Amazon GuardDuty 2017-11-28
- Client: Aws\GuardDuty\GuardDutyClient
- Service ID: guardduty
- Version: 2017-11-28
This page describes the parameters and results for the operations of the Amazon GuardDuty (2017-11-28), and shows how to use the Aws\GuardDuty\GuardDutyClient object to call the described operations. This documentation is specific to the 2017-11-28 API version of the service.
Operation Summary
Each of the following operations can be created from a client using
$client->getCommand('CommandName'), where "CommandName" is the
name of one of the following operations. Note: a command is a value that
encapsulates an operation and the parameters used to create an HTTP request.
You can also create and send a command immediately using the magic methods
available on a client object: $client->commandName(/* parameters */).
You can send the command asynchronously (returning a promise) by appending the
word "Async" to the operation name: $client->commandNameAsync(/* parameters */).
- AcceptInvitation ( array $params = [] )
Accepts the invitation to be monitored by a master GuardDuty account.
- ArchiveFindings ( array $params = [] )
Archives GuardDuty findings specified by the list of finding IDs.
- CreateDetector ( array $params = [] )
Creates a single Amazon GuardDuty detector.
- CreateFilter ( array $params = [] )
Creates a filter using the specified finding criteria.
- CreateIPSet ( array $params = [] )
Creates a new IPSet, called Trusted IP list in the consoler user interface.
- CreateMembers ( array $params = [] )
Creates member accounts of the current AWS account by specifying a list of AWS account IDs.
- CreatePublishingDestination ( array $params = [] )
Creates a publishing destination to send findings to.
- CreateSampleFindings ( array $params = [] )
Generates example findings of types specified by the list of finding types.
- CreateThreatIntelSet ( array $params = [] )
Create a new ThreatIntelSet.
- DeclineInvitations ( array $params = [] )
Declines invitations sent to the current member account by AWS account specified by their account IDs.
- DeleteDetector ( array $params = [] )
Deletes a Amazon GuardDuty detector specified by the detector ID.
- DeleteFilter ( array $params = [] )
Deletes the filter specified by the filter name.
- DeleteIPSet ( array $params = [] )
Deletes the IPSet specified by the ipSetId.
- DeleteInvitations ( array $params = [] )
Deletes invitations sent to the current member account by AWS accounts specified by their account IDs.
- DeleteMembers ( array $params = [] )
Deletes GuardDuty member accounts (to the current GuardDuty master account) specified by the account IDs.
- DeletePublishingDestination ( array $params = [] )
Deletes the publishing definition with the specified destinationId.
- DeleteThreatIntelSet ( array $params = [] )
Deletes ThreatIntelSet specified by the ThreatIntelSet ID.
- DescribePublishingDestination ( array $params = [] )
Returns information about the publishing destination specified by the provided destinationId.
- DisassociateFromMasterAccount ( array $params = [] )
Disassociates the current GuardDuty member account from its master account.
- DisassociateMembers ( array $params = [] )
Disassociates GuardDuty member accounts (to the current GuardDuty master account) specified by the account IDs.
- GetDetector ( array $params = [] )
Retrieves an Amazon GuardDuty detector specified by the detectorId.
- GetFilter ( array $params = [] )
Returns the details of the filter specified by the filter name.
- GetFindings ( array $params = [] )
Describes Amazon GuardDuty findings specified by finding IDs.
- GetFindingsStatistics ( array $params = [] )
Lists Amazon GuardDuty findings' statistics for the specified detector ID.
- GetIPSet ( array $params = [] )
Retrieves the IPSet specified by the ipSetId.
- GetInvitationsCount ( array $params = [] )
Returns the count of all GuardDuty membership invitations that were sent to the current member account except the currently accepted invitation.
- GetMasterAccount ( array $params = [] )
Provides the details for the GuardDuty master account associated with the current GuardDuty member account.
- GetMembers ( array $params = [] )
Retrieves GuardDuty member accounts (to the current GuardDuty master account) specified by the account IDs.
- GetThreatIntelSet ( array $params = [] )
Retrieves the ThreatIntelSet that is specified by the ThreatIntelSet ID.
- InviteMembers ( array $params = [] )
Invites other AWS accounts (created as members of the current AWS account by CreateMembers) to enable GuardDuty and allow the current AWS account to view and manage these accounts' GuardDuty findings on their behalf as the master account.
- ListDetectors ( array $params = [] )
Lists detectorIds of all the existing Amazon GuardDuty detector resources.
- ListFilters ( array $params = [] )
Returns a paginated list of the current filters.
- ListFindings ( array $params = [] )
Lists Amazon GuardDuty findings for the specified detector ID.
- ListIPSets ( array $params = [] )
Lists the IPSets of the GuardDuty service specified by the detector ID.
- ListInvitations ( array $params = [] )
Lists all GuardDuty membership invitations that were sent to the current AWS account.
- ListMembers ( array $params = [] )
Lists details about all member accounts for the current GuardDuty master account.
- ListPublishingDestinations ( array $params = [] )
Returns a list of publishing destinations associated with the specified dectectorId.
- ListTagsForResource ( array $params = [] )
Lists tags for a resource.
- ListThreatIntelSets ( array $params = [] )
Lists the ThreatIntelSets of the GuardDuty service specified by the detector ID.
- StartMonitoringMembers ( array $params = [] )
Turns on GuardDuty monitoring of the specified member accounts.
- StopMonitoringMembers ( array $params = [] )
Stops GuardDuty monitoring for the specified member accounnts.
- TagResource ( array $params = [] )
Adds tags to a resource.
- UnarchiveFindings ( array $params = [] )
Unarchives GuardDuty findings specified by the findingIds.
- UntagResource ( array $params = [] )
Removes tags from a resource.
- UpdateDetector ( array $params = [] )
Updates the Amazon GuardDuty detector specified by the detectorId.
- UpdateFilter ( array $params = [] )
Updates the filter specified by the filter name.
- UpdateFindingsFeedback ( array $params = [] )
Marks the specified GuardDuty findings as useful or not useful.
- UpdateIPSet ( array $params = [] )
Updates the IPSet specified by the IPSet ID.
- UpdatePublishingDestination ( array $params = [] )
Updates information about the publishing destination specified by the destinationId.
- UpdateThreatIntelSet ( array $params = [] )
Updates the ThreatIntelSet specified by ThreatIntelSet ID.
Paginators
Paginators handle automatically iterating over paginated API results. Paginators are associated with specific API operations, and they accept the parameters that the corresponding API operation accepts. You can get a paginator from a client class using getPaginator($paginatorName, $operationParameters). This client supports the following paginators:
Operations
AcceptInvitation
$result = $client->acceptInvitation([/* ... */]); $promise = $client->acceptInvitationAsync([/* ... */]);
Accepts the invitation to be monitored by a master GuardDuty account.
Parameter Syntax
$result = $client->acceptInvitation([
'DetectorId' => '<string>', // REQUIRED
'InvitationId' => '<string>', // REQUIRED
'MasterId' => '<string>', // REQUIRED
]);
Parameter Details
Members
- DetectorId
-
- Required: Yes
- Type: string
The unique ID of the detector of the GuardDuty member account.
- InvitationId
-
- Required: Yes
- Type: string
This value is used to validate the master account to the member account.
- MasterId
-
- Required: Yes
- Type: string
The account ID of the master GuardDuty account whose invitation you're accepting.
Result Syntax
[]
Result Details
Errors
-
Bad request exception object.
-
Internal server error exception object.
ArchiveFindings
$result = $client->archiveFindings([/* ... */]); $promise = $client->archiveFindingsAsync([/* ... */]);
Archives GuardDuty findings specified by the list of finding IDs.
Only the master account can archive findings. Member accounts do not have permission to archive findings from their accounts.
Parameter Syntax
$result = $client->archiveFindings([
'DetectorId' => '<string>', // REQUIRED
'FindingIds' => ['<string>', ...], // REQUIRED
]);
Parameter Details
Members
Result Syntax
[]
Result Details
Errors
-
Bad request exception object.
-
Internal server error exception object.
CreateDetector
$result = $client->createDetector([/* ... */]); $promise = $client->createDetectorAsync([/* ... */]);
Creates a single Amazon GuardDuty detector. A detector is a resource that represents the GuardDuty service. To start using GuardDuty, you must create a detector in each region that you enable the service. You can have only one detector per account per region.
Parameter Syntax
$result = $client->createDetector([
'ClientToken' => '<string>',
'Enable' => true || false, // REQUIRED
'FindingPublishingFrequency' => 'FIFTEEN_MINUTES|ONE_HOUR|SIX_HOURS',
'Tags' => ['<string>', ...],
]);
Parameter Details
Members
- ClientToken
-
- Type: string
The idempotency token for the create request.
- Enable
-
- Required: Yes
- Type: boolean
A boolean value that specifies whether the detector is to be enabled.
- FindingPublishingFrequency
-
- Type: string
A enum value that specifies how frequently customer got Finding updates published.
- Tags
-
- Type: Associative array of custom strings keys (TagKey) to strings
The tags to be added to a new detector resource.
Result Syntax
[
'DetectorId' => '<string>',
]
Result Details
Errors
-
Bad request exception object.
-
Internal server error exception object.
CreateFilter
$result = $client->createFilter([/* ... */]); $promise = $client->createFilterAsync([/* ... */]);
Creates a filter using the specified finding criteria.
Parameter Syntax
$result = $client->createFilter([
'Action' => 'NOOP|ARCHIVE',
'ClientToken' => '<string>',
'Description' => '<string>',
'DetectorId' => '<string>', // REQUIRED
'FindingCriteria' => [ // REQUIRED
'Criterion' => [
'<String>' => [
'Eq' => ['<string>', ...],
'Equals' => ['<string>', ...],
'GreaterThan' => <integer>,
'GreaterThanOrEqual' => <integer>,
'Gt' => <integer>,
'Gte' => <integer>,
'LessThan' => <integer>,
'LessThanOrEqual' => <integer>,
'Lt' => <integer>,
'Lte' => <integer>,
'Neq' => ['<string>', ...],
'NotEquals' => ['<string>', ...],
],
// ...
],
],
'Name' => '<string>', // REQUIRED
'Rank' => <integer>,
'Tags' => ['<string>', ...],
]);
Parameter Details
Members
- Action
-
- Type: string
Specifies the action that is to be applied to the findings that match the filter.
- ClientToken
-
- Type: string
The idempotency token for the create request.
- Description
-
- Type: string
The description of the filter.
- DetectorId
-
- Required: Yes
- Type: string
The unique ID of the detector of the GuardDuty account for which you want to create a filter.
- FindingCriteria
-
- Required: Yes
- Type: FindingCriteria structure
Represents the criteria to be used in the filter for querying findings.
- Name
-
- Required: Yes
- Type: string
The name of the filter.
- Rank
-
- Type: int
Specifies the position of the filter in the list of current filters. Also specifies the order in which this filter is applied to the findings.
- Tags
-
- Type: Associative array of custom strings keys (TagKey) to strings
The tags to be added to a new filter resource.
Result Syntax
[
'Name' => '<string>',
]
Result Details
Errors
-
Bad request exception object.
-
Internal server error exception object.
CreateIPSet
$result = $client->createIPSet([/* ... */]); $promise = $client->createIPSetAsync([/* ... */]);
Creates a new IPSet, called Trusted IP list in the consoler user interface. An IPSet is a list IP addresses trusted for secure communication with AWS infrastructure and applications. GuardDuty does not generate findings for IP addresses included in IPSets. Only users from the master account can use this operation.
Parameter Syntax
$result = $client->createIPSet([
'Activate' => true || false, // REQUIRED
'ClientToken' => '<string>',
'DetectorId' => '<string>', // REQUIRED
'Format' => 'TXT|STIX|OTX_CSV|ALIEN_VAULT|PROOF_POINT|FIRE_EYE', // REQUIRED
'Location' => '<string>', // REQUIRED
'Name' => '<string>', // REQUIRED
'Tags' => ['<string>', ...],
]);
Parameter Details
Members
- Activate
-
- Required: Yes
- Type: boolean
A boolean value that indicates whether GuardDuty is to start using the uploaded IPSet.
- ClientToken
-
- Type: string
The idempotency token for the create request.
- DetectorId
-
- Required: Yes
- Type: string
The unique ID of the detector of the GuardDuty account for which you want to create an IPSet.
- Format
-
- Required: Yes
- Type: string
The format of the file that contains the IPSet.
- Location
-
- Required: Yes
- Type: string
The URI of the file that contains the IPSet. For example (https://s3.us-west-2.amazonaws.com/my-bucket/my-object-key)
- Name
-
- Required: Yes
- Type: string
The user friendly name to identify the IPSet. This name is displayed in all findings that are triggered by activity that involves IP addresses included in this IPSet.
- Tags
-
- Type: Associative array of custom strings keys (TagKey) to strings
The tags to be added to a new IP set resource.
Result Syntax
[
'IpSetId' => '<string>',
]
Result Details
Errors
-
Bad request exception object.
-
Internal server error exception object.
CreateMembers
$result = $client->createMembers([/* ... */]); $promise = $client->createMembersAsync([/* ... */]);
Creates member accounts of the current AWS account by specifying a list of AWS account IDs. The current AWS account can then invite these members to manage GuardDuty in their accounts.
Parameter Syntax
$result = $client->createMembers([
'AccountDetails' => [ // REQUIRED
[
'AccountId' => '<string>', // REQUIRED
'Email' => '<string>', // REQUIRED
],
// ...
],
'DetectorId' => '<string>', // REQUIRED
]);
Parameter Details
Members
- AccountDetails
-
- Required: Yes
- Type: Array of AccountDetail structures
A list of account ID and email address pairs of the accounts that you want to associate with the master GuardDuty account.
- DetectorId
-
- Required: Yes
- Type: string
The unique ID of the detector of the GuardDuty account with which you want to associate member accounts.
Result Syntax
[
'UnprocessedAccounts' => [
[
'AccountId' => '<string>',
'Result' => '<string>',
],
// ...
],
]
Result Details
Members
- UnprocessedAccounts
-
- Required: Yes
- Type: Array of UnprocessedAccount structures
A list of objects containing the unprocessed account and a result string explaining why it was unprocessed.
Errors
-
Bad request exception object.
-
Internal server error exception object.
CreatePublishingDestination
$result = $client->createPublishingDestination([/* ... */]); $promise = $client->createPublishingDestinationAsync([/* ... */]);
Creates a publishing destination to send findings to. The resource to send findings to must exist before you use this operation.
Parameter Syntax
$result = $client->createPublishingDestination([
'ClientToken' => '<string>',
'DestinationProperties' => [ // REQUIRED
'DestinationArn' => '<string>',
'KmsKeyArn' => '<string>',
],
'DestinationType' => 'S3', // REQUIRED
'DetectorId' => '<string>', // REQUIRED
]);
Parameter Details
Members
- ClientToken
-
- Type: string
The idempotency token for the request.
- DestinationProperties
-
- Required: Yes
- Type: DestinationProperties structure
Properties of the publishing destination, including the ARNs for the destination and the KMS key used for encryption.
- DestinationType
-
- Required: Yes
- Type: string
The type of resource for the publishing destination. Currently only S3 is supported.
- DetectorId
-
- Required: Yes
- Type: string
The ID of the GuardDuty detector associated with the publishing destination.
Result Syntax
[
'DestinationId' => '<string>',
]
Result Details
Errors
-
Bad request exception object.
-
Internal server error exception object.
CreateSampleFindings
$result = $client->createSampleFindings([/* ... */]); $promise = $client->createSampleFindingsAsync([/* ... */]);
Generates example findings of types specified by the list of finding types. If 'NULL' is specified for findingTypes, the API generates example findings of all supported finding types.
Parameter Syntax
$result = $client->createSampleFindings([
'DetectorId' => '<string>', // REQUIRED
'FindingTypes' => ['<string>', ...],
]);
Parameter Details
Members
Result Syntax
[]
Result Details
Errors
-
Bad request exception object.
-
Internal server error exception object.
CreateThreatIntelSet
$result = $client->createThreatIntelSet([/* ... */]); $promise = $client->createThreatIntelSetAsync([/* ... */]);
Create a new ThreatIntelSet. ThreatIntelSets consist of known malicious IP addresses. GuardDuty generates findings based on ThreatIntelSets. Only users of the master account can use this operation.
Parameter Syntax
$result = $client->createThreatIntelSet([
'Activate' => true || false, // REQUIRED
'ClientToken' => '<string>',
'DetectorId' => '<string>', // REQUIRED
'Format' => 'TXT|STIX|OTX_CSV|ALIEN_VAULT|PROOF_POINT|FIRE_EYE', // REQUIRED
'Location' => '<string>', // REQUIRED
'Name' => '<string>', // REQUIRED
'Tags' => ['<string>', ...],
]);
Parameter Details
Members
- Activate
-
- Required: Yes
- Type: boolean
A boolean value that indicates whether GuardDuty is to start using the uploaded ThreatIntelSet.
- ClientToken
-
- Type: string
The idempotency token for the create request.
- DetectorId
-
- Required: Yes
- Type: string
The unique ID of the detector of the GuardDuty account for which you want to create a threatIntelSet.
- Format
-
- Required: Yes
- Type: string
The format of the file that contains the ThreatIntelSet.
- Location
-
- Required: Yes
- Type: string
The URI of the file that contains the ThreatIntelSet. For example (https://s3.us-west-2.amazonaws.com/my-bucket/my-object-key).
- Name
-
- Required: Yes
- Type: string
A user-friendly ThreatIntelSet name that is displayed in all finding generated by activity that involves IP addresses included in this ThreatIntelSet.
- Tags
-
- Type: Associative array of custom strings keys (TagKey) to strings
The tags to be added to a new Threat List resource.
Result Syntax
[
'ThreatIntelSetId' => '<string>',
]
Result Details
Errors
-
Bad request exception object.
-
Internal server error exception object.
DeclineInvitations
$result = $client->declineInvitations([/* ... */]); $promise = $client->declineInvitationsAsync([/* ... */]);
Declines invitations sent to the current member account by AWS account specified by their account IDs.
Parameter Syntax
$result = $client->declineInvitations([
'AccountIds' => ['<string>', ...], // REQUIRED
]);
Parameter Details
Members
Result Syntax
[
'UnprocessedAccounts' => [
[
'AccountId' => '<string>',
'Result' => '<string>',
],
// ...
],
]
Result Details
Members
- UnprocessedAccounts
-
- Required: Yes
- Type: Array of UnprocessedAccount structures
A list of objects containing the unprocessed account and a result string explaining why it was unprocessed.
Errors
-
Bad request exception object.
-
Internal server error exception object.
DeleteDetector
$result = $client->deleteDetector([/* ... */]); $promise = $client->deleteDetectorAsync([/* ... */]);
Deletes a Amazon GuardDuty detector specified by the detector ID.
Parameter Syntax
$result = $client->deleteDetector([
'DetectorId' => '<string>', // REQUIRED
]);
Parameter Details
Members
Result Syntax
[]
Result Details
Errors
-
Bad request exception object.
-
Internal server error exception object.
DeleteFilter
$result = $client->deleteFilter([/* ... */]); $promise = $client->deleteFilterAsync([/* ... */]);
Deletes the filter specified by the filter name.
Parameter Syntax
$result = $client->deleteFilter([
'DetectorId' => '<string>', // REQUIRED
'FilterName' => '<string>', // REQUIRED
]);
Parameter Details
Members
Result Syntax
[]
Result Details
Errors
-
Bad request exception object.
-
Internal server error exception object.
DeleteIPSet
$result = $client->deleteIPSet([/* ... */]); $promise = $client->deleteIPSetAsync([/* ... */]);
Deletes the IPSet specified by the ipSetId. IPSets are called Trusted IP lists in the console user interface.
Parameter Syntax
$result = $client->deleteIPSet([
'DetectorId' => '<string>', // REQUIRED
'IpSetId' => '<string>', // REQUIRED
]);
Parameter Details
Members
Result Syntax
[]
Result Details
Errors
-
Bad request exception object.
-
Internal server error exception object.
DeleteInvitations
$result = $client->deleteInvitations([/* ... */]); $promise = $client->deleteInvitationsAsync([/* ... */]);
Deletes invitations sent to the current member account by AWS accounts specified by their account IDs.
Parameter Syntax
$result = $client->deleteInvitations([
'AccountIds' => ['<string>', ...], // REQUIRED
]);
Parameter Details
Members
Result Syntax
[
'UnprocessedAccounts' => [
[
'AccountId' => '<string>',
'Result' => '<string>',
],
// ...
],
]
Result Details
Members
- UnprocessedAccounts
-
- Required: Yes
- Type: Array of UnprocessedAccount structures
A list of objects containing the unprocessed account and a result string explaining why it was unprocessed.
Errors
-
Bad request exception object.
-
Internal server error exception object.
DeleteMembers
$result = $client->deleteMembers([/* ... */]); $promise = $client->deleteMembersAsync([/* ... */]);
Deletes GuardDuty member accounts (to the current GuardDuty master account) specified by the account IDs.
Parameter Syntax
$result = $client->deleteMembers([
'AccountIds' => ['<string>', ...], // REQUIRED
'DetectorId' => '<string>', // REQUIRED
]);
Parameter Details
Members
Result Syntax
[
'UnprocessedAccounts' => [
[
'AccountId' => '<string>',
'Result' => '<string>',
],
// ...
],
]
Result Details
Members
- UnprocessedAccounts
-
- Required: Yes
- Type: Array of UnprocessedAccount structures
The accounts that could not be processed.
Errors
-
Bad request exception object.
-
Internal server error exception object.
DeletePublishingDestination
$result = $client->deletePublishingDestination([/* ... */]); $promise = $client->deletePublishingDestinationAsync([/* ... */]);
Deletes the publishing definition with the specified destinationId.
Parameter Syntax
$result = $client->deletePublishingDestination([
'DestinationId' => '<string>', // REQUIRED
'DetectorId' => '<string>', // REQUIRED
]);
Parameter Details
Members
Result Syntax
[]
Result Details
Errors
-
Bad request exception object.
-
Internal server error exception object.
DeleteThreatIntelSet
$result = $client->deleteThreatIntelSet([/* ... */]); $promise = $client->deleteThreatIntelSetAsync([/* ... */]);
Deletes ThreatIntelSet specified by the ThreatIntelSet ID.
Parameter Syntax
$result = $client->deleteThreatIntelSet([
'DetectorId' => '<string>', // REQUIRED
'ThreatIntelSetId' => '<string>', // REQUIRED
]);
Parameter Details
Members
Result Syntax
[]
Result Details
Errors
-
Bad request exception object.
-
Internal server error exception object.
DescribePublishingDestination
$result = $client->describePublishingDestination([/* ... */]); $promise = $client->describePublishingDestinationAsync([/* ... */]);
Returns information about the publishing destination specified by the provided destinationId.
Parameter Syntax
$result = $client->describePublishingDestination([
'DestinationId' => '<string>', // REQUIRED
'DetectorId' => '<string>', // REQUIRED
]);
Parameter Details
Members
Result Syntax
[
'DestinationId' => '<string>',
'DestinationProperties' => [
'DestinationArn' => '<string>',
'KmsKeyArn' => '<string>',
],
'DestinationType' => 'S3',
'PublishingFailureStartTimestamp' => <integer>,
'Status' => 'PENDING_VERIFICATION|PUBLISHING|UNABLE_TO_PUBLISH_FIX_DESTINATION_PROPERTY|STOPPED',
]
Result Details
Members
- DestinationId
-
- Required: Yes
- Type: string
The ID of the publishing destination.
- DestinationProperties
-
- Required: Yes
- Type: DestinationProperties structure
A
DestinationPropertiesobject that includes theDestinationArnandKmsKeyArnof the publishing destination. - DestinationType
-
- Required: Yes
- Type: string
The type of the publishing destination. Currently, only S3 is supported.
- PublishingFailureStartTimestamp
-
- Required: Yes
- Type: long (int|float)
The time, in epoch millisecond format, at which GuardDuty was first unable to publish findings to the destination.
- Status
-
- Required: Yes
- Type: string
The status of the publishing destination.
Errors
-
Bad request exception object.
-
Internal server error exception object.
DisassociateFromMasterAccount
$result = $client->disassociateFromMasterAccount([/* ... */]); $promise = $client->disassociateFromMasterAccountAsync([/* ... */]);
Disassociates the current GuardDuty member account from its master account.
Parameter Syntax
$result = $client->disassociateFromMasterAccount([
'DetectorId' => '<string>', // REQUIRED
]);
Parameter Details
Members
Result Syntax
[]
Result Details
Errors
-
Bad request exception object.
-
Internal server error exception object.
DisassociateMembers
$result = $client->disassociateMembers([/* ... */]); $promise = $client->disassociateMembersAsync([/* ... */]);
Disassociates GuardDuty member accounts (to the current GuardDuty master account) specified by the account IDs.
Parameter Syntax
$result = $client->disassociateMembers([
'AccountIds' => ['<string>', ...], // REQUIRED
'DetectorId' => '<string>', // REQUIRED
]);
Parameter Details
Members
Result Syntax
[
'UnprocessedAccounts' => [
[
'AccountId' => '<string>',
'Result' => '<string>',
],
// ...
],
]
Result Details
Members
- UnprocessedAccounts
-
- Required: Yes
- Type: Array of UnprocessedAccount structures
A list of objects containing the unprocessed account and a result string explaining why it was unprocessed.
Errors
-
Bad request exception object.
-
Internal server error exception object.
GetDetector
$result = $client->getDetector([/* ... */]); $promise = $client->getDetectorAsync([/* ... */]);
Retrieves an Amazon GuardDuty detector specified by the detectorId.
Parameter Syntax
$result = $client->getDetector([
'DetectorId' => '<string>', // REQUIRED
]);
Parameter Details
Result Syntax
[
'CreatedAt' => '<string>',
'FindingPublishingFrequency' => 'FIFTEEN_MINUTES|ONE_HOUR|SIX_HOURS',
'ServiceRole' => '<string>',
'Status' => 'ENABLED|DISABLED',
'Tags' => ['<string>', ...],
'UpdatedAt' => '<string>',
]
Result Details
Members
- CreatedAt
-
- Type: string
Detector creation timestamp.
- FindingPublishingFrequency
-
- Type: string
Finding publishing frequency.
- ServiceRole
-
- Required: Yes
- Type: string
The GuardDuty service role.
- Status
-
- Required: Yes
- Type: string
The detector status.
- Tags
-
- Type: Associative array of custom strings keys (TagKey) to strings
The tags of the detector resource.
- UpdatedAt
-
- Type: string
Detector last update timestamp.
Errors
-
Bad request exception object.
-
Internal server error exception object.
GetFilter
$result = $client->getFilter([/* ... */]); $promise = $client->getFilterAsync([/* ... */]);
Returns the details of the filter specified by the filter name.
Parameter Syntax
$result = $client->getFilter([
'DetectorId' => '<string>', // REQUIRED
'FilterName' => '<string>', // REQUIRED
]);
Parameter Details
Members
Result Syntax
[
'Action' => 'NOOP|ARCHIVE',
'Description' => '<string>',
'FindingCriteria' => [
'Criterion' => [
'<String>' => [
'Eq' => ['<string>', ...],
'Equals' => ['<string>', ...],
'GreaterThan' => <integer>,
'GreaterThanOrEqual' => <integer>,
'Gt' => <integer>,
'Gte' => <integer>,
'LessThan' => <integer>,
'LessThanOrEqual' => <integer>,
'Lt' => <integer>,
'Lte' => <integer>,
'Neq' => ['<string>', ...],
'NotEquals' => ['<string>', ...],
],
// ...
],
],
'Name' => '<string>',
'Rank' => <integer>,
'Tags' => ['<string>', ...],
]
Result Details
Members
- Action
-
- Required: Yes
- Type: string
Specifies the action that is to be applied to the findings that match the filter.
- Description
-
- Type: string
The description of the filter.
- FindingCriteria
-
- Required: Yes
- Type: FindingCriteria structure
Represents the criteria to be used in the filter for querying findings.
- Name
-
- Required: Yes
- Type: string
The name of the filter.
- Rank
-
- Type: int
Specifies the position of the filter in the list of current filters. Also specifies the order in which this filter is applied to the findings.
- Tags
-
- Type: Associative array of custom strings keys (TagKey) to strings
The tags of the filter resource.
Errors
-
Bad request exception object.
-
Internal server error exception object.
GetFindings
$result = $client->getFindings([/* ... */]); $promise = $client->getFindingsAsync([/* ... */]);
Describes Amazon GuardDuty findings specified by finding IDs.
Parameter Syntax
$result = $client->getFindings([
'DetectorId' => '<string>', // REQUIRED
'FindingIds' => ['<string>', ...], // REQUIRED
'SortCriteria' => [
'AttributeName' => '<string>',
'OrderBy' => 'ASC|DESC',
],
]);
Parameter Details
Members
- DetectorId
-
- Required: Yes
- Type: string
The ID of the detector that specifies the GuardDuty service whose findings you want to retrieve.
- FindingIds
-
- Required: Yes
- Type: Array of strings
IDs of the findings that you want to retrieve.
- SortCriteria
-
- Type: SortCriteria structure
Represents the criteria used for sorting findings.
Result Syntax
[
'Findings' => [
[
'AccountId' => '<string>',
'Arn' => '<string>',
'Confidence' => <float>,
'CreatedAt' => '<string>',
'Description' => '<string>',
'Id' => '<string>',
'Partition' => '<string>',
'Region' => '<string>',
'Resource' => [
'AccessKeyDetails' => [
'AccessKeyId' => '<string>',
'PrincipalId' => '<string>',
'UserName' => '<string>',
'UserType' => '<string>',
],
'InstanceDetails' => [
'AvailabilityZone' => '<string>',
'IamInstanceProfile' => [
'Arn' => '<string>',
'Id' => '<string>',
],
'ImageDescription' => '<string>',
'ImageId' => '<string>',
'InstanceId' => '<string>',
'InstanceState' => '<string>',
'InstanceType' => '<string>',
'LaunchTime' => '<string>',
'NetworkInterfaces' => [
[
'Ipv6Addresses' => ['<string>', ...],
'NetworkInterfaceId' => '<string>',
'PrivateDnsName' => '<string>',
'PrivateIpAddress' => '<string>',
'PrivateIpAddresses' => [
[
'PrivateDnsName' => '<string>',
'PrivateIpAddress' => '<string>',
],
// ...
],
'PublicDnsName' => '<string>',
'PublicIp' => '<string>',
'SecurityGroups' => [
[
'GroupId' => '<string>',
'GroupName' => '<string>',
],
// ...
],
'SubnetId' => '<string>',
'VpcId' => '<string>',
],
// ...
],
'OutpostArn' => '<string>',
'Platform' => '<string>',
'ProductCodes' => [
[
'Code' => '<string>',
'ProductType' => '<string>',
],
// ...
],
'Tags' => [
[
'Key' => '<string>',
'Value' => '<string>',
],
// ...
],
],
'ResourceType' => '<string>',
],
'SchemaVersion' => '<string>',
'Service' => [
'Action' => [
'ActionType' => '<string>',
'AwsApiCallAction' => [
'Api' => '<string>',
'CallerType' => '<string>',
'DomainDetails' => [
'Domain' => '<string>',
],
'RemoteIpDetails' => [
'City' => [
'CityName' => '<string>',
],
'Country' => [
'CountryCode' => '<string>',
'CountryName' => '<string>',
],
'GeoLocation' => [
'Lat' => <float>,
'Lon' => <float>,
],
'IpAddressV4' => '<string>',
'Organization' => [
'Asn' => '<string>',
'AsnOrg' => '<string>',
'Isp' => '<string>',
'Org' => '<string>',
],
],
'ServiceName' => '<string>',
],
'DnsRequestAction' => [
'Domain' => '<string>',
],
'NetworkConnectionAction' => [
'Blocked' => true || false,
'ConnectionDirection' => '<string>',
'LocalIpDetails' => [
'IpAddressV4' => '<string>',
],
'LocalPortDetails' => [
'Port' => <integer>,
'PortName' => '<string>',
],
'Protocol' => '<string>',
'RemoteIpDetails' => [
'City' => [
'CityName' => '<string>',
],
'Country' => [
'CountryCode' => '<string>',
'CountryName' => '<string>',
],
'GeoLocation' => [
'Lat' => <float>,
'Lon' => <float>,
],
'IpAddressV4' => '<string>',
'Organization' => [
'Asn' => '<string>',
'AsnOrg' => '<string>',
'Isp' => '<string>',
'Org' => '<string>',
],
],
'RemotePortDetails' => [
'Port' => <integer>,
'PortName' => '<string>',
],
],
'PortProbeAction' => [
'Blocked' => true || false,
'PortProbeDetails' => [
[
'LocalIpDetails' => [
'IpAddressV4' => '<string>',
],
'LocalPortDetails' => [
'Port' => <integer>,
'PortName' => '<string>',
],
'RemoteIpDetails' => [
'City' => [
'CityName' => '<string>',
],
'Country' => [
'CountryCode' => '<string>',
'CountryName' => '<string>',
],
'GeoLocation' => [
'Lat' => <float>,
'Lon' => <float>,
],
'IpAddressV4' => '<string>',
'Organization' => [
'Asn' => '<string>',
'AsnOrg' => '<string>',
'Isp' => '<string>',
'Org' => '<string>',
],
],
],
// ...
],
],
],
'Archived' => true || false,
'Count' => <integer>,
'DetectorId' => '<string>',
'EventFirstSeen' => '<string>',
'EventLastSeen' => '<string>',
'Evidence' => [
'ThreatIntelligenceDetails' => [
[
'ThreatListName' => '<string>',
'ThreatNames' => ['<string>', ...],
],
// ...
],
],
'ResourceRole' => '<string>',
'ServiceName' => '<string>',
'UserFeedback' => '<string>',
],
'Severity' => <float>,
'Title' => '<string>',
'Type' => '<string>',
'UpdatedAt' => '<string>',
],
// ...
],
]
Result Details
Members
- Findings
-
- Required: Yes
- Type: Array of Finding structures
A list of findings.
Errors
-
Bad request exception object.
-
Internal server error exception object.
GetFindingsStatistics
$result = $client->getFindingsStatistics([/* ... */]); $promise = $client->getFindingsStatisticsAsync([/* ... */]);
Lists Amazon GuardDuty findings' statistics for the specified detector ID.
Parameter Syntax
$result = $client->getFindingsStatistics([
'DetectorId' => '<string>', // REQUIRED
'FindingCriteria' => [
'Criterion' => [
'<String>' => [
'Eq' => ['<string>', ...],
'Equals' => ['<string>', ...],
'GreaterThan' => <integer>,
'GreaterThanOrEqual' => <integer>,
'Gt' => <integer>,
'Gte' => <integer>,
'LessThan' => <integer>,
'LessThanOrEqual' => <integer>,
'Lt' => <integer>,
'Lte' => <integer>,
'Neq' => ['<string>', ...],
'NotEquals' => ['<string>', ...],
],
// ...
],
],
'FindingStatisticTypes' => ['<string>', ...], // REQUIRED
]);
Parameter Details
Members
- DetectorId
-
- Required: Yes
- Type: string
The ID of the detector that specifies the GuardDuty service whose findings' statistics you want to retrieve.
- FindingCriteria
-
- Type: FindingCriteria structure
Represents the criteria used for querying findings.
- FindingStatisticTypes
-
- Required: Yes
- Type: Array of strings
Types of finding statistics to retrieve.
Result Syntax
[
'FindingStatistics' => [
'CountBySeverity' => [<integer>, ...],
],
]
Result Details
Members
- FindingStatistics
-
- Required: Yes
- Type: FindingStatistics structure
Finding statistics object.
Errors
-
Bad request exception object.
-
Internal server error exception object.
GetIPSet
$result = $client->getIPSet([/* ... */]); $promise = $client->getIPSetAsync([/* ... */]);
Retrieves the IPSet specified by the ipSetId.
Parameter Syntax
$result = $client->getIPSet([
'DetectorId' => '<string>', // REQUIRED
'IpSetId' => '<string>', // REQUIRED
]);
Parameter Details
Members
Result Syntax
[
'Format' => 'TXT|STIX|OTX_CSV|ALIEN_VAULT|PROOF_POINT|FIRE_EYE',
'Location' => '<string>',
'Name' => '<string>',
'Status' => 'INACTIVE|ACTIVATING|ACTIVE|DEACTIVATING|ERROR|DELETE_PENDING|DELETED',
'Tags' => ['<string>', ...],
]
Result Details
Members
- Format
-
- Required: Yes
- Type: string
The format of the file that contains the IPSet.
- Location
-
- Required: Yes
- Type: string
The URI of the file that contains the IPSet. For example (https://s3.us-west-2.amazonaws.com/my-bucket/my-object-key)
- Name
-
- Required: Yes
- Type: string
The user friendly name for the IPSet.
- Status
-
- Required: Yes
- Type: string
The status of ipSet file uploaded.
- Tags
-
- Type: Associative array of custom strings keys (TagKey) to strings
The tags of the IP set resource.
Errors
-
Bad request exception object.
-
Internal server error exception object.
GetInvitationsCount
$result = $client->getInvitationsCount([/* ... */]); $promise = $client->getInvitationsCountAsync([/* ... */]);
Returns the count of all GuardDuty membership invitations that were sent to the current member account except the currently accepted invitation.
Parameter Syntax
$result = $client->getInvitationsCount([ ]);
Parameter Details
Members
Result Syntax
[
'InvitationsCount' => <integer>,
]
Result Details
Errors
-
Bad request exception object.
-
Internal server error exception object.
GetMasterAccount
$result = $client->getMasterAccount([/* ... */]); $promise = $client->getMasterAccountAsync([/* ... */]);
Provides the details for the GuardDuty master account associated with the current GuardDuty member account.
Parameter Syntax
$result = $client->getMasterAccount([
'DetectorId' => '<string>', // REQUIRED
]);
Parameter Details
Members
Result Syntax
[
'Master' => [
'AccountId' => '<string>',
'InvitationId' => '<string>',
'InvitedAt' => '<string>',
'RelationshipStatus' => '<string>',
],
]
Result Details
Members
- Master
-
- Required: Yes
- Type: Master structure
Master account details.
Errors
-
Bad request exception object.
-
Internal server error exception object.
GetMembers
$result = $client->getMembers([/* ... */]); $promise = $client->getMembersAsync([/* ... */]);
Retrieves GuardDuty member accounts (to the current GuardDuty master account) specified by the account IDs.
Parameter Syntax
$result = $client->getMembers([
'AccountIds' => ['<string>', ...], // REQUIRED
'DetectorId' => '<string>', // REQUIRED
]);
Parameter Details
Members
Result Syntax
[
'Members' => [
[
'AccountId' => '<string>',
'DetectorId' => '<string>',
'Email' => '<string>',
'InvitedAt' => '<string>',
'MasterId' => '<string>',
'RelationshipStatus' => '<string>',
'UpdatedAt' => '<string>',
],
// ...
],
'UnprocessedAccounts' => [
[
'AccountId' => '<string>',
'Result' => '<string>',
],
// ...
],
]
Result Details
Members
- Members
-
- Required: Yes
- Type: Array of Member structures
A list of members.
- UnprocessedAccounts
-
- Required: Yes
- Type: Array of UnprocessedAccount structures
A list of objects containing the unprocessed account and a result string explaining why it was unprocessed.
Errors
-
Bad request exception object.
-
Internal server error exception object.
GetThreatIntelSet
$result = $client->getThreatIntelSet([/* ... */]); $promise = $client->getThreatIntelSetAsync([/* ... */]);
Retrieves the ThreatIntelSet that is specified by the ThreatIntelSet ID.
Parameter Syntax
$result = $client->getThreatIntelSet([
'DetectorId' => '<string>', // REQUIRED
'ThreatIntelSetId' => '<string>', // REQUIRED
]);
Parameter Details
Members
Result Syntax
[
'Format' => 'TXT|STIX|OTX_CSV|ALIEN_VAULT|PROOF_POINT|FIRE_EYE',
'Location' => '<string>',
'Name' => '<string>',
'Status' => 'INACTIVE|ACTIVATING|ACTIVE|DEACTIVATING|ERROR|DELETE_PENDING|DELETED',
'Tags' => ['<string>', ...],
]
Result Details
Members
- Format
-
- Required: Yes
- Type: string
The format of the threatIntelSet.
- Location
-
- Required: Yes
- Type: string
The URI of the file that contains the ThreatIntelSet. For example (https://s3.us-west-2.amazonaws.com/my-bucket/my-object-key).
- Name
-
- Required: Yes
- Type: string
A user-friendly ThreatIntelSet name that is displayed in all finding generated by activity that involves IP addresses included in this ThreatIntelSet.
- Status
-
- Required: Yes
- Type: string
The status of threatIntelSet file uploaded.
- Tags
-
- Type: Associative array of custom strings keys (TagKey) to strings
The tags of the Threat List resource.
Errors
-
Bad request exception object.
-
Internal server error exception object.
InviteMembers
$result = $client->inviteMembers([/* ... */]); $promise = $client->inviteMembersAsync([/* ... */]);
Invites other AWS accounts (created as members of the current AWS account by CreateMembers) to enable GuardDuty and allow the current AWS account to view and manage these accounts' GuardDuty findings on their behalf as the master account.
Parameter Syntax
$result = $client->inviteMembers([
'AccountIds' => ['<string>', ...], // REQUIRED
'DetectorId' => '<string>', // REQUIRED
'DisableEmailNotification' => true || false,
'Message' => '<string>',
]);
Parameter Details
Members
- AccountIds
-
- Required: Yes
- Type: Array of strings
A list of account IDs of the accounts that you want to invite to GuardDuty as members.
- DetectorId
-
- Required: Yes
- Type: string
The unique ID of the detector of the GuardDuty account with which you want to invite members.
- DisableEmailNotification
-
- Type: boolean
A boolean value that specifies whether you want to disable email notification to the accounts that you’re inviting to GuardDuty as members.
- Message
-
- Type: string
The invitation message that you want to send to the accounts that you’re inviting to GuardDuty as members.
Result Syntax
[
'UnprocessedAccounts' => [
[
'AccountId' => '<string>',
'Result' => '<string>',
],
// ...
],
]
Result Details
Members
- UnprocessedAccounts
-
- Required: Yes
- Type: Array of UnprocessedAccount structures
A list of objects containing the unprocessed account and a result string explaining why it was unprocessed.
Errors
-
Bad request exception object.
-
Internal server error exception object.
ListDetectors
$result = $client->listDetectors([/* ... */]); $promise = $client->listDetectorsAsync([/* ... */]);
Lists detectorIds of all the existing Amazon GuardDuty detector resources.
Parameter Syntax
$result = $client->listDetectors([
'MaxResults' => <integer>,
'NextToken' => '<string>',
]);
Parameter Details
Members
- MaxResults
-
- Type: int
You can use this parameter to indicate the maximum number of items you want in the response. The default value is 50. The maximum value is 50.
- NextToken
-
- Type: string
You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action fill nextToken in the request with the value of NextToken from the previous response to continue listing data.
Result Syntax
[
'DetectorIds' => ['<string>', ...],
'NextToken' => '<string>',
]
Result Details
Members
Errors
-
Bad request exception object.
-
Internal server error exception object.
ListFilters
$result = $client->listFilters([/* ... */]); $promise = $client->listFiltersAsync([/* ... */]);
Returns a paginated list of the current filters.
Parameter Syntax
$result = $client->listFilters([
'DetectorId' => '<string>', // REQUIRED
'MaxResults' => <integer>,
'NextToken' => '<string>',
]);
Parameter Details
Members
- DetectorId
-
- Required: Yes
- Type: string
The unique ID of the detector the filter is associated with.
- MaxResults
-
- Type: int
You can use this parameter to indicate the maximum number of items you want in the response. The default value is 50. The maximum value is 50.
- NextToken
-
- Type: string
You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action fill nextToken in the request with the value of NextToken from the previous response to continue listing data.
Result Syntax
[
'FilterNames' => ['<string>', ...],
'NextToken' => '<string>',
]
Result Details
Members
Errors
-
Bad request exception object.
-
Internal server error exception object.
ListFindings
$result = $client->listFindings([/* ... */]); $promise = $client->listFindingsAsync([/* ... */]);
Lists Amazon GuardDuty findings for the specified detector ID.
Parameter Syntax
$result = $client->listFindings([
'DetectorId' => '<string>', // REQUIRED
'FindingCriteria' => [
'Criterion' => [
'<String>' => [
'Eq' => ['<string>', ...],
'Equals' => ['<string>', ...],
'GreaterThan' => <integer>,
'GreaterThanOrEqual' => <integer>,
'Gt' => <integer>,
'Gte' => <integer>,
'LessThan' => <integer>,
'LessThanOrEqual' => <integer>,
'Lt' => <integer>,
'Lte' => <integer>,
'Neq' => ['<string>', ...],
'NotEquals' => ['<string>', ...],
],
// ...
],
],
'MaxResults' => <integer>,
'NextToken' => '<string>',
'SortCriteria' => [
'AttributeName' => '<string>',
'OrderBy' => 'ASC|DESC',
],
]);
Parameter Details
Members
- DetectorId
-
- Required: Yes
- Type: string
The ID of the detector that specifies the GuardDuty service whose findings you want to list.
- FindingCriteria
-
- Type: FindingCriteria structure
Represents the criteria used for querying findings. Valid values include:
-
JSON field name
-
accountId
-
region
-
confidence
-
id
-
resource.accessKeyDetails.accessKeyId
-
resource.accessKeyDetails.principalId
-
resource.accessKeyDetails.userName
-
resource.accessKeyDetails.userType
-
resource.instanceDetails.iamInstanceProfile.id
-
resource.instanceDetails.imageId
-
resource.instanceDetails.instanceId
-
resource.instanceDetails.outpostArn
-
resource.instanceDetails.networkInterfaces.ipv6Addresses
-
resource.instanceDetails.networkInterfaces.privateIpAddresses.privateIpAddress
-
resource.instanceDetails.networkInterfaces.publicDnsName
-
resource.instanceDetails.networkInterfaces.publicIp
-
resource.instanceDetails.networkInterfaces.securityGroups.groupId
-
resource.instanceDetails.networkInterfaces.securityGroups.groupName
-
resource.instanceDetails.networkInterfaces.subnetId
-
resource.instanceDetails.networkInterfaces.vpcId
-
resource.instanceDetails.tags.key
-
resource.instanceDetails.tags.value
-
resource.resourceType
-
service.action.actionType
-
service.action.awsApiCallAction.api
-
service.action.awsApiCallAction.callerType
-
service.action.awsApiCallAction.remoteIpDetails.city.cityName
-
service.action.awsApiCallAction.remoteIpDetails.country.countryName
-
service.action.awsApiCallAction.remoteIpDetails.ipAddressV4
-
service.action.awsApiCallAction.remoteIpDetails.organization.asn
-
service.action.awsApiCallAction.remoteIpDetails.organization.asnOrg
-
service.action.awsApiCallAction.serviceName
-
service.action.dnsRequestAction.domain
-
service.action.networkConnectionAction.blocked
-
service.action.networkConnectionAction.connectionDirection
-
service.action.networkConnectionAction.localPortDetails.port
-
service.action.networkConnectionAction.protocol
-
service.action.networkConnectionAction.localIpDetails.ipAddressV4
-
service.action.networkConnectionAction.remoteIpDetails.city.cityName
-
service.action.networkConnectionAction.remoteIpDetails.country.countryName
-
service.action.networkConnectionAction.remoteIpDetails.ipAddressV4
-
service.action.networkConnectionAction.remoteIpDetails.organization.asn
-
service.action.networkConnectionAction.remoteIpDetails.organization.asnOrg
-
service.action.networkConnectionAction.remotePortDetails.port
-
service.additionalInfo.threatListName
-
service.archived
When this attribute is set to 'true', only archived findings are listed. When it's set to 'false', only unarchived findings are listed. When this attribute is not set, all existing findings are listed.
-
service.resourceRole
-
severity
-
type
-
updatedAt
Type: Timestamp in Unix Epoch millisecond format: 1486685375000
- MaxResults
-
- Type: int
You can use this parameter to indicate the maximum number of items you want in the response. The default value is 50. The maximum value is 50.
- NextToken
-
- Type: string
You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action fill nextToken in the request with the value of NextToken from the previous response to continue listing data.
- SortCriteria
-
- Type: SortCriteria structure
Represents the criteria used for sorting findings.
Result Syntax
[
'FindingIds' => ['<string>', ...],
'NextToken' => '<string>',
]
Result Details
Members
Errors
-
Bad request exception object.
-
Internal server error exception object.
ListIPSets
$result = $client->listIPSets([/* ... */]); $promise = $client->listIPSetsAsync([/* ... */]);
Lists the IPSets of the GuardDuty service specified by the detector ID. If you use this operation from a member account, the IPSets returned are the IPSets from the associated master account.
Parameter Syntax
$result = $client->listIPSets([
'DetectorId' => '<string>', // REQUIRED
'MaxResults' => <integer>,
'NextToken' => '<string>',
]);
Parameter Details
Members
- DetectorId
-
- Required: Yes
- Type: string
The unique ID of the detector the ipSet is associated with.
- MaxResults
-
- Type: int
You can use this parameter to indicate the maximum number of items you want in the response. The default value is 50. The maximum value is 50.
- NextToken
-
- Type: string
You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action fill nextToken in the request with the value of NextToken from the previous response to continue listing data.
Result Syntax
[
'IpSetIds' => ['<string>', ...],
'NextToken' => '<string>',
]
Result Details
Members
Errors
-
Bad request exception object.
-
Internal server error exception object.
ListInvitations
$result = $client->listInvitations([/* ... */]); $promise = $client->listInvitationsAsync([/* ... */]);
Lists all GuardDuty membership invitations that were sent to the current AWS account.
Parameter Syntax
$result = $client->listInvitations([
'MaxResults' => <integer>,
'NextToken' => '<string>',
]);
Parameter Details
Members
- MaxResults
-
- Type: int
You can use this parameter to indicate the maximum number of items you want in the response. The default value is 50. The maximum value is 50.
- NextToken
-
- Type: string
You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action fill nextToken in the request with the value of NextToken from the previous response to continue listing data.
Result Syntax
[
'Invitations' => [
[
'AccountId' => '<string>',
'InvitationId' => '<string>',
'InvitedAt' => '<string>',
'RelationshipStatus' => '<string>',
],
// ...
],
'NextToken' => '<string>',
]
Result Details
Members
- Invitations
-
- Type: Array of Invitation structures
A list of invitation descriptions.
- NextToken
-
- Type: string
Pagination parameter to be used on the next list operation to retrieve more items.
Errors
-
Bad request exception object.
-
Internal server error exception object.
ListMembers
$result = $client->listMembers([/* ... */]); $promise = $client->listMembersAsync([/* ... */]);
Lists details about all member accounts for the current GuardDuty master account.
Parameter Syntax
$result = $client->listMembers([
'DetectorId' => '<string>', // REQUIRED
'MaxResults' => <integer>,
'NextToken' => '<string>',
'OnlyAssociated' => '<string>',
]);
Parameter Details
Members
- DetectorId
-
- Required: Yes
- Type: string
The unique ID of the detector the member is associated with.
- MaxResults
-
- Type: int
You can use this parameter to indicate the maximum number of items you want in the response. The default value is 50. The maximum value is 50.
- NextToken
-
- Type: string
You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action fill nextToken in the request with the value of NextToken from the previous response to continue listing data.
- OnlyAssociated
-
- Type: string
Specifies whether to only return associated members or to return all members (including members which haven't been invited yet or have been disassociated).
Result Syntax
[
'Members' => [
[
'AccountId' => '<string>',
'DetectorId' => '<string>',
'Email' => '<string>',
'InvitedAt' => '<string>',
'MasterId' => '<string>',
'RelationshipStatus' => '<string>',
'UpdatedAt' => '<string>',
],
// ...
],
'NextToken' => '<string>',
]
Result Details
Members
- Members
-
- Type: Array of Member structures
A list of members.
- NextToken
-
- Type: string
Pagination parameter to be used on the next list operation to retrieve more items.
Errors
-
Bad request exception object.
-
Internal server error exception object.
ListPublishingDestinations
$result = $client->listPublishingDestinations([/* ... */]); $promise = $client->listPublishingDestinationsAsync([/* ... */]);
Returns a list of publishing destinations associated with the specified dectectorId.
Parameter Syntax
$result = $client->listPublishingDestinations([
'DetectorId' => '<string>', // REQUIRED
'MaxResults' => <integer>,
'NextToken' => '<string>',
]);
Parameter Details
Members
- DetectorId
-
- Required: Yes
- Type: string
The ID of the detector to retrieve publishing destinations for.
- MaxResults
-
- Type: int
The maximum number of results to return in the response.
- NextToken
-
- Type: string
A token to use for paginating results returned in the repsonse. Set the value of this parameter to null for the first request to a list action. For subsequent calls, use the
NextTokenvalue returned from the previous request to continue listing results after the first page.
Result Syntax
[
'Destinations' => [
[
'DestinationId' => '<string>',
'DestinationType' => 'S3',
'Status' => 'PENDING_VERIFICATION|PUBLISHING|UNABLE_TO_PUBLISH_FIX_DESTINATION_PROPERTY|STOPPED',
],
// ...
],
'NextToken' => '<string>',
]
Result Details
Members
- Destinations
-
- Required: Yes
- Type: Array of Destination structures
A
Destinationsobect that includes information about each publishing destination returned. - NextToken
-
- Type: string
A token to use for paginating results returned in the repsonse. Set the value of this parameter to null for the first request to a list action. For subsequent calls, use the
NextTokenvalue returned from the previous request to continue listing results after the first page.
Errors
-
Bad request exception object.
-
Internal server error exception object.
ListTagsForResource
$result = $client->listTagsForResource([/* ... */]); $promise = $client->listTagsForResourceAsync([/* ... */]);
Lists tags for a resource. Tagging is currently supported for detectors, finding filters, IP sets, and Threat Intel sets, with a limit of 50 tags per resource. When invoked, this operation returns all assigned tags for a given resource..
Parameter Syntax
$result = $client->listTagsForResource([
'ResourceArn' => '<string>', // REQUIRED
]);
Parameter Details
Members
Result Syntax
[
'Tags' => ['<string>', ...],
]
Result Details
Members
Errors
-
Bad request exception object.
-
Internal server error exception object.
ListThreatIntelSets
$result = $client->listThreatIntelSets([/* ... */]); $promise = $client->listThreatIntelSetsAsync([/* ... */]);
Lists the ThreatIntelSets of the GuardDuty service specified by the detector ID. If you use this operation from a member account, the ThreatIntelSets associated with the master account are returned.
Parameter Syntax
$result = $client->listThreatIntelSets([
'DetectorId' => '<string>', // REQUIRED
'MaxResults' => <integer>,
'NextToken' => '<string>',
]);
Parameter Details
Members
- DetectorId
-
- Required: Yes
- Type: string
The unique ID of the detector the threatIntelSet is associated with.
- MaxResults
-
- Type: int
You can use this parameter to indicate the maximum number of items you want in the response. The default value is 50. The maximum value is 50.
- NextToken
-
- Type: string
You can use this parameter to paginate results in the response. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action fill nextToken in the request with the value of NextToken from the previous response to continue listing data.
Result Syntax
[
'NextToken' => '<string>',
'ThreatIntelSetIds' => ['<string>', ...],
]
Result Details
Members
Errors
-
Bad request exception object.
-
Internal server error exception object.
StartMonitoringMembers
$result = $client->startMonitoringMembers([/* ... */]); $promise = $client->startMonitoringMembersAsync([/* ... */]);
Turns on GuardDuty monitoring of the specified member accounts. Use this operation to restart monitoring of accounts that you stopped monitoring with the StopMonitoringMembers operation.
Parameter Syntax
$result = $client->startMonitoringMembers([
'AccountIds' => ['<string>', ...], // REQUIRED
'DetectorId' => '<string>', // REQUIRED
]);
Parameter Details
Members
Result Syntax
[
'UnprocessedAccounts' => [
[
'AccountId' => '<string>',
'Result' => '<string>',
],
// ...
],
]
Result Details
Members
- UnprocessedAccounts
-
- Required: Yes
- Type: Array of UnprocessedAccount structures
A list of objects containing the unprocessed account and a result string explaining why it was unprocessed.
Errors
-
Bad request exception object.
-
Internal server error exception object.
StopMonitoringMembers
$result = $client->stopMonitoringMembers([/* ... */]); $promise = $client->stopMonitoringMembersAsync([/* ... */]);
Stops GuardDuty monitoring for the specified member accounnts. Use the StartMonitoringMembers to restart monitoring for those accounts.
Parameter Syntax
$result = $client->stopMonitoringMembers([
'AccountIds' => ['<string>', ...], // REQUIRED
'DetectorId' => '<string>', // REQUIRED
]);
Parameter Details
Members
- AccountIds
-
- Required: Yes
- Type: Array of strings
A list of account IDs of the GuardDuty member accounts whose findings you want the master account to stop monitoring.
- DetectorId
-
- Required: Yes
- Type: string
The unique ID of the detector of the GuardDuty account that you want to stop from monitor members' findings.
Result Syntax
[
'UnprocessedAccounts' => [
[
'AccountId' => '<string>',
'Result' => '<string>',
],
// ...
],
]
Result Details
Members
- UnprocessedAccounts
-
- Required: Yes
- Type: Array of UnprocessedAccount structures
A list of objects containing the unprocessed account and a result string explaining why it was unprocessed.
Errors
-
Bad request exception object.
-
Internal server error exception object.
TagResource
$result = $client->tagResource([/* ... */]); $promise = $client->tagResourceAsync([/* ... */]);
Adds tags to a resource.
Parameter Syntax
$result = $client->tagResource([
'ResourceArn' => '<string>', // REQUIRED
'Tags' => ['<string>', ...], // REQUIRED
]);
Parameter Details
Members
Result Syntax
[]
Result Details
Errors
-
Bad request exception object.
-
Internal server error exception object.
UnarchiveFindings
$result = $client->unarchiveFindings([/* ... */]); $promise = $client->unarchiveFindingsAsync([/* ... */]);
Unarchives GuardDuty findings specified by the findingIds.
Parameter Syntax
$result = $client->unarchiveFindings([
'DetectorId' => '<string>', // REQUIRED
'FindingIds' => ['<string>', ...], // REQUIRED
]);
Parameter Details
Members
Result Syntax
[]
Result Details
Errors
-
Bad request exception object.
-
Internal server error exception object.
UntagResource
$result = $client->untagResource([/* ... */]); $promise = $client->untagResourceAsync([/* ... */]);
Removes tags from a resource.
Parameter Syntax
$result = $client->untagResource([
'ResourceArn' => '<string>', // REQUIRED
'TagKeys' => ['<string>', ...], // REQUIRED
]);
Parameter Details
Members
Result Syntax
[]
Result Details
Errors
-
Bad request exception object.
-
Internal server error exception object.
UpdateDetector
$result = $client->updateDetector([/* ... */]); $promise = $client->updateDetectorAsync([/* ... */]);
Updates the Amazon GuardDuty detector specified by the detectorId.
Parameter Syntax
$result = $client->updateDetector([
'DetectorId' => '<string>', // REQUIRED
'Enable' => true || false,
'FindingPublishingFrequency' => 'FIFTEEN_MINUTES|ONE_HOUR|SIX_HOURS',
]);
Parameter Details
Members
Result Syntax
[]
Result Details
Errors
-
Bad request exception object.
-
Internal server error exception object.
UpdateFilter
$result = $client->updateFilter([/* ... */]); $promise = $client->updateFilterAsync([/* ... */]);
Updates the filter specified by the filter name.
Parameter Syntax
$result = $client->updateFilter([
'Action' => 'NOOP|ARCHIVE',
'Description' => '<string>',
'DetectorId' => '<string>', // REQUIRED
'FilterName' => '<string>', // REQUIRED
'FindingCriteria' => [
'Criterion' => [
'<String>' => [
'Eq' => ['<string>', ...],
'Equals' => ['<string>', ...],
'GreaterThan' => <integer>,
'GreaterThanOrEqual' => <integer>,
'Gt' => <integer>,
'Gte' => <integer>,
'LessThan' => <integer>,
'LessThanOrEqual' => <integer>,
'Lt' => <integer>,
'Lte' => <integer>,
'Neq' => ['<string>', ...],
'NotEquals' => ['<string>', ...],
],
// ...
],
],
'Rank' => <integer>,
]);
Parameter Details
Members
- Action
-
- Type: string
Specifies the action that is to be applied to the findings that match the filter.
- Description
-
- Type: string
The description of the filter.
- DetectorId
-
- Required: Yes
- Type: string
The unique ID of the detector that specifies the GuardDuty service where you want to update a filter.
- FilterName
-
- Required: Yes
- Type: string
The name of the filter.
- FindingCriteria
-
- Type: FindingCriteria structure
Represents the criteria to be used in the filter for querying findings.
- Rank
-
- Type: int
Specifies the position of the filter in the list of current filters. Also specifies the order in which this filter is applied to the findings.
Result Syntax
[
'Name' => '<string>',
]
Result Details
Errors
-
Bad request exception object.
-
Internal server error exception object.
UpdateFindingsFeedback
$result = $client->updateFindingsFeedback([/* ... */]); $promise = $client->updateFindingsFeedbackAsync([/* ... */]);
Marks the specified GuardDuty findings as useful or not useful.
Parameter Syntax
$result = $client->updateFindingsFeedback([
'Comments' => '<string>',
'DetectorId' => '<string>', // REQUIRED
'Feedback' => 'USEFUL|NOT_USEFUL', // REQUIRED
'FindingIds' => ['<string>', ...], // REQUIRED
]);
Parameter Details
Members
- Comments
-
- Type: string
Additional feedback about the GuardDuty findings.
- DetectorId
-
- Required: Yes
- Type: string
The ID of the detector associated with the findings to update feedback for.
- Feedback
-
- Required: Yes
- Type: string
The feedback for the finding.
- FindingIds
-
- Required: Yes
- Type: Array of strings
IDs of the findings that you want to mark as useful or not useful.
Result Syntax
[]
Result Details
Errors
-
Bad request exception object.
-
Internal server error exception object.
UpdateIPSet
$result = $client->updateIPSet([/* ... */]); $promise = $client->updateIPSetAsync([/* ... */]);
Updates the IPSet specified by the IPSet ID.
Parameter Syntax
$result = $client->updateIPSet([
'Activate' => true || false,
'DetectorId' => '<string>', // REQUIRED
'IpSetId' => '<string>', // REQUIRED
'Location' => '<string>',
'Name' => '<string>',
]);
Parameter Details
Members
- Activate
-
- Type: boolean
The updated boolean value that specifies whether the IPSet is active or not.
- DetectorId
-
- Required: Yes
- Type: string
The detectorID that specifies the GuardDuty service whose IPSet you want to update.
- IpSetId
-
- Required: Yes
- Type: string
The unique ID that specifies the IPSet that you want to update.
- Location
-
- Type: string
The updated URI of the file that contains the IPSet. For example (https://s3.us-west-2.amazonaws.com/my-bucket/my-object-key).
- Name
-
- Type: string
The unique ID that specifies the IPSet that you want to update.
Result Syntax
[]
Result Details
Errors
-
Bad request exception object.
-
Internal server error exception object.
UpdatePublishingDestination
$result = $client->updatePublishingDestination([/* ... */]); $promise = $client->updatePublishingDestinationAsync([/* ... */]);
Updates information about the publishing destination specified by the destinationId.
Parameter Syntax
$result = $client->updatePublishingDestination([
'DestinationId' => '<string>', // REQUIRED
'DestinationProperties' => [
'DestinationArn' => '<string>',
'KmsKeyArn' => '<string>',
],
'DetectorId' => '<string>', // REQUIRED
]);
Parameter Details
Members
- DestinationId
-
- Required: Yes
- Type: string
The ID of the detector associated with the publishing destinations to update.
- DestinationProperties
-
- Type: DestinationProperties structure
A
DestinationPropertiesobject that includes theDestinationArnandKmsKeyArnof the publishing destination. - DetectorId
-
- Required: Yes
- Type: string
The ID of the
Result Syntax
[]
Result Details
Errors
-
Bad request exception object.
-
Internal server error exception object.
UpdateThreatIntelSet
$result = $client->updateThreatIntelSet([/* ... */]); $promise = $client->updateThreatIntelSetAsync([/* ... */]);
Updates the ThreatIntelSet specified by ThreatIntelSet ID.
Parameter Syntax
$result = $client->updateThreatIntelSet([
'Activate' => true || false,
'DetectorId' => '<string>', // REQUIRED
'Location' => '<string>',
'Name' => '<string>',
'ThreatIntelSetId' => '<string>', // REQUIRED
]);
Parameter Details
Members
- Activate
-
- Type: boolean
The updated boolean value that specifies whether the ThreateIntelSet is active or not.
- DetectorId
-
- Required: Yes
- Type: string
The detectorID that specifies the GuardDuty service whose ThreatIntelSet you want to update.
- Location
-
- Type: string
The updated URI of the file that contains the ThreateIntelSet. For example (https://s3.us-west-2.amazonaws.com/my-bucket/my-object-key)
- Name
-
- Type: string
The unique ID that specifies the ThreatIntelSet that you want to update.
- ThreatIntelSetId
-
- Required: Yes
- Type: string
The unique ID that specifies the ThreatIntelSet that you want to update.
Result Syntax
[]
Result Details
Errors
-
Bad request exception object.
-
Internal server error exception object.
Shapes
AccessKeyDetails
Description
Contains information about the access keys.
Members
AccountDetail
Description
Contains information about the account.
Members
Action
Description
Contains information about action.
Members
- ActionType
-
- Type: string
GuardDuty Finding activity type.
- AwsApiCallAction
-
- Type: AwsApiCallAction structure
Information about the AWS_API_CALL action described in this finding.
- DnsRequestAction
-
- Type: DnsRequestAction structure
Information about the DNS_REQUEST action described in this finding.
- NetworkConnectionAction
-
- Type: NetworkConnectionAction structure
Information about the NETWORK_CONNECTION action described in this finding.
- PortProbeAction
-
- Type: PortProbeAction structure
Information about the PORT_PROBE action described in this finding.
AwsApiCallAction
Description
Contains information about the API operation.
Members
- Api
-
- Type: string
AWS API name.
- CallerType
-
- Type: string
AWS API caller type.
- DomainDetails
-
- Type: DomainDetails structure
Domain information for the AWS API call.
- RemoteIpDetails
-
- Type: RemoteIpDetails structure
Remote IP information of the connection.
- ServiceName
-
- Type: string
AWS service name whose API was invoked.
BadRequestException
Description
Bad request exception object.
Members
City
Description
Contains information about the city associated with the IP address.
Members
Condition
Description
Contains information about the condition.
Members
- Eq
-
- Type: Array of strings
Represents the equal condition to be applied to a single field when querying for findings.
- Equals
-
- Type: Array of strings
Represents an equal condition to be applied to a single field when querying for findings.
- GreaterThan
-
- Type: long (int|float)
Represents a greater than condition to be applied to a single field when querying for findings.
- GreaterThanOrEqual
-
- Type: long (int|float)
Represents a greater than equal condition to be applied to a single field when querying for findings.
- Gt
-
- Type: int
Represents a greater than condition to be applied to a single field when querying for findings.
- Gte
-
- Type: int
Represents a greater than equal condition to be applied to a single field when querying for findings.
- LessThan
-
- Type: long (int|float)
Represents a less than condition to be applied to a single field when querying for findings.
- LessThanOrEqual
-
- Type: long (int|float)
Represents a less than equal condition to be applied to a single field when querying for findings.
- Lt
-
- Type: int
Represents a less than condition to be applied to a single field when querying for findings.
- Lte
-
- Type: int
Represents a less than equal condition to be applied to a single field when querying for findings.
- Neq
-
- Type: Array of strings
Represents the not equal condition to be applied to a single field when querying for findings.
- NotEquals
-
- Type: Array of strings
Represents an not equal condition to be applied to a single field when querying for findings.
Country
Description
Contains information about the country in which the remote IP address is located.
Members
Destination
Description
Contains information about a publishing destination, including the ID, type, and status.
Members
DestinationProperties
Description
Contains the ARN of the resource to publish to, such as an S3 bucket, and the ARN of the KMS key to use to encrypt published findings.
Members
DnsRequestAction
Description
Contains information about the DNS_REQUEST action described in this finding.
Members
DomainDetails
Description
Contains information about the domain.
Members
Evidence
Description
Contains information about the reason that the finding was generated.
Members
- ThreatIntelligenceDetails
-
- Type: Array of ThreatIntelligenceDetail structures
A list of threat intelligence details related to the evidence.
Finding
Description
Contains information about the finding, which is generated when abnormal or suspicious activity is detected.
Members
- AccountId
-
- Required: Yes
- Type: string
The ID of the account in which the finding was generated.
- Arn
-
- Required: Yes
- Type: string
The ARN for the finding.
- Confidence
-
- Type: double
The confidence score for the finding.
- CreatedAt
-
- Required: Yes
- Type: string
The time and date at which the finding was created.
- Description
-
- Type: string
The description of the finding.
- Id
-
- Required: Yes
- Type: string
The ID of the finding.
- Partition
-
- Type: string
The partition associated with the finding.
- Region
-
- Required: Yes
- Type: string
The Region in which the finding was generated.
- Resource
-
- Required: Yes
- Type: Resource structure
Contains information about the AWS resource associated with the activity that prompted GuardDuty to generate a finding.
- SchemaVersion
-
- Required: Yes
- Type: string
The version of the schema used for the finding.
- Service
-
- Type: Service structure
Contains additional information about the generated finding.
- Severity
-
- Required: Yes
- Type: double
The severity of the finding.
- Title
-
- Type: string
The title for the finding.
- Type
-
- Required: Yes
- Type: string
The type of the finding.
- UpdatedAt
-
- Required: Yes
- Type: string
The time and date at which the finding was laste updated.
FindingCriteria
Description
Contains information about the criteria used for querying findings.
Members
- Criterion
-
- Type: Associative array of custom strings keys (String) to Condition structures
Represents a map of finding properties that match specified conditions and values when querying findings.
FindingStatistics
Description
Contains information about finding statistics.
Members
GeoLocation
Description
Contains information about the location of the remote IP address.
Members
IamInstanceProfile
Description
Contains information about the EC2 instance profile.
Members
InstanceDetails
Description
Contains information about the details of an instance.
Members
- AvailabilityZone
-
- Type: string
The availability zone of the EC2 instance.
- IamInstanceProfile
-
- Type: IamInstanceProfile structure
The profile information of the EC2 instance.
- ImageDescription
-
- Type: string
The image description of the EC2 instance.
- ImageId
-
- Type: string
The image ID of the EC2 instance.
- InstanceId
-
- Type: string
The ID of the EC2 instance.
- InstanceState
-
- Type: string
The state of the EC2 instance.
- InstanceType
-
- Type: string
The type of the EC2 instance.
- LaunchTime
-
- Type: string
The launch time of the EC2 instance.
- NetworkInterfaces
-
- Type: Array of NetworkInterface structures
The network interface information of the EC2 instance.
- OutpostArn
-
- Type: string
The Amazon Resource Name (ARN) of the AWS Outpost. Only applicable to AWS Outposts instances.
- Platform
-
- Type: string
The platform of the EC2 instance.
- ProductCodes
-
- Type: Array of ProductCode structures
The product code of the EC2 instance.
- Tags
-
- Type: Array of Tag structures
The tags of the EC2 instance.
InternalServerErrorException
Description
Internal server error exception object.
Members
Invitation
Description
Contains information about the invitation to become a member account.
Members
- AccountId
-
- Type: string
The ID of the account from which the invitations was sent.
- InvitationId
-
- Type: string
The ID of the invitation. This value is used to validate the inviter account to the member account.
- InvitedAt
-
- Type: string
Timestamp at which the invitation was sent.
- RelationshipStatus
-
- Type: string
The status of the relationship between the inviter and invitee accounts.
LocalIpDetails
Description
Contains information about the local IP address of the connection.
Members
LocalPortDetails
Description
Contains information about the port for the local connection.
Members
Master
Description
Contains information about the Master account and invitation.
Members
- AccountId
-
- Type: string
The ID of the account used as the Master account.
- InvitationId
-
- Type: string
This value is used to validate the master account to the member account.
- InvitedAt
-
- Type: string
Timestamp at which the invitation was sent.
- RelationshipStatus
-
- Type: string
The status of the relationship between the master and member accounts.
Member
Description
Continas information about the member account
Members
- AccountId
-
- Required: Yes
- Type: string
Member account ID.
- DetectorId
-
- Type: string
Member account's detector ID.
-
- Required: Yes
- Type: string
Member account's email address.
- InvitedAt
-
- Type: string
Timestamp at which the invitation was sent
- MasterId
-
- Required: Yes
- Type: string
Master account ID.
- RelationshipStatus
-
- Required: Yes
- Type: string
The status of the relationship between the member and the master.
- UpdatedAt
-
- Required: Yes
- Type: string
Member last updated timestamp.
NetworkConnectionAction
Description
Contains information about the NETWORK_CONNECTION action described in the finding.
Members
- Blocked
-
- Type: boolean
Network connection blocked information.
- ConnectionDirection
-
- Type: string
Network connection direction.
- LocalIpDetails
-
- Type: LocalIpDetails structure
Local IP information of the connection.
- LocalPortDetails
-
- Type: LocalPortDetails structure
Local port information of the connection.
- Protocol
-
- Type: string
Network connection protocol.
- RemoteIpDetails
-
- Type: RemoteIpDetails structure
Remote IP information of the connection.
- RemotePortDetails
-
- Type: RemotePortDetails structure
Remote port information of the connection.
NetworkInterface
Description
Contains information about the network interface of the Ec2 instance.
Members
- Ipv6Addresses
-
- Type: Array of strings
A list of EC2 instance IPv6 address information.
- NetworkInterfaceId
-
- Type: string
The ID of the network interface
- PrivateDnsName
-
- Type: string
Private DNS name of the EC2 instance.
- PrivateIpAddress
-
- Type: string
Private IP address of the EC2 instance.
- PrivateIpAddresses
-
- Type: Array of PrivateIpAddressDetails structures
Other private IP address information of the EC2 instance.
- PublicDnsName
-
- Type: string
Public DNS name of the EC2 instance.
- PublicIp
-
- Type: string
Public IP address of the EC2 instance.
- SecurityGroups
-
- Type: Array of SecurityGroup structures
Security groups associated with the EC2 instance.
- SubnetId
-
- Type: string
The subnet ID of the EC2 instance.
- VpcId
-
- Type: string
The VPC ID of the EC2 instance.
Organization
Description
Continas information about the ISP organization of the remote IP address.
Members
PortProbeAction
Description
Contains information about the PORT_PROBE action described in the finding.
Members
- Blocked
-
- Type: boolean
Port probe blocked information.
- PortProbeDetails
-
- Type: Array of PortProbeDetail structures
A list of port probe details objects.
PortProbeDetail
Description
Contains information about the port probe details.
Members
- LocalIpDetails
-
- Type: LocalIpDetails structure
Local IP information of the connection.
- LocalPortDetails
-
- Type: LocalPortDetails structure
Local port information of the connection.
- RemoteIpDetails
-
- Type: RemoteIpDetails structure
Remote IP information of the connection.
PrivateIpAddressDetails
Description
Contains other private IP address information of the EC2 instance.
Members
ProductCode
Description
Contains information about the product code for the Ec2 instance.
Members
RemoteIpDetails
Description
Continas information about the remote IP address of the connection.
Members
- City
-
- Type: City structure
City information of the remote IP address.
- Country
-
- Type: Country structure
Country code of the remote IP address.
- GeoLocation
-
- Type: GeoLocation structure
Location information of the remote IP address.
- IpAddressV4
-
- Type: string
IPV4 remote address of the connection.
- Organization
-
- Type: Organization structure
ISP Organization information of the remote IP address.
RemotePortDetails
Description
Contains information about the remote port.
Members
Resource
Description
Contains information about the AWS resource associated with the activity that prompted GuardDuty to generate a finding.
Members
- AccessKeyDetails
-
- Type: AccessKeyDetails structure
The IAM access key details (IAM user information) of a user that engaged in the activity that prompted GuardDuty to generate a finding.
- InstanceDetails
-
- Type: InstanceDetails structure
The information about the EC2 instance associated with the activity that prompted GuardDuty to generate a finding.
- ResourceType
-
- Type: string
The type of the AWS resource.
SecurityGroup
Description
Contains information about the security groups associated with the EC2 instance.
Members
Service
Description
Contains additional information about the generated finding.
Members
- Action
-
- Type: Action structure
Information about the activity described in a finding.
- Archived
-
- Type: boolean
Indicates whether this finding is archived.
- Count
-
- Type: int
Total count of the occurrences of this finding type.
- DetectorId
-
- Type: string
Detector ID for the GuardDuty service.
- EventFirstSeen
-
- Type: string
First seen timestamp of the activity that prompted GuardDuty to generate this finding.
- EventLastSeen
-
- Type: string
Last seen timestamp of the activity that prompted GuardDuty to generate this finding.
- Evidence
-
- Type: Evidence structure
An evidence object associated with the service.
- ResourceRole
-
- Type: string
Resource role information for this finding.
- ServiceName
-
- Type: string
The name of the AWS service (GuardDuty) that generated a finding.
- UserFeedback
-
- Type: string
Feedback left about the finding.
SortCriteria
Description
Contains information about the criteria used for sorting findings.
Members
Tag
Description
Contains information about a tag associated with the Ec2 instance.
Members
ThreatIntelligenceDetail
Description
An instance of a threat intelligence detail that constitutes evidence for the finding.
