Indicator - Amazon GuardDuty

Indicator

Contains information about an indicator, which is a set of signals observed in an attack sequence.

Contents

key

Specific indicator keys observed in the attack sequence. For a description of the valid values for key, see Attack sequence finding details in the Amazon GuardDuty User Guide.

Type: String

Valid Values: SUSPICIOUS_USER_AGENT | SUSPICIOUS_NETWORK | MALICIOUS_IP | TOR_IP | ATTACK_TACTIC | HIGH_RISK_API | ATTACK_TECHNIQUE | UNUSUAL_API_FOR_ACCOUNT | UNUSUAL_ASN_FOR_ACCOUNT | UNUSUAL_ASN_FOR_USER

Required: Yes

title

Title describing the indicator.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 256.

Required: No

values

Values associated with each indicator key. For example, if the indicator key is SUSPICIOUS_NETWORK, then the value will be the name of the network. If the indicator key is ATTACK_TACTIC, then the value will be one of the MITRE tactics.

Type: Array of strings

Array Members: Minimum number of 1 item. Maximum number of 400 items.

Length Constraints: Minimum length of 1. Maximum length of 256.

Required: No
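Added example (not AWS or GuardDuty code): a validator that checks an Indicator object against the constraints listed above (valid key values, title length, values count and length) and groups the values of well-formed indicators by key. The sample indicator list is constructed, and the member names follow this page (key, title, values); adapt them if your SDK returns capitalized names.

```python
"""Validate and summarize GuardDuty attack-sequence Indicator objects (added example)."""
from typing import Any

# Valid values for key, as listed on the Indicator reference page.
VALID_KEYS = frozenset({
    "SUSPICIOUS_USER_AGENT", "SUSPICIOUS_NETWORK", "MALICIOUS_IP", "TOR_IP",
    "ATTACK_TACTIC", "HIGH_RISK_API", "ATTACK_TECHNIQUE",
    "UNUSUAL_API_FOR_ACCOUNT", "UNUSUAL_ASN_FOR_ACCOUNT", "UNUSUAL_ASN_FOR_USER",
})

def validate_indicator(ind: dict[str, Any]) -> list[str]:
    """Return the constraint violations for one Indicator (empty list if it is well-formed)."""
    problems: list[str] = []
    key = ind.get("key")
    if key not in VALID_KEYS:  # key is required and must be one of the documented values
        problems.append(f"unknown or missing key: {key!r}")
    title = ind.get("title")   # optional, 1..256 characters when present
    if title is not None and not 1 <= len(title) <= 256:
        problems.append("title length must be 1..256")
    values = ind.get("values")  # optional array, 1..400 items of 1..256 characters
    if values is not None:
        if not 1 <= len(values) <= 400:
            problems.append("values must contain 1..400 items")
        if any(not 1 <= len(v) <= 256 for v in values):
            problems.append("each value must be 1..256 characters")
    return problems

def summarize_indicators(indicators: list[dict[str, Any]]) -> dict[str, list[str]]:
    """Group indicator values by key; malformed entries are skipped rather than trusted."""
    summary: dict[str, list[str]] = {}
    for ind in indicators:
        if validate_indicator(ind):
            continue
        summary.setdefault(ind["key"], []).extend(ind.get("values", []))
    return summary

# Constructed sample: the indicators list of a trimmed attack-sequence finding.
SAMPLE_INDICATORS = [
    {"key": "ATTACK_TACTIC", "title": "MITRE tactics", "values": ["Credential Access", "Exfiltration"]},
    {"key": "HIGH_RISK_API", "values": ["ListBuckets", "GetObject"]},
    {"key": "TOR_IP", "title": "Tor exit node", "values": ["198.51.100.7"]},
    {"key": "NOT_A_REAL_KEY", "values": ["x"]},  # malformed entry, dropped by the summary
]

if __name__ == "__main__":
    for key, vals in summarize_indicators(SAMPLE_INDICATORS).items():
        print(f"{key}: {', '.join(vals)}")
```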

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: