String detectorId
The unique ID of the detector of the GuardDuty member account.
String administratorId
The account ID of the GuardDuty administrator account whose invitation you're accepting.
String invitationId
The value that is used to validate the administrator account to the member account.
String detectorId
The unique ID of the detector of the GuardDuty member account.
String masterId
The account ID of the GuardDuty administrator account whose invitation you're accepting.
String invitationId
The value that is used to validate the administrator account to the member account.
Boolean allowsPublicReadAccess
A value that indicates whether public read access for the bucket is enabled through an Access Control List (ACL).
Boolean allowsPublicWriteAccess
A value that indicates whether public write access for the bucket is enabled through an Access Control List (ACL).
String type
The error type.
String accountId
The account identifier of the GuardDuty member account.
DataSourcesFreeTrial dataSources
Describes the data source enabled for the GuardDuty member account.
List<E> features
A list of features enabled for the GuardDuty account.
BlockPublicAccess blockPublicAccess
Describes the S3 Block Public Access settings of the bucket's parent account.
String actionType
The GuardDuty finding activity type.
AwsApiCallAction awsApiCallAction
Information about the AWS_API_CALL action described in this finding.
DnsRequestAction dnsRequestAction
Information about the DNS_REQUEST action described in this finding.
NetworkConnectionAction networkConnectionAction
Information about the NETWORK_CONNECTION action described in this finding.
PortProbeAction portProbeAction
Information about the PORT_PROBE action described in this finding.
KubernetesApiCallAction kubernetesApiCallAction
Information about the Kubernetes API call action described in this finding.
RdsLoginAttemptAction rdsLoginAttemptAction
Information about the RDS_LOGIN_ATTEMPT action described in this finding.
KubernetesPermissionCheckedDetails kubernetesPermissionCheckedDetails
Information about whether the user has the permission to use a specific Kubernetes API.
KubernetesRoleBindingDetails kubernetesRoleBindingDetails
Information about the role binding that grants the permission defined in a Kubernetes role.
KubernetesRoleDetails kubernetesRoleDetails
Information about the Kubernetes role name and role type.
String accountId
The ID of the account used as the administrator account.
String invitationId
The value that is used to validate the administrator account to the member account.
String relationshipStatus
The status of the relationship between the administrator and member accounts.
String invitedAt
The timestamp when the invitation was sent.
String version
Version of the installed GuardDuty security agent.
Map<K,V> profiles
Information about the types of profiles.
AnomalyUnusual unusual
Information about the behavior of the anomalies.
String profileType
The type of behavior of the profile.
String profileSubtype
The frequency of the anomaly.
Observations observations
The recorded value.
String api
The Amazon Web Services API name.
String callerType
The Amazon Web Services API caller type.
DomainDetails domainDetails
The domain information for the Amazon Web Services API call.
String errorCode
The error code of the failed Amazon Web Services API action.
String userAgent
The agent through which the API request was made.
RemoteIpDetails remoteIpDetails
The remote IP information of the connection that initiated the Amazon Web Services API call.
String serviceName
The Amazon Web Services service name whose API was invoked.
RemoteAccountDetails remoteAccountDetails
The details of the Amazon Web Services account that made the API call. This field appears if the call was made from outside your account.
Map<K,V> affectedResources
The details of the resources that were affected by this Amazon Web Services API call.
String type
The error type.
Boolean ignorePublicAcls
Indicates if S3 Block Public Access is set to IgnorePublicAcls.
Boolean restrictPublicBuckets
Indicates if S3 Block Public Access is set to RestrictPublicBuckets.
Boolean blockPublicAcls
Indicates if S3 Block Public Access is set to BlockPublicAcls.
Boolean blockPublicPolicy
Indicates if S3 Block Public Access is set to BlockPublicPolicy.
AccessControlList accessControlList
Contains information on how Access Control Policies are applied to the bucket.
BucketPolicy bucketPolicy
Contains information on the bucket policies for the S3 bucket.
BlockPublicAccess blockPublicAccess
Contains information on which account level S3 Block Public Access settings are applied to the S3 bucket.
Boolean allowsPublicReadAccess
A value that indicates whether public read access for the bucket is enabled through a bucket policy.
Boolean allowsPublicWriteAccess
A value that indicates whether public write access for the bucket is enabled through a bucket policy.
String cityName
The city name of the remote IP address.
String status
Describes whether CloudTrail is enabled as a data source for the detector.
List<E> eq
Represents the equal condition to be applied to a single field when querying for findings.
List<E> neq
Represents the not equal condition to be applied to a single field when querying for findings.
Integer gt
Represents a greater than condition to be applied to a single field when querying for findings.
Integer gte
Represents a greater than or equal condition to be applied to a single field when querying for findings.
Integer lt
Represents a less than condition to be applied to a single field when querying for findings.
Integer lte
Represents a less than or equal condition to be applied to a single field when querying for findings.
List<E> equals
Represents an equal condition to be applied to a single field when querying for findings.
List<E> notEquals
Represents a not equal condition to be applied to a single field when querying for findings.
Long greaterThan
Represents a greater than condition to be applied to a single field when querying for findings.
Long greaterThanOrEqual
Represents a greater than or equal condition to be applied to a single field when querying for findings.
Long lessThan
Represents a less than condition to be applied to a single field when querying for findings.
Long lessThanOrEqual
Represents a less than or equal condition to be applied to a single field when querying for findings.
String type
The error type.
String containerRuntime
The container runtime (such as Docker or containerd) used to run the container.
String id
Container ID.
String name
Container name.
String image
Container image.
String imagePrefix
Part of the image name before the last slash. For example, imagePrefix for public.ecr.aws/amazonlinux/amazonlinux:latest would be public.ecr.aws/amazonlinux. If the image name is relative and does not have a slash, this field is empty.
List<E> volumeMounts
Container volume mounts.
SecurityContext securityContext
Container security context.
String instanceId
The Amazon EC2 instance ID.
String instanceType
The instance type of the Amazon EC2 instance.
String clusterArn
The cluster ARN of the Amazon ECS cluster running on the Amazon EC2 instance.
AgentDetails agentDetails
Information about the installed security agent.
String managementType
Indicates how the GuardDuty security agent is managed for this resource. AUTO_MANAGED indicates that GuardDuty deploys and manages updates for this resource. MANUAL indicates that you are responsible for deploying, updating, and managing the GuardDuty security agent for this resource. The DISABLED status doesn't apply to Amazon EC2 instances and Amazon EKS clusters.
String clusterName
The name of the Amazon ECS cluster.
FargateDetails fargateDetails
Information about the Fargate details associated with the Amazon ECS cluster.
ContainerInstanceDetails containerInstanceDetails
Information about the Amazon ECS container running on an Amazon EC2 instance.
String clusterName
Name of the EKS cluster.
Long coveredNodes
Represents the nodes within the EKS cluster that have a HEALTHY coverage status.
Long compatibleNodes
Represents all the nodes within the EKS cluster in your account.
AddonDetails addonDetails
Information about the installed EKS add-on.
String managementType
Indicates how the Amazon EKS add-on GuardDuty agent is managed for this EKS cluster. AUTO_MANAGED indicates that GuardDuty deploys and manages updates for this resource. MANUAL indicates that you are responsible for deploying, updating, and managing the Amazon EKS add-on GuardDuty agent for this resource.
String criterionKey
An enum value representing possible filter fields. Replace the enum value CLUSTER_NAME with EKS_CLUSTER_NAME; CLUSTER_NAME has been deprecated.
CoverageFilterCondition filterCondition
Contains information about the condition.
String resourceId
The unique ID of the resource.
String detectorId
The unique ID of the GuardDuty detector associated with the resource.
String accountId
The unique ID of the Amazon Web Services account.
CoverageResourceDetails resourceDetails
Information about the resource for which the coverage statistics are retrieved.
String coverageStatus
Represents the status of the EKS cluster coverage.
String issue
Represents the reason why a coverage status was UNHEALTHY for the EKS cluster.
Date updatedAt
The timestamp at which the coverage details for the resource were last updated. This is in UTC format.
CoverageEksClusterDetails eksClusterDetails
EKS cluster details involved in the coverage statistics.
String resourceType
The type of Amazon Web Services resource.
CoverageEcsClusterDetails ecsClusterDetails
Information about the Amazon ECS cluster that is assessed for runtime coverage.
CoverageEc2InstanceDetails ec2InstanceDetails
This API is also used when you use GuardDuty Runtime Monitoring for your Amazon EC2 instances (currently in preview release) and is subject to change. The use of this API is subject to Section 2 of the Amazon Web Services Service Terms ("Betas and Previews").
Information about the Amazon EC2 instance assessed for runtime coverage.
Boolean enable
A Boolean value that specifies whether the detector is to be enabled.
String clientToken
The idempotency token for the create request.
String findingPublishingFrequency
A value that specifies how frequently updated findings are exported.
DataSourceConfigurations dataSources
Describes which data sources will be enabled for the detector.
There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints.
Map<K,V> tags
The tags to be added to a new detector resource.
List<E> features
A list of features that will be configured for the detector.
String detectorId
The unique ID of the created detector.
UnprocessedDataSourcesResult unprocessedDataSources
Specifies the data sources that couldn't be enabled when GuardDuty was enabled for the first time.
String detectorId
The ID of the detector belonging to the GuardDuty account that you want to create a filter for.
String name
The name of the filter. Valid characters include period (.), underscore (_), dash (-), and alphanumeric characters. A whitespace is considered to be an invalid character.
String description
The description of the filter. Valid characters include alphanumeric characters, and special characters such as hyphen, period, colon, underscore, parentheses ({ }, [ ], and ( )), forward slash, horizontal tab, vertical tab, newline, form feed, return, and whitespace.
String action
Specifies the action that is to be applied to the findings that match the filter.
Integer rank
Specifies the position of the filter in the list of current filters. Also specifies the order in which this filter is applied to the findings.
FindingCriteria findingCriteria
Represents the criteria to be used in the filter for querying findings.
You can only use the following attributes to query findings:
accountId
id
region
severity
To filter on the basis of severity, the API and CLI use the following input list for the FindingCriteria condition:
Low: ["1", "2", "3"]
Medium: ["4", "5", "6"]
High: ["7", "8", "9"]
For more information, see Severity levels for GuardDuty findings.
type
updatedAt
Type: ISO 8601 string format: YYYY-MM-DDTHH:MM:SS.SSSZ or YYYY-MM-DDTHH:MM:SSZ depending on whether the value contains milliseconds.
resource.accessKeyDetails.accessKeyId
resource.accessKeyDetails.principalId
resource.accessKeyDetails.userName
resource.accessKeyDetails.userType
resource.instanceDetails.iamInstanceProfile.id
resource.instanceDetails.imageId
resource.instanceDetails.instanceId
resource.instanceDetails.tags.key
resource.instanceDetails.tags.value
resource.instanceDetails.networkInterfaces.ipv6Addresses
resource.instanceDetails.networkInterfaces.privateIpAddresses.privateIpAddress
resource.instanceDetails.networkInterfaces.publicDnsName
resource.instanceDetails.networkInterfaces.publicIp
resource.instanceDetails.networkInterfaces.securityGroups.groupId
resource.instanceDetails.networkInterfaces.securityGroups.groupName
resource.instanceDetails.networkInterfaces.subnetId
resource.instanceDetails.networkInterfaces.vpcId
resource.instanceDetails.outpostArn
resource.resourceType
resource.s3BucketDetails.publicAccess.effectivePermissions
resource.s3BucketDetails.name
resource.s3BucketDetails.tags.key
resource.s3BucketDetails.tags.value
resource.s3BucketDetails.type
service.action.actionType
service.action.awsApiCallAction.api
service.action.awsApiCallAction.callerType
service.action.awsApiCallAction.errorCode
service.action.awsApiCallAction.remoteIpDetails.city.cityName
service.action.awsApiCallAction.remoteIpDetails.country.countryName
service.action.awsApiCallAction.remoteIpDetails.ipAddressV4
service.action.awsApiCallAction.remoteIpDetails.organization.asn
service.action.awsApiCallAction.remoteIpDetails.organization.asnOrg
service.action.awsApiCallAction.serviceName
service.action.dnsRequestAction.domain
service.action.dnsRequestAction.domainWithSuffix
service.action.networkConnectionAction.blocked
service.action.networkConnectionAction.connectionDirection
service.action.networkConnectionAction.localPortDetails.port
service.action.networkConnectionAction.protocol
service.action.networkConnectionAction.remoteIpDetails.city.cityName
service.action.networkConnectionAction.remoteIpDetails.country.countryName
service.action.networkConnectionAction.remoteIpDetails.ipAddressV4
service.action.networkConnectionAction.remoteIpDetails.organization.asn
service.action.networkConnectionAction.remoteIpDetails.organization.asnOrg
service.action.networkConnectionAction.remotePortDetails.port
service.action.awsApiCallAction.remoteAccountDetails.affiliated
service.action.kubernetesApiCallAction.remoteIpDetails.ipAddressV4
service.action.kubernetesApiCallAction.namespace
service.action.kubernetesApiCallAction.remoteIpDetails.organization.asn
service.action.kubernetesApiCallAction.requestUri
service.action.kubernetesApiCallAction.statusCode
service.action.networkConnectionAction.localIpDetails.ipAddressV4
service.action.awsApiCallAction.remoteAccountDetails.accountId
service.additionalInfo.threatListName
service.resourceRole
resource.eksClusterDetails.name
resource.kubernetesDetails.kubernetesWorkloadDetails.name
resource.kubernetesDetails.kubernetesWorkloadDetails.namespace
resource.kubernetesDetails.kubernetesUserDetails.username
resource.kubernetesDetails.kubernetesWorkloadDetails.containers.image
resource.kubernetesDetails.kubernetesWorkloadDetails.containers.imagePrefix
service.ebsVolumeScanDetails.scanId
service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.name
service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.severity
service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.filePaths.hash
resource.ecsClusterDetails.name
resource.ecsClusterDetails.taskDetails.containers.image
resource.ecsClusterDetails.taskDetails.definitionArn
resource.containerDetails.image
resource.rdsDbInstanceDetails.dbInstanceIdentifier
resource.rdsDbInstanceDetails.dbClusterIdentifier
resource.rdsDbInstanceDetails.engine
resource.rdsDbUserDetails.user
resource.rdsDbInstanceDetails.tags.key
resource.rdsDbInstanceDetails.tags.value
service.runtimeDetails.process.executableSha256
service.runtimeDetails.process.name
resource.lambdaDetails.functionName
resource.lambdaDetails.functionArn
resource.lambdaDetails.tags.key
resource.lambdaDetails.tags.value
String clientToken
The idempotency token for the create request.
Map<K,V> tags
The tags to be added to a new filter resource.
String name
The name of the successfully created filter.
String detectorId
The unique ID of the detector of the GuardDuty account that you want to create an IPSet for.
String name
The user-friendly name to identify the IPSet.
Allowed characters are alphanumeric, whitespace, dash (-), and underscores (_).
String format
The format of the file that contains the IPSet.
String location
The URI of the file that contains the IPSet.
Boolean activate
A Boolean value that indicates whether GuardDuty is to start using the uploaded IPSet.
String clientToken
The idempotency token for the create request.
Map<K,V> tags
The tags to be added to a new IP set resource.
String ipSetId
The ID of the IPSet resource.
String detectorId
The unique ID of the detector of the GuardDuty account that you want to associate member accounts with.
List<E> accountDetails
A list of account ID and email address pairs of the accounts that you want to associate with the GuardDuty administrator account.
String detectorId
The ID of the GuardDuty detector associated with the publishing destination.
String destinationType
The type of resource for the publishing destination. Currently only Amazon S3 buckets are supported.
DestinationProperties destinationProperties
The properties of the publishing destination, including the ARNs for the destination and the KMS key used for encryption.
String clientToken
The idempotency token for the request.
String destinationId
The ID of the publishing destination that is created.
String detectorId
The unique ID of the detector of the GuardDuty account that you want to create a threatIntelSet for.
String name
A user-friendly ThreatIntelSet name displayed in all findings that are generated by activity that involves IP addresses included in this ThreatIntelSet.
String format
The format of the file that contains the ThreatIntelSet.
String location
The URI of the file that contains the ThreatIntelSet.
Boolean activate
A Boolean value that indicates whether GuardDuty is to start using the uploaded ThreatIntelSet.
String clientToken
The idempotency token for the create request.
Map<K,V> tags
The tags to be added to a new threat list resource.
String threatIntelSetId
The ID of the ThreatIntelSet resource.
S3LogsConfiguration s3Logs
Describes whether S3 data event logs are enabled as a data source.
KubernetesConfiguration kubernetes
Describes whether any Kubernetes logs are enabled as data sources.
MalwareProtectionConfiguration malwareProtection
Describes whether Malware Protection is enabled as a data source.
CloudTrailConfigurationResult cloudTrail
An object that contains information on the status of CloudTrail as a data source.
DNSLogsConfigurationResult dNSLogs
An object that contains information on the status of DNS logs as a data source.
FlowLogsConfigurationResult flowLogs
An object that contains information on the status of VPC flow logs as a data source.
S3LogsConfigurationResult s3Logs
An object that contains information on the status of S3 Data event logs as a data source.
KubernetesConfigurationResult kubernetes
An object that contains information on the status of all Kubernetes data sources.
MalwareProtectionConfigurationResult malwareProtection
Describes the configuration of Malware Protection data sources.
Integer freeTrialDaysRemaining
A value that specifies the number of days left to use each enabled data source.
DataSourceFreeTrial cloudTrail
Describes whether any Amazon Web Services CloudTrail management event logs are enabled as data sources.
DataSourceFreeTrial dnsLogs
Describes whether any DNS logs are enabled as data sources.
DataSourceFreeTrial flowLogs
Describes whether any VPC Flow logs are enabled as data sources.
DataSourceFreeTrial s3Logs
Describes whether any S3 data event logs are enabled as data sources.
KubernetesDataSourceFreeTrial kubernetes
Describes whether any Kubernetes logs are enabled as data sources.
MalwareProtectionDataSourceFreeTrial malwareProtection
Describes whether Malware Protection is enabled as a data source.
String detectorId
The unique ID of the detector that you want to delete.
String detectorId
The unique ID of the detector that the request is associated with.
String nextToken
You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.
Integer maxResults
You can use this parameter to indicate the maximum number of items that you want in the response. The default value is 50. The maximum value is 50.
FilterCriteria filterCriteria
Represents the criteria to be used in the filter for describing scan entries.
SortCriteria sortCriteria
Represents the criteria used for sorting scan entries. The attributeName is required and it must be scanStartTime.
String detectorId
The ID of the detector to retrieve information about the delegated administrator from.
Integer maxResults
You can use this parameter to indicate the maximum number of items that you want in the response.
String nextToken
You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.
Boolean autoEnable
Indicates whether GuardDuty is automatically enabled for accounts added to the organization. Even though this is still supported, we recommend using AutoEnableOrganizationMembers to achieve similar results.
Boolean memberAccountLimitReached
Indicates whether the maximum number of allowed member accounts is already associated with the delegated administrator account for your organization.
OrganizationDataSourceConfigurationsResult dataSources
Describes which data sources are enabled automatically for member accounts.
List<E> features
A list of features that are configured for this organization.
String nextToken
The pagination parameter to be used on the next list operation to retrieve more items.
String autoEnableOrganizationMembers
Indicates the auto-enablement configuration of GuardDuty for the member accounts in the organization.
NEW: Indicates that when a new account joins the organization, it will have GuardDuty enabled automatically.
ALL: Indicates that all accounts in the organization have GuardDuty enabled automatically. This includes NEW accounts that join the organization and accounts that may have been suspended or removed from the organization in GuardDuty.
NONE: Indicates that GuardDuty will not be automatically enabled for any account in the organization. The administrator must manage GuardDuty for each account in the organization individually.
String destinationId
The ID of the publishing destination.
String destinationType
The type of publishing destination. Currently, only Amazon S3 buckets are supported.
String status
The status of the publishing destination.
Long publishingFailureStartTimestamp
The time, in epoch millisecond format, at which GuardDuty was first unable to publish findings to the destination.
DestinationProperties destinationProperties
A DestinationProperties object that includes the DestinationArn and KmsKeyArn of the publishing destination.
Anomaly anomaly
The details about the anomalous activity that caused GuardDuty to generate the finding.
String name
Indicates the name of the feature that can be enabled for the detector.
String status
Indicates the status of the feature that is enabled for the detector.
Date updatedAt
The timestamp at which the feature object was updated.
List<E> additionalConfiguration
Additional configuration for a resource.
String adminAccountId
The Amazon Web Services account ID for the organization account to be disabled as a GuardDuty delegated administrator.
String detectorId
The unique ID of the detector of the GuardDuty member account.
String detectorId
The unique ID of the detector of the GuardDuty member account.
String detectorId
The unique ID of the detector of the GuardDuty account whose members you want to disassociate from the administrator account.
List<E> accountIds
A list of account IDs of the GuardDuty member accounts that you want to disassociate from the administrator account.
String status
Denotes whether DNS logs are enabled as a data source.
String domain
The domain information for the DNS query.
String protocol
The network connection protocol observed in the activity that prompted GuardDuty to generate the finding.
Boolean blocked
Indicates whether the targeted port is blocked.
String domainWithSuffix
The second and top level domain involved in the activity that prompted GuardDuty to generate this finding.
String domain
The domain information for the Amazon Web Services API call.
String scanId
Unique ID of the malware scan that generated the finding.
Date scanStartedAt
Returns the start date and time of the malware scan.
Date scanCompletedAt
Returns the completion date and time of the malware scan.
String triggerFindingId
GuardDuty finding ID that triggered a malware scan.
List<E> sources
Contains list of threat intelligence sources used to detect threats.
ScanDetections scanDetections
Contains a complete view providing malware scan result details.
String scanType
Specifies the scan type that invoked the malware scan.
String name
The name of the ECS Cluster.
String arn
The Amazon Resource Name (ARN) that identifies the cluster.
String status
The status of the ECS cluster.
Integer activeServicesCount
The number of services that are running on the cluster in an ACTIVE state.
Integer registeredContainerInstancesCount
The number of container instances registered into the cluster.
Integer runningTasksCount
The number of tasks in the cluster that are in the RUNNING state.
List<E> tags
The tags of the ECS Cluster.
EcsTaskDetails taskDetails
Contains information about the details of the ECS Task.
String arn
The Amazon Resource Name (ARN) of the task.
String definitionArn
The ARN of the task definition that creates the task.
String version
The version counter for the task.
Date taskCreatedAt
The Unix timestamp for the time when the task was created.
Date startedAt
The Unix timestamp for the time when the task started.
String startedBy
Contains the tag specified when a task is started.
List<E> tags
The tags of the ECS Task.
List<E> volumes
The list of data volume definitions for the task.
List<E> containers
The containers that are associated with the task.
String group
The name of the task group that's associated with the task.
String adminAccountId
The Amazon Web Services account ID for the organization account to be enabled as a GuardDuty delegated administrator.
List<E> issues
Runtime coverage issues identified for the resource running on Amazon Web Services Fargate.
String managementType
Indicates how the GuardDuty security agent is managed for this resource. AUTO_MANAGED indicates that GuardDuty deploys and manages updates for this resource. DISABLED indicates that the deployment of the GuardDuty security agent is disabled for this resource. The MANUAL status doesn't apply to Amazon Web Services Fargate (Amazon ECS only) workloads.
String equalsValue
Represents an equal condition to be applied to a single field when querying for scan entries.
Long greaterThan
Represents a greater than condition to be applied to a single field when querying for scan entries.
Long lessThan
Represents a less than condition to be applied to a single field when querying for scan entries.
String criterionKey
An enum value representing possible scan properties to match with given scan entries. Replace the enum value CLUSTER_NAME with EKS_CLUSTER_NAME; CLUSTER_NAME has been deprecated.
FilterCondition filterCondition
Contains information about the condition.
String accountId
The ID of the account in which the finding was generated.
String arn
The ARN of the finding.
Double confidence
The confidence score for the finding.
String createdAt
The time and date when the finding was created.
String description
The description of the finding.
String id
The ID of the finding.
String partition
The partition associated with the finding.
String region
The Region where the finding was generated.
Resource resource
String schemaVersion
The version of the schema used for the finding.
Service service
Double severity
The severity of the finding.
String title
The title of the finding.
String type
The type of finding.
String updatedAt
The time and date when the finding was last updated.
String status
Denotes whether VPC flow logs are enabled as a data source.
String detectorId
The unique ID of the detector of the GuardDuty member account.
Administrator administrator
The administrator account details.
String detectorId
The unique ID of the GuardDuty detector associated to the coverage statistics.
CoverageFilterCriteria filterCriteria
Represents the criteria used to filter the coverage statistics.
List<E> statisticsType
Represents the statistics type used to aggregate the coverage details.
CoverageStatistics coverageStatistics
Represents the count aggregated by the statusCode and resourceType.
String detectorId
The unique ID of the detector that you want to get.
String createdAt
The timestamp of when the detector was created.
String findingPublishingFrequency
The publishing frequency of the finding.
String serviceRole
The GuardDuty service role.
String status
The detector status.
String updatedAt
The last-updated timestamp for the detector.
DataSourceConfigurationsResult dataSources
Describes which data sources are enabled for the detector.
Map<K,V> tags
The tags of the detector resource.
List<E> features
Describes the features that have been enabled for the detector.
String name
The name of the filter.
String description
The description of the filter.
String action
Specifies the action that is to be applied to the findings that match the filter.
Integer rank
Specifies the position of the filter in the list of current filters. Also specifies the order in which this filter is applied to the findings.
FindingCriteria findingCriteria
Represents the criteria to be used in the filter for querying findings.
Map<K,V> tags
The tags of the filter resource.
String detectorId
The ID of the detector that specifies the GuardDuty service whose findings you want to retrieve.
List<E> findingIds
The IDs of the findings that you want to retrieve.
SortCriteria sortCriteria
Represents the criteria used for sorting findings.
String detectorId
The ID of the detector that specifies the GuardDuty service whose findings' statistics you want to retrieve.
List<E> findingStatisticTypes
The types of finding statistics to retrieve.
FindingCriteria findingCriteria
Represents the criteria that is used for querying findings.
FindingStatistics findingStatistics
The finding statistics object.
Integer invitationsCount
The number of received invitations.
String name
The user-friendly name for the IPSet.
String format
The format of the file that contains the IPSet.
String location
The URI of the file that contains the IPSet.
String status
The status of the IPSet file that was uploaded.
Map<K,V> tags
The tags of the IPSet resource.
String detectorId
The unique ID of the detector that the scan setting is associated with.
ScanResourceCriteria scanResourceCriteria
Represents the criteria to be used in the filter for scanning resources.
String ebsSnapshotPreservation
An enum value representing possible snapshot preservation settings.
String detectorId
The unique ID of the detector of the GuardDuty member account.
Master master
The administrator account details.
List<E> memberDataSourceConfigurations
An object that describes which data sources are enabled for a member account.
List<E> unprocessedAccounts
A list of member account IDs that could not be processed, along with an explanation of why they were not processed.
OrganizationDetails organizationDetails
Information about the statistics report for your organization.
String name
A user-friendly ThreatIntelSet name displayed in all findings that are generated by activity that involves IP addresses included in this ThreatIntelSet.
String format
The format of the threatIntelSet.
String location
The URI of the file that contains the ThreatIntelSet.
String status
The status of the threatIntelSet file that was uploaded.
Map<K,V> tags
The tags of the threat list resource.
String detectorId
The ID of the detector that specifies the GuardDuty service whose usage statistics you want to retrieve.
String usageStatisticType
The type of usage statistics to retrieve.
UsageCriteria usageCriteria
Represents the criteria used for querying usage.
String unit
The currency unit you would like to view your usage statistics in. Current valid values are USD.
Integer maxResults
The maximum number of results to return in the response.
String nextToken
A token to use for paginating results that are returned in the response. Set the value of this parameter to null for the first request to a list action. For subsequent calls, use the NextToken value returned from the previous request to continue listing results after the first page.
UsageStatistics usageStatistics
The usage statistics object. If a UsageStatisticType was provided, the objects representing other types will be null.
String nextToken
The pagination parameter to be used on the next list operation to retrieve more items.
String path
Path of the file or directory on the host that the volume maps to.
String availabilityZone
The Availability Zone of the EC2 instance.
IamInstanceProfile iamInstanceProfile
The profile information of the EC2 instance.
String imageDescription
The image description of the EC2 instance.
String imageId
The image ID of the EC2 instance.
String instanceId
The ID of the EC2 instance.
String instanceState
The state of the EC2 instance.
String instanceType
The type of the EC2 instance.
String outpostArn
The Amazon Resource Name (ARN) of the Amazon Web Services Outpost. Only applicable to Amazon Web Services Outposts instances.
String launchTime
The launch time of the EC2 instance.
List<E> networkInterfaces
The elastic network interface information of the EC2 instance.
String platform
The platform of the EC2 instance.
List<E> productCodes
The product codes of the EC2 instance.
List<E> tags
The tags of the EC2 instance.
String type
The error type.
String accountId
The ID of the account that the invitation was sent from.
String invitationId
The ID of the invitation. This value is used to validate the inviter account to the member account.
String relationshipStatus
The status of the relationship between the inviter and invitee accounts.
String invitedAt
The timestamp when the invitation was sent.
String detectorId
The unique ID of the detector of the GuardDuty account that you want to invite members with.
List<E> accountIds
A list of account IDs of the accounts that you want to invite to GuardDuty as members.
Boolean disableEmailNotification
A Boolean value that specifies whether you want to disable email notification to the accounts that you are inviting to GuardDuty as members.
String message
The invitation message that you want to send to the accounts that you're inviting to GuardDuty as members.
String requestUri
The Kubernetes API request URI.
String verb
The Kubernetes API request HTTP verb.
List<E> sourceIps
The IP of the Kubernetes API caller and the IPs of any proxies or load balancers between the caller and the API endpoint.
String userAgent
The user agent of the caller of the Kubernetes API.
RemoteIpDetails remoteIpDetails
Integer statusCode
The resulting HTTP response code of the Kubernetes API call action.
String parameters
Parameters related to the Kubernetes API call action.
String resource
The resource component in the Kubernetes API call action.
String subresource
The name of the sub-resource in the Kubernetes API call action.
String namespace
The name of the namespace where the Kubernetes API call action takes place.
String resourceName
The name of the resource in the Kubernetes API call action.
Boolean enable
The status of Kubernetes audit logs as a data source.
String status
A value that describes whether Kubernetes audit logs are enabled as a data source.
KubernetesAuditLogsConfiguration auditLogs
The status of Kubernetes audit logs as a data source.
KubernetesAuditLogsConfigurationResult auditLogs
Describes whether Kubernetes audit logs are enabled as a data source.
DataSourceFreeTrial auditLogs
Describes whether Kubernetes audit logs are enabled as a data source.
KubernetesUserDetails kubernetesUserDetails
Details about the Kubernetes user involved in a Kubernetes finding.
KubernetesWorkloadDetails kubernetesWorkloadDetails
Details about the Kubernetes workload involved in a Kubernetes finding.
String verb
The verb component of the Kubernetes API call. For example, when you check whether or not you have the permission to call the CreatePod API, the verb component will be Create.
String resource
The Kubernetes resource with which your Kubernetes API call will interact.
String namespace
The namespace where the Kubernetes API action will take place.
Boolean allowed
Indicates whether the user has the permission to call the Kubernetes API.
String kind
The kind of the role. For role binding, this value will be RoleBinding.
String name
The name of the RoleBinding.
String uid
The unique identifier of the role binding.
String roleRefName
The name of the role being referenced. This must match the name of the Role or ClusterRole that you want to bind to.
String roleRefKind
The type of the role being referenced. This could be either Role or ClusterRole.
String username
The username of the user who called the Kubernetes API.
String uid
The user ID of the user who called the Kubernetes API.
List<E> groups
The groups that include the user who called the Kubernetes API.
List<E> sessionName
Entity that assumes the IAM role when Kubernetes RBAC permissions are assigned to that role.
ImpersonatedUser impersonatedUser
Information about the impersonated user.
String name
Kubernetes workload name.
String type
Kubernetes workload type (e.g. Pod, Deployment, etc.).
String uid
Kubernetes workload ID.
String namespace
Kubernetes namespace that the workload is part of.
Boolean hostNetwork
Whether the hostNetwork flag is enabled for the pods included in the workload.
List<E> containers
Containers running as part of the Kubernetes workload.
List<E> volumes
Volumes used by the Kubernetes workload.
String serviceAccountName
The service account name that is associated with a Kubernetes workload.
Boolean hostIPC
Whether the host IPC flag is enabled for the pods in the workload.
Boolean hostPID
Whether the host PID flag is enabled for the pods in the workload.
String functionArn
Amazon Resource Name (ARN) of the Lambda function.
String functionName
Name of the Lambda function.
String description
Description of the Lambda function.
Date lastModifiedAt
The timestamp when the Lambda function was last modified. This field is in the UTC date string format (2023-03-22T19:37:20.168Z).
String revisionId
The revision ID of the Lambda function version.
String functionVersion
The version of the Lambda function.
String role
The execution role of the Lambda function.
VpcConfig vpcConfig
Amazon Virtual Private Cloud configuration details associated with your Lambda function.
List<E> tags
A list of tags attached to this resource, listed in the format of key:value pairs.
Date startTime
The time when the process started. This is in UTC format.
Integer namespacePid
The process ID of the child process.
Integer userId
The user ID of the user that executed the process.
String name
The name of the process.
Integer pid
The ID of the process.
String uuid
The unique ID assigned to the process by GuardDuty.
String executablePath
The absolute path of the process executable file.
Integer euid
The effective user ID that was used to execute the process.
String parentUuid
The unique ID of the parent process. This ID is assigned to the parent process by GuardDuty.
String detectorId
The unique ID of the detector whose coverage details you want to retrieve.
String nextToken
A token to use for paginating results that are returned in the response. Set the value of this parameter to null for the first request to a list action. For subsequent calls, use the NextToken value returned from the previous request to continue listing results after the first page.
Integer maxResults
The maximum number of results to return in the response.
CoverageFilterCriteria filterCriteria
Represents the criteria used to filter the coverage details.
CoverageSortCriteria sortCriteria
Represents the criteria used to sort the coverage details.
Integer maxResults
You can use this parameter to indicate the maximum number of items that you want in the response. The default value is 50. The maximum value is 50.
String nextToken
You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.
String detectorId
The unique ID of the detector that the filter is associated with.
Integer maxResults
You can use this parameter to indicate the maximum number of items that you want in the response. The default value is 50. The maximum value is 50.
String nextToken
You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.
String detectorId
The ID of the detector that specifies the GuardDuty service whose findings you want to list.
FindingCriteria findingCriteria
Represents the criteria used for querying findings. Valid values include:
JSON field name
accountId
region
confidence
id
resource.accessKeyDetails.accessKeyId
resource.accessKeyDetails.principalId
resource.accessKeyDetails.userName
resource.accessKeyDetails.userType
resource.instanceDetails.iamInstanceProfile.id
resource.instanceDetails.imageId
resource.instanceDetails.instanceId
resource.instanceDetails.networkInterfaces.ipv6Addresses
resource.instanceDetails.networkInterfaces.privateIpAddresses.privateIpAddress
resource.instanceDetails.networkInterfaces.publicDnsName
resource.instanceDetails.networkInterfaces.publicIp
resource.instanceDetails.networkInterfaces.securityGroups.groupId
resource.instanceDetails.networkInterfaces.securityGroups.groupName
resource.instanceDetails.networkInterfaces.subnetId
resource.instanceDetails.networkInterfaces.vpcId
resource.instanceDetails.tags.key
resource.instanceDetails.tags.value
resource.resourceType
service.action.actionType
service.action.awsApiCallAction.api
service.action.awsApiCallAction.callerType
service.action.awsApiCallAction.remoteIpDetails.city.cityName
service.action.awsApiCallAction.remoteIpDetails.country.countryName
service.action.awsApiCallAction.remoteIpDetails.ipAddressV4
service.action.awsApiCallAction.remoteIpDetails.organization.asn
service.action.awsApiCallAction.remoteIpDetails.organization.asnOrg
service.action.awsApiCallAction.serviceName
service.action.dnsRequestAction.domain
service.action.dnsRequestAction.domainWithSuffix
service.action.networkConnectionAction.blocked
service.action.networkConnectionAction.connectionDirection
service.action.networkConnectionAction.localPortDetails.port
service.action.networkConnectionAction.protocol
service.action.networkConnectionAction.remoteIpDetails.country.countryName
service.action.networkConnectionAction.remoteIpDetails.ipAddressV4
service.action.networkConnectionAction.remoteIpDetails.organization.asn
service.action.networkConnectionAction.remoteIpDetails.organization.asnOrg
service.action.networkConnectionAction.remotePortDetails.port
service.additionalInfo.threatListName
service.archived
When this attribute is set to 'true', only archived findings are listed. When it's set to 'false', only unarchived findings are listed. When this attribute is not set, all existing findings are listed.
service.resourceRole
severity
type
updatedAt
Type: Timestamp in Unix Epoch millisecond format: 1486685375000
SortCriteria sortCriteria
Represents the criteria used for sorting findings.
Integer maxResults
You can use this parameter to indicate the maximum number of items you want in the response. The default value is 50. The maximum value is 50.
String nextToken
You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.
Integer maxResults
You can use this parameter to indicate the maximum number of items that you want in the response. The default value is 50. The maximum value is 50.
String nextToken
You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.
String detectorId
The unique ID of the detector that the IPSet is associated with.
Integer maxResults
You can use this parameter to indicate the maximum number of items you want in the response. The default value is 50. The maximum value is 50.
String nextToken
You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.
String detectorId
The unique ID of the detector the member is associated with.
Integer maxResults
You can use this parameter to indicate the maximum number of items you want in the response. The default value is 50. The maximum value is 50.
String nextToken
You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.
String onlyAssociated
Specifies whether to only return associated members or to return all members (including members who haven't been invited yet or have been disassociated). Member accounts must have been previously associated with the GuardDuty administrator account using CreateMembers.
Integer maxResults
The maximum number of results to return in the response.
String nextToken
A token to use for paginating results that are returned in the response. Set the value of this parameter to null for the first request to a list action. For subsequent calls, use the NextToken value returned from the previous request to continue listing results after the first page.
String detectorId
The ID of the detector to retrieve publishing destinations for.
Integer maxResults
The maximum number of results to return in the response.
String nextToken
A token to use for paginating results that are returned in the response. Set the value of this parameter to null for the first request to a list action. For subsequent calls, use the NextToken value returned from the previous request to continue listing results after the first page.
List<E> destinations
A Destinations object that includes information about each publishing destination returned.
String nextToken
A token to use for paginating results that are returned in the response. Set the value of this parameter to null for the first request to a list action. For subsequent calls, use the NextToken value returned from the previous request to continue listing results after the first page.
String resourceArn
The Amazon Resource Name (ARN) for the given GuardDuty resource.
String detectorId
The unique ID of the detector that the threatIntelSet is associated with.
Integer maxResults
You can use this parameter to indicate the maximum number of items that you want in the response. The default value is 50. The maximum value is 50.
String nextToken
You can use this parameter to paginate results in the response. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.
String ipAddressV4
The IPv4 local address of the connection.
String user
Indicates the user name that attempted to log in.
String application
Indicates the application name used in the login attempt.
Integer failedLoginAttempts
Represents the sum of failed (unsuccessful) login attempts made to establish a connection to the database instance.
Integer successfulLoginAttempts
Represents the sum of successful connections (a correct combination of login attributes) made to the database instance by the actor.
ScanEc2InstanceWithFindings scanEc2InstanceWithFindings
Describes the configuration of Malware Protection for EC2 instances with findings.
ScanEc2InstanceWithFindingsResult scanEc2InstanceWithFindings
Describes the configuration of Malware Protection for EC2 instances with findings.
String serviceRole
The GuardDuty Malware Protection service role.
DataSourceFreeTrial scanEc2InstanceWithFindings
Describes whether Malware Protection for EC2 instances with findings is enabled as a data source.
String accountId
The ID of the account used as the administrator account.
String invitationId
The value used to validate the administrator account to the member account.
String relationshipStatus
The status of the relationship between the administrator and member accounts.
String invitedAt
The timestamp when the invitation was sent.
String accountId
The ID of the member account.
String detectorId
The detector ID of the member account.
String masterId
The administrator account ID.
String email
The email address of the member account.
String relationshipStatus
The status of the relationship between the member and the administrator.
String invitedAt
The timestamp when the invitation was sent.
String updatedAt
The last-updated timestamp of the member.
String administratorId
The administrator account ID.
String name
Indicates the name of the additional configuration that is set for the member account.
String status
Indicates the status of the additional configuration that is set for the member account.
Date updatedAt
The timestamp at which the additional configuration was set for the member account. This is in UTC format.
String accountId
The account ID for the member account.
DataSourceConfigurationsResult dataSources
Contains information on the status of data sources for the account.
List<E> features
Contains information about the status of the features for the member account.
String name
Indicates the name of the feature that is enabled for the detector.
String status
Indicates the status of the feature that is enabled for the detector.
Date updatedAt
The timestamp at which the feature object was updated.
List<E> additionalConfiguration
Indicates the additional configuration of the feature that is configured for the member account.
Boolean blocked
Indicates whether EC2 blocked the network connection to your instance.
String connectionDirection
The network connection direction.
LocalPortDetails localPortDetails
The local port information of the connection.
String protocol
The network connection protocol.
LocalIpDetails localIpDetails
The local IP information of the connection.
RemoteIpDetails remoteIpDetails
The remote IP information of the connection.
RemotePortDetails remotePortDetails
The remote port information of the connection.
List<E> ipv6Addresses
A list of IPv6 addresses for the EC2 instance.
String networkInterfaceId
The ID of the network interface.
String privateDnsName
The private DNS name of the EC2 instance.
String privateIpAddress
The private IP address of the EC2 instance.
List<E> privateIpAddresses
Other private IP address information of the EC2 instance.
String publicDnsName
The public DNS name of the EC2 instance.
String publicIp
The public IP address of the EC2 instance.
List<E> securityGroups
The security groups associated with the EC2 instance.
String subnetId
The subnet ID of the EC2 instance.
String vpcId
The VPC ID of the EC2 instance.
String name
The name of the additional configuration that will be configured for the organization.
String autoEnable
The status of the additional configuration that will be configured for the organization. Use one of the following values to configure the feature status for the entire organization:
NEW: Indicates that when a new account joins the organization, they will have the additional configuration enabled automatically.
ALL: Indicates that all accounts in the organization have the additional configuration enabled automatically. This includes NEW accounts that join the organization and accounts that may have been suspended or removed from the organization in GuardDuty. It may take up to 24 hours to update the configuration for all the member accounts.
NONE: Indicates that the additional configuration will not be automatically enabled for any account in the organization. The administrator must manage the additional configuration for each account individually.
String name
The name of the additional configuration that is configured for the member accounts within the organization.
String autoEnable
Describes the status of the additional configuration that is configured for the member accounts within the organization. One of the following values is the status for the entire organization:
NEW: Indicates that when a new account joins the organization, they will have the additional configuration enabled automatically.
ALL: Indicates that all accounts in the organization have the additional configuration enabled automatically. This includes NEW accounts that join the organization and accounts that may have been suspended or removed from the organization in GuardDuty. It may take up to 24 hours to update the configuration for all the member accounts.
NONE: Indicates that the additional configuration will not be automatically enabled for any account in the organization. The administrator must manage the additional configuration for each account individually.
OrganizationS3LogsConfiguration s3Logs
Describes whether S3 data event logs are enabled for new members of the organization.
OrganizationKubernetesConfiguration kubernetes
Describes the configuration of Kubernetes data sources for new members of the organization.
OrganizationMalwareProtectionConfiguration malwareProtection
Describes the configuration of Malware Protection for new members of the organization.
OrganizationS3LogsConfigurationResult s3Logs
Describes whether S3 data event logs are enabled as a data source.
OrganizationKubernetesConfigurationResult kubernetes
Describes the configuration of Kubernetes data sources.
OrganizationMalwareProtectionConfigurationResult malwareProtection
Describes the configuration of the Malware Protection data source for an organization.
Date updatedAt
The timestamp at which the organization statistics were last updated. This is in UTC format.
OrganizationStatistics organizationStatistics
Information about the GuardDuty coverage statistics for members in your Amazon Web Services organization.
Boolean autoEnable
Whether scanning EBS volumes should be auto-enabled for new members joining the organization.
Boolean autoEnable
An object that contains the status of whether scanning EBS volumes should be auto-enabled for new members joining the organization.
String name
The name of the feature that will be configured for the organization.
String autoEnable
Describes the status of the feature that is configured for the member accounts within the organization. One of the following values is the status for the entire organization:
NEW: Indicates that when a new account joins the organization, they will have the feature enabled automatically.
ALL: Indicates that all accounts in the organization have the feature enabled automatically. This includes NEW accounts that join the organization and accounts that may have been suspended or removed from the organization in GuardDuty. It may take up to 24 hours to update the configuration for all the member accounts.
NONE: Indicates that the feature will not be automatically enabled for any account in the organization. The administrator must manage the feature for each account individually.
List<E> additionalConfiguration
The additional information that will be configured for the organization.
String name
The name of the feature that is configured for the member accounts within the organization.
String autoEnable
Describes the status of the feature that is configured for the member accounts within the organization.
NEW: Indicates that when a new account joins the organization, they will have the feature enabled automatically.
ALL: Indicates that all accounts in the organization have the feature enabled automatically. This includes NEW accounts that join the organization and accounts that may have been suspended or removed from the organization in GuardDuty.
NONE: Indicates that the feature will not be automatically enabled for any account in the organization. In this case, each account will be managed individually by the administrator.
List<E> additionalConfiguration
The additional configuration that is configured for the member accounts within the organization.
Boolean autoEnable
A value that contains information on whether Kubernetes audit logs should be enabled automatically as a data source for the organization.
Boolean autoEnable
Whether Kubernetes audit logs data source should be auto-enabled for new members joining the organization.
OrganizationKubernetesAuditLogsConfiguration auditLogs
Whether Kubernetes audit logs data source should be auto-enabled for new members joining the organization.
OrganizationKubernetesAuditLogsConfigurationResult auditLogs
The current configuration of Kubernetes audit logs as a data source for the organization.
OrganizationScanEc2InstanceWithFindings scanEc2InstanceWithFindings
Whether Malware Protection for EC2 instances with findings should be auto-enabled for new members joining the organization.
OrganizationScanEc2InstanceWithFindingsResult scanEc2InstanceWithFindings
Describes the configuration for scanning EC2 instances with findings for an organization.
Boolean autoEnable
A value that contains information on whether S3 data event logs will be enabled automatically as a data source for the organization.
Boolean autoEnable
A value that describes whether S3 data event logs are automatically enabled for new members of the organization.
OrganizationEbsVolumes ebsVolumes
Whether scanning EBS volumes should be auto-enabled for new members joining the organization.
OrganizationEbsVolumesResult ebsVolumes
Describes the configuration for scanning EBS volumes for an organization.
Integer totalAccountsCount
Total number of accounts in your Amazon Web Services organization.
Integer memberAccountsCount
Total number of accounts in your Amazon Web Services organization that are associated with GuardDuty.
Integer activeAccountsCount
Total number of active accounts in your Amazon Web Services organization that are associated with GuardDuty.
Integer enabledAccountsCount
Total number of accounts that have enabled GuardDuty.
List<E> countByFeature
Retrieves the coverage statistics for each feature.
String id
The canonical user ID of the bucket owner. For information about locating your canonical user ID, see Finding Your Account Canonical User ID.
BucketLevelPermissions bucketLevelPermissions
Contains information about the bucket level permissions for the S3 bucket.
AccountLevelPermissions accountLevelPermissions
Contains information about the account level permissions on the S3 bucket.
LocalPortDetails localPortDetails
The local port information of the connection.
LocalIpDetails localIpDetails
The local IP information of the connection.
RemoteIpDetails remoteIpDetails
The remote IP information of the connection.
String name
The name of the process.
String executablePath
The absolute path of the process executable file.
String executableSha256
The SHA256 hash of the process executable.
Integer namespacePid
The ID of the child process.
String pwd
The present working directory of the process.
Integer pid
The ID of the process.
Date startTime
The time when the process started. This is in UTC format.
String uuid
The unique ID assigned to the process by GuardDuty.
String parentUuid
The unique ID of the parent process. This ID is assigned to the parent process by GuardDuty.
String user
The user that executed the process.
Integer userId
The unique ID of the user that executed the process.
Integer euid
The effective user ID of the user that executed the process.
List<E> lineage
Information about the process's lineage.
PermissionConfiguration permissionConfiguration
Contains information about how permissions are configured for the S3 bucket.
String effectivePermission
Describes the effective permission on this bucket after factoring all attached policies.
String dbInstanceIdentifier
The identifier associated with the database instance that was involved in the finding.
String engine
The database engine of the database instance involved in the finding.
String engineVersion
The version of the database engine that was involved in the finding.
String dbClusterIdentifier
The identifier of the database cluster that contains the database instance ID involved in the finding.
String dbInstanceArn
The Amazon Resource Name (ARN) that identifies the database instance involved in the finding.
List<E> tags
Instance tag key-value pairs associated with the database instance ID.
String user
The user name used in the anomalous login attempt.
String application
The application name used in the anomalous login attempt.
String database
The name of the database instance involved in the anomalous login attempt.
String ssl
The version of the Secure Sockets Layer (SSL) used for the network.
String authMethod
The authentication method used by the user involved in the finding.
RemoteIpDetails remoteIpDetails
List<E> loginAttributes
Indicates the login attributes used in the login attempt.
String accountId
The Amazon Web Services account ID of the remote API caller.
Boolean affiliated
Details on whether the Amazon Web Services account of the remote API caller is related to your GuardDuty environment. If this value is True, the API caller is affiliated to your account in some way. If it is False, the API caller is from outside your environment.
City city
The city information of the remote IP address.
Country country
The country code of the remote IP address.
GeoLocation geoLocation
The location information of the remote IP address.
String ipAddressV4
The IPv4 remote address of the connection.
Organization organization
The ISP organization information of the remote IP address.
AccessKeyDetails accessKeyDetails
The IAM access key details (user information) of a user that engaged in the activity that prompted GuardDuty to generate a finding.
List<E> s3BucketDetails
Contains information on the S3 bucket.
InstanceDetails instanceDetails
The information about the EC2 instance associated with the activity that prompted GuardDuty to generate a finding.
EksClusterDetails eksClusterDetails
Details about the EKS cluster involved in a Kubernetes finding.
KubernetesDetails kubernetesDetails
Details about the Kubernetes user and workload involved in a Kubernetes finding.
String resourceType
The type of Amazon Web Services resource.
EbsVolumeDetails ebsVolumeDetails
Contains a list of scanned and skipped EBS volumes with details.
EcsClusterDetails ecsClusterDetails
Contains information about the details of the ECS Cluster.
Container containerDetails
RdsDbInstanceDetails rdsDbInstanceDetails
Contains information about the database instance to which an anomalous login attempt was made.
RdsDbUserDetails rdsDbUserDetails
Contains information about the user details through which the anomalous login attempt was made.
LambdaDetails lambdaDetails
Contains information about the Lambda function that was involved in a finding.
String instanceArn
InstanceArn that was scanned in the scan entry.
ProcessDetails modifyingProcess
Information about the process that modified the current process. This is available for multiple finding types.
Date modifiedAt
The timestamp at which the process modified the current process. The timestamp is in UTC date string format.
String scriptPath
The path to the script that was executed.
String libraryPath
The path to the new library that was loaded.
String ldPreloadValue
The value of the LD_PRELOAD environment variable.
String socketPath
The path to the Docker socket that was accessed.
String runcBinaryPath
The path to the leveraged runc implementation.
String releaseAgentPath
The path in the container that modified the release agent file.
String mountSource
The path on the host that is mounted by the container.
String mountTarget
The path in the container that is mapped to the host directory.
String fileSystemType
Represents the type of the mounted file system.
List<E> flags
Represents options that control the behavior of a runtime operation or action. For example, a filesystem mount operation may contain a read-only flag.
String moduleName
The name of the module loaded into the kernel.
String moduleFilePath
The path to the module loaded into the kernel.
String moduleSha256
The SHA256 hash of the module.
String shellHistoryFilePath
The path to the modified shell history file.
ProcessDetails targetProcess
Information about the process that had its memory overwritten by the current process.
String addressFamily
Represents the communication protocol associated with the address. For example, the address family
AF_INET is used for the IP version 4 protocol.
Integer ianaProtocolNumber
Specifies a particular protocol within the address family. Usually there is a single protocol in address
families. For example, the address family AF_INET only has the IP protocol.
List<E> memoryRegions
Specifies the regions of a process's address space, such as the stack and the heap.
ProcessDetails process
Information about the observed process.
RuntimeContext context
Additional information about the suspicious activity.
String arn
The Amazon Resource Name (ARN) of the S3 bucket.
String name
The name of the S3 bucket.
String type
Describes whether the bucket is a source or destination bucket.
Date createdAt
The date and time at which the bucket was created.
Owner owner
The owner of the S3 bucket.
List<E> tags
All tags attached to the S3 bucket.
DefaultServerSideEncryption defaultServerSideEncryption
Describes the server-side encryption method used in the S3 bucket.
PublicAccess publicAccess
Describes the public access policies that apply to the S3 bucket.
Boolean enable
The status of S3 data event logs as a data source.
String status
A value that describes whether S3 data event logs are automatically enabled for new members of the organization.
String detectorId
The unique ID of the detector that the request is associated with.
String adminDetectorId
The unique detector ID of the administrator account that the request is associated with. Note that this value
will be the same as the one used for DetectorId if the account is an administrator.
String scanId
The unique scan ID associated with a scan entry.
String scanStatus
An enum value representing possible scan statuses.
String failureReason
Represents the reason for FAILED scan status.
Date scanStartTime
The timestamp of when the scan was triggered.
Date scanEndTime
The timestamp of when the scan was finished.
TriggerDetails triggerDetails
Specifies the reason why the scan was initiated.
ResourceDetails resourceDetails
Represents the resources that were scanned in the scan entry.
ScanResultDetails scanResultDetails
Represents the result of the scan.
String accountId
The ID for the account that belongs to the scan.
Long totalBytes
Represents total bytes that were scanned.
Long fileCount
Represents the number of files that were scanned.
List<E> attachedVolumes
List of volumes that were attached to the original instance to be scanned.
String scanType
Specifies the scan type that invoked the malware scan.
ScannedItemCount scannedItemCount
Total number of scanned files.
ThreatsDetectedItemCount threatsDetectedItemCount
Total number of infected files.
HighestSeverityThreatDetails highestSeverityThreatDetails
Details of the highest severity threat detected during the malware scan and the number of infected files.
ThreatDetectedByName threatDetectedByName
Contains details about identified threats organized by threat name.
Boolean ebsVolumes
Describes the configuration for scanning EBS volumes as data source.
EbsVolumesResult ebsVolumes
Describes the configuration of scanning EBS volumes as a data source.
String scanResult
An enum value representing possible scan results.
Action action
Information about the activity that is described in a finding.
Evidence evidence
An evidence object associated with the service.
Boolean archived
Indicates whether this finding is archived.
Integer count
The total count of the occurrences of this finding type.
String detectorId
The detector ID for the GuardDuty service.
String eventFirstSeen
The first-seen timestamp of the activity that prompted GuardDuty to generate this finding.
String eventLastSeen
The last-seen timestamp of the activity that prompted GuardDuty to generate this finding.
String resourceRole
The resource role information for this finding.
String serviceName
The name of the Amazon Web Services service (GuardDuty) that generated a finding.
String userFeedback
Feedback that was submitted about the finding.
ServiceAdditionalInfo additionalInfo
Contains additional information about the generated finding.
String featureName
The name of the feature that generated a finding.
EbsVolumeScanDetails ebsVolumeScanDetails
Returns details from the malware scan that created a finding.
RuntimeDetails runtimeDetails
Information about the process and any required context values for a specific finding.
Detection detection
Contains information about the detected unusual behavior.
String resourceArn
Amazon Resource Name (ARN) of the resource for which you invoked the API.
String scanId
A unique identifier that gets generated when you invoke the API without any error. Each malware scan has a corresponding scan ID. Using this scan ID, you can monitor the status of your malware scan.
Integer itemCount
Total number of infected files identified.
Integer uniqueThreatNameCount
Total number of unique threats, by name, identified as part of the malware scan.
Boolean shortened
Flag to determine if the finding contains every single infected file-path and/or every threat.
List<E> threatNames
List of identified threats with details, organized by threat name.
Integer files
Total number of infected files.
MalwareProtectionConfigurationResult malwareProtection
String detectorId
The unique ID of the detector to update.
Boolean enable
Specifies whether the detector is enabled or not enabled.
String findingPublishingFrequency
An enum value that specifies how frequently findings are exported, such as to CloudWatch Events.
DataSourceConfigurations dataSources
Describes which data sources will be updated.
There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints.
List<E> features
Provides the features that will be updated for the detector.
String detectorId
The unique ID of the detector that specifies the GuardDuty service where you want to update a filter.
String filterName
The name of the filter.
String description
The description of the filter. Valid characters include alphanumeric characters, and special characters such as
hyphen, period, colon, underscore, parentheses ({ }, [ ], and ( )),
forward slash, horizontal tab, vertical tab, newline, form feed, return, and whitespace.
String action
Specifies the action that is to be applied to the findings that match the filter.
Integer rank
Specifies the position of the filter in the list of current filters. Also specifies the order in which this filter is applied to the findings.
FindingCriteria findingCriteria
Represents the criteria to be used in the filter for querying findings.
String name
The name of the filter.
String detectorId
The ID of the detector associated with the findings to update feedback for.
List<E> findingIds
The IDs of the findings that you want to mark as useful or not useful.
String feedback
The feedback for the finding.
String comments
Additional feedback about the GuardDuty findings.
String detectorId
The detector ID that specifies the GuardDuty service whose IPSet you want to update.
String ipSetId
The unique ID that specifies the IPSet that you want to update.
String name
The unique ID that specifies the IPSet that you want to update.
String location
The updated URI of the file that contains the IPSet.
Boolean activate
The updated Boolean value that specifies whether the IPSet is active or not.
String detectorId
The unique ID of the detector that specifies the GuardDuty service where you want to update scan settings.
ScanResourceCriteria scanResourceCriteria
Represents the criteria to be used in the filter for selecting resources to scan.
String ebsSnapshotPreservation
An enum value representing possible snapshot preservation settings.
String detectorId
The detector ID of the administrator account.
List<E> accountIds
A list of member account IDs to be updated.
DataSourceConfigurations dataSources
Describes which data sources will be updated.
List<E> features
A list of features that will be updated for the specified member accounts.
String detectorId
The ID of the detector that configures the delegated administrator.
Boolean autoEnable
Represents whether or not to automatically enable member accounts in the organization.
Even though this is still supported, we recommend using AutoEnableOrganizationMembers to achieve
similar results. You must provide a value for either autoEnableOrganizationMembers or
autoEnable.
OrganizationDataSourceConfigurations dataSources
Describes which data sources will be updated.
List<E> features
A list of features that will be configured for the organization.
String autoEnableOrganizationMembers
Indicates the auto-enablement configuration of GuardDuty for the member accounts in the organization. You must
provide a value for either autoEnableOrganizationMembers or autoEnable.
Use one of the following configuration values for autoEnableOrganizationMembers:
NEW: Indicates that when a new account joins the organization, they will have GuardDuty enabled
automatically.
ALL: Indicates that all accounts in the organization have GuardDuty enabled automatically. This
includes NEW accounts that join the organization and accounts that may have been suspended or
removed from the organization in GuardDuty.
It may take up to 24 hours to update the configuration for all the member accounts.
NONE: Indicates that GuardDuty will not be automatically enabled for any account in the
organization. The administrator must manage GuardDuty for each account in the organization individually.
String detectorId
The ID of the detector associated with the publishing destinations to update.
String destinationId
The ID of the publishing destination to update.
DestinationProperties destinationProperties
A DestinationProperties object that includes the DestinationArn and
KmsKeyArn of the publishing destination.
String detectorId
The detector ID that specifies the GuardDuty service whose ThreatIntelSet you want to update.
String threatIntelSetId
The unique ID that specifies the ThreatIntelSet that you want to update.
String name
The unique ID that specifies the ThreatIntelSet that you want to update.
String location
The updated URI of the file that contains the ThreatIntelSet.
Boolean activate
The updated Boolean value that specifies whether the ThreatIntelSet is active or not.
List<E> accountIds
The account IDs to aggregate usage statistics from.
List<E> dataSources
The data sources to aggregate usage statistics from.
List<E> resources
The resources to aggregate usage statistics from. Only accepts exact resource names.
List<E> features
The features to aggregate usage statistics from.
List<E> sumByAccount
The usage statistic sum organized by account ID.
List<E> topAccountsByFeature
Lists the top 50 accounts by feature that have generated the most GuardDuty usage, in the order from most to least expensive.
Currently, this doesn't support RDS_LOGIN_EVENTS.
List<E> sumByDataSource
The usage statistic sum organized by data source.
List<E> sumByResource
The usage statistic sum organized by resource.
List<E> topResources
Lists the top 50 resources that have generated the most GuardDuty usage, in order from most to least expensive.
List<E> sumByFeature
The usage statistic sum organized by feature.
String volumeArn
EBS volume ARN information.
String volumeType
The EBS volume type.
String deviceName
The device name for the EBS volume.
Integer volumeSizeInGB
EBS volume size in GB.
String encryptionType
EBS volume encryption type.
String snapshotArn
Snapshot ARN of the EBS volume.
String kmsKeyArn
KMS key ARN used to encrypt the EBS volume.
Copyright © 2024. All rights reserved.