GuardDuty
*********

Client
======

class GuardDuty.Client

A low-level client representing Amazon GuardDuty

Amazon GuardDuty is a continuous security monitoring service that analyzes and processes the following foundational data sources: VPC flow logs, Amazon Web Services CloudTrail management event logs, CloudTrail S3 data event logs, EKS audit logs, DNS logs, Amazon EBS volume data, and runtime activity belonging to container workloads, such as Amazon EKS, Amazon ECS (including Amazon Web Services Fargate), and Amazon EC2 instances. It uses threat intelligence feeds, such as lists of malicious IPs and domains, and machine learning to identify unexpected, potentially unauthorized, and malicious activity within your Amazon Web Services environment. This can include issues like escalations of privileges, uses of exposed credentials, communication with malicious IPs or domains, or presence of malware on your Amazon EC2 instances and container workloads. For example, GuardDuty can detect compromised EC2 instances and container workloads serving malware, or mining bitcoin. GuardDuty also monitors Amazon Web Services account access behavior for signs of compromise, such as unauthorized infrastructure deployments like EC2 instances deployed in a Region that has never been used, or unusual API calls like a password policy change to reduce password strength. GuardDuty informs you about the status of your Amazon Web Services environment by producing security findings that you can view in the GuardDuty console or through Amazon EventBridge. For more information, see the Amazon GuardDuty User Guide.
import boto3 client = boto3.client('guardduty') These are the available methods: * accept_administrator_invitation * accept_invitation * archive_findings * can_paginate * close * create_detector * create_filter * create_ip_set * create_malware_protection_plan * create_members * create_publishing_destination * create_sample_findings * create_threat_intel_set * decline_invitations * delete_detector * delete_filter * delete_invitations * delete_ip_set * delete_malware_protection_plan * delete_members * delete_publishing_destination * delete_threat_intel_set * describe_malware_scans * describe_organization_configuration * describe_publishing_destination * disable_organization_admin_account * disassociate_from_administrator_account * disassociate_from_master_account * disassociate_members * enable_organization_admin_account * get_administrator_account * get_coverage_statistics * get_detector * get_filter * get_findings * get_findings_statistics * get_invitations_count * get_ip_set * get_malware_protection_plan * get_malware_scan_settings * get_master_account * get_member_detectors * get_members * get_organization_statistics * get_paginator * get_remaining_free_trial_days * get_threat_intel_set * get_usage_statistics * get_waiter * invite_members * list_coverage * list_detectors * list_filters * list_findings * list_invitations * list_ip_sets * list_malware_protection_plans * list_members * list_organization_admin_accounts * list_publishing_destinations * list_tags_for_resource * list_threat_intel_sets * start_malware_scan * start_monitoring_members * stop_monitoring_members * tag_resource * unarchive_findings * untag_resource * update_detector * update_filter * update_findings_feedback * update_ip_set * update_malware_protection_plan * update_malware_scan_settings * update_member_detectors * update_organization_configuration * update_publishing_destination * update_threat_intel_set Paginators ========== Paginators are available on a client instance via the 
"get_paginator" method. For more detailed instructions and examples on the usage of paginators, see the paginators user guide. The available paginators are: * DescribeMalwareScans * ListCoverage * ListDetectors * ListFilters * ListFindings * ListIPSets * ListInvitations * ListMembers * ListOrganizationAdminAccounts * ListThreatIntelSets GuardDuty / Paginator / ListIPSets ListIPSets ********** class GuardDuty.Paginator.ListIPSets paginator = client.get_paginator('list_ip_sets') paginate(**kwargs) Creates an iterator that will paginate through responses from "GuardDuty.Client.list_ip_sets()". See also: AWS API Documentation **Request Syntax** response_iterator = paginator.paginate( DetectorId='string', PaginationConfig={ 'MaxItems': 123, 'PageSize': 123, 'StartingToken': 'string' } ) Parameters: * **DetectorId** (*string*) -- **[REQUIRED]** The unique ID of the detector that is associated with IPSet. To find the "detectorId" in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API. * **PaginationConfig** (*dict*) -- A dictionary that provides parameters to control pagination. * **MaxItems** *(integer) --* The total number of items to return. If the total number of items available is more than the value specified in max-items then a "NextToken" will be provided in the output that you can use to resume pagination. * **PageSize** *(integer) --* The size of each page. * **StartingToken** *(string) --* A token to specify where to start paginating. This is the "NextToken" from a previous response. Return type: dict Returns: **Response Syntax** { 'IpSetIds': [ 'string', ], } **Response Structure** * *(dict) --* * **IpSetIds** *(list) --* The IDs of the IPSet resources. 
* *(string) --* GuardDuty / Paginator / ListInvitations ListInvitations *************** class GuardDuty.Paginator.ListInvitations paginator = client.get_paginator('list_invitations') paginate(**kwargs) Creates an iterator that will paginate through responses from "GuardDuty.Client.list_invitations()". See also: AWS API Documentation **Request Syntax** response_iterator = paginator.paginate( PaginationConfig={ 'MaxItems': 123, 'PageSize': 123, 'StartingToken': 'string' } ) Parameters: **PaginationConfig** (*dict*) -- A dictionary that provides parameters to control pagination. * **MaxItems** *(integer) --* The total number of items to return. If the total number of items available is more than the value specified in max-items then a "NextToken" will be provided in the output that you can use to resume pagination. * **PageSize** *(integer) --* The size of each page. * **StartingToken** *(string) --* A token to specify where to start paginating. This is the "NextToken" from a previous response. Return type: dict Returns: **Response Syntax** { 'Invitations': [ { 'AccountId': 'string', 'InvitationId': 'string', 'RelationshipStatus': 'string', 'InvitedAt': 'string' }, ], } **Response Structure** * *(dict) --* * **Invitations** *(list) --* A list of invitation descriptions. * *(dict) --* Contains information about the invitation to become a member account. * **AccountId** *(string) --* The ID of the account that the invitation was sent from. * **InvitationId** *(string) --* The ID of the invitation. This value is used to validate the inviter account to the member account. * **RelationshipStatus** *(string) --* The status of the relationship between the inviter and invitee accounts. * **InvitedAt** *(string) --* The timestamp when the invitation was sent.
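Accepting an invitation hands the inviting account visibility into this account's findings and control over its detector, so a member account should accept only the invitation from the administrator it expects and decline the rest. The following is an added example, not code from the boto3 documentation or the GuardDuty service; it walks the ListInvitations paginator, declines every inviter other than a hypothetical expected administrator account ID, and then calls accept_administrator_invitation. The sample invitation list is constructed for the offline demonstration.

```python
"""Accept a GuardDuty administrator invitation only from the account you expect.

Added example, not from the boto3 documentation. Accepting an invitation lets
the inviting account see this account's findings and manage its detector, so
an invitation from any other account is declined rather than accepted.
"""
from __future__ import annotations

from typing import Iterable

# Hypothetical ID of the account that is allowed to administer this one.
EXPECTED_ADMIN_ACCOUNT_ID = "111111111111"


def fetch_invitations(client) -> list[dict]:
    """Return all pending invitations, walking the ListInvitations paginator."""
    paginator = client.get_paginator("list_invitations")
    return [inv for page in paginator.paginate() for inv in page.get("Invitations", [])]


def split_invitations(
    invitations: Iterable[dict], expected_admin: str
) -> tuple[dict | None, list[str]]:
    """Return (the invitation to accept or None, inviter account IDs to decline).

    The first invitation from expected_admin is accepted; any further invitation
    from that same account is ignored rather than declined, so the accepted one
    is not revoked. Every other inviter is declined.
    """
    accept = None
    decline: list[str] = []
    for inv in invitations:
        if inv["AccountId"] == expected_admin:
            accept = accept or inv
        else:
            decline.append(inv["AccountId"])
    return accept, sorted(set(decline))


def process_invitations(client, detector_id: str, expected_admin: str) -> dict:
    """Decline unexpected inviters first, then accept the expected one if present."""
    accept, decline = split_invitations(fetch_invitations(client), expected_admin)
    if decline:
        # DeclineInvitations takes the IDs of the accounts that sent the invitations.
        client.decline_invitations(AccountIds=decline)
    if accept is not None:
        client.accept_administrator_invitation(
            DetectorId=detector_id,
            AdministratorId=accept["AccountId"],
            InvitationId=accept["InvitationId"],
        )
    return {"accepted": accept["AccountId"] if accept else None, "declined": decline}


# Constructed sample in the shape of ListInvitations output; not real data.
SAMPLE_INVITATIONS = [
    {"AccountId": "222222222222", "InvitationId": "inv-unknown-1",
     "RelationshipStatus": "Invited", "InvitedAt": "2024-01-01T00:00:00.000Z"},
    {"AccountId": "111111111111", "InvitationId": "inv-expected",
     "RelationshipStatus": "Invited", "InvitedAt": "2024-01-01T00:00:00.000Z"},
    {"AccountId": "222222222222", "InvitationId": "inv-unknown-2",
     "RelationshipStatus": "Invited", "InvitedAt": "2024-01-02T00:00:00.000Z"},
]

if __name__ == "__main__":
    import boto3  # only needed when run against a real account

    gd = boto3.client("guardduty")
    detector_id = gd.list_detectors()["DetectorIds"][0]
    print(process_invitations(gd, detector_id, EXPECTED_ADMIN_ACCOUNT_ID))
```

Declining before accepting keeps the window in which an unexpected inviter could be accepted by a later, less careful run as small as possible; the expected administrator's account ID should come from configuration you control, not from the invitation itself.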
GuardDuty / Paginator / ListOrganizationAdminAccounts ListOrganizationAdminAccounts ***************************** class GuardDuty.Paginator.ListOrganizationAdminAccounts paginator = client.get_paginator('list_organization_admin_accounts') paginate(**kwargs) Creates an iterator that will paginate through responses from "GuardDuty.Client.list_organization_admin_accounts()". See also: AWS API Documentation **Request Syntax** response_iterator = paginator.paginate( PaginationConfig={ 'MaxItems': 123, 'PageSize': 123, 'StartingToken': 'string' } ) Parameters: **PaginationConfig** (*dict*) -- A dictionary that provides parameters to control pagination. * **MaxItems** *(integer) --* The total number of items to return. If the total number of items available is more than the value specified in max-items then a "NextToken" will be provided in the output that you can use to resume pagination. * **PageSize** *(integer) --* The size of each page. * **StartingToken** *(string) --* A token to specify where to start paginating. This is the "NextToken" from a previous response. Return type: dict Returns: **Response Syntax** { 'AdminAccounts': [ { 'AdminAccountId': 'string', 'AdminStatus': 'ENABLED'|'DISABLE_IN_PROGRESS' }, ], } **Response Structure** * *(dict) --* * **AdminAccounts** *(list) --* A list of accounts configured as GuardDuty delegated administrators. * *(dict) --* The account within the organization specified as the GuardDuty delegated administrator. * **AdminAccountId** *(string) --* The Amazon Web Services account ID for the account. * **AdminStatus** *(string) --* Indicates whether the account is enabled as the delegated administrator. GuardDuty / Paginator / ListThreatIntelSets ListThreatIntelSets ******************* class GuardDuty.Paginator.ListThreatIntelSets paginator = client.get_paginator('list_threat_intel_sets') paginate(**kwargs) Creates an iterator that will paginate through responses from "GuardDuty.Client.list_threat_intel_sets()".
See also: AWS API Documentation **Request Syntax** response_iterator = paginator.paginate( DetectorId='string', PaginationConfig={ 'MaxItems': 123, 'PageSize': 123, 'StartingToken': 'string' } ) Parameters: * **DetectorId** (*string*) -- **[REQUIRED]** The unique ID of the detector that is associated with the threatIntelSet. To find the "detectorId" in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API. * **PaginationConfig** (*dict*) -- A dictionary that provides parameters to control pagination. * **MaxItems** *(integer) --* The total number of items to return. If the total number of items available is more than the value specified in max-items then a "NextToken" will be provided in the output that you can use to resume pagination. * **PageSize** *(integer) --* The size of each page. * **StartingToken** *(string) --* A token to specify where to start paginating. This is the "NextToken" from a previous response. Return type: dict Returns: **Response Syntax** { 'ThreatIntelSetIds': [ 'string', ], } **Response Structure** * *(dict) --* * **ThreatIntelSetIds** *(list) --* The IDs of the ThreatIntelSet resources. * *(string) --* GuardDuty / Paginator / ListMembers ListMembers *********** class GuardDuty.Paginator.ListMembers paginator = client.get_paginator('list_members') paginate(**kwargs) Creates an iterator that will paginate through responses from "GuardDuty.Client.list_members()". See also: AWS API Documentation **Request Syntax** response_iterator = paginator.paginate( DetectorId='string', OnlyAssociated='string', PaginationConfig={ 'MaxItems': 123, 'PageSize': 123, 'StartingToken': 'string' } ) Parameters: * **DetectorId** (*string*) -- **[REQUIRED]** The unique ID of the detector that is associated with the member. To find the "detectorId" in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API. 
* **OnlyAssociated** (*string*) -- Specifies whether to only return associated members or to return all members (including members who haven't been invited yet or have been disassociated). Member accounts must have been previously associated with the GuardDuty administrator account using Create Members. * **PaginationConfig** (*dict*) -- A dictionary that provides parameters to control pagination. * **MaxItems** *(integer) --* The total number of items to return. If the total number of items available is more than the value specified in max-items then a "NextToken" will be provided in the output that you can use to resume pagination. * **PageSize** *(integer) --* The size of each page. * **StartingToken** *(string) --* A token to specify where to start paginating. This is the "NextToken" from a previous response. Return type: dict Returns: **Response Syntax** { 'Members': [ { 'AccountId': 'string', 'DetectorId': 'string', 'MasterId': 'string', 'Email': 'string', 'RelationshipStatus': 'string', 'InvitedAt': 'string', 'UpdatedAt': 'string', 'AdministratorId': 'string' }, ], } **Response Structure** * *(dict) --* * **Members** *(list) --* A list of members. Note: The values for "email" and "invitedAt" are available only if the member accounts are added by invitation. * *(dict) --* Contains information about the member account. * **AccountId** *(string) --* The ID of the member account. * **DetectorId** *(string) --* The detector ID of the member account. * **MasterId** *(string) --* The administrator account ID. * **Email** *(string) --* The email address of the member account. * **RelationshipStatus** *(string) --* The status of the relationship between the member and the administrator. * **InvitedAt** *(string) --* The timestamp when the invitation was sent. * **UpdatedAt** *(string) --* The last-updated timestamp of the member. * **AdministratorId** *(string) --* The administrator account ID. 
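From the delegated administrator's side, the ListOrganizationAdminAccounts and ListMembers paginators above are enough to audit whether every account in the organization is actually reporting to GuardDuty. The following is an added example, not code from the boto3 documentation: it confirms that exactly one delegated administrator is ENABLED, lists members with OnlyAssociated set to the string "false" so disassociated or never-enabled members are included, and flags members whose RelationshipStatus is anything other than the healthy state. It assumes the healthy member status is reported as "Enabled", and the sample responses are constructed for the offline demonstration.

```python
"""Audit organization-wide GuardDuty coverage from the delegated administrator.

Added example, not from the boto3 documentation. ListOrganizationAdminAccounts
should return exactly one ENABLED delegated administrator; ListMembers with
OnlyAssociated="false" returns every member, including ones that were never
enabled or have since been disassociated, so coverage gaps become visible.
"""
from __future__ import annotations

from typing import Iterable

# Assumption: "Enabled" is the RelationshipStatus of a member whose GuardDuty
# detector is actively reporting to this administrator account.
HEALTHY_MEMBER_STATUS = "Enabled"


def fetch_admin_accounts(client) -> list[dict]:
    """Return all delegated administrator entries via the paginator."""
    paginator = client.get_paginator("list_organization_admin_accounts")
    return [a for page in paginator.paginate() for a in page.get("AdminAccounts", [])]


def fetch_members(client, detector_id: str) -> list[dict]:
    """Return every member of this administrator, associated or not."""
    # OnlyAssociated is modelled as a string in this API, not a boolean.
    paginator = client.get_paginator("list_members")
    pages = paginator.paginate(DetectorId=detector_id, OnlyAssociated="false")
    return [m for page in pages for m in page.get("Members", [])]


def enabled_admins(admin_accounts: Iterable[dict]) -> list[str]:
    """Account IDs whose AdminStatus is ENABLED (DISABLE_IN_PROGRESS is excluded)."""
    return [a["AdminAccountId"] for a in admin_accounts if a.get("AdminStatus") == "ENABLED"]


def unhealthy_members(members: Iterable[dict], healthy: str = HEALTHY_MEMBER_STATUS) -> dict[str, str]:
    """Map member account ID to its status for every member not in the healthy state."""
    return {
        m["AccountId"]: m.get("RelationshipStatus", "Unknown")
        for m in members
        if m.get("RelationshipStatus") != healthy
    }


def audit(admin_accounts: Iterable[dict], members: Iterable[dict],
          expected_accounts: Iterable[str] = ()) -> dict:
    """Combine the checks.

    expected_accounts is an optional list of account IDs you know should exist
    (for example from AWS Organizations); accounts GuardDuty has never seen as
    members are reported separately, since ListMembers cannot show them.
    """
    members = list(members)
    admins = enabled_admins(admin_accounts)
    known = {m["AccountId"] for m in members}
    return {
        "admin_ok": len(admins) == 1,
        "enabled_admins": admins,
        "unhealthy_members": unhealthy_members(members),
        "missing_members": sorted(set(expected_accounts) - known),
    }


# Constructed sample responses in the shape of the two paginators; not real data.
SAMPLE_ADMINS = [{"AdminAccountId": "111111111111", "AdminStatus": "ENABLED"}]
SAMPLE_MEMBERS = [
    {"AccountId": "222222222222", "AdministratorId": "111111111111", "RelationshipStatus": "Enabled"},
    {"AccountId": "333333333333", "AdministratorId": "111111111111", "RelationshipStatus": "Disabled"},
    {"AccountId": "444444444444", "AdministratorId": "111111111111", "RelationshipStatus": "Created"},
]

if __name__ == "__main__":
    import boto3  # only needed when run against a real organization

    gd = boto3.client("guardduty")
    detector_id = gd.list_detectors()["DetectorIds"][0]
    report = audit(fetch_admin_accounts(gd), fetch_members(gd, detector_id),
                   expected_accounts=["222222222222", "555555555555"])
    print(report)
```

Run this per Region: detectors, members and delegated-administrator status are all Regional, so a clean report in one Region says nothing about another.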
GuardDuty / Paginator / ListFilters ListFilters *********** class GuardDuty.Paginator.ListFilters paginator = client.get_paginator('list_filters') paginate(**kwargs) Creates an iterator that will paginate through responses from "GuardDuty.Client.list_filters()". See also: AWS API Documentation **Request Syntax** response_iterator = paginator.paginate( DetectorId='string', PaginationConfig={ 'MaxItems': 123, 'PageSize': 123, 'StartingToken': 'string' } ) Parameters: * **DetectorId** (*string*) -- **[REQUIRED]** The unique ID of the detector that is associated with the filter. To find the "detectorId" in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API. * **PaginationConfig** (*dict*) -- A dictionary that provides parameters to control pagination. * **MaxItems** *(integer) --* The total number of items to return. If the total number of items available is more than the value specified in max-items then a "NextToken" will be provided in the output that you can use to resume pagination. * **PageSize** *(integer) --* The size of each page. * **StartingToken** *(string) --* A token to specify where to start paginating. This is the "NextToken" from a previous response. Return type: dict Returns: **Response Syntax** { 'FilterNames': [ 'string', ], } **Response Structure** * *(dict) --* * **FilterNames** *(list) --* A list of filter names. * *(string) --* GuardDuty / Paginator / ListFindings ListFindings ************ class GuardDuty.Paginator.ListFindings paginator = client.get_paginator('list_findings') paginate(**kwargs) Creates an iterator that will paginate through responses from "GuardDuty.Client.list_findings()". 
See also: AWS API Documentation **Request Syntax** response_iterator = paginator.paginate( DetectorId='string', FindingCriteria={ 'Criterion': { 'string': { 'Eq': [ 'string', ], 'Neq': [ 'string', ], 'Gt': 123, 'Gte': 123, 'Lt': 123, 'Lte': 123, 'Equals': [ 'string', ], 'NotEquals': [ 'string', ], 'GreaterThan': 123, 'GreaterThanOrEqual': 123, 'LessThan': 123, 'LessThanOrEqual': 123 } } }, SortCriteria={ 'AttributeName': 'string', 'OrderBy': 'ASC'|'DESC' }, PaginationConfig={ 'MaxItems': 123, 'PageSize': 123, 'StartingToken': 'string' } ) Parameters: * **DetectorId** (*string*) -- **[REQUIRED]** The ID of the detector that specifies the GuardDuty service whose findings you want to list. To find the "detectorId" in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API. * **FindingCriteria** (*dict*) -- Represents the criteria used for querying findings. Valid values include the following JSON field names:
* accountId
* region
* confidence
* id
* resource.accessKeyDetails.accessKeyId
* resource.accessKeyDetails.principalId
* resource.accessKeyDetails.userName
* resource.accessKeyDetails.userType
* resource.instanceDetails.iamInstanceProfile.id
* resource.instanceDetails.imageId
* resource.instanceDetails.instanceId
* resource.instanceDetails.networkInterfaces.ipv6Addresses
* resource.instanceDetails.networkInterfaces.privateIpAddresses.privateIpAddress
* resource.instanceDetails.networkInterfaces.publicDnsName
* resource.instanceDetails.networkInterfaces.publicIp
* resource.instanceDetails.networkInterfaces.securityGroups.groupId
* resource.instanceDetails.networkInterfaces.securityGroups.groupName
* resource.instanceDetails.networkInterfaces.subnetId
* resource.instanceDetails.networkInterfaces.vpcId
* resource.instanceDetails.tags.key
* resource.instanceDetails.tags.value
* resource.resourceType
* service.action.actionType
* service.action.awsApiCallAction.api
* service.action.awsApiCallAction.callerType
* service.action.awsApiCallAction.remoteIpDetails.city.cityName
* service.action.awsApiCallAction.remoteIpDetails.country.countryName
* service.action.awsApiCallAction.remoteIpDetails.ipAddressV4
* service.action.awsApiCallAction.remoteIpDetails.organization.asn
* service.action.awsApiCallAction.remoteIpDetails.organization.asnOrg
* service.action.awsApiCallAction.serviceName
* service.action.dnsRequestAction.domain
* service.action.dnsRequestAction.domainWithSuffix
* service.action.networkConnectionAction.blocked
* service.action.networkConnectionAction.connectionDirection
* service.action.networkConnectionAction.localPortDetails.port
* service.action.networkConnectionAction.protocol
* service.action.networkConnectionAction.remoteIpDetails.country.countryName
* service.action.networkConnectionAction.remoteIpDetails.ipAddressV4
* service.action.networkConnectionAction.remoteIpDetails.organization.asn
* service.action.networkConnectionAction.remoteIpDetails.organization.asnOrg
* service.action.networkConnectionAction.remotePortDetails.port
* service.additionalInfo.threatListName
* service.archived When this attribute is set to 'true', only archived findings are listed. When it's set to 'false', only unarchived findings are listed. When this attribute is not set, all existing findings are listed.
* service.ebsVolumeScanDetails.scanId
* service.resourceRole
* severity
* type
* updatedAt Type: Timestamp in Unix Epoch millisecond format: 1486685375000
* **Criterion** *(dict) --* Represents a map of finding properties that match specified conditions and values when querying findings. * *(string) --* * *(dict) --* Contains information about the condition. * **Eq** *(list) --* Represents the *equal* condition to be applied to a single field when querying for findings. * *(string) --* * **Neq** *(list) --* Represents the *not equal* condition to be applied to a single field when querying for findings.
* *(string) --* * **Gt** *(integer) --* Represents a *greater than* condition to be applied to a single field when querying for findings. * **Gte** *(integer) --* Represents a *greater than or equal* condition to be applied to a single field when querying for findings. * **Lt** *(integer) --* Represents a *less than* condition to be applied to a single field when querying for findings. * **Lte** *(integer) --* Represents a *less than or equal* condition to be applied to a single field when querying for findings. * **Equals** *(list) --* Represents an *equal* condition to be applied to a single field when querying for findings. * *(string) --* * **NotEquals** *(list) --* Represents a *not equal* condition to be applied to a single field when querying for findings. * *(string) --* * **GreaterThan** *(integer) --* Represents a *greater than* condition to be applied to a single field when querying for findings. * **GreaterThanOrEqual** *(integer) --* Represents a *greater than or equal* condition to be applied to a single field when querying for findings. * **LessThan** *(integer) --* Represents a *less than* condition to be applied to a single field when querying for findings. * **LessThanOrEqual** *(integer) --* Represents a *less than or equal* condition to be applied to a single field when querying for findings. * **SortCriteria** (*dict*) -- Represents the criteria used for sorting findings. * **AttributeName** *(string) --* Represents the finding attribute, such as "accountId", that sorts the findings. * **OrderBy** *(string) --* The order by which the sorted findings are to be displayed. * **PaginationConfig** (*dict*) -- A dictionary that provides parameters to control pagination. * **MaxItems** *(integer) --* The total number of items to return. If the total number of items available is more than the value specified in max-items then a "NextToken" will be provided in the output that you can use to resume pagination. 
* **PageSize** *(integer) --* The size of each page. * **StartingToken** *(string) --* A token to specify where to start paginating. This is the "NextToken" from a previous response. Return type: dict Returns: **Response Syntax** { 'FindingIds': [ 'string', ], } **Response Structure** * *(dict) --* * **FindingIds** *(list) --* The IDs of the findings that you're listing. * *(string) --* GuardDuty / Paginator / ListDetectors ListDetectors ************* class GuardDuty.Paginator.ListDetectors paginator = client.get_paginator('list_detectors') paginate(**kwargs) Creates an iterator that will paginate through responses from "GuardDuty.Client.list_detectors()". See also: AWS API Documentation **Request Syntax** response_iterator = paginator.paginate( PaginationConfig={ 'MaxItems': 123, 'PageSize': 123, 'StartingToken': 'string' } ) Parameters: **PaginationConfig** (*dict*) -- A dictionary that provides parameters to control pagination. * **MaxItems** *(integer) --* The total number of items to return. If the total number of items available is more than the value specified in max-items then a "NextToken" will be provided in the output that you can use to resume pagination. * **PageSize** *(integer) --* The size of each page. * **StartingToken** *(string) --* A token to specify where to start paginating. This is the "NextToken" from a previous response. Return type: dict Returns: **Response Syntax** { 'DetectorIds': [ 'string', ], } **Response Structure** * *(dict) --* * **DetectorIds** *(list) --* A list of detector IDs. * *(string) --* GuardDuty / Paginator / DescribeMalwareScans DescribeMalwareScans ******************** class GuardDuty.Paginator.DescribeMalwareScans paginator = client.get_paginator('describe_malware_scans') paginate(**kwargs) Creates an iterator that will paginate through responses from "GuardDuty.Client.describe_malware_scans()".
See also: AWS API Documentation **Request Syntax** response_iterator = paginator.paginate( DetectorId='string', FilterCriteria={ 'FilterCriterion': [ { 'CriterionKey': 'EC2_INSTANCE_ARN'|'SCAN_ID'|'ACCOUNT_ID'|'GUARDDUTY_FINDING_ID'|'SCAN_START_TIME'|'SCAN_STATUS'|'SCAN_TYPE', 'FilterCondition': { 'EqualsValue': 'string', 'GreaterThan': 123, 'LessThan': 123 } }, ] }, SortCriteria={ 'AttributeName': 'string', 'OrderBy': 'ASC'|'DESC' }, PaginationConfig={ 'MaxItems': 123, 'PageSize': 123, 'StartingToken': 'string' } ) Parameters: * **DetectorId** (*string*) -- **[REQUIRED]** The unique ID of the detector that the request is associated with. To find the "detectorId" in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API. * **FilterCriteria** (*dict*) -- Represents the criteria to be used in the filter for describing scan entries. * **FilterCriterion** *(list) --* Represents a condition that when matched will be added to the response of the operation. * *(dict) --* Represents a condition that when matched will be added to the response of the operation. Irrespective of using any filter criteria, an administrator account can view the scan entries for all of its member accounts. However, each member account can view the scan entries only for their own account. * **CriterionKey** *(string) --* An enum value representing possible scan properties to match with given scan entries. * **FilterCondition** *(dict) --* Contains information about the condition. * **EqualsValue** *(string) --* Represents an *equal* condition to be applied to a single field when querying for scan entries. * **GreaterThan** *(integer) --* Represents a *greater than* condition to be applied to a single field when querying for scan entries. * **LessThan** *(integer) --* Represents a *less than* condition to be applied to a single field when querying for scan entries. * **SortCriteria** (*dict*) -- Represents the criteria used for sorting scan entries. 
The attributeName is required and it must be "scanStartTime". * **AttributeName** *(string) --* Represents the finding attribute, such as "accountId", that sorts the findings. * **OrderBy** *(string) --* The order by which the sorted findings are to be displayed. * **PaginationConfig** (*dict*) -- A dictionary that provides parameters to control pagination. * **MaxItems** *(integer) --* The total number of items to return. If the total number of items available is more than the value specified in max-items then a "NextToken" will be provided in the output that you can use to resume pagination. * **PageSize** *(integer) --* The size of each page. * **StartingToken** *(string) --* A token to specify where to start paginating. This is the "NextToken" from a previous response. Return type: dict Returns: **Response Syntax** { 'Scans': [ { 'DetectorId': 'string', 'AdminDetectorId': 'string', 'ScanId': 'string', 'ScanStatus': 'RUNNING'|'COMPLETED'|'FAILED'|'SKIPPED', 'FailureReason': 'string', 'ScanStartTime': datetime(2015, 1, 1), 'ScanEndTime': datetime(2015, 1, 1), 'TriggerDetails': { 'GuardDutyFindingId': 'string', 'Description': 'string' }, 'ResourceDetails': { 'InstanceArn': 'string' }, 'ScanResultDetails': { 'ScanResult': 'CLEAN'|'INFECTED' }, 'AccountId': 'string', 'TotalBytes': 123, 'FileCount': 123, 'AttachedVolumes': [ { 'VolumeArn': 'string', 'VolumeType': 'string', 'DeviceName': 'string', 'VolumeSizeInGB': 123, 'EncryptionType': 'string', 'SnapshotArn': 'string', 'KmsKeyArn': 'string' }, ], 'ScanType': 'GUARDDUTY_INITIATED'|'ON_DEMAND' }, ], } **Response Structure** * *(dict) --* * **Scans** *(list) --* Contains information about malware scans associated with GuardDuty Malware Protection for EC2. * *(dict) --* Contains information about malware scans associated with GuardDuty Malware Protection for EC2. * **DetectorId** *(string) --* The unique ID of the detector that is associated with the request. 
To find the "detectorId" in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API. * **AdminDetectorId** *(string) --* The unique detector ID of the administrator account that the request is associated with. If the account is an administrator, the "AdminDetectorId" will be the same as the one used for "DetectorId". To find the "detectorId" in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API. * **ScanId** *(string) --* The unique scan ID associated with a scan entry. * **ScanStatus** *(string) --* An enum value representing possible scan statuses. * **FailureReason** *(string) --* Represents the reason for "FAILED" scan status. * **ScanStartTime** *(datetime) --* The timestamp of when the scan was triggered. * **ScanEndTime** *(datetime) --* The timestamp of when the scan was finished. * **TriggerDetails** *(dict) --* Specifies the reason why the scan was initiated. * **GuardDutyFindingId** *(string) --* The ID of the GuardDuty finding that triggered the malware scan. * **Description** *(string) --* The description of the scan trigger. * **ResourceDetails** *(dict) --* Represents the resources that were scanned in the scan entry. * **InstanceArn** *(string) --* Instance ARN that was scanned in the scan entry. * **ScanResultDetails** *(dict) --* Represents the result of the scan. * **ScanResult** *(string) --* An enum value representing possible scan results. * **AccountId** *(string) --* The ID for the account that belongs to the scan. * **TotalBytes** *(integer) --* Represents total bytes that were scanned. * **FileCount** *(integer) --* Represents the number of files that were scanned. * **AttachedVolumes** *(list) --* List of volumes that were attached to the original instance to be scanned. * *(dict) --* Contains EBS volume details. * **VolumeArn** *(string) --* EBS volume ARN information. * **VolumeType** *(string) --* The EBS volume type. 
* **DeviceName** *(string) --* The device name for the EBS volume. * **VolumeSizeInGB** *(integer) --* EBS volume size in GB. * **EncryptionType** *(string) --* EBS volume encryption type. * **SnapshotArn** *(string) --* Snapshot ARN of the EBS volume. * **KmsKeyArn** *(string) --* KMS key ARN used to encrypt the EBS volume. * **ScanType** *(string) --* Specifies the scan type that invoked the malware scan. GuardDuty / Paginator / ListCoverage ListCoverage ************ class GuardDuty.Paginator.ListCoverage paginator = client.get_paginator('list_coverage') paginate(**kwargs) Creates an iterator that will paginate through responses from "GuardDuty.Client.list_coverage()". See also: AWS API Documentation **Request Syntax** response_iterator = paginator.paginate( DetectorId='string', FilterCriteria={ 'FilterCriterion': [ { 'CriterionKey': 'ACCOUNT_ID'|'CLUSTER_NAME'|'RESOURCE_TYPE'|'COVERAGE_STATUS'|'ADDON_VERSION'|'MANAGEMENT_TYPE'|'EKS_CLUSTER_NAME'|'ECS_CLUSTER_NAME'|'AGENT_VERSION'|'INSTANCE_ID'|'CLUSTER_ARN', 'FilterCondition': { 'Equals': [ 'string', ], 'NotEquals': [ 'string', ] } }, ] }, SortCriteria={ 'AttributeName': 'ACCOUNT_ID'|'CLUSTER_NAME'|'COVERAGE_STATUS'|'ISSUE'|'ADDON_VERSION'|'UPDATED_AT'|'EKS_CLUSTER_NAME'|'ECS_CLUSTER_NAME'|'INSTANCE_ID', 'OrderBy': 'ASC'|'DESC' }, PaginationConfig={ 'MaxItems': 123, 'PageSize': 123, 'StartingToken': 'string' } ) Parameters: * **DetectorId** (*string*) -- **[REQUIRED]** The unique ID of the detector whose coverage details you want to retrieve. To find the "detectorId" in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API. * **FilterCriteria** (*dict*) -- Represents the criteria used to filter the coverage details. * **FilterCriterion** *(list) --* Represents a condition that when matched will be added to the response of the operation. * *(dict) --* Represents a condition that when matched will be added to the response of the operation. 
* **CriterionKey** *(string) --* An enum value representing possible filter fields. Note: Replace the enum value "CLUSTER_NAME" with "EKS_CLUSTER_NAME". "CLUSTER_NAME" has been deprecated. * **FilterCondition** *(dict) --* Contains information about the condition. * **Equals** *(list) --* Represents an equal condition that is applied to a single field while retrieving the coverage details. * *(string) --* * **NotEquals** *(list) --* Represents a not equal condition that is applied to a single field while retrieving the coverage details. * *(string) --* * **SortCriteria** (*dict*) -- Represents the criteria used to sort the coverage details. * **AttributeName** *(string) --* Represents the field name used to sort the coverage details. Note: Replace the enum value "CLUSTER_NAME" with "EKS_CLUSTER_NAME". "CLUSTER_NAME" has been deprecated. * **OrderBy** *(string) --* The order in which the sorted findings are to be displayed. * **PaginationConfig** (*dict*) -- A dictionary that provides parameters to control pagination. * **MaxItems** *(integer) --* The total number of items to return. If the total number of items available is more than the value specified in max-items then a "NextToken" will be provided in the output that you can use to resume pagination. * **PageSize** *(integer) --* The size of each page. * **StartingToken** *(string) --* A token to specify where to start paginating. This is the "NextToken" from a previous response. 
Return type: dict Returns: **Response Syntax** { 'Resources': [ { 'ResourceId': 'string', 'DetectorId': 'string', 'AccountId': 'string', 'ResourceDetails': { 'EksClusterDetails': { 'ClusterName': 'string', 'CoveredNodes': 123, 'CompatibleNodes': 123, 'AddonDetails': { 'AddonVersion': 'string', 'AddonStatus': 'string' }, 'ManagementType': 'AUTO_MANAGED'|'MANUAL'|'DISABLED' }, 'ResourceType': 'EKS'|'ECS'|'EC2', 'EcsClusterDetails': { 'ClusterName': 'string', 'FargateDetails': { 'Issues': [ 'string', ], 'ManagementType': 'AUTO_MANAGED'|'MANUAL'|'DISABLED' }, 'ContainerInstanceDetails': { 'CoveredContainerInstances': 123, 'CompatibleContainerInstances': 123 } }, 'Ec2InstanceDetails': { 'InstanceId': 'string', 'InstanceType': 'string', 'ClusterArn': 'string', 'AgentDetails': { 'Version': 'string' }, 'ManagementType': 'AUTO_MANAGED'|'MANUAL'|'DISABLED' } }, 'CoverageStatus': 'HEALTHY'|'UNHEALTHY', 'Issue': 'string', 'UpdatedAt': datetime(2015, 1, 1) }, ], } **Response Structure** * *(dict) --* * **Resources** *(list) --* A list of resources and their attributes providing cluster details. * *(dict) --* Information about the resource of the GuardDuty account. * **ResourceId** *(string) --* The unique ID of the resource. * **DetectorId** *(string) --* The unique ID of the GuardDuty detector associated with the resource. * **AccountId** *(string) --* The unique ID of the Amazon Web Services account. * **ResourceDetails** *(dict) --* Information about the resource for which the coverage statistics are retrieved. * **EksClusterDetails** *(dict) --* EKS cluster details involved in the coverage statistics. * **ClusterName** *(string) --* Name of the EKS cluster. * **CoveredNodes** *(integer) --* Represents the nodes within the EKS cluster that have a "HEALTHY" coverage status. * **CompatibleNodes** *(integer) --* Represents all the nodes within the EKS cluster in your account. * **AddonDetails** *(dict) --* Information about the installed EKS add-on. 
* **AddonVersion** *(string) --* Version of the installed EKS add-on. * **AddonStatus** *(string) --* Status of the installed EKS add-on. * **ManagementType** *(string) --* Indicates how the Amazon EKS add-on GuardDuty agent is managed for this EKS cluster. "AUTO_MANAGED" indicates that GuardDuty deploys and manages updates for this resource. "MANUAL" indicates that you are responsible for deploying, updating, and managing the Amazon EKS add-on GuardDuty agent for this resource. * **ResourceType** *(string) --* The type of Amazon Web Services resource ("EKS", "ECS", or "EC2"). * **EcsClusterDetails** *(dict) --* Information about the Amazon ECS cluster that is assessed for runtime coverage. * **ClusterName** *(string) --* The name of the Amazon ECS cluster. * **FargateDetails** *(dict) --* Information about the Amazon Web Services Fargate workloads associated with the Amazon ECS cluster. * **Issues** *(list) --* Runtime coverage issues identified for the resource running on Amazon Web Services Fargate. * *(string) --* * **ManagementType** *(string) --* Indicates how the GuardDuty security agent is managed for this resource. * "AUTO_MANAGED" indicates that GuardDuty deploys and manages updates for this resource. * "DISABLED" indicates that the deployment of the GuardDuty security agent is disabled for this resource. Note: The "MANUAL" status doesn't apply to Amazon Web Services Fargate (Amazon ECS only) workloads. * **ContainerInstanceDetails** *(dict) --* Information about the Amazon ECS container instances running on Amazon EC2. * **CoveredContainerInstances** *(integer) --* Represents the container instances in the Amazon ECS cluster that have a "HEALTHY" coverage status. * **CompatibleContainerInstances** *(integer) --* Represents the total number of container instances in the Amazon ECS cluster. * **Ec2InstanceDetails** *(dict) --* Information about the Amazon EC2 instance assessed for runtime coverage. * **InstanceId** *(string) --* The Amazon EC2 instance ID. * **InstanceType** *(string) --* The instance type of the Amazon EC2 instance. 
* **ClusterArn** *(string) --* The cluster ARN of the Amazon ECS cluster running on the Amazon EC2 instance. * **AgentDetails** *(dict) --* Information about the installed security agent. * **Version** *(string) --* Version of the installed GuardDuty security agent. * **ManagementType** *(string) --* Indicates how the GuardDuty security agent is managed for this resource. * "AUTO_MANAGED" indicates that GuardDuty deploys and manages updates for this resource. * "MANUAL" indicates that you are responsible for deploying, updating, and managing the GuardDuty security agent for this resource. Note: The "DISABLED" status doesn't apply to Amazon EC2 instances and Amazon EKS clusters. * **CoverageStatus** *(string) --* Represents the coverage status of the resource ("HEALTHY" or "UNHEALTHY"). * **Issue** *(string) --* Represents the reason why the coverage status of the resource is "UNHEALTHY". * **UpdatedAt** *(datetime) --* The timestamp at which the coverage details for the resource were last updated. This is in UTC format. GuardDuty / Client / get_findings get_findings ************ GuardDuty.Client.get_findings(**kwargs) Describes Amazon GuardDuty findings specified by finding IDs. See also: AWS API Documentation **Request Syntax** response = client.get_findings( DetectorId='string', FindingIds=[ 'string', ], SortCriteria={ 'AttributeName': 'string', 'OrderBy': 'ASC'|'DESC' } ) Parameters: * **DetectorId** (*string*) -- **[REQUIRED]** The ID of the detector that specifies the GuardDuty service whose findings you want to retrieve. To find the "detectorId" in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API. * **FindingIds** (*list*) -- **[REQUIRED]** The IDs of the findings that you want to retrieve (at most 50 per call). * *(string) --* * **SortCriteria** (*dict*) -- Represents the criteria used for sorting findings. * **AttributeName** *(string) --* Represents the finding attribute, such as "accountId", that sorts the findings. 
* **OrderBy** *(string) --* The order by which the sorted findings are to be displayed. Return type: dict Returns: **Response Syntax** { 'Findings': [ { 'AccountId': 'string', 'Arn': 'string', 'Confidence': 123.0, 'CreatedAt': 'string', 'Description': 'string', 'Id': 'string', 'Partition': 'string', 'Region': 'string', 'Resource': { 'AccessKeyDetails': { 'AccessKeyId': 'string', 'PrincipalId': 'string', 'UserName': 'string', 'UserType': 'string' }, 'S3BucketDetails': [ { 'Arn': 'string', 'Name': 'string', 'Type': 'string', 'CreatedAt': datetime(2015, 1, 1), 'Owner': { 'Id': 'string' }, 'Tags': [ { 'Key': 'string', 'Value': 'string' }, ], 'DefaultServerSideEncryption': { 'EncryptionType': 'string', 'KmsMasterKeyArn': 'string' }, 'PublicAccess': { 'PermissionConfiguration': { 'BucketLevelPermissions': { 'AccessControlList': { 'AllowsPublicReadAccess': True|False, 'AllowsPublicWriteAccess': True|False }, 'BucketPolicy': { 'AllowsPublicReadAccess': True|False, 'AllowsPublicWriteAccess': True|False }, 'BlockPublicAccess': { 'IgnorePublicAcls': True|False, 'RestrictPublicBuckets': True|False, 'BlockPublicAcls': True|False, 'BlockPublicPolicy': True|False } }, 'AccountLevelPermissions': { 'BlockPublicAccess': { 'IgnorePublicAcls': True|False, 'RestrictPublicBuckets': True|False, 'BlockPublicAcls': True|False, 'BlockPublicPolicy': True|False } } }, 'EffectivePermission': 'string' }, 'S3ObjectDetails': [ { 'ObjectArn': 'string', 'Key': 'string', 'ETag': 'string', 'Hash': 'string', 'VersionId': 'string' }, ] }, ], 'InstanceDetails': { 'AvailabilityZone': 'string', 'IamInstanceProfile': { 'Arn': 'string', 'Id': 'string' }, 'ImageDescription': 'string', 'ImageId': 'string', 'InstanceId': 'string', 'InstanceState': 'string', 'InstanceType': 'string', 'OutpostArn': 'string', 'LaunchTime': 'string', 'NetworkInterfaces': [ { 'Ipv6Addresses': [ 'string', ], 'NetworkInterfaceId': 'string', 'PrivateDnsName': 'string', 'PrivateIpAddress': 'string', 'PrivateIpAddresses': [ { 
'PrivateDnsName': 'string', 'PrivateIpAddress': 'string' }, ], 'PublicDnsName': 'string', 'PublicIp': 'string', 'SecurityGroups': [ { 'GroupId': 'string', 'GroupName': 'string' }, ], 'SubnetId': 'string', 'VpcId': 'string' }, ], 'Platform': 'string', 'ProductCodes': [ { 'Code': 'string', 'ProductType': 'string' }, ], 'Tags': [ { 'Key': 'string', 'Value': 'string' }, ] }, 'EksClusterDetails': { 'Name': 'string', 'Arn': 'string', 'VpcId': 'string', 'Status': 'string', 'Tags': [ { 'Key': 'string', 'Value': 'string' }, ], 'CreatedAt': datetime(2015, 1, 1) }, 'KubernetesDetails': { 'KubernetesUserDetails': { 'Username': 'string', 'Uid': 'string', 'Groups': [ 'string', ], 'SessionName': [ 'string', ], 'ImpersonatedUser': { 'Username': 'string', 'Groups': [ 'string', ] } }, 'KubernetesWorkloadDetails': { 'Name': 'string', 'Type': 'string', 'Uid': 'string', 'Namespace': 'string', 'HostNetwork': True|False, 'Containers': [ { 'ContainerRuntime': 'string', 'Id': 'string', 'Name': 'string', 'Image': 'string', 'ImagePrefix': 'string', 'VolumeMounts': [ { 'Name': 'string', 'MountPath': 'string' }, ], 'SecurityContext': { 'Privileged': True|False, 'AllowPrivilegeEscalation': True|False } }, ], 'Volumes': [ { 'Name': 'string', 'HostPath': { 'Path': 'string' } }, ], 'ServiceAccountName': 'string', 'HostIPC': True|False, 'HostPID': True|False } }, 'ResourceType': 'string', 'EbsVolumeDetails': { 'ScannedVolumeDetails': [ { 'VolumeArn': 'string', 'VolumeType': 'string', 'DeviceName': 'string', 'VolumeSizeInGB': 123, 'EncryptionType': 'string', 'SnapshotArn': 'string', 'KmsKeyArn': 'string' }, ], 'SkippedVolumeDetails': [ { 'VolumeArn': 'string', 'VolumeType': 'string', 'DeviceName': 'string', 'VolumeSizeInGB': 123, 'EncryptionType': 'string', 'SnapshotArn': 'string', 'KmsKeyArn': 'string' }, ] }, 'EcsClusterDetails': { 'Name': 'string', 'Arn': 'string', 'Status': 'string', 'ActiveServicesCount': 123, 'RegisteredContainerInstancesCount': 123, 'RunningTasksCount': 123, 'Tags': [ { 
'Key': 'string', 'Value': 'string' }, ], 'TaskDetails': { 'Arn': 'string', 'DefinitionArn': 'string', 'Version': 'string', 'TaskCreatedAt': datetime(2015, 1, 1), 'StartedAt': datetime(2015, 1, 1), 'StartedBy': 'string', 'Tags': [ { 'Key': 'string', 'Value': 'string' }, ], 'Volumes': [ { 'Name': 'string', 'HostPath': { 'Path': 'string' } }, ], 'Containers': [ { 'ContainerRuntime': 'string', 'Id': 'string', 'Name': 'string', 'Image': 'string', 'ImagePrefix': 'string', 'VolumeMounts': [ { 'Name': 'string', 'MountPath': 'string' }, ], 'SecurityContext': { 'Privileged': True|False, 'AllowPrivilegeEscalation': True|False } }, ], 'Group': 'string', 'LaunchType': 'string' } }, 'ContainerDetails': { 'ContainerRuntime': 'string', 'Id': 'string', 'Name': 'string', 'Image': 'string', 'ImagePrefix': 'string', 'VolumeMounts': [ { 'Name': 'string', 'MountPath': 'string' }, ], 'SecurityContext': { 'Privileged': True|False, 'AllowPrivilegeEscalation': True|False } }, 'RdsDbInstanceDetails': { 'DbInstanceIdentifier': 'string', 'Engine': 'string', 'EngineVersion': 'string', 'DbClusterIdentifier': 'string', 'DbInstanceArn': 'string', 'Tags': [ { 'Key': 'string', 'Value': 'string' }, ] }, 'RdsLimitlessDbDetails': { 'DbShardGroupIdentifier': 'string', 'DbShardGroupResourceId': 'string', 'DbShardGroupArn': 'string', 'Engine': 'string', 'EngineVersion': 'string', 'DbClusterIdentifier': 'string', 'Tags': [ { 'Key': 'string', 'Value': 'string' }, ] }, 'RdsDbUserDetails': { 'User': 'string', 'Application': 'string', 'Database': 'string', 'Ssl': 'string', 'AuthMethod': 'string' }, 'LambdaDetails': { 'FunctionArn': 'string', 'FunctionName': 'string', 'Description': 'string', 'LastModifiedAt': datetime(2015, 1, 1), 'RevisionId': 'string', 'FunctionVersion': 'string', 'Role': 'string', 'VpcConfig': { 'SubnetIds': [ 'string', ], 'VpcId': 'string', 'SecurityGroups': [ { 'GroupId': 'string', 'GroupName': 'string' }, ] }, 'Tags': [ { 'Key': 'string', 'Value': 'string' }, ] } }, 'SchemaVersion': 
'string', 'Service': { 'Action': { 'ActionType': 'string', 'AwsApiCallAction': { 'Api': 'string', 'CallerType': 'string', 'DomainDetails': { 'Domain': 'string' }, 'ErrorCode': 'string', 'UserAgent': 'string', 'RemoteIpDetails': { 'City': { 'CityName': 'string' }, 'Country': { 'CountryCode': 'string', 'CountryName': 'string' }, 'GeoLocation': { 'Lat': 123.0, 'Lon': 123.0 }, 'IpAddressV4': 'string', 'IpAddressV6': 'string', 'Organization': { 'Asn': 'string', 'AsnOrg': 'string', 'Isp': 'string', 'Org': 'string' } }, 'ServiceName': 'string', 'RemoteAccountDetails': { 'AccountId': 'string', 'Affiliated': True|False }, 'AffectedResources': { 'string': 'string' } }, 'DnsRequestAction': { 'Domain': 'string', 'Protocol': 'string', 'Blocked': True|False, 'DomainWithSuffix': 'string', 'VpcOwnerAccountId': 'string' }, 'NetworkConnectionAction': { 'Blocked': True|False, 'ConnectionDirection': 'string', 'LocalPortDetails': { 'Port': 123, 'PortName': 'string' }, 'Protocol': 'string', 'LocalIpDetails': { 'IpAddressV4': 'string', 'IpAddressV6': 'string' }, 'LocalNetworkInterface': 'string', 'RemoteIpDetails': { 'City': { 'CityName': 'string' }, 'Country': { 'CountryCode': 'string', 'CountryName': 'string' }, 'GeoLocation': { 'Lat': 123.0, 'Lon': 123.0 }, 'IpAddressV4': 'string', 'IpAddressV6': 'string', 'Organization': { 'Asn': 'string', 'AsnOrg': 'string', 'Isp': 'string', 'Org': 'string' } }, 'RemotePortDetails': { 'Port': 123, 'PortName': 'string' } }, 'PortProbeAction': { 'Blocked': True|False, 'PortProbeDetails': [ { 'LocalPortDetails': { 'Port': 123, 'PortName': 'string' }, 'LocalIpDetails': { 'IpAddressV4': 'string', 'IpAddressV6': 'string' }, 'RemoteIpDetails': { 'City': { 'CityName': 'string' }, 'Country': { 'CountryCode': 'string', 'CountryName': 'string' }, 'GeoLocation': { 'Lat': 123.0, 'Lon': 123.0 }, 'IpAddressV4': 'string', 'IpAddressV6': 'string', 'Organization': { 'Asn': 'string', 'AsnOrg': 'string', 'Isp': 'string', 'Org': 'string' } } }, ] }, 
'KubernetesApiCallAction': { 'RequestUri': 'string', 'Verb': 'string', 'SourceIps': [ 'string', ], 'UserAgent': 'string', 'RemoteIpDetails': { 'City': { 'CityName': 'string' }, 'Country': { 'CountryCode': 'string', 'CountryName': 'string' }, 'GeoLocation': { 'Lat': 123.0, 'Lon': 123.0 }, 'IpAddressV4': 'string', 'IpAddressV6': 'string', 'Organization': { 'Asn': 'string', 'AsnOrg': 'string', 'Isp': 'string', 'Org': 'string' } }, 'StatusCode': 123, 'Parameters': 'string', 'Resource': 'string', 'Subresource': 'string', 'Namespace': 'string', 'ResourceName': 'string' }, 'RdsLoginAttemptAction': { 'RemoteIpDetails': { 'City': { 'CityName': 'string' }, 'Country': { 'CountryCode': 'string', 'CountryName': 'string' }, 'GeoLocation': { 'Lat': 123.0, 'Lon': 123.0 }, 'IpAddressV4': 'string', 'IpAddressV6': 'string', 'Organization': { 'Asn': 'string', 'AsnOrg': 'string', 'Isp': 'string', 'Org': 'string' } }, 'LoginAttributes': [ { 'User': 'string', 'Application': 'string', 'FailedLoginAttempts': 123, 'SuccessfulLoginAttempts': 123 }, ] }, 'KubernetesPermissionCheckedDetails': { 'Verb': 'string', 'Resource': 'string', 'Namespace': 'string', 'Allowed': True|False }, 'KubernetesRoleBindingDetails': { 'Kind': 'string', 'Name': 'string', 'Uid': 'string', 'RoleRefName': 'string', 'RoleRefKind': 'string' }, 'KubernetesRoleDetails': { 'Kind': 'string', 'Name': 'string', 'Uid': 'string' } }, 'Evidence': { 'ThreatIntelligenceDetails': [ { 'ThreatListName': 'string', 'ThreatNames': [ 'string', ], 'ThreatFileSha256': 'string' }, ] }, 'Archived': True|False, 'Count': 123, 'DetectorId': 'string', 'EventFirstSeen': 'string', 'EventLastSeen': 'string', 'ResourceRole': 'string', 'ServiceName': 'string', 'UserFeedback': 'string', 'AdditionalInfo': { 'Value': 'string', 'Type': 'string' }, 'FeatureName': 'string', 'EbsVolumeScanDetails': { 'ScanId': 'string', 'ScanStartedAt': datetime(2015, 1, 1), 'ScanCompletedAt': datetime(2015, 1, 1), 'TriggerFindingId': 'string', 'Sources': [ 'string', ], 
'ScanDetections': { 'ScannedItemCount': { 'TotalGb': 123, 'Files': 123, 'Volumes': 123 }, 'ThreatsDetectedItemCount': { 'Files': 123 }, 'HighestSeverityThreatDetails': { 'Severity': 'string', 'ThreatName': 'string', 'Count': 123 }, 'ThreatDetectedByName': { 'ItemCount': 123, 'UniqueThreatNameCount': 123, 'Shortened': True|False, 'ThreatNames': [ { 'Name': 'string', 'Severity': 'string', 'ItemCount': 123, 'FilePaths': [ { 'FilePath': 'string', 'VolumeArn': 'string', 'Hash': 'string', 'FileName': 'string' }, ] }, ] } }, 'ScanType': 'GUARDDUTY_INITIATED'|'ON_DEMAND' }, 'RuntimeDetails': { 'Process': { 'Name': 'string', 'ExecutablePath': 'string', 'ExecutableSha256': 'string', 'NamespacePid': 123, 'Pwd': 'string', 'Pid': 123, 'StartTime': datetime(2015, 1, 1), 'Uuid': 'string', 'ParentUuid': 'string', 'User': 'string', 'UserId': 123, 'Euid': 123, 'Lineage': [ { 'StartTime': datetime(2015, 1, 1), 'NamespacePid': 123, 'UserId': 123, 'Name': 'string', 'Pid': 123, 'Uuid': 'string', 'ExecutablePath': 'string', 'Euid': 123, 'ParentUuid': 'string' }, ] }, 'Context': { 'ModifyingProcess': { 'Name': 'string', 'ExecutablePath': 'string', 'ExecutableSha256': 'string', 'NamespacePid': 123, 'Pwd': 'string', 'Pid': 123, 'StartTime': datetime(2015, 1, 1), 'Uuid': 'string', 'ParentUuid': 'string', 'User': 'string', 'UserId': 123, 'Euid': 123, 'Lineage': [ { 'StartTime': datetime(2015, 1, 1), 'NamespacePid': 123, 'UserId': 123, 'Name': 'string', 'Pid': 123, 'Uuid': 'string', 'ExecutablePath': 'string', 'Euid': 123, 'ParentUuid': 'string' }, ] }, 'ModifiedAt': datetime(2015, 1, 1), 'ScriptPath': 'string', 'LibraryPath': 'string', 'LdPreloadValue': 'string', 'SocketPath': 'string', 'RuncBinaryPath': 'string', 'ReleaseAgentPath': 'string', 'MountSource': 'string', 'MountTarget': 'string', 'FileSystemType': 'string', 'Flags': [ 'string', ], 'ModuleName': 'string', 'ModuleFilePath': 'string', 'ModuleSha256': 'string', 'ShellHistoryFilePath': 'string', 'TargetProcess': { 'Name': 'string', 
'ExecutablePath': 'string', 'ExecutableSha256': 'string', 'NamespacePid': 123, 'Pwd': 'string', 'Pid': 123, 'StartTime': datetime(2015, 1, 1), 'Uuid': 'string', 'ParentUuid': 'string', 'User': 'string', 'UserId': 123, 'Euid': 123, 'Lineage': [ { 'StartTime': datetime(2015, 1, 1), 'NamespacePid': 123, 'UserId': 123, 'Name': 'string', 'Pid': 123, 'Uuid': 'string', 'ExecutablePath': 'string', 'Euid': 123, 'ParentUuid': 'string' }, ] }, 'AddressFamily': 'string', 'IanaProtocolNumber': 123, 'MemoryRegions': [ 'string', ], 'ToolName': 'string', 'ToolCategory': 'string', 'ServiceName': 'string', 'CommandLineExample': 'string', 'ThreatFilePath': 'string' } }, 'Detection': { 'Anomaly': { 'Profiles': { 'string': { 'string': [ { 'ProfileType': 'FREQUENCY', 'ProfileSubtype': 'FREQUENT'|'INFREQUENT'|'UNSEEN'|'RARE', 'Observations': { 'Text': [ 'string', ] } }, ] } }, 'Unusual': { 'Behavior': { 'string': { 'string': { 'ProfileType': 'FREQUENCY', 'ProfileSubtype': 'FREQUENT'|'INFREQUENT'|'UNSEEN'|'RARE', 'Observations': { 'Text': [ 'string', ] } } } } } }, 'Sequence': { 'Uid': 'string', 'Description': 'string', 'Actors': [ { 'Id': 'string', 'User': { 'Name': 'string', 'Uid': 'string', 'Type': 'string', 'CredentialUid': 'string', 'Account': { 'Uid': 'string', 'Name': 'string' } }, 'Session': { 'Uid': 'string', 'MfaStatus': 'ENABLED'|'DISABLED', 'CreatedTime': datetime(2015, 1, 1), 'Issuer': 'string' }, 'Process': { 'Name': 'string', 'Path': 'string', 'Sha256': 'string' } }, ], 'Resources': [ { 'Uid': 'string', 'Name': 'string', 'AccountId': 'string', 'ResourceType': 'EC2_INSTANCE'|'EC2_NETWORK_INTERFACE'|'S3_BUCKET'|'S3_OBJECT'|'ACCESS_KEY'|'EKS_CLUSTER'|'KUBERNETES_WORKLOAD'|'CONTAINER', 'Region': 'string', 'Service': 'string', 'CloudPartition': 'string', 'Tags': [ { 'Key': 'string', 'Value': 'string' }, ], 'Data': { 'S3Bucket': { 'OwnerId': 'string', 'CreatedAt': datetime(2015, 1, 1), 'EncryptionType': 'string', 'EncryptionKeyArn': 'string', 'EffectivePermission': 'string', 
'PublicReadAccess': 'BLOCKED'|'ALLOWED', 'PublicWriteAccess': 'BLOCKED'|'ALLOWED', 'AccountPublicAccess': { 'PublicAclAccess': 'BLOCKED'|'ALLOWED', 'PublicPolicyAccess': 'BLOCKED'|'ALLOWED', 'PublicAclIgnoreBehavior': 'IGNORED'|'NOT_IGNORED', 'PublicBucketRestrictBehavior': 'RESTRICTED'|'NOT_RESTRICTED' }, 'BucketPublicAccess': { 'PublicAclAccess': 'BLOCKED'|'ALLOWED', 'PublicPolicyAccess': 'BLOCKED'|'ALLOWED', 'PublicAclIgnoreBehavior': 'IGNORED'|'NOT_IGNORED', 'PublicBucketRestrictBehavior': 'RESTRICTED'|'NOT_RESTRICTED' }, 'S3ObjectUids': [ 'string', ] }, 'Ec2Instance': { 'AvailabilityZone': 'string', 'ImageDescription': 'string', 'InstanceState': 'string', 'IamInstanceProfile': { 'Arn': 'string', 'Id': 'string' }, 'InstanceType': 'string', 'OutpostArn': 'string', 'Platform': 'string', 'ProductCodes': [ { 'Code': 'string', 'ProductType': 'string' }, ], 'Ec2NetworkInterfaceUids': [ 'string', ] }, 'AccessKey': { 'PrincipalId': 'string', 'UserName': 'string', 'UserType': 'string' }, 'Ec2NetworkInterface': { 'Ipv6Addresses': [ 'string', ], 'PrivateIpAddresses': [ { 'PrivateDnsName': 'string', 'PrivateIpAddress': 'string' }, ], 'PublicIp': 'string', 'SecurityGroups': [ { 'GroupId': 'string', 'GroupName': 'string' }, ], 'SubNetId': 'string', 'VpcId': 'string' }, 'S3Object': { 'ETag': 'string', 'Key': 'string', 'VersionId': 'string' }, 'EksCluster': { 'Arn': 'string', 'CreatedAt': datetime(2015, 1, 1), 'Status': 'CREATING'|'ACTIVE'|'DELETING'|'FAILED'|'UPDATING'|'PENDING', 'VpcId': 'string', 'Ec2InstanceUids': [ 'string', ] }, 'KubernetesWorkload': { 'ContainerUids': [ 'string', ], 'Namespace': 'string', 'KubernetesResourcesTypes': 'PODS'|'JOBS'|'CRONJOBS'|'DEPLOYMENTS'|'DAEMONSETS'|'STATEFULSETS'|'REPLICASETS'|'REPLICATIONCONTROLLERS' }, 'Container': { 'Image': 'string', 'ImageUid': 'string' } } }, ], 'Endpoints': [ { 'Id': 'string', 'Ip': 'string', 'Domain': 'string', 'Port': 123, 'Location': { 'City': 'string', 'Country': 'string', 'Latitude': 123.0, 'Longitude': 
123.0 }, 'AutonomousSystem': { 'Name': 'string', 'Number': 123 }, 'Connection': { 'Direction': 'INBOUND'|'OUTBOUND' } }, ], 'Signals': [ { 'Uid': 'string', 'Type': 'FINDING'|'CLOUD_TRAIL'|'S3_DATA_EVENTS'|'EKS_AUDIT_LOGS'|'FLOW_LOGS'|'DNS_LOGS'|'RUNTIME_MONITORING', 'Description': 'string', 'Name': 'string', 'CreatedAt': datetime(2015, 1, 1), 'UpdatedAt': datetime(2015, 1, 1), 'FirstSeenAt': datetime(2015, 1, 1), 'LastSeenAt': datetime(2015, 1, 1), 'Severity': 123.0, 'Count': 123, 'ResourceUids': [ 'string', ], 'ActorIds': [ 'string', ], 'EndpointIds': [ 'string', ], 'SignalIndicators': [ { 'Key': 'SUSPICIOUS_USER_AGENT'|'SUSPICIOUS_NETWORK'|'MALICIOUS_IP'|'TOR_IP'|'ATTACK_TACTIC'|'HIGH_RISK_API'|'ATTACK_TECHNIQUE'|'UNUSUAL_API_FOR_ACCOUNT'|'UNUSUAL_ASN_FOR_ACCOUNT'|'UNUSUAL_ASN_FOR_USER'|'SUSPICIOUS_PROCESS'|'MALICIOUS_DOMAIN'|'MALICIOUS_PROCESS'|'CRYPTOMINING_IP'|'CRYPTOMINING_DOMAIN'|'CRYPTOMINING_PROCESS', 'Values': [ 'string', ], 'Title': 'string' }, ] }, ], 'SequenceIndicators': [ { 'Key': 'SUSPICIOUS_USER_AGENT'|'SUSPICIOUS_NETWORK'|'MALICIOUS_IP'|'TOR_IP'|'ATTACK_TACTIC'|'HIGH_RISK_API'|'ATTACK_TECHNIQUE'|'UNUSUAL_API_FOR_ACCOUNT'|'UNUSUAL_ASN_FOR_ACCOUNT'|'UNUSUAL_ASN_FOR_USER'|'SUSPICIOUS_PROCESS'|'MALICIOUS_DOMAIN'|'MALICIOUS_PROCESS'|'CRYPTOMINING_IP'|'CRYPTOMINING_DOMAIN'|'CRYPTOMINING_PROCESS', 'Values': [ 'string', ], 'Title': 'string' }, ], 'AdditionalSequenceTypes': [ 'string', ] } }, 'MalwareScanDetails': { 'Threats': [ { 'Name': 'string', 'Source': 'string', 'ItemPaths': [ { 'NestedItemPath': 'string', 'Hash': 'string' }, ] }, ] } }, 'Severity': 123.0, 'Title': 'string', 'Type': 'string', 'UpdatedAt': 'string', 'AssociatedAttackSequenceArn': 'string' }, ] } **Response Structure** # This section is too large to render. # Please see the AWS API Documentation linked below. 
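A worked example for get_findings, added here and not part of the boto3 documentation: it drives the ListFindings paginator with a FindingCriteria filter, calls get_findings in batches of 50 (the documented maximum for FindingIds), and reduces each finding to the fields an analyst triages first (severity band, affected principal, remote IP, event count). The detector ID, the two sample findings and the FakeGuardDuty stand-in are constructed for the example; pass a real boto3.client('guardduty') and detector ID in their place.

```python
"""Added example (not from the boto3 docs): list, batch-fetch and triage GuardDuty findings."""
from __future__ import annotations

from typing import Any, Iterable, Iterator

GET_FINDINGS_BATCH = 50  # GetFindings accepts at most 50 FindingIds per call

# FindingCriteria for ListFindings: unarchived findings with severity >= 7 (High and Critical)
UNARCHIVED_HIGH_AND_ABOVE = {"Criterion": {"service.archived": {"Equals": ["false"]},
                                           "severity": {"GreaterThanOrEqual": 7}}}


def severity_label(severity: float) -> str:
    """Severity bands as documented in the GuardDuty user guide."""
    if severity >= 9.0:
        return "CRITICAL"
    if severity >= 7.0:
        return "HIGH"
    return "MEDIUM" if severity >= 4.0 else "LOW"


def iter_finding_ids(client: Any, detector_id: str, criteria: dict) -> Iterator[str]:
    """Yield every matching finding ID; the paginator follows NextToken for us."""
    paginator = client.get_paginator("list_findings")
    for page in paginator.paginate(DetectorId=detector_id, FindingCriteria=criteria):
        yield from page.get("FindingIds", [])


def fetch_findings(client: Any, detector_id: str, finding_ids: Iterable[str]) -> list[dict]:
    """Call GetFindings in batches of 50 and return the findings, highest severity first."""
    ids = list(finding_ids)
    findings: list[dict] = []
    for i in range(0, len(ids), GET_FINDINGS_BATCH):
        resp = client.get_findings(DetectorId=detector_id, FindingIds=ids[i:i + GET_FINDINGS_BATCH])
        findings.extend(resp.get("Findings", []))
    findings.sort(key=lambda f: f.get("Severity", 0.0), reverse=True)
    return findings


def remote_ip(finding: dict) -> str | None:
    """Remote IPv4 address from whichever Action subtype carries RemoteIpDetails."""
    action = finding.get("Service", {}).get("Action", {})
    for key in ("AwsApiCallAction", "NetworkConnectionAction", "KubernetesApiCallAction", "RdsLoginAttemptAction"):
        details = action.get(key, {}).get("RemoteIpDetails")
        if details:
            return details.get("IpAddressV4")
    probes = action.get("PortProbeAction", {}).get("PortProbeDetails", [])
    return probes[0].get("RemoteIpDetails", {}).get("IpAddressV4") if probes else None


def principal(finding: dict) -> str | None:
    """The IAM principal or EC2 instance the finding is about."""
    resource = finding.get("Resource", {})
    key = resource.get("AccessKeyDetails")
    if key:
        return key.get("UserName") or key.get("PrincipalId")
    return resource.get("InstanceDetails", {}).get("InstanceId")


def summarize(finding: dict) -> dict:
    service = finding.get("Service", {})
    return {"id": finding["Id"], "type": finding["Type"],
            "severity": severity_label(finding.get("Severity", 0.0)),
            "resource_type": finding.get("Resource", {}).get("ResourceType"),
            "principal": principal(finding), "remote_ip": remote_ip(finding),
            "count": service.get("Count", 1), "last_seen": service.get("EventLastSeen")}


def triage(client: Any, detector_id: str, criteria: dict = UNARCHIVED_HIGH_AND_ABOVE) -> list[dict]:
    ids = iter_finding_ids(client, detector_id, criteria)
    return [summarize(f) for f in fetch_findings(client, detector_id, ids)]


# Constructed sample findings (shapes follow the GetFindings response syntax above).
SAMPLE_FINDINGS = [
    {"Id": "f-1", "Type": "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS", "Severity": 8.0,
     "Resource": {"ResourceType": "AccessKey", "AccessKeyDetails": {"UserName": "web-role", "UserType": "AssumedRole"}},
     "Service": {"Count": 3, "EventLastSeen": "2025-01-01T00:00:00Z", "Action": {"ActionType": "AWS_API_CALL",
                 "AwsApiCallAction": {"Api": "ListBuckets", "RemoteIpDetails": {"IpAddressV4": "198.51.100.7"}}}}},
    {"Id": "f-2", "Type": "CryptoCurrency:EC2/BitcoinTool.B!DNS", "Severity": 9.5,
     "Resource": {"ResourceType": "Instance", "InstanceDetails": {"InstanceId": "i-0123456789abcdef0"}},
     "Service": {"Count": 12, "EventLastSeen": "2025-01-02T00:00:00Z", "Action": {"ActionType": "DNS_REQUEST",
                 "DnsRequestAction": {"Domain": "pool.example"}}}},
]


class FakeGuardDuty:
    """Constructed stand-in for boto3's GuardDuty client so the example runs offline."""

    def __init__(self, findings: list[dict], page_size: int = 1) -> None:
        self._by_id = {f["Id"]: f for f in findings}
        self._page_size = page_size

    def get_paginator(self, name: str) -> FakeGuardDuty:
        assert name == "list_findings"
        return self

    def paginate(self, **_: Any) -> Iterator[dict]:
        ids = list(self._by_id)
        for i in range(0, len(ids), self._page_size):
            yield {"FindingIds": ids[i:i + self._page_size]}

    def get_findings(self, DetectorId: str, FindingIds: list[str], **_: Any) -> dict:
        assert len(FindingIds) <= GET_FINDINGS_BATCH, "GetFindings takes at most 50 IDs"
        return {"Findings": [self._by_id[i] for i in FindingIds if i in self._by_id]}


if __name__ == "__main__":
    # In practice: triage(boto3.client("guardduty"), "<your detector id>")
    for row in triage(FakeGuardDuty(SAMPLE_FINDINGS), "12abc34d567e8fa901bc2d34e56789f0"):
        print(row)
```

The criteria and severity bands are the parts to adapt: "service.archived" keeps already-reviewed findings out of the queue, and the remote IP is pulled from whichever action subtype the finding carries, since DNS-request findings have no remote address at all.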
AWS API Documentation **Exceptions** * "GuardDuty.Client.exceptions.BadRequestException" * "GuardDuty.Client.exceptions.InternalServerErrorException" GuardDuty / Client / update_ip_set update_ip_set ************* GuardDuty.Client.update_ip_set(**kwargs) Updates the IPSet specified by the IPSet ID. See also: AWS API Documentation **Request Syntax** response = client.update_ip_set( DetectorId='string', IpSetId='string', Name='string', Location='string', Activate=True|False, ExpectedBucketOwner='string' ) Parameters: * **DetectorId** (*string*) -- **[REQUIRED]** The ID of the detector that specifies the GuardDuty service whose IPSet you want to update. To find the "detectorId" in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API. * **IpSetId** (*string*) -- **[REQUIRED]** The unique ID that specifies the IPSet that you want to update. * **Name** (*string*) -- The updated name of the IPSet. * **Location** (*string*) -- The updated URI of the file that contains the IPSet. * **Activate** (*boolean*) -- The updated Boolean value that specifies whether the IPSet is active or not. * **ExpectedBucketOwner** (*string*) -- The Amazon Web Services account ID that owns the Amazon S3 bucket specified in the **location** parameter. Setting it ensures the list is read only from a bucket owned by that account, not from a same-named bucket in another account. Return type: dict Returns: **Response Syntax** {} **Response Structure** * *(dict) --* **Exceptions** * "GuardDuty.Client.exceptions.BadRequestException" * "GuardDuty.Client.exceptions.InternalServerErrorException" * "GuardDuty.Client.exceptions.AccessDeniedException" GuardDuty / Client / delete_threat_intel_set delete_threat_intel_set *********************** GuardDuty.Client.delete_threat_intel_set(**kwargs) Deletes the ThreatIntelSet specified by the ThreatIntelSet ID. 
See also: AWS API Documentation **Request Syntax** response = client.delete_threat_intel_set( DetectorId='string', ThreatIntelSetId='string' ) Parameters: * **DetectorId** (*string*) -- **[REQUIRED]** The unique ID of the detector that is associated with the threatIntelSet. To find the "detectorId" in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API. * **ThreatIntelSetId** (*string*) -- **[REQUIRED]** The unique ID of the threatIntelSet that you want to delete. Return type: dict Returns: **Response Syntax** {} **Response Structure** * *(dict) --* **Exceptions** * "GuardDuty.Client.exceptions.BadRequestException" * "GuardDuty.Client.exceptions.InternalServerErrorException" GuardDuty / Client / get_paginator get_paginator ************* GuardDuty.Client.get_paginator(operation_name) Create a paginator for an operation. Parameters: **operation_name** (*string*) -- The operation name. This is the same name as the method name on the client. For example, if the method name is "create_foo", and you'd normally invoke the operation as "client.create_foo(**kwargs)", if the "create_foo" operation can be paginated, you can use the call "client.get_paginator("create_foo")". Raises: **OperationNotPageableError** -- Raised if the operation is not pageable. You can use the "client.can_paginate" method to check if an operation is pageable. Return type: "botocore.paginate.Paginator" Returns: A paginator object. GuardDuty / Client / create_publishing_destination create_publishing_destination ***************************** GuardDuty.Client.create_publishing_destination(**kwargs) Creates a publishing destination where you can export your GuardDuty findings. Before you start exporting the findings, the destination resource must exist. 
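An added example, not part of the boto3 documentation, for preparing the destination that create_publishing_destination requires to exist. GuardDuty writes findings as the service principal guardduty.amazonaws.com, so the bucket policy and the KMS key policy must grant it access, and both grants should be scoped with aws:SourceAccount and aws:SourceArn (the detector ARN) so that a detector in some other account cannot be pointed at your bucket or key (the confused-deputy case). The policy shapes are modeled on the findings-export setup in the GuardDuty user guide and should be checked against the current guide before use; the account ID, bucket name, key ARN, detector ID and the FakeGuardDuty stand-in are constructed for the example.

```python
"""Added example (not from the boto3 docs): bucket and key policies for a GuardDuty S3
publishing destination, a confused-deputy check on them, and the create call."""
from __future__ import annotations

import json
from typing import Any

GUARDDUTY = "guardduty.amazonaws.com"


def detector_arn(region: str, account_id: str, detector_id: str) -> str:
    return f"arn:aws:guardduty:{region}:{account_id}:detector/{detector_id}"


def findings_bucket_policy(bucket: str, account_id: str, det_arn: str, kms_key_arn: str) -> dict:
    """Allow only this detector to write, only KMS-encrypted with this key, only over TLS."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    only_this_detector = {"StringEquals": {"aws:SourceAccount": account_id, "aws:SourceArn": det_arn}}
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AllowGuardDutyGetBucketLocation", "Effect": "Allow", "Principal": {"Service": GUARDDUTY},
         "Action": "s3:GetBucketLocation", "Resource": bucket_arn, "Condition": only_this_detector},
        {"Sid": "AllowGuardDutyPutObject", "Effect": "Allow", "Principal": {"Service": GUARDDUTY},
         "Action": "s3:PutObject", "Resource": f"{bucket_arn}/*", "Condition": only_this_detector},
        {"Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": {"Service": GUARDDUTY},
         "Action": "s3:PutObject", "Resource": f"{bucket_arn}/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
        {"Sid": "DenyWrongKmsKey", "Effect": "Deny", "Principal": {"Service": GUARDDUTY},
         "Action": "s3:PutObject", "Resource": f"{bucket_arn}/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption-aws-kms-key-id": kms_key_arn}}},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [bucket_arn, f"{bucket_arn}/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ]}


def findings_key_policy(account_id: str, det_arn: str) -> dict:
    """Key policy: the account keeps administrative control; GuardDuty may only generate data keys."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "EnableIAMUserPermissions", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"}, "Action": "kms:*", "Resource": "*"},
        {"Sid": "AllowGuardDutyGenerateDataKey", "Effect": "Allow", "Principal": {"Service": GUARDDUTY},
         "Action": "kms:GenerateDataKey", "Resource": "*",
         "Condition": {"StringEquals": {"aws:SourceAccount": account_id, "aws:SourceArn": det_arn}}},
    ]}


def unscoped_service_grants(policy: dict) -> list[str]:
    """Sids of Allow statements for the GuardDuty service principal that are missing the
    aws:SourceAccount / aws:SourceArn scoping. Any such grant is usable by other accounts' detectors."""
    bad: list[str] = []
    for st in policy["Statement"]:
        principal = st.get("Principal")
        is_service = isinstance(principal, dict) and principal.get("Service") == GUARDDUTY
        if st.get("Effect") != "Allow" or not is_service:
            continue
        keys = st.get("Condition", {}).get("StringEquals", {})
        if "aws:SourceArn" not in keys or "aws:SourceAccount" not in keys:
            bad.append(st.get("Sid", "<no Sid>"))
    return bad


def create_findings_destination(client: Any, detector_id: str, bucket: str, folder: str, kms_key_arn: str) -> str:
    """Create the S3 publishing destination; the folder ARN form is the one documented below."""
    resp = client.create_publishing_destination(
        DetectorId=detector_id,
        DestinationType="S3",
        DestinationProperties={"DestinationArn": f"arn:aws:s3:::{bucket}/{folder.strip('/')}/",
                               "KmsKeyArn": kms_key_arn},
    )
    return resp["DestinationId"]


class FakeGuardDuty:
    """Constructed stand-in for boto3's GuardDuty client so the example runs offline."""

    def create_publishing_destination(self, **kwargs: Any) -> dict:
        assert kwargs["DestinationType"] == "S3"
        assert kwargs["DestinationProperties"]["DestinationArn"].endswith("/")
        return {"DestinationId": "dest-constructed"}


if __name__ == "__main__":
    acct = "111122223333"  # constructed account ID
    det = detector_arn("us-east-1", acct, "12abc34d567e8fa901bc2d34e56789f0")
    key = f"arn:aws:kms:us-east-1:{acct}:key/00000000-0000-0000-0000-000000000000"
    bucket_policy = findings_bucket_policy("findings-example-bucket", acct, det, key)
    assert not unscoped_service_grants(bucket_policy) and not unscoped_service_grants(findings_key_policy(acct, det))
    print(json.dumps(bucket_policy, indent=2))
    print(create_findings_destination(FakeGuardDuty(), "12abc34d567e8fa901bc2d34e56789f0",
                                      "findings-example-bucket", "guardduty", key))
```

Run unscoped_service_grants against the policies actually attached (s3 get-bucket-policy, kms get-key-policy) as well as against what you intend to apply: the common failure is a working export set up with a broad grant "to get it going" that never gets tightened.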
See also: AWS API Documentation **Request Syntax** response = client.create_publishing_destination( DetectorId='string', DestinationType='S3', DestinationProperties={ 'DestinationArn': 'string', 'KmsKeyArn': 'string' }, ClientToken='string' ) Parameters: * **DetectorId** (*string*) -- **[REQUIRED]** The ID of the GuardDuty detector associated with the publishing destination. To find the "detectorId" in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API. * **DestinationType** (*string*) -- **[REQUIRED]** The type of resource for the publishing destination. Currently only Amazon S3 buckets are supported. * **DestinationProperties** (*dict*) -- **[REQUIRED]** The properties of the publishing destination, including the ARNs for the destination and the KMS key used for encryption. * **DestinationArn** *(string) --* The ARN of the resource to publish to. To specify an S3 bucket folder use the following format: "arn:aws:s3:::DOC-EXAMPLE-BUCKET/myFolder/" * **KmsKeyArn** *(string) --* The ARN of the KMS key to use for encryption. * **ClientToken** (*string*) -- The idempotency token for the request. This field is autopopulated if not provided. Return type: dict Returns: **Response Syntax** { 'DestinationId': 'string' } **Response Structure** * *(dict) --* * **DestinationId** *(string) --* The ID of the publishing destination that is created. **Exceptions** * "GuardDuty.Client.exceptions.BadRequestException" * "GuardDuty.Client.exceptions.InternalServerErrorException" GuardDuty / Client / create_malware_protection_plan create_malware_protection_plan ****************************** GuardDuty.Client.create_malware_protection_plan(**kwargs) Creates a new Malware Protection plan for the protected resource. When you create a Malware Protection plan, the Amazon Web Services service terms for GuardDuty Malware Protection apply. For more information, see Amazon Web Services service terms for GuardDuty Malware Protection. 
See also: AWS API Documentation **Request Syntax** response = client.create_malware_protection_plan( ClientToken='string', Role='string', ProtectedResource={ 'S3Bucket': { 'BucketName': 'string', 'ObjectPrefixes': [ 'string', ] } }, Actions={ 'Tagging': { 'Status': 'ENABLED'|'DISABLED' } }, Tags={ 'string': 'string' } ) Parameters: * **ClientToken** (*string*) -- The idempotency token for the create request. This field is autopopulated if not provided. * **Role** (*string*) -- **[REQUIRED]** Amazon Resource Name (ARN) of the IAM role that has the permissions to scan and add tags to the associated protected resource. * **ProtectedResource** (*dict*) -- **[REQUIRED]** Information about the protected resource that is associated with the created Malware Protection plan. Presently, "S3Bucket" is the only supported protected resource. * **S3Bucket** *(dict) --* Information about the protected S3 bucket resource. * **BucketName** *(string) --* Name of the S3 bucket. * **ObjectPrefixes** *(list) --* Information about the specified object prefixes. The S3 object will be scanned only if it belongs to any of the specified object prefixes. * *(string) --* * **Actions** (*dict*) -- Information about whether tags will be added to the S3 object after scanning. * **Tagging** *(dict) --* Indicates whether the scanned S3 object will have tags about the scan result. * **Status** *(string) --* Indicates whether or not the tags will be added. * **Tags** (*dict*) -- Tags added to the Malware Protection plan resource. * *(string) --* * *(string) --* Return type: dict Returns: **Response Syntax** { 'MalwareProtectionPlanId': 'string' } **Response Structure** * *(dict) --* * **MalwareProtectionPlanId** *(string) --* A unique identifier associated with the Malware Protection plan resource. 
**Exceptions** * "GuardDuty.Client.exceptions.BadRequestException" * "GuardDuty.Client.exceptions.AccessDeniedException" * "GuardDuty.Client.exceptions.ConflictException" * "GuardDuty.Client.exceptions.InternalServerErrorException" GuardDuty / Client / list_filters list_filters ************ GuardDuty.Client.list_filters(**kwargs) Returns a paginated list of the current filters. See also: AWS API Documentation **Request Syntax** response = client.list_filters( DetectorId='string', MaxResults=123, NextToken='string' ) Parameters: * **DetectorId** (*string*) -- **[REQUIRED]** The unique ID of the detector that is associated with the filter. To find the "detectorId" in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API. * **MaxResults** (*integer*) -- You can use this parameter to indicate the maximum number of items that you want in the response. The default value is 50. The maximum value is 50. * **NextToken** (*string*) -- You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data. Return type: dict Returns: **Response Syntax** { 'FilterNames': [ 'string', ], 'NextToken': 'string' } **Response Structure** * *(dict) --* * **FilterNames** *(list) --* A list of filter names. * *(string) --* * **NextToken** *(string) --* The pagination parameter to be used on the next list operation to retrieve more items. **Exceptions** * "GuardDuty.Client.exceptions.BadRequestException" * "GuardDuty.Client.exceptions.InternalServerErrorException" GuardDuty / Client / list_ip_sets list_ip_sets ************ GuardDuty.Client.list_ip_sets(**kwargs) Lists the IPSets of the GuardDuty service specified by the detector ID. 
If you use this operation from a member account, the IPSets returned are the IPSets from the associated administrator account. See also: AWS API Documentation **Request Syntax** response = client.list_ip_sets( DetectorId='string', MaxResults=123, NextToken='string' ) Parameters: * **DetectorId** (*string*) -- **[REQUIRED]** The unique ID of the detector that is associated with IPSet. To find the "detectorId" in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API. * **MaxResults** (*integer*) -- You can use this parameter to indicate the maximum number of items you want in the response. The default value is 50. The maximum value is 50. * **NextToken** (*string*) -- You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data. Return type: dict Returns: **Response Syntax** { 'IpSetIds': [ 'string', ], 'NextToken': 'string' } **Response Structure** * *(dict) --* * **IpSetIds** *(list) --* The IDs of the IPSet resources. * *(string) --* * **NextToken** *(string) --* The pagination parameter to be used on the next list operation to retrieve more items. **Exceptions** * "GuardDuty.Client.exceptions.BadRequestException" * "GuardDuty.Client.exceptions.InternalServerErrorException" GuardDuty / Client / invite_members invite_members ************** GuardDuty.Client.invite_members(**kwargs) Invites Amazon Web Services accounts to become members of an organization administered by the Amazon Web Services account that invokes this API. If you are using Amazon Web Services Organizations to manage your GuardDuty environment, this step is not needed. For more information, see Managing accounts with organizations. 
Before you invite Amazon Web Services accounts, make sure that GuardDuty has been enabled in each prospective member account and that the accounts have been registered with CreateMembers; then invoke this API to add them by invitation. The invited accounts can accept or decline the invitation from their own GuardDuty accounts, and each invited Amazon Web Services account can accept an invitation from only one administrator account. For more information, see Managing GuardDuty accounts by invitation.

If you later disassociate an invited member account (by using DisassociateMembers), the member account details recorded by CreateMembers, including the associated email address, are retained. This is done so that the administrator can invoke InviteMembers again without invoking CreateMembers first. To remove the details associated with a member account, you must also invoke DeleteMembers.

Member accounts that were added through Organizations and later disassociated can't be re-invited by calling InviteMembers; you can associate them again only by calling CreateMembers.

See also: AWS API Documentation

**Request Syntax**

response = client.invite_members(
    DetectorId='string',
    AccountIds=[
        'string',
    ],
    DisableEmailNotification=True|False,
    Message='string'
)

Parameters:

* **DetectorId** (*string*) -- **[REQUIRED]** The unique ID of the detector of the GuardDuty account with which you want to invite members.
To find the "detectorId" in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API. * **AccountIds** (*list*) -- **[REQUIRED]** A list of account IDs of the accounts that you want to invite to GuardDuty as members. * *(string) --* * **DisableEmailNotification** (*boolean*) -- A Boolean value that specifies whether you want to disable email notification to the accounts that you are inviting to GuardDuty as members. * **Message** (*string*) -- The invitation message that you want to send to the accounts that you're inviting to GuardDuty as members. Return type: dict Returns: **Response Syntax** { 'UnprocessedAccounts': [ { 'AccountId': 'string', 'Result': 'string' }, ] } **Response Structure** * *(dict) --* * **UnprocessedAccounts** *(list) --* A list of objects that contain the unprocessed account and a result string that explains why it was unprocessed. * *(dict) --* Contains information about the accounts that weren't processed. * **AccountId** *(string) --* The Amazon Web Services account ID. * **Result** *(string) --* A reason why the account hasn't been processed. **Exceptions** * "GuardDuty.Client.exceptions.BadRequestException" * "GuardDuty.Client.exceptions.InternalServerErrorException" GuardDuty / Client / get_threat_intel_set get_threat_intel_set ******************** GuardDuty.Client.get_threat_intel_set(**kwargs) Retrieves the ThreatIntelSet that is specified by the ThreatIntelSet ID. See also: AWS API Documentation **Request Syntax** response = client.get_threat_intel_set( DetectorId='string', ThreatIntelSetId='string' ) Parameters: * **DetectorId** (*string*) -- **[REQUIRED]** The unique ID of the detector that is associated with the threatIntelSet. To find the "detectorId" in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API. * **ThreatIntelSetId** (*string*) -- **[REQUIRED]** The unique ID of the threatIntelSet that you want to get. 
Return type: dict Returns: **Response Syntax** { 'Name': 'string', 'Format': 'TXT'|'STIX'|'OTX_CSV'|'ALIEN_VAULT'|'PROOF_POINT'|'FIRE_EYE', 'Location': 'string', 'Status': 'INACTIVE'|'ACTIVATING'|'ACTIVE'|'DEACTIVATING'|'ERROR'|'DELETE_PENDING'|'DELETED', 'Tags': { 'string': 'string' }, 'ExpectedBucketOwner': 'string' } **Response Structure** * *(dict) --* * **Name** *(string) --* A user-friendly ThreatIntelSet name displayed in all findings that are generated by activity that involves IP addresses included in this ThreatIntelSet. * **Format** *(string) --* The format of the threatIntelSet. * **Location** *(string) --* The URI of the file that contains the ThreatIntelSet. * **Status** *(string) --* The status of threatIntelSet file uploaded. * **Tags** *(dict) --* The tags of the threat list resource. * *(string) --* * *(string) --* * **ExpectedBucketOwner** *(string) --* The Amazon Web Services account ID that owns the Amazon S3 bucket specified in the **location** parameter. This field appears in the response only if it was provided during ThreatIntelSet creation or update. **Exceptions** * "GuardDuty.Client.exceptions.BadRequestException" * "GuardDuty.Client.exceptions.InternalServerErrorException" GuardDuty / Client / get_malware_protection_plan get_malware_protection_plan *************************** GuardDuty.Client.get_malware_protection_plan(**kwargs) Retrieves the Malware Protection plan details associated with a Malware Protection plan ID. See also: AWS API Documentation **Request Syntax** response = client.get_malware_protection_plan( MalwareProtectionPlanId='string' ) Parameters: **MalwareProtectionPlanId** (*string*) -- **[REQUIRED]** A unique identifier associated with Malware Protection plan resource. 
Return type: dict

Returns:

**Response Syntax**

{
    'Arn': 'string',
    'Role': 'string',
    'ProtectedResource': {
        'S3Bucket': {
            'BucketName': 'string',
            'ObjectPrefixes': [
                'string',
            ]
        }
    },
    'Actions': {
        'Tagging': {
            'Status': 'ENABLED'|'DISABLED'
        }
    },
    'CreatedAt': datetime(2015, 1, 1),
    'Status': 'ACTIVE'|'WARNING'|'ERROR',
    'StatusReasons': [
        {
            'Code': 'string',
            'Message': 'string'
        },
    ],
    'Tags': {
        'string': 'string'
    }
}

**Response Structure**

* *(dict) --*
  * **Arn** *(string) --* Amazon Resource Name (ARN) of the protected resource.
  * **Role** *(string) --* Amazon Resource Name (ARN) of the IAM role that includes the permissions to scan and add tags to the associated protected resource.
  * **ProtectedResource** *(dict) --* Information about the protected resource that is associated with the created Malware Protection plan. Presently, "S3Bucket" is the only supported protected resource.
    * **S3Bucket** *(dict) --* Information about the protected S3 bucket resource.
      * **BucketName** *(string) --* Name of the S3 bucket.
      * **ObjectPrefixes** *(list) --* The object prefixes that are in scope. An S3 object is scanned only if its key falls under one of the specified prefixes.
        * *(string) --*
  * **Actions** *(dict) --* Information about whether tags will be added to the S3 object after scanning.
    * **Tagging** *(dict) --* Indicates whether the scanned S3 object will have tags about the scan result.
      * **Status** *(string) --* Indicates whether or not the tags will be added.
  * **CreatedAt** *(datetime) --* The timestamp when the Malware Protection plan resource was created.
  * **Status** *(string) --* Malware Protection plan status.
  * **StatusReasons** *(list) --* The issue codes and messages associated with the status of your Malware Protection plan.
    * *(dict) --* Information about the issue code and message associated with the status of your Malware Protection plan.
      * **Code** *(string) --* Issue code.
* **Message** *(string) --* Issue message that specifies the reason. For information about potential troubleshooting steps, see Troubleshooting Malware Protection for S3 status issues in the *Amazon GuardDuty User Guide*. * **Tags** *(dict) --* Tags added to the Malware Protection plan resource. * *(string) --* * *(string) --* **Exceptions** * "GuardDuty.Client.exceptions.BadRequestException" * "GuardDuty.Client.exceptions.AccessDeniedException" * "GuardDuty.Client.exceptions.InternalServerErrorException" * "GuardDuty.Client.exceptions.ResourceNotFoundException" GuardDuty / Client / can_paginate can_paginate ************ GuardDuty.Client.can_paginate(operation_name) Check if an operation can be paginated. Parameters: **operation_name** (*string*) -- The operation name. This is the same name as the method name on the client. For example, if the method name is "create_foo", and you'd normally invoke the operation as "client.create_foo(**kwargs)", if the "create_foo" operation can be paginated, you can use the call "client.get_paginator("create_foo")". Returns: "True" if the operation can be paginated, "False" otherwise. GuardDuty / Client / delete_publishing_destination delete_publishing_destination ***************************** GuardDuty.Client.delete_publishing_destination(**kwargs) Deletes the publishing definition with the specified "destinationId". See also: AWS API Documentation **Request Syntax** response = client.delete_publishing_destination( DetectorId='string', DestinationId='string' ) Parameters: * **DetectorId** (*string*) -- **[REQUIRED]** The unique ID of the detector associated with the publishing destination to delete. To find the "detectorId" in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API. * **DestinationId** (*string*) -- **[REQUIRED]** The ID of the publishing destination to delete. 
Return type: dict

Returns:

**Response Syntax**

{}

**Response Structure**

* *(dict) --*

**Exceptions**

* "GuardDuty.Client.exceptions.BadRequestException"
* "GuardDuty.Client.exceptions.InternalServerErrorException"

GuardDuty / Client / disassociate_members

disassociate_members
********************

GuardDuty.Client.disassociate_members(**kwargs)

Disassociates the GuardDuty member accounts specified by account ID from the current administrator account.

When you disassociate an invited member from a GuardDuty delegated administrator, the member account details obtained from the CreateMembers API, including the associated email addresses, are retained. This is done so that the delegated administrator can invoke the InviteMembers API again without invoking the CreateMembers API first. To remove the details associated with a member account, the delegated administrator must invoke the DeleteMembers API.

With the "autoEnableOrganizationMembers" configuration for your organization set to "ALL", you'll receive an error if you attempt to disassociate a member account before removing it from your organization.

Member accounts that were added through Organizations and later disassociated can't be re-invited by calling the InviteMembers API; you can associate them again only by calling the CreateMembers API.
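CreateMembers, InviteMembers, DisassociateMembers and DeleteMembers all report accounts they refused through UnprocessedAccounts rather than by raising, so a script that never reads that list can leave accounts unmonitored without noticing. The following is an added example, not code from the boto3 documentation, that chains the two halves of the invitation workflow this page describes: register then invite, and disassociate then delete so that the retained account details are actually removed. FakeGuardDuty is a constructed stand-in for boto3.client('guardduty') that returns the documented response shapes offline; the detector ID, account IDs, e-mail addresses and refusal reason in it are made up.

```python
"""Onboard and offboard GuardDuty members by invitation, honouring UnprocessedAccounts.

Added example, not part of the boto3 documentation. FakeGuardDuty stands in
for boto3.client("guardduty"); every identifier and refusal reason is made up.
"""
from typing import Any, Dict, Iterable, List


def _refused(response: dict) -> Dict[str, str]:
    """AccountId -> Result for every account the service did not process."""
    return {u["AccountId"]: u["Result"] for u in response.get("UnprocessedAccounts", [])}


def onboard_members(client: Any, detector_id: str, accounts: Dict[str, str],
                    message: str) -> Dict[str, str]:
    """Register accounts with CreateMembers, then invite the ones that were accepted.

    `accounts` maps account ID -> e-mail. Returns account ID -> "invited" or the
    reason given by the step that rejected it. GuardDuty must already be enabled
    in each member account before the invitation can be accepted.
    """
    outcome: Dict[str, str] = {}
    created = client.create_members(
        DetectorId=detector_id,
        AccountDetails=[{"AccountId": a, "Email": e} for a, e in accounts.items()],
    )
    refused = _refused(created)
    outcome.update({a: f"create_members: {why}" for a, why in refused.items()})
    to_invite = [a for a in accounts if a not in refused]
    if to_invite:
        invited = client.invite_members(
            DetectorId=detector_id, AccountIds=to_invite,
            DisableEmailNotification=False, Message=message,
        )
        refused = _refused(invited)
        outcome.update({a: f"invite_members: {why}" for a, why in refused.items()})
        outcome.update({a: "invited" for a in to_invite if a not in refused})
    return outcome


def offboard_members(client: Any, detector_id: str, account_ids: Iterable[str]) -> Dict[str, str]:
    """Disassociate members, then delete the retained account details.

    DisassociateMembers alone keeps the record (including the e-mail address)
    so the member can be re-invited; DeleteMembers is what removes it.
    """
    ids = list(account_ids)
    outcome: Dict[str, str] = {}
    refused = _refused(client.disassociate_members(DetectorId=detector_id, AccountIds=ids))
    outcome.update({a: f"disassociate_members: {why}" for a, why in refused.items()})
    remaining = [a for a in ids if a not in refused]
    if remaining:
        refused = _refused(client.delete_members(DetectorId=detector_id, AccountIds=remaining))
        outcome.update({a: f"delete_members: {why}" for a, why in refused.items()})
        outcome.update({a: "removed" for a in remaining if a not in refused})
    return outcome


class FakeGuardDuty:
    """Constructed stand-in that tracks member state the way this page describes it."""

    def __init__(self, detector_id: str, refuse: Dict[str, str]) -> None:
        self.detector_id = detector_id
        self.refuse = refuse                 # account ID -> made-up refusal reason
        self.members: Dict[str, str] = {}    # account ID -> relationship status

    def _respond(self, kw: dict, ids: List[str]) -> dict:
        if kw.get("DetectorId") != self.detector_id:
            raise ValueError("BadRequestException: unknown DetectorId")
        return {"UnprocessedAccounts": [{"AccountId": a, "Result": self.refuse[a]}
                                        for a in ids if a in self.refuse]}

    def _accepted(self, ids: List[str]) -> List[str]:
        return [a for a in ids if a not in self.refuse]

    def create_members(self, **kw: Any) -> dict:
        ids = [d["AccountId"] for d in kw["AccountDetails"]]
        response = self._respond(kw, ids)
        for a in self._accepted(ids):
            self.members[a] = "Created"
        return response

    def invite_members(self, **kw: Any) -> dict:
        response = self._respond(kw, kw["AccountIds"])
        for a in self._accepted(kw["AccountIds"]):
            if a in self.members:
                self.members[a] = "Invited"
        return response

    def disassociate_members(self, **kw: Any) -> dict:
        response = self._respond(kw, kw["AccountIds"])
        for a in self._accepted(kw["AccountIds"]):
            if a in self.members:
                self.members[a] = "Removed"   # record is kept, as the page documents
        return response

    def delete_members(self, **kw: Any) -> dict:
        response = self._respond(kw, kw["AccountIds"])
        for a in self._accepted(kw["AccountIds"]):
            self.members.pop(a, None)
        return response
```

With a real client, DisassociateMembers raises (rather than listing the account as unprocessed) when autoEnableOrganizationMembers is ALL and the account is still in the organization, so let that exception propagate and remove the account from the organization first. Accounts that joined through Organizations cannot be re-invited with onboard_members afterwards; the page says CreateMembers alone re-associates them.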
See also: AWS API Documentation **Request Syntax** response = client.disassociate_members( DetectorId='string', AccountIds=[ 'string', ] ) Parameters: * **DetectorId** (*string*) -- **[REQUIRED]** The unique ID of the detector of the GuardDuty account whose members you want to disassociate from the administrator account. * **AccountIds** (*list*) -- **[REQUIRED]** A list of account IDs of the GuardDuty member accounts that you want to disassociate from the administrator account. * *(string) --* Return type: dict Returns: **Response Syntax** { 'UnprocessedAccounts': [ { 'AccountId': 'string', 'Result': 'string' }, ] } **Response Structure** * *(dict) --* * **UnprocessedAccounts** *(list) --* A list of objects that contain the unprocessed account and a result string that explains why it was unprocessed. * *(dict) --* Contains information about the accounts that weren't processed. * **AccountId** *(string) --* The Amazon Web Services account ID. * **Result** *(string) --* A reason why the account hasn't been processed. **Exceptions** * "GuardDuty.Client.exceptions.BadRequestException" * "GuardDuty.Client.exceptions.InternalServerErrorException" GuardDuty / Client / get_administrator_account get_administrator_account ************************* GuardDuty.Client.get_administrator_account(**kwargs) Provides the details of the GuardDuty administrator account associated with the current GuardDuty member account. Based on the type of account that runs this API, the following list shows how the API behavior varies: * When the GuardDuty administrator account runs this API, it will return success ( "HTTP 200") but no content. * When a member account runs this API, it will return the details of the GuardDuty administrator account that is associated with this calling member account. * When an individual account (not associated with an organization) runs this API, it will return success ( "HTTP 200") but no content. 
See also: AWS API Documentation **Request Syntax** response = client.get_administrator_account( DetectorId='string' ) Parameters: **DetectorId** (*string*) -- **[REQUIRED]** The unique ID of the detector of the GuardDuty member account. Return type: dict Returns: **Response Syntax** { 'Administrator': { 'AccountId': 'string', 'InvitationId': 'string', 'RelationshipStatus': 'string', 'InvitedAt': 'string' } } **Response Structure** * *(dict) --* * **Administrator** *(dict) --* The administrator account details. * **AccountId** *(string) --* The ID of the account used as the administrator account. * **InvitationId** *(string) --* The value that is used to validate the administrator account to the member account. * **RelationshipStatus** *(string) --* The status of the relationship between the administrator and member accounts. * **InvitedAt** *(string) --* The timestamp when the invitation was sent. **Exceptions** * "GuardDuty.Client.exceptions.BadRequestException" * "GuardDuty.Client.exceptions.InternalServerErrorException" GuardDuty / Client / get_organization_statistics get_organization_statistics *************************** GuardDuty.Client.get_organization_statistics() Retrieves how many active member accounts have each feature enabled within GuardDuty. Only a delegated GuardDuty administrator of an organization can run this API. When you create a new organization, it might take up to 24 hours to generate the statistics for the entire organization. 
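The counts returned by get_organization_statistics are most useful once they are turned into a gap list: which features (and which agent-management add-ons) are not enabled in every GuardDuty-enabled account, and how many accounts in the organization are not under GuardDuty at all. The following is an added example, not from the boto3 documentation; SAMPLE_RESPONSE is constructed in the shape documented below with made-up numbers, and the choice of denominators and the 24-hour staleness threshold are this example's own.

```python
"""Turn a get_organization_statistics response into a coverage gap report.

Added example, not part of the boto3 documentation. SAMPLE_RESPONSE is
constructed in the documented response shape with made-up numbers.
"""
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, Optional

SAMPLE_RESPONSE: Dict[str, Any] = {
    "OrganizationDetails": {
        "UpdatedAt": datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc),
        "OrganizationStatistics": {
            "TotalAccountsCount": 40,
            "MemberAccountsCount": 38,
            "ActiveAccountsCount": 37,
            "EnabledAccountsCount": 37,
            "CountByFeature": [
                {"Name": "S3_DATA_EVENTS", "EnabledAccountsCount": 37,
                 "AdditionalConfiguration": []},
                {"Name": "EKS_AUDIT_LOGS", "EnabledAccountsCount": 30,
                 "AdditionalConfiguration": []},
                {"Name": "RUNTIME_MONITORING", "EnabledAccountsCount": 35,
                 "AdditionalConfiguration": [
                     {"Name": "EKS_ADDON_MANAGEMENT", "EnabledAccountsCount": 35},
                     {"Name": "ECS_FARGATE_AGENT_MANAGEMENT", "EnabledAccountsCount": 20},
                     {"Name": "EC2_AGENT_MANAGEMENT", "EnabledAccountsCount": 35},
                 ]},
            ],
        },
    }
}


def coverage_gaps(response: Dict[str, Any], now: Optional[datetime] = None,
                  max_age: timedelta = timedelta(hours=24)) -> Dict[str, Any]:
    """Report where GuardDuty coverage is incomplete across the organization.

    Denominators (this example's choice, not something the API prescribes):
      * a feature is measured against EnabledAccountsCount, since a feature can
        only be on in accounts where GuardDuty itself is on;
      * an additional configuration is measured against its parent feature's
        count, since it is an add-on to that feature.
    `stale` is set when the report is older than `max_age`; the documentation
    says a new organization can take up to 24 hours to produce statistics.
    """
    details = response["OrganizationDetails"]
    stats = details["OrganizationStatistics"]
    enabled = stats["EnabledAccountsCount"]
    gaps: Dict[str, int] = {}
    for feature in stats.get("CountByFeature", []):
        name, count = feature["Name"], feature["EnabledAccountsCount"]
        if enabled - count > 0:
            gaps[name] = enabled - count
        for extra in feature.get("AdditionalConfiguration", []):
            if count - extra["EnabledAccountsCount"] > 0:
                gaps[f"{name}/{extra['Name']}"] = count - extra["EnabledAccountsCount"]
    now = now or datetime.now(timezone.utc)
    return {
        "accounts_without_guardduty": stats["TotalAccountsCount"] - enabled,
        "accounts_not_members": stats["TotalAccountsCount"] - stats["MemberAccountsCount"],
        "feature_gaps": gaps,
        "stale": now - details["UpdatedAt"] > max_age,
    }


def report_for_sample(hours_after_update: float) -> Dict[str, Any]:
    """Run the report against SAMPLE_RESPONSE as seen `hours_after_update` later."""
    updated = SAMPLE_RESPONSE["OrganizationDetails"]["UpdatedAt"]
    return coverage_gaps(SAMPLE_RESPONSE, now=updated + timedelta(hours=hours_after_update))


if __name__ == "__main__":
    # For a real account: coverage_gaps(boto3.client("guardduty").get_organization_statistics())
    for key, value in report_for_sample(1).items():
        print(f"{key}: {value}")
```

boto3 returns UpdatedAt as a timezone-aware datetime, so the subtraction against an aware `now` is safe; only the delegated administrator account can make the call, so run it from there.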
See also: AWS API Documentation **Request Syntax** response = client.get_organization_statistics() Return type: dict Returns: **Response Syntax** { 'OrganizationDetails': { 'UpdatedAt': datetime(2015, 1, 1), 'OrganizationStatistics': { 'TotalAccountsCount': 123, 'MemberAccountsCount': 123, 'ActiveAccountsCount': 123, 'EnabledAccountsCount': 123, 'CountByFeature': [ { 'Name': 'S3_DATA_EVENTS'|'EKS_AUDIT_LOGS'|'EBS_MALWARE_PROTECTION'|'RDS_LOGIN_EVENTS'|'EKS_RUNTIME_MONITORING'|'LAMBDA_NETWORK_LOGS'|'RUNTIME_MONITORING', 'EnabledAccountsCount': 123, 'AdditionalConfiguration': [ { 'Name': 'EKS_ADDON_MANAGEMENT'|'ECS_FARGATE_AGENT_MANAGEMENT'|'EC2_AGENT_MANAGEMENT', 'EnabledAccountsCount': 123 }, ] }, ] } } } **Response Structure** * *(dict) --* * **OrganizationDetails** *(dict) --* Information about the statistics report for your organization. * **UpdatedAt** *(datetime) --* The timestamp at which the organization statistics was last updated. This is in UTC format. * **OrganizationStatistics** *(dict) --* Information about the GuardDuty coverage statistics for members in your Amazon Web Services organization. * **TotalAccountsCount** *(integer) --* Total number of accounts in your Amazon Web Services organization. * **MemberAccountsCount** *(integer) --* Total number of accounts in your Amazon Web Services organization that are associated with GuardDuty. * **ActiveAccountsCount** *(integer) --* Total number of active accounts in your Amazon Web Services organization that are associated with GuardDuty. * **EnabledAccountsCount** *(integer) --* Total number of accounts that have enabled GuardDuty. * **CountByFeature** *(list) --* Retrieves the coverage statistics for each feature. * *(dict) --* Information about the number of accounts that have enabled a specific feature. * **Name** *(string) --* Name of the feature. * **EnabledAccountsCount** *(integer) --* Total number of accounts that have enabled a specific feature. 
* **AdditionalConfiguration** *(list) --* Coverage statistics for each additional configuration of the feature.
  * *(dict) --* Information about the coverage statistic for the additional configuration of the feature.
    * **Name** *(string) --* Name of the additional configuration within a feature.
    * **EnabledAccountsCount** *(integer) --* Total number of accounts that have enabled the additional configuration.

**Exceptions**

* "GuardDuty.Client.exceptions.BadRequestException"
* "GuardDuty.Client.exceptions.InternalServerErrorException"

GuardDuty / Client / list_invitations

list_invitations
****************

GuardDuty.Client.list_invitations(**kwargs)

Lists all GuardDuty membership invitations that were sent to the current Amazon Web Services account.

See also: AWS API Documentation

**Request Syntax**

response = client.list_invitations(
    MaxResults=123,
    NextToken='string'
)

Parameters:

* **MaxResults** (*integer*) -- You can use this parameter to indicate the maximum number of items that you want in the response. The default value is 50. The maximum value is 50.
* **NextToken** (*string*) -- You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.

Return type: dict

Returns:

**Response Syntax**

{
    'Invitations': [
        {
            'AccountId': 'string',
            'InvitationId': 'string',
            'RelationshipStatus': 'string',
            'InvitedAt': 'string'
        },
    ],
    'NextToken': 'string'
}

**Response Structure**

* *(dict) --*
  * **Invitations** *(list) --* A list of invitation descriptions.
    * *(dict) --* Contains information about the invitation to become a member account.
      * **AccountId** *(string) --* The ID of the account that the invitation was sent from.
      * **InvitationId** *(string) --* The ID of the invitation. This value is used to validate the inviter account to the member account.
* **RelationshipStatus** *(string) --* The status of the relationship between the inviter and invitee accounts. * **InvitedAt** *(string) --* The timestamp when the invitation was sent. * **NextToken** *(string) --* The pagination parameter to be used on the next list operation to retrieve more items. **Exceptions** * "GuardDuty.Client.exceptions.BadRequestException" * "GuardDuty.Client.exceptions.InternalServerErrorException" GuardDuty / Client / get_usage_statistics get_usage_statistics ******************** GuardDuty.Client.get_usage_statistics(**kwargs) Lists Amazon GuardDuty usage statistics over the last 30 days for the specified detector ID. For newly enabled detectors or data sources, the cost returned will include only the usage so far under 30 days. This may differ from the cost metrics in the console, which project usage over 30 days to provide a monthly cost estimate. For more information, see Understanding How Usage Costs are Calculated. See also: AWS API Documentation **Request Syntax** response = client.get_usage_statistics( DetectorId='string', UsageStatisticType='SUM_BY_ACCOUNT'|'SUM_BY_DATA_SOURCE'|'SUM_BY_RESOURCE'|'TOP_RESOURCES'|'SUM_BY_FEATURES'|'TOP_ACCOUNTS_BY_FEATURE', UsageCriteria={ 'AccountIds': [ 'string', ], 'DataSources': [ 'FLOW_LOGS'|'CLOUD_TRAIL'|'DNS_LOGS'|'S3_LOGS'|'KUBERNETES_AUDIT_LOGS'|'EC2_MALWARE_SCAN', ], 'Resources': [ 'string', ], 'Features': [ 'FLOW_LOGS'|'CLOUD_TRAIL'|'DNS_LOGS'|'S3_DATA_EVENTS'|'EKS_AUDIT_LOGS'|'EBS_MALWARE_PROTECTION'|'RDS_LOGIN_EVENTS'|'LAMBDA_NETWORK_LOGS'|'EKS_RUNTIME_MONITORING'|'FARGATE_RUNTIME_MONITORING'|'EC2_RUNTIME_MONITORING'|'RDS_DBI_PROTECTION_PROVISIONED'|'RDS_DBI_PROTECTION_SERVERLESS', ] }, Unit='string', MaxResults=123, NextToken='string' ) Parameters: * **DetectorId** (*string*) -- **[REQUIRED]** The ID of the detector that specifies the GuardDuty service whose usage statistics you want to retrieve. 
To find the "detectorId" in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API. * **UsageStatisticType** (*string*) -- **[REQUIRED]** The type of usage statistics to retrieve. * **UsageCriteria** (*dict*) -- **[REQUIRED]** Represents the criteria used for querying usage. * **AccountIds** *(list) --* The account IDs to aggregate usage statistics from. * *(string) --* * **DataSources** *(list) --* The data sources to aggregate usage statistics from. * *(string) --* * **Resources** *(list) --* The resources to aggregate usage statistics from. Only accepts exact resource names. * *(string) --* * **Features** *(list) --* The features to aggregate usage statistics from. * *(string) --* * **Unit** (*string*) -- The currency unit you would like to view your usage statistics in. Current valid values are USD. * **MaxResults** (*integer*) -- The maximum number of results to return in the response. * **NextToken** (*string*) -- A token to use for paginating results that are returned in the response. Set the value of this parameter to null for the first request to a list action. For subsequent calls, use the NextToken value returned from the previous request to continue listing results after the first page. 
Return type: dict Returns: **Response Syntax** { 'UsageStatistics': { 'SumByAccount': [ { 'AccountId': 'string', 'Total': { 'Amount': 'string', 'Unit': 'string' } }, ], 'TopAccountsByFeature': [ { 'Feature': 'FLOW_LOGS'|'CLOUD_TRAIL'|'DNS_LOGS'|'S3_DATA_EVENTS'|'EKS_AUDIT_LOGS'|'EBS_MALWARE_PROTECTION'|'RDS_LOGIN_EVENTS'|'LAMBDA_NETWORK_LOGS'|'EKS_RUNTIME_MONITORING'|'FARGATE_RUNTIME_MONITORING'|'EC2_RUNTIME_MONITORING'|'RDS_DBI_PROTECTION_PROVISIONED'|'RDS_DBI_PROTECTION_SERVERLESS', 'Accounts': [ { 'AccountId': 'string', 'Total': { 'Amount': 'string', 'Unit': 'string' } }, ] }, ], 'SumByDataSource': [ { 'DataSource': 'FLOW_LOGS'|'CLOUD_TRAIL'|'DNS_LOGS'|'S3_LOGS'|'KUBERNETES_AUDIT_LOGS'|'EC2_MALWARE_SCAN', 'Total': { 'Amount': 'string', 'Unit': 'string' } }, ], 'SumByResource': [ { 'Resource': 'string', 'Total': { 'Amount': 'string', 'Unit': 'string' } }, ], 'TopResources': [ { 'Resource': 'string', 'Total': { 'Amount': 'string', 'Unit': 'string' } }, ], 'SumByFeature': [ { 'Feature': 'FLOW_LOGS'|'CLOUD_TRAIL'|'DNS_LOGS'|'S3_DATA_EVENTS'|'EKS_AUDIT_LOGS'|'EBS_MALWARE_PROTECTION'|'RDS_LOGIN_EVENTS'|'LAMBDA_NETWORK_LOGS'|'EKS_RUNTIME_MONITORING'|'FARGATE_RUNTIME_MONITORING'|'EC2_RUNTIME_MONITORING'|'RDS_DBI_PROTECTION_PROVISIONED'|'RDS_DBI_PROTECTION_SERVERLESS', 'Total': { 'Amount': 'string', 'Unit': 'string' } }, ] }, 'NextToken': 'string' } **Response Structure** * *(dict) --* * **UsageStatistics** *(dict) --* The usage statistics object. If a UsageStatisticType was provided, the objects representing other types will be null. * **SumByAccount** *(list) --* The usage statistic sum organized by account ID. * *(dict) --* Contains information on the total of usage based on account IDs. * **AccountId** *(string) --* The Account ID that generated usage. * **Total** *(dict) --* Represents the total of usage for the Account ID. * **Amount** *(string) --* The total usage. * **Unit** *(string) --* The currency unit that the amount is given in. 
* **TopAccountsByFeature** *(list) --* Lists the top 50 accounts by feature that have generated the most GuardDuty usage, in order from most to least expensive. Currently, this doesn't support "RDS_LOGIN_EVENTS".
  * *(dict) --* Information about the usage statistics, calculated by top accounts by feature.
    * **Feature** *(string) --* The feature by which the usage statistics were generated. "RDS_LOGIN_EVENTS" is currently not supported with "topAccountsByFeature".
    * **Accounts** *(list) --* The accounts that contributed to the total usage cost.
      * *(dict) --* Contains information on the total of usage based on the topmost 50 account IDs.
        * **AccountId** *(string) --* The unique account ID.
        * **Total** *(dict) --* Contains the total usage with the corresponding currency unit for that value.
          * **Amount** *(string) --* The total usage.
          * **Unit** *(string) --* The currency unit that the amount is given in.
* **SumByDataSource** *(list) --* The usage statistic sum organized by data source.
  * *(dict) --* Contains information on the result of usage based on data source type.
    * **DataSource** *(string) --* The data source type that generated usage.
    * **Total** *(dict) --* Represents the total of usage for the specified data source.
      * **Amount** *(string) --* The total usage.
      * **Unit** *(string) --* The currency unit that the amount is given in.
* **SumByResource** *(list) --* The usage statistic sum organized by resource.
  * *(dict) --* Contains information on the sum of usage based on an Amazon Web Services resource.
    * **Resource** *(string) --* The Amazon Web Services resource that generated usage.
    * **Total** *(dict) --* Represents the sum total of usage for the specified resource.
      * **Amount** *(string) --* The total usage.
      * **Unit** *(string) --* The currency unit that the amount is given in.
* **TopResources** *(list) --* Lists the top 50 resources that have generated the most GuardDuty usage, in order from most to least expensive.
  * *(dict) --* Contains information on the sum of usage based on an Amazon Web Services resource.
    * **Resource** *(string) --* The Amazon Web Services resource that generated usage.
    * **Total** *(dict) --* Represents the sum total of usage for the specified resource.
      * **Amount** *(string) --* The total usage.
      * **Unit** *(string) --* The currency unit that the amount is given in.
* **SumByFeature** *(list) --* The usage statistic sum organized by feature.
  * *(dict) --* Contains information about the result of the total usage based on the feature.
    * **Feature** *(string) --* The feature that generated the usage cost.
    * **Total** *(dict) --* Contains the total usage with the corresponding currency unit for that value.
      * **Amount** *(string) --* The total usage.
      * **Unit** *(string) --* The currency unit that the amount is given in.
* **NextToken** *(string) --* The pagination parameter to be used on the next list operation to retrieve more items.

**Exceptions**

* "GuardDuty.Client.exceptions.BadRequestException"
* "GuardDuty.Client.exceptions.InternalServerErrorException"

GuardDuty / Client / create_ip_set

create_ip_set
*************

GuardDuty.Client.create_ip_set(**kwargs)

Creates a new IPSet, which is called a trusted IP list in the console user interface. An IPSet is a list of IP addresses that are trusted for secure communication with Amazon Web Services infrastructure and applications. GuardDuty doesn't generate findings for IP addresses that are included in IPSets, so every address or CIDR block you add is a deliberate blind spot: list only the specific addresses you actually trust rather than broad ranges, and pin the list's S3 bucket to the account that is supposed to own it with "ExpectedBucketOwner". Only users from the administrator account can use this operation.
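Because an IPSet suppresses every finding for the addresses it contains, the check worth running before you register one is on the list file itself. The following is an added example, not code from the boto3 documentation: it validates a plaintext list (assumed here to be the "TXT" format, one IPv4 or IPv6 address or CIDR block per line), refuses catch-alls such as 0.0.0.0/0, blocks wider than a configurable prefix length, ambiguous entries with host bits set and duplicates, checks the documented character set for Name, and only then calls create_ip_set with ExpectedBucketOwner set. FakeGuardDuty is a constructed stand-in for boto3.client('guardduty'); the prefix-length policy, the S3 URL, account ID, detector ID and the sample lists are all made up for the example.

```python
"""Validate a trusted IP list before registering it as a GuardDuty IPSet.

Added example, not part of the boto3 documentation. It assumes the "TXT" format
is one IP address or CIDR block per line. FakeGuardDuty stands in for
boto3.client("guardduty"); every identifier and sample list below is made up.
"""
import ipaddress
import re
from typing import Any, Dict, List

# This example's own policy: nothing wider than a /16 (IPv4) or /48 (IPv6).
MIN_PREFIXLEN: Dict[int, int] = {4: 16, 6: 48}
# Allowed characters for Name, as documented: alphanumeric, whitespace, dash, underscore.
NAME_RE = re.compile(r"[A-Za-z0-9\s_-]+")

GOOD_LIST = "198.51.100.10\n\n203.0.113.0/28\n2001:db8:1::/64\n"               # constructed
BAD_LIST = "198.51.100.10\n0.0.0.0/0\n10.0.0.1/8\n198.51.100.10\nnot-an-ip\n"  # constructed


def check_trusted_ip_list(text: str, min_prefixlen: Dict[int, int] = MIN_PREFIXLEN) -> List[str]:
    """Return one message per problem; an empty list means the file is safe to register.

    Every entry becomes an address GuardDuty will never raise a finding for, so
    this rejects unparsable lines, networks with host bits set (ambiguous intent),
    catch-all and over-wide prefixes, and duplicates.
    """
    problems: List[str] = []
    seen: Dict[str, int] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line)  # strict: "10.0.0.1/8" is an error
        except ValueError as exc:
            problems.append(f"line {lineno}: {exc}")
            continue
        key = str(net)
        if key in seen:
            problems.append(f"line {lineno}: {key} duplicates line {seen[key]}")
            continue
        seen[key] = lineno
        if net.prefixlen == 0:
            problems.append(f"line {lineno}: {key} trusts the entire address space")
        elif net.prefixlen < min_prefixlen[net.version]:
            problems.append(f"line {lineno}: {key} is wider than /{min_prefixlen[net.version]} "
                            f"and would silence findings for {net.num_addresses} addresses")
    return problems


def register_trusted_ip_set(client: Any, detector_id: str, name: str, location: str,
                            bucket_owner: str, list_text: str, activate: bool = True) -> str:
    """Check the name and the list, then create the IPSet and return its ID.

    `location` is the URI of the uploaded file whose content is `list_text`;
    `bucket_owner` goes into ExpectedBucketOwner so the list is read only from a
    bucket owned by that account.
    """
    if not NAME_RE.fullmatch(name):
        raise ValueError(f"IPSet name {name!r} contains characters GuardDuty does not allow")
    problems = check_trusted_ip_list(list_text)
    if problems:
        raise ValueError("refusing to register trusted IP list:\n  " + "\n  ".join(problems))
    response = client.create_ip_set(
        DetectorId=detector_id, Name=name, Format="TXT", Location=location,
        Activate=activate, ExpectedBucketOwner=bucket_owner,
    )
    return response["IpSetId"]


class FakeGuardDuty:
    """Constructed stand-in that records each create_ip_set request it receives."""

    def __init__(self, detector_id: str) -> None:
        self.detector_id = detector_id
        self.requests: List[dict] = []

    def create_ip_set(self, **kw: Any) -> dict:
        if kw.get("DetectorId") != self.detector_id:
            raise ValueError("BadRequestException: unknown DetectorId")
        self.requests.append(kw)
        return {"IpSetId": f"ipset-{len(self.requests):04d}"}


if __name__ == "__main__":
    gd = FakeGuardDuty("0123456789abcdef0123456789abcdef")  # boto3.client("guardduty") for real use
    print(check_trusted_ip_list(BAD_LIST))
    print(register_trusted_ip_set(gd, gd.detector_id, "corp egress",
                                  "https://s3.amazonaws.com/example-trusted-ips/egress.txt",
                                  "123456789012", GOOD_LIST))
```

Run the check against the exact bytes you uploaded to the Location object; the same function applies before update_ip_set, which is where an over-broad range most often slips in later.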
See also: AWS API Documentation **Request Syntax** response = client.create_ip_set( DetectorId='string', Name='string', Format='TXT'|'STIX'|'OTX_CSV'|'ALIEN_VAULT'|'PROOF_POINT'|'FIRE_EYE', Location='string', Activate=True|False, ClientToken='string', Tags={ 'string': 'string' }, ExpectedBucketOwner='string' ) Parameters: * **DetectorId** (*string*) -- **[REQUIRED]** The unique ID of the detector of the GuardDuty account for which you want to create an IPSet. To find the "detectorId" in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API. * **Name** (*string*) -- **[REQUIRED]** The user-friendly name to identify the IPSet. Allowed characters are alphanumeric, whitespace, dash (-), and underscores (_). * **Format** (*string*) -- **[REQUIRED]** The format of the file that contains the IPSet. * **Location** (*string*) -- **[REQUIRED]** The URI of the file that contains the IPSet. * **Activate** (*boolean*) -- **[REQUIRED]** A Boolean value that indicates whether GuardDuty is to start using the uploaded IPSet. * **ClientToken** (*string*) -- The idempotency token for the create request. This field is autopopulated if not provided. * **Tags** (*dict*) -- The tags to be added to a new IP set resource. * *(string) --* * *(string) --* * **ExpectedBucketOwner** (*string*) -- The Amazon Web Services account ID that owns the Amazon S3 bucket specified in the **location** parameter. Return type: dict Returns: **Response Syntax** { 'IpSetId': 'string' } **Response Structure** * *(dict) --* * **IpSetId** *(string) --* The ID of the IPSet resource. **Exceptions** * "GuardDuty.Client.exceptions.BadRequestException" * "GuardDuty.Client.exceptions.InternalServerErrorException" * "GuardDuty.Client.exceptions.AccessDeniedException" GuardDuty / Client / delete_ip_set delete_ip_set ************* GuardDuty.Client.delete_ip_set(**kwargs) Deletes the IPSet specified by the "ipSetId". 
IPSets are called trusted IP lists in the console user interface. See also: AWS API Documentation **Request Syntax** response = client.delete_ip_set( DetectorId='string', IpSetId='string' ) Parameters: * **DetectorId** (*string*) -- **[REQUIRED]** The unique ID of the detector associated with the IPSet. To find the "detectorId" in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API. * **IpSetId** (*string*) -- **[REQUIRED]** The unique ID of the IPSet to delete. Return type: dict Returns: **Response Syntax** {} **Response Structure** * *(dict) --* **Exceptions** * "GuardDuty.Client.exceptions.BadRequestException" * "GuardDuty.Client.exceptions.InternalServerErrorException" GuardDuty / Client / get_invitations_count get_invitations_count ********************* GuardDuty.Client.get_invitations_count() Returns the count of all GuardDuty membership invitations that were sent to the current member account except the currently accepted invitation. See also: AWS API Documentation **Request Syntax** response = client.get_invitations_count() Return type: dict Returns: **Response Syntax** { 'InvitationsCount': 123 } **Response Structure** * *(dict) --* * **InvitationsCount** *(integer) --* The number of received invitations. **Exceptions** * "GuardDuty.Client.exceptions.BadRequestException" * "GuardDuty.Client.exceptions.InternalServerErrorException" GuardDuty / Client / delete_detector delete_detector *************** GuardDuty.Client.delete_detector(**kwargs) Deletes an Amazon GuardDuty detector that is specified by the detector ID. See also: AWS API Documentation **Request Syntax** response = client.delete_detector( DetectorId='string' ) Parameters: **DetectorId** (*string*) -- **[REQUIRED]** The unique ID of the detector that you want to delete. To find the "detectorId" in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API. 
Return type: dict Returns: **Response Syntax** {} **Response Structure** * *(dict) --* **Exceptions** * "GuardDuty.Client.exceptions.BadRequestException" * "GuardDuty.Client.exceptions.InternalServerErrorException" GuardDuty / Client / list_detectors list_detectors ************** GuardDuty.Client.list_detectors(**kwargs) Lists detectorIds of all the existing Amazon GuardDuty detector resources. See also: AWS API Documentation **Request Syntax** response = client.list_detectors( MaxResults=123, NextToken='string' ) Parameters: * **MaxResults** (*integer*) -- You can use this parameter to indicate the maximum number of items that you want in the response. The default value is 50. The maximum value is 50. * **NextToken** (*string*) -- You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data. Return type: dict Returns: **Response Syntax** { 'DetectorIds': [ 'string', ], 'NextToken': 'string' } **Response Structure** * *(dict) --* * **DetectorIds** *(list) --* A list of detector IDs. * *(string) --* * **NextToken** *(string) --* The pagination parameter to be used on the next list operation to retrieve more items. **Exceptions** * "GuardDuty.Client.exceptions.BadRequestException" * "GuardDuty.Client.exceptions.InternalServerErrorException" GuardDuty / Client / delete_invitations delete_invitations ****************** GuardDuty.Client.delete_invitations(**kwargs) Deletes invitations sent to the current member account by Amazon Web Services accounts specified by their account IDs. 
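The MaxResults/NextToken contract documented above for list_detectors, list_filters, list_ip_sets and list_invitations is the same on each call: at most 50 items per page, a NextToken on every page but the last, and no NextToken parameter at all on the first request (boto3's parameter validation rejects NextToken=None for a string parameter, so "set it to null" means leave it out). The following is an added example, not code from the boto3 documentation, that walks every page by hand and refuses to loop on a token that never changes. FakeGuardDuty is a constructed stand-in for boto3.client('guardduty') that returns the documented response shapes offline; the detector and IPSet identifiers in it are made up.

```python
"""Walk every page of a GuardDuty list_* call by following NextToken.

Added example, not part of the boto3 documentation. FakeGuardDuty is a
constructed stand-in for boto3.client("guardduty") so that this runs offline;
its detector and IPSet identifiers are made up.
"""
from typing import Any, Callable, Iterator, List, Optional, Set

PAGE_MAX = 50  # documented ceiling (and default) for MaxResults on the list_* calls


def iter_pages(call: Callable[..., dict], key: str, **params: Any) -> Iterator[Any]:
    """Yield every item found under `key`, requesting pages until NextToken runs out.

    Rules taken from the documented contract:
      * the first request carries no NextToken at all (boto3 rejects None for
        a string parameter, so "set it to null" means leave it out);
      * each later request echoes the previous response's NextToken;
      * a missing or empty NextToken marks the last page.
    A token that repeats would loop forever, so that case becomes an error.
    """
    params = dict(params)
    params["MaxResults"] = min(int(params.get("MaxResults", PAGE_MAX)), PAGE_MAX)
    seen_tokens: Set[str] = set()
    token: Optional[str] = None
    while True:
        request = dict(params)
        if token:
            request["NextToken"] = token
        page = call(**request)
        yield from page.get(key, [])
        token = page.get("NextToken")
        if not token:
            return
        if token in seen_tokens:
            raise RuntimeError(f"NextToken {token!r} repeated; refusing to loop forever")
        seen_tokens.add(token)


def all_detector_ids(client: Any) -> List[str]:
    """Every detector ID in the current Region (normally exactly one)."""
    return list(iter_pages(client.list_detectors, "DetectorIds"))


def all_ip_set_ids(client: Any, detector_id: str) -> List[str]:
    """Every IPSet (trusted IP list) ID attached to one detector."""
    return list(iter_pages(client.list_ip_sets, "IpSetIds", DetectorId=detector_id))


class FakeGuardDuty:
    """Constructed stand-in: serves canned IDs in the documented page format."""

    def __init__(self, detector_id: str, ip_set_ids: List[str], page_size: int = 2) -> None:
        self.detector_id = detector_id
        self.ip_set_ids = ip_set_ids
        self.page_size = page_size
        self.calls = 0  # lets a caller check how many round trips were made

    def _page(self, items: List[str], key: str, kw: dict) -> dict:
        # Mimic botocore parameter validation: NextToken must be a str if present.
        if "NextToken" in kw and not isinstance(kw["NextToken"], str):
            raise TypeError("ParamValidationError: NextToken must be a string")
        self.calls += 1
        start = int(kw.get("NextToken", "0"))
        size = min(int(kw.get("MaxResults", PAGE_MAX)), self.page_size)
        page = {key: items[start:start + size]}
        if start + size < len(items):
            page["NextToken"] = str(start + size)  # opaque to callers; an offset here
        return page

    def list_detectors(self, **kw: Any) -> dict:
        return self._page([self.detector_id], "DetectorIds", kw)

    def list_ip_sets(self, **kw: Any) -> dict:
        if kw.get("DetectorId") != self.detector_id:
            raise ValueError("BadRequestException: unknown DetectorId")
        return self._page(self.ip_set_ids, "IpSetIds", kw)


if __name__ == "__main__":
    # Replace FakeGuardDuty(...) with boto3.client("guardduty") for a real account.
    gd = FakeGuardDuty("0123456789abcdef0123456789abcdef", [f"ipset-{i}" for i in range(5)])
    for det in all_detector_ids(gd):
        print(det, all_ip_set_ids(gd, det))
```

With a real client, prefer the built-in paginator wherever client.can_paginate(name) is True (client.get_paginator('list_ip_sets').paginate(DetectorId=...) performs the same walk); the hand-rolled loop is for operations without one, or when you want the repeated-token guard.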
See also: AWS API Documentation

**Request Syntax**

    response = client.delete_invitations(
        AccountIds=[
            'string',
        ]
    )

Parameters:
    **AccountIds** (*list*) -- **[REQUIRED]** A list of account IDs of the Amazon Web Services accounts that sent invitations to the current member account and whose invitations you want to delete.
        * *(string) --*

Return type: dict

Returns:
    **Response Syntax**

        {
            'UnprocessedAccounts': [
                {
                    'AccountId': 'string',
                    'Result': 'string'
                },
            ]
        }

    **Response Structure**

    * *(dict) --*
        * **UnprocessedAccounts** *(list) --* A list of objects that contain the unprocessed account and a result string that explains why it was unprocessed.
            * *(dict) --* Contains information about the accounts that weren't processed.
                * **AccountId** *(string) --* The Amazon Web Services account ID.
                * **Result** *(string) --* A reason why the account hasn't been processed.

**Exceptions**

* "GuardDuty.Client.exceptions.BadRequestException"
* "GuardDuty.Client.exceptions.InternalServerErrorException"

create_members
**************

GuardDuty.Client.create_members(**kwargs)

Creates member accounts of the current Amazon Web Services account by specifying a list of Amazon Web Services account IDs. This step is a prerequisite for managing the associated member accounts either by invitation or through an organization.

As a delegated administrator, using "CreateMembers" will enable GuardDuty in the added member accounts, with the exception of the organization delegated administrator account. A delegated administrator must enable GuardDuty prior to being added as a member.

When you use CreateMembers as an Organizations delegated administrator, GuardDuty applies your organization's auto-enable settings to the member accounts in this request, irrespective of the accounts being new or existing members. For more information about the existing auto-enable settings for your organization, see DescribeOrganizationConfiguration.
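An added example of driving create_members defensively (not boto3's or AWS's own code): each AccountDetails entry is checked against the e-mail rules listed under the AccountDetails parameter below before anything is sent, and the UnprocessedAccounts list in the response is folded into a per-account outcome, since the call can succeed for some accounts and fail for others without raising. The 12-digit account-ID check, the `_FakeClient`, and the sample accounts and addresses are constructed assumptions for an offline run.

```python
import re
from typing import Dict, List, Tuple

# Characters the page forbids in the local name (whitespace is handled separately).
_LOCAL_FORBIDDEN = set('"\'()<>[]:,|%&')
_DOMAIN_OK = re.compile(r"^[A-Za-z0-9.-]+$")
_ACCOUNT_ID = re.compile(r"^\d{12}$")  # assumption: AWS account IDs are 12 digits


def valid_member_email(email: str) -> Tuple[bool, str]:
    """Apply the AccountDetails.Email rules; return (ok, reason)."""
    if not 6 <= len(email) <= 64:
        return False, "length must be 6..64 characters"
    if not all(ord(c) < 128 for c in email):
        return False, "non-ASCII character"
    if email.count("@") != 1:
        return False, "exactly one @ required"
    local, domain = email.split("@")
    if any(c.isspace() or c in _LOCAL_FORBIDDEN for c in local):
        return False, "forbidden character in local name"
    if local.startswith("."):
        return False, "local name begins with a dot"
    if not _DOMAIN_OK.match(domain):
        return False, "domain contains a character outside [A-Za-z0-9.-]"
    if domain[0] in ".-" or domain[-1] in ".-":
        return False, "domain begins or ends with a dot or hyphen"
    if "." not in domain:
        return False, "domain needs at least one dot"
    return True, ""


def add_members(client, detector_id: str, accounts: Dict[str, str]) -> Dict[str, str]:
    """Validate locally, call create_members once, and return {account_id: outcome}."""
    outcome: Dict[str, str] = {}
    details: List[dict] = []
    for account_id, email in accounts.items():
        if not _ACCOUNT_ID.match(account_id):
            outcome[account_id] = "rejected locally: malformed account ID"
            continue
        ok, reason = valid_member_email(email)
        if not ok:
            outcome[account_id] = f"rejected locally: {reason}"
            continue
        details.append({"AccountId": account_id, "Email": email})
    if details:
        resp = client.create_members(DetectorId=detector_id, AccountDetails=details)
        # A 200 response can still carry failures; they arrive here, not as exceptions.
        for item in resp.get("UnprocessedAccounts", []):
            outcome[item["AccountId"]] = f"unprocessed: {item['Result']}"
        for d in details:
            outcome.setdefault(d["AccountId"], "created")
    return outcome


class _FakeClient:
    """Constructed stand-in for boto3.client('guardduty') so the example runs offline."""

    def __init__(self, unprocessed: List[str]):
        self._unprocessed = set(unprocessed)
        self.sent: List[dict] = []

    def create_members(self, **kwargs) -> dict:
        self.sent.append(kwargs)
        requested = {d["AccountId"] for d in kwargs["AccountDetails"]}
        return {"UnprocessedAccounts": [
            {"AccountId": a, "Result": "constructed sample failure"}
            for a in sorted(self._unprocessed & requested)]}


SAMPLE_ACCOUNTS = {  # constructed sample data, not real accounts
    "111111111111": "secops@example.com",
    "222222222222": ".bad@example.com",   # local name begins with a dot
    "333333333333": "ops@localhost",      # domain has no dot
    "444444444444": "team@example.org",
    "5555": "x@example.com",              # malformed account ID
}

if __name__ == "__main__":
    fake = _FakeClient(unprocessed=["444444444444"])
    for acct, result in add_members(fake, "12abc34d567e8fa901bc2d34e56789f0", SAMPLE_ACCOUNTS).items():
        print(acct, "->", result)
```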
If you disassociate a member account that was added by invitation, the member account details obtained from this API, including the associated email addresses, will be retained. This is done so that the delegated administrator can invoke the InviteMembers API without the need to invoke the CreateMembers API again. To remove the details associated with a member account, the delegated administrator must invoke the DeleteMembers API.

When the member accounts added through Organizations are later disassociated, you (the administrator) can't invite them by calling the InviteMembers API. You can create an association with these member accounts again only by calling the CreateMembers API.

See also: AWS API Documentation

**Request Syntax**

    response = client.create_members(
        DetectorId='string',
        AccountDetails=[
            {
                'AccountId': 'string',
                'Email': 'string'
            },
        ]
    )

Parameters:
    * **DetectorId** (*string*) -- **[REQUIRED]** The unique ID of the detector of the GuardDuty account for which you want to associate member accounts. To find the "detectorId" in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
    * **AccountDetails** (*list*) -- **[REQUIRED]** A list of account ID and email address pairs of the accounts that you want to associate with the GuardDuty administrator account.
        * *(dict) --* Contains information about the account.
            * **AccountId** *(string) --* **[REQUIRED]** The member account ID.
            * **Email** *(string) --* **[REQUIRED]** The email address of the member account. The rules for a valid email address:
                * The email address must be a minimum of 6 and a maximum of 64 characters long.
                * All characters must be 7-bit ASCII characters.
                * There must be one and only one @ symbol, which separates the local name from the domain name.
                * The local name can't contain any of the following characters: whitespace, " ' ( ) < > [ ] : ' , | % &
                * The local name can't begin with a dot (.).
                * The domain name can consist of only the characters [a-z], [A-Z], [0-9], hyphen (-), or dot (.).
                * The domain name can't begin or end with a dot (.) or hyphen (-).
                * The domain name must contain at least one dot.

Return type: dict

Returns:
    **Response Syntax**

        {
            'UnprocessedAccounts': [
                {
                    'AccountId': 'string',
                    'Result': 'string'
                },
            ]
        }

    **Response Structure**

    * *(dict) --*
        * **UnprocessedAccounts** *(list) --* A list of objects that include the "accountIds" of the unprocessed accounts and a result string that explains why each was unprocessed. The call can succeed for some accounts and not for others, so check this list rather than relying on the absence of an exception.
            * *(dict) --* Contains information about the accounts that weren't processed.
                * **AccountId** *(string) --* The Amazon Web Services account ID.
                * **Result** *(string) --* A reason why the account hasn't been processed.

**Exceptions**

* "GuardDuty.Client.exceptions.BadRequestException"
* "GuardDuty.Client.exceptions.InternalServerErrorException"

get_filter
**********

GuardDuty.Client.get_filter(**kwargs)

Returns the details of the filter specified by the filter name.

See also: AWS API Documentation

**Request Syntax**

    response = client.get_filter(
        DetectorId='string',
        FilterName='string'
    )

Parameters:
    * **DetectorId** (*string*) -- **[REQUIRED]** The unique ID of the detector that is associated with this filter. To find the "detectorId" in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
    * **FilterName** (*string*) -- **[REQUIRED]** The name of the filter you want to get.
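An added example (not boto3's or AWS's own code) for dry-running a finding filter before it is created: a filter whose Action is ARCHIVE auto-archives every matching finding, so an over-broad FindingCriteria quietly hides real alerts. `evaluate_criteria()` implements the Criterion conditions documented in the get_filter response below (Eq/Neq/Gt/Gte/Lt/Lte and their Equals/NotEquals/GreaterThan/... spellings) against a finding dict, and `findings_archived_by()` applies a list of filters in Rank order. Assumptions: criterion field names are dotted JSON paths such as "severity" or "resource.instanceDetails.instanceId", resolved case-insensitively against the PascalCase keys boto3 returns from get_findings; list conditions compare string forms and numeric conditions compare as floats; the two filters and three findings are constructed samples.

```python
from typing import Any, Dict, List, Optional

_MISSING = object()


def _lookup(obj: Any, dotted: str) -> Any:
    """Resolve 'a.b.c' against nested dicts, matching each key case-insensitively."""
    for part in dotted.split("."):
        if not isinstance(obj, dict):
            return _MISSING
        match = next((k for k in obj if k.lower() == part.lower()), None)
        if match is None:
            return _MISSING
        obj = obj[match]
    return obj


def _condition_holds(value: Any, cond: Dict[str, Any]) -> bool:
    """Every condition key present for one field must hold (AND within the field)."""
    for key, expected in cond.items():
        if key in ("Eq", "Equals"):
            if str(value) not in {str(e) for e in expected}:
                return False
        elif key in ("Neq", "NotEquals"):
            if str(value) in {str(e) for e in expected}:
                return False
        else:  # the numeric comparisons
            try:
                number = float(value)
            except (TypeError, ValueError):
                return False
            if key in ("Gt", "GreaterThan") and not number > float(expected):
                return False
            if key in ("Gte", "GreaterThanOrEqual") and not number >= float(expected):
                return False
            if key in ("Lt", "LessThan") and not number < float(expected):
                return False
            if key in ("Lte", "LessThanOrEqual") and not number <= float(expected):
                return False
    return True


def evaluate_criteria(criteria: Dict[str, Any], finding: Dict[str, Any]) -> bool:
    """True when every field in FindingCriteria.Criterion matches the finding."""
    for field, cond in criteria.get("Criterion", {}).items():
        value = _lookup(finding, field)
        if value is _MISSING or not _condition_holds(value, cond):
            return False
    return True


def findings_archived_by(filters: List[Dict[str, Any]],
                         findings: List[Dict[str, Any]]) -> Dict[str, Optional[str]]:
    """Map finding Id -> name of the first ARCHIVE filter (by Rank) that matches, else None."""
    ordered = sorted(filters, key=lambda f: f.get("Rank", 0))
    return {
        finding["Id"]: next((f["Name"] for f in ordered
                             if f.get("Action") == "ARCHIVE"
                             and evaluate_criteria(f["FindingCriteria"], finding)), None)
        for finding in findings
    }


# Constructed samples in the shape get_filter returns. The first filter mutes
# low-severity port-probe noise from one internal scanner; the second has the
# same intent but forgot the severity bound.
SCANNER_FILTER = {
    "Name": "mute-internal-scanner", "Action": "ARCHIVE", "Rank": 1,
    "FindingCriteria": {"Criterion": {
        "resource.instanceDetails.instanceId": {"Equals": ["i-0123456789abcdef0"]},
        "severity": {"LessThanOrEqual": 4},
    }},
}
OVERBROAD_FILTER = {
    "Name": "mute-scanner-host", "Action": "ARCHIVE", "Rank": 2,
    "FindingCriteria": {"Criterion": {
        "resource.instanceDetails.instanceId": {"Equals": ["i-0123456789abcdef0"]},
    }},
}
SAMPLE_FINDINGS = [  # constructed, keyed the way boto3's get_findings returns them
    {"Id": "probe-low", "Severity": 2, "Type": "Recon:EC2/PortProbeUnprotectedPort",
     "Resource": {"InstanceDetails": {"InstanceId": "i-0123456789abcdef0"}}},
    {"Id": "c2-high", "Severity": 8, "Type": "Backdoor:EC2/C&CActivity.B",
     "Resource": {"InstanceDetails": {"InstanceId": "i-0123456789abcdef0"}}},
    {"Id": "probe-other-host", "Severity": 2, "Type": "Recon:EC2/PortProbeUnprotectedPort",
     "Resource": {"InstanceDetails": {"InstanceId": "i-0fedcba9876543210"}}},
]

if __name__ == "__main__":
    print(findings_archived_by([SCANNER_FILTER], SAMPLE_FINDINGS))
    print(findings_archived_by([OVERBROAD_FILTER], SAMPLE_FINDINGS))
```

Run against a recent get_findings export, the second filter shows the high-severity C2 finding on the scanner host being archived along with the noise, which is the check worth doing before the filter is created with Action ARCHIVE.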
Return type: dict

Returns:
    **Response Syntax**

        {
            'Name': 'string',
            'Description': 'string',
            'Action': 'NOOP'|'ARCHIVE',
            'Rank': 123,
            'FindingCriteria': {
                'Criterion': {
                    'string': {
                        'Eq': [
                            'string',
                        ],
                        'Neq': [
                            'string',
                        ],
                        'Gt': 123,
                        'Gte': 123,
                        'Lt': 123,
                        'Lte': 123,
                        'Equals': [
                            'string',
                        ],
                        'NotEquals': [
                            'string',
                        ],
                        'GreaterThan': 123,
                        'GreaterThanOrEqual': 123,
                        'LessThan': 123,
                        'LessThanOrEqual': 123
                    }
                }
            },
            'Tags': {
                'string': 'string'
            }
        }

    **Response Structure**

    * *(dict) --*
        * **Name** *(string) --* The name of the filter.
        * **Description** *(string) --* The description of the filter.
        * **Action** *(string) --* Specifies the action that is to be applied to the findings that match the filter. "ARCHIVE" auto-archives matching findings, so an over-broad criterion silently suppresses them; "NOOP" takes no action.
        * **Rank** *(integer) --* Specifies the position of the filter in the list of current filters. Also specifies the order in which this filter is applied to the findings.
        * **FindingCriteria** *(dict) --* Represents the criteria to be used in the filter for querying findings.
            * **Criterion** *(dict) --* Represents a map of finding properties that match specified conditions and values when querying findings.
                * *(string) --*
                    * *(dict) --* Contains information about the condition.
                        * **Eq** *(list) --* Represents the *equal* condition to be applied to a single field when querying for findings.
                            * *(string) --*
                        * **Neq** *(list) --* Represents the *not equal* condition to be applied to a single field when querying for findings.
                            * *(string) --*
                        * **Gt** *(integer) --* Represents a *greater than* condition to be applied to a single field when querying for findings.
                        * **Gte** *(integer) --* Represents a *greater than or equal* condition to be applied to a single field when querying for findings.
                        * **Lt** *(integer) --* Represents a *less than* condition to be applied to a single field when querying for findings.
                        * **Lte** *(integer) --* Represents a *less than or equal* condition to be applied to a single field when querying for findings.
                        * **Equals** *(list) --* Represents an *equal* condition to be applied to a single field when querying for findings.
                            * *(string) --*
                        * **NotEquals** *(list) --* Represents a *not equal* condition to be applied to a single field when querying for findings.
                            * *(string) --*
                        * **GreaterThan** *(integer) --* Represents a *greater than* condition to be applied to a single field when querying for findings.
                        * **GreaterThanOrEqual** *(integer) --* Represents a *greater than or equal* condition to be applied to a single field when querying for findings.
                        * **LessThan** *(integer) --* Represents a *less than* condition to be applied to a single field when querying for findings.
                        * **LessThanOrEqual** *(integer) --* Represents a *less than or equal* condition to be applied to a single field when querying for findings.
        * **Tags** *(dict) --* The tags of the filter resource.
            * *(string) --*
                * *(string) --*

**Exceptions**

* "GuardDuty.Client.exceptions.BadRequestException"
* "GuardDuty.Client.exceptions.InternalServerErrorException"

get_detector
************

GuardDuty.Client.get_detector(**kwargs)

Retrieves a GuardDuty detector specified by the detectorId.

There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints.

See also: AWS API Documentation

**Request Syntax**

    response = client.get_detector(
        DetectorId='string'
    )

Parameters:
    **DetectorId** (*string*) -- **[REQUIRED]** The unique ID of the detector that you want to get. To find the "detectorId" in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
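An added coverage audit (not boto3's or AWS's own code) that serves both get_detector and describe_organization_configuration: `audit_detector()` reads the get_detector response documented below and reports a detector that is not ENABLED, a publishing frequency off the baseline, and expected features that are off; `runtime_features_conflict()` catches the documented rejection of EKS_RUNTIME_MONITORING and RUNTIME_MONITORING being requested together; `audit_organization()` reads the describe_organization_configuration response documented further down, where anything other than "ALL" for AutoEnableOrganizationMembers or a feature's AutoEnable leaves existing or rejoining accounts uncovered. The feature baseline, the FIFTEEN_MINUTES expectation, the `_FakeClient`, and both sample responses are constructed assumptions for an offline run.

```python
from typing import Dict, List

# Baseline a practitioner might expect on every detector (assumption: adjust
# to your own policy; the names are documented Features.Name values).
EXPECTED_FEATURES = {"CLOUD_TRAIL", "DNS_LOGS", "FLOW_LOGS", "S3_DATA_EVENTS", "RUNTIME_MONITORING"}
EXPECTED_FREQUENCY = "FIFTEEN_MINUTES"


def audit_detector(detector: dict) -> List[str]:
    """Points of concern in one get_detector response."""
    issues: List[str] = []
    if detector.get("Status") != "ENABLED":
        issues.append(f"detector status is {detector.get('Status')}")
    freq = detector.get("FindingPublishingFrequency")
    if freq != EXPECTED_FREQUENCY:
        issues.append(f"FindingPublishingFrequency is {freq}; baseline expects {EXPECTED_FREQUENCY}")
    enabled = {f["Name"] for f in detector.get("Features", []) if f.get("Status") == "ENABLED"}
    for name in sorted(EXPECTED_FEATURES - enabled):
        issues.append(f"feature {name} is not enabled")
    return issues


def runtime_features_conflict(features: List[dict]) -> bool:
    """True for a Features list the service rejects: both runtime features enabled at once."""
    names = {f["Name"] for f in features if f.get("Status") == "ENABLED"}
    return {"EKS_RUNTIME_MONITORING", "RUNTIME_MONITORING"} <= names


def audit_organization(config: dict) -> List[str]:
    """Points of concern in one describe_organization_configuration response."""
    issues: List[str] = []
    mode = config.get("AutoEnableOrganizationMembers")
    if mode != "ALL":
        issues.append(f"AutoEnableOrganizationMembers is {mode}; existing or rejoining accounts may stay uncovered")
    for feat in config.get("Features", []):
        if feat.get("AutoEnable") != "ALL":
            issues.append(f"feature {feat['Name']} auto-enable is {feat.get('AutoEnable')}")
        for extra in feat.get("AdditionalConfiguration", []):
            if extra.get("AutoEnable") != "ALL":
                issues.append(f"{feat['Name']}/{extra['Name']} auto-enable is {extra.get('AutoEnable')}")
    if config.get("MemberAccountLimitReached"):
        issues.append("member account limit reached; further accounts will not be added")
    return issues


def audit(client, detector_id: str) -> Dict[str, List[str]]:
    """Run both audits through a (real or fake) GuardDuty client."""
    return {
        "detector": audit_detector(client.get_detector(DetectorId=detector_id)),
        "organization": audit_organization(
            client.describe_organization_configuration(DetectorId=detector_id)),
    }


# Constructed sample responses in the documented shapes, trimmed to the keys used.
SAMPLE_DETECTOR = {
    "Status": "ENABLED", "FindingPublishingFrequency": "SIX_HOURS",
    "Features": [
        {"Name": "CLOUD_TRAIL", "Status": "ENABLED"},
        {"Name": "DNS_LOGS", "Status": "ENABLED"},
        {"Name": "FLOW_LOGS", "Status": "ENABLED"},
        {"Name": "S3_DATA_EVENTS", "Status": "DISABLED"},
        {"Name": "RUNTIME_MONITORING", "Status": "ENABLED"},
    ],
}
SAMPLE_ORG_CONFIG = {
    "AutoEnableOrganizationMembers": "NEW", "MemberAccountLimitReached": False,
    "Features": [
        {"Name": "S3_DATA_EVENTS", "AutoEnable": "ALL", "AdditionalConfiguration": []},
        {"Name": "RUNTIME_MONITORING", "AutoEnable": "NEW",
         "AdditionalConfiguration": [{"Name": "EC2_AGENT_MANAGEMENT", "AutoEnable": "NONE"}]},
    ],
}


class _FakeClient:
    """Constructed stand-in for boto3.client('guardduty') so the example runs offline."""

    def get_detector(self, DetectorId: str) -> dict:
        return SAMPLE_DETECTOR

    def describe_organization_configuration(self, DetectorId: str, **kwargs) -> dict:
        return SAMPLE_ORG_CONFIG


if __name__ == "__main__":
    for scope, issues in audit(_FakeClient(), "12abc34d567e8fa901bc2d34e56789f0").items():
        print(scope, issues)
```

Run per Region with a real client in a scheduled job, the two issue lists are the drift report a detection team wants: a feature switched off in one account, or an organization setting moved from ALL to NEW, shows up before the gap is exploited.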
Return type: dict

Returns:
    **Response Syntax**

        {
            'CreatedAt': 'string',
            'FindingPublishingFrequency': 'FIFTEEN_MINUTES'|'ONE_HOUR'|'SIX_HOURS',
            'ServiceRole': 'string',
            'Status': 'ENABLED'|'DISABLED',
            'UpdatedAt': 'string',
            'DataSources': {
                'CloudTrail': {
                    'Status': 'ENABLED'|'DISABLED'
                },
                'DNSLogs': {
                    'Status': 'ENABLED'|'DISABLED'
                },
                'FlowLogs': {
                    'Status': 'ENABLED'|'DISABLED'
                },
                'S3Logs': {
                    'Status': 'ENABLED'|'DISABLED'
                },
                'Kubernetes': {
                    'AuditLogs': {
                        'Status': 'ENABLED'|'DISABLED'
                    }
                },
                'MalwareProtection': {
                    'ScanEc2InstanceWithFindings': {
                        'EbsVolumes': {
                            'Status': 'ENABLED'|'DISABLED',
                            'Reason': 'string'
                        }
                    },
                    'ServiceRole': 'string'
                }
            },
            'Tags': {
                'string': 'string'
            },
            'Features': [
                {
                    'Name': 'FLOW_LOGS'|'CLOUD_TRAIL'|'DNS_LOGS'|'S3_DATA_EVENTS'|'EKS_AUDIT_LOGS'|'EBS_MALWARE_PROTECTION'|'RDS_LOGIN_EVENTS'|'EKS_RUNTIME_MONITORING'|'LAMBDA_NETWORK_LOGS'|'RUNTIME_MONITORING',
                    'Status': 'ENABLED'|'DISABLED',
                    'UpdatedAt': datetime(2015, 1, 1),
                    'AdditionalConfiguration': [
                        {
                            'Name': 'EKS_ADDON_MANAGEMENT'|'ECS_FARGATE_AGENT_MANAGEMENT'|'EC2_AGENT_MANAGEMENT',
                            'Status': 'ENABLED'|'DISABLED',
                            'UpdatedAt': datetime(2015, 1, 1)
                        },
                    ]
                },
            ]
        }

    **Response Structure**

    * *(dict) --*
        * **CreatedAt** *(string) --* The timestamp of when the detector was created.
        * **FindingPublishingFrequency** *(string) --* The publishing frequency of the finding.
        * **ServiceRole** *(string) --* The GuardDuty service role.
        * **Status** *(string) --* The detector status.
        * **UpdatedAt** *(string) --* The last-updated timestamp for the detector.
        * **DataSources** *(dict) --* Describes which data sources are enabled for the detector.
            * **CloudTrail** *(dict) --* An object that contains information on the status of CloudTrail as a data source.
                * **Status** *(string) --* Describes whether CloudTrail is enabled as a data source for the detector.
            * **DNSLogs** *(dict) --* An object that contains information on the status of DNS logs as a data source.
                * **Status** *(string) --* Denotes whether DNS logs are enabled as a data source.
            * **FlowLogs** *(dict) --* An object that contains information on the status of VPC flow logs as a data source.
                * **Status** *(string) --* Denotes whether VPC flow logs are enabled as a data source.
            * **S3Logs** *(dict) --* An object that contains information on the status of S3 data event logs as a data source.
                * **Status** *(string) --* Describes whether S3 data event logs are enabled as a data source for the detector.
            * **Kubernetes** *(dict) --* An object that contains information on the status of all Kubernetes data sources.
                * **AuditLogs** *(dict) --* Describes whether Kubernetes audit logs are enabled as a data source.
                    * **Status** *(string) --* A value that describes whether Kubernetes audit logs are enabled as a data source.
            * **MalwareProtection** *(dict) --* Describes the configuration of Malware Protection data sources.
                * **ScanEc2InstanceWithFindings** *(dict) --* Describes the configuration of Malware Protection for EC2 instances with findings.
                    * **EbsVolumes** *(dict) --* Describes the configuration of scanning EBS volumes as a data source.
                        * **Status** *(string) --* Describes whether scanning EBS volumes is enabled as a data source.
                        * **Reason** *(string) --* Specifies the reason why scanning EBS volumes (Malware Protection) was not enabled as a data source.
                * **ServiceRole** *(string) --* The GuardDuty Malware Protection service role.
        * **Tags** *(dict) --* The tags of the detector resource.
            * *(string) --*
                * *(string) --*
        * **Features** *(list) --* Describes the features that have been enabled for the detector.
            * *(dict) --* Contains information about a GuardDuty feature. Specifying both EKS Runtime Monitoring ( "EKS_RUNTIME_MONITORING") and Runtime Monitoring ( "RUNTIME_MONITORING") will cause an error. You can add only one of these two features because Runtime Monitoring already includes the threat detection for Amazon EKS resources.
              For more information, see Runtime Monitoring.
                * **Name** *(string) --* Indicates the name of the feature that can be enabled for the detector.
                * **Status** *(string) --* Indicates the status of the feature that is enabled for the detector.
                * **UpdatedAt** *(datetime) --* The timestamp at which the feature object was updated.
                * **AdditionalConfiguration** *(list) --* Additional configuration for a resource.
                    * *(dict) --* Information about the additional configuration.
                        * **Name** *(string) --* Name of the additional configuration.
                        * **Status** *(string) --* Status of the additional configuration.
                        * **UpdatedAt** *(datetime) --* The timestamp at which the additional configuration was last updated. This is in UTC format.

**Exceptions**

* "GuardDuty.Client.exceptions.BadRequestException"
* "GuardDuty.Client.exceptions.InternalServerErrorException"

describe_organization_configuration
***********************************

GuardDuty.Client.describe_organization_configuration(**kwargs)

Returns information about the account selected as the delegated administrator for GuardDuty.

There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints.

See also: AWS API Documentation

**Request Syntax**

    response = client.describe_organization_configuration(
        DetectorId='string',
        MaxResults=123,
        NextToken='string'
    )

Parameters:
    * **DetectorId** (*string*) -- **[REQUIRED]** The detector ID of the delegated administrator for which you need to retrieve the information. To find the "detectorId" in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
    * **MaxResults** (*integer*) -- The maximum number of items that you want in the response.
    * **NextToken** (*string*) -- Use this parameter when paginating results. Omit it on your first call to the list action. For subsequent calls, set "NextToken" to the value of "NextToken" from the previous response to continue listing data.

Return type: dict

Returns:
    **Response Syntax**

        {
            'AutoEnable': True|False,
            'MemberAccountLimitReached': True|False,
            'DataSources': {
                'S3Logs': {
                    'AutoEnable': True|False
                },
                'Kubernetes': {
                    'AuditLogs': {
                        'AutoEnable': True|False
                    }
                },
                'MalwareProtection': {
                    'ScanEc2InstanceWithFindings': {
                        'EbsVolumes': {
                            'AutoEnable': True|False
                        }
                    }
                }
            },
            'Features': [
                {
                    'Name': 'S3_DATA_EVENTS'|'EKS_AUDIT_LOGS'|'EBS_MALWARE_PROTECTION'|'RDS_LOGIN_EVENTS'|'EKS_RUNTIME_MONITORING'|'LAMBDA_NETWORK_LOGS'|'RUNTIME_MONITORING',
                    'AutoEnable': 'NEW'|'NONE'|'ALL',
                    'AdditionalConfiguration': [
                        {
                            'Name': 'EKS_ADDON_MANAGEMENT'|'ECS_FARGATE_AGENT_MANAGEMENT'|'EC2_AGENT_MANAGEMENT',
                            'AutoEnable': 'NEW'|'NONE'|'ALL'
                        },
                    ]
                },
            ],
            'NextToken': 'string',
            'AutoEnableOrganizationMembers': 'NEW'|'ALL'|'NONE'
        }

    **Response Structure**

    * *(dict) --*
        * **AutoEnable** *(boolean) --* Indicates whether GuardDuty is automatically enabled for accounts added to the organization. Even though this is still supported, we recommend using "AutoEnableOrganizationMembers" to achieve similar results.
        * **MemberAccountLimitReached** *(boolean) --* Indicates whether the maximum number of allowed member accounts is already associated with the delegated administrator account for your organization.
        * **DataSources** *(dict) --* Describes which data sources are enabled automatically for member accounts.
            * **S3Logs** *(dict) --* Describes whether S3 data event logs are enabled as a data source.
                * **AutoEnable** *(boolean) --* A value that describes whether S3 data event logs are automatically enabled for new members of the organization.
            * **Kubernetes** *(dict) --* Describes the configuration of Kubernetes data sources.
                * **AuditLogs** *(dict) --* The current configuration of Kubernetes audit logs as a data source for the organization.
                    * **AutoEnable** *(boolean) --* Whether the Kubernetes audit logs data source should be auto-enabled for new members joining the organization.
            * **MalwareProtection** *(dict) --* Describes the configuration of the Malware Protection data source for an organization.
                * **ScanEc2InstanceWithFindings** *(dict) --* Describes the configuration for scanning EC2 instances with findings for an organization.
                    * **EbsVolumes** *(dict) --* Describes the configuration for scanning EBS volumes for an organization.
                        * **AutoEnable** *(boolean) --* An object that contains the status of whether scanning EBS volumes should be auto-enabled for new members joining the organization.
        * **Features** *(list) --* A list of features that are configured for this organization.
            * *(dict) --* A list of features which will be configured for the organization.
                * **Name** *(string) --* The name of the feature that is configured for the member accounts within the organization.
                * **AutoEnable** *(string) --* Describes the status of the feature that is configured for the member accounts within the organization.
                    * "NEW": Indicates that when a new account joins the organization, it will have the feature enabled automatically.
                    * "ALL": Indicates that all accounts in the organization have the feature enabled automatically. This includes "NEW" accounts that join the organization and accounts that may have been suspended or removed from the organization in GuardDuty.
                    * "NONE": Indicates that the feature will not be automatically enabled for any account in the organization. In this case, each account will be managed individually by the administrator.
                * **AdditionalConfiguration** *(list) --* The additional configuration that is configured for the member accounts within the organization.
                    * *(dict) --* A list of additional configuration which will be configured for the organization.
                        * **Name** *(string) --* The name of the additional configuration that is configured for the member accounts within the organization. These values are applicable only to the Runtime Monitoring protection plan.
                        * **AutoEnable** *(string) --* Describes the status of the additional configuration that is configured for the member accounts within the organization. One of the following values is the status for the entire organization:
                            * "NEW": Indicates that when a new account joins the organization, it will have the additional configuration enabled automatically.
                            * "ALL": Indicates that all accounts in the organization have the additional configuration enabled automatically. This includes "NEW" accounts that join the organization and accounts that may have been suspended or removed from the organization in GuardDuty. It may take up to 24 hours to update the configuration for all the member accounts.
                            * "NONE": Indicates that the additional configuration will not be automatically enabled for any account in the organization. The administrator must manage the additional configuration for each account individually.
        * **NextToken** *(string) --* The pagination parameter to be used on the next list operation to retrieve more items.
        * **AutoEnableOrganizationMembers** *(string) --* Indicates the auto-enablement configuration of GuardDuty or any of the corresponding protection plans for the member accounts in the organization.
            * "NEW": Indicates that when a new account joins the organization, it will have GuardDuty or any of the corresponding protection plans enabled automatically.
            * "ALL": Indicates that all accounts in the organization have GuardDuty and any of the corresponding protection plans enabled automatically. This includes "NEW" accounts that join the organization and accounts that may have been suspended or removed from the organization in GuardDuty.
            * "NONE": Indicates that GuardDuty or any of the corresponding protection plans will not be automatically enabled for any account in the organization. The administrator must manage GuardDuty for each account in the organization individually. When you update the auto-enable setting from "ALL" or "NEW" to "NONE", this action doesn't disable the corresponding option for your existing accounts. The new setting applies to accounts that join the organization afterwards: after the update, no new account will have the corresponding option enabled.

**Exceptions**

* "GuardDuty.Client.exceptions.BadRequestException"
* "GuardDuty.Client.exceptions.InternalServerErrorException"

list_members
************

GuardDuty.Client.list_members(**kwargs)

Lists details about all member accounts for the current GuardDuty administrator account.

See also: AWS API Documentation

**Request Syntax**

    response = client.list_members(
        DetectorId='string',
        MaxResults=123,
        NextToken='string',
        OnlyAssociated='string'
    )

Parameters:
    * **DetectorId** (*string*) -- **[REQUIRED]** The unique ID of the detector that is associated with the member. To find the "detectorId" in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
    * **MaxResults** (*integer*) -- The maximum number of items you want in the response. The default value is 50. The maximum value is 50.
    * **NextToken** (*string*) -- Use this parameter when paginating results. Omit it on your first call to the list action. For subsequent calls, set "NextToken" to the value of "NextToken" from the previous response to continue listing data.
    * **OnlyAssociated** (*string*) -- Specifies whether to return only associated members or all members (including members who haven't been invited yet or have been disassociated).
      Member accounts must have been previously associated with the GuardDuty administrator account using CreateMembers.

Return type: dict

Returns:
    **Response Syntax**

        {
            'Members': [
                {
                    'AccountId': 'string',
                    'DetectorId': 'string',
                    'MasterId': 'string',
                    'Email': 'string',
                    'RelationshipStatus': 'string',
                    'InvitedAt': 'string',
                    'UpdatedAt': 'string',
                    'AdministratorId': 'string'
                },
            ],
            'NextToken': 'string'
        }

    **Response Structure**

    * *(dict) --*
        * **Members** *(list) --* A list of members.

          Note: The values for "email" and "invitedAt" are available only if the member accounts were added by invitation.

            * *(dict) --* Contains information about the member account.
                * **AccountId** *(string) --* The ID of the member account.
                * **DetectorId** *(string) --* The detector ID of the member account.
                * **MasterId** *(string) --* The administrator account ID.
                * **Email** *(string) --* The email address of the member account.
                * **RelationshipStatus** *(string) --* The status of the relationship between the member and the administrator.
                * **InvitedAt** *(string) --* The timestamp when the invitation was sent.
                * **UpdatedAt** *(string) --* The last-updated timestamp of the member.
                * **AdministratorId** *(string) --* The administrator account ID.
        * **NextToken** *(string) --* The pagination parameter to be used on the next list operation to retrieve more items.

**Exceptions**

* "GuardDuty.Client.exceptions.BadRequestException"
* "GuardDuty.Client.exceptions.InternalServerErrorException"

delete_members
**************

GuardDuty.Client.delete_members(**kwargs)

Deletes the GuardDuty member accounts (associated with the current GuardDuty administrator account) specified by the account IDs.

With the "autoEnableOrganizationMembers" configuration for your organization set to "ALL", you'll receive an error if you attempt to disable GuardDuty for a member account in your organization.
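An added example (not boto3's or AWS's own code) that applies the member rules stated above before calling delete_members: list_members returns Email and InvitedAt only for accounts added by invitation, so their absence marks an Organizations-managed member, which the create_members documentation says cannot be re-invited once disassociated, only re-created; and delete_members is refused for organization members while AutoEnableOrganizationMembers is "ALL". `plan_removal()` classifies each target accordingly and `remove_members()` executes the plan, folding UnprocessedAccounts into the result. Assumptions: the caller has already collected all list_members pages and the describe_organization_configuration response; the classification of invited versus organization members rests solely on the documented Email/InvitedAt presence; the `_FakeClient` and the sample members are constructed for an offline run.

```python
from typing import Dict, List


def classify_member(member: dict) -> str:
    """'invited' when the invitation-only fields are present, otherwise 'organization'."""
    return "invited" if member.get("Email") or member.get("InvitedAt") else "organization"


def plan_removal(members: List[dict], org_config: dict, targets: List[str]) -> Dict[str, str]:
    """Map each target account ID to 'delete...' or to the reason it is skipped.

    members: the Members entries from every list_members page;
    org_config: one describe_organization_configuration response.
    """
    by_id = {m["AccountId"]: m for m in members}
    org_locked = org_config.get("AutoEnableOrganizationMembers") == "ALL"
    plan: Dict[str, str] = {}
    for acct in targets:
        member = by_id.get(acct)
        if member is None:
            plan[acct] = "skip: not a member of this administrator account"
        elif classify_member(member) == "organization" and org_locked:
            plan[acct] = ("skip: AutoEnableOrganizationMembers is ALL, the service refuses "
                          "to disable organization members; change the setting first")
        elif classify_member(member) == "organization":
            plan[acct] = ("delete (Organizations-managed: cannot be re-invited later, "
                          "only re-created with create_members)")
        else:
            plan[acct] = "delete"
    return plan


def remove_members(client, detector_id: str, members: List[dict],
                   org_config: dict, targets: List[str]) -> Dict[str, str]:
    """Plan, call delete_members for the deletable subset, and report per-account outcomes."""
    plan = plan_removal(members, org_config, targets)
    to_delete = [acct for acct, decision in plan.items() if decision.startswith("delete")]
    if to_delete:
        resp = client.delete_members(DetectorId=detector_id, AccountIds=to_delete)
        for item in resp.get("UnprocessedAccounts", []):  # failures come back here, not as exceptions
            plan[item["AccountId"]] = f"unprocessed: {item['Result']}"
    return plan


class _FakeClient:
    """Constructed stand-in for boto3.client('guardduty') so the example runs offline."""

    def __init__(self, failing: List[str]):
        self._failing = set(failing)
        self.deleted: List[str] = []

    def delete_members(self, DetectorId: str, AccountIds: List[str]) -> dict:
        self.deleted.extend(AccountIds)
        return {"UnprocessedAccounts": [
            {"AccountId": a, "Result": "constructed sample failure"}
            for a in AccountIds if a in self._failing]}


SAMPLE_MEMBERS = [  # constructed list_members output
    {"AccountId": "111111111111", "RelationshipStatus": "Enabled",
     "Email": "sec@example.com", "InvitedAt": "2024-01-01T00:00:00.000Z"},
    {"AccountId": "222222222222", "RelationshipStatus": "Enabled"},  # no Email/InvitedAt: org-managed
    {"AccountId": "333333333333", "RelationshipStatus": "Enabled",
     "Email": "ops@example.org", "InvitedAt": "2024-02-01T00:00:00.000Z"},
]
TARGETS = ["111111111111", "222222222222", "333333333333", "999999999999"]

if __name__ == "__main__":
    fake = _FakeClient(failing=["333333333333"])
    for acct, result in remove_members(fake, "12abc34d567e8fa901bc2d34e56789f0", SAMPLE_MEMBERS,
                                       {"AutoEnableOrganizationMembers": "NEW"}, TARGETS).items():
        print(acct, "->", result)
```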
See also: AWS API Documentation

**Request Syntax**

    response = client.delete_members(
        DetectorId='string',
        AccountIds=[
            'string',
        ]
    )

Parameters:
    * **DetectorId** (*string*) -- **[REQUIRED]** The unique ID of the detector of the GuardDuty account whose members you want to delete. To find the "detectorId" in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
    * **AccountIds** (*list*) -- **[REQUIRED]** A list of account IDs of the GuardDuty member accounts that you want to delete.
        * *(string) --*

Return type: dict

Returns:
    **Response Syntax**

        {
            'UnprocessedAccounts': [
                {
                    'AccountId': 'string',
                    'Result': 'string'
                },
            ]
        }

    **Response Structure**

    * *(dict) --*
        * **UnprocessedAccounts** *(list) --* The accounts that could not be processed.
            * *(dict) --* Contains information about the accounts that weren't processed.
                * **AccountId** *(string) --* The Amazon Web Services account ID.
                * **Result** *(string) --* A reason why the account hasn't been processed.

**Exceptions**

* "G=uardDuty.Client.exceptions.BadRequestException"
* "GuardDuty.Client.exceptions.InternalServerErrorException"

list_tags_for_resource
**********************

GuardDuty.Client.list_tags_for_resource(**kwargs)

Lists tags for a resource. Tagging is currently supported for detectors, finding filters, IP sets, threat intel sets, and publishing destinations, with a limit of 50 tags per resource. When invoked, this operation returns all assigned tags for a given resource.

See also: AWS API Documentation

**Request Syntax**

    response = client.list_tags_for_resource(
        ResourceArn='string'
    )

Parameters:
    **ResourceArn** (*string*) -- **[REQUIRED]** The Amazon Resource Name (ARN) for the given GuardDuty resource.

Return type: dict

Returns:
    **Response Syntax**

        {
            'Tags': {
                'string': 'string'
            }
        }

    **Response Structure**

    * *(dict) --*
        * **Tags** *(dict) --* The tags associated with the resource.
            * *(string) --*
                * *(string) --*

**Exceptions**

* "GuardDuty.Client.exceptions.BadRequestException"
* "GuardDuty.Client.exceptions.AccessDeniedException"
* "GuardDuty.Client.exceptions.InternalServerErrorException"

get_malware_scan_settings
*************************

GuardDuty.Client.get_malware_scan_settings(**kwargs)

Returns the details of the malware scan settings.

There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints.

See also: AWS API Documentation

**Request Syntax**

    response = client.get_malware_scan_settings(
        DetectorId='string'
    )

Parameters:
    **DetectorId** (*string*) -- **[REQUIRED]** The unique ID of the detector that is associated with this scan. To find the "detectorId" in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.

Return type: dict

Returns:
    **Response Syntax**

        {
            'ScanResourceCriteria': {
                'Include': {
                    'string': {
                        'MapEquals': [
                            {
                                'Key': 'string',
                                'Value': 'string'
                            },
                        ]
                    }
                },
                'Exclude': {
                    'string': {
                        'MapEquals': [
                            {
                                'Key': 'string',
                                'Value': 'string'
                            },
                        ]
                    }
                }
            },
            'EbsSnapshotPreservation': 'NO_RETENTION'|'RETENTION_WITH_FINDING'
        }

    **Response Structure**

    * *(dict) --*
        * **ScanResourceCriteria** *(dict) --* Represents the criteria to be used in the filter for scanning resources.
            * **Include** *(dict) --* Represents a condition that, when matched, will allow a malware scan for a certain resource.
                * *(string) --* An enum value representing possible resource properties to match with the given scan condition.
                    * *(dict) --* Contains information about the condition.
                        * **MapEquals** *(list) --* Represents a *mapEquals* condition to be applied to a single field when triggering a malware scan.
                            * *(dict) --* Represents the "key:value" pair to be matched against the given resource property.
                                * **Key** *(string) --* Represents the **key** in the map condition.
                                * **Value** *(string) --* Represents the optional **value** in the map condition. If not specified, only the **key** will be matched.
            * **Exclude** *(dict) --* Represents a condition that, when matched, will prevent a malware scan for a certain resource.
                * *(string) --* An enum value representing possible resource properties to match with the given scan condition.
                    * *(dict) --* Contains information about the condition.
                        * **MapEquals** *(list) --* Represents a *mapEquals* condition to be applied to a single field when triggering a malware scan.
                            * *(dict) --* Represents the "key:value" pair to be matched against the given resource property.
                                * **Key** *(string) --* Represents the **key** in the map condition.
                                * **Value** *(string) --* Represents the optional **value** in the map condition. If not specified, only the **key** will be matched.
        * **EbsSnapshotPreservation** *(string) --* An enum value representing possible snapshot preservation settings.

**Exceptions**

* "GuardDuty.Client.exceptions.BadRequestException"
* "GuardDuty.Client.exceptions.InternalServerErrorException"

update_findings_feedback
************************

GuardDuty.Client.update_findings_feedback(**kwargs)

Marks the specified GuardDuty findings as useful or not useful.

See also: AWS API Documentation

**Request Syntax**

    response = client.update_findings_feedback(
        DetectorId='string',
        FindingIds=[
            'string',
        ],
        Feedback='USEFUL'|'NOT_USEFUL',
        Comments='string'
    )

Parameters:
    * **DetectorId** (*string*) -- **[REQUIRED]** The ID of the detector that is associated with the findings for which you want to update the feedback. To find the "detectorId" in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
    * **FindingIds** (*list*) -- **[REQUIRED]** The IDs of the findings that you want to mark as useful or not useful.
        * *(string) --*
    * **Feedback** (*string*) -- **[REQUIRED]** The feedback for the finding.
    * **Comments** (*string*) -- Additional feedback about the GuardDuty findings.

Return type: dict

Returns:
    **Response Syntax**

        {}

    **Response Structure**

    * *(dict) --*

**Exceptions**

* "GuardDuty.Client.exceptions.BadRequestException"
* "GuardDuty.Client.exceptions.InternalServerErrorException"

update_malware_protection_plan
******************************

GuardDuty.Client.update_malware_protection_plan(**kwargs)

Updates an existing Malware Protection plan resource.

See also: AWS API Documentation

**Request Syntax**

    response = client.update_malware_protection_plan(
        MalwareProtectionPlanId='string',
        Role='string',
        Actions={
            'Tagging': {
                'Status': 'ENABLED'|'DISABLED'
            }
        },
        ProtectedResource={
            'S3Bucket': {
                'ObjectPrefixes': [
                    'string',
                ]
            }
        }
    )

Parameters:
    * **MalwareProtectionPlanId** (*string*) -- **[REQUIRED]** A unique identifier associated with the Malware Protection plan.
    * **Role** (*string*) -- Amazon Resource Name (ARN) of the IAM role with permissions to scan and add tags to the associated protected resource.
    * **Actions** (*dict*) -- Information about whether tags will be added to the S3 object after scanning.
        * **Tagging** *(dict) --* Indicates whether the scanned S3 object will have tags about the scan result.
            * **Status** *(string) --* Indicates whether or not the tags will be added.
    * **ProtectedResource** (*dict*) -- Information about the protected resource that is associated with the created Malware Protection plan. Presently, "S3Bucket" is the only supported protected resource.
        * **S3Bucket** *(dict) --* Information about the protected S3 bucket resource.
            * **ObjectPrefixes** *(list) --* Information about the specified object prefixes. An S3 object will be scanned only if it belongs to one of the specified object prefixes.
        * *(string) --*

Returns: None

**Exceptions**

* "GuardDuty.Client.exceptions.BadRequestException"
* "GuardDuty.Client.exceptions.AccessDeniedException"
* "GuardDuty.Client.exceptions.ResourceNotFoundException"
* "GuardDuty.Client.exceptions.InternalServerErrorException"

untag_resource
**************

GuardDuty.Client.untag_resource(**kwargs)

Removes tags from a resource.

See also: AWS API Documentation

**Request Syntax**

    response = client.untag_resource(
        ResourceArn='string',
        TagKeys=[
            'string',
        ]
    )

Parameters:
  * **ResourceArn** (*string*) -- **[REQUIRED]** The Amazon Resource Name (ARN) for the resource to remove tags from.
  * **TagKeys** (*list*) -- **[REQUIRED]** The tag keys to remove from the resource.
    * *(string) --*

Return type: dict

Returns:
  **Response Syntax**

      {}

  **Response Structure**

  * *(dict) --*

**Exceptions**

* "GuardDuty.Client.exceptions.BadRequestException"
* "GuardDuty.Client.exceptions.AccessDeniedException"
* "GuardDuty.Client.exceptions.InternalServerErrorException"

create_threat_intel_set
***********************

GuardDuty.Client.create_threat_intel_set(**kwargs)

Creates a new ThreatIntelSet. ThreatIntelSets consist of known malicious IP addresses. GuardDuty generates findings based on ThreatIntelSets. Only users of the administrator account can use this operation.

See also: AWS API Documentation

**Request Syntax**

    response = client.create_threat_intel_set(
        DetectorId='string',
        Name='string',
        Format='TXT'|'STIX'|'OTX_CSV'|'ALIEN_VAULT'|'PROOF_POINT'|'FIRE_EYE',
        Location='string',
        Activate=True|False,
        ClientToken='string',
        Tags={
            'string': 'string'
        },
        ExpectedBucketOwner='string'
    )

Parameters:
  * **DetectorId** (*string*) -- **[REQUIRED]** The unique ID of the detector of the GuardDuty account for which you want to create a "ThreatIntelSet". To find the "detectorId" in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
  * **Name** (*string*) -- **[REQUIRED]** A user-friendly ThreatIntelSet name displayed in all findings that are generated by activity that involves IP addresses included in this ThreatIntelSet.
  * **Format** (*string*) -- **[REQUIRED]** The format of the file that contains the ThreatIntelSet.
  * **Location** (*string*) -- **[REQUIRED]** The URI of the file that contains the ThreatIntelSet.
  * **Activate** (*boolean*) -- **[REQUIRED]** A Boolean value that indicates whether GuardDuty is to start using the uploaded ThreatIntelSet.
  * **ClientToken** (*string*) -- The idempotency token for the create request. This field is autopopulated if not provided.
  * **Tags** (*dict*) -- The tags to be added to a new threat list resource.
    * *(string) --*
      * *(string) --*
  * **ExpectedBucketOwner** (*string*) -- The Amazon Web Services account ID that owns the Amazon S3 bucket specified in the **location** parameter.

Return type: dict

Returns:
  **Response Syntax**

      {
          'ThreatIntelSetId': 'string'
      }

  **Response Structure**

  * *(dict) --*
    * **ThreatIntelSetId** *(string) --* The ID of the ThreatIntelSet resource.

**Exceptions**

* "GuardDuty.Client.exceptions.BadRequestException"
* "GuardDuty.Client.exceptions.InternalServerErrorException"
* "GuardDuty.Client.exceptions.AccessDeniedException"

update_threat_intel_set
***********************

GuardDuty.Client.update_threat_intel_set(**kwargs)

Updates the ThreatIntelSet specified by the ThreatIntelSet ID.

See also: AWS API Documentation

**Request Syntax**

    response = client.update_threat_intel_set(
        DetectorId='string',
        ThreatIntelSetId='string',
        Name='string',
        Location='string',
        Activate=True|False,
        ExpectedBucketOwner='string'
    )

Parameters:
  * **DetectorId** (*string*) -- **[REQUIRED]** The detectorID that specifies the GuardDuty service whose ThreatIntelSet you want to update. To find the "detectorId" in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
  * **ThreatIntelSetId** (*string*) -- **[REQUIRED]** The unique ID that specifies the ThreatIntelSet that you want to update.
  * **Name** (*string*) -- The updated name of the ThreatIntelSet that you want to update.
  * **Location** (*string*) -- The updated URI of the file that contains the ThreatIntelSet.
  * **Activate** (*boolean*) -- The updated Boolean value that specifies whether the ThreatIntelSet is active or not.
  * **ExpectedBucketOwner** (*string*) -- The Amazon Web Services account ID that owns the Amazon S3 bucket specified in the **location** parameter.

Return type: dict

Returns:
  **Response Syntax**

      {}

  **Response Structure**

  * *(dict) --*

**Exceptions**

* "GuardDuty.Client.exceptions.BadRequestException"
* "GuardDuty.Client.exceptions.InternalServerErrorException"
* "GuardDuty.Client.exceptions.AccessDeniedException"

list_publishing_destinations
****************************

GuardDuty.Client.list_publishing_destinations(**kwargs)

Returns a list of publishing destinations associated with the specified "detectorId".

See also: AWS API Documentation

**Request Syntax**

    response = client.list_publishing_destinations(
        DetectorId='string',
        MaxResults=123,
        NextToken='string'
    )

Parameters:
  * **DetectorId** (*string*) -- **[REQUIRED]** The detector ID for which you want to retrieve the publishing destinations. To find the "detectorId" in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
  * **MaxResults** (*integer*) -- The maximum number of results to return in the response.
  * **NextToken** (*string*) -- A token to use for paginating results that are returned in the response. Set the value of this parameter to null for the first request to a list action. For subsequent calls, use the "NextToken" value returned from the previous request to continue listing results after the first page.
Return type: dict

Returns:
  **Response Syntax**

      {
          'Destinations': [
              {
                  'DestinationId': 'string',
                  'DestinationType': 'S3',
                  'Status': 'PENDING_VERIFICATION'|'PUBLISHING'|'UNABLE_TO_PUBLISH_FIX_DESTINATION_PROPERTY'|'STOPPED'
              },
          ],
          'NextToken': 'string'
      }

  **Response Structure**

  * *(dict) --*
    * **Destinations** *(list) --* A "Destinations" object that includes information about each publishing destination returned.
      * *(dict) --* Contains information about the publishing destination, including the ID, type, and status.
        * **DestinationId** *(string) --* The unique ID of the publishing destination.
        * **DestinationType** *(string) --* The type of resource used for the publishing destination. Currently, only Amazon S3 buckets are supported.
        * **Status** *(string) --* The status of the publishing destination.
    * **NextToken** *(string) --* A token to use for paginating results that are returned in the response. Set the value of this parameter to null for the first request to a list action. For subsequent calls, use the "NextToken" value returned from the previous request to continue listing results after the first page.

**Exceptions**

* "GuardDuty.Client.exceptions.BadRequestException"
* "GuardDuty.Client.exceptions.InternalServerErrorException"

disassociate_from_administrator_account
***************************************

GuardDuty.Client.disassociate_from_administrator_account(**kwargs)

Disassociates the current GuardDuty member account from its administrator account.

When you disassociate an invited member from a GuardDuty delegated administrator, the member account details obtained from the CreateMembers API, including the associated email addresses, are retained. This is done so that the delegated administrator can invoke the InviteMembers API without the need to invoke the CreateMembers API again.
To remove the details associated with a member account, the delegated administrator must invoke the DeleteMembers API.

With the "autoEnableOrganizationMembers" configuration for your organization set to "ALL", you'll receive an error if you attempt to disable GuardDuty in a member account.

See also: AWS API Documentation

**Request Syntax**

    response = client.disassociate_from_administrator_account(
        DetectorId='string'
    )

Parameters:
  **DetectorId** (*string*) -- **[REQUIRED]** The unique ID of the detector of the GuardDuty member account.

Return type: dict

Returns:
  **Response Syntax**

      {}

  **Response Structure**

  * *(dict) --*

**Exceptions**

* "GuardDuty.Client.exceptions.BadRequestException"
* "GuardDuty.Client.exceptions.InternalServerErrorException"

get_waiter
**********

GuardDuty.Client.get_waiter(waiter_name)

Returns an object that can wait for some condition.

Parameters:
  **waiter_name** (*str*) -- The name of the waiter to get. See the waiters section of the service docs for a list of available waiters.

Returns: The specified waiter object.

Return type: "botocore.waiter.Waiter"

create_sample_findings
**********************

GuardDuty.Client.create_sample_findings(**kwargs)

Generates sample findings of the types specified by the list of finding types. If 'NULL' is specified for "findingTypes", the API generates sample findings of all supported finding types.

See also: AWS API Documentation

**Request Syntax**

    response = client.create_sample_findings(
        DetectorId='string',
        FindingTypes=[
            'string',
        ]
    )

Parameters:
  * **DetectorId** (*string*) -- **[REQUIRED]** The ID of the detector for which you need to create sample findings. To find the "detectorId" in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
  * **FindingTypes** (*list*) -- The types of sample findings to generate.
    * *(string) --*

Return type: dict

Returns:
  **Response Syntax**

      {}

  **Response Structure**

  * *(dict) --*

**Exceptions**

* "GuardDuty.Client.exceptions.BadRequestException"
* "GuardDuty.Client.exceptions.InternalServerErrorException"

disable_organization_admin_account
**********************************

GuardDuty.Client.disable_organization_admin_account(**kwargs)

Removes the existing GuardDuty delegated administrator of the organization. Only the organization's management account can run this API operation.

See also: AWS API Documentation

**Request Syntax**

    response = client.disable_organization_admin_account(
        AdminAccountId='string'
    )

Parameters:
  **AdminAccountId** (*string*) -- **[REQUIRED]** The Amazon Web Services account ID of the Organizations account to be disabled as a GuardDuty delegated administrator.

Return type: dict

Returns:
  **Response Syntax**

      {}

  **Response Structure**

  * *(dict) --*

**Exceptions**

* "GuardDuty.Client.exceptions.BadRequestException"
* "GuardDuty.Client.exceptions.InternalServerErrorException"

describe_publishing_destination
*******************************

GuardDuty.Client.describe_publishing_destination(**kwargs)

Returns information about the publishing destination specified by the provided "destinationId".

See also: AWS API Documentation

**Request Syntax**

    response = client.describe_publishing_destination(
        DetectorId='string',
        DestinationId='string'
    )

Parameters:
  * **DetectorId** (*string*) -- **[REQUIRED]** The unique ID of the detector associated with the publishing destination to retrieve. To find the "detectorId" in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
  * **DestinationId** (*string*) -- **[REQUIRED]** The ID of the publishing destination to retrieve.
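A findings-export pipeline that silently stops publishing is a detection gap, so the two destination calls above are most useful together: list every destination, describe each one, and flag anything whose status is not PUBLISHING or that exports without a KMS key. The following is an added example, not code from the boto3 documentation; the GuardDuty client is injected so the logic runs offline against the constructed FakeGuardDuty stand-in (its detector ID, destination IDs, ARNs and timestamps are made up), and with boto3 installed you would pass boto3.client('guardduty') in its place.

```python
"""Audit GuardDuty findings-export destinations (added example)."""
from typing import Any, Dict, Iterator, List

HEALTHY_STATUS = "PUBLISHING"


def iter_destinations(client: Any, detector_id: str, page_size: int = 50) -> Iterator[Dict[str, Any]]:
    """Yield every destination summary, following NextToken until the last page."""
    kwargs: Dict[str, Any] = {"DetectorId": detector_id, "MaxResults": page_size}
    while True:
        page = client.list_publishing_destinations(**kwargs)
        yield from page.get("Destinations", [])
        token = page.get("NextToken")
        if not token:
            return
        kwargs["NextToken"] = token


def audit_destinations(client: Any, detector_id: str) -> List[Dict[str, Any]]:
    """Return one record per destination that needs attention.

    A destination is flagged when its status is anything other than PUBLISHING
    (PENDING_VERIFICATION, UNABLE_TO_PUBLISH_FIX_DESTINATION_PROPERTY, STOPPED)
    or when DestinationProperties carries no KmsKeyArn, because exported
    findings then land in S3 without a customer-managed key.
    """
    issues: List[Dict[str, Any]] = []
    for summary in iter_destinations(client, detector_id):
        detail = client.describe_publishing_destination(
            DetectorId=detector_id, DestinationId=summary["DestinationId"]
        )
        props = detail.get("DestinationProperties", {})
        problems: List[str] = []
        if detail.get("Status") != HEALTHY_STATUS:
            problems.append(f"status={detail.get('Status')}")
            if detail.get("PublishingFailureStartTimestamp"):
                # Epoch milliseconds, per the describe_publishing_destination response.
                problems.append(f"failing_since_ms={detail['PublishingFailureStartTimestamp']}")
        if not props.get("KmsKeyArn"):
            problems.append("no KmsKeyArn")
        if problems:
            issues.append({
                "DestinationId": summary["DestinationId"],
                "DestinationArn": props.get("DestinationArn"),
                "Problems": problems,
            })
    return issues


class FakeGuardDuty:
    """Constructed stand-in for boto3's GuardDuty client; all values are made up."""

    def __init__(self) -> None:
        self.list_calls: List[Dict[str, Any]] = []
        self._pages = {
            None: {
                "Destinations": [{"DestinationId": "dest-1", "DestinationType": "S3", "Status": "PUBLISHING"}],
                "NextToken": "page-2",
            },
            "page-2": {
                "Destinations": [
                    {"DestinationId": "dest-2", "DestinationType": "S3",
                     "Status": "UNABLE_TO_PUBLISH_FIX_DESTINATION_PROPERTY"},
                    {"DestinationId": "dest-3", "DestinationType": "S3", "Status": "PUBLISHING"},
                ],
            },
        }
        kms = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"  # placeholder
        self._details = {
            "dest-1": {"DestinationId": "dest-1", "DestinationType": "S3", "Status": "PUBLISHING",
                       "DestinationProperties": {"DestinationArn": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/findings/", "KmsKeyArn": kms}},
            "dest-2": {"DestinationId": "dest-2", "DestinationType": "S3",
                       "Status": "UNABLE_TO_PUBLISH_FIX_DESTINATION_PROPERTY",
                       "PublishingFailureStartTimestamp": 1700000000000,
                       "DestinationProperties": {"DestinationArn": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/broken/", "KmsKeyArn": kms}},
            "dest-3": {"DestinationId": "dest-3", "DestinationType": "S3", "Status": "PUBLISHING",
                       "DestinationProperties": {"DestinationArn": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/plain/"}},
        }

    def list_publishing_destinations(self, **kwargs: Any) -> Dict[str, Any]:
        self.list_calls.append(kwargs)
        return self._pages[kwargs.get("NextToken")]

    def describe_publishing_destination(self, **kwargs: Any) -> Dict[str, Any]:
        return self._details[kwargs["DestinationId"]]


if __name__ == "__main__":
    for issue in audit_destinations(FakeGuardDuty(), "EXAMPLE-DETECTOR-ID"):
        print(issue)
```

Run it against a real detector by replacing FakeGuardDuty with a boto3 client and the placeholder detector ID with the value from ListDetectors; a non-empty result is worth alerting on, since findings that fail to export never reach the downstream SIEM.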
Return type: dict

Returns:
  **Response Syntax**

      {
          'DestinationId': 'string',
          'DestinationType': 'S3',
          'Status': 'PENDING_VERIFICATION'|'PUBLISHING'|'UNABLE_TO_PUBLISH_FIX_DESTINATION_PROPERTY'|'STOPPED',
          'PublishingFailureStartTimestamp': 123,
          'DestinationProperties': {
              'DestinationArn': 'string',
              'KmsKeyArn': 'string'
          }
      }

  **Response Structure**

  * *(dict) --*
    * **DestinationId** *(string) --* The ID of the publishing destination.
    * **DestinationType** *(string) --* The type of publishing destination. Currently, only Amazon S3 buckets are supported.
    * **Status** *(string) --* The status of the publishing destination.
    * **PublishingFailureStartTimestamp** *(integer) --* The time, in epoch millisecond format, at which GuardDuty was first unable to publish findings to the destination.
    * **DestinationProperties** *(dict) --* A "DestinationProperties" object that includes the "DestinationArn" and "KmsKeyArn" of the publishing destination.
      * **DestinationArn** *(string) --* The ARN of the resource to publish to. To specify an S3 bucket folder, use the following format: "arn:aws:s3:::DOC-EXAMPLE-BUCKET/myFolder/"
      * **KmsKeyArn** *(string) --* The ARN of the KMS key to use for encryption.

**Exceptions**

* "GuardDuty.Client.exceptions.BadRequestException"
* "GuardDuty.Client.exceptions.InternalServerErrorException"

get_master_account
******************

GuardDuty.Client.get_master_account(**kwargs)

Provides the details for the GuardDuty administrator account associated with the current GuardDuty member account.

Danger: This operation is deprecated and may not function as expected. This operation should not be used going forward and is only kept for the purpose of backwards compatibility.

See also: AWS API Documentation

**Request Syntax**

    response = client.get_master_account(
        DetectorId='string'
    )

Parameters:
  **DetectorId** (*string*) -- **[REQUIRED]** The unique ID of the detector of the GuardDuty member account.
  To find the "detectorId" in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.

Return type: dict

Returns:
  **Response Syntax**

      {
          'Master': {
              'AccountId': 'string',
              'InvitationId': 'string',
              'RelationshipStatus': 'string',
              'InvitedAt': 'string'
          }
      }

  **Response Structure**

  * *(dict) --*
    * **Master** *(dict) --* The administrator account details.
      * **AccountId** *(string) --* The ID of the account used as the administrator account.
      * **InvitationId** *(string) --* The value used to validate the administrator account to the member account.
      * **RelationshipStatus** *(string) --* The status of the relationship between the administrator and member accounts.
      * **InvitedAt** *(string) --* The timestamp when the invitation was sent.

**Exceptions**

* "GuardDuty.Client.exceptions.BadRequestException"
* "GuardDuty.Client.exceptions.InternalServerErrorException"

archive_findings
****************

GuardDuty.Client.archive_findings(**kwargs)

Archives GuardDuty findings that are specified by the list of finding IDs.

Note: Only the administrator account can archive findings. Member accounts don't have permission to archive findings from their accounts.

See also: AWS API Documentation

**Request Syntax**

    response = client.archive_findings(
        DetectorId='string',
        FindingIds=[
            'string',
        ]
    )

Parameters:
  * **DetectorId** (*string*) -- **[REQUIRED]** The ID of the detector that specifies the GuardDuty service whose findings you want to archive. To find the "detectorId" in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
  * **FindingIds** (*list*) -- **[REQUIRED]** The IDs of the findings that you want to archive.
    * *(string) --*

Return type: dict

Returns:
  **Response Syntax**

      {}

  **Response Structure**

  * *(dict) --*

**Exceptions**

* "GuardDuty.Client.exceptions.BadRequestException"
* "GuardDuty.Client.exceptions.InternalServerErrorException"

describe_malware_scans
**********************

GuardDuty.Client.describe_malware_scans(**kwargs)

Returns a list of malware scans. Each member account can view the malware scans for their own accounts. An administrator can view the malware scans for all the member accounts.

There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints.

See also: AWS API Documentation

**Request Syntax**

    response = client.describe_malware_scans(
        DetectorId='string',
        NextToken='string',
        MaxResults=123,
        FilterCriteria={
            'FilterCriterion': [
                {
                    'CriterionKey': 'EC2_INSTANCE_ARN'|'SCAN_ID'|'ACCOUNT_ID'|'GUARDDUTY_FINDING_ID'|'SCAN_START_TIME'|'SCAN_STATUS'|'SCAN_TYPE',
                    'FilterCondition': {
                        'EqualsValue': 'string',
                        'GreaterThan': 123,
                        'LessThan': 123
                    }
                },
            ]
        },
        SortCriteria={
            'AttributeName': 'string',
            'OrderBy': 'ASC'|'DESC'
        }
    )

Parameters:
  * **DetectorId** (*string*) -- **[REQUIRED]** The unique ID of the detector that the request is associated with. To find the "detectorId" in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
  * **NextToken** (*string*) -- You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.
  * **MaxResults** (*integer*) -- You can use this parameter to indicate the maximum number of items that you want in the response. The default value is 50. The maximum value is 50.
  * **FilterCriteria** (*dict*) -- Represents the criteria to be used in the filter for describing scan entries.
    * **FilterCriterion** *(list) --* Represents a condition that, when matched, will be added to the response of the operation.
      * *(dict) --* Represents a condition that, when matched, will be added to the response of the operation. Irrespective of using any filter criteria, an administrator account can view the scan entries for all of its member accounts. However, each member account can view the scan entries only for their own account.
        * **CriterionKey** *(string) --* An enum value representing possible scan properties to match with given scan entries.
        * **FilterCondition** *(dict) --* Contains information about the condition.
          * **EqualsValue** *(string) --* Represents an *equal* condition to be applied to a single field when querying for scan entries.
          * **GreaterThan** *(integer) --* Represents a *greater than* condition to be applied to a single field when querying for scan entries.
          * **LessThan** *(integer) --* Represents a *less than* condition to be applied to a single field when querying for scan entries.
  * **SortCriteria** (*dict*) -- Represents the criteria used for sorting scan entries. The attributeName is required and it must be "scanStartTime".
    * **AttributeName** *(string) --* Represents the finding attribute, such as "accountId", that sorts the findings.
    * **OrderBy** *(string) --* The order by which the sorted findings are to be displayed.
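For incident triage the useful view of this API is "which instances came back INFECTED, and what was attached to them". The block below is an added example, not code from the boto3 documentation: it builds a describe_malware_scans request restricted to completed scans and sorted newest first (the page says AttributeName must be "scanStartTime"), clamps MaxResults to the documented maximum of 50, pages through NextToken, and groups INFECTED scans by instance ARN together with any attached volume that was scanned without a KMS key. The client is injected; FakeGuardDuty, its detector ID, scan IDs, ARNs and timestamps are all constructed, and the assumption that SCAN_START_TIME compares against epoch milliseconds is marked in the code.

```python
"""Triage GuardDuty Malware Protection for EC2 scan results (added example)."""
from datetime import datetime
from typing import Any, Dict, Iterator, List, Optional

MAX_RESULTS_CAP = 50  # documented maximum (and default) for MaxResults
SCAN_STATUSES = {"RUNNING", "COMPLETED", "FAILED", "SKIPPED"}

# Constructed placeholder ARNs used by the fake client below.
INSTANCE_B = "arn:aws:ec2:us-east-1:111122223333:instance/i-0bbbbbbbbbbbbbbbb"
INSTANCE_C = "arn:aws:ec2:us-east-1:111122223333:instance/i-0ccccccccccccccc"
VOLUME_B_DATA = "arn:aws:ec2:us-east-1:111122223333:volume/vol-0bbbbbbbb0000data"


def build_scan_request(detector_id: str, status: str = "COMPLETED",
                       started_after_ms: Optional[int] = None,
                       max_results: int = MAX_RESULTS_CAP) -> Dict[str, Any]:
    """Return kwargs for describe_malware_scans; only the documented keys are used."""
    if status not in SCAN_STATUSES:
        raise ValueError(f"unknown scan status {status!r}")
    criteria: List[Dict[str, Any]] = [
        {"CriterionKey": "SCAN_STATUS", "FilterCondition": {"EqualsValue": status}},
    ]
    if started_after_ms is not None:
        # ASSUMPTION of this example: SCAN_START_TIME is compared as epoch milliseconds.
        criteria.append({"CriterionKey": "SCAN_START_TIME",
                         "FilterCondition": {"GreaterThan": started_after_ms}})
    return {
        "DetectorId": detector_id,
        "MaxResults": max(1, min(max_results, MAX_RESULTS_CAP)),
        "FilterCriteria": {"FilterCriterion": criteria},
        "SortCriteria": {"AttributeName": "scanStartTime", "OrderBy": "DESC"},
    }


def iter_scans(client: Any, request: Dict[str, Any]) -> Iterator[Dict[str, Any]]:
    """Yield scan entries across all pages, carrying NextToken forward."""
    req = dict(request)
    while True:
        page = client.describe_malware_scans(**req)
        yield from page.get("Scans", [])
        token = page.get("NextToken")
        if not token:
            return
        req["NextToken"] = token


def infected_instances(client: Any, detector_id: str,
                       started_after_ms: Optional[int] = None) -> Dict[str, List[Dict[str, Any]]]:
    """Map instance ARN -> INFECTED scan summaries, newest first."""
    hits: Dict[str, List[Dict[str, Any]]] = {}
    for scan in iter_scans(client, build_scan_request(detector_id, started_after_ms=started_after_ms)):
        if scan.get("ScanResultDetails", {}).get("ScanResult") != "INFECTED":
            continue
        arn = scan.get("ResourceDetails", {}).get("InstanceArn", "<unknown-instance>")
        hits.setdefault(arn, []).append({
            "ScanId": scan["ScanId"],
            "AccountId": scan.get("AccountId"),
            "FindingId": scan.get("TriggerDetails", {}).get("GuardDutyFindingId"),
            "ScanType": scan.get("ScanType"),
            # Volumes whose snapshot was scanned without a KMS key: flag for the data owner.
            "UnencryptedVolumes": [v["VolumeArn"] for v in scan.get("AttachedVolumes", [])
                                   if not v.get("KmsKeyArn")],
        })
    return hits


class FakeGuardDuty:
    """Constructed stand-in for boto3's GuardDuty client returning two pages of made-up scans."""

    def __init__(self) -> None:
        self.requests: List[Dict[str, Any]] = []
        t = datetime(2024, 1, 1)
        self._pages = {
            None: {"Scans": [
                {"ScanId": "scan-a", "ScanStatus": "COMPLETED", "ScanStartTime": t, "AccountId": "111122223333",
                 "ResourceDetails": {"InstanceArn": "arn:aws:ec2:us-east-1:111122223333:instance/i-0aaaaaaaaaaaaaaaa"},
                 "ScanResultDetails": {"ScanResult": "CLEAN"}, "ScanType": "GUARDDUTY_INITIATED", "AttachedVolumes": []},
                {"ScanId": "scan-b", "ScanStatus": "COMPLETED", "ScanStartTime": t, "AccountId": "111122223333",
                 "ResourceDetails": {"InstanceArn": INSTANCE_B}, "ScanResultDetails": {"ScanResult": "INFECTED"},
                 "TriggerDetails": {"GuardDutyFindingId": "finding-b"}, "ScanType": "GUARDDUTY_INITIATED",
                 "AttachedVolumes": [{"VolumeArn": VOLUME_B_DATA, "DeviceName": "/dev/xvdb"}]},
            ], "NextToken": "p2"},
            "p2": {"Scans": [
                {"ScanId": "scan-c", "ScanStatus": "COMPLETED", "ScanStartTime": t, "AccountId": "111122223333",
                 "ResourceDetails": {"InstanceArn": INSTANCE_B}, "ScanResultDetails": {"ScanResult": "INFECTED"},
                 "ScanType": "ON_DEMAND",
                 "AttachedVolumes": [{"VolumeArn": VOLUME_B_DATA, "KmsKeyArn": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE"}]},
                {"ScanId": "scan-d", "ScanStatus": "COMPLETED", "ScanStartTime": t, "AccountId": "444455556666",
                 "ResourceDetails": {"InstanceArn": INSTANCE_C}, "ScanResultDetails": {"ScanResult": "INFECTED"},
                 "ScanType": "ON_DEMAND", "AttachedVolumes": []},
            ]},
        }

    def describe_malware_scans(self, **kwargs: Any) -> Dict[str, Any]:
        self.requests.append(kwargs)
        return self._pages[kwargs.get("NextToken")]


if __name__ == "__main__":
    for instance, scans in infected_instances(FakeGuardDuty(), "EXAMPLE-DETECTOR-ID").items():
        print(instance, [s["ScanId"] for s in scans])
```

From an administrator detector this covers every member account, so the result is a per-instance list that can feed isolation tickets; from a member detector it covers only that account, as the filter-criteria note above states.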
Return type: dict

Returns:
  **Response Syntax**

      {
          'Scans': [
              {
                  'DetectorId': 'string',
                  'AdminDetectorId': 'string',
                  'ScanId': 'string',
                  'ScanStatus': 'RUNNING'|'COMPLETED'|'FAILED'|'SKIPPED',
                  'FailureReason': 'string',
                  'ScanStartTime': datetime(2015, 1, 1),
                  'ScanEndTime': datetime(2015, 1, 1),
                  'TriggerDetails': {
                      'GuardDutyFindingId': 'string',
                      'Description': 'string'
                  },
                  'ResourceDetails': {
                      'InstanceArn': 'string'
                  },
                  'ScanResultDetails': {
                      'ScanResult': 'CLEAN'|'INFECTED'
                  },
                  'AccountId': 'string',
                  'TotalBytes': 123,
                  'FileCount': 123,
                  'AttachedVolumes': [
                      {
                          'VolumeArn': 'string',
                          'VolumeType': 'string',
                          'DeviceName': 'string',
                          'VolumeSizeInGB': 123,
                          'EncryptionType': 'string',
                          'SnapshotArn': 'string',
                          'KmsKeyArn': 'string'
                      },
                  ],
                  'ScanType': 'GUARDDUTY_INITIATED'|'ON_DEMAND'
              },
          ],
          'NextToken': 'string'
      }

  **Response Structure**

  * *(dict) --*
    * **Scans** *(list) --* Contains information about malware scans associated with GuardDuty Malware Protection for EC2.
      * *(dict) --* Contains information about malware scans associated with GuardDuty Malware Protection for EC2.
        * **DetectorId** *(string) --* The unique ID of the detector that is associated with the request. To find the "detectorId" in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
        * **AdminDetectorId** *(string) --* The unique detector ID of the administrator account that the request is associated with. If the account is an administrator, the "AdminDetectorId" will be the same as the one used for "DetectorId". To find the "detectorId" in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
        * **ScanId** *(string) --* The unique scan ID associated with a scan entry.
        * **ScanStatus** *(string) --* An enum value representing possible scan statuses.
        * **FailureReason** *(string) --* Represents the reason for "FAILED" scan status.
        * **ScanStartTime** *(datetime) --* The timestamp of when the scan was triggered.
        * **ScanEndTime** *(datetime) --* The timestamp of when the scan was finished.
        * **TriggerDetails** *(dict) --* Specifies the reason why the scan was initiated.
          * **GuardDutyFindingId** *(string) --* The ID of the GuardDuty finding that triggered the malware scan.
          * **Description** *(string) --* The description of the scan trigger.
        * **ResourceDetails** *(dict) --* Represents the resources that were scanned in the scan entry.
          * **InstanceArn** *(string) --* Instance ARN that was scanned in the scan entry.
        * **ScanResultDetails** *(dict) --* Represents the result of the scan.
          * **ScanResult** *(string) --* An enum value representing possible scan results.
        * **AccountId** *(string) --* The ID for the account that belongs to the scan.
        * **TotalBytes** *(integer) --* Represents total bytes that were scanned.
        * **FileCount** *(integer) --* Represents the number of files that were scanned.
        * **AttachedVolumes** *(list) --* List of volumes that were attached to the original instance to be scanned.
          * *(dict) --* Contains EBS volume details.
            * **VolumeArn** *(string) --* EBS volume ARN information.
            * **VolumeType** *(string) --* The EBS volume type.
            * **DeviceName** *(string) --* The device name for the EBS volume.
            * **VolumeSizeInGB** *(integer) --* EBS volume size in GB.
            * **EncryptionType** *(string) --* EBS volume encryption type.
            * **SnapshotArn** *(string) --* Snapshot ARN of the EBS volume.
            * **KmsKeyArn** *(string) --* KMS key ARN used to encrypt the EBS volume.
        * **ScanType** *(string) --* Specifies the scan type that invoked the malware scan.
    * **NextToken** *(string) --* The pagination parameter to be used on the next list operation to retrieve more items.

**Exceptions**

* "GuardDuty.Client.exceptions.BadRequestException"
* "GuardDuty.Client.exceptions.InternalServerErrorException"

update_detector
***************

GuardDuty.Client.update_detector(**kwargs)

Updates the GuardDuty detector specified by the detector ID.
Specifying both EKS Runtime Monitoring ("EKS_RUNTIME_MONITORING") and Runtime Monitoring ("RUNTIME_MONITORING") will cause an error. You can add only one of these two features because Runtime Monitoring already includes the threat detection for Amazon EKS resources. For more information, see Runtime Monitoring.

There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints.

See also: AWS API Documentation

**Request Syntax**

    response = client.update_detector(
        DetectorId='string',
        Enable=True|False,
        FindingPublishingFrequency='FIFTEEN_MINUTES'|'ONE_HOUR'|'SIX_HOURS',
        DataSources={
            'S3Logs': {
                'Enable': True|False
            },
            'Kubernetes': {
                'AuditLogs': {
                    'Enable': True|False
                }
            },
            'MalwareProtection': {
                'ScanEc2InstanceWithFindings': {
                    'EbsVolumes': True|False
                }
            }
        },
        Features=[
            {
                'Name': 'S3_DATA_EVENTS'|'EKS_AUDIT_LOGS'|'EBS_MALWARE_PROTECTION'|'RDS_LOGIN_EVENTS'|'EKS_RUNTIME_MONITORING'|'LAMBDA_NETWORK_LOGS'|'RUNTIME_MONITORING',
                'Status': 'ENABLED'|'DISABLED',
                'AdditionalConfiguration': [
                    {
                        'Name': 'EKS_ADDON_MANAGEMENT'|'ECS_FARGATE_AGENT_MANAGEMENT'|'EC2_AGENT_MANAGEMENT',
                        'Status': 'ENABLED'|'DISABLED'
                    },
                ]
            },
        ]
    )

Parameters:
  * **DetectorId** (*string*) -- **[REQUIRED]** The unique ID of the detector to update. To find the "detectorId" in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
  * **Enable** (*boolean*) -- Specifies whether the detector is enabled or not enabled.
  * **FindingPublishingFrequency** (*string*) -- An enum value that specifies how frequently findings are exported, such as to CloudWatch Events.
  * **DataSources** (*dict*) -- Describes which data sources will be updated. There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported.
    For more information, see Regions and endpoints.
    * **S3Logs** *(dict) --* Describes whether S3 data event logs are enabled as a data source.
      * **Enable** *(boolean) --* **[REQUIRED]** The status of S3 data event logs as a data source.
    * **Kubernetes** *(dict) --* Describes whether any Kubernetes logs are enabled as data sources.
      * **AuditLogs** *(dict) --* **[REQUIRED]** The status of Kubernetes audit logs as a data source.
        * **Enable** *(boolean) --* **[REQUIRED]** The status of Kubernetes audit logs as a data source.
    * **MalwareProtection** *(dict) --* Describes whether Malware Protection is enabled as a data source.
      * **ScanEc2InstanceWithFindings** *(dict) --* Describes the configuration of Malware Protection for EC2 instances with findings.
        * **EbsVolumes** *(boolean) --* Describes the configuration for scanning EBS volumes as a data source.
  * **Features** (*list*) -- Provides the features that will be updated for the detector.
    * *(dict) --* Contains information about a GuardDuty feature. Specifying both EKS Runtime Monitoring ("EKS_RUNTIME_MONITORING") and Runtime Monitoring ("RUNTIME_MONITORING") will cause an error. You can add only one of these two features because Runtime Monitoring already includes the threat detection for Amazon EKS resources. For more information, see Runtime Monitoring.
      * **Name** *(string) --* The name of the feature.
      * **Status** *(string) --* The status of the feature.
      * **AdditionalConfiguration** *(list) --* Additional configuration for a resource.
        * *(dict) --* Information about the additional configuration for a feature in your GuardDuty account.
          * **Name** *(string) --* Name of the additional configuration.
          * **Status** *(string) --* Status of the additional configuration.
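The Features parameter is where the EKS_RUNTIME_MONITORING / RUNTIME_MONITORING rule bites, and it is cheaper to catch the conflict before the call than to parse a BadRequestException afterwards. The block below is an added example, not code from the boto3 documentation: it validates a desired feature set against the names listed in the request syntax, rejects a request that names both runtime-monitoring features, attaches agent-management AdditionalConfiguration entries to the runtime feature, and diffs the desired state against the detector's current Features so that only real changes are sent. It assumes get_detector returns a Features list in the same shape shown for get_member_detectors below; the FakeGuardDuty stand-in and its detector ID are constructed, and boto3.client('guardduty') can be passed in its place.

```python
"""Build and apply a validated update_detector Features change set (added example)."""
from typing import Any, Dict, Iterable, List, Set, Tuple

FEATURE_NAMES = {
    "S3_DATA_EVENTS", "EKS_AUDIT_LOGS", "EBS_MALWARE_PROTECTION", "RDS_LOGIN_EVENTS",
    "EKS_RUNTIME_MONITORING", "LAMBDA_NETWORK_LOGS", "RUNTIME_MONITORING",
}
AGENT_MANAGEMENT_NAMES = {"EKS_ADDON_MANAGEMENT", "ECS_FARGATE_AGENT_MANAGEMENT", "EC2_AGENT_MANAGEMENT"}
RUNTIME_PAIR = {"EKS_RUNTIME_MONITORING", "RUNTIME_MONITORING"}


def runtime_conflict(names: Iterable[str]) -> bool:
    """True when a request names both runtime-monitoring features (the documented error case)."""
    return RUNTIME_PAIR <= set(names)


def build_features(enabled: Iterable[str], disabled: Iterable[str] = (),
                   agent_management: Iterable[str] = ()) -> List[Dict[str, Any]]:
    """Return a Features list for update_detector, validated client-side."""
    on, off, agents = set(enabled), set(disabled), set(agent_management)
    unknown = (on | off) - FEATURE_NAMES
    if unknown:
        raise ValueError(f"unknown feature(s): {sorted(unknown)}")
    if on & off:
        raise ValueError(f"feature(s) both enabled and disabled: {sorted(on & off)}")
    if runtime_conflict(on | off):
        raise ValueError("specify only one of EKS_RUNTIME_MONITORING and RUNTIME_MONITORING; "
                         "RUNTIME_MONITORING already includes EKS")
    if agents - AGENT_MANAGEMENT_NAMES:
        raise ValueError(f"unknown additional configuration: {sorted(agents - AGENT_MANAGEMENT_NAMES)}")
    if agents and not (on & RUNTIME_PAIR):
        raise ValueError("agent management settings require an enabled runtime-monitoring feature")
    features: List[Dict[str, Any]] = []
    for name in sorted(on):
        entry: Dict[str, Any] = {"Name": name, "Status": "ENABLED"}
        if name in RUNTIME_PAIR and agents:
            entry["AdditionalConfiguration"] = [{"Name": a, "Status": "ENABLED"} for a in sorted(agents)]
        features.append(entry)
    for name in sorted(off):
        features.append({"Name": name, "Status": "DISABLED"})
    return features


def _additional(feature: Dict[str, Any]) -> Set[Tuple[str, str]]:
    return {(c["Name"], c["Status"]) for c in feature.get("AdditionalConfiguration", [])}


def diff_features(current: List[Dict[str, Any]], desired: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Keep only desired entries whose Status or AdditionalConfiguration differs from current."""
    have = {f["Name"]: f for f in current}
    return [want for want in desired
            if want["Name"] not in have
            or have[want["Name"]].get("Status") != want["Status"]
            or _additional(have[want["Name"]]) != _additional(want)]


def apply_feature_update(client: Any, detector_id: str, desired: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Send only the changed entries; return what was sent (empty list means no call was made)."""
    current = client.get_detector(DetectorId=detector_id).get("Features", [])
    changes = diff_features(current, desired)
    if changes:
        client.update_detector(DetectorId=detector_id, Features=changes)
    return changes


class FakeGuardDuty:
    """Constructed stand-in for boto3's GuardDuty client that remembers its feature state."""

    def __init__(self, features: List[Dict[str, Any]]) -> None:
        self.features = [dict(f) for f in features]
        self.updates: List[Dict[str, Any]] = []

    def get_detector(self, **kwargs: Any) -> Dict[str, Any]:
        return {"Features": [dict(f) for f in self.features]}

    def update_detector(self, **kwargs: Any) -> Dict[str, Any]:
        self.updates.append(kwargs)
        by_name = {f["Name"]: f for f in self.features}
        for f in kwargs.get("Features", []):
            by_name[f["Name"]] = dict(f)
        self.features = list(by_name.values())
        return {}


if __name__ == "__main__":
    fake = FakeGuardDuty([{"Name": "S3_DATA_EVENTS", "Status": "ENABLED"},
                          {"Name": "RUNTIME_MONITORING", "Status": "DISABLED"}])
    wanted = build_features(["RUNTIME_MONITORING", "S3_DATA_EVENTS"], agent_management=["EC2_AGENT_MANAGEMENT"])
    print(apply_feature_update(fake, "EXAMPLE-DETECTOR-ID", wanted))
```

Diffing before calling keeps the change visible in CloudTrail as exactly the features that moved, which is what a reviewer of a GuardDuty configuration change wants to see.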
Return type: dict

Returns:
  **Response Syntax**

      {}

  **Response Structure**

  * *(dict) --*

**Exceptions**

* "GuardDuty.Client.exceptions.BadRequestException"
* "GuardDuty.Client.exceptions.InternalServerErrorException"

get_member_detectors
********************

GuardDuty.Client.get_member_detectors(**kwargs)

Describes which data sources are enabled for the member account's detector.

There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints.

See also: AWS API Documentation

**Request Syntax**

    response = client.get_member_detectors(
        DetectorId='string',
        AccountIds=[
            'string',
        ]
    )

Parameters:
  * **DetectorId** (*string*) -- **[REQUIRED]** The detector ID for the administrator account. To find the "detectorId" in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
  * **AccountIds** (*list*) -- **[REQUIRED]** A list of member account IDs.
    * *(string) --*

Return type: dict

Returns:
  **Response Syntax**

      {
          'MemberDataSourceConfigurations': [
              {
                  'AccountId': 'string',
                  'DataSources': {
                      'CloudTrail': {
                          'Status': 'ENABLED'|'DISABLED'
                      },
                      'DNSLogs': {
                          'Status': 'ENABLED'|'DISABLED'
                      },
                      'FlowLogs': {
                          'Status': 'ENABLED'|'DISABLED'
                      },
                      'S3Logs': {
                          'Status': 'ENABLED'|'DISABLED'
                      },
                      'Kubernetes': {
                          'AuditLogs': {
                              'Status': 'ENABLED'|'DISABLED'
                          }
                      },
                      'MalwareProtection': {
                          'ScanEc2InstanceWithFindings': {
                              'EbsVolumes': {
                                  'Status': 'ENABLED'|'DISABLED',
                                  'Reason': 'string'
                              }
                          },
                          'ServiceRole': 'string'
                      }
                  },
                  'Features': [
                      {
                          'Name': 'S3_DATA_EVENTS'|'EKS_AUDIT_LOGS'|'EBS_MALWARE_PROTECTION'|'RDS_LOGIN_EVENTS'|'EKS_RUNTIME_MONITORING'|'LAMBDA_NETWORK_LOGS'|'RUNTIME_MONITORING',
                          'Status': 'ENABLED'|'DISABLED',
                          'UpdatedAt': datetime(2015, 1, 1),
                          'AdditionalConfiguration': [
                              {
                                  'Name': 'EKS_ADDON_MANAGEMENT'|'ECS_FARGATE_AGENT_MANAGEMENT'|'EC2_AGENT_MANAGEMENT',
                                  'Status': 'ENABLED'|'DISABLED',
                                  'UpdatedAt': datetime(2015, 1, 1)
                              },
                          ]
                      },
                  ]
              },
          ],
          'UnprocessedAccounts': [
              {
                  'AccountId': 'string',
                  'Result': 'string'
              },
          ]
      }

  **Response Structure**

  * *(dict) --*
    * **MemberDataSourceConfigurations** *(list) --* An object that describes which data sources are enabled for a member account.
      * *(dict) --* Contains information on which data sources are enabled for a member account.
        * **AccountId** *(string) --* The account ID for the member account.
        * **DataSources** *(dict) --* Contains information on the status of data sources for the account.
          * **CloudTrail** *(dict) --* An object that contains information on the status of CloudTrail as a data source.
            * **Status** *(string) --* Describes whether CloudTrail is enabled as a data source for the detector.
          * **DNSLogs** *(dict) --* An object that contains information on the status of DNS logs as a data source.
            * **Status** *(string) --* Denotes whether DNS logs are enabled as a data source.
          * **FlowLogs** *(dict) --* An object that contains information on the status of VPC flow logs as a data source.
            * **Status** *(string) --* Denotes whether VPC flow logs are enabled as a data source.
          * **S3Logs** *(dict) --* An object that contains information on the status of S3 data event logs as a data source.
            * **Status** *(string) --* A value that describes whether S3 data event logs are automatically enabled for new members of the organization.
          * **Kubernetes** *(dict) --* An object that contains information on the status of all Kubernetes data sources.
            * **AuditLogs** *(dict) --* Describes whether Kubernetes audit logs are enabled as a data source.
              * **Status** *(string) --* A value that describes whether Kubernetes audit logs are enabled as a data source.
          * **MalwareProtection** *(dict) --* Describes the configuration of Malware Protection data sources.
            * **ScanEc2InstanceWithFindings** *(dict) --* Describes the configuration of Malware Protection for EC2 instances with findings.
              * **EbsVolumes** *(dict) --* Describes the configuration of scanning EBS volumes as a data source.
                * **Status** *(string) --* Describes whether scanning EBS volumes is enabled as a data source.
                * **Reason** *(string) --* Specifies the reason why scanning EBS volumes (Malware Protection) was not enabled as a data source.
            * **ServiceRole** *(string) --* The GuardDuty Malware Protection service role.
        * **Features** *(list) --* Contains information about the status of the features for the member account.
          * *(dict) --* Contains information about the features for the member account.
            * **Name** *(string) --* Indicates the name of the feature that is enabled for the detector.
            * **Status** *(string) --* Indicates the status of the feature that is enabled for the detector.
            * **UpdatedAt** *(datetime) --* The timestamp at which the feature object was updated.
            * **AdditionalConfiguration** *(list) --* Indicates the additional configuration of the feature that is configured for the member account.
              * *(dict) --* Information about the additional configuration for the member account.
                * **Name** *(string) --* Indicates the name of the additional configuration that is set for the member account.
                * **Status** *(string) --* Indicates the status of the additional configuration that is set for the member account.
                * **UpdatedAt** *(datetime) --* The timestamp at which the additional configuration was set for the member account. This is in UTC format.
    * **UnprocessedAccounts** *(list) --* A list of member account IDs that were unable to be processed, along with an explanation for why they were not processed.
      * *(dict) --* Contains information about the accounts that weren't processed.
        * **AccountId** *(string) --* The Amazon Web Services account ID.
        * **Result** *(string) --* A reason why the account hasn't been processed.

**Exceptions**

* "GuardDuty.Client.exceptions.BadRequestException"
* "GuardDuty.Client.exceptions.InternalServerErrorException"

delete_malware_protection_plan
******************************

GuardDuty.Client.delete_malware_protection_plan(**kwargs)

Deletes the Malware Protection plan ID associated with the Malware Protection plan resource. Use this API only when you no longer want to protect the resource associated with this Malware Protection plan ID.

See also: AWS API Documentation

**Request Syntax**

    response = client.delete_malware_protection_plan(
        MalwareProtectionPlanId='string'
    )

Parameters:
  **MalwareProtectionPlanId** (*string*) -- **[REQUIRED]** A unique identifier associated with the Malware Protection plan resource.
Returns: None **Exceptions** * "GuardDuty.Client.exceptions.BadRequestException" * "GuardDuty.Client.exceptions.AccessDeniedException" * "GuardDuty.Client.exceptions.InternalServerErrorException" * "GuardDuty.Client.exceptions.ResourceNotFoundException" GuardDuty / Client / get_members get_members *********** GuardDuty.Client.get_members(**kwargs) Retrieves GuardDuty member accounts (of the current GuardDuty administrator account) specified by the account IDs. See also: AWS API Documentation **Request Syntax** response = client.get_members( DetectorId='string', AccountIds=[ 'string', ] ) Parameters: * **DetectorId** (*string*) -- **[REQUIRED]** The unique ID of the detector of the GuardDuty account whose members you want to retrieve. To find the "detectorId" in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API. * **AccountIds** (*list*) -- **[REQUIRED]** A list of account IDs of the GuardDuty member accounts that you want to describe. * *(string) --* Return type: dict Returns: **Response Syntax** { 'Members': [ { 'AccountId': 'string', 'DetectorId': 'string', 'MasterId': 'string', 'Email': 'string', 'RelationshipStatus': 'string', 'InvitedAt': 'string', 'UpdatedAt': 'string', 'AdministratorId': 'string' }, ], 'UnprocessedAccounts': [ { 'AccountId': 'string', 'Result': 'string' }, ] } **Response Structure** * *(dict) --* * **Members** *(list) --* A list of members. * *(dict) --* Contains information about the member account. * **AccountId** *(string) --* The ID of the member account. * **DetectorId** *(string) --* The detector ID of the member account. * **MasterId** *(string) --* The administrator account ID. * **Email** *(string) --* The email address of the member account. * **RelationshipStatus** *(string) --* The status of the relationship between the member and the administrator. * **InvitedAt** *(string) --* The timestamp when the invitation was sent. 
* **UpdatedAt** *(string) --* The last-updated timestamp of the member. * **AdministratorId** *(string) --* The administrator account ID. * **UnprocessedAccounts** *(list) --* A list of objects that contain the unprocessed account and a result string that explains why it was unprocessed. * *(dict) --* Contains information about the accounts that weren't processed. * **AccountId** *(string) --* The Amazon Web Services account ID. * **Result** *(string) --* A reason why the account hasn't been processed. **Exceptions** * "GuardDuty.Client.exceptions.BadRequestException" * "GuardDuty.Client.exceptions.InternalServerErrorException" GuardDuty / Client / update_organization_configuration update_organization_configuration ********************************* GuardDuty.Client.update_organization_configuration(**kwargs) Configures the delegated administrator account with the provided values. You must provide a value for either "autoEnableOrganizationMembers" or "autoEnable", but not both. Specifying both EKS Runtime Monitoring ( "EKS_RUNTIME_MONITORING") and Runtime Monitoring ( "RUNTIME_MONITORING") will cause an error. You can add only one of these two features because Runtime Monitoring already includes the threat detection for Amazon EKS resources. For more information, see Runtime Monitoring. There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints. 
See also: AWS API Documentation

**Request Syntax**

response = client.update_organization_configuration(
    DetectorId='string',
    AutoEnable=True|False,
    DataSources={
        'S3Logs': {
            'AutoEnable': True|False
        },
        'Kubernetes': {
            'AuditLogs': {
                'AutoEnable': True|False
            }
        },
        'MalwareProtection': {
            'ScanEc2InstanceWithFindings': {
                'EbsVolumes': {
                    'AutoEnable': True|False
                }
            }
        }
    },
    Features=[
        {
            'Name': 'S3_DATA_EVENTS'|'EKS_AUDIT_LOGS'|'EBS_MALWARE_PROTECTION'|'RDS_LOGIN_EVENTS'|'EKS_RUNTIME_MONITORING'|'LAMBDA_NETWORK_LOGS'|'RUNTIME_MONITORING',
            'AutoEnable': 'NEW'|'NONE'|'ALL',
            'AdditionalConfiguration': [
                {
                    'Name': 'EKS_ADDON_MANAGEMENT'|'ECS_FARGATE_AGENT_MANAGEMENT'|'EC2_AGENT_MANAGEMENT',
                    'AutoEnable': 'NEW'|'NONE'|'ALL'
                },
            ]
        },
    ],
    AutoEnableOrganizationMembers='NEW'|'ALL'|'NONE'
)

Parameters:

* **DetectorId** (*string*) -- **[REQUIRED]** The ID of the detector that configures the delegated administrator. To find the "detectorId" in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
* **AutoEnable** (*boolean*) -- Represents whether to automatically enable member accounts in the organization. This applies only to new member accounts, not to existing member accounts. When a new account joins the organization, the chosen features will be enabled for it by default. Even though this is still supported, we recommend using "AutoEnableOrganizationMembers" to achieve similar results. You must provide a value for either "autoEnableOrganizationMembers" or "autoEnable".
* **DataSources** (*dict*) -- Describes which data sources will be updated.
  * **S3Logs** *(dict) --* Describes whether S3 data event logs are enabled for new members of the organization.
    * **AutoEnable** *(boolean) --* **[REQUIRED]** A value that contains information on whether S3 data event logs will be enabled automatically as a data source for the organization.
  * **Kubernetes** *(dict) --* Describes the configuration of Kubernetes data sources for new members of the organization.
    * **AuditLogs** *(dict) --* **[REQUIRED]** Whether the Kubernetes audit logs data source should be auto-enabled for new members joining the organization.
      * **AutoEnable** *(boolean) --* **[REQUIRED]** A value that contains information on whether Kubernetes audit logs should be enabled automatically as a data source for the organization.
  * **MalwareProtection** *(dict) --* Describes the configuration of Malware Protection for new members of the organization.
    * **ScanEc2InstanceWithFindings** *(dict) --* Whether Malware Protection for EC2 instances with findings should be auto-enabled for new members joining the organization.
      * **EbsVolumes** *(dict) --* Whether scanning EBS volumes should be auto-enabled for new members joining the organization.
        * **AutoEnable** *(boolean) --* Whether scanning EBS volumes should be auto-enabled for new members joining the organization.
* **Features** (*list*) -- A list of features that will be configured for the organization.
  * *(dict) --* A feature that will be configured for the organization.
    * **Name** *(string) --* The name of the feature that will be configured for the organization.
    * **AutoEnable** *(string) --* Describes the status of the feature that is configured for the member accounts within the organization. One of the following values is the status for the entire organization:
      * "NEW": Indicates that when a new account joins the organization, it will have the feature enabled automatically.
      * "ALL": Indicates that all accounts in the organization have the feature enabled automatically. This includes "NEW" accounts that join the organization and accounts that may have been suspended or removed from the organization in GuardDuty. It may take up to 24 hours to update the configuration for all the member accounts.
* "NONE": Indicates that the feature will not be automatically enabled for any account in the organization. The administrator must manage the feature for each account individually. * **AdditionalConfiguration** *(list) --* The additional information that will be configured for the organization. * *(dict) --* A list of additional configurations which will be configured for the organization. Additional configuration applies to only GuardDuty Runtime Monitoring protection plan. * **Name** *(string) --* The name of the additional configuration that will be configured for the organization. These values are applicable to only Runtime Monitoring protection plan. * **AutoEnable** *(string) --* The status of the additional configuration that will be configured for the organization. Use one of the following values to configure the feature status for the entire organization: * "NEW": Indicates that when a new account joins the organization, they will have the additional configuration enabled automatically. * "ALL": Indicates that all accounts in the organization have the additional configuration enabled automatically. This includes "NEW" accounts that join the organization and accounts that may have been suspended or removed from the organization in GuardDuty. It may take up to 24 hours to update the configuration for all the member accounts. * "NONE": Indicates that the additional configuration will not be automatically enabled for any account in the organization. The administrator must manage the additional configuration for each account individually. * **AutoEnableOrganizationMembers** (*string*) -- Indicates the auto-enablement configuration of GuardDuty for the member accounts in the organization. You must provide a value for either "autoEnableOrganizationMembers" or "autoEnable". 
Use one of the following configuration values for "autoEnableOrganizationMembers": * "NEW": Indicates that when a new account joins the organization, they will have GuardDuty enabled automatically. * "ALL": Indicates that all accounts in the organization have GuardDuty enabled automatically. This includes "NEW" accounts that join the organization and accounts that may have been suspended or removed from the organization in GuardDuty. It may take up to 24 hours to update the configuration for all the member accounts. * "NONE": Indicates that GuardDuty will not be automatically enabled for any account in the organization. The administrator must manage GuardDuty for each account in the organization individually. When you update the auto-enable setting from "ALL" or "NEW" to "NONE", this action doesn't disable the corresponding option for your existing accounts. This configuration will apply to the new accounts that join the organization. After you update the auto-enable settings, no new account will have the corresponding option as enabled. Return type: dict Returns: **Response Syntax** {} **Response Structure** * *(dict) --* **Exceptions** * "GuardDuty.Client.exceptions.BadRequestException" * "GuardDuty.Client.exceptions.InternalServerErrorException" GuardDuty / Client / stop_monitoring_members stop_monitoring_members *********************** GuardDuty.Client.stop_monitoring_members(**kwargs) Stops GuardDuty monitoring for the specified member accounts. Use the "StartMonitoringMembers" operation to restart monitoring for those accounts. With "autoEnableOrganizationMembers" configuration for your organization set to "ALL", you'll receive an error if you attempt to stop monitoring the member accounts in your organization. 
See also: AWS API Documentation **Request Syntax** response = client.stop_monitoring_members( DetectorId='string', AccountIds=[ 'string', ] ) Parameters: * **DetectorId** (*string*) -- **[REQUIRED]** The unique ID of the detector associated with the GuardDuty administrator account that is monitoring member accounts. To find the "detectorId" in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API. * **AccountIds** (*list*) -- **[REQUIRED]** A list of account IDs for the member accounts to stop monitoring. * *(string) --* Return type: dict Returns: **Response Syntax** { 'UnprocessedAccounts': [ { 'AccountId': 'string', 'Result': 'string' }, ] } **Response Structure** * *(dict) --* * **UnprocessedAccounts** *(list) --* A list of objects that contain an accountId for each account that could not be processed, and a result string that indicates why the account was not processed. * *(dict) --* Contains information about the accounts that weren't processed. * **AccountId** *(string) --* The Amazon Web Services account ID. * **Result** *(string) --* A reason why the account hasn't been processed. **Exceptions** * "GuardDuty.Client.exceptions.BadRequestException" * "GuardDuty.Client.exceptions.InternalServerErrorException" GuardDuty / Client / get_ip_set get_ip_set ********** GuardDuty.Client.get_ip_set(**kwargs) Retrieves the IPSet specified by the "ipSetId". See also: AWS API Documentation **Request Syntax** response = client.get_ip_set( DetectorId='string', IpSetId='string' ) Parameters: * **DetectorId** (*string*) -- **[REQUIRED]** The unique ID of the detector that is associated with the IPSet. To find the "detectorId" in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API. * **IpSetId** (*string*) -- **[REQUIRED]** The unique ID of the IPSet to retrieve. 
Return type: dict Returns: **Response Syntax** { 'Name': 'string', 'Format': 'TXT'|'STIX'|'OTX_CSV'|'ALIEN_VAULT'|'PROOF_POINT'|'FIRE_EYE', 'Location': 'string', 'Status': 'INACTIVE'|'ACTIVATING'|'ACTIVE'|'DEACTIVATING'|'ERROR'|'DELETE_PENDING'|'DELETED', 'Tags': { 'string': 'string' }, 'ExpectedBucketOwner': 'string' } **Response Structure** * *(dict) --* * **Name** *(string) --* The user-friendly name for the IPSet. * **Format** *(string) --* The format of the file that contains the IPSet. * **Location** *(string) --* The URI of the file that contains the IPSet. * **Status** *(string) --* The status of IPSet file that was uploaded. * **Tags** *(dict) --* The tags of the IPSet resource. * *(string) --* * *(string) --* * **ExpectedBucketOwner** *(string) --* The Amazon Web Services account ID that owns the Amazon S3 bucket specified in the **location** parameter. This field appears in the response only if it was provided during IPSet creation or update. **Exceptions** * "GuardDuty.Client.exceptions.BadRequestException" * "GuardDuty.Client.exceptions.InternalServerErrorException" GuardDuty / Client / list_malware_protection_plans list_malware_protection_plans ***************************** GuardDuty.Client.list_malware_protection_plans(**kwargs) Lists the Malware Protection plan IDs associated with the protected resources in your Amazon Web Services account. See also: AWS API Documentation **Request Syntax** response = client.list_malware_protection_plans( NextToken='string' ) Parameters: **NextToken** (*string*) -- You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of "NextToken" from the previous response to continue listing data. 
Return type: dict Returns: **Response Syntax** { 'MalwareProtectionPlans': [ { 'MalwareProtectionPlanId': 'string' }, ], 'NextToken': 'string' } **Response Structure** * *(dict) --* * **MalwareProtectionPlans** *(list) --* A list of unique identifiers associated with each Malware Protection plan. * *(dict) --* Information about the Malware Protection plan resource. * **MalwareProtectionPlanId** *(string) --* A unique identifier associated with Malware Protection plan. * **NextToken** *(string) --* You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of "NextToken" from the previous response to continue listing data. **Exceptions** * "GuardDuty.Client.exceptions.BadRequestException" * "GuardDuty.Client.exceptions.AccessDeniedException" * "GuardDuty.Client.exceptions.InternalServerErrorException" GuardDuty / Client / list_organization_admin_accounts list_organization_admin_accounts ******************************** GuardDuty.Client.list_organization_admin_accounts(**kwargs) Lists the accounts designated as GuardDuty delegated administrators. Only the organization's management account can run this API operation. See also: AWS API Documentation **Request Syntax** response = client.list_organization_admin_accounts( MaxResults=123, NextToken='string' ) Parameters: * **MaxResults** (*integer*) -- The maximum number of results to return in the response. * **NextToken** (*string*) -- A token to use for paginating results that are returned in the response. Set the value of this parameter to null for the first request to a list action. For subsequent calls, use the "NextToken" value returned from the previous request to continue listing results after the first page. 
Return type: dict Returns: **Response Syntax** { 'AdminAccounts': [ { 'AdminAccountId': 'string', 'AdminStatus': 'ENABLED'|'DISABLE_IN_PROGRESS' }, ], 'NextToken': 'string' } **Response Structure** * *(dict) --* * **AdminAccounts** *(list) --* A list of accounts configured as GuardDuty delegated administrators. * *(dict) --* The account within the organization specified as the GuardDuty delegated administrator. * **AdminAccountId** *(string) --* The Amazon Web Services account ID for the account. * **AdminStatus** *(string) --* Indicates whether the account is enabled as the delegated administrator. * **NextToken** *(string) --* The pagination parameter to be used on the next list operation to retrieve more items. **Exceptions** * "GuardDuty.Client.exceptions.BadRequestException" * "GuardDuty.Client.exceptions.InternalServerErrorException" GuardDuty / Client / get_remaining_free_trial_days get_remaining_free_trial_days ***************************** GuardDuty.Client.get_remaining_free_trial_days(**kwargs) Provides the number of days left for each data source used in the free trial period. See also: AWS API Documentation **Request Syntax** response = client.get_remaining_free_trial_days( DetectorId='string', AccountIds=[ 'string', ] ) Parameters: * **DetectorId** (*string*) -- **[REQUIRED]** The unique ID of the detector of the GuardDuty member account. To find the "detectorId" in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API. * **AccountIds** (*list*) -- A list of account identifiers of the GuardDuty member account. 
* *(string) --* Return type: dict Returns: **Response Syntax** { 'Accounts': [ { 'AccountId': 'string', 'DataSources': { 'CloudTrail': { 'FreeTrialDaysRemaining': 123 }, 'DnsLogs': { 'FreeTrialDaysRemaining': 123 }, 'FlowLogs': { 'FreeTrialDaysRemaining': 123 }, 'S3Logs': { 'FreeTrialDaysRemaining': 123 }, 'Kubernetes': { 'AuditLogs': { 'FreeTrialDaysRemaining': 123 } }, 'MalwareProtection': { 'ScanEc2InstanceWithFindings': { 'FreeTrialDaysRemaining': 123 } } }, 'Features': [ { 'Name': 'FLOW_LOGS'|'CLOUD_TRAIL'|'DNS_LOGS'|'S3_DATA_EVENTS'|'EKS_AUDIT_LOGS'|'EBS_MALWARE_PROTECTION'|'RDS_LOGIN_EVENTS'|'EKS_RUNTIME_MONITORING'|'LAMBDA_NETWORK_LOGS'|'FARGATE_RUNTIME_MONITORING'|'EC2_RUNTIME_MONITORING', 'FreeTrialDaysRemaining': 123 }, ] }, ], 'UnprocessedAccounts': [ { 'AccountId': 'string', 'Result': 'string' }, ] } **Response Structure** * *(dict) --* * **Accounts** *(list) --* The member accounts which were included in a request and were processed successfully. * *(dict) --* Provides details of the GuardDuty member account that uses a free trial service. * **AccountId** *(string) --* The account identifier of the GuardDuty member account. * **DataSources** *(dict) --* Describes the data source enabled for the GuardDuty member account. * **CloudTrail** *(dict) --* Describes whether any Amazon Web Services CloudTrail management event logs are enabled as data sources. * **FreeTrialDaysRemaining** *(integer) --* A value that specifies the number of days left to use each enabled data source. * **DnsLogs** *(dict) --* Describes whether any DNS logs are enabled as data sources. * **FreeTrialDaysRemaining** *(integer) --* A value that specifies the number of days left to use each enabled data source. * **FlowLogs** *(dict) --* Describes whether any VPC Flow logs are enabled as data sources. * **FreeTrialDaysRemaining** *(integer) --* A value that specifies the number of days left to use each enabled data source. 
* **S3Logs** *(dict) --* Describes whether any S3 data event logs are enabled as data sources. * **FreeTrialDaysRemaining** *(integer) --* A value that specifies the number of days left to use each enabled data source. * **Kubernetes** *(dict) --* Describes whether any Kubernetes logs are enabled as data sources. * **AuditLogs** *(dict) --* Describes whether Kubernetes audit logs are enabled as a data source. * **FreeTrialDaysRemaining** *(integer) --* A value that specifies the number of days left to use each enabled data source. * **MalwareProtection** *(dict) --* Describes whether Malware Protection is enabled as a data source. * **ScanEc2InstanceWithFindings** *(dict) --* Describes whether Malware Protection for EC2 instances with findings is enabled as a data source. * **FreeTrialDaysRemaining** *(integer) --* A value that specifies the number of days left to use each enabled data source. * **Features** *(list) --* A list of features enabled for the GuardDuty account. * *(dict) --* Contains information about the free trial period for a feature. * **Name** *(string) --* The name of the feature for which the free trial is configured. * **FreeTrialDaysRemaining** *(integer) --* The number of the remaining free trial days for the feature. * **UnprocessedAccounts** *(list) --* The member account that was included in a request but for which the request could not be processed. * *(dict) --* Contains information about the accounts that weren't processed. * **AccountId** *(string) --* The Amazon Web Services account ID. * **Result** *(string) --* A reason why the account hasn't been processed. **Exceptions** * "GuardDuty.Client.exceptions.BadRequestException" * "GuardDuty.Client.exceptions.InternalServerErrorException" GuardDuty / Client / decline_invitations decline_invitations ******************* GuardDuty.Client.decline_invitations(**kwargs) Declines invitations sent to the current member account by Amazon Web Services accounts specified by their account IDs. 
See also: AWS API Documentation **Request Syntax** response = client.decline_invitations( AccountIds=[ 'string', ] ) Parameters: **AccountIds** (*list*) -- **[REQUIRED]** A list of account IDs of the Amazon Web Services accounts that sent invitations to the current member account that you want to decline invitations from. * *(string) --* Return type: dict Returns: **Response Syntax** { 'UnprocessedAccounts': [ { 'AccountId': 'string', 'Result': 'string' }, ] } **Response Structure** * *(dict) --* * **UnprocessedAccounts** *(list) --* A list of objects that contain the unprocessed account and a result string that explains why it was unprocessed. * *(dict) --* Contains information about the accounts that weren't processed. * **AccountId** *(string) --* The Amazon Web Services account ID. * **Result** *(string) --* A reason why the account hasn't been processed. **Exceptions** * "GuardDuty.Client.exceptions.BadRequestException" * "GuardDuty.Client.exceptions.InternalServerErrorException" GuardDuty / Client / create_detector create_detector *************** GuardDuty.Client.create_detector(**kwargs) Creates a single GuardDuty detector. A detector is a resource that represents the GuardDuty service. To start using GuardDuty, you must create a detector in each Region where you enable the service. You can have only one detector per account per Region. All data sources are enabled in a new detector by default. * When you don't specify any "features", with an exception to "RUNTIME_MONITORING", all the optional features are enabled by default. * When you specify some of the "features", any feature that is not specified in the API call gets enabled by default, with an exception to "RUNTIME_MONITORING". Specifying both EKS Runtime Monitoring ( "EKS_RUNTIME_MONITORING") and Runtime Monitoring ( "RUNTIME_MONITORING") will cause an error. You can add only one of these two features because Runtime Monitoring already includes the threat detection for Amazon EKS resources. 
For more information, see Runtime Monitoring. There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints. See also: AWS API Documentation **Request Syntax** response = client.create_detector( Enable=True|False, ClientToken='string', FindingPublishingFrequency='FIFTEEN_MINUTES'|'ONE_HOUR'|'SIX_HOURS', DataSources={ 'S3Logs': { 'Enable': True|False }, 'Kubernetes': { 'AuditLogs': { 'Enable': True|False } }, 'MalwareProtection': { 'ScanEc2InstanceWithFindings': { 'EbsVolumes': True|False } } }, Tags={ 'string': 'string' }, Features=[ { 'Name': 'S3_DATA_EVENTS'|'EKS_AUDIT_LOGS'|'EBS_MALWARE_PROTECTION'|'RDS_LOGIN_EVENTS'|'EKS_RUNTIME_MONITORING'|'LAMBDA_NETWORK_LOGS'|'RUNTIME_MONITORING', 'Status': 'ENABLED'|'DISABLED', 'AdditionalConfiguration': [ { 'Name': 'EKS_ADDON_MANAGEMENT'|'ECS_FARGATE_AGENT_MANAGEMENT'|'EC2_AGENT_MANAGEMENT', 'Status': 'ENABLED'|'DISABLED' }, ] }, ] ) Parameters: * **Enable** (*boolean*) -- **[REQUIRED]** A Boolean value that specifies whether the detector is to be enabled. * **ClientToken** (*string*) -- The idempotency token for the create request. This field is autopopulated if not provided. * **FindingPublishingFrequency** (*string*) -- A value that specifies how frequently updated findings are exported. * **DataSources** (*dict*) -- Describes which data sources will be enabled for the detector. There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints. * **S3Logs** *(dict) --* Describes whether S3 data event logs are enabled as a data source. * **Enable** *(boolean) --* **[REQUIRED]** The status of S3 data event logs as a data source. * **Kubernetes** *(dict) --* Describes whether any Kubernetes logs are enabled as data sources. 
* **AuditLogs** *(dict) --* **[REQUIRED]** The status of Kubernetes audit logs as a data source. * **Enable** *(boolean) --* **[REQUIRED]** The status of Kubernetes audit logs as a data source. * **MalwareProtection** *(dict) --* Describes whether Malware Protection is enabled as a data source. * **ScanEc2InstanceWithFindings** *(dict) --* Describes the configuration of Malware Protection for EC2 instances with findings. * **EbsVolumes** *(boolean) --* Describes the configuration for scanning EBS volumes as data source. * **Tags** (*dict*) -- The tags to be added to a new detector resource. * *(string) --* * *(string) --* * **Features** (*list*) -- A list of features that will be configured for the detector. * *(dict) --* Contains information about a GuardDuty feature. Specifying both EKS Runtime Monitoring ( "EKS_RUNTIME_MONITORING") and Runtime Monitoring ( "RUNTIME_MONITORING") will cause an error. You can add only one of these two features because Runtime Monitoring already includes the threat detection for Amazon EKS resources. For more information, see Runtime Monitoring. * **Name** *(string) --* The name of the feature. * **Status** *(string) --* The status of the feature. * **AdditionalConfiguration** *(list) --* Additional configuration for a resource. * *(dict) --* Information about the additional configuration for a feature in your GuardDuty account. * **Name** *(string) --* Name of the additional configuration. * **Status** *(string) --* Status of the additional configuration. Return type: dict Returns: **Response Syntax** { 'DetectorId': 'string', 'UnprocessedDataSources': { 'MalwareProtection': { 'ScanEc2InstanceWithFindings': { 'EbsVolumes': { 'Status': 'ENABLED'|'DISABLED', 'Reason': 'string' } }, 'ServiceRole': 'string' } } } **Response Structure** * *(dict) --* * **DetectorId** *(string) --* The unique ID of the created detector. 
* **UnprocessedDataSources** *(dict) --* Specifies the data sources that couldn't be enabled when GuardDuty was enabled for the first time. * **MalwareProtection** *(dict) --* An object that contains information on the status of all Malware Protection data sources. * **ScanEc2InstanceWithFindings** *(dict) --* Describes the configuration of Malware Protection for EC2 instances with findings. * **EbsVolumes** *(dict) --* Describes the configuration of scanning EBS volumes as a data source. * **Status** *(string) --* Describes whether scanning EBS volumes is enabled as a data source. * **Reason** *(string) --* Specifies the reason why scanning EBS volumes (Malware Protection) was not enabled as a data source. * **ServiceRole** *(string) --* The GuardDuty Malware Protection service role. **Exceptions** * "GuardDuty.Client.exceptions.BadRequestException" * "GuardDuty.Client.exceptions.InternalServerErrorException" GuardDuty / Client / list_coverage list_coverage ************* GuardDuty.Client.list_coverage(**kwargs) Lists coverage details for your GuardDuty account. If you're a GuardDuty administrator, you can retrieve all resources associated with the active member accounts in your organization. Make sure the accounts have Runtime Monitoring enabled and GuardDuty agent running on their resources. 
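Both create_detector and update_organization_configuration above reject a Features list that names EKS_RUNTIME_MONITORING and RUNTIME_MONITORING together, and update_organization_configuration additionally requires exactly one of AutoEnable and AutoEnableOrganizationMembers. The following is an added example, not boto3 or GuardDuty code: plain Python that assembles the keyword arguments for either call from one shared validator, so a misconfigured request fails locally before it reaches the API. The helper names (build_create_detector_request, build_org_configuration_request, runtime_monitoring_feature, validation_error) are this example's own, and the rule that AdditionalConfiguration is accepted on either runtime feature is the example's conservative reading of the reference.

```python
"""Build and validate kwargs for GuardDuty create_detector / update_organization_configuration.

Added example, not boto3 code: nothing here calls AWS; it only applies the
constraints stated in the API reference and returns the request dict.
"""

FEATURE_NAMES = {
    "S3_DATA_EVENTS", "EKS_AUDIT_LOGS", "EBS_MALWARE_PROTECTION", "RDS_LOGIN_EVENTS",
    "EKS_RUNTIME_MONITORING", "LAMBDA_NETWORK_LOGS", "RUNTIME_MONITORING",
}
RUNTIME_PAIR = {"EKS_RUNTIME_MONITORING", "RUNTIME_MONITORING"}   # mutually exclusive
RUNTIME_ADDITIONAL = ("EKS_ADDON_MANAGEMENT", "ECS_FARGATE_AGENT_MANAGEMENT", "EC2_AGENT_MANAGEMENT")
ORG_AUTO_ENABLE = {"NEW", "ALL", "NONE"}      # Features[].AutoEnable / AutoEnableOrganizationMembers
DETECTOR_STATUS = {"ENABLED", "DISABLED"}     # Features[].Status on create_detector
PUBLISHING_FREQUENCIES = {"FIFTEEN_MINUTES", "ONE_HOUR", "SIX_HOURS"}


def _validate_features(features, value_key, allowed_values):
    """Checks shared by both operations.

    value_key is "Status" for create_detector and "AutoEnable" for
    update_organization_configuration; names and the EKS/Runtime exclusion are common.
    """
    names = [f["Name"] for f in features]
    unknown = set(names) - FEATURE_NAMES
    if unknown:
        raise ValueError(f"unknown feature name(s): {sorted(unknown)}")
    if len(names) != len(set(names)):
        raise ValueError("each feature may appear only once")
    if RUNTIME_PAIR <= set(names):
        # Runtime Monitoring already covers EKS; the API errors on the pair.
        raise ValueError("specify only one of EKS_RUNTIME_MONITORING and RUNTIME_MONITORING")
    for feature in features:
        if feature.get(value_key) not in allowed_values:
            raise ValueError(f"{feature['Name']}: {value_key} must be one of {sorted(allowed_values)}")
        for extra in feature.get("AdditionalConfiguration", []):
            # The reference ties AdditionalConfiguration to the Runtime Monitoring plan;
            # accepting it on either runtime feature is this example's own reading.
            if feature["Name"] not in RUNTIME_PAIR:
                raise ValueError(f"{feature['Name']} takes no AdditionalConfiguration")
            if extra.get("Name") not in RUNTIME_ADDITIONAL:
                raise ValueError(f"unknown additional configuration: {extra.get('Name')}")
            if extra.get(value_key) not in allowed_values:
                raise ValueError(f"{extra['Name']}: {value_key} must be one of {sorted(allowed_values)}")


def runtime_monitoring_feature(value_key, value):
    """RUNTIME_MONITORING with all three agent-management settings set to `value`."""
    return {"Name": "RUNTIME_MONITORING", value_key: value,
            "AdditionalConfiguration": [{"Name": n, value_key: value} for n in RUNTIME_ADDITIONAL]}


def build_create_detector_request(*, enable=True, publishing_frequency="FIFTEEN_MINUTES",
                                  features=None, tags=None):
    """kwargs for client.create_detector(**...).

    Unspecified features are enabled by default except RUNTIME_MONITORING, so a caller
    who wants runtime coverage must list it explicitly (see runtime_monitoring_feature).
    """
    if publishing_frequency not in PUBLISHING_FREQUENCIES:
        raise ValueError(f"FindingPublishingFrequency must be one of {sorted(PUBLISHING_FREQUENCIES)}")
    features = list(features or [])
    _validate_features(features, "Status", DETECTOR_STATUS)
    request = {"Enable": bool(enable), "FindingPublishingFrequency": publishing_frequency}
    if features:
        request["Features"] = features
    if tags:
        request["Tags"] = dict(tags)
    return request


def build_org_configuration_request(detector_id, *, auto_enable_members=None,
                                    auto_enable=None, features=None):
    """kwargs for client.update_organization_configuration(**...).

    Exactly one of AutoEnableOrganizationMembers (preferred) and the legacy boolean
    AutoEnable must be supplied, as the reference requires.
    """
    if (auto_enable_members is None) == (auto_enable is None):
        raise ValueError("provide exactly one of auto_enable_members and auto_enable")
    features = list(features or [])
    _validate_features(features, "AutoEnable", ORG_AUTO_ENABLE)
    request = {"DetectorId": detector_id}
    if auto_enable_members is not None:
        if auto_enable_members not in ORG_AUTO_ENABLE:
            raise ValueError(f"AutoEnableOrganizationMembers must be one of {sorted(ORG_AUTO_ENABLE)}")
        request["AutoEnableOrganizationMembers"] = auto_enable_members
    else:
        request["AutoEnable"] = bool(auto_enable)
    if features:
        request["Features"] = features
    return request


def validation_error(builder, *args, **kwargs):
    """Return the ValueError message a builder raises for the input, or None if accepted."""
    try:
        builder(*args, **kwargs)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Organisation-wide baseline: every current and future member gets Runtime Monitoring
    # with GuardDuty-managed agents on EKS, Fargate and EC2 ("detector-id-placeholder" is not real).
    print(build_org_configuration_request("detector-id-placeholder", auto_enable_members="ALL",
                                          features=[runtime_monitoring_feature("AutoEnable", "ALL")]))
```

Pass the returned dict straight to the matching boto3 call, e.g. `client.update_organization_configuration(**request)`.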
See also: AWS API Documentation **Request Syntax** response = client.list_coverage( DetectorId='string', NextToken='string', MaxResults=123, FilterCriteria={ 'FilterCriterion': [ { 'CriterionKey': 'ACCOUNT_ID'|'CLUSTER_NAME'|'RESOURCE_TYPE'|'COVERAGE_STATUS'|'ADDON_VERSION'|'MANAGEMENT_TYPE'|'EKS_CLUSTER_NAME'|'ECS_CLUSTER_NAME'|'AGENT_VERSION'|'INSTANCE_ID'|'CLUSTER_ARN', 'FilterCondition': { 'Equals': [ 'string', ], 'NotEquals': [ 'string', ] } }, ] }, SortCriteria={ 'AttributeName': 'ACCOUNT_ID'|'CLUSTER_NAME'|'COVERAGE_STATUS'|'ISSUE'|'ADDON_VERSION'|'UPDATED_AT'|'EKS_CLUSTER_NAME'|'ECS_CLUSTER_NAME'|'INSTANCE_ID', 'OrderBy': 'ASC'|'DESC' } ) Parameters: * **DetectorId** (*string*) -- **[REQUIRED]** The unique ID of the detector whose coverage details you want to retrieve. To find the "detectorId" in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API. * **NextToken** (*string*) -- A token to use for paginating results that are returned in the response. Set the value of this parameter to null for the first request to a list action. For subsequent calls, use the NextToken value returned from the previous request to continue listing results after the first page. * **MaxResults** (*integer*) -- The maximum number of results to return in the response. * **FilterCriteria** (*dict*) -- Represents the criteria used to filter the coverage details. * **FilterCriterion** *(list) --* Represents a condition that when matched will be added to the response of the operation. * *(dict) --* Represents a condition that when matched will be added to the response of the operation. * **CriterionKey** *(string) --* An enum value representing possible filter fields. Note: Replace the enum value "CLUSTER_NAME" with "EKS_CLUSTER_NAME". "CLUSTER_NAME" has been deprecated. * **FilterCondition** *(dict) --* Contains information about the condition. 
* **Equals** *(list) --* Represents an equal condition that is applied to a single field while retrieving the coverage details. * *(string) --* * **NotEquals** *(list) --* Represents a not equal condition that is applied to a single field while retrieving the coverage details. * *(string) --* * **SortCriteria** (*dict*) -- Represents the criteria used to sort the coverage details. * **AttributeName** *(string) --* Represents the field name used to sort the coverage details. Note: Replace the enum value "CLUSTER_NAME" with "EKS_CLUSTER_NAME". "CLUSTER_NAME" has been deprecated. * **OrderBy** *(string) --* The order in which the sorted findings are to be displayed. Return type: dict Returns: **Response Syntax** { 'Resources': [ { 'ResourceId': 'string', 'DetectorId': 'string', 'AccountId': 'string', 'ResourceDetails': { 'EksClusterDetails': { 'ClusterName': 'string', 'CoveredNodes': 123, 'CompatibleNodes': 123, 'AddonDetails': { 'AddonVersion': 'string', 'AddonStatus': 'string' }, 'ManagementType': 'AUTO_MANAGED'|'MANUAL'|'DISABLED' }, 'ResourceType': 'EKS'|'ECS'|'EC2', 'EcsClusterDetails': { 'ClusterName': 'string', 'FargateDetails': { 'Issues': [ 'string', ], 'ManagementType': 'AUTO_MANAGED'|'MANUAL'|'DISABLED' }, 'ContainerInstanceDetails': { 'CoveredContainerInstances': 123, 'CompatibleContainerInstances': 123 } }, 'Ec2InstanceDetails': { 'InstanceId': 'string', 'InstanceType': 'string', 'ClusterArn': 'string', 'AgentDetails': { 'Version': 'string' }, 'ManagementType': 'AUTO_MANAGED'|'MANUAL'|'DISABLED' } }, 'CoverageStatus': 'HEALTHY'|'UNHEALTHY', 'Issue': 'string', 'UpdatedAt': datetime(2015, 1, 1) }, ], 'NextToken': 'string' } **Response Structure** * *(dict) --* * **Resources** *(list) --* A list of resources and their attributes providing cluster details. * *(dict) --* Information about the resource of the GuardDuty account. * **ResourceId** *(string) --* The unique ID of the resource. 
         * **DetectorId** *(string) --* The unique ID of the GuardDuty detector associated with the resource.

         * **AccountId** *(string) --* The unique ID of the Amazon Web Services account.

         * **ResourceDetails** *(dict) --* Information about the resource for which the coverage statistics are retrieved.

           * **EksClusterDetails** *(dict) --* EKS cluster details involved in the coverage statistics.

             * **ClusterName** *(string) --* Name of the EKS cluster.

             * **CoveredNodes** *(integer) --* Represents the nodes within the EKS cluster that have a "HEALTHY" coverage status.

             * **CompatibleNodes** *(integer) --* Represents all the nodes within the EKS cluster in your account.

             * **AddonDetails** *(dict) --* Information about the installed EKS add-on.

               * **AddonVersion** *(string) --* Version of the installed EKS add-on.

               * **AddonStatus** *(string) --* Status of the installed EKS add-on.

             * **ManagementType** *(string) --* Indicates how the Amazon EKS add-on GuardDuty agent is managed for this EKS cluster. "AUTO_MANAGED" indicates that GuardDuty deploys and manages updates for this resource. "MANUAL" indicates that you are responsible for deploying, updating, and managing the Amazon EKS add-on GuardDuty agent for this resource.

           * **ResourceType** *(string) --* The type of Amazon Web Services resource.

           * **EcsClusterDetails** *(dict) --* Information about the Amazon ECS cluster that is assessed for runtime coverage.

             * **ClusterName** *(string) --* The name of the Amazon ECS cluster.

             * **FargateDetails** *(dict) --* Information about the Fargate details associated with the Amazon ECS cluster.

               * **Issues** *(list) --* Runtime coverage issues identified for the resource running on Amazon Web Services Fargate.

                 * *(string) --*

               * **ManagementType** *(string) --* Indicates how the GuardDuty security agent is managed for this resource.

                 * "AUTO_MANAGED" indicates that GuardDuty deploys and manages updates for this resource.
                 * "DISABLED" indicates that the deployment of the GuardDuty security agent is disabled for this resource.

                 Note: The "MANUAL" status doesn't apply to Amazon Web Services Fargate (Amazon ECS only) workloads.

             * **ContainerInstanceDetails** *(dict) --* Information about the Amazon ECS container running on an Amazon EC2 instance.

               * **CoveredContainerInstances** *(integer) --* Represents the nodes in the Amazon ECS cluster that have a "HEALTHY" coverage status.

               * **CompatibleContainerInstances** *(integer) --* Represents the total number of nodes in the Amazon ECS cluster.

           * **Ec2InstanceDetails** *(dict) --* Information about the Amazon EC2 instance assessed for runtime coverage.

             * **InstanceId** *(string) --* The Amazon EC2 instance ID.

             * **InstanceType** *(string) --* The instance type of the Amazon EC2 instance.

             * **ClusterArn** *(string) --* The cluster ARN of the Amazon ECS cluster running on the Amazon EC2 instance.

             * **AgentDetails** *(dict) --* Information about the installed security agent.

               * **Version** *(string) --* Version of the installed GuardDuty security agent.

             * **ManagementType** *(string) --* Indicates how the GuardDuty security agent is managed for this resource.

               * "AUTO_MANAGED" indicates that GuardDuty deploys and manages updates for this resource.

               * "MANUAL" indicates that you are responsible for deploying, updating, and managing the GuardDuty security agent for this resource.

               Note: The "DISABLED" status doesn't apply to Amazon EC2 instances and Amazon EKS clusters.

         * **CoverageStatus** *(string) --* Represents the status of the EKS cluster coverage.

         * **Issue** *(string) --* Represents the reason why a coverage status was "UNHEALTHY" for the EKS cluster.

         * **UpdatedAt** *(datetime) --* The timestamp at which the coverage details for the resource were last updated. This is in UTC format.

     * **NextToken** *(string) --* The pagination parameter to be used on the next list operation to retrieve more items.
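The following is an added example for the list_coverage operation described above; it is not part of the boto3 documentation or of the GuardDuty service. It pages through list_coverage with a COVERAGE_STATUS filter, follows NextToken until the listing is exhausted, and groups the UNHEALTHY resources with their reported Issue by resource type, which is the view a defender needs to know where the runtime agent has silently stopped reporting. The client is passed in as a parameter so the code runs offline against the constructed FakeGuardDutyClient below (which honours only the COVERAGE_STATUS filter, MaxResults and NextToken); with real credentials you would pass boto3.client('guardduty') instead. Every detector ID, instance ID, cluster ARN and account number here is a constructed sample value.

```python
from collections import defaultdict


def unhealthy_coverage(client, detector_id, page_size=50):
    """Return {resource_type: [(resource_id, issue), ...]} for every resource
    whose runtime coverage is UNHEALTHY, following NextToken to the end."""
    params = {
        "DetectorId": detector_id,
        "MaxResults": page_size,
        # Server-side filter: only resources whose coverage status is UNHEALTHY.
        "FilterCriteria": {
            "FilterCriterion": [
                {
                    "CriterionKey": "COVERAGE_STATUS",
                    "FilterCondition": {"Equals": ["UNHEALTHY"]},
                }
            ]
        },
        # Most recently updated first, so stale entries sort to the end.
        "SortCriteria": {"AttributeName": "UPDATED_AT", "OrderBy": "DESC"},
    }
    report = defaultdict(list)
    while True:
        resp = client.list_coverage(**params)
        for res in resp.get("Resources", []):
            # Re-check the status rather than trusting the filter alone.
            if res.get("CoverageStatus") != "UNHEALTHY":
                continue
            rtype = res.get("ResourceDetails", {}).get("ResourceType", "UNKNOWN")
            report[rtype].append((res["ResourceId"], res.get("Issue", "")))
        token = resp.get("NextToken")
        if not token:  # no token means this was the last page
            break
        params["NextToken"] = token
    return dict(report)


class FakeGuardDutyClient:
    """Constructed stand-in for boto3.client('guardduty') so the example runs
    offline. Only the COVERAGE_STATUS Equals filter, MaxResults and NextToken
    are honoured; all other request fields are ignored."""

    # Constructed sample coverage records (not real resources).
    SAMPLE_RESOURCES = [
        {"ResourceId": "i-0aaa111122223333a", "CoverageStatus": "UNHEALTHY",
         "Issue": "Agent not reporting",
         "ResourceDetails": {"ResourceType": "EC2"}},
        {"ResourceId": "arn:aws:eks:us-east-1:123456789012:cluster/prod",
         "CoverageStatus": "HEALTHY", "Issue": "",
         "ResourceDetails": {"ResourceType": "EKS"}},
        {"ResourceId": "arn:aws:eks:us-east-1:123456789012:cluster/staging",
         "CoverageStatus": "UNHEALTHY", "Issue": "Add-on version not supported",
         "ResourceDetails": {"ResourceType": "EKS"}},
        {"ResourceId": "i-0bbb444455556666b", "CoverageStatus": "UNHEALTHY",
         "Issue": "Agent version out of date",
         "ResourceDetails": {"ResourceType": "EC2"}},
    ]

    def __init__(self):
        self.calls = []  # every request dict, for inspection

    def list_coverage(self, **kwargs):
        self.calls.append(kwargs)
        wanted = None
        for crit in kwargs.get("FilterCriteria", {}).get("FilterCriterion", []):
            if crit["CriterionKey"] == "COVERAGE_STATUS":
                wanted = set(crit["FilterCondition"].get("Equals", []))
        rows = [r for r in self.SAMPLE_RESOURCES
                if wanted is None or r["CoverageStatus"] in wanted]
        # The page token is simply the offset of the next row.
        start = int(kwargs.get("NextToken") or 0)
        end = start + kwargs.get("MaxResults", 50)
        page = {"Resources": rows[start:end]}
        if end < len(rows):
            page["NextToken"] = str(end)
        return page


if __name__ == "__main__":
    fake = FakeGuardDutyClient()
    # "12abc34d567e8fa901bc2d34e56789f0" is a constructed detector ID.
    for rtype, items in unhealthy_coverage(fake, "12abc34d567e8fa901bc2d34e56789f0",
                                           page_size=2).items():
        print(rtype, items)
```

With page_size=2 the fake returns three UNHEALTHY rows over two pages, so the loop issues two requests and the second carries the NextToken from the first; that is the behaviour to verify before trusting any coverage report, since a loop that drops the token silently under-reports.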
**Exceptions**

* "GuardDuty.Client.exceptions.BadRequestException"

* "GuardDuty.Client.exceptions.InternalServerErrorException"

GuardDuty / Client / close

close
*****

GuardDuty.Client.close()

Closes underlying endpoint connections.

GuardDuty / Client / start_monitoring_members

start_monitoring_members
************************

GuardDuty.Client.start_monitoring_members(**kwargs)

Turns on GuardDuty monitoring of the specified member accounts. Use this operation to restart monitoring of accounts that you stopped monitoring with the StopMonitoringMembers operation.

See also: AWS API Documentation

**Request Syntax**

   response = client.start_monitoring_members(
       DetectorId='string',
       AccountIds=[
           'string',
       ]
   )

Parameters:
   * **DetectorId** (*string*) -- **[REQUIRED]** The unique ID of the detector of the GuardDuty administrator account associated with the member accounts to monitor. To find the "detectorId" in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.

   * **AccountIds** (*list*) -- **[REQUIRED]** A list of account IDs of the GuardDuty member accounts to start monitoring.

     * *(string) --*

Return type:
   dict

Returns:
   **Response Syntax**

      {
          'UnprocessedAccounts': [
              {
                  'AccountId': 'string',
                  'Result': 'string'
              },
          ]
      }

   **Response Structure**

   * *(dict) --*

     * **UnprocessedAccounts** *(list) --* A list of objects that contain the unprocessed account and a result string that explains why it was unprocessed.

       * *(dict) --* Contains information about the accounts that weren't processed.

         * **AccountId** *(string) --* The Amazon Web Services account ID.

         * **Result** *(string) --* A reason why the account hasn't been processed.
**Exceptions**

* "GuardDuty.Client.exceptions.BadRequestException"

* "GuardDuty.Client.exceptions.InternalServerErrorException"

GuardDuty / Client / update_malware_scan_settings

update_malware_scan_settings
****************************

GuardDuty.Client.update_malware_scan_settings(**kwargs)

Updates the malware scan settings.

There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints.

See also: AWS API Documentation

**Request Syntax**

   response = client.update_malware_scan_settings(
       DetectorId='string',
       ScanResourceCriteria={
           'Include': {
               'string': {
                   'MapEquals': [
                       {
                           'Key': 'string',
                           'Value': 'string'
                       },
                   ]
               }
           },
           'Exclude': {
               'string': {
                   'MapEquals': [
                       {
                           'Key': 'string',
                           'Value': 'string'
                       },
                   ]
               }
           }
       },
       EbsSnapshotPreservation='NO_RETENTION'|'RETENTION_WITH_FINDING'
   )

Parameters:
   * **DetectorId** (*string*) -- **[REQUIRED]** The unique ID of the detector that specifies the GuardDuty service where you want to update scan settings. To find the "detectorId" in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.

   * **ScanResourceCriteria** (*dict*) -- Represents the criteria to be used in the filter for selecting resources to scan.

     * **Include** *(dict) --* Represents a condition that, when matched, will allow a malware scan for a certain resource.

       * *(string) --* An enum value representing possible resource properties to match with the given scan condition.

         * *(dict) --* Contains information about the condition.

           * **MapEquals** *(list) --* **[REQUIRED]** Represents a *mapEqual* condition to be applied to a single field when triggering a malware scan.

             * *(dict) --* Represents the "key:value" pair to be matched against the given resource property.

               * **Key** *(string) --* **[REQUIRED]** Represents the **key** in the map condition.
               * **Value** *(string) --* Represents the optional **value** in the map condition. If not specified, only the **key** will be matched.

     * **Exclude** *(dict) --* Represents a condition that, when matched, will prevent a malware scan for a certain resource.

       * *(string) --* An enum value representing possible resource properties to match with the given scan condition.

         * *(dict) --* Contains information about the condition.

           * **MapEquals** *(list) --* **[REQUIRED]** Represents a *mapEqual* condition to be applied to a single field when triggering a malware scan.

             * *(dict) --* Represents the "key:value" pair to be matched against the given resource property.

               * **Key** *(string) --* **[REQUIRED]** Represents the **key** in the map condition.

               * **Value** *(string) --* Represents the optional **value** in the map condition. If not specified, only the **key** will be matched.

   * **EbsSnapshotPreservation** (*string*) -- An enum value representing possible snapshot preservation settings.

Return type:
   dict

Returns:
   **Response Syntax**

      {}

   **Response Structure**

   * *(dict) --*

**Exceptions**

* "GuardDuty.Client.exceptions.BadRequestException"

* "GuardDuty.Client.exceptions.InternalServerErrorException"

GuardDuty / Client / get_findings_statistics

get_findings_statistics
***********************

GuardDuty.Client.get_findings_statistics(**kwargs)

Lists GuardDuty findings statistics for the specified detector ID.

You must provide either the "findingStatisticTypes" or the "groupBy" parameter, and not both. You can use the "maxResults" and "orderBy" parameters only when using "groupBy".

There might be regional differences because some flags might not be available in all the Regions where GuardDuty is currently supported. For more information, see Regions and endpoints.
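Before the get_findings_statistics request syntax, an added example for the update_malware_scan_settings operation documented above. It is not part of the boto3 documentation or of GuardDuty itself; it builds the ScanResourceCriteria argument from plain include/exclude tag rules, rejects rules that contradict each other (a tag that is both included and excluded can only produce surprising scan scope), and keeps EbsSnapshotPreservation on the setting whose name says the snapshot is retained when a finding is raised, so responders still have the volume image to examine. The resource property name "EC2_INSTANCE_TAG" is the key this example assumes for tag-based scan scoping; it is not shown on this page. The detector ID, tag keys and tag values are constructed sample values, and the client is injected so the constructed FakeGuardDutyClient can stand in for boto3.client('guardduty').

```python
# Enum values from the request syntax above: keep the EBS snapshot when a
# finding is generated (useful for incident response), or discard it.
SNAPSHOT_RETAIN = "RETENTION_WITH_FINDING"
SNAPSHOT_DISCARD = "NO_RETENTION"

# Assumed resource-property key for tag-based scan scoping (not on this page).
TAG_PROPERTY = "EC2_INSTANCE_TAG"


def conflicting_tags(include_tags, exclude_tags):
    """Tag keys that are both included and excluded in a way that can never
    be satisfied: same key:value on both sides, or a bare-key exclude (value
    None) that swallows every value of an included key."""
    return {
        key for key, value in include_tags.items()
        if key in exclude_tags and exclude_tags[key] in (None, value)
    }


def _map_equals(tags):
    """Translate {key: value_or_None} into the MapEquals list. A None value
    omits 'Value', which per the docs matches on the key alone."""
    entries = []
    for key, value in tags.items():
        entry = {"Key": key}
        if value is not None:
            entry["Value"] = value
        entries.append(entry)
    return entries


def build_scan_criteria(include_tags=None, exclude_tags=None):
    """Return the ScanResourceCriteria dict, with Include and/or Exclude
    blocks only for the rule sets that are non-empty."""
    include_tags = include_tags or {}
    exclude_tags = exclude_tags or {}
    clash = conflicting_tags(include_tags, exclude_tags)
    if clash:
        raise ValueError(f"tags both included and excluded: {sorted(clash)}")
    criteria = {}
    if include_tags:
        criteria["Include"] = {TAG_PROPERTY: {"MapEquals": _map_equals(include_tags)}}
    if exclude_tags:
        criteria["Exclude"] = {TAG_PROPERTY: {"MapEquals": _map_equals(exclude_tags)}}
    return criteria


def scan_settings_params(detector_id, include_tags=None, exclude_tags=None,
                         keep_snapshots=True):
    """Full keyword-argument dict for client.update_malware_scan_settings()."""
    return {
        "DetectorId": detector_id,
        "ScanResourceCriteria": build_scan_criteria(include_tags, exclude_tags),
        "EbsSnapshotPreservation": SNAPSHOT_RETAIN if keep_snapshots else SNAPSHOT_DISCARD,
    }


def apply_scan_settings(client, detector_id, include_tags=None, exclude_tags=None,
                        keep_snapshots=True):
    """Validate, send, and return the parameters that were sent."""
    params = scan_settings_params(detector_id, include_tags, exclude_tags, keep_snapshots)
    client.update_malware_scan_settings(**params)
    return params


class FakeGuardDutyClient:
    """Constructed stand-in for boto3.client('guardduty'); records the call."""

    def __init__(self):
        self.last_settings = None

    def update_malware_scan_settings(self, **kwargs):
        self.last_settings = kwargs
        return {}  # the real operation returns an empty dict


if __name__ == "__main__":
    fake = FakeGuardDutyClient()
    sent = apply_scan_settings(
        fake, "12abc34d567e8fa901bc2d34e56789f0",  # constructed detector ID
        include_tags={"Environment": "prod"},        # scan production instances
        exclude_tags={"GuardDutyScan": "skip"},      # unless explicitly opted out
    )
    print(sent)
```

A bare-key exclude such as {"Environment": None} together with an include of {"Environment": "prod"} is rejected, because the exclude would remove every Environment-tagged instance, including the ones the include rule was meant to cover.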
See also: AWS API Documentation

**Request Syntax**

   response = client.get_findings_statistics(
       DetectorId='string',
       FindingStatisticTypes=[
           'COUNT_BY_SEVERITY',
       ],
       FindingCriteria={
           'Criterion': {
               'string': {
                   'Eq': [
                       'string',
                   ],
                   'Neq': [
                       'string',
                   ],
                   'Gt': 123,
                   'Gte': 123,
                   'Lt': 123,
                   'Lte': 123,
                   'Equals': [
                       'string',
                   ],
                   'NotEquals': [
                       'string',
                   ],
                   'GreaterThan': 123,
                   'GreaterThanOrEqual': 123,
                   'LessThan': 123,
                   'LessThanOrEqual': 123
               }
           }
       },
       GroupBy='ACCOUNT'|'DATE'|'FINDING_TYPE'|'RESOURCE'|'SEVERITY',
       OrderBy='ASC'|'DESC',
       MaxResults=123
   )

Parameters:
   * **DetectorId** (*string*) -- **[REQUIRED]** The ID of the detector whose findings statistics you want to retrieve. To find the "detectorId" in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.

   * **FindingStatisticTypes** (*list*) -- The types of finding statistics to retrieve.

     * *(string) --*

   * **FindingCriteria** (*dict*) -- Represents the criteria that is used for querying findings.

     * **Criterion** *(dict) --* Represents a map of finding properties that match specified conditions and values when querying findings.

       * *(string) --*

         * *(dict) --* Contains information about the condition.

           * **Eq** *(list) --* Represents the *equal* condition to be applied to a single field when querying for findings.

             * *(string) --*

           * **Neq** *(list) --* Represents the *not equal* condition to be applied to a single field when querying for findings.

             * *(string) --*

           * **Gt** *(integer) --* Represents a *greater than* condition to be applied to a single field when querying for findings.

           * **Gte** *(integer) --* Represents a *greater than or equal* condition to be applied to a single field when querying for findings.

           * **Lt** *(integer) --* Represents a *less than* condition to be applied to a single field when querying for findings.

           * **Lte** *(integer) --* Represents a *less than or equal* condition to be applied to a single field when querying for findings.
           * **Equals** *(list) --* Represents an *equal* condition to be applied to a single field when querying for findings.

             * *(string) --*

           * **NotEquals** *(list) --* Represents a *not equal* condition to be applied to a single field when querying for findings.

             * *(string) --*

           * **GreaterThan** *(integer) --* Represents a *greater than* condition to be applied to a single field when querying for findings.

           * **GreaterThanOrEqual** *(integer) --* Represents a *greater than or equal* condition to be applied to a single field when querying for findings.

           * **LessThan** *(integer) --* Represents a *less than* condition to be applied to a single field when querying for findings.

           * **LessThanOrEqual** *(integer) --* Represents a *less than or equal* condition to be applied to a single field when querying for findings.

   * **GroupBy** (*string*) -- Displays the findings statistics grouped by one of the listed valid values.

   * **OrderBy** (*string*) -- Displays the sorted findings in the requested order. The default value of "orderBy" is "DESC". You can use this parameter only with the "groupBy" parameter.

   * **MaxResults** (*integer*) -- The maximum number of results to be returned in the response. The default value is 25. You can use this parameter only with the "groupBy" parameter.
Return type:
   dict

Returns:
   **Response Syntax**

      {
          'FindingStatistics': {
              'CountBySeverity': {
                  'string': 123
              },
              'GroupedByAccount': [
                  {
                      'AccountId': 'string',
                      'LastGeneratedAt': datetime(2015, 1, 1),
                      'TotalFindings': 123
                  },
              ],
              'GroupedByDate': [
                  {
                      'Date': datetime(2015, 1, 1),
                      'LastGeneratedAt': datetime(2015, 1, 1),
                      'Severity': 123.0,
                      'TotalFindings': 123
                  },
              ],
              'GroupedByFindingType': [
                  {
                      'FindingType': 'string',
                      'LastGeneratedAt': datetime(2015, 1, 1),
                      'TotalFindings': 123
                  },
              ],
              'GroupedByResource': [
                  {
                      'AccountId': 'string',
                      'LastGeneratedAt': datetime(2015, 1, 1),
                      'ResourceId': 'string',
                      'ResourceType': 'string',
                      'TotalFindings': 123
                  },
              ],
              'GroupedBySeverity': [
                  {
                      'LastGeneratedAt': datetime(2015, 1, 1),
                      'Severity': 123.0,
                      'TotalFindings': 123
                  },
              ]
          },
          'NextToken': 'string'
      }

   **Response Structure**

   * *(dict) --*

     * **FindingStatistics** *(dict) --* The finding statistics object.

       * **CountBySeverity** *(dict) --* Represents a map of severity to count statistics for a set of findings.

         * *(string) --*

           * *(integer) --*

       * **GroupedByAccount** *(list) --* Represents a list of accounts with the findings count associated with each account.

         * *(dict) --* Represents an account with the number of findings associated with it.

           * **AccountId** *(string) --* The ID of the Amazon Web Services account.

           * **LastGeneratedAt** *(datetime) --* The timestamp at which the finding for this account was last generated.

           * **TotalFindings** *(integer) --* The total number of findings associated with an account.

       * **GroupedByDate** *(list) --* Represents a list of dates with a count of total findings generated on each date per severity level.

         * *(dict) --* Represents a date with a count of total findings generated on that date.

           * **Date** *(datetime) --* The timestamp when the total findings count is observed.
             For example, "Date" would look like "2024-09-05T17:00:00-07:00" whereas "LastGeneratedAt" would look like "2024-09-05T17:12:29-07:00".

           * **LastGeneratedAt** *(datetime) --* The timestamp at which the last finding in the findings count was generated.

           * **Severity** *(float) --* The severity of the findings generated on each date.

           * **TotalFindings** *(integer) --* The total number of findings that were generated per severity level on each date.

       * **GroupedByFindingType** *(list) --* Represents a list of finding types with a count of total findings generated for each type. Based on the "orderBy" parameter, this request returns either the most occurring finding types or the least occurring finding types. If the "orderBy" parameter is "ASC", this will represent the least occurring finding types in your account; otherwise, this will represent the most occurring finding types. The default value of "orderBy" is "DESC".

         * *(dict) --* Information about each finding type associated with the "groupedByFindingType" statistics.

           * **FindingType** *(string) --* Name of the finding type.

           * **LastGeneratedAt** *(datetime) --* The timestamp at which this finding type was last generated in your environment.

           * **TotalFindings** *(integer) --* The total number of findings generated for each distinct finding type.

       * **GroupedByResource** *(list) --* Represents a list of top resources with a count of total findings.

         * *(dict) --* Information about each resource type associated with the "groupedByResource" statistics.

           * **AccountId** *(string) --* The ID of the Amazon Web Services account.

           * **LastGeneratedAt** *(datetime) --* The timestamp at which the statistics for this resource were last generated.

           * **ResourceId** *(string) --* ID associated with each resource. The following list provides the mapping of the resource type and resource ID.
             **Mapping of resource and resource ID**

             * AccessKey - "resource.accessKeyDetails.accessKeyId"

             * Container - "resource.containerDetails.id"

             * ECSCluster - "resource.ecsClusterDetails.name"

             * EKSCluster - "resource.eksClusterDetails.name"

             * Instance - "resource.instanceDetails.instanceId"

             * KubernetesCluster - "resource.kubernetesDetails.kubernetesWorkloadDetails.name"

             * Lambda - "resource.lambdaDetails.functionName"

             * RDSDBInstance - "resource.rdsDbInstanceDetails.dbInstanceIdentifier"

             * S3Bucket - "resource.s3BucketDetails.name"

             * S3Object - "resource.s3BucketDetails.name"

           * **ResourceType** *(string) --* The type of resource.

           * **TotalFindings** *(integer) --* The total number of findings associated with this resource.

       * **GroupedBySeverity** *(list) --* Represents a list of total findings for each severity level.

         * *(dict) --* Information about severity level for each finding type.

           * **LastGeneratedAt** *(datetime) --* The timestamp at which a finding type for a specific severity was last generated.

           * **Severity** *(float) --* The severity level associated with each finding type.

           * **TotalFindings** *(integer) --* The total number of findings associated with this severity.

     * **NextToken** *(string) --* The pagination parameter to be used on the next list operation to retrieve more items. This parameter is currently not supported.

**Exceptions**

* "GuardDuty.Client.exceptions.BadRequestException"

* "GuardDuty.Client.exceptions.InternalServerErrorException"

GuardDuty / Client / update_filter

update_filter
*************

GuardDuty.Client.update_filter(**kwargs)

Updates the filter specified by the filter name.
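An added example, not part of the boto3 documentation or of GuardDuty itself, of the FindingCriteria structure that get_findings_statistics (above) and update_filter and list_findings (below) all accept. It builds a criterion for unarchived findings of severity 7 or higher updated since a given time, encoding updatedAt as Unix epoch milliseconds as the list_findings documentation requires; it enforces the get_findings_statistics rule that exactly one of findingStatisticTypes or groupBy is given and that orderBy and maxResults accompany groupBy, so a malformed request fails locally rather than with a BadRequestException; and it pages through list_findings with NextToken. The client is injected so the constructed FakeGuardDutyClient (120 constructed finding IDs, pages capped at 50 like the real service) can stand in for boto3.client('guardduty'). The detector ID and helper names (utc, high_severity_criteria, findings_statistics_params, all_finding_ids) are this example's own.

```python
from datetime import datetime, timezone


def utc(*args):
    """Convenience: build a timezone-aware UTC datetime."""
    return datetime(*args, tzinfo=timezone.utc)


def epoch_millis(dt):
    """GuardDuty expects updatedAt criteria as Unix epoch milliseconds."""
    return int(dt.timestamp() * 1000)


def high_severity_criteria(since, min_severity=7, include_archived=False):
    """FindingCriteria for unarchived findings at or above min_severity that
    were updated at or after `since`. The same dict is valid for
    list_findings, get_findings_statistics and update_filter."""
    criterion = {
        "updatedAt": {"GreaterThanOrEqual": epoch_millis(since)},
        "severity": {"GreaterThanOrEqual": min_severity},
    }
    if not include_archived:
        # service.archived is matched as a string per the list_findings docs.
        criterion["service.archived"] = {"Equals": ["false"]}
    return {"Criterion": criterion}


def findings_statistics_params(detector_id, criteria, group_by=None,
                               statistic_types=None, order_by=None, max_results=None):
    """Build get_findings_statistics kwargs, enforcing the documented
    constraints before the request leaves the host."""
    if (group_by is None) == (statistic_types is None):
        raise ValueError("pass exactly one of group_by or statistic_types")
    if group_by is None and (order_by is not None or max_results is not None):
        raise ValueError("order_by and max_results are only valid with group_by")
    params = {"DetectorId": detector_id, "FindingCriteria": criteria}
    if group_by is not None:
        params["GroupBy"] = group_by
        if order_by is not None:
            params["OrderBy"] = order_by
        if max_results is not None:
            params["MaxResults"] = max_results
    else:
        params["FindingStatisticTypes"] = list(statistic_types)
    return params


def all_finding_ids(client, detector_id, criteria, page_size=50):
    """Collect every finding ID matching `criteria`, highest severity first,
    following NextToken until the service stops returning one."""
    params = {
        "DetectorId": detector_id,
        "FindingCriteria": criteria,
        "SortCriteria": {"AttributeName": "severity", "OrderBy": "DESC"},
        "MaxResults": min(page_size, 50),  # documented maximum is 50
    }
    ids = []
    while True:
        resp = client.list_findings(**params)
        ids.extend(resp.get("FindingIds", []))
        token = resp.get("NextToken")
        if not token:
            break
        params["NextToken"] = token
    return ids


class FakeGuardDutyClient:
    """Constructed stand-in for boto3.client('guardduty'): serves 120
    constructed finding IDs in pages of at most 50, keyed by NextToken."""

    FINDING_IDS = [f"{n:032x}" for n in range(1, 121)]

    def __init__(self):
        self.calls = []

    def list_findings(self, **kwargs):
        self.calls.append(kwargs)
        start = int(kwargs.get("NextToken") or 0)
        end = start + min(kwargs.get("MaxResults", 50), 50)
        page = {"FindingIds": self.FINDING_IDS[start:end]}
        if end < len(self.FINDING_IDS):
            page["NextToken"] = str(end)
        return page


if __name__ == "__main__":
    crit = high_severity_criteria(utc(2024, 9, 5, 17, 0))
    print(findings_statistics_params("12abc34d567e8fa901bc2d34e56789f0", crit,
                                     group_by="FINDING_TYPE", order_by="DESC", max_results=10))
    print(len(all_finding_ids(FakeGuardDutyClient(), "12abc34d567e8fa901bc2d34e56789f0", crit)))
```

For a triage dashboard, the GroupBy='FINDING_TYPE' statistics call gives the most frequent finding types for the same criteria, while all_finding_ids yields the IDs to feed to get_findings for detail; using one criteria dict for both keeps the two views consistent.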
See also: AWS API Documentation

**Request Syntax**

   response = client.update_filter(
       DetectorId='string',
       FilterName='string',
       Description='string',
       Action='NOOP'|'ARCHIVE',
       Rank=123,
       FindingCriteria={
           'Criterion': {
               'string': {
                   'Eq': [
                       'string',
                   ],
                   'Neq': [
                       'string',
                   ],
                   'Gt': 123,
                   'Gte': 123,
                   'Lt': 123,
                   'Lte': 123,
                   'Equals': [
                       'string',
                   ],
                   'NotEquals': [
                       'string',
                   ],
                   'GreaterThan': 123,
                   'GreaterThanOrEqual': 123,
                   'LessThan': 123,
                   'LessThanOrEqual': 123
               }
           }
       }
   )

Parameters:
   * **DetectorId** (*string*) -- **[REQUIRED]** The unique ID of the detector that specifies the GuardDuty service where you want to update a filter. To find the "detectorId" in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.

   * **FilterName** (*string*) -- **[REQUIRED]** The name of the filter.

   * **Description** (*string*) -- The description of the filter. Valid characters include alphanumeric characters, and special characters such as hyphen, period, colon, underscore, parentheses ( "{ }", "[ ]", and "( )"), forward slash, horizontal tab, vertical tab, newline, form feed, return, and whitespace.

   * **Action** (*string*) -- Specifies the action that is to be applied to the findings that match the filter.

   * **Rank** (*integer*) -- Specifies the position of the filter in the list of current filters. Also specifies the order in which this filter is applied to the findings.

   * **FindingCriteria** (*dict*) -- Represents the criteria to be used in the filter for querying findings.

     * **Criterion** *(dict) --* Represents a map of finding properties that match specified conditions and values when querying findings.

       * *(string) --*

         * *(dict) --* Contains information about the condition.

           * **Eq** *(list) --* Represents the *equal* condition to be applied to a single field when querying for findings.

             * *(string) --*

           * **Neq** *(list) --* Represents the *not equal* condition to be applied to a single field when querying for findings.
             * *(string) --*

           * **Gt** *(integer) --* Represents a *greater than* condition to be applied to a single field when querying for findings.

           * **Gte** *(integer) --* Represents a *greater than or equal* condition to be applied to a single field when querying for findings.

           * **Lt** *(integer) --* Represents a *less than* condition to be applied to a single field when querying for findings.

           * **Lte** *(integer) --* Represents a *less than or equal* condition to be applied to a single field when querying for findings.

           * **Equals** *(list) --* Represents an *equal* condition to be applied to a single field when querying for findings.

             * *(string) --*

           * **NotEquals** *(list) --* Represents a *not equal* condition to be applied to a single field when querying for findings.

             * *(string) --*

           * **GreaterThan** *(integer) --* Represents a *greater than* condition to be applied to a single field when querying for findings.

           * **GreaterThanOrEqual** *(integer) --* Represents a *greater than or equal* condition to be applied to a single field when querying for findings.

           * **LessThan** *(integer) --* Represents a *less than* condition to be applied to a single field when querying for findings.

           * **LessThanOrEqual** *(integer) --* Represents a *less than or equal* condition to be applied to a single field when querying for findings.

Return type:
   dict

Returns:
   **Response Syntax**

      {
          'Name': 'string'
      }

   **Response Structure**

   * *(dict) --*

     * **Name** *(string) --* The name of the filter.

**Exceptions**

* "GuardDuty.Client.exceptions.BadRequestException"

* "GuardDuty.Client.exceptions.InternalServerErrorException"

GuardDuty / Client / list_threat_intel_sets

list_threat_intel_sets
**********************

GuardDuty.Client.list_threat_intel_sets(**kwargs)

Lists the ThreatIntelSets of the GuardDuty service specified by the detector ID. If you use this operation from a member account, the ThreatIntelSets associated with the administrator account are returned.
See also: AWS API Documentation

**Request Syntax**

   response = client.list_threat_intel_sets(
       DetectorId='string',
       MaxResults=123,
       NextToken='string'
   )

Parameters:
   * **DetectorId** (*string*) -- **[REQUIRED]** The unique ID of the detector that is associated with the threatIntelSet. To find the "detectorId" in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.

   * **MaxResults** (*integer*) -- You can use this parameter to indicate the maximum number of items that you want in the response. The default value is 50. The maximum value is 50.

   * **NextToken** (*string*) -- You can use this parameter to paginate results in the response. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.

Return type:
   dict

Returns:
   **Response Syntax**

      {
          'ThreatIntelSetIds': [
              'string',
          ],
          'NextToken': 'string'
      }

   **Response Structure**

   * *(dict) --*

     * **ThreatIntelSetIds** *(list) --* The IDs of the ThreatIntelSet resources.

       * *(string) --*

     * **NextToken** *(string) --* The pagination parameter to be used on the next list operation to retrieve more items.

**Exceptions**

* "GuardDuty.Client.exceptions.BadRequestException"

* "GuardDuty.Client.exceptions.InternalServerErrorException"

GuardDuty / Client / list_findings

list_findings
*************

GuardDuty.Client.list_findings(**kwargs)

Lists GuardDuty findings for the specified detector ID.

There might be regional differences because some flags might not be available in all the Regions where GuardDuty is currently supported. For more information, see Regions and endpoints.
See also: AWS API Documentation

**Request Syntax**

   response = client.list_findings(
       DetectorId='string',
       FindingCriteria={
           'Criterion': {
               'string': {
                   'Eq': [
                       'string',
                   ],
                   'Neq': [
                       'string',
                   ],
                   'Gt': 123,
                   'Gte': 123,
                   'Lt': 123,
                   'Lte': 123,
                   'Equals': [
                       'string',
                   ],
                   'NotEquals': [
                       'string',
                   ],
                   'GreaterThan': 123,
                   'GreaterThanOrEqual': 123,
                   'LessThan': 123,
                   'LessThanOrEqual': 123
               }
           }
       },
       SortCriteria={
           'AttributeName': 'string',
           'OrderBy': 'ASC'|'DESC'
       },
       MaxResults=123,
       NextToken='string'
   )

Parameters:
   * **DetectorId** (*string*) -- **[REQUIRED]** The ID of the detector that specifies the GuardDuty service whose findings you want to list. To find the "detectorId" in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.

   * **FindingCriteria** (*dict*) -- Represents the criteria used for querying findings. Valid values include:

     JSON field name

     * accountId

     * region

     * confidence

     * id

     * resource.accessKeyDetails.accessKeyId

     * resource.accessKeyDetails.principalId

     * resource.accessKeyDetails.userName

     * resource.accessKeyDetails.userType

     * resource.instanceDetails.iamInstanceProfile.id

     * resource.instanceDetails.imageId

     * resource.instanceDetails.instanceId

     * resource.instanceDetails.networkInterfaces.ipv6Addresses

     * resource.instanceDetails.networkInterfaces.privateIpAddresses.privateIpAddress

     * resource.instanceDetails.networkInterfaces.publicDnsName

     * resource.instanceDetails.networkInterfaces.publicIp

     * resource.instanceDetails.networkInterfaces.securityGroups.groupId

     * resource.instanceDetails.networkInterfaces.securityGroups.groupName

     * resource.instanceDetails.networkInterfaces.subnetId

     * resource.instanceDetails.networkInterfaces.vpcId

     * resource.instanceDetails.tags.key

     * resource.instanceDetails.tags.value

     * resource.resourceType

     * service.action.actionType

     * service.action.awsApiCallAction.api

     * service.action.awsApiCallAction.callerType

     * service.action.awsApiCallAction.remoteIpDetails.city.cityName
     * service.action.awsApiCallAction.remoteIpDetails.country.countryName

     * service.action.awsApiCallAction.remoteIpDetails.ipAddressV4

     * service.action.awsApiCallAction.remoteIpDetails.organization.asn

     * service.action.awsApiCallAction.remoteIpDetails.organization.asnOrg

     * service.action.awsApiCallAction.serviceName

     * service.action.dnsRequestAction.domain

     * service.action.dnsRequestAction.domainWithSuffix

     * service.action.networkConnectionAction.blocked

     * service.action.networkConnectionAction.connectionDirection

     * service.action.networkConnectionAction.localPortDetails.port

     * service.action.networkConnectionAction.protocol

     * service.action.networkConnectionAction.remoteIpDetails.country.countryName

     * service.action.networkConnectionAction.remoteIpDetails.ipAddressV4

     * service.action.networkConnectionAction.remoteIpDetails.organization.asn

     * service.action.networkConnectionAction.remoteIpDetails.organization.asnOrg

     * service.action.networkConnectionAction.remotePortDetails.port

     * service.additionalInfo.threatListName

     * service.archived

       When this attribute is set to 'true', only archived findings are listed. When it's set to 'false', only unarchived findings are listed. When this attribute is not set, all existing findings are listed.

     * service.ebsVolumeScanDetails.scanId

     * service.resourceRole

     * severity

     * type

     * updatedAt

       Type: Timestamp in Unix Epoch millisecond format: 1486685375000

     * **Criterion** *(dict) --* Represents a map of finding properties that match specified conditions and values when querying findings.

       * *(string) --*

         * *(dict) --* Contains information about the condition.

           * **Eq** *(list) --* Represents the *equal* condition to be applied to a single field when querying for findings.

             * *(string) --*

           * **Neq** *(list) --* Represents the *not equal* condition to be applied to a single field when querying for findings.
             * *(string) --*

           * **Gt** *(integer) --* Represents a *greater than* condition to be applied to a single field when querying for findings.

           * **Gte** *(integer) --* Represents a *greater than or equal* condition to be applied to a single field when querying for findings.

           * **Lt** *(integer) --* Represents a *less than* condition to be applied to a single field when querying for findings.

           * **Lte** *(integer) --* Represents a *less than or equal* condition to be applied to a single field when querying for findings.

           * **Equals** *(list) --* Represents an *equal* condition to be applied to a single field when querying for findings.

             * *(string) --*

           * **NotEquals** *(list) --* Represents a *not equal* condition to be applied to a single field when querying for findings.

             * *(string) --*

           * **GreaterThan** *(integer) --* Represents a *greater than* condition to be applied to a single field when querying for findings.

           * **GreaterThanOrEqual** *(integer) --* Represents a *greater than or equal* condition to be applied to a single field when querying for findings.

           * **LessThan** *(integer) --* Represents a *less than* condition to be applied to a single field when querying for findings.

           * **LessThanOrEqual** *(integer) --* Represents a *less than or equal* condition to be applied to a single field when querying for findings.

   * **SortCriteria** (*dict*) -- Represents the criteria used for sorting findings.

     * **AttributeName** *(string) --* Represents the finding attribute, such as "accountId", that sorts the findings.

     * **OrderBy** *(string) --* The order by which the sorted findings are to be displayed.

   * **MaxResults** (*integer*) -- You can use this parameter to indicate the maximum number of items you want in the response. The default value is 50. The maximum value is 50.

   * **NextToken** (*string*) -- You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action.
     For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.

Return type:
   dict

Returns:
   **Response Syntax**

      {
          'FindingIds': [
              'string',
          ],
          'NextToken': 'string'
      }

   **Response Structure**

   * *(dict) --*

     * **FindingIds** *(list) --* The IDs of the findings that you're listing.

       * *(string) --*

     * **NextToken** *(string) --* The pagination parameter to be used on the next list operation to retrieve more items.

**Exceptions**

* "GuardDuty.Client.exceptions.BadRequestException"

* "GuardDuty.Client.exceptions.InternalServerErrorException"

GuardDuty / Client / tag_resource

tag_resource
************

GuardDuty.Client.tag_resource(**kwargs)

Adds tags to a resource.

See also: AWS API Documentation

**Request Syntax**

   response = client.tag_resource(
       ResourceArn='string',
       Tags={
           'string': 'string'
       }
   )

Parameters:
   * **ResourceArn** (*string*) -- **[REQUIRED]** The Amazon Resource Name (ARN) for the GuardDuty resource to apply a tag to.

   * **Tags** (*dict*) -- **[REQUIRED]** The tags to be added to a resource.

     * *(string) --*

       * *(string) --*

Return type:
   dict

Returns:
   **Response Syntax**

      {}

   **Response Structure**

   * *(dict) --*

**Exceptions**

* "GuardDuty.Client.exceptions.BadRequestException"

* "GuardDuty.Client.exceptions.AccessDeniedException"

* "GuardDuty.Client.exceptions.InternalServerErrorException"

GuardDuty / Client / start_malware_scan

start_malware_scan
******************

GuardDuty.Client.start_malware_scan(**kwargs)

Initiates the malware scan. Invoking this API will automatically create the Service-linked role in the corresponding account.

When the malware scan starts, you can use the associated scan ID to track the status of the scan. For more information, see DescribeMalwareScans.
See also: AWS API Documentation

**Request Syntax**

   response = client.start_malware_scan(
       ResourceArn='string'
   )

Parameters:
   **ResourceArn** (*string*) -- **[REQUIRED]** Amazon Resource Name (ARN) of the resource for which you invoked the API.

Return type:
   dict

Returns:
   **Response Syntax**

      {
          'ScanId': 'string'
      }

   **Response Structure**

   * *(dict) --*

     * **ScanId** *(string) --* A unique identifier that gets generated when you invoke the API without any error. Each malware scan has a corresponding scan ID. Using this scan ID, you can monitor the status of your malware scan.

**Exceptions**

* "GuardDuty.Client.exceptions.BadRequestException"

* "GuardDuty.Client.exceptions.ConflictException"

* "GuardDuty.Client.exceptions.InternalServerErrorException"

GuardDuty / Client / accept_invitation

accept_invitation
*****************

GuardDuty.Client.accept_invitation(**kwargs)

Accepts the invitation to be monitored by a GuardDuty administrator account.

Danger: This operation is deprecated and may not function as expected. This operation should not be used going forward and is only kept for the purpose of backwards compatibility.

See also: AWS API Documentation

**Request Syntax**

   response = client.accept_invitation(
       DetectorId='string',
       MasterId='string',
       InvitationId='string'
   )

Parameters:
   * **DetectorId** (*string*) -- **[REQUIRED]** The unique ID of the detector of the GuardDuty member account. To find the "detectorId" in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.

   * **MasterId** (*string*) -- **[REQUIRED]** The account ID of the GuardDuty administrator account whose invitation you're accepting.

   * **InvitationId** (*string*) -- **[REQUIRED]** The value that is used to validate the administrator account to the member account.
Return type: dict Returns: **Response Syntax** {} **Response Structure** * *(dict) --* **Exceptions** * "GuardDuty.Client.exceptions.BadRequestException" * "GuardDuty.Client.exceptions.InternalServerErrorException" GuardDuty / Client / disassociate_from_master_account disassociate_from_master_account ******************************** GuardDuty.Client.disassociate_from_master_account(**kwargs) Disassociates the current GuardDuty member account from its administrator account. When you disassociate an invited member from a GuardDuty delegated administrator, the member account details obtained from the CreateMembers API, including the associated email addresses, are retained. This is done so that the delegated administrator can invoke the InviteMembers API without the need to invoke the CreateMembers API again. To remove the details associated with a member account, the delegated administrator must invoke the DeleteMembers API. Danger: This operation is deprecated and may not function as expected. This operation should not be used going forward and is only kept for the purpose of backwards compatiblity. See also: AWS API Documentation **Request Syntax** response = client.disassociate_from_master_account( DetectorId='string' ) Parameters: **DetectorId** (*string*) -- **[REQUIRED]** The unique ID of the detector of the GuardDuty member account. Return type: dict Returns: **Response Syntax** {} **Response Structure** * *(dict) --* **Exceptions** * "GuardDuty.Client.exceptions.BadRequestException" * "GuardDuty.Client.exceptions.InternalServerErrorException" GuardDuty / Client / get_coverage_statistics get_coverage_statistics *********************** GuardDuty.Client.get_coverage_statistics(**kwargs) Retrieves aggregated statistics for your account. 
If you are a GuardDuty administrator, you can retrieve the statistics for all the resources associated with the active member accounts in your organization who have enabled Runtime Monitoring and have the GuardDuty security agent running on their resources. See also: AWS API Documentation **Request Syntax** response = client.get_coverage_statistics( DetectorId='string', FilterCriteria={ 'FilterCriterion': [ { 'CriterionKey': 'ACCOUNT_ID'|'CLUSTER_NAME'|'RESOURCE_TYPE'|'COVERAGE_STATUS'|'ADDON_VERSION'|'MANAGEMENT_TYPE'|'EKS_CLUSTER_NAME'|'ECS_CLUSTER_NAME'|'AGENT_VERSION'|'INSTANCE_ID'|'CLUSTER_ARN', 'FilterCondition': { 'Equals': [ 'string', ], 'NotEquals': [ 'string', ] } }, ] }, StatisticsType=[ 'COUNT_BY_RESOURCE_TYPE'|'COUNT_BY_COVERAGE_STATUS', ] ) Parameters: * **DetectorId** (*string*) -- **[REQUIRED]** The unique ID of the GuardDuty detector. To find the "detectorId" in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API. * **FilterCriteria** (*dict*) -- Represents the criteria used to filter the coverage statistics. * **FilterCriterion** *(list) --* Represents a condition that when matched will be added to the response of the operation. * *(dict) --* Represents a condition that when matched will be added to the response of the operation. * **CriterionKey** *(string) --* An enum value representing possible filter fields. Note: Replace the enum value "CLUSTER_NAME" with "EKS_CLUSTER_NAME". "CLUSTER_NAME" has been deprecated. * **FilterCondition** *(dict) --* Contains information about the condition. * **Equals** *(list) --* Represents an equal condition that is applied to a single field while retrieving the coverage details. * *(string) --* * **NotEquals** *(list) --* Represents a not equal condition that is applied to a single field while retrieving the coverage details. * *(string) --* * **StatisticsType** (*list*) -- **[REQUIRED]** Represents the statistics type used to aggregate the coverage details. 
* *(string) --* Return type: dict Returns: **Response Syntax** { 'CoverageStatistics': { 'CountByResourceType': { 'string': 123 }, 'CountByCoverageStatus': { 'string': 123 } } } **Response Structure** * *(dict) --* * **CoverageStatistics** *(dict) --* Represents the count aggregated by the "statusCode" and "resourceType". * **CountByResourceType** *(dict) --* Represents coverage statistics for EKS clusters aggregated by resource type. * *(string) --* * *(integer) --* * **CountByCoverageStatus** *(dict) --* Represents coverage statistics for EKS clusters aggregated by coverage status. * *(string) --* * *(integer) --* **Exceptions** * "GuardDuty.Client.exceptions.BadRequestException" * "GuardDuty.Client.exceptions.InternalServerErrorException" GuardDuty / Client / create_filter create_filter ************* GuardDuty.Client.create_filter(**kwargs) Creates a filter using the specified finding criteria. The maximum number of saved filters per Amazon Web Services account per Region is 100. For more information, see Quotas for GuardDuty. See also: AWS API Documentation **Request Syntax** response = client.create_filter( DetectorId='string', Name='string', Description='string', Action='NOOP'|'ARCHIVE', Rank=123, FindingCriteria={ 'Criterion': { 'string': { 'Eq': [ 'string', ], 'Neq': [ 'string', ], 'Gt': 123, 'Gte': 123, 'Lt': 123, 'Lte': 123, 'Equals': [ 'string', ], 'NotEquals': [ 'string', ], 'GreaterThan': 123, 'GreaterThanOrEqual': 123, 'LessThan': 123, 'LessThanOrEqual': 123 } } }, ClientToken='string', Tags={ 'string': 'string' } ) Parameters: * **DetectorId** (*string*) -- **[REQUIRED]** The detector ID associated with the GuardDuty account for which you want to create a filter. To find the "detectorId" in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API. * **Name** (*string*) -- **[REQUIRED]** The name of the filter. Valid characters include period (.), underscore (_), dash (-), and alphanumeric characters. 
A whitespace is considered to be an invalid character. * **Description** (*string*) -- The description of the filter. Valid characters include alphanumeric characters, and special characters such as hyphen, period, colon, underscore, parentheses ( "{ }", "[ ]", and "( )"), forward slash, horizontal tab, vertical tab, newline, form feed, return, and whitespace. * **Action** (*string*) -- Specifies the action that is to be applied to the findings that match the filter. * **Rank** (*integer*) -- Specifies the position of the filter in the list of current filters. Also specifies the order in which this filter is applied to the findings. * **FindingCriteria** (*dict*) -- **[REQUIRED]** Represents the criteria to be used in the filter for querying findings. You can only use the following attributes to query findings: * accountId * id * region * severity To filter on the basis of severity, the API and CLI use the following input list for the FindingCriteria condition: * **Low**: "["1", "2", "3"]" * **Medium**: "["4", "5", "6"]" * **High**: "["7", "8"]" * **Critical**: "["9", "10"]" For more information, see Findings severity levels in the *Amazon GuardDuty User Guide*. * type * updatedAt Type: ISO 8601 string format: YYYY-MM- DDTHH:MM:SS.SSSZ or YYYY-MM-DDTHH:MM:SSZ depending on whether the value contains milliseconds. 
* resource.accessKeyDetails.accessKeyId
* resource.accessKeyDetails.principalId
* resource.accessKeyDetails.userName
* resource.accessKeyDetails.userType
* resource.instanceDetails.iamInstanceProfile.id
* resource.instanceDetails.imageId
* resource.instanceDetails.instanceId
* resource.instanceDetails.tags.key
* resource.instanceDetails.tags.value
* resource.instanceDetails.networkInterfaces.ipv6Addresses
* resource.instanceDetails.networkInterfaces.privateIpAddresses.privateIpAddress
* resource.instanceDetails.networkInterfaces.publicDnsName
* resource.instanceDetails.networkInterfaces.publicIp
* resource.instanceDetails.networkInterfaces.securityGroups.groupId
* resource.instanceDetails.networkInterfaces.securityGroups.groupName
* resource.instanceDetails.networkInterfaces.subnetId
* resource.instanceDetails.networkInterfaces.vpcId
* resource.instanceDetails.outpostArn
* resource.resourceType
* resource.s3BucketDetails.publicAccess.effectivePermissions
* resource.s3BucketDetails.name
* resource.s3BucketDetails.tags.key
* resource.s3BucketDetails.tags.value
* resource.s3BucketDetails.type
* service.action.actionType
* service.action.awsApiCallAction.api
* service.action.awsApiCallAction.callerType
* service.action.awsApiCallAction.errorCode
* service.action.awsApiCallAction.remoteIpDetails.city.cityName
* service.action.awsApiCallAction.remoteIpDetails.country.countryName
* service.action.awsApiCallAction.remoteIpDetails.ipAddressV4
* service.action.awsApiCallAction.remoteIpDetails.ipAddressV6
* service.action.awsApiCallAction.remoteIpDetails.organization.asn
* service.action.awsApiCallAction.remoteIpDetails.organization.asnOrg
* service.action.awsApiCallAction.serviceName
* service.action.dnsRequestAction.domain
* service.action.dnsRequestAction.domainWithSuffix
* service.action.dnsRequestAction.vpcOwnerAccountId
* service.action.networkConnectionAction.blocked
* service.action.networkConnectionAction.connectionDirection
* service.action.networkConnectionAction.localPortDetails.port
* service.action.networkConnectionAction.protocol
* service.action.networkConnectionAction.remoteIpDetails.city.cityName
* service.action.networkConnectionAction.remoteIpDetails.country.countryName
* service.action.networkConnectionAction.remoteIpDetails.ipAddressV4
* service.action.networkConnectionAction.remoteIpDetails.ipAddressV6
* service.action.networkConnectionAction.remoteIpDetails.organization.asn
* service.action.networkConnectionAction.remoteIpDetails.organization.asnOrg
* service.action.networkConnectionAction.remotePortDetails.port
* service.action.awsApiCallAction.remoteAccountDetails.affiliated
* service.action.kubernetesApiCallAction.remoteIpDetails.ipAddressV4
* service.action.kubernetesApiCallAction.remoteIpDetails.ipAddressV6
* service.action.kubernetesApiCallAction.namespace
* service.action.kubernetesApiCallAction.remoteIpDetails.organization.asn
* service.action.kubernetesApiCallAction.requestUri
* service.action.kubernetesApiCallAction.statusCode
* service.action.networkConnectionAction.localIpDetails.ipAddressV4
* service.action.networkConnectionAction.localIpDetails.ipAddressV6
* service.action.awsApiCallAction.remoteAccountDetails.accountId
* service.additionalInfo.threatListName
* service.resourceRole
* resource.eksClusterDetails.name
* resource.kubernetesDetails.kubernetesWorkloadDetails.name
* resource.kubernetesDetails.kubernetesWorkloadDetails.namespace
* resource.kubernetesDetails.kubernetesUserDetails.username
* resource.kubernetesDetails.kubernetesWorkloadDetails.containers.image
* resource.kubernetesDetails.kubernetesWorkloadDetails.containers.imagePrefix
* service.ebsVolumeScanDetails.scanId
* service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.name
* service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.severity
* service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.filePaths.hash
* resource.ecsClusterDetails.name
* resource.ecsClusterDetails.taskDetails.containers.image
* resource.ecsClusterDetails.taskDetails.definitionArn
* resource.containerDetails.image
* resource.rdsDbInstanceDetails.dbInstanceIdentifier
* resource.rdsDbInstanceDetails.dbClusterIdentifier
* resource.rdsDbInstanceDetails.engine
* resource.rdsDbUserDetails.user
* resource.rdsDbInstanceDetails.tags.key
* resource.rdsDbInstanceDetails.tags.value
* service.runtimeDetails.process.executableSha256
* service.runtimeDetails.process.name
* service.runtimeDetails.process.executablePath
* resource.lambdaDetails.functionName
* resource.lambdaDetails.functionArn
* resource.lambdaDetails.tags.key
* resource.lambdaDetails.tags.value
* **Criterion** *(dict) --* Represents a map of finding properties that match specified conditions and values when querying findings. * *(string) --* * *(dict) --* Contains information about the condition. * **Eq** *(list) --* Represents the *equal* condition to be applied to a single field when querying for findings. * *(string) --* * **Neq** *(list) --* Represents the *not equal* condition to be applied to a single field when querying for findings. * *(string) --* * **Gt** *(integer) --* Represents a *greater than* condition to be applied to a single field when querying for findings. * **Gte** *(integer) --* Represents a *greater than or equal* condition to be applied to a single field when querying for findings. * **Lt** *(integer) --* Represents a *less than* condition to be applied to a single field when querying for findings. * **Lte** *(integer) --* Represents a *less than or equal* condition to be applied to a single field when querying for findings. * **Equals** *(list) --* Represents an *equal* condition to be applied to a single field when querying for findings.
* *(string) --* * **NotEquals** *(list) --* Represents a *not equal* condition to be applied to a single field when querying for findings. * *(string) --* * **GreaterThan** *(integer) --* Represents a *greater than* condition to be applied to a single field when querying for findings. * **GreaterThanOrEqual** *(integer) --* Represents a *greater than or equal* condition to be applied to a single field when querying for findings. * **LessThan** *(integer) --* Represents a *less than* condition to be applied to a single field when querying for findings. * **LessThanOrEqual** *(integer) --* Represents a *less than or equal* condition to be applied to a single field when querying for findings. * **ClientToken** (*string*) -- The idempotency token for the create request. This field is autopopulated if not provided. * **Tags** (*dict*) -- The tags to be added to a new filter resource. * *(string) --* * *(string) --* Return type: dict Returns: **Response Syntax** { 'Name': 'string' } **Response Structure** * *(dict) --* * **Name** *(string) --* The name of the successfully created filter. **Exceptions** * "GuardDuty.Client.exceptions.BadRequestException" * "GuardDuty.Client.exceptions.InternalServerErrorException" GuardDuty / Client / accept_administrator_invitation accept_administrator_invitation ******************************* GuardDuty.Client.accept_administrator_invitation(**kwargs) Accepts the invitation to be a member account and get monitored by a GuardDuty administrator account that sent the invitation. See also: AWS API Documentation **Request Syntax** response = client.accept_administrator_invitation( DetectorId='string', AdministratorId='string', InvitationId='string' ) Parameters: * **DetectorId** (*string*) -- **[REQUIRED]** The unique ID of the detector of the GuardDuty member account. * **AdministratorId** (*string*) -- **[REQUIRED]** The account ID of the GuardDuty administrator account whose invitation you're accepting. 
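A create_filter call with Action='ARCHIVE' is a suppression rule: every finding that matches is archived automatically, so the criteria deserve validation before the request leaves your code. The following is an added example, not code from the boto3 documentation or the boto3 library: it assembles the keyword arguments for client.create_filter(**request) from the severity bands and the filter-name rules documented above, using the non-deprecated Equals/NotEquals condition keys. The detector ID is a constructed sample value; the finding type "Recon:EC2/PortProbeUnprotectedPort" is a real GuardDuty finding type used here only as an illustration of narrowing a suppression rule to one type. Nothing is sent anywhere; the function returns the request dict.

```python
"""Added example (not from the boto3 docs): build and validate a
create_filter request offline. Pass the result as client.create_filter(**request)."""
import re
from typing import Any, Dict, Iterable, List, Mapping, Optional

# Severity bands exactly as documented for the FindingCriteria condition.
SEVERITY_BANDS: Dict[str, List[str]] = {
    "Low": ["1", "2", "3"],
    "Medium": ["4", "5", "6"],
    "High": ["7", "8"],
    "Critical": ["9", "10"],
}
# Valid filter-name characters: alphanumerics, period, underscore, dash.
# Whitespace (or anything else) is rejected, as the parameter doc states.
FILTER_NAME_RE = re.compile(r"^[A-Za-z0-9._-]+$")
ACTIONS = ("NOOP", "ARCHIVE")


def is_valid_filter_name(name: str) -> bool:
    return bool(FILTER_NAME_RE.fullmatch(name))


def severity_values(levels: Iterable[str]) -> List[str]:
    """Expand level names (Low/Medium/High/Critical) into the string list
    the API expects for a severity Equals condition."""
    values: List[str] = []
    for level in levels:
        if level not in SEVERITY_BANDS:
            raise ValueError(f"unknown severity level {level!r}")
        values.extend(SEVERITY_BANDS[level])
    return values


def build_create_filter_request(detector_id: str, name: str,
                                severities: Iterable[str] = (),
                                action: str = "NOOP", rank: int = 1,
                                extra_criteria: Optional[Mapping[str, Mapping[str, Any]]] = None,
                                description: Optional[str] = None,
                                tags: Optional[Mapping[str, str]] = None) -> Dict[str, Any]:
    """Return kwargs for client.create_filter. extra_criteria maps a finding
    attribute (for example "type") to a condition dict such as {"Equals": [...]}."""
    if not is_valid_filter_name(name):
        raise ValueError(f"invalid filter name {name!r}: only [A-Za-z0-9._-] allowed")
    if action not in ACTIONS:
        raise ValueError(f"action must be one of {ACTIONS}")
    if not isinstance(rank, int) or rank < 1:
        raise ValueError("rank must be a positive integer")
    criterion: Dict[str, Dict[str, Any]] = {}
    levels = list(severities)
    if levels:
        criterion["severity"] = {"Equals": severity_values(levels)}
    for attribute, condition in (extra_criteria or {}).items():
        criterion[attribute] = dict(condition)
    if not criterion:
        raise ValueError("a filter needs at least one criterion")
    request: Dict[str, Any] = {
        "DetectorId": detector_id,
        "Name": name,
        "Action": action,
        "Rank": rank,
        "FindingCriteria": {"Criterion": criterion},
    }
    if description:
        request["Description"] = description
    if tags:
        request["Tags"] = dict(tags)
    return request


SAMPLE_DETECTOR_ID = "12abc34d567e8fa901bc2d34e56789f0"  # constructed

if __name__ == "__main__":
    # Suppress only low/medium port probes against a known-public bastion tier,
    # rather than every finding of that type.
    req = build_create_filter_request(
        SAMPLE_DETECTOR_ID, "archive-low-port-probes", ["Low", "Medium"],
        action="ARCHIVE", rank=1,
        extra_criteria={"type": {"Equals": ["Recon:EC2/PortProbeUnprotectedPort"]}},
        description="Auto-archive low/medium port probes")
    print(req)
```

Because an ARCHIVE filter hides findings from the default console view, pair every suppression rule with at least one narrowing attribute (type, a resource tag, or an account) and keep the Rank low only for rules that must win over broader ones.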
* **InvitationId** (*string*) -- **[REQUIRED]** The value that is used to validate the administrator account to the member account. Return type: dict Returns: **Response Syntax** {} **Response Structure** * *(dict) --* **Exceptions** * "GuardDuty.Client.exceptions.BadRequestException" * "GuardDuty.Client.exceptions.InternalServerErrorException" GuardDuty / Client / update_member_detectors update_member_detectors *********************** GuardDuty.Client.update_member_detectors(**kwargs) Contains information on member accounts to be updated. Specifying both EKS Runtime Monitoring ( "EKS_RUNTIME_MONITORING") and Runtime Monitoring ( "RUNTIME_MONITORING") will cause an error. You can add only one of these two features because Runtime Monitoring already includes the threat detection for Amazon EKS resources. For more information, see Runtime Monitoring. There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints. See also: AWS API Documentation **Request Syntax** response = client.update_member_detectors( DetectorId='string', AccountIds=[ 'string', ], DataSources={ 'S3Logs': { 'Enable': True|False }, 'Kubernetes': { 'AuditLogs': { 'Enable': True|False } }, 'MalwareProtection': { 'ScanEc2InstanceWithFindings': { 'EbsVolumes': True|False } } }, Features=[ { 'Name': 'S3_DATA_EVENTS'|'EKS_AUDIT_LOGS'|'EBS_MALWARE_PROTECTION'|'RDS_LOGIN_EVENTS'|'EKS_RUNTIME_MONITORING'|'LAMBDA_NETWORK_LOGS'|'RUNTIME_MONITORING', 'Status': 'ENABLED'|'DISABLED', 'AdditionalConfiguration': [ { 'Name': 'EKS_ADDON_MANAGEMENT'|'ECS_FARGATE_AGENT_MANAGEMENT'|'EC2_AGENT_MANAGEMENT', 'Status': 'ENABLED'|'DISABLED' }, ] }, ] ) Parameters: * **DetectorId** (*string*) -- **[REQUIRED]** The detector ID of the administrator account. To find the "detectorId" in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API. 
* **AccountIds** (*list*) -- **[REQUIRED]** A list of member account IDs to be updated. * *(string) --* * **DataSources** (*dict*) -- Describes which data sources will be updated. * **S3Logs** *(dict) --* Describes whether S3 data event logs are enabled as a data source. * **Enable** *(boolean) --* **[REQUIRED]** The status of S3 data event logs as a data source. * **Kubernetes** *(dict) --* Describes whether any Kubernetes logs are enabled as data sources. * **AuditLogs** *(dict) --* **[REQUIRED]** The status of Kubernetes audit logs as a data source. * **Enable** *(boolean) --* **[REQUIRED]** The status of Kubernetes audit logs as a data source. * **MalwareProtection** *(dict) --* Describes whether Malware Protection is enabled as a data source. * **ScanEc2InstanceWithFindings** *(dict) --* Describes the configuration of Malware Protection for EC2 instances with findings. * **EbsVolumes** *(boolean) --* Describes the configuration for scanning EBS volumes as data source. * **Features** (*list*) -- A list of features that will be updated for the specified member accounts. * *(dict) --* Contains information about the features for the member account. * **Name** *(string) --* The name of the feature. * **Status** *(string) --* The status of the feature. * **AdditionalConfiguration** *(list) --* Additional configuration of the feature for the member account. * *(dict) --* Information about the additional configuration for the member account. * **Name** *(string) --* Name of the additional configuration. * **Status** *(string) --* Status of the additional configuration. Return type: dict Returns: **Response Syntax** { 'UnprocessedAccounts': [ { 'AccountId': 'string', 'Result': 'string' }, ] } **Response Structure** * *(dict) --* * **UnprocessedAccounts** *(list) --* A list of member account IDs that were unable to be processed along with an explanation for why they were not processed. * *(dict) --* Contains information about the accounts that weren't processed. 
* **AccountId** *(string) --* The Amazon Web Services account ID. * **Result** *(string) --* A reason why the account hasn't been processed. **Exceptions** * "GuardDuty.Client.exceptions.BadRequestException" * "GuardDuty.Client.exceptions.InternalServerErrorException" GuardDuty / Client / delete_filter delete_filter ************* GuardDuty.Client.delete_filter(**kwargs) Deletes the filter specified by the filter name. See also: AWS API Documentation **Request Syntax** response = client.delete_filter( DetectorId='string', FilterName='string' ) Parameters: * **DetectorId** (*string*) -- **[REQUIRED]** The unique ID of the detector that is associated with the filter. To find the "detectorId" in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API. * **FilterName** (*string*) -- **[REQUIRED]** The name of the filter that you want to delete. Return type: dict Returns: **Response Syntax** {} **Response Structure** * *(dict) --* **Exceptions** * "GuardDuty.Client.exceptions.BadRequestException" * "GuardDuty.Client.exceptions.InternalServerErrorException" GuardDuty / Client / update_publishing_destination update_publishing_destination ***************************** GuardDuty.Client.update_publishing_destination(**kwargs) Updates information about the publishing destination specified by the "destinationId". See also: AWS API Documentation **Request Syntax** response = client.update_publishing_destination( DetectorId='string', DestinationId='string', DestinationProperties={ 'DestinationArn': 'string', 'KmsKeyArn': 'string' } ) Parameters: * **DetectorId** (*string*) -- **[REQUIRED]** The ID of the detector associated with the publishing destinations to update. To find the "detectorId" in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API. * **DestinationId** (*string*) -- **[REQUIRED]** The ID of the publishing destination to update. 
* **DestinationProperties** (*dict*) -- A "DestinationProperties" object that includes the "DestinationArn" and "KmsKeyArn" of the publishing destination. * **DestinationArn** *(string) --* The ARN of the resource to publish to. To specify an S3 bucket folder use the following format: "arn:aws:s3:::DOC-EXAMPLE-BUCKET/myFolder/" * **KmsKeyArn** *(string) --* The ARN of the KMS key to use for encryption. Return type: dict Returns: **Response Syntax** {} **Response Structure** * *(dict) --* **Exceptions** * "GuardDuty.Client.exceptions.BadRequestException" * "GuardDuty.Client.exceptions.InternalServerErrorException" GuardDuty / Client / enable_organization_admin_account enable_organization_admin_account ********************************* GuardDuty.Client.enable_organization_admin_account(**kwargs) Designates an Amazon Web Services account within the organization as your GuardDuty delegated administrator. Only the organization's management account can run this API operation. See also: AWS API Documentation **Request Syntax** response = client.enable_organization_admin_account( AdminAccountId='string' ) Parameters: **AdminAccountId** (*string*) -- **[REQUIRED]** The Amazon Web Services account ID for the organization account to be enabled as a GuardDuty delegated administrator. Return type: dict Returns: **Response Syntax** {} **Response Structure** * *(dict) --* **Exceptions** * "GuardDuty.Client.exceptions.BadRequestException" * "GuardDuty.Client.exceptions.InternalServerErrorException" GuardDuty / Client / unarchive_findings unarchive_findings ****************** GuardDuty.Client.unarchive_findings(**kwargs) Unarchives GuardDuty findings specified by the "findingIds". See also: AWS API Documentation **Request Syntax** response = client.unarchive_findings( DetectorId='string', FindingIds=[ 'string', ] ) Parameters: * **DetectorId** (*string*) -- **[REQUIRED]** The ID of the detector associated with the findings to unarchive. 
To find the "detectorId" in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API. * **FindingIds** (*list*) -- **[REQUIRED]** The IDs of the findings to unarchive. * *(string) --* Return type: dict Returns: **Response Syntax** {} **Response Structure** * *(dict) --* **Exceptions** * "GuardDuty.Client.exceptions.BadRequestException" * "GuardDuty.Client.exceptions.InternalServerErrorException"
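Two of the operations above carry rules that are easy to violate from automation: update_member_detectors rejects a request that names both EKS_RUNTIME_MONITORING and RUNTIME_MONITORING and reports per-account failures only through UnprocessedAccounts, and get_coverage_statistics still accepts the deprecated CLUSTER_NAME criterion key although EKS_CLUSTER_NAME should be used. The following is an added example, not code from the boto3 documentation or the boto3 library, serving both passages: it builds a Runtime Monitoring rollout request for member accounts that enforces the mutual-exclusion rule, splits the response into processed and unprocessed accounts, and builds the coverage-statistics request used to confirm the agent is actually reporting. The detector ID, account IDs, and both response dicts are constructed; the HEALTHY/UNHEALTHY keys in CountByCoverageStatus are the coverage status values GuardDuty reports, assumed here since the excerpt does not enumerate them.

```python
"""Added example (not from the boto3 docs): validate an update_member_detectors
request, triage its UnprocessedAccounts, and build the matching
get_coverage_statistics request. Responses are constructed; with boto3 they
come from client.update_member_detectors(**req) and
client.get_coverage_statistics(**req)."""
import re
from typing import Any, Dict, Iterable, List, Optional, Tuple

FEATURE_NAMES = {"S3_DATA_EVENTS", "EKS_AUDIT_LOGS", "EBS_MALWARE_PROTECTION",
                 "RDS_LOGIN_EVENTS", "EKS_RUNTIME_MONITORING",
                 "LAMBDA_NETWORK_LOGS", "RUNTIME_MONITORING"}
ADDITIONAL_CONFIG_NAMES = {"EKS_ADDON_MANAGEMENT", "ECS_FARGATE_AGENT_MANAGEMENT",
                           "EC2_AGENT_MANAGEMENT"}
STATUSES = {"ENABLED", "DISABLED"}
# Documented as mutually exclusive: RUNTIME_MONITORING already covers EKS.
RUNTIME_FEATURES = ("EKS_RUNTIME_MONITORING", "RUNTIME_MONITORING")
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def feature(name: str, status: str = "ENABLED", **additional: str) -> Dict[str, Any]:
    """One entry of the Features list; keyword args are AdditionalConfiguration."""
    if name not in FEATURE_NAMES or status not in STATUSES:
        raise ValueError(f"invalid feature {name!r}/{status!r}")
    entry: Dict[str, Any] = {"Name": name, "Status": status}
    if additional:
        configs = []
        for cfg_name, cfg_status in additional.items():
            if cfg_name not in ADDITIONAL_CONFIG_NAMES or cfg_status not in STATUSES:
                raise ValueError(f"invalid additional configuration {cfg_name!r}/{cfg_status!r}")
            configs.append({"Name": cfg_name, "Status": cfg_status})
        entry["AdditionalConfiguration"] = configs
    return entry


def has_runtime_conflict(features: Iterable[Dict[str, Any]]) -> bool:
    names = {f["Name"] for f in features}
    return all(n in names for n in RUNTIME_FEATURES)


def build_member_detector_update(detector_id: str, account_ids: Iterable[str],
                                 features: List[Dict[str, Any]]) -> Dict[str, Any]:
    """kwargs for client.update_member_detectors, rejected locally if the
    request would trip the documented EKS/Runtime Monitoring conflict."""
    ids = list(account_ids)
    bad = [a for a in ids if not ACCOUNT_ID_RE.fullmatch(a)]
    if bad:
        raise ValueError(f"not 12-digit account IDs: {bad}")
    if has_runtime_conflict(features):
        raise ValueError("specify only one of EKS_RUNTIME_MONITORING and RUNTIME_MONITORING")
    return {"DetectorId": detector_id, "AccountIds": ids, "Features": list(features)}


def summarize_unprocessed(response: Dict[str, Any],
                          requested: Iterable[str]) -> Tuple[List[str], Dict[str, str]]:
    """Split the requested accounts into (processed, {account_id: reason})."""
    failed = {u["AccountId"]: u["Result"] for u in response.get("UnprocessedAccounts", [])}
    return [a for a in requested if a not in failed], failed


def build_coverage_request(detector_id: str, account_ids: Optional[Iterable[str]] = None,
                           eks_cluster_names: Optional[Iterable[str]] = None) -> Dict[str, Any]:
    """kwargs for client.get_coverage_statistics; uses EKS_CLUSTER_NAME, never
    the deprecated CLUSTER_NAME key."""
    criteria: List[Dict[str, Any]] = []
    if account_ids:
        criteria.append({"CriterionKey": "ACCOUNT_ID",
                         "FilterCondition": {"Equals": list(account_ids)}})
    if eks_cluster_names:
        criteria.append({"CriterionKey": "EKS_CLUSTER_NAME",
                         "FilterCondition": {"Equals": list(eks_cluster_names)}})
    req: Dict[str, Any] = {"DetectorId": detector_id,
                           "StatisticsType": ["COUNT_BY_COVERAGE_STATUS", "COUNT_BY_RESOURCE_TYPE"]}
    if criteria:
        req["FilterCriteria"] = {"FilterCriterion": criteria}
    return req


def unhealthy_count(response: Dict[str, Any]) -> int:
    """Resources whose agent is not reporting (assumes the UNHEALTHY status key)."""
    stats = response.get("CoverageStatistics", {}).get("CountByCoverageStatus", {})
    return int(stats.get("UNHEALTHY", 0))


# Constructed sample data.
SAMPLE_DETECTOR_ID = "12abc34d567e8fa901bc2d34e56789f0"
SAMPLE_ACCOUNTS = ["111111111111", "222222222222"]
SAMPLE_UPDATE_RESPONSE = {"UnprocessedAccounts": [
    {"AccountId": "222222222222", "Result": "constructed reason: not an active member"}]}
SAMPLE_COVERAGE_RESPONSE = {"CoverageStatistics": {
    "CountByResourceType": {"EC2": 5, "EKS": 2},
    "CountByCoverageStatus": {"HEALTHY": 5, "UNHEALTHY": 2}}}

if __name__ == "__main__":
    req = build_member_detector_update(SAMPLE_DETECTOR_ID, SAMPLE_ACCOUNTS,
                                       [feature("RUNTIME_MONITORING", EC2_AGENT_MANAGEMENT="ENABLED")])
    processed, failed = summarize_unprocessed(SAMPLE_UPDATE_RESPONSE, req["AccountIds"])
    print("processed:", processed, "failed:", failed)
    print(build_coverage_request(SAMPLE_DETECTOR_ID, account_ids=processed),
          "unhealthy:", unhealthy_count(SAMPLE_COVERAGE_RESPONSE))
```

An UnprocessedAccounts entry is not an exception: the call succeeds while silently leaving those accounts unchanged, so a rollout script should treat a non-empty failed map as a hard failure, and the coverage request filtered to the processed accounts is the check that the agent actually came up rather than merely being enabled.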