Amazon GuardDuty

2018/10/01 - Amazon GuardDuty - 5 updated api methods

Changes: Update guardduty client to latest version

CreateDetector (updated)
Changes (request)
{'ClientToken': 'string',
 'FindingPublishingFrequency': 'FIFTEEN_MINUTES | ONE_HOUR | SIX_HOURS'}

Creates a single Amazon GuardDuty detector. A detector is an object that represents the GuardDuty service. A detector must be created in order for GuardDuty to become operational.

See also: AWS API Documentation

Request Syntax

client.create_detector(
    ClientToken='string',
    Enable=True|False,
    FindingPublishingFrequency='FIFTEEN_MINUTES'|'ONE_HOUR'|'SIX_HOURS'
)
type ClientToken:

string

param ClientToken:

The idempotency token for the create request. This field is autopopulated if not provided.

type Enable:

boolean

param Enable:

[REQUIRED] A boolean value that specifies whether the detector is to be enabled.

type FindingPublishingFrequency:

string

param FindingPublishingFrequency:

An enum value that specifies how frequently updated findings are published to the customer.

rtype:

dict

returns:

Response Syntax

{
    'DetectorId': 'string'
}

Response Structure

  • (dict) -- 200 response

    • DetectorId (string) -- The unique ID of the created detector.

CreateIPSet (updated)
Changes (request)
{'ClientToken': 'string'}

Creates a new IPSet - a list of trusted IP addresses that have been whitelisted for secure communication with AWS infrastructure and applications.

See also: AWS API Documentation

Request Syntax

client.create_ip_set(
    Activate=True|False,
    ClientToken='string',
    DetectorId='string',
    Format='TXT'|'STIX'|'OTX_CSV'|'ALIEN_VAULT'|'PROOF_POINT'|'FIRE_EYE',
    Location='string',
    Name='string'
)
type Activate:

boolean

param Activate:

[REQUIRED] A boolean value that indicates whether GuardDuty is to start using the uploaded IPSet.

type ClientToken:

string

param ClientToken:

The idempotency token for the create request. This field is autopopulated if not provided.

type DetectorId:

string

param DetectorId:

[REQUIRED] The unique ID of the detector that the IPSet is created for.

type Format:

string

param Format:

[REQUIRED] The format of the file that contains the IPSet.

type Location:

string

param Location:

[REQUIRED] The URI of the file that contains the IPSet. For example: https://s3.us-west-2.amazonaws.com/my-bucket/my-object-key

type Name:

string

param Name:

[REQUIRED] The user-friendly name that identifies the IPSet. This name is displayed in all findings that are triggered by activity that involves IP addresses included in this IPSet.

rtype:

dict

returns:

Response Syntax

{
    'IpSetId': 'string'
}

Response Structure

  • (dict) -- 200 response

    • IpSetId (string) -- The unique identifier for the IPSet.

CreateThreatIntelSet (updated)
Changes (request)
{'ClientToken': 'string'}

Creates a new ThreatIntelSet. ThreatIntelSets consist of known malicious IP addresses. GuardDuty generates findings based on ThreatIntelSets.

See also: AWS API Documentation

Request Syntax

client.create_threat_intel_set(
    Activate=True|False,
    ClientToken='string',
    DetectorId='string',
    Format='TXT'|'STIX'|'OTX_CSV'|'ALIEN_VAULT'|'PROOF_POINT'|'FIRE_EYE',
    Location='string',
    Name='string'
)
type Activate:

boolean

param Activate:

[REQUIRED] A boolean value that indicates whether GuardDuty is to start using the uploaded ThreatIntelSet.

type ClientToken:

string

param ClientToken:

The idempotency token for the create request. This field is autopopulated if not provided.

type DetectorId:

string

param DetectorId:

[REQUIRED] The unique ID of the detector that the ThreatIntelSet is created for.

type Format:

string

param Format:

[REQUIRED] The format of the file that contains the ThreatIntelSet.

type Location:

string

param Location:

[REQUIRED] The URI of the file that contains the ThreatIntelSet. For example: https://s3.us-west-2.amazonaws.com/my-bucket/my-object-key

type Name:

string

param Name:

[REQUIRED] A user-friendly ThreatIntelSet name that is displayed in all findings generated by activity that involves IP addresses included in this ThreatIntelSet.

rtype:

dict

returns:

Response Syntax

{
    'ThreatIntelSetId': 'string'
}

Response Structure

  • (dict) -- 200 response

    • ThreatIntelSetId (string) -- The unique identifier for the ThreatIntelSet.
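The create_ip_set and create_threat_intel_set calls above take the same parameters, and the only values the API will accept are the ones documented: a Format from the enum, an https S3 object URI for Location, and a ClientToken that makes retries idempotent. The following helper is an added example, not code from boto3 or the GuardDuty changelog; it validates those parameters before the call and derives the ClientToken from the logical request (a constructed scheme; any unique string is a valid token) so that a retried create cannot produce a duplicate set. The detector id and bucket path are constructed placeholders.

```python
import hashlib
import re
import uuid
from urllib.parse import urlparse

# Format enum and Location shape exactly as documented for create_ip_set and
# create_threat_intel_set (example URI: https://s3.us-west-2.amazonaws.com/my-bucket/my-object-key).
SET_FORMATS = {"TXT", "STIX", "OTX_CSV", "ALIEN_VAULT", "PROOF_POINT", "FIRE_EYE"}
S3_PATH_STYLE_HOST = re.compile(r"^s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$")


def idempotency_token(detector_id, name, location, fmt):
    """Derive the ClientToken from the logical request, so a retried call with
    the same detector, name, location and format presents the same token and
    cannot create a duplicate set. Constructed scheme; any unique string works."""
    digest = hashlib.sha256(f"{detector_id}|{name}|{location}|{fmt}".encode()).hexdigest()
    return str(uuid.UUID(hex=digest[:32]))


def build_set_request(detector_id, name, location, fmt, activate=True):
    """Return the kwargs for client.create_ip_set / client.create_threat_intel_set,
    rejecting anything that does not match the documented parameters."""
    if not detector_id:
        raise ValueError("DetectorId is required")
    if fmt not in SET_FORMATS:
        raise ValueError(f"Format must be one of {sorted(SET_FORMATS)}, got {fmt!r}")
    if not name or not name.strip():
        raise ValueError("Name is required; it is shown in every finding the set affects")
    url = urlparse(location)
    if url.scheme != "https" or not S3_PATH_STYLE_HOST.match(url.netloc) or url.path in ("", "/"):
        raise ValueError(f"Location must be an https S3 object URI, got {location!r}")
    return {
        "Activate": bool(activate),
        "ClientToken": idempotency_token(detector_id, name, location, fmt),
        "DetectorId": detector_id,
        "Format": fmt,
        "Location": location,
        "Name": name.strip(),
    }


if __name__ == "__main__":
    # Constructed sample values; a real call would be client.create_ip_set(**req).
    req = build_set_request(
        "detector-id-placeholder", "corp-egress-nat",
        "https://s3.us-west-2.amazonaws.com/my-bucket/my-object-key", "TXT",
    )
    print(req)
```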

GetDetector (updated)
Changes (response)
{'FindingPublishingFrequency': 'FIFTEEN_MINUTES | ONE_HOUR | SIX_HOURS'}

Retrieves an Amazon GuardDuty detector specified by the detectorId.

See also: AWS API Documentation

Request Syntax

client.get_detector(
    DetectorId='string'
)
type DetectorId:

string

param DetectorId:

[REQUIRED] The unique ID of the detector that you want to retrieve.

rtype:

dict

returns:

Response Syntax

{
    'CreatedAt': 'string',
    'FindingPublishingFrequency': 'FIFTEEN_MINUTES'|'ONE_HOUR'|'SIX_HOURS',
    'ServiceRole': 'string',
    'Status': 'ENABLED'|'DISABLED',
    'UpdatedAt': 'string'
}

Response Structure

  • (dict) -- 200 response

    • CreatedAt (string) -- The time the detector was created, in ISO-8601 format.

    • FindingPublishingFrequency (string) -- An enum value that specifies how frequently updated findings are published to the customer.

    • ServiceRole (string) -- The name or ARN of the service role GuardDuty uses to access customer resources.

    • Status (string) -- The status of the detector.

    • UpdatedAt (string) -- The time the detector was last updated, in ISO-8601 format.

UpdateDetector (updated)
Changes (request)
{'FindingPublishingFrequency': 'FIFTEEN_MINUTES | ONE_HOUR | SIX_HOURS'}

Updates an Amazon GuardDuty detector specified by the detectorId.

See also: AWS API Documentation

Request Syntax

client.update_detector(
    DetectorId='string',
    Enable=True|False,
    FindingPublishingFrequency='FIFTEEN_MINUTES'|'ONE_HOUR'|'SIX_HOURS'
)
type DetectorId:

string

param DetectorId:

[REQUIRED] The unique ID of the detector that you want to update.

type Enable:

boolean

param Enable:

Updated boolean value for the detector that specifies whether the detector is enabled.

type FindingPublishingFrequency:

string

param FindingPublishingFrequency:

An enum value that specifies how frequently updated findings are published to the customer.

rtype:

dict

returns:

Response Syntax

{}

Response Structure

  • (dict) -- 200 response
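A disabled detector, or one whose FindingPublishingFrequency is SIX_HOURS, delays the point at which a finding reaches the account's alerting pipeline. As an added example (not part of the original changelog or boto3), the following drift check consumes a response in the shape documented for get_detector above and produces exactly the update_detector arguments needed to restore the desired state, and nothing when the detector already matches. The detector ids and role ARN are constructed placeholders.

```python
FREQUENCIES = ("FIFTEEN_MINUTES", "ONE_HOUR", "SIX_HOURS")
STATUSES = ("ENABLED", "DISABLED")


def detector_drift(detector, want_enabled=True, want_frequency="FIFTEEN_MINUTES"):
    """Compare one get_detector response with the desired state and return the
    update_detector kwargs (without DetectorId) needed, or {} if compliant.
    A value outside the documented enums is an error, never treated as compliant."""
    if want_frequency not in FREQUENCIES:
        raise ValueError(f"unknown frequency {want_frequency!r}")
    status = detector.get("Status")
    if status not in STATUSES:
        raise ValueError(f"unexpected Status {status!r} in get_detector response")
    update = {}
    if (status == "ENABLED") != want_enabled:
        update["Enable"] = want_enabled
    if detector.get("FindingPublishingFrequency") != want_frequency:
        update["FindingPublishingFrequency"] = want_frequency
    return update


def audit(detectors, **desired):
    """Map DetectorId -> full update_detector kwargs for every detector that drifts."""
    plans = {}
    for detector_id, detector in detectors.items():
        update = detector_drift(detector, **desired)
        if update:
            plans[detector_id] = dict(DetectorId=detector_id, **update)
    return plans


# Constructed sample responses in the shape documented for get_detector.
SAMPLE_DETECTORS = {
    "detector-a-placeholder": {"CreatedAt": "2018-10-01T00:00:00Z", "UpdatedAt": "2018-10-01T00:00:00Z",
                               "ServiceRole": "arn:aws:iam::111122223333:role/EXAMPLE",
                               "Status": "ENABLED", "FindingPublishingFrequency": "FIFTEEN_MINUTES"},
    "detector-b-placeholder": {"CreatedAt": "2018-10-01T00:00:00Z", "UpdatedAt": "2018-10-01T00:00:00Z",
                               "ServiceRole": "arn:aws:iam::111122223333:role/EXAMPLE",
                               "Status": "DISABLED", "FindingPublishingFrequency": "SIX_HOURS"},
}

if __name__ == "__main__":
    # Each plan is exactly what client.update_detector(**plan) would be called with.
    for plan in audit(SAMPLE_DETECTORS).values():
        print(plan)
```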