[ aws . guardduty ]

get-findings

Description

Describes Amazon GuardDuty findings specified by finding IDs.

See also: AWS API Documentation

Synopsis

  get-findings
--detector-id <value>
--finding-ids <value>
[--sort-criteria <value>]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
[--debug]
[--endpoint-url <value>]
[--no-verify-ssl]
[--no-paginate]
[--output <value>]
[--query <value>]
[--profile <value>]
[--region <value>]
[--version <value>]
[--color <value>]
[--no-sign-request]
[--ca-bundle <value>]
[--cli-read-timeout <value>]
[--cli-connect-timeout <value>]
[--cli-binary-format <value>]
[--no-cli-pager]
[--cli-auto-prompt]
[--no-cli-auto-prompt]

Options

--detector-id (string)

The ID of the detector that specifies the GuardDuty service whose findings you want to retrieve.

--finding-ids (list)

The IDs of the findings that you want to retrieve.

(string)

Syntax:

"string" "string" ...

--sort-criteria (structure)

Represents the criteria used for sorting findings.

AttributeName -> (string)

Represents the finding attribute, such as accountId , that sorts the findings.

OrderBy -> (string)

The order by which the sorted findings are to be displayed.

Shorthand Syntax:

AttributeName=string,OrderBy=string

JSON Syntax:

{
  "AttributeName": "string",
  "OrderBy": "ASC"|"DESC"
}

--cli-input-json | --cli-input-yaml (string) Reads arguments from the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton. If other arguments are provided on the command line, those values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally. This may not be specified along with --cli-input-yaml.

--generate-cli-skeleton (string) Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input, prints a sample input JSON that can be used as an argument for --cli-input-json. Similarly, if provided yaml-input it will print a sample input YAML that can be used with --cli-input-yaml. If provided with the value output, it validates the command inputs and returns a sample output JSON for that command. The generated JSON skeleton is not stable between versions of the AWS CLI and there are no backwards compatibility guarantees in the JSON skeleton generated.

Global Options

--debug (boolean)

Turn on debug logging.

--endpoint-url (string)

Override command’s default URL with the given URL.

--no-verify-ssl (boolean)

By default, the AWS CLI uses SSL when communicating with AWS services. For each SSL connection, the AWS CLI will verify SSL certificates. This option overrides the default behavior of verifying SSL certificates.

--no-paginate (boolean)

Disable automatic pagination.

--output (string)

The formatting style for command output.

  • json
  • text
  • table
  • yaml
  • yaml-stream

--query (string)

A JMESPath query to use in filtering the response data.

--profile (string)

Use a specific profile from your credential file.

--region (string)

The region to use. Overrides config/env settings.

--version (string)

Display the version of this tool.

--color (string)

Turn on/off color output.

  • on
  • off
  • auto

--no-sign-request (boolean)

Do not sign requests. Credentials will not be loaded if this argument is provided.

--ca-bundle (string)

The CA certificate bundle to use when verifying SSL certificates. Overrides config/env settings.

--cli-read-timeout (int)

The maximum socket read time in seconds. If the value is set to 0, the socket read will be blocking and not timeout. The default value is 60 seconds.

--cli-connect-timeout (int)

The maximum socket connect time in seconds. If the value is set to 0, the socket connect will be blocking and not timeout. The default value is 60 seconds.

--cli-binary-format (string)

The formatting style to be used for binary blobs. The default format is base64. The base64 format expects binary blobs to be provided as a base64 encoded string. The raw-in-base64-out format preserves compatibility with AWS CLI V1 behavior and binary values must be passed literally. When providing contents from a file that map to a binary blob fileb:// will always be treated as binary and use the file contents directly regardless of the cli-binary-format setting. When using file:// the file contents will need to properly formatted for the configured cli-binary-format.

  • base64
  • raw-in-base64-out

--no-cli-pager (boolean)

Disable cli pager for output.

--cli-auto-prompt (boolean)

Automatically prompt for CLI input parameters.

--no-cli-auto-prompt (boolean)

Disable automatically prompt for CLI input parameters.

Examples

Note

To use the following examples, you must have the AWS CLI installed and configured. See the Getting started guide in the AWS CLI User Guide for more information.

Unless otherwise stated, all examples have unix-like quotation rules. These examples will need to be adapted to your terminal’s quoting rules. See Using quotation marks with strings in the AWS CLI User Guide .

Example 1: To retrieve the details of a specific finding

The following get-findings example retrieves the full JSON finding details of the specified finding.

aws guardduty get-findings \
    --detector-id 12abc34d567e8fa901bc2d34eexample \
    --finding-id 1ab92989eaf0e742df4a014d5example

Output:

{
    "Findings": [
        {
            "Resource": {
                "ResourceType": "AccessKey",
                "AccessKeyDetails": {
                    "UserName": "testuser",
                    "UserType": "IAMUser",
                    "PrincipalId": "AIDACKCEVSQ6C2EXAMPLE",
                    "AccessKeyId": "ASIASZ4SI7REEEXAMPLE"
                }
            },
            "Description": "APIs commonly used to discover the users, groups, policies and permissions in an account, was invoked by IAM principal testuser under unusual circumstances. Such activity is not typically seen from this principal.",
            "Service": {
                "Count": 5,
                "Archived": false,
                "ServiceName": "guardduty",
                "EventFirstSeen": "2020-05-26T22:02:24Z",
                "ResourceRole": "TARGET",
                "EventLastSeen": "2020-05-26T22:33:55Z",
                "DetectorId": "d4b040365221be2b54a6264dcexample",
                "Action": {
                    "ActionType": "AWS_API_CALL",
                    "AwsApiCallAction": {
                        "RemoteIpDetails": {
                            "GeoLocation": {
                                "Lat": 51.5164,
                                "Lon": -0.093
                            },
                            "City": {
                                "CityName": "London"
                            },
                            "IpAddressV4": "52.94.36.7",
                            "Organization": {
                                "Org": "Amazon.com",
                                "Isp": "Amazon.com",
                                "Asn": "16509",
                                "AsnOrg": "AMAZON-02"
                            },
                            "Country": {
                                "CountryName": "United Kingdom"
                            }
                        },
                        "Api": "ListPolicyVersions",
                        "ServiceName": "iam.amazonaws.com",
                        "CallerType": "Remote IP"
                    }
                }
            },
            "Title": "Unusual user permission reconnaissance activity by testuser.",
            "Type": "Recon:IAMUser/UserPermissions",
            "Region": "us-east-1",
            "Partition": "aws",
            "Arn": "arn:aws:guardduty:us-east-1:111122223333:detector/d4b040365221be2b54a6264dcexample/finding/1ab92989eaf0e742df4a014d5example",
            "UpdatedAt": "2020-05-26T22:55:21.703Z",
            "SchemaVersion": "2.0",
            "Severity": 5,
            "Id": "1ab92989eaf0e742df4a014d5example",
            "CreatedAt": "2020-05-26T22:21:48.385Z",
            "AccountId": "111122223333"
        }
    ]
}

For more information, see Findings in the GuardDuty User Guide.

Output

Findings -> (list)

A list of findings.

(structure)

Contains information about the finding that is generated when abnormal or suspicious activity is detected.

AccountId -> (string)

The ID of the account in which the finding was generated.

Arn -> (string)

The ARN of the finding.

Confidence -> (double)

The confidence score for the finding.

CreatedAt -> (string)

The time and date when the finding was created.

Description -> (string)

The description of the finding.

Id -> (string)

The ID of the finding.

Partition -> (string)

The partition associated with the finding.

Region -> (string)

The Region where the finding was generated.

Resource -> (structure)

Contains information about the Amazon Web Services resource associated with the activity that prompted GuardDuty to generate a finding.

AccessKeyDetails -> (structure)

The IAM access key details (user information) of a user that engaged in the activity that prompted GuardDuty to generate a finding.

AccessKeyId -> (string)

The access key ID of the user.

PrincipalId -> (string)

The principal ID of the user.

UserName -> (string)

The name of the user.

UserType -> (string)

The type of the user.

S3BucketDetails -> (list)

Contains information on the S3 bucket.

(structure)

Contains information on the S3 bucket.

Arn -> (string)

The Amazon Resource Name (ARN) of the S3 bucket.

Name -> (string)

The name of the S3 bucket.

Type -> (string)

Describes whether the bucket is a source or destination bucket.

CreatedAt -> (timestamp)

The date and time the bucket was created at.

Owner -> (structure)

The owner of the S3 bucket.

Id -> (string)

The canonical user ID of the bucket owner. For information about locating your canonical user ID see Finding Your Account Canonical User ID.

Tags -> (list)

All tags attached to the S3 bucket

(structure)

Contains information about a tag associated with the EC2 instance.

Key -> (string)

The EC2 instance tag key.

Value -> (string)

The EC2 instance tag value.

DefaultServerSideEncryption -> (structure)

Describes the server side encryption method used in the S3 bucket.

EncryptionType -> (string)

The type of encryption used for objects within the S3 bucket.

KmsMasterKeyArn -> (string)

The Amazon Resource Name (ARN) of the KMS encryption key. Only available if the bucket EncryptionType is aws:kms .

PublicAccess -> (structure)

Describes the public access policies that apply to the S3 bucket.

PermissionConfiguration -> (structure)

Contains information about how permissions are configured for the S3 bucket.

BucketLevelPermissions -> (structure)

Contains information about the bucket level permissions for the S3 bucket.

AccessControlList -> (structure)

Contains information on how Access Control Policies are applied to the bucket.

AllowsPublicReadAccess -> (boolean)

A value that indicates whether public read access for the bucket is enabled through an Access Control List (ACL).

AllowsPublicWriteAccess -> (boolean)

A value that indicates whether public write access for the bucket is enabled through an Access Control List (ACL).

BucketPolicy -> (structure)

Contains information on the bucket policies for the S3 bucket.

AllowsPublicReadAccess -> (boolean)

A value that indicates whether public read access for the bucket is enabled through a bucket policy.

AllowsPublicWriteAccess -> (boolean)

A value that indicates whether public write access for the bucket is enabled through a bucket policy.

BlockPublicAccess -> (structure)

Contains information on which account level S3 Block Public Access settings are applied to the S3 bucket.

IgnorePublicAcls -> (boolean)

Indicates if S3 Block Public Access is set to IgnorePublicAcls .

RestrictPublicBuckets -> (boolean)

Indicates if S3 Block Public Access is set to RestrictPublicBuckets .

BlockPublicAcls -> (boolean)

Indicates if S3 Block Public Access is set to BlockPublicAcls .

BlockPublicPolicy -> (boolean)

Indicates if S3 Block Public Access is set to BlockPublicPolicy .

AccountLevelPermissions -> (structure)

Contains information about the account level permissions on the S3 bucket.

BlockPublicAccess -> (structure)

Describes the S3 Block Public Access settings of the bucket’s parent account.

IgnorePublicAcls -> (boolean)

Indicates if S3 Block Public Access is set to IgnorePublicAcls .

RestrictPublicBuckets -> (boolean)

Indicates if S3 Block Public Access is set to RestrictPublicBuckets .

BlockPublicAcls -> (boolean)

Indicates if S3 Block Public Access is set to BlockPublicAcls .

BlockPublicPolicy -> (boolean)

Indicates if S3 Block Public Access is set to BlockPublicPolicy .

EffectivePermission -> (string)

Describes the effective permission on this bucket after factoring all attached policies.

InstanceDetails -> (structure)

The information about the EC2 instance associated with the activity that prompted GuardDuty to generate a finding.

AvailabilityZone -> (string)

The Availability Zone of the EC2 instance.

IamInstanceProfile -> (structure)

The profile information of the EC2 instance.

Arn -> (string)

The profile ARN of the EC2 instance.

Id -> (string)

The profile ID of the EC2 instance.

ImageDescription -> (string)

The image description of the EC2 instance.

ImageId -> (string)

The image ID of the EC2 instance.

InstanceId -> (string)

The ID of the EC2 instance.

InstanceState -> (string)

The state of the EC2 instance.

InstanceType -> (string)

The type of the EC2 instance.

OutpostArn -> (string)

The Amazon Resource Name (ARN) of the Amazon Web Services Outpost. Only applicable to Amazon Web Services Outposts instances.

LaunchTime -> (string)

The launch time of the EC2 instance.

NetworkInterfaces -> (list)

The elastic network interface information of the EC2 instance.

(structure)

Contains information about the elastic network interface of the EC2 instance.

Ipv6Addresses -> (list)

A list of IPv6 addresses for the EC2 instance.

(string)

NetworkInterfaceId -> (string)

The ID of the network interface.

PrivateDnsName -> (string)

The private DNS name of the EC2 instance.

PrivateIpAddress -> (string)

The private IP address of the EC2 instance.

PrivateIpAddresses -> (list)

Other private IP address information of the EC2 instance.

(structure)

Contains other private IP address information of the EC2 instance.

PrivateDnsName -> (string)

The private DNS name of the EC2 instance.

PrivateIpAddress -> (string)

The private IP address of the EC2 instance.

PublicDnsName -> (string)

The public DNS name of the EC2 instance.

PublicIp -> (string)

The public IP address of the EC2 instance.

SecurityGroups -> (list)

The security groups associated with the EC2 instance.

(structure)

Contains information about the security groups associated with the EC2 instance.

GroupId -> (string)

The security group ID of the EC2 instance.

GroupName -> (string)

The security group name of the EC2 instance.

SubnetId -> (string)

The subnet ID of the EC2 instance.

VpcId -> (string)

The VPC ID of the EC2 instance.

Platform -> (string)

The platform of the EC2 instance.

ProductCodes -> (list)

The product code of the EC2 instance.

(structure)

Contains information about the product code for the EC2 instance.

Code -> (string)

The product code information.

ProductType -> (string)

The product code type.

Tags -> (list)

The tags of the EC2 instance.

(structure)

Contains information about a tag associated with the EC2 instance.

Key -> (string)

The EC2 instance tag key.

Value -> (string)

The EC2 instance tag value.

EksClusterDetails -> (structure)

Details about the EKS cluster involved in a Kubernetes finding.

Name -> (string)

EKS cluster name.

Arn -> (string)

EKS cluster ARN.

VpcId -> (string)

The VPC ID to which the EKS cluster is attached.

Status -> (string)

The EKS cluster status.

Tags -> (list)

The EKS cluster tags.

(structure)

Contains information about a tag associated with the EC2 instance.

Key -> (string)

The EC2 instance tag key.

Value -> (string)

The EC2 instance tag value.

CreatedAt -> (timestamp)

The timestamp when the EKS cluster was created.

KubernetesDetails -> (structure)

Details about the Kubernetes user and workload involved in a Kubernetes finding.

KubernetesUserDetails -> (structure)

Details about the Kubernetes user involved in a Kubernetes finding.

Username -> (string)

The username of the user who called the Kubernetes API.

Uid -> (string)

The user ID of the user who called the Kubernetes API.

Groups -> (list)

The groups that include the user who called the Kubernetes API.

(string)

SessionName -> (list)

Entity that assumes the IAM role when Kubernetes RBAC permissions are assigned to that role.

(string)

ImpersonatedUser -> (structure)

Information about the impersonated user.

Username -> (string)

Information about the username that was being impersonated.

Groups -> (list)

The group to which the user name belongs.

(string)

KubernetesWorkloadDetails -> (structure)

Details about the Kubernetes workload involved in a Kubernetes finding.

Name -> (string)

Kubernetes workload name.

Type -> (string)

Kubernetes workload type (e.g. Pod, Deployment, etc.).

Uid -> (string)

Kubernetes workload ID.

Namespace -> (string)

Kubernetes namespace that the workload is part of.

HostNetwork -> (boolean)

Whether the hostNetwork flag is enabled for the pods included in the workload.

Containers -> (list)

Containers running as part of the Kubernetes workload.

(structure)

Details of a container.

ContainerRuntime -> (string)

The container runtime (such as, Docker or containerd) used to run the container.

Id -> (string)

Container ID.

Name -> (string)

Container name.

Image -> (string)

Container image.

ImagePrefix -> (string)

Part of the image name before the last slash. For example, imagePrefix for public.ecr.aws/amazonlinux/amazonlinux:latest would be public.ecr.aws/amazonlinux. If the image name is relative and does not have a slash, this field is empty.

VolumeMounts -> (list)

Container volume mounts.

(structure)

Container volume mount.

Name -> (string)

Volume mount name.

MountPath -> (string)

Volume mount path.

SecurityContext -> (structure)

Container security context.

Privileged -> (boolean)

Whether the container is privileged.

AllowPrivilegeEscalation -> (boolean)

Whether or not a container or a Kubernetes pod is allowed to gain more privileges than its parent process.

Volumes -> (list)

Volumes used by the Kubernetes workload.

(structure)

Volume used by the Kubernetes workload.

Name -> (string)

Volume name.

HostPath -> (structure)

Represents a pre-existing file or directory on the host machine that the volume maps to.

Path -> (string)

Path of the file or directory on the host that the volume maps to.

ServiceAccountName -> (string)

The service account name that is associated with a Kubernetes workload.

HostIPC -> (boolean)

Whether the host IPC flag is enabled for the pods in the workload.

HostPID -> (boolean)

Whether the host PID flag is enabled for the pods in the workload.

ResourceType -> (string)

The type of Amazon Web Services resource.

EbsVolumeDetails -> (structure)

Contains list of scanned and skipped EBS volumes with details.

ScannedVolumeDetails -> (list)

List of EBS volumes that were scanned.

(structure)

Contains EBS volume details.

VolumeArn -> (string)

EBS volume Arn information.

VolumeType -> (string)

The EBS volume type.

DeviceName -> (string)

The device name for the EBS volume.

VolumeSizeInGB -> (integer)

EBS volume size in GB.

EncryptionType -> (string)

EBS volume encryption type.

SnapshotArn -> (string)

Snapshot Arn of the EBS volume.

KmsKeyArn -> (string)

KMS key Arn used to encrypt the EBS volume.

SkippedVolumeDetails -> (list)

List of EBS volumes that were skipped from the malware scan.

(structure)

Contains EBS volume details.

VolumeArn -> (string)

EBS volume Arn information.

VolumeType -> (string)

The EBS volume type.

DeviceName -> (string)

The device name for the EBS volume.

VolumeSizeInGB -> (integer)

EBS volume size in GB.

EncryptionType -> (string)

EBS volume encryption type.

SnapshotArn -> (string)

Snapshot Arn of the EBS volume.

KmsKeyArn -> (string)

KMS key Arn used to encrypt the EBS volume.

EcsClusterDetails -> (structure)

Contains information about the details of the ECS Cluster.

Name -> (string)

The name of the ECS Cluster.

Arn -> (string)

The Amazon Resource Name (ARN) that identifies the cluster.

Status -> (string)

The status of the ECS cluster.

ActiveServicesCount -> (integer)

The number of services that are running on the cluster in an ACTIVE state.

RegisteredContainerInstancesCount -> (integer)

The number of container instances registered into the cluster.

RunningTasksCount -> (integer)

The number of tasks in the cluster that are in the RUNNING state.

Tags -> (list)

The tags of the ECS Cluster.

(structure)

Contains information about a tag associated with the EC2 instance.

Key -> (string)

The EC2 instance tag key.

Value -> (string)

The EC2 instance tag value.

TaskDetails -> (structure)

Contains information about the details of the ECS Task.

Arn -> (string)

The Amazon Resource Name (ARN) of the task.

DefinitionArn -> (string)

The ARN of the task definition that creates the task.

Version -> (string)

The version counter for the task.

TaskCreatedAt -> (timestamp)

The Unix timestamp for the time when the task was created.

StartedAt -> (timestamp)

The Unix timestamp for the time when the task started.

StartedBy -> (string)

Contains the tag specified when a task is started.

Tags -> (list)

The tags of the ECS Task.

(structure)

Contains information about a tag associated with the EC2 instance.

Key -> (string)

The EC2 instance tag key.

Value -> (string)

The EC2 instance tag value.

Volumes -> (list)

The list of data volume definitions for the task.

(structure)

Volume used by the Kubernetes workload.

Name -> (string)

Volume name.

HostPath -> (structure)

Represents a pre-existing file or directory on the host machine that the volume maps to.

Path -> (string)

Path of the file or directory on the host that the volume maps to.

Containers -> (list)

The containers that’s associated with the task.

(structure)

Details of a container.

ContainerRuntime -> (string)

The container runtime (such as, Docker or containerd) used to run the container.

Id -> (string)

Container ID.

Name -> (string)

Container name.

Image -> (string)

Container image.

ImagePrefix -> (string)

Part of the image name before the last slash. For example, imagePrefix for public.ecr.aws/amazonlinux/amazonlinux:latest would be public.ecr.aws/amazonlinux. If the image name is relative and does not have a slash, this field is empty.

VolumeMounts -> (list)

Container volume mounts.

(structure)

Container volume mount.

Name -> (string)

Volume mount name.

MountPath -> (string)

Volume mount path.

SecurityContext -> (structure)

Container security context.

Privileged -> (boolean)

Whether the container is privileged.

AllowPrivilegeEscalation -> (boolean)

Whether or not a container or a Kubernetes pod is allowed to gain more privileges than its parent process.

Group -> (string)

The name of the task group that’s associated with the task.

ContainerDetails -> (structure)

Details of a container.

ContainerRuntime -> (string)

The container runtime (such as, Docker or containerd) used to run the container.

Id -> (string)

Container ID.

Name -> (string)

Container name.

Image -> (string)

Container image.

ImagePrefix -> (string)

Part of the image name before the last slash. For example, imagePrefix for public.ecr.aws/amazonlinux/amazonlinux:latest would be public.ecr.aws/amazonlinux. If the image name is relative and does not have a slash, this field is empty.

VolumeMounts -> (list)

Container volume mounts.

(structure)

Container volume mount.

Name -> (string)

Volume mount name.

MountPath -> (string)

Volume mount path.

SecurityContext -> (structure)

Container security context.

Privileged -> (boolean)

Whether the container is privileged.

AllowPrivilegeEscalation -> (boolean)

Whether or not a container or a Kubernetes pod is allowed to gain more privileges than its parent process.

RdsDbInstanceDetails -> (structure)

Contains information about the database instance to which an anomalous login attempt was made.

DbInstanceIdentifier -> (string)

The identifier associated to the database instance that was involved in the finding.

Engine -> (string)

The database engine of the database instance involved in the finding.

EngineVersion -> (string)

The version of the database engine that was involved in the finding.

DbClusterIdentifier -> (string)

The identifier of the database cluster that contains the database instance ID involved in the finding.

DbInstanceArn -> (string)

The Amazon Resource Name (ARN) that identifies the database instance involved in the finding.

Tags -> (list)

Instance tag key-value pairs associated with the database instance ID.

(structure)

Contains information about a tag associated with the EC2 instance.

Key -> (string)

The EC2 instance tag key.

Value -> (string)

The EC2 instance tag value.

RdsDbUserDetails -> (structure)

Contains information about the user details through which anomalous login attempt was made.

User -> (string)

The user name used in the anomalous login attempt.

Application -> (string)

The application name used in the anomalous login attempt.

Database -> (string)

The name of the database instance involved in the anomalous login attempt.

Ssl -> (string)

The version of the Secure Socket Layer (SSL) used for the network.

AuthMethod -> (string)

The authentication method used by the user involved in the finding.

LambdaDetails -> (structure)

Contains information about the Lambda function that was involved in a finding.

FunctionArn -> (string)

Amazon Resource Name (ARN) of the Lambda function.

FunctionName -> (string)

Name of the Lambda function.

Description -> (string)

Description of the Lambda function.

LastModifiedAt -> (timestamp)

The timestamp when the Lambda function was last modified. This field is in the UTC date string format (2023-03-22T19:37:20.168Z) .

RevisionId -> (string)

The revision ID of the Lambda function version.

FunctionVersion -> (string)

The version of the Lambda function.

Role -> (string)

The execution role of the Lambda function.

VpcConfig -> (structure)

Amazon Virtual Private Cloud configuration details associated with your Lambda function.

SubnetIds -> (list)

The identifiers of the subnets that are associated with your Lambda function.

(string)

VpcId -> (string)

The identifier of the Amazon Virtual Private Cloud.

SecurityGroups -> (list)

The identifier of the security group attached to the Lambda function.

(structure)

Contains information about the security groups associated with the EC2 instance.

GroupId -> (string)

The security group ID of the EC2 instance.

GroupName -> (string)

The security group name of the EC2 instance.

Tags -> (list)

A list of tags attached to this resource, listed in the format of key :value pair.

(structure)

Contains information about a tag associated with the EC2 instance.

Key -> (string)

The EC2 instance tag key.

Value -> (string)

The EC2 instance tag value.

SchemaVersion -> (string)

The version of the schema used for the finding.

Service -> (structure)

Contains additional information about the generated finding.

Action -> (structure)

Information about the activity that is described in a finding.

ActionType -> (string)

The GuardDuty finding activity type.

AwsApiCallAction -> (structure)

Information about the AWS_API_CALL action described in this finding.

Api -> (string)

The Amazon Web Services API name.

CallerType -> (string)

The Amazon Web Services API caller type.

DomainDetails -> (structure)

The domain information for the Amazon Web Services API call.

Domain -> (string)

The domain information for the Amazon Web Services API call.

ErrorCode -> (string)

The error code of the failed Amazon Web Services API action.

UserAgent -> (string)

The agent through which the API request was made.

RemoteIpDetails -> (structure)

The remote IP information of the connection that initiated the Amazon Web Services API call.

City -> (structure)

The city information of the remote IP address.

CityName -> (string)

The city name of the remote IP address.

Country -> (structure)

The country code of the remote IP address.

CountryCode -> (string)

The country code of the remote IP address.

CountryName -> (string)

The country name of the remote IP address.

GeoLocation -> (structure)

The location information of the remote IP address.

Lat -> (double)

The latitude information of the remote IP address.

Lon -> (double)

The longitude information of the remote IP address.

IpAddressV4 -> (string)

The IPv4 remote address of the connection.

Organization -> (structure)

The ISP organization information of the remote IP address.

Asn -> (string)

The Autonomous System Number (ASN) of the internet provider of the remote IP address.

AsnOrg -> (string)

The organization that registered this ASN.

Isp -> (string)

The ISP information for the internet provider.

Org -> (string)

The name of the internet provider.

ServiceName -> (string)

The Amazon Web Services service name whose API was invoked.

RemoteAccountDetails -> (structure)

The details of the Amazon Web Services account that made the API call. This field appears if the call was made from outside your account.

AccountId -> (string)

The Amazon Web Services account ID of the remote API caller.

Affiliated -> (boolean)

Details on whether the Amazon Web Services account of the remote API caller is related to your GuardDuty environment. If this value is True the API caller is affiliated to your account in some way. If it is False the API caller is from outside your environment.

AffectedResources -> (map)

The details of the Amazon Web Services account that made the API call. This field identifies the resources that were affected by this API call.

key -> (string)

value -> (string)

DnsRequestAction -> (structure)

Information about the DNS_REQUEST action described in this finding.

Domain -> (string)

The domain information for the DNS query.

Protocol -> (string)

The network connection protocol observed in the activity that prompted GuardDuty to generate the finding.

Blocked -> (boolean)

Indicates whether the targeted port is blocked.

DomainWithSuffix -> (string)

The second and top level domain involved in the activity that potentially prompted GuardDuty to generate this finding. For a list of top-level and second-level domains, see public suffix list .

NetworkConnectionAction -> (structure)

Information about the NETWORK_CONNECTION action described in this finding.

Blocked -> (boolean)

Indicates whether EC2 blocked the network connection to your instance.

ConnectionDirection -> (string)

The network connection direction.

LocalPortDetails -> (structure)

The local port information of the connection.

Port -> (integer)

The port number of the local connection.

PortName -> (string)

The port name of the local connection.

Protocol -> (string)

The network connection protocol.

LocalIpDetails -> (structure)

The local IP information of the connection.

IpAddressV4 -> (string)

The IPv4 local address of the connection.

RemoteIpDetails -> (structure)

The remote IP information of the connection.

City -> (structure)

The city information of the remote IP address.

CityName -> (string)

The city name of the remote IP address.

Country -> (structure)

The country code of the remote IP address.

CountryCode -> (string)

The country code of the remote IP address.

CountryName -> (string)

The country name of the remote IP address.

GeoLocation -> (structure)

The location information of the remote IP address.

Lat -> (double)

The latitude information of the remote IP address.

Lon -> (double)

The longitude information of the remote IP address.

IpAddressV4 -> (string)

The IPv4 remote address of the connection.

Organization -> (structure)

The ISP organization information of the remote IP address.

Asn -> (string)

The Autonomous System Number (ASN) of the internet provider of the remote IP address.

AsnOrg -> (string)

The organization that registered this ASN.

Isp -> (string)

The ISP information for the internet provider.

Org -> (string)

The name of the internet provider.

RemotePortDetails -> (structure)

The remote port information of the connection.

Port -> (integer)

The port number of the remote connection.

PortName -> (string)

The port name of the remote connection.

PortProbeAction -> (structure)

Information about the PORT_PROBE action described in this finding.

Blocked -> (boolean)

Indicates whether EC2 blocked the port probe to the instance, such as with an ACL.

PortProbeDetails -> (list)

A list of objects related to port probe details.

(structure)

Contains information about the port probe details.

LocalPortDetails -> (structure)

The local port information of the connection.

Port -> (integer)

The port number of the local connection.

PortName -> (string)

The port name of the local connection.

LocalIpDetails -> (structure)

The local IP information of the connection.

IpAddressV4 -> (string)

The IPv4 local address of the connection.

RemoteIpDetails -> (structure)

The remote IP information of the connection.

City -> (structure)

The city information of the remote IP address.

CityName -> (string)

The city name of the remote IP address.

Country -> (structure)

The country code of the remote IP address.

CountryCode -> (string)

The country code of the remote IP address.

CountryName -> (string)

The country name of the remote IP address.

GeoLocation -> (structure)

The location information of the remote IP address.

Lat -> (double)

The latitude information of the remote IP address.

Lon -> (double)

The longitude information of the remote IP address.

IpAddressV4 -> (string)

The IPv4 remote address of the connection.

Organization -> (structure)

The ISP organization information of the remote IP address.

Asn -> (string)

The Autonomous System Number (ASN) of the internet provider of the remote IP address.

AsnOrg -> (string)

The organization that registered this ASN.

Isp -> (string)

The ISP information for the internet provider.

Org -> (string)

The name of the internet provider.

KubernetesApiCallAction -> (structure)

Information about the Kubernetes API call action described in this finding.

RequestUri -> (string)

The Kubernetes API request URI.

Verb -> (string)

The Kubernetes API request HTTP verb.

SourceIps -> (list)

The IP of the Kubernetes API caller and the IPs of any proxies or load balancers between the caller and the API endpoint.

(string)

UserAgent -> (string)

The user agent of the caller of the Kubernetes API.

RemoteIpDetails -> (structure)

Contains information about the remote IP address of the connection.

City -> (structure)

The city information of the remote IP address.

CityName -> (string)

The city name of the remote IP address.

Country -> (structure)

The country code of the remote IP address.

CountryCode -> (string)

The country code of the remote IP address.

CountryName -> (string)

The country name of the remote IP address.

GeoLocation -> (structure)

The location information of the remote IP address.

Lat -> (double)

The latitude information of the remote IP address.

Lon -> (double)

The longitude information of the remote IP address.

IpAddressV4 -> (string)

The IPv4 remote address of the connection.

Organization -> (structure)

The ISP organization information of the remote IP address.

Asn -> (string)

The Autonomous System Number (ASN) of the internet provider of the remote IP address.

AsnOrg -> (string)

The organization that registered this ASN.

Isp -> (string)

The ISP information for the internet provider.

Org -> (string)

The name of the internet provider.

StatusCode -> (integer)

The resulting HTTP response code of the Kubernetes API call action.

Parameters -> (string)

Parameters related to the Kubernetes API call action.

Resource -> (string)

The resource component in the Kubernetes API call action.

Subresource -> (string)

The name of the sub-resource in the Kubernetes API call action.

Namespace -> (string)

The name of the namespace where the Kubernetes API call action takes place.

ResourceName -> (string)

The name of the resource in the Kubernetes API call action.

RdsLoginAttemptAction -> (structure)

Information about RDS_LOGIN_ATTEMPT action described in this finding.

RemoteIpDetails -> (structure)

Contains information about the remote IP address of the connection.

City -> (structure)

The city information of the remote IP address.

CityName -> (string)

The city name of the remote IP address.

Country -> (structure)

The country code of the remote IP address.

CountryCode -> (string)

The country code of the remote IP address.

CountryName -> (string)

The country name of the remote IP address.

GeoLocation -> (structure)

The location information of the remote IP address.

Lat -> (double)

The latitude information of the remote IP address.

Lon -> (double)

The longitude information of the remote IP address.

IpAddressV4 -> (string)

The IPv4 remote address of the connection.

Organization -> (structure)

The ISP organization information of the remote IP address.

Asn -> (string)

The Autonomous System Number (ASN) of the internet provider of the remote IP address.

AsnOrg -> (string)

The organization that registered this ASN.

Isp -> (string)

The ISP information for the internet provider.

Org -> (string)

The name of the internet provider.

LoginAttributes -> (list)

Indicates the login attributes used in the login attempt.

(structure)

Information about the login attempts.

User -> (string)

Indicates the user name which attempted to log in.

Application -> (string)

Indicates the application name used to attempt log in.

FailedLoginAttempts -> (integer)

Represents the sum of failed (unsuccessful) login attempts made to establish a connection to the database instance.

SuccessfulLoginAttempts -> (integer)

Represents the sum of successful connections (a correct combination of login attributes) made to the database instance by the actor.

KubernetesPermissionCheckedDetails -> (structure)

Information whether the user has the permission to use a specific Kubernetes API.

Verb -> (string)

The verb component of the Kubernetes API call. For example, when you check whether or not you have the permission to call the CreatePod API, the verb component will be Create .

Resource -> (string)

The Kubernetes resource with which your Kubernetes API call will interact.

Namespace -> (string)

The namespace where the Kubernetes API action will take place.

Allowed -> (boolean)

Information whether the user has the permission to call the Kubernetes API.

KubernetesRoleBindingDetails -> (structure)

Information about the role binding that grants the permission defined in a Kubernetes role.

Kind -> (string)

The kind of the role. For role binding, this value will be RoleBinding .

Name -> (string)

The name of the RoleBinding .

Uid -> (string)

The unique identifier of the role binding.

RoleRefName -> (string)

The name of the role being referenced. This must match the name of the Role or ClusterRole that you want to bind to.

RoleRefKind -> (string)

The type of the role being referenced. This could be either Role or ClusterRole .

KubernetesRoleDetails -> (structure)

Information about the Kubernetes role name and role type.

Kind -> (string)

The kind of role. For this API, the value of kind will be Role .

Name -> (string)

The name of the Kubernetes role.

Uid -> (string)

The unique identifier of the Kubernetes role name.

Evidence -> (structure)

An evidence object associated with the service.

ThreatIntelligenceDetails -> (list)

A list of threat intelligence details related to the evidence.

(structure)

An instance of a threat intelligence detail that constitutes evidence for the finding.

ThreatListName -> (string)

The name of the threat intelligence list that triggered the finding.

ThreatNames -> (list)

A list of names of the threats in the threat intelligence list that triggered the finding.

(string)

ThreatFileSha256 -> (string)

SHA256 of the file that generated the finding.

Archived -> (boolean)

Indicates whether this finding is archived.

Count -> (integer)

The total count of the occurrences of this finding type.

DetectorId -> (string)

The detector ID for the GuardDuty service.

EventFirstSeen -> (string)

The first-seen timestamp of the activity that prompted GuardDuty to generate this finding.

EventLastSeen -> (string)

The last-seen timestamp of the activity that prompted GuardDuty to generate this finding.

ResourceRole -> (string)

The resource role information for this finding.

ServiceName -> (string)

The name of the Amazon Web Services service (GuardDuty) that generated a finding.

UserFeedback -> (string)

Feedback that was submitted about the finding.

AdditionalInfo -> (structure)

Contains additional information about the generated finding.

Value -> (string)

This field specifies the value of the additional information.

Type -> (string)

Describes the type of the additional information.

FeatureName -> (string)

The name of the feature that generated a finding.

EbsVolumeScanDetails -> (structure)

Returns details from the malware scan that created a finding.

ScanId -> (string)

Unique Id of the malware scan that generated the finding.

ScanStartedAt -> (timestamp)

Returns the start date and time of the malware scan.

ScanCompletedAt -> (timestamp)

Returns the completion date and time of the malware scan.

TriggerFindingId -> (string)

GuardDuty finding ID that triggered a malware scan.

Sources -> (list)

Contains list of threat intelligence sources used to detect threats.

(string)

ScanDetections -> (structure)

Contains a complete view providing malware scan result details.

ScannedItemCount -> (structure)

Total number of scanned files.

TotalGb -> (integer)

Total GB of files scanned for malware.

Files -> (integer)

Number of files scanned.

Volumes -> (integer)

Total number of scanned volumes.

ThreatsDetectedItemCount -> (structure)

Total number of infected files.

Files -> (integer)

Total number of infected files.

HighestSeverityThreatDetails -> (structure)

Details of the highest severity threat detected during malware scan and number of infected files.

Severity -> (string)

Severity level of the highest severity threat detected.

ThreatName -> (string)

Threat name of the highest severity threat detected as part of the malware scan.

Count -> (integer)

Total number of infected files with the highest severity threat detected.

ThreatDetectedByName -> (structure)

Contains details about identified threats organized by threat name.

ItemCount -> (integer)

Total number of infected files identified.

UniqueThreatNameCount -> (integer)

Total number of unique threats by name identified, as part of the malware scan.

Shortened -> (boolean)

Flag to determine if the finding contains every single infected file-path and/or every threat.

ThreatNames -> (list)

List of identified threats with details, organized by threat name.

(structure)

Contains files infected with the given threat providing details of malware name and severity.

Name -> (string)

The name of the identified threat.

Severity -> (string)

Severity of threat identified as part of the malware scan.

ItemCount -> (integer)

Total number of files infected with given threat.

FilePaths -> (list)

List of infected files in EBS volume with details.

(structure)

Contains details of infected file including name, file path and hash.

FilePath -> (string)

The file path of the infected file.

VolumeArn -> (string)

EBS volume Arn details of the infected file.

Hash -> (string)

The hash value of the infected file.

FileName -> (string)

File name of the infected file.

ScanType -> (string)

Specifies the scan type that invoked the malware scan.

RuntimeDetails -> (structure)

Information about the process and any required context values for a specific finding

Process -> (structure)

Information about the observed process.

Name -> (string)

The name of the process.

ExecutablePath -> (string)

The absolute path of the process executable file.

ExecutableSha256 -> (string)

The SHA256 hash of the process executable.

NamespacePid -> (integer)

The ID of the child process.

Pwd -> (string)

The present working directory of the process.

Pid -> (integer)

The ID of the process.

StartTime -> (timestamp)

The time when the process started. This is in UTC format.

Uuid -> (string)

The unique ID assigned to the process by GuardDuty.

ParentUuid -> (string)

The unique ID of the parent process. This ID is assigned to the parent process by GuardDuty.

User -> (string)

The user that executed the process.

UserId -> (integer)

The unique ID of the user that executed the process.

Euid -> (integer)

The effective user ID of the user that executed the process.

Lineage -> (list)

Information about the process’s lineage.

(structure)

Information about the runtime process details.

StartTime -> (timestamp)

The time when the process started. This is in UTC format.

NamespacePid -> (integer)

The process ID of the child process.

UserId -> (integer)

The user ID of the user that executed the process.

Name -> (string)

The name of the process.

Pid -> (integer)

The ID of the process.

Uuid -> (string)

The unique ID assigned to the process by GuardDuty.

ExecutablePath -> (string)

The absolute path of the process executable file.

Euid -> (integer)

The effective user ID that was used to execute the process.

ParentUuid -> (string)

The unique ID of the parent process. This ID is assigned to the parent process by GuardDuty.

Context -> (structure)

Additional information about the suspicious activity.

ModifyingProcess -> (structure)

Information about the process that modified the current process. This is available for multiple finding types.

Name -> (string)

The name of the process.

ExecutablePath -> (string)

The absolute path of the process executable file.

ExecutableSha256 -> (string)

The SHA256 hash of the process executable.

NamespacePid -> (integer)

The ID of the child process.

Pwd -> (string)

The present working directory of the process.

Pid -> (integer)

The ID of the process.

StartTime -> (timestamp)

The time when the process started. This is in UTC format.

Uuid -> (string)

The unique ID assigned to the process by GuardDuty.

ParentUuid -> (string)

The unique ID of the parent process. This ID is assigned to the parent process by GuardDuty.

User -> (string)

The user that executed the process.

UserId -> (integer)

The unique ID of the user that executed the process.

Euid -> (integer)

The effective user ID of the user that executed the process.

Lineage -> (list)

Information about the process’s lineage.

(structure)

Information about the runtime process details.

StartTime -> (timestamp)

The time when the process started. This is in UTC format.

NamespacePid -> (integer)

The process ID of the child process.

UserId -> (integer)

The user ID of the user that executed the process.

Name -> (string)

The name of the process.

Pid -> (integer)

The ID of the process.

Uuid -> (string)

The unique ID assigned to the process by GuardDuty.

ExecutablePath -> (string)

The absolute path of the process executable file.

Euid -> (integer)

The effective user ID that was used to execute the process.

ParentUuid -> (string)

The unique ID of the parent process. This ID is assigned to the parent process by GuardDuty.

ModifiedAt -> (timestamp)

The timestamp at which the process modified the current process. The timestamp is in UTC date string format.

ScriptPath -> (string)

The path to the script that was executed.

LibraryPath -> (string)

The path to the new library that was loaded.

LdPreloadValue -> (string)

The value of the LD_PRELOAD environment variable.

SocketPath -> (string)

The path to the docket socket that was accessed.

RuncBinaryPath -> (string)

The path to the leveraged runc implementation.

ReleaseAgentPath -> (string)

The path in the container that modified the release agent file.

MountSource -> (string)

The path on the host that is mounted by the container.

MountTarget -> (string)

The path in the container that is mapped to the host directory.

FileSystemType -> (string)

Represents the type of mounted fileSystem.

Flags -> (list)

Represents options that control the behavior of a runtime operation or action. For example, a filesystem mount operation may contain a read-only flag.

(string)

ModuleName -> (string)

The name of the module loaded into the kernel.

ModuleFilePath -> (string)

The path to the module loaded into the kernel.

ModuleSha256 -> (string)

The SHA256 hash of the module.

ShellHistoryFilePath -> (string)

The path to the modified shell history file.

TargetProcess -> (structure)

Information about the process that had its memory overwritten by the current process.

Name -> (string)

The name of the process.

ExecutablePath -> (string)

The absolute path of the process executable file.

ExecutableSha256 -> (string)

The SHA256 hash of the process executable.

NamespacePid -> (integer)

The ID of the child process.

Pwd -> (string)

The present working directory of the process.

Pid -> (integer)

The ID of the process.

StartTime -> (timestamp)

The time when the process started. This is in UTC format.

Uuid -> (string)

The unique ID assigned to the process by GuardDuty.

ParentUuid -> (string)

The unique ID of the parent process. This ID is assigned to the parent process by GuardDuty.

User -> (string)

The user that executed the process.

UserId -> (integer)

The unique ID of the user that executed the process.

Euid -> (integer)

The effective user ID of the user that executed the process.

Lineage -> (list)

Information about the process’s lineage.

(structure)

Information about the runtime process details.

StartTime -> (timestamp)

The time when the process started. This is in UTC format.

NamespacePid -> (integer)

The process ID of the child process.

UserId -> (integer)

The user ID of the user that executed the process.

Name -> (string)

The name of the process.

Pid -> (integer)

The ID of the process.

Uuid -> (string)

The unique ID assigned to the process by GuardDuty.

ExecutablePath -> (string)

The absolute path of the process executable file.

Euid -> (integer)

The effective user ID that was used to execute the process.

ParentUuid -> (string)

The unique ID of the parent process. This ID is assigned to the parent process by GuardDuty.

AddressFamily -> (string)

Represents the communication protocol associated with the address. For example, the address family AF_INET is used for IP version of 4 protocol.

IanaProtocolNumber -> (integer)

Specifies a particular protocol within the address family. Usually there is a single protocol in address families. For example, the address family AF_INET only has the IP protocol.

MemoryRegions -> (list)

Specifies the Region of a process’s address space such as stack and heap.

(string)

ToolName -> (string)

Name of the potentially suspicious tool.

ToolCategory -> (string)

Category that the tool belongs to. Some of the examples are Backdoor Tool, Pentest Tool, Network Scanner, and Network Sniffer.

ServiceName -> (string)

Name of the security service that has been potentially disabled.

CommandLineExample -> (string)

Example of the command line involved in the suspicious activity.

ThreatFilePath -> (string)

The suspicious file path for which the threat intelligence details were found.

Detection -> (structure)

Contains information about the detected unusual behavior.

Anomaly -> (structure)

The details about the anomalous activity that caused GuardDuty to generate the finding.

Profiles -> (map)

Information about the types of profiles.

key -> (string)

value -> (map)

key -> (string)

value -> (list)

(structure)

Contains information about the unusual anomalies.

ProfileType -> (string)

The type of behavior of the profile.

ProfileSubtype -> (string)

The frequency of the anomaly.

Observations -> (structure)

The recorded value.

Text -> (list)

The text that was unusual.

(string)

Unusual -> (structure)

Information about the behavior of the anomalies.

Behavior -> (map)

The behavior of the anomalous activity that caused GuardDuty to generate the finding.

key -> (string)

value -> (map)

key -> (string)

value -> (structure)

Contains information about the unusual anomalies.

ProfileType -> (string)

The type of behavior of the profile.

ProfileSubtype -> (string)

The frequency of the anomaly.

Observations -> (structure)

The recorded value.

Text -> (list)

The text that was unusual.

(string)

Severity -> (double)

The severity of the finding.

Title -> (string)

The title of the finding.

Type -> (string)

The type of finding.

UpdatedAt -> (string)

The time and date when the finding was last updated.