2022/01/25 - Amazon GuardDuty - 9 updated api methods
Changes Amazon GuardDuty expands threat detection coverage to protect Amazon Elastic Kubernetes Service (EKS) workloads.
{'DataSources': {'Kubernetes': {'AuditLogs': {'Enable': 'boolean'}}}}
Creates a single Amazon GuardDuty detector. A detector is a resource that represents the GuardDuty service. To start using GuardDuty, you must create a detector in each Region where you enable the service. You can have only one detector per account per Region. All data sources are enabled in a new detector by default.
See also: AWS API Documentation
Request Syntax
client.create_detector(
Enable=True|False,
ClientToken='string',
FindingPublishingFrequency='FIFTEEN_MINUTES'|'ONE_HOUR'|'SIX_HOURS',
DataSources={
'S3Logs': {
'Enable': True|False
},
'Kubernetes': {
'AuditLogs': {
'Enable': True|False
}
}
},
Tags={
'string': 'string'
}
)
boolean
[REQUIRED]
A Boolean value that specifies whether the detector is to be enabled.
string
The idempotency token for the create request.
This field is autopopulated if not provided.
string
A value that specifies how frequently updated findings are exported.
dict
Describes which data sources will be enabled for the detector.
S3Logs (dict) --
Describes whether S3 data event logs are enabled as a data source.
Enable (boolean) -- [REQUIRED]
The status of S3 data event logs as a data source.
Kubernetes (dict) --
Describes whether any Kubernetes logs are enabled as data sources.
AuditLogs (dict) -- [REQUIRED]
The status of Kubernetes audit logs as a data source.
Enable (boolean) -- [REQUIRED]
The status of Kubernetes audit logs as a data source.
dict
The tags to be added to a new detector resource.
(string) --
(string) --
dict
Response Syntax
{
'DetectorId': 'string'
}
Response Structure
(dict) --
DetectorId (string) --
The unique ID of the created detector.
{'DataSources': {'Kubernetes': {'AuditLogs': {'AutoEnable': 'boolean'}}}}
Returns information about the account selected as the delegated administrator for GuardDuty.
See also: AWS API Documentation
Request Syntax
client.describe_organization_configuration(
DetectorId='string'
)
string
[REQUIRED]
The ID of the detector to retrieve information about the delegated administrator from.
dict
Response Syntax
{
'AutoEnable': True|False,
'MemberAccountLimitReached': True|False,
'DataSources': {
'S3Logs': {
'AutoEnable': True|False
},
'Kubernetes': {
'AuditLogs': {
'AutoEnable': True|False
}
}
}
}
Response Structure
(dict) --
AutoEnable (boolean) --
Indicates whether GuardDuty is automatically enabled for accounts added to the organization.
MemberAccountLimitReached (boolean) --
Indicates whether the maximum number of allowed member accounts are already associated with the delegated administrator account for your organization.
DataSources (dict) --
Describes which data sources are enabled automatically for member accounts.
S3Logs (dict) --
Describes whether S3 data event logs are enabled as a data source.
AutoEnable (boolean) --
A value that describes whether S3 data event logs are automatically enabled for new members of the organization.
Kubernetes (dict) --
Describes the configuration of Kubernetes data sources.
AuditLogs (dict) --
The current configuration of Kubernetes audit logs as a data source for the organization.
AutoEnable (boolean) --
Whether Kubernetes audit logs data source should be auto-enabled for new members joining the organization.
{'DataSources': {'Kubernetes': {'AuditLogs': {'Status': 'ENABLED | DISABLED'}}}}
Retrieves an Amazon GuardDuty detector specified by the detectorId.
See also: AWS API Documentation
Request Syntax
client.get_detector(
DetectorId='string'
)
string
[REQUIRED]
The unique ID of the detector that you want to get.
dict
Response Syntax
{
'CreatedAt': 'string',
'FindingPublishingFrequency': 'FIFTEEN_MINUTES'|'ONE_HOUR'|'SIX_HOURS',
'ServiceRole': 'string',
'Status': 'ENABLED'|'DISABLED',
'UpdatedAt': 'string',
'DataSources': {
'CloudTrail': {
'Status': 'ENABLED'|'DISABLED'
},
'DNSLogs': {
'Status': 'ENABLED'|'DISABLED'
},
'FlowLogs': {
'Status': 'ENABLED'|'DISABLED'
},
'S3Logs': {
'Status': 'ENABLED'|'DISABLED'
},
'Kubernetes': {
'AuditLogs': {
'Status': 'ENABLED'|'DISABLED'
}
}
},
'Tags': {
'string': 'string'
}
}
Response Structure
(dict) --
CreatedAt (string) --
The timestamp of when the detector was created.
FindingPublishingFrequency (string) --
The publishing frequency of the finding.
ServiceRole (string) --
The GuardDuty service role.
Status (string) --
The detector status.
UpdatedAt (string) --
The last-updated timestamp for the detector.
DataSources (dict) --
Describes which data sources are enabled for the detector.
CloudTrail (dict) --
An object that contains information on the status of CloudTrail as a data source.
Status (string) --
Describes whether CloudTrail is enabled as a data source for the detector.
DNSLogs (dict) --
An object that contains information on the status of DNS logs as a data source.
Status (string) --
Denotes whether DNS logs is enabled as a data source.
FlowLogs (dict) --
An object that contains information on the status of VPC flow logs as a data source.
Status (string) --
Denotes whether VPC flow logs is enabled as a data source.
S3Logs (dict) --
An object that contains information on the status of S3 Data event logs as a data source.
Status (string) --
A value that describes whether S3 data event logs are automatically enabled for new members of the organization.
Kubernetes (dict) --
An object that contains information on the status of all Kubernetes data sources.
AuditLogs (dict) --
Describes whether Kubernetes audit logs are enabled as a data source.
Status (string) --
A value that describes whether Kubernetes audit logs are enabled as a data source.
Tags (dict) --
The tags of the detector resource.
(string) --
(string) --
{'Findings': {'Resource': {'EksClusterDetails': {'Arn': 'string',
'CreatedAt': 'timestamp',
'Name': 'string',
'Status': 'string',
'Tags': [{'Key': 'string',
'Value': 'string'}],
'VpcId': 'string'},
'KubernetesDetails': {'KubernetesUserDetails': {'Groups': ['string'],
'Uid': 'string',
'Username': 'string'},
'KubernetesWorkloadDetails': {'Containers': [{'ContainerRuntime': 'string',
'Id': 'string',
'Image': 'string',
'ImagePrefix': 'string',
'Name': 'string',
'SecurityContext': {'Privileged': 'boolean'},
'VolumeMounts': [{'MountPath': 'string',
'Name': 'string'}]}],
'HostNetwork': 'boolean',
'Name': 'string',
'Namespace': 'string',
'Type': 'string',
'Uid': 'string',
'Volumes': [{'HostPath': {'Path': 'string'},
'Name': 'string'}]}}},
'Service': {'Action': {'AwsApiCallAction': {'UserAgent': 'string'},
'KubernetesApiCallAction': {'Parameters': 'string',
'RemoteIpDetails': {'City': {'CityName': 'string'},
'Country': {'CountryCode': 'string',
'CountryName': 'string'},
'GeoLocation': {'Lat': 'double',
'Lon': 'double'},
'IpAddressV4': 'string',
'Organization': {'Asn': 'string',
'AsnOrg': 'string',
'Isp': 'string',
'Org': 'string'}},
'RequestUri': 'string',
'SourceIps': ['string'],
'StatusCode': 'integer',
'UserAgent': 'string',
'Verb': 'string'}}}}}
Describes Amazon GuardDuty findings specified by finding IDs.
See also: AWS API Documentation
Request Syntax
client.get_findings(
DetectorId='string',
FindingIds=[
'string',
],
SortCriteria={
'AttributeName': 'string',
'OrderBy': 'ASC'|'DESC'
}
)
string
[REQUIRED]
The ID of the detector that specifies the GuardDuty service whose findings you want to retrieve.
list
[REQUIRED]
The IDs of the findings that you want to retrieve.
(string) --
dict
Represents the criteria used for sorting findings.
AttributeName (string) --
Represents the finding attribute (for example, accountId) to sort findings by.
OrderBy (string) --
The order by which the sorted findings are to be displayed.
dict
Response Syntax
{
'Findings': [
{
'AccountId': 'string',
'Arn': 'string',
'Confidence': 123.0,
'CreatedAt': 'string',
'Description': 'string',
'Id': 'string',
'Partition': 'string',
'Region': 'string',
'Resource': {
'AccessKeyDetails': {
'AccessKeyId': 'string',
'PrincipalId': 'string',
'UserName': 'string',
'UserType': 'string'
},
'S3BucketDetails': [
{
'Arn': 'string',
'Name': 'string',
'Type': 'string',
'CreatedAt': datetime(2015, 1, 1),
'Owner': {
'Id': 'string'
},
'Tags': [
{
'Key': 'string',
'Value': 'string'
},
],
'DefaultServerSideEncryption': {
'EncryptionType': 'string',
'KmsMasterKeyArn': 'string'
},
'PublicAccess': {
'PermissionConfiguration': {
'BucketLevelPermissions': {
'AccessControlList': {
'AllowsPublicReadAccess': True|False,
'AllowsPublicWriteAccess': True|False
},
'BucketPolicy': {
'AllowsPublicReadAccess': True|False,
'AllowsPublicWriteAccess': True|False
},
'BlockPublicAccess': {
'IgnorePublicAcls': True|False,
'RestrictPublicBuckets': True|False,
'BlockPublicAcls': True|False,
'BlockPublicPolicy': True|False
}
},
'AccountLevelPermissions': {
'BlockPublicAccess': {
'IgnorePublicAcls': True|False,
'RestrictPublicBuckets': True|False,
'BlockPublicAcls': True|False,
'BlockPublicPolicy': True|False
}
}
},
'EffectivePermission': 'string'
}
},
],
'InstanceDetails': {
'AvailabilityZone': 'string',
'IamInstanceProfile': {
'Arn': 'string',
'Id': 'string'
},
'ImageDescription': 'string',
'ImageId': 'string',
'InstanceId': 'string',
'InstanceState': 'string',
'InstanceType': 'string',
'OutpostArn': 'string',
'LaunchTime': 'string',
'NetworkInterfaces': [
{
'Ipv6Addresses': [
'string',
],
'NetworkInterfaceId': 'string',
'PrivateDnsName': 'string',
'PrivateIpAddress': 'string',
'PrivateIpAddresses': [
{
'PrivateDnsName': 'string',
'PrivateIpAddress': 'string'
},
],
'PublicDnsName': 'string',
'PublicIp': 'string',
'SecurityGroups': [
{
'GroupId': 'string',
'GroupName': 'string'
},
],
'SubnetId': 'string',
'VpcId': 'string'
},
],
'Platform': 'string',
'ProductCodes': [
{
'Code': 'string',
'ProductType': 'string'
},
],
'Tags': [
{
'Key': 'string',
'Value': 'string'
},
]
},
'EksClusterDetails': {
'Name': 'string',
'Arn': 'string',
'VpcId': 'string',
'Status': 'string',
'Tags': [
{
'Key': 'string',
'Value': 'string'
},
],
'CreatedAt': datetime(2015, 1, 1)
},
'KubernetesDetails': {
'KubernetesUserDetails': {
'Username': 'string',
'Uid': 'string',
'Groups': [
'string',
]
},
'KubernetesWorkloadDetails': {
'Name': 'string',
'Type': 'string',
'Uid': 'string',
'Namespace': 'string',
'HostNetwork': True|False,
'Containers': [
{
'ContainerRuntime': 'string',
'Id': 'string',
'Name': 'string',
'Image': 'string',
'ImagePrefix': 'string',
'VolumeMounts': [
{
'Name': 'string',
'MountPath': 'string'
},
],
'SecurityContext': {
'Privileged': True|False
}
},
],
'Volumes': [
{
'Name': 'string',
'HostPath': {
'Path': 'string'
}
},
]
}
},
'ResourceType': 'string'
},
'SchemaVersion': 'string',
'Service': {
'Action': {
'ActionType': 'string',
'AwsApiCallAction': {
'Api': 'string',
'CallerType': 'string',
'DomainDetails': {
'Domain': 'string'
},
'ErrorCode': 'string',
'UserAgent': 'string',
'RemoteIpDetails': {
'City': {
'CityName': 'string'
},
'Country': {
'CountryCode': 'string',
'CountryName': 'string'
},
'GeoLocation': {
'Lat': 123.0,
'Lon': 123.0
},
'IpAddressV4': 'string',
'Organization': {
'Asn': 'string',
'AsnOrg': 'string',
'Isp': 'string',
'Org': 'string'
}
},
'ServiceName': 'string',
'RemoteAccountDetails': {
'AccountId': 'string',
'Affiliated': True|False
}
},
'DnsRequestAction': {
'Domain': 'string'
},
'NetworkConnectionAction': {
'Blocked': True|False,
'ConnectionDirection': 'string',
'LocalPortDetails': {
'Port': 123,
'PortName': 'string'
},
'Protocol': 'string',
'LocalIpDetails': {
'IpAddressV4': 'string'
},
'RemoteIpDetails': {
'City': {
'CityName': 'string'
},
'Country': {
'CountryCode': 'string',
'CountryName': 'string'
},
'GeoLocation': {
'Lat': 123.0,
'Lon': 123.0
},
'IpAddressV4': 'string',
'Organization': {
'Asn': 'string',
'AsnOrg': 'string',
'Isp': 'string',
'Org': 'string'
}
},
'RemotePortDetails': {
'Port': 123,
'PortName': 'string'
}
},
'PortProbeAction': {
'Blocked': True|False,
'PortProbeDetails': [
{
'LocalPortDetails': {
'Port': 123,
'PortName': 'string'
},
'LocalIpDetails': {
'IpAddressV4': 'string'
},
'RemoteIpDetails': {
'City': {
'CityName': 'string'
},
'Country': {
'CountryCode': 'string',
'CountryName': 'string'
},
'GeoLocation': {
'Lat': 123.0,
'Lon': 123.0
},
'IpAddressV4': 'string',
'Organization': {
'Asn': 'string',
'AsnOrg': 'string',
'Isp': 'string',
'Org': 'string'
}
}
},
]
},
'KubernetesApiCallAction': {
'RequestUri': 'string',
'Verb': 'string',
'SourceIps': [
'string',
],
'UserAgent': 'string',
'RemoteIpDetails': {
'City': {
'CityName': 'string'
},
'Country': {
'CountryCode': 'string',
'CountryName': 'string'
},
'GeoLocation': {
'Lat': 123.0,
'Lon': 123.0
},
'IpAddressV4': 'string',
'Organization': {
'Asn': 'string',
'AsnOrg': 'string',
'Isp': 'string',
'Org': 'string'
}
},
'StatusCode': 123,
'Parameters': 'string'
}
},
'Evidence': {
'ThreatIntelligenceDetails': [
{
'ThreatListName': 'string',
'ThreatNames': [
'string',
]
},
]
},
'Archived': True|False,
'Count': 123,
'DetectorId': 'string',
'EventFirstSeen': 'string',
'EventLastSeen': 'string',
'ResourceRole': 'string',
'ServiceName': 'string',
'UserFeedback': 'string'
},
'Severity': 123.0,
'Title': 'string',
'Type': 'string',
'UpdatedAt': 'string'
},
]
}
Response Structure
(dict) --
Findings (list) --
A list of findings.
(dict) --
Contains information about the finding, which is generated when abnormal or suspicious activity is detected.
AccountId (string) --
The ID of the account in which the finding was generated.
Arn (string) --
The ARN of the finding.
Confidence (float) --
The confidence score for the finding.
CreatedAt (string) --
The time and date when the finding was created.
Description (string) --
The description of the finding.
Id (string) --
The ID of the finding.
Partition (string) --
The partition associated with the finding.
Region (string) --
The Region where the finding was generated.
Resource (dict) --
Contains information about the Amazon Web Services resource associated with the activity that prompted GuardDuty to generate a finding.
AccessKeyDetails (dict) --
The IAM access key details (IAM user information) of a user that engaged in the activity that prompted GuardDuty to generate a finding.
AccessKeyId (string) --
The access key ID of the user.
PrincipalId (string) --
The principal ID of the user.
UserName (string) --
The name of the user.
UserType (string) --
The type of the user.
S3BucketDetails (list) --
Contains information on the S3 bucket.
(dict) --
Contains information on the S3 bucket.
Arn (string) --
The Amazon Resource Name (ARN) of the S3 bucket.
Name (string) --
The name of the S3 bucket.
Type (string) --
Describes whether the bucket is a source or destination bucket.
CreatedAt (datetime) --
The date and time the bucket was created at.
Owner (dict) --
The owner of the S3 bucket.
Id (string) --
The canonical user ID of the bucket owner. For information about locating your canonical user ID see Finding Your Account Canonical User ID.
Tags (list) --
All tags attached to the S3 bucket
(dict) --
Contains information about a tag associated with the EC2 instance.
Key (string) --
The EC2 instance tag key.
Value (string) --
The EC2 instance tag value.
DefaultServerSideEncryption (dict) --
Describes the server side encryption method used in the S3 bucket.
EncryptionType (string) --
The type of encryption used for objects within the S3 bucket.
KmsMasterKeyArn (string) --
The Amazon Resource Name (ARN) of the KMS encryption key. Only available if the bucket EncryptionType is aws:kms .
PublicAccess (dict) --
Describes the public access policies that apply to the S3 bucket.
PermissionConfiguration (dict) --
Contains information about how permissions are configured for the S3 bucket.
BucketLevelPermissions (dict) --
Contains information about the bucket level permissions for the S3 bucket.
AccessControlList (dict) --
Contains information on how Access Control Policies are applied to the bucket.
AllowsPublicReadAccess (boolean) --
A value that indicates whether public read access for the bucket is enabled through an Access Control List (ACL).
AllowsPublicWriteAccess (boolean) --
A value that indicates whether public write access for the bucket is enabled through an Access Control List (ACL).
BucketPolicy (dict) --
Contains information on the bucket policies for the S3 bucket.
AllowsPublicReadAccess (boolean) --
A value that indicates whether public read access for the bucket is enabled through a bucket policy.
AllowsPublicWriteAccess (boolean) --
A value that indicates whether public write access for the bucket is enabled through a bucket policy.
BlockPublicAccess (dict) --
Contains information on which account level S3 Block Public Access settings are applied to the S3 bucket.
IgnorePublicAcls (boolean) --
Indicates if S3 Block Public Access is set to IgnorePublicAcls .
RestrictPublicBuckets (boolean) --
Indicates if S3 Block Public Access is set to RestrictPublicBuckets .
BlockPublicAcls (boolean) --
Indicates if S3 Block Public Access is set to BlockPublicAcls .
BlockPublicPolicy (boolean) --
Indicates if S3 Block Public Access is set to BlockPublicPolicy .
AccountLevelPermissions (dict) --
Contains information about the account level permissions on the S3 bucket.
BlockPublicAccess (dict) --
Describes the S3 Block Public Access settings of the bucket's parent account.
IgnorePublicAcls (boolean) --
Indicates if S3 Block Public Access is set to IgnorePublicAcls .
RestrictPublicBuckets (boolean) --
Indicates if S3 Block Public Access is set to RestrictPublicBuckets .
BlockPublicAcls (boolean) --
Indicates if S3 Block Public Access is set to BlockPublicAcls .
BlockPublicPolicy (boolean) --
Indicates if S3 Block Public Access is set to BlockPublicPolicy .
EffectivePermission (string) --
Describes the effective permission on this bucket after factoring all attached policies.
InstanceDetails (dict) --
The information about the EC2 instance associated with the activity that prompted GuardDuty to generate a finding.
AvailabilityZone (string) --
The Availability Zone of the EC2 instance.
IamInstanceProfile (dict) --
The profile information of the EC2 instance.
Arn (string) --
The profile ARN of the EC2 instance.
Id (string) --
The profile ID of the EC2 instance.
ImageDescription (string) --
The image description of the EC2 instance.
ImageId (string) --
The image ID of the EC2 instance.
InstanceId (string) --
The ID of the EC2 instance.
InstanceState (string) --
The state of the EC2 instance.
InstanceType (string) --
The type of the EC2 instance.
OutpostArn (string) --
The Amazon Resource Name (ARN) of the Amazon Web Services Outpost. Only applicable to Amazon Web Services Outposts instances.
LaunchTime (string) --
The launch time of the EC2 instance.
NetworkInterfaces (list) --
The elastic network interface information of the EC2 instance.
(dict) --
Contains information about the elastic network interface of the EC2 instance.
Ipv6Addresses (list) --
A list of IPv6 addresses for the EC2 instance.
(string) --
NetworkInterfaceId (string) --
The ID of the network interface.
PrivateDnsName (string) --
The private DNS name of the EC2 instance.
PrivateIpAddress (string) --
The private IP address of the EC2 instance.
PrivateIpAddresses (list) --
Other private IP address information of the EC2 instance.
(dict) --
Contains other private IP address information of the EC2 instance.
PrivateDnsName (string) --
The private DNS name of the EC2 instance.
PrivateIpAddress (string) --
The private IP address of the EC2 instance.
PublicDnsName (string) --
The public DNS name of the EC2 instance.
PublicIp (string) --
The public IP address of the EC2 instance.
SecurityGroups (list) --
The security groups associated with the EC2 instance.
(dict) --
Contains information about the security groups associated with the EC2 instance.
GroupId (string) --
The security group ID of the EC2 instance.
GroupName (string) --
The security group name of the EC2 instance.
SubnetId (string) --
The subnet ID of the EC2 instance.
VpcId (string) --
The VPC ID of the EC2 instance.
Platform (string) --
The platform of the EC2 instance.
ProductCodes (list) --
The product code of the EC2 instance.
(dict) --
Contains information about the product code for the EC2 instance.
Code (string) --
The product code information.
ProductType (string) --
The product code type.
Tags (list) --
The tags of the EC2 instance.
(dict) --
Contains information about a tag associated with the EC2 instance.
Key (string) --
The EC2 instance tag key.
Value (string) --
The EC2 instance tag value.
EksClusterDetails (dict) --
Details about the EKS cluster involved in a Kubernetes finding.
Name (string) --
EKS cluster name.
Arn (string) --
EKS cluster ARN.
VpcId (string) --
The VPC ID to which the EKS cluster is attached.
Status (string) --
The EKS cluster status.
Tags (list) --
The EKS cluster tags.
(dict) --
Contains information about a tag associated with the EC2 instance.
Key (string) --
The EC2 instance tag key.
Value (string) --
The EC2 instance tag value.
CreatedAt (datetime) --
The timestamp when the EKS cluster was created.
KubernetesDetails (dict) --
Details about the Kubernetes user and workload involved in a Kubernetes finding.
KubernetesUserDetails (dict) --
Details about the Kubernetes user involved in a Kubernetes finding.
Username (string) --
The username of the user who called the Kubernetes API.
Uid (string) --
The user ID of the user who called the Kubernetes API.
Groups (list) --
The groups that include the user who called the Kubernetes API.
(string) --
KubernetesWorkloadDetails (dict) --
Details about the Kubernetes workload involved in a Kubernetes finding.
Name (string) --
Kubernetes workload name.
Type (string) --
Kubernetes workload type (e.g. Pod, Deployment, etc.).
Uid (string) --
Kubernetes workload ID.
Namespace (string) --
Kubernetes namespace that the workload is part of.
HostNetwork (boolean) --
Whether the hostNetwork flag is enabled for the pods included in the workload.
Containers (list) --
Containers running as part of the Kubernetes workload.
(dict) --
Details of a container.
ContainerRuntime (string) --
The container runtime (such as, Docker or containerd) used to run the container.
Id (string) --
Container ID.
Name (string) --
Container name.
Image (string) --
Container image.
ImagePrefix (string) --
Part of the image name before the last slash. For example, imagePrefix for public.ecr.aws/amazonlinux/amazonlinux:latest would be public.ecr.aws/amazonlinux. If the image name is relative and does not have a slash, this field is empty.
VolumeMounts (list) --
Container volume mounts.
(dict) --
Container volume mount.
Name (string) --
Volume mount name.
MountPath (string) --
Volume mount path.
SecurityContext (dict) --
Container security context.
Privileged (boolean) --
Whether the container is privileged.
Volumes (list) --
Volumes used by the Kubernetes workload.
(dict) --
Volume used by the Kubernetes workload.
Name (string) --
Volume name.
HostPath (dict) --
Represents a pre-existing file or directory on the host machine that the volume maps to.
Path (string) --
Path of the file or directory on the host that the volume maps to.
ResourceType (string) --
The type of Amazon Web Services resource.
SchemaVersion (string) --
The version of the schema used for the finding.
Service (dict) --
Contains additional information about the generated finding.
Action (dict) --
Information about the activity that is described in a finding.
ActionType (string) --
The GuardDuty finding activity type.
AwsApiCallAction (dict) --
Information about the AWS_API_CALL action described in this finding.
Api (string) --
The Amazon Web Services API name.
CallerType (string) --
The Amazon Web Services API caller type.
DomainDetails (dict) --
The domain information for the Amazon Web Services API call.
Domain (string) --
The domain information for the Amazon Web Services API call.
ErrorCode (string) --
The error code of the failed Amazon Web Services API action.
UserAgent (string) --
RemoteIpDetails (dict) --
The remote IP information of the connection that initiated the Amazon Web Services API call.
City (dict) --
The city information of the remote IP address.
CityName (string) --
The city name of the remote IP address.
Country (dict) --
The country code of the remote IP address.
CountryCode (string) --
The country code of the remote IP address.
CountryName (string) --
The country name of the remote IP address.
GeoLocation (dict) --
The location information of the remote IP address.
Lat (float) --
The latitude information of the remote IP address.
Lon (float) --
The longitude information of the remote IP address.
IpAddressV4 (string) --
The IPv4 remote address of the connection.
Organization (dict) --
The ISP organization information of the remote IP address.
Asn (string) --
The Autonomous System Number (ASN) of the internet provider of the remote IP address.
AsnOrg (string) --
The organization that registered this ASN.
Isp (string) --
The ISP information for the internet provider.
Org (string) --
The name of the internet provider.
ServiceName (string) --
The Amazon Web Services service name whose API was invoked.
RemoteAccountDetails (dict) --
The details of the Amazon Web Services account that made the API call. This field appears if the call was made from outside your account.
AccountId (string) --
The Amazon Web Services account ID of the remote API caller.
Affiliated (boolean) --
Details on whether the Amazon Web Services account of the remote API caller is related to your GuardDuty environment. If this value is True the API caller is affiliated to your account in some way. If it is False the API caller is from outside your environment.
DnsRequestAction (dict) --
Information about the DNS_REQUEST action described in this finding.
Domain (string) --
The domain information for the API request.
NetworkConnectionAction (dict) --
Information about the NETWORK_CONNECTION action described in this finding.
Blocked (boolean) --
Indicates whether EC2 blocked the network connection to your instance.
ConnectionDirection (string) --
The network connection direction.
LocalPortDetails (dict) --
The local port information of the connection.
Port (integer) --
The port number of the local connection.
PortName (string) --
The port name of the local connection.
Protocol (string) --
The network connection protocol.
LocalIpDetails (dict) --
The local IP information of the connection.
IpAddressV4 (string) --
The IPv4 local address of the connection.
RemoteIpDetails (dict) --
The remote IP information of the connection.
City (dict) --
The city information of the remote IP address.
CityName (string) --
The city name of the remote IP address.
Country (dict) --
The country code of the remote IP address.
CountryCode (string) --
The country code of the remote IP address.
CountryName (string) --
The country name of the remote IP address.
GeoLocation (dict) --
The location information of the remote IP address.
Lat (float) --
The latitude information of the remote IP address.
Lon (float) --
The longitude information of the remote IP address.
IpAddressV4 (string) --
The IPv4 remote address of the connection.
Organization (dict) --
The ISP organization information of the remote IP address.
Asn (string) --
The Autonomous System Number (ASN) of the internet provider of the remote IP address.
AsnOrg (string) --
The organization that registered this ASN.
Isp (string) --
The ISP information for the internet provider.
Org (string) --
The name of the internet provider.
RemotePortDetails (dict) --
The remote port information of the connection.
Port (integer) --
The port number of the remote connection.
PortName (string) --
The port name of the remote connection.
PortProbeAction (dict) --
Information about the PORT_PROBE action described in this finding.
Blocked (boolean) --
Indicates whether EC2 blocked the port probe to the instance, such as with an ACL.
PortProbeDetails (list) --
A list of objects related to port probe details.
(dict) --
Contains information about the port probe details.
LocalPortDetails (dict) --
The local port information of the connection.
Port (integer) --
The port number of the local connection.
PortName (string) --
The port name of the local connection.
LocalIpDetails (dict) --
The local IP information of the connection.
IpAddressV4 (string) --
The IPv4 local address of the connection.
RemoteIpDetails (dict) --
The remote IP information of the connection.
City (dict) --
The city information of the remote IP address.
CityName (string) --
The city name of the remote IP address.
Country (dict) --
The country code of the remote IP address.
CountryCode (string) --
The country code of the remote IP address.
CountryName (string) --
The country name of the remote IP address.
GeoLocation (dict) --
The location information of the remote IP address.
Lat (float) --
The latitude information of the remote IP address.
Lon (float) --
The longitude information of the remote IP address.
IpAddressV4 (string) --
The IPv4 remote address of the connection.
Organization (dict) --
The ISP organization information of the remote IP address.
Asn (string) --
The Autonomous System Number (ASN) of the internet provider of the remote IP address.
AsnOrg (string) --
The organization that registered this ASN.
Isp (string) --
The ISP information for the internet provider.
Org (string) --
The name of the internet provider.
KubernetesApiCallAction (dict) --
Information about the Kubernetes API call action described in this finding.
RequestUri (string) --
The Kubernetes API request URI.
Verb (string) --
The Kubernetes API request HTTP verb.
SourceIps (list) --
The IP of the Kubernetes API caller and the IPs of any proxies or load balancers between the caller and the API endpoint.
(string) --
UserAgent (string) --
The user agent of the caller of the Kubernetes API.
RemoteIpDetails (dict) --
Contains information about the remote IP address of the connection.
City (dict) --
The city information of the remote IP address.
CityName (string) --
The city name of the remote IP address.
Country (dict) --
The country code of the remote IP address.
CountryCode (string) --
The country code of the remote IP address.
CountryName (string) --
The country name of the remote IP address.
GeoLocation (dict) --
The location information of the remote IP address.
Lat (float) --
The latitude information of the remote IP address.
Lon (float) --
The longitude information of the remote IP address.
IpAddressV4 (string) --
The IPv4 remote address of the connection.
Organization (dict) --
The ISP organization information of the remote IP address.
Asn (string) --
The Autonomous System Number (ASN) of the internet provider of the remote IP address.
AsnOrg (string) --
The organization that registered this ASN.
Isp (string) --
The ISP information for the internet provider.
Org (string) --
The name of the internet provider.
StatusCode (integer) --
The resulting HTTP response code of the Kubernetes API call action.
Parameters (string) --
Parameters related to the Kubernetes API call action.
Evidence (dict) --
An evidence object associated with the service.
ThreatIntelligenceDetails (list) --
A list of threat intelligence details related to the evidence.
(dict) --
An instance of a threat intelligence detail that constitutes evidence for the finding.
ThreatListName (string) --
The name of the threat intelligence list that triggered the finding.
ThreatNames (list) --
A list of names of the threats in the threat intelligence list that triggered the finding.
(string) --
Archived (boolean) --
Indicates whether this finding is archived.
Count (integer) --
The total count of the occurrences of this finding type.
DetectorId (string) --
The detector ID for the GuardDuty service.
EventFirstSeen (string) --
The first-seen timestamp of the activity that prompted GuardDuty to generate this finding.
EventLastSeen (string) --
The last-seen timestamp of the activity that prompted GuardDuty to generate this finding.
ResourceRole (string) --
The resource role information for this finding.
ServiceName (string) --
The name of the Amazon Web Services service (GuardDuty) that generated a finding.
UserFeedback (string) --
Feedback that was submitted about the finding.
Severity (float) --
The severity of the finding.
Title (string) --
The title of the finding.
Type (string) --
The type of finding.
UpdatedAt (string) --
The time and date when the finding was last updated.
{'MemberDataSourceConfigurations': {'DataSources': {'Kubernetes': {'AuditLogs': {'Status': 'ENABLED '
'| '
'DISABLED'}}}}}
Describes which data sources are enabled for the member account's detector.
See also: AWS API Documentation
Request Syntax
client.get_member_detectors(
DetectorId='string',
AccountIds=[
'string',
]
)
string
[REQUIRED]
The detector ID for the administrator account.
list
[REQUIRED]
The account ID of the member account.
(string) --
dict
Response Syntax
{
'MemberDataSourceConfigurations': [
{
'AccountId': 'string',
'DataSources': {
'CloudTrail': {
'Status': 'ENABLED'|'DISABLED'
},
'DNSLogs': {
'Status': 'ENABLED'|'DISABLED'
},
'FlowLogs': {
'Status': 'ENABLED'|'DISABLED'
},
'S3Logs': {
'Status': 'ENABLED'|'DISABLED'
},
'Kubernetes': {
'AuditLogs': {
'Status': 'ENABLED'|'DISABLED'
}
}
}
},
],
'UnprocessedAccounts': [
{
'AccountId': 'string',
'Result': 'string'
},
]
}
Response Structure
(dict) --
MemberDataSourceConfigurations (list) --
An object that describes which data sources are enabled for a member account.
(dict) --
Contains information on which data sources are enabled for a member account.
AccountId (string) --
The account ID for the member account.
DataSources (dict) --
Contains information on the status of data sources for the account.
CloudTrail (dict) --
An object that contains information on the status of CloudTrail as a data source.
Status (string) --
Describes whether CloudTrail is enabled as a data source for the detector.
DNSLogs (dict) --
An object that contains information on the status of DNS logs as a data source.
Status (string) --
Denotes whether DNS logs is enabled as a data source.
FlowLogs (dict) --
An object that contains information on the status of VPC flow logs as a data source.
Status (string) --
Denotes whether VPC flow logs is enabled as a data source.
S3Logs (dict) --
An object that contains information on the status of S3 Data event logs as a data source.
Status (string) --
A value that describes whether S3 data event logs are automatically enabled for new members of the organization.
Kubernetes (dict) --
An object that contains information on the status of all Kubernetes data sources.
AuditLogs (dict) --
Describes whether Kubernetes audit logs are enabled as a data source.
Status (string) --
A value that describes whether Kubernetes audit logs are enabled as a data source.
UnprocessedAccounts (list) --
A list of member account IDs that were unable to be processed along with an explanation for why they were not processed.
(dict) --
Contains information about the accounts that weren't processed.
AccountId (string) --
The Amazon Web Services account ID.
Result (string) --
A reason why the account hasn't been processed.
{'UsageCriteria': {'DataSources': {'KUBERNETES_AUDIT_LOGS'}}}
Response {'UsageStatistics': {'SumByDataSource': {'DataSource': {'KUBERNETES_AUDIT_LOGS'}}}}
Lists Amazon GuardDuty usage statistics over the last 30 days for the specified detector ID. For newly enabled detectors or data sources the cost returned will include only the usage so far under 30 days, this may differ from the cost metrics in the console, which projects usage over 30 days to provide a monthly cost estimate. For more information see Understanding How Usage Costs are Calculated.
See also: AWS API Documentation
Request Syntax
client.get_usage_statistics(
DetectorId='string',
UsageStatisticType='SUM_BY_ACCOUNT'|'SUM_BY_DATA_SOURCE'|'SUM_BY_RESOURCE'|'TOP_RESOURCES',
UsageCriteria={
'AccountIds': [
'string',
],
'DataSources': [
'FLOW_LOGS'|'CLOUD_TRAIL'|'DNS_LOGS'|'S3_LOGS'|'KUBERNETES_AUDIT_LOGS',
],
'Resources': [
'string',
]
},
Unit='string',
MaxResults=123,
NextToken='string'
)
string
[REQUIRED]
The ID of the detector that specifies the GuardDuty service whose usage statistics you want to retrieve.
string
[REQUIRED]
The type of usage statistics to retrieve.
dict
[REQUIRED]
Represents the criteria used for querying usage.
AccountIds (list) --
The account IDs to aggregate usage statistics from.
(string) --
DataSources (list) -- [REQUIRED]
The data sources to aggregate usage statistics from.
(string) --
Resources (list) --
The resources to aggregate usage statistics from. Only accepts exact resource names.
(string) --
string
The currency unit you would like to view your usage statistics in. Current valid values are USD.
integer
The maximum number of results to return in the response.
string
A token to use for paginating results that are returned in the response. Set the value of this parameter to null for the first request to a list action. For subsequent calls, use the NextToken value returned from the previous request to continue listing results after the first page.
dict
Response Syntax
{
'UsageStatistics': {
'SumByAccount': [
{
'AccountId': 'string',
'Total': {
'Amount': 'string',
'Unit': 'string'
}
},
],
'SumByDataSource': [
{
'DataSource': 'FLOW_LOGS'|'CLOUD_TRAIL'|'DNS_LOGS'|'S3_LOGS'|'KUBERNETES_AUDIT_LOGS',
'Total': {
'Amount': 'string',
'Unit': 'string'
}
},
],
'SumByResource': [
{
'Resource': 'string',
'Total': {
'Amount': 'string',
'Unit': 'string'
}
},
],
'TopResources': [
{
'Resource': 'string',
'Total': {
'Amount': 'string',
'Unit': 'string'
}
},
]
},
'NextToken': 'string'
}
Response Structure
(dict) --
UsageStatistics (dict) --
The usage statistics object. If a UsageStatisticType was provided, the objects representing other types will be null.
SumByAccount (list) --
The usage statistic sum organized by account ID.
(dict) --
Contains information on the total of usage based on account IDs.
AccountId (string) --
The Account ID that generated usage.
Total (dict) --
Represents the total of usage for the Account ID.
Amount (string) --
The total usage.
Unit (string) --
The currency unit that the amount is given in.
SumByDataSource (list) --
The usage statistic sum organized by on data source.
(dict) --
Contains information on the result of usage based on data source type.
DataSource (string) --
The data source type that generated usage.
Total (dict) --
Represents the total of usage for the specified data source.
Amount (string) --
The total usage.
Unit (string) --
The currency unit that the amount is given in.
SumByResource (list) --
The usage statistic sum organized by resource.
(dict) --
Contains information on the sum of usage based on an Amazon Web Services resource.
Resource (string) --
The Amazon Web Services resource that generated usage.
Total (dict) --
Represents the sum total of usage for the specified resource type.
Amount (string) --
The total usage.
Unit (string) --
The currency unit that the amount is given in.
TopResources (list) --
Lists the top 50 resources that have generated the most GuardDuty usage, in order from most to least expensive.
(dict) --
Contains information on the sum of usage based on an Amazon Web Services resource.
Resource (string) --
The Amazon Web Services resource that generated usage.
Total (dict) --
Represents the sum total of usage for the specified resource type.
Amount (string) --
The total usage.
Unit (string) --
The currency unit that the amount is given in.
NextToken (string) --
The pagination parameter to be used on the next list operation to retrieve more items.
{'DataSources': {'Kubernetes': {'AuditLogs': {'Enable': 'boolean'}}}}
Updates the Amazon GuardDuty detector specified by the detectorId.
See also: AWS API Documentation
Request Syntax
client.update_detector(
DetectorId='string',
Enable=True|False,
FindingPublishingFrequency='FIFTEEN_MINUTES'|'ONE_HOUR'|'SIX_HOURS',
DataSources={
'S3Logs': {
'Enable': True|False
},
'Kubernetes': {
'AuditLogs': {
'Enable': True|False
}
}
}
)
string
[REQUIRED]
The unique ID of the detector to update.
boolean
Specifies whether the detector is enabled or not enabled.
string
An enum value that specifies how frequently findings are exported, such as to CloudWatch Events.
dict
Describes which data sources will be updated.
S3Logs (dict) --
Describes whether S3 data event logs are enabled as a data source.
Enable (boolean) -- [REQUIRED]
The status of S3 data event logs as a data source.
Kubernetes (dict) --
Describes whether any Kubernetes logs are enabled as data sources.
AuditLogs (dict) -- [REQUIRED]
The status of Kubernetes audit logs as a data source.
Enable (boolean) -- [REQUIRED]
The status of Kubernetes audit logs as a data source.
dict
Response Syntax
{}
Response Structure
(dict) --
{'DataSources': {'Kubernetes': {'AuditLogs': {'Enable': 'boolean'}}}}
Contains information on member accounts to be updated.
See also: AWS API Documentation
Request Syntax
client.update_member_detectors(
DetectorId='string',
AccountIds=[
'string',
],
DataSources={
'S3Logs': {
'Enable': True|False
},
'Kubernetes': {
'AuditLogs': {
'Enable': True|False
}
}
}
)
string
[REQUIRED]
The detector ID of the administrator account.
list
[REQUIRED]
A list of member account IDs to be updated.
(string) --
dict
Describes which data sources will be updated.
S3Logs (dict) --
Describes whether S3 data event logs are enabled as a data source.
Enable (boolean) -- [REQUIRED]
The status of S3 data event logs as a data source.
Kubernetes (dict) --
Describes whether any Kubernetes logs are enabled as data sources.
AuditLogs (dict) -- [REQUIRED]
The status of Kubernetes audit logs as a data source.
Enable (boolean) -- [REQUIRED]
The status of Kubernetes audit logs as a data source.
dict
Response Syntax
{
'UnprocessedAccounts': [
{
'AccountId': 'string',
'Result': 'string'
},
]
}
Response Structure
(dict) --
UnprocessedAccounts (list) --
A list of member account IDs that were unable to be processed along with an explanation for why they were not processed.
(dict) --
Contains information about the accounts that weren't processed.
AccountId (string) --
The Amazon Web Services account ID.
Result (string) --
A reason why the account hasn't been processed.
{'DataSources': {'Kubernetes': {'AuditLogs': {'AutoEnable': 'boolean'}}}}
Updates the delegated administrator account with the values provided.
See also: AWS API Documentation
Request Syntax
client.update_organization_configuration(
DetectorId='string',
AutoEnable=True|False,
DataSources={
'S3Logs': {
'AutoEnable': True|False
},
'Kubernetes': {
'AuditLogs': {
'AutoEnable': True|False
}
}
}
)
string
[REQUIRED]
The ID of the detector to update the delegated administrator for.
boolean
[REQUIRED]
Indicates whether to automatically enable member accounts in the organization.
dict
Describes which data sources will be updated.
S3Logs (dict) --
Describes whether S3 data event logs are enabled for new members of the organization.
AutoEnable (boolean) -- [REQUIRED]
A value that contains information on whether S3 data event logs will be enabled automatically as a data source for the organization.
Kubernetes (dict) --
Describes the configuration of Kubernetes data sources for new members of the organization.
AuditLogs (dict) -- [REQUIRED]
Whether Kubernetes audit logs data source should be auto-enabled for new members joining the organization.
AutoEnable (boolean) -- [REQUIRED]
A value that contains information on whether Kubernetes audit logs should be enabled automatically as a data source for the organization.
dict
Response Syntax
{}
Response Structure
(dict) --