Amazon GuardDuty

2019/06/13 - Amazon GuardDuty - 3 new, 8 updated API methods

Changes: Update guardduty client to latest version

ListTagsForResource (new)

Lists tags for a resource. Tagging is currently supported for detectors, finding filters, IP sets, and Threat Intel sets, with a limit of 50 tags per resource. When invoked, this operation returns all assigned tags for a given resource.

See also: AWS API Documentation

Request Syntax

client.list_tags_for_resource(
    ResourceArn='string'
)
type ResourceArn:

string

param ResourceArn:

[REQUIRED]

The Amazon Resource Name (ARN) for the given GuardDuty resource

rtype:

dict

returns:

Response Syntax

{
    'Tags': {
        'string': 'string'
    }
}

Response Structure

  • (dict) --

    • Tags (dict) --

      • (string) --

        • (string) --

UntagResource (new)

Removes tags from a resource.

See also: AWS API Documentation

Request Syntax

client.untag_resource(
    ResourceArn='string',
    TagKeys=[
        'string',
    ]
)
type ResourceArn:

string

param ResourceArn:

[REQUIRED]

The Amazon Resource Name (ARN) for the given GuardDuty resource

type TagKeys:

list

param TagKeys:

[REQUIRED]

The tag keys to remove from a resource.

  • (string) --

rtype:

dict

returns:

Response Syntax

{}

Response Structure

  • (dict) --

TagResource (new)

Adds tags to a resource.

See also: AWS API Documentation

Request Syntax

client.tag_resource(
    ResourceArn='string',
    Tags={
        'string': 'string'
    }
)
type ResourceArn:

string

param ResourceArn:

[REQUIRED]

The Amazon Resource Name (ARN) for the given GuardDuty resource

type Tags:

dict

param Tags:

[REQUIRED]

The tags to be added to a resource.

  • (string) --

    • (string) --

rtype:

dict

returns:

Response Syntax

{}

Response Structure

  • (dict) --
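The three tagging operations above are most useful together: read the current tags, compute the difference from the tags you want, then issue at most one UntagResource and one TagResource call. The following is an added example, not code from the boto3 changelog or from AWS; it works against any object exposing `list_tags_for_resource`, `tag_resource` and `untag_resource` with the signatures shown on this page (such as `boto3.client("guardduty")`), and the `FakeGuardDutyClient`, the detector ARN and the tag values are constructed for the demo.

```python
"""Reconcile the tags on a GuardDuty resource with a desired set.

Added example; not part of the boto3 changelog. Works against any object
exposing list_tags_for_resource / tag_resource / untag_resource with the
signatures shown on this page, e.g. boto3.client("guardduty").
"""

MAX_TAGS_PER_RESOURCE = 50  # limit stated in the ListTagsForResource description


def plan_tag_changes(current, desired):
    """Return (tags_to_apply, keys_to_remove) that turn `current` into `desired`.

    Keys present in both with a different value are re-applied (TagResource
    overwrites); unchanged keys are skipped so no-op write calls are avoided.
    """
    if len(desired) > MAX_TAGS_PER_RESOURCE:
        raise ValueError(
            f"{len(desired)} tags requested; GuardDuty allows at most "
            f"{MAX_TAGS_PER_RESOURCE} per resource"
        )
    to_apply = {k: v for k, v in desired.items() if current.get(k) != v}
    to_remove = sorted(k for k in current if k not in desired)
    return to_apply, to_remove


def reconcile_tags(client, resource_arn, desired):
    """Make the resource's tags equal to `desired` using at most two write calls."""
    current = client.list_tags_for_resource(ResourceArn=resource_arn).get("Tags", {})
    to_apply, to_remove = plan_tag_changes(current, desired)
    if to_remove:
        client.untag_resource(ResourceArn=resource_arn, TagKeys=to_remove)
    if to_apply:
        client.tag_resource(ResourceArn=resource_arn, Tags=to_apply)
    return to_apply, to_remove


class FakeGuardDutyClient:
    """In-memory stand-in for boto3.client('guardduty'), constructed for this example."""

    def __init__(self, tags_by_arn):
        self.tags_by_arn = {arn: dict(t) for arn, t in tags_by_arn.items()}
        self.calls = []  # records the API operations issued, in order

    def list_tags_for_resource(self, ResourceArn):
        self.calls.append("ListTagsForResource")
        return {"Tags": dict(self.tags_by_arn.get(ResourceArn, {}))}

    def tag_resource(self, ResourceArn, Tags):
        self.calls.append("TagResource")
        self.tags_by_arn.setdefault(ResourceArn, {}).update(Tags)
        return {}

    def untag_resource(self, ResourceArn, TagKeys):
        self.calls.append("UntagResource")
        for key in TagKeys:
            self.tags_by_arn.get(ResourceArn, {}).pop(key, None)
        return {}


# Constructed sample: placeholder detector ARN and a hand-tagged detector.
DETECTOR_ARN = "arn:aws:guardduty:us-west-2:123456789012:detector/EXAMPLE-DETECTOR-ID"
DESIRED_TAGS = {"Owner": "secops", "Environment": "prod", "CostCenter": "4242"}


def demo():
    """Drift: wrong Owner, a stray Temp tag, CostCenter missing."""
    client = FakeGuardDutyClient(
        {DETECTOR_ARN: {"Owner": "platform", "Temp": "yes", "Environment": "prod"}}
    )
    applied, removed = reconcile_tags(client, DETECTOR_ARN, DESIRED_TAGS)
    return applied, removed, client.tags_by_arn[DETECTOR_ARN], client.calls


if __name__ == "__main__":
    print(demo())
```

Because TagResource overwrites an existing key, only keys whose value changed need to be sent, and the untag call is issued before the tag call so that a transient state never exceeds the desired key set. Replace `FakeGuardDutyClient` with `boto3.client("guardduty")` to run it against a real account.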

CreateDetector (updated)
Changes (request)
{'Tags': {'string': 'string'}}

Creates a single Amazon GuardDuty detector. A detector is an object that represents the GuardDuty service. A detector must be created in order for GuardDuty to become operational.

See also: AWS API Documentation

Request Syntax

client.create_detector(
    Enable=True|False,
    ClientToken='string',
    FindingPublishingFrequency='FIFTEEN_MINUTES'|'ONE_HOUR'|'SIX_HOURS',
    Tags={
        'string': 'string'
    }
)
type Enable:

boolean

param Enable:

[REQUIRED]

A boolean value that specifies whether the detector is to be enabled.

type ClientToken:

string

param ClientToken:

The idempotency token for the create request.

This field is autopopulated if not provided.

type FindingPublishingFrequency:

string

param FindingPublishingFrequency:

An enum value that specifies how frequently finding updates are published to the customer.

type Tags:

dict

param Tags:

The tags to be added to a new detector resource.

  • (string) --

    • (string) --

rtype:

dict

returns:

Response Syntax

{
    'DetectorId': 'string'
}

Response Structure

  • (dict) --

    • DetectorId (string) --

      The unique ID of the created detector.

CreateFilter (updated)
Changes (request)
{'Tags': {'string': 'string'}}

Creates a filter using the specified finding criteria.

See also: AWS API Documentation

Request Syntax

client.create_filter(
    DetectorId='string',
    Name='string',
    Description='string',
    Action='NOOP'|'ARCHIVE',
    Rank=123,
    FindingCriteria={
        'Criterion': {
            'string': {
                'Eq': [
                    'string',
                ],
                'Neq': [
                    'string',
                ],
                'Gt': 123,
                'Gte': 123,
                'Lt': 123,
                'Lte': 123,
                'Equals': [
                    'string',
                ],
                'NotEquals': [
                    'string',
                ],
                'GreaterThan': 123,
                'GreaterThanOrEqual': 123,
                'LessThan': 123,
                'LessThanOrEqual': 123
            }
        }
    },
    ClientToken='string',
    Tags={
        'string': 'string'
    }
)
type DetectorId:

string

param DetectorId:

[REQUIRED]

The unique ID of the detector of the GuardDuty account for which you want to create a filter.

type Name:

string

param Name:

[REQUIRED]

The name of the filter.

type Description:

string

param Description:

The description of the filter.

type Action:

string

param Action:

Specifies the action that is to be applied to the findings that match the filter.

type Rank:

integer

param Rank:

Specifies the position of the filter in the list of current filters. Also specifies the order in which this filter is applied to the findings.

type FindingCriteria:

dict

param FindingCriteria:

[REQUIRED]

Represents the criteria to be used in the filter for querying findings.

  • Criterion (dict) --

    Represents a map of finding properties that match specified conditions and values when querying findings.

    • (string) --

      • (dict) --

        • Eq (list) --

          Represents the equal condition to be applied to a single field when querying for findings.

          • (string) --

        • Neq (list) --

          Represents the not equal condition to be applied to a single field when querying for findings.

          • (string) --

        • Gt (integer) --

          Represents a greater than condition to be applied to a single field when querying for findings.

        • Gte (integer) --

          Represents a greater than equal condition to be applied to a single field when querying for findings.

        • Lt (integer) --

          Represents a less than condition to be applied to a single field when querying for findings.

        • Lte (integer) --

          Represents a less than equal condition to be applied to a single field when querying for findings.

        • Equals (list) --

          • (string) --

        • NotEquals (list) --

          • (string) --

        • GreaterThan (integer) --

          Represents a greater than condition to be applied to a single field when querying for findings.

        • GreaterThanOrEqual (integer) --

          Represents a greater than equal condition to be applied to a single field when querying for findings.

        • LessThan (integer) --

          Represents a less than condition to be applied to a single field when querying for findings.

        • LessThanOrEqual (integer) --

          Represents a less than equal condition to be applied to a single field when querying for findings.

type ClientToken:

string

param ClientToken:

The idempotency token for the create request.

This field is autopopulated if not provided.

type Tags:

dict

param Tags:

The tags to be added to a new filter resource.

  • (string) --

    • (string) --

rtype:

dict

returns:

Response Syntax

{
    'Name': 'string'
}

Response Structure

  • (dict) --

    • Name (string) --

      The name of the successfully created filter.
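A filter whose Action is ARCHIVE silently hides findings, so it is worth evaluating the FindingCriteria against sample findings before calling `create_filter`. The following is an added example, not code from the boto3 changelog or from AWS: a local evaluator for the condition keys shown in the request syntax above (Eq/Neq/Gt/Gte/Lt/Lte and their spelled-out aliases, ANDed across fields and across conditions on one field). The `severity` and `type` finding attributes are real GuardDuty filter fields; the sample findings, their ids and the filter itself are constructed for the demo.

```python
"""Dry-run a GuardDuty filter's FindingCriteria against sample findings.

Added example; not part of the boto3 changelog. Mirrors the condition keys
from the CreateFilter request syntax so a filter that will ARCHIVE findings
can be checked locally before client.create_filter(...) is called.
"""

# Both spellings appear in the request syntax on this page; treat them alike.
_LIST_CONDITIONS = {"Eq": "eq", "Equals": "eq", "Neq": "neq", "NotEquals": "neq"}
_NUMERIC_CONDITIONS = {
    "Gt": "gt", "GreaterThan": "gt",
    "Gte": "gte", "GreaterThanOrEqual": "gte",
    "Lt": "lt", "LessThan": "lt",
    "Lte": "lte", "LessThanOrEqual": "lte",
}


def _lookup(finding, dotted_path):
    """Resolve a 'service.action.actionType'-style path in a finding dict."""
    value = finding
    for part in dotted_path.split("."):
        if not isinstance(value, dict) or part not in value:
            return None
        value = value[part]
    return value


def _field_matches(value, conditions):
    """All conditions on a single field must hold (they are ANDed)."""
    for key, operand in conditions.items():
        if key in _LIST_CONDITIONS:
            in_list = str(value) in {str(x) for x in operand}
            if _LIST_CONDITIONS[key] == "eq" and not in_list:
                return False
            if _LIST_CONDITIONS[key] == "neq" and in_list:
                return False
        elif key in _NUMERIC_CONDITIONS:
            if value is None:  # a missing numeric field never satisfies a range
                return False
            op, number = _NUMERIC_CONDITIONS[key], float(value)
            if op == "gt" and not number > operand:
                return False
            if op == "gte" and not number >= operand:
                return False
            if op == "lt" and not number < operand:
                return False
            if op == "lte" and not number <= operand:
                return False
        else:
            raise ValueError(f"unknown condition {key!r}")
    return True


def finding_matches(finding, finding_criteria):
    """True when every field listed under Criterion matches (fields are ANDed)."""
    criterion = finding_criteria["Criterion"]
    return all(_field_matches(_lookup(finding, field), conds)
               for field, conds in criterion.items())


def dry_run_filter(finding_criteria, findings):
    """Return the ids of findings the filter would act on, in input order."""
    return [f["id"] for f in findings if finding_matches(f, finding_criteria)]


# Constructed sample filter: archive only low-severity port-probe findings.
ARCHIVE_LOW_RECON = {
    "Criterion": {
        "severity": {"LessThanOrEqual": 3},
        "type": {"Equals": ["Recon:EC2/PortProbeUnprotectedPort"]},
    }
}

# Constructed sample findings (ids and values are made up for the demo).
SAMPLE_FINDINGS = [
    {"id": "f-1", "severity": 2, "type": "Recon:EC2/PortProbeUnprotectedPort", "region": "us-west-2"},
    {"id": "f-2", "severity": 5, "type": "Recon:EC2/PortProbeUnprotectedPort", "region": "us-west-2"},
    {"id": "f-3", "severity": 8, "type": "Backdoor:EC2/C&CActivity.B!DNS", "region": "us-west-2"},
    {"id": "f-4", "severity": 2, "type": "Recon:EC2/PortProbeUnprotectedPort"},  # no region field
]


if __name__ == "__main__":
    print(dry_run_filter(ARCHIVE_LOW_RECON, SAMPLE_FINDINGS))
```

Once the dry run archives only what you intend, the same `ARCHIVE_LOW_RECON` dict is passed as `FindingCriteria` to `client.create_filter(DetectorId=..., Name=..., Action='ARCHIVE', FindingCriteria=ARCHIVE_LOW_RECON)`. Note that f-4 matches because the filter does not constrain `region`; adding a `region` criterion scopes it down, which is the kind of omission the dry run is meant to surface.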

CreateIPSet (updated)
Changes (request)
{'Tags': {'string': 'string'}}

Creates a new IPSet - a list of trusted IP addresses that have been whitelisted for secure communication with AWS infrastructure and applications.

See also: AWS API Documentation

Request Syntax

client.create_ip_set(
    DetectorId='string',
    Name='string',
    Format='TXT'|'STIX'|'OTX_CSV'|'ALIEN_VAULT'|'PROOF_POINT'|'FIRE_EYE',
    Location='string',
    Activate=True|False,
    ClientToken='string',
    Tags={
        'string': 'string'
    }
)
type DetectorId:

string

param DetectorId:

[REQUIRED]

The unique ID of the detector of the GuardDuty account for which you want to create an IPSet.

type Name:

string

param Name:

[REQUIRED]

The user friendly name to identify the IPSet. This name is displayed in all findings that are triggered by activity that involves IP addresses included in this IPSet.

type Format:

string

param Format:

[REQUIRED]

The format of the file that contains the IPSet.

type Location:

string

param Location:

[REQUIRED]

The URI of the file that contains the IPSet. For example (https://s3.us-west-2.amazonaws.com/my-bucket/my-object-key)

type Activate:

boolean

param Activate:

[REQUIRED]

A boolean value that indicates whether GuardDuty is to start using the uploaded IPSet.

type ClientToken:

string

param ClientToken:

The idempotency token for the create request.

This field is autopopulated if not provided.

type Tags:

dict

param Tags:

The tags to be added to a new IP set resource.

  • (string) --

    • (string) --

rtype:

dict

returns:

Response Syntax

{
    'IpSetId': 'string'
}

Response Structure

  • (dict) --

    • IpSetId (string) --

      The ID of the IPSet resource.

CreateThreatIntelSet (updated)
Changes (request)
{'Tags': {'string': 'string'}}

Create a new ThreatIntelSet. ThreatIntelSets consist of known malicious IP addresses. GuardDuty generates findings based on ThreatIntelSets.

See also: AWS API Documentation

Request Syntax

client.create_threat_intel_set(
    DetectorId='string',
    Name='string',
    Format='TXT'|'STIX'|'OTX_CSV'|'ALIEN_VAULT'|'PROOF_POINT'|'FIRE_EYE',
    Location='string',
    Activate=True|False,
    ClientToken='string',
    Tags={
        'string': 'string'
    }
)
type DetectorId:

string

param DetectorId:

[REQUIRED]

The unique ID of the detector of the GuardDuty account for which you want to create a threatIntelSet.

type Name:

string

param Name:

[REQUIRED]

A user-friendly ThreatIntelSet name that is displayed in all findings generated by activity that involves IP addresses included in this ThreatIntelSet.

type Format:

string

param Format:

[REQUIRED]

The format of the file that contains the ThreatIntelSet.

type Location:

string

param Location:

[REQUIRED]

The URI of the file that contains the ThreatIntelSet. For example (https://s3.us-west-2.amazonaws.com/my-bucket/my-object-key).

type Activate:

boolean

param Activate:

[REQUIRED]

A boolean value that indicates whether GuardDuty is to start using the uploaded ThreatIntelSet.

type ClientToken:

string

param ClientToken:

The idempotency token for the create request.

This field is autopopulated if not provided.

type Tags:

dict

param Tags:

The tags to be added to a new Threat List resource.

  • (string) --

    • (string) --

rtype:

dict

returns:

Response Syntax

{
    'ThreatIntelSetId': 'string'
}

Response Structure

  • (dict) --

    • ThreatIntelSetId (string) --

      The ID of the ThreatIntelSet resource.

GetDetector (updated)
Changes (response)
{'Tags': {'string': 'string'}}

Retrieves an Amazon GuardDuty detector specified by the detectorId.

See also: AWS API Documentation

Request Syntax

client.get_detector(
    DetectorId='string'
)
type DetectorId:

string

param DetectorId:

[REQUIRED]

The unique ID of the detector that you want to get.

rtype:

dict

returns:

Response Syntax

{
    'CreatedAt': 'string',
    'FindingPublishingFrequency': 'FIFTEEN_MINUTES'|'ONE_HOUR'|'SIX_HOURS',
    'ServiceRole': 'string',
    'Status': 'ENABLED'|'DISABLED',
    'UpdatedAt': 'string',
    'Tags': {
        'string': 'string'
    }
}

Response Structure

  • (dict) --

    • CreatedAt (string) --

      Detector creation timestamp.

    • FindingPublishingFrequency (string) --

      Finding publishing frequency.

    • ServiceRole (string) --

      The GuardDuty service role.

    • Status (string) --

      The detector status.

    • UpdatedAt (string) --

      Detector last update timestamp.

    • Tags (dict) --

      The tags of the detector resource.

      • (string) --

        • (string) --
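The GetDetector response above carries everything needed to check a detector against an organisational baseline: it must be ENABLED, it must publish findings at least as often as required, and (with this release) it must carry the expected tags. The following is an added example, not code from the boto3 changelog or from AWS; `client` is anything with a `get_detector(DetectorId=...)` method returning the response shape shown above, and the `FakeGuardDutyClient`, detector ids, timestamps and role ARN are constructed for the demo.

```python
"""Audit a GuardDuty detector's GetDetector response against a baseline.

Added example; not part of the boto3 changelog. `client` may be
boto3.client("guardduty") or the constructed FakeGuardDutyClient below.
"""

# Values of the FindingPublishingFrequency enum on this page, fastest first.
FREQUENCY_ORDER = ["FIFTEEN_MINUTES", "ONE_HOUR", "SIX_HOURS"]


def audit_detector(detector, max_frequency="ONE_HOUR", required_tags=("Owner",)):
    """Return a list of human-readable deviations; an empty list means compliant."""
    issues = []
    status = detector.get("Status")
    if status != "ENABLED":
        issues.append(f"status is {status}, expected ENABLED")
    freq = detector.get("FindingPublishingFrequency")
    if freq not in FREQUENCY_ORDER:
        issues.append(f"unknown FindingPublishingFrequency {freq!r}")
    elif FREQUENCY_ORDER.index(freq) > FREQUENCY_ORDER.index(max_frequency):
        issues.append(f"findings published every {freq}, slower than {max_frequency}")
    tags = detector.get("Tags", {})  # absent in older responses; treat as no tags
    for key in required_tags:
        if key not in tags:
            issues.append(f"missing required tag {key!r}")
    return issues


def audit_with_client(client, detector_id, **baseline):
    """Fetch the detector with GetDetector and audit it."""
    return audit_detector(client.get_detector(DetectorId=detector_id), **baseline)


class FakeGuardDutyClient:
    """Constructed stand-in returning canned GetDetector responses."""

    def __init__(self, detectors):
        self.detectors = detectors

    def get_detector(self, DetectorId):
        return dict(self.detectors[DetectorId])


# Constructed sample responses in the GetDetector response shape.
SAMPLE_DETECTORS = {
    "EXAMPLE-GOOD-DETECTOR": {
        "CreatedAt": "2019-06-13T00:00:00.000Z",
        "FindingPublishingFrequency": "FIFTEEN_MINUTES",
        "ServiceRole": "arn:aws:iam::123456789012:role/EXAMPLE-SERVICE-ROLE",
        "Status": "ENABLED",
        "UpdatedAt": "2019-06-13T00:00:00.000Z",
        "Tags": {"Owner": "secops"},
    },
    "EXAMPLE-BAD-DETECTOR": {
        "CreatedAt": "2019-06-13T00:00:00.000Z",
        "FindingPublishingFrequency": "SIX_HOURS",
        "ServiceRole": "arn:aws:iam::123456789012:role/EXAMPLE-SERVICE-ROLE",
        "Status": "DISABLED",
        "UpdatedAt": "2019-06-13T00:00:00.000Z",
        "Tags": {},
    },
}


if __name__ == "__main__":
    client = FakeGuardDutyClient(SAMPLE_DETECTORS)
    for detector_id in SAMPLE_DETECTORS:
        print(detector_id, audit_with_client(client, detector_id))
```

A disabled detector or one that publishes only every six hours delays or suppresses findings, and a missing Owner tag means nobody is routed the alerts, so each of these is reported as a separate issue rather than as a single pass/fail.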

GetFilter (updated)
Changes (response)
{'Tags': {'string': 'string'}}

Returns the details of the filter specified by the filter name.

See also: AWS API Documentation

Request Syntax

client.get_filter(
    DetectorId='string',
    FilterName='string'
)
type DetectorId:

string

param DetectorId:

[REQUIRED]

The unique ID of the detector the filter is associated with.

type FilterName:

string

param FilterName:

[REQUIRED]

The name of the filter you want to get.

rtype:

dict

returns:

Response Syntax

{
    'Name': 'string',
    'Description': 'string',
    'Action': 'NOOP'|'ARCHIVE',
    'Rank': 123,
    'FindingCriteria': {
        'Criterion': {
            'string': {
                'Eq': [
                    'string',
                ],
                'Neq': [
                    'string',
                ],
                'Gt': 123,
                'Gte': 123,
                'Lt': 123,
                'Lte': 123,
                'Equals': [
                    'string',
                ],
                'NotEquals': [
                    'string',
                ],
                'GreaterThan': 123,
                'GreaterThanOrEqual': 123,
                'LessThan': 123,
                'LessThanOrEqual': 123
            }
        }
    },
    'Tags': {
        'string': 'string'
    }
}

Response Structure

  • (dict) --

    • Name (string) --

      The name of the filter.

    • Description (string) --

      The description of the filter.

    • Action (string) --

      Specifies the action that is to be applied to the findings that match the filter.

    • Rank (integer) --

      Specifies the position of the filter in the list of current filters. Also specifies the order in which this filter is applied to the findings.

    • FindingCriteria (dict) --

      Represents the criteria to be used in the filter for querying findings.

      • Criterion (dict) --

        Represents a map of finding properties that match specified conditions and values when querying findings.

        • (string) --

          • (dict) --

            • Eq (list) --

              Represents the equal condition to be applied to a single field when querying for findings.

              • (string) --

            • Neq (list) --

              Represents the not equal condition to be applied to a single field when querying for findings.

              • (string) --

            • Gt (integer) --

              Represents a greater than condition to be applied to a single field when querying for findings.

            • Gte (integer) --

              Represents a greater than equal condition to be applied to a single field when querying for findings.

            • Lt (integer) --

              Represents a less than condition to be applied to a single field when querying for findings.

            • Lte (integer) --

              Represents a less than equal condition to be applied to a single field when querying for findings.

            • Equals (list) --

              • (string) --

            • NotEquals (list) --

              • (string) --

            • GreaterThan (integer) --

              Represents a greater than condition to be applied to a single field when querying for findings.

            • GreaterThanOrEqual (integer) --

              Represents a greater than equal condition to be applied to a single field when querying for findings.

            • LessThan (integer) --

              Represents a less than condition to be applied to a single field when querying for findings.

            • LessThanOrEqual (integer) --

              Represents a less than equal condition to be applied to a single field when querying for findings.

    • Tags (dict) --

      The tags of the filter resource.

      • (string) --

        • (string) --

GetIPSet (updated)
Changes (response)
{'Tags': {'string': 'string'}}

Retrieves the IPSet specified by the IPSet ID.

See also: AWS API Documentation

Request Syntax

client.get_ip_set(
    DetectorId='string',
    IpSetId='string'
)
type DetectorId:

string

param DetectorId:

[REQUIRED]

The unique ID of the detector the ipSet is associated with.

type IpSetId:

string

param IpSetId:

[REQUIRED]

The unique ID of the ipSet you want to get.

rtype:

dict

returns:

Response Syntax

{
    'Name': 'string',
    'Format': 'TXT'|'STIX'|'OTX_CSV'|'ALIEN_VAULT'|'PROOF_POINT'|'FIRE_EYE',
    'Location': 'string',
    'Status': 'INACTIVE'|'ACTIVATING'|'ACTIVE'|'DEACTIVATING'|'ERROR'|'DELETE_PENDING'|'DELETED',
    'Tags': {
        'string': 'string'
    }
}

Response Structure

  • (dict) --

    • Name (string) --

      The user friendly name to identify the IPSet. This name is displayed in all findings that are triggered by activity that involves IP addresses included in this IPSet.

    • Format (string) --

      The format of the file that contains the IPSet.

    • Location (string) --

      The URI of the file that contains the IPSet. For example (https://s3.us-west-2.amazonaws.com/my-bucket/my-object-key)

    • Status (string) --

The status of the uploaded IPSet file.

    • Tags (dict) --

      The tags of the IP set resource.

      • (string) --

        • (string) --

GetThreatIntelSet (updated)
Changes (response)
{'Tags': {'string': 'string'}}

Retrieves the ThreatIntelSet that is specified by the ThreatIntelSet ID.

See also: AWS API Documentation

Request Syntax

client.get_threat_intel_set(
    DetectorId='string',
    ThreatIntelSetId='string'
)
type DetectorId:

string

param DetectorId:

[REQUIRED]

The unique ID of the detector the threatIntelSet is associated with.

type ThreatIntelSetId:

string

param ThreatIntelSetId:

[REQUIRED]

The unique ID of the threatIntelSet you want to get.

rtype:

dict

returns:

Response Syntax

{
    'Name': 'string',
    'Format': 'TXT'|'STIX'|'OTX_CSV'|'ALIEN_VAULT'|'PROOF_POINT'|'FIRE_EYE',
    'Location': 'string',
    'Status': 'INACTIVE'|'ACTIVATING'|'ACTIVE'|'DEACTIVATING'|'ERROR'|'DELETE_PENDING'|'DELETED',
    'Tags': {
        'string': 'string'
    }
}

Response Structure

  • (dict) --

    • Name (string) --

A user-friendly ThreatIntelSet name that is displayed in all findings generated by activity that involves IP addresses included in this ThreatIntelSet.

    • Format (string) --

      The format of the threatIntelSet.

    • Location (string) --

      The URI of the file that contains the ThreatIntelSet. For example (https://s3.us-west-2.amazonaws.com/my-bucket/my-object-key).

    • Status (string) --

The status of the uploaded ThreatIntelSet file.

    • Tags (dict) --

      The tags of the Threat List resource.

      • (string) --

        • (string) --
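CreateIPSet and CreateThreatIntelSet return an id immediately, but the set only starts influencing findings once the Status reported by GetIPSet / GetThreatIntelSet reaches ACTIVE, and it can instead land in ERROR (for instance when the Location is unreadable). The following is an added example, not code from the boto3 changelog or from AWS, covering both the Create* and the Get* pairs: it validates the Location against the https S3 URL form given on this page, creates the set with Activate=True, and polls until a terminal status. Any object with the four methods in the signatures shown above works (such as `boto3.client("guardduty")`); the `FakeGuardDutyClient`, the detector id, set ids and set name are constructed for the demo.

```python
"""Create a GuardDuty IP set or threat intel set and wait until it is ACTIVE.

Added example; not part of the boto3 changelog. Works against any client
exposing create_ip_set/get_ip_set and create_threat_intel_set/get_threat_intel_set
with the signatures on this page, e.g. boto3.client("guardduty").
"""
import time
from urllib.parse import urlparse

# Status values from the GetIPSet / GetThreatIntelSet response syntax.
TERMINAL_OK = {"ACTIVE"}
TERMINAL_FAILED = {"ERROR", "DELETE_PENDING", "DELETED"}
# Format values from the CreateIPSet / CreateThreatIntelSet request syntax.
FORMATS = {"TXT", "STIX", "OTX_CSV", "ALIEN_VAULT", "PROOF_POINT", "FIRE_EYE"}


def validate_location(location):
    """Require the https S3 object URL form used in the Location description."""
    parsed = urlparse(location)
    if (parsed.scheme != "https" or "s3" not in parsed.netloc
            or not parsed.netloc.endswith("amazonaws.com") or not parsed.path.strip("/")):
        raise ValueError(f"Location must be an https S3 object URL, got {location!r}")
    return location


def create_and_activate(client, detector_id, name, location, kind="ip_set",
                        fmt="TXT", tags=None, poll_interval=0.0, max_polls=20):
    """Create the set with Activate=True, then poll Get* until a terminal status.

    kind is "ip_set" or "threat_intel_set". Returns (set_id, final_status);
    raises RuntimeError on a failed status and TimeoutError if it never settles.
    """
    if kind not in ("ip_set", "threat_intel_set"):
        raise ValueError(f"unsupported kind {kind!r}")
    if fmt not in FORMATS:
        raise ValueError(f"unsupported Format {fmt!r}")
    validate_location(location)
    create = getattr(client, f"create_{kind}")
    get = getattr(client, f"get_{kind}")
    id_key = "IpSetId" if kind == "ip_set" else "ThreatIntelSetId"
    resp = create(DetectorId=detector_id, Name=name, Format=fmt,
                  Location=location, Activate=True, Tags=tags or {})
    set_id = resp[id_key]
    status = None
    for _ in range(max_polls):
        status = get(DetectorId=detector_id, **{id_key: set_id})["Status"]
        if status in TERMINAL_OK:
            return set_id, status
        if status in TERMINAL_FAILED:
            raise RuntimeError(f"{kind} {set_id} ended in status {status}")
        time.sleep(poll_interval)  # ACTIVATING (or INACTIVE): keep waiting
    raise TimeoutError(f"{kind} {set_id} still {status} after {max_polls} polls")


class FakeGuardDutyClient:
    """Constructed stand-in: sets report ACTIVATING twice, then ACTIVE (or ERROR)."""

    def __init__(self, fail_ids=()):
        self.fail_ids = set(fail_ids)
        self.created = []  # request params of each Create* call
        self.polls = {}    # set id -> number of Get* calls seen

    def create_ip_set(self, **params):
        self.created.append(params)
        return {"IpSetId": f"ipset-{len(self.created)}"}

    def create_threat_intel_set(self, **params):
        self.created.append(params)
        return {"ThreatIntelSetId": f"tiset-{len(self.created)}"}

    def _status(self, set_id):
        n = self.polls[set_id] = self.polls.get(set_id, 0) + 1
        if set_id in self.fail_ids:
            return "ERROR"
        return "ACTIVATING" if n < 3 else "ACTIVE"

    def get_ip_set(self, DetectorId, IpSetId):
        return {"Name": "", "Format": "TXT", "Location": "",
                "Status": self._status(IpSetId), "Tags": {}}

    def get_threat_intel_set(self, DetectorId, ThreatIntelSetId):
        return {"Name": "", "Format": "TXT", "Location": "",
                "Status": self._status(ThreatIntelSetId), "Tags": {}}


# The Location example from this page; bucket and key are placeholders.
LOCATION = "https://s3.us-west-2.amazonaws.com/my-bucket/my-object-key"


def demo():
    """Create a trusted-IP set on a placeholder detector and wait for ACTIVE."""
    client = FakeGuardDutyClient()
    result = create_and_activate(client, "EXAMPLE-DETECTOR-ID", "trusted-office-egress",
                                 LOCATION, tags={"Owner": "secops"})
    return result, client.polls, client.created[0]


if __name__ == "__main__":
    print(demo())
```

Against a real account set `poll_interval` to a few seconds; the fake client settles after two ACTIVATING polls so the demo runs instantly. Tags are passed at creation time (new in this release) rather than in a separate TagResource call, so the set is never briefly untagged.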