2022/10/13 - Amazon GuardDuty - 3 updated api methods
Changes: Add UnprocessedDataSources to CreateDetectorResponse, which specifies the data sources that couldn't be enabled during the CreateDetector request. In addition, update documentation.
{'UnprocessedDataSources': {'MalwareProtection': {'ScanEc2InstanceWithFindings': {'EbsVolumes': {'Reason': 'string', 'Status': 'ENABLED | DISABLED'}}, 'ServiceRole': 'string'}}}
Creates a single Amazon GuardDuty detector. A detector is a resource that represents the GuardDuty service. To start using GuardDuty, you must create a detector in each Region where you enable the service. You can have only one detector per account per Region. All data sources are enabled in a new detector by default.
See also: AWS API Documentation
Request Syntax
client.create_detector(
Enable=True|False,
ClientToken='string',
FindingPublishingFrequency='FIFTEEN_MINUTES'|'ONE_HOUR'|'SIX_HOURS',
DataSources={
'S3Logs': {
'Enable': True|False
},
'Kubernetes': {
'AuditLogs': {
'Enable': True|False
}
},
'MalwareProtection': {
'ScanEc2InstanceWithFindings': {
'EbsVolumes': True|False
}
}
},
Tags={
'string': 'string'
}
)
Enable (boolean) -- [REQUIRED]
A Boolean value that specifies whether the detector is to be enabled.
ClientToken (string) --
The idempotency token for the create request.
This field is autopopulated if not provided.
FindingPublishingFrequency (string) --
A value that specifies how frequently updated findings are exported.
DataSources (dict) --
Describes which data sources will be enabled for the detector.
S3Logs (dict) --
Describes whether S3 data event logs are enabled as a data source.
Enable (boolean) -- [REQUIRED]
The status of S3 data event logs as a data source.
Kubernetes (dict) --
Describes whether any Kubernetes logs are enabled as data sources.
AuditLogs (dict) -- [REQUIRED]
Describes whether Kubernetes audit logs are enabled as a data source.
Enable (boolean) -- [REQUIRED]
The status of Kubernetes audit logs as a data source.
MalwareProtection (dict) --
Describes whether Malware Protection is enabled as a data source.
ScanEc2InstanceWithFindings (dict) --
Describes the configuration of Malware Protection for EC2 instances with findings.
EbsVolumes (boolean) --
Describes the configuration for scanning EBS volumes as a data source.
Tags (dict) --
The tags to be added to a new detector resource.
(string) --
(string) --
Return type: dict
Response Syntax
{
'DetectorId': 'string',
'UnprocessedDataSources': {
'MalwareProtection': {
'ScanEc2InstanceWithFindings': {
'EbsVolumes': {
'Status': 'ENABLED'|'DISABLED',
'Reason': 'string'
}
},
'ServiceRole': 'string'
}
}
}
Response Structure
(dict) --
DetectorId (string) --
The unique ID of the created detector.
UnprocessedDataSources (dict) --
Specifies the data sources that couldn't be enabled when GuardDuty was enabled for the first time.
MalwareProtection (dict) --
An object that contains information on the status of all Malware Protection data sources.
ScanEc2InstanceWithFindings (dict) --
Describes the configuration of Malware Protection for EC2 instances with findings.
EbsVolumes (dict) --
Describes the configuration of scanning EBS volumes as a data source.
Status (string) --
Describes whether scanning EBS volumes is enabled as a data source.
Reason (string) --
Specifies the reason why scanning EBS volumes (Malware Protection) was not enabled as a data source.
ServiceRole (string) --
The GuardDuty Malware Protection service role.
{'DataSources': {'MalwareProtection': {'ScanEc2InstanceWithFindings': {'EbsVolumes': {'Reason': 'string'}}}}}
Retrieves an Amazon GuardDuty detector specified by the detectorId.
See also: AWS API Documentation
Request Syntax
client.get_detector(
DetectorId='string'
)
DetectorId (string) -- [REQUIRED]
The unique ID of the detector that you want to get.
Return type: dict
Response Syntax
{
'CreatedAt': 'string',
'FindingPublishingFrequency': 'FIFTEEN_MINUTES'|'ONE_HOUR'|'SIX_HOURS',
'ServiceRole': 'string',
'Status': 'ENABLED'|'DISABLED',
'UpdatedAt': 'string',
'DataSources': {
'CloudTrail': {
'Status': 'ENABLED'|'DISABLED'
},
'DNSLogs': {
'Status': 'ENABLED'|'DISABLED'
},
'FlowLogs': {
'Status': 'ENABLED'|'DISABLED'
},
'S3Logs': {
'Status': 'ENABLED'|'DISABLED'
},
'Kubernetes': {
'AuditLogs': {
'Status': 'ENABLED'|'DISABLED'
}
},
'MalwareProtection': {
'ScanEc2InstanceWithFindings': {
'EbsVolumes': {
'Status': 'ENABLED'|'DISABLED',
'Reason': 'string'
}
},
'ServiceRole': 'string'
}
},
'Tags': {
'string': 'string'
}
}
Response Structure
(dict) --
CreatedAt (string) --
The timestamp of when the detector was created.
FindingPublishingFrequency (string) --
The frequency at which findings are published.
ServiceRole (string) --
The GuardDuty service role.
Status (string) --
The detector status.
UpdatedAt (string) --
The last-updated timestamp for the detector.
DataSources (dict) --
Describes which data sources are enabled for the detector.
CloudTrail (dict) --
An object that contains information on the status of CloudTrail as a data source.
Status (string) --
Describes whether CloudTrail is enabled as a data source for the detector.
DNSLogs (dict) --
An object that contains information on the status of DNS logs as a data source.
Status (string) --
Denotes whether DNS logs are enabled as a data source.
FlowLogs (dict) --
An object that contains information on the status of VPC flow logs as a data source.
Status (string) --
Denotes whether VPC flow logs are enabled as a data source.
S3Logs (dict) --
An object that contains information on the status of S3 Data event logs as a data source.
Status (string) --
A value that describes whether S3 data event logs are enabled as a data source for the detector.
Kubernetes (dict) --
An object that contains information on the status of all Kubernetes data sources.
AuditLogs (dict) --
Describes whether Kubernetes audit logs are enabled as a data source.
Status (string) --
A value that describes whether Kubernetes audit logs are enabled as a data source.
MalwareProtection (dict) --
Describes the configuration of Malware Protection data sources.
ScanEc2InstanceWithFindings (dict) --
Describes the configuration of Malware Protection for EC2 instances with findings.
EbsVolumes (dict) --
Describes the configuration of scanning EBS volumes as a data source.
Status (string) --
Describes whether scanning EBS volumes is enabled as a data source.
Reason (string) --
Specifies the reason why scanning EBS volumes (Malware Protection) was not enabled as a data source.
ServiceRole (string) --
The GuardDuty Malware Protection service role.
Tags (dict) --
The tags of the detector resource.
(string) --
(string) --
{'MemberDataSourceConfigurations': {'DataSources': {'MalwareProtection': {'ScanEc2InstanceWithFindings': {'EbsVolumes': {'Reason': 'string'}}}}}}
Describes which data sources are enabled for the member account's detector.
See also: AWS API Documentation
Request Syntax
client.get_member_detectors(
DetectorId='string',
AccountIds=[
'string',
]
)
DetectorId (string) -- [REQUIRED]
The detector ID for the administrator account.
AccountIds (list) -- [REQUIRED]
The account IDs of the member accounts.
(string) --
Return type: dict
Response Syntax
{
'MemberDataSourceConfigurations': [
{
'AccountId': 'string',
'DataSources': {
'CloudTrail': {
'Status': 'ENABLED'|'DISABLED'
},
'DNSLogs': {
'Status': 'ENABLED'|'DISABLED'
},
'FlowLogs': {
'Status': 'ENABLED'|'DISABLED'
},
'S3Logs': {
'Status': 'ENABLED'|'DISABLED'
},
'Kubernetes': {
'AuditLogs': {
'Status': 'ENABLED'|'DISABLED'
}
},
'MalwareProtection': {
'ScanEc2InstanceWithFindings': {
'EbsVolumes': {
'Status': 'ENABLED'|'DISABLED',
'Reason': 'string'
}
},
'ServiceRole': 'string'
}
}
},
],
'UnprocessedAccounts': [
{
'AccountId': 'string',
'Result': 'string'
},
]
}
Response Structure
(dict) --
MemberDataSourceConfigurations (list) --
An object that describes which data sources are enabled for a member account.
(dict) --
Contains information on which data sources are enabled for a member account.
AccountId (string) --
The account ID for the member account.
DataSources (dict) --
Contains information on the status of data sources for the account.
CloudTrail (dict) --
An object that contains information on the status of CloudTrail as a data source.
Status (string) --
Describes whether CloudTrail is enabled as a data source for the detector.
DNSLogs (dict) --
An object that contains information on the status of DNS logs as a data source.
Status (string) --
Denotes whether DNS logs are enabled as a data source.
FlowLogs (dict) --
An object that contains information on the status of VPC flow logs as a data source.
Status (string) --
Denotes whether VPC flow logs are enabled as a data source.
S3Logs (dict) --
An object that contains information on the status of S3 Data event logs as a data source.
Status (string) --
A value that describes whether S3 data event logs are enabled as a data source for the member account's detector.
Kubernetes (dict) --
An object that contains information on the status of all Kubernetes data sources.
AuditLogs (dict) --
Describes whether Kubernetes audit logs are enabled as a data source.
Status (string) --
A value that describes whether Kubernetes audit logs are enabled as a data source.
MalwareProtection (dict) --
Describes the configuration of Malware Protection data sources.
ScanEc2InstanceWithFindings (dict) --
Describes the configuration of Malware Protection for EC2 instances with findings.
EbsVolumes (dict) --
Describes the configuration of scanning EBS volumes as a data source.
Status (string) --
Describes whether scanning EBS volumes is enabled as a data source.
Reason (string) --
Specifies the reason why scanning EBS volumes (Malware Protection) was not enabled as a data source.
ServiceRole (string) --
The GuardDuty Malware Protection service role.
UnprocessedAccounts (list) --
A list of member account IDs that could not be processed, along with the reason each one was not processed.
(dict) --
Contains information about the accounts that weren't processed.
AccountId (string) --
The Amazon Web Services account ID.
Result (string) --
A reason why the account hasn't been processed.
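The practical consequence of this release is that create_detector can return a DetectorId, and the detector can later report Status ENABLED, while one of the requested data sources (here Malware Protection's EBS volume scanning) never came up; the only place that failure is surfaced at creation time is UnprocessedDataSources, and afterwards in the Reason field of get_detector and get_member_detectors. The following is an added example, not code from the boto3 documentation or from AWS, showing how a caller would request every data source, read UnprocessedDataSources, and then sweep member accounts for any source that is not ENABLED. It assumes only the request and response shapes documented on this page. FakeGuardDuty, its detector ID, account IDs, role ARN and Reason strings are constructed sample data, and the batch of 50 AccountIds per get_member_detectors call is an assumption (the per-call limit is not stated here).

```python
# Added example (not from the boto3 docs): request every GuardDuty data source,
# check which ones actually came up, and audit member detectors.
# FakeGuardDuty and every ID/reason below are constructed sample data.
import uuid
from typing import Any, Dict, Iterator, List, Optional, Tuple

# Optional sources selectable in CreateDetector; CloudTrail, DNS logs and VPC
# flow logs are always on and have no request field.
ALL_DATA_SOURCES = {
    "S3Logs": {"Enable": True},
    "Kubernetes": {"AuditLogs": {"Enable": True}},
    "MalwareProtection": {"ScanEc2InstanceWithFindings": {"EbsVolumes": True}},
}


def iter_status_leaves(node: Any, path: Tuple[str, ...] = ()) -> Iterator[Tuple[str, str, str]]:
    """Yield (dotted path, Status, Reason) for every {'Status': ...} leaf in a
    DataSources-shaped dict; plain strings such as ServiceRole are skipped."""
    if not isinstance(node, dict):
        return
    if "Status" in node:
        yield ".".join(path), node["Status"], node.get("Reason", "")
        return
    for key, child in node.items():
        yield from iter_status_leaves(child, path + (key,))


def create_detector_checked(client, client_token: Optional[str] = None):
    """CreateDetector succeeds even when a source could not be enabled, so read
    UnprocessedDataSources. Returns (DetectorId, [(path, Status, Reason), ...])."""
    resp = client.create_detector(
        Enable=True,
        ClientToken=client_token or str(uuid.uuid4()),  # retries stay idempotent
        FindingPublishingFrequency="FIFTEEN_MINUTES",
        DataSources=ALL_DATA_SOURCES,
    )
    failed = [leaf for leaf in iter_status_leaves(resp.get("UnprocessedDataSources", {}))
              if leaf[1] != "ENABLED"]
    return resp["DetectorId"], failed


def disabled_sources(data_sources: Dict[str, Any]) -> List[Tuple[str, str]]:
    """(path, Reason) for each source a DataSources block reports as not ENABLED."""
    return [(p, r) for p, s, r in iter_status_leaves(data_sources) if s != "ENABLED"]


def audit_member_detectors(client, admin_detector_id: str, account_ids: List[str], batch: int = 50):
    """Returns ({account: [(source, reason)]} for members with coverage gaps,
    {account: Result} for accounts GuardDuty could not process).
    batch=50 AccountIds per call is an assumption; the limit is not on this page."""
    gaps: Dict[str, List[Tuple[str, str]]] = {}
    unprocessed: Dict[str, str] = {}
    for i in range(0, len(account_ids), batch):
        resp = client.get_member_detectors(
            DetectorId=admin_detector_id, AccountIds=account_ids[i:i + batch])
        for member in resp.get("MemberDataSourceConfigurations", []):
            bad = disabled_sources(member["DataSources"])
            if bad:
                gaps[member["AccountId"]] = bad
        for acct in resp.get("UnprocessedAccounts", []):
            unprocessed[acct["AccountId"]] = acct["Result"]
    return gaps, unprocessed


class FakeGuardDuty:
    """Constructed stand-in for boto3.client('guardduty') with the documented
    response shapes; swap in the real client for production use."""
    DETECTOR_ID = "12abc34d567e8fa901bc2d34e56789f0"

    @staticmethod
    def _sources(s3="ENABLED", ebs="ENABLED", reason=""):
        return {"CloudTrail": {"Status": "ENABLED"}, "DNSLogs": {"Status": "ENABLED"},
                "FlowLogs": {"Status": "ENABLED"}, "S3Logs": {"Status": s3},
                "Kubernetes": {"AuditLogs": {"Status": "ENABLED"}},
                "MalwareProtection": {
                    "ScanEc2InstanceWithFindings": {"EbsVolumes": {"Status": ebs, "Reason": reason}},
                    "ServiceRole": "arn:aws:iam::111111111111:role/constructed-example"}}

    def create_detector(self, **kwargs):
        # The detector is created, but Malware Protection did not come up.
        return {"DetectorId": self.DETECTOR_ID,
                "UnprocessedDataSources": {"MalwareProtection": {
                    "ScanEc2InstanceWithFindings": {"EbsVolumes": {
                        "Status": "DISABLED", "Reason": "constructed: role not available"}},
                    "ServiceRole": ""}}}

    def get_member_detectors(self, DetectorId, AccountIds):
        known = {"111111111111": self._sources(),
                 "222222222222": self._sources(s3="DISABLED", ebs="DISABLED", reason="constructed reason")}
        return {"MemberDataSourceConfigurations": [
                    {"AccountId": a, "DataSources": known[a]} for a in AccountIds if a in known],
                "UnprocessedAccounts": [
                    {"AccountId": a, "Result": "constructed: not a member"} for a in AccountIds if a not in known]}


if __name__ == "__main__":
    gd = FakeGuardDuty()  # for real use: boto3.client("guardduty", region_name=...)
    detector_id, failed = create_detector_checked(gd)
    print(detector_id, failed)
    print(audit_member_detectors(gd, detector_id, ["111111111111", "222222222222", "333333333333"]))
```

Two design points: the ClientToken makes a retried create_detector safe against the one-detector-per-Region limit, and the audit treats anything other than ENABLED as a gap rather than testing for DISABLED, so an unexpected value is reported instead of silently passing. Accounts in UnprocessedAccounts are returned separately because they were not examined at all, which is a different condition from a member with a known disabled source.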