2018/02/12 - Amazon GuardDuty - 1 updated API method

Changes
Update guardduty client to latest version

Fields added to the GetFindings response (type names as given in the change record):

{'Findings': {'Service': {'Action': {'PortProbeAction': {
    'Blocked': 'boolean',
    'PortProbeDetails': [{
        'LocalPortDetails': {'Port': 'integer', 'PortName': 'string'},
        'RemoteIpDetails': {
            'City': {'CityName': 'string'},
            'Country': {'CountryCode': 'string', 'CountryName': 'string'},
            'GeoLocation': {'Lat': 'double', 'Lon': 'double'},
            'IpAddressV4': 'string',
            'Organization': {'Asn': 'string', 'AsnOrg': 'string', 'Isp': 'string', 'Org': 'string'}}}]}}}}}
Describes Amazon GuardDuty findings specified by finding IDs.
See also: AWS API Documentation
Request Syntax

    client.get_findings(
        DetectorId='string',
        FindingIds=[
            'string',
        ],
        SortCriteria={
            'AttributeName': 'string',
            'OrderBy': 'ASC'|'DESC'
        }
    )

Parameters
DetectorId (string) -- [REQUIRED] The ID of the detector that specifies the GuardDuty service whose findings you want to retrieve.
FindingIds (list) -- IDs of the findings that you want to retrieve.
(string) -- The unique identifier for the finding.
SortCriteria (dict) -- Represents the criteria used for sorting findings.
AttributeName (string) -- Represents the finding attribute (for example, accountId) by which to sort findings.
OrderBy (string) -- Order by which the sorted findings are to be displayed.

Return type
dict
Response Syntax
    {
        'Findings': [
            {
                'AccountId': 'string',
                'Arn': 'string',
                'Confidence': 123.0,
                'CreatedAt': 'string',
                'Description': 'string',
                'Id': 'string',
                'Partition': 'string',
                'Region': 'string',
                'Resource': {
                    'AccessKeyDetails': {
                        'AccessKeyId': 'string',
                        'PrincipalId': 'string',
                        'UserName': 'string',
                        'UserType': 'string'
                    },
                    'InstanceDetails': {
                        'AvailabilityZone': 'string',
                        'IamInstanceProfile': {'Arn': 'string', 'Id': 'string'},
                        'ImageId': 'string',
                        'InstanceId': 'string',
                        'InstanceState': 'string',
                        'InstanceType': 'string',
                        'LaunchTime': 'string',
                        'NetworkInterfaces': [
                            {
                                'Ipv6Addresses': ['string', ],
                                'PrivateDnsName': 'string',
                                'PrivateIpAddress': 'string',
                                'PrivateIpAddresses': [
                                    {'PrivateDnsName': 'string', 'PrivateIpAddress': 'string'},
                                ],
                                'PublicDnsName': 'string',
                                'PublicIp': 'string',
                                'SecurityGroups': [
                                    {'GroupId': 'string', 'GroupName': 'string'},
                                ],
                                'SubnetId': 'string',
                                'VpcId': 'string'
                            },
                        ],
                        'Platform': 'string',
                        'ProductCodes': [
                            {'Code': 'string', 'ProductType': 'string'},
                        ],
                        'Tags': [
                            {'Key': 'string', 'Value': 'string'},
                        ]
                    },
                    'ResourceType': 'string'
                },
                'SchemaVersion': 'string',
                'Service': {
                    'Action': {
                        'ActionType': 'string',
                        'AwsApiCallAction': {
                            'Api': 'string',
                            'CallerType': 'string',
                            'DomainDetails': {},
                            'RemoteIpDetails': {
                                'City': {'CityName': 'string'},
                                'Country': {'CountryCode': 'string', 'CountryName': 'string'},
                                'GeoLocation': {'Lat': 123.0, 'Lon': 123.0},
                                'IpAddressV4': 'string',
                                'Organization': {'Asn': 'string', 'AsnOrg': 'string', 'Isp': 'string', 'Org': 'string'}
                            },
                            'ServiceName': 'string'
                        },
                        'DnsRequestAction': {'Domain': 'string'},
                        'NetworkConnectionAction': {
                            'Blocked': True|False,
                            'ConnectionDirection': 'string',
                            'LocalPortDetails': {'Port': 123, 'PortName': 'string'},
                            'Protocol': 'string',
                            'RemoteIpDetails': {
                                'City': {'CityName': 'string'},
                                'Country': {'CountryCode': 'string', 'CountryName': 'string'},
                                'GeoLocation': {'Lat': 123.0, 'Lon': 123.0},
                                'IpAddressV4': 'string',
                                'Organization': {'Asn': 'string', 'AsnOrg': 'string', 'Isp': 'string', 'Org': 'string'}
                            },
                            'RemotePortDetails': {'Port': 123, 'PortName': 'string'}
                        },
                        'PortProbeAction': {
                            'Blocked': True|False,
                            'PortProbeDetails': [
                                {
                                    'LocalPortDetails': {'Port': 123, 'PortName': 'string'},
                                    'RemoteIpDetails': {
                                        'City': {'CityName': 'string'},
                                        'Country': {'CountryCode': 'string', 'CountryName': 'string'},
                                        'GeoLocation': {'Lat': 123.0, 'Lon': 123.0},
                                        'IpAddressV4': 'string',
                                        'Organization': {'Asn': 'string', 'AsnOrg': 'string', 'Isp': 'string', 'Org': 'string'}
                                    }
                                },
                            ]
                        }
                    },
                    'Archived': True|False,
                    'Count': 123,
                    'DetectorId': 'string',
                    'EventFirstSeen': 'string',
                    'EventLastSeen': 'string',
                    'ResourceRole': 'string',
                    'ServiceName': 'string',
                    'UserFeedback': 'string'
                },
                'Severity': 123.0,
                'Title': 'string',
                'Type': 'string',
                'UpdatedAt': 'string'
            },
        ]
    }
Response Structure
(dict) -- 200 response
Findings (list) -- A list of findings.
(dict) -- Representation of an abnormal or suspicious activity.
AccountId (string) -- AWS account ID where the activity occurred that prompted GuardDuty to generate a finding.
Arn (string) -- The ARN of a finding described by the action.
Confidence (float) -- The confidence level of a finding.
CreatedAt (string) -- The time stamp at which a finding was generated.
Description (string) -- The description of a finding.
Id (string) -- The identifier that corresponds to a finding described by the action.
Partition (string) -- The AWS resource partition.
Region (string) -- The AWS region where the activity occurred that prompted GuardDuty to generate a finding.
Resource (dict) -- The AWS resource associated with the activity that prompted GuardDuty to generate a finding.
AccessKeyDetails (dict) -- The IAM access key details (IAM user information) of a user that engaged in the activity that prompted GuardDuty to generate a finding.
AccessKeyId (string) -- Access key ID of the user.
PrincipalId (string) -- The principal ID of the user.
UserName (string) -- The name of the user.
UserType (string) -- The type of the user.
InstanceDetails (dict) -- The information about the EC2 instance associated with the activity that prompted GuardDuty to generate a finding.
AvailabilityZone (string) -- The availability zone of the EC2 instance.
IamInstanceProfile (dict) -- The profile information of the EC2 instance.
Arn (string) -- AWS EC2 instance profile ARN.
Id (string) -- AWS EC2 instance profile ID.
ImageId (string) -- The image ID of the EC2 instance.
InstanceId (string) -- The ID of the EC2 instance.
InstanceState (string) -- The state of the EC2 instance.
InstanceType (string) -- The type of the EC2 instance.
LaunchTime (string) -- The launch time of the EC2 instance.
NetworkInterfaces (list) -- The network interface information of the EC2 instance.
(dict) -- The network interface information of the EC2 instance.
Ipv6Addresses (list) -- A list of EC2 instance IPv6 address information.
(string) -- IPv6 address of the EC2 instance.
PrivateDnsName (string) -- Private DNS name of the EC2 instance.
PrivateIpAddress (string) -- Private IP address of the EC2 instance.
PrivateIpAddresses (list) -- Other private IP address information of the EC2 instance.
(dict) -- Other private IP address information of the EC2 instance.
PrivateDnsName (string) -- Private DNS name of the EC2 instance.
PrivateIpAddress (string) -- Private IP address of the EC2 instance.
PublicDnsName (string) -- Public DNS name of the EC2 instance.
PublicIp (string) -- Public IP address of the EC2 instance.
SecurityGroups (list) -- Security groups associated with the EC2 instance.
(dict) -- Security groups associated with the EC2 instance.
GroupId (string) -- EC2 instance's security group ID.
GroupName (string) -- EC2 instance's security group name.
SubnetId (string) -- The subnet ID of the EC2 instance.
VpcId (string) -- The VPC ID of the EC2 instance.
Platform (string) -- The platform of the EC2 instance.
ProductCodes (list) -- The product code of the EC2 instance.
(dict) -- The product code of the EC2 instance.
Code (string) -- Product code information.
ProductType (string) -- Product code type.
Tags (list) -- The tags of the EC2 instance.
(dict) -- A tag of the EC2 instance.
Key (string) -- EC2 instance tag key.
Value (string) -- EC2 instance tag value.
ResourceType (string) -- The type of the AWS resource.
SchemaVersion (string) -- Findings' schema version.
Service (dict) -- Additional information assigned to the generated finding by GuardDuty.
Action (dict) -- Information about the activity described in a finding.
ActionType (string) -- GuardDuty Finding activity type.
AwsApiCallAction (dict) -- Information about the AWS_API_CALL action described in this finding.
Api (string) -- AWS API name.
CallerType (string) -- AWS API caller type.
DomainDetails (dict) -- Domain information for the AWS API call.
RemoteIpDetails (dict) -- Remote IP information of the connection.
City (dict) -- City information of the remote IP address.
CityName (string) -- City name of the remote IP address.
Country (dict) -- Country code of the remote IP address.
CountryCode (string) -- Country code of the remote IP address.
CountryName (string) -- Country name of the remote IP address.
GeoLocation (dict) -- Location information of the remote IP address.
Lat (float) -- Latitude information of remote IP address.
Lon (float) -- Longitude information of remote IP address.
IpAddressV4 (string) -- IPV4 remote address of the connection.
Organization (dict) -- ISP Organization information of the remote IP address.
Asn (string) -- Autonomous system number of the internet provider of the remote IP address.
AsnOrg (string) -- Organization that registered this ASN.
Isp (string) -- ISP information for the internet provider.
Org (string) -- Name of the internet provider.
ServiceName (string) -- AWS service name whose API was invoked.
DnsRequestAction (dict) -- Information about the DNS_REQUEST action described in this finding.
Domain (string) -- Domain information for the DNS request.
NetworkConnectionAction (dict) -- Information about the NETWORK_CONNECTION action described in this finding.
Blocked (boolean) -- Network connection blocked information.
ConnectionDirection (string) -- Network connection direction.
LocalPortDetails (dict) -- Local port information of the connection.
Port (integer) -- Port number of the local connection.
PortName (string) -- Port name of the local connection.
Protocol (string) -- Network connection protocol.
RemoteIpDetails (dict) -- Remote IP information of the connection.
City (dict) -- City information of the remote IP address.
CityName (string) -- City name of the remote IP address.
Country (dict) -- Country code of the remote IP address.
CountryCode (string) -- Country code of the remote IP address.
CountryName (string) -- Country name of the remote IP address.
GeoLocation (dict) -- Location information of the remote IP address.
Lat (float) -- Latitude information of remote IP address.
Lon (float) -- Longitude information of remote IP address.
IpAddressV4 (string) -- IPV4 remote address of the connection.
Organization (dict) -- ISP Organization information of the remote IP address.
Asn (string) -- Autonomous system number of the internet provider of the remote IP address.
AsnOrg (string) -- Organization that registered this ASN.
Isp (string) -- ISP information for the internet provider.
Org (string) -- Name of the internet provider.
RemotePortDetails (dict) -- Remote port information of the connection.
Port (integer) -- Port number of the remote connection.
PortName (string) -- Port name of the remote connection.
PortProbeAction (dict) -- Information about the PORT_PROBE action described in this finding.
Blocked (boolean) -- Port probe blocked information.
PortProbeDetails (list) -- A list of port probe details objects.
(dict) -- Details about the port probe finding.
LocalPortDetails (dict) -- Local port information of the connection.
Port (integer) -- Port number of the local connection.
PortName (string) -- Port name of the local connection.
RemoteIpDetails (dict) -- Remote IP information of the connection.
City (dict) -- City information of the remote IP address.
CityName (string) -- City name of the remote IP address.
Country (dict) -- Country code of the remote IP address.
CountryCode (string) -- Country code of the remote IP address.
CountryName (string) -- Country name of the remote IP address.
GeoLocation (dict) -- Location information of the remote IP address.
Lat (float) -- Latitude information of remote IP address.
Lon (float) -- Longitude information of remote IP address.
IpAddressV4 (string) -- IPV4 remote address of the connection.
Organization (dict) -- ISP Organization information of the remote IP address.
Asn (string) -- Autonomous system number of the internet provider of the remote IP address.
AsnOrg (string) -- Organization that registered this ASN.
Isp (string) -- ISP information for the internet provider.
Org (string) -- Name of the internet provider.
Archived (boolean) -- Indicates whether this finding is archived.
Count (integer) -- Total count of the occurrences of this finding type.
DetectorId (string) -- Detector ID for the GuardDuty service.
EventFirstSeen (string) -- First seen timestamp of the activity that prompted GuardDuty to generate this finding.
EventLastSeen (string) -- Last seen timestamp of the activity that prompted GuardDuty to generate this finding.
ResourceRole (string) -- Resource role information for this finding.
ServiceName (string) -- The name of the AWS service (GuardDuty) that generated a finding.
UserFeedback (string) -- Feedback left about the finding.
Severity (float) -- The severity of a finding.
Title (string) -- The title of a finding.
Type (string) -- The type of a finding described by the action.
UpdatedAt (string) -- The time stamp at which a finding was last updated.
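The response structure above is deeply nested, and the new PortProbeAction block is a list inside a dict inside a dict, so a responder usually flattens it before deciding which exposed ports to close. The following is an added example of that triage step, not code from the boto3 library or from AWS: it calls get_findings exactly as documented in the request syntax, flattens each PORT_PROBE finding into one row per probed port, and groups the probes GuardDuty reports as not blocked by remote address. The SAMPLE_RESPONSE is constructed to match the Response Syntax on this page (instance and finding IDs are placeholders, the addresses and ASNs come from documentation ranges), and sorting on the attribute name 'severity' is an assumption, since the page only gives accountId as an example attribute.

```python
"""Triage helper for GuardDuty GetFindings responses carrying PortProbeAction.
Added example, not boto3 or AWS code. SAMPLE_RESPONSE is constructed to match
the documented Response Syntax; its IDs, addresses and ASNs are placeholders."""

from collections import defaultdict

# Constructed sample: one PORT_PROBE finding with two probed ports plus one
# NETWORK_CONNECTION finding that the summary must skip. Only the fields the
# helpers read are populated.
SAMPLE_RESPONSE = {
    "Findings": [
        {
            "Id": "finding-port-probe-0001",  # placeholder finding ID
            "Severity": 2.0,
            "Resource": {
                "ResourceType": "Instance",
                "InstanceDetails": {"InstanceId": "i-0123456789abcdef0"},  # placeholder
            },
            "Service": {
                "Count": 14,
                "Action": {
                    "ActionType": "PORT_PROBE",
                    "PortProbeAction": {
                        "Blocked": False,
                        "PortProbeDetails": [
                            {
                                "LocalPortDetails": {"Port": 22, "PortName": "SSH"},
                                "RemoteIpDetails": {
                                    "IpAddressV4": "198.51.100.23",  # TEST-NET-2 address
                                    "Country": {"CountryCode": "ZZ", "CountryName": "Example"},
                                    "Organization": {"Asn": "64496", "AsnOrg": "Example ISP"},
                                },
                            },
                            {
                                "LocalPortDetails": {"Port": 3389, "PortName": "RDP"},
                                "RemoteIpDetails": {
                                    "IpAddressV4": "203.0.113.7",  # TEST-NET-3 address
                                    "Country": {"CountryCode": "ZZ", "CountryName": "Example"},
                                    "Organization": {"Asn": "64497", "AsnOrg": "Example Hosting"},
                                },
                            },
                        ],
                    },
                },
            },
        },
        {
            "Id": "finding-net-conn-0002",  # placeholder finding ID
            "Severity": 5.0,
            "Resource": {"ResourceType": "Instance", "InstanceDetails": {}},
            "Service": {"Count": 3, "Action": {"ActionType": "NETWORK_CONNECTION"}},
        },
    ]
}


def fetch_findings(client, detector_id, finding_ids):
    """Issue the GetFindings call as documented above through a boto3 GuardDuty
    client the caller has built (boto3.client("guardduty")). Sorting on
    'severity' is an assumption about valid AttributeName values."""
    response = client.get_findings(
        DetectorId=detector_id,
        FindingIds=finding_ids,
        SortCriteria={"AttributeName": "severity", "OrderBy": "DESC"},
    )
    return response["Findings"]


def summarize_port_probes(findings):
    """Flatten Service.Action.PortProbeAction into one row per probed port with
    the fields a responder triages on. Findings whose ActionType is not
    PORT_PROBE are skipped, so every row describes a probe."""
    rows = []
    for finding in findings:
        service = finding.get("Service", {})
        action = service.get("Action", {})
        if action.get("ActionType") != "PORT_PROBE":
            continue
        probe = action.get("PortProbeAction", {})
        instance = finding.get("Resource", {}).get("InstanceDetails", {})
        for detail in probe.get("PortProbeDetails", []):
            local = detail.get("LocalPortDetails", {})
            remote = detail.get("RemoteIpDetails", {})
            rows.append({
                "finding_id": finding.get("Id"),
                "severity": finding.get("Severity"),
                "occurrences": service.get("Count"),
                "instance_id": instance.get("InstanceId"),
                "local_port": local.get("Port"),
                "port_name": local.get("PortName"),
                "blocked": bool(probe.get("Blocked", False)),
                "remote_ip": remote.get("IpAddressV4"),
                "country": remote.get("Country", {}).get("CountryCode"),
                "asn_org": remote.get("Organization", {}).get("AsnOrg"),
            })
    return rows


def unblocked_ports_by_source(rows):
    """Group probes GuardDuty reports as not blocked by remote address, giving
    the remote IP -> local ports view used to pick which security group rules
    to tighten first. Blocked probes are excluded."""
    by_ip = defaultdict(set)
    for row in rows:
        if not row["blocked"] and row["remote_ip"]:
            by_ip[row["remote_ip"]].add(row["local_port"])
    return {ip: sorted(ports) for ip, ports in by_ip.items()}


if __name__ == "__main__":
    probe_rows = summarize_port_probes(SAMPLE_RESPONSE["Findings"])
    for row in probe_rows:
        print(row)
    print(unblocked_ports_by_source(probe_rows))
```

In live use, replace SAMPLE_RESPONSE["Findings"] with fetch_findings(client, detector_id, ids), where the finding IDs come from a prior ListFindings call; the helpers only read the fields documented in the response structure, so they also tolerate findings with other action types.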