Skip to main content

AWS - GuardDuty

This Integration is part of the AWS - GuardDuty Pack.#

Amazon Web Services Guard Duty Service (gd) Use this integration to detect and manage threats to your AWS system. We recommend that you use roles that have the following built-in AWS policies:

  • AmazonGuardDutyFullAccess
  • AmazonGuardDutyReadOnlyAccess

For detailed instructions about setting up authentication, see: AWS Integrations - Authentication.

Prerequisites#

It is important that you familiarize yourself with and complete all steps detailed in the Amazon AWS Integrations Configuration Guide

Some changes have been made that might affect your existing content. If you are upgrading from a previous of this integration, see Breaking Changes.

Configure AWS - GuardDuty in Cortex#

ParameterDescriptionRequired
AWS Default RegionThe AWS Region for this instance of the integration. For example, us-west-2True
Role ArnThe Amazon Resource Name (ARN) role used for EC2 instance authentication. If this is used, an access key and secret key are not required.False
Fetch incidentsFalse
Incident typeIncident typeFalse
Role Session NameA descriptive name for the assumed role session. For example, xsiam-IAM.integration-Role_SESSIONFalse
Role Session DurationThe maximum length of each session in seconds. Default: 900 seconds. The Cortex XSOAR integration will have the permissions assigned only when the session is initiated and for the defined duration.False
Access KeyThe access key ID used for authentication, that was configured during IAM user configuration. If this is used, Role ARN is not required.False
Secret KeyThe secret key used for authentication, that was configured during IAM user configuration. If this is used, Role ARN is not required.False
TimeoutThe time in seconds until a timeout exception is reached. You can specify just the read timeout (for example 60) or also the connect timeout followed after a comma (for example 60,10). If a connect timeout is not specified, a default of 10 second will be used.False
RetriesThe maximum number of retry attempts when connection or throttling errors are encountered. Set to 0 to disable retries. The default value is 5 and the limit is 10. Note: Increasing the number of retries will increase the execution time.False
How many incidents to fetch each timeDefault 10False
First fetch timestampFirst fetch query <number> <time unit>, e.g., 7 days. Default 3 daysFalse
Guard Duty Severity levelThe severity level or higher of findings to be fetched: Low, Medium, or High. For example, if you set the severity level to Medium, only findings with severity level Medium or High will be fetched.False
Archive findings After FetchYou can set whether findings that are fetched will be moved to the GuardDuty archive.False
Incidents Fetch IntervalTime interval for fetching incidents.False
Trust any certificate (not secure)False
Use system proxy settingsFalse

Fetched Incidents Data#

  • The integration fetches newly created Guard DutyFindings. Each integration instance can fetch findings from a single AWS Region.
  • Each region can have a maximum of 1,000 member accounts that are linked to a guard duty master account. For more information see the Amazon GuardDuty documentation.
  • You can set the severity level of the findings to be fetched. "Low", "Medium", "High". For example, if you set the severity level to "Medium", the integration will only fetch findings with severity level of Medium and higher.

Commands#

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

aws-gd-create-detector#


Create an AWS Guard Duty Detector on the integration instance specified aws account.

AWS IAM Policy Permission#

Effect: Allow
Action: guardduty:CreateDetector

Base Command#

aws-gd-create-detector

Input#

Argument NameDescriptionRequired
enabledA boolean value that specifies whether the detector is to be enabled. Possible values are: True, False. Default is True.Required
enableS3LogsThe status of S3 data event logs as a data source. Possible values are: True, False.Optional
enableKubernetesLogsThe status of Kubernetes audit logs as a data source. Possible values are: True, False.Optional
ebsVolumesMalwareProtectionDescribes the configuration for scanning EBS volumes as a data source. Possible values are: True, False.Optional
findingFrequencySpecifies how frequently updated findings are exported. Possible values are: Fifteen Minutes, One Hour, Six Hours.Optional
regionThe AWS Region, if not specified the default region will be used.Optional
roleArnThe Amazon Resource Name (ARN) of the role to assume.Optional
roleSessionNameAn identifier for the assumed role session.Optional
roleSessionDurationThe duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role.Optional

Context Output#

PathTypeDescription
AWS.GuardDuty.Detectors.DetectorIdstringThe unique ID of the created detector.

Command Example#

!aws-gd-create-detector enabled=True region=eu-west-2

aws-gd-delete-detector#


Deletes a Amazon GuardDuty detector specified by the detector ID.

AWS IAM Policy Permission#

Effect: Allow
Action: guardduty:DeleteDetector

Base Command#

aws-gd-delete-detector

Input#

Argument NameDescriptionRequired
detectorIdThe unique ID that specifies the detector that you want to delete.Required
regionThe AWS Region, if not specified the default region will be used.Optional
roleArnThe Amazon Resource Name (ARN) of the role to assume.Optional
roleSessionNameAn identifier for the assumed role session.Optional
roleSessionDurationThe duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role.Optional

Context Output#

There is no context output for this command.

Command Example#

!aws-gd-delete-detector detectorId=38b1235ed3fe245279cd0c8e235db0715ac5561eb

aws-gd-get-detector#


Retrieves an Amazon GuardDuty detector specified by the detectorId.

AWS IAM Policy Permission#

Effect: Allow
Action: guardduty:GetDetector

Base Command#

aws-gd-get-detector

Input#

Argument NameDescriptionRequired
detectorIdThe unique ID of the detector that you want to retrieve.Required
regionThe AWS Region, if not specified the default region will be used.Optional
roleArnThe Amazon Resource Name (ARN) of the role to assume.Optional
roleSessionNameAn identifier for the assumed role session.Optional
roleSessionDurationThe duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role.Optional

Context Output#

PathTypeDescription
AWS.GuardDuty.Detectors.DetectorIdstringThe unique ID of the created detector.
AWS.GuardDuty.Detectors.CreatedAtstringThe first time a resource was created.
AWS.GuardDuty.Detectors.ServiceRolestringCustomer serviceRole name or ARN for accessing customer resources.
AWS.GuardDuty.Detectors.StatusstringThe status of detector.
AWS.GuardDuty.Detectors.UpdatedAtstringThe time a resource was last updated.
AWS.GuardDuty.Detectors.CloudTrailStatusstringDescribes whether CloudTrail is enabled as a data source for the detector.
AWS.GuardDuty.Detectors.DNSLogsStatusstringDenotes whether DNS logs are enabled as a data source.
AWS.GuardDuty.Detectors.FlowLogsStatusstringDenotes whether VPC flow logs are enabled as a data source.
AWS.GuardDuty.Detectors.S3LogsStatusstringDescribes whether S3 data event logs are automatically enabled for new members of the organization.
AWS.GuardDuty.Detectors.KubernetesAuditLogsStatusstringDescribes whether Kubernetes audit logs are enabled as a data source.
AWS.GuardDuty.Detectors.MalwareProtectionStatusstringDescribes whether scanning EBS volumes is enabled as a data source.
AWS.GuardDuty.Detectors.MalwareProtectionReasonstringSpecifies the reason why scanning EBS volumes (Malware Protection) was not enabled as a data source.
AWS.GuardDuty.Detectors.TagsstringThe tags of the detector resource.

Command Example#

!aws-gd-get-detector detectorId=38b1ed3fe279fdascd0c8edb071dsf5ac5561eb region=eu-west-2

aws-gd-update-detector#


Updates an Amazon GuardDuty detector specified by the detectorId.

AWS IAM Policy Permission#

Effect: Allow
Action: guardduty:UpdateDetector

Base Command#

aws-gd-update-detector

Input#

Argument NameDescriptionRequired
detectorIdThe unique ID of the detector that you want to update.Required
enableUpdated boolean value for the detector that specifies whether the detector is enabled. Possible values are: True, False. Default is True.Required
enableS3LogsThe status of S3 data event logs as a data source. Possible values are: True, False.Optional
enableKubernetesLogsThe status of Kubernetes audit logs as a data source. Possible values are: True, False.Optional
ebsVolumesMalwareProtectionDescribes the configuration for scanning EBS volumes as data source. Possible values are: True, False.Optional
findingFrequencyA value that specifies how frequently updated findings are exported. Possible values are: Fifteen Minutes, One Hour, Six Hours.Optional
regionThe AWS Region, if not specified the default region will be used.Optional
roleArnThe Amazon Resource Name (ARN) of the role to assume.Optional
roleSessionNameAn identifier for the assumed role session.Optional
roleSessionDurationThe duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role.Optional

Context Output#

There is no context output for this command.

Command Example#

aws-gd-update-detector detectorId=38b1ed3fe279fdascd0c8edb071dsf5ac5561eb enable=True

aws-gd-create-ip-set#


A list of trusted IP addresses on allow list for secure communication with AWS infrastructure and applications.

AWS IAM Policy Permission#

Effect: Allow
Action: guardduty:CreateIPSet

Base Command#

aws-gd-create-ip-set

Input#

Argument NameDescriptionRequired
activateA boolean value that indicates whether GuardDuty is to start using the uploaded IPSet. Possible values are: True, False. Default is True.Optional
detectorIdThe unique ID of the detector that you want to update.Required
formatThe format of the file that contains the IPSet. Possible values are: TXT, STIX, OTX_CSV, ALIEN_VAULT, PROOF_POINT, FIRE_EYE.Required
locationThe URI of the file that contains the IPSet. For example (https://s3.us-west-2.amazonaws.com/my-bucket/my-object-key).Optional
nameThe user friendly name to identify the IPSet. This name is displayed in all findings that are triggered by activity that involves IP addresses included in this IPSet.Optional
regionThe AWS Region, if not specified the default region will be used.Optional
roleArnThe Amazon Resource Name (ARN) of the role to assume.Optional
roleSessionNameAn identifier for the assumed role session.Optional
roleSessionDurationThe duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role.Optional

Context Output#

PathTypeDescription
AWS.GuardDuty.Detectors.IPSet.IpSetIdunknownThe unique identifier for an IP Set.

Command Example#

!aws-gd-create-ip-set format=TXT location=https://s3.eu-central-1.amazonaws.com/test/ipset.txt activate=True detectorId=38b1ed3fe279czvasdd0c8edb0715azdsfc5561eb name=test region=eu-west-2

aws-gd-delete-ip-set#


Deletes the IPSet specified by the IPSet ID.

AWS IAM Policy Permission#

Effect: Allow
Action: guardduty:DeleteIPSet

Base Command#

aws-gd-delete-ip-set

Input#

Argument NameDescriptionRequired
detectorIdThe detectorID that specifies the GuardDuty service whose IPSet you want to delete.Required
ipSetIdThe unique ID that specifies the IPSet that you want to delete.Required
regionThe AWS Region, if not specified the default region will be used.Optional
roleArnThe Amazon Resource Name (ARN) of the role to assume.Optional
roleSessionNameAn identifier for the assumed role session.Optional
roleSessionDurationThe duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role.Optional

Context Output#

There is no context output for this command.

Command Example#

!aws-gd-delete-ip-set detectorId=38b1ed3fe279cd0c8edb0715ac5561eb ipSetId=7eb1f440be5931f168280b574a26d44d region=eu-west-2

aws-gd-list-detectors#


Lists detectorIds of all the existing Amazon GuardDuty detector resources.

AWS IAM Policy Permission#

Effect: Allow
Action: guardduty:ListDetectors

Base Command#

aws-gd-list-detectors

Input#

Argument NameDescriptionRequired
limitNumber of total results to query. Default is 50.Optional
pageSpecific page to query.Optional
page_sizeNumber of total results in each page. Default is 50.Optional
regionThe AWS Region, if not specified the default region will be used.Optional
roleArnThe Amazon Resource Name (ARN) of the role to assume.Optional
roleSessionNameAn identifier for the assumed role session.Optional
roleSessionDurationThe duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role.Optional

Context Output#

PathTypeDescription
AWS.GuardDuty.Detectors.DetectorIdstringThe unique identifier for a detector.

Command Example#

!aws-gd-list-detectors region=eu-west-2

aws-gd-update-ip-set#


Updates the IPSet specified by the IPSet ID.

AWS IAM Policy Permission#

Effect: Allow
Action: guardduty:UpdateIPSet

Base Command#

aws-gd-update-ip-set

Input#

Argument NameDescriptionRequired
activateThe updated boolean value that specifies whether the IPSet is active or not. Possible values are: True, False.Optional
detectorIdThe detectorID that specifies the GuardDuty service whose IPSet you want to update.Required
ipSetIdThe unique ID that specifies the IPSet that you want to update.Required
locationThe updated URI of the file that contains the IPSet. For example (https://s3.us-west-2.amazonaws.com/my-bucket/my-object-key).Optional
nameThe user friendly name to identify the IPSet.Optional
regionThe AWS Region, if not specified the default region will be used.Optional
roleArnThe Amazon Resource Name (ARN) of the role to assume.Optional
roleSessionNameAn identifier for the assumed role session.Optional
roleSessionDurationThe duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role.Optional

Context Output#

There is no context output for this command.

Command Example#

!aws-gd-update-ip-set detectorId=38b1ed3fe279cd0c8edb0715ac5561eb ipSetId=7eb1f440be5931f168280b574a26d44d activate=False region=eu-west-2

aws-gd-get-ip-set#


Retrieves the IPSet specified by the IPSet ID.

AWS IAM Policy Permission#

Effect: Allow
Action: guardduty:GetIPSet

Base Command#

aws-gd-get-ip-set

Input#

Argument NameDescriptionRequired
detectorIdThe detectorID that specifies the GuardDuty service whose IPSet you want to retrieve.Required
ipSetIdThe unique ID that specifies the IPSet that you want to describe.Required
regionThe AWS Region, if not specified the default region will be used.Optional
roleArnThe Amazon Resource Name (ARN) of the role to assume.Optional
roleSessionNameAn identifier for the assumed role session.Optional
roleSessionDurationThe duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role.Optional

Context Output#

PathTypeDescription
AWS.GuardDuty.Detectors.IPSet.IpSetIdstringThe unique ID for the IPSet.
AWS.GuardDuty.Detectors.IPSet.FormatstringThe format of the file that contains the IPSet.
AWS.GuardDuty.Detectors.IPSet.LocationstringThe URI of the file that contains the IPSet.
AWS.GuardDuty.Detectors.IPSet.Namestringhe user friendly name to identify the IPSet.
AWS.GuardDuty.Detectors.IPSet.StatusstringThe status of ipSet file uploaded.

Command Example#

!aws-gd-get-ip-set detectorId=38b1ed3fesdf279cd0c8edbdsf071sdgfac5561eb ipSetId=7eb1sdff440be5931f1682adf80b574a26d44d region=eu-west-2

aws-gd-list-ip-sets#


Lists the IPSets of the GuardDuty service specified by the detector ID.

AWS IAM Policy Permission#

Effect: Allow
Action: guardduty:ListIPSet

Base Command#

aws-gd-list-ip-sets

Input#

Argument NameDescriptionRequired
detectorIdThe unique ID of the detector that you want to retrieve.Required
regionThe AWS Region, if not specified the default region will be used.Optional
roleArnThe Amazon Resource Name (ARN) of the role to assume.Optional
roleSessionNameAn identifier for the assumed role session.Optional
roleSessionDurationThe duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role.Optional
limitNumber of total results to query. Default is 50.Optional
pageSpecific page to query.Optional
page_sizeNumber of total results in each page. Default is 50.Optional

Context Output#

PathTypeDescription
AWS.GuardDuty.Detectors.IPSet.IpSetIdunknownThe unique identifier for an IP Set

Command Example#

!aws-gd-list-ip-sets detectorId=38b1ed3fesdf279cd0c8edbdsf071sdgfac5561eb region=eu-west-2

aws-gd-create-threatintel-set#


Create a new ThreatIntelSet. ThreatIntelSets consist of known malicious IP addresses. GuardDuty generates findings based on ThreatIntelSets.

AWS IAM Policy Permission#

Effect: Allow
Action: guardduty:CreateThreatIntelSet

Base Command#

aws-gd-create-threatintel-set

Input#

Argument NameDescriptionRequired
activateA boolean value that indicates whether GuardDuty is to start using the uploaded ThreatIntelSet. Possible values are: True, False. Default is True.Required
detectorIdThe unique ID of the detector that you want to update.Required
formatThe format of the file that contains the ThreatIntelSet. Possible values are: TXT, STIX, OTX_CSV, ALIEN_VAULT, PROOF_POINT, FIRE_EYE.Required
locationThe URI of the file that contains the ThreatIntelSet. For example (https://s3.us-west-2.amazonaws.com/my-bucket/my-object-key).Required
nameA user-friendly ThreatIntelSet name that is displayed in all finding generated by activity that involves IP addresses included in this ThreatIntelSet.Required
regionThe AWS Region, if not specified the default region will be used.Optional
roleArnThe Amazon Resource Name (ARN) of the role to assume.Optional
roleSessionNameAn identifier for the assumed role session.Optional
roleSessionDurationThe duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role.Optional

Context Output#

PathTypeDescription
AWS.GuardDuty.Detectors.ThreatIntelSet.ThreatIntelSetIdstringThe unique identifier for an threat intel set.

Command Example#

!aws-gd-create-threatintel-set format=TXT location=https://s3.eu-central-1.amazonaws.com/test/threatintel.txt activate=True detectorId=38b1ed3fe279czvasdd0c8edb0715azdsfc5561eb name=test region=eu-west-2

aws-gd-delete-threatintel-set#


Deletes ThreatIntelSet specified by the ThreatIntelSet ID.

AWS IAM Policy Permission#

Effect: Allow
Action: guardduty:DeleteThreatIntelSet

Base Command#

aws-gd-delete-threatintel-set

Input#

Argument NameDescriptionRequired
detectorIdThe detectorID that specifies the GuardDuty service whose ThreatIntelSet you want to delete.Required
threatIntelSetIdThe unique ID that specifies the ThreatIntelSet that you want to delete.Required
regionThe AWS Region, if not specified the default region will be used.Optional
roleArnThe Amazon Resource Name (ARN) of the role to assume.Optional
roleSessionNameAn identifier for the assumed role session.Optional
roleSessionDurationThe duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role.Optional

Context Output#

There is no context output for this command.

Command Example#

!aws-gd-delete-threatintel-set detectorId=38b1ed3fe279cd0c8edb0715ac5561eb threatIntelSetId=7eb1f440be5931f168280b574a26d44d region=eu-west-2

aws-gd-get-threatintel-set#


Retrieves the ThreatIntelSet that is specified by the ThreatIntelSet ID.

AWS IAM Policy Permission#

Effect: Allow
Action: guardduty:GetThreatIntelSet

Base Command#

aws-gd-get-threatintel-set

Input#

Argument NameDescriptionRequired
detectorIdThe detectorID that specifies the GuardDuty service whose ThreatIntelSet you want to describe.Required
threatIntelSetIdThe unique ID that specifies the ThreatIntelSet that you want to describe.Required
regionThe AWS Region, if not specified the default region will be used.Optional
roleArnThe Amazon Resource Name (ARN) of the role to assume.Optional
roleSessionNameAn identifier for the assumed role session.Optional
roleSessionDurationThe duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role.Optional

Context Output#

PathTypeDescription
AWS.GuardDuty.Detectors.ThreatIntelSet.ThreatIntelSetIdstringThe unique ID that specifies the ThreatIntelSet.
AWS.GuardDuty.Detectors.ThreatIntelSet.FormatstringThe format of the threatIntelSet.
AWS.GuardDuty.Detectors.ThreatIntelSet.LocationstringThe URI of the file that contains the ThreatIntelSet.
AWS.GuardDuty.Detectors.ThreatIntelSet.NamestringA user-friendly ThreatIntelSet name.
AWS.GuardDuty.Detectors.ThreatIntelSet.StatusstringThe status of threatIntelSet file uploaded.

Command Example#

!aws-gd-get-threatintel-set detectorId=38b1ed3fe279cd0c8edb0715ac5561eb threatIntelSetId=7eb1f440be5931f168280b574a26d44d region=eu-west-2

aws-gd-list-threatintel-sets#


Lists the ThreatIntelSets of the GuardDuty service specified by the detector ID.

AWS IAM Policy Permission#

Effect: Allow
Action: guardduty:ListThreatIntelSet

Base Command#

aws-gd-list-threatintel-sets

Input#

Argument NameDescriptionRequired
detectorIdThe detectorID that specifies the GuardDuty service whose ThreatIntelSets you want to list.Required
regionThe AWS Region, if not specified the default region will be used.Optional
roleArnThe Amazon Resource Name (ARN) of the role to assume.Optional
roleSessionNameAn identifier for the assumed role session.Optional
roleSessionDurationThe duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role.Optional
limitNumber of total results to query. Default is 50.Optional
pageSpecific page to query.Optional
page_sizeNumber of total results in each page. Default is 50.Optional

Context Output#

PathTypeDescription
AWS.GuardDuty.Detectors.ThreatIntelSet.ThreatIntelSetIdstringThe unique identifier for an threat intel set

Command Example#

!aws-gd-list-threatintel-sets detectorId=38b1ed3fe279cd0c8edb0715ac5561eb region=eu-west-2

aws-gd-update-threatintel-set#


Updates the ThreatIntelSet specified by ThreatIntelSet ID.

AWS IAM Policy Permission#

Effect: Allow
Action: guardduty:UpdateThreatIntelSet

Base Command#

aws-gd-update-threatintel-set

Input#

Argument NameDescriptionRequired
detectorIdThe detectorID that specifies the GuardDuty service whose ThreatIntelSet you want to update.Required
threatIntelSetIdThe unique ID that specifies the ThreatIntelSet that you want to update.Optional
activateThe updated boolean value that specifies whether the ThreatIntelSet is active or not. Possible values are: True, False.Optional
locationThe updated URI of the file that contains the ThreatIntelSet. For example (https://s3.us-west-2.amazonaws.com/my-bucket/my-object-key).Optional
nameThe user-friendly ThreatIntelSet name.Optional
regionThe AWS Region, if not specified the default region will be used.Optional
roleArnThe Amazon Resource Name (ARN) of the role to assume.Optional
roleSessionNameAn identifier for the assumed role session.Optional
roleSessionDurationThe duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role.Optional

Context Output#

There is no context output for this command.

Command Example#

!aws-gd-update-threatintel-set detectorId=38b1ed3fe279cd0c8edb0715ac5561eb threatIntelSetId=7eb1f440be5931f168280b574a26d44d activate=False region=eu-west-2

aws-gd-list-findings#


Lists Amazon GuardDuty findings for the specified detector ID.

AWS IAM Policy Permission#

Effect: Allow
Action: guardduty:ListFindings

Base Command#

aws-gd-list-findings

Input#

Argument NameDescriptionRequired
detectorIdThe ID of the detector that specifies the GuardDuty service whose findings you want to list.Required
regionThe AWS Region, if not specified the default region will be used.Optional
roleArnThe Amazon Resource Name (ARN) of the role to assume.Optional
roleSessionNameAn identifier for the assumed role session.Optional
roleSessionDurationThe duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role.Optional
limitNumber of total results to query. Default is 50.Optional
pageSpecific page to query.Optional
page_sizeNumber of total results in each page. Default is 50.Optional

Context Output#

PathTypeDescription
AWS.GuardDuty.Findings.FindingIdstringThe unique identifier for the Finding

Command Example#

!aws-gd-list-findings detectorId=38b1ed3fe279cd0c8edb0715ac5561eb region=eu-west-2

aws-gd-get-findings#


Describes Amazon GuardDuty findings specified by finding IDs.

AWS IAM Policy Permission#

Effect: Allow
Action: guardduty:GetFindings

Base Command#

aws-gd-get-findings

Input#

Argument NameDescriptionRequired
detectorIdThe ID of the detector that specifies the GuardDuty service whose findings you want to retrieve.Required
findingIdsIDs of the findings that you want to retrieve.Required
regionThe AWS Region, if not specified the default region will be used.Optional
roleArnThe Amazon Resource Name (ARN) of the role to assume.Optional
roleSessionNameAn identifier for the assumed role session.Optional
roleSessionDurationThe duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role.Optional
returnRawResponseSelect 'true' to save all fields from the response to the context. Otherwise, complex fields will be stored in JSON format. Default value is False.Optional

Context Output#

PathTypeDescription
AWS.GuardDuty.Findings.AccountIdstringThe ID of the account in which the finding was generated.
AWS.GuardDuty.Findings.CreatedAtstringThe time and date when the finding was created.
AWS.GuardDuty.Findings.DescriptionstringThe description of the finding.
AWS.GuardDuty.Findings.RegionstringThe region where the finding was generated.
AWS.GuardDuty.Findings.IdstringThe ID of the finding.
AWS.GuardDuty.Findings.TitlestringThe title of the finding.
AWS.GuardDuty.Findings.SeveritystringThe severity of the finding.
AWS.GuardDuty.Findings.TypestringThe type of finding.
AWS.GuardDuty.Findings.UpdatedAtstringThe time and date when the finding was last updated.
AWS.GuardDuty.Findings.ArnstringThe ARN of the finding.
AWS.GuardDuty.Findings.ConfidencestringThe confidence score for the finding.
AWS.GuardDuty.Findings.PartitionstringThe partition associated with the finding.
AWS.GuardDuty.Findings.ResourceTypestringThe type of Amazon Web Services resource.
AWS.GuardDuty.Findings.SchemaVersionstringThe version of the schema used for the finding.
AWS.GuardDuty.Findings.ServicestringContains additional information about the generated finding.
AWS.GuardDuty.Findings.Resource.AccessKeyDetailsstringThe IAM access key details (IAM user information) of a user that engaged in the activity that prompted GuardDuty to generate a finding.
AWS.GuardDuty.Findings.Resource.InstanceDetailsstringThe information about the EC2 instance associated with the activity that prompted GuardDuty to generate a finding.
AWS.GuardDuty.Findings.Resource.EksClusterDetailsstringDetails about the EKS cluster involved in a Kubernetes finding.
AWS.GuardDuty.Findings.Resource.KubernetesDetailsstringDetails about the Kubernetes user and workload involved in a Kubernetes finding.
AWS.GuardDuty.Findings.Resource.EbsVolumeDetailsstringContains a list of scanned and skipped EBS volumes with details.
AWS.GuardDuty.Findings.Resource.EcsClusterDetailsstringContains information about the details of the ECS Cluster.
AWS.GuardDuty.Findings.Resource.ContainerDetailsstringDetails of a container.
AWS.GuardDuty.Findings.Resource.S3BucketDetailsstringContains information on the S3 bucket.

Command Example#

!aws-gd-get-findings detectorIds=4f1fc7cd7dsg26sdf4328d8dc813 findingIds=96b1ac608sdf00e5183c3dds115c36aac328b,0ab180f5801sdg954418f3806c2a45282c9

aws-gd-create-sample-findings#


Generates example findings of types specified by the list of finding types. If 'NULL' is specified for findingTypes, the API generates example findings of all supported finding types.

AWS IAM Policy Permission#

Effect: Allow
Action: guardduty:CreateSampleFindings

Base Command#

aws-gd-create-sample-findings

Input#

Argument NameDescriptionRequired
detectorIdThe ID of the detector to create sample findings for.Required
findingTypesTypes of sample findings that you want to generate. Separated by comma.Optional
regionThe AWS Region, if not specified the default region will be used.Optional
roleArnThe Amazon Resource Name (ARN) of the role to assume.Optional
roleSessionNameAn identifier for the assumed role session.Optional
roleSessionDurationThe duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role.Optional

Context Output#

There is no context output for this command.

Command Example#

!aws-gd-create-sample-findings detectorId=4f1fc7cd7dsg2adf6sdf4328d8dc813 findingTypes=NULL region=eu-central-1

aws-gd-archive-findings#


Archives Amazon GuardDuty findings specified by the list of finding IDs.

AWS IAM Policy Permission#

Effect: Allow
Action: guardduty:ArchiveFindings

Base Command#

aws-gd-archive-findings

Input#

Argument NameDescriptionRequired
detectorIdThe ID of the detector that specifies the GuardDuty service whose findings you want to archive.Required
findingIdsIDs of the findings that you want to archive. Separated by comma.Optional
regionThe AWS Region, if not specified the default region will be used.Optional
roleArnThe Amazon Resource Name (ARN) of the role to assume.Optional
roleSessionNameAn identifier for the assumed role session.Optional
roleSessionDurationThe duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role.Optional

Context Output#

There is no context output for this command.

Command Example#

!aws-gd-archive-findings detectorIds=4f1fc7cd7dsg26sdf4328d8dc813 findingIds=96b1ac608sdf00e5183c3dds115c36aac328b,0ab180f5801sdg954418f3806c2a45282c9

aws-gd-unarchive-findings#


Unarchives Amazon GuardDuty findings specified by the list of finding IDs.

AWS IAM Policy Permission#

Effect: Allow
Action: guardduty:UnarchiveFindings

Base Command#

aws-gd-unarchive-findings

Input#

Argument NameDescriptionRequired
detectorIdThe ID of the detector that specifies the GuardDuty service whose findings you want to unarchive.Required
findingIdsIDs of the findings that you want to unarchive.Optional

Context Output#

There is no context output for this command.

Command Example#

!aws-gd-unarchive-findings detectorIds=4f1fc7cd7dsg26sdf4328d8dc813 findingIds=96b1ac608sdf00e5183c3dds115c36aac328b,0ab180f5801sdg954418f3806c2a45282c9

aws-gd-update-findings-feedback#


Marks specified Amazon GuardDuty findings as useful or not useful.

AWS IAM Policy Permission#

Effect: Allow
Action: guardduty:UpdateFindingsFeedback

Base Command#

aws-gd-update-findings-feedback

Input#

Argument NameDescriptionRequired
detectorIdThe ID of the detector that specifies the GuardDuty service whose findings you want to mark as useful or not useful.Required
findingIdsIDs of the findings that you want to mark as useful or not useful.Optional
commentsAdditional feedback about the GuardDuty findings.Optional
feedbackSpecify whether the finding was useful or not. Possible values are: USEFUL, NOT_USEFUL.Optional
regionThe AWS Region, if not specified the default region will be used.Optional
roleArnThe Amazon Resource Name (ARN) of the role to assume.Optional
roleSessionNameAn identifier for the assumed role session.Optional
roleSessionDurationThe duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role.Optional

Context Output#

There is no context output for this command.

Command Example#

!aws-gd-update-findings-feedback detectorIds=4f1fc7cd7dsg26sdf4328d8dc813 findingIds=96b1ac608sdf00e5183c3dds115c36aac328b comments=Good Job feedback=USEFUL

aws-gd-list-members#


Describes Amazon GuardDuty members for the specified detector ID.

AWS IAM Policy Permission#

Effect: Allow
Action: guardduty:ListMembers

Base Command#

aws-gd-list-members

Input#

Argument NameDescriptionRequired
detectorIdThe ID of the detector that specifies the GuardDuty service whose members you want to retrieve.Required
regionThe AWS Region, if not specified the default region will be used.Optional
roleArnThe Amazon Resource Name (ARN) of the role to assume.Optional
roleSessionNameAn identifier for the assumed role session.Optional
roleSessionDurationThe duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role.Optional
limitNumber of total results to query. Default is 50.Optional
pageSpecific page to query.Optional
page_sizeNumber of total results in each page. Default is 50.Optional

Context Output#

PathTypeDescription
AWS.GuardDuty.Members.AccountIdstringThe unique account ID of the member.
AWS.GuardDuty.Members.DetectorIdstringThe unique detector ID of the member.
AWS.GuardDuty.Members.MasterIdstringThe unique detector ID of the master.
AWS.GuardDuty.Members.EmailstringThe email of the member.
AWS.GuardDuty.Members.RelationshipStatusstringThe relationship status of member.
AWS.GuardDuty.Members.InvitedAtstringThe first time a member was invited.
AWS.GuardDuty.Members.UpdatedAtstringThe time a member was last updated.

Command Example#

!aws-gd-list-members detectorIds=4f1fc7cd7dsg26sdf4328d8dc813

aws-gd-get-members#


Describes Amazon GuardDuty members for the specified detector ID & account ID.

AWS IAM Policy Permission#

Effect: Allow
Action: guardduty:GetMembers

Base Command#

aws-gd-get-members

Input#

Argument NameDescriptionRequired
detectorIdThe ID of the detector that specifies the GuardDuty service whose members you want to retrieve.Required
accountIdsThe ID of the account that specifies the GuardDuty service whose details you want to retrieve.Required
regionThe AWS Region, if not specified the default region will be used.Optional
roleArnThe Amazon Resource Name (ARN) of the role to assume.Optional
roleSessionNameAn identifier for the assumed role session.Optional
roleSessionDurationThe duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role.Optional

Context Output#

PathTypeDescription
AWS.GuardDuty.Members.AccountIdstringThe unique account ID of the member.
AWS.GuardDuty.Members.DetectorIdstringThe unique detector ID of the member.
AWS.GuardDuty.Members.MasterIdstringThe unique detector ID of the master.
AWS.GuardDuty.Members.EmailstringThe email of the member.
AWS.GuardDuty.Members.RelationshipStatusstringThe relationship status of member.
AWS.GuardDuty.Members.InvitedAtstringThe first time a member was invited.
AWS.GuardDuty.Members.UpdatedAtstringThe time a member was last updated.

Command Example#

!aws-gd-get-members detectorIds=4f1fc7cd7dsg26sdf4328d8dc813 accountIds=1f3fc2cd1dag26sdf4338d8aa813

Breaking changes from the previous version of this integration - AWS-GuardDuty#

The following sections list the changes in this version.

Commands#

Fetch incidents command - Findings that are fetched are no longer moved automatically to the GuardDuty archive.

Parameters#

The following parameters were added in this version:

  • How many incidents to fetch each time
  • First fetch timestamp
  • Archive findings After Fetch