Amazon GuardDuty

2019/08/09 - Amazon GuardDuty - 1 updated api methods

Changes: Update guardduty client to latest version

GetFindings (updated)
Changes (response)
{'Findings': {'Service': {'Evidence': {'ThreatIntelligenceDetails': [{'ThreatListName': 'string',
                                                                      'ThreatNames': ['string']}]}}}}

Describes Amazon GuardDuty findings specified by finding IDs.

Request Syntax

response = client.get_findings(
    DetectorId='string',
    FindingIds=[
        'string',
    ],
    SortCriteria={
        'AttributeName': 'string',
        'OrderBy': 'ASC'|'DESC'
    }
)
Parameters

  • DetectorId (string) --

    The ID of the detector that specifies the GuardDuty service whose findings you want to retrieve.

  • FindingIds (list) --

    IDs of the findings that you want to retrieve.

    • (string) --

  • SortCriteria (dict) --

    Represents the criteria used for sorting findings.

    • AttributeName (string) --

      Represents the finding attribute (for example, accountId) by which to sort findings.

    • OrderBy (string) --

      Order by which the sorted findings are to be displayed.



Response Syntax

{
    'Findings': [
        {
            'AccountId': 'string',
            'Arn': 'string',
            'Confidence': 123.0,
            'CreatedAt': 'string',
            'Description': 'string',
            'Id': 'string',
            'Partition': 'string',
            'Region': 'string',
            'Resource': {
                'AccessKeyDetails': {
                    'AccessKeyId': 'string',
                    'PrincipalId': 'string',
                    'UserName': 'string',
                    'UserType': 'string'
                },
                'InstanceDetails': {
                    'AvailabilityZone': 'string',
                    'IamInstanceProfile': {
                        'Arn': 'string',
                        'Id': 'string'
                    },
                    'ImageDescription': 'string',
                    'ImageId': 'string',
                    'InstanceId': 'string',
                    'InstanceState': 'string',
                    'InstanceType': 'string',
                    'LaunchTime': 'string',
                    'NetworkInterfaces': [
                        {
                            'Ipv6Addresses': [
                                'string',
                            ],
                            'NetworkInterfaceId': 'string',
                            'PrivateDnsName': 'string',
                            'PrivateIpAddress': 'string',
                            'PrivateIpAddresses': [
                                {
                                    'PrivateDnsName': 'string',
                                    'PrivateIpAddress': 'string'
                                },
                            ],
                            'PublicDnsName': 'string',
                            'PublicIp': 'string',
                            'SecurityGroups': [
                                {
                                    'GroupId': 'string',
                                    'GroupName': 'string'
                                },
                            ],
                            'SubnetId': 'string',
                            'VpcId': 'string'
                        },
                    ],
                    'Platform': 'string',
                    'ProductCodes': [
                        {
                            'Code': 'string',
                            'ProductType': 'string'
                        },
                    ],
                    'Tags': [
                        {
                            'Key': 'string',
                            'Value': 'string'
                        },
                    ]
                },
                'ResourceType': 'string'
            },
            'SchemaVersion': 'string',
            'Service': {
                'Action': {
                    'ActionType': 'string',
                    'AwsApiCallAction': {
                        'Api': 'string',
                        'CallerType': 'string',
                        'DomainDetails': {
                            'Domain': 'string'
                        },
                        'RemoteIpDetails': {
                            'City': {
                                'CityName': 'string'
                            },
                            'Country': {
                                'CountryCode': 'string',
                                'CountryName': 'string'
                            },
                            'GeoLocation': {
                                'Lat': 123.0,
                                'Lon': 123.0
                            },
                            'IpAddressV4': 'string',
                            'Organization': {
                                'Asn': 'string',
                                'AsnOrg': 'string',
                                'Isp': 'string',
                                'Org': 'string'
                            }
                        },
                        'ServiceName': 'string'
                    },
                    'DnsRequestAction': {
                        'Domain': 'string'
                    },
                    'NetworkConnectionAction': {
                        'Blocked': True|False,
                        'ConnectionDirection': 'string',
                        'LocalPortDetails': {
                            'Port': 123,
                            'PortName': 'string'
                        },
                        'Protocol': 'string',
                        'RemoteIpDetails': {
                            'City': {
                                'CityName': 'string'
                            },
                            'Country': {
                                'CountryCode': 'string',
                                'CountryName': 'string'
                            },
                            'GeoLocation': {
                                'Lat': 123.0,
                                'Lon': 123.0
                            },
                            'IpAddressV4': 'string',
                            'Organization': {
                                'Asn': 'string',
                                'AsnOrg': 'string',
                                'Isp': 'string',
                                'Org': 'string'
                            }
                        },
                        'RemotePortDetails': {
                            'Port': 123,
                            'PortName': 'string'
                        }
                    },
                    'PortProbeAction': {
                        'Blocked': True|False,
                        'PortProbeDetails': [
                            {
                                'LocalPortDetails': {
                                    'Port': 123,
                                    'PortName': 'string'
                                },
                                'RemoteIpDetails': {
                                    'City': {
                                        'CityName': 'string'
                                    },
                                    'Country': {
                                        'CountryCode': 'string',
                                        'CountryName': 'string'
                                    },
                                    'GeoLocation': {
                                        'Lat': 123.0,
                                        'Lon': 123.0
                                    },
                                    'IpAddressV4': 'string',
                                    'Organization': {
                                        'Asn': 'string',
                                        'AsnOrg': 'string',
                                        'Isp': 'string',
                                        'Org': 'string'
                                    }
                                }
                            },
                        ]
                    }
                },
                'Evidence': {
                    'ThreatIntelligenceDetails': [
                        {
                            'ThreatListName': 'string',
                            'ThreatNames': [
                                'string',
                            ]
                        },
                    ]
                },
                'Archived': True|False,
                'Count': 123,
                'DetectorId': 'string',
                'EventFirstSeen': 'string',
                'EventLastSeen': 'string',
                'ResourceRole': 'string',
                'ServiceName': 'string',
                'UserFeedback': 'string'
            },
            'Severity': 123.0,
            'Title': 'string',
            'Type': 'string',
            'UpdatedAt': 'string'
        },
    ]
}

Response Structure

  • (dict) --

    • Findings (list) --

      A list of findings.

      • (dict) --

        Contains information about the finding.

        • AccountId (string) --

          The ID of the account in which the finding was generated.

        • Arn (string) --

          The ARN for the finding.

        • Confidence (float) --

          The confidence score for the finding.

        • CreatedAt (string) --

          The time and date at which the finding was created.

        • Description (string) --

          The description of the finding.

        • Id (string) --

          The ID of the finding.

        • Partition (string) --

          The partition associated with the finding.

        • Region (string) --

          The Region in which the finding was generated.

        • Resource (dict) --

          Contains information about the resource.

          • AccessKeyDetails (dict) --

            The IAM access key details (IAM user information) of a user that engaged in the activity that prompted GuardDuty to generate a finding.

            • AccessKeyId (string) --

              Access key ID of the user.

            • PrincipalId (string) --

              The principal ID of the user.

            • UserName (string) --

              The name of the user.

            • UserType (string) --

              The type of the user.

          • InstanceDetails (dict) --

            The information about the EC2 instance associated with the activity that prompted GuardDuty to generate a finding.

            • AvailabilityZone (string) --

              The availability zone of the EC2 instance.

            • IamInstanceProfile (dict) --

              The profile information of the EC2 instance.

              • Arn (string) --

                AWS EC2 instance profile ARN.

              • Id (string) --

                AWS EC2 instance profile ID.

            • ImageDescription (string) --

              The image description of the EC2 instance.

            • ImageId (string) --

              The image ID of the EC2 instance.

            • InstanceId (string) --

              The ID of the EC2 instance.

            • InstanceState (string) --

              The state of the EC2 instance.

            • InstanceType (string) --

              The type of the EC2 instance.

            • LaunchTime (string) --

              The launch time of the EC2 instance.

            • NetworkInterfaces (list) --

              The network interface information of the EC2 instance.

              • (dict) --

                Contains information about the network interface.

                • Ipv6Addresses (list) --

                  A list of EC2 instance IPv6 address information.

                  • (string) --

                • NetworkInterfaceId (string) --

                  The ID of the network interface.

                • PrivateDnsName (string) --

                  Private DNS name of the EC2 instance.

                • PrivateIpAddress (string) --

                  Private IP address of the EC2 instance.

                • PrivateIpAddresses (list) --

                  Other private IP address information of the EC2 instance.

                  • (dict) --

                    Contains information about the private IP address.

                    • PrivateDnsName (string) --

                      Private DNS name of the EC2 instance.

                    • PrivateIpAddress (string) --

                      Private IP address of the EC2 instance.

                • PublicDnsName (string) --

                  Public DNS name of the EC2 instance.

                • PublicIp (string) --

                  Public IP address of the EC2 instance.

                • SecurityGroups (list) --

                  Security groups associated with the EC2 instance.

                  • (dict) --

                    Contains information about the security group.

                    • GroupId (string) --

                      EC2 instance's security group ID.

                    • GroupName (string) --

                      EC2 instance's security group name.

                • SubnetId (string) --

                  The subnet ID of the EC2 instance.

                • VpcId (string) --

                  The VPC ID of the EC2 instance.

            • Platform (string) --

              The platform of the EC2 instance.

            • ProductCodes (list) --

              The product code of the EC2 instance.

              • (dict) --

                Contains information about the product code.

                • Code (string) --

                  Product code information.

                • ProductType (string) --

                  Product code type.

            • Tags (list) --

              The tags of the EC2 instance.

              • (dict) --

                Contains information about the tag associated with the resource.

                • Key (string) --

                  EC2 instance tag key.

                • Value (string) --

                  EC2 instance tag value.

          • ResourceType (string) --

            The type of the AWS resource.

        • SchemaVersion (string) --

          The version of the schema used for the finding.

        • Service (dict) --

          Contains information about the service.

          • Action (dict) --

            Information about the activity described in a finding.

            • ActionType (string) --

              GuardDuty Finding activity type.

            • AwsApiCallAction (dict) --

              Information about the AWS_API_CALL action described in this finding.

              • Api (string) --

                AWS API name.

              • CallerType (string) --

                AWS API caller type.

              • DomainDetails (dict) --

                Domain information for the AWS API call.

                • Domain (string) --

                  Domain information for the AWS API call.

              • RemoteIpDetails (dict) --

                Remote IP information of the connection.

                • City (dict) --

                  City information of the remote IP address.

                  • CityName (string) --

                    City name of the remote IP address.

                • Country (dict) --

                  Country information of the remote IP address.

                  • CountryCode (string) --

                    Country code of the remote IP address.

                  • CountryName (string) --

                    Country name of the remote IP address.

                • GeoLocation (dict) --

                  Location information of the remote IP address.

                  • Lat (float) --

                    Latitude information of remote IP address.

                  • Lon (float) --

                    Longitude information of remote IP address.

                • IpAddressV4 (string) --

                  IPV4 remote address of the connection.

                • Organization (dict) --

                  ISP Organization information of the remote IP address.

                  • Asn (string) --

                    Autonomous system number of the internet provider of the remote IP address.

                  • AsnOrg (string) --

                    Organization that registered this ASN.

                  • Isp (string) --

                    ISP information for the internet provider.

                  • Org (string) --

                    Name of the internet provider.

              • ServiceName (string) --

                AWS service name whose API was invoked.

            • DnsRequestAction (dict) --

              Information about the DNS_REQUEST action described in this finding.

              • Domain (string) --

                Domain information for the DNS request.

            • NetworkConnectionAction (dict) --

              Information about the NETWORK_CONNECTION action described in this finding.

              • Blocked (boolean) --

                Network connection blocked information.

              • ConnectionDirection (string) --

                Network connection direction.

              • LocalPortDetails (dict) --

                Local port information of the connection.

                • Port (integer) --

                  Port number of the local connection.

                • PortName (string) --

                  Port name of the local connection.

              • Protocol (string) --

                Network connection protocol.

              • RemoteIpDetails (dict) --

                Remote IP information of the connection.

                • City (dict) --

                  City information of the remote IP address.

                  • CityName (string) --

                    City name of the remote IP address.

                • Country (dict) --

                  Country information of the remote IP address.

                  • CountryCode (string) --

                    Country code of the remote IP address.

                  • CountryName (string) --

                    Country name of the remote IP address.

                • GeoLocation (dict) --

                  Location information of the remote IP address.

                  • Lat (float) --

                    Latitude information of remote IP address.

                  • Lon (float) --

                    Longitude information of remote IP address.

                • IpAddressV4 (string) --

                  IPV4 remote address of the connection.

                • Organization (dict) --

                  ISP Organization information of the remote IP address.

                  • Asn (string) --

                    Autonomous system number of the internet provider of the remote IP address.

                  • AsnOrg (string) --

                    Organization that registered this ASN.

                  • Isp (string) --

                    ISP information for the internet provider.

                  • Org (string) --

                    Name of the internet provider.

              • RemotePortDetails (dict) --

                Remote port information of the connection.

                • Port (integer) --

                  Port number of the remote connection.

                • PortName (string) --

                  Port name of the remote connection.

            • PortProbeAction (dict) --

              Information about the PORT_PROBE action described in this finding.

              • Blocked (boolean) --

                Port probe blocked information.

              • PortProbeDetails (list) --

                A list of port probe details objects.

                • (dict) --

                  Contains information about the port probe details.

                  • LocalPortDetails (dict) --

                    Local port information of the connection.

                    • Port (integer) --

                      Port number of the local connection.

                    • PortName (string) --

                      Port name of the local connection.

                  • RemoteIpDetails (dict) --

                    Remote IP information of the connection.

                    • City (dict) --

                      City information of the remote IP address.

                      • CityName (string) --

                        City name of the remote IP address.

                    • Country (dict) --

                      Country information of the remote IP address.

                      • CountryCode (string) --

                        Country code of the remote IP address.

                      • CountryName (string) --

                        Country name of the remote IP address.

                    • GeoLocation (dict) --

                      Location information of the remote IP address.

                      • Lat (float) --

                        Latitude information of remote IP address.

                      • Lon (float) --

                        Longitude information of remote IP address.

                    • IpAddressV4 (string) --

                      IPV4 remote address of the connection.

                    • Organization (dict) --

                      ISP Organization information of the remote IP address.

                      • Asn (string) --

                        Autonomous system number of the internet provider of the remote IP address.

                      • AsnOrg (string) --

                        Organization that registered this ASN.

                      • Isp (string) --

                        ISP information for the internet provider.

                      • Org (string) --

                        Name of the internet provider.

          • Evidence (dict) --

            An evidence object associated with the service.

            • ThreatIntelligenceDetails (list) --

              A list of threat intelligence details related to the evidence.

              • (dict) --

                An instance of a threat intelligence detail that constitutes evidence for the finding.

                • ThreatListName (string) --

                  The name of the threat intelligence list that triggered the finding.

                • ThreatNames (list) --

                  A list of names of the threats in the threat intelligence list that triggered the finding.

                  • (string) --

          • Archived (boolean) --

            Indicates whether this finding is archived.

          • Count (integer) --

            Total count of the occurrences of this finding type.

          • DetectorId (string) --

            Detector ID for the GuardDuty service.

          • EventFirstSeen (string) --

            First seen timestamp of the activity that prompted GuardDuty to generate this finding.

          • EventLastSeen (string) --

            Last seen timestamp of the activity that prompted GuardDuty to generate this finding.

          • ResourceRole (string) --

            Resource role information for this finding.

          • ServiceName (string) --

            The name of the AWS service (GuardDuty) that generated a finding.

          • UserFeedback (string) --

            Feedback left about the finding.

        • Severity (float) --

          The severity of the finding.

        • Title (string) --

          The title for the finding.

        • Type (string) --

          The type of the finding.

        • UpdatedAt (string) --

          The time and date at which the finding was last updated.
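The response above nests the remote-IP details differently for each action type and only carries the new Service.Evidence.ThreatIntelligenceDetails block on findings that a threat list triggered. The following is an added example, not boto3's or GuardDuty's own code: it takes a dict in the shape that get_findings() returns, flattens the threat-list evidence, pulls the remote IPv4 address from whichever of AwsApiCallAction, NetworkConnectionAction or PortProbeAction carries it (DnsRequestAction has none), and orders the result by severity for triage. SAMPLE_RESPONSE, its finding IDs, addresses and threat list name are constructed placeholders, and the helper names (remote_ip, threat_intel, triage) are this example's own.

```python
"""Triage helper for the GetFindings response shape documented above.

This is an added example, not boto3's or GuardDuty's own code. It accepts the
dict that a boto3 get_findings() call returns and summarises each finding,
including the Service.Evidence.ThreatIntelligenceDetails block added in this
update. SAMPLE_RESPONSE is a constructed sample; its IDs, addresses and threat
list names are placeholders, not real GuardDuty output.
"""
from typing import Any, Dict, List, Optional


def remote_ip(service: Dict[str, Any]) -> Optional[str]:
    """Return the remote IPv4 address from whichever action type carries one.

    AwsApiCallAction and NetworkConnectionAction embed a single RemoteIpDetails;
    PortProbeAction carries a list of PortProbeDetails, each with its own
    RemoteIpDetails. DnsRequestAction has none, so None is returned for it.
    """
    action = service.get("Action", {})
    for key in ("AwsApiCallAction", "NetworkConnectionAction"):
        ip = action.get(key, {}).get("RemoteIpDetails", {}).get("IpAddressV4")
        if ip:
            return ip
    for probe in action.get("PortProbeAction", {}).get("PortProbeDetails", []):
        ip = probe.get("RemoteIpDetails", {}).get("IpAddressV4")
        if ip:
            return ip
    return None


def threat_intel(service: Dict[str, Any]) -> List[str]:
    """Flatten Evidence.ThreatIntelligenceDetails into 'list:threat' strings.

    Evidence is only present on findings driven by a threat list, so every
    level is read with .get() and an empty list comes back otherwise.
    """
    out: List[str] = []
    for d in service.get("Evidence", {}).get("ThreatIntelligenceDetails", []):
        list_name = d.get("ThreatListName", "unknown-list")
        for name in d.get("ThreatNames") or ["unnamed-threat"]:
            out.append(f"{list_name}:{name}")
    return out


def triage(response: Dict[str, Any], min_severity: float = 0.0) -> List[Dict[str, Any]]:
    """Summarise findings at or above min_severity, highest severity first."""
    rows = []
    for f in response.get("Findings", []):
        sev = float(f.get("Severity", 0.0))
        if sev < min_severity:
            continue
        svc = f.get("Service", {})
        rows.append({
            "id": f.get("Id"),
            "type": f.get("Type"),
            "severity": sev,
            "action": svc.get("Action", {}).get("ActionType"),
            "remote_ip": remote_ip(svc),
            "threat_intel": threat_intel(svc),
            "count": svc.get("Count", 0),
            "archived": svc.get("Archived", False),
        })
    rows.sort(key=lambda r: (-r["severity"], r["id"] or ""))
    return rows


# Constructed sample in the GetFindings response shape (only the keys the
# helpers read are filled in); values are placeholders, not real findings.
SAMPLE_RESPONSE: Dict[str, Any] = {"Findings": [
    {"Id": "finding-a", "Type": "UnauthorizedAccess:EC2/MaliciousIPCaller.Custom",
     "Severity": 5.0, "Service": {
         "Action": {"ActionType": "NETWORK_CONNECTION",
                    "NetworkConnectionAction": {
                        "Blocked": False, "ConnectionDirection": "OUTBOUND",
                        "Protocol": "TCP",
                        "RemoteIpDetails": {"IpAddressV4": "203.0.113.10"},
                        "RemotePortDetails": {"Port": 443, "PortName": "HTTPS"}}},
         "Evidence": {"ThreatIntelligenceDetails": [
             {"ThreatListName": "example-custom-list",
              "ThreatNames": ["known-bad-host"]}]},
         "Count": 3, "Archived": False}},
    {"Id": "finding-b", "Type": "Recon:EC2/PortProbeUnprotectedPort",
     "Severity": 2.0, "Service": {
         "Action": {"ActionType": "PORT_PROBE",
                    "PortProbeAction": {"Blocked": False, "PortProbeDetails": [
                        {"LocalPortDetails": {"Port": 22, "PortName": "SSH"},
                         "RemoteIpDetails": {"IpAddressV4": "198.51.100.7"}}]}},
         "Count": 12, "Archived": False}},
    {"Id": "finding-c", "Type": "Trojan:EC2/DNSDataExfiltration",
     "Severity": 8.0, "Service": {
         "Action": {"ActionType": "DNS_REQUEST",
                    "DnsRequestAction": {"Domain": "example.invalid"}},
         "Count": 1, "Archived": False}},
]}


if __name__ == "__main__":
    for row in triage(SAMPLE_RESPONSE, min_severity=2.0):
        print(f"{row['severity']:>4}  {row['id']:<10} {str(row['action']):<18} "
              f"ip={row['remote_ip']}  ti={row['threat_intel']}")
```

Every lookup goes through .get() because GuardDuty populates only the action sub-object that matches ActionType, and Evidence is absent entirely on findings with no threat-list match; a triage script that indexes those keys directly will raise on the first finding of a different type. The same helpers work unchanged on the real response from client.get_findings(DetectorId=..., FindingIds=...).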