We announced the upcoming end-of-support for AWS SDK for JavaScript v2.
We recommend that you migrate to AWS SDK for JavaScript v3. For dates, additional details, and information on how to migrate, please refer to the linked announcement.

Class: AWS.GuardDuty

Inherits:
AWS.Service show all
Identifier:
guardduty
API Version:
2017-11-28
Defined in:
(unknown)

Overview

Constructs a service interface object. Each API operation is exposed as a function on service.

Service Description

Amazon GuardDuty is a continuous security monitoring service that analyzes and processes the following foundational data sources - VPC flow logs, Amazon Web Services CloudTrail management event logs, CloudTrail S3 data event logs, EKS audit logs, DNS logs, Amazon EBS volume data, runtime activity belonging to container workloads, such as Amazon EKS, Amazon ECS (including Amazon Web Services Fargate), and Amazon EC2 instances. It uses threat intelligence feeds, such as lists of malicious IPs and domains, and machine learning to identify unexpected, potentially unauthorized, and malicious activity within your Amazon Web Services environment. This can include issues like escalations of privileges, uses of exposed credentials, or communication with malicious IPs, domains, or presence of malware on your Amazon EC2 instances and container workloads. For example, GuardDuty can detect compromised EC2 instances and container workloads serving malware, or mining bitcoin.

GuardDuty also monitors Amazon Web Services account access behavior for signs of compromise, such as unauthorized infrastructure deployments like EC2 instances deployed in a Region that has never been used, or unusual API calls like a password policy change to reduce password strength.

GuardDuty informs you about the status of your Amazon Web Services environment by producing security findings that you can view in the GuardDuty console or through Amazon EventBridge. For more information, see the Amazon GuardDuty User Guide .

Sending a Request Using GuardDuty

var guardduty = new AWS.GuardDuty();
guardduty.acceptAdministratorInvitation(params, function (err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

Locking the API Version

In order to ensure that the GuardDuty object uses this specific API, you can construct the object by passing the apiVersion option to the constructor:

var guardduty = new AWS.GuardDuty({apiVersion: '2017-11-28'});

You can also set the API version globally in AWS.config.apiVersions using the guardduty service identifier:

AWS.config.apiVersions = {
  guardduty: '2017-11-28',
  // other service API versions
};

var guardduty = new AWS.GuardDuty();

Version:

  • 2017-11-28

Constructor Summary collapse

Property Summary collapse

Properties inherited from AWS.Service

apiVersions

Method Summary collapse

Methods inherited from AWS.Service

makeRequest, makeUnauthenticatedRequest, waitFor, setupRequestListeners, defineService

Constructor Details

new AWS.GuardDuty(options = {}) ⇒ Object

Constructs a service object. This object has one method for each API operation.

Examples:

Constructing a GuardDuty object

var guardduty = new AWS.GuardDuty({apiVersion: '2017-11-28'});

Options Hash (options):

  • params (map)

    An optional map of parameters to bind to every request sent by this service object. For more information on bound parameters, see "Working with Services" in the Getting Started Guide.

  • endpoint (String|AWS.Endpoint)

    The endpoint URI to send requests to. The default endpoint is built from the configured region. The endpoint should be a string like 'https://{service}.{region}.amazonaws.com' or an Endpoint object.

  • accessKeyId (String)

    your AWS access key ID.

  • secretAccessKey (String)

    your AWS secret access key.

  • sessionToken (AWS.Credentials)

    the optional AWS session token to sign requests with.

  • credentials (AWS.Credentials)

    the AWS credentials to sign requests with. You can either specify this object, or specify the accessKeyId and secretAccessKey options directly.

  • credentialProvider (AWS.CredentialProviderChain)

    the provider chain used to resolve credentials if no static credentials property is set.

  • region (String)

    the region to send service requests to. See AWS.GuardDuty.region for more information.

  • maxRetries (Integer)

    the maximum amount of retries to attempt with a request. See AWS.GuardDuty.maxRetries for more information.

  • maxRedirects (Integer)

    the maximum amount of redirects to follow with a request. See AWS.GuardDuty.maxRedirects for more information.

  • sslEnabled (Boolean)

    whether to enable SSL for requests.

  • paramValidation (Boolean|map)

    whether input parameters should be validated against the operation description before sending the request. Defaults to true. Pass a map to enable any of the following specific validation features:

    • min [Boolean] — Validates that a value meets the min constraint. This is enabled by default when paramValidation is set to true.
    • max [Boolean] — Validates that a value meets the max constraint.
    • pattern [Boolean] — Validates that a string value matches a regular expression.
    • enum [Boolean] — Validates that a string value matches one of the allowable enum values.
  • computeChecksums (Boolean)

    whether to compute checksums for payload bodies when the service accepts it (currently supported in S3 only)

  • convertResponseTypes (Boolean)

    whether types are converted when parsing response data. Currently only supported for JSON based services. Turning this off may improve performance on large response payloads. Defaults to true.

  • correctClockSkew (Boolean)

    whether to apply a clock skew correction and retry requests that fail because of an skewed client clock. Defaults to false.

  • s3ForcePathStyle (Boolean)

    whether to force path style URLs for S3 objects.

  • s3BucketEndpoint (Boolean)

    whether the provided endpoint addresses an individual bucket (false if it addresses the root API endpoint). Note that setting this configuration option requires an endpoint to be provided explicitly to the service constructor.

  • s3DisableBodySigning (Boolean)

    whether S3 body signing should be disabled when using signature version v4. Body signing can only be disabled when using https. Defaults to true.

  • s3UsEast1RegionalEndpoint ('legacy'|'regional')

    when region is set to 'us-east-1', whether to send s3 request to global endpoints or 'us-east-1' regional endpoints. This config is only applicable to S3 client. Defaults to legacy

  • s3UseArnRegion (Boolean)

    whether to override the request region with the region inferred from requested resource's ARN. Only available for S3 buckets Defaults to true

  • retryDelayOptions (map)

    A set of options to configure the retry delay on retryable errors. Currently supported options are:

    • base [Integer] — The base number of milliseconds to use in the exponential backoff for operation retries. Defaults to 100 ms for all services except DynamoDB, where it defaults to 50ms.
    • customBackoff [function] — A custom function that accepts a retry count and error and returns the amount of time to delay in milliseconds. If the result is a non-zero negative value, no further retry attempts will be made. The base option will be ignored if this option is supplied. The function is only called for retryable errors.
  • httpOptions (map)

    A set of options to pass to the low-level HTTP request. Currently supported options are:

    • proxy [String] — the URL to proxy requests through
    • agent [http.Agent, https.Agent] — the Agent object to perform HTTP requests with. Used for connection pooling. Defaults to the global agent (http.globalAgent) for non-SSL connections. Note that for SSL connections, a special Agent object is used in order to enable peer certificate verification. This feature is only available in the Node.js environment.
    • connectTimeout [Integer] — Sets the socket to timeout after failing to establish a connection with the server after connectTimeout milliseconds. This timeout has no effect once a socket connection has been established.
    • timeout [Integer] — Sets the socket to timeout after timeout milliseconds of inactivity on the socket. Defaults to two minutes (120000).
    • xhrAsync [Boolean] — Whether the SDK will send asynchronous HTTP requests. Used in the browser environment only. Set to false to send requests synchronously. Defaults to true (async on).
    • xhrWithCredentials [Boolean] — Sets the "withCredentials" property of an XMLHttpRequest object. Used in the browser environment only. Defaults to false.
  • apiVersion (String, Date)

    a String in YYYY-MM-DD format (or a date) that represents the latest possible API version that can be used in all services (unless overridden by apiVersions). Specify 'latest' to use the latest possible version.

  • apiVersions (map<String, String|Date>)

    a map of service identifiers (the lowercase service class name) with the API version to use when instantiating a service. Specify 'latest' for each individual that can use the latest available version.

  • logger (#write, #log)

    an object that responds to .write() (like a stream) or .log() (like the console object) in order to log information about requests

  • systemClockOffset (Number)

    an offset value in milliseconds to apply to all signing times. Use this to compensate for clock skew when your system may be out of sync with the service time. Note that this configuration option can only be applied to the global AWS.config object and cannot be overridden in service-specific configuration. Defaults to 0 milliseconds.

  • signatureVersion (String)

    the signature version to sign requests with (overriding the API configuration). Possible values are: 'v2', 'v3', 'v4'.

  • signatureCache (Boolean)

    whether the signature to sign requests with (overriding the API configuration) is cached. Only applies to the signature version 'v4'. Defaults to true.

  • dynamoDbCrc32 (Boolean)

    whether to validate the CRC32 checksum of HTTP response bodies returned by DynamoDB. Default: true.

  • useAccelerateEndpoint (Boolean)

    Whether to use the S3 Transfer Acceleration endpoint with the S3 service. Default: false.

  • clientSideMonitoring (Boolean)

    whether to collect and publish this client's performance metrics of all its API requests.

  • endpointDiscoveryEnabled (Boolean|undefined)

    whether to call operations with endpoints given by service dynamically. Setting this

  • endpointCacheSize (Number)

    the size of the global cache storing endpoints from endpoint discovery operations. Once endpoint cache is created, updating this setting cannot change existing cache size. Defaults to 1000

  • hostPrefixEnabled (Boolean)

    whether to marshal request parameters to the prefix of hostname. Defaults to true.

  • stsRegionalEndpoints ('legacy'|'regional')

    whether to send sts request to global endpoints or regional endpoints. Defaults to 'legacy'.

  • useFipsEndpoint (Boolean)

    Enables FIPS compatible endpoints. Defaults to false.

  • useDualstackEndpoint (Boolean)

    Enables IPv6 dualstack endpoint. Defaults to false.

Property Details

endpointAWS.Endpoint (readwrite)

Returns an Endpoint object representing the endpoint URL for service requests.

Returns:

  • (AWS.Endpoint)

    an Endpoint object representing the endpoint URL for service requests.

Method Details

acceptAdministratorInvitation(params = {}, callback) ⇒ AWS.Request

Accepts the invitation to be a member account and get monitored by a GuardDuty administrator account that sent the invitation.

Service Reference:

Examples:

Calling the acceptAdministratorInvitation operation

var params = {
  AdministratorId: 'STRING_VALUE', /* required */
  DetectorId: 'STRING_VALUE', /* required */
  InvitationId: 'STRING_VALUE' /* required */
};
guardduty.acceptAdministratorInvitation(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

Parameters:

  • params (Object) (defaults to: {})
    • DetectorId — (String)

      The unique ID of the detector of the GuardDuty member account.

    • AdministratorId — (String)

      The account ID of the GuardDuty administrator account whose invitation you're accepting.

    • InvitationId — (String)

      The value that is used to validate the administrator account to the member account.

Callback (callback):

  • function(err, data) { ... }

    Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.

    Context (this):

    • (AWS.Response)

      the response object containing error, data properties, and the original request object.

    Parameters:

    • err (Error)

      the error object returned from the request. Set to null if the request is successful.

    • data (Object)

      the de-serialized data returned from the request. Set to null if a request error occurs.

Returns:

  • (AWS.Request)

    a handle to the operation request for subsequent event callback registration.

acceptInvitation(params = {}, callback) ⇒ AWS.Request

Accepts the invitation to be monitored by a GuardDuty administrator account.

Service Reference:

Examples:

Calling the acceptInvitation operation

var params = {
  DetectorId: 'STRING_VALUE', /* required */
  InvitationId: 'STRING_VALUE', /* required */
  MasterId: 'STRING_VALUE' /* required */
};
guardduty.acceptInvitation(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

Parameters:

  • params (Object) (defaults to: {})
    • DetectorId — (String)

      The unique ID of the detector of the GuardDuty member account.

    • MasterId — (String)

      The account ID of the GuardDuty administrator account whose invitation you're accepting.

    • InvitationId — (String)

      The value that is used to validate the administrator account to the member account.

Callback (callback):

  • function(err, data) { ... }

    Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.

    Context (this):

    • (AWS.Response)

      the response object containing error, data properties, and the original request object.

    Parameters:

    • err (Error)

      the error object returned from the request. Set to null if the request is successful.

    • data (Object)

      the de-serialized data returned from the request. Set to null if a request error occurs.

Returns:

  • (AWS.Request)

    a handle to the operation request for subsequent event callback registration.

archiveFindings(params = {}, callback) ⇒ AWS.Request

Archives GuardDuty findings that are specified by the list of finding IDs.

Note: Only the administrator account can archive findings. Member accounts don't have permission to archive findings from their accounts.

Service Reference:

Examples:

Calling the archiveFindings operation

var params = {
  DetectorId: 'STRING_VALUE', /* required */
  FindingIds: [ /* required */
    'STRING_VALUE',
    /* more items */
  ]
};
guardduty.archiveFindings(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

Parameters:

  • params (Object) (defaults to: {})
    • DetectorId — (String)

      The ID of the detector that specifies the GuardDuty service whose findings you want to archive.

    • FindingIds — (Array<String>)

      The IDs of the findings that you want to archive.

Callback (callback):

  • function(err, data) { ... }

    Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.

    Context (this):

    • (AWS.Response)

      the response object containing error, data properties, and the original request object.

    Parameters:

    • err (Error)

      the error object returned from the request. Set to null if the request is successful.

    • data (Object)

      the de-serialized data returned from the request. Set to null if a request error occurs.

Returns:

  • (AWS.Request)

    a handle to the operation request for subsequent event callback registration.

createDetector(params = {}, callback) ⇒ AWS.Request

Creates a single GuardDuty detector. A detector is a resource that represents the GuardDuty service. To start using GuardDuty, you must create a detector in each Region where you enable the service. You can have only one detector per account per Region. All data sources are enabled in a new detector by default.

  • When you don't specify any features, with an exception to RUNTIME_MONITORING, all the optional features are enabled by default.

  • When you specify some of the features, any feature that is not specified in the API call gets enabled by default, with an exception to RUNTIME_MONITORING.

Specifying both EKS Runtime Monitoring (EKS_RUNTIME_MONITORING) and Runtime Monitoring (RUNTIME_MONITORING) will cause an error. You can add only one of these two features because Runtime Monitoring already includes the threat detection for Amazon EKS resources. For more information, see Runtime Monitoring.

There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints.

Service Reference:

Examples:

Calling the createDetector operation

var params = {
  Enable: true || false, /* required */
  ClientToken: 'STRING_VALUE',
  DataSources: {
    Kubernetes: {
      AuditLogs: { /* required */
        Enable: true || false /* required */
      }
    },
    MalwareProtection: {
      ScanEc2InstanceWithFindings: {
        EbsVolumes: true || false
      }
    },
    S3Logs: {
      Enable: true || false /* required */
    }
  },
  Features: [
    {
      AdditionalConfiguration: [
        {
          Name: EKS_ADDON_MANAGEMENT | ECS_FARGATE_AGENT_MANAGEMENT,
          Status: ENABLED | DISABLED
        },
        /* more items */
      ],
      Name: S3_DATA_EVENTS | EKS_AUDIT_LOGS | EBS_MALWARE_PROTECTION | RDS_LOGIN_EVENTS | EKS_RUNTIME_MONITORING | LAMBDA_NETWORK_LOGS | RUNTIME_MONITORING,
      Status: ENABLED | DISABLED
    },
    /* more items */
  ],
  FindingPublishingFrequency: FIFTEEN_MINUTES | ONE_HOUR | SIX_HOURS,
  Tags: {
    '<TagKey>': 'STRING_VALUE',
    /* '<TagKey>': ... */
  }
};
guardduty.createDetector(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

Parameters:

  • params (Object) (defaults to: {})
    • Enable — (Boolean)

      A Boolean value that specifies whether the detector is to be enabled.

    • ClientToken — (String)

      The idempotency token for the create request.

      If a token is not provided, the SDK will use a version 4 UUID.
    • FindingPublishingFrequency — (String)

      A value that specifies how frequently updated findings are exported.

      Possible values include:
      • "FIFTEEN_MINUTES"
      • "ONE_HOUR"
      • "SIX_HOURS"
    • DataSources — (map)

      Describes which data sources will be enabled for the detector.

      There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints.

      • S3Logs — (map)

        Describes whether S3 data event logs are enabled as a data source.

        • Enablerequired — (Boolean)

          The status of S3 data event logs as a data source.

      • Kubernetes — (map)

        Describes whether any Kubernetes logs are enabled as data sources.

        • AuditLogsrequired — (map)

          The status of Kubernetes audit logs as a data source.

          • Enablerequired — (Boolean)

            The status of Kubernetes audit logs as a data source.

      • MalwareProtection — (map)

        Describes whether Malware Protection is enabled as a data source.

        • ScanEc2InstanceWithFindings — (map)

          Describes the configuration of Malware Protection for EC2 instances with findings.

          • EbsVolumes — (Boolean)

            Describes the configuration for scanning EBS volumes as data source.

    • Tags — (map<String>)

      The tags to be added to a new detector resource.

    • Features — (Array<map>)

      A list of features that will be configured for the detector.

      • Name — (String)

        The name of the feature.

        Possible values include:
        • "S3_DATA_EVENTS"
        • "EKS_AUDIT_LOGS"
        • "EBS_MALWARE_PROTECTION"
        • "RDS_LOGIN_EVENTS"
        • "EKS_RUNTIME_MONITORING"
        • "LAMBDA_NETWORK_LOGS"
        • "RUNTIME_MONITORING"
      • Status — (String)

        The status of the feature.

        Possible values include:
        • "ENABLED"
        • "DISABLED"
      • AdditionalConfiguration — (Array<map>)

        Additional configuration for a resource.

        • Name — (String)

          Name of the additional configuration.

          Possible values include:
          • "EKS_ADDON_MANAGEMENT"
          • "ECS_FARGATE_AGENT_MANAGEMENT"
        • Status — (String)

          Status of the additional configuration.

          Possible values include:
          • "ENABLED"
          • "DISABLED"

Callback (callback):

  • function(err, data) { ... }

    Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.

    Context (this):

    • (AWS.Response)

      the response object containing error, data properties, and the original request object.

    Parameters:

    • err (Error)

      the error object returned from the request. Set to null if the request is successful.

    • data (Object)

      the de-serialized data returned from the request. Set to null if a request error occurs. The data object has the following properties:

      • DetectorId — (String)

        The unique ID of the created detector.

      • UnprocessedDataSources — (map)

        Specifies the data sources that couldn't be enabled when GuardDuty was enabled for the first time.

        • MalwareProtection — (map)

          An object that contains information on the status of all Malware Protection data sources.

          • ScanEc2InstanceWithFindings — (map)

            Describes the configuration of Malware Protection for EC2 instances with findings.

            • EbsVolumes — (map)

              Describes the configuration of scanning EBS volumes as a data source.

              • Status — (String)

                Describes whether scanning EBS volumes is enabled as a data source.

                Possible values include:
                • "ENABLED"
                • "DISABLED"
              • Reason — (String)

                Specifies the reason why scanning EBS volumes (Malware Protection) was not enabled as a data source.

          • ServiceRole — (String)

            The GuardDuty Malware Protection service role.

Returns:

  • (AWS.Request)

    a handle to the operation request for subsequent event callback registration.

createFilter(params = {}, callback) ⇒ AWS.Request

Creates a filter using the specified finding criteria. The maximum number of saved filters per Amazon Web Services account per Region is 100. For more information, see Quotas for GuardDuty.

Service Reference:

Examples:

Calling the createFilter operation

var params = {
  DetectorId: 'STRING_VALUE', /* required */
  FindingCriteria: { /* required */
    Criterion: {
      '<String>': {
        Eq: [
          'STRING_VALUE',
          /* more items */
        ],
        Equals: [
          'STRING_VALUE',
          /* more items */
        ],
        GreaterThan: 'NUMBER_VALUE',
        GreaterThanOrEqual: 'NUMBER_VALUE',
        Gt: 'NUMBER_VALUE',
        Gte: 'NUMBER_VALUE',
        LessThan: 'NUMBER_VALUE',
        LessThanOrEqual: 'NUMBER_VALUE',
        Lt: 'NUMBER_VALUE',
        Lte: 'NUMBER_VALUE',
        Neq: [
          'STRING_VALUE',
          /* more items */
        ],
        NotEquals: [
          'STRING_VALUE',
          /* more items */
        ]
      },
      /* '<String>': ... */
    }
  },
  Name: 'STRING_VALUE', /* required */
  Action: NOOP | ARCHIVE,
  ClientToken: 'STRING_VALUE',
  Description: 'STRING_VALUE',
  Rank: 'NUMBER_VALUE',
  Tags: {
    '<TagKey>': 'STRING_VALUE',
    /* '<TagKey>': ... */
  }
};
guardduty.createFilter(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

Parameters:

  • params (Object) (defaults to: {})
    • DetectorId — (String)

      The ID of the detector belonging to the GuardDuty account that you want to create a filter for.

    • Name — (String)

      The name of the filter. Valid characters include period (.), underscore (_), dash (-), and alphanumeric characters. A whitespace is considered to be an invalid character.

    • Description — (String)

      The description of the filter. Valid characters include alphanumeric characters, and special characters such as hyphen, period, colon, underscore, parentheses ({ }, [ ], and ( )), forward slash, horizontal tab, vertical tab, newline, form feed, return, and whitespace.

    • Action — (String)

      Specifies the action that is to be applied to the findings that match the filter.

      Possible values include:
      • "NOOP"
      • "ARCHIVE"
    • Rank — (Integer)

      Specifies the position of the filter in the list of current filters. Also specifies the order in which this filter is applied to the findings.

    • FindingCriteria — (map)

      Represents the criteria to be used in the filter for querying findings.

      You can only use the following attributes to query findings:

      • accountId

      • id

      • region

      • severity

        To filter on the basis of severity, the API and CLI use the following input list for the FindingCriteria condition:

        • Low: ["1", "2", "3"]

        • Medium: ["4", "5", "6"]

        • High: ["7", "8", "9"]

        For more information, see Severity levels for GuardDuty findings.

      • type

      • updatedAt

        Type: ISO 8601 string format: YYYY-MM-DDTHH:MM:SS.SSSZ or YYYY-MM-DDTHH:MM:SSZ depending on whether the value contains milliseconds.

      • resource.accessKeyDetails.accessKeyId

      • resource.accessKeyDetails.principalId

      • resource.accessKeyDetails.userName

      • resource.accessKeyDetails.userType

      • resource.instanceDetails.iamInstanceProfile.id

      • resource.instanceDetails.imageId

      • resource.instanceDetails.instanceId

      • resource.instanceDetails.tags.key

      • resource.instanceDetails.tags.value

      • resource.instanceDetails.networkInterfaces.ipv6Addresses

      • resource.instanceDetails.networkInterfaces.privateIpAddresses.privateIpAddress

      • resource.instanceDetails.networkInterfaces.publicDnsName

      • resource.instanceDetails.networkInterfaces.publicIp

      • resource.instanceDetails.networkInterfaces.securityGroups.groupId

      • resource.instanceDetails.networkInterfaces.securityGroups.groupName

      • resource.instanceDetails.networkInterfaces.subnetId

      • resource.instanceDetails.networkInterfaces.vpcId

      • resource.instanceDetails.outpostArn

      • resource.resourceType

      • resource.s3BucketDetails.publicAccess.effectivePermissions

      • resource.s3BucketDetails.name

      • resource.s3BucketDetails.tags.key

      • resource.s3BucketDetails.tags.value

      • resource.s3BucketDetails.type

      • service.action.actionType

      • service.action.awsApiCallAction.api

      • service.action.awsApiCallAction.callerType

      • service.action.awsApiCallAction.errorCode

      • service.action.awsApiCallAction.remoteIpDetails.city.cityName

      • service.action.awsApiCallAction.remoteIpDetails.country.countryName

      • service.action.awsApiCallAction.remoteIpDetails.ipAddressV4

      • service.action.awsApiCallAction.remoteIpDetails.organization.asn

      • service.action.awsApiCallAction.remoteIpDetails.organization.asnOrg

      • service.action.awsApiCallAction.serviceName

      • service.action.dnsRequestAction.domain

      • service.action.dnsRequestAction.domainWithSuffix

      • service.action.networkConnectionAction.blocked

      • service.action.networkConnectionAction.connectionDirection

      • service.action.networkConnectionAction.localPortDetails.port

      • service.action.networkConnectionAction.protocol

      • service.action.networkConnectionAction.remoteIpDetails.city.cityName

      • service.action.networkConnectionAction.remoteIpDetails.country.countryName

      • service.action.networkConnectionAction.remoteIpDetails.ipAddressV4

      • service.action.networkConnectionAction.remoteIpDetails.organization.asn

      • service.action.networkConnectionAction.remoteIpDetails.organization.asnOrg

      • service.action.networkConnectionAction.remotePortDetails.port

      • service.action.awsApiCallAction.remoteAccountDetails.affiliated

      • service.action.kubernetesApiCallAction.remoteIpDetails.ipAddressV4

      • service.action.kubernetesApiCallAction.namespace

      • service.action.kubernetesApiCallAction.remoteIpDetails.organization.asn

      • service.action.kubernetesApiCallAction.requestUri

      • service.action.kubernetesApiCallAction.statusCode

      • service.action.networkConnectionAction.localIpDetails.ipAddressV4

      • service.action.networkConnectionAction.protocol

      • service.action.awsApiCallAction.serviceName

      • service.action.awsApiCallAction.remoteAccountDetails.accountId

      • service.additionalInfo.threatListName

      • service.resourceRole

      • resource.eksClusterDetails.name

      • resource.kubernetesDetails.kubernetesWorkloadDetails.name

      • resource.kubernetesDetails.kubernetesWorkloadDetails.namespace

      • resource.kubernetesDetails.kubernetesUserDetails.username

      • resource.kubernetesDetails.kubernetesWorkloadDetails.containers.image

      • resource.kubernetesDetails.kubernetesWorkloadDetails.containers.imagePrefix

      • service.ebsVolumeScanDetails.scanId

      • service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.name

      • service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.severity

      • service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.filePaths.hash

      • resource.ecsClusterDetails.name

      • resource.ecsClusterDetails.taskDetails.containers.image

      • resource.ecsClusterDetails.taskDetails.definitionArn

      • resource.containerDetails.image

      • resource.rdsDbInstanceDetails.dbInstanceIdentifier

      • resource.rdsDbInstanceDetails.dbClusterIdentifier

      • resource.rdsDbInstanceDetails.engine

      • resource.rdsDbUserDetails.user

      • resource.rdsDbInstanceDetails.tags.key

      • resource.rdsDbInstanceDetails.tags.value

      • service.runtimeDetails.process.executableSha256

      • service.runtimeDetails.process.name

      • service.runtimeDetails.process.name

      • resource.lambdaDetails.functionName

      • resource.lambdaDetails.functionArn

      • resource.lambdaDetails.tags.key

      • resource.lambdaDetails.tags.value

      • Criterion — (map<map>)

        Represents a map of finding properties that match specified conditions and values when querying findings.

        • Eq — (Array<String>)

          Represents the equal condition to be applied to a single field when querying for findings.

        • Neq — (Array<String>)

          Represents the not equal condition to be applied to a single field when querying for findings.

        • Gt — (Integer)

          Represents a greater than condition to be applied to a single field when querying for findings.

        • Gte — (Integer)

          Represents a greater than or equal condition to be applied to a single field when querying for findings.

        • Lt — (Integer)

          Represents a less than condition to be applied to a single field when querying for findings.

        • Lte — (Integer)

          Represents a less than or equal condition to be applied to a single field when querying for findings.

        • Equals — (Array<String>)

          Represents an equal condition to be applied to a single field when querying for findings.

        • NotEquals — (Array<String>)

          Represents a not equal condition to be applied to a single field when querying for findings.

        • GreaterThan — (Integer)

          Represents a greater than condition to be applied to a single field when querying for findings.

        • GreaterThanOrEqual — (Integer)

          Represents a greater than or equal condition to be applied to a single field when querying for findings.

        • LessThan — (Integer)

          Represents a less than condition to be applied to a single field when querying for findings.

        • LessThanOrEqual — (Integer)

          Represents a less than or equal condition to be applied to a single field when querying for findings.

    • ClientToken — (String)

      The idempotency token for the create request.

      If a token is not provided, the SDK will use a version 4 UUID.
    • Tags — (map<String>)

      The tags to be added to a new filter resource.

Callback (callback):

  • function(err, data) { ... }

    Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.

    Context (this):

    • (AWS.Response)

      the response object containing error, data properties, and the original request object.

    Parameters:

    • err (Error)

      the error object returned from the request. Set to null if the request is successful.

    • data (Object)

      the de-serialized data returned from the request. Set to null if a request error occurs. The data object has the following properties:

      • Name — (String)

        The name of the successfully created filter.

Returns:

  • (AWS.Request)

    a handle to the operation request for subsequent event callback registration.

createIPSet(params = {}, callback) ⇒ AWS.Request

Creates a new IPSet, which is called a trusted IP list in the console user interface. An IPSet is a list of IP addresses that are trusted for secure communication with Amazon Web Services infrastructure and applications. GuardDuty doesn't generate findings for IP addresses that are included in IPSets. Only users from the administrator account can use this operation.

Service Reference:

Examples:

Calling the createIPSet operation

var params = {
  Activate: true || false, /* required */
  DetectorId: 'STRING_VALUE', /* required */
  Format: TXT | STIX | OTX_CSV | ALIEN_VAULT | PROOF_POINT | FIRE_EYE, /* required */
  Location: 'STRING_VALUE', /* required */
  Name: 'STRING_VALUE', /* required */
  ClientToken: 'STRING_VALUE',
  Tags: {
    '<TagKey>': 'STRING_VALUE',
    /* '<TagKey>': ... */
  }
};
guardduty.createIPSet(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

Parameters:

  • params (Object) (defaults to: {})
    • DetectorId — (String)

      The unique ID of the detector of the GuardDuty account that you want to create an IPSet for.

    • Name — (String)

      The user-friendly name to identify the IPSet.

      Allowed characters are alphanumeric, whitespace, dash (-), and underscores (_).

    • Format — (String)

      The format of the file that contains the IPSet.

      Possible values include:
      • "TXT"
      • "STIX"
      • "OTX_CSV"
      • "ALIEN_VAULT"
      • "PROOF_POINT"
      • "FIRE_EYE"
    • Location — (String)

      The URI of the file that contains the IPSet.

    • Activate — (Boolean)

      A Boolean value that indicates whether GuardDuty is to start using the uploaded IPSet.

    • ClientToken — (String)

      The idempotency token for the create request.

      If a token is not provided, the SDK will use a version 4 UUID.
    • Tags — (map<String>)

      The tags to be added to a new IP set resource.

Callback (callback):

  • function(err, data) { ... }

    Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.

    Context (this):

    • (AWS.Response)

      the response object containing error, data properties, and the original request object.

    Parameters:

    • err (Error)

      the error object returned from the request. Set to null if the request is successful.

    • data (Object)

      the de-serialized data returned from the request. Set to null if a request error occurs. The data object has the following properties:

      • IpSetId — (String)

        The ID of the IPSet resource.

Returns:

  • (AWS.Request)

    a handle to the operation request for subsequent event callback registration.

createMembers(params = {}, callback) ⇒ AWS.Request

Creates member accounts of the current Amazon Web Services account by specifying a list of Amazon Web Services account IDs. This step is a prerequisite for managing the associated member accounts either by invitation or through an organization.

As a delegated administrator, using CreateMembers will enable GuardDuty in the added member accounts, with the exception of the organization delegated administrator account. A delegated administrator must enable GuardDuty prior to being added as a member.

When you use CreateMembers as an Organizations delegated administrator, GuardDuty applies your organization's auto-enable settings to the member accounts in this request, irrespective of the accounts being new or existing members. For more information about the existing auto-enable settings for your organization, see DescribeOrganizationConfiguration.

If you are adding accounts by invitation, before using InviteMembers, use CreateMembers after GuardDuty has been enabled in potential member accounts.

If you disassociate a member from a GuardDuty delegated administrator, the member account details obtained from this API, including the associated email addresses, will be retained. This is done so that the delegated administrator can invoke the InviteMembers API without the need to invoke the CreateMembers API again. To remove the details associated with a member account, the delegated administrator must invoke the DeleteMembers API.

Service Reference:

Examples:

Calling the createMembers operation

var params = {
  AccountDetails: [ /* required */
    {
      AccountId: 'STRING_VALUE', /* required */
      Email: 'STRING_VALUE' /* required */
    },
    /* more items */
  ],
  DetectorId: 'STRING_VALUE' /* required */
};
guardduty.createMembers(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

Parameters:

  • params (Object) (defaults to: {})
    • DetectorId — (String)

      The unique ID of the detector of the GuardDuty account that you want to associate member accounts with.

    • AccountDetails — (Array<map>)

      A list of account ID and email address pairs of the accounts that you want to associate with the GuardDuty administrator account.

      • AccountIdrequired — (String)

        The member account ID.

      • Emailrequired — (String)

        The email address of the member account.

Callback (callback):

  • function(err, data) { ... }

    Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.

    Context (this):

    • (AWS.Response)

      the response object containing error, data properties, and the original request object.

    Parameters:

    • err (Error)

      the error object returned from the request. Set to null if the request is successful.

    • data (Object)

      the de-serialized data returned from the request. Set to null if a request error occurs. The data object has the following properties:

      • UnprocessedAccounts — (Array<map>)

        A list of objects that include the accountIds of the unprocessed accounts and a result string that explains why each was unprocessed.

        • AccountIdrequired — (String)

          The Amazon Web Services account ID.

        • Resultrequired — (String)

          A reason why the account hasn't been processed.

Returns:

  • (AWS.Request)

    a handle to the operation request for subsequent event callback registration.

createPublishingDestination(params = {}, callback) ⇒ AWS.Request

Creates a publishing destination to export findings to. The resource to export findings to must exist before you use this operation.

Service Reference:

Examples:

Calling the createPublishingDestination operation

var params = {
  DestinationProperties: { /* required */
    DestinationArn: 'STRING_VALUE',
    KmsKeyArn: 'STRING_VALUE'
  },
  DestinationType: S3, /* required */
  DetectorId: 'STRING_VALUE', /* required */
  ClientToken: 'STRING_VALUE'
};
guardduty.createPublishingDestination(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

Parameters:

  • params (Object) (defaults to: {})
    • DetectorId — (String)

      The ID of the GuardDuty detector associated with the publishing destination.

    • DestinationType — (String)

      The type of resource for the publishing destination. Currently only Amazon S3 buckets are supported.

      Possible values include:
      • "S3"
    • DestinationProperties — (map)

      The properties of the publishing destination, including the ARNs for the destination and the KMS key used for encryption.

      • DestinationArn — (String)

        The ARN of the resource to publish to.

        To specify an S3 bucket folder use the following format: arn:aws:s3:::DOC-EXAMPLE-BUCKET/myFolder/

      • KmsKeyArn — (String)

        The ARN of the KMS key to use for encryption.

    • ClientToken — (String)

      The idempotency token for the request.

      If a token is not provided, the SDK will use a version 4 UUID.

Callback (callback):

  • function(err, data) { ... }

    Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.

    Context (this):

    • (AWS.Response)

      the response object containing error, data properties, and the original request object.

    Parameters:

    • err (Error)

      the error object returned from the request. Set to null if the request is successful.

    • data (Object)

      the de-serialized data returned from the request. Set to null if a request error occurs. The data object has the following properties:

      • DestinationId — (String)

        The ID of the publishing destination that is created.

Returns:

  • (AWS.Request)

    a handle to the operation request for subsequent event callback registration.

createSampleFindings(params = {}, callback) ⇒ AWS.Request

Generates sample findings of types specified by the list of finding types. If 'NULL' is specified for findingTypes, the API generates sample findings of all supported finding types.

Service Reference:

Examples:

Calling the createSampleFindings operation

var params = {
  DetectorId: 'STRING_VALUE', /* required */
  FindingTypes: [
    'STRING_VALUE',
    /* more items */
  ]
};
guardduty.createSampleFindings(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

Parameters:

  • params (Object) (defaults to: {})
    • DetectorId — (String)

      The ID of the detector to create sample findings for.

    • FindingTypes — (Array<String>)

      The types of sample findings to generate.

Callback (callback):

  • function(err, data) { ... }

    Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.

    Context (this):

    • (AWS.Response)

      the response object containing error, data properties, and the original request object.

    Parameters:

    • err (Error)

      the error object returned from the request. Set to null if the request is successful.

    • data (Object)

      the de-serialized data returned from the request. Set to null if a request error occurs.

Returns:

  • (AWS.Request)

    a handle to the operation request for subsequent event callback registration.

createThreatIntelSet(params = {}, callback) ⇒ AWS.Request

Creates a new ThreatIntelSet. ThreatIntelSets consist of known malicious IP addresses. GuardDuty generates findings based on ThreatIntelSets. Only users of the administrator account can use this operation.

Service Reference:

Examples:

Calling the createThreatIntelSet operation

var params = {
  Activate: true || false, /* required */
  DetectorId: 'STRING_VALUE', /* required */
  Format: TXT | STIX | OTX_CSV | ALIEN_VAULT | PROOF_POINT | FIRE_EYE, /* required */
  Location: 'STRING_VALUE', /* required */
  Name: 'STRING_VALUE', /* required */
  ClientToken: 'STRING_VALUE',
  Tags: {
    '<TagKey>': 'STRING_VALUE',
    /* '<TagKey>': ... */
  }
};
guardduty.createThreatIntelSet(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

Parameters:

  • params (Object) (defaults to: {})
    • DetectorId — (String)

      The unique ID of the detector of the GuardDuty account that you want to create a threatIntelSet for.

    • Name — (String)

      A user-friendly ThreatIntelSet name displayed in all findings that are generated by activity that involves IP addresses included in this ThreatIntelSet.

    • Format — (String)

      The format of the file that contains the ThreatIntelSet.

      Possible values include:
      • "TXT"
      • "STIX"
      • "OTX_CSV"
      • "ALIEN_VAULT"
      • "PROOF_POINT"
      • "FIRE_EYE"
    • Location — (String)

      The URI of the file that contains the ThreatIntelSet.

    • Activate — (Boolean)

      A Boolean value that indicates whether GuardDuty is to start using the uploaded ThreatIntelSet.

    • ClientToken — (String)

      The idempotency token for the create request.

      If a token is not provided, the SDK will use a version 4 UUID.
    • Tags — (map<String>)

      The tags to be added to a new threat list resource.

Callback (callback):

  • function(err, data) { ... }

    Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.

    Context (this):

    • (AWS.Response)

      the response object containing error, data properties, and the original request object.

    Parameters:

    • err (Error)

      the error object returned from the request. Set to null if the request is successful.

    • data (Object)

      the de-serialized data returned from the request. Set to null if a request error occurs. The data object has the following properties:

      • ThreatIntelSetId — (String)

        The ID of the ThreatIntelSet resource.

Returns:

  • (AWS.Request)

    a handle to the operation request for subsequent event callback registration.

declineInvitations(params = {}, callback) ⇒ AWS.Request

Declines invitations sent to the current member account by Amazon Web Services accounts specified by their account IDs.

Service Reference:

Examples:

Calling the declineInvitations operation

var params = {
  AccountIds: [ /* required */
    'STRING_VALUE',
    /* more items */
  ]
};
guardduty.declineInvitations(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

Parameters:

  • params (Object) (defaults to: {})
    • AccountIds — (Array<String>)

      A list of account IDs of the Amazon Web Services accounts that sent invitations to the current member account that you want to decline invitations from.

Callback (callback):

  • function(err, data) { ... }

    Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.

    Context (this):

    • (AWS.Response)

      the response object containing error, data properties, and the original request object.

    Parameters:

    • err (Error)

      the error object returned from the request. Set to null if the request is successful.

    • data (Object)

      the de-serialized data returned from the request. Set to null if a request error occurs. The data object has the following properties:

      • UnprocessedAccounts — (Array<map>)

        A list of objects that contain the unprocessed account and a result string that explains why it was unprocessed.

        • AccountIdrequired — (String)

          The Amazon Web Services account ID.

        • Resultrequired — (String)

          A reason why the account hasn't been processed.

Returns:

  • (AWS.Request)

    a handle to the operation request for subsequent event callback registration.

deleteDetector(params = {}, callback) ⇒ AWS.Request

Deletes an Amazon GuardDuty detector that is specified by the detector ID.

Service Reference:

Examples:

Calling the deleteDetector operation

var params = {
  DetectorId: 'STRING_VALUE' /* required */
};
guardduty.deleteDetector(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

Parameters:

  • params (Object) (defaults to: {})
    • DetectorId — (String)

      The unique ID of the detector that you want to delete.

Callback (callback):

  • function(err, data) { ... }

    Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.

    Context (this):

    • (AWS.Response)

      the response object containing error, data properties, and the original request object.

    Parameters:

    • err (Error)

      the error object returned from the request. Set to null if the request is successful.

    • data (Object)

      the de-serialized data returned from the request. Set to null if a request error occurs.

Returns:

  • (AWS.Request)

    a handle to the operation request for subsequent event callback registration.

deleteFilter(params = {}, callback) ⇒ AWS.Request

Deletes the filter specified by the filter name.

Service Reference:

Examples:

Calling the deleteFilter operation

var params = {
  DetectorId: 'STRING_VALUE', /* required */
  FilterName: 'STRING_VALUE' /* required */
};
guardduty.deleteFilter(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

Parameters:

  • params (Object) (defaults to: {})
    • DetectorId — (String)

      The unique ID of the detector that the filter is associated with.

    • FilterName — (String)

      The name of the filter that you want to delete.

Callback (callback):

  • function(err, data) { ... }

    Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.

    Context (this):

    • (AWS.Response)

      the response object containing error, data properties, and the original request object.

    Parameters:

    • err (Error)

      the error object returned from the request. Set to null if the request is successful.

    • data (Object)

      the de-serialized data returned from the request. Set to null if a request error occurs.

Returns:

  • (AWS.Request)

    a handle to the operation request for subsequent event callback registration.

deleteInvitations(params = {}, callback) ⇒ AWS.Request

Deletes invitations sent to the current member account by Amazon Web Services accounts specified by their account IDs.

Service Reference:

Examples:

Calling the deleteInvitations operation

var params = {
  AccountIds: [ /* required */
    'STRING_VALUE',
    /* more items */
  ]
};
guardduty.deleteInvitations(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

Parameters:

  • params (Object) (defaults to: {})
    • AccountIds — (Array<String>)

      A list of account IDs of the Amazon Web Services accounts that sent invitations to the current member account that you want to delete invitations from.

Callback (callback):

  • function(err, data) { ... }

    Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.

    Context (this):

    • (AWS.Response)

      the response object containing error, data properties, and the original request object.

    Parameters:

    • err (Error)

      the error object returned from the request. Set to null if the request is successful.

    • data (Object)

      the de-serialized data returned from the request. Set to null if a request error occurs. The data object has the following properties:

      • UnprocessedAccounts — (Array<map>)

        A list of objects that contain the unprocessed account and a result string that explains why it was unprocessed.

        • AccountIdrequired — (String)

          The Amazon Web Services account ID.

        • Resultrequired — (String)

          A reason why the account hasn't been processed.

Returns:

  • (AWS.Request)

    a handle to the operation request for subsequent event callback registration.

deleteIPSet(params = {}, callback) ⇒ AWS.Request

Deletes the IPSet specified by the ipSetId. IPSets are called trusted IP lists in the console user interface.

Service Reference:

Examples:

Calling the deleteIPSet operation

var params = {
  DetectorId: 'STRING_VALUE', /* required */
  IpSetId: 'STRING_VALUE' /* required */
};
guardduty.deleteIPSet(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

Parameters:

  • params (Object) (defaults to: {})
    • DetectorId — (String)

      The unique ID of the detector associated with the IPSet.

    • IpSetId — (String)

      The unique ID of the IPSet to delete.

Callback (callback):

  • function(err, data) { ... }

    Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.

    Context (this):

    • (AWS.Response)

      the response object containing error, data properties, and the original request object.

    Parameters:

    • err (Error)

      the error object returned from the request. Set to null if the request is successful.

    • data (Object)

      the de-serialized data returned from the request. Set to null if a request error occurs.

Returns:

  • (AWS.Request)

    a handle to the operation request for subsequent event callback registration.

deleteMembers(params = {}, callback) ⇒ AWS.Request

Deletes GuardDuty member accounts (to the current GuardDuty administrator account) specified by the account IDs.

With autoEnableOrganizationMembers configuration for your organization set to ALL, you'll receive an error if you attempt to disable GuardDuty for a member account in your organization.

Service Reference:

Examples:

Calling the deleteMembers operation

var params = {
  AccountIds: [ /* required */
    'STRING_VALUE',
    /* more items */
  ],
  DetectorId: 'STRING_VALUE' /* required */
};
guardduty.deleteMembers(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

Parameters:

  • params (Object) (defaults to: {})
    • DetectorId — (String)

      The unique ID of the detector of the GuardDuty account whose members you want to delete.

    • AccountIds — (Array<String>)

      A list of account IDs of the GuardDuty member accounts that you want to delete.

Callback (callback):

  • function(err, data) { ... }

    Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.

    Context (this):

    • (AWS.Response)

      the response object containing error, data properties, and the original request object.

    Parameters:

    • err (Error)

      the error object returned from the request. Set to null if the request is successful.

    • data (Object)

      the de-serialized data returned from the request. Set to null if a request error occurs. The data object has the following properties:

      • UnprocessedAccounts — (Array<map>)

        The accounts that could not be processed.

        • AccountIdrequired — (String)

          The Amazon Web Services account ID.

        • Resultrequired — (String)

          A reason why the account hasn't been processed.

Returns:

  • (AWS.Request)

    a handle to the operation request for subsequent event callback registration.

deletePublishingDestination(params = {}, callback) ⇒ AWS.Request

Deletes the publishing definition with the specified destinationId.

Service Reference:

Examples:

Calling the deletePublishingDestination operation

var params = {
  DestinationId: 'STRING_VALUE', /* required */
  DetectorId: 'STRING_VALUE' /* required */
};
guardduty.deletePublishingDestination(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

Parameters:

  • params (Object) (defaults to: {})
    • DetectorId — (String)

      The unique ID of the detector associated with the publishing destination to delete.

    • DestinationId — (String)

      The ID of the publishing destination to delete.

Callback (callback):

  • function(err, data) { ... }

    Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.

    Context (this):

    • (AWS.Response)

      the response object containing error, data properties, and the original request object.

    Parameters:

    • err (Error)

      the error object returned from the request. Set to null if the request is successful.

    • data (Object)

      the de-serialized data returned from the request. Set to null if a request error occurs.

Returns:

  • (AWS.Request)

    a handle to the operation request for subsequent event callback registration.

deleteThreatIntelSet(params = {}, callback) ⇒ AWS.Request

Deletes the ThreatIntelSet specified by the ThreatIntelSet ID.

Service Reference:

Examples:

Calling the deleteThreatIntelSet operation

var params = {
  DetectorId: 'STRING_VALUE', /* required */
  ThreatIntelSetId: 'STRING_VALUE' /* required */
};
guardduty.deleteThreatIntelSet(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

Parameters:

  • params (Object) (defaults to: {})
    • DetectorId — (String)

      The unique ID of the detector that the threatIntelSet is associated with.

    • ThreatIntelSetId — (String)

      The unique ID of the threatIntelSet that you want to delete.

Callback (callback):

  • function(err, data) { ... }

    Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.

    Context (this):

    • (AWS.Response)

      the response object containing error, data properties, and the original request object.

    Parameters:

    • err (Error)

      the error object returned from the request. Set to null if the request is successful.

    • data (Object)

      the de-serialized data returned from the request. Set to null if a request error occurs.

Returns:

  • (AWS.Request)

    a handle to the operation request for subsequent event callback registration.

describeMalwareScans(params = {}, callback) ⇒ AWS.Request

Returns a list of malware scans. Each member account can view the malware scans for their own accounts. An administrator can view the malware scans for all the member accounts.

There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints.

Service Reference:

Examples:

Calling the describeMalwareScans operation

var params = {
  DetectorId: 'STRING_VALUE', /* required */
  FilterCriteria: {
    FilterCriterion: [
      {
        CriterionKey: EC2_INSTANCE_ARN | SCAN_ID | ACCOUNT_ID | GUARDDUTY_FINDING_ID | SCAN_START_TIME | SCAN_STATUS | SCAN_TYPE,
        FilterCondition: {
          EqualsValue: 'STRING_VALUE',
          GreaterThan: 'NUMBER_VALUE',
          LessThan: 'NUMBER_VALUE'
        }
      },
      /* more items */
    ]
  },
  MaxResults: 'NUMBER_VALUE',
  NextToken: 'STRING_VALUE',
  SortCriteria: {
    AttributeName: 'STRING_VALUE',
    OrderBy: ASC | DESC
  }
};
guardduty.describeMalwareScans(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

Parameters:

  • params (Object) (defaults to: {})
    • DetectorId — (String)

      The unique ID of the detector that the request is associated with.

    • NextToken — (String)

      You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.

    • MaxResults — (Integer)

      You can use this parameter to indicate the maximum number of items that you want in the response. The default value is 50. The maximum value is 50.

    • FilterCriteria — (map)

      Represents the criteria to be used in the filter for describing scan entries.

      • FilterCriterion — (Array<map>)

        Represents a condition that when matched will be added to the response of the operation.

        • CriterionKey — (String)

          An enum value representing possible scan properties to match with given scan entries.

          Note: Replace the enum value CLUSTER_NAME with EKS_CLUSTER_NAME. CLUSTER_NAME has been deprecated.
          Possible values include:
          • "EC2_INSTANCE_ARN"
          • "SCAN_ID"
          • "ACCOUNT_ID"
          • "GUARDDUTY_FINDING_ID"
          • "SCAN_START_TIME"
          • "SCAN_STATUS"
          • "SCAN_TYPE"
        • FilterCondition — (map)

          Contains information about the condition.

          • EqualsValue — (String)

            Represents an equal condition to be applied to a single field when querying for scan entries.

          • GreaterThan — (Integer)

            Represents a greater than condition to be applied to a single field when querying for scan entries.

          • LessThan — (Integer)

            Represents a less than condition to be applied to a single field when querying for scan entries.

    • SortCriteria — (map)

      Represents the criteria used for sorting scan entries. The attributeName is required and it must be scanStartTime.

      • AttributeName — (String)

        Represents the finding attribute, such as accountId, that sorts the findings.

      • OrderBy — (String)

        The order by which the sorted findings are to be displayed.

        Possible values include:
        • "ASC"
        • "DESC"

Callback (callback):

  • function(err, data) { ... }

    Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.

    Context (this):

    • (AWS.Response)

      the response object containing error, data properties, and the original request object.

    Parameters:

    • err (Error)

      the error object returned from the request. Set to null if the request is successful.

    • data (Object)

      the de-serialized data returned from the request. Set to null if a request error occurs. The data object has the following properties:

      • Scans — (Array<map>)

        Contains information about malware scans.

        • DetectorId — (String)

          The unique ID of the detector that the request is associated with.

        • AdminDetectorId — (String)

          The unique detector ID of the administrator account that the request is associated with. Note that this value will be the same as the one used for DetectorId if the account is an administrator.

        • ScanId — (String)

          The unique scan ID associated with a scan entry.

        • ScanStatus — (String)

          An enum value representing possible scan statuses.

          Possible values include:
          • "RUNNING"
          • "COMPLETED"
          • "FAILED"
          • "SKIPPED"
        • FailureReason — (String)

          Represents the reason for FAILED scan status.

        • ScanStartTime — (Date)

          The timestamp of when the scan was triggered.

        • ScanEndTime — (Date)

          The timestamp of when the scan was finished.

        • TriggerDetails — (map)

          Specifies the reason why the scan was initiated.

          • GuardDutyFindingId — (String)

            The ID of the GuardDuty finding that triggered the malware scan.

          • Description — (String)

            The description of the scan trigger.

        • ResourceDetails — (map)

          Represents the resources that were scanned in the scan entry.

          • InstanceArn — (String)

            InstanceArn that was scanned in the scan entry.

        • ScanResultDetails — (map)

          Represents the result of the scan.

          • ScanResult — (String)

            An enum value representing possible scan results.

            Possible values include:
            • "CLEAN"
            • "INFECTED"
        • AccountId — (String)

          The ID for the account that belongs to the scan.

        • TotalBytes — (Integer)

          Represents total bytes that were scanned.

        • FileCount — (Integer)

          Represents the number of files that were scanned.

        • AttachedVolumes — (Array<map>)

          List of volumes that were attached to the original instance to be scanned.

          • VolumeArn — (String)

            EBS volume Arn information.

          • VolumeType — (String)

            The EBS volume type.

          • DeviceName — (String)

            The device name for the EBS volume.

          • VolumeSizeInGB — (Integer)

            EBS volume size in GB.

          • EncryptionType — (String)

            EBS volume encryption type.

          • SnapshotArn — (String)

            Snapshot Arn of the EBS volume.

          • KmsKeyArn — (String)

            KMS key Arn used to encrypt the EBS volume.

        • ScanType — (String)

          Specifies the scan type that invoked the malware scan.

          Possible values include:
          • "GUARDDUTY_INITIATED"
          • "ON_DEMAND"
      • NextToken — (String)

        The pagination parameter to be used on the next list operation to retrieve more items.

Returns:

  • (AWS.Request)

    a handle to the operation request for subsequent event callback registration.

describeOrganizationConfiguration(params = {}, callback) ⇒ AWS.Request

Returns information about the account selected as the delegated administrator for GuardDuty.

There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints.

Examples:

Calling the describeOrganizationConfiguration operation

var params = {
  DetectorId: 'STRING_VALUE', /* required */
  MaxResults: 'NUMBER_VALUE',
  NextToken: 'STRING_VALUE'
};
guardduty.describeOrganizationConfiguration(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

Parameters:

  • params (Object) (defaults to: {})
    • DetectorId — (String)

      The ID of the detector to retrieve information about the delegated administrator from.

    • MaxResults — (Integer)

      You can use this parameter to indicate the maximum number of items that you want in the response.

    • NextToken — (String)

      You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.

Callback (callback):

  • function(err, data) { ... }

    Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.

    Context (this):

    • (AWS.Response)

      the response object containing error, data properties, and the original request object.

    Parameters:

    • err (Error)

      the error object returned from the request. Set to null if the request is successful.

    • data (Object)

      the de-serialized data returned from the request. Set to null if a request error occurs. The data object has the following properties:

      • AutoEnable — (Boolean)

        Indicates whether GuardDuty is automatically enabled for accounts added to the organization.

        Even though this is still supported, we recommend using AutoEnableOrganizationMembers to achieve the similar results.

      • MemberAccountLimitReached — (Boolean)

        Indicates whether the maximum number of allowed member accounts are already associated with the delegated administrator account for your organization.

      • DataSources — (map)

        Describes which data sources are enabled automatically for member accounts.

        • S3Logsrequired — (map)

          Describes whether S3 data event logs are enabled as a data source.

          • AutoEnablerequired — (Boolean)

            A value that describes whether S3 data event logs are automatically enabled for new members of the organization.

        • Kubernetes — (map)

          Describes the configuration of Kubernetes data sources.

          • AuditLogsrequired — (map)

            The current configuration of Kubernetes audit logs as a data source for the organization.

            • AutoEnablerequired — (Boolean)

              Whether Kubernetes audit logs data source should be auto-enabled for new members joining the organization.

        • MalwareProtection — (map)

          Describes the configuration of Malware Protection data source for an organization.

          • ScanEc2InstanceWithFindings — (map)

            Describes the configuration for scanning EC2 instances with findings for an organization.

            • EbsVolumes — (map)

              Describes the configuration for scanning EBS volumes for an organization.

              • AutoEnable — (Boolean)

                An object that contains the status of whether scanning EBS volumes should be auto-enabled for new members joining the organization.

      • Features — (Array<map>)

        A list of features that are configured for this organization.

        • Name — (String)

          The name of the feature that is configured for the member accounts within the organization.

          Possible values include:
          • "S3_DATA_EVENTS"
          • "EKS_AUDIT_LOGS"
          • "EBS_MALWARE_PROTECTION"
          • "RDS_LOGIN_EVENTS"
          • "EKS_RUNTIME_MONITORING"
          • "LAMBDA_NETWORK_LOGS"
          • "RUNTIME_MONITORING"
        • AutoEnable — (String)

          Describes the status of the feature that is configured for the member accounts within the organization.

          • NEW: Indicates that when a new account joins the organization, they will have the feature enabled automatically.

          • ALL: Indicates that all accounts in the organization have the feature enabled automatically. This includes NEW accounts that join the organization and accounts that may have been suspended or removed from the organization in GuardDuty.

          • NONE: Indicates that the feature will not be automatically enabled for any account in the organization. In this case, each account will be managed individually by the administrator.

          Possible values include:
          • "NEW"
          • "NONE"
          • "ALL"
        • AdditionalConfiguration — (Array<map>)

          The additional configuration that is configured for the member accounts within the organization.

          • Name — (String)

            The name of the additional configuration that is configured for the member accounts within the organization.

            Possible values include:
            • "EKS_ADDON_MANAGEMENT"
            • "ECS_FARGATE_AGENT_MANAGEMENT"
          • AutoEnable — (String)

            Describes the status of the additional configuration that is configured for the member accounts within the organization. One of the following values is the status for the entire organization:

            • NEW: Indicates that when a new account joins the organization, they will have the additional configuration enabled automatically.

            • ALL: Indicates that all accounts in the organization have the additional configuration enabled automatically. This includes NEW accounts that join the organization and accounts that may have been suspended or removed from the organization in GuardDuty.

              It may take up to 24 hours to update the configuration for all the member accounts.

            • NONE: Indicates that the additional configuration will not be automatically enabled for any account in the organization. The administrator must manage the additional configuration for each account individually.

            Possible values include:
            • "NEW"
            • "NONE"
            • "ALL"
      • NextToken — (String)

        The pagination parameter to be used on the next list operation to retrieve more items.

      • AutoEnableOrganizationMembers — (String)

        Indicates the auto-enablement configuration of GuardDuty or any of the corresponding protection plans for the member accounts in the organization.

        • NEW: Indicates that when a new account joins the organization, they will have GuardDuty or any of the corresponding protection plans enabled automatically.

        • ALL: Indicates that all accounts in the organization have GuardDuty and any of the corresponding protection plans enabled automatically. This includes NEW accounts that join the organization and accounts that may have been suspended or removed from the organization in GuardDuty.

        • NONE: Indicates that GuardDuty or any of the corresponding protection plans will not be automatically enabled for any account in the organization. The administrator must manage GuardDuty for each account in the organization individually.

          When you update the auto-enable setting from ALL or NEW to NONE, this action doesn't disable the corresponding option for your existing accounts. This configuration will apply to the new accounts that join the organization. After you update the auto-enable settings, no new account will have the corresponding option as enabled.

        Possible values include:
        • "NEW"
        • "ALL"
        • "NONE"

Returns:

  • (AWS.Request)

    a handle to the operation request for subsequent event callback registration.

describePublishingDestination(params = {}, callback) ⇒ AWS.Request

Returns information about the publishing destination specified by the provided destinationId.

Service Reference:

Examples:

Calling the describePublishingDestination operation

var params = {
  DestinationId: 'STRING_VALUE', /* required */
  DetectorId: 'STRING_VALUE' /* required */
};
guardduty.describePublishingDestination(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

Parameters:

  • params (Object) (defaults to: {})
    • DetectorId — (String)

      The unique ID of the detector associated with the publishing destination to retrieve.

    • DestinationId — (String)

      The ID of the publishing destination to retrieve.

Callback (callback):

  • function(err, data) { ... }

    Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.

    Context (this):

    • (AWS.Response)

      the response object containing error, data properties, and the original request object.

    Parameters:

    • err (Error)

      the error object returned from the request. Set to null if the request is successful.

    • data (Object)

      the de-serialized data returned from the request. Set to null if a request error occurs. The data object has the following properties:

      • DestinationId — (String)

        The ID of the publishing destination.

      • DestinationType — (String)

        The type of publishing destination. Currently, only Amazon S3 buckets are supported.

        Possible values include:
        • "S3"
      • Status — (String)

        The status of the publishing destination.

        Possible values include:
        • "PENDING_VERIFICATION"
        • "PUBLISHING"
        • "UNABLE_TO_PUBLISH_FIX_DESTINATION_PROPERTY"
        • "STOPPED"
      • PublishingFailureStartTimestamp — (Integer)

        The time, in epoch millisecond format, at which GuardDuty was first unable to publish findings to the destination.

      • DestinationProperties — (map)

        A DestinationProperties object that includes the DestinationArn and KmsKeyArn of the publishing destination.

        • DestinationArn — (String)

          The ARN of the resource to publish to.

          To specify an S3 bucket folder use the following format: arn:aws:s3:::DOC-EXAMPLE-BUCKET/myFolder/

        • KmsKeyArn — (String)

          The ARN of the KMS key to use for encryption.

Returns:

  • (AWS.Request)

    a handle to the operation request for subsequent event callback registration.

disableOrganizationAdminAccount(params = {}, callback) ⇒ AWS.Request

Removes the existing GuardDuty delegated administrator of the organization. Only the organization's management account can run this API operation.

Service Reference:

Examples:

Calling the disableOrganizationAdminAccount operation

var params = {
  AdminAccountId: 'STRING_VALUE' /* required */
};
guardduty.disableOrganizationAdminAccount(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

Parameters:

  • params (Object) (defaults to: {})
    • AdminAccountId — (String)

      The Amazon Web Services Account ID for the organizations account to be disabled as a GuardDuty delegated administrator.

Callback (callback):

  • function(err, data) { ... }

    Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.

    Context (this):

    • (AWS.Response)

      the response object containing error, data properties, and the original request object.

    Parameters:

    • err (Error)

      the error object returned from the request. Set to null if the request is successful.

    • data (Object)

      the de-serialized data returned from the request. Set to null if a request error occurs.

Returns:

  • (AWS.Request)

    a handle to the operation request for subsequent event callback registration.

disassociateFromAdministratorAccount(params = {}, callback) ⇒ AWS.Request

Disassociates the current GuardDuty member account from its administrator account.

When you disassociate an invited member from a GuardDuty delegated administrator, the member account details obtained from the CreateMembers API, including the associated email addresses, are retained. This is done so that the delegated administrator can invoke the InviteMembers API without the need to invoke the CreateMembers API again. To remove the details associated with a member account, the delegated administrator must invoke the DeleteMembers API.

With autoEnableOrganizationMembers configuration for your organization set to ALL, you'll receive an error if you attempt to disable GuardDuty in a member account.

Examples:

Calling the disassociateFromAdministratorAccount operation

var params = {
  DetectorId: 'STRING_VALUE' /* required */
};
guardduty.disassociateFromAdministratorAccount(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

Parameters:

  • params (Object) (defaults to: {})
    • DetectorId — (String)

      The unique ID of the detector of the GuardDuty member account.

Callback (callback):

  • function(err, data) { ... }

    Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.

    Context (this):

    • (AWS.Response)

      the response object containing error, data properties, and the original request object.

    Parameters:

    • err (Error)

      the error object returned from the request. Set to null if the request is successful.

    • data (Object)

      the de-serialized data returned from the request. Set to null if a request error occurs.

Returns:

  • (AWS.Request)

    a handle to the operation request for subsequent event callback registration.

disassociateFromMasterAccount(params = {}, callback) ⇒ AWS.Request

Disassociates the current GuardDuty member account from its administrator account.

When you disassociate an invited member from a GuardDuty delegated administrator, the member account details obtained from the CreateMembers API, including the associated email addresses, are retained. This is done so that the delegated administrator can invoke the InviteMembers API without the need to invoke the CreateMembers API again. To remove the details associated with a member account, the delegated administrator must invoke the DeleteMembers API.

Service Reference:

Examples:

Calling the disassociateFromMasterAccount operation

var params = {
  DetectorId: 'STRING_VALUE' /* required */
};
guardduty.disassociateFromMasterAccount(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

Parameters:

  • params (Object) (defaults to: {})
    • DetectorId — (String)

      The unique ID of the detector of the GuardDuty member account.

Callback (callback):

  • function(err, data) { ... }

    Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.

    Context (this):

    • (AWS.Response)

      the response object containing error, data properties, and the original request object.

    Parameters:

    • err (Error)

      the error object returned from the request. Set to null if the request is successful.

    • data (Object)

      the de-serialized data returned from the request. Set to null if a request error occurs.

Returns:

  • (AWS.Request)

    a handle to the operation request for subsequent event callback registration.

disassociateMembers(params = {}, callback) ⇒ AWS.Request

Disassociates GuardDuty member accounts (from the current administrator account) specified by the account IDs.

When you disassociate an invited member from a GuardDuty delegated administrator, the member account details obtained from the CreateMembers API, including the associated email addresses, are retained. This is done so that the delegated administrator can invoke the InviteMembers API without the need to invoke the CreateMembers API again. To remove the details associated with a member account, the delegated administrator must invoke the DeleteMembers API.

With autoEnableOrganizationMembers configuration for your organization set to ALL, you'll receive an error if you attempt to disassociate a member account before removing them from your organization.

Service Reference:

Examples:

Calling the disassociateMembers operation

var params = {
  AccountIds: [ /* required */
    'STRING_VALUE',
    /* more items */
  ],
  DetectorId: 'STRING_VALUE' /* required */
};
guardduty.disassociateMembers(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

Parameters:

  • params (Object) (defaults to: {})
    • DetectorId — (String)

      The unique ID of the detector of the GuardDuty account whose members you want to disassociate from the administrator account.

    • AccountIds — (Array<String>)

      A list of account IDs of the GuardDuty member accounts that you want to disassociate from the administrator account.

Callback (callback):

  • function(err, data) { ... }

    Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.

    Context (this):

    • (AWS.Response)

      the response object containing error, data properties, and the original request object.

    Parameters:

    • err (Error)

      the error object returned from the request. Set to null if the request is successful.

    • data (Object)

      the de-serialized data returned from the request. Set to null if a request error occurs. The data object has the following properties:

      • UnprocessedAccounts — (Array<map>)

        A list of objects that contain the unprocessed account and a result string that explains why it was unprocessed.

        • AccountIdrequired — (String)

          The Amazon Web Services account ID.

        • Resultrequired — (String)

          A reason why the account hasn't been processed.

Returns:

  • (AWS.Request)

    a handle to the operation request for subsequent event callback registration.

enableOrganizationAdminAccount(params = {}, callback) ⇒ AWS.Request

Designates an Amazon Web Services account within the organization as your GuardDuty delegated administrator. Only the organization's management account can run this API operation.

Service Reference:

Examples:

Calling the enableOrganizationAdminAccount operation

var params = {
  AdminAccountId: 'STRING_VALUE' /* required */
};
guardduty.enableOrganizationAdminAccount(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

Parameters:

  • params (Object) (defaults to: {})
    • AdminAccountId — (String)

      The Amazon Web Services account ID for the organization account to be enabled as a GuardDuty delegated administrator.

Callback (callback):

  • function(err, data) { ... }

    Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.

    Context (this):

    • (AWS.Response)

      the response object containing error, data properties, and the original request object.

    Parameters:

    • err (Error)

      the error object returned from the request. Set to null if the request is successful.

    • data (Object)

      the de-serialized data returned from the request. Set to null if a request error occurs.

Returns:

  • (AWS.Request)

    a handle to the operation request for subsequent event callback registration.

getAdministratorAccount(params = {}, callback) ⇒ AWS.Request

Provides the details of the GuardDuty administrator account associated with the current GuardDuty member account.

Note: If the organization's management account or a delegated administrator runs this API, it will return success (HTTP 200) but no content.

Service Reference:

Examples:

Calling the getAdministratorAccount operation

var params = {
  DetectorId: 'STRING_VALUE' /* required */
};
guardduty.getAdministratorAccount(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

Parameters:

  • params (Object) (defaults to: {})
    • DetectorId — (String)

      The unique ID of the detector of the GuardDuty member account.

Callback (callback):

  • function(err, data) { ... }

    Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.

    Context (this):

    • (AWS.Response)

      the response object containing error, data properties, and the original request object.

    Parameters:

    • err (Error)

      the error object returned from the request. Set to null if the request is successful.

    • data (Object)

      the de-serialized data returned from the request. Set to null if a request error occurs. The data object has the following properties:

      • Administrator — (map)

        The administrator account details.

        • AccountId — (String)

          The ID of the account used as the administrator account.

        • InvitationId — (String)

          The value that is used to validate the administrator account to the member account.

        • RelationshipStatus — (String)

          The status of the relationship between the administrator and member accounts.

        • InvitedAt — (String)

          The timestamp when the invitation was sent.

Returns:

  • (AWS.Request)

    a handle to the operation request for subsequent event callback registration.

getCoverageStatistics(params = {}, callback) ⇒ AWS.Request

Retrieves aggregated statistics for your account. If you are a GuardDuty administrator, you can retrieve the statistics for all the resources associated with the active member accounts in your organization who have enabled Runtime Monitoring and have the GuardDuty security agent running on their resources.

Service Reference:

Examples:

Calling the getCoverageStatistics operation

var params = {
  DetectorId: 'STRING_VALUE', /* required */
  StatisticsType: [ /* required */
    COUNT_BY_RESOURCE_TYPE | COUNT_BY_COVERAGE_STATUS,
    /* more items */
  ],
  FilterCriteria: {
    FilterCriterion: [
      {
        CriterionKey: ACCOUNT_ID | CLUSTER_NAME | RESOURCE_TYPE | COVERAGE_STATUS | ADDON_VERSION | MANAGEMENT_TYPE | EKS_CLUSTER_NAME | ECS_CLUSTER_NAME | AGENT_VERSION | INSTANCE_ID | CLUSTER_ARN,
        FilterCondition: {
          Equals: [
            'STRING_VALUE',
            /* more items */
          ],
          NotEquals: [
            'STRING_VALUE',
            /* more items */
          ]
        }
      },
      /* more items */
    ]
  }
};
guardduty.getCoverageStatistics(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

Parameters:

  • params (Object) (defaults to: {})
    • DetectorId — (String)

      The unique ID of the GuardDuty detector associated to the coverage statistics.

    • FilterCriteria — (map)

      Represents the criteria used to filter the coverage statistics

      • FilterCriterion — (Array<map>)

        Represents a condition that when matched will be added to the response of the operation.

        • CriterionKey — (String)

          An enum value representing possible filter fields.

          Note: Replace the enum value CLUSTER_NAME with EKS_CLUSTER_NAME. CLUSTER_NAME has been deprecated.
          Possible values include:
          • "ACCOUNT_ID"
          • "CLUSTER_NAME"
          • "RESOURCE_TYPE"
          • "COVERAGE_STATUS"
          • "ADDON_VERSION"
          • "MANAGEMENT_TYPE"
          • "EKS_CLUSTER_NAME"
          • "ECS_CLUSTER_NAME"
          • "AGENT_VERSION"
          • "INSTANCE_ID"
          • "CLUSTER_ARN"
        • FilterCondition — (map)

          Contains information about the condition.

          • Equals — (Array<String>)

            Represents an equal condition that is applied to a single field while retrieving the coverage details.

          • NotEquals — (Array<String>)

            Represents a not equal condition that is applied to a single field while retrieving the coverage details.

    • StatisticsType — (Array<String>)

      Represents the statistics type used to aggregate the coverage details.

Callback (callback):

  • function(err, data) { ... }

    Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.

    Context (this):

    • (AWS.Response)

      the response object containing error, data properties, and the original request object.

    Parameters:

    • err (Error)

      the error object returned from the request. Set to null if the request is successful.

    • data (Object)

      the de-serialized data returned from the request. Set to null if a request error occurs. The data object has the following properties:

      • CoverageStatistics — (map)

        Represents the count aggregated by the statusCode and resourceType.

        • CountByResourceType — (map<Integer>)

          Represents coverage statistics for EKS clusters aggregated by resource type.

        • CountByCoverageStatus — (map<Integer>)

          Represents coverage statistics for EKS clusters aggregated by coverage status.

Returns:

  • (AWS.Request)

    a handle to the operation request for subsequent event callback registration.

getDetector(params = {}, callback) ⇒ AWS.Request

Retrieves an Amazon GuardDuty detector specified by the detectorId.

There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints.

Service Reference:

Examples:

Calling the getDetector operation

var params = {
  DetectorId: 'STRING_VALUE' /* required */
};
guardduty.getDetector(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

Parameters:

  • params (Object) (defaults to: {})
    • DetectorId — (String)

      The unique ID of the detector that you want to get.

Callback (callback):

  • function(err, data) { ... }

    Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.

    Context (this):

    • (AWS.Response)

      the response object containing error, data properties, and the original request object.

    Parameters:

    • err (Error)

      the error object returned from the request. Set to null if the request is successful.

    • data (Object)

      the de-serialized data returned from the request. Set to null if a request error occurs. The data object has the following properties:

      • CreatedAt — (String)

        The timestamp of when the detector was created.

      • FindingPublishingFrequency — (String)

        The publishing frequency of the finding.

        Possible values include:
        • "FIFTEEN_MINUTES"
        • "ONE_HOUR"
        • "SIX_HOURS"
      • ServiceRole — (String)

        The GuardDuty service role.

      • Status — (String)

        The detector status.

        Possible values include:
        • "ENABLED"
        • "DISABLED"
      • UpdatedAt — (String)

        The last-updated timestamp for the detector.

      • DataSources — (map)

        Describes which data sources are enabled for the detector.

        • CloudTrailrequired — (map)

          An object that contains information on the status of CloudTrail as a data source.

          • Statusrequired — (String)

            Describes whether CloudTrail is enabled as a data source for the detector.

            Possible values include:
            • "ENABLED"
            • "DISABLED"
        • DNSLogsrequired — (map)

          An object that contains information on the status of DNS logs as a data source.

          • Statusrequired — (String)

            Denotes whether DNS logs is enabled as a data source.

            Possible values include:
            • "ENABLED"
            • "DISABLED"
        • FlowLogsrequired — (map)

          An object that contains information on the status of VPC flow logs as a data source.

          • Statusrequired — (String)

            Denotes whether VPC flow logs is enabled as a data source.

            Possible values include:
            • "ENABLED"
            • "DISABLED"
        • S3Logsrequired — (map)

          An object that contains information on the status of S3 Data event logs as a data source.

          • Statusrequired — (String)

            A value that describes whether S3 data event logs are automatically enabled for new members of the organization.

            Possible values include:
            • "ENABLED"
            • "DISABLED"
        • Kubernetes — (map)

          An object that contains information on the status of all Kubernetes data sources.

          • AuditLogsrequired — (map)

            Describes whether Kubernetes audit logs are enabled as a data source.

            • Statusrequired — (String)

              A value that describes whether Kubernetes audit logs are enabled as a data source.

              Possible values include:
              • "ENABLED"
              • "DISABLED"
        • MalwareProtection — (map)

          Describes the configuration of Malware Protection data sources.

          • ScanEc2InstanceWithFindings — (map)

            Describes the configuration of Malware Protection for EC2 instances with findings.

            • EbsVolumes — (map)

              Describes the configuration of scanning EBS volumes as a data source.

              • Status — (String)

                Describes whether scanning EBS volumes is enabled as a data source.

                Possible values include:
                • "ENABLED"
                • "DISABLED"
              • Reason — (String)

                Specifies the reason why scanning EBS volumes (Malware Protection) was not enabled as a data source.

          • ServiceRole — (String)

            The GuardDuty Malware Protection service role.

      • Tags — (map<String>)

        The tags of the detector resource.

      • Features — (Array<map>)

        Describes the features that have been enabled for the detector.

        • Name — (String)

          Indicates the name of the feature that can be enabled for the detector.

          Possible values include:
          • "FLOW_LOGS"
          • "CLOUD_TRAIL"
          • "DNS_LOGS"
          • "S3_DATA_EVENTS"
          • "EKS_AUDIT_LOGS"
          • "EBS_MALWARE_PROTECTION"
          • "RDS_LOGIN_EVENTS"
          • "EKS_RUNTIME_MONITORING"
          • "LAMBDA_NETWORK_LOGS"
          • "RUNTIME_MONITORING"
        • Status — (String)

          Indicates the status of the feature that is enabled for the detector.

          Possible values include:
          • "ENABLED"
          • "DISABLED"
        • UpdatedAt — (Date)

          The timestamp at which the feature object was updated.

        • AdditionalConfiguration — (Array<map>)

          Additional configuration for a resource.

          • Name — (String)

            Name of the additional configuration.

            Possible values include:
            • "EKS_ADDON_MANAGEMENT"
            • "ECS_FARGATE_AGENT_MANAGEMENT"
          • Status — (String)

            Status of the additional configuration.

            Possible values include:
            • "ENABLED"
            • "DISABLED"
          • UpdatedAt — (Date)

            The timestamp at which the additional configuration was last updated. This is in UTC format.

Returns:

  • (AWS.Request)

    a handle to the operation request for subsequent event callback registration.

getFilter(params = {}, callback) ⇒ AWS.Request

Returns the details of the filter specified by the filter name.

Service Reference:

Examples:

Calling the getFilter operation

var params = {
  DetectorId: 'STRING_VALUE', /* required */
  FilterName: 'STRING_VALUE' /* required */
};
guardduty.getFilter(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

Parameters:

  • params (Object) (defaults to: {})
    • DetectorId — (String)

      The unique ID of the detector that the filter is associated with.

    • FilterName — (String)

      The name of the filter you want to get.

Callback (callback):

  • function(err, data) { ... }

    Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.

    Context (this):

    • (AWS.Response)

      the response object containing error, data properties, and the original request object.

    Parameters:

    • err (Error)

      the error object returned from the request. Set to null if the request is successful.

    • data (Object)

      the de-serialized data returned from the request. Set to null if a request error occurs. The data object has the following properties:

      • Name — (String)

        The name of the filter.

      • Description — (String)

        The description of the filter.

      • Action — (String)

        Specifies the action that is to be applied to the findings that match the filter.

        Possible values include:
        • "NOOP"
        • "ARCHIVE"
      • Rank — (Integer)

        Specifies the position of the filter in the list of current filters. Also specifies the order in which this filter is applied to the findings.

      • FindingCriteria — (map)

        Represents the criteria to be used in the filter for querying findings.

        • Criterion — (map<map>)

          Represents a map of finding properties that match specified conditions and values when querying findings.

          • Eq — (Array<String>)

            Represents the equal condition to be applied to a single field when querying for findings.

          • Neq — (Array<String>)

            Represents the not equal condition to be applied to a single field when querying for findings.

          • Gt — (Integer)

            Represents a greater than condition to be applied to a single field when querying for findings.

          • Gte — (Integer)

            Represents a greater than or equal condition to be applied to a single field when querying for findings.

          • Lt — (Integer)

            Represents a less than condition to be applied to a single field when querying for findings.

          • Lte — (Integer)

            Represents a less than or equal condition to be applied to a single field when querying for findings.

          • Equals — (Array<String>)

            Represents an equal condition to be applied to a single field when querying for findings.

          • NotEquals — (Array<String>)

            Represents a not equal condition to be applied to a single field when querying for findings.

          • GreaterThan — (Integer)

            Represents a greater than condition to be applied to a single field when querying for findings.

          • GreaterThanOrEqual — (Integer)

            Represents a greater than or equal condition to be applied to a single field when querying for findings.

          • LessThan — (Integer)

            Represents a less than condition to be applied to a single field when querying for findings.

          • LessThanOrEqual — (Integer)

            Represents a less than or equal condition to be applied to a single field when querying for findings.

      • Tags — (map<String>)

        The tags of the filter resource.

Returns:

  • (AWS.Request)

    a handle to the operation request for subsequent event callback registration.

getFindings(params = {}, callback) ⇒ AWS.Request

Describes Amazon GuardDuty findings specified by finding IDs.

Service Reference:

Examples:

Calling the getFindings operation

var params = {
  DetectorId: 'STRING_VALUE', /* required */
  FindingIds: [ /* required */
    'STRING_VALUE',
    /* more items */
  ],
  SortCriteria: {
    AttributeName: 'STRING_VALUE',
    OrderBy: ASC | DESC
  }
};
guardduty.getFindings(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

Parameters:

  • params (Object) (defaults to: {})
    • DetectorId — (String)

      The ID of the detector that specifies the GuardDuty service whose findings you want to retrieve.

    • FindingIds — (Array<String>)

      The IDs of the findings that you want to retrieve.

    • SortCriteria — (map)

      Represents the criteria used for sorting findings.

      • AttributeName — (String)

        Represents the finding attribute, such as accountId, that sorts the findings.

      • OrderBy — (String)

        The order by which the sorted findings are to be displayed.

        Possible values include:
        • "ASC"
        • "DESC"

Callback (callback):

  • function(err, data) { ... }

    Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.

    Context (this):

    • (AWS.Response)

      the response object containing error, data properties, and the original request object.

    Parameters:

    • err (Error)

      the error object returned from the request. Set to null if the request is successful.

    • data (Object)

      the de-serialized data returned from the request. Set to null if a request error occurs. The data object has the following properties:

      • Findings — (Array<map>)

        A list of findings.

        • AccountIdrequired — (String)

          The ID of the account in which the finding was generated.

        • Arnrequired — (String)

          The ARN of the finding.

        • Confidence — (Float)

          The confidence score for the finding.

        • CreatedAtrequired — (String)

          The time and date when the finding was created.

        • Description — (String)

          The description of the finding.

        • Idrequired — (String)

          The ID of the finding.

        • Partition — (String)

          The partition associated with the finding.

        • Regionrequired — (String)

          The Region where the finding was generated.

        • Resourcerequired — (map)

          Contains information about the Amazon Web Services resource associated with the activity that prompted GuardDuty to generate a finding.

          • AccessKeyDetails — (map)

            The IAM access key details (user information) of a user that engaged in the activity that prompted GuardDuty to generate a finding.

            • AccessKeyId — (String)

              The access key ID of the user.

            • PrincipalId — (String)

              The principal ID of the user.

            • UserName — (String)

              The name of the user.

            • UserType — (String)

              The type of the user.

          • S3BucketDetails — (Array<map>)

            Contains information on the S3 bucket.

            • Arn — (String)

              The Amazon Resource Name (ARN) of the S3 bucket.

            • Name — (String)

              The name of the S3 bucket.

            • Type — (String)

              Describes whether the bucket is a source or destination bucket.

            • CreatedAt — (Date)

              The date and time the bucket was created at.

            • Owner — (map)

              The owner of the S3 bucket.

            • Tags — (Array<map>)

              All tags attached to the S3 bucket

              • Key — (String)

                The EC2 instance tag key.

              • Value — (String)

                The EC2 instance tag value.

            • DefaultServerSideEncryption — (map)

              Describes the server side encryption method used in the S3 bucket.

              • EncryptionType — (String)

                The type of encryption used for objects within the S3 bucket.

              • KmsMasterKeyArn — (String)

                The Amazon Resource Name (ARN) of the KMS encryption key. Only available if the bucket EncryptionType is aws:kms.

            • PublicAccess — (map)

              Describes the public access policies that apply to the S3 bucket.

              • PermissionConfiguration — (map)

                Contains information about how permissions are configured for the S3 bucket.

                • BucketLevelPermissions — (map)

                  Contains information about the bucket level permissions for the S3 bucket.

                  • AccessControlList — (map)

                    Contains information on how Access Control Policies are applied to the bucket.

                    • AllowsPublicReadAccess — (Boolean)

                      A value that indicates whether public read access for the bucket is enabled through an Access Control List (ACL).

                    • AllowsPublicWriteAccess — (Boolean)

                      A value that indicates whether public write access for the bucket is enabled through an Access Control List (ACL).

                  • BucketPolicy — (map)

                    Contains information on the bucket policies for the S3 bucket.

                    • AllowsPublicReadAccess — (Boolean)

                      A value that indicates whether public read access for the bucket is enabled through a bucket policy.

                    • AllowsPublicWriteAccess — (Boolean)

                      A value that indicates whether public write access for the bucket is enabled through a bucket policy.

                  • BlockPublicAccess — (map)

                    Contains information on which account level S3 Block Public Access settings are applied to the S3 bucket.

                    • IgnorePublicAcls — (Boolean)

                      Indicates if S3 Block Public Access is set to IgnorePublicAcls.

                    • RestrictPublicBuckets — (Boolean)

                      Indicates if S3 Block Public Access is set to RestrictPublicBuckets.

                    • BlockPublicAcls — (Boolean)

                      Indicates if S3 Block Public Access is set to BlockPublicAcls.

                    • BlockPublicPolicy — (Boolean)

                      Indicates if S3 Block Public Access is set to BlockPublicPolicy.

                • AccountLevelPermissions — (map)

                  Contains information about the account level permissions on the S3 bucket.

                  • BlockPublicAccess — (map)

                    Describes the S3 Block Public Access settings of the bucket's parent account.

                    • IgnorePublicAcls — (Boolean)

                      Indicates if S3 Block Public Access is set to IgnorePublicAcls.

                    • RestrictPublicBuckets — (Boolean)

                      Indicates if S3 Block Public Access is set to RestrictPublicBuckets.

                    • BlockPublicAcls — (Boolean)

                      Indicates if S3 Block Public Access is set to BlockPublicAcls.

                    • BlockPublicPolicy — (Boolean)

                      Indicates if S3 Block Public Access is set to BlockPublicPolicy.

              • EffectivePermission — (String)

                Describes the effective permission on this bucket after factoring all attached policies.

          • InstanceDetails — (map)

            The information about the EC2 instance associated with the activity that prompted GuardDuty to generate a finding.

            • AvailabilityZone — (String)

              The Availability Zone of the EC2 instance.

            • IamInstanceProfile — (map)

              The profile information of the EC2 instance.

              • Arn — (String)

                The profile ARN of the EC2 instance.

              • Id — (String)

                The profile ID of the EC2 instance.

            • ImageDescription — (String)

              The image description of the EC2 instance.

            • ImageId — (String)

              The image ID of the EC2 instance.

            • InstanceId — (String)

              The ID of the EC2 instance.

            • InstanceState — (String)

              The state of the EC2 instance.

            • InstanceType — (String)

              The type of the EC2 instance.

            • OutpostArn — (String)

              The Amazon Resource Name (ARN) of the Amazon Web Services Outpost. Only applicable to Amazon Web Services Outposts instances.

            • LaunchTime — (String)

              The launch time of the EC2 instance.

            • NetworkInterfaces — (Array<map>)

              The elastic network interface information of the EC2 instance.

              • Ipv6Addresses — (Array<String>)

                A list of IPv6 addresses for the EC2 instance.

              • NetworkInterfaceId — (String)

                The ID of the network interface.

              • PrivateDnsName — (String)

                The private DNS name of the EC2 instance.

              • PrivateIpAddress — (String)

                The private IP address of the EC2 instance.

              • PrivateIpAddresses — (Array<map>)

                Other private IP address information of the EC2 instance.

                • PrivateDnsName — (String)

                  The private DNS name of the EC2 instance.

                • PrivateIpAddress — (String)

                  The private IP address of the EC2 instance.

              • PublicDnsName — (String)

                The public DNS name of the EC2 instance.

              • PublicIp — (String)

                The public IP address of the EC2 instance.

              • SecurityGroups — (Array<map>)

                The security groups associated with the EC2 instance.

                • GroupId — (String)

                  The security group ID of the EC2 instance.

                • GroupName — (String)

                  The security group name of the EC2 instance.

              • SubnetId — (String)

                The subnet ID of the EC2 instance.

              • VpcId — (String)

                The VPC ID of the EC2 instance.

            • Platform — (String)

              The platform of the EC2 instance.

            • ProductCodes — (Array<map>)

              The product code of the EC2 instance.

              • Code — (String)

                The product code information.

              • ProductType — (String)

                The product code type.

            • Tags — (Array<map>)

              The tags of the EC2 instance.

              • Key — (String)

                The EC2 instance tag key.

              • Value — (String)

                The EC2 instance tag value.

          • EksClusterDetails — (map)

            Details about the EKS cluster involved in a Kubernetes finding.

            • Name — (String)

              EKS cluster name.

            • Arn — (String)

              EKS cluster ARN.

            • VpcId — (String)

              The VPC ID to which the EKS cluster is attached.

            • Status — (String)

              The EKS cluster status.

            • Tags — (Array<map>)

              The EKS cluster tags.

              • Key — (String)

                The EC2 instance tag key.

              • Value — (String)

                The EC2 instance tag value.

            • CreatedAt — (Date)

              The timestamp when the EKS cluster was created.

          • KubernetesDetails — (map)

            Details about the Kubernetes user and workload involved in a Kubernetes finding.

            • KubernetesUserDetails — (map)

              Details about the Kubernetes user involved in a Kubernetes finding.

              • Username — (String)

                The username of the user who called the Kubernetes API.

              • Uid — (String)

                The user ID of the user who called the Kubernetes API.

              • Groups — (Array<String>)

                The groups that include the user who called the Kubernetes API.

              • SessionName — (Array<String>)

                Entity that assumes the IAM role when Kubernetes RBAC permissions are assigned to that role.

              • ImpersonatedUser — (map)

                Information about the impersonated user.

                • Username — (String)

                  Information about the username that was being impersonated.

                • Groups — (Array<String>)

                  The group to which the user name belongs.

            • KubernetesWorkloadDetails — (map)

              Details about the Kubernetes workload involved in a Kubernetes finding.

              • Name — (String)

                Kubernetes workload name.

              • Type — (String)

                Kubernetes workload type (e.g. Pod, Deployment, etc.).

              • Uid — (String)

                Kubernetes workload ID.

              • Namespace — (String)

                Kubernetes namespace that the workload is part of.

              • HostNetwork — (Boolean)

                Whether the hostNetwork flag is enabled for the pods included in the workload.

              • Containers — (Array<map>)

                Containers running as part of the Kubernetes workload.

                • ContainerRuntime — (String)

                  The container runtime (such as, Docker or containerd) used to run the container.

                • Id — (String)

                  Container ID.

                • Name — (String)

                  Container name.

                • Image — (String)

                  Container image.

                • ImagePrefix — (String)

                  Part of the image name before the last slash. For example, imagePrefix for public.ecr.aws/amazonlinux/amazonlinux:latest would be public.ecr.aws/amazonlinux. If the image name is relative and does not have a slash, this field is empty.

                • VolumeMounts — (Array<map>)

                  Container volume mounts.

                  • Name — (String)

                    Volume mount name.

                  • MountPath — (String)

                    Volume mount path.

                • SecurityContext — (map)

                  Container security context.

                  • Privileged — (Boolean)

                    Whether the container is privileged.

                  • AllowPrivilegeEscalation — (Boolean)

                    Whether or not a container or a Kubernetes pod is allowed to gain more privileges than its parent process.

              • Volumes — (Array<map>)

                Volumes used by the Kubernetes workload.

                • Name — (String)

                  Volume name.

                • HostPath — (map)

                  Represents a pre-existing file or directory on the host machine that the volume maps to.

                  • Path — (String)

                    Path of the file or directory on the host that the volume maps to.

              • ServiceAccountName — (String)

                The service account name that is associated with a Kubernetes workload.

              • HostIPC — (Boolean)

                Whether the host IPC flag is enabled for the pods in the workload.

              • HostPID — (Boolean)

                Whether the host PID flag is enabled for the pods in the workload.

          • ResourceType — (String)

            The type of Amazon Web Services resource.

          • EbsVolumeDetails — (map)

            Contains list of scanned and skipped EBS volumes with details.

            • ScannedVolumeDetails — (Array<map>)

              List of EBS volumes that were scanned.

              • VolumeArn — (String)

                EBS volume Arn information.

              • VolumeType — (String)

                The EBS volume type.

              • DeviceName — (String)

                The device name for the EBS volume.

              • VolumeSizeInGB — (Integer)

                EBS volume size in GB.

              • EncryptionType — (String)

                EBS volume encryption type.

              • SnapshotArn — (String)

                Snapshot Arn of the EBS volume.

              • KmsKeyArn — (String)

                KMS key Arn used to encrypt the EBS volume.

            • SkippedVolumeDetails — (Array<map>)

              List of EBS volumes that were skipped from the malware scan.

              • VolumeArn — (String)

                EBS volume Arn information.

              • VolumeType — (String)

                The EBS volume type.

              • DeviceName — (String)

                The device name for the EBS volume.

              • VolumeSizeInGB — (Integer)

                EBS volume size in GB.

              • EncryptionType — (String)

                EBS volume encryption type.

              • SnapshotArn — (String)

                Snapshot Arn of the EBS volume.

              • KmsKeyArn — (String)

                KMS key Arn used to encrypt the EBS volume.

          • EcsClusterDetails — (map)

            Contains information about the details of the ECS Cluster.

            • Name — (String)

              The name of the ECS Cluster.

            • Arn — (String)

              The Amazon Resource Name (ARN) that identifies the cluster.

            • Status — (String)

              The status of the ECS cluster.

            • ActiveServicesCount — (Integer)

              The number of services that are running on the cluster in an ACTIVE state.

            • RegisteredContainerInstancesCount — (Integer)

              The number of container instances registered into the cluster.

            • RunningTasksCount — (Integer)

              The number of tasks in the cluster that are in the RUNNING state.

            • Tags — (Array<map>)

              The tags of the ECS Cluster.

              • Key — (String)

                The EC2 instance tag key.

              • Value — (String)

                The EC2 instance tag value.

            • TaskDetails — (map)

              Contains information about the details of the ECS Task.

              • Arn — (String)

                The Amazon Resource Name (ARN) of the task.

              • DefinitionArn — (String)

                The ARN of the task definition that creates the task.

              • Version — (String)

                The version counter for the task.

              • TaskCreatedAt — (Date)

                The Unix timestamp for the time when the task was created.

              • StartedAt — (Date)

                The Unix timestamp for the time when the task started.

              • StartedBy — (String)

                Contains the tag specified when a task is started.

              • Tags — (Array<map>)

                The tags of the ECS Task.

                • Key — (String)

                  The EC2 instance tag key.

                • Value — (String)

                  The EC2 instance tag value.

              • Volumes — (Array<map>)

                The list of data volume definitions for the task.

                • Name — (String)

                  Volume name.

                • HostPath — (map)

                  Represents a pre-existing file or directory on the host machine that the volume maps to.

                  • Path — (String)

                    Path of the file or directory on the host that the volume maps to.

              • Containers — (Array<map>)

                The containers that's associated with the task.

                • ContainerRuntime — (String)

                  The container runtime (such as, Docker or containerd) used to run the container.

                • Id — (String)

                  Container ID.

                • Name — (String)

                  Container name.

                • Image — (String)

                  Container image.

                • ImagePrefix — (String)

                  Part of the image name before the last slash. For example, imagePrefix for public.ecr.aws/amazonlinux/amazonlinux:latest would be public.ecr.aws/amazonlinux. If the image name is relative and does not have a slash, this field is empty.

                • VolumeMounts — (Array<map>)

                  Container volume mounts.

                  • Name — (String)

                    Volume mount name.

                  • MountPath — (String)

                    Volume mount path.

                • SecurityContext — (map)

                  Container security context.

                  • Privileged — (Boolean)

                    Whether the container is privileged.

                  • AllowPrivilegeEscalation — (Boolean)

                    Whether or not a container or a Kubernetes pod is allowed to gain more privileges than its parent process.

              • Group — (String)

                The name of the task group that's associated with the task.

          • ContainerDetails — (map)

            Details of a container.

            • ContainerRuntime — (String)

              The container runtime (such as, Docker or containerd) used to run the container.

            • Id — (String)

              Container ID.

            • Name — (String)

              Container name.

            • Image — (String)

              Container image.

            • ImagePrefix — (String)

              Part of the image name before the last slash. For example, imagePrefix for public.ecr.aws/amazonlinux/amazonlinux:latest would be public.ecr.aws/amazonlinux. If the image name is relative and does not have a slash, this field is empty.

            • VolumeMounts — (Array<map>)

              Container volume mounts.

              • Name — (String)

                Volume mount name.

              • MountPath — (String)

                Volume mount path.

            • SecurityContext — (map)

              Container security context.

              • Privileged — (Boolean)

                Whether the container is privileged.

              • AllowPrivilegeEscalation — (Boolean)

                Whether or not a container or a Kubernetes pod is allowed to gain more privileges than its parent process.

          • RdsDbInstanceDetails — (map)

            Contains information about the database instance to which an anomalous login attempt was made.

            • DbInstanceIdentifier — (String)

              The identifier associated to the database instance that was involved in the finding.

            • Engine — (String)

              The database engine of the database instance involved in the finding.

            • EngineVersion — (String)

              The version of the database engine that was involved in the finding.

            • DbClusterIdentifier — (String)

              The identifier of the database cluster that contains the database instance ID involved in the finding.

            • DbInstanceArn — (String)

              The Amazon Resource Name (ARN) that identifies the database instance involved in the finding.

            • Tags — (Array<map>)

              Instance tag key-value pairs associated with the database instance ID.

              • Key — (String)

                The EC2 instance tag key.

              • Value — (String)

                The EC2 instance tag value.

          • RdsDbUserDetails — (map)

            Contains information about the user details through which anomalous login attempt was made.

            • User — (String)

              The user name used in the anomalous login attempt.

            • Application — (String)

              The application name used in the anomalous login attempt.

            • Database — (String)

              The name of the database instance involved in the anomalous login attempt.

            • Ssl — (String)

              The version of the Secure Socket Layer (SSL) used for the network.

            • AuthMethod — (String)

              The authentication method used by the user involved in the finding.

          • LambdaDetails — (map)

            Contains information about the Lambda function that was involved in a finding.

            • FunctionArn — (String)

              Amazon Resource Name (ARN) of the Lambda function.

            • FunctionName — (String)

              Name of the Lambda function.

            • Description — (String)

              Description of the Lambda function.

            • LastModifiedAt — (Date)

              The timestamp when the Lambda function was last modified. This field is in the UTC date string format (2023-03-22T19:37:20.168Z).

            • RevisionId — (String)

              The revision ID of the Lambda function version.

            • FunctionVersion — (String)

              The version of the Lambda function.

            • Role — (String)

              The execution role of the Lambda function.

            • VpcConfig — (map)

              Amazon Virtual Private Cloud configuration details associated with your Lambda function.

              • SubnetIds — (Array<String>)

                The identifiers of the subnets that are associated with your Lambda function.

              • VpcId — (String)

                The identifier of the Amazon Virtual Private Cloud.

              • SecurityGroups — (Array<map>)

                The identifier of the security group attached to the Lambda function.

                • GroupId — (String)

                  The security group ID of the EC2 instance.

                • GroupName — (String)

                  The security group name of the EC2 instance.

            • Tags — (Array<map>)

              A list of tags attached to this resource, listed in the format of key:value pair.

              • Key — (String)

                The EC2 instance tag key.

              • Value — (String)

                The EC2 instance tag value.

        • SchemaVersionrequired — (String)

          The version of the schema used for the finding.

        • Service — (map)

          Contains additional information about the generated finding.

          • Action — (map)

            Information about the activity that is described in a finding.

            • ActionType — (String)

              The GuardDuty finding activity type.

            • AwsApiCallAction — (map)

              Information about the AWS_API_CALL action described in this finding.

              • Api — (String)

                The Amazon Web Services API name.

              • CallerType — (String)

                The Amazon Web Services API caller type.

              • DomainDetails — (map)

                The domain information for the Amazon Web Services API call.

                • Domain — (String)

                  The domain information for the Amazon Web Services API call.

              • ErrorCode — (String)

                The error code of the failed Amazon Web Services API action.

              • UserAgent — (String)

                The agent through which the API request was made.

              • RemoteIpDetails — (map)

                The remote IP information of the connection that initiated the Amazon Web Services API call.

                • City — (map)

                  The city information of the remote IP address.

                  • CityName — (String)

                    The city name of the remote IP address.

                • Country — (map)

                  The country code of the remote IP address.

                  • CountryCode — (String)

                    The country code of the remote IP address.

                  • CountryName — (String)

                    The country name of the remote IP address.

                • GeoLocation — (map)

                  The location information of the remote IP address.

                  • Lat — (Float)

                    The latitude information of the remote IP address.

                  • Lon — (Float)

                    The longitude information of the remote IP address.

                • IpAddressV4 — (String)

                  The IPv4 remote address of the connection.

                • Organization — (map)

                  The ISP organization information of the remote IP address.

                  • Asn — (String)

                    The Autonomous System Number (ASN) of the internet provider of the remote IP address.

                  • AsnOrg — (String)

                    The organization that registered this ASN.

                  • Isp — (String)

                    The ISP information for the internet provider.

                  • Org — (String)

                    The name of the internet provider.

              • ServiceName — (String)

                The Amazon Web Services service name whose API was invoked.

              • RemoteAccountDetails — (map)

                The details of the Amazon Web Services account that made the API call. This field appears if the call was made from outside your account.

                • AccountId — (String)

                  The Amazon Web Services account ID of the remote API caller.

                • Affiliated — (Boolean)

                  Details on whether the Amazon Web Services account of the remote API caller is related to your GuardDuty environment. If this value is True the API caller is affiliated to your account in some way. If it is False the API caller is from outside your environment.

              • AffectedResources — (map<String>)

                The details of the Amazon Web Services account that made the API call. This field identifies the resources that were affected by this API call.

            • DnsRequestAction — (map)

              Information about the DNS_REQUEST action described in this finding.

              • Domain — (String)

                The domain information for the DNS query.

              • Protocol — (String)

                The network connection protocol observed in the activity that prompted GuardDuty to generate the finding.

              • Blocked — (Boolean)

                Indicates whether the targeted port is blocked.

              • DomainWithSuffix — (String)

                The second and top level domain involved in the activity that prompted GuardDuty to generate this finding.

            • NetworkConnectionAction — (map)

              Information about the NETWORK_CONNECTION action described in this finding.

              • Blocked — (Boolean)

                Indicates whether EC2 blocked the network connection to your instance.

              • ConnectionDirection — (String)

                The network connection direction.

              • LocalPortDetails — (map)

                The local port information of the connection.

                • Port — (Integer)

                  The port number of the local connection.

                • PortName — (String)

                  The port name of the local connection.

              • Protocol — (String)

                The network connection protocol.

              • LocalIpDetails — (map)

                The local IP information of the connection.

                • IpAddressV4 — (String)

                  The IPv4 local address of the connection.

              • RemoteIpDetails — (map)

                The remote IP information of the connection.

                • City — (map)

                  The city information of the remote IP address.

                  • CityName — (String)

                    The city name of the remote IP address.

                • Country — (map)

                  The country code of the remote IP address.

                  • CountryCode — (String)

                    The country code of the remote IP address.

                  • CountryName — (String)

                    The country name of the remote IP address.

                • GeoLocation — (map)

                  The location information of the remote IP address.

                  • Lat — (Float)

                    The latitude information of the remote IP address.

                  • Lon — (Float)

                    The longitude information of the remote IP address.

                • IpAddressV4 — (String)

                  The IPv4 remote address of the connection.

                • Organization — (map)

                  The ISP organization information of the remote IP address.

                  • Asn — (String)

                    The Autonomous System Number (ASN) of the internet provider of the remote IP address.

                  • AsnOrg — (String)

                    The organization that registered this ASN.

                  • Isp — (String)

                    The ISP information for the internet provider.

                  • Org — (String)

                    The name of the internet provider.

              • RemotePortDetails — (map)

                The remote port information of the connection.

                • Port — (Integer)

                  The port number of the remote connection.

                • PortName — (String)

                  The port name of the remote connection.

            • PortProbeAction — (map)

              Information about the PORT_PROBE action described in this finding.

              • Blocked — (Boolean)

                Indicates whether EC2 blocked the port probe to the instance, such as with an ACL.

              • PortProbeDetails — (Array<map>)

                A list of objects related to port probe details.

                • LocalPortDetails — (map)

                  The local port information of the connection.

                  • Port — (Integer)

                    The port number of the local connection.

                  • PortName — (String)

                    The port name of the local connection.

                • LocalIpDetails — (map)

                  The local IP information of the connection.

                  • IpAddressV4 — (String)

                    The IPv4 local address of the connection.

                • RemoteIpDetails — (map)

                  The remote IP information of the connection.

                  • City — (map)

                    The city information of the remote IP address.

                    • CityName — (String)

                      The city name of the remote IP address.

                  • Country — (map)

                    The country code of the remote IP address.

                    • CountryCode — (String)

                      The country code of the remote IP address.

                    • CountryName — (String)

                      The country name of the remote IP address.

                  • GeoLocation — (map)

                    The location information of the remote IP address.

                    • Lat — (Float)

                      The latitude information of the remote IP address.

                    • Lon — (Float)

                      The longitude information of the remote IP address.

                  • IpAddressV4 — (String)

                    The IPv4 remote address of the connection.

                  • Organization — (map)

                    The ISP organization information of the remote IP address.

                    • Asn — (String)

                      The Autonomous System Number (ASN) of the internet provider of the remote IP address.

                    • AsnOrg — (String)

                      The organization that registered this ASN.

                    • Isp — (String)

                      The ISP information for the internet provider.

                    • Org — (String)

                      The name of the internet provider.

            • KubernetesApiCallAction — (map)

              Information about the Kubernetes API call action described in this finding.

              • RequestUri — (String)

                The Kubernetes API request URI.

              • Verb — (String)

                The Kubernetes API request HTTP verb.

              • SourceIps — (Array<String>)

                The IP of the Kubernetes API caller and the IPs of any proxies or load balancers between the caller and the API endpoint.

              • UserAgent — (String)

                The user agent of the caller of the Kubernetes API.

              • RemoteIpDetails — (map)

                Contains information about the remote IP address of the connection.

                • City — (map)

                  The city information of the remote IP address.

                  • CityName — (String)

                    The city name of the remote IP address.

                • Country — (map)

                  The country code of the remote IP address.

                  • CountryCode — (String)

                    The country code of the remote IP address.

                  • CountryName — (String)

                    The country name of the remote IP address.

                • GeoLocation — (map)

                  The location information of the remote IP address.

                  • Lat — (Float)

                    The latitude information of the remote IP address.

                  • Lon — (Float)

                    The longitude information of the remote IP address.

                • IpAddressV4 — (String)

                  The IPv4 remote address of the connection.

                • Organization — (map)

                  The ISP organization information of the remote IP address.

                  • Asn — (String)

                    The Autonomous System Number (ASN) of the internet provider of the remote IP address.

                  • AsnOrg — (String)

                    The organization that registered this ASN.

                  • Isp — (String)

                    The ISP information for the internet provider.

                  • Org — (String)

                    The name of the internet provider.

              • StatusCode — (Integer)

                The resulting HTTP response code of the Kubernetes API call action.

              • Parameters — (String)

                Parameters related to the Kubernetes API call action.

              • Resource — (String)

                The resource component in the Kubernetes API call action.

              • Subresource — (String)

                The name of the sub-resource in the Kubernetes API call action.

              • Namespace — (String)

                The name of the namespace where the Kubernetes API call action takes place.

              • ResourceName — (String)

                The name of the resource in the Kubernetes API call action.

            • RdsLoginAttemptAction — (map)

              Information about RDS_LOGIN_ATTEMPT action described in this finding.

              • RemoteIpDetails — (map)

                Contains information about the remote IP address of the connection.

                • City — (map)

                  The city information of the remote IP address.

                  • CityName — (String)

                    The city name of the remote IP address.

                • Country — (map)

                  The country code of the remote IP address.

                  • CountryCode — (String)

                    The country code of the remote IP address.

                  • CountryName — (String)

                    The country name of the remote IP address.

                • GeoLocation — (map)

                  The location information of the remote IP address.

                  • Lat — (Float)

                    The latitude information of the remote IP address.

                  • Lon — (Float)

                    The longitude information of the remote IP address.

                • IpAddressV4 — (String)

                  The IPv4 remote address of the connection.

                • Organization — (map)

                  The ISP organization information of the remote IP address.

                  • Asn — (String)

                    The Autonomous System Number (ASN) of the internet provider of the remote IP address.

                  • AsnOrg — (String)

                    The organization that registered this ASN.

                  • Isp — (String)

                    The ISP information for the internet provider.

                  • Org — (String)

                    The name of the internet provider.

              • LoginAttributes — (Array<map>)

                Indicates the login attributes used in the login attempt.

                • User — (String)

                  Indicates the user name which attempted to log in.

                • Application — (String)

                  Indicates the application name used to attempt log in.

                • FailedLoginAttempts — (Integer)

                  Represents the sum of failed (unsuccessful) login attempts made to establish a connection to the database instance.

                • SuccessfulLoginAttempts — (Integer)

                  Represents the sum of successful connections (a correct combination of login attributes) made to the database instance by the actor.

            • KubernetesPermissionCheckedDetails — (map)

              Information whether the user has the permission to use a specific Kubernetes API.

              • Verb — (String)

                The verb component of the Kubernetes API call. For example, when you check whether or not you have the permission to call the CreatePod API, the verb component will be Create.

              • Resource — (String)

                The Kubernetes resource with which your Kubernetes API call will interact.

              • Namespace — (String)

                The namespace where the Kubernetes API action will take place.

              • Allowed — (Boolean)

                Information whether the user has the permission to call the Kubernetes API.

            • KubernetesRoleBindingDetails — (map)

              Information about the role binding that grants the permission defined in a Kubernetes role.

              • Kind — (String)

                The kind of the role. For role binding, this value will be RoleBinding.

              • Name — (String)

                The name of the RoleBinding.

              • Uid — (String)

                The unique identifier of the role binding.

              • RoleRefName — (String)

                The name of the role being referenced. This must match the name of the Role or ClusterRole that you want to bind to.

              • RoleRefKind — (String)

                The type of the role being referenced. This could be either Role or ClusterRole.

            • KubernetesRoleDetails — (map)

              Information about the Kubernetes role name and role type.

              • Kind — (String)

                The kind of role. For this API, the value of kind will be Role.

              • Name — (String)

                The name of the Kubernetes role.

              • Uid — (String)

                The unique identifier of the Kubernetes role name.

          • Evidence — (map)

            An evidence object associated with the service.

            • ThreatIntelligenceDetails — (Array<map>)

              A list of threat intelligence details related to the evidence.

              • ThreatListName — (String)

                The name of the threat intelligence list that triggered the finding.

              • ThreatNames — (Array<String>)

                A list of names of the threats in the threat intelligence list that triggered the finding.

          • Archived — (Boolean)

            Indicates whether this finding is archived.

          • Count — (Integer)

            The total count of the occurrences of this finding type.

          • DetectorId — (String)

            The detector ID for the GuardDuty service.

          • EventFirstSeen — (String)

            The first-seen timestamp of the activity that prompted GuardDuty to generate this finding.

          • EventLastSeen — (String)

            The last-seen timestamp of the activity that prompted GuardDuty to generate this finding.

          • ResourceRole — (String)

            The resource role information for this finding.

          • ServiceName — (String)

            The name of the Amazon Web Services service (GuardDuty) that generated a finding.

          • UserFeedback — (String)

            Feedback that was submitted about the finding.

          • AdditionalInfo — (map)

            Contains additional information about the generated finding.

            • Value — (String)

              This field specifies the value of the additional information.

            • Type — (String)

              Describes the type of the additional information.

          • FeatureName — (String)

            The name of the feature that generated a finding.

          • EbsVolumeScanDetails — (map)

            Returns details from the malware scan that created a finding.

            • ScanId — (String)

              Unique Id of the malware scan that generated the finding.

            • ScanStartedAt — (Date)

              Returns the start date and time of the malware scan.

            • ScanCompletedAt — (Date)

              Returns the completion date and time of the malware scan.

            • TriggerFindingId — (String)

              GuardDuty finding ID that triggered a malware scan.

            • Sources — (Array<String>)

              Contains list of threat intelligence sources used to detect threats.

            • ScanDetections — (map)

              Contains a complete view providing malware scan result details.

              • ScannedItemCount — (map)

                Total number of scanned files.

                • TotalGb — (Integer)

                  Total GB of files scanned for malware.

                • Files — (Integer)

                  Number of files scanned.

                • Volumes — (Integer)

                  Total number of scanned volumes.

              • ThreatsDetectedItemCount — (map)

                Total number of infected files.

                • Files — (Integer)

                  Total number of infected files.

              • HighestSeverityThreatDetails — (map)

                Details of the highest severity threat detected during malware scan and number of infected files.

                • Severity — (String)

                  Severity level of the highest severity threat detected.

                • ThreatName — (String)

                  Threat name of the highest severity threat detected as part of the malware scan.

                • Count — (Integer)

                  Total number of infected files with the highest severity threat detected.

              • ThreatDetectedByName — (map)

                Contains details about identified threats organized by threat name.

                • ItemCount — (Integer)

                  Total number of infected files identified.

                • UniqueThreatNameCount — (Integer)

                  Total number of unique threats by name identified, as part of the malware scan.

                • Shortened — (Boolean)

                  Flag to determine if the finding contains every single infected file-path and/or every threat.

                • ThreatNames — (Array<map>)

                  List of identified threats with details, organized by threat name.

                  • Name — (String)

                    The name of the identified threat.

                  • Severity — (String)

                    Severity of threat identified as part of the malware scan.

                  • ItemCount — (Integer)

                    Total number of files infected with given threat.

                  • FilePaths — (Array<map>)

                    List of infected files in EBS volume with details.

                    • FilePath — (String)

                      The file path of the infected file.

                    • VolumeArn — (String)

                      EBS volume Arn details of the infected file.

                    • Hash — (String)

                      The hash value of the infected file.

                    • FileName — (String)

                      File name of the infected file.

            • ScanType — (String)

              Specifies the scan type that invoked the malware scan.

              Possible values include:
              • "GUARDDUTY_INITIATED"
              • "ON_DEMAND"
          • RuntimeDetails — (map)

            Information about the process and any required context values for a specific finding

            • Process — (map)

              Information about the observed process.

              • Name — (String)

                The name of the process.

              • ExecutablePath — (String)

                The absolute path of the process executable file.

              • ExecutableSha256 — (String)

                The SHA256 hash of the process executable.

              • NamespacePid — (Integer)

                The ID of the child process.

              • Pwd — (String)

                The present working directory of the process.

              • Pid — (Integer)

                The ID of the process.

              • StartTime — (Date)

                The time when the process started. This is in UTC format.

              • Uuid — (String)

                The unique ID assigned to the process by GuardDuty.

              • ParentUuid — (String)

                The unique ID of the parent process. This ID is assigned to the parent process by GuardDuty.

              • User — (String)

                The user that executed the process.

              • UserId — (Integer)

                The unique ID of the user that executed the process.

              • Euid — (Integer)

                The effective user ID of the user that executed the process.

              • Lineage — (Array<map>)

                Information about the process's lineage.

                • StartTime — (Date)

                  The time when the process started. This is in UTC format.

                • NamespacePid — (Integer)

                  The process ID of the child process.

                • UserId — (Integer)

                  The user ID of the user that executed the process.

                • Name — (String)

                  The name of the process.

                • Pid — (Integer)

                  The ID of the process.

                • Uuid — (String)

                  The unique ID assigned to the process by GuardDuty.

                • ExecutablePath — (String)

                  The absolute path of the process executable file.

                • Euid — (Integer)

                  The effective user ID that was used to execute the process.

                • ParentUuid — (String)

                  The unique ID of the parent process. This ID is assigned to the parent process by GuardDuty.

            • Context — (map)

              Additional information about the suspicious activity.

              • ModifyingProcess — (map)

                Information about the process that modified the current process. This is available for multiple finding types.

                • Name — (String)

                  The name of the process.

                • ExecutablePath — (String)

                  The absolute path of the process executable file.

                • ExecutableSha256 — (String)

                  The SHA256 hash of the process executable.

                • NamespacePid — (Integer)

                  The ID of the child process.

                • Pwd — (String)

                  The present working directory of the process.

                • Pid — (Integer)

                  The ID of the process.

                • StartTime — (Date)

                  The time when the process started. This is in UTC format.

                • Uuid — (String)

                  The unique ID assigned to the process by GuardDuty.

                • ParentUuid — (String)

                  The unique ID of the parent process. This ID is assigned to the parent process by GuardDuty.

                • User — (String)

                  The user that executed the process.

                • UserId — (Integer)

                  The unique ID of the user that executed the process.

                • Euid — (Integer)

                  The effective user ID of the user that executed the process.

                • Lineage — (Array<map>)

                  Information about the process's lineage.

                  • StartTime — (Date)

                    The time when the process started. This is in UTC format.

                  • NamespacePid — (Integer)

                    The process ID of the child process.

                  • UserId — (Integer)

                    The user ID of the user that executed the process.

                  • Name — (String)

                    The name of the process.

                  • Pid — (Integer)

                    The ID of the process.

                  • Uuid — (String)

                    The unique ID assigned to the process by GuardDuty.

                  • ExecutablePath — (String)

                    The absolute path of the process executable file.

                  • Euid — (Integer)

                    The effective user ID that was used to execute the process.

                  • ParentUuid — (String)

                    The unique ID of the parent process. This ID is assigned to the parent process by GuardDuty.

              • ModifiedAt — (Date)

                The timestamp at which the process modified the current process. The timestamp is in UTC date string format.

              • ScriptPath — (String)

                The path to the script that was executed.

              • LibraryPath — (String)

                The path to the new library that was loaded.

              • LdPreloadValue — (String)

                The value of the LD_PRELOAD environment variable.

              • SocketPath — (String)

                The path to the docket socket that was accessed.

              • RuncBinaryPath — (String)

                The path to the leveraged runc implementation.

              • ReleaseAgentPath — (String)

                The path in the container that modified the release agent file.

              • MountSource — (String)

                The path on the host that is mounted by the container.

              • MountTarget — (String)

                The path in the container that is mapped to the host directory.

              • FileSystemType — (String)

                Represents the type of mounted fileSystem.

              • Flags — (Array<String>)

                Represents options that control the behavior of a runtime operation or action. For example, a filesystem mount operation may contain a read-only flag.

              • ModuleName — (String)

                The name of the module loaded into the kernel.

              • ModuleFilePath — (String)

                The path to the module loaded into the kernel.

              • ModuleSha256 — (String)

                The SHA256 hash of the module.

              • ShellHistoryFilePath — (String)

                The path to the modified shell history file.

              • TargetProcess — (map)

                Information about the process that had its memory overwritten by the current process.

                • Name — (String)

                  The name of the process.

                • ExecutablePath — (String)

                  The absolute path of the process executable file.

                • ExecutableSha256 — (String)

                  The SHA256 hash of the process executable.

                • NamespacePid — (Integer)

                  The ID of the child process.

                • Pwd — (String)

                  The present working directory of the process.

                • Pid — (Integer)

                  The ID of the process.

                • StartTime — (Date)

                  The time when the process started. This is in UTC format.

                • Uuid — (String)

                  The unique ID assigned to the process by GuardDuty.

                • ParentUuid — (String)

                  The unique ID of the parent process. This ID is assigned to the parent process by GuardDuty.

                • User — (String)

                  The user that executed the process.

                • UserId — (Integer)

                  The unique ID of the user that executed the process.

                • Euid — (Integer)

                  The effective user ID of the user that executed the process.

                • Lineage — (Array<map>)

                  Information about the process's lineage.

                  • StartTime — (Date)

                    The time when the process started. This is in UTC format.

                  • NamespacePid — (Integer)

                    The process ID of the child process.

                  • UserId — (Integer)

                    The user ID of the user that executed the process.

                  • Name — (String)

                    The name of the process.

                  • Pid — (Integer)

                    The ID of the process.

                  • Uuid — (String)

                    The unique ID assigned to the process by GuardDuty.

                  • ExecutablePath — (String)

                    The absolute path of the process executable file.

                  • Euid — (Integer)

                    The effective user ID that was used to execute the process.

                  • ParentUuid — (String)

                    The unique ID of the parent process. This ID is assigned to the parent process by GuardDuty.

              • AddressFamily — (String)

                Represents the communication protocol associated with the address. For example, the address family AF_INET is used for IP version of 4 protocol.

              • IanaProtocolNumber — (Integer)

                Specifies a particular protocol within the address family. Usually there is a single protocol in address families. For example, the address family AF_INET only has the IP protocol.

              • MemoryRegions — (Array<String>)

                Specifies the Region of a process's address space such as stack and heap.

          • Detection — (map)

            Contains information about the detected unusual behavior.

            • Anomaly — (map)

              The details about the anomalous activity that caused GuardDuty to generate the finding.

              • Profiles — (map<map<Array<map>>>)

                Information about the types of profiles.

                • ProfileType — (String)

                  The type of behavior of the profile.

                  Possible values include:
                  • "FREQUENCY"
                • ProfileSubtype — (String)

                  The frequency of the anomaly.

                  Possible values include:
                  • "FREQUENT"
                  • "INFREQUENT"
                  • "UNSEEN"
                  • "RARE"
                • Observations — (map)

                  The recorded value.

                  • Text — (Array<String>)

                    The text that was unusual.

              • Unusual — (map)

                Information about the behavior of the anomalies.

                • Behavior — (map<map<map>>)

                  The behavior of the anomalous activity that caused GuardDuty to generate the finding.

                  • ProfileType — (String)

                    The type of behavior of the profile.

                    Possible values include:
                    • "FREQUENCY"
                  • ProfileSubtype — (String)

                    The frequency of the anomaly.

                    Possible values include:
                    • "FREQUENT"
                    • "INFREQUENT"
                    • "UNSEEN"
                    • "RARE"
                  • Observations — (map)

                    The recorded value.

                    • Text — (Array<String>)

                      The text that was unusual.

        • Severityrequired — (Float)

          The severity of the finding.

        • Title — (String)

          The title of the finding.

        • Typerequired — (String)

          The type of finding.

        • UpdatedAtrequired — (String)

          The time and date when the finding was last updated.

Returns:

  • (AWS.Request)

    a handle to the operation request for subsequent event callback registration.

getFindingsStatistics(params = {}, callback) ⇒ AWS.Request

Lists Amazon GuardDuty findings statistics for the specified detector ID.

There might be regional differences because some flags might not be available in all the Regions where GuardDuty is currently supported. For more information, see Regions and endpoints.

Service Reference:

Examples:

Calling the getFindingsStatistics operation

var params = {
  DetectorId: 'STRING_VALUE', /* required */
  FindingStatisticTypes: [ /* required */
    COUNT_BY_SEVERITY,
    /* more items */
  ],
  FindingCriteria: {
    Criterion: {
      '<String>': {
        Eq: [
          'STRING_VALUE',
          /* more items */
        ],
        Equals: [
          'STRING_VALUE',
          /* more items */
        ],
        GreaterThan: 'NUMBER_VALUE',
        GreaterThanOrEqual: 'NUMBER_VALUE',
        Gt: 'NUMBER_VALUE',
        Gte: 'NUMBER_VALUE',
        LessThan: 'NUMBER_VALUE',
        LessThanOrEqual: 'NUMBER_VALUE',
        Lt: 'NUMBER_VALUE',
        Lte: 'NUMBER_VALUE',
        Neq: [
          'STRING_VALUE',
          /* more items */
        ],
        NotEquals: [
          'STRING_VALUE',
          /* more items */
        ]
      },
      /* '<String>': ... */
    }
  }
};
guardduty.getFindingsStatistics(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

Parameters:

  • params (Object) (defaults to: {})
    • DetectorId — (String)

      The ID of the detector that specifies the GuardDuty service whose findings' statistics you want to retrieve.

    • FindingStatisticTypes — (Array<String>)

      The types of finding statistics to retrieve.

    • FindingCriteria — (map)

      Represents the criteria that is used for querying findings.

      • Criterion — (map<map>)

        Represents a map of finding properties that match specified conditions and values when querying findings.

        • Eq — (Array<String>)

          Represents the equal condition to be applied to a single field when querying for findings.

        • Neq — (Array<String>)

          Represents the not equal condition to be applied to a single field when querying for findings.

        • Gt — (Integer)

          Represents a greater than condition to be applied to a single field when querying for findings.

        • Gte — (Integer)

          Represents a greater than or equal condition to be applied to a single field when querying for findings.

        • Lt — (Integer)

          Represents a less than condition to be applied to a single field when querying for findings.

        • Lte — (Integer)

          Represents a less than or equal condition to be applied to a single field when querying for findings.

        • Equals — (Array<String>)

          Represents an equal condition to be applied to a single field when querying for findings.

        • NotEquals — (Array<String>)

          Represents a not equal condition to be applied to a single field when querying for findings.

        • GreaterThan — (Integer)

          Represents a greater than condition to be applied to a single field when querying for findings.

        • GreaterThanOrEqual — (Integer)

          Represents a greater than or equal condition to be applied to a single field when querying for findings.

        • LessThan — (Integer)

          Represents a less than condition to be applied to a single field when querying for findings.

        • LessThanOrEqual — (Integer)

          Represents a less than or equal condition to be applied to a single field when querying for findings.

Callback (callback):

  • function(err, data) { ... }

    Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.

    Context (this):

    • (AWS.Response)

      the response object containing error, data properties, and the original request object.

    Parameters:

    • err (Error)

      the error object returned from the request. Set to null if the request is successful.

    • data (Object)

      the de-serialized data returned from the request. Set to null if a request error occurs. The data object has the following properties:

      • FindingStatistics — (map)

        The finding statistics object.

        • CountBySeverity — (map<Integer>)

          Represents a map of severity to count statistics for a set of findings.

Returns:

  • (AWS.Request)

    a handle to the operation request for subsequent event callback registration.

getInvitationsCount(params = {}, callback) ⇒ AWS.Request

Returns the count of all GuardDuty membership invitations that were sent to the current member account except the currently accepted invitation.

Service Reference:

Examples:

Calling the getInvitationsCount operation

var params = {
};
guardduty.getInvitationsCount(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

Parameters:

  • params (Object) (defaults to: {})

Callback (callback):

  • function(err, data) { ... }

    Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.

    Context (this):

    • (AWS.Response)

      the response object containing error, data properties, and the original request object.

    Parameters:

    • err (Error)

      the error object returned from the request. Set to null if the request is successful.

    • data (Object)

      the de-serialized data returned from the request. Set to null if a request error occurs. The data object has the following properties:

      • InvitationsCount — (Integer)

        The number of received invitations.

Returns:

  • (AWS.Request)

    a handle to the operation request for subsequent event callback registration.

getIPSet(params = {}, callback) ⇒ AWS.Request

Retrieves the IPSet specified by the ipSetId.

Service Reference:

Examples:

Calling the getIPSet operation

var params = {
  DetectorId: 'STRING_VALUE', /* required */
  IpSetId: 'STRING_VALUE' /* required */
};
guardduty.getIPSet(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

Parameters:

  • params (Object) (defaults to: {})
    • DetectorId — (String)

      The unique ID of the detector that the IPSet is associated with.

    • IpSetId — (String)

      The unique ID of the IPSet to retrieve.

Callback (callback):

  • function(err, data) { ... }

    Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.

    Context (this):

    • (AWS.Response)

      the response object containing error, data properties, and the original request object.

    Parameters:

    • err (Error)

      the error object returned from the request. Set to null if the request is successful.

    • data (Object)

      the de-serialized data returned from the request. Set to null if a request error occurs. The data object has the following properties:

      • Name — (String)

        The user-friendly name for the IPSet.

      • Format — (String)

        The format of the file that contains the IPSet.

        Possible values include:
        • "TXT"
        • "STIX"
        • "OTX_CSV"
        • "ALIEN_VAULT"
        • "PROOF_POINT"
        • "FIRE_EYE"
      • Location — (String)

        The URI of the file that contains the IPSet.

      • Status — (String)

        The status of IPSet file that was uploaded.

        Possible values include:
        • "INACTIVE"
        • "ACTIVATING"
        • "ACTIVE"
        • "DEACTIVATING"
        • "ERROR"
        • "DELETE_PENDING"
        • "DELETED"
      • Tags — (map<String>)

        The tags of the IPSet resource.

Returns:

  • (AWS.Request)

    a handle to the operation request for subsequent event callback registration.

getMalwareScanSettings(params = {}, callback) ⇒ AWS.Request

Returns the details of the malware scan settings.

There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints.

Service Reference:

Examples:

Calling the getMalwareScanSettings operation

var params = {
  DetectorId: 'STRING_VALUE' /* required */
};
guardduty.getMalwareScanSettings(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

Parameters:

  • params (Object) (defaults to: {})
    • DetectorId — (String)

      The unique ID of the detector that the scan setting is associated with.

Callback (callback):

  • function(err, data) { ... }

    Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.

    Context (this):

    • (AWS.Response)

      the response object containing error, data properties, and the original request object.

    Parameters:

    • err (Error)

      the error object returned from the request. Set to null if the request is successful.

    • data (Object)

      the de-serialized data returned from the request. Set to null if a request error occurs. The data object has the following properties:

      • ScanResourceCriteria — (map)

        Represents the criteria to be used in the filter for scanning resources.

        • Include — (map<map>)

          Represents condition that when matched will allow a malware scan for a certain resource.

          • MapEqualsrequired — (Array<map>)

            Represents an mapEqual condition to be applied to a single field when triggering for malware scan.

            • Keyrequired — (String)

              Represents the key in the map condition.

            • Value — (String)

              Represents optional value in the map condition. If not specified, only the key will be matched.

        • Exclude — (map<map>)

          Represents condition that when matched will prevent a malware scan for a certain resource.

          • MapEqualsrequired — (Array<map>)

            Represents an mapEqual condition to be applied to a single field when triggering for malware scan.

            • Keyrequired — (String)

              Represents the key in the map condition.

            • Value — (String)

              Represents optional value in the map condition. If not specified, only the key will be matched.

      • EbsSnapshotPreservation — (String)

        An enum value representing possible snapshot preservation settings.

        Possible values include:
        • "NO_RETENTION"
        • "RETENTION_WITH_FINDING"

Returns:

  • (AWS.Request)

    a handle to the operation request for subsequent event callback registration.

getMasterAccount(params = {}, callback) ⇒ AWS.Request

Provides the details for the GuardDuty administrator account associated with the current GuardDuty member account.

Service Reference:

Examples:

Calling the getMasterAccount operation

var params = {
  DetectorId: 'STRING_VALUE' /* required */
};
guardduty.getMasterAccount(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

Parameters:

  • params (Object) (defaults to: {})
    • DetectorId — (String)

      The unique ID of the detector of the GuardDuty member account.

Callback (callback):

  • function(err, data) { ... }

    Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.

    Context (this):

    • (AWS.Response)

      the response object containing error, data properties, and the original request object.

    Parameters:

    • err (Error)

      the error object returned from the request. Set to null if the request is successful.

    • data (Object)

      the de-serialized data returned from the request. Set to null if a request error occurs. The data object has the following properties:

      • Master — (map)

        The administrator account details.

        • AccountId — (String)

          The ID of the account used as the administrator account.

        • InvitationId — (String)

          The value used to validate the administrator account to the member account.

        • RelationshipStatus — (String)

          The status of the relationship between the administrator and member accounts.

        • InvitedAt — (String)

          The timestamp when the invitation was sent.

Returns:

  • (AWS.Request)

    a handle to the operation request for subsequent event callback registration.

getMemberDetectors(params = {}, callback) ⇒ AWS.Request

Describes which data sources are enabled for the member account's detector.

There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints.

Service Reference:

Examples:

Calling the getMemberDetectors operation

var params = {
  AccountIds: [ /* required */
    'STRING_VALUE',
    /* more items */
  ],
  DetectorId: 'STRING_VALUE' /* required */
};
guardduty.getMemberDetectors(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

Parameters:

  • params (Object) (defaults to: {})
    • DetectorId — (String)

      The detector ID for the administrator account.

    • AccountIds — (Array<String>)

      The account ID of the member account.

Callback (callback):

  • function(err, data) { ... }

    Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.

    Context (this):

    • (AWS.Response)

      the response object containing error, data properties, and the original request object.

    Parameters:

    • err (Error)

      the error object returned from the request. Set to null if the request is successful.

    • data (Object)

      the de-serialized data returned from the request. Set to null if a request error occurs. The data object has the following properties:

      • MemberDataSourceConfigurations — (Array<map>)

        An object that describes which data sources are enabled for a member account.

        • AccountIdrequired — (String)

          The account ID for the member account.

        • DataSources — (map)

          Contains information on the status of data sources for the account.

          • CloudTrailrequired — (map)

            An object that contains information on the status of CloudTrail as a data source.

            • Statusrequired — (String)

              Describes whether CloudTrail is enabled as a data source for the detector.

              Possible values include:
              • "ENABLED"
              • "DISABLED"
          • DNSLogsrequired — (map)

            An object that contains information on the status of DNS logs as a data source.

            • Statusrequired — (String)

              Denotes whether DNS logs is enabled as a data source.

              Possible values include:
              • "ENABLED"
              • "DISABLED"
          • FlowLogsrequired — (map)

            An object that contains information on the status of VPC flow logs as a data source.

            • Statusrequired — (String)

              Denotes whether VPC flow logs is enabled as a data source.

              Possible values include:
              • "ENABLED"
              • "DISABLED"
          • S3Logsrequired — (map)

            An object that contains information on the status of S3 Data event logs as a data source.

            • Statusrequired — (String)

              A value that describes whether S3 data event logs are automatically enabled for new members of the organization.

              Possible values include:
              • "ENABLED"
              • "DISABLED"
          • Kubernetes — (map)

            An object that contains information on the status of all Kubernetes data sources.

            • AuditLogsrequired — (map)

              Describes whether Kubernetes audit logs are enabled as a data source.

              • Statusrequired — (String)

                A value that describes whether Kubernetes audit logs are enabled as a data source.

                Possible values include:
                • "ENABLED"
                • "DISABLED"
          • MalwareProtection — (map)

            Describes the configuration of Malware Protection data sources.

            • ScanEc2InstanceWithFindings — (map)

              Describes the configuration of Malware Protection for EC2 instances with findings.

              • EbsVolumes — (map)

                Describes the configuration of scanning EBS volumes as a data source.

                • Status — (String)

                  Describes whether scanning EBS volumes is enabled as a data source.

                  Possible values include:
                  • "ENABLED"
                  • "DISABLED"
                • Reason — (String)

                  Specifies the reason why scanning EBS volumes (Malware Protection) was not enabled as a data source.

            • ServiceRole — (String)

              The GuardDuty Malware Protection service role.

        • Features — (Array<map>)

          Contains information about the status of the features for the member account.

          • Name — (String)

            Indicates the name of the feature that is enabled for the detector.

            Possible values include:
            • "S3_DATA_EVENTS"
            • "EKS_AUDIT_LOGS"
            • "EBS_MALWARE_PROTECTION"
            • "RDS_LOGIN_EVENTS"
            • "EKS_RUNTIME_MONITORING"
            • "LAMBDA_NETWORK_LOGS"
            • "RUNTIME_MONITORING"
          • Status — (String)

            Indicates the status of the feature that is enabled for the detector.

            Possible values include:
            • "ENABLED"
            • "DISABLED"
          • UpdatedAt — (Date)

            The timestamp at which the feature object was updated.

          • AdditionalConfiguration — (Array<map>)

            Indicates the additional configuration of the feature that is configured for the member account.

            • Name — (String)

              Indicates the name of the additional configuration that is set for the member account.

              Possible values include:
              • "EKS_ADDON_MANAGEMENT"
              • "ECS_FARGATE_AGENT_MANAGEMENT"
            • Status — (String)

              Indicates the status of the additional configuration that is set for the member account.

              Possible values include:
              • "ENABLED"
              • "DISABLED"
            • UpdatedAt — (Date)

              The timestamp at which the additional configuration was set for the member account. This is in UTC format.

      • UnprocessedAccounts — (Array<map>)

        A list of member account IDs that were unable to be processed along with an explanation for why they were not processed.

        • AccountIdrequired — (String)

          The Amazon Web Services account ID.

        • Resultrequired — (String)

          A reason why the account hasn't been processed.

Returns:

  • (AWS.Request)

    a handle to the operation request for subsequent event callback registration.

getMembers(params = {}, callback) ⇒ AWS.Request

Retrieves GuardDuty member accounts (of the current GuardDuty administrator account) specified by the account IDs.

Service Reference:

Examples:

Calling the getMembers operation

var params = {
  AccountIds: [ /* required */
    'STRING_VALUE',
    /* more items */
  ],
  DetectorId: 'STRING_VALUE' /* required */
};
guardduty.getMembers(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

Parameters:

  • params (Object) (defaults to: {})
    • DetectorId — (String)

      The unique ID of the detector of the GuardDuty account whose members you want to retrieve.

    • AccountIds — (Array<String>)

      A list of account IDs of the GuardDuty member accounts that you want to describe.

Callback (callback):

  • function(err, data) { ... }

    Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.

    Context (this):

    • (AWS.Response)

      the response object containing error, data properties, and the original request object.

    Parameters:

    • err (Error)

      the error object returned from the request. Set to null if the request is successful.

    • data (Object)

      the de-serialized data returned from the request. Set to null if a request error occurs. The data object has the following properties:

      • Members — (Array<map>)

        A list of members.

        • AccountIdrequired — (String)

          The ID of the member account.

        • DetectorId — (String)

          The detector ID of the member account.

        • MasterIdrequired — (String)

          The administrator account ID.

        • Emailrequired — (String)

          The email address of the member account.

        • RelationshipStatusrequired — (String)

          The status of the relationship between the member and the administrator.

        • InvitedAt — (String)

          The timestamp when the invitation was sent.

        • UpdatedAtrequired — (String)

          The last-updated timestamp of the member.

        • AdministratorId — (String)

          The administrator account ID.

      • UnprocessedAccounts — (Array<map>)

        A list of objects that contain the unprocessed account and a result string that explains why it was unprocessed.

        • AccountIdrequired — (String)

          The Amazon Web Services account ID.

        • Resultrequired — (String)

          A reason why the account hasn't been processed.

Returns:

  • (AWS.Request)

    a handle to the operation request for subsequent event callback registration.

getOrganizationStatistics(params = {}, callback) ⇒ AWS.Request

Retrieves how many active member accounts have each feature enabled within GuardDuty. Only a delegated GuardDuty administrator of an organization can run this API.

When you create a new organization, it might take up to 24 hours to generate the statistics for the entire organization.

Service Reference:

Examples:

Calling the getOrganizationStatistics operation

guardduty.getOrganizationStatistics(function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

Parameters:

  • params (Object) (defaults to: {})

Callback (callback):

  • function(err, data) { ... }

    Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.

    Context (this):

    • (AWS.Response)

      the response object containing error, data properties, and the original request object.

    Parameters:

    • err (Error)

      the error object returned from the request. Set to null if the request is successful.

    • data (Object)

      the de-serialized data returned from the request. Set to null if a request error occurs. The data object has the following properties:

      • OrganizationDetails — (map)

        Information about the statistics report for your organization.

        • UpdatedAt — (Date)

          The timestamp at which the organization statistics was last updated. This is in UTC format.

        • OrganizationStatistics — (map)

          Information about the GuardDuty coverage statistics for members in your Amazon Web Services organization.

          • TotalAccountsCount — (Integer)

            Total number of accounts in your Amazon Web Services organization.

          • MemberAccountsCount — (Integer)

            Total number of accounts in your Amazon Web Services organization that are associated with GuardDuty.

          • ActiveAccountsCount — (Integer)

            Total number of active accounts in your Amazon Web Services organization that are associated with GuardDuty.

          • EnabledAccountsCount — (Integer)

            Total number of accounts that have enabled GuardDuty.

          • CountByFeature — (Array<map>)

            Retrieves the coverage statistics for each feature.

            • Name — (String)

              Name of the feature.

              Possible values include:
              • "S3_DATA_EVENTS"
              • "EKS_AUDIT_LOGS"
              • "EBS_MALWARE_PROTECTION"
              • "RDS_LOGIN_EVENTS"
              • "EKS_RUNTIME_MONITORING"
              • "LAMBDA_NETWORK_LOGS"
              • "RUNTIME_MONITORING"
            • EnabledAccountsCount — (Integer)

              Total number of accounts that have enabled a specific feature.

            • AdditionalConfiguration — (Array<map>)

              Name of the additional configuration.

              • Name — (String)

                Name of the additional configuration within a feature.

                Possible values include:
                • "EKS_ADDON_MANAGEMENT"
                • "ECS_FARGATE_AGENT_MANAGEMENT"
              • EnabledAccountsCount — (Integer)

                Total number of accounts that have enabled the additional configuration.

Returns:

  • (AWS.Request)

    a handle to the operation request for subsequent event callback registration.

getRemainingFreeTrialDays(params = {}, callback) ⇒ AWS.Request

Provides the number of days left for each data source used in the free trial period.

Service Reference:

Examples:

Calling the getRemainingFreeTrialDays operation

var params = {
  DetectorId: 'STRING_VALUE', /* required */
  AccountIds: [
    'STRING_VALUE',
    /* more items */
  ]
};
guardduty.getRemainingFreeTrialDays(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

Parameters:

  • params (Object) (defaults to: {})
    • DetectorId — (String)

      The unique ID of the detector of the GuardDuty member account.

    • AccountIds — (Array<String>)

      A list of account identifiers of the GuardDuty member account.

Callback (callback):

  • function(err, data) { ... }

    Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.

    Context (this):

    • (AWS.Response)

      the response object containing error, data properties, and the original request object.

    Parameters:

    • err (Error)

      the error object returned from the request. Set to null if the request is successful.

    • data (Object)

      the de-serialized data returned from the request. Set to null if a request error occurs. The data object has the following properties:

      • Accounts — (Array<map>)

        The member accounts which were included in a request and were processed successfully.

        • AccountId — (String)

          The account identifier of the GuardDuty member account.

        • DataSources — (map)

          Describes the data source enabled for the GuardDuty member account.

          • CloudTrail — (map)

            Describes whether any Amazon Web Services CloudTrail management event logs are enabled as data sources.

            • FreeTrialDaysRemaining — (Integer)

              A value that specifies the number of days left to use each enabled data source.

          • DnsLogs — (map)

            Describes whether any DNS logs are enabled as data sources.

            • FreeTrialDaysRemaining — (Integer)

              A value that specifies the number of days left to use each enabled data source.

          • FlowLogs — (map)

            Describes whether any VPC Flow logs are enabled as data sources.

            • FreeTrialDaysRemaining — (Integer)

              A value that specifies the number of days left to use each enabled data source.

          • S3Logs — (map)

            Describes whether any S3 data event logs are enabled as data sources.

            • FreeTrialDaysRemaining — (Integer)

              A value that specifies the number of days left to use each enabled data source.

          • Kubernetes — (map)

            Describes whether any Kubernetes logs are enabled as data sources.

            • AuditLogs — (map)

              Describes whether Kubernetes audit logs are enabled as a data source.

              • FreeTrialDaysRemaining — (Integer)

                A value that specifies the number of days left to use each enabled data source.

          • MalwareProtection — (map)

            Describes whether Malware Protection is enabled as a data source.

            • ScanEc2InstanceWithFindings — (map)

              Describes whether Malware Protection for EC2 instances with findings is enabled as a data source.

              • FreeTrialDaysRemaining — (Integer)

                A value that specifies the number of days left to use each enabled data source.

        • Features — (Array<map>)

          A list of features enabled for the GuardDuty account.

          • Name — (String)

            The name of the feature for which the free trial is configured.

            Possible values include:
            • "FLOW_LOGS"
            • "CLOUD_TRAIL"
            • "DNS_LOGS"
            • "S3_DATA_EVENTS"
            • "EKS_AUDIT_LOGS"
            • "EBS_MALWARE_PROTECTION"
            • "RDS_LOGIN_EVENTS"
            • "EKS_RUNTIME_MONITORING"
            • "LAMBDA_NETWORK_LOGS"
            • "FARGATE_RUNTIME_MONITORING"
            • "EC2_RUNTIME_MONITORING"
          • FreeTrialDaysRemaining — (Integer)

            The number of the remaining free trial days for the feature.

      • UnprocessedAccounts — (Array<map>)

        The member account that was included in a request but for which the request could not be processed.

        • AccountIdrequired — (String)

          The Amazon Web Services account ID.

        • Resultrequired — (String)

          A reason why the account hasn't been processed.

Returns:

  • (AWS.Request)

    a handle to the operation request for subsequent event callback registration.

getThreatIntelSet(params = {}, callback) ⇒ AWS.Request

Retrieves the ThreatIntelSet that is specified by the ThreatIntelSet ID.

Service Reference:

Examples:

Calling the getThreatIntelSet operation

var params = {
  DetectorId: 'STRING_VALUE', /* required */
  ThreatIntelSetId: 'STRING_VALUE' /* required */
};
guardduty.getThreatIntelSet(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

Parameters:

  • params (Object) (defaults to: {})
    • DetectorId — (String)

      The unique ID of the detector that the threatIntelSet is associated with.

    • ThreatIntelSetId — (String)

      The unique ID of the threatIntelSet that you want to get.

Callback (callback):

  • function(err, data) { ... }

    Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.

    Context (this):

    • (AWS.Response)

      the response object containing error, data properties, and the original request object.

    Parameters:

    • err (Error)

      the error object returned from the request. Set to null if the request is successful.

    • data (Object)

      the de-serialized data returned from the request. Set to null if a request error occurs. The data object has the following properties:

      • Name — (String)

        A user-friendly ThreatIntelSet name displayed in all findings that are generated by activity that involves IP addresses included in this ThreatIntelSet.

      • Format — (String)

        The format of the threatIntelSet.

        Possible values include:
        • "TXT"
        • "STIX"
        • "OTX_CSV"
        • "ALIEN_VAULT"
        • "PROOF_POINT"
        • "FIRE_EYE"
      • Location — (String)

        The URI of the file that contains the ThreatIntelSet.

      • Status — (String)

        The status of threatIntelSet file uploaded.

        Possible values include:
        • "INACTIVE"
        • "ACTIVATING"
        • "ACTIVE"
        • "DEACTIVATING"
        • "ERROR"
        • "DELETE_PENDING"
        • "DELETED"
      • Tags — (map<String>)

        The tags of the threat list resource.

Returns:

  • (AWS.Request)

    a handle to the operation request for subsequent event callback registration.

getUsageStatistics(params = {}, callback) ⇒ AWS.Request

Lists Amazon GuardDuty usage statistics over the last 30 days for the specified detector ID. For newly enabled detectors or data sources, the cost returned will include only the usage so far under 30 days. This may differ from the cost metrics in the console, which project usage over 30 days to provide a monthly cost estimate. For more information, see Understanding How Usage Costs are Calculated.

Service Reference:

Examples:

Calling the getUsageStatistics operation

var params = {
  DetectorId: 'STRING_VALUE', /* required */
  UsageCriteria: { /* required */
    AccountIds: [
      'STRING_VALUE',
      /* more items */
    ],
    DataSources: [
      FLOW_LOGS | CLOUD_TRAIL | DNS_LOGS | S3_LOGS | KUBERNETES_AUDIT_LOGS | EC2_MALWARE_SCAN,
      /* more items */
    ],
    Features: [
      FLOW_LOGS | CLOUD_TRAIL | DNS_LOGS | S3_DATA_EVENTS | EKS_AUDIT_LOGS | EBS_MALWARE_PROTECTION | RDS_LOGIN_EVENTS | LAMBDA_NETWORK_LOGS | EKS_RUNTIME_MONITORING | FARGATE_RUNTIME_MONITORING | EC2_RUNTIME_MONITORING | RDS_DBI_PROTECTION_PROVISIONED | RDS_DBI_PROTECTION_SERVERLESS,
      /* more items */
    ],
    Resources: [
      'STRING_VALUE',
      /* more items */
    ]
  },
  UsageStatisticType: SUM_BY_ACCOUNT | SUM_BY_DATA_SOURCE | SUM_BY_RESOURCE | TOP_RESOURCES | SUM_BY_FEATURES | TOP_ACCOUNTS_BY_FEATURE, /* required */
  MaxResults: 'NUMBER_VALUE',
  NextToken: 'STRING_VALUE',
  Unit: 'STRING_VALUE'
};
guardduty.getUsageStatistics(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

Parameters:

  • params (Object) (defaults to: {})
    • DetectorId — (String)

      The ID of the detector that specifies the GuardDuty service whose usage statistics you want to retrieve.

    • UsageStatisticType — (String)

      The type of usage statistics to retrieve.

      Possible values include:
      • "SUM_BY_ACCOUNT"
      • "SUM_BY_DATA_SOURCE"
      • "SUM_BY_RESOURCE"
      • "TOP_RESOURCES"
      • "SUM_BY_FEATURES"
      • "TOP_ACCOUNTS_BY_FEATURE"
    • UsageCriteria — (map)

      Represents the criteria used for querying usage.

      • AccountIds — (Array<String>)

        The account IDs to aggregate usage statistics from.

      • DataSources — (Array<String>)

        The data sources to aggregate usage statistics from.

      • Resources — (Array<String>)

        The resources to aggregate usage statistics from. Only accepts exact resource names.

      • Features — (Array<String>)

        The features to aggregate usage statistics from.

    • Unit — (String)

      The currency unit you would like to view your usage statistics in. Current valid values are USD.

    • MaxResults — (Integer)

      The maximum number of results to return in the response.

    • NextToken — (String)

      A token to use for paginating results that are returned in the response. Set the value of this parameter to null for the first request to a list action. For subsequent calls, use the NextToken value returned from the previous request to continue listing results after the first page.

Callback (callback):

  • function(err, data) { ... }

    Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.

    Context (this):

    • (AWS.Response)

      the response object containing error, data properties, and the original request object.

    Parameters:

    • err (Error)

      the error object returned from the request. Set to null if the request is successful.

    • data (Object)

      the de-serialized data returned from the request. Set to null if a request error occurs. The data object has the following properties:

      • UsageStatistics — (map)

        The usage statistics object. If a UsageStatisticType was provided, the objects representing other types will be null.

        • SumByAccount — (Array<map>)

          The usage statistic sum organized by account ID.

          • AccountId — (String)

            The Account ID that generated usage.

          • Total — (map)

            Represents the total of usage for the Account ID.

            • Amount — (String)

              The total usage.

            • Unit — (String)

              The currency unit that the amount is given in.

        • TopAccountsByFeature — (Array<map>)

          Lists the top 50 accounts by feature that have generated the most GuardDuty usage, in the order from most to least expensive.

          Currently, this doesn't support RDS_LOGIN_EVENTS.

          • Feature — (String)

            Features by which you can generate the usage statistics.

            RDS_LOGIN_EVENTS is currently not supported with topAccountsByFeature.

            Possible values include:
            • "FLOW_LOGS"
            • "CLOUD_TRAIL"
            • "DNS_LOGS"
            • "S3_DATA_EVENTS"
            • "EKS_AUDIT_LOGS"
            • "EBS_MALWARE_PROTECTION"
            • "RDS_LOGIN_EVENTS"
            • "LAMBDA_NETWORK_LOGS"
            • "EKS_RUNTIME_MONITORING"
            • "FARGATE_RUNTIME_MONITORING"
            • "EC2_RUNTIME_MONITORING"
            • "RDS_DBI_PROTECTION_PROVISIONED"
            • "RDS_DBI_PROTECTION_SERVERLESS"
          • Accounts — (Array<map>)

            The accounts that contributed to the total usage cost.

            • AccountId — (String)

              The unique account ID.

            • Total — (map)

              Contains the total usage with the corresponding currency unit for that value.

              • Amount — (String)

                The total usage.

              • Unit — (String)

                The currency unit that the amount is given in.

        • SumByDataSource — (Array<map>)

          The usage statistic sum organized by on data source.

          • DataSource — (String)

            The data source type that generated usage.

            Possible values include:
            • "FLOW_LOGS"
            • "CLOUD_TRAIL"
            • "DNS_LOGS"
            • "S3_LOGS"
            • "KUBERNETES_AUDIT_LOGS"
            • "EC2_MALWARE_SCAN"
          • Total — (map)

            Represents the total of usage for the specified data source.

            • Amount — (String)

              The total usage.

            • Unit — (String)

              The currency unit that the amount is given in.

        • SumByResource — (Array<map>)

          The usage statistic sum organized by resource.

          • Resource — (String)

            The Amazon Web Services resource that generated usage.

          • Total — (map)

            Represents the sum total of usage for the specified resource type.

            • Amount — (String)

              The total usage.

            • Unit — (String)

              The currency unit that the amount is given in.

        • TopResources — (Array<map>)

          Lists the top 50 resources that have generated the most GuardDuty usage, in order from most to least expensive.

          • Resource — (String)

            The Amazon Web Services resource that generated usage.

          • Total — (map)

            Represents the sum total of usage for the specified resource type.

            • Amount — (String)

              The total usage.

            • Unit — (String)

              The currency unit that the amount is given in.

        • SumByFeature — (Array<map>)

          The usage statistic sum organized by feature.

          • Feature — (String)

            The feature that generated the usage cost.

            Possible values include:
            • "FLOW_LOGS"
            • "CLOUD_TRAIL"
            • "DNS_LOGS"
            • "S3_DATA_EVENTS"
            • "EKS_AUDIT_LOGS"
            • "EBS_MALWARE_PROTECTION"
            • "RDS_LOGIN_EVENTS"
            • "LAMBDA_NETWORK_LOGS"
            • "EKS_RUNTIME_MONITORING"
            • "FARGATE_RUNTIME_MONITORING"
            • "EC2_RUNTIME_MONITORING"
            • "RDS_DBI_PROTECTION_PROVISIONED"
            • "RDS_DBI_PROTECTION_SERVERLESS"
          • Total — (map)

            Contains the total usage with the corresponding currency unit for that value.

            • Amount — (String)

              The total usage.

            • Unit — (String)

              The currency unit that the amount is given in.

      • NextToken — (String)

        The pagination parameter to be used on the next list operation to retrieve more items.

Returns:

  • (AWS.Request)

    a handle to the operation request for subsequent event callback registration.

inviteMembers(params = {}, callback) ⇒ AWS.Request

Invites Amazon Web Services accounts to become members of an organization administered by the Amazon Web Services account that invokes this API. If you are using Amazon Web Services Organizations to manage your GuardDuty environment, this step is not needed. For more information, see Managing accounts with organizations.

To invite Amazon Web Services accounts, the first step is to ensure that GuardDuty has been enabled in the potential member accounts. You can now invoke this API to add accounts by invitation. The invited accounts can either accept or decline the invitation from their GuardDuty accounts. Each invited Amazon Web Services account can choose to accept the invitation from only one Amazon Web Services account. For more information, see Managing GuardDuty accounts by invitation.

After the invite has been accepted and you choose to disassociate a member account (by using DisassociateMembers) from your account, the details of the member account obtained by invoking CreateMembers, including the associated email addresses, will be retained. This is done so that you can invoke InviteMembers without the need to invoke CreateMembers again. To remove the details associated with a member account, you must also invoke DeleteMembers.

Service Reference:

Examples:

Calling the inviteMembers operation

var params = {
  AccountIds: [ /* required */
    'STRING_VALUE',
    /* more items */
  ],
  DetectorId: 'STRING_VALUE', /* required */
  DisableEmailNotification: true || false,
  Message: 'STRING_VALUE'
};
guardduty.inviteMembers(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

Parameters:

  • params (Object) (defaults to: {})
    • DetectorId — (String)

      The unique ID of the detector of the GuardDuty account that you want to invite members with.

    • AccountIds — (Array<String>)

      A list of account IDs of the accounts that you want to invite to GuardDuty as members.

    • DisableEmailNotification — (Boolean)

      A Boolean value that specifies whether you want to disable email notification to the accounts that you are inviting to GuardDuty as members.

    • Message — (String)

      The invitation message that you want to send to the accounts that you're inviting to GuardDuty as members.

Callback (callback):

  • function(err, data) { ... }

    Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.

    Context (this):

    • (AWS.Response)

      the response object containing error, data properties, and the original request object.

    Parameters:

    • err (Error)

      the error object returned from the request. Set to null if the request is successful.

    • data (Object)

      the de-serialized data returned from the request. Set to null if a request error occurs. The data object has the following properties:

      • UnprocessedAccounts — (Array<map>)

        A list of objects that contain the unprocessed account and a result string that explains why it was unprocessed.

        • AccountIdrequired — (String)

          The Amazon Web Services account ID.

        • Resultrequired — (String)

          A reason why the account hasn't been processed.

Returns:

  • (AWS.Request)

    a handle to the operation request for subsequent event callback registration.

listCoverage(params = {}, callback) ⇒ AWS.Request

Lists coverage details for your GuardDuty account. If you're a GuardDuty administrator, you can retrieve all resources associated with the active member accounts in your organization.

Make sure the accounts have Runtime Monitoring enabled and GuardDuty agent running on their resources.

Service Reference:

Examples:

Calling the listCoverage operation

var params = {
  DetectorId: 'STRING_VALUE', /* required */
  FilterCriteria: {
    FilterCriterion: [
      {
        CriterionKey: ACCOUNT_ID | CLUSTER_NAME | RESOURCE_TYPE | COVERAGE_STATUS | ADDON_VERSION | MANAGEMENT_TYPE | EKS_CLUSTER_NAME | ECS_CLUSTER_NAME | AGENT_VERSION | INSTANCE_ID | CLUSTER_ARN,
        FilterCondition: {
          Equals: [
            'STRING_VALUE',
            /* more items */
          ],
          NotEquals: [
            'STRING_VALUE',
            /* more items */
          ]
        }
      },
      /* more items */
    ]
  },
  MaxResults: 'NUMBER_VALUE',
  NextToken: 'STRING_VALUE',
  SortCriteria: {
    AttributeName: ACCOUNT_ID | CLUSTER_NAME | COVERAGE_STATUS | ISSUE | ADDON_VERSION | UPDATED_AT | EKS_CLUSTER_NAME | ECS_CLUSTER_NAME | INSTANCE_ID,
    OrderBy: ASC | DESC
  }
};
guardduty.listCoverage(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

Parameters:

  • params (Object) (defaults to: {})
    • DetectorId — (String)

      The unique ID of the detector whose coverage details you want to retrieve.

    • NextToken — (String)

      A token to use for paginating results that are returned in the response. Set the value of this parameter to null for the first request to a list action. For subsequent calls, use the NextToken value returned from the previous request to continue listing results after the first page.

    • MaxResults — (Integer)

      The maximum number of results to return in the response.

    • FilterCriteria — (map)

      Represents the criteria used to filter the coverage details.

      • FilterCriterion — (Array<map>)

        Represents a condition that when matched will be added to the response of the operation.

        • CriterionKey — (String)

          An enum value representing possible filter fields.

          Note: Replace the enum value CLUSTER_NAME with EKS_CLUSTER_NAME. CLUSTER_NAME has been deprecated.
          Possible values include:
          • "ACCOUNT_ID"
          • "CLUSTER_NAME"
          • "RESOURCE_TYPE"
          • "COVERAGE_STATUS"
          • "ADDON_VERSION"
          • "MANAGEMENT_TYPE"
          • "EKS_CLUSTER_NAME"
          • "ECS_CLUSTER_NAME"
          • "AGENT_VERSION"
          • "INSTANCE_ID"
          • "CLUSTER_ARN"
        • FilterCondition — (map)

          Contains information about the condition.

          • Equals — (Array<String>)

            Represents an equal condition that is applied to a single field while retrieving the coverage details.

          • NotEquals — (Array<String>)

            Represents a not equal condition that is applied to a single field while retrieving the coverage details.

    • SortCriteria — (map)

      Represents the criteria used to sort the coverage details.

      • AttributeName — (String)

        Represents the field name used to sort the coverage details.

        Note: Replace the enum value CLUSTER_NAME with EKS_CLUSTER_NAME. CLUSTER_NAME has been deprecated.
        Possible values include:
        • "ACCOUNT_ID"
        • "CLUSTER_NAME"
        • "COVERAGE_STATUS"
        • "ISSUE"
        • "ADDON_VERSION"
        • "UPDATED_AT"
        • "EKS_CLUSTER_NAME"
        • "ECS_CLUSTER_NAME"
        • "INSTANCE_ID"
      • OrderBy — (String)

        The order in which the sorted findings are to be displayed.

        Possible values include:
        • "ASC"
        • "DESC"

Callback (callback):

  • function(err, data) { ... }

    Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.

    Context (this):

    • (AWS.Response)

      the response object containing error, data properties, and the original request object.

    Parameters:

    • err (Error)

      the error object returned from the request. Set to null if the request is successful.

    • data (Object)

      the de-serialized data returned from the request. Set to null if a request error occurs. The data object has the following properties:

      • Resources — (Array<map>)

        A list of resources and their attributes providing cluster details.

        • ResourceId — (String)

          The unique ID of the resource.

        • DetectorId — (String)

          The unique ID of the GuardDuty detector associated with the resource.

        • AccountId — (String)

          The unique ID of the Amazon Web Services account.

        • ResourceDetails — (map)

          Information about the resource for which the coverage statistics are retrieved.

          • EksClusterDetails — (map)

            EKS cluster details involved in the coverage statistics.

            • ClusterName — (String)

              Name of the EKS cluster.

            • CoveredNodes — (Integer)

              Represents the nodes within the EKS cluster that have a HEALTHY coverage status.

            • CompatibleNodes — (Integer)

              Represents all the nodes within the EKS cluster in your account.

            • AddonDetails — (map)

              Information about the installed EKS add-on.

              • AddonVersion — (String)

                Version of the installed EKS add-on.

              • AddonStatus — (String)

                Status of the installed EKS add-on.

            • ManagementType — (String)

              Indicates how the Amazon EKS add-on GuardDuty agent is managed for this EKS cluster.

              AUTO_MANAGED indicates GuardDuty deploys and manages updates for this resource.

              MANUAL indicates that you are responsible to deploy, update, and manage the Amazon EKS add-on GuardDuty agent for this resource.

              Possible values include:
              • "AUTO_MANAGED"
              • "MANUAL"
              • "DISABLED"
          • ResourceType — (String)

            The type of Amazon Web Services resource.

            Possible values include:
            • "EKS"
            • "ECS"
            • "EC2"
          • EcsClusterDetails — (map)

            Information about the Amazon ECS cluster that is assessed for runtime coverage.

            • ClusterName — (String)

              The name of the Amazon ECS cluster.

            • FargateDetails — (map)

              Information about the Fargate details associated with the Amazon ECS cluster.

              • Issues — (Array<String>)

                Runtime coverage issues identified for the resource running on Amazon Web Services Fargate.

              • ManagementType — (String)

                Indicates how the GuardDuty security agent is managed for this resource.

                • AUTO_MANAGED indicates that GuardDuty deploys and manages updates for this resource.

                • DISABLED indicates that the deployment of the GuardDuty security agent is disabled for this resource.

                Note: The MANUAL status doesn't apply to the Amazon Web Services Fargate (Amazon ECS only) woprkloads.
                Possible values include:
                • "AUTO_MANAGED"
                • "MANUAL"
                • "DISABLED"
            • ContainerInstanceDetails — (map)

              Information about the Amazon ECS container running on Amazon EC2 instance.

              • CoveredContainerInstances — (Integer)

                Represents the nodes in the Amazon ECS cluster that has a HEALTHY coverage status.

              • CompatibleContainerInstances — (Integer)

                Represents total number of nodes in the Amazon ECS cluster.

          • Ec2InstanceDetails — (map)
            Note: This API is also used when you use GuardDuty Runtime Monitoring for your Amazon EC2 instances (currently in preview release) and is subject to change. The use of this API is subject to Section 2 of the Amazon Web Services Service Terms ("Betas and Previews").

            Information about the Amazon EC2 instance assessed for runtime coverage.

            • InstanceId — (String)

              The Amazon EC2 instance ID.

            • InstanceType — (String)

              The instance type of the Amazon EC2 instance.

            • ClusterArn — (String)

              The cluster ARN of the Amazon ECS cluster running on the Amazon EC2 instance.

            • AgentDetails — (map)

              Information about the installed security agent.

              • Version — (String)

                Version of the installed GuardDuty security agent.

            • ManagementType — (String)

              Indicates how the GuardDuty security agent is managed for this resource.

              • AUTO_MANAGED indicates that GuardDuty deploys and manages updates for this resource.

              • MANUAL indicates that you are responsible to deploy, update, and manage the GuardDuty security agent updates for this resource.

              Note: The DISABLED status doesn't apply to Amazon EC2 instances and Amazon EKS clusters.
              Possible values include:
              • "AUTO_MANAGED"
              • "MANUAL"
              • "DISABLED"
        • CoverageStatus — (String)

          Represents the status of the EKS cluster coverage.

          Possible values include:
          • "HEALTHY"
          • "UNHEALTHY"
        • Issue — (String)

          Represents the reason why a coverage status was UNHEALTHY for the EKS cluster.

        • UpdatedAt — (Date)

          The timestamp at which the coverage details for the resource were last updated. This is in UTC format.

      • NextToken — (String)

        The pagination parameter to be used on the next list operation to retrieve more items.

Returns:

  • (AWS.Request)

    a handle to the operation request for subsequent event callback registration.

listDetectors(params = {}, callback) ⇒ AWS.Request

Lists detectorIds of all the existing Amazon GuardDuty detector resources.

Service Reference:

Examples:

Calling the listDetectors operation

var params = {
  MaxResults: 'NUMBER_VALUE',
  NextToken: 'STRING_VALUE'
};
guardduty.listDetectors(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

Parameters:

  • params (Object) (defaults to: {})
    • MaxResults — (Integer)

      You can use this parameter to indicate the maximum number of items that you want in the response. The default value is 50. The maximum value is 50.

    • NextToken — (String)

      You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.

Callback (callback):

  • function(err, data) { ... }

    Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.

    Context (this):

    • (AWS.Response)

      the response object containing error, data properties, and the original request object.

    Parameters:

    • err (Error)

      the error object returned from the request. Set to null if the request is successful.

    • data (Object)

      the de-serialized data returned from the request. Set to null if a request error occurs. The data object has the following properties:

      • DetectorIds — (Array<String>)

        A list of detector IDs.

      • NextToken — (String)

        The pagination parameter to be used on the next list operation to retrieve more items.

Returns:

  • (AWS.Request)

    a handle to the operation request for subsequent event callback registration.

listFilters(params = {}, callback) ⇒ AWS.Request

Returns a paginated list of the current filters.

Service Reference:

Examples:

Calling the listFilters operation

var params = {
  DetectorId: 'STRING_VALUE', /* required */
  MaxResults: 'NUMBER_VALUE',
  NextToken: 'STRING_VALUE'
};
guardduty.listFilters(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

Parameters:

  • params (Object) (defaults to: {})
    • DetectorId — (String)

      The unique ID of the detector that the filter is associated with.

    • MaxResults — (Integer)

      You can use this parameter to indicate the maximum number of items that you want in the response. The default value is 50. The maximum value is 50.

    • NextToken — (String)

      You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.

Callback (callback):

  • function(err, data) { ... }

    Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.

    Context (this):

    • (AWS.Response)

      the response object containing error, data properties, and the original request object.

    Parameters:

    • err (Error)

      the error object returned from the request. Set to null if the request is successful.

    • data (Object)

      the de-serialized data returned from the request. Set to null if a request error occurs. The data object has the following properties:

      • FilterNames — (Array<String>)

        A list of filter names.

      • NextToken — (String)

        The pagination parameter to be used on the next list operation to retrieve more items.

Returns:

  • (AWS.Request)

    a handle to the operation request for subsequent event callback registration.

listFindings(params = {}, callback) ⇒ AWS.Request

Lists GuardDuty findings for the specified detector ID.

There might be regional differences because some flags might not be available in all the Regions where GuardDuty is currently supported. For more information, see Regions and endpoints.

Service Reference:

Examples:

Calling the listFindings operation

var params = {
  DetectorId: 'STRING_VALUE', /* required */
  FindingCriteria: {
    Criterion: {
      '<String>': {
        Eq: [
          'STRING_VALUE',
          /* more items */
        ],
        Equals: [
          'STRING_VALUE',
          /* more items */
        ],
        GreaterThan: 'NUMBER_VALUE',
        GreaterThanOrEqual: 'NUMBER_VALUE',
        Gt: 'NUMBER_VALUE',
        Gte: 'NUMBER_VALUE',
        LessThan: 'NUMBER_VALUE',
        LessThanOrEqual: 'NUMBER_VALUE',
        Lt: 'NUMBER_VALUE',
        Lte: 'NUMBER_VALUE',
        Neq: [
          'STRING_VALUE',
          /* more items */
        ],
        NotEquals: [
          'STRING_VALUE',
          /* more items */
        ]
      },
      /* '<String>': ... */
    }
  },
  MaxResults: 'NUMBER_VALUE',
  NextToken: 'STRING_VALUE',
  SortCriteria: {
    AttributeName: 'STRING_VALUE',
    OrderBy: ASC | DESC
  }
};
guardduty.listFindings(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

Parameters:

  • params (Object) (defaults to: {})
    • DetectorId — (String)

      The ID of the detector that specifies the GuardDuty service whose findings you want to list.

    • FindingCriteria — (map)

      Represents the criteria used for querying findings. Valid values include:

      • JSON field name

      • accountId

      • region

      • confidence

      • id

      • resource.accessKeyDetails.accessKeyId

      • resource.accessKeyDetails.principalId

      • resource.accessKeyDetails.userName

      • resource.accessKeyDetails.userType

      • resource.instanceDetails.iamInstanceProfile.id

      • resource.instanceDetails.imageId

      • resource.instanceDetails.instanceId

      • resource.instanceDetails.networkInterfaces.ipv6Addresses

      • resource.instanceDetails.networkInterfaces.privateIpAddresses.privateIpAddress

      • resource.instanceDetails.networkInterfaces.publicDnsName

      • resource.instanceDetails.networkInterfaces.publicIp

      • resource.instanceDetails.networkInterfaces.securityGroups.groupId

      • resource.instanceDetails.networkInterfaces.securityGroups.groupName

      • resource.instanceDetails.networkInterfaces.subnetId

      • resource.instanceDetails.networkInterfaces.vpcId

      • resource.instanceDetails.tags.key

      • resource.instanceDetails.tags.value

      • resource.resourceType

      • service.action.actionType

      • service.action.awsApiCallAction.api

      • service.action.awsApiCallAction.callerType

      • service.action.awsApiCallAction.remoteIpDetails.city.cityName

      • service.action.awsApiCallAction.remoteIpDetails.country.countryName

      • service.action.awsApiCallAction.remoteIpDetails.ipAddressV4

      • service.action.awsApiCallAction.remoteIpDetails.organization.asn

      • service.action.awsApiCallAction.remoteIpDetails.organization.asnOrg

      • service.action.awsApiCallAction.serviceName

      • service.action.dnsRequestAction.domain

      • service.action.dnsRequestAction.domainWithSuffix

      • service.action.networkConnectionAction.blocked

      • service.action.networkConnectionAction.connectionDirection

      • service.action.networkConnectionAction.localPortDetails.port

      • service.action.networkConnectionAction.protocol

      • service.action.networkConnectionAction.remoteIpDetails.country.countryName

      • service.action.networkConnectionAction.remoteIpDetails.ipAddressV4

      • service.action.networkConnectionAction.remoteIpDetails.organization.asn

      • service.action.networkConnectionAction.remoteIpDetails.organization.asnOrg

      • service.action.networkConnectionAction.remotePortDetails.port

      • service.additionalInfo.threatListName

      • service.archived

        When this attribute is set to 'true', only archived findings are listed. When it's set to 'false', only unarchived findings are listed. When this attribute is not set, all existing findings are listed.

      • service.resourceRole

      • severity

      • type

      • updatedAt

        Type: Timestamp in Unix Epoch millisecond format: 1486685375000

      • Criterion — (map<map>)

        Represents a map of finding properties that match specified conditions and values when querying findings.

        • Eq — (Array<String>)

          Represents the equal condition to be applied to a single field when querying for findings.

        • Neq — (Array<String>)

          Represents the not equal condition to be applied to a single field when querying for findings.

        • Gt — (Integer)

          Represents a greater than condition to be applied to a single field when querying for findings.

        • Gte — (Integer)

          Represents a greater than or equal condition to be applied to a single field when querying for findings.

        • Lt — (Integer)

          Represents a less than condition to be applied to a single field when querying for findings.

        • Lte — (Integer)

          Represents a less than or equal condition to be applied to a single field when querying for findings.

        • Equals — (Array<String>)

          Represents an equal condition to be applied to a single field when querying for findings.

        • NotEquals — (Array<String>)

          Represents a not equal condition to be applied to a single field when querying for findings.

        • GreaterThan — (Integer)

          Represents a greater than condition to be applied to a single field when querying for findings.

        • GreaterThanOrEqual — (Integer)

          Represents a greater than or equal condition to be applied to a single field when querying for findings.

        • LessThan — (Integer)

          Represents a less than condition to be applied to a single field when querying for findings.

        • LessThanOrEqual — (Integer)

          Represents a less than or equal condition to be applied to a single field when querying for findings.

    • SortCriteria — (map)

      Represents the criteria used for sorting findings.

      • AttributeName — (String)

        Represents the finding attribute, such as accountId, that sorts the findings.

      • OrderBy — (String)

        The order by which the sorted findings are to be displayed.

        Possible values include:
        • "ASC"
        • "DESC"
    • MaxResults — (Integer)

      You can use this parameter to indicate the maximum number of items you want in the response. The default value is 50. The maximum value is 50.

    • NextToken — (String)

      You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.

Callback (callback):

  • function(err, data) { ... }

    Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.

    Context (this):

    • (AWS.Response)

      the response object containing error, data properties, and the original request object.

    Parameters:

    • err (Error)

      the error object returned from the request. Set to null if the request is successful.

    • data (Object)

      the de-serialized data returned from the request. Set to null if a request error occurs. The data object has the following properties:

      • FindingIds — (Array<String>)

        The IDs of the findings that you're listing.

      • NextToken — (String)

        The pagination parameter to be used on the next list operation to retrieve more items.

Returns:

  • (AWS.Request)

    a handle to the operation request for subsequent event callback registration.

listInvitations(params = {}, callback) ⇒ AWS.Request

Lists all GuardDuty membership invitations that were sent to the current Amazon Web Services account.

Service Reference:

Examples:

Calling the listInvitations operation

var params = {
  MaxResults: 'NUMBER_VALUE',
  NextToken: 'STRING_VALUE'
};
guardduty.listInvitations(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

Parameters:

  • params (Object) (defaults to: {})
    • MaxResults — (Integer)

      You can use this parameter to indicate the maximum number of items that you want in the response. The default value is 50. The maximum value is 50.

    • NextToken — (String)

      You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.

Callback (callback):

  • function(err, data) { ... }

    Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.

    Context (this):

    • (AWS.Response)

      the response object containing error, data properties, and the original request object.

    Parameters:

    • err (Error)

      the error object returned from the request. Set to null if the request is successful.

    • data (Object)

      the de-serialized data returned from the request. Set to null if a request error occurs. The data object has the following properties:

      • Invitations — (Array<map>)

        A list of invitation descriptions.

        • AccountId — (String)

          The ID of the account that the invitation was sent from.

        • InvitationId — (String)

          The ID of the invitation. This value is used to validate the inviter account to the member account.

        • RelationshipStatus — (String)

          The status of the relationship between the inviter and invitee accounts.

        • InvitedAt — (String)

          The timestamp when the invitation was sent.

      • NextToken — (String)

        The pagination parameter to be used on the next list operation to retrieve more items.

Returns:

  • (AWS.Request)

    a handle to the operation request for subsequent event callback registration.

listIPSets(params = {}, callback) ⇒ AWS.Request

Lists the IPSets of the GuardDuty service specified by the detector ID. If you use this operation from a member account, the IPSets returned are the IPSets from the associated administrator account.

Service Reference:

Examples:

Calling the listIPSets operation

var params = {
  DetectorId: 'STRING_VALUE', /* required */
  MaxResults: 'NUMBER_VALUE',
  NextToken: 'STRING_VALUE'
};
guardduty.listIPSets(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

Parameters:

  • params (Object) (defaults to: {})
    • DetectorId — (String)

      The unique ID of the detector that the IPSet is associated with.

    • MaxResults — (Integer)

      You can use this parameter to indicate the maximum number of items you want in the response. The default value is 50. The maximum value is 50.

    • NextToken — (String)

      You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.

Callback (callback):

  • function(err, data) { ... }

    Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.

    Context (this):

    • (AWS.Response)

      the response object containing error, data properties, and the original request object.

    Parameters:

    • err (Error)

      the error object returned from the request. Set to null if the request is successful.

    • data (Object)

      the de-serialized data returned from the request. Set to null if a request error occurs. The data object has the following properties:

      • IpSetIds — (Array<String>)

        The IDs of the IPSet resources.

      • NextToken — (String)

        The pagination parameter to be used on the next list operation to retrieve more items.

Returns:

  • (AWS.Request)

    a handle to the operation request for subsequent event callback registration.

listMembers(params = {}, callback) ⇒ AWS.Request

Lists details about all member accounts for the current GuardDuty administrator account.

Service Reference:

Examples:

Calling the listMembers operation

var params = {
  DetectorId: 'STRING_VALUE', /* required */
  MaxResults: 'NUMBER_VALUE',
  NextToken: 'STRING_VALUE',
  OnlyAssociated: 'STRING_VALUE'
};
guardduty.listMembers(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

Parameters:

  • params (Object) (defaults to: {})
    • DetectorId — (String)

      The unique ID of the detector the member is associated with.

    • MaxResults — (Integer)

      You can use this parameter to indicate the maximum number of items you want in the response. The default value is 50. The maximum value is 50.

    • NextToken — (String)

      You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.

    • OnlyAssociated — (String)

      Specifies whether to only return associated members or to return all members (including members who haven't been invited yet or have been disassociated). Member accounts must have been previously associated with the GuardDuty administrator account using Create Members .

Callback (callback):

  • function(err, data) { ... }

    Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.

    Context (this):

    • (AWS.Response)

      the response object containing error, data properties, and the original request object.

    Parameters:

    • err (Error)

      the error object returned from the request. Set to null if the request is successful.

    • data (Object)

      the de-serialized data returned from the request. Set to null if a request error occurs. The data object has the following properties:

      • Members — (Array<map>)

        A list of members.

        Note: The values for email and invitedAt are available only if the member accounts are added by invitation.
        • AccountIdrequired — (String)

          The ID of the member account.

        • DetectorId — (String)

          The detector ID of the member account.

        • MasterIdrequired — (String)

          The administrator account ID.

        • Emailrequired — (String)

          The email address of the member account.

        • RelationshipStatusrequired — (String)

          The status of the relationship between the member and the administrator.

        • InvitedAt — (String)

          The timestamp when the invitation was sent.

        • UpdatedAtrequired — (String)

          The last-updated timestamp of the member.

        • AdministratorId — (String)

          The administrator account ID.

      • NextToken — (String)

        The pagination parameter to be used on the next list operation to retrieve more items.

Returns:

  • (AWS.Request)

    a handle to the operation request for subsequent event callback registration.

listOrganizationAdminAccounts(params = {}, callback) ⇒ AWS.Request

Lists the accounts designated as GuardDuty delegated administrators. Only the organization's management account can run this API operation.

Service Reference:

Examples:

Calling the listOrganizationAdminAccounts operation

var params = {
  MaxResults: 'NUMBER_VALUE',
  NextToken: 'STRING_VALUE'
};
guardduty.listOrganizationAdminAccounts(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

Parameters:

  • params (Object) (defaults to: {})
    • MaxResults — (Integer)

      The maximum number of results to return in the response.

    • NextToken — (String)

      A token to use for paginating results that are returned in the response. Set the value of this parameter to null for the first request to a list action. For subsequent calls, use the NextToken value returned from the previous request to continue listing results after the first page.

Callback (callback):

  • function(err, data) { ... }

    Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.

    Context (this):

    • (AWS.Response)

      the response object containing error, data properties, and the original request object.

    Parameters:

    • err (Error)

      the error object returned from the request. Set to null if the request is successful.

    • data (Object)

      the de-serialized data returned from the request. Set to null if a request error occurs. The data object has the following properties:

      • AdminAccounts — (Array<map>)

        A list of accounts configured as GuardDuty delegated administrators.

        • AdminAccountId — (String)

          The Amazon Web Services account ID for the account.

        • AdminStatus — (String)

          Indicates whether the account is enabled as the delegated administrator.

          Possible values include:
          • "ENABLED"
          • "DISABLE_IN_PROGRESS"
      • NextToken — (String)

        The pagination parameter to be used on the next list operation to retrieve more items.

Returns:

  • (AWS.Request)

    a handle to the operation request for subsequent event callback registration.

listPublishingDestinations(params = {}, callback) ⇒ AWS.Request

Returns a list of publishing destinations associated with the specified detectorId.

Service Reference:

Examples:

Calling the listPublishingDestinations operation

var params = {
  DetectorId: 'STRING_VALUE', /* required */
  MaxResults: 'NUMBER_VALUE',
  NextToken: 'STRING_VALUE'
};
guardduty.listPublishingDestinations(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

Parameters:

  • params (Object) (defaults to: {})
    • DetectorId — (String)

      The ID of the detector to retrieve publishing destinations for.

    • MaxResults — (Integer)

      The maximum number of results to return in the response.

    • NextToken — (String)

      A token to use for paginating results that are returned in the response. Set the value of this parameter to null for the first request to a list action. For subsequent calls, use the NextToken value returned from the previous request to continue listing results after the first page.

Callback (callback):

  • function(err, data) { ... }

    Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.

    Context (this):

    • (AWS.Response)

      the response object containing error, data properties, and the original request object.

    Parameters:

    • err (Error)

      the error object returned from the request. Set to null if the request is successful.

    • data (Object)

      the de-serialized data returned from the request. Set to null if a request error occurs. The data object has the following properties:

      • Destinations — (Array<map>)

        A Destinations object that includes information about each publishing destination returned.

        • DestinationIdrequired — (String)

          The unique ID of the publishing destination.

        • DestinationTyperequired — (String)

          The type of resource used for the publishing destination. Currently, only Amazon S3 buckets are supported.

          Possible values include:
          • "S3"
        • Statusrequired — (String)

          The status of the publishing destination.

          Possible values include:
          • "PENDING_VERIFICATION"
          • "PUBLISHING"
          • "UNABLE_TO_PUBLISH_FIX_DESTINATION_PROPERTY"
          • "STOPPED"
      • NextToken — (String)

        A token to use for paginating results that are returned in the response. Set the value of this parameter to null for the first request to a list action. For subsequent calls, use the NextToken value returned from the previous request to continue listing results after the first page.

Returns:

  • (AWS.Request)

    a handle to the operation request for subsequent event callback registration.

listTagsForResource(params = {}, callback) ⇒ AWS.Request

Lists tags for a resource. Tagging is currently supported for detectors, finding filters, IP sets, threat intel sets, and publishing destination, with a limit of 50 tags per resource. When invoked, this operation returns all assigned tags for a given resource.

Service Reference:

Examples:

Calling the listTagsForResource operation

var params = {
  ResourceArn: 'STRING_VALUE' /* required */
};
guardduty.listTagsForResource(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

Parameters:

  • params (Object) (defaults to: {})
    • ResourceArn — (String)

      The Amazon Resource Name (ARN) for the given GuardDuty resource.

Callback (callback):

  • function(err, data) { ... }

    Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.

    Context (this):

    • (AWS.Response)

      the response object containing error, data properties, and the original request object.

    Parameters:

    • err (Error)

      the error object returned from the request. Set to null if the request is successful.

    • data (Object)

      the de-serialized data returned from the request. Set to null if a request error occurs. The data object has the following properties:

      • Tags — (map<String>)

        The tags associated with the resource.

Returns:

  • (AWS.Request)

    a handle to the operation request for subsequent event callback registration.

listThreatIntelSets(params = {}, callback) ⇒ AWS.Request

Lists the ThreatIntelSets of the GuardDuty service specified by the detector ID. If you use this operation from a member account, the ThreatIntelSets associated with the administrator account are returned.

Service Reference:

Examples:

Calling the listThreatIntelSets operation

var params = {
  DetectorId: 'STRING_VALUE', /* required */
  MaxResults: 'NUMBER_VALUE',
  NextToken: 'STRING_VALUE'
};
guardduty.listThreatIntelSets(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

Parameters:

  • params (Object) (defaults to: {})
    • DetectorId — (String)

      The unique ID of the detector that the threatIntelSet is associated with.

    • MaxResults — (Integer)

      You can use this parameter to indicate the maximum number of items that you want in the response. The default value is 50. The maximum value is 50.

    • NextToken — (String)

      You can use this parameter to paginate results in the response. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.

Callback (callback):

  • function(err, data) { ... }

    Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.

    Context (this):

    • (AWS.Response)

      the response object containing error, data properties, and the original request object.

    Parameters:

    • err (Error)

      the error object returned from the request. Set to null if the request is successful.

    • data (Object)

      the de-serialized data returned from the request. Set to null if a request error occurs. The data object has the following properties:

      • ThreatIntelSetIds — (Array<String>)

        The IDs of the ThreatIntelSet resources.

      • NextToken — (String)

        The pagination parameter to be used on the next list operation to retrieve more items.

Returns:

  • (AWS.Request)

    a handle to the operation request for subsequent event callback registration.

startMalwareScan(params = {}, callback) ⇒ AWS.Request

Initiates the malware scan. Invoking this API will automatically create the Service-linked role in the corresponding account.

When the malware scan starts, you can use the associated scan ID to track the status of the scan. For more information, see DescribeMalwareScans.

Service Reference:

Examples:

Calling the startMalwareScan operation

var params = {
  ResourceArn: 'STRING_VALUE' /* required */
};
guardduty.startMalwareScan(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

Parameters:

  • params (Object) (defaults to: {})
    • ResourceArn — (String)

      Amazon Resource Name (ARN) of the resource for which you invoked the API.

Callback (callback):

  • function(err, data) { ... }

    Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.

    Context (this):

    • (AWS.Response)

      the response object containing error, data properties, and the original request object.

    Parameters:

    • err (Error)

      the error object returned from the request. Set to null if the request is successful.

    • data (Object)

      the de-serialized data returned from the request. Set to null if a request error occurs. The data object has the following properties:

      • ScanId — (String)

        A unique identifier that gets generated when you invoke the API without any error. Each malware scan has a corresponding scan ID. Using this scan ID, you can monitor the status of your malware scan.

Returns:

  • (AWS.Request)

    a handle to the operation request for subsequent event callback registration.

startMonitoringMembers(params = {}, callback) ⇒ AWS.Request

Turns on GuardDuty monitoring of the specified member accounts. Use this operation to restart monitoring of accounts that you stopped monitoring with the StopMonitoringMembers operation.

Service Reference:

Examples:

Calling the startMonitoringMembers operation

var params = {
  AccountIds: [ /* required */
    'STRING_VALUE',
    /* more items */
  ],
  DetectorId: 'STRING_VALUE' /* required */
};
guardduty.startMonitoringMembers(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

Parameters:

  • params (Object) (defaults to: {})
    • DetectorId — (String)

      The unique ID of the detector of the GuardDuty administrator account associated with the member accounts to monitor.

    • AccountIds — (Array<String>)

      A list of account IDs of the GuardDuty member accounts to start monitoring.

Callback (callback):

  • function(err, data) { ... }

    Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.

    Context (this):

    • (AWS.Response)

      the response object containing error, data properties, and the original request object.

    Parameters:

    • err (Error)

      the error object returned from the request. Set to null if the request is successful.

    • data (Object)

      the de-serialized data returned from the request. Set to null if a request error occurs. The data object has the following properties:

      • UnprocessedAccounts — (Array<map>)

        A list of objects that contain the unprocessed account and a result string that explains why it was unprocessed.

        • AccountIdrequired — (String)

          The Amazon Web Services account ID.

        • Resultrequired — (String)

          A reason why the account hasn't been processed.

Returns:

  • (AWS.Request)

    a handle to the operation request for subsequent event callback registration.

stopMonitoringMembers(params = {}, callback) ⇒ AWS.Request

Stops GuardDuty monitoring for the specified member accounts. Use the StartMonitoringMembers operation to restart monitoring for those accounts.

With autoEnableOrganizationMembers configuration for your organization set to ALL, you'll receive an error if you attempt to stop monitoring the member accounts in your organization.

Service Reference:

Examples:

Calling the stopMonitoringMembers operation

var params = {
  AccountIds: [ /* required */
    'STRING_VALUE',
    /* more items */
  ],
  DetectorId: 'STRING_VALUE' /* required */
};
guardduty.stopMonitoringMembers(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

Parameters:

  • params (Object) (defaults to: {})
    • DetectorId — (String)

      The unique ID of the detector associated with the GuardDuty administrator account that is monitoring member accounts.

    • AccountIds — (Array<String>)

      A list of account IDs for the member accounts to stop monitoring.

Callback (callback):

  • function(err, data) { ... }

    Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.

    Context (this):

    • (AWS.Response)

      the response object containing error, data properties, and the original request object.

    Parameters:

    • err (Error)

      the error object returned from the request. Set to null if the request is successful.

    • data (Object)

      the de-serialized data returned from the request. Set to null if a request error occurs. The data object has the following properties:

      • UnprocessedAccounts — (Array<map>)

        A list of objects that contain an accountId for each account that could not be processed, and a result string that indicates why the account was not processed.

        • AccountIdrequired — (String)

          The Amazon Web Services account ID.

        • Resultrequired — (String)

          A reason why the account hasn't been processed.

Returns:

  • (AWS.Request)

    a handle to the operation request for subsequent event callback registration.

tagResource(params = {}, callback) ⇒ AWS.Request

Adds tags to a resource.

Service Reference:

Examples:

Calling the tagResource operation

var params = {
  ResourceArn: 'STRING_VALUE', /* required */
  Tags: { /* required */
    '<TagKey>': 'STRING_VALUE',
    /* '<TagKey>': ... */
  }
};
guardduty.tagResource(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

Parameters:

  • params (Object) (defaults to: {})
    • ResourceArn — (String)

      The Amazon Resource Name (ARN) for the GuardDuty resource to apply a tag to.

    • Tags — (map<String>)

      The tags to be added to a resource.

Callback (callback):

  • function(err, data) { ... }

    Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.

    Context (this):

    • (AWS.Response)

      the response object containing error, data properties, and the original request object.

    Parameters:

    • err (Error)

      the error object returned from the request. Set to null if the request is successful.

    • data (Object)

      the de-serialized data returned from the request. Set to null if a request error occurs.

Returns:

  • (AWS.Request)

    a handle to the operation request for subsequent event callback registration.

unarchiveFindings(params = {}, callback) ⇒ AWS.Request

Unarchives GuardDuty findings specified by the findingIds.

Service Reference:

Examples:

Calling the unarchiveFindings operation

var params = {
  DetectorId: 'STRING_VALUE', /* required */
  FindingIds: [ /* required */
    'STRING_VALUE',
    /* more items */
  ]
};
guardduty.unarchiveFindings(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

Parameters:

  • params (Object) (defaults to: {})
    • DetectorId — (String)

      The ID of the detector associated with the findings to unarchive.

    • FindingIds — (Array<String>)

      The IDs of the findings to unarchive.

Callback (callback):

  • function(err, data) { ... }

    Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.

    Context (this):

    • (AWS.Response)

      the response object containing error, data properties, and the original request object.

    Parameters:

    • err (Error)

      the error object returned from the request. Set to null if the request is successful.

    • data (Object)

      the de-serialized data returned from the request. Set to null if a request error occurs.

Returns:

  • (AWS.Request)

    a handle to the operation request for subsequent event callback registration.

untagResource(params = {}, callback) ⇒ AWS.Request

Removes tags from a resource.

Service Reference:

Examples:

Calling the untagResource operation

var params = {
  ResourceArn: 'STRING_VALUE', /* required */
  TagKeys: [ /* required */
    'STRING_VALUE',
    /* more items */
  ]
};
guardduty.untagResource(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

Parameters:

  • params (Object) (defaults to: {})
    • ResourceArn — (String)

      The Amazon Resource Name (ARN) for the resource to remove tags from.

    • TagKeys — (Array<String>)

      The tag keys to remove from the resource.

Callback (callback):

  • function(err, data) { ... }

    Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.

    Context (this):

    • (AWS.Response)

      the response object containing error, data properties, and the original request object.

    Parameters:

    • err (Error)

      the error object returned from the request. Set to null if the request is successful.

    • data (Object)

      the de-serialized data returned from the request. Set to null if a request error occurs.

Returns:

  • (AWS.Request)

    a handle to the operation request for subsequent event callback registration.

updateDetector(params = {}, callback) ⇒ AWS.Request

Updates the GuardDuty detector specified by the detector ID.

Specifying both EKS Runtime Monitoring (EKS_RUNTIME_MONITORING) and Runtime Monitoring (RUNTIME_MONITORING) will cause an error. You can add only one of these two features because Runtime Monitoring already includes the threat detection for Amazon EKS resources. For more information, see Runtime Monitoring.

There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints.

Service Reference:

Examples:

Calling the updateDetector operation

var params = {
  DetectorId: 'STRING_VALUE', /* required */
  DataSources: {
    Kubernetes: {
      AuditLogs: { /* required */
        Enable: true || false /* required */
      }
    },
    MalwareProtection: {
      ScanEc2InstanceWithFindings: {
        EbsVolumes: true || false
      }
    },
    S3Logs: {
      Enable: true || false /* required */
    }
  },
  Enable: true || false,
  Features: [
    {
      AdditionalConfiguration: [
        {
          Name: EKS_ADDON_MANAGEMENT | ECS_FARGATE_AGENT_MANAGEMENT,
          Status: ENABLED | DISABLED
        },
        /* more items */
      ],
      Name: S3_DATA_EVENTS | EKS_AUDIT_LOGS | EBS_MALWARE_PROTECTION | RDS_LOGIN_EVENTS | EKS_RUNTIME_MONITORING | LAMBDA_NETWORK_LOGS | RUNTIME_MONITORING,
      Status: ENABLED | DISABLED
    },
    /* more items */
  ],
  FindingPublishingFrequency: FIFTEEN_MINUTES | ONE_HOUR | SIX_HOURS
};
guardduty.updateDetector(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

Parameters:

  • params (Object) (defaults to: {})
    • DetectorId — (String)

      The unique ID of the detector to update.

    • Enable — (Boolean)

      Specifies whether the detector is enabled or not enabled.

    • FindingPublishingFrequency — (String)

      An enum value that specifies how frequently findings are exported, such as to CloudWatch Events.

      Possible values include:
      • "FIFTEEN_MINUTES"
      • "ONE_HOUR"
      • "SIX_HOURS"
    • DataSources — (map)

      Describes which data sources will be updated.

      There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints.

      • S3Logs — (map)

        Describes whether S3 data event logs are enabled as a data source.

        • Enablerequired — (Boolean)

          The status of S3 data event logs as a data source.

      • Kubernetes — (map)

        Describes whether any Kubernetes logs are enabled as data sources.

        • AuditLogsrequired — (map)

          The status of Kubernetes audit logs as a data source.

          • Enablerequired — (Boolean)

            The status of Kubernetes audit logs as a data source.

      • MalwareProtection — (map)

        Describes whether Malware Protection is enabled as a data source.

        • ScanEc2InstanceWithFindings — (map)

          Describes the configuration of Malware Protection for EC2 instances with findings.

          • EbsVolumes — (Boolean)

            Describes the configuration for scanning EBS volumes as data source.

    • Features — (Array<map>)

      Provides the features that will be updated for the detector.

      • Name — (String)

        The name of the feature.

        Possible values include:
        • "S3_DATA_EVENTS"
        • "EKS_AUDIT_LOGS"
        • "EBS_MALWARE_PROTECTION"
        • "RDS_LOGIN_EVENTS"
        • "EKS_RUNTIME_MONITORING"
        • "LAMBDA_NETWORK_LOGS"
        • "RUNTIME_MONITORING"
      • Status — (String)

        The status of the feature.

        Possible values include:
        • "ENABLED"
        • "DISABLED"
      • AdditionalConfiguration — (Array<map>)

        Additional configuration for a resource.

        • Name — (String)

          Name of the additional configuration.

          Possible values include:
          • "EKS_ADDON_MANAGEMENT"
          • "ECS_FARGATE_AGENT_MANAGEMENT"
        • Status — (String)

          Status of the additional configuration.

          Possible values include:
          • "ENABLED"
          • "DISABLED"

Callback (callback):

  • function(err, data) { ... }

    Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.

    Context (this):

    • (AWS.Response)

      the response object containing error, data properties, and the original request object.

    Parameters:

    • err (Error)

      the error object returned from the request. Set to null if the request is successful.

    • data (Object)

      the de-serialized data returned from the request. Set to null if a request error occurs.

Returns:

  • (AWS.Request)

    a handle to the operation request for subsequent event callback registration.

updateFilter(params = {}, callback) ⇒ AWS.Request

Updates the filter specified by the filter name.

Service Reference:

Examples:

Calling the updateFilter operation

var params = {
  DetectorId: 'STRING_VALUE', /* required */
  FilterName: 'STRING_VALUE', /* required */
  Action: NOOP | ARCHIVE,
  Description: 'STRING_VALUE',
  FindingCriteria: {
    Criterion: {
      '<String>': {
        Eq: [
          'STRING_VALUE',
          /* more items */
        ],
        Equals: [
          'STRING_VALUE',
          /* more items */
        ],
        GreaterThan: 'NUMBER_VALUE',
        GreaterThanOrEqual: 'NUMBER_VALUE',
        Gt: 'NUMBER_VALUE',
        Gte: 'NUMBER_VALUE',
        LessThan: 'NUMBER_VALUE',
        LessThanOrEqual: 'NUMBER_VALUE',
        Lt: 'NUMBER_VALUE',
        Lte: 'NUMBER_VALUE',
        Neq: [
          'STRING_VALUE',
          /* more items */
        ],
        NotEquals: [
          'STRING_VALUE',
          /* more items */
        ]
      },
      /* '<String>': ... */
    }
  },
  Rank: 'NUMBER_VALUE'
};
guardduty.updateFilter(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

Parameters:

  • params (Object) (defaults to: {})
    • DetectorId — (String)

      The unique ID of the detector that specifies the GuardDuty service where you want to update a filter.

    • FilterName — (String)

      The name of the filter.

    • Description — (String)

      The description of the filter. Valid characters include alphanumeric characters, and special characters such as hyphen, period, colon, underscore, parentheses ({ }, [ ], and ( )), forward slash, horizontal tab, vertical tab, newline, form feed, return, and whitespace.

    • Action — (String)

      Specifies the action that is to be applied to the findings that match the filter.

      Possible values include:
      • "NOOP"
      • "ARCHIVE"
    • Rank — (Integer)

      Specifies the position of the filter in the list of current filters. Also specifies the order in which this filter is applied to the findings.

    • FindingCriteria — (map)

      Represents the criteria to be used in the filter for querying findings.

      • Criterion — (map<map>)

        Represents a map of finding properties that match specified conditions and values when querying findings.

        • Eq — (Array<String>)

          Represents the equal condition to be applied to a single field when querying for findings.

        • Neq — (Array<String>)

          Represents the not equal condition to be applied to a single field when querying for findings.

        • Gt — (Integer)

          Represents a greater than condition to be applied to a single field when querying for findings.

        • Gte — (Integer)

          Represents a greater than or equal condition to be applied to a single field when querying for findings.

        • Lt — (Integer)

          Represents a less than condition to be applied to a single field when querying for findings.

        • Lte — (Integer)

          Represents a less than or equal condition to be applied to a single field when querying for findings.

        • Equals — (Array<String>)

          Represents an equal condition to be applied to a single field when querying for findings.

        • NotEquals — (Array<String>)

          Represents a not equal condition to be applied to a single field when querying for findings.

        • GreaterThan — (Integer)

          Represents a greater than condition to be applied to a single field when querying for findings.

        • GreaterThanOrEqual — (Integer)

          Represents a greater than or equal condition to be applied to a single field when querying for findings.

        • LessThan — (Integer)

          Represents a less than condition to be applied to a single field when querying for findings.

        • LessThanOrEqual — (Integer)

          Represents a less than or equal condition to be applied to a single field when querying for findings.

Callback (callback):

  • function(err, data) { ... }

    Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.

    Context (this):

    • (AWS.Response)

      the response object containing error, data properties, and the original request object.

    Parameters:

    • err (Error)

      the error object returned from the request. Set to null if the request is successful.

    • data (Object)

      the de-serialized data returned from the request. Set to null if a request error occurs. The data object has the following properties:

      • Name — (String)

        The name of the filter.

Returns:

  • (AWS.Request)

    a handle to the operation request for subsequent event callback registration.

updateFindingsFeedback(params = {}, callback) ⇒ AWS.Request

Marks the specified GuardDuty findings as useful or not useful.

Service Reference:

Examples:

Calling the updateFindingsFeedback operation

var params = {
  DetectorId: 'STRING_VALUE', /* required */
  Feedback: USEFUL | NOT_USEFUL, /* required */
  FindingIds: [ /* required */
    'STRING_VALUE',
    /* more items */
  ],
  Comments: 'STRING_VALUE'
};
guardduty.updateFindingsFeedback(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

Parameters:

  • params (Object) (defaults to: {})
    • DetectorId — (String)

      The ID of the detector associated with the findings to update feedback for.

    • FindingIds — (Array<String>)

      The IDs of the findings that you want to mark as useful or not useful.

    • Feedback — (String)

      The feedback for the finding.

      Possible values include:
      • "USEFUL"
      • "NOT_USEFUL"
    • Comments — (String)

      Additional feedback about the GuardDuty findings.

Callback (callback):

  • function(err, data) { ... }

    Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.

    Context (this):

    • (AWS.Response)

      the response object containing error, data properties, and the original request object.

    Parameters:

    • err (Error)

      the error object returned from the request. Set to null if the request is successful.

    • data (Object)

      the de-serialized data returned from the request. Set to null if a request error occurs.

Returns:

  • (AWS.Request)

    a handle to the operation request for subsequent event callback registration.

updateIPSet(params = {}, callback) ⇒ AWS.Request

Updates the IPSet specified by the IPSet ID.

Service Reference:

Examples:

Calling the updateIPSet operation

var params = {
  DetectorId: 'STRING_VALUE', /* required */
  IpSetId: 'STRING_VALUE', /* required */
  Activate: true || false,
  Location: 'STRING_VALUE',
  Name: 'STRING_VALUE'
};
guardduty.updateIPSet(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

Parameters:

  • params (Object) (defaults to: {})
    • DetectorId — (String)

      The detectorID that specifies the GuardDuty service whose IPSet you want to update.

    • IpSetId — (String)

      The unique ID that specifies the IPSet that you want to update.

    • Name — (String)

      The unique ID that specifies the IPSet that you want to update.

    • Location — (String)

      The updated URI of the file that contains the IPSet.

    • Activate — (Boolean)

      The updated Boolean value that specifies whether the IPSet is active or not.

Callback (callback):

  • function(err, data) { ... }

    Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.

    Context (this):

    • (AWS.Response)

      the response object containing error, data properties, and the original request object.

    Parameters:

    • err (Error)

      the error object returned from the request. Set to null if the request is successful.

    • data (Object)

      the de-serialized data returned from the request. Set to null if a request error occurs.

Returns:

  • (AWS.Request)

    a handle to the operation request for subsequent event callback registration.

updateMalwareScanSettings(params = {}, callback) ⇒ AWS.Request

Updates the malware scan settings.

There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints.

Service Reference:

Examples:

Calling the updateMalwareScanSettings operation

var params = {
  DetectorId: 'STRING_VALUE', /* required */
  EbsSnapshotPreservation: NO_RETENTION | RETENTION_WITH_FINDING,
  ScanResourceCriteria: {
    Exclude: {
      '<ScanCriterionKey>': {
        MapEquals: [ /* required */
          {
            Key: 'STRING_VALUE', /* required */
            Value: 'STRING_VALUE'
          },
          /* more items */
        ]
      },
      /* '<ScanCriterionKey>': ... */
    },
    Include: {
      '<ScanCriterionKey>': {
        MapEquals: [ /* required */
          {
            Key: 'STRING_VALUE', /* required */
            Value: 'STRING_VALUE'
          },
          /* more items */
        ]
      },
      /* '<ScanCriterionKey>': ... */
    }
  }
};
guardduty.updateMalwareScanSettings(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

Parameters:

  • params (Object) (defaults to: {})
    • DetectorId — (String)

      The unique ID of the detector that specifies the GuardDuty service where you want to update scan settings.

    • ScanResourceCriteria — (map)

      Represents the criteria to be used in the filter for selecting resources to scan.

      • Include — (map<map>)

        Represents condition that when matched will allow a malware scan for a certain resource.

        • MapEqualsrequired — (Array<map>)

          Represents an mapEqual condition to be applied to a single field when triggering for malware scan.

          • Keyrequired — (String)

            Represents the key in the map condition.

          • Value — (String)

            Represents optional value in the map condition. If not specified, only the key will be matched.

      • Exclude — (map<map>)

        Represents condition that when matched will prevent a malware scan for a certain resource.

        • MapEqualsrequired — (Array<map>)

          Represents an mapEqual condition to be applied to a single field when triggering for malware scan.

          • Keyrequired — (String)

            Represents the key in the map condition.

          • Value — (String)

            Represents optional value in the map condition. If not specified, only the key will be matched.

    • EbsSnapshotPreservation — (String)

      An enum value representing possible snapshot preservation settings.

      Possible values include:
      • "NO_RETENTION"
      • "RETENTION_WITH_FINDING"

Callback (callback):

  • function(err, data) { ... }

    Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.

    Context (this):

    • (AWS.Response)

      the response object containing error, data properties, and the original request object.

    Parameters:

    • err (Error)

      the error object returned from the request. Set to null if the request is successful.

    • data (Object)

      the de-serialized data returned from the request. Set to null if a request error occurs.

Returns:

  • (AWS.Request)

    a handle to the operation request for subsequent event callback registration.

updateMemberDetectors(params = {}, callback) ⇒ AWS.Request

Contains information on member accounts to be updated.

Specifying both EKS Runtime Monitoring (EKS_RUNTIME_MONITORING) and Runtime Monitoring (RUNTIME_MONITORING) will cause an error. You can add only one of these two features because Runtime Monitoring already includes the threat detection for Amazon EKS resources. For more information, see Runtime Monitoring.

There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints.

Service Reference:

Examples:

Calling the updateMemberDetectors operation

var params = {
  AccountIds: [ /* required */
    'STRING_VALUE',
    /* more items */
  ],
  DetectorId: 'STRING_VALUE', /* required */
  DataSources: {
    Kubernetes: {
      AuditLogs: { /* required */
        Enable: true || false /* required */
      }
    },
    MalwareProtection: {
      ScanEc2InstanceWithFindings: {
        EbsVolumes: true || false
      }
    },
    S3Logs: {
      Enable: true || false /* required */
    }
  },
  Features: [
    {
      AdditionalConfiguration: [
        {
          Name: EKS_ADDON_MANAGEMENT | ECS_FARGATE_AGENT_MANAGEMENT,
          Status: ENABLED | DISABLED
        },
        /* more items */
      ],
      Name: S3_DATA_EVENTS | EKS_AUDIT_LOGS | EBS_MALWARE_PROTECTION | RDS_LOGIN_EVENTS | EKS_RUNTIME_MONITORING | LAMBDA_NETWORK_LOGS | RUNTIME_MONITORING,
      Status: ENABLED | DISABLED
    },
    /* more items */
  ]
};
guardduty.updateMemberDetectors(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

Parameters:

  • params (Object) (defaults to: {})
    • DetectorId — (String)

      The detector ID of the administrator account.

    • AccountIds — (Array<String>)

      A list of member account IDs to be updated.

    • DataSources — (map)

      Describes which data sources will be updated.

      • S3Logs — (map)

        Describes whether S3 data event logs are enabled as a data source.

        • Enablerequired — (Boolean)

          The status of S3 data event logs as a data source.

      • Kubernetes — (map)

        Describes whether any Kubernetes logs are enabled as data sources.

        • AuditLogsrequired — (map)

          The status of Kubernetes audit logs as a data source.

          • Enablerequired — (Boolean)

            The status of Kubernetes audit logs as a data source.

      • MalwareProtection — (map)

        Describes whether Malware Protection is enabled as a data source.

        • ScanEc2InstanceWithFindings — (map)

          Describes the configuration of Malware Protection for EC2 instances with findings.

          • EbsVolumes — (Boolean)

            Describes the configuration for scanning EBS volumes as data source.

    • Features — (Array<map>)

      A list of features that will be updated for the specified member accounts.

      • Name — (String)

        The name of the feature.

        Possible values include:
        • "S3_DATA_EVENTS"
        • "EKS_AUDIT_LOGS"
        • "EBS_MALWARE_PROTECTION"
        • "RDS_LOGIN_EVENTS"
        • "EKS_RUNTIME_MONITORING"
        • "LAMBDA_NETWORK_LOGS"
        • "RUNTIME_MONITORING"
      • Status — (String)

        The status of the feature.

        Possible values include:
        • "ENABLED"
        • "DISABLED"
      • AdditionalConfiguration — (Array<map>)

        Additional configuration of the feature for the member account.

        • Name — (String)

          Name of the additional configuration.

          Possible values include:
          • "EKS_ADDON_MANAGEMENT"
          • "ECS_FARGATE_AGENT_MANAGEMENT"
        • Status — (String)

          Status of the additional configuration.

          Possible values include:
          • "ENABLED"
          • "DISABLED"

Callback (callback):

  • function(err, data) { ... }

    Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.

    Context (this):

    • (AWS.Response)

      the response object containing error, data properties, and the original request object.

    Parameters:

    • err (Error)

      the error object returned from the request. Set to null if the request is successful.

    • data (Object)

      the de-serialized data returned from the request. Set to null if a request error occurs. The data object has the following properties:

      • UnprocessedAccounts — (Array<map>)

        A list of member account IDs that were unable to be processed along with an explanation for why they were not processed.

        • AccountIdrequired — (String)

          The Amazon Web Services account ID.

        • Resultrequired — (String)

          A reason why the account hasn't been processed.

Returns:

  • (AWS.Request)

    a handle to the operation request for subsequent event callback registration.

updateOrganizationConfiguration(params = {}, callback) ⇒ AWS.Request

Configures the delegated administrator account with the provided values. You must provide a value for either autoEnableOrganizationMembers or autoEnable, but not both.

Specifying both EKS Runtime Monitoring (EKS_RUNTIME_MONITORING) and Runtime Monitoring (RUNTIME_MONITORING) will cause an error. You can add only one of these two features because Runtime Monitoring already includes the threat detection for Amazon EKS resources. For more information, see Runtime Monitoring.

There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints.

Service Reference:

Examples:

Calling the updateOrganizationConfiguration operation

var params = {
  DetectorId: 'STRING_VALUE', /* required */
  AutoEnable: true || false,
  AutoEnableOrganizationMembers: NEW | ALL | NONE,
  DataSources: {
    Kubernetes: {
      AuditLogs: { /* required */
        AutoEnable: true || false /* required */
      }
    },
    MalwareProtection: {
      ScanEc2InstanceWithFindings: {
        EbsVolumes: {
          AutoEnable: true || false
        }
      }
    },
    S3Logs: {
      AutoEnable: true || false /* required */
    }
  },
  Features: [
    {
      AdditionalConfiguration: [
        {
          AutoEnable: NEW | NONE | ALL,
          Name: EKS_ADDON_MANAGEMENT | ECS_FARGATE_AGENT_MANAGEMENT
        },
        /* more items */
      ],
      AutoEnable: NEW | NONE | ALL,
      Name: S3_DATA_EVENTS | EKS_AUDIT_LOGS | EBS_MALWARE_PROTECTION | RDS_LOGIN_EVENTS | EKS_RUNTIME_MONITORING | LAMBDA_NETWORK_LOGS | RUNTIME_MONITORING
    },
    /* more items */
  ]
};
guardduty.updateOrganizationConfiguration(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

Parameters:

  • params (Object) (defaults to: {})
    • DetectorId — (String)

      The ID of the detector that configures the delegated administrator.

    • AutoEnable — (Boolean)

      Represents whether or not to automatically enable member accounts in the organization.

      Even though this is still supported, we recommend using AutoEnableOrganizationMembers to achieve the similar results. You must provide a value for either autoEnableOrganizationMembers or autoEnable.

    • DataSources — (map)

      Describes which data sources will be updated.

      • S3Logs — (map)

        Describes whether S3 data event logs are enabled for new members of the organization.

        • AutoEnablerequired — (Boolean)

          A value that contains information on whether S3 data event logs will be enabled automatically as a data source for the organization.

      • Kubernetes — (map)

        Describes the configuration of Kubernetes data sources for new members of the organization.

        • AuditLogsrequired — (map)

          Whether Kubernetes audit logs data source should be auto-enabled for new members joining the organization.

          • AutoEnablerequired — (Boolean)

            A value that contains information on whether Kubernetes audit logs should be enabled automatically as a data source for the organization.

      • MalwareProtection — (map)

        Describes the configuration of Malware Protection for new members of the organization.

        • ScanEc2InstanceWithFindings — (map)

          Whether Malware Protection for EC2 instances with findings should be auto-enabled for new members joining the organization.

          • EbsVolumes — (map)

            Whether scanning EBS volumes should be auto-enabled for new members joining the organization.

            • AutoEnable — (Boolean)

              Whether scanning EBS volumes should be auto-enabled for new members joining the organization.

    • Features — (Array<map>)

      A list of features that will be configured for the organization.

      • Name — (String)

        The name of the feature that will be configured for the organization.

        Possible values include:
        • "S3_DATA_EVENTS"
        • "EKS_AUDIT_LOGS"
        • "EBS_MALWARE_PROTECTION"
        • "RDS_LOGIN_EVENTS"
        • "EKS_RUNTIME_MONITORING"
        • "LAMBDA_NETWORK_LOGS"
        • "RUNTIME_MONITORING"
      • AutoEnable — (String)

        Describes the status of the feature that is configured for the member accounts within the organization. One of the following values is the status for the entire organization:

        • NEW: Indicates that when a new account joins the organization, they will have the feature enabled automatically.

        • ALL: Indicates that all accounts in the organization have the feature enabled automatically. This includes NEW accounts that join the organization and accounts that may have been suspended or removed from the organization in GuardDuty.

          It may take up to 24 hours to update the configuration for all the member accounts.

        • NONE: Indicates that the feature will not be automatically enabled for any account in the organization. The administrator must manage the feature for each account individually.

        Possible values include:
        • "NEW"
        • "NONE"
        • "ALL"
      • AdditionalConfiguration — (Array<map>)

        The additional information that will be configured for the organization.

        • Name — (String)

          The name of the additional configuration that will be configured for the organization.

          Possible values include:
          • "EKS_ADDON_MANAGEMENT"
          • "ECS_FARGATE_AGENT_MANAGEMENT"
        • AutoEnable — (String)

          The status of the additional configuration that will be configured for the organization. Use one of the following values to configure the feature status for the entire organization:

          • NEW: Indicates that when a new account joins the organization, they will have the additional configuration enabled automatically.

          • ALL: Indicates that all accounts in the organization have the additional configuration enabled automatically. This includes NEW accounts that join the organization and accounts that may have been suspended or removed from the organization in GuardDuty.

            It may take up to 24 hours to update the configuration for all the member accounts.

          • NONE: Indicates that the additional configuration will not be automatically enabled for any account in the organization. The administrator must manage the additional configuration for each account individually.

          Possible values include:
          • "NEW"
          • "NONE"
          • "ALL"
    • AutoEnableOrganizationMembers — (String)

      Indicates the auto-enablement configuration of GuardDuty for the member accounts in the organization. You must provide a value for either autoEnableOrganizationMembers or autoEnable.

      Use one of the following configuration values for autoEnableOrganizationMembers:

      • NEW: Indicates that when a new account joins the organization, they will have GuardDuty enabled automatically.

      • ALL: Indicates that all accounts in the organization have GuardDuty enabled automatically. This includes NEW accounts that join the organization and accounts that may have been suspended or removed from the organization in GuardDuty.

        It may take up to 24 hours to update the configuration for all the member accounts.

      • NONE: Indicates that GuardDuty will not be automatically enabled for any account in the organization. The administrator must manage GuardDuty for each account in the organization individually.

        When you update the auto-enable setting from ALL or NEW to NONE, this action doesn't disable the corresponding option for your existing accounts. This configuration will apply to the new accounts that join the organization. After you update the auto-enable settings, no new account will have the corresponding option as enabled.

      Possible values include:
      • "NEW"
      • "ALL"
      • "NONE"

Callback (callback):

  • function(err, data) { ... }

    Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.

    Context (this):

    • (AWS.Response)

      the response object containing error, data properties, and the original request object.

    Parameters:

    • err (Error)

      the error object returned from the request. Set to null if the request is successful.

    • data (Object)

      the de-serialized data returned from the request. Set to null if a request error occurs.

Returns:

  • (AWS.Request)

    a handle to the operation request for subsequent event callback registration.

updatePublishingDestination(params = {}, callback) ⇒ AWS.Request

Updates information about the publishing destination specified by the destinationId.

Service Reference:

Examples:

Calling the updatePublishingDestination operation

var params = {
  DestinationId: 'STRING_VALUE', /* required */
  DetectorId: 'STRING_VALUE', /* required */
  DestinationProperties: {
    DestinationArn: 'STRING_VALUE',
    KmsKeyArn: 'STRING_VALUE'
  }
};
guardduty.updatePublishingDestination(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

Parameters:

  • params (Object) (defaults to: {})
    • DetectorId — (String)

      The ID of the detector associated with the publishing destinations to update.

    • DestinationId — (String)

      The ID of the publishing destination to update.

    • DestinationProperties — (map)

      A DestinationProperties object that includes the DestinationArn and KmsKeyArn of the publishing destination.

      • DestinationArn — (String)

        The ARN of the resource to publish to.

        To specify an S3 bucket folder use the following format: arn:aws:s3:::DOC-EXAMPLE-BUCKET/myFolder/

      • KmsKeyArn — (String)

        The ARN of the KMS key to use for encryption.

Callback (callback):

  • function(err, data) { ... }

    Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.

    Context (this):

    • (AWS.Response)

      the response object containing error, data properties, and the original request object.

    Parameters:

    • err (Error)

      the error object returned from the request. Set to null if the request is successful.

    • data (Object)

      the de-serialized data returned from the request. Set to null if a request error occurs.

Returns:

  • (AWS.Request)

    a handle to the operation request for subsequent event callback registration.

updateThreatIntelSet(params = {}, callback) ⇒ AWS.Request

Updates the ThreatIntelSet specified by the ThreatIntelSet ID.

Service Reference:

Examples:

Calling the updateThreatIntelSet operation

var params = {
  DetectorId: 'STRING_VALUE', /* required */
  ThreatIntelSetId: 'STRING_VALUE', /* required */
  Activate: true || false,
  Location: 'STRING_VALUE',
  Name: 'STRING_VALUE'
};
guardduty.updateThreatIntelSet(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

Parameters:

  • params (Object) (defaults to: {})
    • DetectorId — (String)

      The detectorID that specifies the GuardDuty service whose ThreatIntelSet you want to update.

    • ThreatIntelSetId — (String)

      The unique ID that specifies the ThreatIntelSet that you want to update.

    • Name — (String)

      The unique ID that specifies the ThreatIntelSet that you want to update.

    • Location — (String)

      The updated URI of the file that contains the ThreateIntelSet.

    • Activate — (Boolean)

      The updated Boolean value that specifies whether the ThreateIntelSet is active or not.

Callback (callback):

  • function(err, data) { ... }

    Called when a response from the service is returned. If a callback is not supplied, you must call AWS.Request.send() on the returned request object to initiate the request.

    Context (this):

    • (AWS.Response)

      the response object containing error, data properties, and the original request object.

    Parameters:

    • err (Error)

      the error object returned from the request. Set to null if the request is successful.

    • data (Object)

      the de-serialized data returned from the request. Set to null if a request error occurs.

Returns:

  • (AWS.Request)

    a handle to the operation request for subsequent event callback registration.