
AWS - GuardDuty

Use this integration to detect and manage threats to your AWS environment. We recommend that you use roles that have the following built-in AWS policies:

  • AmazonGuardDutyFullAccess
  • AmazonGuardDutyReadOnlyAccess

Prerequisites#

It is important that you familiarize yourself with and complete all steps detailed in the Amazon AWS Integrations Configuration Guide.

Configure AWS - GuardDuty on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for AWS - GuardDuty.

  3. Click Add instance to create and configure a new integration instance.

    | Parameter | Required |
    | --- | --- |
    | AWS Default Region | False |
    | Role Arn | False |
    | Fetch incidents | False |
    | Incident type | False |
    | Role Session Name | False |
    | Role Session Duration | False |
  4. Click Test to validate the URLs, token, and connection.

Fetched Incidents Data#

  • The integration fetches newly created GuardDuty findings. Fetched findings are moved to the GuardDuty archive. Each integration instance can fetch findings from a single AWS Region.
  • Each region can have a maximum of 1,000 member accounts linked to a GuardDuty master account. For more information, see the Amazon GuardDuty documentation.
  • You can set the minimum severity level of the findings to be fetched: "Low", "Medium", or "High". For example, if you set the severity level to "Medium", the integration only fetches findings with a severity of Medium or higher.
  • Findings in archived status will not be retrieved.
  • The initial fetch interval is one minute.
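The fetch rules above (severity threshold, archived findings skipped, fetched findings archived) reproduced as an added example; this is not the integration's own code. The numeric severity bands (Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9) are AWS GuardDuty's, the sample findings are constructed, and the mapping to XSOAR incident severities is this example's own choice.

```python
import copy
import json
from typing import Dict, List, Set

# Lower bound of each GuardDuty severity band (AWS: Low 1.0-3.9,
# Medium 4.0-6.9, High 7.0-8.9); the keys are the values the
# "Guard Duty Severity level" instance parameter accepts.
SEVERITY_FLOOR = {"Low": 1.0, "Medium": 4.0, "High": 7.0}

# Constructed sample findings, shaped like GuardDuty GetFindings output.
SAMPLE_FINDINGS = [
    {"Id": "fnd-low-01", "Type": "Recon:EC2/PortProbeUnprotectedPort",
     "Severity": 2.0, "CreatedAt": "2024-05-01T08:00:00Z",
     "Service": {"Archived": False}},
    {"Id": "fnd-med-02", "Type": "UnauthorizedAccess:EC2/SSHBruteForce",
     "Severity": 5.0, "CreatedAt": "2024-05-01T08:05:00Z",
     "Service": {"Archived": False}},
    {"Id": "fnd-high-03", "Type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
     "Severity": 8.0, "CreatedAt": "2024-05-01T08:10:00Z",
     "Service": {"Archived": False}},
    {"Id": "fnd-high-arch-04", "Type": "Backdoor:EC2/C&CActivity.B!DNS",
     "Severity": 8.0, "CreatedAt": "2024-04-30T23:00:00Z",
     "Service": {"Archived": True}},   # already archived: never fetched
]


def build_finding_criteria(level: str) -> Dict:
    """FindingCriteria for a GuardDuty ListFindings call that mirrors the
    fetch: severity at or above the configured level and not archived.
    The Criterion/Gte/Eq shape is the one ListFindings accepts."""
    if level not in SEVERITY_FLOOR:
        raise ValueError(f"unknown severity level: {level!r}")
    return {
        "Criterion": {
            "severity": {"Gte": int(SEVERITY_FLOOR[level])},
            "service.archived": {"Eq": ["false"]},
        }
    }


def select_findings(findings: List[Dict], level: str) -> List[Dict]:
    """Apply the same filter locally (useful when testing a playbook)."""
    floor = SEVERITY_FLOOR[level]
    return [f for f in findings
            if f["Severity"] >= floor and not f["Service"]["Archived"]]


def xsoar_severity(gd_severity: float) -> int:
    """Map a GuardDuty severity to XSOAR's 1=Low/2=Medium/3=High.
    Assumption: this mapping is the example's own, not the integration's."""
    if gd_severity >= SEVERITY_FLOOR["High"]:
        return 3
    if gd_severity >= SEVERITY_FLOOR["Medium"]:
        return 2
    return 1


def to_incident(finding: Dict) -> Dict:
    """Minimal XSOAR incident: name, occurred time, severity, raw JSON."""
    return {
        "name": f"GuardDuty: {finding['Type']}",
        "occurred": finding["CreatedAt"],
        "severity": xsoar_severity(finding["Severity"]),
        "rawJSON": json.dumps(finding),
    }


def fetch_incidents(findings: List[Dict], level: str,
                    archive: Set[str]) -> List[Dict]:
    """One fetch cycle: select, convert, then archive what was fetched
    (stands in for aws-gd-archive-findings) so the next cycle skips it."""
    selected = select_findings(findings, level)
    incidents = [to_incident(f) for f in selected]
    for f in selected:
        f["Service"]["Archived"] = True
        archive.add(f["Id"])
    return incidents


def simulate_two_cycles(level: str):
    """Run two consecutive fetch cycles over a copy of the sample data.
    Returns (first-cycle incident names, second-cycle count, archived IDs)."""
    findings = copy.deepcopy(SAMPLE_FINDINGS)
    archive: Set[str] = set()
    first = fetch_incidents(findings, level, archive)
    second = fetch_incidents(findings, level, archive)
    return [i["name"] for i in first], len(second), sorted(archive)
```

The second cycle returns nothing because everything fetched in the first cycle was archived, which is why a finding that is unarchived again will show up as a new incident.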

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

aws-gd-create-detector#


Creates an Amazon GuardDuty detector in the AWS account specified by the integration instance.

AWS IAM Policy Permission#

Effect: Allow
Action: guardduty:CreateDetector

Base Command#

aws-gd-create-detector

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| enabled | A boolean value that specifies whether the detector is to be enabled. Possible values are: True, False. Default is True. | Required |
| region | The AWS Region. If not specified, the default region is used. | Optional |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AWS.GuardDuty.Detectors.DetectorId | string | The unique ID of the created detector. |

Command Example#

!aws-gd-create-detector enabled=True region=eu-west-2

aws-gd-delete-detector#


Deletes an Amazon GuardDuty detector specified by the detector ID.

AWS IAM Policy Permission#

Effect: Allow
Action: guardduty:DeleteDetector

Base Command#

aws-gd-delete-detector

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| detectorId | The unique ID that specifies the detector that you want to delete. | Required |
| region | The AWS Region. If not specified, the default region is used. | Optional |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

Context Output#

There is no context output for this command.

Command Example#

!aws-gd-delete-detector detectorId=38b1235ed3fe245279cd0c8e235db0715ac5561eb

aws-gd-get-detector#


Retrieves an Amazon GuardDuty detector specified by the detectorId.

AWS IAM Policy Permission#

Effect: Allow
Action: guardduty:GetDetector

Base Command#

aws-gd-get-detector

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| detectorId | The unique ID of the detector that you want to retrieve. | Required |
| region | The AWS Region. If not specified, the default region is used. | Optional |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AWS.GuardDuty.Detectors.DetectorId | string | The unique ID of the detector. |
| AWS.GuardDuty.Detectors.CreatedAt | string | The time the detector was created. |
| AWS.GuardDuty.Detectors.ServiceRole | string | The service role name or ARN that GuardDuty uses to access customer resources. |
| AWS.GuardDuty.Detectors.Status | string | The status of the detector. |
| AWS.GuardDuty.Detectors.UpdatedAt | string | The time the detector was last updated. |

Command Example#

!aws-gd-get-detector detectorId=38b1ed3fe279fdascd0c8edb071dsf5ac5561eb region=eu-west-2

aws-gd-update-detector#


Updates an Amazon GuardDuty detector specified by the detectorId.

AWS IAM Policy Permission#

Effect: Allow
Action: guardduty:UpdateDetector

Base Command#

aws-gd-update-detector

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| detectorId | The unique ID of the detector that you want to update. | Required |
| enable | Updated boolean value that specifies whether the detector is enabled. Possible values are: True, False. Default is True. | Required |
| region | The AWS Region. If not specified, the default region is used. | Optional |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

Context Output#

There is no context output for this command.

Command Example#

!aws-gd-update-detector detectorId=38b1ed3fe279fdascd0c8edb071dsf5ac5561eb enable=True

aws-gd-create-ip-set#


Creates a new IPSet: a list of trusted IP addresses that have been whitelisted for secure communication with AWS infrastructure and applications. GuardDuty does not generate findings for activity involving addresses on an active IPSet.

AWS IAM Policy Permission#

Effect: Allow
Action: guardduty:CreateIPSet

Base Command#

aws-gd-create-ip-set

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| activate | A boolean value that indicates whether GuardDuty is to start using the uploaded IPSet. Possible values are: True, False. Default is True. | Optional |
| detectorId | The unique ID of the detector that you want to update. | Required |
| format | The format of the file that contains the IPSet. Possible values are: TXT, STIX, OTX_CSV, ALIEN_VAULT, PROOF_POINT, FIRE_EYE. | Required |
| location | The URI of the file that contains the IPSet. For example: https://s3.us-west-2.amazonaws.com/my-bucket/my-object-key. | Optional |
| name | The user-friendly name to identify the IPSet. This name is displayed in all findings that are triggered by activity that involves IP addresses included in this IPSet. | Optional |
| region | The AWS Region. If not specified, the default region is used. | Optional |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AWS.GuardDuty.Detectors.IPSet.IpSetId | unknown | The unique identifier for an IPSet. |

Command Example#

!aws-gd-create-ip-set format=TXT location=https://s3.eu-central-1.amazonaws.com/test/ipset.txt activate=True detectorId=38b1ed3fe279czvasdd0c8edb0715azdsfc5561eb name=test region=eu-west-2
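Because an active IPSet suppresses findings for every address it lists, a careless entry (a /0 or a whole /8) blinds detection for that range. The added example below, which is not the integration's or AWS's code, checks a TXT-format list (one IP address or CIDR block per line) before it is uploaded to S3 and registered with aws-gd-create-ip-set; the maximum prefix widths and the sample file are this example's own assumptions, and the same parser applies to a TXT ThreatIntelSet, where the width check would not apply.

```python
import ipaddress
from typing import List, Tuple

# Assumption: a trusted list should never cover more than a /16 (IPv4)
# or a /48 (IPv6). Tune these to your own address plan.
MIN_PREFIX = {4: 16, 6: 48}

# Constructed sample file; RFC 5737 / RFC 3849 documentation ranges.
SAMPLE_IPSET_TXT = """\
# corporate egress addresses (comment lines are dropped before upload)
203.0.113.10
203.0.113.0/24
198.51.100.0/23
0.0.0.0/0
10.0.0.0/8
2001:db8::/32
not-an-ip
203.0.113.10
"""


def validate_ipset_txt(text: str) -> Tuple[List[str], List[str]]:
    """Parse a TXT IPSet. Returns (clean entries to upload, problems).

    Entries are normalized (host entries without a /32 or /128 suffix),
    duplicates are reported once, and anything wider than MIN_PREFIX is
    refused because it would silence findings for a huge range."""
    accepted: List[str] = []
    seen = set()
    problems: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            problems.append(f"line {lineno}: not an IP address or CIDR: {line!r}")
            continue
        if net.prefixlen < MIN_PREFIX[net.version]:
            problems.append(
                f"line {lineno}: /{net.prefixlen} is too broad for a trusted list ({net})")
            continue
        entry = str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)
        if entry in seen:
            problems.append(f"line {lineno}: duplicate entry {entry}")
            continue
        seen.add(entry)
        accepted.append(entry)
    return accepted, problems


def ipset_location(bucket: str, region: str, key: str) -> str:
    """Build the `location` argument in the form the command example uses."""
    return f"https://s3.{region}.amazonaws.com/{bucket}/{key}"


def create_ip_set_command(detector_id: str, name: str, location: str) -> str:
    """The War Room command to run once the cleaned file is in S3."""
    return (f"!aws-gd-create-ip-set format=TXT location={location} "
            f"activate=True detectorId={detector_id} name={name}")
```

Only the accepted entries should be written to the object named by `location`; review the problem list by hand rather than silently dropping lines, since a typo in a trusted list is as risky as an over-broad one.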

aws-gd-delete-ip-set#


Deletes the IPSet specified by the IPSet ID.

AWS IAM Policy Permission#

Effect: Allow
Action: guardduty:DeleteIPSet

Base Command#

aws-gd-delete-ip-set

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| detectorId | The detector ID that specifies the GuardDuty service whose IPSet you want to delete. | Required |
| ipSetId | The unique ID that specifies the IPSet that you want to delete. | Required |
| region | The AWS Region. If not specified, the default region is used. | Optional |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

Context Output#

There is no context output for this command.

Command Example#

!aws-gd-delete-ip-set detectorId=38b1ed3fe279cd0c8edb0715ac5561eb ipSetId=7eb1f440be5931f168280b574a26d44d region=eu-west-2

aws-gd-list-detectors#


Lists detectorIds of all the existing Amazon GuardDuty detector resources.

AWS IAM Policy Permission#

Effect: Allow
Action: guardduty:ListDetectors

Base Command#

aws-gd-list-detectors

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| region | The AWS Region. If not specified, the default region is used. | Optional |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AWS.GuardDuty.Detectors.DetectorId | string | The unique identifier for a detector. |

Command Example#

!aws-gd-list-detectors region=eu-west-2

aws-gd-update-ip-set#


Updates the IPSet specified by the IPSet ID.

AWS IAM Policy Permission#

Effect: Allow
Action: guardduty:UpdateIPSet

Base Command#

aws-gd-update-ip-set

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| activate | The updated boolean value that specifies whether the IPSet is active. Possible values are: True, False. | Optional |
| detectorId | The detector ID that specifies the GuardDuty service whose IPSet you want to update. | Required |
| ipSetId | The unique ID that specifies the IPSet that you want to update. | Required |
| location | The updated URI of the file that contains the IPSet. For example: https://s3.us-west-2.amazonaws.com/my-bucket/my-object-key. | Optional |
| name | The user-friendly name to identify the IPSet. | Optional |
| region | The AWS Region. If not specified, the default region is used. | Optional |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

Context Output#

There is no context output for this command.

Command Example#

!aws-gd-update-ip-set detectorId=38b1ed3fe279cd0c8edb0715ac5561eb ipSetId=7eb1f440be5931f168280b574a26d44d activate=False region=eu-west-2

aws-gd-get-ip-set#


Retrieves the IPSet specified by the IPSet ID.

AWS IAM Policy Permission#

Effect: Allow
Action: guardduty:GetIPSet

Base Command#

aws-gd-get-ip-set

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| detectorId | The detector ID that specifies the GuardDuty service whose IPSet you want to retrieve. | Required |
| ipSetId | The unique ID that specifies the IPSet that you want to describe. | Required |
| region | The AWS Region. If not specified, the default region is used. | Optional |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AWS.GuardDuty.Detectors.IPSet.IpSetId | string | The unique ID for the IPSet. |
| AWS.GuardDuty.Detectors.IPSet.Format | string | The format of the file that contains the IPSet. |
| AWS.GuardDuty.Detectors.IPSet.Location | string | The URI of the file that contains the IPSet. |
| AWS.GuardDuty.Detectors.IPSet.Name | string | The user-friendly name to identify the IPSet. |
| AWS.GuardDuty.Detectors.IPSet.Status | string | The status of the uploaded IPSet file. |

Command Example#

!aws-gd-get-ip-set detectorId=38b1ed3fesdf279cd0c8edbdsf071sdgfac5561eb ipSetId=7eb1sdff440be5931f1682adf80b574a26d44d region=eu-west-2

aws-gd-list-ip-sets#


Lists the IPSets of the GuardDuty service specified by the detector ID.

AWS IAM Policy Permission#

Effect: Allow
Action: guardduty:ListIPSets

Base Command#

aws-gd-list-ip-sets

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| detectorId | The unique ID of the detector whose IPSets you want to list. | Required |
| region | The AWS Region. If not specified, the default region is used. | Optional |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AWS.GuardDuty.Detectors.IPSet.IpSetId | unknown | The unique identifier for an IPSet. |

Command Example#

!aws-gd-list-ip-sets detectorId=38b1ed3fesdf279cd0c8edbdsf071sdgfac5561eb region=eu-west-2

aws-gd-create-threatintel-set#


Create a new ThreatIntelSet. ThreatIntelSets consist of known malicious IP addresses. GuardDuty generates findings based on ThreatIntelSets.

AWS IAM Policy Permission#

Effect: Allow
Action: guardduty:CreateThreatIntelSet

Base Command#

aws-gd-create-threatintel-set

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| activate | A boolean value that indicates whether GuardDuty is to start using the uploaded ThreatIntelSet. Possible values are: True, False. Default is True. | Required |
| detectorId | The unique ID of the detector that you want to update. | Required |
| format | The format of the file that contains the ThreatIntelSet. Possible values are: TXT, STIX, OTX_CSV, ALIEN_VAULT, PROOF_POINT, FIRE_EYE. | Required |
| location | The URI of the file that contains the ThreatIntelSet. For example: https://s3.us-west-2.amazonaws.com/my-bucket/my-object-key. | Required |
| name | A user-friendly ThreatIntelSet name that is displayed in all findings generated by activity that involves IP addresses included in this ThreatIntelSet. | Required |
| region | The AWS Region. If not specified, the default region is used. | Optional |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AWS.GuardDuty.Detectors.ThreatIntelSet.ThreatIntelSetId | string | The unique identifier for a ThreatIntelSet. |

Command Example#

!aws-gd-create-threatintel-set format=TXT location=https://s3.eu-central-1.amazonaws.com/test/threatintel.txt activate=True detectorId=38b1ed3fe279czvasdd0c8edb0715azdsfc5561eb name=test region=eu-west-2

aws-gd-delete-threatintel-set#


Deletes the ThreatIntelSet specified by the ThreatIntelSet ID.

AWS IAM Policy Permission#

Effect: Allow
Action: guardduty:DeleteThreatIntelSet

Base Command#

aws-gd-delete-threatintel-set

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| detectorId | The detector ID that specifies the GuardDuty service whose ThreatIntelSet you want to delete. | Required |
| threatIntelSetId | The unique ID that specifies the ThreatIntelSet that you want to delete. | Required |
| region | The AWS Region. If not specified, the default region is used. | Optional |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

Context Output#

There is no context output for this command.

Command Example#

!aws-gd-delete-threatintel-set detectorId=38b1ed3fe279cd0c8edb0715ac5561eb threatIntelSetId=7eb1f440be5931f168280b574a26d44d region=eu-west-2

aws-gd-get-threatintel-set#


Retrieves the ThreatIntelSet that is specified by the ThreatIntelSet ID.

AWS IAM Policy Permission#

Effect: Allow
Action: guardduty:GetThreatIntelSet

Base Command#

aws-gd-get-threatintel-set

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| detectorId | The detector ID that specifies the GuardDuty service whose ThreatIntelSet you want to describe. | Required |
| threatIntelSetId | The unique ID that specifies the ThreatIntelSet that you want to describe. | Required |
| region | The AWS Region. If not specified, the default region is used. | Optional |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AWS.GuardDuty.Detectors.ThreatIntelSet.ThreatIntelSetId | string | The unique ID that specifies the ThreatIntelSet. |
| AWS.GuardDuty.Detectors.ThreatIntelSet.Format | string | The format of the file that contains the ThreatIntelSet. |
| AWS.GuardDuty.Detectors.ThreatIntelSet.Location | string | The URI of the file that contains the ThreatIntelSet. |
| AWS.GuardDuty.Detectors.ThreatIntelSet.Name | string | A user-friendly ThreatIntelSet name. |
| AWS.GuardDuty.Detectors.ThreatIntelSet.Status | string | The status of the uploaded ThreatIntelSet file. |

Command Example#

!aws-gd-get-threatintel-set detectorId=38b1ed3fe279cd0c8edb0715ac5561eb threatIntelSetId=7eb1f440be5931f168280b574a26d44d region=eu-west-2

aws-gd-list-threatintel-sets#


Lists the ThreatIntelSets of the GuardDuty service specified by the detector ID.

AWS IAM Policy Permission#

Effect: Allow
Action: guardduty:ListThreatIntelSets

Base Command#

aws-gd-list-threatintel-sets

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| detectorId | The detector ID that specifies the GuardDuty service whose ThreatIntelSets you want to list. | Required |
| region | The AWS Region. If not specified, the default region is used. | Optional |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AWS.GuardDuty.Detectors.ThreatIntelSet.ThreatIntelSetId | string | The unique identifier for a ThreatIntelSet. |

Command Example#

!aws-gd-list-threatintel-sets detectorId=38b1ed3fe279cd0c8edb0715ac5561eb region=eu-west-2

aws-gd-update-threatintel-set#


Updates the ThreatIntelSet specified by the ThreatIntelSet ID.

AWS IAM Policy Permission#

Effect: Allow
Action: guardduty:UpdateThreatIntelSet

Base Command#

aws-gd-update-threatintel-set

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| detectorId | The detector ID that specifies the GuardDuty service whose ThreatIntelSet you want to update. | Required |
| threatIntelSetId | The unique ID that specifies the ThreatIntelSet that you want to update. | Optional |
| activate | The updated boolean value that specifies whether the ThreatIntelSet is active. Possible values are: True, False. | Optional |
| location | The updated URI of the file that contains the ThreatIntelSet. For example: https://s3.us-west-2.amazonaws.com/my-bucket/my-object-key. | Optional |
| name | The user-friendly ThreatIntelSet name. | Optional |
| region | The AWS Region. If not specified, the default region is used. | Optional |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

Context Output#

There is no context output for this command.

Command Example#

!aws-gd-update-threatintel-set detectorId=38b1ed3fe279cd0c8edb0715ac5561eb threatIntelSetId=7eb1f440be5931f168280b574a26d44d activate=False region=eu-west-2

aws-gd-list-findings#


Lists Amazon GuardDuty findings for the specified detector ID.

AWS IAM Policy Permission#

Effect: Allow
Action: guardduty:ListFindings

Base Command#

aws-gd-list-findings

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| detectorId | The ID of the detector that specifies the GuardDuty service whose findings you want to list. | Required |
| region | The AWS Region. If not specified, the default region is used. | Optional |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AWS.GuardDuty.Findings.FindingId | string | The unique identifier for the finding. |

Command Example#

!aws-gd-list-findings detectorId=38b1ed3fe279cd0c8edb0715ac5561eb region=eu-west-2

aws-gd-get-findings#


Describes Amazon GuardDuty findings specified by finding IDs.

AWS IAM Policy Permission#

Effect: Allow
Action: guardduty:GetFindings

Base Command#

aws-gd-get-findings

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| detectorId | The ID of the detector that specifies the GuardDuty service whose findings you want to retrieve. | Required |
| findingIds | Comma-separated list of IDs of the findings that you want to retrieve. | Required |
| region | The AWS Region. If not specified, the default region is used. | Optional |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

Context Output#

There is no context output for this command.

Command Example#

!aws-gd-get-findings detectorId=4f1fc7cd7dsg26sdf4328d8dc813 findingIds=96b1ac608sdf00e5183c3dds115c36aac328b,0ab180f5801sdg954418f3806c2a45282c9

aws-gd-create-sample-findings#


Generates example findings of types specified by the list of finding types. If 'NULL' is specified for findingTypes, the API generates example findings of all supported finding types.

AWS IAM Policy Permission#

Effect: Allow
Action: guardduty:CreateSampleFindings

Base Command#

aws-gd-create-sample-findings

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| detectorId | The ID of the detector to create sample findings for. | Required |
| findingTypes | Comma-separated list of the sample finding types that you want to generate. | Optional |
| region | The AWS Region. If not specified, the default region is used. | Optional |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

Context Output#

There is no context output for this command.

Command Example#

!aws-gd-create-sample-findings detectorId=4f1fc7cd7dsg2adf6sdf4328d8dc813 findingTypes=NULL region=eu-central-1

aws-gd-archive-findings#


Archives Amazon GuardDuty findings specified by the list of finding IDs.

AWS IAM Policy Permission#

Effect: Allow
Action: guardduty:ArchiveFindings

Base Command#

aws-gd-archive-findings

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| detectorId | The ID of the detector that specifies the GuardDuty service whose findings you want to archive. | Required |
| findingIds | Comma-separated list of IDs of the findings that you want to archive. | Optional |
| region | The AWS Region. If not specified, the default region is used. | Optional |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

Context Output#

There is no context output for this command.

Command Example#

!aws-gd-archive-findings detectorId=4f1fc7cd7dsg26sdf4328d8dc813 findingIds=96b1ac608sdf00e5183c3dds115c36aac328b,0ab180f5801sdg954418f3806c2a45282c9

aws-gd-unarchive-findings#


Unarchives Amazon GuardDuty findings specified by the list of finding IDs.

AWS IAM Policy Permission#

Effect: Allow
Action: guardduty:UnarchiveFindings

Base Command#

aws-gd-unarchive-findings

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| detectorId | The ID of the detector that specifies the GuardDuty service whose findings you want to unarchive. | Required |
| findingIds | Comma-separated list of IDs of the findings that you want to unarchive. | Optional |

Context Output#

There is no context output for this command.

Command Example#

!aws-gd-unarchive-findings detectorId=4f1fc7cd7dsg26sdf4328d8dc813 findingIds=96b1ac608sdf00e5183c3dds115c36aac328b,0ab180f5801sdg954418f3806c2a45282c9

aws-gd-update-findings-feedback#


Marks specified Amazon GuardDuty findings as useful or not useful.

AWS IAM Policy Permission#

Effect: Allow
Action: guardduty:UpdateFindingsFeedback

Base Command#

aws-gd-update-findings-feedback

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| detectorId | The ID of the detector that specifies the GuardDuty service whose findings you want to mark as useful or not useful. | Required |
| findingIds | Comma-separated list of IDs of the findings that you want to mark as useful or not useful. | Optional |
| comments | Additional feedback about the GuardDuty findings. | Optional |
| feedback | Specifies whether the finding was useful. Possible values are: USEFUL, NOT_USEFUL. | Optional |
| region | The AWS Region. If not specified, the default region is used. | Optional |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

Context Output#

There is no context output for this command.

Command Example#

!aws-gd-update-findings-feedback detectorId=4f1fc7cd7dsg26sdf4328d8dc813 findingIds=96b1ac608sdf00e5183c3dds115c36aac328b comments="Good Job" feedback=USEFUL

aws-gd-list-members#


Describes Amazon GuardDuty members for the specified detector ID.

AWS IAM Policy Permission#

Effect: Allow
Action: guardduty:ListMembers

Base Command#

aws-gd-list-members

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| detectorId | The ID of the detector that specifies the GuardDuty service whose members you want to retrieve. | Required |
| region | The AWS Region. If not specified, the default region is used. | Optional |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AWS.GuardDuty.Members.AccountId | string | The unique account ID of the member. |
| AWS.GuardDuty.Members.DetectorId | string | The unique detector ID of the member. |
| AWS.GuardDuty.Members.MasterId | string | The unique detector ID of the master. |
| AWS.GuardDuty.Members.Email | string | The email of the member. |
| AWS.GuardDuty.Members.RelationshipStatus | string | The relationship status of the member. |
| AWS.GuardDuty.Members.InvitedAt | string | The first time the member was invited. |
| AWS.GuardDuty.Members.UpdatedAt | string | The time the member was last updated. |

Command Example#

!aws-gd-list-members detectorId=4f1fc7cd7dsg26sdf4328d8dc813

aws-gd-get-members#


Describes Amazon GuardDuty members for the specified detector ID and account IDs.

AWS IAM Policy Permission#

Effect: Allow
Action: guardduty:GetMembers

Base Command#

aws-gd-get-members

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| detectorId | The ID of the detector that specifies the GuardDuty service whose members you want to retrieve. | Required |
| accountIds | The IDs of the member accounts whose details you want to retrieve. | Required |
| region | The AWS Region. If not specified, the default region is used. | Optional |
| roleArn | The Amazon Resource Name (ARN) of the role to assume. | Optional |
| roleSessionName | An identifier for the assumed role session. | Optional |
| roleSessionDuration | The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AWS.GuardDuty.Members.AccountId | string | The unique account ID of the member. |
| AWS.GuardDuty.Members.DetectorId | string | The unique detector ID of the member. |
| AWS.GuardDuty.Members.MasterId | string | The unique detector ID of the master. |
| AWS.GuardDuty.Members.Email | string | The email of the member. |
| AWS.GuardDuty.Members.RelationshipStatus | string | The relationship status of the member. |
| AWS.GuardDuty.Members.InvitedAt | string | The first time the member was invited. |
| AWS.GuardDuty.Members.UpdatedAt | string | The time the member was last updated. |

Command Example#

!aws-gd-get-members detectorId=4f1fc7cd7dsg26sdf4328d8dc813 accountIds=1f3fc2cd1dag26sdf4338d8aa813