AWS - GuardDuty
Use this integration to detect and manage threats to your AWS system.
We recommend that you use roles that have the following built-in AWS policies:
- AmazonGuardDutyFullAccess
- AmazonGuardDutyReadOnlyAccess
Prerequisites
It is important that you familiarize yourself with and complete all steps detailed in the Amazon AWS Integrations Configuration Guide.
Configure the AWS GuardDuty Integration on Demisto
- Navigate to Settings > Integrations > Servers & Services.
- Search for AWS - GuardDuty.
- Click Add instance to create and configure a new integration instance.
- Name: a textual name for the integration instance
- AWS Default Region
- Role Arn
- Fetch incidents
- Incident type
- GuardDuty Severity Level (Low, Medium, High)
- Role Session Name
- Role Session Duration
- Click Test to validate the URLs and token.
Fetched Incidents Data
- The integration fetches newly created GuardDuty findings. Findings that have been fetched are moved to the GuardDuty archive. Each integration instance can fetch findings from a single AWS Region.
- Each region can have a maximum of 1,000 member accounts linked to a GuardDuty master account. For more information, see the Amazon GuardDuty documentation.
- You can set the severity level of the findings to be fetched: Low, Medium, or High. For example, if you set the severity level to Medium, the integration only fetches findings with a severity level of Medium and higher.
- Findings in archived status are not retrieved.
- The initial fetch interval is one minute.
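As an added illustration of the fetch rules above (this is example code, not the integration's own): a Python sketch that builds the ListFindings filter for the configured severity level, applies the same filter client-side to constructed sample findings, and returns the IDs that are archived after the fetch. GuardDuty's numeric severity bands and the FindingCriteria key names are assumptions, not taken from this page.

```python
import json
from typing import Dict, List, Tuple

# Lower bound of each severity band on GuardDuty's numeric severity scale.
# The bands (Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9) are an assumption
# taken from GuardDuty's documented scale, not something this page states.
SEVERITY_FLOOR: Dict[str, float] = {"Low": 1.0, "Medium": 4.0, "High": 7.0}

# Constructed sample findings in the shape GetFindings returns (Id, Severity,
# Type, CreatedAt, Service.Archived); IDs and timestamps are made up.
SAMPLE_FINDINGS: List[dict] = [
    {"Id": "f-low-1", "Severity": 2.0, "Type": "Recon:EC2/Portscan",
     "CreatedAt": "2018-06-07T13:46:37.031Z", "Service": {"Archived": False}},
    {"Id": "f-med-1", "Severity": 5.0, "Type": "Recon:EC2/PortProbeUnprotectedPort",
     "CreatedAt": "2018-06-07T13:50:00.000Z", "Service": {"Archived": False}},
    {"Id": "f-high-1", "Severity": 8.0, "Type": "UnauthorizedAccess:EC2/SSHBruteForce",
     "CreatedAt": "2018-06-07T13:55:00.000Z", "Service": {"Archived": False}},
    # Already archived: must never be fetched again, whatever its severity.
    {"Id": "f-high-archived", "Severity": 8.0, "Type": "UnauthorizedAccess:EC2/SSHBruteForce",
     "CreatedAt": "2018-06-07T12:00:00.000Z", "Service": {"Archived": True}},
]


def severity_band(score: float) -> str:
    """Map a numeric GuardDuty severity to the page's Low/Medium/High levels."""
    if score >= SEVERITY_FLOOR["High"]:
        return "High"
    if score >= SEVERITY_FLOOR["Medium"]:
        return "Medium"
    return "Low"


def finding_criteria(level: str) -> dict:
    """Build the FindingCriteria filter for ListFindings: severity at or above
    the instance's configured level, and not archived. The Criterion keys
    (severity/Gte, service.archived/Eq) are the GuardDuty API's, assumed here."""
    if level not in SEVERITY_FLOOR:
        raise ValueError(f"unknown GuardDuty severity level: {level!r}")
    return {"Criterion": {
        "severity": {"Gte": int(SEVERITY_FLOOR[level])},
        "service.archived": {"Eq": ["false"]},
    }}


def select_findings(findings: List[dict], level: str) -> List[dict]:
    """Apply the same filter client-side: drop archived findings, keep those
    whose severity meets or exceeds the configured level."""
    floor = SEVERITY_FLOOR.get(level)
    if floor is None:
        raise ValueError(f"unknown GuardDuty severity level: {level!r}")
    return [
        f for f in findings
        if not f.get("Service", {}).get("Archived", False)
        and float(f.get("Severity", 0.0)) >= floor
    ]


def fetch_incidents(findings: List[dict], level: str) -> Tuple[List[dict], List[str]]:
    """One fetch cycle: turn the selected findings into incidents and return the
    IDs that the integration then archives so they are not fetched again."""
    selected = select_findings(findings, level)
    incidents = [
        {"name": f"{f['Type']} ({severity_band(f['Severity'])})",
         "occurred": f["CreatedAt"], "rawJSON": json.dumps(f)}
        for f in selected
    ]
    return incidents, [f["Id"] for f in selected]


if __name__ == "__main__":
    incidents, to_archive = fetch_incidents(SAMPLE_FINDINGS, "Medium")
    print(json.dumps(finding_criteria("Medium")))
    print([i["name"] for i in incidents], "-> archive:", to_archive)
```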
Commands
You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- Create an Amazon GuardDuty detector: aws-gd-create-detector
- Delete an Amazon GuardDuty detector: aws-gd-delete-detector
- Retrieve an Amazon GuardDuty detector: aws-gd-get-detector
- Update an Amazon GuardDuty detector: aws-gd-update-detector
- Create an IP whitelist: aws-gd-create-ip-set
- Delete an IP whitelist: aws-gd-delete-ip-set
- List all Amazon GuardDuty detectors: aws-gd-list-detectors
- Update an IP whitelist: aws-gd-update-ip-set
- Get IP whitelist information: aws-gd-get-ip-set
- List all IP whitelists: aws-gd-list-ip-sets
- Create a threat intelligence set: aws-gd-create-threatintel-set
- Delete a threat intelligence set: aws-gd-delete-threatintel-set
- Get threat intelligence set information: aws-gd-get-threatintel-set
- List all threat intelligence sets: aws-gd-list-threatintel-sets
- Update a threat intelligence set: aws-gd-update-threatintel-set
- List Amazon GuardDuty findings for a specific detector: aws-gd-list-findings
- Describe Amazon GuardDuty findings for a specific detector: aws-gd-get-findings
- Generate example findings: aws-gd-create-sample-findings
- Archive Amazon GuardDuty findings: aws-gd-archive-findings
- Unarchive Amazon GuardDuty findings: aws-gd-unarchive-findings
- Mark Amazon GuardDuty findings as useful or not useful: aws-gd-update-findings-feedback
Create an Amazon GuardDuty detector: aws-gd-create-detector
Creates an Amazon GuardDuty detector on the AWS account specified in the integration instance.
Command Example
!aws-gd-create-detector enabled=True region=eu-west-2
AWS IAM Policy Permission
Effect: Allow
Action: guardduty:CreateDetector
Input
Parameter | Description |
enabled | A boolean value that specifies whether to enable the detector |
region | AWS region (if not specified, the default region is used) |
roleArn | Amazon Resource Name (ARN) of the role to assume |
roleSessionName | Identifier for the assumed role session |
roleSessionDuration | Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role) |
Context Output
Path | Description |
AWS.GuardDuty.Detectors.DetectorId | Unique ID of the created detector |
Raw Output
{ "DetectorId":"38b1235ed3fe245279cd0c8e235db0715ac5561eb" }
Delete an Amazon GuardDuty detector: aws-gd-delete-detector
Deletes an Amazon GuardDuty detector on the AWS account specified in the integration instance.
Command Example
!aws-gd-delete-detector detectorId=38b1235ed3fe245279cd0c8e235db0715ac5561eb
AWS IAM Policy Permission
Effect: Allow
Action: guardduty:DeleteDetector
Input
Parameter | Description |
detectorId | Unique ID of the detector that you want to delete |
region | AWS region (if not specified, the default region is used) |
roleArn | Amazon Resource Name (ARN) of the role to assume |
roleSessionName | Identifier for the assumed role session |
roleSessionDuration | Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role) |
Context Output
There is no context output for this command.
Raw Output
The Detector 38b1235ed3fe245279cd0c8e235db0715ac5561eb has been deleted.
Retrieve an Amazon GuardDuty detector: aws-gd-get-detector
Retrieves an Amazon GuardDuty detector by detectorId.
Command Example
!aws-gd-get-detector detectorId=38b1ed3fe279fdascd0c8edb071dsf5ac5561eb region=eu-west-2
AWS IAM Policy Permission
Effect: Allow
Action: guardduty:GetDetector
Input
Parameter | Description |
detectorId | Unique ID of the detector that you want to retrieve |
region | AWS region (if not specified, the default region is used) |
roleArn | Amazon Resource Name (ARN) of the role to assume |
roleSessionName | Identifier for the assumed role session |
roleSessionDuration | Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role) |
Context Output
Path | Description |
AWS.GuardDuty.Detectors.DetectorId | Unique ID of the created detector |
AWS.GuardDuty.Detectors.CreatedAt | The first time a resource was created |
AWS.GuardDuty.Detectors.ServiceRole | Customer serviceRole name or ARN for accessing customer resources |
AWS.GuardDuty.Detectors.Status | Status of the detector |
AWS.GuardDuty.Detectors.UpdatedAt | The time a resource was last updated |
Raw Output
{ "CreatedAt":"2018-06-07T13:46:37.031Z", "DetectorId":"38b1ed3fe279cd0c8edb0715ac5561eb", "ServiceRole":"arn:aws:iam::123456789:role/aws-service-role/guardduty.amazonaws.com/AWSServiceRoleForAmazonGuardDuty", "Status":"DISABLED", "UpdatedAt":"2018-06-07T13:46:37.031Z" }
Update an Amazon GuardDuty detector: aws-gd-update-detector
Updates an Amazon GuardDuty detector by detectorId.
Command Example
!aws-gd-update-detector detectorId=38b1ed3fe279fdascd0c8edb071dsf5ac5561eb enable=True
AWS IAM Policy Permission
Effect: Allow
Action: guardduty:UpdateDetector
Input
Parameter | Description |
detectorId | Unique ID of the detector that you want to update |
enable | Updated boolean value for the detector that specifies whether the detector is enabled |
region | AWS region (if not specified, the default region is used) |
roleArn | Amazon Resource Name (ARN) of the role to assume |
roleSessionName | Identifier for the assumed role session |
roleSessionDuration | Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role) |
Context Output
There is no context output for this command.
Raw Output
The Detector 38b1ed3fe279fdascd0c8edb071dsf5ac5561eb was updated.
Create an IP whitelist: aws-gd-create-ip-set
Creates a list of trusted IP addresses (IPSet) that are whitelisted for secure communication with AWS infrastructure and applications.
Command Example
!aws-gd-create-ip-set format=TXT location=https://s3.eu-central-1.amazonaws.com/test/ipset.txt activate=True detectorId=38b1ed3fe279czvasdd0c8edb0715azdsfc5561eb name=test region=eu-west-2
AWS IAM Policy Permission
Effect: Allow
Action: guardduty:CreateIPSet
Input
Parameter | Description |
activate | A boolean value that indicates whether GuardDuty uses the uploaded IPSet |
detectorId | Unique ID of the detector that you want to update |
format | Format of the file that contains the IPSet. |
location | URI of the file that contains the IPSet, for example, https://s3.us-west-2.amazonaws.com/my-bucket/my-object-key |
name | Friendly name for the IPSet, which displays in all findings that are triggered by activities that involve IP addresses included in this IPSet |
region | AWS region (if not specified, the default region is used) |
roleArn | Amazon Resource Name (ARN) of the role to assume |
roleSessionName | Identifier for the assumed role session |
roleSessionDuration | Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role) |
Context Output
Path | Description |
AWS.GuardDuty.IPSet.IpSetId | Unique ID of the created IPSet (a list of trusted IP addresses whitelisted for secure communication with AWS infrastructure and applications) |
Raw Output
{ "DetectorId":"38b1ed3fe279czvasdd0c8edb0715azdsfc5561eb", "IpSetId":"7eb1f440be5931f168280b574a26d44d" }
Delete an IP whitelist: aws-gd-delete-ip-set
Deletes the IPSet specified by IPSet ID.
Command Example
!aws-gd-delete-ip-set detectorId=38b1ed3fe279cd0c8edb0715ac5561eb ipSetId=7eb1f440be5931f168280b574a26d44d region=eu-west-2
AWS IAM Policy Permission
Effect: Allow
Action: guardduty:DeleteIPSet
Input
Parameter | Description |
detectorId | Unique ID of the detector that you want to update |
ipSetId | Unique ID of the IPSet to delete |
region | AWS region (if not specified, the default region is used) |
roleArn | Amazon Resource Name (ARN) of the role to assume |
roleSessionName | Identifier for the assumed role session |
roleSessionDuration | Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role) |
Context Output
There is no context output for this command.
Raw Output
The IPSet 7eb1f440be593asd1f168280b57asd4a26d44d has been deleted from Detector 38b1ed3fe279cdasd0c8edb0715ac5561eb.
List all Amazon GuardDuty detectors: aws-gd-list-detectors
Lists all Amazon GuardDuty detectors.
Command Example
!aws-gd-list-detectors region=eu-west-2
AWS IAM Policy Permission
Effect: Allow
Action: guardduty:ListDetectors
Input
Parameter | Description |
region | AWS region (if not specified, the default region is used) |
roleArn | Amazon Resource Name (ARN) of the role to assume |
roleSessionName | Identifier for the assumed role session |
roleSessionDuration | Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role) |
Context Output
Path | Description |
AWS.GuardDuty.Detectors.detectorId | Unique ID of the detector |
Raw Output
{ "DetectorId":"38b1ed3fe279czvasdd0c8edb0715azdsfc5561eb" }
Update an IP whitelist: aws-gd-update-ip-set
Updates the IPSet specified by the IPSet ID.
Command Example
!aws-gd-update-ip-set detectorId=38b1ed3fe279cd0c8edb0715ac5561eb ipSetId=7eb1f440be5931f168280b574a26d44d activate=False region=eu-west-2
AWS IAM Policy Permission
Effect: Allow
Action: guardduty:UpdateIPSet
Input
Parameter | Description |
activate | A boolean value that indicates whether GuardDuty uses the uploaded IPSet |
detectorId | Unique ID of the detector that you want to update |
ipSetId | Unique ID that specifies the IPSet that you want to update |
location | URI of the file that contains the IPSet, for example, https://s3.us-west-2.amazonaws.com/my-bucket/my-object-key |
name | Friendly name for the IPSet, which displays in all findings that are triggered by activities that involve IP addresses included in this IPSet |
region | AWS region (if not specified, the default region is used) |
roleArn | Amazon Resource Name (ARN) of the role to assume |
roleSessionName | Identifier for the assumed role session |
roleSessionDuration | Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role) |
Context Output
There is no context output for this command.
Raw Output
The IPSet {0} has been updated.
Get IP whitelist information: aws-gd-get-ip-set
Retrieves information for an IPSet.
Command Example
!aws-gd-get-ip-set detectorId=38b1ed3fesdf279cd0c8edbdsf071sdgfac5561eb ipSetId=7eb1sdff440be5931f1682adf80b574a26d44d region=eu-west-2
AWS IAM Policy Permission
Effect: Allow
Action: guardduty:GetIPSet
Input
Parameter | Description |
detectorId | The detectorID that specifies the GuardDuty service whose IPSet you want to retrieve |
ipSetId | Unique ID that specifies the IPSet that you want to describe |
region | AWS region (if not specified, the default region is used) |
roleArn | Amazon Resource Name (ARN) of the role to assume |
roleSessionName | Identifier for the assumed role session |
roleSessionDuration | Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role) |
Context Output
Path | Description |
AWS.GuardDuty.Detectors.IPSet.IpSetId | Unique ID for the IPSet |
AWS.GuardDuty.Detectors.IPSet.Format | Format of the file that contains the IPSet |
AWS.GuardDuty.Detectors.IPSet.Location | URI of the file that contains the IPSet |
AWS.GuardDuty.Detectors.IPSet.Name | Friendly name to identify the IPSet |
AWS.GuardDuty.Detectors.IPSet.Status | Status of the uploaded IPSet file |
Raw Output
{ "DetectorId":"38b1edsfd3fe279cd0dsfc8edb07sdf15asdfc5561eb", "Format":"TXT", "IpSetId":"7eb1f440sdfafbe5931f168280dsfb574a26d44d", "Location":"https://s3.eu-central-1.amazonaws.com/test/ipset.txt", "Name":"test", "Status":"DELETED" }
List all IP whitelists: aws-gd-list-ip-sets
Lists all IPSets in GuardDuty.
Command Example
!aws-gd-list-ip-sets detectorId=38b1ed3fesdf279cd0c8edbdsf071sdgfac5561eb region=eu-west-2
AWS IAM Policy Permission
Effect: Allow
Action: guardduty:ListIPSets
Input
Parameter | Description |
detectorId | Unique ID of the detector whose IPSets you want to list |
region | AWS region (if not specified, the default region is used) |
roleArn | Amazon Resource Name (ARN) of the role to assume |
roleSessionName | Identifier for the assumed role session |
roleSessionDuration | Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role) |
Context Output
Path | Description |
AWS.GuardDuty.Detectors.IPSet.IpSetId | Unique ID for the IPSet |
Raw Output
[ { "DetectorId":"38b1ed3sadfe279cd0c8edb071asd5ac5561eb" }, { "IpSetId":"0eb1f4asd4bc5ed4720995f3esad4c4aad0266" } ]
Create a threat intelligence set: aws-gd-create-threatintel-set
Creates a list of known malicious IP addresses (ThreatIntelSet). GuardDuty generates findings based on ThreatIntelSets.
Command Example
!aws-gd-create-threatintel-set format=TXT location=https://s3.eu-central-1.amazonaws.com/test/threatintel.txt activate=True detectorId=38b1ed3fe279czvasdd0c8edb0715azdsfc5561eb name=test region=eu-west-2
AWS IAM Policy Permission
Effect: Allow
Action: guardduty:CreateThreatIntelSet
Input
Parameter | Description |
activate | A boolean value that indicates whether GuardDuty uses the uploaded ThreatIntelSet |
detectorId | Unique ID of the detector that you want to update |
format | Format of the file that contains the ThreatIntelSet |
location | URI of the file that contains the ThreatIntelSet, for example, https://s3.us-west-2.amazonaws.com/my-bucket/my-object-key |
name | Friendly name for the ThreatIntelSet, which displays in all findings that are triggered by activities that involve IP addresses included in this ThreatIntelSet |
region | AWS region (if not specified, the default region is used) |
roleArn | Amazon Resource Name (ARN) of the role to assume |
roleSessionName | Identifier for the assumed role session |
roleSessionDuration | Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role) |
Context Output
Path | Description |
AWS.GuardDuty.Detectors.ThreatIntelSet.ThreatIntelSetId | Unique identifier for a ThreatIntelSet |
Raw Output
{ "ThreatIntelSetId":"0eb1f4asd4bc5ed4720995f3esad4c4aad0266" }
Delete a threat intelligence set: aws-gd-delete-threatintel-set
Deletes the ThreatIntelSet specified by the ThreatIntelSet ID.
Command Example
!aws-gd-delete-threatintel-set detectorId=38b1ed3fe279cd0c8edb0715ac5561eb threatIntelSetId=7eb1f440be5931f168280b574a26d44d region=eu-west-2
AWS IAM Policy Permission
Effect: Allow
Action: guardduty:DeleteThreatIntelSet
Input
Parameter | Description |
detectorId | Unique ID of the detector that you want to update |
threatIntelSetId | Unique ID of the ThreatIntelSet to delete |
region | AWS region (if not specified, the default region is used) |
roleArn | Amazon Resource Name (ARN) of the role to assume |
roleSessionName | Identifier for the assumed role session |
roleSessionDuration | Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role) |
Context Output
There is no context output for this command.
Raw Output
The ThreatIntel Set 7eb1f440be5931f168280b574a26d44d was deleted from Detector 38b1ed3fe279cd0c8edb0715ac5561eb.
Get threat intelligence set information: aws-gd-get-threatintel-set
Retrieves the ThreatIntelSet specified by the ThreatIntelSet ID.
Command Example
!aws-gd-get-threatintel-set detectorId=38b1ed3fe279cd0c8edb0715ac5561eb threatIntelSetId=7eb1f440be5931f168280b574a26d44d region=eu-west-2
AWS IAM Policy Permission
Effect: Allow
Action: guardduty:GetThreatIntelSet
Input
Parameter | Description |
detectorId | Unique ID of the detector that you want to update |
threatIntelSetId | Unique ID that specifies the ThreatIntelSet that you want to describe |
region | AWS region (if not specified, the default region is used) |
roleArn | Amazon Resource Name (ARN) of the role to assume |
roleSessionName | Identifier for the assumed role session |
roleSessionDuration | Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role) |
Context Output
Path | Description |
AWS.GuardDuty.Detectors.ThreatIntelSet.ThreatIntelSetId | The unique ID that specifies the ThreatIntelSet |
AWS.GuardDuty.Detectors.ThreatIntelSet.Format | The format of the threatIntelSet |
AWS.GuardDuty.Detectors.ThreatIntelSet.Location.Name | The URI of the file that contains the ThreatIntelSet |
AWS.GuardDuty.Detectors.ThreatIntelSet.Name | Friendly ThreatIntelSet name |
AWS.GuardDuty.Detectors.ThreatIntelSet.Status | Status of the uploaded threatIntelSet file |
Raw Output
{ "DetectorId":"38b1ed3fe279cd0c8edb0715ac5561eb", "ThreatIntelSetId":"7eb1f440be5931f168280b574a26d44d", "Format":"TXT", "Location":"https://s3.eu-central-1.amazonaws.com/test/threatintel.txt", "Name":"Test", "Status":"DELETED" }
List all threat intelligence sets: aws-gd-list-threatintel-sets
Lists all ThreatIntelSets in GuardDuty.
Command Example
!aws-gd-list-threatintel-sets detectorId=38b1ed3fe279cd0c8edb0715ac5561eb region=eu-west-2
AWS IAM Policy Permission
Effect: Allow
Action: guardduty:ListThreatIntelSets
Input
Parameter | Description |
detectorId | The detectorID that specifies the GuardDuty service whose ThreatIntelSets you want to list |
region | AWS region (if not specified, the default region is used) |
roleArn | Amazon Resource Name (ARN) of the role to assume |
roleSessionName | Identifier for the assumed role session |
roleSessionDuration | Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role) |
Context Output
Path | Description |
AWS.GuardDuty.Detectors.ThreatIntelSet.ThreatIntelSetId | The unique ID that specifies the ThreatIntelSet |
Raw Output
[ { "DetectorId":"38b1ed3fe279cd0c8edb0715ac5561eb" }, { "ThreatIntelSetId":"7eb1f440be5931f168280b574a26d44d" } ]
Update a threat intelligence set: aws-gd-update-threatintel-set
Updates the ThreatIntelSet specified by the ThreatIntelSet ID.
Command Example
!aws-gd-update-threatintel-set detectorId=38b1ed3fe279cd0c8edb0715ac5561eb threatIntelSetId=7eb1f440be5931f168280b574a26d44d activate=False region=eu-west-2
AWS IAM Policy Permission
Effect: Allow
Action: guardduty:UpdateThreatIntelSet
Input
Parameter | Description |
activate | The updated boolean value that specifies whether the ThreatIntelSet is active |
detectorId | The detectorID that specifies the GuardDuty service whose ThreatIntelSet you want to update |
threatIntelSetId | The unique ID that specifies the ThreatIntelSet that you want to update |
location | URI of the file that contains the ThreatIntelSet, for example, https://s3.us-west-2.amazonaws.com/my-bucket/my-object-key |
name | Friendly name for the ThreatIntelSet |
region | AWS region (if not specified, the default region is used) |
roleArn | Amazon Resource Name (ARN) of the role to assume |
roleSessionName | Identifier for the assumed role session |
roleSessionDuration | Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role) |
Context Output
There is no context output for this command.
Raw Output
The ThreatIntel Set 7eb1f440be5931f168280b574a26d44d was updated.
List Amazon GuardDuty findings for a specific detector: aws-gd-list-findings
Lists all Amazon GuardDuty findings for the specified detector ID.
Command Example
!aws-gd-list-findings detectorId=38b1ed3fe279cd0c8edb0715ac5561eb region=eu-west-2
AWS IAM Policy Permission
Effect: Allow
Action: guardduty:ListFindings
Input
Parameter | Description |
detectorId | The detectorID that specifies the GuardDuty service whose findings you want to list |
region | AWS region (if not specified, the default region is used) |
roleArn | Amazon Resource Name (ARN) of the role to assume |
roleSessionName | Identifier for the assumed role session |
roleSessionDuration | Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role) |
Context Output
Path | Description |
AWS.GuardDuty.Findings.FindingId | ID of a finding for the specified detector |
Raw Output
[ { "FindingId":"2eb1ecee343f42b66b6f1a394dc3c21b" }, { "FindingId":"c6b180f7c27aff7ee204c7a2620a9cb3" }, { "FindingId":"e6b180f1d95d58f56a85e76c45a2cb34" }, { "FindingId":"f6b1d610567b6172bce359b564aba920" }, { "FindingId":"e6b180f1d22bdbcf4519004c9264f393" } ]
Describe Amazon GuardDuty findings for a specific detector: aws-gd-get-findings
Describes Amazon GuardDuty findings specified by finding IDs.
Command Example
!aws-gd-get-findings detectorId=4f1fc7cd7dsg26sdf4328d8dc813 findingIds=96b1ac608sdf00e5183c3dds115c36aac328b,0ab180f5801sdg954418f3806c2a45282c9
AWS IAM Policy Permission
Effect: Allow
Action: guardduty:GetFindings
Input
Parameter | Description |
detectorId | The detectorID that specifies the GuardDuty service whose findings you want to retrieve |
findingIds | IDs of the findings that you want to retrieve |
region | AWS region (if not specified, the default region is used) |
roleArn | Amazon Resource Name (ARN) of the role to assume |
roleSessionName | Identifier for the assumed role session |
roleSessionDuration | Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role) |
Context Output
There is no context output for this command.
Raw Output
[ { "AccountId":"123456789", "Arn":"arn:aws:guardduty:eu-central-1:123456789:detector/20b180e9f14sdgf1fc7cd7264sdg328d8dc813/finding/0ab180f580sdg1954418f3806c2a45282c9", "CreatedAt":"2018-04-26T12:26:08.306Z", "Description":"EC2 instance has an unprotected port which is being probed by a known malicious host.", "Id":"0ab180f5801954418f3806c2a45282c9", "Region":"eu-central-1", "Title":"Unprotected port on EC2 instance i-123456789 is being probed.", "Type":"Recon:EC2/PortProbeUnprotectedPort" }, { "AccountId":"123456789", "Arn":"arn:aws:guardduty:eu-central-1:123456789:detector/20b180e9sdgf14f1fc7cd7264dsg328d8dc813/finding/96b1ac60sdg800e5183csdg3d115c36aac328b", "CreatedAt":"2018-05-13T09:07:13.564Z", "Description":"EC2 instance has an unprotected port which is being probed by a known malicious host.", "Id":"96b1ac60800e5183c3d115c36aac328b", "Region":"eu-central-1", "Title":"Unprotected port on EC2 instance i-123456789 is being probed.", "Type":"Recon:EC2/PortProbeUnprotectedPort" } ]
Generate example findings: aws-gd-create-sample-findings
Generates example findings of types specified by the list of findings.
Command Example
!aws-gd-create-sample-findings detectorId=4f1fc7cd7dsg2adf6sdf4328d8dc813 findingTypes=NULL region=eu-central-1
AWS IAM Policy Permission
Effect: Allow
Action: guardduty:CreateSampleFindings
Input
Parameter | Description |
detectorId | The ID of the detector to create sample findings for |
findingTypes | Types of sample findings that you want to generate (separated with a comma ",") |
region | AWS region (if not specified, the default region is used) |
roleArn | Amazon Resource Name (ARN) of the role to assume |
roleSessionName | Identifier for the assumed role session |
roleSessionDuration | Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role) |
Context Output
There is no context output for this command.
Raw Output
Sample Findings were generated.
Archive Amazon GuardDuty findings: aws-gd-archive-findings
Archives Amazon GuardDuty findings specified by the list of finding IDs.
Command Example
!aws-gd-archive-findings detectorId=4f1fc7cd7dsg26sdf4328d8dc813 findingIds=96b1ac608sdf00e5183c3dds115c36aac328b,0ab180f5801sdg954418f3806c2a45282c9
AWS IAM Policy Permission
Effect: Allow
Action: guardduty:ArchiveFindings
Input
Parameter | Description |
detectorId | The ID of the detector that specifies the GuardDuty service whose findings you want to archive |
findingIds | IDs of the findings that you want to archive (separated with a comma ",") |
region | AWS region (if not specified, the default region is used) |
roleArn | Amazon Resource Name (ARN) of the role to assume |
roleSessionName | Identifier for the assumed role session |
roleSessionDuration | Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role) |
Context Output
There is no context output for this command.
Raw Output
Findings were archived.
Unarchive Amazon GuardDuty findings: aws-gd-unarchive-findings
Unarchives Amazon GuardDuty findings specified by the list of finding IDs.
Command Example
!aws-gd-unarchive-findings detectorId=4f1fc7cd7dsg26sdf4328d8dc813 findingIds=96b1ac608sdf00e5183c3dds115c36aac328b,0ab180f5801sdg954418f3806c2a45282c9
AWS IAM Policy Permission
Effect: Allow
Action: guardduty:UnarchiveFindings
Input
Parameter | Description |
detectorId | The ID of the detector that specifies the GuardDuty service whose findings you want to unarchive |
findingIds | IDs of the findings that you want to unarchive (separated with a comma ",") |
region | AWS region (if not specified, the default region is used) |
roleArn | Amazon Resource Name (ARN) of the role to assume |
roleSessionName | Identifier for the assumed role session |
roleSessionDuration | Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role) |
Context Output
There is no context output for this command.
Raw Output
Findings were unarchived.
Mark Amazon GuardDuty findings as useful or not useful: aws-gd-update-findings-feedback
Marks the specified Amazon GuardDuty findings as useful or not useful.
Command Example
!aws-gd-update-findings-feedback detectorId=4f1fc7cd7dsg26sdf4328d8dc813 findingIds=96b1ac608sdf00e5183c3dds115c36aac328b comments="Good Job" feedback=USEFUL
AWS IAM Policy Permission
Effect: Allow
Action: guardduty:UpdateFindingsFeedback
Input
Parameter | Description |
detectorId | The ID of the detector that specifies the GuardDuty service whose findings you want to mark as useful or not useful |
findingIds | IDs of the findings that you want to mark as useful or not useful (separated with a comma ",") |
region | AWS region (if not specified, the default region is used) |
roleArn | Amazon Resource Name (ARN) of the role to assume |
roleSessionName | Identifier for the assumed role session |
roleSessionDuration | Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role) |
Context Output
There is no context output for this command.
Raw Output
Findings feedback was sent.