2019/08/09 - Amazon GuardDuty - 1 updated api methods
Changes New "evidence" field in the finding model to provide evidence information explaining why the finding has been triggered. Currently only threat-intelligence findings have this field. Some documentation updates.
{'Findings': {'Service': {'Evidence': {'ThreatIntelligenceDetails': [{'ThreatListName': 'string',
'ThreatNames': ['string']}]}}}}
Describes Amazon GuardDuty findings specified by finding IDs.
See also: AWS API Documentation
Request Syntax
client.get_findings(
DetectorId='string',
FindingIds=[
'string',
],
SortCriteria={
'AttributeName': 'string',
'OrderBy': 'ASC'|'DESC'
}
)
string
[REQUIRED]
The ID of the detector that specifies the GuardDuty service whose findings you want to retrieve.
list
[REQUIRED]
IDs of the findings that you want to retrieve.
(string) --
dict
Represents the criteria used for sorting findings.
AttributeName (string) --
Represents the finding attribute (for example, accountId) by which to sort findings.
OrderBy (string) --
Order by which the sorted findings are to be displayed.
dict
Response Syntax
{
'Findings': [
{
'AccountId': 'string',
'Arn': 'string',
'Confidence': 123.0,
'CreatedAt': 'string',
'Description': 'string',
'Id': 'string',
'Partition': 'string',
'Region': 'string',
'Resource': {
'AccessKeyDetails': {
'AccessKeyId': 'string',
'PrincipalId': 'string',
'UserName': 'string',
'UserType': 'string'
},
'InstanceDetails': {
'AvailabilityZone': 'string',
'IamInstanceProfile': {
'Arn': 'string',
'Id': 'string'
},
'ImageDescription': 'string',
'ImageId': 'string',
'InstanceId': 'string',
'InstanceState': 'string',
'InstanceType': 'string',
'LaunchTime': 'string',
'NetworkInterfaces': [
{
'Ipv6Addresses': [
'string',
],
'NetworkInterfaceId': 'string',
'PrivateDnsName': 'string',
'PrivateIpAddress': 'string',
'PrivateIpAddresses': [
{
'PrivateDnsName': 'string',
'PrivateIpAddress': 'string'
},
],
'PublicDnsName': 'string',
'PublicIp': 'string',
'SecurityGroups': [
{
'GroupId': 'string',
'GroupName': 'string'
},
],
'SubnetId': 'string',
'VpcId': 'string'
},
],
'Platform': 'string',
'ProductCodes': [
{
'Code': 'string',
'ProductType': 'string'
},
],
'Tags': [
{
'Key': 'string',
'Value': 'string'
},
]
},
'ResourceType': 'string'
},
'SchemaVersion': 'string',
'Service': {
'Action': {
'ActionType': 'string',
'AwsApiCallAction': {
'Api': 'string',
'CallerType': 'string',
'DomainDetails': {
'Domain': 'string'
},
'RemoteIpDetails': {
'City': {
'CityName': 'string'
},
'Country': {
'CountryCode': 'string',
'CountryName': 'string'
},
'GeoLocation': {
'Lat': 123.0,
'Lon': 123.0
},
'IpAddressV4': 'string',
'Organization': {
'Asn': 'string',
'AsnOrg': 'string',
'Isp': 'string',
'Org': 'string'
}
},
'ServiceName': 'string'
},
'DnsRequestAction': {
'Domain': 'string'
},
'NetworkConnectionAction': {
'Blocked': True|False,
'ConnectionDirection': 'string',
'LocalPortDetails': {
'Port': 123,
'PortName': 'string'
},
'Protocol': 'string',
'RemoteIpDetails': {
'City': {
'CityName': 'string'
},
'Country': {
'CountryCode': 'string',
'CountryName': 'string'
},
'GeoLocation': {
'Lat': 123.0,
'Lon': 123.0
},
'IpAddressV4': 'string',
'Organization': {
'Asn': 'string',
'AsnOrg': 'string',
'Isp': 'string',
'Org': 'string'
}
},
'RemotePortDetails': {
'Port': 123,
'PortName': 'string'
}
},
'PortProbeAction': {
'Blocked': True|False,
'PortProbeDetails': [
{
'LocalPortDetails': {
'Port': 123,
'PortName': 'string'
},
'RemoteIpDetails': {
'City': {
'CityName': 'string'
},
'Country': {
'CountryCode': 'string',
'CountryName': 'string'
},
'GeoLocation': {
'Lat': 123.0,
'Lon': 123.0
},
'IpAddressV4': 'string',
'Organization': {
'Asn': 'string',
'AsnOrg': 'string',
'Isp': 'string',
'Org': 'string'
}
}
},
]
}
},
'Evidence': {
'ThreatIntelligenceDetails': [
{
'ThreatListName': 'string',
'ThreatNames': [
'string',
]
},
]
},
'Archived': True|False,
'Count': 123,
'DetectorId': 'string',
'EventFirstSeen': 'string',
'EventLastSeen': 'string',
'ResourceRole': 'string',
'ServiceName': 'string',
'UserFeedback': 'string'
},
'Severity': 123.0,
'Title': 'string',
'Type': 'string',
'UpdatedAt': 'string'
},
]
}
Response Structure
(dict) --
Findings (list) --
A list of findings.
(dict) --
Contains information about the finding.
AccountId (string) --
The ID of the account in which the finding was generated.
Arn (string) --
The ARN for the finding.
Confidence (float) --
The confidence score for the finding.
CreatedAt (string) --
The time and date at which the finding was created.
Description (string) --
The description of the finding.
Id (string) --
The ID of the finding.
Partition (string) --
The partition associated with the finding.
Region (string) --
The Region in which the finding was generated.
Resource (dict) --
Contains information about the resource.
AccessKeyDetails (dict) --
The IAM access key details (IAM user information) of a user that engaged in the activity that prompted GuardDuty to generate a finding.
AccessKeyId (string) --
Access key ID of the user.
PrincipalId (string) --
The principal ID of the user.
UserName (string) --
The name of the user.
UserType (string) --
The type of the user.
InstanceDetails (dict) --
The information about the EC2 instance associated with the activity that prompted GuardDuty to generate a finding.
AvailabilityZone (string) --
The availability zone of the EC2 instance.
IamInstanceProfile (dict) --
The profile information of the EC2 instance.
Arn (string) --
AWS EC2 instance profile ARN.
Id (string) --
AWS EC2 instance profile ID.
ImageDescription (string) --
The image description of the EC2 instance.
ImageId (string) --
The image ID of the EC2 instance.
InstanceId (string) --
The ID of the EC2 instance.
InstanceState (string) --
The state of the EC2 instance.
InstanceType (string) --
The type of the EC2 instance.
LaunchTime (string) --
The launch time of the EC2 instance.
NetworkInterfaces (list) --
The network interface information of the EC2 instance.
(dict) --
Contains information about the network interface.
Ipv6Addresses (list) --
A list of EC2 instance IPv6 address information.
(string) --
NetworkInterfaceId (string) --
The ID of the network interface
PrivateDnsName (string) --
Private DNS name of the EC2 instance.
PrivateIpAddress (string) --
Private IP address of the EC2 instance.
PrivateIpAddresses (list) --
Other private IP address information of the EC2 instance.
(dict) --
Contains information about the private IP address.
PrivateDnsName (string) --
Private DNS name of the EC2 instance.
PrivateIpAddress (string) --
Private IP address of the EC2 instance.
PublicDnsName (string) --
Public DNS name of the EC2 instance.
PublicIp (string) --
Public IP address of the EC2 instance.
SecurityGroups (list) --
Security groups associated with the EC2 instance.
(dict) --
Contains information about the security group.
GroupId (string) --
EC2 instance's security group ID.
GroupName (string) --
EC2 instance's security group name.
SubnetId (string) --
The subnet ID of the EC2 instance.
VpcId (string) --
The VPC ID of the EC2 instance.
Platform (string) --
The platform of the EC2 instance.
ProductCodes (list) --
The product code of the EC2 instance.
(dict) --
Contains information about the product code.
Code (string) --
Product code information.
ProductType (string) --
Product code type.
Tags (list) --
The tags of the EC2 instance.
(dict) --
Contains information about the tag associated with the resource.
Key (string) --
EC2 instance tag key.
Value (string) --
EC2 instance tag value.
ResourceType (string) --
The type of the AWS resource.
SchemaVersion (string) --
The version of the schema used for the finding.
Service (dict) --
Contains information about the service.
Action (dict) --
Information about the activity described in a finding.
ActionType (string) --
GuardDuty Finding activity type.
AwsApiCallAction (dict) --
Information about the AWS_API_CALL action described in this finding.
Api (string) --
AWS API name.
CallerType (string) --
AWS API caller type.
DomainDetails (dict) --
Domain information for the AWS API call.
Domain (string) --
Domain information for the AWS API call.
RemoteIpDetails (dict) --
Remote IP information of the connection.
City (dict) --
City information of the remote IP address.
CityName (string) --
City name of the remote IP address.
Country (dict) --
Country code of the remote IP address.
CountryCode (string) --
Country code of the remote IP address.
CountryName (string) --
Country name of the remote IP address.
GeoLocation (dict) --
Location information of the remote IP address.
Lat (float) --
Latitude information of remote IP address.
Lon (float) --
Longitude information of remote IP address.
IpAddressV4 (string) --
IPV4 remote address of the connection.
Organization (dict) --
ISP Organization information of the remote IP address.
Asn (string) --
Autonomous system number of the internet provider of the remote IP address.
AsnOrg (string) --
Organization that registered this ASN.
Isp (string) --
ISP information for the internet provider.
Org (string) --
Name of the internet provider.
ServiceName (string) --
AWS service name whose API was invoked.
DnsRequestAction (dict) --
Information about the DNS_REQUEST action described in this finding.
Domain (string) --
Domain information for the DNS request.
NetworkConnectionAction (dict) --
Information about the NETWORK_CONNECTION action described in this finding.
Blocked (boolean) --
Network connection blocked information.
ConnectionDirection (string) --
Network connection direction.
LocalPortDetails (dict) --
Local port information of the connection.
Port (integer) --
Port number of the local connection.
PortName (string) --
Port name of the local connection.
Protocol (string) --
Network connection protocol.
RemoteIpDetails (dict) --
Remote IP information of the connection.
City (dict) --
City information of the remote IP address.
CityName (string) --
City name of the remote IP address.
Country (dict) --
Country code of the remote IP address.
CountryCode (string) --
Country code of the remote IP address.
CountryName (string) --
Country name of the remote IP address.
GeoLocation (dict) --
Location information of the remote IP address.
Lat (float) --
Latitude information of remote IP address.
Lon (float) --
Longitude information of remote IP address.
IpAddressV4 (string) --
IPV4 remote address of the connection.
Organization (dict) --
ISP Organization information of the remote IP address.
Asn (string) --
Autonomous system number of the internet provider of the remote IP address.
AsnOrg (string) --
Organization that registered this ASN.
Isp (string) --
ISP information for the internet provider.
Org (string) --
Name of the internet provider.
RemotePortDetails (dict) --
Remote port information of the connection.
Port (integer) --
Port number of the remote connection.
PortName (string) --
Port name of the remote connection.
PortProbeAction (dict) --
Information about the PORT_PROBE action described in this finding.
Blocked (boolean) --
Port probe blocked information.
PortProbeDetails (list) --
A list of port probe details objects.
(dict) --
Contains information about the port probe details.
LocalPortDetails (dict) --
Local port information of the connection.
Port (integer) --
Port number of the local connection.
PortName (string) --
Port name of the local connection.
RemoteIpDetails (dict) --
Remote IP information of the connection.
City (dict) --
City information of the remote IP address.
CityName (string) --
City name of the remote IP address.
Country (dict) --
Country code of the remote IP address.
CountryCode (string) --
Country code of the remote IP address.
CountryName (string) --
Country name of the remote IP address.
GeoLocation (dict) --
Location information of the remote IP address.
Lat (float) --
Latitude information of remote IP address.
Lon (float) --
Longitude information of remote IP address.
IpAddressV4 (string) --
IPV4 remote address of the connection.
Organization (dict) --
ISP Organization information of the remote IP address.
Asn (string) --
Autonomous system number of the internet provider of the remote IP address.
AsnOrg (string) --
Organization that registered this ASN.
Isp (string) --
ISP information for the internet provider.
Org (string) --
Name of the internet provider.
Evidence (dict) --
An evidence object associated with the service.
ThreatIntelligenceDetails (list) --
A list of threat intelligence details related to the evidence.
(dict) --
An instance of a threat intelligence detail that constitutes evidence for the finding.
ThreatListName (string) --
The name of the threat intelligence list that triggered the finding.
ThreatNames (list) --
A list of names of the threats in the threat intelligence list that triggered the finding.
(string) --
Archived (boolean) --
Indicates whether this finding is archived.
Count (integer) --
Total count of the occurrences of this finding type.
DetectorId (string) --
Detector ID for the GuardDuty service.
EventFirstSeen (string) --
First seen timestamp of the activity that prompted GuardDuty to generate this finding.
EventLastSeen (string) --
Last seen timestamp of the activity that prompted GuardDuty to generate this finding.
ResourceRole (string) --
Resource role information for this finding.
ServiceName (string) --
The name of the AWS service (GuardDuty) that generated a finding.
UserFeedback (string) --
Feedback left about the finding.
Severity (float) --
The severity of the finding.
Title (string) --
The title for the finding.
Type (string) --
The type of the finding.
UpdatedAt (string) --
The time and date at which the finding was laste updated.