Amazon GuardDuty 2017-11-28
- Client: Aws\GuardDuty\GuardDutyClient
- Service ID: guardduty
- Version: 2017-11-28
This page describes the parameters and results for the operations of the Amazon GuardDuty (2017-11-28), and shows how to use the Aws\GuardDuty\GuardDutyClient object to call the described operations. This documentation is specific to the 2017-11-28 API version of the service.
Operation Summary
Each of the following operations can be created from a client using
$client->getCommand('CommandName'), where "CommandName" is the
name of one of the following operations. Note: a command is a value that
encapsulates an operation and the parameters used to create an HTTP request.
You can also create and send a command immediately using the magic methods
available on a client object: $client->commandName(/* parameters */).
You can send the command asynchronously (returning a promise) by appending the
word "Async" to the operation name: $client->commandNameAsync(/* parameters */).
- AcceptAdministratorInvitation ( array $params = [] )
Accepts the invitation to be a member account and get monitored by a GuardDuty administrator account that sent the invitation.
- AcceptInvitation ( array $params = [] )
Accepts the invitation to be monitored by a GuardDuty administrator account.
- ArchiveFindings ( array $params = [] )
Archives GuardDuty findings that are specified by the list of finding IDs.
- CreateDetector ( array $params = [] )
Creates a single Amazon GuardDuty detector.
- CreateFilter ( array $params = [] )
Creates a filter using the specified finding criteria.
- CreateIPSet ( array $params = [] )
Creates a new IPSet, which is called a trusted IP list in the console user interface.
- CreateMembers ( array $params = [] )
Creates member accounts of the current Amazon Web Services account by specifying a list of Amazon Web Services account IDs.
- CreatePublishingDestination ( array $params = [] )
Creates a publishing destination to export findings to.
- CreateSampleFindings ( array $params = [] )
Generates example findings of types specified by the list of finding types.
- CreateThreatIntelSet ( array $params = [] )
Creates a new ThreatIntelSet.
- DeclineInvitations ( array $params = [] )
Declines invitations sent to the current member account by Amazon Web Services accounts specified by their account IDs.
- DeleteDetector ( array $params = [] )
Deletes an Amazon GuardDuty detector that is specified by the detector ID.
- DeleteFilter ( array $params = [] )
Deletes the filter specified by the filter name.
- DeleteIPSet ( array $params = [] )
Deletes the IPSet specified by the ipSetId.
- DeleteInvitations ( array $params = [] )
Deletes invitations sent to the current member account by Amazon Web Services accounts specified by their account IDs.
- DeleteMembers ( array $params = [] )
Deletes GuardDuty member accounts (to the current GuardDuty administrator account) specified by the account IDs.
- DeletePublishingDestination ( array $params = [] )
Deletes the publishing definition with the specified destinationId.
- DeleteThreatIntelSet ( array $params = [] )
Deletes the ThreatIntelSet specified by the ThreatIntelSet ID.
- DescribeMalwareScans ( array $params = [] )
Returns a list of malware scans.
- DescribeOrganizationConfiguration ( array $params = [] )
Returns information about the account selected as the delegated administrator for GuardDuty.
- DescribePublishingDestination ( array $params = [] )
Returns information about the publishing destination specified by the provided destinationId.
- DisableOrganizationAdminAccount ( array $params = [] )
Disables an Amazon Web Services account within the Organization as the GuardDuty delegated administrator.
- DisassociateFromAdministratorAccount ( array $params = [] )
Disassociates the current GuardDuty member account from its administrator account.
- DisassociateFromMasterAccount ( array $params = [] )
Disassociates the current GuardDuty member account from its administrator account.
- DisassociateMembers ( array $params = [] )
Disassociates GuardDuty member accounts (to the current administrator account) specified by the account IDs.
- EnableOrganizationAdminAccount ( array $params = [] )
Enables an Amazon Web Services account within the organization as the GuardDuty delegated administrator.
- GetAdministratorAccount ( array $params = [] )
Provides the details for the GuardDuty administrator account associated with the current GuardDuty member account.
- GetDetector ( array $params = [] )
Retrieves an Amazon GuardDuty detector specified by the detectorId.
- GetFilter ( array $params = [] )
Returns the details of the filter specified by the filter name.
- GetFindings ( array $params = [] )
Describes Amazon GuardDuty findings specified by finding IDs.
- GetFindingsStatistics ( array $params = [] )
Lists Amazon GuardDuty findings statistics for the specified detector ID.
- GetIPSet ( array $params = [] )
Retrieves the IPSet specified by the ipSetId.
- GetInvitationsCount ( array $params = [] )
Returns the count of all GuardDuty membership invitations that were sent to the current member account except the currently accepted invitation.
- GetMalwareScanSettings ( array $params = [] )
Returns the details of the malware scan settings.
- GetMasterAccount ( array $params = [] )
Provides the details for the GuardDuty administrator account associated with the current GuardDuty member account.
- GetMemberDetectors ( array $params = [] )
Describes which data sources are enabled for the member account's detector.
- GetMembers ( array $params = [] )
Retrieves GuardDuty member accounts (of the current GuardDuty administrator account) specified by the account IDs.
- GetRemainingFreeTrialDays ( array $params = [] )
Provides the number of days left for each data source used in the free trial period.
- GetThreatIntelSet ( array $params = [] )
Retrieves the ThreatIntelSet that is specified by the ThreatIntelSet ID.
- GetUsageStatistics ( array $params = [] )
Lists Amazon GuardDuty usage statistics over the last 30 days for the specified detector ID.
- InviteMembers ( array $params = [] )
Invites other Amazon Web Services accounts (created as members of the current Amazon Web Services account by CreateMembers) to enable GuardDuty, and allow the current Amazon Web Services account to view and manage these accounts' findings on their behalf as the GuardDuty administrator account.
- ListDetectors ( array $params = [] )
Lists detectorIds of all the existing Amazon GuardDuty detector resources.
- ListFilters ( array $params = [] )
Returns a paginated list of the current filters.
- ListFindings ( array $params = [] )
Lists Amazon GuardDuty findings for the specified detector ID.
- ListIPSets ( array $params = [] )
Lists the IPSets of the GuardDuty service specified by the detector ID.
- ListInvitations ( array $params = [] )
Lists all GuardDuty membership invitations that were sent to the current Amazon Web Services account.
- ListMembers ( array $params = [] )
Lists details about all member accounts for the current GuardDuty administrator account.
- ListOrganizationAdminAccounts ( array $params = [] )
Lists the accounts configured as GuardDuty delegated administrators.
- ListPublishingDestinations ( array $params = [] )
Returns a list of publishing destinations associated with the specified detectorId.
- ListTagsForResource ( array $params = [] )
Lists tags for a resource.
- ListThreatIntelSets ( array $params = [] )
Lists the ThreatIntelSets of the GuardDuty service specified by the detector ID.
- StartMonitoringMembers ( array $params = [] )
Turns on GuardDuty monitoring of the specified member accounts.
- StopMonitoringMembers ( array $params = [] )
Stops GuardDuty monitoring for the specified member accounts.
- TagResource ( array $params = [] )
Adds tags to a resource.
- UnarchiveFindings ( array $params = [] )
Unarchives GuardDuty findings specified by the findingIds.
- UntagResource ( array $params = [] )
Removes tags from a resource.
- UpdateDetector ( array $params = [] )
Updates the Amazon GuardDuty detector specified by the detectorId.
- UpdateFilter ( array $params = [] )
Updates the filter specified by the filter name.
- UpdateFindingsFeedback ( array $params = [] )
Marks the specified GuardDuty findings as useful or not useful.
- UpdateIPSet ( array $params = [] )
Updates the IPSet specified by the IPSet ID.
- UpdateMalwareScanSettings ( array $params = [] )
Updates the malware scan settings.
- UpdateMemberDetectors ( array $params = [] )
Contains information on member accounts to be updated.
- UpdateOrganizationConfiguration ( array $params = [] )
Updates the delegated administrator account with the values provided.
- UpdatePublishingDestination ( array $params = [] )
Updates information about the publishing destination specified by the destinationId.
- UpdateThreatIntelSet ( array $params = [] )
Updates the ThreatIntelSet specified by the ThreatIntelSet ID.
Paginators
Paginators handle automatically iterating over paginated API results. Paginators are associated with specific API operations, and they accept the parameters that the corresponding API operation accepts. You can get a paginator from a client class using getPaginator($paginatorName, $operationParameters). This client supports the following paginators:
Operations
AcceptAdministratorInvitation
$result = $client->acceptAdministratorInvitation([/* ... */]); $promise = $client->acceptAdministratorInvitationAsync([/* ... */]);
Accepts the invitation to be a member account and get monitored by a GuardDuty administrator account that sent the invitation.
Parameter Syntax
$result = $client->acceptAdministratorInvitation([
'AdministratorId' => '<string>', // REQUIRED
'DetectorId' => '<string>', // REQUIRED
'InvitationId' => '<string>', // REQUIRED
]);
Parameter Details
Members
- AdministratorId
-
- Required: Yes
- Type: string
The account ID of the GuardDuty administrator account whose invitation you're accepting.
- DetectorId
-
- Required: Yes
- Type: string
The unique ID of the detector of the GuardDuty member account.
- InvitationId
-
- Required: Yes
- Type: string
The value that is used to validate the administrator account to the member account.
Result Syntax
[]
Result Details
Errors
-
A bad request exception object.
-
An internal server error exception object.
AcceptInvitation
$result = $client->acceptInvitation([/* ... */]); $promise = $client->acceptInvitationAsync([/* ... */]);
Accepts the invitation to be monitored by a GuardDuty administrator account.
Parameter Syntax
$result = $client->acceptInvitation([
'DetectorId' => '<string>', // REQUIRED
'InvitationId' => '<string>', // REQUIRED
'MasterId' => '<string>', // REQUIRED
]);
Parameter Details
Members
- DetectorId
-
- Required: Yes
- Type: string
The unique ID of the detector of the GuardDuty member account.
- InvitationId
-
- Required: Yes
- Type: string
The value that is used to validate the administrator account to the member account.
- MasterId
-
- Required: Yes
- Type: string
The account ID of the GuardDuty administrator account whose invitation you're accepting.
Result Syntax
[]
Result Details
Errors
-
A bad request exception object.
-
An internal server error exception object.
ArchiveFindings
$result = $client->archiveFindings([/* ... */]); $promise = $client->archiveFindingsAsync([/* ... */]);
Archives GuardDuty findings that are specified by the list of finding IDs.
Only the administrator account can archive findings. Member accounts don't have permission to archive findings from their accounts.
Parameter Syntax
$result = $client->archiveFindings([
'DetectorId' => '<string>', // REQUIRED
'FindingIds' => ['<string>', ...], // REQUIRED
]);
Parameter Details
Members
Result Syntax
[]
Result Details
Errors
-
A bad request exception object.
-
An internal server error exception object.
CreateDetector
$result = $client->createDetector([/* ... */]); $promise = $client->createDetectorAsync([/* ... */]);
Creates a single Amazon GuardDuty detector. A detector is a resource that represents the GuardDuty service. To start using GuardDuty, you must create a detector in each Region where you enable the service. You can have only one detector per account per Region. All data sources are enabled in a new detector by default.
Parameter Syntax
$result = $client->createDetector([
'ClientToken' => '<string>',
'DataSources' => [
'Kubernetes' => [
'AuditLogs' => [ // REQUIRED
'Enable' => true || false, // REQUIRED
],
],
'MalwareProtection' => [
'ScanEc2InstanceWithFindings' => [
'EbsVolumes' => true || false,
],
],
'S3Logs' => [
'Enable' => true || false, // REQUIRED
],
],
'Enable' => true || false, // REQUIRED
'FindingPublishingFrequency' => 'FIFTEEN_MINUTES|ONE_HOUR|SIX_HOURS',
'Tags' => ['<string>', ...],
]);
Parameter Details
Members
- ClientToken
-
- Type: string
The idempotency token for the create request.
- DataSources
-
- Type: DataSourceConfigurations structure
Describes which data sources will be enabled for the detector.
- Enable
-
- Required: Yes
- Type: boolean
A Boolean value that specifies whether the detector is to be enabled.
- FindingPublishingFrequency
-
- Type: string
A value that specifies how frequently updated findings are exported.
- Tags
-
- Type: Associative array of custom strings keys (TagKey) to strings
The tags to be added to a new detector resource.
Result Syntax
[
'DetectorId' => '<string>',
'UnprocessedDataSources' => [
'MalwareProtection' => [
'ScanEc2InstanceWithFindings' => [
'EbsVolumes' => [
'Reason' => '<string>',
'Status' => 'ENABLED|DISABLED',
],
],
'ServiceRole' => '<string>',
],
],
]
Result Details
Members
- DetectorId
-
- Type: string
The unique ID of the created detector.
- UnprocessedDataSources
-
- Type: UnprocessedDataSourcesResult structure
Specifies the data sources that couldn't be enabled when GuardDuty was enabled for the first time.
Errors
-
A bad request exception object.
-
An internal server error exception object.
CreateFilter
$result = $client->createFilter([/* ... */]); $promise = $client->createFilterAsync([/* ... */]);
Creates a filter using the specified finding criteria.
Parameter Syntax
$result = $client->createFilter([
'Action' => 'NOOP|ARCHIVE',
'ClientToken' => '<string>',
'Description' => '<string>',
'DetectorId' => '<string>', // REQUIRED
'FindingCriteria' => [ // REQUIRED
'Criterion' => [
'<String>' => [
'Eq' => ['<string>', ...],
'Equals' => ['<string>', ...],
'GreaterThan' => <integer>,
'GreaterThanOrEqual' => <integer>,
'Gt' => <integer>,
'Gte' => <integer>,
'LessThan' => <integer>,
'LessThanOrEqual' => <integer>,
'Lt' => <integer>,
'Lte' => <integer>,
'Neq' => ['<string>', ...],
'NotEquals' => ['<string>', ...],
],
// ...
],
],
'Name' => '<string>', // REQUIRED
'Rank' => <integer>,
'Tags' => ['<string>', ...],
]);
Parameter Details
Members
- Action
-
- Type: string
Specifies the action that is to be applied to the findings that match the filter.
- ClientToken
-
- Type: string
The idempotency token for the create request.
- Description
-
- Type: string
The description of the filter.
- DetectorId
-
- Required: Yes
- Type: string
The ID of the detector belonging to the GuardDuty account that you want to create a filter for.
- FindingCriteria
-
- Required: Yes
- Type: FindingCriteria structure
Represents the criteria to be used in the filter for querying findings.
You can only use the following attributes to query findings:
-
accountId
-
region
-
confidence
-
id
-
resource.accessKeyDetails.accessKeyId
-
resource.accessKeyDetails.principalId
-
resource.accessKeyDetails.userName
-
resource.accessKeyDetails.userType
-
resource.instanceDetails.iamInstanceProfile.id
-
resource.instanceDetails.imageId
-
resource.instanceDetails.instanceId
-
resource.instanceDetails.outpostArn
-
resource.instanceDetails.networkInterfaces.ipv6Addresses
-
resource.instanceDetails.networkInterfaces.privateIpAddresses.privateIpAddress
-
resource.instanceDetails.networkInterfaces.publicDnsName
-
resource.instanceDetails.networkInterfaces.publicIp
-
resource.instanceDetails.networkInterfaces.securityGroups.groupId
-
resource.instanceDetails.networkInterfaces.securityGroups.groupName
-
resource.instanceDetails.networkInterfaces.subnetId
-
resource.instanceDetails.networkInterfaces.vpcId
-
resource.instanceDetails.tags.key
-
resource.instanceDetails.tags.value
-
resource.resourceType
-
service.action.actionType
-
service.action.awsApiCallAction.api
-
service.action.awsApiCallAction.callerType
-
service.action.awsApiCallAction.errorCode
-
service.action.awsApiCallAction.userAgent
-
service.action.awsApiCallAction.remoteIpDetails.city.cityName
-
service.action.awsApiCallAction.remoteIpDetails.country.countryName
-
service.action.awsApiCallAction.remoteIpDetails.ipAddressV4
-
service.action.awsApiCallAction.remoteIpDetails.organization.asn
-
service.action.awsApiCallAction.remoteIpDetails.organization.asnOrg
-
service.action.awsApiCallAction.serviceName
-
service.action.dnsRequestAction.domain
-
service.action.networkConnectionAction.blocked
-
service.action.networkConnectionAction.connectionDirection
-
service.action.networkConnectionAction.localPortDetails.port
-
service.action.networkConnectionAction.protocol
-
service.action.networkConnectionAction.localIpDetails.ipAddressV4
-
service.action.networkConnectionAction.remoteIpDetails.city.cityName
-
service.action.networkConnectionAction.remoteIpDetails.country.countryName
-
service.action.networkConnectionAction.remoteIpDetails.ipAddressV4
-
service.action.networkConnectionAction.remoteIpDetails.organization.asn
-
service.action.networkConnectionAction.remoteIpDetails.organization.asnOrg
-
service.action.networkConnectionAction.remotePortDetails.port
-
service.additionalInfo.threatListName
-
resource.s3BucketDetails.publicAccess.effectivePermissions
-
resource.s3BucketDetails.name
-
resource.s3BucketDetails.tags.key
-
resource.s3BucketDetails.tags.value
-
resource.s3BucketDetails.type
-
service.archived
When this attribute is set to TRUE, only archived findings are listed. When it's set to FALSE, only unarchived findings are listed. When this attribute is not set, all existing findings are listed.
-
service.resourceRole
-
severity
-
type
-
updatedAt
Type: ISO 8601 string format: YYYY-MM-DDTHH:MM:SS.SSSZ or YYYY-MM-DDTHH:MM:SSZ depending on whether the value contains milliseconds.
- Name
-
- Required: Yes
- Type: string
The name of the filter. Minimum length of 3. Maximum length of 64. Valid characters include alphanumeric characters, dot (.), underscore (_), and dash (-). Spaces are not allowed.
- Rank
-
- Type: int
Specifies the position of the filter in the list of current filters. Also specifies the order in which this filter is applied to the findings.
- Tags
-
- Type: Associative array of custom strings keys (TagKey) to strings
The tags to be added to a new filter resource.
Result Syntax
[
'Name' => '<string>',
]
Result Details
Errors
-
A bad request exception object.
-
An internal server error exception object.
CreateIPSet
$result = $client->createIPSet([/* ... */]); $promise = $client->createIPSetAsync([/* ... */]);
Creates a new IPSet, which is called a trusted IP list in the console user interface. An IPSet is a list of IP addresses that are trusted for secure communication with Amazon Web Services infrastructure and applications. GuardDuty doesn't generate findings for IP addresses that are included in IPSets. Only users from the administrator account can use this operation.
Parameter Syntax
$result = $client->createIPSet([
'Activate' => true || false, // REQUIRED
'ClientToken' => '<string>',
'DetectorId' => '<string>', // REQUIRED
'Format' => 'TXT|STIX|OTX_CSV|ALIEN_VAULT|PROOF_POINT|FIRE_EYE', // REQUIRED
'Location' => '<string>', // REQUIRED
'Name' => '<string>', // REQUIRED
'Tags' => ['<string>', ...],
]);
Parameter Details
Members
- Activate
-
- Required: Yes
- Type: boolean
A Boolean value that indicates whether GuardDuty is to start using the uploaded IPSet.
- ClientToken
-
- Type: string
The idempotency token for the create request.
- DetectorId
-
- Required: Yes
- Type: string
The unique ID of the detector of the GuardDuty account that you want to create an IPSet for.
- Format
-
- Required: Yes
- Type: string
The format of the file that contains the IPSet.
- Location
-
- Required: Yes
- Type: string
The URI of the file that contains the IPSet.
- Name
-
- Required: Yes
- Type: string
The user-friendly name to identify the IPSet.
Allowed characters are alphanumerics, spaces, hyphens (-), and underscores (_).
- Tags
-
- Type: Associative array of custom strings keys (TagKey) to strings
The tags to be added to a new IP set resource.
Result Syntax
[
'IpSetId' => '<string>',
]
Result Details
Errors
-
A bad request exception object.
-
An internal server error exception object.
CreateMembers
$result = $client->createMembers([/* ... */]); $promise = $client->createMembersAsync([/* ... */]);
Creates member accounts of the current Amazon Web Services account by specifying a list of Amazon Web Services account IDs. This step is a prerequisite for managing the associated member accounts either by invitation or through an organization.
When using Create Members as an organizations delegated administrator this action will enable GuardDuty in the added member accounts, with the exception of the organization delegated administrator account, which must enable GuardDuty prior to being added as a member.
If you are adding accounts by invitation use this action after GuardDuty has been enabled in potential member accounts and before using Invite Members .
Parameter Syntax
$result = $client->createMembers([
'AccountDetails' => [ // REQUIRED
[
'AccountId' => '<string>', // REQUIRED
'Email' => '<string>', // REQUIRED
],
// ...
],
'DetectorId' => '<string>', // REQUIRED
]);
Parameter Details
Members
- AccountDetails
-
- Required: Yes
- Type: Array of AccountDetail structures
A list of account ID and email address pairs of the accounts that you want to associate with the GuardDuty administrator account.
- DetectorId
-
- Required: Yes
- Type: string
The unique ID of the detector of the GuardDuty account that you want to associate member accounts with.
Result Syntax
[
'UnprocessedAccounts' => [
[
'AccountId' => '<string>',
'Result' => '<string>',
],
// ...
],
]
Result Details
Members
- UnprocessedAccounts
-
- Required: Yes
- Type: Array of UnprocessedAccount structures
A list of objects that include the
accountIdsof the unprocessed accounts and a result string that explains why each was unprocessed.
Errors
-
A bad request exception object.
-
An internal server error exception object.
CreatePublishingDestination
$result = $client->createPublishingDestination([/* ... */]); $promise = $client->createPublishingDestinationAsync([/* ... */]);
Creates a publishing destination to export findings to. The resource to export findings to must exist before you use this operation.
Parameter Syntax
$result = $client->createPublishingDestination([
'ClientToken' => '<string>',
'DestinationProperties' => [ // REQUIRED
'DestinationArn' => '<string>',
'KmsKeyArn' => '<string>',
],
'DestinationType' => 'S3', // REQUIRED
'DetectorId' => '<string>', // REQUIRED
]);
Parameter Details
Members
- ClientToken
-
- Type: string
The idempotency token for the request.
- DestinationProperties
-
- Required: Yes
- Type: DestinationProperties structure
The properties of the publishing destination, including the ARNs for the destination and the KMS key used for encryption.
- DestinationType
-
- Required: Yes
- Type: string
The type of resource for the publishing destination. Currently only Amazon S3 buckets are supported.
- DetectorId
-
- Required: Yes
- Type: string
The ID of the GuardDuty detector associated with the publishing destination.
Result Syntax
[
'DestinationId' => '<string>',
]
Result Details
Members
Errors
-
A bad request exception object.
-
An internal server error exception object.
CreateSampleFindings
$result = $client->createSampleFindings([/* ... */]); $promise = $client->createSampleFindingsAsync([/* ... */]);
Generates example findings of types specified by the list of finding types. If 'NULL' is specified for findingTypes, the API generates example findings of all supported finding types.
Parameter Syntax
$result = $client->createSampleFindings([
'DetectorId' => '<string>', // REQUIRED
'FindingTypes' => ['<string>', ...],
]);
Parameter Details
Members
Result Syntax
[]
Result Details
Errors
-
A bad request exception object.
-
An internal server error exception object.
CreateThreatIntelSet
$result = $client->createThreatIntelSet([/* ... */]); $promise = $client->createThreatIntelSetAsync([/* ... */]);
Creates a new ThreatIntelSet. ThreatIntelSets consist of known malicious IP addresses. GuardDuty generates findings based on ThreatIntelSets. Only users of the administrator account can use this operation.
Parameter Syntax
$result = $client->createThreatIntelSet([
'Activate' => true || false, // REQUIRED
'ClientToken' => '<string>',
'DetectorId' => '<string>', // REQUIRED
'Format' => 'TXT|STIX|OTX_CSV|ALIEN_VAULT|PROOF_POINT|FIRE_EYE', // REQUIRED
'Location' => '<string>', // REQUIRED
'Name' => '<string>', // REQUIRED
'Tags' => ['<string>', ...],
]);
Parameter Details
Members
- Activate
-
- Required: Yes
- Type: boolean
A Boolean value that indicates whether GuardDuty is to start using the uploaded ThreatIntelSet.
- ClientToken
-
- Type: string
The idempotency token for the create request.
- DetectorId
-
- Required: Yes
- Type: string
The unique ID of the detector of the GuardDuty account that you want to create a threatIntelSet for.
- Format
-
- Required: Yes
- Type: string
The format of the file that contains the ThreatIntelSet.
- Location
-
- Required: Yes
- Type: string
The URI of the file that contains the ThreatIntelSet.
- Name
-
- Required: Yes
- Type: string
A user-friendly ThreatIntelSet name displayed in all findings that are generated by activity that involves IP addresses included in this ThreatIntelSet.
- Tags
-
- Type: Associative array of custom strings keys (TagKey) to strings
The tags to be added to a new threat list resource.
Result Syntax
[
'ThreatIntelSetId' => '<string>',
]
Result Details
Errors
-
A bad request exception object.
-
An internal server error exception object.
DeclineInvitations
$result = $client->declineInvitations([/* ... */]); $promise = $client->declineInvitationsAsync([/* ... */]);
Declines invitations sent to the current member account by Amazon Web Services accounts specified by their account IDs.
Parameter Syntax
$result = $client->declineInvitations([
'AccountIds' => ['<string>', ...], // REQUIRED
]);
Parameter Details
Members
Result Syntax
[
'UnprocessedAccounts' => [
[
'AccountId' => '<string>',
'Result' => '<string>',
],
// ...
],
]
Result Details
Members
- UnprocessedAccounts
-
- Required: Yes
- Type: Array of UnprocessedAccount structures
A list of objects that contain the unprocessed account and a result string that explains why it was unprocessed.
Errors
-
A bad request exception object.
-
An internal server error exception object.
DeleteDetector
$result = $client->deleteDetector([/* ... */]); $promise = $client->deleteDetectorAsync([/* ... */]);
Deletes an Amazon GuardDuty detector that is specified by the detector ID.
Parameter Syntax
$result = $client->deleteDetector([
'DetectorId' => '<string>', // REQUIRED
]);
Parameter Details
Members
Result Syntax
[]
Result Details
Errors
-
A bad request exception object.
-
An internal server error exception object.
DeleteFilter
$result = $client->deleteFilter([/* ... */]); $promise = $client->deleteFilterAsync([/* ... */]);
Deletes the filter specified by the filter name.
Parameter Syntax
$result = $client->deleteFilter([
'DetectorId' => '<string>', // REQUIRED
'FilterName' => '<string>', // REQUIRED
]);
Parameter Details
Members
Result Syntax
[]
Result Details
Errors
-
A bad request exception object.
-
An internal server error exception object.
DeleteIPSet
$result = $client->deleteIPSet([/* ... */]); $promise = $client->deleteIPSetAsync([/* ... */]);
Deletes the IPSet specified by the ipSetId. IPSets are called trusted IP lists in the console user interface.
Parameter Syntax
$result = $client->deleteIPSet([
'DetectorId' => '<string>', // REQUIRED
'IpSetId' => '<string>', // REQUIRED
]);
Parameter Details
Members
Result Syntax
[]
Result Details
Errors
-
A bad request exception object.
-
An internal server error exception object.
DeleteInvitations
$result = $client->deleteInvitations([/* ... */]); $promise = $client->deleteInvitationsAsync([/* ... */]);
Deletes invitations sent to the current member account by Amazon Web Services accounts specified by their account IDs.
Parameter Syntax
$result = $client->deleteInvitations([
'AccountIds' => ['<string>', ...], // REQUIRED
]);
Parameter Details
Members
Result Syntax
[
'UnprocessedAccounts' => [
[
'AccountId' => '<string>',
'Result' => '<string>',
],
// ...
],
]
Result Details
Members
- UnprocessedAccounts
-
- Required: Yes
- Type: Array of UnprocessedAccount structures
A list of objects that contain the unprocessed account and a result string that explains why it was unprocessed.
Errors
-
A bad request exception object.
-
An internal server error exception object.
DeleteMembers
$result = $client->deleteMembers([/* ... */]); $promise = $client->deleteMembersAsync([/* ... */]);
Deletes GuardDuty member accounts (to the current GuardDuty administrator account) specified by the account IDs.
Parameter Syntax
$result = $client->deleteMembers([
'AccountIds' => ['<string>', ...], // REQUIRED
'DetectorId' => '<string>', // REQUIRED
]);
Parameter Details
Members
Result Syntax
[
'UnprocessedAccounts' => [
[
'AccountId' => '<string>',
'Result' => '<string>',
],
// ...
],
]
Result Details
Members
- UnprocessedAccounts
-
- Required: Yes
- Type: Array of UnprocessedAccount structures
The accounts that could not be processed.
Errors
-
A bad request exception object.
-
An internal server error exception object.
DeletePublishingDestination
$result = $client->deletePublishingDestination([/* ... */]); $promise = $client->deletePublishingDestinationAsync([/* ... */]);
Deletes the publishing definition with the specified destinationId.
Parameter Syntax
$result = $client->deletePublishingDestination([
'DestinationId' => '<string>', // REQUIRED
'DetectorId' => '<string>', // REQUIRED
]);
Parameter Details
Members
Result Syntax
[]
Result Details
Errors
-
A bad request exception object.
-
An internal server error exception object.
DeleteThreatIntelSet
$result = $client->deleteThreatIntelSet([/* ... */]); $promise = $client->deleteThreatIntelSetAsync([/* ... */]);
Deletes the ThreatIntelSet specified by the ThreatIntelSet ID.
Parameter Syntax
$result = $client->deleteThreatIntelSet([
'DetectorId' => '<string>', // REQUIRED
'ThreatIntelSetId' => '<string>', // REQUIRED
]);
Parameter Details
Members
Result Syntax
[]
Result Details
Errors
-
A bad request exception object.
-
An internal server error exception object.
DescribeMalwareScans
$result = $client->describeMalwareScans([/* ... */]); $promise = $client->describeMalwareScansAsync([/* ... */]);
Returns a list of malware scans. Each member account can view the malware scans for their own accounts. An administrator can view the malware scans for all the member accounts.
Parameter Syntax
$result = $client->describeMalwareScans([
'DetectorId' => '<string>', // REQUIRED
'FilterCriteria' => [
'FilterCriterion' => [
[
'CriterionKey' => 'EC2_INSTANCE_ARN|SCAN_ID|ACCOUNT_ID|GUARDDUTY_FINDING_ID|SCAN_START_TIME|SCAN_STATUS',
'FilterCondition' => [
'EqualsValue' => '<string>',
'GreaterThan' => <integer>,
'LessThan' => <integer>,
],
],
// ...
],
],
'MaxResults' => <integer>,
'NextToken' => '<string>',
'SortCriteria' => [
'AttributeName' => '<string>',
'OrderBy' => 'ASC|DESC',
],
]);
Parameter Details
Members
- DetectorId
-
- Required: Yes
- Type: string
The unique ID of the detector that the request is associated with.
- FilterCriteria
-
- Type: FilterCriteria structure
Represents the criteria to be used in the filter for describing scan entries.
- MaxResults
-
- Type: int
You can use this parameter to indicate the maximum number of items that you want in the response. The default value is 50. The maximum value is 50.
- NextToken
-
- Type: string
You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.
- SortCriteria
-
- Type: SortCriteria structure
Represents the criteria used for sorting scan entries.
Result Syntax
[
'NextToken' => '<string>',
'Scans' => [
[
'AccountId' => '<string>',
'AdminDetectorId' => '<string>',
'AttachedVolumes' => [
[
'DeviceName' => '<string>',
'EncryptionType' => '<string>',
'KmsKeyArn' => '<string>',
'SnapshotArn' => '<string>',
'VolumeArn' => '<string>',
'VolumeSizeInGB' => <integer>,
'VolumeType' => '<string>',
],
// ...
],
'DetectorId' => '<string>',
'FailureReason' => '<string>',
'FileCount' => <integer>,
'ResourceDetails' => [
'InstanceArn' => '<string>',
],
'ScanEndTime' => <DateTime>,
'ScanId' => '<string>',
'ScanResultDetails' => [
'ScanResult' => 'CLEAN|INFECTED',
],
'ScanStartTime' => <DateTime>,
'ScanStatus' => 'RUNNING|COMPLETED|FAILED',
'TotalBytes' => <integer>,
'TriggerDetails' => [
'Description' => '<string>',
'GuardDutyFindingId' => '<string>',
],
],
// ...
],
]
Result Details
Members
- NextToken
-
- Type: string
The pagination parameter to be used on the next list operation to retrieve more items.
- Scans
-
- Required: Yes
- Type: Array of Scan structures
Contains information about malware scans.
Errors
-
A bad request exception object.
-
An internal server error exception object.
DescribeOrganizationConfiguration
$result = $client->describeOrganizationConfiguration([/* ... */]); $promise = $client->describeOrganizationConfigurationAsync([/* ... */]);
Returns information about the account selected as the delegated administrator for GuardDuty.
Parameter Syntax
$result = $client->describeOrganizationConfiguration([
'DetectorId' => '<string>', // REQUIRED
]);
Parameter Details
Members
Result Syntax
[
'AutoEnable' => true || false,
'DataSources' => [
'Kubernetes' => [
'AuditLogs' => [
'AutoEnable' => true || false,
],
],
'MalwareProtection' => [
'ScanEc2InstanceWithFindings' => [
'EbsVolumes' => [
'AutoEnable' => true || false,
],
],
],
'S3Logs' => [
'AutoEnable' => true || false,
],
],
'MemberAccountLimitReached' => true || false,
]
Result Details
Members
- AutoEnable
-
- Required: Yes
- Type: boolean
Indicates whether GuardDuty is automatically enabled for accounts added to the organization.
- DataSources
-
- Type: OrganizationDataSourceConfigurationsResult structure
Describes which data sources are enabled automatically for member accounts.
- MemberAccountLimitReached
-
- Required: Yes
- Type: boolean
Indicates whether the maximum number of allowed member accounts are already associated with the delegated administrator account for your organization.
Errors
-
A bad request exception object.
-
An internal server error exception object.
DescribePublishingDestination
$result = $client->describePublishingDestination([/* ... */]); $promise = $client->describePublishingDestinationAsync([/* ... */]);
Returns information about the publishing destination specified by the provided destinationId.
Parameter Syntax
$result = $client->describePublishingDestination([
'DestinationId' => '<string>', // REQUIRED
'DetectorId' => '<string>', // REQUIRED
]);
Parameter Details
Members
Result Syntax
[
'DestinationId' => '<string>',
'DestinationProperties' => [
'DestinationArn' => '<string>',
'KmsKeyArn' => '<string>',
],
'DestinationType' => 'S3',
'PublishingFailureStartTimestamp' => <integer>,
'Status' => 'PENDING_VERIFICATION|PUBLISHING|UNABLE_TO_PUBLISH_FIX_DESTINATION_PROPERTY|STOPPED',
]
Result Details
Members
- DestinationId
-
- Required: Yes
- Type: string
The ID of the publishing destination.
- DestinationProperties
-
- Required: Yes
- Type: DestinationProperties structure
A
DestinationPropertiesobject that includes theDestinationArnandKmsKeyArnof the publishing destination. - DestinationType
-
- Required: Yes
- Type: string
The type of publishing destination. Currently, only Amazon S3 buckets are supported.
- PublishingFailureStartTimestamp
-
- Required: Yes
- Type: long (int|float)
The time, in epoch millisecond format, at which GuardDuty was first unable to publish findings to the destination.
- Status
-
- Required: Yes
- Type: string
The status of the publishing destination.
Errors
-
A bad request exception object.
-
An internal server error exception object.
DisableOrganizationAdminAccount
$result = $client->disableOrganizationAdminAccount([/* ... */]); $promise = $client->disableOrganizationAdminAccountAsync([/* ... */]);
Disables an Amazon Web Services account within the Organization as the GuardDuty delegated administrator.
Parameter Syntax
$result = $client->disableOrganizationAdminAccount([
'AdminAccountId' => '<string>', // REQUIRED
]);
Parameter Details
Members
Result Syntax
[]
Result Details
Errors
-
A bad request exception object.
-
An internal server error exception object.
DisassociateFromAdministratorAccount
$result = $client->disassociateFromAdministratorAccount([/* ... */]); $promise = $client->disassociateFromAdministratorAccountAsync([/* ... */]);
Disassociates the current GuardDuty member account from its administrator account.
Parameter Syntax
$result = $client->disassociateFromAdministratorAccount([
'DetectorId' => '<string>', // REQUIRED
]);
Parameter Details
Members
Result Syntax
[]
Result Details
Errors
-
A bad request exception object.
-
An internal server error exception object.
DisassociateFromMasterAccount
$result = $client->disassociateFromMasterAccount([/* ... */]); $promise = $client->disassociateFromMasterAccountAsync([/* ... */]);
Disassociates the current GuardDuty member account from its administrator account.
Parameter Syntax
$result = $client->disassociateFromMasterAccount([
'DetectorId' => '<string>', // REQUIRED
]);
Parameter Details
Members
Result Syntax
[]
Result Details
Errors
-
A bad request exception object.
-
An internal server error exception object.
DisassociateMembers
$result = $client->disassociateMembers([/* ... */]); $promise = $client->disassociateMembersAsync([/* ... */]);
Disassociates GuardDuty member accounts (to the current administrator account) specified by the account IDs.
Parameter Syntax
$result = $client->disassociateMembers([
'AccountIds' => ['<string>', ...], // REQUIRED
'DetectorId' => '<string>', // REQUIRED
]);
Parameter Details
Members
- AccountIds
-
- Required: Yes
- Type: Array of strings
A list of account IDs of the GuardDuty member accounts that you want to disassociate from the administrator account.
- DetectorId
-
- Required: Yes
- Type: string
The unique ID of the detector of the GuardDuty account whose members you want to disassociate from the administrator account.
Result Syntax
[
'UnprocessedAccounts' => [
[
'AccountId' => '<string>',
'Result' => '<string>',
],
// ...
],
]
Result Details
Members
- UnprocessedAccounts
-
- Required: Yes
- Type: Array of UnprocessedAccount structures
A list of objects that contain the unprocessed account and a result string that explains why it was unprocessed.
Errors
-
A bad request exception object.
-
An internal server error exception object.
EnableOrganizationAdminAccount
$result = $client->enableOrganizationAdminAccount([/* ... */]); $promise = $client->enableOrganizationAdminAccountAsync([/* ... */]);
Enables an Amazon Web Services account within the organization as the GuardDuty delegated administrator.
Parameter Syntax
$result = $client->enableOrganizationAdminAccount([
'AdminAccountId' => '<string>', // REQUIRED
]);
Parameter Details
Members
Result Syntax
[]
Result Details
Errors
-
A bad request exception object.
-
An internal server error exception object.
GetAdministratorAccount
$result = $client->getAdministratorAccount([/* ... */]); $promise = $client->getAdministratorAccountAsync([/* ... */]);
Provides the details for the GuardDuty administrator account associated with the current GuardDuty member account.
Parameter Syntax
$result = $client->getAdministratorAccount([
'DetectorId' => '<string>', // REQUIRED
]);
Parameter Details
Members
Result Syntax
[
'Administrator' => [
'AccountId' => '<string>',
'InvitationId' => '<string>',
'InvitedAt' => '<string>',
'RelationshipStatus' => '<string>',
],
]
Result Details
Members
- Administrator
-
- Required: Yes
- Type: Administrator structure
The administrator account details.
Errors
-
A bad request exception object.
-
An internal server error exception object.
GetDetector
$result = $client->getDetector([/* ... */]); $promise = $client->getDetectorAsync([/* ... */]);
Retrieves an Amazon GuardDuty detector specified by the detectorId.
Parameter Syntax
$result = $client->getDetector([
'DetectorId' => '<string>', // REQUIRED
]);
Parameter Details
Result Syntax
[
'CreatedAt' => '<string>',
'DataSources' => [
'CloudTrail' => [
'Status' => 'ENABLED|DISABLED',
],
'DNSLogs' => [
'Status' => 'ENABLED|DISABLED',
],
'FlowLogs' => [
'Status' => 'ENABLED|DISABLED',
],
'Kubernetes' => [
'AuditLogs' => [
'Status' => 'ENABLED|DISABLED',
],
],
'MalwareProtection' => [
'ScanEc2InstanceWithFindings' => [
'EbsVolumes' => [
'Reason' => '<string>',
'Status' => 'ENABLED|DISABLED',
],
],
'ServiceRole' => '<string>',
],
'S3Logs' => [
'Status' => 'ENABLED|DISABLED',
],
],
'FindingPublishingFrequency' => 'FIFTEEN_MINUTES|ONE_HOUR|SIX_HOURS',
'ServiceRole' => '<string>',
'Status' => 'ENABLED|DISABLED',
'Tags' => ['<string>', ...],
'UpdatedAt' => '<string>',
]
Result Details
Members
- CreatedAt
-
- Type: string
The timestamp of when the detector was created.
- DataSources
-
- Type: DataSourceConfigurationsResult structure
Describes which data sources are enabled for the detector.
- FindingPublishingFrequency
-
- Type: string
The publishing frequency of the finding.
- ServiceRole
-
- Required: Yes
- Type: string
The GuardDuty service role.
- Status
-
- Required: Yes
- Type: string
The detector status.
- Tags
-
- Type: Associative array of custom strings keys (TagKey) to strings
The tags of the detector resource.
- UpdatedAt
-
- Type: string
The last-updated timestamp for the detector.
Errors
-
A bad request exception object.
-
An internal server error exception object.
GetFilter
$result = $client->getFilter([/* ... */]); $promise = $client->getFilterAsync([/* ... */]);
Returns the details of the filter specified by the filter name.
Parameter Syntax
$result = $client->getFilter([
'DetectorId' => '<string>', // REQUIRED
'FilterName' => '<string>', // REQUIRED
]);
Parameter Details
Members
Result Syntax
[
'Action' => 'NOOP|ARCHIVE',
'Description' => '<string>',
'FindingCriteria' => [
'Criterion' => [
'<String>' => [
'Eq' => ['<string>', ...],
'Equals' => ['<string>', ...],
'GreaterThan' => <integer>,
'GreaterThanOrEqual' => <integer>,
'Gt' => <integer>,
'Gte' => <integer>,
'LessThan' => <integer>,
'LessThanOrEqual' => <integer>,
'Lt' => <integer>,
'Lte' => <integer>,
'Neq' => ['<string>', ...],
'NotEquals' => ['<string>', ...],
],
// ...
],
],
'Name' => '<string>',
'Rank' => <integer>,
'Tags' => ['<string>', ...],
]
Result Details
Members
- Action
-
- Required: Yes
- Type: string
Specifies the action that is to be applied to the findings that match the filter.
- Description
-
- Type: string
The description of the filter.
- FindingCriteria
-
- Required: Yes
- Type: FindingCriteria structure
Represents the criteria to be used in the filter for querying findings.
- Name
-
- Required: Yes
- Type: string
The name of the filter.
- Rank
-
- Type: int
Specifies the position of the filter in the list of current filters. Also specifies the order in which this filter is applied to the findings.
- Tags
-
- Type: Associative array of custom strings keys (TagKey) to strings
The tags of the filter resource.
Errors
-
A bad request exception object.
-
An internal server error exception object.
GetFindings
$result = $client->getFindings([/* ... */]); $promise = $client->getFindingsAsync([/* ... */]);
Describes Amazon GuardDuty findings specified by finding IDs.
Parameter Syntax
$result = $client->getFindings([
'DetectorId' => '<string>', // REQUIRED
'FindingIds' => ['<string>', ...], // REQUIRED
'SortCriteria' => [
'AttributeName' => '<string>',
'OrderBy' => 'ASC|DESC',
],
]);
Parameter Details
Members
- DetectorId
-
- Required: Yes
- Type: string
The ID of the detector that specifies the GuardDuty service whose findings you want to retrieve.
- FindingIds
-
- Required: Yes
- Type: Array of strings
The IDs of the findings that you want to retrieve.
- SortCriteria
-
- Type: SortCriteria structure
Represents the criteria used for sorting findings.
Result Syntax
[
'Findings' => [
[
'AccountId' => '<string>',
'Arn' => '<string>',
'Confidence' => <float>,
'CreatedAt' => '<string>',
'Description' => '<string>',
'Id' => '<string>',
'Partition' => '<string>',
'Region' => '<string>',
'Resource' => [
'AccessKeyDetails' => [
'AccessKeyId' => '<string>',
'PrincipalId' => '<string>',
'UserName' => '<string>',
'UserType' => '<string>',
],
'ContainerDetails' => [
'ContainerRuntime' => '<string>',
'Id' => '<string>',
'Image' => '<string>',
'ImagePrefix' => '<string>',
'Name' => '<string>',
'SecurityContext' => [
'Privileged' => true || false,
],
'VolumeMounts' => [
[
'MountPath' => '<string>',
'Name' => '<string>',
],
// ...
],
],
'EbsVolumeDetails' => [
'ScannedVolumeDetails' => [
[
'DeviceName' => '<string>',
'EncryptionType' => '<string>',
'KmsKeyArn' => '<string>',
'SnapshotArn' => '<string>',
'VolumeArn' => '<string>',
'VolumeSizeInGB' => <integer>,
'VolumeType' => '<string>',
],
// ...
],
'SkippedVolumeDetails' => [
[
'DeviceName' => '<string>',
'EncryptionType' => '<string>',
'KmsKeyArn' => '<string>',
'SnapshotArn' => '<string>',
'VolumeArn' => '<string>',
'VolumeSizeInGB' => <integer>,
'VolumeType' => '<string>',
],
// ...
],
],
'EcsClusterDetails' => [
'ActiveServicesCount' => <integer>,
'Arn' => '<string>',
'Name' => '<string>',
'RegisteredContainerInstancesCount' => <integer>,
'RunningTasksCount' => <integer>,
'Status' => '<string>',
'Tags' => [
[
'Key' => '<string>',
'Value' => '<string>',
],
// ...
],
'TaskDetails' => [
'Arn' => '<string>',
'Containers' => [
[
'ContainerRuntime' => '<string>',
'Id' => '<string>',
'Image' => '<string>',
'ImagePrefix' => '<string>',
'Name' => '<string>',
'SecurityContext' => [
'Privileged' => true || false,
],
'VolumeMounts' => [
[
'MountPath' => '<string>',
'Name' => '<string>',
],
// ...
],
],
// ...
],
'DefinitionArn' => '<string>',
'Group' => '<string>',
'StartedAt' => <DateTime>,
'StartedBy' => '<string>',
'Tags' => [
[
'Key' => '<string>',
'Value' => '<string>',
],
// ...
],
'TaskCreatedAt' => <DateTime>,
'Version' => '<string>',
'Volumes' => [
[
'HostPath' => [
'Path' => '<string>',
],
'Name' => '<string>',
],
// ...
],
],
],
'EksClusterDetails' => [
'Arn' => '<string>',
'CreatedAt' => <DateTime>,
'Name' => '<string>',
'Status' => '<string>',
'Tags' => [
[
'Key' => '<string>',
'Value' => '<string>',
],
// ...
],
'VpcId' => '<string>',
],
'InstanceDetails' => [
'AvailabilityZone' => '<string>',
'IamInstanceProfile' => [
'Arn' => '<string>',
'Id' => '<string>',
],
'ImageDescription' => '<string>',
'ImageId' => '<string>',
'InstanceId' => '<string>',
'InstanceState' => '<string>',
'InstanceType' => '<string>',
'LaunchTime' => '<string>',
'NetworkInterfaces' => [
[
'Ipv6Addresses' => ['<string>', ...],
'NetworkInterfaceId' => '<string>',
'PrivateDnsName' => '<string>',
'PrivateIpAddress' => '<string>',
'PrivateIpAddresses' => [
[
'PrivateDnsName' => '<string>',
'PrivateIpAddress' => '<string>',
],
// ...
],
'PublicDnsName' => '<string>',
'PublicIp' => '<string>',
'SecurityGroups' => [
[
'GroupId' => '<string>',
'GroupName' => '<string>',
],
// ...
],
'SubnetId' => '<string>',
'VpcId' => '<string>',
],
// ...
],
'OutpostArn' => '<string>',
'Platform' => '<string>',
'ProductCodes' => [
[
'Code' => '<string>',
'ProductType' => '<string>',
],
// ...
],
'Tags' => [
[
'Key' => '<string>',
'Value' => '<string>',
],
// ...
],
],
'KubernetesDetails' => [
'KubernetesUserDetails' => [
'Groups' => ['<string>', ...],
'Uid' => '<string>',
'Username' => '<string>',
],
'KubernetesWorkloadDetails' => [
'Containers' => [
[
'ContainerRuntime' => '<string>',
'Id' => '<string>',
'Image' => '<string>',
'ImagePrefix' => '<string>',
'Name' => '<string>',
'SecurityContext' => [
'Privileged' => true || false,
],
'VolumeMounts' => [
[
'MountPath' => '<string>',
'Name' => '<string>',
],
// ...
],
],
// ...
],
'HostNetwork' => true || false,
'Name' => '<string>',
'Namespace' => '<string>',
'Type' => '<string>',
'Uid' => '<string>',
'Volumes' => [
[
'HostPath' => [
'Path' => '<string>',
],
'Name' => '<string>',
],
// ...
],
],
],
'ResourceType' => '<string>',
'S3BucketDetails' => [
[
'Arn' => '<string>',
'CreatedAt' => <DateTime>,
'DefaultServerSideEncryption' => [
'EncryptionType' => '<string>',
'KmsMasterKeyArn' => '<string>',
],
'Name' => '<string>',
'Owner' => [
'Id' => '<string>',
],
'PublicAccess' => [
'EffectivePermission' => '<string>',
'PermissionConfiguration' => [
'AccountLevelPermissions' => [
'BlockPublicAccess' => [
'BlockPublicAcls' => true || false,
'BlockPublicPolicy' => true || false,
'IgnorePublicAcls' => true || false,
'RestrictPublicBuckets' => true || false,
],
],
'BucketLevelPermissions' => [
'AccessControlList' => [
'AllowsPublicReadAccess' => true || false,
'AllowsPublicWriteAccess' => true || false,
],
'BlockPublicAccess' => [
'BlockPublicAcls' => true || false,
'BlockPublicPolicy' => true || false,
'IgnorePublicAcls' => true || false,
'RestrictPublicBuckets' => true || false,
],
'BucketPolicy' => [
'AllowsPublicReadAccess' => true || false,
'AllowsPublicWriteAccess' => true || false,
],
],
],
],
'Tags' => [
[
'Key' => '<string>',
'Value' => '<string>',
],
// ...
],
'Type' => '<string>',
],
// ...
],
],
'SchemaVersion' => '<string>',
'Service' => [
'Action' => [
'ActionType' => '<string>',
'AwsApiCallAction' => [
'AffectedResources' => ['<string>', ...],
'Api' => '<string>',
'CallerType' => '<string>',
'DomainDetails' => [
'Domain' => '<string>',
],
'ErrorCode' => '<string>',
'RemoteAccountDetails' => [
'AccountId' => '<string>',
'Affiliated' => true || false,
],
'RemoteIpDetails' => [
'City' => [
'CityName' => '<string>',
],
'Country' => [
'CountryCode' => '<string>',
'CountryName' => '<string>',
],
'GeoLocation' => [
'Lat' => <float>,
'Lon' => <float>,
],
'IpAddressV4' => '<string>',
'Organization' => [
'Asn' => '<string>',
'AsnOrg' => '<string>',
'Isp' => '<string>',
'Org' => '<string>',
],
],
'ServiceName' => '<string>',
'UserAgent' => '<string>',
],
'DnsRequestAction' => [
'Blocked' => true || false,
'Domain' => '<string>',
'Protocol' => '<string>',
],
'KubernetesApiCallAction' => [
'Parameters' => '<string>',
'RemoteIpDetails' => [
'City' => [
'CityName' => '<string>',
],
'Country' => [
'CountryCode' => '<string>',
'CountryName' => '<string>',
],
'GeoLocation' => [
'Lat' => <float>,
'Lon' => <float>,
],
'IpAddressV4' => '<string>',
'Organization' => [
'Asn' => '<string>',
'AsnOrg' => '<string>',
'Isp' => '<string>',
'Org' => '<string>',
],
],
'RequestUri' => '<string>',
'SourceIps' => ['<string>', ...],
'StatusCode' => <integer>,
'UserAgent' => '<string>',
'Verb' => '<string>',
],
'NetworkConnectionAction' => [
'Blocked' => true || false,
'ConnectionDirection' => '<string>',
'LocalIpDetails' => [
'IpAddressV4' => '<string>',
],
'LocalPortDetails' => [
'Port' => <integer>,
'PortName' => '<string>',
],
'Protocol' => '<string>',
'RemoteIpDetails' => [
'City' => [
'CityName' => '<string>',
],
'Country' => [
'CountryCode' => '<string>',
'CountryName' => '<string>',
],
'GeoLocation' => [
'Lat' => <float>,
'Lon' => <float>,
],
'IpAddressV4' => '<string>',
'Organization' => [
'Asn' => '<string>',
'AsnOrg' => '<string>',
'Isp' => '<string>',
'Org' => '<string>',
],
],
'RemotePortDetails' => [
'Port' => <integer>,
'PortName' => '<string>',
],
],
'PortProbeAction' => [
'Blocked' => true || false,
'PortProbeDetails' => [
[
'LocalIpDetails' => [
'IpAddressV4' => '<string>',
],
'LocalPortDetails' => [
'Port' => <integer>,
'PortName' => '<string>',
],
'RemoteIpDetails' => [
'City' => [
'CityName' => '<string>',
],
'Country' => [
'CountryCode' => '<string>',
'CountryName' => '<string>',
],
'GeoLocation' => [
'Lat' => <float>,
'Lon' => <float>,
],
'IpAddressV4' => '<string>',
'Organization' => [
'Asn' => '<string>',
'AsnOrg' => '<string>',
'Isp' => '<string>',
'Org' => '<string>',
],
],
],
// ...
],
],
],
'AdditionalInfo' => [
'Type' => '<string>',
'Value' => '<string>',
],
'Archived' => true || false,
'Count' => <integer>,
'DetectorId' => '<string>',
'EbsVolumeScanDetails' => [
'ScanCompletedAt' => <DateTime>,
'ScanDetections' => [
'HighestSeverityThreatDetails' => [
'Count' => <integer>,
'Severity' => '<string>',
'ThreatName' => '<string>',
],
'ScannedItemCount' => [
'Files' => <integer>,
'TotalGb' => <integer>,
'Volumes' => <integer>,
],
'ThreatDetectedByName' => [
'ItemCount' => <integer>,
'Shortened' => true || false,
'ThreatNames' => [
[
'FilePaths' => [
[
'FileName' => '<string>',
'FilePath' => '<string>',
'Hash' => '<string>',
'VolumeArn' => '<string>',
],
// ...
],
'ItemCount' => <integer>,
'Name' => '<string>',
'Severity' => '<string>',
],
// ...
],
'UniqueThreatNameCount' => <integer>,
],
'ThreatsDetectedItemCount' => [
'Files' => <integer>,
],
],
'ScanId' => '<string>',
'ScanStartedAt' => <DateTime>,
'Sources' => ['<string>', ...],
'TriggerFindingId' => '<string>',
],
'EventFirstSeen' => '<string>',
'EventLastSeen' => '<string>',
'Evidence' => [
'ThreatIntelligenceDetails' => [
[
'ThreatListName' => '<string>',
'ThreatNames' => ['<string>', ...],
],
// ...
],
],
'FeatureName' => '<string>',
'ResourceRole' => '<string>',
'ServiceName' => '<string>',
'UserFeedback' => '<string>',
],
'Severity' => <float>,
'Title' => '<string>',
'Type' => '<string>',
'UpdatedAt' => '<string>',
],
// ...
],
]
Result Details
Members
- Findings
-
- Required: Yes
- Type: Array of Finding structures
A list of findings.
Errors
-
A bad request exception object.
-
An internal server error exception object.
GetFindingsStatistics
$result = $client->getFindingsStatistics([/* ... */]); $promise = $client->getFindingsStatisticsAsync([/* ... */]);
Lists Amazon GuardDuty findings statistics for the specified detector ID.
Parameter Syntax
$result = $client->getFindingsStatistics([
'DetectorId' => '<string>', // REQUIRED
'FindingCriteria' => [
'Criterion' => [
'<String>' => [
'Eq' => ['<string>', ...],
'Equals' => ['<string>', ...],
'GreaterThan' => <integer>,
'GreaterThanOrEqual' => <integer>,
'Gt' => <integer>,
'Gte' => <integer>,
'LessThan' => <integer>,
'LessThanOrEqual' => <integer>,
'Lt' => <integer>,
'Lte' => <integer>,
'Neq' => ['<string>', ...],
'NotEquals' => ['<string>', ...],
],
// ...
],
],
'FindingStatisticTypes' => ['<string>', ...], // REQUIRED
]);
Parameter Details
Members
- DetectorId
-
- Required: Yes
- Type: string
The ID of the detector that specifies the GuardDuty service whose findings' statistics you want to retrieve.
- FindingCriteria
-
- Type: FindingCriteria structure
Represents the criteria that is used for querying findings.
- FindingStatisticTypes
-
- Required: Yes
- Type: Array of strings
The types of finding statistics to retrieve.
Result Syntax
[
'FindingStatistics' => [
'CountBySeverity' => [<integer>, ...],
],
]
Result Details
Members
- FindingStatistics
-
- Required: Yes
- Type: FindingStatistics structure
The finding statistics object.
Errors
-
A bad request exception object.
-
An internal server error exception object.
GetIPSet
$result = $client->getIPSet([/* ... */]); $promise = $client->getIPSetAsync([/* ... */]);
Retrieves the IPSet specified by the ipSetId.
Parameter Syntax
$result = $client->getIPSet([
'DetectorId' => '<string>', // REQUIRED
'IpSetId' => '<string>', // REQUIRED
]);
Parameter Details
Members
Result Syntax
[
'Format' => 'TXT|STIX|OTX_CSV|ALIEN_VAULT|PROOF_POINT|FIRE_EYE',
'Location' => '<string>',
'Name' => '<string>',
'Status' => 'INACTIVE|ACTIVATING|ACTIVE|DEACTIVATING|ERROR|DELETE_PENDING|DELETED',
'Tags' => ['<string>', ...],
]
Result Details
Members
- Format
-
- Required: Yes
- Type: string
The format of the file that contains the IPSet.
- Location
-
- Required: Yes
- Type: string
The URI of the file that contains the IPSet.
- Name
-
- Required: Yes
- Type: string
The user-friendly name for the IPSet.
- Status
-
- Required: Yes
- Type: string
The status of IPSet file that was uploaded.
- Tags
-
- Type: Associative array of custom strings keys (TagKey) to strings
The tags of the IPSet resource.
Errors
-
A bad request exception object.
-
An internal server error exception object.
GetInvitationsCount
$result = $client->getInvitationsCount([/* ... */]); $promise = $client->getInvitationsCountAsync([/* ... */]);
Returns the count of all GuardDuty membership invitations that were sent to the current member account except the currently accepted invitation.
Parameter Syntax
$result = $client->getInvitationsCount([ ]);
Parameter Details
Members
Result Syntax
[
'InvitationsCount' => <integer>,
]
Result Details
Errors
-
A bad request exception object.
-
An internal server error exception object.
GetMalwareScanSettings
$result = $client->getMalwareScanSettings([/* ... */]); $promise = $client->getMalwareScanSettingsAsync([/* ... */]);
Returns the details of the malware scan settings.
Parameter Syntax
$result = $client->getMalwareScanSettings([
'DetectorId' => '<string>', // REQUIRED
]);
Parameter Details
Members
Result Syntax
[
'EbsSnapshotPreservation' => 'NO_RETENTION|RETENTION_WITH_FINDING',
'ScanResourceCriteria' => [
'Exclude' => [
'<ScanCriterionKey>' => [
'MapEquals' => [
[
'Key' => '<string>',
'Value' => '<string>',
],
// ...
],
],
// ...
],
'Include' => [
'<ScanCriterionKey>' => [
'MapEquals' => [
[
'Key' => '<string>',
'Value' => '<string>',
],
// ...
],
],
// ...
],
],
]
Result Details
Members
- EbsSnapshotPreservation
-
- Type: string
An enum value representing possible snapshot preservation settings.
- ScanResourceCriteria
-
- Type: ScanResourceCriteria structure
Represents the criteria to be used in the filter for scanning resources.
Errors
-
A bad request exception object.
-
An internal server error exception object.
GetMasterAccount
$result = $client->getMasterAccount([/* ... */]); $promise = $client->getMasterAccountAsync([/* ... */]);
Provides the details for the GuardDuty administrator account associated with the current GuardDuty member account.
Parameter Syntax
$result = $client->getMasterAccount([
'DetectorId' => '<string>', // REQUIRED
]);
Parameter Details
Members
Result Syntax
[
'Master' => [
'AccountId' => '<string>',
'InvitationId' => '<string>',
'InvitedAt' => '<string>',
'RelationshipStatus' => '<string>',
],
]
Result Details
Members
- Master
-
- Required: Yes
- Type: Master structure
The administrator account details.
Errors
-
A bad request exception object.
-
An internal server error exception object.
GetMemberDetectors
$result = $client->getMemberDetectors([/* ... */]); $promise = $client->getMemberDetectorsAsync([/* ... */]);
Describes which data sources are enabled for the member account's detector.
Parameter Syntax
$result = $client->getMemberDetectors([
'AccountIds' => ['<string>', ...], // REQUIRED
'DetectorId' => '<string>', // REQUIRED
]);
Parameter Details
Members
Result Syntax
[
'MemberDataSourceConfigurations' => [
[
'AccountId' => '<string>',
'DataSources' => [
'CloudTrail' => [
'Status' => 'ENABLED|DISABLED',
],
'DNSLogs' => [
'Status' => 'ENABLED|DISABLED',
],
'FlowLogs' => [
'Status' => 'ENABLED|DISABLED',
],
'Kubernetes' => [
'AuditLogs' => [
'Status' => 'ENABLED|DISABLED',
],
],
'MalwareProtection' => [
'ScanEc2InstanceWithFindings' => [
'EbsVolumes' => [
'Reason' => '<string>',
'Status' => 'ENABLED|DISABLED',
],
],
'ServiceRole' => '<string>',
],
'S3Logs' => [
'Status' => 'ENABLED|DISABLED',
],
],
],
// ...
],
'UnprocessedAccounts' => [
[
'AccountId' => '<string>',
'Result' => '<string>',
],
// ...
],
]
Result Details
Members
- MemberDataSourceConfigurations
-
- Required: Yes
- Type: Array of MemberDataSourceConfiguration structures
An object that describes which data sources are enabled for a member account.
- UnprocessedAccounts
-
- Required: Yes
- Type: Array of UnprocessedAccount structures
A list of member account IDs that were unable to be processed along with an explanation for why they were not processed.
Errors
-
A bad request exception object.
-
An internal server error exception object.
GetMembers
$result = $client->getMembers([/* ... */]); $promise = $client->getMembersAsync([/* ... */]);
Retrieves GuardDuty member accounts (of the current GuardDuty administrator account) specified by the account IDs.
Parameter Syntax
$result = $client->getMembers([
'AccountIds' => ['<string>', ...], // REQUIRED
'DetectorId' => '<string>', // REQUIRED
]);
Parameter Details
Members
Result Syntax
[
'Members' => [
[
'AccountId' => '<string>',
'AdministratorId' => '<string>',
'DetectorId' => '<string>',
'Email' => '<string>',
'InvitedAt' => '<string>',
'MasterId' => '<string>',
'RelationshipStatus' => '<string>',
'UpdatedAt' => '<string>',
],
// ...
],
'UnprocessedAccounts' => [
[
'AccountId' => '<string>',
'Result' => '<string>',
],
// ...
],
]
Result Details
Members
- Members
-
- Required: Yes
- Type: Array of Member structures
A list of members.
- UnprocessedAccounts
-
- Required: Yes
- Type: Array of UnprocessedAccount structures
A list of objects that contain the unprocessed account and a result string that explains why it was unprocessed.
Errors
-
A bad request exception object.
-
An internal server error exception object.
GetRemainingFreeTrialDays
$result = $client->getRemainingFreeTrialDays([/* ... */]); $promise = $client->getRemainingFreeTrialDaysAsync([/* ... */]);
Provides the number of days left for each data source used in the free trial period.
Parameter Syntax
$result = $client->getRemainingFreeTrialDays([
'AccountIds' => ['<string>', ...],
'DetectorId' => '<string>', // REQUIRED
]);
Parameter Details
Members
Result Syntax
[
'Accounts' => [
[
'AccountId' => '<string>',
'DataSources' => [
'CloudTrail' => [
'FreeTrialDaysRemaining' => <integer>,
],
'DnsLogs' => [
'FreeTrialDaysRemaining' => <integer>,
],
'FlowLogs' => [
'FreeTrialDaysRemaining' => <integer>,
],
'Kubernetes' => [
'AuditLogs' => [
'FreeTrialDaysRemaining' => <integer>,
],
],
'MalwareProtection' => [
'ScanEc2InstanceWithFindings' => [
'FreeTrialDaysRemaining' => <integer>,
],
],
'S3Logs' => [
'FreeTrialDaysRemaining' => <integer>,
],
],
],
// ...
],
'UnprocessedAccounts' => [
[
'AccountId' => '<string>',
'Result' => '<string>',
],
// ...
],
]
Result Details
Members
- Accounts
-
- Type: Array of AccountFreeTrialInfo structures
The member accounts which were included in a request and were processed successfully.
- UnprocessedAccounts
-
- Type: Array of UnprocessedAccount structures
The member account that was included in a request but for which the request could not be processed.
Errors
-
A bad request exception object.
-
An internal server error exception object.
GetThreatIntelSet
$result = $client->getThreatIntelSet([/* ... */]); $promise = $client->getThreatIntelSetAsync([/* ... */]);
Retrieves the ThreatIntelSet that is specified by the ThreatIntelSet ID.
Parameter Syntax
$result = $client->getThreatIntelSet([
'DetectorId' => '<string>', // REQUIRED
'ThreatIntelSetId' => '<string>', // REQUIRED
]);
Parameter Details
Members
Result Syntax
[
'Format' => 'TXT|STIX|OTX_CSV|ALIEN_VAULT|PROOF_POINT|FIRE_EYE',
'Location' => '<string>',
'Name' => '<string>',
'Status' => 'INACTIVE|ACTIVATING|ACTIVE|DEACTIVATING|ERROR|DELETE_PENDING|DELETED',
'Tags' => ['<string>', ...],
]
Result Details
Members
- Format
-
- Required: Yes
- Type: string
The format of the threatIntelSet.
- Location
-
- Required: Yes
- Type: string
The URI of the file that contains the ThreatIntelSet.
- Name
-
- Required: Yes
- Type: string
A user-friendly ThreatIntelSet name displayed in all findings that are generated by activity that involves IP addresses included in this ThreatIntelSet.
- Status
-
- Required: Yes
- Type: string
The status of threatIntelSet file uploaded.
- Tags
-
- Type: Associative array of custom strings keys (TagKey) to strings
The tags of the threat list resource.
Errors
-
A bad request exception object.
-
An internal server error exception object.
GetUsageStatistics
$result = $client->getUsageStatistics([/* ... */]); $promise = $client->getUsageStatisticsAsync([/* ... */]);
Lists Amazon GuardDuty usage statistics over the last 30 days for the specified detector ID. For newly enabled detectors or data sources, the cost returned will include only the usage so far under 30 days. This may differ from the cost metrics in the console, which project usage over 30 days to provide a monthly cost estimate. For more information, see Understanding How Usage Costs are Calculated.
Parameter Syntax
$result = $client->getUsageStatistics([
'DetectorId' => '<string>', // REQUIRED
'MaxResults' => <integer>,
'NextToken' => '<string>',
'Unit' => '<string>',
'UsageCriteria' => [ // REQUIRED
'AccountIds' => ['<string>', ...],
'DataSources' => ['<string>', ...], // REQUIRED
'Resources' => ['<string>', ...],
],
'UsageStatisticType' => 'SUM_BY_ACCOUNT|SUM_BY_DATA_SOURCE|SUM_BY_RESOURCE|TOP_RESOURCES', // REQUIRED
]);
Parameter Details
Members
- DetectorId
-
- Required: Yes
- Type: string
The ID of the detector that specifies the GuardDuty service whose usage statistics you want to retrieve.
- MaxResults
-
- Type: int
The maximum number of results to return in the response.
- NextToken
-
- Type: string
A token to use for paginating results that are returned in the response. Set the value of this parameter to null for the first request to a list action. For subsequent calls, use the NextToken value returned from the previous request to continue listing results after the first page.
- Unit
-
- Type: string
The currency unit you would like to view your usage statistics in. Current valid values are USD.
- UsageCriteria
-
- Required: Yes
- Type: UsageCriteria structure
Represents the criteria used for querying usage.
- UsageStatisticType
-
- Required: Yes
- Type: string
The type of usage statistics to retrieve.
Result Syntax
[
'NextToken' => '<string>',
'UsageStatistics' => [
'SumByAccount' => [
[
'AccountId' => '<string>',
'Total' => [
'Amount' => '<string>',
'Unit' => '<string>',
],
],
// ...
],
'SumByDataSource' => [
[
'DataSource' => 'FLOW_LOGS|CLOUD_TRAIL|DNS_LOGS|S3_LOGS|KUBERNETES_AUDIT_LOGS|EC2_MALWARE_SCAN',
'Total' => [
'Amount' => '<string>',
'Unit' => '<string>',
],
],
// ...
],
'SumByResource' => [
[
'Resource' => '<string>',
'Total' => [
'Amount' => '<string>',
'Unit' => '<string>',
],
],
// ...
],
'TopResources' => [
[
'Resource' => '<string>',
'Total' => [
'Amount' => '<string>',
'Unit' => '<string>',
],
],
// ...
],
],
]
Result Details
Members
- NextToken
-
- Type: string
The pagination parameter to be used on the next list operation to retrieve more items.
- UsageStatistics
-
- Type: UsageStatistics structure
The usage statistics object. If a UsageStatisticType was provided, the objects representing other types will be null.
Errors
-
A bad request exception object.
-
An internal server error exception object.
InviteMembers
$result = $client->inviteMembers([/* ... */]); $promise = $client->inviteMembersAsync([/* ... */]);
Invites other Amazon Web Services accounts (created as members of the current Amazon Web Services account by CreateMembers) to enable GuardDuty, and allow the current Amazon Web Services account to view and manage these accounts' findings on their behalf as the GuardDuty administrator account.
Parameter Syntax
$result = $client->inviteMembers([
'AccountIds' => ['<string>', ...], // REQUIRED
'DetectorId' => '<string>', // REQUIRED
'DisableEmailNotification' => true || false,
'Message' => '<string>',
]);
Parameter Details
Members
- AccountIds
-
- Required: Yes
- Type: Array of strings
A list of account IDs of the accounts that you want to invite to GuardDuty as members.
- DetectorId
-
- Required: Yes
- Type: string
The unique ID of the detector of the GuardDuty account that you want to invite members with.
- DisableEmailNotification
-
- Type: boolean
A Boolean value that specifies whether you want to disable email notification to the accounts that you are inviting to GuardDuty as members.
- Message
-
- Type: string
The invitation message that you want to send to the accounts that you're inviting to GuardDuty as members.
Result Syntax
[
'UnprocessedAccounts' => [
[
'AccountId' => '<string>',
'Result' => '<string>',
],
// ...
],
]
Result Details
Members
- UnprocessedAccounts
-
- Required: Yes
- Type: Array of UnprocessedAccount structures
A list of objects that contain the unprocessed account and a result string that explains why it was unprocessed.
Errors
-
A bad request exception object.
-
An internal server error exception object.
ListDetectors
$result = $client->listDetectors([/* ... */]); $promise = $client->listDetectorsAsync([/* ... */]);
Lists detectorIds of all the existing Amazon GuardDuty detector resources.
Parameter Syntax
$result = $client->listDetectors([
'MaxResults' => <integer>,
'NextToken' => '<string>',
]);
Parameter Details
Members
- MaxResults
-
- Type: int
You can use this parameter to indicate the maximum number of items that you want in the response. The default value is 50. The maximum value is 50.
- NextToken
-
- Type: string
You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.
Result Syntax
[
'DetectorIds' => ['<string>', ...],
'NextToken' => '<string>',
]
Result Details
Members
Errors
-
A bad request exception object.
-
An internal server error exception object.
ListFilters
$result = $client->listFilters([/* ... */]); $promise = $client->listFiltersAsync([/* ... */]);
Returns a paginated list of the current filters.
Parameter Syntax
$result = $client->listFilters([
'DetectorId' => '<string>', // REQUIRED
'MaxResults' => <integer>,
'NextToken' => '<string>',
]);
Parameter Details
Members
- DetectorId
-
- Required: Yes
- Type: string
The unique ID of the detector that the filter is associated with.
- MaxResults
-
- Type: int
You can use this parameter to indicate the maximum number of items that you want in the response. The default value is 50. The maximum value is 50.
- NextToken
-
- Type: string
You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.
Result Syntax
[
'FilterNames' => ['<string>', ...],
'NextToken' => '<string>',
]
Result Details
Members
Errors
-
A bad request exception object.
-
An internal server error exception object.
ListFindings
$result = $client->listFindings([/* ... */]); $promise = $client->listFindingsAsync([/* ... */]);
Lists Amazon GuardDuty findings for the specified detector ID.
Parameter Syntax
$result = $client->listFindings([
'DetectorId' => '<string>', // REQUIRED
'FindingCriteria' => [
'Criterion' => [
'<String>' => [
'Eq' => ['<string>', ...],
'Equals' => ['<string>', ...],
'GreaterThan' => <integer>,
'GreaterThanOrEqual' => <integer>,
'Gt' => <integer>,
'Gte' => <integer>,
'LessThan' => <integer>,
'LessThanOrEqual' => <integer>,
'Lt' => <integer>,
'Lte' => <integer>,
'Neq' => ['<string>', ...],
'NotEquals' => ['<string>', ...],
],
// ...
],
],
'MaxResults' => <integer>,
'NextToken' => '<string>',
'SortCriteria' => [
'AttributeName' => '<string>',
'OrderBy' => 'ASC|DESC',
],
]);
Parameter Details
Members
- DetectorId
-
- Required: Yes
- Type: string
The ID of the detector that specifies the GuardDuty service whose findings you want to list.
- FindingCriteria
-
- Type: FindingCriteria structure
Represents the criteria used for querying findings. Valid values include:
-
JSON field name
-
accountId
-
region
-
confidence
-
id
-
resource.accessKeyDetails.accessKeyId
-
resource.accessKeyDetails.principalId
-
resource.accessKeyDetails.userName
-
resource.accessKeyDetails.userType
-
resource.instanceDetails.iamInstanceProfile.id
-
resource.instanceDetails.imageId
-
resource.instanceDetails.instanceId
-
resource.instanceDetails.networkInterfaces.ipv6Addresses
-
resource.instanceDetails.networkInterfaces.privateIpAddresses.privateIpAddress
-
resource.instanceDetails.networkInterfaces.publicDnsName
-
resource.instanceDetails.networkInterfaces.publicIp
-
resource.instanceDetails.networkInterfaces.securityGroups.groupId
-
resource.instanceDetails.networkInterfaces.securityGroups.groupName
-
resource.instanceDetails.networkInterfaces.subnetId
-
resource.instanceDetails.networkInterfaces.vpcId
-
resource.instanceDetails.tags.key
-
resource.instanceDetails.tags.value
-
resource.resourceType
-
service.action.actionType
-
service.action.awsApiCallAction.api
-
service.action.awsApiCallAction.callerType
-
service.action.awsApiCallAction.remoteIpDetails.city.cityName
-
service.action.awsApiCallAction.remoteIpDetails.country.countryName
-
service.action.awsApiCallAction.remoteIpDetails.ipAddressV4
-
service.action.awsApiCallAction.remoteIpDetails.organization.asn
-
service.action.awsApiCallAction.remoteIpDetails.organization.asnOrg
-
service.action.awsApiCallAction.serviceName
-
service.action.dnsRequestAction.domain
-
service.action.networkConnectionAction.blocked
-
service.action.networkConnectionAction.connectionDirection
-
service.action.networkConnectionAction.localPortDetails.port
-
service.action.networkConnectionAction.protocol
-
service.action.networkConnectionAction.remoteIpDetails.country.countryName
-
service.action.networkConnectionAction.remoteIpDetails.ipAddressV4
-
service.action.networkConnectionAction.remoteIpDetails.organization.asn
-
service.action.networkConnectionAction.remoteIpDetails.organization.asnOrg
-
service.action.networkConnectionAction.remotePortDetails.port
-
service.additionalInfo.threatListName
-
service.archived
When this attribute is set to 'true', only archived findings are listed. When it's set to 'false', only unarchived findings are listed. When this attribute is not set, all existing findings are listed.
-
service.resourceRole
-
severity
-
type
-
updatedAt
Type: Timestamp in Unix Epoch millisecond format: 1486685375000
- MaxResults
-
- Type: int
You can use this parameter to indicate the maximum number of items you want in the response. The default value is 50. The maximum value is 50.
- NextToken
-
- Type: string
You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.
- SortCriteria
-
- Type: SortCriteria structure
Represents the criteria used for sorting findings.
Result Syntax
[
'FindingIds' => ['<string>', ...],
'NextToken' => '<string>',
]
Result Details
Members
Errors
-
A bad request exception object.
-
An internal server error exception object.
ListIPSets
$result = $client->listIPSets([/* ... */]); $promise = $client->listIPSetsAsync([/* ... */]);
Lists the IPSets of the GuardDuty service specified by the detector ID. If you use this operation from a member account, the IPSets returned are the IPSets from the associated administrator account.
Parameter Syntax
$result = $client->listIPSets([
'DetectorId' => '<string>', // REQUIRED
'MaxResults' => <integer>,
'NextToken' => '<string>',
]);
Parameter Details
Members
- DetectorId
-
- Required: Yes
- Type: string
The unique ID of the detector that the IPSet is associated with.
- MaxResults
-
- Type: int
You can use this parameter to indicate the maximum number of items you want in the response. The default value is 50. The maximum value is 50.
- NextToken
-
- Type: string
You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.
Result Syntax
[
'IpSetIds' => ['<string>', ...],
'NextToken' => '<string>',
]
Result Details
Members
Errors
-
A bad request exception object.
-
An internal server error exception object.
ListInvitations
$result = $client->listInvitations([/* ... */]); $promise = $client->listInvitationsAsync([/* ... */]);
Lists all GuardDuty membership invitations that were sent to the current Amazon Web Services account.
Parameter Syntax
$result = $client->listInvitations([
'MaxResults' => <integer>,
'NextToken' => '<string>',
]);
Parameter Details
Members
- MaxResults
-
- Type: int
You can use this parameter to indicate the maximum number of items that you want in the response. The default value is 50. The maximum value is 50.
- NextToken
-
- Type: string
You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.
Result Syntax
[
'Invitations' => [
[
'AccountId' => '<string>',
'InvitationId' => '<string>',
'InvitedAt' => '<string>',
'RelationshipStatus' => '<string>',
],
// ...
],
'NextToken' => '<string>',
]
Result Details
Members
- Invitations
-
- Type: Array of Invitation structures
A list of invitation descriptions.
- NextToken
-
- Type: string
The pagination parameter to be used on the next list operation to retrieve more items.
Errors
-
A bad request exception object.
-
An internal server error exception object.
ListMembers
$result = $client->listMembers([/* ... */]); $promise = $client->listMembersAsync([/* ... */]);
Lists details about all member accounts for the current GuardDuty administrator account.
Parameter Syntax
$result = $client->listMembers([
'DetectorId' => '<string>', // REQUIRED
'MaxResults' => <integer>,
'NextToken' => '<string>',
'OnlyAssociated' => '<string>',
]);
Parameter Details
Members
- DetectorId
-
- Required: Yes
- Type: string
The unique ID of the detector the member is associated with.
- MaxResults
-
- Type: int
You can use this parameter to indicate the maximum number of items you want in the response. The default value is 50. The maximum value is 50.
- NextToken
-
- Type: string
You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.
- OnlyAssociated
-
- Type: string
Specifies whether to only return associated members or to return all members (including members who haven't been invited yet or have been disassociated). Member accounts must have been previously associated with the GuardDuty administrator account using
Create Members.
Result Syntax
[
'Members' => [
[
'AccountId' => '<string>',
'AdministratorId' => '<string>',
'DetectorId' => '<string>',
'Email' => '<string>',
'InvitedAt' => '<string>',
'MasterId' => '<string>',
'RelationshipStatus' => '<string>',
'UpdatedAt' => '<string>',
],
// ...
],
'NextToken' => '<string>',
]
Result Details
Members
- Members
-
- Type: Array of Member structures
A list of members.
- NextToken
-
- Type: string
The pagination parameter to be used on the next list operation to retrieve more items.
Errors
-
A bad request exception object.
-
An internal server error exception object.
ListOrganizationAdminAccounts
$result = $client->listOrganizationAdminAccounts([/* ... */]); $promise = $client->listOrganizationAdminAccountsAsync([/* ... */]);
Lists the accounts configured as GuardDuty delegated administrators.
Parameter Syntax
$result = $client->listOrganizationAdminAccounts([
'MaxResults' => <integer>,
'NextToken' => '<string>',
]);
Parameter Details
Members
- MaxResults
-
- Type: int
The maximum number of results to return in the response.
- NextToken
-
- Type: string
A token to use for paginating results that are returned in the response. Set the value of this parameter to null for the first request to a list action. For subsequent calls, use the
NextTokenvalue returned from the previous request to continue listing results after the first page.
Result Syntax
[
'AdminAccounts' => [
[
'AdminAccountId' => '<string>',
'AdminStatus' => 'ENABLED|DISABLE_IN_PROGRESS',
],
// ...
],
'NextToken' => '<string>',
]
Result Details
Members
- AdminAccounts
-
- Type: Array of AdminAccount structures
A list of accounts configured as GuardDuty delegated administrators.
- NextToken
-
- Type: string
The pagination parameter to be used on the next list operation to retrieve more items.
Errors
-
A bad request exception object.
-
An internal server error exception object.
ListPublishingDestinations
$result = $client->listPublishingDestinations([/* ... */]); $promise = $client->listPublishingDestinationsAsync([/* ... */]);
Returns a list of publishing destinations associated with the specified detectorId.
Parameter Syntax
$result = $client->listPublishingDestinations([
'DetectorId' => '<string>', // REQUIRED
'MaxResults' => <integer>,
'NextToken' => '<string>',
]);
Parameter Details
Members
- DetectorId
-
- Required: Yes
- Type: string
The ID of the detector to retrieve publishing destinations for.
- MaxResults
-
- Type: int
The maximum number of results to return in the response.
- NextToken
-
- Type: string
A token to use for paginating results that are returned in the response. Set the value of this parameter to null for the first request to a list action. For subsequent calls, use the
NextTokenvalue returned from the previous request to continue listing results after the first page.
Result Syntax
[
'Destinations' => [
[
'DestinationId' => '<string>',
'DestinationType' => 'S3',
'Status' => 'PENDING_VERIFICATION|PUBLISHING|UNABLE_TO_PUBLISH_FIX_DESTINATION_PROPERTY|STOPPED',
],
// ...
],
'NextToken' => '<string>',
]
Result Details
Members
- Destinations
-
- Required: Yes
- Type: Array of Destination structures
A
Destinationsobject that includes information about each publishing destination returned. - NextToken
-
- Type: string
A token to use for paginating results that are returned in the response. Set the value of this parameter to null for the first request to a list action. For subsequent calls, use the
NextTokenvalue returned from the previous request to continue listing results after the first page.
Errors
-
A bad request exception object.
-
An internal server error exception object.
ListTagsForResource
$result = $client->listTagsForResource([/* ... */]); $promise = $client->listTagsForResourceAsync([/* ... */]);
Lists tags for a resource. Tagging is currently supported for detectors, finding filters, IP sets, and threat intel sets, with a limit of 50 tags per resource. When invoked, this operation returns all assigned tags for a given resource.
Parameter Syntax
$result = $client->listTagsForResource([
'ResourceArn' => '<string>', // REQUIRED
]);
Parameter Details
Members
Result Syntax
[
'Tags' => ['<string>', ...],
]
Result Details
Members
Errors
-
A bad request exception object.
-
An internal server error exception object.
ListThreatIntelSets
$result = $client->listThreatIntelSets([/* ... */]); $promise = $client->listThreatIntelSetsAsync([/* ... */]);
Lists the ThreatIntelSets of the GuardDuty service specified by the detector ID. If you use this operation from a member account, the ThreatIntelSets associated with the administrator account are returned.
Parameter Syntax
$result = $client->listThreatIntelSets([
'DetectorId' => '<string>', // REQUIRED
'MaxResults' => <integer>,
'NextToken' => '<string>',
]);
Parameter Details
Members
- DetectorId
-
- Required: Yes
- Type: string
The unique ID of the detector that the threatIntelSet is associated with.
- MaxResults
-
- Type: int
You can use this parameter to indicate the maximum number of items that you want in the response. The default value is 50. The maximum value is 50.
- NextToken
-
- Type: string
You can use this parameter to paginate results in the response. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.
Result Syntax
[
'NextToken' => '<string>',
'ThreatIntelSetIds' => ['<string>', ...],
]
Result Details
Members
Errors
-
A bad request exception object.
-
An internal server error exception object.
StartMonitoringMembers
$result = $client->startMonitoringMembers([/* ... */]); $promise = $client->startMonitoringMembersAsync([/* ... */]);
Turns on GuardDuty monitoring of the specified member accounts. Use this operation to restart monitoring of accounts that you stopped monitoring with the StopMonitoringMembers operation.
Parameter Syntax
$result = $client->startMonitoringMembers([
'AccountIds' => ['<string>', ...], // REQUIRED
'DetectorId' => '<string>', // REQUIRED
]);
Parameter Details
Members
Result Syntax
[
'UnprocessedAccounts' => [
[
'AccountId' => '<string>',
'Result' => '<string>',
],
// ...
],
]
Result Details
Members
- UnprocessedAccounts
-
- Required: Yes
- Type: Array of UnprocessedAccount structures
A list of objects that contain the unprocessed account and a result string that explains why it was unprocessed.
Errors
-
A bad request exception object.
-
An internal server error exception object.
StopMonitoringMembers
$result = $client->stopMonitoringMembers([/* ... */]); $promise = $client->stopMonitoringMembersAsync([/* ... */]);
Stops GuardDuty monitoring for the specified member accounts. Use the StartMonitoringMembers operation to restart monitoring for those accounts.
Parameter Syntax
$result = $client->stopMonitoringMembers([
'AccountIds' => ['<string>', ...], // REQUIRED
'DetectorId' => '<string>', // REQUIRED
]);
Parameter Details
Members
Result Syntax
[
'UnprocessedAccounts' => [
[
'AccountId' => '<string>',
'Result' => '<string>',
],
// ...
],
]
Result Details
Members
- UnprocessedAccounts
-
- Required: Yes
- Type: Array of UnprocessedAccount structures
A list of objects that contain an accountId for each account that could not be processed, and a result string that indicates why the account was not processed.
Errors
-
A bad request exception object.
-
An internal server error exception object.
TagResource
$result = $client->tagResource([/* ... */]); $promise = $client->tagResourceAsync([/* ... */]);
Adds tags to a resource.
Parameter Syntax
$result = $client->tagResource([
'ResourceArn' => '<string>', // REQUIRED
'Tags' => ['<string>', ...], // REQUIRED
]);
Parameter Details
Members
Result Syntax
[]
Result Details
Errors
-
A bad request exception object.
-
An internal server error exception object.
UnarchiveFindings
$result = $client->unarchiveFindings([/* ... */]); $promise = $client->unarchiveFindingsAsync([/* ... */]);
Unarchives GuardDuty findings specified by the findingIds.
Parameter Syntax
$result = $client->unarchiveFindings([
'DetectorId' => '<string>', // REQUIRED
'FindingIds' => ['<string>', ...], // REQUIRED
]);
Parameter Details
Members
Result Syntax
[]
Result Details
Errors
-
A bad request exception object.
-
An internal server error exception object.
UntagResource
$result = $client->untagResource([/* ... */]); $promise = $client->untagResourceAsync([/* ... */]);
Removes tags from a resource.
Parameter Syntax
$result = $client->untagResource([
'ResourceArn' => '<string>', // REQUIRED
'TagKeys' => ['<string>', ...], // REQUIRED
]);
Parameter Details
Members
Result Syntax
[]
Result Details
Errors
-
A bad request exception object.
-
An internal server error exception object.
UpdateDetector
$result = $client->updateDetector([/* ... */]); $promise = $client->updateDetectorAsync([/* ... */]);
Updates the Amazon GuardDuty detector specified by the detectorId.
Parameter Syntax
$result = $client->updateDetector([
'DataSources' => [
'Kubernetes' => [
'AuditLogs' => [ // REQUIRED
'Enable' => true || false, // REQUIRED
],
],
'MalwareProtection' => [
'ScanEc2InstanceWithFindings' => [
'EbsVolumes' => true || false,
],
],
'S3Logs' => [
'Enable' => true || false, // REQUIRED
],
],
'DetectorId' => '<string>', // REQUIRED
'Enable' => true || false,
'FindingPublishingFrequency' => 'FIFTEEN_MINUTES|ONE_HOUR|SIX_HOURS',
]);
Parameter Details
Members
- DataSources
-
- Type: DataSourceConfigurations structure
Describes which data sources will be updated.
- DetectorId
-
- Required: Yes
- Type: string
The unique ID of the detector to update.
- Enable
-
- Type: boolean
Specifies whether the detector is enabled or not enabled.
- FindingPublishingFrequency
-
- Type: string
An enum value that specifies how frequently findings are exported, such as to CloudWatch Events.
Result Syntax
[]
Result Details
Errors
-
A bad request exception object.
-
An internal server error exception object.
UpdateFilter
$result = $client->updateFilter([/* ... */]); $promise = $client->updateFilterAsync([/* ... */]);
Updates the filter specified by the filter name.
Parameter Syntax
$result = $client->updateFilter([
'Action' => 'NOOP|ARCHIVE',
'Description' => '<string>',
'DetectorId' => '<string>', // REQUIRED
'FilterName' => '<string>', // REQUIRED
'FindingCriteria' => [
'Criterion' => [
'<String>' => [
'Eq' => ['<string>', ...],
'Equals' => ['<string>', ...],
'GreaterThan' => <integer>,
'GreaterThanOrEqual' => <integer>,
'Gt' => <integer>,
'Gte' => <integer>,
'LessThan' => <integer>,
'LessThanOrEqual' => <integer>,
'Lt' => <integer>,
'Lte' => <integer>,
'Neq' => ['<string>', ...],
'NotEquals' => ['<string>', ...],
],
// ...
],
],
'Rank' => <integer>,
]);
Parameter Details
Members
- Action
-
- Type: string
Specifies the action that is to be applied to the findings that match the filter.
- Description
-
- Type: string
The description of the filter.
- DetectorId
-
- Required: Yes
- Type: string
The unique ID of the detector that specifies the GuardDuty service where you want to update a filter.
- FilterName
-
- Required: Yes
- Type: string
The name of the filter.
- FindingCriteria
-
- Type: FindingCriteria structure
Represents the criteria to be used in the filter for querying findings.
- Rank
-
- Type: int
Specifies the position of the filter in the list of current filters. Also specifies the order in which this filter is applied to the findings.
Result Syntax
[
'Name' => '<string>',
]
Result Details
Errors
-
A bad request exception object.
-
An internal server error exception object.
UpdateFindingsFeedback
$result = $client->updateFindingsFeedback([/* ... */]); $promise = $client->updateFindingsFeedbackAsync([/* ... */]);
Marks the specified GuardDuty findings as useful or not useful.
Parameter Syntax
$result = $client->updateFindingsFeedback([
'Comments' => '<string>',
'DetectorId' => '<string>', // REQUIRED
'Feedback' => 'USEFUL|NOT_USEFUL', // REQUIRED
'FindingIds' => ['<string>', ...], // REQUIRED
]);
Parameter Details
Members
- Comments
-
- Type: string
Additional feedback about the GuardDuty findings.
- DetectorId
-
- Required: Yes
- Type: string
The ID of the detector associated with the findings to update feedback for.
- Feedback
-
- Required: Yes
- Type: string
The feedback for the finding.
- FindingIds
-
- Required: Yes
- Type: Array of strings
The IDs of the findings that you want to mark as useful or not useful.
Result Syntax
[]
Result Details
Errors
-
A bad request exception object.
-
An internal server error exception object.
UpdateIPSet
$result = $client->updateIPSet([/* ... */]); $promise = $client->updateIPSetAsync([/* ... */]);
Updates the IPSet specified by the IPSet ID.
Parameter Syntax
$result = $client->updateIPSet([
'Activate' => true || false,
'DetectorId' => '<string>', // REQUIRED
'IpSetId' => '<string>', // REQUIRED
'Location' => '<string>',
'Name' => '<string>',
]);
Parameter Details
Members
- Activate
-
- Type: boolean
The updated Boolean value that specifies whether the IPSet is active or not.
- DetectorId
-
- Required: Yes
- Type: string
The detectorID that specifies the GuardDuty service whose IPSet you want to update.
- IpSetId
-
- Required: Yes
- Type: string
The unique ID that specifies the IPSet that you want to update.
- Location
-
- Type: string
The updated URI of the file that contains the IPSet.
- Name
-
- Type: string
The unique ID that specifies the IPSet that you want to update.
Result Syntax
[]
Result Details
Errors
-
A bad request exception object.
-
An internal server error exception object.
UpdateMalwareScanSettings
$result = $client->updateMalwareScanSettings([/* ... */]); $promise = $client->updateMalwareScanSettingsAsync([/* ... */]);
Updates the malware scan settings.
Parameter Syntax
$result = $client->updateMalwareScanSettings([
'DetectorId' => '<string>', // REQUIRED
'EbsSnapshotPreservation' => 'NO_RETENTION|RETENTION_WITH_FINDING',
'ScanResourceCriteria' => [
'Exclude' => [
'<ScanCriterionKey>' => [
'MapEquals' => [ // REQUIRED
[
'Key' => '<string>', // REQUIRED
'Value' => '<string>',
],
// ...
],
],
// ...
],
'Include' => [
'<ScanCriterionKey>' => [
'MapEquals' => [ // REQUIRED
[
'Key' => '<string>', // REQUIRED
'Value' => '<string>',
],
// ...
],
],
// ...
],
],
]);
Parameter Details
Members
- DetectorId
-
- Required: Yes
- Type: string
The unique ID of the detector that specifies the GuardDuty service where you want to update scan settings.
- EbsSnapshotPreservation
-
- Type: string
An enum value representing possible snapshot preservation settings.
- ScanResourceCriteria
-
- Type: ScanResourceCriteria structure
Represents the criteria to be used in the filter for selecting resources to scan.
Result Syntax
[]
Result Details
Errors
-
A bad request exception object.
-
An internal server error exception object.
UpdateMemberDetectors
$result = $client->updateMemberDetectors([/* ... */]); $promise = $client->updateMemberDetectorsAsync([/* ... */]);
Contains information on member accounts to be updated.
Parameter Syntax
$result = $client->updateMemberDetectors([
'AccountIds' => ['<string>', ...], // REQUIRED
'DataSources' => [
'Kubernetes' => [
'AuditLogs' => [ // REQUIRED
'Enable' => true || false, // REQUIRED
],
],
'MalwareProtection' => [
'ScanEc2InstanceWithFindings' => [
'EbsVolumes' => true || false,
],
],
'S3Logs' => [
'Enable' => true || false, // REQUIRED
],
],
'DetectorId' => '<string>', // REQUIRED
]);
Parameter Details
Members
- AccountIds
-
- Required: Yes
- Type: Array of strings
A list of member account IDs to be updated.
- DataSources
-
- Type: DataSourceConfigurations structure
Describes which data sources will be updated.
- DetectorId
-
- Required: Yes
- Type: string
The detector ID of the administrator account.
Result Syntax
[
'UnprocessedAccounts' => [
[
'AccountId' => '<string>',
'Result' => '<string>',
],
// ...
],
]
Result Details
Members
- UnprocessedAccounts
-
- Required: Yes
- Type: Array of UnprocessedAccount structures
A list of member account IDs that were unable to be processed along with an explanation for why they were not processed.
Errors
-
A bad request exception object.
-
An internal server error exception object.
UpdateOrganizationConfiguration
$result = $client->updateOrganizationConfiguration([/* ... */]); $promise = $client->updateOrganizationConfigurationAsync([/* ... */]);
Updates the delegated administrator account with the values provided.
Parameter Syntax
$result = $client->updateOrganizationConfiguration([
'AutoEnable' => true || false, // REQUIRED
'DataSources' => [
'Kubernetes' => [
'AuditLogs' => [ // REQUIRED
'AutoEnable' => true || false, // REQUIRED
],
],
'MalwareProtection' => [
'ScanEc2InstanceWithFindings' => [
'EbsVolumes' => [
'AutoEnable' => true || false,
],
],
],
'S3Logs' => [
'AutoEnable' => true || false, // REQUIRED
],
],
'DetectorId' => '<string>', // REQUIRED
]);
Parameter Details
Members
- AutoEnable
-
- Required: Yes
- Type: boolean
Indicates whether to automatically enable member accounts in the organization.
- DataSources
-
- Type: OrganizationDataSourceConfigurations structure
Describes which data sources will be updated.
- DetectorId
-
- Required: Yes
- Type: string
The ID of the detector to update the delegated administrator for.
Result Syntax
[]
Result Details
Errors
-
A bad request exception object.
-
An internal server error exception object.
UpdatePublishingDestination
$result = $client->updatePublishingDestination([/* ... */]); $promise = $client->updatePublishingDestinationAsync([/* ... */]);
Updates information about the publishing destination specified by the destinationId.
Parameter Syntax
$result = $client->updatePublishingDestination([
'DestinationId' => '<string>', // REQUIRED
'DestinationProperties' => [
'DestinationArn' => '<string>',
'KmsKeyArn' => '<string>',
],
'DetectorId' => '<string>', // REQUIRED
]);
Parameter Details
Members
- DestinationId
-
- Required: Yes
- Type: string
The ID of the publishing destination to update.
- DestinationProperties
-
- Type: DestinationProperties structure
A
DestinationPropertiesobject that includes theDestinationArnandKmsKeyArnof the publishing destination. - DetectorId
-
- Required: Yes
- Type: string
The ID of the detector associated with the publishing destinations to update.
Result Syntax
[]
Result Details
Errors
-
A bad request exception object.
-
An internal server error exception object.
UpdateThreatIntelSet
$result = $client->updateThreatIntelSet([/* ... */]); $promise = $client->updateThreatIntelSetAsync([/* ... */]);
Updates the ThreatIntelSet specified by the ThreatIntelSet ID.
Parameter Syntax
$result = $client->updateThreatIntelSet([
'Activate' => true || false,
'DetectorId' => '<string>', // REQUIRED
'Location' => '<string>',
'Name' => '<string>',
'ThreatIntelSetId' => '<string>', // REQUIRED
]);
Parameter Details
Members
- Activate
-
- Type: boolean
The updated Boolean value that specifies whether the ThreateIntelSet is active or not.
- DetectorId
-
- Required: Yes
- Type: string
The detectorID that specifies the GuardDuty service whose ThreatIntelSet you want to update.
- Location
-
- Type: string
The updated URI of the file that contains the ThreateIntelSet.
- Name
-
- Type: string
The unique ID that specifies the ThreatIntelSet that you want to update.
- ThreatIntelSetId
-
- Required: Yes
- Type: string
The unique ID that specifies the ThreatIntelSet that you want to update.
Result Syntax
[]
Result Details
Errors
-
A bad request exception object.
-
An internal server error exception object.
Shapes
AccessControlList
Description
Contains information on the current access control policies for the bucket.
Members
- AllowsPublicReadAccess
-
- Type: boolean
A value that indicates whether public read access for the bucket is enabled through an Access Control List (ACL).
- AllowsPublicWriteAccess
-
- Type: boolean
A value that indicates whether public write access for the bucket is enabled through an Access Control List (ACL).
AccessKeyDetails
Description
Contains information about the access keys.
Members
AccountDetail
Description
Contains information about the account.
Members
AccountFreeTrialInfo
Description
Provides details of the GuardDuty member account that uses a free trial service.
Members
- AccountId
-
- Type: string
The account identifier of the GuardDuty member account.
- DataSources
-
- Type: DataSourcesFreeTrial structure
Describes the data source enabled for the GuardDuty member account.
AccountLevelPermissions
Description
Contains information about the account level permissions on the S3 bucket.
Members
- BlockPublicAccess
-
- Type: BlockPublicAccess structure
Describes the S3 Block Public Access settings of the bucket's parent account.
Action
Description
Contains information about actions.
Members
- ActionType
-
- Type: string
The GuardDuty finding activity type.
- AwsApiCallAction
-
- Type: AwsApiCallAction structure
Information about the AWS_API_CALL action described in this finding.
- DnsRequestAction
-
- Type: DnsRequestAction structure
Information about the DNS_REQUEST action described in this finding.
- KubernetesApiCallAction
-
- Type: KubernetesApiCallAction structure
Information about the Kubernetes API call action described in this finding.
- NetworkConnectionAction
-
- Type: NetworkConnectionAction structure
Information about the NETWORK_CONNECTION action described in this finding.
- PortProbeAction
-
- Type: PortProbeAction structure
Information about the PORT_PROBE action described in this finding.
AdminAccount
Description
The account within the organization specified as the GuardDuty delegated administrator.
Members
Administrator
Description
Contains information about the administrator account and invitation.
Members
- AccountId
-
- Type: string
The ID of the account used as the administrator account.
- InvitationId
-
- Type: string
The value that is used to validate the administrator account to the member account.
- InvitedAt
-
- Type: string
The timestamp when the invitation was sent.
- RelationshipStatus
-
- Type: string
The status of the relationship between the administrator and member accounts.
AwsApiCallAction
Description
Contains information about the API action.
Members
- AffectedResources
-
- Type: Associative array of custom strings keys (String) to strings
The details of the Amazon Web Services account that made the API call. This field identifies the resources that were affected by this API call.
- Api
-
- Type: string
The Amazon Web Services API name.
- CallerType
-
- Type: string
The Amazon Web Services API caller type.
- DomainDetails
-
- Type: DomainDetails structure
The domain information for the Amazon Web Services API call.
- ErrorCode
-
- Type: string
The error code of the failed Amazon Web Services API action.
- RemoteAccountDetails
-
- Type: RemoteAccountDetails structure
The details of the Amazon Web Services account that made the API call. This field appears if the call was made from outside your account.
- RemoteIpDetails
-
- Type: RemoteIpDetails structure
The remote IP information of the connection that initiated the Amazon Web Services API call.
- ServiceName
-
- Type: string
The Amazon Web Services service name whose API was invoked.
- UserAgent
-
- Type: string
The agent through which the API request was made.
BadRequestException
Description
A bad request exception object.
Members
BlockPublicAccess
Description
Contains information on how the bucker owner's S3 Block Public Access settings are being applied to the S3 bucket. See S3 Block Public Access for more information.
Members
- BlockPublicAcls
-
- Type: boolean
Indicates if S3 Block Public Access is set to
BlockPublicAcls. - BlockPublicPolicy
-
- Type: boolean
Indicates if S3 Block Public Access is set to
BlockPublicPolicy. - IgnorePublicAcls
-
- Type: boolean
Indicates if S3 Block Public Access is set to
IgnorePublicAcls. - RestrictPublicBuckets
-
- Type: boolean
Indicates if S3 Block Public Access is set to
RestrictPublicBuckets.
BucketLevelPermissions
Description
Contains information about the bucket level permissions for the S3 bucket.
Members
- AccessControlList
-
- Type: AccessControlList structure
Contains information on how Access Control Policies are applied to the bucket.
- BlockPublicAccess
-
- Type: BlockPublicAccess structure
Contains information on which account level S3 Block Public Access settings are applied to the S3 bucket.
- BucketPolicy
-
- Type: BucketPolicy structure
Contains information on the bucket policies for the S3 bucket.
BucketPolicy
Description
Contains information on the current bucket policies for the S3 bucket.
Members
City
Description
Contains information about the city associated with the IP address.
Members
CloudTrailConfigurationResult
Description
Contains information on the status of CloudTrail as a data source for the detector.
Members
Condition
Description
Contains information about the condition.
Members
- Eq
-
- Type: Array of strings
Represents the equal condition to be applied to a single field when querying for findings.
- Equals
-
- Type: Array of strings
Represents an equal condition to be applied to a single field when querying for findings.
- GreaterThan
-
- Type: long (int|float)
Represents a greater than condition to be applied to a single field when querying for findings.
- GreaterThanOrEqual
-
- Type: long (int|float)
Represents a greater than or equal condition to be applied to a single field when querying for findings.
- Gt
-
- Type: int
Represents a greater than condition to be applied to a single field when querying for findings.
- Gte
-
- Type: int
Represents a greater than or equal condition to be applied to a single field when querying for findings.
- LessThan
-
- Type: long (int|float)
Represents a less than condition to be applied to a single field when querying for findings.
- LessThanOrEqual
-
- Type: long (int|float)
Represents a less than or equal condition to be applied to a single field when querying for findings.
- Lt
-
- Type: int
Represents a less than condition to be applied to a single field when querying for findings.
- Lte
-
- Type: int
Represents a less than or equal condition to be applied to a single field when querying for findings.
- Neq
-
- Type: Array of strings
Represents the not equal condition to be applied to a single field when querying for findings.
- NotEquals
-
- Type: Array of strings
Represents a not equal condition to be applied to a single field when querying for findings.
Container
Description
Details of a container.
Members
- ContainerRuntime
-
- Type: string
The container runtime (such as, Docker or containerd) used to run the container.
- Id
-
- Type: string
Container ID.
- Image
-
- Type: string
Container image.
- ImagePrefix
-
- Type: string
Part of the image name before the last slash. For example, imagePrefix for public.ecr.aws/amazonlinux/amazonlinux:latest would be public.ecr.aws/amazonlinux. If the image name is relative and does not have a slash, this field is empty.
- Name
-
- Type: string
Container name.
- SecurityContext
-
- Type: SecurityContext structure
Container security context.
- VolumeMounts
-
- Type: Array of VolumeMount structures
Container volume mounts.
Country
Description
Contains information about the country where the remote IP address is located.
Members
DNSLogsConfigurationResult
Description
Contains information on the status of DNS logs as a data source.
Members
DataSourceConfigurations
Description
Contains information about which data sources are enabled.
Members
- Kubernetes
-
- Type: KubernetesConfiguration structure
Describes whether any Kubernetes logs are enabled as data sources.
- MalwareProtection
-
- Type: MalwareProtectionConfiguration structure
Describes whether Malware Protection is enabled as a data source.
- S3Logs
-
- Type: S3LogsConfiguration structure
Describes whether S3 data event logs are enabled as a data source.
DataSourceConfigurationsResult
Description
Contains information on the status of data sources for the detector.
Members
- CloudTrail
-
- Required: Yes
- Type: CloudTrailConfigurationResult structure
An object that contains information on the status of CloudTrail as a data source.
- DNSLogs
-
- Required: Yes
- Type: DNSLogsConfigurationResult structure
An object that contains information on the status of DNS logs as a data source.
- FlowLogs
-
- Required: Yes
- Type: FlowLogsConfigurationResult structure
An object that contains information on the status of VPC flow logs as a data source.
- Kubernetes
-
- Type: KubernetesConfigurationResult structure
An object that contains information on the status of all Kubernetes data sources.
- MalwareProtection
-
- Type: MalwareProtectionConfigurationResult structure
Describes the configuration of Malware Protection data sources.
- S3Logs
-
- Required: Yes
- Type: S3LogsConfigurationResult structure
An object that contains information on the status of S3 Data event logs as a data source.
DataSourceFreeTrial
Description
Contains information about which data sources are enabled for the GuardDuty member account.
Members
DataSourcesFreeTrial
Description
Contains information about which data sources are enabled for the GuardDuty member account.
Members
- CloudTrail
-
- Type: DataSourceFreeTrial structure
Describes whether any Amazon Web Services CloudTrail management event logs are enabled as data sources.
- DnsLogs
-
- Type: DataSourceFreeTrial structure
Describes whether any DNS logs are enabled as data sources.
- FlowLogs
-
- Type: DataSourceFreeTrial structure
Describes whether any VPC Flow logs are enabled as data sources.
- Kubernetes
-
- Type: KubernetesDataSourceFreeTrial structure
Describes whether any Kubernetes logs are enabled as data sources.
- MalwareProtection
-
- Type: MalwareProtectionDataSourceFreeTrial structure
Describes whether Malware Protection is enabled as a data source.
- S3Logs
-
- Type: DataSourceFreeTrial structure
Describes whether any S3 data event logs are enabled as data sources.
DefaultServerSideEncryption
Description
Contains information on the server side encryption method used in the S3 bucket. See S3 Server-Side Encryption for more information.
Members
Destination
Description
Contains information about the publishing destination, including the ID, type, and status.
Members
- DestinationId
-
- Required: Yes
- Type: string
The unique ID of the publishing destination.
- DestinationType
-
- Required: Yes
- Type: string
The type of resource used for the publishing destination. Currently, only Amazon S3 buckets are supported.
- Status
-
- Required: Yes
- Type: string
The status of the publishing destination.
DestinationProperties
Description
Contains the Amazon Resource Name (ARN) of the resource to publish to, such as an S3 bucket, and the ARN of the KMS key to use to encrypt published findings.
Members
DnsRequestAction
Description
Contains information about the DNS_REQUEST action described in this finding.
Members
DomainDetails
Description
Contains information about the domain.
Members
EbsVolumeDetails
Description
Contains list of scanned and skipped EBS volumes with details.
Members
- ScannedVolumeDetails
-
- Type: Array of VolumeDetail structures
List of EBS volumes that were scanned.
- SkippedVolumeDetails
-
- Type: Array of VolumeDetail structures
List of EBS volumes that were skipped from the malware scan.
EbsVolumeScanDetails
Description
Contains details from the malware scan that created a finding.
Members
- ScanCompletedAt
-
- Type: timestamp (string|DateTime or anything parsable by strtotime)
Returns the completion date and time of the malware scan.
- ScanDetections
-
- Type: ScanDetections structure
Contains a complete view providing malware scan result details.
- ScanId
-
- Type: string
Unique Id of the malware scan that generated the finding.
- ScanStartedAt
-
- Type: timestamp (string|DateTime or anything parsable by strtotime)
Returns the start date and time of the malware scan.
- Sources
-
- Type: Array of strings
Contains list of threat intelligence sources used to detect threats.
- TriggerFindingId
-
- Type: string
GuardDuty finding ID that triggered a malware scan.
EbsVolumesResult
Description
Describes the configuration of scanning EBS volumes as a data source.
Members
EcsClusterDetails
Description
Contains information about the details of the ECS Cluster.
Members
- ActiveServicesCount
-
- Type: int
The number of services that are running on the cluster in an ACTIVE state.
- Arn
-
- Type: string
The Amazon Resource Name (ARN) that identifies the cluster.
- Name
-
- Type: string
The name of the ECS Cluster.
- RegisteredContainerInstancesCount
-
- Type: int
The number of container instances registered into the cluster.
- RunningTasksCount
-
- Type: int
The number of tasks in the cluster that are in the RUNNING state.
- Status
-
- Type: string
The status of the ECS cluster.
- Tags
-
- Type: Array of Tag structures
The tags of the ECS Cluster.
- TaskDetails
-
- Type: EcsTaskDetails structure
Contains information about the details of the ECS Task.
EcsTaskDetails
Description
Contains information about the task in an ECS cluster.
Members
- Arn
-
- Type: string
The Amazon Resource Name (ARN) of the task.
- Containers
-
- Type: Array of Container structures
The containers that's associated with the task.
- DefinitionArn
-
- Type: string
The ARN of the task definition that creates the task.
- Group
-
- Type: string
The name of the task group that's associated with the task.
- StartedAt
-
- Type: timestamp (string|DateTime or anything parsable by strtotime)
The Unix timestamp for the time when the task started.
- StartedBy
-
- Type: string
Contains the tag specified when a task is started.
- Tags
-
- Type: Array of Tag structures
The tags of the ECS Task.
- TaskCreatedAt
-
- Type: timestamp (string|DateTime or anything parsable by strtotime)
The Unix timestamp for the time when the task was created.
- Version
-
- Type: string
The version counter for the task.
- Volumes
-
- Type: Array of Volume structures
The list of data volume definitions for the task.
EksClusterDetails
Description
Details about the EKS cluster involved in a Kubernetes finding.
Members
- Arn
-
- Type: string
EKS cluster ARN.
- CreatedAt
-
- Type: timestamp (string|DateTime or anything parsable by strtotime)
The timestamp when the EKS cluster was created.
- Name
-
- Type: string
EKS cluster name.
- Status
-
- Type: string
The EKS cluster status.
- Tags
-
- Type: Array of Tag structures
The EKS cluster tags.
- VpcId
-
- Type: string
The VPC ID to which the EKS cluster is attached.
Evidence
Description
Contains information about the reason that the finding was generated.
Members
- ThreatIntelligenceDetails
-
- Type: Array of ThreatIntelligenceDetail structures
A list of threat intelligence details related to the evidence.
FilterCondition
Description
Contains information about the condition.
Members
- EqualsValue
-
- Type: string
Represents an equal condition to be applied to a single field when querying for scan entries.
- GreaterThan
-
- Type: long (int|float)
Represents a greater than condition to be applied to a single field when querying for scan entries.
- LessThan
-
- Type: long (int|float)
Represents a less than condition to be applied to a single field when querying for scan entries.
FilterCriteria
Description
Represents the criteria to be used in the filter for describing scan entries.
Members
- FilterCriterion
-
- Type: Array of FilterCriterion structures
Represents a condition that when matched will be added to the response of the operation.
FilterCriterion
Description
Represents a condition that when matched will be added to the response of the operation. Irrespective of using any filter criteria, an administrator account can view the scan entries for all of its member accounts. However, each member account can view the scan entries only for their own account.
Members
- CriterionKey
-
- Type: string
An enum value representing possible scan properties to match with given scan entries.
- FilterCondition
-
- Type: FilterCondition structure
Contains information about the condition.
Finding
Description
Contains information about the finding, which is generated when abnormal or suspicious activity is detected.
Members
- AccountId
-
- Required: Yes
- Type: string
The ID of the account in which the finding was generated.
- Arn
-
- Required: Yes
- Type: string
The ARN of the finding.
- Confidence
-
- Type: double
The confidence score for the finding.
- CreatedAt
-
- Required: Yes
- Type: string
The time and date when the finding was created.
- Description
-
- Type: string
The description of the finding.
- Id
-
- Required: Yes
- Type: string
The ID of the finding.
- Partition
-
- Type: string
The partition associated with the finding.
- Region
-
- Required: Yes
- Type: string
The Region where the finding was generated.
- Resource
-
- Required: Yes
- Type: Resource structure
Contains information about the Amazon Web Services resource associated with the activity that prompted GuardDuty to generate a finding.
- SchemaVersion
-
- Required: Yes
- Type: string
The version of the schema used for the finding.
- Service
-
- Type: Service structure
Contains additional information about the generated finding.
- Severity
-
- Required: Yes
- Type: double
The severity of the finding.
- Title
-
- Type: string
The title of the finding.
- Type
-
- Required: Yes
- Type: string
The type of finding.
- UpdatedAt
-
- Required: Yes
- Type: string
The time and date when the finding was last updated.
FindingCriteria
Description
Contains information about the criteria used for querying findings.
Members
- Criterion
-
- Type: Associative array of custom strings keys (String) to Condition structures
Represents a map of finding properties that match specified conditions and values when querying findings.
FindingStatistics
Description
Contains information about finding statistics.
Members
FlowLogsConfigurationResult
Description
Contains information on the status of VPC flow logs as a data source.
Members
GeoLocation
Description
Contains information about the location of the remote IP address.
Members
HighestSeverityThreatDetails
Description
Contains details of the highest severity threat detected during scan and number of infected files.
Members
HostPath
Description
Represents a pre-existing file or directory on the host machine that the volume maps to.
Members
IamInstanceProfile
Description
Contains information about the EC2 instance profile.
Members
InstanceDetails
Description
Contains information about the details of an instance.
Members
- AvailabilityZone
-
- Type: string
The Availability Zone of the EC2 instance.
- IamInstanceProfile
-
- Type: IamInstanceProfile structure
The profile information of the EC2 instance.
- ImageDescription
-
- Type: string
The image description of the EC2 instance.
- ImageId
-
- Type: string
The image ID of the EC2 instance.
- InstanceId
-
- Type: string
The ID of the EC2 instance.
- InstanceState
-
- Type: string
The state of the EC2 instance.
- InstanceType
-
- Type: string
The type of the EC2 instance.
- LaunchTime
-
- Type: string
The launch time of the EC2 instance.
- NetworkInterfaces
-
- Type: Array of NetworkInterface structures
The elastic network interface information of the EC2 instance.
- OutpostArn
-
- Type: string
The Amazon Resource Name (ARN) of the Amazon Web Services Outpost. Only applicable to Amazon Web Services Outposts instances.
- Platform
-
- Type: string
The platform of the EC2 instance.
- ProductCodes
-
- Type: Array of ProductCode structures
The product code of the EC2 instance.
- Tags
-
- Type: Array of Tag structures
The tags of the EC2 instance.
InternalServerErrorException
Description
An internal server error exception object.
Members
Invitation
Description
Contains information about the invitation to become a member account.
Members
- AccountId
-
- Type: string
The ID of the account that the invitation was sent from.
- InvitationId
-
- Type: string
The ID of the invitation. This value is used to validate the inviter account to the member account.
- InvitedAt
-
- Type: string
The timestamp when the invitation was sent.
- RelationshipStatus
-
- Type: string
The status of the relationship between the inviter and invitee accounts.
KubernetesApiCallAction
Description
Information about the Kubernetes API call action described in this finding.
Members
- Parameters
-
- Type: string
Parameters related to the Kubernetes API call action.
- RemoteIpDetails
-
- Type: RemoteIpDetails structure
Contains information about the remote IP address of the connection.
- RequestUri
-
- Type: string
The Kubernetes API request URI.
- SourceIps
-
- Type: Array of strings
The IP of the Kubernetes API caller and the IPs of any proxies or load balancers between the caller and the API endpoint.
- StatusCode
-
- Type: int
The resulting HTTP response code of the Kubernetes API call action.
- UserAgent
-
- Type: string
The user agent of the caller of the Kubernetes API.
- Verb
-
- Type: string
The Kubernetes API request HTTP verb.
KubernetesAuditLogsConfiguration
Description
Describes whether Kubernetes audit logs are enabled as a data source.
Members
KubernetesAuditLogsConfigurationResult
Description
Describes whether Kubernetes audit logs are enabled as a data source.
Members
KubernetesConfiguration
Description
Describes whether any Kubernetes data sources are enabled.
Members
- AuditLogs
-
- Required: Yes
- Type: KubernetesAuditLogsConfiguration structure
The status of Kubernetes audit logs as a data source.
KubernetesConfigurationResult
Description
Describes whether any Kubernetes logs will be enabled as a data source.
Members
- AuditLogs
-
- Required: Yes
- Type: KubernetesAuditLogsConfigurationResult structure
Describes whether Kubernetes audit logs are enabled as a data source.
KubernetesDataSourceFreeTrial
Description
Provides details about the Kubernetes resources when it is enabled as a data source.
Members
- AuditLogs
-
- Type: DataSourceFreeTrial structure
Describes whether Kubernetes audit logs are enabled as a data source.
KubernetesDetails
Description
Details about Kubernetes resources such as a Kubernetes user or workload resource involved in a Kubernetes finding.
Members
- KubernetesUserDetails
-
- Type: KubernetesUserDetails structure
Details about the Kubernetes user involved in a Kubernetes finding.
- KubernetesWorkloadDetails
-
- Type: KubernetesWorkloadDetails structure
Details about the Kubernetes workload involved in a Kubernetes finding.
KubernetesUserDetails
Description
Details about the Kubernetes user involved in a Kubernetes finding.
Members
KubernetesWorkloadDetails
Description
Details about the Kubernetes workload involved in a Kubernetes finding.
Members
- Containers
-
- Type: Array of Container structures
Containers running as part of the Kubernetes workload.
- HostNetwork
-
- Type: boolean
Whether the hostNetwork flag is enabled for the pods included in the workload.
- Name
-
- Type: string
Kubernetes workload name.
- Namespace
-
- Type: string
Kubernetes namespace that the workload is part of.
- Type
-
- Type: string
Kubernetes workload type (e.g. Pod, Deployment, etc.).
- Uid
-
- Type: string
Kubernetes workload ID.
- Volumes
-
- Type: Array of Volume structures
Volumes used by the Kubernetes workload.
LocalIpDetails
Description
Contains information about the local IP address of the connection.
Members
LocalPortDetails
Description
Contains information about the port for the local connection.
Members
MalwareProtectionConfiguration
Description
Describes whether Malware Protection will be enabled as a data source.
Members
- ScanEc2InstanceWithFindings
-
- Type: ScanEc2InstanceWithFindings structure
Describes the configuration of Malware Protection for EC2 instances with findings.
MalwareProtectionConfigurationResult
Description
An object that contains information on the status of all Malware Protection data sources.
Members
- ScanEc2InstanceWithFindings
-
- Type: ScanEc2InstanceWithFindingsResult structure
Describes the configuration of Malware Protection for EC2 instances with findings.
- ServiceRole
-
- Type: string
The GuardDuty Malware Protection service role.
MalwareProtectionDataSourceFreeTrial
Description
Provides details about Malware Protection when it is enabled as a data source.
Members
- ScanEc2InstanceWithFindings
-
- Type: DataSourceFreeTrial structure
Describes whether Malware Protection for EC2 instances with findings is enabled as a data source.
Master
Description
Contains information about the administrator account and invitation.
Members
- AccountId
-
- Type: string
The ID of the account used as the administrator account.
- InvitationId
-
- Type: string
The value used to validate the administrator account to the member account.
- InvitedAt
-
- Type: string
The timestamp when the invitation was sent.
- RelationshipStatus
-
- Type: string
The status of the relationship between the administrator and member accounts.
Member
Description
Contains information about the member account.
Members
- AccountId
-
- Required: Yes
- Type: string
The ID of the member account.
- AdministratorId
-
- Type: string
The administrator account ID.
- DetectorId
-
- Type: string
The detector ID of the member account.
-
- Required: Yes
- Type: string
The email address of the member account.
- InvitedAt
-
- Type: string
The timestamp when the invitation was sent.
- MasterId
-
- Required: Yes
- Type: string
The administrator account ID.
- RelationshipStatus
-
- Required: Yes
- Type: string
The status of the relationship between the member and the administrator.
- UpdatedAt
-
- Required: Yes
- Type: string
The last-updated timestamp of the member.
MemberDataSourceConfiguration
Description
Contains information on which data sources are enabled for a member account.
Members
- AccountId
-
- Required: Yes
- Type: string
The account ID for the member account.
- DataSources
-
- Required: Yes
- Type: DataSourceConfigurationsResult structure
Contains information on the status of data sources for the account.
NetworkConnectionAction
Description
Contains information about the NETWORK_CONNECTION action described in the finding.
Members
- Blocked
-
- Type: boolean
Indicates whether EC2 blocked the network connection to your instance.
- ConnectionDirection
-
- Type: string
The network connection direction.
- LocalIpDetails
-
- Type: LocalIpDetails structure
The local IP information of the connection.
- LocalPortDetails
-
- Type: LocalPortDetails structure
The local port information of the connection.
- Protocol
-
- Type: string
The network connection protocol.
- RemoteIpDetails
-
- Type: RemoteIpDetails structure
The remote IP information of the connection.
- RemotePortDetails
-
- Type: RemotePortDetails structure
The remote port information of the connection.
NetworkInterface
Description
Contains information about the elastic network interface of the EC2 instance.
Members
- Ipv6Addresses
-
- Type: Array of strings
A list of IPv6 addresses for the EC2 instance.
- NetworkInterfaceId
-
- Type: string
The ID of the network interface.
- PrivateDnsName
-
- Type: string
The private DNS name of the EC2 instance.
- PrivateIpAddress
-
- Type: string
The private IP address of the EC2 instance.
- PrivateIpAddresses
-
- Type: Array of PrivateIpAddressDetails structures
Other private IP address information of the EC2 instance.
- PublicDnsName
-
- Type: string
The public DNS name of the EC2 instance.
- PublicIp
-
- Type: string
The public IP address of the EC2 instance.
- SecurityGroups
-
- Type: Array of SecurityGroup structures
The security groups associated with the EC2 instance.
- SubnetId
-
- Type: string
The subnet ID of the EC2 instance.
- VpcId
-
- Type: string
The VPC ID of the EC2 instance.
Organization
Description
Contains information about the ISP organization of the remote IP address.
Members
OrganizationDataSourceConfigurations
Description
An object that contains information on which data sources will be configured to be automatically enabled for new members within the organization.
Members
- Kubernetes
-
- Type: OrganizationKubernetesConfiguration structure
Describes the configuration of Kubernetes data sources for new members of the organization.
- MalwareProtection
-
- Type: OrganizationMalwareProtectionConfiguration structure
Describes the configuration of Malware Protection for new members of the organization.
- S3Logs
-
- Type: OrganizationS3LogsConfiguration structure
Describes whether S3 data event logs are enabled for new members of the organization.
OrganizationDataSourceConfigurationsResult
Description
An object that contains information on which data sources are automatically enabled for new members within the organization.
Members
- Kubernetes
-
- Type: OrganizationKubernetesConfigurationResult structure
Describes the configuration of Kubernetes data sources.
- MalwareProtection
-
- Type: OrganizationMalwareProtectionConfigurationResult structure
Describes the configuration of Malware Protection data source for an organization.
- S3Logs
-
- Required: Yes
- Type: OrganizationS3LogsConfigurationResult structure
Describes whether S3 data event logs are enabled as a data source.
OrganizationEbsVolumes
Description
Organization-wide EBS volumes scan configuration.
Members
OrganizationEbsVolumesResult
Description
An object that contains information on the status of whether EBS volumes scanning will be enabled as a data source for an organization.
Members
OrganizationKubernetesAuditLogsConfiguration
Description
Organization-wide Kubernetes audit logs configuration.
Members
OrganizationKubernetesAuditLogsConfigurationResult
Description
The current configuration of Kubernetes audit logs as a data source for the organization.
Members
OrganizationKubernetesConfiguration
Description
Organization-wide Kubernetes data sources configurations.
Members
- AuditLogs
-
- Required: Yes
- Type: OrganizationKubernetesAuditLogsConfiguration structure
Whether Kubernetes audit logs data source should be auto-enabled for new members joining the organization.
OrganizationKubernetesConfigurationResult
Description
The current configuration of all Kubernetes data sources for the organization.
Members
- AuditLogs
-
- Required: Yes
- Type: OrganizationKubernetesAuditLogsConfigurationResult structure
The current configuration of Kubernetes audit logs as a data source for the organization.
OrganizationMalwareProtectionConfiguration
Description
Organization-wide Malware Protection configurations.
Members
- ScanEc2InstanceWithFindings
-
- Type: OrganizationScanEc2InstanceWithFindings structure
Whether Malware Protection for EC2 instances with findings should be auto-enabled for new members joining the organization.
OrganizationMalwareProtectionConfigurationResult
Description
An object that contains information on the status of all Malware Protection data source for an organization.
Members
- ScanEc2InstanceWithFindings
-
- Type: OrganizationScanEc2InstanceWithFindingsResult structure
Describes the configuration for scanning EC2 instances with findings for an organization.
OrganizationS3LogsConfiguration
Description
Describes whether S3 data event logs will be automatically enabled for new members of the organization.
Members
OrganizationS3LogsConfigurationResult
Description
The current configuration of S3 data event logs as a data source for the organization.
Members
OrganizationScanEc2InstanceWithFindings
Description
Organization-wide EC2 instances with findings scan configuration.
Members
- EbsVolumes
-
- Type: OrganizationEbsVolumes structure
Whether scanning EBS volumes should be auto-enabled for new members joining the organization.
OrganizationScanEc2InstanceWithFindingsResult
Description
An object that contains information on the status of scanning EC2 instances with findings for an organization.
Members
- EbsVolumes
-
- Type: OrganizationEbsVolumesResult structure
Describes the configuration for scanning EBS volumes for an organization.
Owner
Description
Contains information on the owner of the bucket.
Members
- Id
-
- Type: string
The canonical user ID of the bucket owner. For information about locating your canonical user ID see Finding Your Account Canonical User ID.
PermissionConfiguration
Description
Contains information about how permissions are configured for the S3 bucket.
Members
- AccountLevelPermissions
-
- Type: AccountLevelPermissions structure
Contains information about the account level permissions on the S3 bucket.
- BucketLevelPermissions
-
- Type: BucketLevelPermissions structure
Contains information about the bucket level permissions for the S3 bucket.
PortProbeAction
Description
Contains information about the PORT_PROBE action described in the finding.
Members
- Blocked
-
- Type: boolean
Indicates whether EC2 blocked the port probe to the instance, such as with an ACL.
- PortProbeDetails
-
- Type: Array of PortProbeDetail structures
A list of objects related to port probe details.
PortProbeDetail
Description
Contains information about the port probe details.
Members
- LocalIpDetails
-
- Type: LocalIpDetails structure
The local IP information of the connection.
- LocalPortDetails
-
- Type: LocalPortDetails structure
The local port information of the connection.
- RemoteIpDetails
-
- Type: RemoteIpDetails structure
The remote IP information of the connection.
PrivateIpAddressDetails
Description
Contains other private IP address information of the EC2 instance.
Members
ProductCode
Description
Contains information about the product code for the EC2 instance.
Members
PublicAccess
Description
Describes the public access policies that apply to the S3 bucket.
Members
- EffectivePermission
-
- Type: string
Describes the effective permission on this bucket after factoring all attached policies.
- PermissionConfiguration
-
- Type: PermissionConfiguration structure
Contains information about how permissions are configured for the S3 bucket.
RemoteAccountDetails
Description
Contains details about the remote Amazon Web Services account that made the API call.
Members
- AccountId
-
- Type: string
The Amazon Web Services account ID of the remote API caller.
- Affiliated
-
- Type: boolean
Details on whether the Amazon Web Services account of the remote API caller is related to your GuardDuty environment. If this value is
Truethe API caller is affiliated to your account in some way. If it isFalsethe API caller is from outside your environment.
RemoteIpDetails
Description
Contains information about the remote IP address of the connection.
Members
- City
-
- Type: City structure
The city information of the remote IP address.
- Country
-
- Type: Country structure
The country code of the remote IP address.
- GeoLocation
-
- Type: GeoLocation structure
The location information of the remote IP address.
- IpAddressV4
-
- Type: string
The IPv4 remote address of the connection.
- Organization
-
- Type: Organization structure
The ISP organization information of the remote IP address.
RemotePortDetails
Description
Contains information about the remote port.
Members
Resource
Description
Contains information about the Amazon Web Services resource associated with the activity that prompted GuardDuty to generate a finding.
Members
- AccessKeyDetails
-
- Type: AccessKeyDetails structure
The IAM access key details (IAM user information) of a user that engaged in the activity that prompted GuardDuty to generate a finding.
- ContainerDetails
-
- Type: Container structure
Details of a container.
- EbsVolumeDetails
-
- Type: EbsVolumeDetails structure
Contains list of scanned and skipped EBS volumes with details.
- EcsClusterDetails
-
- Type: EcsClusterDetails structure
Contains information about the details of the ECS Cluster.
- EksClusterDetails
-
- Type: EksClusterDetails structure
Details about the EKS cluster involved in a Kubernetes finding.
- InstanceDetails
-
- Type: InstanceDetails structure
The information about the EC2 instance associated with the activity that prompted GuardDuty to generate a finding.
- KubernetesDetails
-
- Type: KubernetesDetails structure
Details about the Kubernetes user and workload involved in a Kubernetes finding.
- ResourceType
-
- Type: string
The type of Amazon Web Services resource.
- S3BucketDetails
-
- Type: Array of S3BucketDetail structures
Contains information on the S3 bucket.
ResourceDetails
Description
Represents the resources that were scanned in the scan entry.
Members
S3BucketDetail
Description
Contains information on the S3 bucket.
Members
- Arn
-
- Type: string
The Amazon Resource Name (ARN) of the S3 bucket.
- CreatedAt
-
- Type: timestamp (string|DateTime or anything parsable by strtotime)
The date and time the bucket was created at.
- DefaultServerSideEncryption
-
- Type: DefaultServerSideEncryption structure
Describes the server side encryption method used in the S3 bucket.
- Name
-
- Type: string
The name of the S3 bucket.
- Owner
-
- Type: Owner structure
The owner of the S3 bucket.
- PublicAccess
-
- Type: PublicAccess structure
Describes the public access policies that apply to the S3 bucket.
- Tags
-
- Type: Array of Tag structures
All tags attached to the S3 bucket
- Type
-
- Type: string
Describes whether the bucket is a source or destination bucket.
S3LogsConfiguration
Description
Describes whether S3 data event logs will be enabled as a data source.
Members
S3LogsConfigurationResult
Description
Describes whether S3 data event logs will be enabled as a data source.
Members
Scan
Description
Contains information about a malware scan.
Members
- AccountId
-
- Type: string
The ID for the account that belongs to the scan.
- AdminDetectorId
-
- Type: string
The unique detector ID of the administrator account that the request is associated with. Note that this value will be the same as the one used for
DetectorIdif the account is an administrator. - AttachedVolumes
-
- Type: Array of VolumeDetail structures
List of volumes that were attached to the original instance to be scanned.
- DetectorId
-
- Type: string
The unique ID of the detector that the request is associated with.
- FailureReason
-
- Type: string
Represents the reason for FAILED scan status.
- FileCount
-
- Type: long (int|float)
Represents the number of files that were scanned.
- ResourceDetails
-
- Type: ResourceDetails structure
Represents the resources that were scanned in the scan entry.
- ScanEndTime
-
- Type: timestamp (string|DateTime or anything parsable by strtotime)
The timestamp of when the scan was finished.
- ScanId
-
- Type: string
The unique scan ID associated with a scan entry.
- ScanResultDetails
-
- Type: ScanResultDetails structure
Represents the result of the scan.
- ScanStartTime
-
- Type: timestamp (string|DateTime or anything parsable by strtotime)
The timestamp of when the scan was triggered.
- ScanStatus
-
- Type: string
An enum value representing possible scan statuses.
- TotalBytes
-
- Type: long (int|float)
Represents total bytes that were scanned.
- TriggerDetails
-
- Type: TriggerDetails structure
Represents the reason the scan was triggered.
ScanCondition
Description
Contains information about the condition.
Members
- MapEquals
-
- Required: Yes
- Type: Array of ScanConditionPair structures
Represents an mapEqual condition to be applied to a single field when triggering for malware scan.
ScanConditionPair
Description
Represents key, value pair to be matched against given resource property.
Members
ScanDetections
Description
Contains a complete view providing malware scan result details.
Members
- HighestSeverityThreatDetails
-
- Type: HighestSeverityThreatDetails structure
Details of the highest severity threat detected during malware scan and number of infected files.
- ScannedItemCount
-
- Type: ScannedItemCount structure
Total number of scanned files.
- ThreatDetectedByName
-
- Type: ThreatDetectedByName structure
Contains details about identified threats organized by threat name.
- ThreatsDetectedItemCount
-
- Type: ThreatsDetectedItemCount structure
Total number of infected files.
ScanEc2InstanceWithFindings
Description
Describes whether Malware Protection for EC2 instances with findings will be enabled as a data source.
Members
ScanEc2InstanceWithFindingsResult
Description
An object that contains information on the status of whether Malware Protection for EC2 instances with findings will be enabled as a data source.
Members
- EbsVolumes
-
- Type: EbsVolumesResult structure
Describes the configuration of scanning EBS volumes as a data source.
ScanFilePath
Description
Contains details of infected file including name, file path and hash.
Members
ScanResourceCriteria
Description
Contains information about criteria used to filter resources before triggering malware scan.
Members
- Exclude
-
- Type: Associative array of custom strings keys (ScanCriterionKey) to ScanCondition structures
Represents condition that when matched will prevent a malware scan for a certain resource.
- Include
-
- Type: Associative array of custom strings keys (ScanCriterionKey) to ScanCondition structures
Represents condition that when matched will allow a malware scan for a certain resource.
ScanResultDetails
Description
Represents the result of the scan.
Members
ScanThreatName
Description
Contains files infected with the given threat providing details of malware name and severity.
Members
- FilePaths
-
- Type: Array of ScanFilePath structures
List of infected files in EBS volume with details.
- ItemCount
-
- Type: int
Total number of files infected with given threat.
- Name
-
- Type: string
The name of the identified threat.
- Severity
-
- Type: string
Severity of threat identified as part of the malware scan.
ScannedItemCount
Description
Total number of scanned files.
Members
SecurityContext
Description
Container security context.
Members
SecurityGroup
Description
Contains information about the security groups associated with the EC2 instance.
Members
Service
Description
Contains additional information about the generated finding.
Members
- Action
-
- Type: Action structure
Information about the activity that is described in a finding.
- AdditionalInfo
-
- Type: ServiceAdditionalInfo structure
Contains additional information about the generated finding.
- Archived
-
- Type: boolean
Indicates whether this finding is archived.
- Count
-
- Type: int
The total count of the occurrences of this finding type.
- DetectorId
-
- Type: string
The detector ID for the GuardDuty service.
- EbsVolumeScanDetails
-
- Type: EbsVolumeScanDetails structure
Returns details from the malware scan that created a finding.
- EventFirstSeen
-
- Type: string
The first-seen timestamp of the activity that prompted GuardDuty to generate this finding.
- EventLastSeen
-
- Type: string
The last-seen timestamp of the activity that prompted GuardDuty to generate this finding.
- Evidence
-
- Type: Evidence structure
An evidence object associated with the service.
- FeatureName
-
- Type: string
The name of the feature that generated a finding.
- ResourceRole
-
- Type: string
The resource role information for this finding.
- ServiceName
-
- Type: string
The name of the Amazon Web Services service (GuardDuty) that generated a finding.
- UserFeedback
-
- Type: string
Feedback that was submitted about the finding.
ServiceAdditionalInfo
Description
Additional information about the generated finding.
Members
SortCriteria
Description
Contains information about the criteria used for sorting findings.
Members
Tag
Description
Contains information about a tag associated with the EC2 instance.
Members
ThreatDetectedByName
Description
Contains details about identified threats organized by threat name.
Members
- ItemCount
-
- Type: int
Total number of infected files identified.
- Shortened
-
- Type: boolean
Flag to determine if the finding contains every single infected file-path and/or every threat.
- ThreatNames
-
- Type: Array of ScanThreatName structures
List of identified threats with details, organized by threat name.
- UniqueThreatNameCount
-
- Type: int
Total number of unique threats by name identified, as part of the malware scan.
ThreatIntelligenceDetail
Description
An instance of a threat intelligence detail that constitutes evidence for the finding.
Members
ThreatsDetectedItemCount
Description
Contains total number of infected files.
Members
Total
Description
Contains the total usage with the corresponding currency unit for that value.
Members
TriggerDetails
Description
Represents the reason the scan was triggered.
Members
UnprocessedAccount
Description
Contains information about the accounts that weren't processed.
Members
UnprocessedDataSourcesResult
Description
Specifies the names of the data sources that couldn't be enabled.
Members
- MalwareProtection
-
- Type: MalwareProtectionConfigurationResult structure
An object that contains information on the status of all Malware Protection data sources.
UsageAccountResult
Description
Contains information on the total of usage based on account IDs.
Members
- AccountId
-
- Type: string
The Account ID that generated usage.
- Total
-
- Type: Total structure
Represents the total of usage for the Account ID.
UsageCriteria
Description
Contains information about the criteria used to query usage statistics.
Members
- AccountIds
-
- Type: Array of strings
The account IDs to aggregate usage statistics from.
- DataSources
-
- Required: Yes
- Type: Array of strings
The data sources to aggregate usage statistics from.
- Resources
-
- Type: Array of strings
The resources to aggregate usage statistics from. Only accepts exact resource names.
UsageDataSourceResult
Description
Contains information on the result of usage based on data source type.
Members
- DataSource
-
- Type: string
The data source type that generated usage.
- Total
-
- Type: Total structure
Represents the total of usage for the specified data source.
UsageResourceResult
Description
Contains information on the sum of usage based on an Amazon Web Services resource.
Members
- Resource
-
- Type: string
The Amazon Web Services resource that generated usage.
- Total
-
- Type: Total structure
Represents the sum total of usage for the specified resource type.
UsageStatistics
Description
Contains the result of GuardDuty usage. If a UsageStatisticType is provided the result for other types will be null.
Members
- SumByAccount
-
- Type: Array of UsageAccountResult structures
The usage statistic sum organized by account ID.
- SumByDataSource
-
- Type: Array of UsageDataSourceResult structures
The usage statistic sum organized by on data source.
- SumByResource
-
- Type: Array of UsageResourceResult structures
The usage statistic sum organized by resource.
- TopResources
-
- Type: Array of UsageResourceResult structures
Lists the top 50 resources that have generated the most GuardDuty usage, in order from most to least expensive.
Volume
Description
Volume used by the Kubernetes workload.
Members
- HostPath
-
- Type: HostPath structure
Represents a pre-existing file or directory on the host machine that the volume maps to.
- Name
-
- Type: string
Volume name.
VolumeDetail
Description
Contains EBS volume details.
Members
- DeviceName
-
- Type: string
The device name for the EBS volume.
- EncryptionType
-
- Type: string
EBS volume encryption type.
- KmsKeyArn
-
- Type: string
KMS key Arn used to encrypt the EBS volume.
- SnapshotArn
-
- Type: string
Snapshot Arn of the EBS volume.
- VolumeArn
-
- Type: string
EBS volume Arn information.
- VolumeSizeInGB
-
- Type: int
EBS volume size in GB.
- VolumeType
-
- Type: string
The EBS volume type.