# AWS - GuardDuty
This integration is part of the AWS - GuardDuty Pack. Use this integration to detect and manage threats to your AWS system. We recommend that you use roles that have the following built-in AWS policies:
- AmazonGuardDutyFullAccess
- AmazonGuardDutyReadOnlyAccess
For detailed instructions about setting up authentication, see: AWS Integrations - Authentication.

## Prerequisites
It is important that you familiarize yourself with and complete all steps detailed in the Amazon AWS Integrations Configuration Guide.

## Configure AWS - GuardDuty on Cortex XSOAR
1. Navigate to Settings > Integrations > Servers & Services.
2. Search for AWS - GuardDuty.
3. Click Add instance to create and configure a new integration instance.

Parameter | Required |
---|---|
AWS Default Region | False |
Role Arn | False |
Fetch incidents | False |
Incident type | False |
Role Session Name | False |
Role Session Duration | False |
Guard Duty Severity level | False |
Access Key | False |
Secret Key | False |
Timeout | False |
Retries | False |

4. Click Test to validate the URLs, token, and connection.

## Fetched Incidents Data
- The integration fetches newly created GuardDuty findings. Fetched findings are moved to the GuardDuty archive. Each integration instance can fetch findings from a single AWS Region.
- Each region can have a maximum of 1,000 member accounts linked to a GuardDuty master account. For more information, see the Amazon GuardDuty documentation.
- You can set the severity level of the findings to be fetched: "Low", "Medium", or "High". For example, if you set the severity level to "Medium", the integration only fetches findings with a severity level of Medium or higher.
- Findings in archived status are not retrieved.
- The initial fetch interval is one minute.
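The fetch behaviour described above (severity floor, skip archived findings, archive what was fetched so the next cycle does not return it again) modelled as a small Python flow. This is an added example, not the integration's own code; `FakeGuardDutyClient` is a constructed stand-in for a boto3 GuardDuty client, the detector ID is a placeholder, and the `FindingCriteria` shape follows the GuardDuty ListFindings API.

```python
import copy
import json

# GuardDuty's documented severity bands: Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9.
# The instance parameter "Guard Duty Severity level" selects the lower bound of the
# band, so "Medium" fetches everything with Severity >= 4.
SEVERITY_FLOOR = {"Low": 1, "Medium": 4, "High": 7}


def finding_criteria(severity_level):
    """Build the FindingCriteria passed to ListFindings for one fetch cycle."""
    if severity_level not in SEVERITY_FLOOR:
        raise ValueError("severity level must be Low, Medium or High")
    return {
        "Criterion": {
            # Archived findings are never retrieved (see "Fetched Incidents Data").
            "service.archived": {"Eq": ["false"]},
            "severity": {"Gte": SEVERITY_FLOOR[severity_level]},
        }
    }


class FakeGuardDutyClient:
    """Constructed stand-in for boto3.client('guardduty') holding the findings of
    one detector. Only the three calls the fetch path uses are modelled, and
    pagination (NextToken) of the real ListFindings call is ignored."""

    def __init__(self, findings):
        self._findings = {f["Id"]: copy.deepcopy(f) for f in findings}

    def list_findings(self, DetectorId, FindingCriteria):
        crit = FindingCriteria["Criterion"]
        floor = crit["severity"]["Gte"]
        want_archived = crit["service.archived"]["Eq"][0] == "true"
        ids = [
            fid for fid, f in self._findings.items()
            if f["Severity"] >= floor and f["Service"]["Archived"] == want_archived
        ]
        return {"FindingIds": ids}

    def get_findings(self, DetectorId, FindingIds):
        return {"Findings": [copy.deepcopy(self._findings[i]) for i in FindingIds]}

    def archive_findings(self, DetectorId, FindingIds):
        for i in FindingIds:
            self._findings[i]["Service"]["Archived"] = True
        return {}


def fetch_incidents(client, detector_id, severity_level):
    """One fetch cycle: returns XSOAR-style incident dicts and archives the findings
    it returned. The role needs guardduty:ListFindings, guardduty:GetFindings and
    guardduty:ArchiveFindings, the per-command permissions listed on this page."""
    criteria = finding_criteria(severity_level)
    ids = client.list_findings(DetectorId=detector_id, FindingCriteria=criteria)["FindingIds"]
    if not ids:
        return []
    findings = client.get_findings(DetectorId=detector_id, FindingIds=ids)["Findings"]
    incidents = [
        {"name": f["Title"], "severity": f["Severity"], "rawJSON": json.dumps(f)}
        for f in findings
    ]
    # Archive after a successful fetch so the next cycle does not see them again.
    client.archive_findings(DetectorId=detector_id, FindingIds=ids)
    return incidents


# Constructed sample findings, not real GuardDuty data.
SAMPLE_FINDINGS = [
    {"Id": "f-low", "Title": "low", "Severity": 2.0, "Service": {"Archived": False}},
    {"Id": "f-med", "Title": "medium", "Severity": 5.0, "Service": {"Archived": False}},
    {"Id": "f-high", "Title": "high", "Severity": 8.0, "Service": {"Archived": False}},
    {"Id": "f-old", "Title": "already archived", "Severity": 8.0, "Service": {"Archived": True}},
]


def demo(severity_level="Medium"):
    """Run two consecutive fetch cycles and return the incident names from each."""
    client = FakeGuardDutyClient(SAMPLE_FINDINGS)
    detector_id = "DETECTOR-ID-PLACEHOLDER"
    first = [i["name"] for i in fetch_incidents(client, detector_id, severity_level)]
    second = [i["name"] for i in fetch_incidents(client, detector_id, severity_level)]
    return first, second


if __name__ == "__main__":
    print(demo("Medium"))
```

The second cycle returns nothing because the first cycle archived what it fetched, which is why a detector whose findings are also consumed elsewhere should be fetched from a single instance.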

## Commands
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

### aws-gd-create-detector
Creates an Amazon GuardDuty detector in the AWS account specified by the integration instance.

#### AWS IAM Policy Permission
Effect: Allow
Action: guardduty:CreateDetector

#### Base Command
aws-gd-create-detector

#### Input
Argument Name | Description | Required |
---|---|---|
enabled | A boolean value that specifies whether the detector is to be enabled. Possible values are: True, False. Default is True. | Required |
region | The AWS Region, if not specified the default region will be used. | Optional |
roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
roleSessionName | An identifier for the assumed role session. | Optional |
roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

#### Context Output
Path | Type | Description |
---|---|---|
AWS.GuardDuty.Detectors.DetectorId | string | The unique ID of the created detector. |

#### Command Example
!aws-gd-create-detector enabled=True region=eu-west-2

### aws-gd-delete-detector
Deletes the Amazon GuardDuty detector specified by the detector ID.

#### AWS IAM Policy Permission
Effect: Allow
Action: guardduty:DeleteDetector

#### Base Command
aws-gd-delete-detector

#### Input
Argument Name | Description | Required |
---|---|---|
detectorId | The unique ID that specifies the detector that you want to delete. | Required |
region | The AWS Region, if not specified the default region will be used. | Optional |
roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
roleSessionName | An identifier for the assumed role session. | Optional |
roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

#### Context Output
There is no context output for this command.

#### Command Example
!aws-gd-delete-detector detectorId=38b1235ed3fe245279cd0c8e235db0715ac5561eb

### aws-gd-get-detector
Retrieves the Amazon GuardDuty detector specified by the detector ID.

#### AWS IAM Policy Permission
Effect: Allow
Action: guardduty:GetDetector

#### Base Command
aws-gd-get-detector

#### Input
Argument Name | Description | Required |
---|---|---|
detectorId | The unique ID of the detector that you want to retrieve. | Required |
region | The AWS Region, if not specified the default region will be used. | Optional |
roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
roleSessionName | An identifier for the assumed role session. | Optional |
roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

#### Context Output
Path | Type | Description |
---|---|---|
AWS.GuardDuty.Detectors.DetectorId | string | The unique ID of the detector. |
AWS.GuardDuty.Detectors.CreatedAt | string | The time the detector was created. |
AWS.GuardDuty.Detectors.ServiceRole | string | Customer serviceRole name or ARN for accessing customer resources. |
AWS.GuardDuty.Detectors.Status | string | The status of the detector. |
AWS.GuardDuty.Detectors.UpdatedAt | string | The time the detector was last updated. |

#### Command Example
!aws-gd-get-detector detectorId=38b1ed3fe279fdascd0c8edb071dsf5ac5561eb region=eu-west-2

### aws-gd-update-detector
Updates the Amazon GuardDuty detector specified by the detector ID.

#### AWS IAM Policy Permission
Effect: Allow
Action: guardduty:UpdateDetector

#### Base Command
aws-gd-update-detector

#### Input
Argument Name | Description | Required |
---|---|---|
detectorId | The unique ID of the detector that you want to update. | Required |
enable | Updated boolean value for the detector that specifies whether the detector is enabled. Possible values are: True, False. Default is True. | Required |
region | The AWS Region, if not specified the default region will be used. | Optional |
roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
roleSessionName | An identifier for the assumed role session. | Optional |
roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

#### Context Output
There is no context output for this command.

#### Command Example
!aws-gd-update-detector detectorId=38b1ed3fe279fdascd0c8edb071dsf5ac5561eb enable=True

### aws-gd-create-ip-set
Creates an IPSet: a list of trusted IP addresses on an allow list, used for secure communication with AWS infrastructure and applications.

#### AWS IAM Policy Permission
Effect: Allow
Action: guardduty:CreateIPSet

#### Base Command
aws-gd-create-ip-set

#### Input
Argument Name | Description | Required |
---|---|---|
activate | A boolean value that indicates whether GuardDuty is to start using the uploaded IPSet. Possible values are: True, False. Default is True. | Optional |
detectorId | The unique ID of the detector that you want to update. | Required |
format | The format of the file that contains the IPSet. Possible values are: TXT, STIX, OTX_CSV, ALIEN_VAULT, PROOF_POINT, FIRE_EYE. | Required |
location | The URI of the file that contains the IPSet. For example (https://s3.us-west-2.amazonaws.com/my-bucket/my-object-key). | Optional |
name | The user friendly name to identify the IPSet. This name is displayed in all findings that are triggered by activity that involves IP addresses included in this IPSet. | Optional |
region | The AWS Region, if not specified the default region will be used. | Optional |
roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
roleSessionName | An identifier for the assumed role session. | Optional |
roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

#### Context Output
Path | Type | Description |
---|---|---|
AWS.GuardDuty.Detectors.IPSet.IpSetId | unknown | The unique identifier for an IPSet. |

#### Command Example
!aws-gd-create-ip-set format=TXT location=https://s3.eu-central-1.amazonaws.com/test/ipset.txt activate=True detectorId=38b1ed3fe279czvasdd0c8edb0715azdsfc5561eb name=test region=eu-west-2

### aws-gd-delete-ip-set
Deletes the IPSet specified by the IPSet ID.

#### AWS IAM Policy Permission
Effect: Allow
Action: guardduty:DeleteIPSet

#### Base Command
aws-gd-delete-ip-set

#### Input
Argument Name | Description | Required |
---|---|---|
detectorId | The detectorID that specifies the GuardDuty service whose IPSet you want to delete. | Required |
ipSetId | The unique ID that specifies the IPSet that you want to delete. | Required |
region | The AWS Region, if not specified the default region will be used. | Optional |
roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
roleSessionName | An identifier for the assumed role session. | Optional |
roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

#### Context Output
There is no context output for this command.

#### Command Example
!aws-gd-delete-ip-set detectorId=38b1ed3fe279cd0c8edb0715ac5561eb ipSetId=7eb1f440be5931f168280b574a26d44d region=eu-west-2

### aws-gd-list-detectors
Lists the detector IDs of all existing Amazon GuardDuty detector resources.

#### AWS IAM Policy Permission
Effect: Allow
Action: guardduty:ListDetectors

#### Base Command
aws-gd-list-detectors

#### Input
Argument Name | Description | Required |
---|---|---|
region | The AWS Region, if not specified the default region will be used. | Optional |
roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
roleSessionName | An identifier for the assumed role session. | Optional |
roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

#### Context Output
Path | Type | Description |
---|---|---|
AWS.GuardDuty.Detectors.DetectorId | string | The unique identifier for a detector. |

#### Command Example
!aws-gd-list-detectors region=eu-west-2

### aws-gd-update-ip-set
Updates the IPSet specified by the IPSet ID.

#### AWS IAM Policy Permission
Effect: Allow
Action: guardduty:UpdateIPSet

#### Base Command
aws-gd-update-ip-set

#### Input
Argument Name | Description | Required |
---|---|---|
activate | The updated boolean value that specifies whether the IPSet is active or not. Possible values are: True, False. | Optional |
detectorId | The detectorID that specifies the GuardDuty service whose IPSet you want to update. | Required |
ipSetId | The unique ID that specifies the IPSet that you want to update. | Required |
location | The updated URI of the file that contains the IPSet. For example (https://s3.us-west-2.amazonaws.com/my-bucket/my-object-key). | Optional |
name | The user friendly name to identify the IPSet. | Optional |
region | The AWS Region, if not specified the default region will be used. | Optional |
roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
roleSessionName | An identifier for the assumed role session. | Optional |
roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

#### Context Output
There is no context output for this command.

#### Command Example
!aws-gd-update-ip-set detectorId=38b1ed3fe279cd0c8edb0715ac5561eb ipSetId=7eb1f440be5931f168280b574a26d44d activate=False region=eu-west-2

### aws-gd-get-ip-set
Retrieves the IPSet specified by the IPSet ID.

#### AWS IAM Policy Permission
Effect: Allow
Action: guardduty:GetIPSet

#### Base Command
aws-gd-get-ip-set

#### Input
Argument Name | Description | Required |
---|---|---|
detectorId | The detectorID that specifies the GuardDuty service whose IPSet you want to retrieve. | Required |
ipSetId | The unique ID that specifies the IPSet that you want to describe. | Required |
region | The AWS Region, if not specified the default region will be used. | Optional |
roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
roleSessionName | An identifier for the assumed role session. | Optional |
roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

#### Context Output
Path | Type | Description |
---|---|---|
AWS.GuardDuty.Detectors.IPSet.IpSetId | string | The unique ID of the IPSet. |
AWS.GuardDuty.Detectors.IPSet.Format | string | The format of the file that contains the IPSet. |
AWS.GuardDuty.Detectors.IPSet.Location | string | The URI of the file that contains the IPSet. |
AWS.GuardDuty.Detectors.IPSet.Name | string | The user-friendly name that identifies the IPSet. |
AWS.GuardDuty.Detectors.IPSet.Status | string | The status of the uploaded IPSet file. |

#### Command Example
!aws-gd-get-ip-set detectorId=38b1ed3fesdf279cd0c8edbdsf071sdgfac5561eb ipSetId=7eb1sdff440be5931f1682adf80b574a26d44d region=eu-west-2

### aws-gd-list-ip-sets
Lists the IPSets of the GuardDuty service specified by the detector ID.

#### AWS IAM Policy Permission
Effect: Allow
Action: guardduty:ListIPSets

#### Base Command
aws-gd-list-ip-sets

#### Input
Argument Name | Description | Required |
---|---|---|
detectorId | The unique ID of the detector that you want to retrieve. | Required |
region | The AWS Region, if not specified the default region will be used. | Optional |
roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
roleSessionName | An identifier for the assumed role session. | Optional |
roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

#### Context Output
Path | Type | Description |
---|---|---|
AWS.GuardDuty.Detectors.IPSet.IpSetId | unknown | The unique identifier for an IPSet. |

#### Command Example
!aws-gd-list-ip-sets detectorId=38b1ed3fesdf279cd0c8edbdsf071sdgfac5561eb region=eu-west-2

### aws-gd-create-threatintel-set
Creates a new ThreatIntelSet. ThreatIntelSets consist of known malicious IP addresses; GuardDuty generates findings based on them.

#### AWS IAM Policy Permission
Effect: Allow
Action: guardduty:CreateThreatIntelSet

#### Base Command
aws-gd-create-threatintel-set

#### Input
Argument Name | Description | Required |
---|---|---|
activate | A boolean value that indicates whether GuardDuty is to start using the uploaded ThreatIntelSet. Possible values are: True, False. Default is True. | Required |
detectorId | The unique ID of the detector that you want to update. | Required |
format | The format of the file that contains the ThreatIntelSet. Possible values are: TXT, STIX, OTX_CSV, ALIEN_VAULT, PROOF_POINT, FIRE_EYE. | Required |
location | The URI of the file that contains the ThreatIntelSet. For example (https://s3.us-west-2.amazonaws.com/my-bucket/my-object-key). | Required |
name | A user-friendly ThreatIntelSet name that is displayed in all findings generated by activity that involves IP addresses included in this ThreatIntelSet. | Required |
region | The AWS Region, if not specified the default region will be used. | Optional |
roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
roleSessionName | An identifier for the assumed role session. | Optional |
roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

#### Context Output
Path | Type | Description |
---|---|---|
AWS.GuardDuty.Detectors.ThreatIntelSet.ThreatIntelSetId | string | The unique identifier for a ThreatIntelSet. |

#### Command Example
!aws-gd-create-threatintel-set format=TXT location=https://s3.eu-central-1.amazonaws.com/test/threatintel.txt activate=True detectorId=38b1ed3fe279czvasdd0c8edb0715azdsfc5561eb name=test region=eu-west-2

### aws-gd-delete-threatintel-set
Deletes the ThreatIntelSet specified by the ThreatIntelSet ID.

#### AWS IAM Policy Permission
Effect: Allow
Action: guardduty:DeleteThreatIntelSet

#### Base Command
aws-gd-delete-threatintel-set

#### Input
Argument Name | Description | Required |
---|---|---|
detectorId | The detectorID that specifies the GuardDuty service whose ThreatIntelSet you want to delete. | Required |
threatIntelSetId | The unique ID that specifies the ThreatIntelSet that you want to delete. | Required |
region | The AWS Region, if not specified the default region will be used. | Optional |
roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
roleSessionName | An identifier for the assumed role session. | Optional |
roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

#### Context Output
There is no context output for this command.

#### Command Example
!aws-gd-delete-threatintel-set detectorId=38b1ed3fe279cd0c8edb0715ac5561eb threatIntelSetId=7eb1f440be5931f168280b574a26d44d region=eu-west-2

### aws-gd-get-threatintel-set
Retrieves the ThreatIntelSet specified by the ThreatIntelSet ID.

#### AWS IAM Policy Permission
Effect: Allow
Action: guardduty:GetThreatIntelSet

#### Base Command
aws-gd-get-threatintel-set

#### Input
Argument Name | Description | Required |
---|---|---|
detectorId | The detectorID that specifies the GuardDuty service whose ThreatIntelSet you want to describe. | Required |
threatIntelSetId | The unique ID that specifies the ThreatIntelSet that you want to describe. | Required |
region | The AWS Region, if not specified the default region will be used. | Optional |
roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
roleSessionName | An identifier for the assumed role session. | Optional |
roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

#### Context Output
Path | Type | Description |
---|---|---|
AWS.GuardDuty.Detectors.ThreatIntelSet.ThreatIntelSetId | string | The unique ID that specifies the ThreatIntelSet. |
AWS.GuardDuty.Detectors.ThreatIntelSet.Format | string | The format of the ThreatIntelSet. |
AWS.GuardDuty.Detectors.ThreatIntelSet.Location | string | The URI of the file that contains the ThreatIntelSet. |
AWS.GuardDuty.Detectors.ThreatIntelSet.Name | string | A user-friendly ThreatIntelSet name. |
AWS.GuardDuty.Detectors.ThreatIntelSet.Status | string | The status of the uploaded ThreatIntelSet file. |

#### Command Example
!aws-gd-get-threatintel-set detectorId=38b1ed3fe279cd0c8edb0715ac5561eb threatIntelSetId=7eb1f440be5931f168280b574a26d44d region=eu-west-2

### aws-gd-list-threatintel-sets
Lists the ThreatIntelSets of the GuardDuty service specified by the detector ID.

#### AWS IAM Policy Permission
Effect: Allow
Action: guardduty:ListThreatIntelSets

#### Base Command
aws-gd-list-threatintel-sets

#### Input
Argument Name | Description | Required |
---|---|---|
detectorId | The detectorID that specifies the GuardDuty service whose ThreatIntelSets you want to list. | Required |
region | The AWS Region, if not specified the default region will be used. | Optional |
roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
roleSessionName | An identifier for the assumed role session. | Optional |
roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

#### Context Output
Path | Type | Description |
---|---|---|
AWS.GuardDuty.Detectors.ThreatIntelSet.ThreatIntelSetId | string | The unique identifier for a ThreatIntelSet. |

#### Command Example
!aws-gd-list-threatintel-sets detectorId=38b1ed3fe279cd0c8edb0715ac5561eb region=eu-west-2

### aws-gd-update-threatintel-set
Updates the ThreatIntelSet specified by the ThreatIntelSet ID.

#### AWS IAM Policy Permission
Effect: Allow
Action: guardduty:UpdateThreatIntelSet

#### Base Command
aws-gd-update-threatintel-set

#### Input
Argument Name | Description | Required |
---|---|---|
detectorId | The detectorID that specifies the GuardDuty service whose ThreatIntelSet you want to update. | Required |
threatIntelSetId | The unique ID that specifies the ThreatIntelSet that you want to update. | Optional |
activate | The updated boolean value that specifies whether the ThreatIntelSet is active or not. Possible values are: True, False. | Optional |
location | The updated URI of the file that contains the ThreatIntelSet. For example (https://s3.us-west-2.amazonaws.com/my-bucket/my-object-key). | Optional |
name | The user-friendly ThreatIntelSet name. | Optional |
region | The AWS Region, if not specified the default region will be used. | Optional |
roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
roleSessionName | An identifier for the assumed role session. | Optional |
roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

#### Context Output
There is no context output for this command.

#### Command Example
!aws-gd-update-threatintel-set detectorId=38b1ed3fe279cd0c8edb0715ac5561eb threatIntelSetId=7eb1f440be5931f168280b574a26d44d activate=False region=eu-west-2

### aws-gd-list-findings
Lists Amazon GuardDuty findings for the specified detector ID.

#### AWS IAM Policy Permission
Effect: Allow
Action: guardduty:ListFindings

#### Base Command
aws-gd-list-findings

#### Input
Argument Name | Description | Required |
---|---|---|
detectorId | The ID of the detector that specifies the GuardDuty service whose findings you want to list. | Required |
region | The AWS Region, if not specified the default region will be used. | Optional |
roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
roleSessionName | An identifier for the assumed role session. | Optional |
roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

#### Context Output
Path | Type | Description |
---|---|---|
AWS.GuardDuty.Findings.FindingId | string | The unique identifier for the finding. |

#### Command Example
!aws-gd-list-findings detectorId=38b1ed3fe279cd0c8edb0715ac5561eb region=eu-west-2

### aws-gd-get-findings
Describes the Amazon GuardDuty findings specified by finding IDs.

#### AWS IAM Policy Permission
Effect: Allow
Action: guardduty:GetFindings

#### Base Command
aws-gd-get-findings

#### Input
Argument Name | Description | Required |
---|---|---|
detectorId | The ID of the detector that specifies the GuardDuty service whose findings you want to retrieve. | Required |
findingIds | IDs of the findings that you want to retrieve. | Required |
region | The AWS Region, if not specified the default region will be used. | Optional |
roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
roleSessionName | An identifier for the assumed role session. | Optional |
roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

#### Context Output
There is no context output for this command.

#### Command Example
!aws-gd-get-findings detectorId=4f1fc7cd7dsg26sdf4328d8dc813 findingIds=96b1ac608sdf00e5183c3dds115c36aac328b,0ab180f5801sdg954418f3806c2a45282c9

### aws-gd-create-sample-findings
Generates example findings of the types specified by the list of finding types. If 'NULL' is specified for findingTypes, the API generates example findings of all supported finding types.

#### AWS IAM Policy Permission
Effect: Allow
Action: guardduty:CreateSampleFindings

#### Base Command
aws-gd-create-sample-findings

#### Input
Argument Name | Description | Required |
---|---|---|
detectorId | The ID of the detector to create sample findings for. | Required |
findingTypes | Types of sample findings that you want to generate. Separated by comma. | Optional |
region | The AWS Region, if not specified the default region will be used. | Optional |
roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
roleSessionName | An identifier for the assumed role session. | Optional |
roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

#### Context Output
There is no context output for this command.

#### Command Example
!aws-gd-create-sample-findings detectorId=4f1fc7cd7dsg2adf6sdf4328d8dc813 findingTypes=NULL region=eu-central-1

### aws-gd-archive-findings
Archives the Amazon GuardDuty findings specified by the list of finding IDs.

#### AWS IAM Policy Permission
Effect: Allow
Action: guardduty:ArchiveFindings

#### Base Command
aws-gd-archive-findings

#### Input
Argument Name | Description | Required |
---|---|---|
detectorId | The ID of the detector that specifies the GuardDuty service whose findings you want to archive. | Required |
findingIds | IDs of the findings that you want to archive. Separated by comma. | Optional |
region | The AWS Region, if not specified the default region will be used. | Optional |
roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
roleSessionName | An identifier for the assumed role session. | Optional |
roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

#### Context Output
There is no context output for this command.

#### Command Example
!aws-gd-archive-findings detectorId=4f1fc7cd7dsg26sdf4328d8dc813 findingIds=96b1ac608sdf00e5183c3dds115c36aac328b,0ab180f5801sdg954418f3806c2a45282c9

### aws-gd-unarchive-findings
Unarchives the Amazon GuardDuty findings specified by the list of finding IDs.

#### AWS IAM Policy Permission
Effect: Allow
Action: guardduty:UnarchiveFindings

#### Base Command
aws-gd-unarchive-findings

#### Input
Argument Name | Description | Required |
---|---|---|
detectorId | The ID of the detector that specifies the GuardDuty service whose findings you want to unarchive. | Required |
findingIds | IDs of the findings that you want to unarchive. | Optional |

#### Context Output
There is no context output for this command.

#### Command Example
!aws-gd-unarchive-findings detectorId=4f1fc7cd7dsg26sdf4328d8dc813 findingIds=96b1ac608sdf00e5183c3dds115c36aac328b,0ab180f5801sdg954418f3806c2a45282c9

### aws-gd-update-findings-feedback
Marks the specified Amazon GuardDuty findings as useful or not useful.

#### AWS IAM Policy Permission
Effect: Allow
Action: guardduty:UpdateFindingsFeedback

#### Base Command
aws-gd-update-findings-feedback

#### Input
Argument Name | Description | Required |
---|---|---|
detectorId | The ID of the detector that specifies the GuardDuty service whose findings you want to mark as useful or not useful. | Required |
findingIds | IDs of the findings that you want to mark as useful or not useful. | Optional |
comments | Additional feedback about the GuardDuty findings. | Optional |
feedback | Specify whether the finding was useful or not. Possible values are: USEFUL, NOT_USEFUL. | Optional |
region | The AWS Region, if not specified the default region will be used. | Optional |
roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
roleSessionName | An identifier for the assumed role session. | Optional |
roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

#### Context Output
There is no context output for this command.

#### Command Example
!aws-gd-update-findings-feedback detectorId=4f1fc7cd7dsg26sdf4328d8dc813 findingIds=96b1ac608sdf00e5183c3dds115c36aac328b comments="Good Job" feedback=USEFUL

### aws-gd-list-members
Describes the Amazon GuardDuty members for the specified detector ID.

#### AWS IAM Policy Permission
Effect: Allow
Action: guardduty:ListMembers

#### Base Command
aws-gd-list-members

#### Input
Argument Name | Description | Required |
---|---|---|
detectorId | The ID of the detector that specifies the GuardDuty service whose members you want to retrieve. | Required |
region | The AWS Region, if not specified the default region will be used. | Optional |
roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
roleSessionName | An identifier for the assumed role session. | Optional |
roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

#### Context Output
Path | Type | Description |
---|---|---|
AWS.GuardDuty.Members.AccountId | string | The unique account ID of the member. |
AWS.GuardDuty.Members.DetectorId | string | The unique detector ID of the member. |
AWS.GuardDuty.Members.MasterId | string | The unique detector ID of the master. |
AWS.GuardDuty.Members.Email | string | The email of the member. |
AWS.GuardDuty.Members.RelationshipStatus | string | The relationship status of the member. |
AWS.GuardDuty.Members.InvitedAt | string | The first time the member was invited. |
AWS.GuardDuty.Members.UpdatedAt | string | The time the member was last updated. |

#### Command Example
!aws-gd-list-members detectorId=4f1fc7cd7dsg26sdf4328d8dc813

### aws-gd-get-members
Describes the Amazon GuardDuty members for the specified detector ID and account ID.

#### AWS IAM Policy Permission
Effect: Allow
Action: guardduty:GetMembers

#### Base Command
aws-gd-get-members

#### Input
Argument Name | Description | Required |
---|---|---|
detectorId | The ID of the detector that specifies the GuardDuty service whose members you want to retrieve. | Required |
accountIds | The ID of the account that specifies the GuardDuty service whose details you want to retrieve. | Required |
region | The AWS Region, if not specified the default region will be used. | Optional |
roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
roleSessionName | An identifier for the assumed role session. | Optional |
roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

#### Context Output
Path | Type | Description |
---|---|---|
AWS.GuardDuty.Members.AccountId | string | The unique account ID of the member. |
AWS.GuardDuty.Members.DetectorId | string | The unique detector ID of the member. |
AWS.GuardDuty.Members.MasterId | string | The unique detector ID of the master. |
AWS.GuardDuty.Members.Email | string | The email of the member. |
AWS.GuardDuty.Members.RelationshipStatus | string | The relationship status of the member. |
AWS.GuardDuty.Members.InvitedAt | string | The first time the member was invited. |
AWS.GuardDuty.Members.UpdatedAt | string | The time the member was last updated. |

#### Command Example
!aws-gd-get-members detectorId=4f1fc7cd7dsg26sdf4328d8dc813 accountIds=1f3fc2cd1dag26sdf4338d8aa813