String graphArn
The ARN of the behavior graph that the member account is accepting the invitation for.
The member account status in the behavior graph must be INVITED.
String errorCode
The SDK default error code associated with the access denied exception.
String errorCodeReason
The SDK default explanation of why access was denied.
String subErrorCode
The error code associated with the access denied exception.
String subErrorCodeReason
An explanation of why access was denied.
String accountId
The Amazon Web Services account identifier of the Detective administrator account for the organization.
String graphArn
The ARN of the organization behavior graph.
Date delegationTime
The date and time when the Detective administrator account was enabled. The value is an ISO8601 formatted string.
For example, 2021-08-18T16:35:56.284Z.
String graphArn
The ARN of the new behavior graph.
String graphArn
The ARN of the behavior graph.
String message
Customized message text to include in the invitation email message to the invited member accounts.
Boolean disableEmailNotification
if set to true, then the invited accounts do not receive email notifications. By default, this is
set to false, and the invited accounts receive email notifications.
Organization accounts in the organization behavior graph do not receive email notifications.
List<E> accounts
The list of Amazon Web Services accounts to invite or to enable. You can invite or enable up to 50 accounts at a time. For each invited account, the account list contains the account identifier and the Amazon Web Services account root user email address. For organization accounts in the organization behavior graph, the email address is not required.
List<E> members
The set of member account invitation or enablement requests that Detective was able to process. This includes accounts that are being verified, that failed verification, and that passed verification and are being sent an invitation or are being enabled.
List<E> unprocessedAccounts
The list of accounts for which Detective was unable to process the invitation or enablement request. For each account, the list provides the reason why the request could not be processed. The list includes accounts that are already member accounts in the behavior graph.
Long volumeUsageInBytes
Total volume of data in bytes per day ingested for a given data source package.
Date volumeUsageUpdateTime
The data and time when the member account data volume was last updated. The value is an ISO8601 formatted string.
For example, 2021-08-18T16:35:56.284Z.
String graphArn
The ARN of the behavior graph to disable.
List<E> accountIds
The list of Amazon Web Services account identifiers for the member accounts that Detective successfully removed from the behavior graph.
List<E> unprocessedAccounts
The list of member accounts that Detective was not able to remove from the behavior graph. For each member account, provides the reason that the deletion could not be processed.
String graphArn
The ARN of the organization behavior graph.
Boolean autoEnable
Indicates whether to automatically enable new organization accounts as member accounts in the organization behavior graph.
String graphArn
The ARN of the behavior graph to remove the member account from.
The member account's member status in the behavior graph must be ENABLED.
String accountId
The Amazon Web Services account identifier of the account to designate as the Detective administrator account for the organization.
StringFilter severity
Filter the investigation results based on the severity.
StringFilter status
Filter the investigation results based on the status.
StringFilter state
Filter the investigation results based on the state.
StringFilter entityArn
Filter the investigation results based on the Amazon Resource Name (ARN) of the entity.
DateFilter createdTime
Filter the investigation results based on when the investigation was created.
String graphArn
The Amazon Resource Name (ARN) of the behavior graph.
String investigationId
The investigation ID of the investigation report.
String entityArn
The unique Amazon Resource Name (ARN). Detective supports IAM user ARNs and IAM role ARNs.
String entityType
Type of entity. For example, Amazon Web Services accounts, such as an IAM user and/or IAM role.
Date createdTime
The creation time of the investigation report in UTC time stamp format.
Date scopeStartTime
The start date and time used to set the scope time within which you want to generate the investigation report.
The value is an UTC ISO8601 formatted string. For example, 2021-08-18T16:35:56.284Z.
Date scopeEndTime
The data and time when the investigation began. The value is an UTC ISO8601 formatted string. For example,
2021-08-18T16:35:56.284Z.
String status
The status based on the completion status of the investigation.
String severity
The severity assigned is based on the likelihood and impact of the indicators of compromise discovered in the investigation.
String state
The current state of the investigation. An archived investigation indicates that you have completed reviewing the investigation.
String graphArn
The ARN of the behavior graph for which to request the member details.
List<E> accountIds
The list of Amazon Web Services account identifiers for the member account for which to return member details. You can request details for up to 50 member accounts at a time.
You cannot use GetMembers to retrieve information about member accounts that were removed from the
behavior graph.
List<E> memberDetails
The member account details that Detective is returning in response to the request.
List<E> unprocessedAccounts
The requested member accounts for which Detective was unable to return member details.
For each account, provides the reason why the request could not be processed.
String startingIpAddress
IP address where the resource was first used in the impossible travel.
String endingIpAddress
IP address where the resource was last used in the impossible travel.
String startingLocation
Location where the resource was first used in the impossible travel.
String endingLocation
Location where the resource was last used in the impossible travel.
Integer hourlyTimeDelta
Returns the time difference between the first and last timestamp the resource was used.
String indicatorType
The type of indicator.
IndicatorDetail indicatorDetail
Details about the indicators of compromise that are used to determine if a resource is involved in a security incident. An indicator of compromise (IOC) is an artifact observed in or on a network, system, or environment that can (with a high level of confidence) identify malicious activity or a security incident.
TTPsObservedDetail tTPsObservedDetail
Details about the indicator of compromise.
ImpossibleTravelDetail impossibleTravelDetail
Identifies unusual and impossible user activity for an account.
FlaggedIpAddressDetail flaggedIpAddressDetail
Suspicious IP addresses that are flagged, which indicates critical or severe threats based on threat intelligence by Detective. This indicator is derived from Amazon Web Services threat intelligence.
NewGeolocationDetail newGeolocationDetail
Contains details about the new geographic location.
NewAsoDetail newAsoDetail
Contains details about the new Autonomous System Organization (ASO).
NewUserAgentDetail newUserAgentDetail
Contains details about the new user agent.
RelatedFindingDetail relatedFindingDetail
Contains details about related findings.
RelatedFindingGroupDetail relatedFindingGroupDetail
Contains details about related finding groups.
String investigationId
The investigation ID of the investigation report.
String severity
Severity based on the likelihood and impact of the indicators of compromise discovered in the investigation.
String status
Status based on the completion status of the investigation.
String state
The current state of the investigation. An archived investigation indicates you have completed reviewing the investigation.
Date createdTime
The time stamp of the creation time of the investigation report. The value is an UTC ISO8601 formatted string.
For example, 2021-08-18T16:35:56.284Z.
String entityArn
The unique Amazon Resource Name (ARN) of the IAM user and IAM role.
String entityType
Type of entity. For example, Amazon Web Services accounts, such as IAM user and role.
String graphArn
The ARN of the behavior graph.
String nextToken
For requests to get the next page of results, the pagination token that was returned with the previous set of results. The initial request does not include a pagination token.
Integer maxResults
The maximum number of results to return.
Map<K,V> datasourcePackages
Details on the data source packages active in the behavior graph.
String nextToken
For requests to get the next page of results, the pagination token that was returned with the previous set of results. The initial request does not include a pagination token.
String nextToken
For requests to get the next page of results, the pagination token that was returned with the previous set of results. The initial request does not include a pagination token.
Integer maxResults
The maximum number of graphs to return at a time. The total must be less than the overall limit on the number of results to return, which is currently 200.
String graphArn
The Amazon Resource Name (ARN) of the behavior graph.
String investigationId
The investigation ID of the investigation report.
String indicatorType
For the list of indicators of compromise that are generated by Detective investigations, see Detective investigations.
String nextToken
Lists if there are more results available. The value of nextToken is a unique pagination token for each page. Repeat the call using the returned token to retrieve the next page. Keep all other arguments unchanged.
Each pagination token expires after 24 hours. Using an expired pagination token will return a Validation Exception error.
Integer maxResults
Lists the maximum number of indicators in a page.
String graphArn
The Amazon Resource Name (ARN) of the behavior graph.
String investigationId
The investigation ID of the investigation report.
String nextToken
Lists if there are more results available. The value of nextToken is a unique pagination token for each page. Repeat the call using the returned token to retrieve the next page. Keep all other arguments unchanged.
Each pagination token expires after 24 hours. Using an expired pagination token will return a Validation Exception error.
List<E> indicators
Lists the indicators of compromise.
String graphArn
The Amazon Resource Name (ARN) of the behavior graph.
String nextToken
Lists if there are more results available. The value of nextToken is a unique pagination token for each page. Repeat the call using the returned token to retrieve the next page. Keep all other arguments unchanged.
Each pagination token expires after 24 hours. Using an expired pagination token will return a Validation Exception error.
Integer maxResults
Lists the maximum number of investigations in a page.
FilterCriteria filterCriteria
Filters the investigation results based on a criteria.
SortCriteria sortCriteria
Sorts the investigation results based on a criteria.
List<E> investigationDetails
Lists the summary of uncommon behavior or malicious activity which indicates a compromise.
String nextToken
Lists if there are more results available. The value of nextToken is a unique pagination token for each page. Repeat the call using the returned token to retrieve the next page. Keep all other arguments unchanged.
Each pagination token expires after 24 hours.
String nextToken
For requests to retrieve the next page of results, the pagination token that was returned with the previous page of results. The initial request does not include a pagination token.
Integer maxResults
The maximum number of behavior graph invitations to return in the response. The total must be less than the overall limit on the number of results to return, which is currently 200.
String graphArn
The ARN of the behavior graph for which to retrieve the list of member accounts.
String nextToken
For requests to retrieve the next page of member account results, the pagination token that was returned with the previous page of results. The initial request does not include a pagination token.
Integer maxResults
The maximum number of member accounts to include in the response. The total must be less than the overall limit on the number of results to return, which is currently 200.
List<E> memberDetails
The list of member accounts in the behavior graph.
For invited accounts, the results include member accounts that did not pass verification and member accounts that have not yet accepted the invitation to the behavior graph. The results do not include member accounts that were removed from the behavior graph.
For the organization behavior graph, the results do not include organization accounts that the Detective administrator account has not enabled as member accounts.
String nextToken
If there are more member accounts remaining in the results, then use this pagination token to request the next page of member accounts.
String resourceArn
The ARN of the behavior graph for which to retrieve the tag values.
String accountId
The Amazon Web Services account identifier for the member account.
String emailAddress
The Amazon Web Services account root user email address for the member account.
String graphArn
The ARN of the behavior graph.
String masterId
The Amazon Web Services account identifier of the administrator account for the behavior graph.
String administratorId
The Amazon Web Services account identifier of the administrator account for the behavior graph.
String status
The current membership status of the member account. The status can have one of the following values:
INVITED - For invited accounts only. Indicates that the member was sent an invitation but has not
yet responded.
VERIFICATION_IN_PROGRESS - For invited accounts only, indicates that Detective is verifying that the
account identifier and email address provided for the member account match. If they do match, then Detective
sends the invitation. If the email address and account identifier don't match, then the member cannot be added to
the behavior graph.
For organization accounts in the organization behavior graph, indicates that Detective is verifying that the account belongs to the organization.
VERIFICATION_FAILED - For invited accounts only. Indicates that the account and email address
provided for the member account do not match, and Detective did not send an invitation to the account.
ENABLED - Indicates that the member account currently contributes data to the behavior graph. For
invited accounts, the member account accepted the invitation. For organization accounts in the organization
behavior graph, the Detective administrator account enabled the organization account as a member account.
ACCEPTED_BUT_DISABLED - The account accepted the invitation, or was enabled by the Detective
administrator account, but is prevented from contributing data to the behavior graph. DisabledReason
provides the reason why the member account is not enabled.
Invited accounts that declined an invitation or that were removed from the behavior graph are not included. In the organization behavior graph, organization accounts that the Detective administrator account did not enable are not included.
String disabledReason
For member accounts with a status of ACCEPTED_BUT_DISABLED, the reason that the member account is
not enabled.
The reason can have one of the following values:
VOLUME_TOO_HIGH - Indicates that adding the member account would cause the data volume for the
behavior graph to be too high.
VOLUME_UNKNOWN - Indicates that Detective is unable to verify the data volume for the member
account. This is usually because the member account is not enrolled in Amazon GuardDuty.
Date invitedTime
For invited accounts, the date and time that Detective sent the invitation to the account. The value is an
ISO8601 formatted string. For example, 2021-08-18T16:35:56.284Z.
Date updatedTime
The date and time that the member account was last updated. The value is an ISO8601 formatted string. For
example, 2021-08-18T16:35:56.284Z.
Long volumeUsageInBytes
The data volume in bytes per day for the member account.
Date volumeUsageUpdatedTime
The data and time when the member account data volume was last updated. The value is an ISO8601 formatted string.
For example, 2021-08-18T16:35:56.284Z.
Double percentOfGraphUtilization
The member account data volume as a percentage of the maximum allowed data volume. 0 indicates 0 percent, and 100 indicates 100 percent.
Note that this is not the percentage of the behavior graph data volume.
For example, the data volume for the behavior graph is 80 GB per day. The maximum data volume is 160 GB per day.
If the data volume for the member account is 40 GB per day, then PercentOfGraphUtilization is 25. It
represents 25% of the maximum allowed data volume.
Date percentOfGraphUtilizationUpdatedTime
The date and time when the graph utilization percentage was last updated. The value is an ISO8601 formatted
string. For example, 2021-08-18T16:35:56.284Z.
String invitationType
The type of behavior graph membership.
For an organization account in the organization behavior graph, the type is ORGANIZATION.
For an account that was invited to a behavior graph, the type is INVITATION.
Map<K,V> volumeUsageByDatasourcePackage
Details on the volume of usage for each data source package in a behavior graph.
Map<K,V> datasourcePackageIngestStates
The state of a data source package for the behavior graph.
String graphArn
The ARN of the behavior graph to reject the invitation to.
The member account's current member status in the behavior graph must be INVITED.
String id
The unique identifier for the finding group.
String graphArn
The Amazon Resource Name (ARN) of the behavior graph.
String entityArn
The unique Amazon Resource Name (ARN) of the IAM user and IAM role.
Date scopeStartTime
The data and time when the investigation began. The value is an UTC ISO8601 formatted string. For example,
2021-08-18T16:35:56.284Z.
Date scopeEndTime
The data and time when the investigation ended. The value is an UTC ISO8601 formatted string. For example,
2021-08-18T16:35:56.284Z.
String investigationId
The investigation ID of the investigation report.
String value
The string filter value.
String resourceArn
The ARN of the behavior graph to assign the tags to.
Map<K,V> tags
The tags to assign to the behavior graph. You can add up to 50 tags. For each tag, you provide the tag key and the tag value. Each tag key can contain up to 128 characters. Each tag value can contain up to 256 characters.
Date timestamp
The data and time when data collection began for a source package. The value is an ISO8601 formatted string. For
example, 2021-08-18T16:35:56.284Z.
String tactic
The tactic used, identified by the investigation.
String technique
The technique used, identified by the investigation.
String procedure
The procedure used, identified by the investigation.
String ipAddress
The IP address where the tactics, techniques, and procedure (TTP) was observed.
String aPIName
The name of the API where the tactics, techniques, and procedure (TTP) was observed.
Long aPISuccessCount
The total number of successful API requests.
Long aPIFailureCount
The total number of failed API requests.
String graphArn
The Amazon Resource Name (ARN) of the behavior graph.
String investigationId
The investigation ID of the investigation report.
String state
The current state of the investigation. An archived investigation indicates you have completed reviewing the investigation.
Copyright © 2025. All rights reserved.