
    ]
)
Parameters
  • ResourceArn (string) --

    [REQUIRED]

    The Amazon Resource Name (ARN) for the resource to remove tags from.

  • TagKeys (list) --

    [REQUIRED]

    The tag keys to remove from the resource.

    • (string) --
Return type

dict

Returns

Response Syntax

{}

Response Structure

  • (dict) --

Exceptions

  • GuardDuty.Client.exceptions.BadRequestException
  • GuardDuty.Client.exceptions.InternalServerErrorException
update_detector(**kwargs)

Updates the Amazon GuardDuty detector specified by the detectorId.

There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints.

See also: AWS API Documentation

Request Syntax

response = client.update_detector(
    DetectorId='string',
    Enable=True|False,
    FindingPublishingFrequency='FIFTEEN_MINUTES'|'ONE_HOUR'|'SIX_HOURS',
    DataSources={
        'S3Logs': {
            'Enable': True|False
        },
        'Kubernetes': {
            'AuditLogs': {
                'Enable': True|False
            }
        },
        'MalwareProtection': {
            'ScanEc2InstanceWithFindings': {
                'EbsVolumes': True|False
            }
        }
    }
)
Parameters
  • DetectorId (string) --

    [REQUIRED]

    The unique ID of the detector to update.

  • Enable (boolean) -- Specifies whether the detector is enabled or not enabled.
  • FindingPublishingFrequency (string) -- An enum value that specifies how frequently findings are exported, such as to CloudWatch Events.
  • DataSources (dict) --

    Describes which data sources will be updated.

    There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints.

    • S3Logs (dict) --

      Describes whether S3 data event logs are enabled as a data source.

      • Enable (boolean) -- [REQUIRED]

        The status of S3 data event logs as a data source.

    • Kubernetes (dict) --

      Describes whether any Kubernetes logs are enabled as data sources.

      • AuditLogs (dict) -- [REQUIRED]

        The status of Kubernetes audit logs as a data source.

        • Enable (boolean) -- [REQUIRED]

          The status of Kubernetes audit logs as a data source.

    • MalwareProtection (dict) --

      Describes whether Malware Protection is enabled as a data source.

      • ScanEc2InstanceWithFindings (dict) --

        Describes the configuration of Malware Protection for EC2 instances with findings.

        • EbsVolumes (boolean) --

          Describes the configuration for scanning EBS volumes as data source.

Return type

dict

Returns

Response Syntax

{}

Response Structure

  • (dict) --

Exceptions

  • GuardDuty.Client.exceptions.BadRequestException
  • GuardDuty.Client.exceptions.InternalServerErrorException
update_filter(**kwargs)

Updates the filter specified by the filter name.

See also: AWS API Documentation

Request Syntax

response = client.update_filter(
    DetectorId='string',
    FilterName='string',
    Description='string',
    Action='NOOP'|'ARCHIVE',
    Rank=123,
    FindingCriteria={
        'Criterion': {
            'string': {
                'Eq': [
                    'string',
                ],
                'Neq': [
                    'string',
                ],
                'Gt': 123,
                'Gte': 123,
                'Lt': 123,
                'Lte': 123,
                'Equals': [
                    'string',
                ],
                'NotEquals': [
                    'string',
                ],
                'GreaterThan': 123,
                'GreaterThanOrEqual': 123,
                'LessThan': 123,
                'LessThanOrEqual': 123
            }
        }
    }
)
Parameters
  • DetectorId (string) --

    [REQUIRED]

    The unique ID of the detector that specifies the GuardDuty service where you want to update a filter.

  • FilterName (string) --

    [REQUIRED]

    The name of the filter.

  • Description (string) -- The description of the filter. Valid characters include alphanumeric characters, and special characters such as hyphen, period, colon, underscore, parentheses ( { } , [ ] , and ( ) ), forward slash, horizontal tab, vertical tab, newline, form feed, return, and whitespace.
  • Action (string) -- Specifies the action that is to be applied to the findings that match the filter.
  • Rank (integer) -- Specifies the position of the filter in the list of current filters. Also specifies the order in which this filter is applied to the findings.
  • FindingCriteria (dict) --

    Represents the criteria to be used in the filter for querying findings.

    • Criterion (dict) --

      Represents a map of finding properties that match specified conditions and values when querying findings.

      • (string) --
        • (dict) --

          Contains information about the condition.

          • Eq (list) --

            Represents the equal condition to be applied to a single field when querying for findings.

            • (string) --
          • Neq (list) --

            Represents the not equal condition to be applied to a single field when querying for findings.

            • (string) --
          • Gt (integer) --

            Represents a greater than condition to be applied to a single field when querying for findings.

          • Gte (integer) --

            Represents a greater than or equal condition to be applied to a single field when querying for findings.

          • Lt (integer) --

            Represents a less than condition to be applied to a single field when querying for findings.

          • Lte (integer) --

            Represents a less than or equal condition to be applied to a single field when querying for findings.

          • Equals (list) --

            Represents an equal condition to be applied to a single field when querying for findings.

            • (string) --
          • NotEquals (list) --

            Represents a not equal condition to be applied to a single field when querying for findings.

            • (string) --
          • GreaterThan (integer) --

            Represents a greater than condition to be applied to a single field when querying for findings.

          • GreaterThanOrEqual (integer) --

            Represents a greater than or equal condition to be applied to a single field when querying for findings.

          • LessThan (integer) --

            Represents a less than condition to be applied to a single field when querying for findings.

          • LessThanOrEqual (integer) --

            Represents a less than or equal condition to be applied to a single field when querying for findings.

Return type

dict

Returns

Response Syntax

{
    'Name': 'string'
}

Response Structure

  • (dict) --

    • Name (string) --

      The name of the filter.

Exceptions

  • GuardDuty.Client.exceptions.BadRequestException
  • GuardDuty.Client.exceptions.InternalServerErrorException
update_findings_feedback(**kwargs)

Marks the specified GuardDuty findings as useful or not useful.

See also: AWS API Documentation

Request Syntax

response = client.update_findings_feedback(
    DetectorId='string',
    FindingIds=[
        'string',
    ],
    Feedback='USEFUL'|'NOT_USEFUL',
    Comments='string'
)
Parameters
  • DetectorId (string) --

    [REQUIRED]

    The ID of the detector associated with the findings to update feedback for.

  • FindingIds (list) --

    [REQUIRED]

    The IDs of the findings that you want to mark as useful or not useful.

    • (string) --
  • Feedback (string) --

    [REQUIRED]

    The feedback for the finding.

  • Comments (string) -- Additional feedback about the GuardDuty findings.
Return type

dict

Returns

Response Syntax

{}

Response Structure

  • (dict) --

Exceptions

  • GuardDuty.Client.exceptions.BadRequestException
  • GuardDuty.Client.exceptions.InternalServerErrorException
update_ip_set(**kwargs)

Updates the IPSet specified by the IPSet ID.

See also: AWS API Documentation

Request Syntax

response = client.update_ip_set(
    DetectorId='string',
    IpSetId='string',
    Name='string',
    Location='string',
    Activate=True|False
)
Parameters
  • DetectorId (string) --

    [REQUIRED]

    The detectorID that specifies the GuardDuty service whose IPSet you want to update.

  • IpSetId (string) --

    [REQUIRED]

    The unique ID that specifies the IPSet that you want to update.

  • Name (string) -- The unique ID that specifies the IPSet that you want to update.
  • Location (string) -- The updated URI of the file that contains the IPSet.
  • Activate (boolean) -- The updated Boolean value that specifies whether the IPSet is active or not.
Return type

dict

Returns

Response Syntax

{}

Response Structure

  • (dict) --

Exceptions

  • GuardDuty.Client.exceptions.BadRequestException
  • GuardDuty.Client.exceptions.InternalServerErrorException
update_malware_scan_settings(**kwargs)

Updates the malware scan settings.

There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints.

See also: AWS API Documentation

Request Syntax

response = client.update_malware_scan_settings(
    DetectorId='string',
    ScanResourceCriteria={
        'Include': {
            'string': {
                'MapEquals': [
                    {
                        'Key': 'string',
                        'Value': 'string'
                    },
                ]
            }
        },
        'Exclude': {
            'string': {
                'MapEquals': [
                    {
                        'Key': 'string',
                        'Value': 'string'
                    },
                ]
            }
        }
    },
    EbsSnapshotPreservation='NO_RETENTION'|'RETENTION_WITH_FINDING'
)
Parameters
  • DetectorId (string) --

    [REQUIRED]

    The unique ID of the detector that specifies the GuardDuty service where you want to update scan settings.

  • ScanResourceCriteria (dict) --

    Represents the criteria to be used in the filter for selecting resources to scan.

    • Include (dict) --

      Represents condition that when matched will allow a malware scan for a certain resource.

      • (string) --

        An enum value representing possible resource properties to match with given scan condition.

        • (dict) --

          Contains information about the condition.

          • MapEquals (list) -- [REQUIRED]

            Represents an mapEqual condition to be applied to a single field when triggering for malware scan.

            • (dict) --

              Represents key, value pair to be matched against given resource property.

              • Key (string) -- [REQUIRED]

                Represents key in the map condition.

              • Value (string) --

                Represents optional value in the map condition. If not specified, only key will be matched.

    • Exclude (dict) --

      Represents condition that when matched will prevent a malware scan for a certain resource.

      • (string) --

        An enum value representing possible resource properties to match with given scan condition.

        • (dict) --

          Contains information about the condition.

          • MapEquals (list) -- [REQUIRED]

            Represents an mapEqual condition to be applied to a single field when triggering for malware scan.

            • (dict) --

              Represents key, value pair to be matched against given resource property.

              • Key (string) -- [REQUIRED]

                Represents key in the map condition.

              • Value (string) --

                Represents optional value in the map condition. If not specified, only key will be matched.

  • EbsSnapshotPreservation (string) -- An enum value representing possible snapshot preservation settings.
Return type

dict

Returns

Response Syntax

{}

Response Structure

  • (dict) --

Exceptions

  • GuardDuty.Client.exceptions.BadRequestException
  • GuardDuty.Client.exceptions.InternalServerErrorException
update_member_detectors(**kwargs)

Contains information on member accounts to be updated.

There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints.

See also: AWS API Documentation

Request Syntax

response = client.update_member_detectors(
    DetectorId='string',
    AccountIds=[
        'string',
    ],
    DataSources={
        'S3Logs': {
            'Enable': True|False
        },
        'Kubernetes': {
            'AuditLogs': {
                'Enable': True|False
            }
        },
        'MalwareProtection': {
            'ScanEc2InstanceWithFindings': {
                'EbsVolumes': True|False
            }
        }
    }
)
Parameters
  • DetectorId (string) --

    [REQUIRED]

    The detector ID of the administrator account.

  • AccountIds (list) --

    [REQUIRED]

    A list of member account IDs to be updated.

    • (string) --
  • DataSources (dict) --

    Describes which data sources will be updated.

    • S3Logs (dict) --

      Describes whether S3 data event logs are enabled as a data source.

      • Enable (boolean) -- [REQUIRED]

        The status of S3 data event logs as a data source.

    • Kubernetes (dict) --

      Describes whether any Kubernetes logs are enabled as data sources.

      • AuditLogs (dict) -- [REQUIRED]

        The status of Kubernetes audit logs as a data source.

        • Enable (boolean) -- [REQUIRED]

          The status of Kubernetes audit logs as a data source.

    • MalwareProtection (dict) --

      Describes whether Malware Protection is enabled as a data source.

      • ScanEc2InstanceWithFindings (dict) --

        Describes the configuration of Malware Protection for EC2 instances with findings.

        • EbsVolumes (boolean) --

          Describes the configuration for scanning EBS volumes as data source.

Return type

dict

Returns

Response Syntax

{
    'UnprocessedAccounts': [
        {
            'AccountId': 'string',
            'Result': 'string'
        },
    ]
}

Response Structure

  • (dict) --

    • UnprocessedAccounts (list) --

      A list of member account IDs that were unable to be processed along with an explanation for why they were not processed.

      • (dict) --

        Contains information about the accounts that weren't processed.

        • AccountId (string) --

          The Amazon Web Services account ID.

        • Result (string) --

          A reason why the account hasn't been processed.

Exceptions

  • GuardDuty.Client.exceptions.BadRequestException
  • GuardDuty.Client.exceptions.InternalServerErrorException
update_organization_configuration(**kwargs)

Updates the delegated administrator account with the values provided.

There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints.

See also: AWS API Documentation

Request Syntax

response = client.update_organization_configuration(
    DetectorId='string',
    AutoEnable=True|False,
    DataSources={
        'S3Logs': {
            'AutoEnable': True|False
        },
        'Kubernetes': {
            'AuditLogs': {
                'AutoEnable': True|False
            }
        },
        'MalwareProtection': {
            'ScanEc2InstanceWithFindings': {
                'EbsVolumes': {
                    'AutoEnable': True|False
                }
            }
        }
    }
)
Parameters
  • DetectorId (string) --

    [REQUIRED]

    The ID of the detector to update the delegated administrator for.

  • AutoEnable (boolean) --

    [REQUIRED]

    Indicates whether to automatically enable member accounts in the organization.

  • DataSources (dict) --

    Describes which data sources will be updated.

    • S3Logs (dict) --

      Describes whether S3 data event logs are enabled for new members of the organization.

      • AutoEnable (boolean) -- [REQUIRED]

        A value that contains information on whether S3 data event logs will be enabled automatically as a data source for the organization.

    • Kubernetes (dict) --

      Describes the configuration of Kubernetes data sources for new members of the organization.

      • AuditLogs (dict) -- [REQUIRED]

        Whether Kubernetes audit logs data source should be auto-enabled for new members joining the organization.

        • AutoEnable (boolean) -- [REQUIRED]

          A value that contains information on whether Kubernetes audit logs should be enabled automatically as a data source for the organization.

    • MalwareProtection (dict) --

      Describes the configuration of Malware Protection for new members of the organization.

      • ScanEc2InstanceWithFindings (dict) --

        Whether Malware Protection for EC2 instances with findings should be auto-enabled for new members joining the organization.

        • EbsVolumes (dict) --

          Whether scanning EBS volumes should be auto-enabled for new members joining the organization.

          • AutoEnable (boolean) --

            Whether scanning EBS volumes should be auto-enabled for new members joining the organization.

Return type

dict

Returns

Response Syntax

{}

Response Structure

  • (dict) --

Exceptions

  • GuardDuty.Client.exceptions.BadRequestException
  • GuardDuty.Client.exceptions.InternalServerErrorException
update_publishing_destination(**kwargs)

Updates information about the publishing destination specified by the destinationId .

See also: AWS API Documentation

Request Syntax

response = client.update_publishing_destination(
    DetectorId='string',
    DestinationId='string',
    DestinationProperties={
        'DestinationArn': 'string',
        'KmsKeyArn': 'string'
    }
)
Parameters
  • DetectorId (string) --

    [REQUIRED]

    The ID of the detector associated with the publishing destinations to update.

  • DestinationId (string) --

    [REQUIRED]

    The ID of the publishing destination to update.

  • DestinationProperties (dict) --

    A DestinationProperties object that includes the DestinationArn and KmsKeyArn of the publishing destination.

    • DestinationArn (string) --

      The ARN of the resource to publish to.

      To specify an S3 bucket folder use the following format: arn:aws:s3:::DOC-EXAMPLE-BUCKET/myFolder/

    • KmsKeyArn (string) --

      The ARN of the KMS key to use for encryption.

Return type

dict

Returns

Response Syntax

{}

Response Structure

  • (dict) --

Exceptions

  • GuardDuty.Client.exceptions.BadRequestException
  • GuardDuty.Client.exceptions.InternalServerErrorException
update_threat_intel_set(**kwargs)

Updates the ThreatIntelSet specified by the ThreatIntelSet ID.

See also: AWS API Documentation

Request Syntax

response = client.update_threat_intel_set(
    DetectorId='string',
    ThreatIntelSetId='string',
    Name='string',
    Location='string',
    Activate=True|False
)
Parameters
  • DetectorId (string) --

    [REQUIRED]

    The detectorID that specifies the GuardDuty service whose ThreatIntelSet you want to update.

  • ThreatIntelSetId (string) --

    [REQUIRED]

    The unique ID that specifies the ThreatIntelSet that you want to update.

  • Name (string) -- The unique ID that specifies the ThreatIntelSet that you want to update.
  • Location (string) -- The updated URI of the file that contains the ThreateIntelSet.
  • Activate (boolean) -- The updated Boolean value that specifies whether the ThreateIntelSet is active or not.
Return type

dict

Returns

Response Syntax

{}

Response Structure

  • (dict) --

Exceptions

  • GuardDuty.Client.exceptions.BadRequestException
  • GuardDuty.Client.exceptions.InternalServerErrorException

Paginators

The available paginators are:

class GuardDuty.Paginator.DescribeMalwareScans
paginator = client.get_paginator('describe_malware_scans')
paginate(**kwargs)

Creates an iterator that will paginate through responses from GuardDuty.Client.describe_malware_scans().

See also: AWS API Documentation

Request Syntax

response_iterator = paginator.paginate(
    DetectorId='string',
    FilterCriteria={
        'FilterCriterion': [
            {
                'CriterionKey': 'EC2_INSTANCE_ARN'|'SCAN_ID'|'ACCOUNT_ID'|'GUARDDUTY_FINDING_ID'|'SCAN_START_TIME'|'SCAN_STATUS',
                'FilterCondition': {
                    'EqualsValue': 'string',
                    'GreaterThan': 123,
                    'LessThan': 123
                }
            },
        ]
    },
    SortCriteria={
        'AttributeName': 'string',
        'OrderBy': 'ASC'|'DESC'
    },
    PaginationConfig={
        'MaxItems': 123,
        'PageSize': 123,
        'StartingToken': 'string'
    }
)
Parameters
  • DetectorId (string) --

    [REQUIRED]

    The unique ID of the detector that the request is associated with.

  • FilterCriteria (dict) --

    Represents the criteria to be used in the filter for describing scan entries.

    • FilterCriterion (list) --

      Represents a condition that when matched will be added to the response of the operation.

      • (dict) --

        Represents a condition that when matched will be added to the response of the operation. Irrespective of using any filter criteria, an administrator account can view the scan entries for all of its member accounts. However, each member account can view the scan entries only for their own account.

        • CriterionKey (string) --

          An enum value representing possible scan properties to match with given scan entries.

        • FilterCondition (dict) --

          Contains information about the condition.

          • EqualsValue (string) --

            Represents an equal condition to be applied to a single field when querying for scan entries.

          • GreaterThan (integer) --

            Represents a greater than condition to be applied to a single field when querying for scan entries.

          • LessThan (integer) --

            Represents a less than condition to be applied to a single field when querying for scan entries.

  • SortCriteria (dict) --

    Represents the criteria used for sorting scan entries. The attributeName is required and it must be scanStartTime .

    • AttributeName (string) --

      Represents the finding attribute, such as accountId , that sorts the findings.

    • OrderBy (string) --

      The order by which the sorted findings are to be displayed.

  • PaginationConfig (dict) --

    A dictionary that provides parameters to control pagination.

    • MaxItems (integer) --

      The total number of items to return. If the total number of items available is more than the value specified in max-items then a NextToken will be provided in the output that you can use to resume pagination.

    • PageSize (integer) --

      The size of each page.

    • StartingToken (string) --

      A token to specify where to start paginating. This is the NextToken from a previous response.

Return type

dict

Returns

Response Syntax

{
    'Scans': [
        {
            'DetectorId': 'string',
            'AdminDetectorId': 'string',
            'ScanId': 'string',
            'ScanStatus': 'RUNNING'|'COMPLETED'|'FAILED',
            'FailureReason': 'string',
            'ScanStartTime': datetime(2015, 1, 1),
            'ScanEndTime': datetime(2015, 1, 1),
            'TriggerDetails': {
                'GuardDutyFindingId': 'string',
                'Description': 'string'
            },
            'ResourceDetails': {
                'InstanceArn': 'string'
            },
            'ScanResultDetails': {
                'ScanResult': 'CLEAN'|'INFECTED'
            },
            'AccountId': 'string',
            'TotalBytes': 123,
            'FileCount': 123,
            'AttachedVolumes': [
                {
                    'VolumeArn': 'string',
                    'VolumeType': 'string',
                    'DeviceName': 'string',
                    'VolumeSizeInGB': 123,
                    'EncryptionType': 'string',
                    'SnapshotArn': 'string',
                    'KmsKeyArn': 'string'
                },
            ]
        },
    ],

}

Response Structure

  • (dict) --

    • Scans (list) --

      Contains information about malware scans.

      • (dict) --

        Contains information about a malware scan.

        • DetectorId (string) --

          The unique ID of the detector that the request is associated with.

        • AdminDetectorId (string) --

          The unique detector ID of the administrator account that the request is associated with. Note that this value will be the same as the one used for DetectorId if the account is an administrator.

        • ScanId (string) --

          The unique scan ID associated with a scan entry.

        • ScanStatus (string) --

          An enum value representing possible scan statuses.

        • FailureReason (string) --

          Represents the reason for FAILED scan status.

        • ScanStartTime (datetime) --

          The timestamp of when the scan was triggered.

        • ScanEndTime (datetime) --

          The timestamp of when the scan was finished.

        • TriggerDetails (dict) --

          Specifies the reason why the scan was initiated.

          • GuardDutyFindingId (string) --

            The ID of the GuardDuty finding that triggered the malware scan.

          • Description (string) --

            The description of the scan trigger.

        • ResourceDetails (dict) --

          Represents the resources that were scanned in the scan entry.

          • InstanceArn (string) --

            InstanceArn that was scanned in the scan entry.

        • ScanResultDetails (dict) --

          Represents the result of the scan.

          • ScanResult (string) --

            An enum value representing possible scan results.

        • AccountId (string) --

          The ID for the account that belongs to the scan.

        • TotalBytes (integer) --

          Represents total bytes that were scanned.

        • FileCount (integer) --

          Represents the number of files that were scanned.

        • AttachedVolumes (list) --

          List of volumes that were attached to the original instance to be scanned.

          • (dict) --

            Contains EBS volume details.

            • VolumeArn (string) --

              EBS volume Arn information.

            • VolumeType (string) --

              The EBS volume type.

            • DeviceName (string) --

              The device name for the EBS volume.

            • VolumeSizeInGB (integer) --

              EBS volume size in GB.

            • EncryptionType (string) --

              EBS volume encryption type.

            • SnapshotArn (string) --

              Snapshot Arn of the EBS volume.

            • KmsKeyArn (string) --

              KMS key Arn used to encrypt the EBS volume.

class GuardDuty.Paginator.ListDetectors
paginator = client.get_paginator('list_detectors')
paginate(**kwargs)

Creates an iterator that will paginate through responses from GuardDuty.Client.list_detectors().

See also: AWS API Documentation

Request Syntax

response_iterator = paginator.paginate(
    PaginationConfig={
        'MaxItems': 123,
        'PageSize': 123,
        'StartingToken': 'string'
    }
)
Parameters
PaginationConfig (dict) --

A dictionary that provides parameters to control pagination.

  • MaxItems (integer) --

    The total number of items to return. If the total number of items available is more than the value specified in max-items then a NextToken will be provided in the output that you can use to resume pagination.

  • PageSize (integer) --

    The size of each page.

  • StartingToken (string) --

    A token to specify where to start paginating. This is the NextToken from a previous response.

Return type
dict
Returns
Response Syntax
{
    'DetectorIds': [
        'string',
    ],

}

Response Structure

  • (dict) --
    • DetectorIds (list) --

      A list of detector IDs.

      • (string) --
class GuardDuty.Paginator.ListFilters
paginator = client.get_paginator('list_filters')
paginate(**kwargs)

Creates an iterator that will paginate through responses from GuardDuty.Client.list_filters().

See also: AWS API Documentation

Request Syntax

response_iterator = paginator.paginate(
    DetectorId='string',
    PaginationConfig={
        'MaxItems': 123,
        'PageSize': 123,
        'StartingToken': 'string'
    }
)
Parameters
  • DetectorId (string) --

    [REQUIRED]

    The unique ID of the detector that the filter is associated with.

  • PaginationConfig (dict) --

    A dictionary that provides parameters to control pagination.

    • MaxItems (integer) --

      The total number of items to return. If the total number of items available is more than the value specified in max-items then a NextToken will be provided in the output that you can use to resume pagination.

    • PageSize (integer) --

      The size of each page.

    • StartingToken (string) --

      A token to specify where to start paginating. This is the NextToken from a previous response.

Return type

dict

Returns

Response Syntax

{
    'FilterNames': [
        'string',
    ],

}

Response Structure

  • (dict) --

    • FilterNames (list) --

      A list of filter names.

      • (string) --

class GuardDuty.Paginator.ListFindings
paginator = client.get_paginator('list_findings')
paginate(**kwargs)

Creates an iterator that will paginate through responses from GuardDuty.Client.list_findings().

See also: AWS API Documentation

Request Syntax

response_iterator = paginator.paginate(
    DetectorId='string',
    FindingCriteria={
        'Criterion': {
            'string': {
                'Eq': [
                    'string',
                ],
                'Neq': [
                    'string',
                ],
                'Gt': 123,
                'Gte': 123,
                'Lt': 123,
                'Lte': 123,
                'Equals': [
                    'string',
                ],
                'NotEquals': [
                    'string',
                ],
                'GreaterThan': 123,
                'GreaterThanOrEqual': 123,
                'LessThan': 123,
                'LessThanOrEqual': 123
            }
        }
    },
    SortCriteria={
        'AttributeName': 'string',
        'OrderBy': 'ASC'|'DESC'
    },
    PaginationConfig={
        'MaxItems': 123,
        'PageSize': 123,
        'StartingToken': 'string'
    }
)
Parameters
  • DetectorId (string) --

    [REQUIRED]

    The ID of the detector that specifies the GuardDuty service whose findings you want to list.

  • FindingCriteria (dict) --

    Represents the criteria used for querying findings. Valid values include:

    • JSON field name
    • accountId
    • region
    • confidence
    • id
    • resource.accessKeyDetails.accessKeyId
    • resource.accessKeyDetails.principalId
    • resource.accessKeyDetails.userName
    • resource.accessKeyDetails.userType
    • resource.instanceDetails.iamInstanceProfile.id
    • resource.instanceDetails.imageId
    • resource.instanceDetails.instanceId
    • resource.instanceDetails.networkInterfaces.ipv6Addresses
    • resource.instanceDetails.networkInterfaces.privateIpAddresses.privateIpAddress
    • resource.instanceDetails.networkInterfaces.publicDnsName
    • resource.instanceDetails.networkInterfaces.publicIp
    • resource.instanceDetails.networkInterfaces.securityGroups.groupId
    • resource.instanceDetails.networkInterfaces.securityGroups.groupName
    • resource.instanceDetails.networkInterfaces.subnetId
    • resource.instanceDetails.networkInterfaces.vpcId
    • resource.instanceDetails.tags.key
    • resource.instanceDetails.tags.value
    • resource.resourceType
    • service.action.actionType
    • service.action.awsApiCallAction.api
    • service.action.awsApiCallAction.callerType
    • service.action.awsApiCallAction.remoteIpDetails.city.cityName
    • service.action.awsApiCallAction.remoteIpDetails.country.countryName
    • service.action.awsApiCallAction.remoteIpDetails.ipAddressV4
    • service.action.awsApiCallAction.remoteIpDetails.organization.asn
    • service.action.awsApiCallAction.remoteIpDetails.organization.asnOrg
    • service.action.awsApiCallAction.serviceName
    • service.action.dnsRequestAction.domain
    • service.action.networkConnectionAction.blocked
    • service.action.networkConnectionAction.connectionDirection
    • service.action.networkConnectionAction.localPortDetails.port
    • service.action.networkConnectionAction.protocol
    • service.action.networkConnectionAction.remoteIpDetails.country.countryName
    • service.action.networkConnectionAction.remoteIpDetails.ipAddressV4
    • service.action.networkConnectionAction.remoteIpDetails.organization.asn
    • service.action.networkConnectionAction.remoteIpDetails.organization.asnOrg
    • service.action.networkConnectionAction.remotePortDetails.port
    • service.additionalInfo.threatListName
    • service.archived When this attribute is set to 'true', only archived findings are listed. When it's set to 'false', only unarchived findings are listed. When this attribute is not set, all existing findings are listed.
    • service.resourceRole
    • severity
    • type
    • updatedAt Type: Timestamp in Unix Epoch millisecond format: 1486685375000
    • Criterion (dict) --

      Represents a map of finding properties that match specified conditions and values when querying findings.

      • (string) --
        • (dict) --

          Contains information about the condition.

          • Eq (list) --

            Represents the equal condition to be applied to a single field when querying for findings.

            • (string) --
          • Neq (list) --

            Represents the not equal condition to be applied to a single field when querying for findings.

            • (string) --
          • Gt (integer) --

            Represents a greater than condition to be applied to a single field when querying for findings.

          • Gte (integer) --

            Represents a greater than or equal condition to be applied to a single field when querying for findings.

          • Lt (integer) --

            Represents a less than condition to be applied to a single field when querying for findings.

          • Lte (integer) --

            Represents a less than or equal condition to be applied to a single field when querying for findings.

          • Equals (list) --

            Represents an equal condition to be applied to a single field when querying for findings.

            • (string) --
          • NotEquals (list) --

            Represents a not equal condition to be applied to a single field when querying for findings.

            • (string) --
          • GreaterThan (integer) --

            Represents a greater than condition to be applied to a single field when querying for findings.

          • GreaterThanOrEqual (integer) --

            Represents a greater than or equal condition to be applied to a single field when querying for findings.

          • LessThan (integer) --

            Represents a less than condition to be applied to a single field when querying for findings.

          • LessThanOrEqual (integer) --

            Represents a less than or equal condition to be applied to a single field when querying for findings.

  • SortCriteria (dict) --

    Represents the criteria used for sorting findings.

    • AttributeName (string) --

      Represents the finding attribute, such as accountId , that sorts the findings.

    • OrderBy (string) --

      The order by which the sorted findings are to be displayed.

  • PaginationConfig (dict) --

    A dictionary that provides parameters to control pagination.

    • MaxItems (integer) --

      The total number of items to return. If the total number of items available is more than the value specified in max-items then a NextToken will be provided in the output that you can use to resume pagination.

    • PageSize (integer) --

      The size of each page.

    • StartingToken (string) --

      A token to specify where to start paginating. This is the NextToken from a previous response.

Return type

dict

Returns

Response Syntax

{
    'FindingIds': [
        'string',
    ],

}

Response Structure

  • (dict) --

    • FindingIds (list) --

      The IDs of the findings that you're listing.

      • (string) --

class GuardDuty.Paginator.ListIPSets
paginator = client.get_paginator('list_ip_sets')
paginate(**kwargs)

Creates an iterator that will paginate through responses from GuardDuty.Client.list_ip_sets().

See also: AWS API Documentation

Request Syntax

response_iterator = paginator.paginate(
    DetectorId='string',
    PaginationConfig={
        'MaxItems': 123,
        'PageSize': 123,
        'StartingToken': 'string'
    }
)
Parameters
  • DetectorId (string) --

    [REQUIRED]

    The unique ID of the detector that the IPSet is associated with.

  • PaginationConfig (dict) --

    A dictionary that provides parameters to control pagination.

    • MaxItems (integer) --

      The total number of items to return. If the total number of items available is more than the value specified in max-items then a NextToken will be provided in the output that you can use to resume pagination.

    • PageSize (integer) --

      The size of each page.

    • StartingToken (string) --

      A token to specify where to start paginating. This is the NextToken from a previous response.

Return type

dict

Returns

Response Syntax

{
    'IpSetIds': [
        'string',
    ],

}

Response Structure

  • (dict) --

    • IpSetIds (list) --

      The IDs of the IPSet resources.

      • (string) --

class GuardDuty.Paginator.ListInvitations
paginator = client.get_paginator('list_invitations')
paginate(**kwargs)

Creates an iterator that will paginate through responses from GuardDuty.Client.list_invitations().

See also: AWS API Documentation

Request Syntax

response_iterator = paginator.paginate(
    PaginationConfig={
        'MaxItems': 123,
        'PageSize': 123,
        'StartingToken': 'string'
    }
)
Parameters
PaginationConfig (dict) --

A dictionary that provides parameters to control pagination.

  • MaxItems (integer) --

    The total number of items to return. If the total number of items available is more than the value specified in max-items then a NextToken will be provided in the output that you can use to resume pagination.

  • PageSize (integer) --

    The size of each page.

  • StartingToken (string) --

    A token to specify where to start paginating. This is the NextToken from a previous response.

Return type
dict
Returns
Response Syntax
{
    'Invitations': [
        {
            'AccountId': 'string',
            'InvitationId': 'string',
            'RelationshipStatus': 'string',
            'InvitedAt': 'string'
        },
    ],

}

Response Structure

  • (dict) --
    • Invitations (list) --

      A list of invitation descriptions.

      • (dict) --

        Contains information about the invitation to become a member account.

        • AccountId (string) --

          The ID of the account that the invitation was sent from.

        • InvitationId (string) --

          The ID of the invitation. This value is used to validate the inviter account to the member account.

        • RelationshipStatus (string) --

          The status of the relationship between the inviter and invitee accounts.

        • InvitedAt (string) --

          The timestamp when the invitation was sent.

class GuardDuty.Paginator.ListMembers
paginator = client.get_paginator('list_members')
paginate(**kwargs)

Creates an iterator that will paginate through responses from GuardDuty.Client.list_members().

See also: AWS API Documentation

Request Syntax

response_iterator = paginator.paginate(
    DetectorId='string',
    OnlyAssociated='string',
    PaginationConfig={
        'MaxItems': 123,
        'PageSize': 123,
        'StartingToken': 'string'
    }
)
Parameters
  • DetectorId (string) --

    [REQUIRED]

    The unique ID of the detector the member is associated with.

  • OnlyAssociated (string) -- Specifies whether to only return associated members or to return all members (including members who haven't been invited yet or have been disassociated). Member accounts must have been previously associated with the GuardDuty administrator account using Create Members.
  • PaginationConfig (dict) --

    A dictionary that provides parameters to control pagination.

    • MaxItems (integer) --

      The total number of items to return. If the total number of items available is more than the value specified in max-items then a NextToken will be provided in the output that you can use to resume pagination.

    • PageSize (integer) --

      The size of each page.

    • StartingToken (string) --

      A token to specify where to start paginating. This is the NextToken from a previous response.

Return type

dict

Returns

Response Syntax

{
    'Members': [
        {
            'AccountId': 'string',
            'DetectorId': 'string',
            'MasterId': 'string',
            'Email': 'string',
            'RelationshipStatus': 'string',
            'InvitedAt': 'string',
            'UpdatedAt': 'string',
            'AdministratorId': 'string'
        },
    ],

}

Response Structure

  • (dict) --

    • Members (list) --

      A list of members.

      • (dict) --

        Contains information about the member account.

        • AccountId (string) --

          The ID of the member account.

        • DetectorId (string) --

          The detector ID of the member account.

        • MasterId (string) --

          The administrator account ID.

        • Email (string) --

          The email address of the member account.

        • RelationshipStatus (string) --

          The status of the relationship between the member and the administrator.

        • InvitedAt (string) --

          The timestamp when the invitation was sent.

        • UpdatedAt (string) --

          The last-updated timestamp of the member.

        • AdministratorId (string) --

          The administrator account ID.

class GuardDuty.Paginator.ListOrganizationAdminAccounts
paginator = client.get_paginator('list_organization_admin_accounts')
paginate(**kwargs)

Creates an iterator that will paginate through responses from GuardDuty.Client.list_organization_admin_accounts().

See also: AWS API Documentation

Request Syntax

response_iterator = paginator.paginate(
    PaginationConfig={
        'MaxItems': 123,
        'PageSize': 123,
        'StartingToken': 'string'
    }
)
Parameters
PaginationConfig (dict) --

A dictionary that provides parameters to control pagination.

  • MaxItems (integer) --

    The total number of items to return. If the total number of items available is more than the value specified in max-items then a NextToken will be provided in the output that you can use to resume pagination.

  • PageSize (integer) --

    The size of each page.

  • StartingToken (string) --

    A token to specify where to start paginating. This is the NextToken from a previous response.

Return type
dict
Returns
Response Syntax
{
    'AdminAccounts': [
        {
            'AdminAccountId': 'string',
            'AdminStatus': 'ENABLED'|'DISABLE_IN_PROGRESS'
        },
    ],

}

Response Structure

  • (dict) --
    • AdminAccounts (list) --

      A list of accounts configured as GuardDuty delegated administrators.

      • (dict) --

        The account within the organization specified as the GuardDuty delegated administrator.

        • AdminAccountId (string) --

          The Amazon Web Services account ID for the account.

        • AdminStatus (string) --

          Indicates whether the account is enabled as the delegated administrator.

class GuardDuty.Paginator.ListThreatIntelSets
paginator = client.get_paginator('list_threat_intel_sets')
paginate(**kwargs)

Creates an iterator that will paginate through responses from GuardDuty.Client.list_threat_intel_sets().

See also: AWS API Documentation

Request Syntax

response_iterator = paginator.paginate(
    DetectorId='string',
    PaginationConfig={
        'MaxItems': 123,
        'PageSize': 123,
        'StartingToken': 'string'
    }
)
Parameters
  • DetectorId (string) --

    [REQUIRED]

    The unique ID of the detector that the threatIntelSet is associated with.

  • PaginationConfig (dict) --

    A dictionary that provides parameters to control pagination.

    • MaxItems (integer) --

      The total number of items to return. If the total number of items available is more than the value specified in max-items then a NextToken will be provided in the output that you can use to resume pagination.

    • PageSize (integer) --

      The size of each page.

    • StartingToken (string) --

      A token to specify where to start paginating. This is the NextToken from a previous response.

Return type

dict

Returns

Response Syntax

{
    'ThreatIntelSetIds': [
        'string',
    ],

}

Response Structure

  • (dict) --

    • ThreatIntelSetIds (list) --

      The IDs of the ThreatIntelSet resources.

      • (string) --