Amazon GuardDuty

2025/12/02 - Amazon GuardDuty - 6 updated API methods

Changes: Adding support for extended threat detection for Amazon EC2 and Amazon ECS. Adding support for wildcard suppression rules.

CreateFilter (updated)
Changes (request)
{'FindingCriteria': {'Criterion': {'Matches': ['string'],
                                   'NotMatches': ['string']}}}

Creates a filter using the specified finding criteria. The maximum number of saved filters per Amazon Web Services account per Region is 100. For more information, see Quotas for GuardDuty.

See also: AWS API Documentation

Request Syntax

client.create_filter(
    DetectorId='string',
    Name='string',
    Description='string',
    Action='NOOP'|'ARCHIVE',
    Rank=123,
    FindingCriteria={
        'Criterion': {
            'string': {
                'Eq': [
                    'string',
                ],
                'Neq': [
                    'string',
                ],
                'Gt': 123,
                'Gte': 123,
                'Lt': 123,
                'Lte': 123,
                'Equals': [
                    'string',
                ],
                'NotEquals': [
                    'string',
                ],
                'GreaterThan': 123,
                'GreaterThanOrEqual': 123,
                'LessThan': 123,
                'LessThanOrEqual': 123,
                'Matches': [
                    'string',
                ],
                'NotMatches': [
                    'string',
                ]
            }
        }
    },
    ClientToken='string',
    Tags={
        'string': 'string'
    }
)
type DetectorId:

string

param DetectorId:

[REQUIRED]

The detector ID associated with the GuardDuty account for which you want to create a filter.

To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.

type Name:

string

param Name:

[REQUIRED]

The name of the filter. Valid characters include period (.), underscore (_), dash (-), and alphanumeric characters. Whitespace is not a valid character.

type Description:

string

param Description:

The description of the filter. Valid characters include alphanumeric characters and special characters such as hyphen, period, colon, underscore, brackets ({ }, [ ], and ( )), forward slash, horizontal tab, vertical tab, newline, form feed, carriage return, and whitespace.

type Action:

string

param Action:

Specifies the action that is to be applied to the findings that match the filter.

type Rank:

integer

param Rank:

Specifies the position of the filter in the list of current filters. Also specifies the order in which this filter is applied to the findings.

type FindingCriteria:

dict

param FindingCriteria:

[REQUIRED]

Represents the criteria to be used in the filter for querying findings.

You can only use the following attributes to query findings:

  • accountId

  • id

  • region

  • severity

    To filter on the basis of severity, the API and CLI use the following input list for the FindingCriteria condition:

    • Low: ["1", "2", "3"]

    • Medium: ["4", "5", "6"]

    • High: ["7", "8"]

    • Critical: ["9", "10"]

    For more information, see Findings severity levels in the Amazon GuardDuty User Guide.

  • type

  • updatedAt

    Type: ISO 8601 string in the format YYYY-MM-DDTHH:MM:SS.SSSZ or YYYY-MM-DDTHH:MM:SSZ, depending on whether the value contains milliseconds.

  • resource.accessKeyDetails.accessKeyId

  • resource.accessKeyDetails.principalId

  • resource.accessKeyDetails.userName

  • resource.accessKeyDetails.userType

  • resource.instanceDetails.iamInstanceProfile.id

  • resource.instanceDetails.imageId

  • resource.instanceDetails.instanceId

  • resource.instanceDetails.tags.key

  • resource.instanceDetails.tags.value

  • resource.instanceDetails.networkInterfaces.ipv6Addresses

  • resource.instanceDetails.networkInterfaces.privateIpAddresses.privateIpAddress

  • resource.instanceDetails.networkInterfaces.publicDnsName

  • resource.instanceDetails.networkInterfaces.publicIp

  • resource.instanceDetails.networkInterfaces.securityGroups.groupId

  • resource.instanceDetails.networkInterfaces.securityGroups.groupName

  • resource.instanceDetails.networkInterfaces.subnetId

  • resource.instanceDetails.networkInterfaces.vpcId

  • resource.instanceDetails.outpostArn

  • resource.resourceType

  • resource.s3BucketDetails.publicAccess.effectivePermissions

  • resource.s3BucketDetails.name

  • resource.s3BucketDetails.tags.key

  • resource.s3BucketDetails.tags.value

  • resource.s3BucketDetails.type

  • service.action.actionType

  • service.action.awsApiCallAction.api

  • service.action.awsApiCallAction.callerType

  • service.action.awsApiCallAction.errorCode

  • service.action.awsApiCallAction.remoteIpDetails.city.cityName

  • service.action.awsApiCallAction.remoteIpDetails.country.countryName

  • service.action.awsApiCallAction.remoteIpDetails.ipAddressV4

  • service.action.awsApiCallAction.remoteIpDetails.ipAddressV6

  • service.action.awsApiCallAction.remoteIpDetails.organization.asn

  • service.action.awsApiCallAction.remoteIpDetails.organization.asnOrg

  • service.action.awsApiCallAction.serviceName

  • service.action.dnsRequestAction.domain

  • service.action.dnsRequestAction.domainWithSuffix

  • service.action.dnsRequestAction.vpcOwnerAccountId

  • service.action.networkConnectionAction.blocked

  • service.action.networkConnectionAction.connectionDirection

  • service.action.networkConnectionAction.localPortDetails.port

  • service.action.networkConnectionAction.protocol

  • service.action.networkConnectionAction.remoteIpDetails.city.cityName

  • service.action.networkConnectionAction.remoteIpDetails.country.countryName

  • service.action.networkConnectionAction.remoteIpDetails.ipAddressV4

  • service.action.networkConnectionAction.remoteIpDetails.ipAddressV6

  • service.action.networkConnectionAction.remoteIpDetails.organization.asn

  • service.action.networkConnectionAction.remoteIpDetails.organization.asnOrg

  • service.action.networkConnectionAction.remotePortDetails.port

  • service.action.awsApiCallAction.remoteAccountDetails.affiliated

  • service.action.kubernetesApiCallAction.remoteIpDetails.ipAddressV4

  • service.action.kubernetesApiCallAction.remoteIpDetails.ipAddressV6

  • service.action.kubernetesApiCallAction.namespace

  • service.action.kubernetesApiCallAction.remoteIpDetails.organization.asn

  • service.action.kubernetesApiCallAction.requestUri

  • service.action.kubernetesApiCallAction.statusCode

  • service.action.networkConnectionAction.localIpDetails.ipAddressV4

  • service.action.networkConnectionAction.localIpDetails.ipAddressV6

  • service.action.awsApiCallAction.remoteAccountDetails.accountId

  • service.additionalInfo.threatListName

  • service.resourceRole

  • resource.eksClusterDetails.name

  • resource.kubernetesDetails.kubernetesWorkloadDetails.name

  • resource.kubernetesDetails.kubernetesWorkloadDetails.namespace

  • resource.kubernetesDetails.kubernetesUserDetails.username

  • resource.kubernetesDetails.kubernetesWorkloadDetails.containers.image

  • resource.kubernetesDetails.kubernetesWorkloadDetails.containers.imagePrefix

  • service.ebsVolumeScanDetails.scanId

  • service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.name

  • service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.severity

  • service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.filePaths.hash

  • resource.ecsClusterDetails.name

  • resource.ecsClusterDetails.taskDetails.containers.image

  • resource.ecsClusterDetails.taskDetails.definitionArn

  • resource.containerDetails.image

  • resource.rdsDbInstanceDetails.dbInstanceIdentifier

  • resource.rdsDbInstanceDetails.dbClusterIdentifier

  • resource.rdsDbInstanceDetails.engine

  • resource.rdsDbUserDetails.user

  • resource.rdsDbInstanceDetails.tags.key

  • resource.rdsDbInstanceDetails.tags.value

  • service.runtimeDetails.process.executableSha256

  • service.runtimeDetails.process.name

  • service.runtimeDetails.process.executablePath

  • resource.lambdaDetails.functionName

  • resource.lambdaDetails.functionArn

  • resource.lambdaDetails.tags.key

  • resource.lambdaDetails.tags.value

  • Criterion (dict) --

    Represents a map of finding properties that match specified conditions and values when querying findings.

    • (string) --

      • (dict) --

        Contains information about the condition.

        • Eq (list) --

          Represents the equal condition to be applied to a single field when querying for findings.

          • (string) --

        • Neq (list) --

          Represents the not equal condition to be applied to a single field when querying for findings.

          • (string) --

        • Gt (integer) --

          Represents a greater than condition to be applied to a single field when querying for findings.

        • Gte (integer) --

          Represents a greater than or equal condition to be applied to a single field when querying for findings.

        • Lt (integer) --

          Represents a less than condition to be applied to a single field when querying for findings.

        • Lte (integer) --

          Represents a less than or equal condition to be applied to a single field when querying for findings.

        • Equals (list) --

          Represents an equal condition to be applied to a single field when querying for findings.

          • (string) --

        • NotEquals (list) --

          Represents a not equal condition to be applied to a single field when querying for findings.

          • (string) --

        • GreaterThan (integer) --

          Represents a greater than condition to be applied to a single field when querying for findings.

        • GreaterThanOrEqual (integer) --

          Represents a greater than or equal condition to be applied to a single field when querying for findings.

        • LessThan (integer) --

          Represents a less than condition to be applied to a single field when querying for findings.

        • LessThanOrEqual (integer) --

          Represents a less than or equal condition to be applied to a single field when querying for findings.

        • Matches (list) --

          Represents the match condition to be applied to a single field when querying for findings.

          • (string) --

        • NotMatches (list) --

          Represents the not match condition to be applied to a single field when querying for findings.

          • (string) --

type ClientToken:

string

param ClientToken:

The idempotency token for the create request.

This field is autopopulated if not provided.

type Tags:

dict

param Tags:

The tags to be added to a new filter resource.

  • (string) --

    • (string) --

rtype:

dict

returns:

Response Syntax

{
    'Name': 'string'
}

Response Structure

  • (dict) --

    • Name (string) --

      The name of the successfully created filter.
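The Matches and NotMatches conditions added in this release make it possible to write suppression filters keyed on wildcard patterns rather than exact values. The following is an added example (not code from the boto3 documentation or from AWS): it builds the create_filter request for an ARCHIVE filter and dry-runs the same FindingCriteria locally against constructed sample findings, so that the rule can be checked for over-suppression before anything is archived. The severity bands, the Name character rules and the ListDetectors lookup come from this page; the wildcard syntax (shell-style '*' and '?', evaluated with fnmatch) and the any-value-matches semantics for multi-valued attributes such as tags are assumptions, since the page does not define how the service evaluates them.

```python
import fnmatch
import operator
import re

# Filter names: alphanumerics, '.', '_' and '-' only; whitespace is invalid.
FILTER_NAME_RE = re.compile(r"^[A-Za-z0-9._-]+$")

# Severity bands exactly as the FindingCriteria documentation lists them.
SEVERITY_BANDS = {"Low": ["1", "2", "3"], "Medium": ["4", "5", "6"],
                  "High": ["7", "8"], "Critical": ["9", "10"]}

_NUMERIC_OPS = {"Gt": operator.gt, "GreaterThan": operator.gt,
                "Gte": operator.ge, "GreaterThanOrEqual": operator.ge,
                "Lt": operator.lt, "LessThan": operator.lt,
                "Lte": operator.le, "LessThanOrEqual": operator.le}

# Suppression rule: auto-archive low-severity port probes against instances whose
# tag value marks them as authorised scanners, but never anything tagged prod-*.
# Assumption: Matches/NotMatches patterns use shell-style wildcards ('*', '?');
# this page does not define the wildcard syntax.
SCANNER_SUPPRESSION = {
    "severity": {"Eq": SEVERITY_BANDS["Low"]},
    "type": {"Eq": ["Recon:EC2/PortProbeUnprotectedPort"]},
    "resource.instanceDetails.tags.value": {"Matches": ["scanner-*"],
                                            "NotMatches": ["prod-*"]},
}

def _sample(fid, severity, ftype, *tag_values):
    """Constructed sample finding (not real GuardDuty output) using the lowercase
    attribute names that FindingCriteria queries."""
    tags = [{"key": f"Tag{i}", "value": v} for i, v in enumerate(tag_values)]
    return {"id": fid, "severity": severity, "type": ftype,
            "resource": {"instanceDetails": {"tags": tags}}}

SAMPLE_FINDINGS = [
    _sample("f-1", 2, "Recon:EC2/PortProbeUnprotectedPort", "scanner-dev"),
    _sample("f-2", 8, "UnauthorizedAccess:EC2/SSHBruteForce", "scanner-dev"),
    _sample("f-3", 2.0, "Recon:EC2/PortProbeUnprotectedPort", "prod-web"),
    _sample("f-4", 3, "Recon:EC2/PortProbeUnprotectedPort", "scanner-01", "prod-web"),
]

def is_valid_filter_name(name):
    return bool(FILTER_NAME_RE.match(name))

def build_suppression_filter(detector_id, name, rank, criterion, description=""):
    """Kwargs for client.create_filter(); Action=ARCHIVE makes the filter a suppression rule."""
    if not is_valid_filter_name(name):
        raise ValueError(f"invalid filter name {name!r}")
    return {"DetectorId": detector_id, "Name": name, "Description": description,
            "Action": "ARCHIVE", "Rank": rank, "FindingCriteria": {"Criterion": criterion}}

def _values_at(finding, dotted_path):
    """Collect every value at a dotted attribute path, fanning out through lists
    (so 'resource.instanceDetails.tags.value' yields all tag values)."""
    nodes = [finding]
    for part in dotted_path.split("."):
        nodes = [item[part] for node in nodes
                 for item in (node if isinstance(node, list) else [node])
                 if isinstance(item, dict) and part in item]
    flat = [v for node in nodes for v in (node if isinstance(node, list) else [node])]
    # Integral floats such as 8.0 compare as "8", the form the severity lists use.
    return [str(int(v)) if isinstance(v, float) and v.is_integer() else str(v) for v in flat]

def _satisfies(values, condition):
    """All operators in one Criterion entry must hold; list operators pass if any value matches."""
    for op, arg in condition.items():
        if op in ("Eq", "Equals"):
            ok = any(v in arg for v in values)
        elif op in ("Neq", "NotEquals"):
            ok = not any(v in arg for v in values)
        elif op == "Matches":
            ok = any(fnmatch.fnmatchcase(v, p) for v in values for p in arg)
        elif op == "NotMatches":
            ok = not any(fnmatch.fnmatchcase(v, p) for v in values for p in arg)
        elif op in _NUMERIC_OPS:
            nums = [float(v) for v in values if re.fullmatch(r"-?\d+(\.\d+)?", v)]
            ok = any(_NUMERIC_OPS[op](n, arg) for n in nums)
        else:
            raise ValueError(f"unknown condition operator {op!r}")
        if not ok:
            return False
    return True

def dry_run(findings, criterion):
    """Ids of the findings the rule would archive; review this before calling create_filter()."""
    return [f["id"] for f in findings
            if all(_satisfies(_values_at(f, attr), cond) for attr, cond in criterion.items())]

if __name__ == "__main__":
    print("would archive:", dry_run(SAMPLE_FINDINGS, SCANNER_SUPPRESSION))  # ['f-1']
    import boto3  # only needed for the live call
    client = boto3.client("guardduty")
    detector_id = client.list_detectors()["DetectorIds"][0]  # the page points at ListDetectors
    client.create_filter(**build_suppression_filter(
        detector_id, "suppress-scanner-port-probes", 1, SCANNER_SUPPRESSION,
        "Archive low-severity port probes against tagged scanner instances"))
```

The dry run keeps f-4 out because one of its tag values matches the NotMatches pattern even though another matches the Matches pattern, which is the kind of interaction worth seeing before the filter is ranked above others and starts archiving live findings.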

GetFilter (updated)
Changes (response)
{'FindingCriteria': {'Criterion': {'Matches': ['string'],
                                   'NotMatches': ['string']}}}

Returns the details of the filter specified by the filter name.

See also: AWS API Documentation

Request Syntax

client.get_filter(
    DetectorId='string',
    FilterName='string'
)
type DetectorId:

string

param DetectorId:

[REQUIRED]

The unique ID of the detector that is associated with this filter.

To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.

type FilterName:

string

param FilterName:

[REQUIRED]

The name of the filter you want to get.

rtype:

dict

returns:

Response Syntax

{
    'Name': 'string',
    'Description': 'string',
    'Action': 'NOOP'|'ARCHIVE',
    'Rank': 123,
    'FindingCriteria': {
        'Criterion': {
            'string': {
                'Eq': [
                    'string',
                ],
                'Neq': [
                    'string',
                ],
                'Gt': 123,
                'Gte': 123,
                'Lt': 123,
                'Lte': 123,
                'Equals': [
                    'string',
                ],
                'NotEquals': [
                    'string',
                ],
                'GreaterThan': 123,
                'GreaterThanOrEqual': 123,
                'LessThan': 123,
                'LessThanOrEqual': 123,
                'Matches': [
                    'string',
                ],
                'NotMatches': [
                    'string',
                ]
            }
        }
    },
    'Tags': {
        'string': 'string'
    }
}

Response Structure

  • (dict) --

    • Name (string) --

      The name of the filter.

    • Description (string) --

      The description of the filter.

    • Action (string) --

      Specifies the action that is to be applied to the findings that match the filter.

    • Rank (integer) --

      Specifies the position of the filter in the list of current filters. Also specifies the order in which this filter is applied to the findings.

    • FindingCriteria (dict) --

      Represents the criteria to be used in the filter for querying findings.

      • Criterion (dict) --

        Represents a map of finding properties that match specified conditions and values when querying findings.

        • (string) --

          • (dict) --

            Contains information about the condition.

            • Eq (list) --

              Represents the equal condition to be applied to a single field when querying for findings.

              • (string) --

            • Neq (list) --

              Represents the not equal condition to be applied to a single field when querying for findings.

              • (string) --

            • Gt (integer) --

              Represents a greater than condition to be applied to a single field when querying for findings.

            • Gte (integer) --

              Represents a greater than or equal condition to be applied to a single field when querying for findings.

            • Lt (integer) --

              Represents a less than condition to be applied to a single field when querying for findings.

            • Lte (integer) --

              Represents a less than or equal condition to be applied to a single field when querying for findings.

            • Equals (list) --

              Represents an equal condition to be applied to a single field when querying for findings.

              • (string) --

            • NotEquals (list) --

              Represents a not equal condition to be applied to a single field when querying for findings.

              • (string) --

            • GreaterThan (integer) --

              Represents a greater than condition to be applied to a single field when querying for findings.

            • GreaterThanOrEqual (integer) --

              Represents a greater than or equal condition to be applied to a single field when querying for findings.

            • LessThan (integer) --

              Represents a less than condition to be applied to a single field when querying for findings.

            • LessThanOrEqual (integer) --

              Represents a less than or equal condition to be applied to a single field when querying for findings.

            • Matches (list) --

              Represents the match condition to be applied to a single field when querying for findings.

              • (string) --

            • NotMatches (list) --

              Represents the not match condition to be applied to a single field when querying for findings.

              • (string) --

    • Tags (dict) --

      The tags of the filter resource.

      • (string) --

        • (string) --

GetFindings (updated)
Changes (response)
{'Findings': {'Service': {'Detection': {'Sequence': {'Resources': {
    'Data': {
        'AutoscalingAutoScalingGroup': {'Ec2InstanceUids': ['string']},
        'CloudformationStack': {'Ec2InstanceUids': ['string']},
        'Ec2Image': {'Ec2InstanceUids': ['string']},
        'Ec2LaunchTemplate': {'Ec2InstanceUids': ['string'],
                              'Version': 'string'},
        'Ec2Vpc': {'Ec2InstanceUids': ['string']},
        'EcsCluster': {'Ec2InstanceUids': ['string'],
                       'Status': 'ACTIVE | PROVISIONING | DEPROVISIONING | FAILED | INACTIVE'},
        'EcsTask': {'ContainerUids': ['string'],
                    'CreatedAt': 'timestamp',
                    'LaunchType': 'FARGATE | EC2',
                    'TaskDefinitionArn': 'string'},
        'IamInstanceProfile': {'Ec2InstanceUids': ['string']}},
    'ResourceType': {'AUTOSCALING_AUTO_SCALING_GROUP',
                     'CLOUDFORMATION_STACK',
                     'EC2_IMAGE',
                     'EC2_LAUNCH_TEMPLATE',
                     'EC2_VPC',
                     'ECS_CLUSTER',
                     'ECS_TASK',
                     'IAM_INSTANCE_PROFILE'}}}}}}}

Describes Amazon GuardDuty findings specified by finding IDs.

See also: AWS API Documentation

Request Syntax

client.get_findings(
    DetectorId='string',
    FindingIds=[
        'string',
    ],
    SortCriteria={
        'AttributeName': 'string',
        'OrderBy': 'ASC'|'DESC'
    }
)
type DetectorId:

string

param DetectorId:

[REQUIRED]

The ID of the detector that specifies the GuardDuty service whose findings you want to retrieve.

To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.

type FindingIds:

list

param FindingIds:

[REQUIRED]

The IDs of the findings that you want to retrieve.

  • (string) --

type SortCriteria:

dict

param SortCriteria:

Represents the criteria used for sorting findings.

  • AttributeName (string) --

    Represents the finding attribute, such as accountId, that sorts the findings.

  • OrderBy (string) --

    The order by which the sorted findings are to be displayed.

rtype:

dict

returns:

Response Syntax

{
    'Findings': [
        {
            'AccountId': 'string',
            'Arn': 'string',
            'Confidence': 123.0,
            'CreatedAt': 'string',
            'Description': 'string',
            'Id': 'string',
            'Partition': 'string',
            'Region': 'string',
            'Resource': {
                'AccessKeyDetails': {
                    'AccessKeyId': 'string',
                    'PrincipalId': 'string',
                    'UserName': 'string',
                    'UserType': 'string'
                },
                'S3BucketDetails': [
                    {
                        'Arn': 'string',
                        'Name': 'string',
                        'Type': 'string',
                        'CreatedAt': datetime(2015, 1, 1),
                        'Owner': {
                            'Id': 'string'
                        },
                        'Tags': [
                            {
                                'Key': 'string',
                                'Value': 'string'
                            },
                        ],
                        'DefaultServerSideEncryption': {
                            'EncryptionType': 'string',
                            'KmsMasterKeyArn': 'string'
                        },
                        'PublicAccess': {
                            'PermissionConfiguration': {
                                'BucketLevelPermissions': {
                                    'AccessControlList': {
                                        'AllowsPublicReadAccess': True|False,
                                        'AllowsPublicWriteAccess': True|False
                                    },
                                    'BucketPolicy': {
                                        'AllowsPublicReadAccess': True|False,
                                        'AllowsPublicWriteAccess': True|False
                                    },
                                    'BlockPublicAccess': {
                                        'IgnorePublicAcls': True|False,
                                        'RestrictPublicBuckets': True|False,
                                        'BlockPublicAcls': True|False,
                                        'BlockPublicPolicy': True|False
                                    }
                                },
                                'AccountLevelPermissions': {
                                    'BlockPublicAccess': {
                                        'IgnorePublicAcls': True|False,
                                        'RestrictPublicBuckets': True|False,
                                        'BlockPublicAcls': True|False,
                                        'BlockPublicPolicy': True|False
                                    }
                                }
                            },
                            'EffectivePermission': 'string'
                        },
                        'S3ObjectDetails': [
                            {
                                'ObjectArn': 'string',
                                'Key': 'string',
                                'ETag': 'string',
                                'Hash': 'string',
                                'VersionId': 'string'
                            },
                        ]
                    },
                ],
                'InstanceDetails': {
                    'AvailabilityZone': 'string',
                    'IamInstanceProfile': {
                        'Arn': 'string',
                        'Id': 'string'
                    },
                    'ImageDescription': 'string',
                    'ImageId': 'string',
                    'InstanceId': 'string',
                    'InstanceState': 'string',
                    'InstanceType': 'string',
                    'OutpostArn': 'string',
                    'LaunchTime': 'string',
                    'NetworkInterfaces': [
                        {
                            'Ipv6Addresses': [
                                'string',
                            ],
                            'NetworkInterfaceId': 'string',
                            'PrivateDnsName': 'string',
                            'PrivateIpAddress': 'string',
                            'PrivateIpAddresses': [
                                {
                                    'PrivateDnsName': 'string',
                                    'PrivateIpAddress': 'string'
                                },
                            ],
                            'PublicDnsName': 'string',
                            'PublicIp': 'string',
                            'SecurityGroups': [
                                {
                                    'GroupId': 'string',
                                    'GroupName': 'string'
                                },
                            ],
                            'SubnetId': 'string',
                            'VpcId': 'string'
                        },
                    ],
                    'Platform': 'string',
                    'ProductCodes': [
                        {
                            'Code': 'string',
                            'ProductType': 'string'
                        },
                    ],
                    'Tags': [
                        {
                            'Key': 'string',
                            'Value': 'string'
                        },
                    ]
                },
                'EksClusterDetails': {
                    'Name': 'string',
                    'Arn': 'string',
                    'VpcId': 'string',
                    'Status': 'string',
                    'Tags': [
                        {
                            'Key': 'string',
                            'Value': 'string'
                        },
                    ],
                    'CreatedAt': datetime(2015, 1, 1)
                },
                'KubernetesDetails': {
                    'KubernetesUserDetails': {
                        'Username': 'string',
                        'Uid': 'string',
                        'Groups': [
                            'string',
                        ],
                        'SessionName': [
                            'string',
                        ],
                        'ImpersonatedUser': {
                            'Username': 'string',
                            'Groups': [
                                'string',
                            ]
                        }
                    },
                    'KubernetesWorkloadDetails': {
                        'Name': 'string',
                        'Type': 'string',
                        'Uid': 'string',
                        'Namespace': 'string',
                        'HostNetwork': True|False,
                        'Containers': [
                            {
                                'ContainerRuntime': 'string',
                                'Id': 'string',
                                'Name': 'string',
                                'Image': 'string',
                                'ImagePrefix': 'string',
                                'VolumeMounts': [
                                    {
                                        'Name': 'string',
                                        'MountPath': 'string'
                                    },
                                ],
                                'SecurityContext': {
                                    'Privileged': True|False,
                                    'AllowPrivilegeEscalation': True|False
                                }
                            },
                        ],
                        'Volumes': [
                            {
                                'Name': 'string',
                                'HostPath': {
                                    'Path': 'string'
                                }
                            },
                        ],
                        'ServiceAccountName': 'string',
                        'HostIPC': True|False,
                        'HostPID': True|False
                    }
                },
                'ResourceType': 'string',
                'EbsVolumeDetails': {
                    'ScannedVolumeDetails': [
                        {
                            'VolumeArn': 'string',
                            'VolumeType': 'string',
                            'DeviceName': 'string',
                            'VolumeSizeInGB': 123,
                            'EncryptionType': 'string',
                            'SnapshotArn': 'string',
                            'KmsKeyArn': 'string'
                        },
                    ],
                    'SkippedVolumeDetails': [
                        {
                            'VolumeArn': 'string',
                            'VolumeType': 'string',
                            'DeviceName': 'string',
                            'VolumeSizeInGB': 123,
                            'EncryptionType': 'string',
                            'SnapshotArn': 'string',
                            'KmsKeyArn': 'string'
                        },
                    ]
                },
                'EcsClusterDetails': {
                    'Name': 'string',
                    'Arn': 'string',
                    'Status': 'string',
                    'ActiveServicesCount': 123,
                    'RegisteredContainerInstancesCount': 123,
                    'RunningTasksCount': 123,
                    'Tags': [
                        {
                            'Key': 'string',
                            'Value': 'string'
                        },
                    ],
                    'TaskDetails': {
                        'Arn': 'string',
                        'DefinitionArn': 'string',
                        'Version': 'string',
                        'TaskCreatedAt': datetime(2015, 1, 1),
                        'StartedAt': datetime(2015, 1, 1),
                        'StartedBy': 'string',
                        'Tags': [
                            {
                                'Key': 'string',
                                'Value': 'string'
                            },
                        ],
                        'Volumes': [
                            {
                                'Name': 'string',
                                'HostPath': {
                                    'Path': 'string'
                                }
                            },
                        ],
                        'Containers': [
                            {
                                'ContainerRuntime': 'string',
                                'Id': 'string',
                                'Name': 'string',
                                'Image': 'string',
                                'ImagePrefix': 'string',
                                'VolumeMounts': [
                                    {
                                        'Name': 'string',
                                        'MountPath': 'string'
                                    },
                                ],
                                'SecurityContext': {
                                    'Privileged': True|False,
                                    'AllowPrivilegeEscalation': True|False
                                }
                            },
                        ],
                        'Group': 'string',
                        'LaunchType': 'string'
                    }
                },
                'ContainerDetails': {
                    'ContainerRuntime': 'string',
                    'Id': 'string',
                    'Name': 'string',
                    'Image': 'string',
                    'ImagePrefix': 'string',
                    'VolumeMounts': [
                        {
                            'Name': 'string',
                            'MountPath': 'string'
                        },
                    ],
                    'SecurityContext': {
                        'Privileged': True|False,
                        'AllowPrivilegeEscalation': True|False
                    }
                },
                'RdsDbInstanceDetails': {
                    'DbInstanceIdentifier': 'string',
                    'Engine': 'string',
                    'EngineVersion': 'string',
                    'DbClusterIdentifier': 'string',
                    'DbInstanceArn': 'string',
                    'Tags': [
                        {
                            'Key': 'string',
                            'Value': 'string'
                        },
                    ]
                },
                'RdsLimitlessDbDetails': {
                    'DbShardGroupIdentifier': 'string',
                    'DbShardGroupResourceId': 'string',
                    'DbShardGroupArn': 'string',
                    'Engine': 'string',
                    'EngineVersion': 'string',
                    'DbClusterIdentifier': 'string',
                    'Tags': [
                        {
                            'Key': 'string',
                            'Value': 'string'
                        },
                    ]
                },
                'RdsDbUserDetails': {
                    'User': 'string',
                    'Application': 'string',
                    'Database': 'string',
                    'Ssl': 'string',
                    'AuthMethod': 'string'
                },
                'LambdaDetails': {
                    'FunctionArn': 'string',
                    'FunctionName': 'string',
                    'Description': 'string',
                    'LastModifiedAt': datetime(2015, 1, 1),
                    'RevisionId': 'string',
                    'FunctionVersion': 'string',
                    'Role': 'string',
                    'VpcConfig': {
                        'SubnetIds': [
                            'string',
                        ],
                        'VpcId': 'string',
                        'SecurityGroups': [
                            {
                                'GroupId': 'string',
                                'GroupName': 'string'
                            },
                        ]
                    },
                    'Tags': [
                        {
                            'Key': 'string',
                            'Value': 'string'
                        },
                    ]
                },
                'EbsSnapshotDetails': {
                    'SnapshotArn': 'string'
                },
                'Ec2ImageDetails': {
                    'ImageArn': 'string'
                },
                'RecoveryPointDetails': {
                    'RecoveryPointArn': 'string',
                    'BackupVaultName': 'string'
                }
            },
            'SchemaVersion': 'string',
            'Service': {
                'Action': {
                    'ActionType': 'string',
                    'AwsApiCallAction': {
                        'Api': 'string',
                        'CallerType': 'string',
                        'DomainDetails': {
                            'Domain': 'string'
                        },
                        'ErrorCode': 'string',
                        'UserAgent': 'string',
                        'RemoteIpDetails': {
                            'City': {
                                'CityName': 'string'
                            },
                            'Country': {
                                'CountryCode': 'string',
                                'CountryName': 'string'
                            },
                            'GeoLocation': {
                                'Lat': 123.0,
                                'Lon': 123.0
                            },
                            'IpAddressV4': 'string',
                            'IpAddressV6': 'string',
                            'Organization': {
                                'Asn': 'string',
                                'AsnOrg': 'string',
                                'Isp': 'string',
                                'Org': 'string'
                            }
                        },
                        'ServiceName': 'string',
                        'RemoteAccountDetails': {
                            'AccountId': 'string',
                            'Affiliated': True|False
                        },
                        'AffectedResources': {
                            'string': 'string'
                        }
                    },
                    'DnsRequestAction': {
                        'Domain': 'string',
                        'Protocol': 'string',
                        'Blocked': True|False,
                        'DomainWithSuffix': 'string',
                        'VpcOwnerAccountId': 'string'
                    },
                    'NetworkConnectionAction': {
                        'Blocked': True|False,
                        'ConnectionDirection': 'string',
                        'LocalPortDetails': {
                            'Port': 123,
                            'PortName': 'string'
                        },
                        'Protocol': 'string',
                        'LocalIpDetails': {
                            'IpAddressV4': 'string',
                            'IpAddressV6': 'string'
                        },
                        'LocalNetworkInterface': 'string',
                        'RemoteIpDetails': {
                            'City': {
                                'CityName': 'string'
                            },
                            'Country': {
                                'CountryCode': 'string',
                                'CountryName': 'string'
                            },
                            'GeoLocation': {
                                'Lat': 123.0,
                                'Lon': 123.0
                            },
                            'IpAddressV4': 'string',
                            'IpAddressV6': 'string',
                            'Organization': {
                                'Asn': 'string',
                                'AsnOrg': 'string',
                                'Isp': 'string',
                                'Org': 'string'
                            }
                        },
                        'RemotePortDetails': {
                            'Port': 123,
                            'PortName': 'string'
                        }
                    },
                    'PortProbeAction': {
                        'Blocked': True|False,
                        'PortProbeDetails': [
                            {
                                'LocalPortDetails': {
                                    'Port': 123,
                                    'PortName': 'string'
                                },
                                'LocalIpDetails': {
                                    'IpAddressV4': 'string',
                                    'IpAddressV6': 'string'
                                },
                                'RemoteIpDetails': {
                                    'City': {
                                        'CityName': 'string'
                                    },
                                    'Country': {
                                        'CountryCode': 'string',
                                        'CountryName': 'string'
                                    },
                                    'GeoLocation': {
                                        'Lat': 123.0,
                                        'Lon': 123.0
                                    },
                                    'IpAddressV4': 'string',
                                    'IpAddressV6': 'string',
                                    'Organization': {
                                        'Asn': 'string',
                                        'AsnOrg': 'string',
                                        'Isp': 'string',
                                        'Org': 'string'
                                    }
                                }
                            },
                        ]
                    },
                    'KubernetesApiCallAction': {
                        'RequestUri': 'string',
                        'Verb': 'string',
                        'SourceIps': [
                            'string',
                        ],
                        'UserAgent': 'string',
                        'RemoteIpDetails': {
                            'City': {
                                'CityName': 'string'
                            },
                            'Country': {
                                'CountryCode': 'string',
                                'CountryName': 'string'
                            },
                            'GeoLocation': {
                                'Lat': 123.0,
                                'Lon': 123.0
                            },
                            'IpAddressV4': 'string',
                            'IpAddressV6': 'string',
                            'Organization': {
                                'Asn': 'string',
                                'AsnOrg': 'string',
                                'Isp': 'string',
                                'Org': 'string'
                            }
                        },
                        'StatusCode': 123,
                        'Parameters': 'string',
                        'Resource': 'string',
                        'Subresource': 'string',
                        'Namespace': 'string',
                        'ResourceName': 'string'
                    },
                    'RdsLoginAttemptAction': {
                        'RemoteIpDetails': {
                            'City': {
                                'CityName': 'string'
                            },
                            'Country': {
                                'CountryCode': 'string',
                                'CountryName': 'string'
                            },
                            'GeoLocation': {
                                'Lat': 123.0,
                                'Lon': 123.0
                            },
                            'IpAddressV4': 'string',
                            'IpAddressV6': 'string',
                            'Organization': {
                                'Asn': 'string',
                                'AsnOrg': 'string',
                                'Isp': 'string',
                                'Org': 'string'
                            }
                        },
                        'LoginAttributes': [
                            {
                                'User': 'string',
                                'Application': 'string',
                                'FailedLoginAttempts': 123,
                                'SuccessfulLoginAttempts': 123
                            },
                        ]
                    },
                    'KubernetesPermissionCheckedDetails': {
                        'Verb': 'string',
                        'Resource': 'string',
                        'Namespace': 'string',
                        'Allowed': True|False
                    },
                    'KubernetesRoleBindingDetails': {
                        'Kind': 'string',
                        'Name': 'string',
                        'Uid': 'string',
                        'RoleRefName': 'string',
                        'RoleRefKind': 'string'
                    },
                    'KubernetesRoleDetails': {
                        'Kind': 'string',
                        'Name': 'string',
                        'Uid': 'string'
                    }
                },
                'Evidence': {
                    'ThreatIntelligenceDetails': [
                        {
                            'ThreatListName': 'string',
                            'ThreatNames': [
                                'string',
                            ],
                            'ThreatFileSha256': 'string'
                        },
                    ]
                },
                'Archived': True|False,
                'Count': 123,
                'DetectorId': 'string',
                'EventFirstSeen': 'string',
                'EventLastSeen': 'string',
                'ResourceRole': 'string',
                'ServiceName': 'string',
                'UserFeedback': 'string',
                'AdditionalInfo': {
                    'Value': 'string',
                    'Type': 'string'
                },
                'FeatureName': 'string',
                'EbsVolumeScanDetails': {
                    'ScanId': 'string',
                    'ScanStartedAt': datetime(2015, 1, 1),
                    'ScanCompletedAt': datetime(2015, 1, 1),
                    'TriggerFindingId': 'string',
                    'Sources': [
                        'string',
                    ],
                    'ScanDetections': {
                        'ScannedItemCount': {
                            'TotalGb': 123,
                            'Files': 123,
                            'Volumes': 123
                        },
                        'ThreatsDetectedItemCount': {
                            'Files': 123
                        },
                        'HighestSeverityThreatDetails': {
                            'Severity': 'string',
                            'ThreatName': 'string',
                            'Count': 123
                        },
                        'ThreatDetectedByName': {
                            'ItemCount': 123,
                            'UniqueThreatNameCount': 123,
                            'Shortened': True|False,
                            'ThreatNames': [
                                {
                                    'Name': 'string',
                                    'Severity': 'string',
                                    'ItemCount': 123,
                                    'FilePaths': [
                                        {
                                            'FilePath': 'string',
                                            'VolumeArn': 'string',
                                            'Hash': 'string',
                                            'FileName': 'string'
                                        },
                                    ]
                                },
                            ]
                        }
                    },
                    'ScanType': 'GUARDDUTY_INITIATED'|'ON_DEMAND'
                },
                'RuntimeDetails': {
                    'Process': {
                        'Name': 'string',
                        'ExecutablePath': 'string',
                        'ExecutableSha256': 'string',
                        'NamespacePid': 123,
                        'Pwd': 'string',
                        'Pid': 123,
                        'StartTime': datetime(2015, 1, 1),
                        'Uuid': 'string',
                        'ParentUuid': 'string',
                        'User': 'string',
                        'UserId': 123,
                        'Euid': 123,
                        'Lineage': [
                            {
                                'StartTime': datetime(2015, 1, 1),
                                'NamespacePid': 123,
                                'UserId': 123,
                                'Name': 'string',
                                'Pid': 123,
                                'Uuid': 'string',
                                'ExecutablePath': 'string',
                                'Euid': 123,
                                'ParentUuid': 'string'
                            },
                        ]
                    },
                    'Context': {
                        'ModifyingProcess': {
                            'Name': 'string',
                            'ExecutablePath': 'string',
                            'ExecutableSha256': 'string',
                            'NamespacePid': 123,
                            'Pwd': 'string',
                            'Pid': 123,
                            'StartTime': datetime(2015, 1, 1),
                            'Uuid': 'string',
                            'ParentUuid': 'string',
                            'User': 'string',
                            'UserId': 123,
                            'Euid': 123,
                            'Lineage': [
                                {
                                    'StartTime': datetime(2015, 1, 1),
                                    'NamespacePid': 123,
                                    'UserId': 123,
                                    'Name': 'string',
                                    'Pid': 123,
                                    'Uuid': 'string',
                                    'ExecutablePath': 'string',
                                    'Euid': 123,
                                    'ParentUuid': 'string'
                                },
                            ]
                        },
                        'ModifiedAt': datetime(2015, 1, 1),
                        'ScriptPath': 'string',
                        'LibraryPath': 'string',
                        'LdPreloadValue': 'string',
                        'SocketPath': 'string',
                        'RuncBinaryPath': 'string',
                        'ReleaseAgentPath': 'string',
                        'MountSource': 'string',
                        'MountTarget': 'string',
                        'FileSystemType': 'string',
                        'Flags': [
                            'string',
                        ],
                        'ModuleName': 'string',
                        'ModuleFilePath': 'string',
                        'ModuleSha256': 'string',
                        'ShellHistoryFilePath': 'string',
                        'TargetProcess': {
                            'Name': 'string',
                            'ExecutablePath': 'string',
                            'ExecutableSha256': 'string',
                            'NamespacePid': 123,
                            'Pwd': 'string',
                            'Pid': 123,
                            'StartTime': datetime(2015, 1, 1),
                            'Uuid': 'string',
                            'ParentUuid': 'string',
                            'User': 'string',
                            'UserId': 123,
                            'Euid': 123,
                            'Lineage': [
                                {
                                    'StartTime': datetime(2015, 1, 1),
                                    'NamespacePid': 123,
                                    'UserId': 123,
                                    'Name': 'string',
                                    'Pid': 123,
                                    'Uuid': 'string',
                                    'ExecutablePath': 'string',
                                    'Euid': 123,
                                    'ParentUuid': 'string'
                                },
                            ]
                        },
                        'AddressFamily': 'string',
                        'IanaProtocolNumber': 123,
                        'MemoryRegions': [
                            'string',
                        ],
                        'ToolName': 'string',
                        'ToolCategory': 'string',
                        'ServiceName': 'string',
                        'CommandLineExample': 'string',
                        'ThreatFilePath': 'string'
                    }
                },
                'Detection': {
                    'Anomaly': {
                        'Profiles': {
                            'string': {
                                'string': [
                                    {
                                        'ProfileType': 'FREQUENCY',
                                        'ProfileSubtype': 'FREQUENT'|'INFREQUENT'|'UNSEEN'|'RARE',
                                        'Observations': {
                                            'Text': [
                                                'string',
                                            ]
                                        }
                                    },
                                ]
                            }
                        },
                        'Unusual': {
                            'Behavior': {
                                'string': {
                                    'string': {
                                        'ProfileType': 'FREQUENCY',
                                        'ProfileSubtype': 'FREQUENT'|'INFREQUENT'|'UNSEEN'|'RARE',
                                        'Observations': {
                                            'Text': [
                                                'string',
                                            ]
                                        }
                                    }
                                }
                            }
                        }
                    },
                    'Sequence': {
                        'Uid': 'string',
                        'Description': 'string',
                        'Actors': [
                            {
                                'Id': 'string',
                                'User': {
                                    'Name': 'string',
                                    'Uid': 'string',
                                    'Type': 'string',
                                    'CredentialUid': 'string',
                                    'Account': {
                                        'Uid': 'string',
                                        'Name': 'string'
                                    }
                                },
                                'Session': {
                                    'Uid': 'string',
                                    'MfaStatus': 'ENABLED'|'DISABLED',
                                    'CreatedTime': datetime(2015, 1, 1),
                                    'Issuer': 'string'
                                },
                                'Process': {
                                    'Name': 'string',
                                    'Path': 'string',
                                    'Sha256': 'string'
                                }
                            },
                        ],
                        'Resources': [
                            {
                                'Uid': 'string',
                                'Name': 'string',
                                'AccountId': 'string',
                                'ResourceType': 'EC2_INSTANCE'|'EC2_NETWORK_INTERFACE'|'S3_BUCKET'|'S3_OBJECT'|'ACCESS_KEY'|'EKS_CLUSTER'|'KUBERNETES_WORKLOAD'|'CONTAINER'|'ECS_CLUSTER'|'ECS_TASK'|'AUTOSCALING_AUTO_SCALING_GROUP'|'IAM_INSTANCE_PROFILE'|'CLOUDFORMATION_STACK'|'EC2_LAUNCH_TEMPLATE'|'EC2_VPC'|'EC2_IMAGE',
                                'Region': 'string',
                                'Service': 'string',
                                'CloudPartition': 'string',
                                'Tags': [
                                    {
                                        'Key': 'string',
                                        'Value': 'string'
                                    },
                                ],
                                'Data': {
                                    'S3Bucket': {
                                        'OwnerId': 'string',
                                        'CreatedAt': datetime(2015, 1, 1),
                                        'EncryptionType': 'string',
                                        'EncryptionKeyArn': 'string',
                                        'EffectivePermission': 'string',
                                        'PublicReadAccess': 'BLOCKED'|'ALLOWED',
                                        'PublicWriteAccess': 'BLOCKED'|'ALLOWED',
                                        'AccountPublicAccess': {
                                            'PublicAclAccess': 'BLOCKED'|'ALLOWED',
                                            'PublicPolicyAccess': 'BLOCKED'|'ALLOWED',
                                            'PublicAclIgnoreBehavior': 'IGNORED'|'NOT_IGNORED',
                                            'PublicBucketRestrictBehavior': 'RESTRICTED'|'NOT_RESTRICTED'
                                        },
                                        'BucketPublicAccess': {
                                            'PublicAclAccess': 'BLOCKED'|'ALLOWED',
                                            'PublicPolicyAccess': 'BLOCKED'|'ALLOWED',
                                            'PublicAclIgnoreBehavior': 'IGNORED'|'NOT_IGNORED',
                                            'PublicBucketRestrictBehavior': 'RESTRICTED'|'NOT_RESTRICTED'
                                        },
                                        'S3ObjectUids': [
                                            'string',
                                        ]
                                    },
                                    'Ec2Instance': {
                                        'AvailabilityZone': 'string',
                                        'ImageDescription': 'string',
                                        'InstanceState': 'string',
                                        'IamInstanceProfile': {
                                            'Arn': 'string',
                                            'Id': 'string'
                                        },
                                        'InstanceType': 'string',
                                        'OutpostArn': 'string',
                                        'Platform': 'string',
                                        'ProductCodes': [
                                            {
                                                'Code': 'string',
                                                'ProductType': 'string'
                                            },
                                        ],
                                        'Ec2NetworkInterfaceUids': [
                                            'string',
                                        ]
                                    },
                                    'AccessKey': {
                                        'PrincipalId': 'string',
                                        'UserName': 'string',
                                        'UserType': 'string'
                                    },
                                    'Ec2NetworkInterface': {
                                        'Ipv6Addresses': [
                                            'string',
                                        ],
                                        'PrivateIpAddresses': [
                                            {
                                                'PrivateDnsName': 'string',
                                                'PrivateIpAddress': 'string'
                                            },
                                        ],
                                        'PublicIp': 'string',
                                        'SecurityGroups': [
                                            {
                                                'GroupId': 'string',
                                                'GroupName': 'string'
                                            },
                                        ],
                                        'SubNetId': 'string',
                                        'VpcId': 'string'
                                    },
                                    'S3Object': {
                                        'ETag': 'string',
                                        'Key': 'string',
                                        'VersionId': 'string'
                                    },
                                    'EksCluster': {
                                        'Arn': 'string',
                                        'CreatedAt': datetime(2015, 1, 1),
                                        'Status': 'CREATING'|'ACTIVE'|'DELETING'|'FAILED'|'UPDATING'|'PENDING',
                                        'VpcId': 'string',
                                        'Ec2InstanceUids': [
                                            'string',
                                        ]
                                    },
                                    'KubernetesWorkload': {
                                        'ContainerUids': [
                                            'string',
                                        ],
                                        'Namespace': 'string',
                                        'KubernetesResourcesTypes': 'PODS'|'JOBS'|'CRONJOBS'|'DEPLOYMENTS'|'DAEMONSETS'|'STATEFULSETS'|'REPLICASETS'|'REPLICATIONCONTROLLERS'
                                    },
                                    'Container': {
                                        'Image': 'string',
                                        'ImageUid': 'string'
                                    },
                                    'EcsCluster': {
                                        'Status': 'ACTIVE'|'PROVISIONING'|'DEPROVISIONING'|'FAILED'|'INACTIVE',
                                        'Ec2InstanceUids': [
                                            'string',
                                        ]
                                    },
                                    'EcsTask': {
                                        'CreatedAt': datetime(2015, 1, 1),
                                        'TaskDefinitionArn': 'string',
                                        'LaunchType': 'FARGATE'|'EC2',
                                        'ContainerUids': [
                                            'string',
                                        ]
                                    },
                                    'IamInstanceProfile': {
                                        'Ec2InstanceUids': [
                                            'string',
                                        ]
                                    },
                                    'AutoscalingAutoScalingGroup': {
                                        'Ec2InstanceUids': [
                                            'string',
                                        ]
                                    },
                                    'Ec2LaunchTemplate': {
                                        'Ec2InstanceUids': [
                                            'string',
                                        ],
                                        'Version': 'string'
                                    },
                                    'Ec2Vpc': {
                                        'Ec2InstanceUids': [
                                            'string',
                                        ]
                                    },
                                    'Ec2Image': {
                                        'Ec2InstanceUids': [
                                            'string',
                                        ]
                                    },
                                    'CloudformationStack': {
                                        'Ec2InstanceUids': [
                                            'string',
                                        ]
                                    }
                                }
                            },
                        ],
                        'Endpoints': [
                            {
                                'Id': 'string',
                                'Ip': 'string',
                                'Domain': 'string',
                                'Port': 123,
                                'Location': {
                                    'City': 'string',
                                    'Country': 'string',
                                    'Latitude': 123.0,
                                    'Longitude': 123.0
                                },
                                'AutonomousSystem': {
                                    'Name': 'string',
                                    'Number': 123
                                },
                                'Connection': {
                                    'Direction': 'INBOUND'|'OUTBOUND'
                                }
                            },
                        ],
                        'Signals': [
                            {
                                'Uid': 'string',
                                'Type': 'FINDING'|'CLOUD_TRAIL'|'S3_DATA_EVENTS'|'EKS_AUDIT_LOGS'|'FLOW_LOGS'|'DNS_LOGS'|'RUNTIME_MONITORING',
                                'Description': 'string',
                                'Name': 'string',
                                'CreatedAt': datetime(2015, 1, 1),
                                'UpdatedAt': datetime(2015, 1, 1),
                                'FirstSeenAt': datetime(2015, 1, 1),
                                'LastSeenAt': datetime(2015, 1, 1),
                                'Severity': 123.0,
                                'Count': 123,
                                'ResourceUids': [
                                    'string',
                                ],
                                'ActorIds': [
                                    'string',
                                ],
                                'EndpointIds': [
                                    'string',
                                ],
                                'SignalIndicators': [
                                    {
                                        'Key': 'SUSPICIOUS_USER_AGENT'|'SUSPICIOUS_NETWORK'|'MALICIOUS_IP'|'TOR_IP'|'ATTACK_TACTIC'|'HIGH_RISK_API'|'ATTACK_TECHNIQUE'|'UNUSUAL_API_FOR_ACCOUNT'|'UNUSUAL_ASN_FOR_ACCOUNT'|'UNUSUAL_ASN_FOR_USER'|'SUSPICIOUS_PROCESS'|'MALICIOUS_DOMAIN'|'MALICIOUS_PROCESS'|'CRYPTOMINING_IP'|'CRYPTOMINING_DOMAIN'|'CRYPTOMINING_PROCESS',
                                        'Values': [
                                            'string',
                                        ],
                                        'Title': 'string'
                                    },
                                ]
                            },
                        ],
                        'SequenceIndicators': [
                            {
                                'Key': 'SUSPICIOUS_USER_AGENT'|'SUSPICIOUS_NETWORK'|'MALICIOUS_IP'|'TOR_IP'|'ATTACK_TACTIC'|'HIGH_RISK_API'|'ATTACK_TECHNIQUE'|'UNUSUAL_API_FOR_ACCOUNT'|'UNUSUAL_ASN_FOR_ACCOUNT'|'UNUSUAL_ASN_FOR_USER'|'SUSPICIOUS_PROCESS'|'MALICIOUS_DOMAIN'|'MALICIOUS_PROCESS'|'CRYPTOMINING_IP'|'CRYPTOMINING_DOMAIN'|'CRYPTOMINING_PROCESS',
                                'Values': [
                                    'string',
                                ],
                                'Title': 'string'
                            },
                        ],
                        'AdditionalSequenceTypes': [
                            'string',
                        ]
                    }
                },
                'MalwareScanDetails': {
                    'Threats': [
                        {
                            'Name': 'string',
                            'Source': 'string',
                            'ItemPaths': [
                                {
                                    'NestedItemPath': 'string',
                                    'Hash': 'string'
                                },
                            ],
                            'Count': 123,
                            'Hash': 'string',
                            'ItemDetails': [
                                {
                                    'ResourceArn': 'string',
                                    'ItemPath': 'string',
                                    'Hash': 'string',
                                    'AdditionalInfo': {
                                        'VersionId': 'string',
                                        'DeviceName': 'string'
                                    }
                                },
                            ]
                        },
                    ],
                    'ScanId': 'string',
                    'ScanType': 'BACKUP_INITIATED'|'ON_DEMAND'|'GUARDDUTY_INITIATED',
                    'ScanCategory': 'FULL_SCAN'|'INCREMENTAL_SCAN',
                    'ScanConfiguration': {
                        'TriggerType': 'BACKUP'|'GUARDDUTY',
                        'IncrementalScanDetails': {
                            'BaselineResourceArn': 'string'
                        }
                    },
                    'UniqueThreatCount': 123
                }
            },
            'Severity': 123.0,
            'Title': 'string',
            'Type': 'string',
            'UpdatedAt': 'string',
            'AssociatedAttackSequenceArn': 'string'
        },
    ]
}


**Response Structure**
::

    # This section is too large to render.
    # Please see the AWS API Documentation linked below.

`AWS API Documentation <https://docs.aws.amazon.com/goto/WebAPI/guardduty-2017-11-28/GetFindings>`_
GetFindingsStatistics (updated) Link ¶
Changes (request)
{'FindingCriteria': {'Criterion': {'Matches': ['string'],
                                   'NotMatches': ['string']}}}

Lists GuardDuty findings statistics for the specified detector ID.

You must provide either the findingStatisticTypes or the groupBy parameter, but not both. The maxResults and orderBy parameters can be used only together with groupBy.

There might be regional differences because some flags might not be available in all the Regions where GuardDuty is currently supported. For more information, see Regions and endpoints.

See also: AWS API Documentation

Request Syntax

client.get_findings_statistics(
    DetectorId='string',
    FindingStatisticTypes=[
        'COUNT_BY_SEVERITY',
    ],
    FindingCriteria={
        'Criterion': {
            'string': {
                'Eq': [
                    'string',
                ],
                'Neq': [
                    'string',
                ],
                'Gt': 123,
                'Gte': 123,
                'Lt': 123,
                'Lte': 123,
                'Equals': [
                    'string',
                ],
                'NotEquals': [
                    'string',
                ],
                'GreaterThan': 123,
                'GreaterThanOrEqual': 123,
                'LessThan': 123,
                'LessThanOrEqual': 123,
                'Matches': [
                    'string',
                ],
                'NotMatches': [
                    'string',
                ]
            }
        }
    },
    GroupBy='ACCOUNT'|'DATE'|'FINDING_TYPE'|'RESOURCE'|'SEVERITY',
    OrderBy='ASC'|'DESC',
    MaxResults=123
)
type DetectorId:

string

param DetectorId:

[REQUIRED]

The ID of the detector whose findings statistics you want to retrieve.

To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.

type FindingStatisticTypes:

list

param FindingStatisticTypes:

The types of finding statistics to retrieve.

  • (string) --

type FindingCriteria:

dict

param FindingCriteria:

Represents the criteria that is used for querying findings.

  • Criterion (dict) --

    Represents a map of finding properties that match specified conditions and values when querying findings.

    • (string) --

      • (dict) --

        Contains information about the condition.

        • Eq (list) --

          Represents the equal condition to be applied to a single field when querying for findings.

          • (string) --

        • Neq (list) --

          Represents the not equal condition to be applied to a single field when querying for findings.

          • (string) --

        • Gt (integer) --

          Represents a greater than condition to be applied to a single field when querying for findings.

        • Gte (integer) --

          Represents a greater than or equal condition to be applied to a single field when querying for findings.

        • Lt (integer) --

          Represents a less than condition to be applied to a single field when querying for findings.

        • Lte (integer) --

          Represents a less than or equal condition to be applied to a single field when querying for findings.

        • Equals (list) --

          Represents an equal condition to be applied to a single field when querying for findings.

          • (string) --

        • NotEquals (list) --

          Represents a not equal condition to be applied to a single field when querying for findings.

          • (string) --

        • GreaterThan (integer) --

          Represents a greater than condition to be applied to a single field when querying for findings.

        • GreaterThanOrEqual (integer) --

          Represents a greater than or equal condition to be applied to a single field when querying for findings.

        • LessThan (integer) --

          Represents a less than condition to be applied to a single field when querying for findings.

        • LessThanOrEqual (integer) --

          Represents a less than or equal condition to be applied to a single field when querying for findings.

        • Matches (list) --

          Represents the match condition to be applied to a single field when querying for findings.

          • (string) --

        • NotMatches (list) --

          Represents the not match condition to be applied to a single field when querying for findings.

          • (string) --

type GroupBy:

string

param GroupBy:

Displays the findings statistics grouped by one of the listed valid values.

type OrderBy:

string

param OrderBy:

Displays the sorted findings in the requested order. The default value of orderBy is DESC.

You can use this parameter only with the groupBy parameter.

type MaxResults:

integer

param MaxResults:

The maximum number of results to be returned in the response. The default value is 25.

You can use this parameter only with the groupBy parameter.

rtype:

dict

returns:

Response Syntax

{
    'FindingStatistics': {
        'CountBySeverity': {
            'string': 123
        },
        'GroupedByAccount': [
            {
                'AccountId': 'string',
                'LastGeneratedAt': datetime(2015, 1, 1),
                'TotalFindings': 123
            },
        ],
        'GroupedByDate': [
            {
                'Date': datetime(2015, 1, 1),
                'LastGeneratedAt': datetime(2015, 1, 1),
                'Severity': 123.0,
                'TotalFindings': 123
            },
        ],
        'GroupedByFindingType': [
            {
                'FindingType': 'string',
                'LastGeneratedAt': datetime(2015, 1, 1),
                'TotalFindings': 123
            },
        ],
        'GroupedByResource': [
            {
                'AccountId': 'string',
                'LastGeneratedAt': datetime(2015, 1, 1),
                'ResourceId': 'string',
                'ResourceType': 'string',
                'TotalFindings': 123
            },
        ],
        'GroupedBySeverity': [
            {
                'LastGeneratedAt': datetime(2015, 1, 1),
                'Severity': 123.0,
                'TotalFindings': 123
            },
        ]
    },
    'NextToken': 'string'
}

Response Structure

  • (dict) --

    • FindingStatistics (dict) --

      The finding statistics object.

      • CountBySeverity (dict) --

Represents a map from severity to the number of findings at that severity for a set of findings.

        • (string) --

          • (integer) --

      • GroupedByAccount (list) --

Represents a list of accounts with the number of findings associated with each account.

        • (dict) --

An account together with the number of findings associated with it.

          • AccountId (string) --

            The ID of the Amazon Web Services account.

          • LastGeneratedAt (datetime) --

            The timestamp at which the finding for this account was last generated.

          • TotalFindings (integer) --

            The total number of findings associated with an account.

      • GroupedByDate (list) --

Represents a list of dates with the total number of findings generated on each date, per severity level.

        • (dict) --

A date together with the total number of findings generated on that date.

          • Date (datetime) --

            The timestamp when the total findings count is observed.

For example, Date would look like "2024-09-05T17:00:00-07:00" whereas LastGeneratedAt would look like "2024-09-05T17:12:29-07:00".

          • LastGeneratedAt (datetime) --

The timestamp at which the last finding in the findings count was generated.

          • Severity (float) --

            The severity of the findings generated on each date.

          • TotalFindings (integer) --

            The total number of findings that were generated per severity level on each date.

      • GroupedByFindingType (list) --

Represents a list of finding types with the total number of findings generated for each type.

        Based on the orderBy parameter, this request returns either the most occurring finding types or the least occurring finding types. If the orderBy parameter is ASC, this will represent the least occurring finding types in your account; otherwise, this will represent the most occurring finding types. The default value of orderBy is DESC.

        • (dict) --

          Information about each finding type associated with the groupedByFindingType statistics.

          • FindingType (string) --

            Name of the finding type.

          • LastGeneratedAt (datetime) --

            The timestamp at which this finding type was last generated in your environment.

          • TotalFindings (integer) --

The total number of findings generated for each distinct finding type.

      • GroupedByResource (list) --

Represents a list of the top resources with the total number of findings for each.

        • (dict) --

          Information about each resource type associated with the groupedByResource statistics.

          • AccountId (string) --

            The ID of the Amazon Web Services account.

          • LastGeneratedAt (datetime) --

The timestamp at which the statistics for this resource were last generated.

          • ResourceId (string) --

            ID associated with each resource. The following list provides the mapping of the resource type and resource ID.

            Mapping of resource and resource ID

            • AccessKey - resource.accessKeyDetails.accessKeyId

            • Container - resource.containerDetails.id

            • ECSCluster - resource.ecsClusterDetails.name

            • EKSCluster - resource.eksClusterDetails.name

            • Instance - resource.instanceDetails.instanceId

            • KubernetesCluster - resource.kubernetesDetails.kubernetesWorkloadDetails.name

            • Lambda - resource.lambdaDetails.functionName

            • RDSDBInstance - resource.rdsDbInstanceDetails.dbInstanceIdentifier

            • S3Bucket - resource.s3BucketDetails.name

            • S3Object - resource.s3BucketDetails.name

          • ResourceType (string) --

            The type of resource.

          • TotalFindings (integer) --

            The total number of findings associated with this resource.

      • GroupedBySeverity (list) --

Represents a list of the total number of findings for each severity level.

        • (dict) --

Information about a severity level and the findings associated with it.

          • LastGeneratedAt (datetime) --

            The timestamp at which a finding type for a specific severity was last generated.

          • Severity (float) --

            The severity level associated with each finding type.

          • TotalFindings (integer) --

            The total number of findings associated with this severity.

    • NextToken (string) --

      The pagination parameter to be used on the next list operation to retrieve more items.

      This parameter is currently not supported.

ListFindings (updated) Link ¶
Changes (request)
{'FindingCriteria': {'Criterion': {'Matches': ['string'],
                                   'NotMatches': ['string']}}}

Lists GuardDuty findings for the specified detector ID.

There might be regional differences because some flags might not be available in all the Regions where GuardDuty is currently supported. For more information, see Regions and endpoints.

See also: AWS API Documentation

Request Syntax

client.list_findings(
    DetectorId='string',
    FindingCriteria={
        'Criterion': {
            'string': {
                'Eq': [
                    'string',
                ],
                'Neq': [
                    'string',
                ],
                'Gt': 123,
                'Gte': 123,
                'Lt': 123,
                'Lte': 123,
                'Equals': [
                    'string',
                ],
                'NotEquals': [
                    'string',
                ],
                'GreaterThan': 123,
                'GreaterThanOrEqual': 123,
                'LessThan': 123,
                'LessThanOrEqual': 123,
                'Matches': [
                    'string',
                ],
                'NotMatches': [
                    'string',
                ]
            }
        }
    },
    SortCriteria={
        'AttributeName': 'string',
        'OrderBy': 'ASC'|'DESC'
    },
    MaxResults=123,
    NextToken='string'
)
type DetectorId:

string

param DetectorId:

[REQUIRED]

The ID of the detector that specifies the GuardDuty service whose findings you want to list.

To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.

type FindingCriteria:

dict

param FindingCriteria:

Represents the criteria used for querying findings. Valid values include:

  • JSON field name

  • accountId

  • region

  • confidence

  • id

  • resource.accessKeyDetails.accessKeyId

  • resource.accessKeyDetails.principalId

  • resource.accessKeyDetails.userName

  • resource.accessKeyDetails.userType

  • resource.instanceDetails.iamInstanceProfile.id

  • resource.instanceDetails.imageId

  • resource.instanceDetails.instanceId

  • resource.instanceDetails.networkInterfaces.ipv6Addresses

  • resource.instanceDetails.networkInterfaces.privateIpAddresses.privateIpAddress

  • resource.instanceDetails.networkInterfaces.publicDnsName

  • resource.instanceDetails.networkInterfaces.publicIp

  • resource.instanceDetails.networkInterfaces.securityGroups.groupId

  • resource.instanceDetails.networkInterfaces.securityGroups.groupName

  • resource.instanceDetails.networkInterfaces.subnetId

  • resource.instanceDetails.networkInterfaces.vpcId

  • resource.instanceDetails.tags.key

  • resource.instanceDetails.tags.value

  • resource.resourceType

  • service.action.actionType

  • service.action.awsApiCallAction.api

  • service.action.awsApiCallAction.callerType

  • service.action.awsApiCallAction.remoteIpDetails.city.cityName

  • service.action.awsApiCallAction.remoteIpDetails.country.countryName

  • service.action.awsApiCallAction.remoteIpDetails.ipAddressV4

  • service.action.awsApiCallAction.remoteIpDetails.organization.asn

  • service.action.awsApiCallAction.remoteIpDetails.organization.asnOrg

  • service.action.awsApiCallAction.serviceName

  • service.action.dnsRequestAction.domain

  • service.action.dnsRequestAction.domainWithSuffix

  • service.action.networkConnectionAction.blocked

  • service.action.networkConnectionAction.connectionDirection

  • service.action.networkConnectionAction.localPortDetails.port

  • service.action.networkConnectionAction.protocol

  • service.action.networkConnectionAction.remoteIpDetails.country.countryName

  • service.action.networkConnectionAction.remoteIpDetails.ipAddressV4

  • service.action.networkConnectionAction.remoteIpDetails.organization.asn

  • service.action.networkConnectionAction.remoteIpDetails.organization.asnOrg

  • service.action.networkConnectionAction.remotePortDetails.port

  • service.additionalInfo.threatListName

  • service.archived When this attribute is set to 'true', only archived findings are listed. When it's set to 'false', only unarchived findings are listed. When this attribute is not set, all existing findings are listed.

  • service.ebsVolumeScanDetails.scanId

  • service.resourceRole

  • severity

  • type

  • updatedAt Type: Timestamp in Unix Epoch millisecond format: 1486685375000

  • Criterion (dict) --

    Represents a map of finding properties that match specified conditions and values when querying findings.

    • (string) --

      • (dict) --

        Contains information about the condition.

        • Eq (list) --

          Represents the equal condition to be applied to a single field when querying for findings.

          • (string) --

        • Neq (list) --

          Represents the not equal condition to be applied to a single field when querying for findings.

          • (string) --

        • Gt (integer) --

          Represents a greater than condition to be applied to a single field when querying for findings.

        • Gte (integer) --

          Represents a greater than or equal condition to be applied to a single field when querying for findings.

        • Lt (integer) --

          Represents a less than condition to be applied to a single field when querying for findings.

        • Lte (integer) --

          Represents a less than or equal condition to be applied to a single field when querying for findings.

        • Equals (list) --

          Represents an equal condition to be applied to a single field when querying for findings.

          • (string) --

        • NotEquals (list) --

          Represents a not equal condition to be applied to a single field when querying for findings.

          • (string) --

        • GreaterThan (integer) --

          Represents a greater than condition to be applied to a single field when querying for findings.

        • GreaterThanOrEqual (integer) --

          Represents a greater than or equal condition to be applied to a single field when querying for findings.

        • LessThan (integer) --

          Represents a less than condition to be applied to a single field when querying for findings.

        • LessThanOrEqual (integer) --

          Represents a less than or equal condition to be applied to a single field when querying for findings.

        • Matches (list) --

          Represents the match condition to be applied to a single field when querying for findings.

          • (string) --

        • NotMatches (list) --

          Represents the not match condition to be applied to a single field when querying for findings.

          • (string) --

type SortCriteria:

dict

param SortCriteria:

Represents the criteria used for sorting findings.

  • AttributeName (string) --

    Represents the finding attribute, such as accountId, that sorts the findings.

  • OrderBy (string) --

    The order by which the sorted findings are to be displayed.

type MaxResults:

integer

param MaxResults:

You can use this parameter to indicate the maximum number of items you want in the response. The default value is 50. The maximum value is 50.

type NextToken:

string

param NextToken:

You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.

rtype:

dict

returns:

Response Syntax

{
    'FindingIds': [
        'string',
    ],
    'NextToken': 'string'
}

Response Structure

  • (dict) --

    • FindingIds (list) --

      The IDs of the findings that you're listing.

      • (string) --

    • NextToken (string) --

      The pagination parameter to be used on the next list operation to retrieve more items.
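An added example, not part of this changelog or the GuardDuty SDK: it builds a FindingCriteria in the request shape shown above, evaluates it locally against constructed sample findings to illustrate the new Matches/NotMatches conditions alongside the older operators, and walks ListFindings pages through NextToken against a constructed fake client. The '*' glob reading of Matches, the sample findings, the detector ID placeholder and the FakeGuardDuty class are assumptions; the evaluation logic is written here for illustration and is not the service's own.

```python
import operator
from fnmatch import fnmatchcase
from typing import Any, Callable, Dict, Iterator, List, Optional

# Condition operators exactly as listed in the FindingCriteria request syntax above.
LIST_OPS = {"Eq", "Neq", "Equals", "NotEquals", "Matches", "NotMatches"}
NUM_OPS = {"Gt": operator.gt, "GreaterThan": operator.gt, "Gte": operator.ge,
           "GreaterThanOrEqual": operator.ge, "Lt": operator.lt, "LessThan": operator.lt,
           "Lte": operator.le, "LessThanOrEqual": operator.le}

def build_criteria(conditions: Dict[str, Dict[str, Any]]) -> dict:
    """Wrap {field: {operator: value}} in the request shape, rejecting unknown operators."""
    for field, ops in conditions.items():
        for op in ops:
            if op not in LIST_OPS and op not in NUM_OPS:
                raise ValueError(f"unknown condition {op!r} for field {field!r}")
    return {"Criterion": conditions}

def _values_at(obj: Any, path: str) -> List[Any]:
    """Collect every value at a dotted field path; lists met on the way are fanned out."""
    current = [obj]
    for part in path.split("."):
        current = [n[part] for node in current for n in (node if isinstance(node, list) else [node])
                   if isinstance(n, dict) and part in n]
    return [v for node in current for v in (node if isinstance(node, list) else [node])]

def matches_criteria(finding: dict, criteria: dict) -> bool:
    """Evaluate a FindingCriteria locally against one finding dict. Assumption: Matches and
    NotMatches treat '*' as a glob wildcard; this page does not spell out the service's syntax."""
    for field, ops in criteria["Criterion"].items():
        values = _values_at(finding, field)
        # Booleans are written as 'true'/'false' in criteria (see service.archived above).
        texts = [str(v).lower() if isinstance(v, bool) else str(v) for v in values]
        nums = [v for v in values if isinstance(v, (int, float)) and not isinstance(v, bool)]
        for op, arg in ops.items():
            if op in ("Eq", "Equals"):
                ok = any(t in arg for t in texts)
            elif op in ("Neq", "NotEquals"):
                ok = not any(t in arg for t in texts)
            elif op in ("Matches", "NotMatches"):
                hit = any(fnmatchcase(t, p) for t in texts for p in arg)
                ok = hit if op == "Matches" else not hit
            elif op in NUM_OPS:
                ok = any(NUM_OPS[op](v, arg) for v in nums)
            else:
                raise ValueError(f"unknown condition {op!r}")
            if not ok:
                return False
    return True

def iter_finding_ids(list_findings: Callable[..., dict], detector_id: str,
                     criteria: dict, page_size: int = 50) -> Iterator[str]:
    """Follow NextToken until the service stops returning one; MaxResults is capped at 50."""
    if not 1 <= page_size <= 50:
        raise ValueError("MaxResults must be between 1 and 50")
    token: Optional[str] = None
    while True:
        kwargs = {"DetectorId": detector_id, "FindingCriteria": criteria, "MaxResults": page_size}
        if token:
            kwargs["NextToken"] = token
        page = list_findings(**kwargs)
        yield from page["FindingIds"]
        token = page.get("NextToken")
        if not token:
            return

class FakeGuardDuty:
    """Constructed stand-in for the boto3 client (not the real SDK): filters in memory and pages."""
    def __init__(self, findings: List[dict]) -> None:
        self.findings, self.calls = findings, 0

    def list_findings(self, DetectorId: str, FindingCriteria: dict,
                      MaxResults: int = 50, NextToken: str = "") -> dict:
        self.calls += 1
        ids = [f["id"] for f in self.findings if matches_criteria(f, FindingCriteria)]
        start = int(NextToken) if NextToken else 0
        result = {"FindingIds": ids[start:start + MaxResults]}
        if start + MaxResults < len(ids):
            result["NextToken"] = str(start + MaxResults)
        return result

# Constructed sample findings using field names from the FindingCriteria list above.
SAMPLE_FINDINGS = [
    {"id": "f-1", "type": "Backdoor:EC2/C&CActivity.B!DNS", "severity": 8.0,
     "resource": {"instanceDetails": {"instanceId": "i-0aaa111"}}, "service": {"archived": False}},
    {"id": "f-2", "type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 2.0,
     "resource": {"instanceDetails": {"instanceId": "i-0bbb222"}}, "service": {"archived": False}},
    {"id": "f-3", "type": "Backdoor:EC2/DenialOfService.Dns", "severity": 5.0,
     "resource": {"instanceDetails": {"instanceId": "i-0ccc333"}}, "service": {"archived": True}},
    {"id": "f-4", "type": "Backdoor:EC2/Spambot", "severity": 5.0,
     "resource": {"instanceDetails": {"instanceId": "i-0ddd444"}}, "service": {"archived": False}},
]

def unarchived_backdoor_ids(client, detector_id: str = "DETECTOR_ID_PLACEHOLDER") -> List[str]:
    """Worked query: unarchived Backdoor:EC2/* findings of severity >= 4, fetched one per page."""
    criteria = build_criteria({"type": {"Matches": ["Backdoor:EC2/*"]}, "severity": {"Gte": 4},
                               "service.archived": {"Eq": ["false"]}})
    return list(iter_finding_ids(client.list_findings, detector_id, criteria, page_size=1))
```

Swapping FakeGuardDuty for `boto3.client("guardduty")` leaves iter_finding_ids unchanged, since it only relies on the FindingIds/NextToken shape documented above.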

UpdateFilter (updated) Link ¶
Changes (request)
{'FindingCriteria': {'Criterion': {'Matches': ['string'],
                                   'NotMatches': ['string']}}}

Updates the filter specified by the filter name.

See also: AWS API Documentation

Request Syntax

client.update_filter(
    DetectorId='string',
    FilterName='string',
    Description='string',
    Action='NOOP'|'ARCHIVE',
    Rank=123,
    FindingCriteria={
        'Criterion': {
            'string': {
                'Eq': [
                    'string',
                ],
                'Neq': [
                    'string',
                ],
                'Gt': 123,
                'Gte': 123,
                'Lt': 123,
                'Lte': 123,
                'Equals': [
                    'string',
                ],
                'NotEquals': [
                    'string',
                ],
                'GreaterThan': 123,
                'GreaterThanOrEqual': 123,
                'LessThan': 123,
                'LessThanOrEqual': 123,
                'Matches': [
                    'string',
                ],
                'NotMatches': [
                    'string',
                ]
            }
        }
    }
)
type DetectorId:

string

param DetectorId:

[REQUIRED]

The unique ID of the detector that specifies the GuardDuty service where you want to update a filter.

To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.

type FilterName:

string

param FilterName:

[REQUIRED]

The name of the filter.

type Description:

string

param Description:

The description of the filter. Valid characters include alphanumeric characters, and special characters such as hyphen, period, colon, underscore, brackets and parentheses ({ }, [ ], and ( )), forward slash, horizontal tab, vertical tab, newline, form feed, return, and whitespace.

type Action:

string

param Action:

Specifies the action that is to be applied to the findings that match the filter.

type Rank:

integer

param Rank:

Specifies the position of the filter in the list of current filters. Also specifies the order in which this filter is applied to the findings.

type FindingCriteria:

dict

param FindingCriteria:

Represents the criteria to be used in the filter for querying findings.

  • Criterion (dict) --

    Represents a map of finding properties that match specified conditions and values when querying findings.

    • (string) --

      • (dict) --

        Contains information about the condition.

        • Eq (list) --

          Represents the equal condition to be applied to a single field when querying for findings.

          • (string) --

        • Neq (list) --

          Represents the not equal condition to be applied to a single field when querying for findings.

          • (string) --

        • Gt (integer) --

          Represents a greater than condition to be applied to a single field when querying for findings.

        • Gte (integer) --

          Represents a greater than or equal condition to be applied to a single field when querying for findings.

        • Lt (integer) --

          Represents a less than condition to be applied to a single field when querying for findings.

        • Lte (integer) --

          Represents a less than or equal condition to be applied to a single field when querying for findings.

        • Equals (list) --

          Represents an equal condition to be applied to a single field when querying for findings.

          • (string) --

        • NotEquals (list) --

          Represents a not equal condition to be applied to a single field when querying for findings.

          • (string) --

        • GreaterThan (integer) --

          Represents a greater than condition to be applied to a single field when querying for findings.

        • GreaterThanOrEqual (integer) --

          Represents a greater than or equal condition to be applied to a single field when querying for findings.

        • LessThan (integer) --

          Represents a less than condition to be applied to a single field when querying for findings.

        • LessThanOrEqual (integer) --

          Represents a less than or equal condition to be applied to a single field when querying for findings.

        • Matches (list) --

          Represents the match condition to be applied to a single field when querying for findings.

          • (string) --

        • NotMatches (list) --

          Represents the not match condition to be applied to a single field when querying for findings.

          • (string) --

rtype:

dict

returns:

Response Syntax

{
    'Name': 'string'
}

Response Structure

  • (dict) --

    • Name (string) --

      The name of the filter.