GuardDuty / Client / create_detector

create_detector#

GuardDuty.Client.create_detector(**kwargs)#

Creates a single GuardDuty detector. A detector is a resource that represents the GuardDuty service. To start using GuardDuty, you must create a detector in each Region where you enable the service. You can have only one detector per account per Region. All data sources are enabled in a new detector by default.

  • When you don’t specify any features, with an exception to RUNTIME_MONITORING, all the optional features are enabled by default.

  • When you specify some of the features, any feature that is not specified in the API call gets enabled by default, with an exception to RUNTIME_MONITORING.

Specifying both EKS Runtime Monitoring ( EKS_RUNTIME_MONITORING) and Runtime Monitoring ( RUNTIME_MONITORING) will cause an error. You can add only one of these two features because Runtime Monitoring already includes the threat detection for Amazon EKS resources. For more information, see Runtime Monitoring.

There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints.

See also: AWS API Documentation

Request Syntax

response = client.create_detector(
    Enable=True|False,
    ClientToken='string',
    FindingPublishingFrequency='FIFTEEN_MINUTES'|'ONE_HOUR'|'SIX_HOURS',
    DataSources={
        'S3Logs': {
            'Enable': True|False
        },
        'Kubernetes': {
            'AuditLogs': {
                'Enable': True|False
            }
        },
        'MalwareProtection': {
            'ScanEc2InstanceWithFindings': {
                'EbsVolumes': True|False
            }
        }
    },
    Tags={
        'string': 'string'
    },
    Features=[
        {
            'Name': 'S3_DATA_EVENTS'|'EKS_AUDIT_LOGS'|'EBS_MALWARE_PROTECTION'|'RDS_LOGIN_EVENTS'|'EKS_RUNTIME_MONITORING'|'LAMBDA_NETWORK_LOGS'|'RUNTIME_MONITORING',
            'Status': 'ENABLED'|'DISABLED',
            'AdditionalConfiguration': [
                {
                    'Name': 'EKS_ADDON_MANAGEMENT'|'ECS_FARGATE_AGENT_MANAGEMENT',
                    'Status': 'ENABLED'|'DISABLED'
                },
            ]
        },
    ]
)
Parameters:
  • Enable (boolean) –

    [REQUIRED]

    A Boolean value that specifies whether the detector is to be enabled.

  • ClientToken (string) –

    The idempotency token for the create request.

    This field is autopopulated if not provided.

  • FindingPublishingFrequency (string) – A value that specifies how frequently updated findings are exported.

  • DataSources (dict) –

    Describes which data sources will be enabled for the detector.

    There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints.

    • S3Logs (dict) –

      Describes whether S3 data event logs are enabled as a data source.

      • Enable (boolean) – [REQUIRED]

        The status of S3 data event logs as a data source.

    • Kubernetes (dict) –

      Describes whether any Kubernetes logs are enabled as data sources.

      • AuditLogs (dict) – [REQUIRED]

        The status of Kubernetes audit logs as a data source.

        • Enable (boolean) – [REQUIRED]

          The status of Kubernetes audit logs as a data source.

    • MalwareProtection (dict) –

      Describes whether Malware Protection is enabled as a data source.

      • ScanEc2InstanceWithFindings (dict) –

        Describes the configuration of Malware Protection for EC2 instances with findings.

        • EbsVolumes (boolean) –

          Describes the configuration for scanning EBS volumes as data source.

  • Tags (dict) –

    The tags to be added to a new detector resource.

    • (string) –

      • (string) –

  • Features (list) –

    A list of features that will be configured for the detector.

    • (dict) –

      Contains information about a GuardDuty feature.

      Specifying both EKS Runtime Monitoring ( EKS_RUNTIME_MONITORING) and Runtime Monitoring ( RUNTIME_MONITORING) will cause an error. You can add only one of these two features because Runtime Monitoring already includes the threat detection for Amazon EKS resources. For more information, see Runtime Monitoring.

      • Name (string) –

        The name of the feature.

      • Status (string) –

        The status of the feature.

      • AdditionalConfiguration (list) –

        Additional configuration for a resource.

        • (dict) –

          Information about the additional configuration for a feature in your GuardDuty account.

          • Name (string) –

            Name of the additional configuration.

          • Status (string) –

            Status of the additional configuration.

Return type:

dict

Returns:

Response Syntax

{
    'DetectorId': 'string',
    'UnprocessedDataSources': {
        'MalwareProtection': {
            'ScanEc2InstanceWithFindings': {
                'EbsVolumes': {
                    'Status': 'ENABLED'|'DISABLED',
                    'Reason': 'string'
                }
            },
            'ServiceRole': 'string'
        }
    }
}

Response Structure

  • (dict) –

    • DetectorId (string) –

      The unique ID of the created detector.

    • UnprocessedDataSources (dict) –

      Specifies the data sources that couldn’t be enabled when GuardDuty was enabled for the first time.

      • MalwareProtection (dict) –

        An object that contains information on the status of all Malware Protection data sources.

        • ScanEc2InstanceWithFindings (dict) –

          Describes the configuration of Malware Protection for EC2 instances with findings.

          • EbsVolumes (dict) –

            Describes the configuration of scanning EBS volumes as a data source.

            • Status (string) –

              Describes whether scanning EBS volumes is enabled as a data source.

            • Reason (string) –

              Specifies the reason why scanning EBS volumes (Malware Protection) was not enabled as a data source.

        • ServiceRole (string) –

          The GuardDuty Malware Protection service role.

Exceptions

  • GuardDuty.Client.exceptions.BadRequestException

  • GuardDuty.Client.exceptions.InternalServerErrorException