Note: You are viewing the documentation for an older major version of the AWS CLI (version 1).

AWS CLI version 2, the latest major version of AWS CLI, is now stable and recommended for general use. To view this page for the AWS CLI version 2, click here. For more information see the AWS CLI version 2 installation instructions and migration guide.

[ aws . guardduty ]

get-findings

Description

Describes Amazon GuardDuty findings specified by finding IDs.

See also: AWS API Documentation

See 'aws help' for descriptions of global parameters.

Synopsis

  get-findings
--detector-id <value>
--finding-ids <value>
[--sort-criteria <value>]
[--cli-input-json <value>]
[--generate-cli-skeleton <value>]

Options

--detector-id (string)

The ID of the detector that specifies the GuardDuty service whose findings you want to retrieve.

--finding-ids (list)

The IDs of the findings that you want to retrieve.

(string)

Syntax:

"string" "string" ...

--sort-criteria (structure)

Represents the criteria used for sorting findings.

AttributeName -> (string)

Represents the finding attribute (for example, accountId) to sort findings by.

OrderBy -> (string)

The order by which the sorted findings are to be displayed.

Shorthand Syntax:

AttributeName=string,OrderBy=string

JSON Syntax:

{
  "AttributeName": "string",
  "OrderBy": "ASC"|"DESC"
}

--cli-input-json (string) Performs service operation based on the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton. If other arguments are provided on the command line, the CLI values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally.

--generate-cli-skeleton (string) Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input, prints a sample input JSON that can be used as an argument for --cli-input-json. If provided with the value output, it validates the command inputs and returns a sample output JSON for that command.

See 'aws help' for descriptions of global parameters.

Examples

Note

To use the following examples, you must have the AWS CLI installed and configured. See the Getting started guide in the AWS CLI User Guide for more information.

Unless otherwise stated, all examples have unix-like quotation rules. These examples will need to be adapted to your terminal's quoting rules. See Using quotation marks with strings in the AWS CLI User Guide .

Example 1: To retrieve the details of a specific finding

The following get-findings example retrieves the full JSON finding details of the specified finding.

aws guardduty get-findings \
    --detector-id 12abc34d567e8fa901bc2d34eexample \
    --finding-id 1ab92989eaf0e742df4a014d5example

Output:

{
    "Findings": [
        {
            "Resource": {
                "ResourceType": "AccessKey",
                "AccessKeyDetails": {
                    "UserName": "testuser",
                    "UserType": "IAMUser",
                    "PrincipalId": "AIDACKCEVSQ6C2EXAMPLE",
                    "AccessKeyId": "ASIASZ4SI7REEEXAMPLE"
                }
            },
            "Description": "APIs commonly used to discover the users, groups, policies and permissions in an account, was invoked by IAM principal testuser under unusual circumstances. Such activity is not typically seen from this principal.",
            "Service": {
                "Count": 5,
                "Archived": false,
                "ServiceName": "guardduty",
                "EventFirstSeen": "2020-05-26T22:02:24Z",
                "ResourceRole": "TARGET",
                "EventLastSeen": "2020-05-26T22:33:55Z",
                "DetectorId": "d4b040365221be2b54a6264dcexample",
                "Action": {
                    "ActionType": "AWS_API_CALL",
                    "AwsApiCallAction": {
                        "RemoteIpDetails": {
                            "GeoLocation": {
                                "Lat": 51.5164,
                                "Lon": -0.093
                            },
                            "City": {
                                "CityName": "London"
                            },
                            "IpAddressV4": "52.94.36.7",
                            "Organization": {
                                "Org": "Amazon.com",
                                "Isp": "Amazon.com",
                                "Asn": "16509",
                                "AsnOrg": "AMAZON-02"
                            },
                            "Country": {
                                "CountryName": "United Kingdom"
                            }
                        },
                        "Api": "ListPolicyVersions",
                        "ServiceName": "iam.amazonaws.com",
                        "CallerType": "Remote IP"
                    }
                }
            },
            "Title": "Unusual user permission reconnaissance activity by testuser.",
            "Type": "Recon:IAMUser/UserPermissions",
            "Region": "us-east-1",
            "Partition": "aws",
            "Arn": "arn:aws:guardduty:us-east-1:111122223333:detector/d4b040365221be2b54a6264dcexample/finding/1ab92989eaf0e742df4a014d5example",
            "UpdatedAt": "2020-05-26T22:55:21.703Z",
            "SchemaVersion": "2.0",
            "Severity": 5,
            "Id": "1ab92989eaf0e742df4a014d5example",
            "CreatedAt": "2020-05-26T22:21:48.385Z",
            "AccountId": "111122223333"
        }
    ]
}

For more information, see Findings in the GuardDuty User Guide.

Output

Findings -> (list)

A list of findings.

(structure)

Contains information about the finding, which is generated when abnormal or suspicious activity is detected.

AccountId -> (string)

The ID of the account in which the finding was generated.

Arn -> (string)

The ARN of the finding.

Confidence -> (double)

The confidence score for the finding.

CreatedAt -> (string)

The time and date when the finding was created.

Description -> (string)

The description of the finding.

Id -> (string)

The ID of the finding.

Partition -> (string)

The partition associated with the finding.

Region -> (string)

The Region where the finding was generated.

Resource -> (structure)

Contains information about the Amazon Web Services resource associated with the activity that prompted GuardDuty to generate a finding.

AccessKeyDetails -> (structure)

The IAM access key details (IAM user information) of a user that engaged in the activity that prompted GuardDuty to generate a finding.

AccessKeyId -> (string)

The access key ID of the user.

PrincipalId -> (string)

The principal ID of the user.

UserName -> (string)

The name of the user.

UserType -> (string)

The type of the user.

S3BucketDetails -> (list)

Contains information on the S3 bucket.

(structure)

Contains information on the S3 bucket.

Arn -> (string)

The Amazon Resource Name (ARN) of the S3 bucket.

Name -> (string)

The name of the S3 bucket.

Type -> (string)

Describes whether the bucket is a source or destination bucket.

CreatedAt -> (timestamp)

The date and time the bucket was created at.

Owner -> (structure)

The owner of the S3 bucket.

Id -> (string)

The canonical user ID of the bucket owner. For information about locating your canonical user ID see Finding Your Account Canonical User ID.

Tags -> (list)

All tags attached to the S3 bucket

(structure)

Contains information about a tag associated with the EC2 instance.

Key -> (string)

The EC2 instance tag key.

Value -> (string)

The EC2 instance tag value.

DefaultServerSideEncryption -> (structure)

Describes the server side encryption method used in the S3 bucket.

EncryptionType -> (string)

The type of encryption used for objects within the S3 bucket.

KmsMasterKeyArn -> (string)

The Amazon Resource Name (ARN) of the KMS encryption key. Only available if the bucket EncryptionType is aws:kms .

PublicAccess -> (structure)

Describes the public access policies that apply to the S3 bucket.

PermissionConfiguration -> (structure)

Contains information about how permissions are configured for the S3 bucket.

BucketLevelPermissions -> (structure)

Contains information about the bucket level permissions for the S3 bucket.

AccessControlList -> (structure)

Contains information on how Access Control Policies are applied to the bucket.

AllowsPublicReadAccess -> (boolean)

A value that indicates whether public read access for the bucket is enabled through an Access Control List (ACL).

AllowsPublicWriteAccess -> (boolean)

A value that indicates whether public write access for the bucket is enabled through an Access Control List (ACL).

BucketPolicy -> (structure)

Contains information on the bucket policies for the S3 bucket.

AllowsPublicReadAccess -> (boolean)

A value that indicates whether public read access for the bucket is enabled through a bucket policy.

AllowsPublicWriteAccess -> (boolean)

A value that indicates whether public write access for the bucket is enabled through a bucket policy.

BlockPublicAccess -> (structure)

Contains information on which account level S3 Block Public Access settings are applied to the S3 bucket.

IgnorePublicAcls -> (boolean)

Indicates if S3 Block Public Access is set to IgnorePublicAcls .

RestrictPublicBuckets -> (boolean)

Indicates if S3 Block Public Access is set to RestrictPublicBuckets .

BlockPublicAcls -> (boolean)

Indicates if S3 Block Public Access is set to BlockPublicAcls .

BlockPublicPolicy -> (boolean)

Indicates if S3 Block Public Access is set to BlockPublicPolicy .

AccountLevelPermissions -> (structure)

Contains information about the account level permissions on the S3 bucket.

BlockPublicAccess -> (structure)

Describes the S3 Block Public Access settings of the bucket's parent account.

IgnorePublicAcls -> (boolean)

Indicates if S3 Block Public Access is set to IgnorePublicAcls .

RestrictPublicBuckets -> (boolean)

Indicates if S3 Block Public Access is set to RestrictPublicBuckets .

BlockPublicAcls -> (boolean)

Indicates if S3 Block Public Access is set to BlockPublicAcls .

BlockPublicPolicy -> (boolean)

Indicates if S3 Block Public Access is set to BlockPublicPolicy .

EffectivePermission -> (string)

Describes the effective permission on this bucket after factoring all attached policies.

InstanceDetails -> (structure)

The information about the EC2 instance associated with the activity that prompted GuardDuty to generate a finding.

AvailabilityZone -> (string)

The Availability Zone of the EC2 instance.

IamInstanceProfile -> (structure)

The profile information of the EC2 instance.

Arn -> (string)

The profile ARN of the EC2 instance.

Id -> (string)

The profile ID of the EC2 instance.

ImageDescription -> (string)

The image description of the EC2 instance.

ImageId -> (string)

The image ID of the EC2 instance.

InstanceId -> (string)

The ID of the EC2 instance.

InstanceState -> (string)

The state of the EC2 instance.

InstanceType -> (string)

The type of the EC2 instance.

OutpostArn -> (string)

The Amazon Resource Name (ARN) of the Amazon Web Services Outpost. Only applicable to Amazon Web Services Outposts instances.

LaunchTime -> (string)

The launch time of the EC2 instance.

NetworkInterfaces -> (list)

The elastic network interface information of the EC2 instance.

(structure)

Contains information about the elastic network interface of the EC2 instance.

Ipv6Addresses -> (list)

A list of IPv6 addresses for the EC2 instance.

(string)

NetworkInterfaceId -> (string)

The ID of the network interface.

PrivateDnsName -> (string)

The private DNS name of the EC2 instance.

PrivateIpAddress -> (string)

The private IP address of the EC2 instance.

PrivateIpAddresses -> (list)

Other private IP address information of the EC2 instance.

(structure)

Contains other private IP address information of the EC2 instance.

PrivateDnsName -> (string)

The private DNS name of the EC2 instance.

PrivateIpAddress -> (string)

The private IP address of the EC2 instance.

PublicDnsName -> (string)

The public DNS name of the EC2 instance.

PublicIp -> (string)

The public IP address of the EC2 instance.

SecurityGroups -> (list)

The security groups associated with the EC2 instance.

(structure)

Contains information about the security groups associated with the EC2 instance.

GroupId -> (string)

The security group ID of the EC2 instance.

GroupName -> (string)

The security group name of the EC2 instance.

SubnetId -> (string)

The subnet ID of the EC2 instance.

VpcId -> (string)

The VPC ID of the EC2 instance.

Platform -> (string)

The platform of the EC2 instance.

ProductCodes -> (list)

The product code of the EC2 instance.

(structure)

Contains information about the product code for the EC2 instance.

Code -> (string)

The product code information.

ProductType -> (string)

The product code type.

Tags -> (list)

The tags of the EC2 instance.

(structure)

Contains information about a tag associated with the EC2 instance.

Key -> (string)

The EC2 instance tag key.

Value -> (string)

The EC2 instance tag value.

EksClusterDetails -> (structure)

Details about the EKS cluster involved in a Kubernetes finding.

Name -> (string)

EKS cluster name.

Arn -> (string)

EKS cluster ARN.

VpcId -> (string)

The VPC ID to which the EKS cluster is attached.

Status -> (string)

The EKS cluster status.

Tags -> (list)

The EKS cluster tags.

(structure)

Contains information about a tag associated with the EC2 instance.

Key -> (string)

The EC2 instance tag key.

Value -> (string)

The EC2 instance tag value.

CreatedAt -> (timestamp)

The timestamp when the EKS cluster was created.

KubernetesDetails -> (structure)

Details about the Kubernetes user and workload involved in a Kubernetes finding.

KubernetesUserDetails -> (structure)

Details about the Kubernetes user involved in a Kubernetes finding.

Username -> (string)

The username of the user who called the Kubernetes API.

Uid -> (string)

The user ID of the user who called the Kubernetes API.

Groups -> (list)

The groups that include the user who called the Kubernetes API.

(string)

KubernetesWorkloadDetails -> (structure)

Details about the Kubernetes workload involved in a Kubernetes finding.

Name -> (string)

Kubernetes workload name.

Type -> (string)

Kubernetes workload type (e.g. Pod, Deployment, etc.).

Uid -> (string)

Kubernetes workload ID.

Namespace -> (string)

Kubernetes namespace that the workload is part of.

HostNetwork -> (boolean)

Whether the hostNetwork flag is enabled for the pods included in the workload.

Containers -> (list)

Containers running as part of the Kubernetes workload.

(structure)

Details of a container.

ContainerRuntime -> (string)

The container runtime (such as, Docker or containerd) used to run the container.

Id -> (string)

Container ID.

Name -> (string)

Container name.

Image -> (string)

Container image.

ImagePrefix -> (string)

Part of the image name before the last slash. For example, imagePrefix for public.ecr.aws/amazonlinux/amazonlinux:latest would be public.ecr.aws/amazonlinux. If the image name is relative and does not have a slash, this field is empty.

VolumeMounts -> (list)

Container volume mounts.

(structure)

Container volume mount.

Name -> (string)

Volume mount name.

MountPath -> (string)

Volume mount path.

SecurityContext -> (structure)

Container security context.

Privileged -> (boolean)

Whether the container is privileged.

Volumes -> (list)

Volumes used by the Kubernetes workload.

(structure)

Volume used by the Kubernetes workload.

Name -> (string)

Volume name.

HostPath -> (structure)

Represents a pre-existing file or directory on the host machine that the volume maps to.

Path -> (string)

Path of the file or directory on the host that the volume maps to.

ResourceType -> (string)

The type of Amazon Web Services resource.

EbsVolumeDetails -> (structure)

Contains list of scanned and skipped EBS volumes with details.

ScannedVolumeDetails -> (list)

List of EBS volumes that were scanned.

(structure)

Contains EBS volume details.

VolumeArn -> (string)

EBS volume Arn information.

VolumeType -> (string)

The EBS volume type.

DeviceName -> (string)

The device name for the EBS volume.

VolumeSizeInGB -> (integer)

EBS volume size in GB.

EncryptionType -> (string)

EBS volume encryption type.

SnapshotArn -> (string)

Snapshot Arn of the EBS volume.

KmsKeyArn -> (string)

KMS key Arn used to encrypt the EBS volume.

SkippedVolumeDetails -> (list)

List of EBS volumes that were skipped from the malware scan.

(structure)

Contains EBS volume details.

VolumeArn -> (string)

EBS volume Arn information.

VolumeType -> (string)

The EBS volume type.

DeviceName -> (string)

The device name for the EBS volume.

VolumeSizeInGB -> (integer)

EBS volume size in GB.

EncryptionType -> (string)

EBS volume encryption type.

SnapshotArn -> (string)

Snapshot Arn of the EBS volume.

KmsKeyArn -> (string)

KMS key Arn used to encrypt the EBS volume.

EcsClusterDetails -> (structure)

Contains information about the details of the ECS Cluster.

Name -> (string)

The name of the ECS Cluster.

Arn -> (string)

The Amazon Resource Name (ARN) that identifies the cluster.

Status -> (string)

The status of the ECS cluster.

ActiveServicesCount -> (integer)

The number of services that are running on the cluster in an ACTIVE state.

RegisteredContainerInstancesCount -> (integer)

The number of container instances registered into the cluster.

RunningTasksCount -> (integer)

The number of tasks in the cluster that are in the RUNNING state.

Tags -> (list)

The tags of the ECS Cluster.

(structure)

Contains information about a tag associated with the EC2 instance.

Key -> (string)

The EC2 instance tag key.

Value -> (string)

The EC2 instance tag value.

TaskDetails -> (structure)

Contains information about the details of the ECS Task.

Arn -> (string)

The Amazon Resource Name (ARN) of the task.

DefinitionArn -> (string)

The ARN of the task definition that creates the task.

Version -> (string)

The version counter for the task.

TaskCreatedAt -> (timestamp)

The Unix timestamp for the time when the task was created.

StartedAt -> (timestamp)

The Unix timestamp for the time when the task started.

StartedBy -> (string)

Contains the tag specified when a task is started.

Tags -> (list)

The tags of the ECS Task.

(structure)

Contains information about a tag associated with the EC2 instance.

Key -> (string)

The EC2 instance tag key.

Value -> (string)

The EC2 instance tag value.

Volumes -> (list)

The list of data volume definitions for the task.

(structure)

Volume used by the Kubernetes workload.

Name -> (string)

Volume name.

HostPath -> (structure)

Represents a pre-existing file or directory on the host machine that the volume maps to.

Path -> (string)

Path of the file or directory on the host that the volume maps to.

Containers -> (list)

The containers that's associated with the task.

(structure)

Details of a container.

ContainerRuntime -> (string)

The container runtime (such as, Docker or containerd) used to run the container.

Id -> (string)

Container ID.

Name -> (string)

Container name.

Image -> (string)

Container image.

ImagePrefix -> (string)

Part of the image name before the last slash. For example, imagePrefix for public.ecr.aws/amazonlinux/amazonlinux:latest would be public.ecr.aws/amazonlinux. If the image name is relative and does not have a slash, this field is empty.

VolumeMounts -> (list)

Container volume mounts.

(structure)

Container volume mount.

Name -> (string)

Volume mount name.

MountPath -> (string)

Volume mount path.

SecurityContext -> (structure)

Container security context.

Privileged -> (boolean)

Whether the container is privileged.

Group -> (string)

The name of the task group that's associated with the task.

ContainerDetails -> (structure)

Details of a container.

ContainerRuntime -> (string)

The container runtime (such as, Docker or containerd) used to run the container.

Id -> (string)

Container ID.

Name -> (string)

Container name.

Image -> (string)

Container image.

ImagePrefix -> (string)

Part of the image name before the last slash. For example, imagePrefix for public.ecr.aws/amazonlinux/amazonlinux:latest would be public.ecr.aws/amazonlinux. If the image name is relative and does not have a slash, this field is empty.

VolumeMounts -> (list)

Container volume mounts.

(structure)

Container volume mount.

Name -> (string)

Volume mount name.

MountPath -> (string)

Volume mount path.

SecurityContext -> (structure)

Container security context.

Privileged -> (boolean)

Whether the container is privileged.

SchemaVersion -> (string)

The version of the schema used for the finding.

Service -> (structure)

Contains additional information about the generated finding.

Action -> (structure)

Information about the activity that is described in a finding.

ActionType -> (string)

The GuardDuty finding activity type.

AwsApiCallAction -> (structure)

Information about the AWS_API_CALL action described in this finding.

Api -> (string)

The Amazon Web Services API name.

CallerType -> (string)

The Amazon Web Services API caller type.

DomainDetails -> (structure)

The domain information for the Amazon Web Services API call.

Domain -> (string)

The domain information for the Amazon Web Services API call.

ErrorCode -> (string)

The error code of the failed Amazon Web Services API action.

UserAgent -> (string)

The agent through which the API request was made.

RemoteIpDetails -> (structure)

The remote IP information of the connection that initiated the Amazon Web Services API call.

City -> (structure)

The city information of the remote IP address.

CityName -> (string)

The city name of the remote IP address.

Country -> (structure)

The country code of the remote IP address.

CountryCode -> (string)

The country code of the remote IP address.

CountryName -> (string)

The country name of the remote IP address.

GeoLocation -> (structure)

The location information of the remote IP address.

Lat -> (double)

The latitude information of the remote IP address.

Lon -> (double)

The longitude information of the remote IP address.

IpAddressV4 -> (string)

The IPv4 remote address of the connection.

Organization -> (structure)

The ISP organization information of the remote IP address.

Asn -> (string)

The Autonomous System Number (ASN) of the internet provider of the remote IP address.

AsnOrg -> (string)

The organization that registered this ASN.

Isp -> (string)

The ISP information for the internet provider.

Org -> (string)

The name of the internet provider.

ServiceName -> (string)

The Amazon Web Services service name whose API was invoked.

RemoteAccountDetails -> (structure)

The details of the Amazon Web Services account that made the API call. This field appears if the call was made from outside your account.

AccountId -> (string)

The Amazon Web Services account ID of the remote API caller.

Affiliated -> (boolean)

Details on whether the Amazon Web Services account of the remote API caller is related to your GuardDuty environment. If this value is True the API caller is affiliated to your account in some way. If it is False the API caller is from outside your environment.

AffectedResources -> (map)

The details of the Amazon Web Services account that made the API call. This field identifies the resources that were affected by this API call.

key -> (string)

value -> (string)

DnsRequestAction -> (structure)

Information about the DNS_REQUEST action described in this finding.

Domain -> (string)

The domain information for the API request.

Protocol -> (string)

The network connection protocol observed in the activity that prompted GuardDuty to generate the finding.

Blocked -> (boolean)

Indicates whether the targeted port is blocked.

NetworkConnectionAction -> (structure)

Information about the NETWORK_CONNECTION action described in this finding.

Blocked -> (boolean)

Indicates whether EC2 blocked the network connection to your instance.

ConnectionDirection -> (string)

The network connection direction.

LocalPortDetails -> (structure)

The local port information of the connection.

Port -> (integer)

The port number of the local connection.

PortName -> (string)

The port name of the local connection.

Protocol -> (string)

The network connection protocol.

LocalIpDetails -> (structure)

The local IP information of the connection.

IpAddressV4 -> (string)

The IPv4 local address of the connection.

RemoteIpDetails -> (structure)

The remote IP information of the connection.

City -> (structure)

The city information of the remote IP address.

CityName -> (string)

The city name of the remote IP address.

Country -> (structure)

The country code of the remote IP address.

CountryCode -> (string)

The country code of the remote IP address.

CountryName -> (string)

The country name of the remote IP address.

GeoLocation -> (structure)

The location information of the remote IP address.

Lat -> (double)

The latitude information of the remote IP address.

Lon -> (double)

The longitude information of the remote IP address.

IpAddressV4 -> (string)

The IPv4 remote address of the connection.

Organization -> (structure)

The ISP organization information of the remote IP address.

Asn -> (string)

The Autonomous System Number (ASN) of the internet provider of the remote IP address.

AsnOrg -> (string)

The organization that registered this ASN.

Isp -> (string)

The ISP information for the internet provider.

Org -> (string)

The name of the internet provider.

RemotePortDetails -> (structure)

The remote port information of the connection.

Port -> (integer)

The port number of the remote connection.

PortName -> (string)

The port name of the remote connection.

PortProbeAction -> (structure)

Information about the PORT_PROBE action described in this finding.

Blocked -> (boolean)

Indicates whether EC2 blocked the port probe to the instance, such as with an ACL.

PortProbeDetails -> (list)

A list of objects related to port probe details.

(structure)

Contains information about the port probe details.

LocalPortDetails -> (structure)

The local port information of the connection.

Port -> (integer)

The port number of the local connection.

PortName -> (string)

The port name of the local connection.

LocalIpDetails -> (structure)

The local IP information of the connection.

IpAddressV4 -> (string)

The IPv4 local address of the connection.

RemoteIpDetails -> (structure)

The remote IP information of the connection.

City -> (structure)

The city information of the remote IP address.

CityName -> (string)

The city name of the remote IP address.

Country -> (structure)

The country code of the remote IP address.

CountryCode -> (string)

The country code of the remote IP address.

CountryName -> (string)

The country name of the remote IP address.

GeoLocation -> (structure)

The location information of the remote IP address.

Lat -> (double)

The latitude information of the remote IP address.

Lon -> (double)

The longitude information of the remote IP address.

IpAddressV4 -> (string)

The IPv4 remote address of the connection.

Organization -> (structure)

The ISP organization information of the remote IP address.

Asn -> (string)

The Autonomous System Number (ASN) of the internet provider of the remote IP address.

AsnOrg -> (string)

The organization that registered this ASN.

Isp -> (string)

The ISP information for the internet provider.

Org -> (string)

The name of the internet provider.

KubernetesApiCallAction -> (structure)

Information about the Kubernetes API call action described in this finding.

RequestUri -> (string)

The Kubernetes API request URI.

Verb -> (string)

The Kubernetes API request HTTP verb.

SourceIps -> (list)

The IP of the Kubernetes API caller and the IPs of any proxies or load balancers between the caller and the API endpoint.

(string)

UserAgent -> (string)

The user agent of the caller of the Kubernetes API.

RemoteIpDetails -> (structure)

Contains information about the remote IP address of the connection.

City -> (structure)

The city information of the remote IP address.

CityName -> (string)

The city name of the remote IP address.

Country -> (structure)

The country code of the remote IP address.

CountryCode -> (string)

The country code of the remote IP address.

CountryName -> (string)

The country name of the remote IP address.

GeoLocation -> (structure)

The location information of the remote IP address.

Lat -> (double)

The latitude information of the remote IP address.

Lon -> (double)

The longitude information of the remote IP address.

IpAddressV4 -> (string)

The IPv4 remote address of the connection.

Organization -> (structure)

The ISP organization information of the remote IP address.

Asn -> (string)

The Autonomous System Number (ASN) of the internet provider of the remote IP address.

AsnOrg -> (string)

The organization that registered this ASN.

Isp -> (string)

The ISP information for the internet provider.

Org -> (string)

The name of the internet provider.

StatusCode -> (integer)

The resulting HTTP response code of the Kubernetes API call action.

Parameters -> (string)

Parameters related to the Kubernetes API call action.

Evidence -> (structure)

An evidence object associated with the service.

ThreatIntelligenceDetails -> (list)

A list of threat intelligence details related to the evidence.

(structure)

An instance of a threat intelligence detail that constitutes evidence for the finding.

ThreatListName -> (string)

The name of the threat intelligence list that triggered the finding.

ThreatNames -> (list)

A list of names of the threats in the threat intelligence list that triggered the finding.

(string)

Archived -> (boolean)

Indicates whether this finding is archived.

Count -> (integer)

The total count of the occurrences of this finding type.

DetectorId -> (string)

The detector ID for the GuardDuty service.

EventFirstSeen -> (string)

The first-seen timestamp of the activity that prompted GuardDuty to generate this finding.

EventLastSeen -> (string)

The last-seen timestamp of the activity that prompted GuardDuty to generate this finding.

ResourceRole -> (string)

The resource role information for this finding.

ServiceName -> (string)

The name of the Amazon Web Services service (GuardDuty) that generated a finding.

UserFeedback -> (string)

Feedback that was submitted about the finding.

AdditionalInfo -> (structure)

Contains additional information about the generated finding.

Value -> (string)

This field specifies the value of the additional information.

Type -> (string)

Describes the type of the additional information.

FeatureName -> (string)

The name of the feature that generated a finding.

EbsVolumeScanDetails -> (structure)

Returns details from the malware scan that created a finding.

ScanId -> (string)

Unique Id of the malware scan that generated the finding.

ScanStartedAt -> (timestamp)

Returns the start date and time of the malware scan.

ScanCompletedAt -> (timestamp)

Returns the completion date and time of the malware scan.

TriggerFindingId -> (string)

GuardDuty finding ID that triggered a malware scan.

Sources -> (list)

Contains list of threat intelligence sources used to detect threats.

(string)

ScanDetections -> (structure)

Contains a complete view providing malware scan result details.

ScannedItemCount -> (structure)

Total number of scanned files.

TotalGb -> (integer)

Total GB of files scanned for malware.

Files -> (integer)

Number of files scanned.

Volumes -> (integer)

Total number of scanned volumes.

ThreatsDetectedItemCount -> (structure)

Total number of infected files.

Files -> (integer)

Total number of infected files.

HighestSeverityThreatDetails -> (structure)

Details of the highest severity threat detected during malware scan and number of infected files.

Severity -> (string)

Severity level of the highest severity threat detected.

ThreatName -> (string)

Threat name of the highest severity threat detected as part of the malware scan.

Count -> (integer)

Total number of infected files with the highest severity threat detected.

ThreatDetectedByName -> (structure)

Contains details about identified threats organized by threat name.

ItemCount -> (integer)

Total number of infected files identified.

UniqueThreatNameCount -> (integer)

Total number of unique threats by name identified, as part of the malware scan.

Shortened -> (boolean)

Flag to determine if the finding contains every single infected file-path and/or every threat.

ThreatNames -> (list)

List of identified threats with details, organized by threat name.

(structure)

Contains files infected with the given threat providing details of malware name and severity.

Name -> (string)

The name of the identified threat.

Severity -> (string)

Severity of threat identified as part of the malware scan.

ItemCount -> (integer)

Total number of files infected with given threat.

FilePaths -> (list)

List of infected files in EBS volume with details.

(structure)

Contains details of infected file including name, file path and hash.

FilePath -> (string)

The file path of the infected file.

VolumeArn -> (string)

EBS volume Arn details of the infected file.

Hash -> (string)

The hash value of the infected file.

FileName -> (string)

File name of the infected file.

Severity -> (double)

The severity of the finding.

Title -> (string)

The title of the finding.

Type -> (string)

The type of finding.

UpdatedAt -> (string)

The time and date when the finding was last updated.