aws_guardduty (aws v0.7.14)
Amazon GuardDuty is a continuous security monitoring service that analyzes and processes the following data sources: VPC flow logs, Amazon Web Services CloudTrail management event logs, CloudTrail S3 data event logs, EKS audit logs, DNS logs, and Amazon EBS volume data.

It uses threat intelligence feeds, such as lists of malicious IPs and domains, and machine learning to identify unexpected, potentially unauthorized, and malicious activity within your Amazon Web Services environment. This can include issues such as escalations of privileges, uses of exposed credentials, communication with malicious IPs or domains, or the presence of malware on your Amazon EC2 instances and container workloads. For example, GuardDuty can detect compromised EC2 instances and container workloads serving malware or mining bitcoin.

GuardDuty also monitors Amazon Web Services account access behavior for signs of compromise, such as unauthorized infrastructure deployments like EC2 instances deployed in a Region that has never been used, or unusual API calls like a password policy change to reduce password strength.

GuardDuty informs you about the status of your Amazon Web Services environment by producing security findings that you can view in the GuardDuty console or through Amazon EventBridge. For more information, see the Amazon GuardDuty User Guide.
Summary

Functions

archive_findings: Archives GuardDuty findings that are specified by the list of finding IDs.
create_detector: Creates a single Amazon GuardDuty detector.
create_ip_set: Creates a new IPSet, which is called a trusted IP list in the console user interface.
create_members: Creates member accounts of the current Amazon Web Services account by specifying a list of Amazon Web Services account IDs.
create_publishing_destination: Creates a publishing destination to export findings to.
create_sample_findings: Generates example findings of types specified by the list of finding types.
create_threat_intel_set: Creates a new ThreatIntelSet.
delete_ip_set: Deletes the IPSet specified by the ipSetId.
describe_malware_scans: Returns a list of malware scans.
get_usage_statistics: Lists Amazon GuardDuty usage statistics over the last 30 days for the specified detector ID.
list_ip_sets: Lists the IPSets of the GuardDuty service specified by the detector ID.
list_tags_for_resource: Lists tags for a resource.
list_threat_intel_sets: Lists the ThreatIntelSets of the GuardDuty service specified by the detector ID.
start_monitoring_members: Turns on GuardDuty monitoring of the specified member accounts.
stop_monitoring_members: Stops GuardDuty monitoring for the specified member accounts.

Functions
accept_administrator_invitation(Client, DetectorId, Input0, Options0)

archive_findings(Client, DetectorId, Input0, Options0)

Archives GuardDuty findings that are specified by the list of finding IDs.

Only the administrator account can archive findings. Member accounts don't have permission to archive findings from their accounts.

create_detector(Client, Input0, Options0)

Creates a single Amazon GuardDuty detector.

A detector is a resource that represents the GuardDuty service. To start using GuardDuty, you must create a detector in each Region where you enable the service. You can have only one detector per account per Region. All data sources are enabled in a new detector by default.

create_ip_set(Client, DetectorId, Input0, Options0)

Creates a new IPSet, which is called a trusted IP list in the console user interface.

An IPSet is a list of IP addresses that are trusted for secure communication with Amazon Web Services infrastructure and applications. GuardDuty doesn't generate findings for IP addresses that are included in IPSets. Only users from the administrator account can use this operation.

create_members(Client, DetectorId, Input0, Options0)

Creates member accounts of the current Amazon Web Services account by specifying a list of Amazon Web Services account IDs.

This step is a prerequisite for managing the associated member accounts either by invitation or through an organization.

When using Create Members as an organizations delegated administrator, this action will enable GuardDuty in the added member accounts, with the exception of the organization delegated administrator account, which must enable GuardDuty prior to being added as a member.

create_publishing_destination(Client, DetectorId, Input0, Options0)

Creates a publishing destination to export findings to.

The resource to export findings to must exist before you use this operation.
create_sample_findings(Client, DetectorId, Input0, Options0)

Generates example findings of types specified by the list of finding types.

If 'NULL' is specified for findingTypes, the API generates example findings of all supported finding types.

create_threat_intel_set(Client, DetectorId, Input0, Options0)

Creates a new ThreatIntelSet.

ThreatIntelSets consist of known malicious IP addresses. GuardDuty generates findings based on ThreatIntelSets. Only users of the administrator account can use this operation.

delete_ip_set(Client, DetectorId, IpSetId, Input0, Options0)

Deletes the IPSet specified by the ipSetId.
delete_publishing_destination(Client, DestinationId, DetectorId, Input)

delete_publishing_destination(Client, DestinationId, DetectorId, Input0, Options0)

delete_threat_intel_set(Client, DetectorId, ThreatIntelSetId, Input)

delete_threat_intel_set(Client, DetectorId, ThreatIntelSetId, Input0, Options0)
describe_malware_scans(Client, DetectorId, Input0, Options0)

Returns a list of malware scans.

Each member account can view the malware scans for their own accounts. An administrator can view the malware scans for all the member accounts.

describe_organization_configuration(Client, DetectorId, QueryMap, HeadersMap)

describe_organization_configuration(Client, DetectorId, QueryMap, HeadersMap, Options0)
describe_publishing_destination(Client, DestinationId, DetectorId)

describe_publishing_destination(Client, DestinationId, DetectorId, QueryMap, HeadersMap)

describe_publishing_destination(Client, DestinationId, DetectorId, QueryMap, HeadersMap, Options0)
disassociate_from_administrator_account(Client, DetectorId, Input)

disassociate_from_administrator_account(Client, DetectorId, Input0, Options0)

disassociate_from_master_account(Client, DetectorId, Input0, Options0)

get_administrator_account(Client, DetectorId, QueryMap, HeadersMap)

get_administrator_account(Client, DetectorId, QueryMap, HeadersMap, Options0)

get_filter(Client, DetectorId, FilterName, QueryMap, HeadersMap, Options0)
get_ip_set(Client, DetectorId, IpSetId, QueryMap, HeadersMap, Options0)

get_malware_scan_settings(Client, DetectorId, QueryMap, HeadersMap)

get_malware_scan_settings(Client, DetectorId, QueryMap, HeadersMap, Options0)

get_master_account(Client, DetectorId, QueryMap, HeadersMap, Options0)

get_remaining_free_trial_days(Client, DetectorId, Input0, Options0)

get_threat_intel_set(Client, DetectorId, ThreatIntelSetId, QueryMap, HeadersMap)

get_threat_intel_set(Client, DetectorId, ThreatIntelSetId, QueryMap, HeadersMap, Options0)
get_usage_statistics(Client, DetectorId, Input0, Options0)

Lists Amazon GuardDuty usage statistics over the last 30 days for the specified detector ID.

For newly enabled detectors or data sources, the cost returned will include only the usage so far under 30 days. This may differ from the cost metrics in the console, which project usage over 30 days to provide a monthly cost estimate. For more information, see Understanding How Usage Costs are Calculated.

list_ip_sets(Client, DetectorId, QueryMap, HeadersMap, Options0)

Lists the IPSets of the GuardDuty service specified by the detector ID.

If you use this operation from a member account, the IPSets returned are the IPSets from the associated administrator account.

list_organization_admin_accounts(Client, QueryMap, HeadersMap, Options0)
list_publishing_destinations(Client, DetectorId, QueryMap, HeadersMap)

list_publishing_destinations(Client, DetectorId, QueryMap, HeadersMap, Options0)

list_tags_for_resource(Client, ResourceArn, QueryMap, HeadersMap, Options0)

Lists tags for a resource.

Tagging is currently supported for detectors, finding filters, IP sets, and threat intel sets, with a limit of 50 tags per resource. When invoked, this operation returns all assigned tags for a given resource.

list_threat_intel_sets(Client, DetectorId, QueryMap, HeadersMap, Options0)

Lists the ThreatIntelSets of the GuardDuty service specified by the detector ID.

If you use this operation from a member account, the ThreatIntelSets associated with the administrator account are returned.
start_monitoring_members(Client, DetectorId, Input0, Options0)

Turns on GuardDuty monitoring of the specified member accounts.

Use this operation to restart monitoring of accounts that you stopped monitoring with the StopMonitoringMembers operation.

stop_monitoring_members(Client, DetectorId, Input0, Options0)

Stops GuardDuty monitoring for the specified member accounts.

Use the StartMonitoringMembers operation to restart monitoring for those accounts.
update_malware_scan_settings(Client, DetectorId, Input0, Options0)

update_organization_configuration(Client, DetectorId, Input0, Options0)

update_publishing_destination(Client, DestinationId, DetectorId, Input)
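The following module is an added example of how the finding operations above fit together in a small triage step; it is not part of the aws library or its documentation. The only page-documented call it relies on is archive_findings; get_findings is assumed to exist in aws_guardduty with the same (Client, DetectorId, InputMap) shape as the other detector-scoped operations listed here, the {ok, Result, Response} return tuple is an assumption, and the Client is assumed to come from aws_client:make_client/3. The finding fields used (Id, Severity, Type, Archived) are the ones GuardDuty returns in a finding; the sample findings at the bottom are constructed so that partition/2 can be tried offline in an erl shell.

```erlang
%% guardduty_triage.erl -- added example, not part of the aws library or its docs.
%% Splits findings into those to escalate and those safe to archive, then
%% archives the latter with aws_guardduty:archive_findings/3.
%% Assumptions: get_findings/3 exists with the (Client, DetectorId, InputMap)
%% shape used by the other functions on this page, and both calls return
%% {ok, ResultMap, Response}.
-module(guardduty_triage).
-export([partition/2, archive_low_severity/3, sample_findings/0]).

%% GuardDuty severity is numeric: 1-3.9 low, 4-6.9 medium, 7-8.9 high.
-define(DEFAULT_THRESHOLD, 4.0).

%% partition(Findings, Threshold) -> {Escalate, ArchiveIds}.
%% Findings are maps as returned under <<"Findings">> by get_findings.
%% Already-archived findings are skipped. Anything at or above Threshold,
%% or whose type falls in a credential/privilege threat purpose, is kept for
%% a human; the rest are collected as IDs for archive_findings.
partition(Findings, Threshold) ->
    lists:foldr(
      fun(#{<<"Archived">> := true}, Acc) ->
              Acc;
         (#{<<"Id">> := Id, <<"Severity">> := Sev, <<"Type">> := Type} = F,
          {Esc, Arch}) ->
              case Sev >= Threshold orelse high_value_type(Type) of
                  true  -> {[F | Esc], Arch};
                  false -> {Esc, [Id | Arch]}
              end
      end, {[], []}, Findings).

%% Finding types have the form "ThreatPurpose:ResourceType/Detail".
%% Example triage policy (an assumption, not a GuardDuty rule): never
%% auto-archive credential-access or privilege-escalation findings, even
%% when GuardDuty rates them low.
high_value_type(Type) ->
    case binary:split(Type, <<":">>) of
        [Purpose, _Rest] ->
            lists:member(Purpose, [<<"CredentialAccess">>, <<"PrivilegeEscalation">>]);
        _ ->
            false
    end.

%% Network-bound helper: fetch the given finding IDs, partition them, and
%% archive the low ones. Only the administrator account may archive (see
%% archive_findings above). Returns {Escalate, ArchivedIds}.
archive_low_severity(Client, DetectorId, FindingIds) ->
    {ok, #{<<"Findings">> := Findings}, _Resp} =
        aws_guardduty:get_findings(Client, DetectorId,
                                   #{<<"FindingIds">> => FindingIds}),
    {Escalate, ArchiveIds} = partition(Findings, ?DEFAULT_THRESHOLD),
    case ArchiveIds of
        [] -> ok;
        _  -> {ok, _, _} = aws_guardduty:archive_findings(
                             Client, DetectorId,
                             #{<<"FindingIds">> => ArchiveIds})
    end,
    {Escalate, ArchiveIds}.

%% Constructed sample findings (IDs are placeholders, types are real
%% GuardDuty finding types). Try offline with:
%%   guardduty_triage:partition(guardduty_triage:sample_findings(), 4.0).
%% Expected: finding-1 archived, finding-2 and finding-3 escalated,
%% finding-4 skipped because it is already archived.
sample_findings() ->
    [#{<<"Id">> => <<"example-finding-1">>, <<"Severity">> => 2.0,
       <<"Archived">> => false,
       <<"Type">> => <<"Recon:EC2/PortProbeUnprotectedPort">>},
     #{<<"Id">> => <<"example-finding-2">>, <<"Severity">> => 8.0,
       <<"Archived">> => false,
       <<"Type">> => <<"CryptoCurrency:EC2/BitcoinTool.B!DNS">>},
     #{<<"Id">> => <<"example-finding-3">>, <<"Severity">> => 2.0,
       <<"Archived">> => false,
       <<"Type">> => <<"CredentialAccess:IAMUser/AnomalousBehavior">>},
     #{<<"Id">> => <<"example-finding-4">>, <<"Severity">> => 1.0,
       <<"Archived">> => true,
       <<"Type">> => <<"Recon:EC2/Portscan">>}].
```

The design choice worth noting is that severity alone is a poor archive criterion: GuardDuty rates some credential-access findings low, yet those are exactly the ones the introduction above calls out (uses of exposed credentials, privilege escalation), so the policy keys on the threat-purpose prefix of the finding type as well as on the numeric severity.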