Class: Aws::GuardDuty::Client

Inherits:

Seahorse::Client::Base

Object
Seahorse::Client::Base
Aws::GuardDuty::Client

show all

Includes:: ClientStubs

Defined in:: lib/aws-sdk-guardduty/client.rb

Overview

An API client for GuardDuty. To construct a client, you need to configure a ‘:region` and `:credentials`.

client = Aws::GuardDuty::Client.new(
  region: region_name,
  credentials: credentials,
  # ...
)

For details on configuring region and credentials see the [developer guide](/sdk-for-ruby/v3/developer-guide/setup-config.html).

See #initialize for a full list of supported configuration options.

Class Attribute Summary collapse

.identifier ⇒ Object readonly private

API Operations collapse

#accept_administrator_invitation(params = {}) ⇒ Struct

Accepts the invitation to be a member account and get monitored by a GuardDuty administrator account that sent the invitation.
#accept_invitation(params = {}) ⇒ Struct

Accepts the invitation to be monitored by a GuardDuty administrator account.
#archive_findings(params = {}) ⇒ Struct

Archives GuardDuty findings that are specified by the list of finding IDs.
#create_detector(params = {}) ⇒ Types::CreateDetectorResponse

Creates a single GuardDuty detector.
#create_filter(params = {}) ⇒ Types::CreateFilterResponse

Creates a filter using the specified finding criteria.
#create_investigation(params = {}) ⇒ Types::CreateInvestigationResponse

This API is currently available as a preview.
#create_ip_set(params = {}) ⇒ Types::CreateIPSetResponse

Creates a new IPSet, which is called a trusted IP list in the console user interface.
#create_malware_protection_plan(params = {}) ⇒ Types::CreateMalwareProtectionPlanResponse

Creates a new Malware Protection plan for the protected resource.
#create_members(params = {}) ⇒ Types::CreateMembersResponse

Creates member accounts of the current Amazon Web Services account by specifying a list of Amazon Web Services account IDs.
#create_publishing_destination(params = {}) ⇒ Types::CreatePublishingDestinationResponse

Creates a publishing destination where you can export your GuardDuty findings.
#create_sample_findings(params = {}) ⇒ Struct

Generates sample findings of types specified by the list of finding types.
#create_threat_entity_set(params = {}) ⇒ Types::CreateThreatEntitySetResponse

Creates a new threat entity set.
#create_threat_intel_set(params = {}) ⇒ Types::CreateThreatIntelSetResponse

Creates a new ThreatIntelSet.
#create_trusted_entity_set(params = {}) ⇒ Types::CreateTrustedEntitySetResponse

Creates a new trusted entity set.
#decline_invitations(params = {}) ⇒ Types::DeclineInvitationsResponse

Declines invitations sent to the current member account by Amazon Web Services accounts specified by their account IDs.
#delete_detector(params = {}) ⇒ Struct

Deletes an Amazon GuardDuty detector that is specified by the detector ID.
#delete_filter(params = {}) ⇒ Struct

Deletes the filter specified by the filter name.
#delete_invitations(params = {}) ⇒ Types::DeleteInvitationsResponse

Deletes invitations sent to the current member account by Amazon Web Services accounts specified by their account IDs.
#delete_ip_set(params = {}) ⇒ Struct

Deletes the IPSet specified by the ‘ipSetId`.
#delete_malware_protection_plan(params = {}) ⇒ Struct

Deletes the Malware Protection plan ID associated with the Malware Protection plan resource.
#delete_members(params = {}) ⇒ Types::DeleteMembersResponse

Deletes GuardDuty member accounts (to the current GuardDuty administrator account) specified by the account IDs.
#delete_publishing_destination(params = {}) ⇒ Struct

Deletes the publishing definition with the specified ‘destinationId`.
#delete_threat_entity_set(params = {}) ⇒ Struct

Deletes the threat entity set that is associated with the specified ‘threatEntitySetId`.
#delete_threat_intel_set(params = {}) ⇒ Struct

Deletes the ThreatIntelSet specified by the ThreatIntelSet ID.
#delete_trusted_entity_set(params = {}) ⇒ Struct

Deletes the trusted entity set that is associated with the specified ‘trustedEntitySetId`.
#describe_malware_scans(params = {}) ⇒ Types::DescribeMalwareScansResponse

Returns a list of malware scans.
#describe_organization_configuration(params = {}) ⇒ Types::DescribeOrganizationConfigurationResponse

Returns information about the account selected as the delegated administrator for GuardDuty.
#describe_publishing_destination(params = {}) ⇒ Types::DescribePublishingDestinationResponse

Returns information about the publishing destination specified by the provided ‘destinationId`.
#disable_organization_admin_account(params = {}) ⇒ Struct

Removes the existing GuardDuty delegated administrator of the organization.
#disassociate_from_administrator_account(params = {}) ⇒ Struct

Disassociates the current GuardDuty member account from its administrator account.
#disassociate_from_master_account(params = {}) ⇒ Struct

Disassociates the current GuardDuty member account from its administrator account.
#disassociate_members(params = {}) ⇒ Types::DisassociateMembersResponse

Disassociates GuardDuty member accounts (from the current administrator account) specified by the account IDs.
#enable_organization_admin_account(params = {}) ⇒ Struct

Designates an Amazon Web Services account within the organization as your GuardDuty delegated administrator.
#get_administrator_account(params = {}) ⇒ Types::GetAdministratorAccountResponse

Provides the details of the GuardDuty administrator account associated with the current GuardDuty member account.
#get_coverage_statistics(params = {}) ⇒ Types::GetCoverageStatisticsResponse

Retrieves aggregated statistics for your account.
#get_detector(params = {}) ⇒ Types::GetDetectorResponse

Retrieves a GuardDuty detector specified by the detectorId.
#get_filter(params = {}) ⇒ Types::GetFilterResponse

Returns the details of the filter specified by the filter name.
#get_findings(params = {}) ⇒ Types::GetFindingsResponse

Describes Amazon GuardDuty findings specified by finding IDs.
#get_findings_statistics(params = {}) ⇒ Types::GetFindingsStatisticsResponse

Lists GuardDuty findings statistics for the specified detector ID.
#get_investigation(params = {}) ⇒ Types::GetInvestigationResponse

This API is currently available as a preview.
#get_invitations_count(params = {}) ⇒ Types::GetInvitationsCountResponse

Returns the count of all GuardDuty membership invitations that were sent to the current member account except the currently accepted invitation.
#get_ip_set(params = {}) ⇒ Types::GetIPSetResponse

Retrieves the IPSet specified by the ‘ipSetId`.
#get_malware_protection_plan(params = {}) ⇒ Types::GetMalwareProtectionPlanResponse

Retrieves the Malware Protection plan details associated with a Malware Protection plan ID.
#get_malware_scan(params = {}) ⇒ Types::GetMalwareScanResponse

Retrieves the detailed information for a specific malware scan.
#get_malware_scan_settings(params = {}) ⇒ Types::GetMalwareScanSettingsResponse

Returns the details of the malware scan settings.
#get_master_account(params = {}) ⇒ Types::GetMasterAccountResponse

Provides the details for the GuardDuty administrator account associated with the current GuardDuty member account.
#get_member_detectors(params = {}) ⇒ Types::GetMemberDetectorsResponse

Describes which data sources are enabled for the member account’s detector.
#get_members(params = {}) ⇒ Types::GetMembersResponse

Retrieves GuardDuty member accounts (of the current GuardDuty administrator account) specified by the account IDs.
#get_organization_statistics(params = {}) ⇒ Types::GetOrganizationStatisticsResponse

Retrieves how many active member accounts have each feature enabled within GuardDuty.
#get_remaining_free_trial_days(params = {}) ⇒ Types::GetRemainingFreeTrialDaysResponse

Provides the number of days left for each data source used in the free trial period.
#get_threat_entity_set(params = {}) ⇒ Types::GetThreatEntitySetResponse

Retrieves the threat entity set associated with the specified ‘threatEntitySetId`.
#get_threat_intel_set(params = {}) ⇒ Types::GetThreatIntelSetResponse

Retrieves the ThreatIntelSet that is specified by the ThreatIntelSet ID.
#get_trusted_entity_set(params = {}) ⇒ Types::GetTrustedEntitySetResponse

Retrieves the trusted entity set associated with the specified ‘trustedEntitySetId`.
#get_usage_statistics(params = {}) ⇒ Types::GetUsageStatisticsResponse

Lists Amazon GuardDuty usage statistics over the last 30 days for the specified detector ID.
#invite_members(params = {}) ⇒ Types::InviteMembersResponse

Invites Amazon Web Services accounts to become members of an organization administered by the Amazon Web Services account that invokes this API.
#list_coverage(params = {}) ⇒ Types::ListCoverageResponse

Lists coverage details for your GuardDuty account.
#list_detectors(params = {}) ⇒ Types::ListDetectorsResponse

Lists detectorIds of all the existing Amazon GuardDuty detector resources.
#list_filters(params = {}) ⇒ Types::ListFiltersResponse

Returns a paginated list of the current filters.
#list_findings(params = {}) ⇒ Types::ListFindingsResponse

Lists GuardDuty findings for the specified detector ID.
#list_investigations(params = {}) ⇒ Types::ListInvestigationsResponse

This API is currently available as a preview.
#list_invitations(params = {}) ⇒ Types::ListInvitationsResponse

Lists all GuardDuty membership invitations that were sent to the current Amazon Web Services account.
#list_ip_sets(params = {}) ⇒ Types::ListIPSetsResponse

Lists the IPSets of the GuardDuty service specified by the detector ID.
#list_malware_protection_plans(params = {}) ⇒ Types::ListMalwareProtectionPlansResponse

Lists the Malware Protection plan IDs associated with the protected resources in your Amazon Web Services account.
#list_malware_scans(params = {}) ⇒ Types::ListMalwareScansResponse

Returns a list of malware scans.
#list_members(params = {}) ⇒ Types::ListMembersResponse

Lists details about all member accounts for the current GuardDuty administrator account.
#list_organization_admin_accounts(params = {}) ⇒ Types::ListOrganizationAdminAccountsResponse

Lists the accounts designated as GuardDuty delegated administrators.
#list_publishing_destinations(params = {}) ⇒ Types::ListPublishingDestinationsResponse

Returns a list of publishing destinations associated with the specified ‘detectorId`.
#list_tags_for_resource(params = {}) ⇒ Types::ListTagsForResourceResponse

Lists tags for a resource.
#list_threat_entity_sets(params = {}) ⇒ Types::ListThreatEntitySetsResponse

Lists the threat entity sets associated with the specified GuardDuty detector ID.
#list_threat_intel_sets(params = {}) ⇒ Types::ListThreatIntelSetsResponse

Lists the ThreatIntelSets of the GuardDuty service specified by the detector ID.
#list_trusted_entity_sets(params = {}) ⇒ Types::ListTrustedEntitySetsResponse

Lists the trusted entity sets associated with the specified GuardDuty detector ID.
#send_object_malware_scan(params = {}) ⇒ Struct

Initiates a malware scan for a specific S3 object.
#start_malware_scan(params = {}) ⇒ Types::StartMalwareScanResponse

Initiates the malware scan.
#start_monitoring_members(params = {}) ⇒ Types::StartMonitoringMembersResponse

Turns on GuardDuty monitoring of the specified member accounts.
#stop_monitoring_members(params = {}) ⇒ Types::StopMonitoringMembersResponse

Stops GuardDuty monitoring for the specified member accounts.
#tag_resource(params = {}) ⇒ Struct

Adds tags to a resource.
#unarchive_findings(params = {}) ⇒ Struct

Unarchives GuardDuty findings specified by the ‘findingIds`.
#untag_resource(params = {}) ⇒ Struct

Removes tags from a resource.
#update_detector(params = {}) ⇒ Struct

Updates the GuardDuty detector specified by the detector ID.
#update_filter(params = {}) ⇒ Types::UpdateFilterResponse

Updates the filter specified by the filter name.
#update_findings_feedback(params = {}) ⇒ Struct

Marks the specified GuardDuty findings as useful or not useful.
#update_ip_set(params = {}) ⇒ Struct

Updates the IPSet specified by the IPSet ID.
#update_malware_protection_plan(params = {}) ⇒ Struct

Updates an existing Malware Protection plan resource.
#update_malware_scan_settings(params = {}) ⇒ Struct

Updates the malware scan settings.
#update_member_detectors(params = {}) ⇒ Types::UpdateMemberDetectorsResponse

Contains information on member accounts to be updated.
#update_organization_configuration(params = {}) ⇒ Struct

Configures the delegated administrator account with the provided values.
#update_publishing_destination(params = {}) ⇒ Struct

Updates information about the publishing destination specified by the ‘destinationId`.
#update_threat_entity_set(params = {}) ⇒ Struct

Updates the threat entity set associated with the specified ‘threatEntitySetId`.
#update_threat_intel_set(params = {}) ⇒ Struct

Updates the ThreatIntelSet specified by the ThreatIntelSet ID.
#update_trusted_entity_set(params = {}) ⇒ Struct

Updates the trusted entity set associated with the specified ‘trustedEntitySetId`.

Class Method Summary collapse

.errors_module ⇒ Object private

Instance Method Summary collapse

#build_request(operation_name, params = {}) ⇒ Object private
#initialize(options) ⇒ Client constructor

A new instance of Client.
#waiter_names ⇒ Object deprecated private Deprecated.

Constructor Details

#initialize(options) ⇒ `Client`

Returns a new instance of Client.

Parameters:

options (Hash)

Options Hash (options):

:plugins (Array<Seahorse::Client::Plugin>) — default: []] —

A list of plugins to apply to the client. Each plugin is either a class name or an instance of a plugin class.
:credentials (required, Aws::CredentialProvider) —
Your AWS credentials used for authentication. This can be any class that includes and implements ‘Aws::CredentialProvider`, or instance of any one of the following classes:
- ‘Aws::Credentials` - Used for configuring static, non-refreshing credentials.
- ‘Aws::SharedCredentials` - Used for loading static credentials from a shared file, such as `~/.aws/config`.
- ‘Aws::AssumeRoleCredentials` - Used when you need to assume a role.
- ‘Aws::AssumeRoleWebIdentityCredentials` - Used when you need to assume a role after providing credentials via the web.
- ‘Aws::SSOCredentials` - Used for loading credentials from AWS SSO using an access token generated from `aws login`.
- ‘Aws::ProcessCredentials` - Used for loading credentials from a process that outputs to stdout.
- ‘Aws::InstanceProfileCredentials` - Used for loading credentials from an EC2 IMDS on an EC2 instance.
- ‘Aws::ECSCredentials` - Used for loading credentials from instances running in ECS.
- ‘Aws::CognitoIdentityCredentials` - Used for loading credentials from the Cognito Identity service.
When ‘:credentials` are not configured directly, the following locations will be searched for credentials:
- ‘Aws.config`
- The ‘:access_key_id`, `:secret_access_key`, `:session_token`, and `:account_id` options.
- ‘ENV`, `ENV`, `ENV`, and `ENV`.
- ‘~/.aws/credentials`
- ‘~/.aws/config`
- EC2/ECS IMDS instance profile - When used by default, the timeouts are very aggressive. Construct and pass an instance of ‘Aws::InstanceProfileCredentials` or `Aws::ECSCredentials` to enable retries and extended timeouts. Instance profile credential fetching can be disabled by setting `ENV` to `true`.
:region (required, String) —
The AWS region to connect to. The configured ‘:region` is used to determine the service `:endpoint`. When not passed, a default `:region` is searched for in the following locations:
- ‘Aws.config`
- ‘ENV`
- ‘ENV`
- ‘ENV`
- ‘~/.aws/credentials`
- ‘~/.aws/config`
:access_key_id (String)
:account_id (String)
:active_endpoint_cache (Boolean) — default: false —

When set to ‘true`, a thread polling for endpoints will be running in the background every 60 secs (default). Defaults to `false`.
:adaptive_retry_wait_to_fill (Boolean) — default: true —

Used only in ‘adaptive` retry mode. When true, the request will sleep until there is sufficent client side capacity to retry the request. When false, the request will raise a `RetryCapacityNotAvailableError` and will not retry instead of sleeping.
:auth_scheme_preference (Array<String>) —

A list of preferred authentication schemes to use when making a request. Supported values are: ‘sigv4`, `sigv4a`, `httpBearerAuth`, and `noAuth`. When set using `ENV` or in shared config as `auth_scheme_preference`, the value should be a comma-separated list.
:client_side_monitoring (Boolean) — default: false —

When ‘true`, client-side metrics will be collected for all API requests from this client.
:client_side_monitoring_client_id (String) — default: "" —

Allows you to provide an identifier for this client which will be attached to all generated client side metrics. Defaults to an empty string.
:client_side_monitoring_host (String) — default: "127.0.0.1" —

Allows you to specify the DNS hostname or IPv4 or IPv6 address that the client side monitoring agent is running on, where client metrics will be published via UDP.
:client_side_monitoring_port (Integer) — default: 31000 —

Required for publishing client metrics. The port that the client side monitoring agent is running on, where client metrics will be published via UDP.
:client_side_monitoring_publisher (Aws::ClientSideMonitoring::Publisher) — default: Aws::ClientSideMonitoring::Publisher —

Allows you to provide a custom client-side monitoring publisher class. By default, will use the Client Side Monitoring Agent Publisher.
:convert_params (Boolean) — default: true —

When ‘true`, an attempt is made to coerce request parameters into the required types.
:correct_clock_skew (Boolean) — default: true —

Used only in ‘standard` and `adaptive` retry modes. Specifies whether to apply a clock skew correction and retry requests with skewed client clocks.
:defaults_mode (String) — default: "legacy" —

See DefaultsModeConfiguration for a list of the accepted modes and the configuration defaults that are included.
:disable_host_prefix_injection (Boolean) — default: false —

When ‘true`, the SDK will not prepend the modeled host prefix to the endpoint.
:disable_request_compression (Boolean) — default: false —

When set to ‘true’ the request body will not be compressed for supported operations.
:endpoint (String, URI::HTTPS, URI::HTTP) —
Normally you should not configure the ‘:endpoint` option directly. This is normally constructed from the `:region` option. Configuring `:endpoint` is normally reserved for connecting to test or custom endpoints. The endpoint should be a URI formatted like:
```
'http://example.com'
'https://example.com'
'http://example.com:123'
```
:endpoint_cache_max_entries (Integer) — default: 1000 —

Used for the maximum size limit of the LRU cache storing endpoints data for endpoint discovery enabled operations. Defaults to 1000.
:endpoint_cache_max_threads (Integer) — default: 10 —

Used for the maximum threads in use for polling endpoints to be cached, defaults to 10.
:endpoint_cache_poll_interval (Integer) — default: 60 —

When :endpoint_discovery and :active_endpoint_cache is enabled, Use this option to config the time interval in seconds for making requests fetching endpoints information. Defaults to 60 sec.
:endpoint_discovery (Boolean) — default: false —

When set to ‘true`, endpoint discovery will be enabled for operations when available.
:ignore_configured_endpoint_urls (Boolean) —

Setting to true disables use of endpoint URLs provided via environment variables and the shared configuration file.
:log_formatter (Aws::Log::Formatter) — default: Aws::Log::Formatter.default —

The log formatter.
:log_level (Symbol) — default: :info —

The log level to send messages to the ‘:logger` at.
:logger (Logger) —

The Logger instance to send log messages to. If this option is not set, logging will be disabled.
:max_attempts (Integer) — default: 3 —

An integer representing the maximum number attempts that will be made for a single request, including the initial attempt. For example, setting this value to 5 will result in a request being retried up to 4 times. Used in ‘standard` and `adaptive` retry modes.
:profile (String) — default: "default" —

Used when loading credentials from the shared credentials file at ‘HOME/.aws/credentials`. When not specified, ’default’ is used.
:request_checksum_calculation (String) — default: "when_supported" —
Determines when a checksum will be calculated for request payloads. Values are:
- ‘when_supported` - (default) When set, a checksum will be calculated for all request payloads of operations modeled with the `httpChecksum` trait where `requestChecksumRequired` is `true` and/or a `requestAlgorithmMember` is modeled.
- ‘when_required` - When set, a checksum will only be calculated for request payloads of operations modeled with the `httpChecksum` trait where `requestChecksumRequired` is `true` or where a `requestAlgorithmMember` is modeled and supplied.
:request_min_compression_size_bytes (Integer) — default: 10240 —

The minimum size in bytes that triggers compression for request bodies. The value must be non-negative integer value between 0 and 10485780 bytes inclusive.
:response_checksum_validation (String) — default: "when_supported" —
Determines when checksum validation will be performed on response payloads. Values are:
- ‘when_supported` - (default) When set, checksum validation is performed on all response payloads of operations modeled with the `httpChecksum` trait where `responseAlgorithms` is modeled, except when no modeled checksum algorithms are supported.
- ‘when_required` - When set, checksum validation is not performed on response payloads of operations unless the checksum algorithm is supported and the `requestValidationModeMember` member is set to `ENABLED`.
:retry_backoff (Proc) —

A proc or lambda used for backoff. Defaults to 2**retries * retry_base_delay. This option is only used in the ‘legacy` retry mode.
:retry_base_delay (Float) — default: 0.3 —

The base delay in seconds used by the default backoff function. This option is only used in the ‘legacy` retry mode.
:retry_jitter (Symbol) — default: :none —

A delay randomiser function used by the default backoff function. Some predefined functions can be referenced by name - :none, :equal, :full, otherwise a Proc that takes and returns a number. This option is only used in the ‘legacy` retry mode.

@see www.awsarchitectureblog.com/2015/03/backoff.html
:retry_limit (Integer) — default: 3 —

The maximum number of times to retry failed requests. Only ~ 500 level server errors and certain ~ 400 level client errors are retried. Generally, these are throttling errors, data checksum errors, networking errors, timeout errors, auth errors, endpoint discovery, and errors from expired credentials. This option is only used in the ‘legacy` retry mode.
:retry_max_delay (Integer) — default: 0 —

The maximum number of seconds to delay between retries (0 for no limit) used by the default backoff function. This option is only used in the ‘legacy` retry mode.
:retry_mode (String) — default: "legacy" —
Specifies which retry algorithm to use. Values are:
- ‘legacy` - The pre-existing retry behavior. This is the default value if no retry mode is provided.
- ‘standard` - A standardized set of retry rules across the AWS SDKs. This includes support for retry quotas, which limit the number of unsuccessful retries a client can make.
- ‘adaptive` - A retry mode that includes all the functionality of `standard` mode along with automatic client side throttling.
:sdk_ua_app_id (String) —

A unique and opaque application ID that is appended to the User-Agent header as app/sdk_ua_app_id. It should have a maximum length of 50. This variable is sourced from environment variable AWS_SDK_UA_APP_ID or the shared config profile attribute sdk_ua_app_id.
:secret_access_key (String)
:session_token (String)
:sigv4a_signing_region_set (Array) —
A list of regions that should be signed with SigV4a signing. When not passed, a default ‘:sigv4a_signing_region_set` is searched for in the following locations:
- ‘Aws.config`
- ‘ENV`
- ‘~/.aws/config`
:stub_responses (Boolean) — default: false —

Causes the client to return stubbed responses. By default fake responses are generated and returned. You can specify the response data to return or errors to raise by calling ClientStubs#stub_responses. See ClientStubs for more information.

** Please note ** When response stubbing is enabled, no HTTP requests are made, and retries are disabled.
:telemetry_provider (Aws::Telemetry::TelemetryProviderBase) — default: Aws::Telemetry::NoOpTelemetryProvider —
Allows you to provide a telemetry provider, which is used to emit telemetry data. By default, uses ‘NoOpTelemetryProvider` which will not record or emit any telemetry data. The SDK supports the following telemetry providers:
- OpenTelemetry (OTel) - To use the OTel provider, install and require the
‘opentelemetry-sdk` gem and then, pass in an instance of a `Aws::Telemetry::OTelProvider` for telemetry provider.
:token_provider (Aws::TokenProvider) —
Your Bearer token used for authentication. This can be any class that includes and implements ‘Aws::TokenProvider`, or instance of any one of the following classes:
- ‘Aws::StaticTokenProvider` - Used for configuring static, non-refreshing tokens.
- ‘Aws::SSOTokenProvider` - Used for loading tokens from AWS SSO using an access token generated from `aws login`.
When ‘:token_provider` is not configured directly, the `Aws::TokenProviderChain` will be used to search for tokens configured for your profile in shared configuration files.
:use_dualstack_endpoint (Boolean) —

When set to ‘true`, dualstack enabled endpoints (with `.aws` TLD) will be used if available.
:use_fips_endpoint (Boolean) —

When set to ‘true`, fips compatible endpoints will be used if available. When a `fips` region is used, the region is normalized and this config is set to `true`.
:validate_params (Boolean) — default: true —

When ‘true`, request parameters are validated before sending the request.
:endpoint_provider (Aws::GuardDuty::EndpointProvider) —

The endpoint provider used to resolve endpoints. Any object that responds to ‘#resolve_endpoint(parameters)` where `parameters` is a Struct similar to `Aws::GuardDuty::EndpointParameters`.
:http_continue_timeout (Float) — default: 1 —

The number of seconds to wait for a 100-continue response before sending the request body. This option has no effect unless the request has “Expect” header set to “100-continue”. Defaults to ‘nil` which disables this behaviour. This value can safely be set per request on the session.
:http_idle_timeout (Float) — default: 5 —

The number of seconds a connection is allowed to sit idle before it is considered stale. Stale connections are closed and removed from the pool before making a request.
:http_open_timeout (Float) — default: 15 —

The default number of seconds to wait for response data. This value can safely be set per-request on the session.
:http_proxy (URI::HTTP, String) —

A proxy to send requests through. Formatted like ‘proxy.com:123’.
:http_read_timeout (Float) — default: 60 —

The default number of seconds to wait for response data. This value can safely be set per-request on the session.
:http_wire_trace (Boolean) — default: false —

When ‘true`, HTTP debug output will be sent to the `:logger`.
:on_chunk_received (Proc) —

When a Proc object is provided, it will be used as callback when each chunk of the response body is received. It provides three arguments: the chunk, the number of bytes received, and the total number of bytes in the response (or nil if the server did not send a ‘content-length`).
:on_chunk_sent (Proc) —

When a Proc object is provided, it will be used as callback when each chunk of the request body is sent. It provides three arguments: the chunk, the number of bytes read from the body, and the total number of bytes in the body.
:raise_response_errors (Boolean) — default: true —

When ‘true`, response errors are raised.
:ssl_ca_bundle (String) —

Full path to the SSL certificate authority bundle file that should be used when verifying peer certificates. If you do not pass ‘:ssl_ca_bundle` or `:ssl_ca_directory` the the system default will be used if available.
:ssl_ca_directory (String) —

Full path of the directory that contains the unbundled SSL certificate authority files for verifying peer certificates. If you do not pass ‘:ssl_ca_bundle` or `:ssl_ca_directory` the the system default will be used if available.
:ssl_ca_store (String) —

Sets the X509::Store to verify peer certificate.
:ssl_cert (OpenSSL::X509::Certificate) —

Sets a client certificate when creating http connections.
:ssl_key (OpenSSL::PKey) —

Sets a client key when creating http connections.
:ssl_timeout (Float) —

Sets the SSL timeout in seconds
:ssl_verify_peer (Boolean) — default: true —

When ‘true`, SSL peer certificates are verified when establishing a connection.



471
472
473

# File 'lib/aws-sdk-guardduty/client.rb', line 471

def initialize(*args)
  super
end

Class Attribute Details

.identifier ⇒ `Object` (readonly)

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.



9194
9195
9196

# File 'lib/aws-sdk-guardduty/client.rb', line 9194

def identifier
  @identifier
end

Class Method Details

.errors_module ⇒ `Object`

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.



9197
9198
9199

# File 'lib/aws-sdk-guardduty/client.rb', line 9197

def errors_module
  Errors
end

Instance Method Details

#accept_administrator_invitation(params = {}) ⇒ `Struct`

Accepts the invitation to be a member account and get monitored by a GuardDuty administrator account that sent the invitation.

Examples:

Request syntax with placeholder values


resp = client.accept_administrator_invitation({
  detector_id: "DetectorId", # required
  administrator_id: "String", # required
  invitation_id: "String", # required
})

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:detector_id (required, String) —

The unique ID of the detector of the GuardDuty member account.
:administrator_id (required, String) —

The account ID of the GuardDuty administrator account whose invitation you’re accepting.
:invitation_id (required, String) —

The value that is used to validate the administrator account to the member account.

Returns:

(Struct) —

Returns an empty response.

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 505

def accept_administrator_invitation(params = {}, options = {})
  req = build_request(:accept_administrator_invitation, params)
  req.send_request(options)
end

#accept_invitation(params = {}) ⇒ `Struct`

Accepts the invitation to be monitored by a GuardDuty administrator account.

Examples:

Request syntax with placeholder values


resp = client.accept_invitation({
  detector_id: "DetectorId", # required
  master_id: "String", # required
  invitation_id: "String", # required
})

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:detector_id (required, String) —

The unique ID of the detector of the GuardDuty member account.

To find the ‘detectorId` in the current Region, see the Settings page in the GuardDuty console, or run the [ListDetectors] API.

[1]: docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html
:master_id (required, String) —

The account ID of the GuardDuty administrator account whose invitation you’re accepting.
:invitation_id (required, String) —

The value that is used to validate the administrator account to the member account.

Returns:

(Struct) —

Returns an empty response.

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 545

def accept_invitation(params = {}, options = {})
  req = build_request(:accept_invitation, params)
  req.send_request(options)
end

#archive_findings(params = {}) ⇒ `Struct`

Archives GuardDuty findings that are specified by the list of finding IDs.

<note markdown=“1”> Only the administrator account can archive findings. Member accounts don’t have permission to archive findings from their accounts.

</note>

Examples:

Request syntax with placeholder values


resp = client.archive_findings({
  detector_id: "DetectorId", # required
  finding_ids: ["FindingId"], # required
})

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:detector_id (required, String) —

The ID of the detector that specifies the GuardDuty service whose findings you want to archive.

To find the ‘detectorId` in the current Region, see the Settings page in the GuardDuty console, or run the [ListDetectors] API.

[1]: docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html
:finding_ids (required, Array<String>) —

The IDs of the findings that you want to archive.

Returns:

(Struct) —

Returns an empty response.

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 585

def archive_findings(params = {}, options = {})
  req = build_request(:archive_findings, params)
  req.send_request(options)
end

#build_request(operation_name, params = {}) ⇒ `Object`

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Parameters:

params ({}) (defaults to: {})

# File 'lib/aws-sdk-guardduty/client.rb', line 9167

def build_request(operation_name, params = {})
  handlers = @handlers.for(operation_name)
  tracer = config.telemetry_provider.tracer_provider.tracer(
    Aws::Telemetry.module_to_tracer_name('Aws::GuardDuty')
  )
  context = Seahorse::Client::RequestContext.new(
    operation_name: operation_name,
    operation: config.api.operation(operation_name),
    client: self,
    params: params,
    config: config,
    tracer: tracer
  )
  context[:gem_name] = 'aws-sdk-guardduty'
  context[:gem_version] = '1.155.0'
  Seahorse::Client::Request.new(handlers, context)
end

#create_detector(params = {}) ⇒ `Types::CreateDetectorResponse`

Creates a single GuardDuty detector. A detector is a resource that represents the GuardDuty service. To start using GuardDuty, you must create a detector in each Region where you enable the service. You can have only one detector per account per Region. All data sources are enabled in a new detector by default.

When you don’t specify any ‘features`, with an exception to `RUNTIME_MONITORING`, all the optional features are enabled by default.
When you specify some of the ‘features`, any feature that is not specified in the API call gets enabled by default, with an exception to `RUNTIME_MONITORING`.

Specifying both EKS Runtime Monitoring (‘EKS_RUNTIME_MONITORING`) and Runtime Monitoring (`RUNTIME_MONITORING`) will cause an error. You can add only one of these two features because Runtime Monitoring already includes the threat detection for Amazon EKS resources. For more information, see [Runtime Monitoring].

There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see [Regions and endpoints].

[1]: docs.aws.amazon.com/guardduty/latest/ug/runtime-monitoring.html [2]: docs.aws.amazon.com/guardduty/latest/ug/guardduty_regions.html

Examples:

Request syntax with placeholder values


resp = client.create_detector({
  enable: false, # required
  client_token: "ClientToken",
  finding_publishing_frequency: "FIFTEEN_MINUTES", # accepts FIFTEEN_MINUTES, ONE_HOUR, SIX_HOURS
  data_sources: {
    s3_logs: {
      enable: false, # required
    },
    kubernetes: {
      audit_logs: { # required
        enable: false, # required
      },
    },
    malware_protection: {
      scan_ec2_instance_with_findings: {
        ebs_volumes: false,
      },
    },
  },
  tags: {
    "TagKey" => "TagValue",
  },
  features: [
    {
      name: "S3_DATA_EVENTS", # accepts S3_DATA_EVENTS, EKS_AUDIT_LOGS, EBS_MALWARE_PROTECTION, RDS_LOGIN_EVENTS, LAMBDA_NETWORK_LOGS, EKS_RUNTIME_MONITORING, RUNTIME_MONITORING
      status: "ENABLED", # accepts ENABLED, DISABLED
      additional_configuration: [
        {
          name: "EKS_ADDON_MANAGEMENT", # accepts EKS_ADDON_MANAGEMENT, ECS_FARGATE_AGENT_MANAGEMENT, EC2_AGENT_MANAGEMENT
          status: "ENABLED", # accepts ENABLED, DISABLED
        },
      ],
    },
  ],
})

Response structure


resp.detector_id #=> String
resp.unprocessed_data_sources.malware_protection.scan_ec2_instance_with_findings.ebs_volumes.status #=> String, one of "ENABLED", "DISABLED"
resp.unprocessed_data_sources.malware_protection.scan_ec2_instance_with_findings.ebs_volumes.reason #=> String
resp.unprocessed_data_sources.malware_protection.service_role #=> String

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:enable (required, Boolean) —

A Boolean value that specifies whether the detector is to be enabled.
:client_token (String) —

The idempotency token for the create request.

**A suitable default value is auto-generated.** You should normally not need to pass this option.**
:finding_publishing_frequency (String) —

A value that specifies how frequently updated findings are exported.
:data_sources (Types::DataSourceConfigurations) —

Describes which data sources will be enabled for the detector.

There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see [Regions and endpoints].

[1]: docs.aws.amazon.com/guardduty/latest/ug/guardduty_regions.html
:tags (Hash<String,String>) —

The tags to be added to a new detector resource.
:features (Array<Types::DetectorFeatureConfiguration>) —

A list of features that will be configured for the detector.

Returns:

(Types::CreateDetectorResponse) —
Returns a response object which responds to the following methods:
- #detector_id => String
- #unprocessed_data_sources => Types::UnprocessedDataSourcesResult

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 704

def create_detector(params = {}, options = {})
  req = build_request(:create_detector, params)
  req.send_request(options)
end

#create_filter(params = {}) ⇒ `Types::CreateFilterResponse`

Creates a filter using the specified finding criteria. The maximum number of saved filters per Amazon Web Services account per Region is

For more information, see [Quotas for GuardDuty].

[1]: docs.aws.amazon.com/guardduty/latest/ug/guardduty_limits.html

Examples:

Request syntax with placeholder values


resp = client.create_filter({
  detector_id: "DetectorId", # required
  name: "FilterName", # required
  description: "FilterDescription",
  action: "NOOP", # accepts NOOP, ARCHIVE
  rank: 1,
  finding_criteria: { # required
    criterion: {
      "String" => {
        eq: ["String"],
        neq: ["String"],
        gt: 1,
        gte: 1,
        lt: 1,
        lte: 1,
        equals: ["String"],
        not_equals: ["String"],
        greater_than: 1,
        greater_than_or_equal: 1,
        less_than: 1,
        less_than_or_equal: 1,
        matches: ["Match"],
        not_matches: ["NotMatch"],
      },
    },
  },
  client_token: "ClientToken",
  tags: {
    "TagKey" => "TagValue",
  },
})

Response structure


resp.name #=> String

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:detector_id (required, String) —

The detector ID associated with the GuardDuty account for which you want to create a filter.

To find the ‘detectorId` in the current Region, see the Settings page in the GuardDuty console, or run the [ListDetectors] API.

[1]: docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html
:name (required, String) —

The name of the filter. Valid characters include period (.), underscore (_), dash (-), and alphanumeric characters. A whitespace is considered to be an invalid character.
:description (String) —

The description of the filter. Valid characters include alphanumeric characters, and special characters such as hyphen, period, colon, underscore, parentheses (‘{ }`, `[ ]`, and `( )`), forward slash, horizontal tab, vertical tab, newline, form feed, return, and whitespace.
:action (String) —

Specifies the action that is to be applied to the findings that match the filter.

Default: NOOP
:rank (Integer) —

Specifies the position of the filter in the list of current filters. Also specifies the order in which this filter is applied to the findings.
:finding_criteria (required, Types::FindingCriteria) —
Represents the criteria to be used in the filter for querying findings. The following fields are available for filtering:
- accountId
- arn
- associatedAttackSequenceArn
- confidence
- createdAt
  
  Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
- id
- partition
- region
- resource.accessKeyDetails.accessKeyId
- resource.accessKeyDetails.principalId
- resource.accessKeyDetails.userIdentity.accessKeyId
- resource.accessKeyDetails.userIdentity.accountId
- resource.accessKeyDetails.userIdentity.arn
- resource.accessKeyDetails.userIdentity.principalId
- resource.accessKeyDetails.userIdentity.sessionContext.attributes.mfaAuthenticated
- resource.accessKeyDetails.userIdentity.sessionContext.ec2RoleDelivery
- resource.accessKeyDetails.userIdentity.sessionContext.invokedBy
- resource.accessKeyDetails.userIdentity.sessionContext.sessionIssuer.accountId
- resource.accessKeyDetails.userIdentity.sessionContext.sessionIssuer.arn
- resource.accessKeyDetails.userIdentity.sessionContext.sessionIssuer.principalId
- resource.accessKeyDetails.userIdentity.sessionContext.sessionIssuer.type
- resource.accessKeyDetails.userIdentity.sessionContext.sessionIssuer.userName
- resource.accessKeyDetails.userIdentity.sessionContext.sourceIdentity
- resource.accessKeyDetails.userIdentity.sessionContext.webIdFederationData.attributes
- resource.accessKeyDetails.userIdentity.sessionContext.webIdFederationData.federatedProvider
- resource.accessKeyDetails.userIdentity.type
- resource.accessKeyDetails.userIdentity.userName
- resource.accessKeyDetails.userName
- resource.accessKeyDetails.userType
- resource.bedrockGuardrailDetails.guardrailArn
- resource.bedrockGuardrailDetails.guardrailVersion
- resource.containerDetails.containerRuntime
- resource.containerDetails.id
- resource.containerDetails.image
- resource.containerDetails.imagePrefix
- resource.containerDetails.name
- resource.containerDetails.securityContext.allowPrivilegeEscalation
- resource.containerDetails.securityContext.privileged
- resource.containerDetails.volumeMounts.mountPath
- resource.containerDetails.volumeMounts.name
- resource.ebsSnapshotDetails.snapshotArn
- resource.ebsVolumeDetails.scannedVolumeDetails.deviceName
- resource.ebsVolumeDetails.scannedVolumeDetails.encryptionType
- resource.ebsVolumeDetails.scannedVolumeDetails.kmsKeyArn
- resource.ebsVolumeDetails.scannedVolumeDetails.snapshotArn
- resource.ebsVolumeDetails.scannedVolumeDetails.volumeArn
- resource.ebsVolumeDetails.scannedVolumeDetails.volumeSizeInGB
- resource.ebsVolumeDetails.scannedVolumeDetails.volumeType
- resource.ebsVolumeDetails.skippedVolumeDetails.deviceName
- resource.ebsVolumeDetails.skippedVolumeDetails.encryptionType
- resource.ebsVolumeDetails.skippedVolumeDetails.kmsKeyArn
- resource.ebsVolumeDetails.skippedVolumeDetails.snapshotArn
- resource.ebsVolumeDetails.skippedVolumeDetails.volumeArn
- resource.ebsVolumeDetails.skippedVolumeDetails.volumeSizeInGB
- resource.ebsVolumeDetails.skippedVolumeDetails.volumeType
- resource.ec2ImageDetails.imageArn
- resource.ecsClusterDetails.activeServicesCount
- resource.ecsClusterDetails.arn
- resource.ecsClusterDetails.name
- resource.ecsClusterDetails.registeredContainerInstancesCount
- resource.ecsClusterDetails.runningTasksCount
- resource.ecsClusterDetails.status
- resource.ecsClusterDetails.tags.key
- resource.ecsClusterDetails.tags.value
- resource.ecsClusterDetails.taskDetails.arn
- resource.ecsClusterDetails.taskDetails.containers.containerRuntime
- resource.ecsClusterDetails.taskDetails.containers.id
- resource.ecsClusterDetails.taskDetails.containers.image
- resource.ecsClusterDetails.taskDetails.containers.imagePrefix
- resource.ecsClusterDetails.taskDetails.containers.name
- resource.ecsClusterDetails.taskDetails.containers.securityContext.allowPrivilegeEscalation
- resource.ecsClusterDetails.taskDetails.containers.securityContext.privileged
- resource.ecsClusterDetails.taskDetails.containers.volumeMounts.mountPath
- resource.ecsClusterDetails.taskDetails.containers.volumeMounts.name
- resource.ecsClusterDetails.taskDetails.createdAt
  
  Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
- resource.ecsClusterDetails.taskDetails.definitionArn
- resource.ecsClusterDetails.taskDetails.group
- resource.ecsClusterDetails.taskDetails.launchType
- resource.ecsClusterDetails.taskDetails.startedAt
  
  Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
- resource.ecsClusterDetails.taskDetails.startedBy
- resource.ecsClusterDetails.taskDetails.tags.key
- resource.ecsClusterDetails.taskDetails.tags.value
- resource.ecsClusterDetails.taskDetails.version
- resource.ecsClusterDetails.taskDetails.volumes.hostPath.path
- resource.ecsClusterDetails.taskDetails.volumes.name
- resource.eksClusterDetails.arn
- resource.eksClusterDetails.createdAt
  
  Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
- resource.eksClusterDetails.name
- resource.eksClusterDetails.status
- resource.eksClusterDetails.tags.key
- resource.eksClusterDetails.tags.value
- resource.eksClusterDetails.vpcId
- resource.instanceDetails.availabilityZone
- resource.instanceDetails.iamInstanceProfile.arn
- resource.instanceDetails.iamInstanceProfile.id
- resource.instanceDetails.imageDescription
- resource.instanceDetails.imageId
- resource.instanceDetails.instanceId
- resource.instanceDetails.instanceState
- resource.instanceDetails.instanceType
- resource.instanceDetails.launchTime
  
  Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
- resource.instanceDetails.networkInterfaces.ipv6Addresses
- resource.instanceDetails.networkInterfaces.networkInterfaceId
- resource.instanceDetails.networkInterfaces.privateDnsName
- resource.instanceDetails.networkInterfaces.privateIpAddress
- resource.instanceDetails.networkInterfaces.privateIpAddresses.privateDnsName
- resource.instanceDetails.networkInterfaces.privateIpAddresses.privateIpAddress
- resource.instanceDetails.networkInterfaces.publicDnsName
- resource.instanceDetails.networkInterfaces.publicIp
- resource.instanceDetails.networkInterfaces.securityGroups.groupId
- resource.instanceDetails.networkInterfaces.securityGroups.groupName
- resource.instanceDetails.networkInterfaces.subnetId
- resource.instanceDetails.networkInterfaces.vpcId
- resource.instanceDetails.outpostArn
- resource.instanceDetails.platform
- resource.instanceDetails.productCodes.productCodeId
- resource.instanceDetails.productCodes.productCodeType
- resource.instanceDetails.tags.key
- resource.instanceDetails.tags.value
- resource.kubernetesDetails.kubernetesUserDetails.groups
- resource.kubernetesDetails.kubernetesUserDetails.impersonatedUser.groups
- resource.kubernetesDetails.kubernetesUserDetails.impersonatedUser.username
- resource.kubernetesDetails.kubernetesUserDetails.sessionName
- resource.kubernetesDetails.kubernetesUserDetails.uid
- resource.kubernetesDetails.kubernetesUserDetails.username
- resource.kubernetesDetails.kubernetesWorkloadDetails.containers.containerRuntime
- resource.kubernetesDetails.kubernetesWorkloadDetails.containers.id
- resource.kubernetesDetails.kubernetesWorkloadDetails.containers.image
- resource.kubernetesDetails.kubernetesWorkloadDetails.containers.imagePrefix
- resource.kubernetesDetails.kubernetesWorkloadDetails.containers.name
- resource.kubernetesDetails.kubernetesWorkloadDetails.containers.securityContext.allowPrivilegeEscalation
- resource.kubernetesDetails.kubernetesWorkloadDetails.containers.securityContext.privileged
- resource.kubernetesDetails.kubernetesWorkloadDetails.containers.volumeMounts.mountPath
- resource.kubernetesDetails.kubernetesWorkloadDetails.containers.volumeMounts.name
- resource.kubernetesDetails.kubernetesWorkloadDetails.hostIpc
- resource.kubernetesDetails.kubernetesWorkloadDetails.hostNetwork
- resource.kubernetesDetails.kubernetesWorkloadDetails.hostPid
- resource.kubernetesDetails.kubernetesWorkloadDetails.name
- resource.kubernetesDetails.kubernetesWorkloadDetails.namespace
- resource.kubernetesDetails.kubernetesWorkloadDetails.serviceAccountName
- resource.kubernetesDetails.kubernetesWorkloadDetails.type
- resource.kubernetesDetails.kubernetesWorkloadDetails.uid
- resource.kubernetesDetails.kubernetesWorkloadDetails.volumes.hostPath.path
- resource.kubernetesDetails.kubernetesWorkloadDetails.volumes.name
- resource.lambdaDetails.description
- resource.lambdaDetails.functionArn
- resource.lambdaDetails.functionName
- resource.lambdaDetails.functionVersion
- resource.lambdaDetails.lastModifiedAt
  
  Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
- resource.lambdaDetails.revisionId
- resource.lambdaDetails.role
- resource.lambdaDetails.tags.key
- resource.lambdaDetails.tags.value
- resource.lambdaDetails.vpcConfig.securityGroups.groupId
- resource.lambdaDetails.vpcConfig.securityGroups.groupName
- resource.lambdaDetails.vpcConfig.subnetIds
- resource.lambdaDetails.vpcConfig.vpcId
- resource.rdsDbInstanceDetails.dbClusterIdentifier
- resource.rdsDbInstanceDetails.dbInstanceArn
- resource.rdsDbInstanceDetails.dbInstanceIdentifier
- resource.rdsDbInstanceDetails.dbSecurityGroups.name
- resource.rdsDbInstanceDetails.dbSecurityGroups.status
- resource.rdsDbInstanceDetails.dbiResourceId
- resource.rdsDbInstanceDetails.engine
- resource.rdsDbInstanceDetails.engineVersion
- resource.rdsDbInstanceDetails.iamDatabaseAuthenticationEnabled
- resource.rdsDbInstanceDetails.publiclyAccessible
- resource.rdsDbInstanceDetails.vpcId
- resource.rdsDbInstanceDetails.vpcSecurityGroups.status
- resource.rdsDbInstanceDetails.vpcSecurityGroups.vpcSecurityGroupId
- resource.rdsDbUserDetails.application
- resource.rdsDbUserDetails.authMethod
- resource.rdsDbUserDetails.database
- resource.rdsDbUserDetails.ssl
- resource.rdsDbUserDetails.user
- resource.rdsLimitlessDbDetails.dbClusterIdentifier
- resource.rdsLimitlessDbDetails.dbShardGroupArn
- resource.rdsLimitlessDbDetails.dbShardGroupIdentifier
- resource.rdsLimitlessDbDetails.dbShardGroupResourceId
- resource.rdsLimitlessDbDetails.engine
- resource.rdsLimitlessDbDetails.engineVersion
- resource.rdsLimitlessDbDetails.tags.key
- resource.rdsLimitlessDbDetails.tags.value
- resource.recoveryPointDetails.backupVaultName
- resource.recoveryPointDetails.recoveryPointArn
- resource.resourceType
- resource.s3BucketDetails.arn
- resource.s3BucketDetails.createdAt
  
  Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
- resource.s3BucketDetails.defaultServerSideEncryption.encryptionType
- resource.s3BucketDetails.defaultServerSideEncryption.kmsMasterKeyArn
- resource.s3BucketDetails.name
- resource.s3BucketDetails.owner.id
- resource.s3BucketDetails.publicAccess.effectivePermission
- resource.s3BucketDetails.publicAccess.permissionConfiguration.accountLevelPermissions.blockPublicAccess.blockPublicAcls
- resource.s3BucketDetails.publicAccess.permissionConfiguration.accountLevelPermissions.blockPublicAccess.blockPublicPolicy
- resource.s3BucketDetails.publicAccess.permissionConfiguration.accountLevelPermissions.blockPublicAccess.ignorePublicAcls
- resource.s3BucketDetails.publicAccess.permissionConfiguration.accountLevelPermissions.blockPublicAccess.restrictPublicBuckets
- resource.s3BucketDetails.publicAccess.permissionConfiguration.bucketLevelPermissions.accessControlList.allowsPublicReadAccess
- resource.s3BucketDetails.publicAccess.permissionConfiguration.bucketLevelPermissions.accessControlList.allowsPublicWriteAccess
- resource.s3BucketDetails.publicAccess.permissionConfiguration.bucketLevelPermissions.blockPublicAccess.blockPublicAcls
- resource.s3BucketDetails.publicAccess.permissionConfiguration.bucketLevelPermissions.blockPublicAccess.blockPublicPolicy
- resource.s3BucketDetails.publicAccess.permissionConfiguration.bucketLevelPermissions.blockPublicAccess.ignorePublicAcls
- resource.s3BucketDetails.publicAccess.permissionConfiguration.bucketLevelPermissions.blockPublicAccess.restrictPublicBuckets
- resource.s3BucketDetails.publicAccess.permissionConfiguration.bucketLevelPermissions.bucketPolicy.allowsPublicReadAccess
- resource.s3BucketDetails.publicAccess.permissionConfiguration.bucketLevelPermissions.bucketPolicy.allowsPublicWriteAccess
- resource.s3BucketDetails.s3ObjectDetails.eTag
- resource.s3BucketDetails.s3ObjectDetails.hash
- resource.s3BucketDetails.s3ObjectDetails.key
- resource.s3BucketDetails.s3ObjectDetails.objectArn
- resource.s3BucketDetails.s3ObjectDetails.versionId
- resource.s3BucketDetails.tags.key
- resource.s3BucketDetails.tags.value
- resource.s3BucketDetails.type
- schemaVersion
- service.action.actionType
- service.action.awsApiCallAction.api
- service.action.awsApiCallAction.callerType
- service.action.awsApiCallAction.domainDetails.domain
- service.action.awsApiCallAction.errorCode
- service.action.awsApiCallAction.remoteAccountDetails.accountId
- service.action.awsApiCallAction.remoteAccountDetails.affiliated
- service.action.awsApiCallAction.remoteAccountDetails.awsServiceName
- service.action.awsApiCallAction.remoteIpDetails.city.cityName
- service.action.awsApiCallAction.remoteIpDetails.country.countryCode
- service.action.awsApiCallAction.remoteIpDetails.country.countryName
- service.action.awsApiCallAction.remoteIpDetails.geoLocation.lat
- service.action.awsApiCallAction.remoteIpDetails.geoLocation.lon
- service.action.awsApiCallAction.remoteIpDetails.ipAddressV4
- service.action.awsApiCallAction.remoteIpDetails.ipAddressV6
- service.action.awsApiCallAction.remoteIpDetails.organization.asn
- service.action.awsApiCallAction.remoteIpDetails.organization.asnOrg
- service.action.awsApiCallAction.remoteIpDetails.organization.isp
- service.action.awsApiCallAction.remoteIpDetails.organization.org
- service.action.awsApiCallAction.serviceName
- service.action.awsApiCallAction.userAgent
- service.action.dnsRequestAction.blocked
- service.action.dnsRequestAction.domain
- service.action.dnsRequestAction.domainWithSuffix
- service.action.dnsRequestAction.protocol
- service.action.dnsRequestAction.vpcOwnerAccountId
- service.action.kubernetesApiCallAction.namespace
- service.action.kubernetesApiCallAction.parameters
- service.action.kubernetesApiCallAction.remoteIpDetails.city.cityName
- service.action.kubernetesApiCallAction.remoteIpDetails.country.countryCode
- service.action.kubernetesApiCallAction.remoteIpDetails.country.countryName
- service.action.kubernetesApiCallAction.remoteIpDetails.geoLocation.lat
- service.action.kubernetesApiCallAction.remoteIpDetails.geoLocation.lon
- service.action.kubernetesApiCallAction.remoteIpDetails.ipAddressV4
- service.action.kubernetesApiCallAction.remoteIpDetails.ipAddressV6
- service.action.kubernetesApiCallAction.remoteIpDetails.organization.asn
- service.action.kubernetesApiCallAction.remoteIpDetails.organization.asnOrg
- service.action.kubernetesApiCallAction.remoteIpDetails.organization.isp
- service.action.kubernetesApiCallAction.remoteIpDetails.organization.org
- service.action.kubernetesApiCallAction.requestUri
- service.action.kubernetesApiCallAction.resource
- service.action.kubernetesApiCallAction.resourceName
- service.action.kubernetesApiCallAction.sourceIPs
- service.action.kubernetesApiCallAction.statusCode
- service.action.kubernetesApiCallAction.subresource
- service.action.kubernetesApiCallAction.userAgent
- service.action.kubernetesApiCallAction.verb
- service.action.kubernetesPermissionCheckedDetails.allowed
- service.action.kubernetesPermissionCheckedDetails.namespace
- service.action.kubernetesPermissionCheckedDetails.resource
- service.action.kubernetesPermissionCheckedDetails.verb
- service.action.kubernetesRoleBindingDetails.kind
- service.action.kubernetesRoleBindingDetails.name
- service.action.kubernetesRoleBindingDetails.roleRefKind
- service.action.kubernetesRoleBindingDetails.roleRefName
- service.action.kubernetesRoleBindingDetails.uid
- service.action.kubernetesRoleDetails.kind
- service.action.kubernetesRoleDetails.name
- service.action.kubernetesRoleDetails.uid
- service.action.networkConnectionAction.blocked
- service.action.networkConnectionAction.connectionDirection
- service.action.networkConnectionAction.localIpDetails.ipAddressV4
- service.action.networkConnectionAction.localIpDetails.ipAddressV6
- service.action.networkConnectionAction.localNetworkInterface
- service.action.networkConnectionAction.localPortDetails.port
- service.action.networkConnectionAction.localPortDetails.portName
- service.action.networkConnectionAction.protocol
- service.action.networkConnectionAction.remoteIpDetails.city.cityName
- service.action.networkConnectionAction.remoteIpDetails.country.countryCode
- service.action.networkConnectionAction.remoteIpDetails.country.countryName
- service.action.networkConnectionAction.remoteIpDetails.geoLocation.lat
- service.action.networkConnectionAction.remoteIpDetails.geoLocation.lon
- service.action.networkConnectionAction.remoteIpDetails.ipAddressV4
- service.action.networkConnectionAction.remoteIpDetails.ipAddressV6
- service.action.networkConnectionAction.remoteIpDetails.organization.asn
- service.action.networkConnectionAction.remoteIpDetails.organization.asnOrg
- service.action.networkConnectionAction.remoteIpDetails.organization.isp
- service.action.networkConnectionAction.remoteIpDetails.organization.org
- service.action.networkConnectionAction.remotePortDetails.port
- service.action.networkConnectionAction.remotePortDetails.portName
- service.action.portProbeAction.blocked
- service.action.portProbeAction.portProbeDetails.localIpDetails.ipAddressV4
- service.action.portProbeAction.portProbeDetails.localIpDetails.ipAddressV6
- service.action.portProbeAction.portProbeDetails.localPortDetails.port
- service.action.portProbeAction.portProbeDetails.localPortDetails.portName
- service.action.portProbeAction.portProbeDetails.remoteIpDetails.city.cityName
- service.action.portProbeAction.portProbeDetails.remoteIpDetails.country.countryCode
- service.action.portProbeAction.portProbeDetails.remoteIpDetails.country.countryName
- service.action.portProbeAction.portProbeDetails.remoteIpDetails.geoLocation.lat
- service.action.portProbeAction.portProbeDetails.remoteIpDetails.geoLocation.lon
- service.action.portProbeAction.portProbeDetails.remoteIpDetails.ipAddressV4
- service.action.portProbeAction.portProbeDetails.remoteIpDetails.ipAddressV6
- service.action.portProbeAction.portProbeDetails.remoteIpDetails.organization.asn
- service.action.portProbeAction.portProbeDetails.remoteIpDetails.organization.asnOrg
- service.action.portProbeAction.portProbeDetails.remoteIpDetails.organization.isp
- service.action.portProbeAction.portProbeDetails.remoteIpDetails.organization.org
- service.action.rdsLoginAttemptAction.loginAttributes.application
- service.action.rdsLoginAttemptAction.loginAttributes.failedLoginAttempts
- service.action.rdsLoginAttemptAction.loginAttributes.successfulLoginAttempts
- service.action.rdsLoginAttemptAction.loginAttributes.user
- service.action.rdsLoginAttemptAction.remoteIpDetails.city.cityName
- service.action.rdsLoginAttemptAction.remoteIpDetails.country.countryCode
- service.action.rdsLoginAttemptAction.remoteIpDetails.country.countryName
- service.action.rdsLoginAttemptAction.remoteIpDetails.geoLocation.lat
- service.action.rdsLoginAttemptAction.remoteIpDetails.geoLocation.lon
- service.action.rdsLoginAttemptAction.remoteIpDetails.ipAddressV4
- service.action.rdsLoginAttemptAction.remoteIpDetails.ipAddressV6
- service.action.rdsLoginAttemptAction.remoteIpDetails.organization.asn
- service.action.rdsLoginAttemptAction.remoteIpDetails.organization.asnOrg
- service.action.rdsLoginAttemptAction.remoteIpDetails.organization.isp
- service.action.rdsLoginAttemptAction.remoteIpDetails.organization.org
- service.additionalInfo.agentDetails.agentId
- service.additionalInfo.agentDetails.agentVersion
- service.additionalInfo.anomalies.anomalousAPIs
- service.additionalInfo.authenticationMethod
- service.additionalInfo.averagePacketSizeIn
- service.additionalInfo.averagePacketSizeOut
- service.additionalInfo.context
- service.additionalInfo.domain
- service.additionalInfo.inBytes
- service.additionalInfo.localNetworkInterfaceOwner
- service.additionalInfo.localPort
- service.additionalInfo.outBytes
- service.additionalInfo.packetsIn
- service.additionalInfo.packetsOut
- service.additionalInfo.policyArn
- service.additionalInfo.policyName
- service.additionalInfo.remotePort
- service.additionalInfo.sample
- service.additionalInfo.scannedPort
- service.additionalInfo.threatFileSha256
- service.additionalInfo.threatListName
- service.additionalInfo.threatName
- service.additionalInfo.totalBytesIn
- service.additionalInfo.totalBytesOut
- service.additionalInfo.type
- service.additionalInfo.unusual.asnOrg
- service.additionalInfo.unusual.port
- service.additionalInfo.unusualProtocol
- service.additionalInfo.userAgent.fullUserAgent
- service.additionalInfo.userAgent.userAgentCategory
- service.additionalInfo.value
- service.additionalInfo.vpcOwnerAccountId
- service.archived
- service.count
- service.detection.sequence.actors.id
- service.detection.sequence.actors.process.name
- service.detection.sequence.actors.process.path
- service.detection.sequence.actors.process.sha256
- service.detection.sequence.actors.session.createdTime
  
  Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
- service.detection.sequence.actors.session.issuer
- service.detection.sequence.actors.session.mfaStatus
- service.detection.sequence.actors.session.uid
- service.detection.sequence.actors.user.account.account
- service.detection.sequence.actors.user.account.uid
- service.detection.sequence.actors.user.credentialUid
- service.detection.sequence.actors.user.name
- service.detection.sequence.actors.user.type
- service.detection.sequence.actors.user.uid
- service.detection.sequence.additionalSequenceTypes
- service.detection.sequence.description
- service.detection.sequence.endpoints.autonomousSystem.name
- service.detection.sequence.endpoints.autonomousSystem.number
- service.detection.sequence.endpoints.connection.direction
- service.detection.sequence.endpoints.domain
- service.detection.sequence.endpoints.id
- service.detection.sequence.endpoints.ip
- service.detection.sequence.endpoints.location.city
- service.detection.sequence.endpoints.location.country
- service.detection.sequence.endpoints.location.lat
- service.detection.sequence.endpoints.location.lon
- service.detection.sequence.endpoints.port
- service.detection.sequence.resources.accountId
- service.detection.sequence.resources.cloudPartition
- service.detection.sequence.resources.data.accessKey.principalId
- service.detection.sequence.resources.data.accessKey.userName
- service.detection.sequence.resources.data.accessKey.userType
- service.detection.sequence.resources.data.autoscalingAutoScalingGroup.ec2InstanceUids
- service.detection.sequence.resources.data.cloudformationStack.ec2InstanceUids
- service.detection.sequence.resources.data.container.image
- service.detection.sequence.resources.data.container.imageUid
- service.detection.sequence.resources.data.ec2Image.ec2InstanceUids
- service.detection.sequence.resources.data.ec2Instance.availabilityZone
- service.detection.sequence.resources.data.ec2Instance.ec2NetworkInterfaceUids
- service.detection.sequence.resources.data.ec2Instance.iamInstanceProfile.arn
- service.detection.sequence.resources.data.ec2Instance.iamInstanceProfile.id
- service.detection.sequence.resources.data.ec2Instance.imageDescription
- service.detection.sequence.resources.data.ec2Instance.instanceState
- service.detection.sequence.resources.data.ec2Instance.instanceType
- service.detection.sequence.resources.data.ec2Instance.outpostArn
- service.detection.sequence.resources.data.ec2Instance.platform
- service.detection.sequence.resources.data.ec2Instance.productCodes.productCodeId
- service.detection.sequence.resources.data.ec2Instance.productCodes.productCodeType
- service.detection.sequence.resources.data.ec2LaunchTemplate.ec2InstanceUids
- service.detection.sequence.resources.data.ec2LaunchTemplate.version
- service.detection.sequence.resources.data.ec2NetworkInterface.ipv6Addresses
- service.detection.sequence.resources.data.ec2NetworkInterface.privateIpAddresses.privateDnsName
- service.detection.sequence.resources.data.ec2NetworkInterface.privateIpAddresses.privateIpAddress
- service.detection.sequence.resources.data.ec2NetworkInterface.publicIp
- service.detection.sequence.resources.data.ec2NetworkInterface.securityGroups.groupId
- service.detection.sequence.resources.data.ec2NetworkInterface.securityGroups.groupName
- service.detection.sequence.resources.data.ec2NetworkInterface.subNetId
- service.detection.sequence.resources.data.ec2NetworkInterface.vpcId
- service.detection.sequence.resources.data.ec2Vpc.ec2InstanceUids
- service.detection.sequence.resources.data.ecsCluster.ec2InstanceUids
- service.detection.sequence.resources.data.ecsCluster.status
- service.detection.sequence.resources.data.ecsTask.containerUids
- service.detection.sequence.resources.data.ecsTask.createdAt
  
  Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
- service.detection.sequence.resources.data.ecsTask.launchType
- service.detection.sequence.resources.data.ecsTask.taskDefinitionArn
- service.detection.sequence.resources.data.eksCluster.arn
- service.detection.sequence.resources.data.eksCluster.createdAt
  
  Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
- service.detection.sequence.resources.data.eksCluster.ec2InstanceUids
- service.detection.sequence.resources.data.eksCluster.status
- service.detection.sequence.resources.data.eksCluster.vpcId
- service.detection.sequence.resources.data.iamInstanceProfile.ec2InstanceUids
- service.detection.sequence.resources.data.iamInstanceProfile.id
- service.detection.sequence.resources.data.kubernetesWorkload.containerUids
- service.detection.sequence.resources.data.kubernetesWorkload.namespace
- service.detection.sequence.resources.data.kubernetesWorkload.type
- service.detection.sequence.resources.data.s3Bucket.accountPublicAccess.publicAclAccess
- service.detection.sequence.resources.data.s3Bucket.accountPublicAccess.publicAclIgnoreBehavior
- service.detection.sequence.resources.data.s3Bucket.accountPublicAccess.publicBucketRestrictBehavior
- service.detection.sequence.resources.data.s3Bucket.accountPublicAccess.publicPolicyAccess
- service.detection.sequence.resources.data.s3Bucket.bucketPublicAccess.publicAclAccess
- service.detection.sequence.resources.data.s3Bucket.bucketPublicAccess.publicAclIgnoreBehavior
- service.detection.sequence.resources.data.s3Bucket.bucketPublicAccess.publicBucketRestrictBehavior
- service.detection.sequence.resources.data.s3Bucket.bucketPublicAccess.publicPolicyAccess
- service.detection.sequence.resources.data.s3Bucket.createdAt
  
  Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
- service.detection.sequence.resources.data.s3Bucket.effectivePermission
- service.detection.sequence.resources.data.s3Bucket.encryptionKeyArn
- service.detection.sequence.resources.data.s3Bucket.encryptionType
- service.detection.sequence.resources.data.s3Bucket.ownerId
- service.detection.sequence.resources.data.s3Bucket.publicReadAccess
- service.detection.sequence.resources.data.s3Bucket.publicWriteAccess
- service.detection.sequence.resources.data.s3Bucket.s3ObjectUids
- service.detection.sequence.resources.data.s3Object.eTag
- service.detection.sequence.resources.data.s3Object.key
- service.detection.sequence.resources.data.s3Object.versionId
- service.detection.sequence.resources.name
- service.detection.sequence.resources.region
- service.detection.sequence.resources.resourceType
- service.detection.sequence.resources.service
- service.detection.sequence.resources.tags.key
- service.detection.sequence.resources.tags.value
- service.detection.sequence.resources.uid
- service.detection.sequence.sequenceIndicators.key
- service.detection.sequence.sequenceIndicators.title
- service.detection.sequence.sequenceIndicators.values
- service.detection.sequence.signals.actorIds
- service.detection.sequence.signals.count
- service.detection.sequence.signals.createdAt
  
  Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
- service.detection.sequence.signals.description
- service.detection.sequence.signals.endpointIds
- service.detection.sequence.signals.firstSeenAt
  
  Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
- service.detection.sequence.signals.lastSeenAt
  
  Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
- service.detection.sequence.signals.name
- service.detection.sequence.signals.resourceUids
- service.detection.sequence.signals.severity
- service.detection.sequence.signals.signalIndicators.key
- service.detection.sequence.signals.signalIndicators.title
- service.detection.sequence.signals.signalIndicators.values
- service.detection.sequence.signals.type
- service.detection.sequence.signals.uid
- service.detection.sequence.signals.updatedAt
  
  Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
- service.detection.sequence.uid
- service.detectorId
- service.ebsVolumeScanDetails.scanCompletedAt
  
  Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
- service.ebsVolumeScanDetails.scanDetections.highestSeverityThreatDetails.count
- service.ebsVolumeScanDetails.scanDetections.highestSeverityThreatDetails.severity
- service.ebsVolumeScanDetails.scanDetections.highestSeverityThreatDetails.threatName
- service.ebsVolumeScanDetails.scanDetections.scannedItemCount.files
- service.ebsVolumeScanDetails.scanDetections.scannedItemCount.totalGb
- service.ebsVolumeScanDetails.scanDetections.scannedItemCount.volumes
- service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.itemCount
- service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.shortened
- service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.filePaths.fileName
- service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.filePaths.filePath
- service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.filePaths.hash
- service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.filePaths.volumeArn
- service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.itemCount
- service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.name
- service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.severity
- service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.uniqueThreatNameCount
- service.ebsVolumeScanDetails.scanDetections.threatsDetectedItemCount.files
- service.ebsVolumeScanDetails.scanId
- service.ebsVolumeScanDetails.scanStartedAt
  
  Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
- service.ebsVolumeScanDetails.scanType
- service.ebsVolumeScanDetails.sources
- service.ebsVolumeScanDetails.triggerFindingId
- service.eventFirstSeen
  
  Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
- service.eventLastSeen
  
  Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
- service.evidence.threatIntelligenceDetails.threatFileSha256
- service.evidence.threatIntelligenceDetails.threatListName
- service.evidence.threatIntelligenceDetails.threatNames
- service.featureName
- service.malwareScanDetails.scanCategory
- service.malwareScanDetails.scanConfiguration.incrementalScanDetails.baselineResourceArn
- service.malwareScanDetails.scanConfiguration.triggerType
- service.malwareScanDetails.scanId
- service.malwareScanDetails.scanType
- service.malwareScanDetails.threats.count
- service.malwareScanDetails.threats.hash
- service.malwareScanDetails.threats.itemDetails.additionalInfo.deviceName
- service.malwareScanDetails.threats.itemDetails.additionalInfo.versionId
- service.malwareScanDetails.threats.itemDetails.hash
- service.malwareScanDetails.threats.itemDetails.itemPath
- service.malwareScanDetails.threats.itemDetails.resourceArn
- service.malwareScanDetails.threats.itemPaths.hash
- service.malwareScanDetails.threats.itemPaths.nestedItemPath
- service.malwareScanDetails.threats.name
- service.malwareScanDetails.threats.source
- service.malwareScanDetails.uniqueThreatCount
- service.resourceRole
- service.runtimeDetails.context.addressFamily
- service.runtimeDetails.context.commandLineExample
- service.runtimeDetails.context.fileOperation
- service.runtimeDetails.context.filePath
- service.runtimeDetails.context.fileSystemType
- service.runtimeDetails.context.flags
- service.runtimeDetails.context.ianaProtocolNumber
- service.runtimeDetails.context.ldPreloadValue
- service.runtimeDetails.context.libraryPath
- service.runtimeDetails.context.memoryRegions
- service.runtimeDetails.context.modifiedAt
  
  Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
- service.runtimeDetails.context.modifyingProcess.euid
- service.runtimeDetails.context.modifyingProcess.executablePath
- service.runtimeDetails.context.modifyingProcess.executableSha256
- service.runtimeDetails.context.modifyingProcess.lineage.euid
- service.runtimeDetails.context.modifyingProcess.lineage.executablePath
- service.runtimeDetails.context.modifyingProcess.lineage.name
- service.runtimeDetails.context.modifyingProcess.lineage.namespacePid
- service.runtimeDetails.context.modifyingProcess.lineage.parentUuid
- service.runtimeDetails.context.modifyingProcess.lineage.pid
- service.runtimeDetails.context.modifyingProcess.lineage.startTime
  
  Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
- service.runtimeDetails.context.modifyingProcess.lineage.userId
- service.runtimeDetails.context.modifyingProcess.lineage.uuid
- service.runtimeDetails.context.modifyingProcess.name
- service.runtimeDetails.context.modifyingProcess.namespacePid
- service.runtimeDetails.context.modifyingProcess.parentUuid
- service.runtimeDetails.context.modifyingProcess.pid
- service.runtimeDetails.context.modifyingProcess.pwd
- service.runtimeDetails.context.modifyingProcess.startTime
  
  Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
- service.runtimeDetails.context.modifyingProcess.user
- service.runtimeDetails.context.modifyingProcess.userId
- service.runtimeDetails.context.modifyingProcess.uuid
- service.runtimeDetails.context.moduleFilePath
- service.runtimeDetails.context.moduleName
- service.runtimeDetails.context.moduleSha256
- service.runtimeDetails.context.mountSource
- service.runtimeDetails.context.mountTarget
- service.runtimeDetails.context.relatedFilePaths
- service.runtimeDetails.context.releaseAgentPath
- service.runtimeDetails.context.runcBinaryPath
- service.runtimeDetails.context.scriptPath
- service.runtimeDetails.context.serviceName
- service.runtimeDetails.context.shellHistoryFilePath
- service.runtimeDetails.context.socketPath
- service.runtimeDetails.context.targetProcess.euid
- service.runtimeDetails.context.targetProcess.executablePath
- service.runtimeDetails.context.targetProcess.executableSha256
- service.runtimeDetails.context.targetProcess.lineage.euid
- service.runtimeDetails.context.targetProcess.lineage.executablePath
- service.runtimeDetails.context.targetProcess.lineage.name
- service.runtimeDetails.context.targetProcess.lineage.namespacePid
- service.runtimeDetails.context.targetProcess.lineage.parentUuid
- service.runtimeDetails.context.targetProcess.lineage.pid
- service.runtimeDetails.context.targetProcess.lineage.startTime
  
  Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
- service.runtimeDetails.context.targetProcess.lineage.userId
- service.runtimeDetails.context.targetProcess.lineage.uuid
- service.runtimeDetails.context.targetProcess.name
- service.runtimeDetails.context.targetProcess.namespacePid
- service.runtimeDetails.context.targetProcess.parentUuid
- service.runtimeDetails.context.targetProcess.pid
- service.runtimeDetails.context.targetProcess.pwd
- service.runtimeDetails.context.targetProcess.startTime
  
  Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
- service.runtimeDetails.context.targetProcess.user
- service.runtimeDetails.context.targetProcess.userId
- service.runtimeDetails.context.targetProcess.uuid
- service.runtimeDetails.context.threatFilePath
- service.runtimeDetails.context.toolCategory
- service.runtimeDetails.context.toolName
- service.runtimeDetails.process.euid
- service.runtimeDetails.process.executablePath
- service.runtimeDetails.process.executableSha256
- service.runtimeDetails.process.lineage.euid
- service.runtimeDetails.process.lineage.executablePath
- service.runtimeDetails.process.lineage.name
- service.runtimeDetails.process.lineage.namespacePid
- service.runtimeDetails.process.lineage.parentUuid
- service.runtimeDetails.process.lineage.pid
- service.runtimeDetails.process.lineage.startTime
  
  Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
- service.runtimeDetails.process.lineage.userId
- service.runtimeDetails.process.lineage.uuid
- service.runtimeDetails.process.name
- service.runtimeDetails.process.namespacePid
- service.runtimeDetails.process.parentUuid
- service.runtimeDetails.process.pid
- service.runtimeDetails.process.pwd
- service.runtimeDetails.process.startTime
  
  Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
- service.runtimeDetails.process.user
- service.runtimeDetails.process.userId
- service.runtimeDetails.process.uuid
- service.serviceName
- service.userFeedback
- severity
  
  To configure severity based filters, use the following for the
  
  FindingCriteria][1
  
  condition:
  - Low: ‘[“1”, “2”, “3”]`
  - Medium: ‘[“4”, “5”, “6”]`
  - High: ‘[“7”, “8”]`
  - Critical: ‘[“9”, “10”]`
  For more information, see [Findings severity levels] in the *Amazon GuardDuty User Guide*.
- type
- updatedAt
  
  Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
[1]: docs.aws.amazon.com/guardduty/latest/APIReference/API_FindingCriteria.html [2]: docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings-severity.html
:client_token (String) —

The idempotency token for the create request.

**A suitable default value is auto-generated.** You should normally not need to pass this option.**
:tags (Hash<String,String>) —

The tags to be added to a new filter resource.

Returns:

(Types::CreateFilterResponse) —
Returns a response object which responds to the following methods:
- #name => String

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 2126

def create_filter(params = {}, options = {})
  req = build_request(:create_filter, params)
  req.send_request(options)
end

#create_investigation(params = {}) ⇒ `Types::CreateInvestigationResponse`

This API is currently available as a preview. During the preview, you can initiate up to 10 investigations per account per day, with a total limit of 100 investigations per account. This feature is available in the following Amazon Web Services Regions: US East (N. Virginia), US East (Ohio), US West (Oregon), Canada (Central), Europe (Frankfurt), Europe (Ireland), Europe (London), Europe (Paris), Europe (Stockholm), and Asia Pacific (Tokyo).

Initiates a GuardDuty investigation that automatically analyzes security findings, correlates related activity, performs account-level analysis, and produces a structured investigation summary with recommended next steps.

Only the administrator account can create an investigation. Member accounts don’t have permission to create investigations from their accounts.

To use this operation, the ‘AI_ANALYST` feature must be enabled on your detector.

This feature uses Amazon Bedrock models that leverage Cross-Region Inference (CRIS), which automatically selects the optimal Amazon Web Services Region within your geography to process the investigation analysis and generate the investigation report. This maximizes available compute resources, model availability, and delivers the best customer experience. Your data remains stored only in the Region where the investigation request originates, however, investigation data and summary results may be processed outside that Region. All data is transmitted encrypted across Amazon’s secure network. For more information, see [GuardDuty Investigation].

[1]: docs.aws.amazon.com/guardduty/latest/ug/guardduty-investigation.html

Examples:

Request syntax with placeholder values


resp = client.create_investigation({
  detector_id: "DetectorId", # required
  trigger_prompt: "TriggerPrompt", # required
  client_token: "ClientToken",
})

Response structure


resp.investigation_id #=> String

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:detector_id (required, String) —

The unique ID of the GuardDuty detector for the account in which the investigation is created.

To find the ‘detectorId` in the current Region, see the Settings page in the GuardDuty console, or run the [ListDetectors] API.

[1]: docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html
:trigger_prompt (required, String) —
A natural-language description of what to investigate. For example:
- ‘“Investigate finding 1ab2c3d4e5f6a7b8c9d0e1f2a3b4c5d6 in account 123456789012”`
- ‘“Analyze findings in account with id 123456789012”`
- ‘“Analyze findings in my organization”`
:client_token (String) —

The idempotency token for the create request.

**A suitable default value is auto-generated.** You should normally not need to pass this option.**

Returns:

(Types::CreateInvestigationResponse) —
Returns a response object which responds to the following methods:
- #investigation_id => String

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 2292

def create_investigation(params = {}, options = {})
  req = build_request(:create_investigation, params)
  req.send_request(options)
end

#create_ip_set(params = {}) ⇒ `Types::CreateIPSetResponse`

Creates a new IPSet, which is called a trusted IP list in the console user interface. An IPSet is a list of IP addresses that are trusted for secure communication with Amazon Web Services infrastructure and applications. GuardDuty doesn’t generate findings for IP addresses that are included in IPSets. Only users from the administrator account can use this operation.

Examples:

Request syntax with placeholder values


resp = client.create_ip_set({
  detector_id: "DetectorId", # required
  name: "Name", # required
  format: "TXT", # required, accepts TXT, STIX, OTX_CSV, ALIEN_VAULT, PROOF_POINT, FIRE_EYE
  location: "Location", # required
  activate: false, # required
  client_token: "ClientToken",
  tags: {
    "TagKey" => "TagValue",
  },
  expected_bucket_owner: "AccountId",
})

Response structure


resp.ip_set_id #=> String

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:detector_id (required, String) —

The unique ID of the detector of the GuardDuty account for which you want to create an IPSet.

To find the ‘detectorId` in the current Region, see the Settings page in the GuardDuty console, or run the [ListDetectors] API.

[1]: docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html
:name (required, String) —

The user-friendly name to identify the IPSet.

Allowed characters are alphanumeric, whitespace, dash (-), and underscores (_).
:format (required, String) —

The format of the file that contains the IPSet.
:location (required, String) —

The URI of the file that contains the IPSet.
:activate (required, Boolean) —

A Boolean value that indicates whether GuardDuty is to start using the uploaded IPSet.
:client_token (String) —

The idempotency token for the create request.

**A suitable default value is auto-generated.** You should normally not need to pass this option.**
:tags (Hash<String,String>) —

The tags to be added to a new IP set resource.
:expected_bucket_owner (String) —

The Amazon Web Services account ID that owns the Amazon S3 bucket specified in the location parameter.

Returns:

(Types::CreateIPSetResponse) —
Returns a response object which responds to the following methods:
- #ip_set_id => String

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 2205

def create_ip_set(params = {}, options = {})
  req = build_request(:create_ip_set, params)
  req.send_request(options)
end

#create_malware_protection_plan(params = {}) ⇒ `Types::CreateMalwareProtectionPlanResponse`

Creates a new Malware Protection plan for the protected resource.

When you create a Malware Protection plan, the Amazon Web Services service terms for GuardDuty Malware Protection apply. For more information, see [Amazon Web Services service terms for GuardDuty Malware Protection].

[1]: aws.amazon.com/service-terms/#87._Amazon_GuardDuty

Examples:

Request syntax with placeholder values


resp = client.create_malware_protection_plan({
  client_token: "ClientToken",
  role: "String", # required
  protected_resource: { # required
    s3_bucket: {
      bucket_name: "String",
      object_prefixes: ["String"],
    },
  },
  actions: {
    tagging: {
      status: "ENABLED", # accepts ENABLED, DISABLED
    },
  },
  tags: {
    "TagKey" => "TagValue",
  },
})

Response structure


resp.malware_protection_plan_id #=> String

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:client_token (String) —

The idempotency token for the create request.

**A suitable default value is auto-generated.** You should normally not need to pass this option.**
:role (required, String) —

Amazon Resource Name (ARN) of the IAM role that has the permissions to scan and add tags to the associated protected resource.
:protected_resource (required, Types::CreateProtectedResource) —

Information about the protected resource that is associated with the created Malware Protection plan. Presently, ‘S3Bucket` is the only supported protected resource.
:actions (Types::MalwareProtectionPlanActions) —

Information about whether the tags will be added to the S3 object after scanning.
:tags (Hash<String,String>) —

Tags added to the Malware Protection plan resource.

Returns:

(Types::CreateMalwareProtectionPlanResponse) —
Returns a response object which responds to the following methods:
- #malware_protection_plan_id => String

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 2363

def create_malware_protection_plan(params = {}, options = {})
  req = build_request(:create_malware_protection_plan, params)
  req.send_request(options)
end

#create_members(params = {}) ⇒ `Types::CreateMembersResponse`

Creates member accounts of the current Amazon Web Services account by specifying a list of Amazon Web Services account IDs. This step is a prerequisite for managing the associated member accounts either by invitation or through an organization.

As a delegated administrator, using ‘CreateMembers` will enable GuardDuty in the added member accounts, with the exception of the organization delegated administrator account. A delegated administrator must enable GuardDuty prior to being added as a member.

When you use CreateMembers as an Organizations delegated administrator, GuardDuty applies your organization’s auto-enable settings to the member accounts in this request, irrespective of the accounts being new or existing members. For more information about the existing auto-enable settings for your organization, see [DescribeOrganizationConfiguration].

If you disassociate a member account that was added by invitation, the member account details obtained from this API, including the associated email addresses, will be retained. This is done so that the delegated administrator can invoke the [InviteMembers] API without the need to invoke the CreateMembers API again. To remove the details associated with a member account, the delegated administrator must invoke the [DeleteMembers] API.

When the member accounts added through Organizations are later disassociated, you (administrator) can’t invite them by calling the InviteMembers API. You can create an association with these member accounts again only by calling the CreateMembers API.

[1]: docs.aws.amazon.com/guardduty/latest/APIReference/API_DescribeOrganizationConfiguration.html [2]: docs.aws.amazon.com/guardduty/latest/APIReference/API_InviteMembers.html [3]: docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteMembers.html

Examples:

Request syntax with placeholder values


resp = client.create_members({
  detector_id: "DetectorId", # required
  account_details: [ # required
    {
      account_id: "AccountId", # required
      email: "Email", # required
    },
  ],
})

Response structure


resp.unprocessed_accounts #=> Array
resp.unprocessed_accounts[0].account_id #=> String
resp.unprocessed_accounts[0].result #=> String

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:detector_id (required, String) —

The unique ID of the detector of the GuardDuty account for which you want to associate member accounts.

To find the ‘detectorId` in the current Region, see the Settings page in the GuardDuty console, or run the [ListDetectors] API.

[1]: docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html
:account_details (required, Array<Types::AccountDetail>) —

A list of account ID and email address pairs of the accounts that you want to associate with the GuardDuty administrator account.

Returns:

(Types::CreateMembersResponse) —
Returns a response object which responds to the following methods:
- #unprocessed_accounts => Array<Types::UnprocessedAccount>

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 2445

def create_members(params = {}, options = {})
  req = build_request(:create_members, params)
  req.send_request(options)
end

#create_publishing_destination(params = {}) ⇒ `Types::CreatePublishingDestinationResponse`

Creates a publishing destination where you can export your GuardDuty findings. Before you start exporting the findings, the destination resource must exist.

Examples:

Request syntax with placeholder values


resp = client.create_publishing_destination({
  detector_id: "DetectorId", # required
  destination_type: "S3", # required, accepts S3
  destination_properties: { # required
    destination_arn: "String",
    kms_key_arn: "String",
  },
  client_token: "ClientToken",
  tags: {
    "TagKey" => "TagValue",
  },
})

Response structure


resp.destination_id #=> String

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:detector_id (required, String) —

The ID of the GuardDuty detector associated with the publishing destination.

To find the ‘detectorId` in the current Region, see the Settings page in the GuardDuty console, or run the [ListDetectors] API.

[1]: docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html
:destination_type (required, String) —

The type of resource for the publishing destination. Currently only Amazon S3 buckets are supported.
:destination_properties (required, Types::DestinationProperties) —

The properties of the publishing destination, including the ARNs for the destination and the KMS key used for encryption.
:client_token (String) —

The idempotency token for the request.

**A suitable default value is auto-generated.** You should normally not need to pass this option.**
:tags (Hash<String,String>) —

The tags to be added to a new publishing destination resource.

Returns:

(Types::CreatePublishingDestinationResponse) —
Returns a response object which responds to the following methods:
- #destination_id => String

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 2509

def create_publishing_destination(params = {}, options = {})
  req = build_request(:create_publishing_destination, params)
  req.send_request(options)
end

#create_sample_findings(params = {}) ⇒ `Struct`

Generates sample findings of types specified by the list of finding types. If ‘NULL’ is specified for ‘findingTypes`, the API generates sample findings of all supported finding types.

Examples:

Request syntax with placeholder values


resp = client.create_sample_findings({
  detector_id: "DetectorId", # required
  finding_types: ["FindingType"],
})

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:detector_id (required, String) —

The ID of the detector for which you need to create sample findings.

To find the ‘detectorId` in the current Region, see the Settings page in the GuardDuty console, or run the [ListDetectors] API.

[1]: docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html
:finding_types (Array<String>) —

The types of sample findings to generate.

Returns:

(Struct) —

Returns an empty response.

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 2544

def create_sample_findings(params = {}, options = {})
  req = build_request(:create_sample_findings, params)
  req.send_request(options)
end

#create_threat_entity_set(params = {}) ⇒ `Types::CreateThreatEntitySetResponse`

Creates a new threat entity set. In a threat entity set, you can provide known malicious threat entities for your Amazon Web Services environment. GuardDuty generates findings based on the entries in the threat entity sets. Only users of the administrator account can manage entity sets, which automatically apply to member accounts.

Examples:

Request syntax with placeholder values


resp = client.create_threat_entity_set({
  detector_id: "DetectorId", # required
  name: "Name", # required
  format: "TXT", # required, accepts TXT, STIX, OTX_CSV, ALIEN_VAULT, PROOF_POINT, FIRE_EYE
  location: "Location", # required
  expected_bucket_owner: "ExpectedBucketOwner",
  activate: false, # required
  client_token: "ClientToken",
  tags: {
    "TagKey" => "TagValue",
  },
})

Response structure


resp.threat_entity_set_id #=> String

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:detector_id (required, String) —

The unique ID of the detector of the GuardDuty account for which you want to create a threat entity set.

To find the ‘detectorId` in the current Region, see the Settings page in the GuardDuty console, or run the [ListDetectors] API.

[1]: docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html
:name (required, String) —

A user-friendly name to identify the threat entity set.

The name of your list can include lowercase letters, uppercase letters, numbers, dash (-), and underscore (_).
:format (required, String) —

The format of the file that contains the threat entity set.
:location (required, String) —

The URI of the file that contains the threat entity set. The format of the ‘Location` URL must be a valid Amazon S3 URL format. Invalid URL formats will result in an error, regardless of whether you activate the entity set or not. For more information about format of the location URLs, see [Format of location URL under Step 2: Adding trusted or threat intelligence data] in the *Amazon GuardDuty User Guide*.

[1]: docs.aws.amazon.com/guardduty/latest/ug/guardduty-lists-create-activate.html
:expected_bucket_owner (String) —

The Amazon Web Services account ID that owns the Amazon S3 bucket specified in the location parameter.
:activate (required, Boolean) —

A boolean value that indicates whether GuardDuty should start using the uploaded threat entity set to generate findings.
:client_token (String) —

The idempotency token for the create request.

**A suitable default value is auto-generated.** You should normally not need to pass this option.**
:tags (Hash<String,String>) —

The tags to be added to a new threat entity set resource.

Returns:

(Types::CreateThreatEntitySetResponse) —
Returns a response object which responds to the following methods:
- #threat_entity_set_id => String

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 2632

def create_threat_entity_set(params = {}, options = {})
  req = build_request(:create_threat_entity_set, params)
  req.send_request(options)
end

#create_threat_intel_set(params = {}) ⇒ `Types::CreateThreatIntelSetResponse`

Creates a new ThreatIntelSet. ThreatIntelSets consist of known malicious IP addresses. GuardDuty generates findings based on ThreatIntelSets. Only users of the administrator account can use this operation.

Examples:

Request syntax with placeholder values


resp = client.create_threat_intel_set({
  detector_id: "DetectorId", # required
  name: "Name", # required
  format: "TXT", # required, accepts TXT, STIX, OTX_CSV, ALIEN_VAULT, PROOF_POINT, FIRE_EYE
  location: "Location", # required
  activate: false, # required
  client_token: "ClientToken",
  tags: {
    "TagKey" => "TagValue",
  },
  expected_bucket_owner: "AccountId",
})

Response structure


resp.threat_intel_set_id #=> String

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:detector_id (required, String) —

The unique ID of the detector of the GuardDuty account for which you want to create a ‘threatIntelSet`.

To find the ‘detectorId` in the current Region, see the Settings page in the GuardDuty console, or run the [ListDetectors] API.

[1]: docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html
:name (required, String) —

A user-friendly ThreatIntelSet name displayed in all findings that are generated by activity that involves IP addresses included in this ThreatIntelSet.
:format (required, String) —

The format of the file that contains the ThreatIntelSet.
:location (required, String) —

The URI of the file that contains the ThreatIntelSet.
:activate (required, Boolean) —

A Boolean value that indicates whether GuardDuty is to start using the uploaded ThreatIntelSet.
:client_token (String) —

The idempotency token for the create request.

**A suitable default value is auto-generated.** You should normally not need to pass this option.**
:tags (Hash<String,String>) —

The tags to be added to a new threat list resource.
:expected_bucket_owner (String) —

The Amazon Web Services account ID that owns the Amazon S3 bucket specified in the location parameter.

Returns:

(Types::CreateThreatIntelSetResponse) —
Returns a response object which responds to the following methods:
- #threat_intel_set_id => String

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 2708

def create_threat_intel_set(params = {}, options = {})
  req = build_request(:create_threat_intel_set, params)
  req.send_request(options)
end

#create_trusted_entity_set(params = {}) ⇒ `Types::CreateTrustedEntitySetResponse`

Creates a new trusted entity set. In the trusted entity set, you can provide IP addresses and domains that you believe are secure for communication in your Amazon Web Services environment. GuardDuty will not generate findings for the entries that are specified in a trusted entity set. At any given time, you can have only one trusted entity set.

Only users of the administrator account can manage the entity sets, which automatically apply to member accounts.

Examples:

Request syntax with placeholder values


resp = client.create_trusted_entity_set({
  detector_id: "DetectorId", # required
  name: "Name", # required
  format: "TXT", # required, accepts TXT, STIX, OTX_CSV, ALIEN_VAULT, PROOF_POINT, FIRE_EYE
  location: "Location", # required
  expected_bucket_owner: "ExpectedBucketOwner",
  activate: false, # required
  client_token: "ClientToken",
  tags: {
    "TagKey" => "TagValue",
  },
})

Response structure


resp.trusted_entity_set_id #=> String

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:detector_id (required, String) —

The unique ID of the detector of the GuardDuty account for which you want to create a trusted entity set.

To find the ‘detectorId` in the current Region, see the Settings page in the GuardDuty console, or run the [ListDetectors] API.

[1]: docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html
:name (required, String) —

A user-friendly name to identify the trusted entity set.

The name of your list can include lowercase letters, uppercase letters, numbers, dash (-), and underscore (_).
:format (required, String) —

The format of the file that contains the trusted entity set.
:location (required, String) —

The URI of the file that contains the threat entity set. The format of the ‘Location` URL must be a valid Amazon S3 URL format. Invalid URL formats will result in an error, regardless of whether you activate the entity set or not. For more information about format of the location URLs, see [Format of location URL under Step 2: Adding trusted or threat intelligence data] in the *Amazon GuardDuty User Guide*.

[1]: docs.aws.amazon.com/guardduty/latest/ug/guardduty-lists-create-activate.html
:expected_bucket_owner (String) —

The Amazon Web Services account ID that owns the Amazon S3 bucket specified in the location parameter.
:activate (required, Boolean) —

A boolean value that indicates whether GuardDuty is to start using the uploaded trusted entity set.
:client_token (String) —

The idempotency token for the create request.

**A suitable default value is auto-generated.** You should normally not need to pass this option.**
:tags (Hash<String,String>) —

The tags to be added to a new trusted entity set resource.

Returns:

(Types::CreateTrustedEntitySetResponse) —
Returns a response object which responds to the following methods:
- #trusted_entity_set_id => String

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 2800

def create_trusted_entity_set(params = {}, options = {})
  req = build_request(:create_trusted_entity_set, params)
  req.send_request(options)
end

#decline_invitations(params = {}) ⇒ `Types::DeclineInvitationsResponse`

Declines invitations sent to the current member account by Amazon Web Services accounts specified by their account IDs.

Examples:

Request syntax with placeholder values


resp = client.decline_invitations({
  account_ids: ["AccountId"], # required
})

Response structure


resp.unprocessed_accounts #=> Array
resp.unprocessed_accounts[0].account_id #=> String
resp.unprocessed_accounts[0].result #=> String

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:account_ids (required, Array<String>) —

A list of account IDs of the Amazon Web Services accounts that sent invitations to the current member account that you want to decline invitations from.

Returns:

(Types::DeclineInvitationsResponse) —
Returns a response object which responds to the following methods:
- #unprocessed_accounts => Array<Types::UnprocessedAccount>

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 2833

def decline_invitations(params = {}, options = {})
  req = build_request(:decline_invitations, params)
  req.send_request(options)
end

#delete_detector(params = {}) ⇒ `Struct`

Deletes an Amazon GuardDuty detector that is specified by the detector ID.

Examples:

Request syntax with placeholder values


resp = client.delete_detector({
  detector_id: "DetectorId", # required
})

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:detector_id (required, String) —

The unique ID of the detector that you want to delete.

To find the ‘detectorId` in the current Region, see the Settings page in the GuardDuty console, or run the [ListDetectors] API.

[1]: docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html

Returns:

(Struct) —

Returns an empty response.

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 2863

def delete_detector(params = {}, options = {})
  req = build_request(:delete_detector, params)
  req.send_request(options)
end

#delete_filter(params = {}) ⇒ `Struct`

Deletes the filter specified by the filter name.

Examples:

Request syntax with placeholder values


resp = client.delete_filter({
  detector_id: "DetectorId", # required
  filter_name: "String", # required
})

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:detector_id (required, String) —

The unique ID of the detector that is associated with the filter.

To find the ‘detectorId` in the current Region, see the Settings page in the GuardDuty console, or run the [ListDetectors] API.

[1]: docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html
:filter_name (required, String) —

The name of the filter that you want to delete.

Returns:

(Struct) —

Returns an empty response.

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 2896

def delete_filter(params = {}, options = {})
  req = build_request(:delete_filter, params)
  req.send_request(options)
end

#delete_invitations(params = {}) ⇒ `Types::DeleteInvitationsResponse`

Deletes invitations sent to the current member account by Amazon Web Services accounts specified by their account IDs.

Examples:

Request syntax with placeholder values


resp = client.delete_invitations({
  account_ids: ["AccountId"], # required
})

Response structure


resp.unprocessed_accounts #=> Array
resp.unprocessed_accounts[0].account_id #=> String
resp.unprocessed_accounts[0].result #=> String

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:account_ids (required, Array<String>) —

A list of account IDs of the Amazon Web Services accounts that sent invitations to the current member account that you want to delete invitations from.

Returns:

(Types::DeleteInvitationsResponse) —
Returns a response object which responds to the following methods:
- #unprocessed_accounts => Array<Types::UnprocessedAccount>

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 2963

def delete_invitations(params = {}, options = {})
  req = build_request(:delete_invitations, params)
  req.send_request(options)
end

#delete_ip_set(params = {}) ⇒ `Struct`

Deletes the IPSet specified by the ‘ipSetId`. IPSets are called trusted IP lists in the console user interface.

Examples:

Request syntax with placeholder values


resp = client.delete_ip_set({
  detector_id: "DetectorId", # required
  ip_set_id: "String", # required
})

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:detector_id (required, String) —

The unique ID of the detector associated with the IPSet.

To find the ‘detectorId` in the current Region, see the Settings page in the GuardDuty console, or run the [ListDetectors] API.

[1]: docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html
:ip_set_id (required, String) —

The unique ID of the IPSet to delete.

Returns:

(Struct) —

Returns an empty response.

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 2930

def delete_ip_set(params = {}, options = {})
  req = build_request(:delete_ip_set, params)
  req.send_request(options)
end

#delete_malware_protection_plan(params = {}) ⇒ `Struct`

Deletes the Malware Protection plan ID associated with the Malware Protection plan resource. Use this API only when you no longer want to protect the resource associated with this Malware Protection plan ID.

Examples:

Request syntax with placeholder values


resp = client.delete_malware_protection_plan({
  malware_protection_plan_id: "String", # required
})

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:malware_protection_plan_id (required, String) —

A unique identifier associated with Malware Protection plan resource.

Returns:

(Struct) —

Returns an empty response.

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 2987

def delete_malware_protection_plan(params = {}, options = {})
  req = build_request(:delete_malware_protection_plan, params)
  req.send_request(options)
end

#delete_members(params = {}) ⇒ `Types::DeleteMembersResponse`

Deletes GuardDuty member accounts (to the current GuardDuty administrator account) specified by the account IDs.

With ‘autoEnableOrganizationMembers` configuration for your organization set to `ALL`, you’ll receive an error if you attempt to disable GuardDuty for a member account in your organization.

Examples:

Request syntax with placeholder values


resp = client.delete_members({
  detector_id: "DetectorId", # required
  account_ids: ["AccountId"], # required
})

Response structure


resp.unprocessed_accounts #=> Array
resp.unprocessed_accounts[0].account_id #=> String
resp.unprocessed_accounts[0].result #=> String

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:detector_id (required, String) —

The unique ID of the detector of the GuardDuty account whose members you want to delete.

To find the ‘detectorId` in the current Region, see the Settings page in the GuardDuty console, or run the [ListDetectors] API.

[1]: docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html
:account_ids (required, Array<String>) —

A list of account IDs of the GuardDuty member accounts that you want to delete.

Returns:

(Types::DeleteMembersResponse) —
Returns a response object which responds to the following methods:
- #unprocessed_accounts => Array<Types::UnprocessedAccount>

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 3035

def delete_members(params = {}, options = {})
  req = build_request(:delete_members, params)
  req.send_request(options)
end

#delete_publishing_destination(params = {}) ⇒ `Struct`

Deletes the publishing definition with the specified ‘destinationId`.

Examples:

Request syntax with placeholder values


resp = client.delete_publishing_destination({
  detector_id: "DetectorId", # required
  destination_id: "String", # required
})

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:detector_id (required, String) —

The unique ID of the detector associated with the publishing destination to delete.

To find the ‘detectorId` in the current Region, see the Settings page in the GuardDuty console, or run the [ListDetectors] API.

[1]: docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html
:destination_id (required, String) —

The ID of the publishing destination to delete.

Returns:

(Struct) —

Returns an empty response.

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 3069

def delete_publishing_destination(params = {}, options = {})
  req = build_request(:delete_publishing_destination, params)
  req.send_request(options)
end

#delete_threat_entity_set(params = {}) ⇒ `Struct`

Deletes the threat entity set that is associated with the specified ‘threatEntitySetId`.

Examples:

Request syntax with placeholder values


resp = client.delete_threat_entity_set({
  detector_id: "DetectorId", # required
  threat_entity_set_id: "String", # required
})

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:detector_id (required, String) —

The unique ID of the detector associated with the threat entity set resource.

To find the ‘detectorId` in the current Region, see the Settings page in the GuardDuty console, or run the [ListDetectors] API.

[1]: docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html
:threat_entity_set_id (required, String) —

The unique ID that helps GuardDuty identify which threat entity set needs to be deleted.

Returns:

(Struct) —

Returns an empty response.

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 3105

def delete_threat_entity_set(params = {}, options = {})
  req = build_request(:delete_threat_entity_set, params)
  req.send_request(options)
end

#delete_threat_intel_set(params = {}) ⇒ `Struct`

Deletes the ThreatIntelSet specified by the ThreatIntelSet ID.

Examples:

Request syntax with placeholder values


resp = client.delete_threat_intel_set({
  detector_id: "DetectorId", # required
  threat_intel_set_id: "String", # required
})

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:detector_id (required, String) —

The unique ID of the detector that is associated with the threatIntelSet.

To find the ‘detectorId` in the current Region, see the Settings page in the GuardDuty console, or run the [ListDetectors] API.

[1]: docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html
:threat_intel_set_id (required, String) —

The unique ID of the threatIntelSet that you want to delete.

Returns:

(Struct) —

Returns an empty response.

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 3139

def delete_threat_intel_set(params = {}, options = {})
  req = build_request(:delete_threat_intel_set, params)
  req.send_request(options)
end

#delete_trusted_entity_set(params = {}) ⇒ `Struct`

Deletes the trusted entity set that is associated with the specified ‘trustedEntitySetId`.

Examples:

Request syntax with placeholder values


resp = client.delete_trusted_entity_set({
  detector_id: "DetectorId", # required
  trusted_entity_set_id: "String", # required
})

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:detector_id (required, String) —

The unique ID of the detector associated with the trusted entity set resource.

To find the ‘detectorId` in the current Region, see the Settings page in the GuardDuty console, or run the [ListDetectors] API.

[1]: docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html
:trusted_entity_set_id (required, String) —

The unique ID that helps GuardDuty identify which trusted entity set needs to be deleted.

Returns:

(Struct) —

Returns an empty response.

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 3175

def delete_trusted_entity_set(params = {}, options = {})
  req = build_request(:delete_trusted_entity_set, params)
  req.send_request(options)
end

#describe_malware_scans(params = {}) ⇒ `Types::DescribeMalwareScansResponse`

Returns a list of malware scans. Each member account can view the malware scans for their own accounts. An administrator can view the malware scans for all the member accounts.

[1]: docs.aws.amazon.com/guardduty/latest/ug/guardduty_regions.html

The returned response is a pageable response and is Enumerable. For details on usage see PageableResponse.

Examples:

Request syntax with placeholder values


resp = client.describe_malware_scans({
  detector_id: "DetectorId", # required
  next_token: "String",
  max_results: 1,
  filter_criteria: {
    filter_criterion: [
      {
        criterion_key: "EC2_INSTANCE_ARN", # accepts EC2_INSTANCE_ARN, SCAN_ID, ACCOUNT_ID, GUARDDUTY_FINDING_ID, SCAN_START_TIME, SCAN_STATUS, SCAN_TYPE
        filter_condition: {
          equals_value: "NonEmptyString",
          greater_than: 1,
          less_than: 1,
        },
      },
    ],
  },
  sort_criteria: {
    attribute_name: "String",
    order_by: "ASC", # accepts ASC, DESC
  },
})

Response structure


resp.scans #=> Array
resp.scans[0].detector_id #=> String
resp.scans[0].admin_detector_id #=> String
resp.scans[0].scan_id #=> String
resp.scans[0].scan_status #=> String, one of "RUNNING", "COMPLETED", "FAILED", "SKIPPED"
resp.scans[0].failure_reason #=> String
resp.scans[0].scan_start_time #=> Time
resp.scans[0].scan_end_time #=> Time
resp.scans[0].trigger_details.guard_duty_finding_id #=> String
resp.scans[0].trigger_details.description #=> String
resp.scans[0].trigger_details.trigger_type #=> String, one of "BACKUP", "GUARDDUTY"
resp.scans[0].resource_details.instance_arn #=> String
resp.scans[0].scan_result_details.scan_result #=> String, one of "CLEAN", "INFECTED"
resp.scans[0].account_id #=> String
resp.scans[0].total_bytes #=> Integer
resp.scans[0].file_count #=> Integer
resp.scans[0].attached_volumes #=> Array
resp.scans[0].attached_volumes[0].volume_arn #=> String
resp.scans[0].attached_volumes[0].volume_type #=> String
resp.scans[0].attached_volumes[0].device_name #=> String
resp.scans[0].attached_volumes[0].volume_size_in_gb #=> Integer
resp.scans[0].attached_volumes[0].encryption_type #=> String
resp.scans[0].attached_volumes[0].snapshot_arn #=> String
resp.scans[0].attached_volumes[0].kms_key_arn #=> String
resp.scans[0].scan_type #=> String, one of "GUARDDUTY_INITIATED", "ON_DEMAND"
resp.next_token #=> String

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:detector_id (required, String) —

The unique ID of the detector that the request is associated with.

To find the ‘detectorId` in the current Region, see the Settings page in the GuardDuty console, or run the [ListDetectors] API.

[1]: docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html
:next_token (String) —

You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.
:max_results (Integer) —

You can use this parameter to indicate the maximum number of items that you want in the response. The default value is 50. The maximum value is 50.
:filter_criteria (Types::FilterCriteria) —

Represents the criteria to be used in the filter for describing scan entries.
:sort_criteria (Types::SortCriteria) —

Represents the criteria used for sorting scan entries. The [ ‘attributeName` ][1] is required and it must be `scanStartTime`.

[1]: docs.aws.amazon.com/guardduty/latest/APIReference/API_SortCriteria.html#guardduty-Type-SortCriteria-attributeName

Returns:

(Types::DescribeMalwareScansResponse) —
Returns a response object which responds to the following methods:
- #scans => Array<Types::Scan>
- #next_token => String

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 3291

def describe_malware_scans(params = {}, options = {})
  req = build_request(:describe_malware_scans, params)
  req.send_request(options)
end

#describe_organization_configuration(params = {}) ⇒ `Types::DescribeOrganizationConfigurationResponse`

Returns information about the account selected as the delegated administrator for GuardDuty.

[1]: docs.aws.amazon.com/guardduty/latest/ug/guardduty_regions.html

The returned response is a pageable response and is Enumerable. For details on usage see PageableResponse.

Examples:

Request syntax with placeholder values


resp = client.describe_organization_configuration({
  detector_id: "DetectorId", # required
  max_results: 1,
  next_token: "String",
})

Response structure


resp.auto_enable #=> Boolean
resp.member_account_limit_reached #=> Boolean
resp.data_sources.s3_logs.auto_enable #=> Boolean
resp.data_sources.kubernetes.audit_logs.auto_enable #=> Boolean
resp.data_sources.malware_protection.scan_ec2_instance_with_findings.ebs_volumes.auto_enable #=> Boolean
resp.features #=> Array
resp.features[0].name #=> String, one of "S3_DATA_EVENTS", "EKS_AUDIT_LOGS", "EBS_MALWARE_PROTECTION", "RDS_LOGIN_EVENTS", "LAMBDA_NETWORK_LOGS", "EKS_RUNTIME_MONITORING", "RUNTIME_MONITORING"
resp.features[0].auto_enable #=> String, one of "NEW", "NONE", "ALL"
resp.features[0].additional_configuration #=> Array
resp.features[0].additional_configuration[0].name #=> String, one of "EKS_ADDON_MANAGEMENT", "ECS_FARGATE_AGENT_MANAGEMENT", "EC2_AGENT_MANAGEMENT"
resp.features[0].additional_configuration[0].auto_enable #=> String, one of "NEW", "NONE", "ALL"
resp.next_token #=> String
resp.auto_enable_organization_members #=> String, one of "NEW", "ALL", "NONE"

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:detector_id (required, String) —

The detector ID of the delegated administrator for which you need to retrieve the information.

To find the ‘detectorId` in the current Region, see the Settings page in the GuardDuty console, or run the [ListDetectors] API.

[1]: docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html
:max_results (Integer) —

You can use this parameter to indicate the maximum number of items that you want in the response.
:next_token (String) —

You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill ‘nextToken` in the request with the value of `NextToken` from the previous response to continue listing data.

Returns:

(Types::DescribeOrganizationConfigurationResponse) —
Returns a response object which responds to the following methods:
- #auto_enable => Boolean
- #member_account_limit_reached => Boolean
- #data_sources => Types::OrganizationDataSourceConfigurationsResult
- #features => Array<Types::OrganizationFeatureConfigurationResult>
- #next_token => String
- #auto_enable_organization_members => String

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 3369

def describe_organization_configuration(params = {}, options = {})
  req = build_request(:describe_organization_configuration, params)
  req.send_request(options)
end

#describe_publishing_destination(params = {}) ⇒ `Types::DescribePublishingDestinationResponse`

Returns information about the publishing destination specified by the provided ‘destinationId`.

Examples:

Request syntax with placeholder values


resp = client.describe_publishing_destination({
  detector_id: "DetectorId", # required
  destination_id: "String", # required
})

Response structure


resp.destination_id #=> String
resp.destination_type #=> String, one of "S3"
resp.status #=> String, one of "PENDING_VERIFICATION", "PUBLISHING", "UNABLE_TO_PUBLISH_FIX_DESTINATION_PROPERTY", "STOPPED"
resp.publishing_failure_start_timestamp #=> Integer
resp.destination_properties.destination_arn #=> String
resp.destination_properties.kms_key_arn #=> String
resp.tags #=> Hash
resp.tags["TagKey"] #=> String

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:detector_id (required, String) —

The unique ID of the detector associated with the publishing destination to retrieve.

To find the ‘detectorId` in the current Region, see the Settings page in the GuardDuty console, or run the [ListDetectors] API.

[1]: docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html
:destination_id (required, String) —

The ID of the publishing destination to retrieve.

Returns:

(Types::DescribePublishingDestinationResponse) —
Returns a response object which responds to the following methods:
- #destination_id => String
- #destination_type => String
- #status => String
- #publishing_failure_start_timestamp => Integer
- #destination_properties => Types::DestinationProperties
- #tags => Hash<String,String>

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 3422

def describe_publishing_destination(params = {}, options = {})
  req = build_request(:describe_publishing_destination, params)
  req.send_request(options)
end

#disable_organization_admin_account(params = {}) ⇒ `Struct`

Removes the existing GuardDuty delegated administrator of the organization. Only the organization’s management account can run this API operation.

Examples:

Request syntax with placeholder values


resp = client.disable_organization_admin_account({
  admin_account_id: "String", # required
})

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:admin_account_id (required, String) —

The Amazon Web Services Account ID for the organizations account to be disabled as a GuardDuty delegated administrator.

Returns:

(Struct) —

Returns an empty response.

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 3447

def disable_organization_admin_account(params = {}, options = {})
  req = build_request(:disable_organization_admin_account, params)
  req.send_request(options)
end

#disassociate_from_administrator_account(params = {}) ⇒ `Struct`

Disassociates the current GuardDuty member account from its administrator account.

When you disassociate an invited member from a GuardDuty delegated administrator, the member account details obtained from the

CreateMembers][1: API, including the associated email addresses, are

retained. This is done so that the delegated administrator can invoke the [InviteMembers] API without the need to invoke the CreateMembers API again. To remove the details associated with a member account, the delegated administrator must invoke the

DeleteMembers][3: API.

With ‘autoEnableOrganizationMembers` configuration for your organization set to `ALL`, you’ll receive an error if you attempt to disable GuardDuty in a member account.

[1]: docs.aws.amazon.com/guardduty/latest/APIReference/API_CreateMembers.html [2]: docs.aws.amazon.com/guardduty/latest/APIReference/API_InviteMembers.html [3]: docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteMembers.html

Examples:

Request syntax with placeholder values


resp = client.disassociate_from_administrator_account({
  detector_id: "DetectorId", # required
})

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:detector_id (required, String) —

The unique ID of the detector of the GuardDuty member account.

Returns:

(Struct) —

Returns an empty response.

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 3489

def disassociate_from_administrator_account(params = {}, options = {})
  req = build_request(:disassociate_from_administrator_account, params)
  req.send_request(options)
end

#disassociate_from_master_account(params = {}) ⇒ `Struct`

Disassociates the current GuardDuty member account from its administrator account.

When you disassociate an invited member from a GuardDuty delegated administrator, the member account details obtained from the

CreateMembers][1: API, including the associated email addresses, are

DeleteMembers][3: API.

Examples:

Request syntax with placeholder values


resp = client.disassociate_from_master_account({
  detector_id: "DetectorId", # required
})

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:detector_id (required, String) —

The unique ID of the detector of the GuardDuty member account.

Returns:

(Struct) —

Returns an empty response.

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 3527

def disassociate_from_master_account(params = {}, options = {})
  req = build_request(:disassociate_from_master_account, params)
  req.send_request(options)
end

#disassociate_members(params = {}) ⇒ `Types::DisassociateMembersResponse`

Disassociates GuardDuty member accounts (from the current administrator account) specified by the account IDs.

When you disassociate an invited member from a GuardDuty delegated administrator, the member account details obtained from the

CreateMembers][1: API, including the associated email addresses, are

DeleteMembers][3: API.

With ‘autoEnableOrganizationMembers` configuration for your organization set to `ALL`, you’ll receive an error if you attempt to disassociate a member account before removing them from your organization.

Examples:

Request syntax with placeholder values


resp = client.disassociate_members({
  detector_id: "DetectorId", # required
  account_ids: ["AccountId"], # required
})

Response structure


resp.unprocessed_accounts #=> Array
resp.unprocessed_accounts[0].account_id #=> String
resp.unprocessed_accounts[0].result #=> String

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:detector_id (required, String) —

The unique ID of the detector of the GuardDuty account whose members you want to disassociate from the administrator account.
:account_ids (required, Array<String>) —

A list of account IDs of the GuardDuty member accounts that you want to disassociate from the administrator account.

Returns:

(Types::DisassociateMembersResponse) —
Returns a response object which responds to the following methods:
- #unprocessed_accounts => Array<Types::UnprocessedAccount>

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 3597

def disassociate_members(params = {}, options = {})
  req = build_request(:disassociate_members, params)
  req.send_request(options)
end

#enable_organization_admin_account(params = {}) ⇒ `Struct`

Designates an Amazon Web Services account within the organization as your GuardDuty delegated administrator. Only the organization’s management account can run this API operation.

Examples:

Request syntax with placeholder values


resp = client.enable_organization_admin_account({
  admin_account_id: "String", # required
})

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:admin_account_id (required, String) —

The Amazon Web Services account ID for the organization account to be enabled as a GuardDuty delegated administrator.

Returns:

(Struct) —

Returns an empty response.

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 3622

def enable_organization_admin_account(params = {}, options = {})
  req = build_request(:enable_organization_admin_account, params)
  req.send_request(options)
end

#get_administrator_account(params = {}) ⇒ `Types::GetAdministratorAccountResponse`

Provides the details of the GuardDuty administrator account associated with the current GuardDuty member account.

Based on the type of account that runs this API, the following list shows how the API behavior varies:

When the GuardDuty administrator account runs this API, it will return success (‘HTTP 200`) but no content.
When a member account runs this API, it will return the details of the GuardDuty administrator account that is associated with this calling member account.
When an individual account (not associated with an organization) runs this API, it will return success (‘HTTP 200`) but no content.

Examples:

Request syntax with placeholder values


resp = client.get_administrator_account({
  detector_id: "DetectorId", # required
})

Response structure


resp.administrator.account_id #=> String
resp.administrator.invitation_id #=> String
resp.administrator.relationship_status #=> String
resp.administrator.invited_at #=> String

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:detector_id (required, String) —

The unique ID of the detector of the GuardDuty member account.

Returns:

(Types::GetAdministratorAccountResponse) —
Returns a response object which responds to the following methods:
- #administrator => Types::Administrator

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 3667

def get_administrator_account(params = {}, options = {})
  req = build_request(:get_administrator_account, params)
  req.send_request(options)
end

#get_coverage_statistics(params = {}) ⇒ `Types::GetCoverageStatisticsResponse`

Retrieves aggregated statistics for your account. If you are a GuardDuty administrator, you can retrieve the statistics for all the resources associated with the active member accounts in your organization who have enabled Runtime Monitoring and have the GuardDuty security agent running on their resources.

Examples:

Request syntax with placeholder values


resp = client.get_coverage_statistics({
  detector_id: "DetectorId", # required
  filter_criteria: {
    filter_criterion: [
      {
        criterion_key: "ACCOUNT_ID", # accepts ACCOUNT_ID, RESOURCE_TYPE, COVERAGE_STATUS, ADDON_VERSION, CLUSTER_NAME, ECS_CLUSTER_NAME, MANAGEMENT_TYPE, EKS_CLUSTER_NAME, AGENT_VERSION, INSTANCE_ID, CLUSTER_ARN
        filter_condition: {
          equals: ["String"],
          not_equals: ["String"],
        },
      },
    ],
  },
  statistics_type: ["COUNT_BY_RESOURCE_TYPE"], # required, accepts COUNT_BY_RESOURCE_TYPE, COUNT_BY_COVERAGE_STATUS
})

Response structure


resp.coverage_statistics.count_by_resource_type #=> Hash
resp.coverage_statistics.count_by_resource_type["ResourceType"] #=> Integer
resp.coverage_statistics.count_by_coverage_status #=> Hash
resp.coverage_statistics.count_by_coverage_status["CoverageStatus"] #=> Integer

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:detector_id (required, String) —

The unique ID of the GuardDuty detector.

To find the ‘detectorId` in the current Region, see the Settings page in the GuardDuty console, or run the [ListDetectors] API.

[1]: docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html
:filter_criteria (Types::CoverageFilterCriteria) —

Represents the criteria used to filter the coverage statistics.
:statistics_type (required, Array<String>) —

Represents the statistics type used to aggregate the coverage details.

Returns:

(Types::GetCoverageStatisticsResponse) —
Returns a response object which responds to the following methods:
- #coverage_statistics => Types::CoverageStatistics

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 3727

def get_coverage_statistics(params = {}, options = {})
  req = build_request(:get_coverage_statistics, params)
  req.send_request(options)
end

#get_detector(params = {}) ⇒ `Types::GetDetectorResponse`

Retrieves a GuardDuty detector specified by the detectorId.

[1]: docs.aws.amazon.com/guardduty/latest/ug/guardduty_regions.html

Examples:

Request syntax with placeholder values


resp = client.get_detector({
  detector_id: "DetectorId", # required
})

Response structure


resp.created_at #=> String
resp.finding_publishing_frequency #=> String, one of "FIFTEEN_MINUTES", "ONE_HOUR", "SIX_HOURS"
resp.service_role #=> String
resp.status #=> String, one of "ENABLED", "DISABLED"
resp.updated_at #=> String
resp.data_sources.cloud_trail.status #=> String, one of "ENABLED", "DISABLED"
resp.data_sources.dns_logs.status #=> String, one of "ENABLED", "DISABLED"
resp.data_sources.flow_logs.status #=> String, one of "ENABLED", "DISABLED"
resp.data_sources.s3_logs.status #=> String, one of "ENABLED", "DISABLED"
resp.data_sources.kubernetes.audit_logs.status #=> String, one of "ENABLED", "DISABLED"
resp.data_sources.malware_protection.scan_ec2_instance_with_findings.ebs_volumes.status #=> String, one of "ENABLED", "DISABLED"
resp.data_sources.malware_protection.scan_ec2_instance_with_findings.ebs_volumes.reason #=> String
resp.data_sources.malware_protection.service_role #=> String
resp.tags #=> Hash
resp.tags["TagKey"] #=> String
resp.features #=> Array
resp.features[0].name #=> String, one of "FLOW_LOGS", "CLOUD_TRAIL", "DNS_LOGS", "S3_DATA_EVENTS", "EKS_AUDIT_LOGS", "EBS_MALWARE_PROTECTION", "RDS_LOGIN_EVENTS", "LAMBDA_NETWORK_LOGS", "EKS_RUNTIME_MONITORING", "RUNTIME_MONITORING"
resp.features[0].status #=> String, one of "ENABLED", "DISABLED"
resp.features[0].updated_at #=> Time
resp.features[0].additional_configuration #=> Array
resp.features[0].additional_configuration[0].name #=> String, one of "EKS_ADDON_MANAGEMENT", "ECS_FARGATE_AGENT_MANAGEMENT", "EC2_AGENT_MANAGEMENT"
resp.features[0].additional_configuration[0].status #=> String, one of "ENABLED", "DISABLED"
resp.features[0].additional_configuration[0].updated_at #=> Time

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:detector_id (required, String) —

The unique ID of the detector that you want to get.

To find the ‘detectorId` in the current Region, see the Settings page in the GuardDuty console, or run the [ListDetectors] API.

[1]: docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html

Returns:

(Types::GetDetectorResponse) —
Returns a response object which responds to the following methods:
- #created_at => String
- #finding_publishing_frequency => String
- #service_role => String
- #status => String
- #updated_at => String
- #data_sources => Types::DataSourceConfigurationsResult
- #tags => Hash<String,String>
- #features => Array<Types::DetectorFeatureConfigurationResult>

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 3800

def get_detector(params = {}, options = {})
  req = build_request(:get_detector, params)
  req.send_request(options)
end

#get_filter(params = {}) ⇒ `Types::GetFilterResponse`

Returns the details of the filter specified by the filter name.

Examples:

Request syntax with placeholder values


resp = client.get_filter({
  detector_id: "DetectorId", # required
  filter_name: "String", # required
})

Response structure


resp.name #=> String
resp.description #=> String
resp.action #=> String, one of "NOOP", "ARCHIVE"
resp.rank #=> Integer
resp.finding_criteria.criterion #=> Hash
resp.finding_criteria.criterion["String"].eq #=> Array
resp.finding_criteria.criterion["String"].eq[0] #=> String
resp.finding_criteria.criterion["String"].neq #=> Array
resp.finding_criteria.criterion["String"].neq[0] #=> String
resp.finding_criteria.criterion["String"].gt #=> Integer
resp.finding_criteria.criterion["String"].gte #=> Integer
resp.finding_criteria.criterion["String"].lt #=> Integer
resp.finding_criteria.criterion["String"].lte #=> Integer
resp.finding_criteria.criterion["String"].equals #=> Array
resp.finding_criteria.criterion["String"].equals[0] #=> String
resp.finding_criteria.criterion["String"].not_equals #=> Array
resp.finding_criteria.criterion["String"].not_equals[0] #=> String
resp.finding_criteria.criterion["String"].greater_than #=> Integer
resp.finding_criteria.criterion["String"].greater_than_or_equal #=> Integer
resp.finding_criteria.criterion["String"].less_than #=> Integer
resp.finding_criteria.criterion["String"].less_than_or_equal #=> Integer
resp.finding_criteria.criterion["String"].matches #=> Array
resp.finding_criteria.criterion["String"].matches[0] #=> String
resp.finding_criteria.criterion["String"].not_matches #=> Array
resp.finding_criteria.criterion["String"].not_matches[0] #=> String
resp.tags #=> Hash
resp.tags["TagKey"] #=> String

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:detector_id (required, String) —

The unique ID of the detector that is associated with this filter.

To find the ‘detectorId` in the current Region, see the Settings page in the GuardDuty console, or run the [ListDetectors] API.

[1]: docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html
:filter_name (required, String) —

The name of the filter you want to get.

Returns:

(Types::GetFilterResponse) —
Returns a response object which responds to the following methods:
- #name => String
- #description => String
- #action => String
- #rank => Integer
- #finding_criteria => Types::FindingCriteria
- #tags => Hash<String,String>

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 3870

def get_filter(params = {}, options = {})
  req = build_request(:get_filter, params)
  req.send_request(options)
end

#get_findings(params = {}) ⇒ `Types::GetFindingsResponse`

Describes Amazon GuardDuty findings specified by finding IDs.

Examples:

Request syntax with placeholder values


resp = client.get_findings({
  detector_id: "DetectorId", # required
  finding_ids: ["FindingId"], # required
  sort_criteria: {
    attribute_name: "String",
    order_by: "ASC", # accepts ASC, DESC
  },
})

Response structure


resp.findings #=> Array
resp.findings[0].account_id #=> String
resp.findings[0].arn #=> String
resp.findings[0].confidence #=> Float
resp.findings[0].created_at #=> String
resp.findings[0].description #=> String
resp.findings[0].id #=> String
resp.findings[0].partition #=> String
resp.findings[0].region #=> String
resp.findings[0].resource.access_key_details.access_key_id #=> String
resp.findings[0].resource.access_key_details.principal_id #=> String
resp.findings[0].resource.access_key_details.user_name #=> String
resp.findings[0].resource.access_key_details.user_type #=> String
resp.findings[0].resource.s3_bucket_details #=> Array
resp.findings[0].resource.s3_bucket_details[0].arn #=> String
resp.findings[0].resource.s3_bucket_details[0].name #=> String
resp.findings[0].resource.s3_bucket_details[0].type #=> String
resp.findings[0].resource.s3_bucket_details[0].created_at #=> Time
resp.findings[0].resource.s3_bucket_details[0].owner.id #=> String
resp.findings[0].resource.s3_bucket_details[0].tags #=> Array
resp.findings[0].resource.s3_bucket_details[0].tags[0].key #=> String
resp.findings[0].resource.s3_bucket_details[0].tags[0].value #=> String
resp.findings[0].resource.s3_bucket_details[0].default_server_side_encryption.encryption_type #=> String
resp.findings[0].resource.s3_bucket_details[0].default_server_side_encryption.kms_master_key_arn #=> String
resp.findings[0].resource.s3_bucket_details[0].public_access.permission_configuration.bucket_level_permissions.access_control_list.allows_public_read_access #=> Boolean
resp.findings[0].resource.s3_bucket_details[0].public_access.permission_configuration.bucket_level_permissions.access_control_list.allows_public_write_access #=> Boolean
resp.findings[0].resource.s3_bucket_details[0].public_access.permission_configuration.bucket_level_permissions.bucket_policy.allows_public_read_access #=> Boolean
resp.findings[0].resource.s3_bucket_details[0].public_access.permission_configuration.bucket_level_permissions.bucket_policy.allows_public_write_access #=> Boolean
resp.findings[0].resource.s3_bucket_details[0].public_access.permission_configuration.bucket_level_permissions.block_public_access.ignore_public_acls #=> Boolean
resp.findings[0].resource.s3_bucket_details[0].public_access.permission_configuration.bucket_level_permissions.block_public_access.restrict_public_buckets #=> Boolean
resp.findings[0].resource.s3_bucket_details[0].public_access.permission_configuration.bucket_level_permissions.block_public_access.block_public_acls #=> Boolean
resp.findings[0].resource.s3_bucket_details[0].public_access.permission_configuration.bucket_level_permissions.block_public_access.block_public_policy #=> Boolean
resp.findings[0].resource.s3_bucket_details[0].public_access.permission_configuration.account_level_permissions.block_public_access.ignore_public_acls #=> Boolean
resp.findings[0].resource.s3_bucket_details[0].public_access.permission_configuration.account_level_permissions.block_public_access.restrict_public_buckets #=> Boolean
resp.findings[0].resource.s3_bucket_details[0].public_access.permission_configuration.account_level_permissions.block_public_access.block_public_acls #=> Boolean
resp.findings[0].resource.s3_bucket_details[0].public_access.permission_configuration.account_level_permissions.block_public_access.block_public_policy #=> Boolean
resp.findings[0].resource.s3_bucket_details[0].public_access.effective_permission #=> String
resp.findings[0].resource.s3_bucket_details[0].s3_object_details #=> Array
resp.findings[0].resource.s3_bucket_details[0].s3_object_details[0].object_arn #=> String
resp.findings[0].resource.s3_bucket_details[0].s3_object_details[0].key #=> String
resp.findings[0].resource.s3_bucket_details[0].s3_object_details[0].etag #=> String
resp.findings[0].resource.s3_bucket_details[0].s3_object_details[0].hash #=> String
resp.findings[0].resource.s3_bucket_details[0].s3_object_details[0].version_id #=> String
resp.findings[0].resource.instance_details.availability_zone #=> String
resp.findings[0].resource.instance_details.iam_instance_profile.arn #=> String
resp.findings[0].resource.instance_details.iam_instance_profile.id #=> String
resp.findings[0].resource.instance_details.image_description #=> String
resp.findings[0].resource.instance_details.image_id #=> String
resp.findings[0].resource.instance_details.instance_id #=> String
resp.findings[0].resource.instance_details.instance_state #=> String
resp.findings[0].resource.instance_details.instance_type #=> String
resp.findings[0].resource.instance_details.outpost_arn #=> String
resp.findings[0].resource.instance_details.launch_time #=> String
resp.findings[0].resource.instance_details.network_interfaces #=> Array
resp.findings[0].resource.instance_details.network_interfaces[0].ipv_6_addresses #=> Array
resp.findings[0].resource.instance_details.network_interfaces[0].ipv_6_addresses[0] #=> String
resp.findings[0].resource.instance_details.network_interfaces[0].network_interface_id #=> String
resp.findings[0].resource.instance_details.network_interfaces[0].private_dns_name #=> String
resp.findings[0].resource.instance_details.network_interfaces[0].private_ip_address #=> String
resp.findings[0].resource.instance_details.network_interfaces[0].private_ip_addresses #=> Array
resp.findings[0].resource.instance_details.network_interfaces[0].private_ip_addresses[0].private_dns_name #=> String
resp.findings[0].resource.instance_details.network_interfaces[0].private_ip_addresses[0].private_ip_address #=> String
resp.findings[0].resource.instance_details.network_interfaces[0].public_dns_name #=> String
resp.findings[0].resource.instance_details.network_interfaces[0].public_ip #=> String
resp.findings[0].resource.instance_details.network_interfaces[0].security_groups #=> Array
resp.findings[0].resource.instance_details.network_interfaces[0].security_groups[0].group_id #=> String
resp.findings[0].resource.instance_details.network_interfaces[0].security_groups[0].group_name #=> String
resp.findings[0].resource.instance_details.network_interfaces[0].subnet_id #=> String
resp.findings[0].resource.instance_details.network_interfaces[0].vpc_id #=> String
resp.findings[0].resource.instance_details.platform #=> String
resp.findings[0].resource.instance_details.product_codes #=> Array
resp.findings[0].resource.instance_details.product_codes[0].code #=> String
resp.findings[0].resource.instance_details.product_codes[0].product_type #=> String
resp.findings[0].resource.instance_details.tags #=> Array
resp.findings[0].resource.instance_details.tags[0].key #=> String
resp.findings[0].resource.instance_details.tags[0].value #=> String
resp.findings[0].resource.eks_cluster_details.name #=> String
resp.findings[0].resource.eks_cluster_details.arn #=> String
resp.findings[0].resource.eks_cluster_details.vpc_id #=> String
resp.findings[0].resource.eks_cluster_details.status #=> String
resp.findings[0].resource.eks_cluster_details.tags #=> Array
resp.findings[0].resource.eks_cluster_details.tags[0].key #=> String
resp.findings[0].resource.eks_cluster_details.tags[0].value #=> String
resp.findings[0].resource.eks_cluster_details.created_at #=> Time
resp.findings[0].resource.kubernetes_details.kubernetes_user_details.username #=> String
resp.findings[0].resource.kubernetes_details.kubernetes_user_details.uid #=> String
resp.findings[0].resource.kubernetes_details.kubernetes_user_details.groups #=> Array
resp.findings[0].resource.kubernetes_details.kubernetes_user_details.groups[0] #=> String
resp.findings[0].resource.kubernetes_details.kubernetes_user_details.session_name #=> Array
resp.findings[0].resource.kubernetes_details.kubernetes_user_details.session_name[0] #=> String
resp.findings[0].resource.kubernetes_details.kubernetes_user_details.impersonated_user.username #=> String
resp.findings[0].resource.kubernetes_details.kubernetes_user_details.impersonated_user.groups #=> Array
resp.findings[0].resource.kubernetes_details.kubernetes_user_details.impersonated_user.groups[0] #=> String
resp.findings[0].resource.kubernetes_details.kubernetes_workload_details.name #=> String
resp.findings[0].resource.kubernetes_details.kubernetes_workload_details.type #=> String
resp.findings[0].resource.kubernetes_details.kubernetes_workload_details.uid #=> String
resp.findings[0].resource.kubernetes_details.kubernetes_workload_details.namespace #=> String
resp.findings[0].resource.kubernetes_details.kubernetes_workload_details.host_network #=> Boolean
resp.findings[0].resource.kubernetes_details.kubernetes_workload_details.service_account_name #=> String
resp.findings[0].resource.kubernetes_details.kubernetes_workload_details.containers #=> Array
resp.findings[0].resource.kubernetes_details.kubernetes_workload_details.containers[0].container_runtime #=> String
resp.findings[0].resource.kubernetes_details.kubernetes_workload_details.containers[0].id #=> String
resp.findings[0].resource.kubernetes_details.kubernetes_workload_details.containers[0].name #=> String
resp.findings[0].resource.kubernetes_details.kubernetes_workload_details.containers[0].image #=> String
resp.findings[0].resource.kubernetes_details.kubernetes_workload_details.containers[0].image_prefix #=> String
resp.findings[0].resource.kubernetes_details.kubernetes_workload_details.containers[0].volume_mounts #=> Array
resp.findings[0].resource.kubernetes_details.kubernetes_workload_details.containers[0].volume_mounts[0].name #=> String
resp.findings[0].resource.kubernetes_details.kubernetes_workload_details.containers[0].volume_mounts[0].mount_path #=> String
resp.findings[0].resource.kubernetes_details.kubernetes_workload_details.containers[0].security_context.privileged #=> Boolean
resp.findings[0].resource.kubernetes_details.kubernetes_workload_details.containers[0].security_context.allow_privilege_escalation #=> Boolean
resp.findings[0].resource.kubernetes_details.kubernetes_workload_details.volumes #=> Array
resp.findings[0].resource.kubernetes_details.kubernetes_workload_details.volumes[0].name #=> String
resp.findings[0].resource.kubernetes_details.kubernetes_workload_details.volumes[0].host_path.path #=> String
resp.findings[0].resource.kubernetes_details.kubernetes_workload_details.host_ipc #=> Boolean
resp.findings[0].resource.kubernetes_details.kubernetes_workload_details.host_pid #=> Boolean
resp.findings[0].resource.resource_type #=> String
resp.findings[0].resource.ebs_volume_details.scanned_volume_details #=> Array
resp.findings[0].resource.ebs_volume_details.scanned_volume_details[0].volume_arn #=> String
resp.findings[0].resource.ebs_volume_details.scanned_volume_details[0].volume_type #=> String
resp.findings[0].resource.ebs_volume_details.scanned_volume_details[0].device_name #=> String
resp.findings[0].resource.ebs_volume_details.scanned_volume_details[0].volume_size_in_gb #=> Integer
resp.findings[0].resource.ebs_volume_details.scanned_volume_details[0].encryption_type #=> String
resp.findings[0].resource.ebs_volume_details.scanned_volume_details[0].snapshot_arn #=> String
resp.findings[0].resource.ebs_volume_details.scanned_volume_details[0].kms_key_arn #=> String
resp.findings[0].resource.ebs_volume_details.skipped_volume_details #=> Array
resp.findings[0].resource.ebs_volume_details.skipped_volume_details[0].volume_arn #=> String
resp.findings[0].resource.ebs_volume_details.skipped_volume_details[0].volume_type #=> String
resp.findings[0].resource.ebs_volume_details.skipped_volume_details[0].device_name #=> String
resp.findings[0].resource.ebs_volume_details.skipped_volume_details[0].volume_size_in_gb #=> Integer
resp.findings[0].resource.ebs_volume_details.skipped_volume_details[0].encryption_type #=> String
resp.findings[0].resource.ebs_volume_details.skipped_volume_details[0].snapshot_arn #=> String
resp.findings[0].resource.ebs_volume_details.skipped_volume_details[0].kms_key_arn #=> String
resp.findings[0].resource.ecs_cluster_details.name #=> String
resp.findings[0].resource.ecs_cluster_details.arn #=> String
resp.findings[0].resource.ecs_cluster_details.status #=> String
resp.findings[0].resource.ecs_cluster_details.active_services_count #=> Integer
resp.findings[0].resource.ecs_cluster_details.registered_container_instances_count #=> Integer
resp.findings[0].resource.ecs_cluster_details.running_tasks_count #=> Integer
resp.findings[0].resource.ecs_cluster_details.tags #=> Array
resp.findings[0].resource.ecs_cluster_details.tags[0].key #=> String
resp.findings[0].resource.ecs_cluster_details.tags[0].value #=> String
resp.findings[0].resource.ecs_cluster_details.task_details.arn #=> String
resp.findings[0].resource.ecs_cluster_details.task_details.definition_arn #=> String
resp.findings[0].resource.ecs_cluster_details.task_details.version #=> String
resp.findings[0].resource.ecs_cluster_details.task_details.task_created_at #=> Time
resp.findings[0].resource.ecs_cluster_details.task_details.started_at #=> Time
resp.findings[0].resource.ecs_cluster_details.task_details.started_by #=> String
resp.findings[0].resource.ecs_cluster_details.task_details.tags #=> Array
resp.findings[0].resource.ecs_cluster_details.task_details.tags[0].key #=> String
resp.findings[0].resource.ecs_cluster_details.task_details.tags[0].value #=> String
resp.findings[0].resource.ecs_cluster_details.task_details.volumes #=> Array
resp.findings[0].resource.ecs_cluster_details.task_details.volumes[0].name #=> String
resp.findings[0].resource.ecs_cluster_details.task_details.volumes[0].host_path.path #=> String
resp.findings[0].resource.ecs_cluster_details.task_details.containers #=> Array
resp.findings[0].resource.ecs_cluster_details.task_details.containers[0].container_runtime #=> String
resp.findings[0].resource.ecs_cluster_details.task_details.containers[0].id #=> String
resp.findings[0].resource.ecs_cluster_details.task_details.containers[0].name #=> String
resp.findings[0].resource.ecs_cluster_details.task_details.containers[0].image #=> String
resp.findings[0].resource.ecs_cluster_details.task_details.containers[0].image_prefix #=> String
resp.findings[0].resource.ecs_cluster_details.task_details.containers[0].volume_mounts #=> Array
resp.findings[0].resource.ecs_cluster_details.task_details.containers[0].volume_mounts[0].name #=> String
resp.findings[0].resource.ecs_cluster_details.task_details.containers[0].volume_mounts[0].mount_path #=> String
resp.findings[0].resource.ecs_cluster_details.task_details.containers[0].security_context.privileged #=> Boolean
resp.findings[0].resource.ecs_cluster_details.task_details.containers[0].security_context.allow_privilege_escalation #=> Boolean
resp.findings[0].resource.ecs_cluster_details.task_details.group #=> String
resp.findings[0].resource.ecs_cluster_details.task_details.launch_type #=> String
resp.findings[0].resource.container_details.container_runtime #=> String
resp.findings[0].resource.container_details.id #=> String
resp.findings[0].resource.container_details.name #=> String
resp.findings[0].resource.container_details.image #=> String
resp.findings[0].resource.container_details.image_prefix #=> String
resp.findings[0].resource.container_details.volume_mounts #=> Array
resp.findings[0].resource.container_details.volume_mounts[0].name #=> String
resp.findings[0].resource.container_details.volume_mounts[0].mount_path #=> String
resp.findings[0].resource.container_details.security_context.privileged #=> Boolean
resp.findings[0].resource.container_details.security_context.allow_privilege_escalation #=> Boolean
resp.findings[0].resource.lambda_details.function_arn #=> String
resp.findings[0].resource.lambda_details.function_name #=> String
resp.findings[0].resource.lambda_details.description #=> String
resp.findings[0].resource.lambda_details.last_modified_at #=> Time
resp.findings[0].resource.lambda_details.revision_id #=> String
resp.findings[0].resource.lambda_details.function_version #=> String
resp.findings[0].resource.lambda_details.role #=> String
resp.findings[0].resource.lambda_details.vpc_config.subnet_ids #=> Array
resp.findings[0].resource.lambda_details.vpc_config.subnet_ids[0] #=> String
resp.findings[0].resource.lambda_details.vpc_config.vpc_id #=> String
resp.findings[0].resource.lambda_details.vpc_config.security_groups #=> Array
resp.findings[0].resource.lambda_details.vpc_config.security_groups[0].group_id #=> String
resp.findings[0].resource.lambda_details.vpc_config.security_groups[0].group_name #=> String
resp.findings[0].resource.lambda_details.tags #=> Array
resp.findings[0].resource.lambda_details.tags[0].key #=> String
resp.findings[0].resource.lambda_details.tags[0].value #=> String
resp.findings[0].resource.rds_db_instance_details.db_instance_identifier #=> String
resp.findings[0].resource.rds_db_instance_details.engine #=> String
resp.findings[0].resource.rds_db_instance_details.engine_version #=> String
resp.findings[0].resource.rds_db_instance_details.db_cluster_identifier #=> String
resp.findings[0].resource.rds_db_instance_details.db_instance_arn #=> String
resp.findings[0].resource.rds_db_instance_details.dbi_resource_id #=> String
resp.findings[0].resource.rds_db_instance_details.tags #=> Array
resp.findings[0].resource.rds_db_instance_details.tags[0].key #=> String
resp.findings[0].resource.rds_db_instance_details.tags[0].value #=> String
resp.findings[0].resource.rds_limitless_db_details.db_shard_group_identifier #=> String
resp.findings[0].resource.rds_limitless_db_details.db_shard_group_resource_id #=> String
resp.findings[0].resource.rds_limitless_db_details.db_shard_group_arn #=> String
resp.findings[0].resource.rds_limitless_db_details.engine #=> String
resp.findings[0].resource.rds_limitless_db_details.engine_version #=> String
resp.findings[0].resource.rds_limitless_db_details.db_cluster_identifier #=> String
resp.findings[0].resource.rds_limitless_db_details.tags #=> Array
resp.findings[0].resource.rds_limitless_db_details.tags[0].key #=> String
resp.findings[0].resource.rds_limitless_db_details.tags[0].value #=> String
resp.findings[0].resource.rds_db_user_details.user #=> String
resp.findings[0].resource.rds_db_user_details.application #=> String
resp.findings[0].resource.rds_db_user_details.database #=> String
resp.findings[0].resource.rds_db_user_details.ssl #=> String
resp.findings[0].resource.rds_db_user_details.auth_method #=> String
resp.findings[0].resource.ebs_snapshot_details.snapshot_arn #=> String
resp.findings[0].resource.ec2_image_details.image_arn #=> String
resp.findings[0].resource.recovery_point_details.recovery_point_arn #=> String
resp.findings[0].resource.recovery_point_details.backup_vault_name #=> String
resp.findings[0].schema_version #=> String
resp.findings[0].service.action.action_type #=> String
resp.findings[0].service.action.aws_api_call_action.api #=> String
resp.findings[0].service.action.aws_api_call_action.caller_type #=> String
resp.findings[0].service.action.aws_api_call_action.domain_details.domain #=> String
resp.findings[0].service.action.aws_api_call_action.error_code #=> String
resp.findings[0].service.action.aws_api_call_action.user_agent #=> String
resp.findings[0].service.action.aws_api_call_action.remote_ip_details.city.city_name #=> String
resp.findings[0].service.action.aws_api_call_action.remote_ip_details.country.country_code #=> String
resp.findings[0].service.action.aws_api_call_action.remote_ip_details.country.country_name #=> String
resp.findings[0].service.action.aws_api_call_action.remote_ip_details.geo_location.lat #=> Float
resp.findings[0].service.action.aws_api_call_action.remote_ip_details.geo_location.lon #=> Float
resp.findings[0].service.action.aws_api_call_action.remote_ip_details.ip_address_v4 #=> String
resp.findings[0].service.action.aws_api_call_action.remote_ip_details.ip_address_v6 #=> String
resp.findings[0].service.action.aws_api_call_action.remote_ip_details.organization.asn #=> String
resp.findings[0].service.action.aws_api_call_action.remote_ip_details.organization.asn_org #=> String
resp.findings[0].service.action.aws_api_call_action.remote_ip_details.organization.isp #=> String
resp.findings[0].service.action.aws_api_call_action.remote_ip_details.organization.org #=> String
resp.findings[0].service.action.aws_api_call_action.service_name #=> String
resp.findings[0].service.action.aws_api_call_action.remote_account_details.account_id #=> String
resp.findings[0].service.action.aws_api_call_action.remote_account_details.affiliated #=> Boolean
resp.findings[0].service.action.aws_api_call_action.affected_resources #=> Hash
resp.findings[0].service.action.aws_api_call_action.affected_resources["String"] #=> String
resp.findings[0].service.action.dns_request_action.domain #=> String
resp.findings[0].service.action.dns_request_action.protocol #=> String
resp.findings[0].service.action.dns_request_action.blocked #=> Boolean
resp.findings[0].service.action.dns_request_action.domain_with_suffix #=> String
resp.findings[0].service.action.dns_request_action.vpc_owner_account_id #=> String
resp.findings[0].service.action.network_connection_action.blocked #=> Boolean
resp.findings[0].service.action.network_connection_action.connection_direction #=> String
resp.findings[0].service.action.network_connection_action.local_port_details.port #=> Integer
resp.findings[0].service.action.network_connection_action.local_port_details.port_name #=> String
resp.findings[0].service.action.network_connection_action.protocol #=> String
resp.findings[0].service.action.network_connection_action.local_ip_details.ip_address_v4 #=> String
resp.findings[0].service.action.network_connection_action.local_ip_details.ip_address_v6 #=> String
resp.findings[0].service.action.network_connection_action.local_network_interface #=> String
resp.findings[0].service.action.network_connection_action.remote_ip_details.city.city_name #=> String
resp.findings[0].service.action.network_connection_action.remote_ip_details.country.country_code #=> String
resp.findings[0].service.action.network_connection_action.remote_ip_details.country.country_name #=> String
resp.findings[0].service.action.network_connection_action.remote_ip_details.geo_location.lat #=> Float
resp.findings[0].service.action.network_connection_action.remote_ip_details.geo_location.lon #=> Float
resp.findings[0].service.action.network_connection_action.remote_ip_details.ip_address_v4 #=> String
resp.findings[0].service.action.network_connection_action.remote_ip_details.ip_address_v6 #=> String
resp.findings[0].service.action.network_connection_action.remote_ip_details.organization.asn #=> String
resp.findings[0].service.action.network_connection_action.remote_ip_details.organization.asn_org #=> String
resp.findings[0].service.action.network_connection_action.remote_ip_details.organization.isp #=> String
resp.findings[0].service.action.network_connection_action.remote_ip_details.organization.org #=> String
resp.findings[0].service.action.network_connection_action.remote_port_details.port #=> Integer
resp.findings[0].service.action.network_connection_action.remote_port_details.port_name #=> String
resp.findings[0].service.action.port_probe_action.blocked #=> Boolean
resp.findings[0].service.action.port_probe_action.port_probe_details #=> Array
resp.findings[0].service.action.port_probe_action.port_probe_details[0].local_port_details.port #=> Integer
resp.findings[0].service.action.port_probe_action.port_probe_details[0].local_port_details.port_name #=> String
resp.findings[0].service.action.port_probe_action.port_probe_details[0].local_ip_details.ip_address_v4 #=> String
resp.findings[0].service.action.port_probe_action.port_probe_details[0].local_ip_details.ip_address_v6 #=> String
resp.findings[0].service.action.port_probe_action.port_probe_details[0].remote_ip_details.city.city_name #=> String
resp.findings[0].service.action.port_probe_action.port_probe_details[0].remote_ip_details.country.country_code #=> String
resp.findings[0].service.action.port_probe_action.port_probe_details[0].remote_ip_details.country.country_name #=> String
resp.findings[0].service.action.port_probe_action.port_probe_details[0].remote_ip_details.geo_location.lat #=> Float
resp.findings[0].service.action.port_probe_action.port_probe_details[0].remote_ip_details.geo_location.lon #=> Float
resp.findings[0].service.action.port_probe_action.port_probe_details[0].remote_ip_details.ip_address_v4 #=> String
resp.findings[0].service.action.port_probe_action.port_probe_details[0].remote_ip_details.ip_address_v6 #=> String
resp.findings[0].service.action.port_probe_action.port_probe_details[0].remote_ip_details.organization.asn #=> String
resp.findings[0].service.action.port_probe_action.port_probe_details[0].remote_ip_details.organization.asn_org #=> String
resp.findings[0].service.action.port_probe_action.port_probe_details[0].remote_ip_details.organization.isp #=> String
resp.findings[0].service.action.port_probe_action.port_probe_details[0].remote_ip_details.organization.org #=> String
resp.findings[0].service.action.kubernetes_api_call_action.request_uri #=> String
resp.findings[0].service.action.kubernetes_api_call_action.verb #=> String
resp.findings[0].service.action.kubernetes_api_call_action.resource #=> String
resp.findings[0].service.action.kubernetes_api_call_action.subresource #=> String
resp.findings[0].service.action.kubernetes_api_call_action.namespace #=> String
resp.findings[0].service.action.kubernetes_api_call_action.resource_name #=> String
resp.findings[0].service.action.kubernetes_api_call_action.source_ips #=> Array
resp.findings[0].service.action.kubernetes_api_call_action.source_ips[0] #=> String
resp.findings[0].service.action.kubernetes_api_call_action.user_agent #=> String
resp.findings[0].service.action.kubernetes_api_call_action.remote_ip_details.city.city_name #=> String
resp.findings[0].service.action.kubernetes_api_call_action.remote_ip_details.country.country_code #=> String
resp.findings[0].service.action.kubernetes_api_call_action.remote_ip_details.country.country_name #=> String
resp.findings[0].service.action.kubernetes_api_call_action.remote_ip_details.geo_location.lat #=> Float
resp.findings[0].service.action.kubernetes_api_call_action.remote_ip_details.geo_location.lon #=> Float
resp.findings[0].service.action.kubernetes_api_call_action.remote_ip_details.ip_address_v4 #=> String
resp.findings[0].service.action.kubernetes_api_call_action.remote_ip_details.ip_address_v6 #=> String
resp.findings[0].service.action.kubernetes_api_call_action.remote_ip_details.organization.asn #=> String
resp.findings[0].service.action.kubernetes_api_call_action.remote_ip_details.organization.asn_org #=> String
resp.findings[0].service.action.kubernetes_api_call_action.remote_ip_details.organization.isp #=> String
resp.findings[0].service.action.kubernetes_api_call_action.remote_ip_details.organization.org #=> String
resp.findings[0].service.action.kubernetes_api_call_action.status_code #=> Integer
resp.findings[0].service.action.kubernetes_api_call_action.parameters #=> String
resp.findings[0].service.action.kubernetes_permission_checked_details.verb #=> String
resp.findings[0].service.action.kubernetes_permission_checked_details.resource #=> String
resp.findings[0].service.action.kubernetes_permission_checked_details.namespace #=> String
resp.findings[0].service.action.kubernetes_permission_checked_details.allowed #=> Boolean
resp.findings[0].service.action.kubernetes_role_binding_details.kind #=> String
resp.findings[0].service.action.kubernetes_role_binding_details.name #=> String
resp.findings[0].service.action.kubernetes_role_binding_details.uid #=> String
resp.findings[0].service.action.kubernetes_role_binding_details.role_ref_name #=> String
resp.findings[0].service.action.kubernetes_role_binding_details.role_ref_kind #=> String
resp.findings[0].service.action.kubernetes_role_details.kind #=> String
resp.findings[0].service.action.kubernetes_role_details.name #=> String
resp.findings[0].service.action.kubernetes_role_details.uid #=> String
resp.findings[0].service.action.rds_login_attempt_action.remote_ip_details.city.city_name #=> String
resp.findings[0].service.action.rds_login_attempt_action.remote_ip_details.country.country_code #=> String
resp.findings[0].service.action.rds_login_attempt_action.remote_ip_details.country.country_name #=> String
resp.findings[0].service.action.rds_login_attempt_action.remote_ip_details.geo_location.lat #=> Float
resp.findings[0].service.action.rds_login_attempt_action.remote_ip_details.geo_location.lon #=> Float
resp.findings[0].service.action.rds_login_attempt_action.remote_ip_details.ip_address_v4 #=> String
resp.findings[0].service.action.rds_login_attempt_action.remote_ip_details.ip_address_v6 #=> String
resp.findings[0].service.action.rds_login_attempt_action.remote_ip_details.organization.asn #=> String
resp.findings[0].service.action.rds_login_attempt_action.remote_ip_details.organization.asn_org #=> String
resp.findings[0].service.action.rds_login_attempt_action.remote_ip_details.organization.isp #=> String
resp.findings[0].service.action.rds_login_attempt_action.remote_ip_details.organization.org #=> String
resp.findings[0].service.action.rds_login_attempt_action.login_attributes #=> Array
resp.findings[0].service.action.rds_login_attempt_action.login_attributes[0].user #=> String
resp.findings[0].service.action.rds_login_attempt_action.login_attributes[0].application #=> String
resp.findings[0].service.action.rds_login_attempt_action.login_attributes[0].failed_login_attempts #=> Integer
resp.findings[0].service.action.rds_login_attempt_action.login_attributes[0].successful_login_attempts #=> Integer
resp.findings[0].service.evidence.threat_intelligence_details #=> Array
resp.findings[0].service.evidence.threat_intelligence_details[0].threat_list_name #=> String
resp.findings[0].service.evidence.threat_intelligence_details[0].threat_names #=> Array
resp.findings[0].service.evidence.threat_intelligence_details[0].threat_names[0] #=> String
resp.findings[0].service.evidence.threat_intelligence_details[0].threat_file_sha_256 #=> String
resp.findings[0].service.archived #=> Boolean
resp.findings[0].service.count #=> Integer
resp.findings[0].service.detector_id #=> String
resp.findings[0].service.event_first_seen #=> String
resp.findings[0].service.event_last_seen #=> String
resp.findings[0].service.resource_role #=> String
resp.findings[0].service.service_name #=> String
resp.findings[0].service.user_feedback #=> String
resp.findings[0].service.additional_info.value #=> String
resp.findings[0].service.additional_info.type #=> String
resp.findings[0].service.feature_name #=> String
resp.findings[0].service.ebs_volume_scan_details.scan_id #=> String
resp.findings[0].service.ebs_volume_scan_details.scan_started_at #=> Time
resp.findings[0].service.ebs_volume_scan_details.scan_completed_at #=> Time
resp.findings[0].service.ebs_volume_scan_details.trigger_finding_id #=> String
resp.findings[0].service.ebs_volume_scan_details.sources #=> Array
resp.findings[0].service.ebs_volume_scan_details.sources[0] #=> String
resp.findings[0].service.ebs_volume_scan_details.scan_detections.scanned_item_count.total_gb #=> Integer
resp.findings[0].service.ebs_volume_scan_details.scan_detections.scanned_item_count.files #=> Integer
resp.findings[0].service.ebs_volume_scan_details.scan_detections.scanned_item_count.volumes #=> Integer
resp.findings[0].service.ebs_volume_scan_details.scan_detections.threats_detected_item_count.files #=> Integer
resp.findings[0].service.ebs_volume_scan_details.scan_detections.highest_severity_threat_details.severity #=> String
resp.findings[0].service.ebs_volume_scan_details.scan_detections.highest_severity_threat_details.threat_name #=> String
resp.findings[0].service.ebs_volume_scan_details.scan_detections.highest_severity_threat_details.count #=> Integer
resp.findings[0].service.ebs_volume_scan_details.scan_detections.threat_detected_by_name.item_count #=> Integer
resp.findings[0].service.ebs_volume_scan_details.scan_detections.threat_detected_by_name.unique_threat_name_count #=> Integer
resp.findings[0].service.ebs_volume_scan_details.scan_detections.threat_detected_by_name.shortened #=> Boolean
resp.findings[0].service.ebs_volume_scan_details.scan_detections.threat_detected_by_name.threat_names #=> Array
resp.findings[0].service.ebs_volume_scan_details.scan_detections.threat_detected_by_name.threat_names[0].name #=> String
resp.findings[0].service.ebs_volume_scan_details.scan_detections.threat_detected_by_name.threat_names[0].severity #=> String
resp.findings[0].service.ebs_volume_scan_details.scan_detections.threat_detected_by_name.threat_names[0].item_count #=> Integer
resp.findings[0].service.ebs_volume_scan_details.scan_detections.threat_detected_by_name.threat_names[0].file_paths #=> Array
resp.findings[0].service.ebs_volume_scan_details.scan_detections.threat_detected_by_name.threat_names[0].file_paths[0].file_path #=> String
resp.findings[0].service.ebs_volume_scan_details.scan_detections.threat_detected_by_name.threat_names[0].file_paths[0].volume_arn #=> String
resp.findings[0].service.ebs_volume_scan_details.scan_detections.threat_detected_by_name.threat_names[0].file_paths[0].hash #=> String
resp.findings[0].service.ebs_volume_scan_details.scan_detections.threat_detected_by_name.threat_names[0].file_paths[0].file_name #=> String
resp.findings[0].service.ebs_volume_scan_details.scan_type #=> String, one of "GUARDDUTY_INITIATED", "ON_DEMAND"
resp.findings[0].service.runtime_details.process.name #=> String
resp.findings[0].service.runtime_details.process.executable_path #=> String
resp.findings[0].service.runtime_details.process.executable_sha_256 #=> String
resp.findings[0].service.runtime_details.process.namespace_pid #=> Integer
resp.findings[0].service.runtime_details.process.pwd #=> String
resp.findings[0].service.runtime_details.process.pid #=> Integer
resp.findings[0].service.runtime_details.process.start_time #=> Time
resp.findings[0].service.runtime_details.process.uuid #=> String
resp.findings[0].service.runtime_details.process.parent_uuid #=> String
resp.findings[0].service.runtime_details.process.user #=> String
resp.findings[0].service.runtime_details.process.user_id #=> Integer
resp.findings[0].service.runtime_details.process.euid #=> Integer
resp.findings[0].service.runtime_details.process.lineage #=> Array
resp.findings[0].service.runtime_details.process.lineage[0].start_time #=> Time
resp.findings[0].service.runtime_details.process.lineage[0].namespace_pid #=> Integer
resp.findings[0].service.runtime_details.process.lineage[0].user_id #=> Integer
resp.findings[0].service.runtime_details.process.lineage[0].name #=> String
resp.findings[0].service.runtime_details.process.lineage[0].pid #=> Integer
resp.findings[0].service.runtime_details.process.lineage[0].uuid #=> String
resp.findings[0].service.runtime_details.process.lineage[0].executable_path #=> String
resp.findings[0].service.runtime_details.process.lineage[0].euid #=> Integer
resp.findings[0].service.runtime_details.process.lineage[0].parent_uuid #=> String
resp.findings[0].service.runtime_details.context.modifying_process.name #=> String
resp.findings[0].service.runtime_details.context.modifying_process.executable_path #=> String
resp.findings[0].service.runtime_details.context.modifying_process.executable_sha_256 #=> String
resp.findings[0].service.runtime_details.context.modifying_process.namespace_pid #=> Integer
resp.findings[0].service.runtime_details.context.modifying_process.pwd #=> String
resp.findings[0].service.runtime_details.context.modifying_process.pid #=> Integer
resp.findings[0].service.runtime_details.context.modifying_process.start_time #=> Time
resp.findings[0].service.runtime_details.context.modifying_process.uuid #=> String
resp.findings[0].service.runtime_details.context.modifying_process.parent_uuid #=> String
resp.findings[0].service.runtime_details.context.modifying_process.user #=> String
resp.findings[0].service.runtime_details.context.modifying_process.user_id #=> Integer
resp.findings[0].service.runtime_details.context.modifying_process.euid #=> Integer
resp.findings[0].service.runtime_details.context.modifying_process.lineage #=> Array
resp.findings[0].service.runtime_details.context.modifying_process.lineage[0].start_time #=> Time
resp.findings[0].service.runtime_details.context.modifying_process.lineage[0].namespace_pid #=> Integer
resp.findings[0].service.runtime_details.context.modifying_process.lineage[0].user_id #=> Integer
resp.findings[0].service.runtime_details.context.modifying_process.lineage[0].name #=> String
resp.findings[0].service.runtime_details.context.modifying_process.lineage[0].pid #=> Integer
resp.findings[0].service.runtime_details.context.modifying_process.lineage[0].uuid #=> String
resp.findings[0].service.runtime_details.context.modifying_process.lineage[0].executable_path #=> String
resp.findings[0].service.runtime_details.context.modifying_process.lineage[0].euid #=> Integer
resp.findings[0].service.runtime_details.context.modifying_process.lineage[0].parent_uuid #=> String
resp.findings[0].service.runtime_details.context.modified_at #=> Time
resp.findings[0].service.runtime_details.context.script_path #=> String
resp.findings[0].service.runtime_details.context.library_path #=> String
resp.findings[0].service.runtime_details.context.ld_preload_value #=> String
resp.findings[0].service.runtime_details.context.socket_path #=> String
resp.findings[0].service.runtime_details.context.runc_binary_path #=> String
resp.findings[0].service.runtime_details.context.release_agent_path #=> String
resp.findings[0].service.runtime_details.context.mount_source #=> String
resp.findings[0].service.runtime_details.context.mount_target #=> String
resp.findings[0].service.runtime_details.context.file_system_type #=> String
resp.findings[0].service.runtime_details.context.flags #=> Array
resp.findings[0].service.runtime_details.context.flags[0] #=> String
resp.findings[0].service.runtime_details.context.module_name #=> String
resp.findings[0].service.runtime_details.context.module_file_path #=> String
resp.findings[0].service.runtime_details.context.module_sha_256 #=> String
resp.findings[0].service.runtime_details.context.shell_history_file_path #=> String
resp.findings[0].service.runtime_details.context.target_process.name #=> String
resp.findings[0].service.runtime_details.context.target_process.executable_path #=> String
resp.findings[0].service.runtime_details.context.target_process.executable_sha_256 #=> String
resp.findings[0].service.runtime_details.context.target_process.namespace_pid #=> Integer
resp.findings[0].service.runtime_details.context.target_process.pwd #=> String
resp.findings[0].service.runtime_details.context.target_process.pid #=> Integer
resp.findings[0].service.runtime_details.context.target_process.start_time #=> Time
resp.findings[0].service.runtime_details.context.target_process.uuid #=> String
resp.findings[0].service.runtime_details.context.target_process.parent_uuid #=> String
resp.findings[0].service.runtime_details.context.target_process.user #=> String
resp.findings[0].service.runtime_details.context.target_process.user_id #=> Integer
resp.findings[0].service.runtime_details.context.target_process.euid #=> Integer
resp.findings[0].service.runtime_details.context.target_process.lineage #=> Array
resp.findings[0].service.runtime_details.context.target_process.lineage[0].start_time #=> Time
resp.findings[0].service.runtime_details.context.target_process.lineage[0].namespace_pid #=> Integer
resp.findings[0].service.runtime_details.context.target_process.lineage[0].user_id #=> Integer
resp.findings[0].service.runtime_details.context.target_process.lineage[0].name #=> String
resp.findings[0].service.runtime_details.context.target_process.lineage[0].pid #=> Integer
resp.findings[0].service.runtime_details.context.target_process.lineage[0].uuid #=> String
resp.findings[0].service.runtime_details.context.target_process.lineage[0].executable_path #=> String
resp.findings[0].service.runtime_details.context.target_process.lineage[0].euid #=> Integer
resp.findings[0].service.runtime_details.context.target_process.lineage[0].parent_uuid #=> String
resp.findings[0].service.runtime_details.context.address_family #=> String
resp.findings[0].service.runtime_details.context.iana_protocol_number #=> Integer
resp.findings[0].service.runtime_details.context.memory_regions #=> Array
resp.findings[0].service.runtime_details.context.memory_regions[0] #=> String
resp.findings[0].service.runtime_details.context.tool_name #=> String
resp.findings[0].service.runtime_details.context.tool_category #=> String
resp.findings[0].service.runtime_details.context.service_name #=> String
resp.findings[0].service.runtime_details.context.command_line_example #=> String
resp.findings[0].service.runtime_details.context.threat_file_path #=> String
resp.findings[0].service.runtime_details.context.file_operation #=> String
resp.findings[0].service.runtime_details.context.file_path #=> String
resp.findings[0].service.runtime_details.context.related_file_paths #=> Array
resp.findings[0].service.runtime_details.context.related_file_paths[0] #=> String
resp.findings[0].service.detection.anomaly.profiles #=> Hash
resp.findings[0].service.detection.anomaly.profiles["String"] #=> Hash
resp.findings[0].service.detection.anomaly.profiles["String"]["String"] #=> Array
resp.findings[0].service.detection.anomaly.profiles["String"]["String"][0].profile_type #=> String, one of "FREQUENCY"
resp.findings[0].service.detection.anomaly.profiles["String"]["String"][0].profile_subtype #=> String, one of "FREQUENT", "INFREQUENT", "UNSEEN", "RARE"
resp.findings[0].service.detection.anomaly.profiles["String"]["String"][0].observations.text #=> Array
resp.findings[0].service.detection.anomaly.profiles["String"]["String"][0].observations.text[0] #=> String
resp.findings[0].service.detection.anomaly.unusual.behavior #=> Hash
resp.findings[0].service.detection.anomaly.unusual.behavior["String"] #=> Hash
resp.findings[0].service.detection.anomaly.unusual.behavior["String"]["String"].profile_type #=> String, one of "FREQUENCY"
resp.findings[0].service.detection.anomaly.unusual.behavior["String"]["String"].profile_subtype #=> String, one of "FREQUENT", "INFREQUENT", "UNSEEN", "RARE"
resp.findings[0].service.detection.anomaly.unusual.behavior["String"]["String"].observations.text #=> Array
resp.findings[0].service.detection.anomaly.unusual.behavior["String"]["String"].observations.text[0] #=> String
resp.findings[0].service.detection.sequence.uid #=> String
resp.findings[0].service.detection.sequence.description #=> String
resp.findings[0].service.detection.sequence.actors #=> Array
resp.findings[0].service.detection.sequence.actors[0].id #=> String
resp.findings[0].service.detection.sequence.actors[0].user.name #=> String
resp.findings[0].service.detection.sequence.actors[0].user.uid #=> String
resp.findings[0].service.detection.sequence.actors[0].user.type #=> String
resp.findings[0].service.detection.sequence.actors[0].user.credential_uid #=> String
resp.findings[0].service.detection.sequence.actors[0].user.account.uid #=> String
resp.findings[0].service.detection.sequence.actors[0].user.account.name #=> String
resp.findings[0].service.detection.sequence.actors[0].session.uid #=> String
resp.findings[0].service.detection.sequence.actors[0].session.mfa_status #=> String, one of "ENABLED", "DISABLED"
resp.findings[0].service.detection.sequence.actors[0].session.created_time #=> Time
resp.findings[0].service.detection.sequence.actors[0].session.issuer #=> String
resp.findings[0].service.detection.sequence.actors[0].process.name #=> String
resp.findings[0].service.detection.sequence.actors[0].process.path #=> String
resp.findings[0].service.detection.sequence.actors[0].process.sha_256 #=> String
resp.findings[0].service.detection.sequence.resources #=> Array
resp.findings[0].service.detection.sequence.resources[0].uid #=> String
resp.findings[0].service.detection.sequence.resources[0].name #=> String
resp.findings[0].service.detection.sequence.resources[0].account_id #=> String
resp.findings[0].service.detection.sequence.resources[0].resource_type #=> String, one of "EC2_INSTANCE", "EC2_NETWORK_INTERFACE", "S3_BUCKET", "S3_OBJECT", "ACCESS_KEY", "EKS_CLUSTER", "KUBERNETES_WORKLOAD", "CONTAINER", "ECS_CLUSTER", "ECS_TASK", "AUTOSCALING_AUTO_SCALING_GROUP", "IAM_INSTANCE_PROFILE", "CLOUDFORMATION_STACK", "EC2_LAUNCH_TEMPLATE", "EC2_VPC", "EC2_IMAGE"
resp.findings[0].service.detection.sequence.resources[0].region #=> String
resp.findings[0].service.detection.sequence.resources[0].service #=> String
resp.findings[0].service.detection.sequence.resources[0].cloud_partition #=> String
resp.findings[0].service.detection.sequence.resources[0].tags #=> Array
resp.findings[0].service.detection.sequence.resources[0].tags[0].key #=> String
resp.findings[0].service.detection.sequence.resources[0].tags[0].value #=> String
resp.findings[0].service.detection.sequence.resources[0].data.s3_bucket.owner_id #=> String
resp.findings[0].service.detection.sequence.resources[0].data.s3_bucket.created_at #=> Time
resp.findings[0].service.detection.sequence.resources[0].data.s3_bucket.encryption_type #=> String
resp.findings[0].service.detection.sequence.resources[0].data.s3_bucket.encryption_key_arn #=> String
resp.findings[0].service.detection.sequence.resources[0].data.s3_bucket.effective_permission #=> String
resp.findings[0].service.detection.sequence.resources[0].data.s3_bucket.public_read_access #=> String, one of "BLOCKED", "ALLOWED"
resp.findings[0].service.detection.sequence.resources[0].data.s3_bucket.public_write_access #=> String, one of "BLOCKED", "ALLOWED"
resp.findings[0].service.detection.sequence.resources[0].data.s3_bucket.account_public_access.public_acl_access #=> String, one of "BLOCKED", "ALLOWED"
resp.findings[0].service.detection.sequence.resources[0].data.s3_bucket.account_public_access.public_policy_access #=> String, one of "BLOCKED", "ALLOWED"
resp.findings[0].service.detection.sequence.resources[0].data.s3_bucket.account_public_access.public_acl_ignore_behavior #=> String, one of "IGNORED", "NOT_IGNORED"
resp.findings[0].service.detection.sequence.resources[0].data.s3_bucket.account_public_access.public_bucket_restrict_behavior #=> String, one of "RESTRICTED", "NOT_RESTRICTED"
resp.findings[0].service.detection.sequence.resources[0].data.s3_bucket.bucket_public_access.public_acl_access #=> String, one of "BLOCKED", "ALLOWED"
resp.findings[0].service.detection.sequence.resources[0].data.s3_bucket.bucket_public_access.public_policy_access #=> String, one of "BLOCKED", "ALLOWED"
resp.findings[0].service.detection.sequence.resources[0].data.s3_bucket.bucket_public_access.public_acl_ignore_behavior #=> String, one of "IGNORED", "NOT_IGNORED"
resp.findings[0].service.detection.sequence.resources[0].data.s3_bucket.bucket_public_access.public_bucket_restrict_behavior #=> String, one of "RESTRICTED", "NOT_RESTRICTED"
resp.findings[0].service.detection.sequence.resources[0].data.s3_bucket.s3_object_uids #=> Array
resp.findings[0].service.detection.sequence.resources[0].data.s3_bucket.s3_object_uids[0] #=> String
resp.findings[0].service.detection.sequence.resources[0].data.ec2_instance.availability_zone #=> String
resp.findings[0].service.detection.sequence.resources[0].data.ec2_instance.image_description #=> String
resp.findings[0].service.detection.sequence.resources[0].data.ec2_instance.instance_state #=> String
resp.findings[0].service.detection.sequence.resources[0].data.ec2_instance.iam_instance_profile.arn #=> String
resp.findings[0].service.detection.sequence.resources[0].data.ec2_instance.iam_instance_profile.id #=> String
resp.findings[0].service.detection.sequence.resources[0].data.ec2_instance.instance_type #=> String
resp.findings[0].service.detection.sequence.resources[0].data.ec2_instance.outpost_arn #=> String
resp.findings[0].service.detection.sequence.resources[0].data.ec2_instance.platform #=> String
resp.findings[0].service.detection.sequence.resources[0].data.ec2_instance.product_codes #=> Array
resp.findings[0].service.detection.sequence.resources[0].data.ec2_instance.product_codes[0].code #=> String
resp.findings[0].service.detection.sequence.resources[0].data.ec2_instance.product_codes[0].product_type #=> String
resp.findings[0].service.detection.sequence.resources[0].data.ec2_instance.ec2_network_interface_uids #=> Array
resp.findings[0].service.detection.sequence.resources[0].data.ec2_instance.ec2_network_interface_uids[0] #=> String
resp.findings[0].service.detection.sequence.resources[0].data.access_key.principal_id #=> String
resp.findings[0].service.detection.sequence.resources[0].data.access_key.user_name #=> String
resp.findings[0].service.detection.sequence.resources[0].data.access_key.user_type #=> String
resp.findings[0].service.detection.sequence.resources[0].data.ec2_network_interface.ipv_6_addresses #=> Array
resp.findings[0].service.detection.sequence.resources[0].data.ec2_network_interface.ipv_6_addresses[0] #=> String
resp.findings[0].service.detection.sequence.resources[0].data.ec2_network_interface.private_ip_addresses #=> Array
resp.findings[0].service.detection.sequence.resources[0].data.ec2_network_interface.private_ip_addresses[0].private_dns_name #=> String
resp.findings[0].service.detection.sequence.resources[0].data.ec2_network_interface.private_ip_addresses[0].private_ip_address #=> String
resp.findings[0].service.detection.sequence.resources[0].data.ec2_network_interface.public_ip #=> String
resp.findings[0].service.detection.sequence.resources[0].data.ec2_network_interface.security_groups #=> Array
resp.findings[0].service.detection.sequence.resources[0].data.ec2_network_interface.security_groups[0].group_id #=> String
resp.findings[0].service.detection.sequence.resources[0].data.ec2_network_interface.security_groups[0].group_name #=> String
resp.findings[0].service.detection.sequence.resources[0].data.ec2_network_interface.sub_net_id #=> String
resp.findings[0].service.detection.sequence.resources[0].data.ec2_network_interface.vpc_id #=> String
resp.findings[0].service.detection.sequence.resources[0].data.s3_object.etag #=> String
resp.findings[0].service.detection.sequence.resources[0].data.s3_object.key #=> String
resp.findings[0].service.detection.sequence.resources[0].data.s3_object.version_id #=> String
resp.findings[0].service.detection.sequence.resources[0].data.eks_cluster.arn #=> String
resp.findings[0].service.detection.sequence.resources[0].data.eks_cluster.created_at #=> Time
resp.findings[0].service.detection.sequence.resources[0].data.eks_cluster.status #=> String, one of "CREATING", "ACTIVE", "DELETING", "FAILED", "UPDATING", "PENDING"
resp.findings[0].service.detection.sequence.resources[0].data.eks_cluster.vpc_id #=> String
resp.findings[0].service.detection.sequence.resources[0].data.eks_cluster.ec2_instance_uids #=> Array
resp.findings[0].service.detection.sequence.resources[0].data.eks_cluster.ec2_instance_uids[0] #=> String
resp.findings[0].service.detection.sequence.resources[0].data.kubernetes_workload.container_uids #=> Array
resp.findings[0].service.detection.sequence.resources[0].data.kubernetes_workload.container_uids[0] #=> String
resp.findings[0].service.detection.sequence.resources[0].data.kubernetes_workload.namespace #=> String
resp.findings[0].service.detection.sequence.resources[0].data.kubernetes_workload.kubernetes_resources_types #=> String, one of "PODS", "JOBS", "CRONJOBS", "DEPLOYMENTS", "DAEMONSETS", "STATEFULSETS", "REPLICASETS", "REPLICATIONCONTROLLERS"
resp.findings[0].service.detection.sequence.resources[0].data.container.image #=> String
resp.findings[0].service.detection.sequence.resources[0].data.container.image_uid #=> String
resp.findings[0].service.detection.sequence.resources[0].data.ecs_cluster.status #=> String, one of "ACTIVE", "PROVISIONING", "DEPROVISIONING", "FAILED", "INACTIVE"
resp.findings[0].service.detection.sequence.resources[0].data.ecs_cluster.ec2_instance_uids #=> Array
resp.findings[0].service.detection.sequence.resources[0].data.ecs_cluster.ec2_instance_uids[0] #=> String
resp.findings[0].service.detection.sequence.resources[0].data.ecs_task.created_at #=> Time
resp.findings[0].service.detection.sequence.resources[0].data.ecs_task.task_definition_arn #=> String
resp.findings[0].service.detection.sequence.resources[0].data.ecs_task.launch_type #=> String, one of "FARGATE", "EC2"
resp.findings[0].service.detection.sequence.resources[0].data.ecs_task.container_uids #=> Array
resp.findings[0].service.detection.sequence.resources[0].data.ecs_task.container_uids[0] #=> String
resp.findings[0].service.detection.sequence.resources[0].data.iam_instance_profile.ec2_instance_uids #=> Array
resp.findings[0].service.detection.sequence.resources[0].data.iam_instance_profile.ec2_instance_uids[0] #=> String
resp.findings[0].service.detection.sequence.resources[0].data.autoscaling_auto_scaling_group.ec2_instance_uids #=> Array
resp.findings[0].service.detection.sequence.resources[0].data.autoscaling_auto_scaling_group.ec2_instance_uids[0] #=> String
resp.findings[0].service.detection.sequence.resources[0].data.ec2_launch_template.ec2_instance_uids #=> Array
resp.findings[0].service.detection.sequence.resources[0].data.ec2_launch_template.ec2_instance_uids[0] #=> String
resp.findings[0].service.detection.sequence.resources[0].data.ec2_launch_template.version #=> String
resp.findings[0].service.detection.sequence.resources[0].data.ec2_vpc.ec2_instance_uids #=> Array
resp.findings[0].service.detection.sequence.resources[0].data.ec2_vpc.ec2_instance_uids[0] #=> String
resp.findings[0].service.detection.sequence.resources[0].data.ec2_image.ec2_instance_uids #=> Array
resp.findings[0].service.detection.sequence.resources[0].data.ec2_image.ec2_instance_uids[0] #=> String
resp.findings[0].service.detection.sequence.resources[0].data.cloudformation_stack.ec2_instance_uids #=> Array
resp.findings[0].service.detection.sequence.resources[0].data.cloudformation_stack.ec2_instance_uids[0] #=> String
resp.findings[0].service.detection.sequence.endpoints #=> Array
resp.findings[0].service.detection.sequence.endpoints[0].id #=> String
resp.findings[0].service.detection.sequence.endpoints[0].ip #=> String
resp.findings[0].service.detection.sequence.endpoints[0].domain #=> String
resp.findings[0].service.detection.sequence.endpoints[0].port #=> Integer
resp.findings[0].service.detection.sequence.endpoints[0].location.city #=> String
resp.findings[0].service.detection.sequence.endpoints[0].location.country #=> String
resp.findings[0].service.detection.sequence.endpoints[0].location.latitude #=> Float
resp.findings[0].service.detection.sequence.endpoints[0].location.longitude #=> Float
resp.findings[0].service.detection.sequence.endpoints[0].autonomous_system.name #=> String
resp.findings[0].service.detection.sequence.endpoints[0].autonomous_system.number #=> Integer
resp.findings[0].service.detection.sequence.endpoints[0].connection.direction #=> String, one of "INBOUND", "OUTBOUND"
resp.findings[0].service.detection.sequence.signals #=> Array
resp.findings[0].service.detection.sequence.signals[0].uid #=> String
resp.findings[0].service.detection.sequence.signals[0].type #=> String, one of "FINDING", "CLOUD_TRAIL", "S3_DATA_EVENTS", "EKS_AUDIT_LOGS", "FLOW_LOGS", "DNS_LOGS", "RUNTIME_MONITORING"
resp.findings[0].service.detection.sequence.signals[0].description #=> String
resp.findings[0].service.detection.sequence.signals[0].name #=> String
resp.findings[0].service.detection.sequence.signals[0].created_at #=> Time
resp.findings[0].service.detection.sequence.signals[0].updated_at #=> Time
resp.findings[0].service.detection.sequence.signals[0].first_seen_at #=> Time
resp.findings[0].service.detection.sequence.signals[0].last_seen_at #=> Time
resp.findings[0].service.detection.sequence.signals[0].severity #=> Float
resp.findings[0].service.detection.sequence.signals[0].count #=> Integer
resp.findings[0].service.detection.sequence.signals[0].resource_uids #=> Array
resp.findings[0].service.detection.sequence.signals[0].resource_uids[0] #=> String
resp.findings[0].service.detection.sequence.signals[0].actor_ids #=> Array
resp.findings[0].service.detection.sequence.signals[0].actor_ids[0] #=> String
resp.findings[0].service.detection.sequence.signals[0].endpoint_ids #=> Array
resp.findings[0].service.detection.sequence.signals[0].endpoint_ids[0] #=> String
resp.findings[0].service.detection.sequence.signals[0].signal_indicators #=> Array
resp.findings[0].service.detection.sequence.signals[0].signal_indicators[0].key #=> String, one of "SUSPICIOUS_USER_AGENT", "SUSPICIOUS_NETWORK", "MALICIOUS_IP", "TOR_IP", "ATTACK_TACTIC", "HIGH_RISK_API", "ATTACK_TECHNIQUE", "UNUSUAL_API_FOR_ACCOUNT", "UNUSUAL_ASN_FOR_ACCOUNT", "UNUSUAL_ASN_FOR_USER", "SUSPICIOUS_PROCESS", "MALICIOUS_DOMAIN", "MALICIOUS_PROCESS", "CRYPTOMINING_IP", "CRYPTOMINING_DOMAIN", "CRYPTOMINING_PROCESS", "MALICIOUS_FILE", "VULNERABILITY", "MALICIOUS_PACKAGE", "MISCONFIGURATION", "REACHABILITY", "SENSITIVE_DATA"
resp.findings[0].service.detection.sequence.signals[0].signal_indicators[0].values #=> Array
resp.findings[0].service.detection.sequence.signals[0].signal_indicators[0].values[0] #=> String
resp.findings[0].service.detection.sequence.signals[0].signal_indicators[0].title #=> String
resp.findings[0].service.detection.sequence.sequence_indicators #=> Array
resp.findings[0].service.detection.sequence.sequence_indicators[0].key #=> String, one of "SUSPICIOUS_USER_AGENT", "SUSPICIOUS_NETWORK", "MALICIOUS_IP", "TOR_IP", "ATTACK_TACTIC", "HIGH_RISK_API", "ATTACK_TECHNIQUE", "UNUSUAL_API_FOR_ACCOUNT", "UNUSUAL_ASN_FOR_ACCOUNT", "UNUSUAL_ASN_FOR_USER", "SUSPICIOUS_PROCESS", "MALICIOUS_DOMAIN", "MALICIOUS_PROCESS", "CRYPTOMINING_IP", "CRYPTOMINING_DOMAIN", "CRYPTOMINING_PROCESS", "MALICIOUS_FILE", "VULNERABILITY", "MALICIOUS_PACKAGE", "MISCONFIGURATION", "REACHABILITY", "SENSITIVE_DATA"
resp.findings[0].service.detection.sequence.sequence_indicators[0].values #=> Array
resp.findings[0].service.detection.sequence.sequence_indicators[0].values[0] #=> String
resp.findings[0].service.detection.sequence.sequence_indicators[0].title #=> String
resp.findings[0].service.detection.sequence.additional_sequence_types #=> Array
resp.findings[0].service.detection.sequence.additional_sequence_types[0] #=> String
resp.findings[0].service.malware_scan_details.threats #=> Array
resp.findings[0].service.malware_scan_details.threats[0].name #=> String
resp.findings[0].service.malware_scan_details.threats[0].source #=> String
resp.findings[0].service.malware_scan_details.threats[0].item_paths #=> Array
resp.findings[0].service.malware_scan_details.threats[0].item_paths[0].nested_item_path #=> String
resp.findings[0].service.malware_scan_details.threats[0].item_paths[0].hash #=> String
resp.findings[0].service.malware_scan_details.threats[0].count #=> Integer
resp.findings[0].service.malware_scan_details.threats[0].hash #=> String
resp.findings[0].service.malware_scan_details.threats[0].item_details #=> Array
resp.findings[0].service.malware_scan_details.threats[0].item_details[0].resource_arn #=> String
resp.findings[0].service.malware_scan_details.threats[0].item_details[0].item_path #=> String
resp.findings[0].service.malware_scan_details.threats[0].item_details[0].hash #=> String
resp.findings[0].service.malware_scan_details.threats[0].item_details[0].additional_info.version_id #=> String
resp.findings[0].service.malware_scan_details.threats[0].item_details[0].additional_info.device_name #=> String
resp.findings[0].service.malware_scan_details.scan_id #=> String
resp.findings[0].service.malware_scan_details.scan_type #=> String, one of "BACKUP_INITIATED", "ON_DEMAND", "GUARDDUTY_INITIATED"
resp.findings[0].service.malware_scan_details.scan_category #=> String, one of "FULL_SCAN", "INCREMENTAL_SCAN"
resp.findings[0].service.malware_scan_details.scan_configuration.trigger_type #=> String, one of "BACKUP", "GUARDDUTY"
resp.findings[0].service.malware_scan_details.scan_configuration.incremental_scan_details.baseline_resource_arn #=> String
resp.findings[0].service.malware_scan_details.unique_threat_count #=> Integer
resp.findings[0].severity #=> Float
resp.findings[0].title #=> String
resp.findings[0].type #=> String
resp.findings[0].updated_at #=> String
resp.findings[0].associated_attack_sequence_arn #=> String

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:detector_id (required, String) —

The ID of the detector that specifies the GuardDuty service whose findings you want to retrieve.

To find the ‘detectorId` in the current Region, see the Settings page in the GuardDuty console, or run the [ListDetectors] API.

[1]: docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html
:finding_ids (required, Array<String>) —

The IDs of the findings that you want to retrieve.
:sort_criteria (Types::SortCriteria) —

Represents the criteria used for sorting findings.

Returns:

(Types::GetFindingsResponse) —
Returns a response object which responds to the following methods:
- #findings => Array<Types::Finding>

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 4575

def get_findings(params = {}, options = {})
  req = build_request(:get_findings, params)
  req.send_request(options)
end

#get_findings_statistics(params = {}) ⇒ `Types::GetFindingsStatisticsResponse`

Lists GuardDuty findings statistics for the specified detector ID.

You must provide either ‘findingStatisticTypes` or `groupBy` parameter, and not both. You can use the `maxResults` and `orderBy` parameters only when using `groupBy`.

There might be regional differences because some flags might not be available in all the Regions where GuardDuty is currently supported. For more information, see [Regions and endpoints].

[1]: docs.aws.amazon.com/guardduty/latest/ug/guardduty_regions.html

Examples:

Request syntax with placeholder values


resp = client.get_findings_statistics({
  detector_id: "DetectorId", # required
  finding_statistic_types: ["COUNT_BY_SEVERITY"], # accepts COUNT_BY_SEVERITY
  finding_criteria: {
    criterion: {
      "String" => {
        eq: ["String"],
        neq: ["String"],
        gt: 1,
        gte: 1,
        lt: 1,
        lte: 1,
        equals: ["String"],
        not_equals: ["String"],
        greater_than: 1,
        greater_than_or_equal: 1,
        less_than: 1,
        less_than_or_equal: 1,
        matches: ["Match"],
        not_matches: ["NotMatch"],
      },
    },
  },
  group_by: "ACCOUNT", # accepts ACCOUNT, DATE, FINDING_TYPE, RESOURCE, SEVERITY
  order_by: "ASC", # accepts ASC, DESC
  max_results: 1,
})

Response structure


resp.finding_statistics.count_by_severity #=> Hash
resp.finding_statistics.count_by_severity["String"] #=> Integer
resp.finding_statistics.grouped_by_account #=> Array
resp.finding_statistics.grouped_by_account[0].account_id #=> String
resp.finding_statistics.grouped_by_account[0].last_generated_at #=> Time
resp.finding_statistics.grouped_by_account[0].total_findings #=> Integer
resp.finding_statistics.grouped_by_date #=> Array
resp.finding_statistics.grouped_by_date[0].date #=> Time
resp.finding_statistics.grouped_by_date[0].last_generated_at #=> Time
resp.finding_statistics.grouped_by_date[0].severity #=> Float
resp.finding_statistics.grouped_by_date[0].total_findings #=> Integer
resp.finding_statistics.grouped_by_finding_type #=> Array
resp.finding_statistics.grouped_by_finding_type[0].finding_type #=> String
resp.finding_statistics.grouped_by_finding_type[0].last_generated_at #=> Time
resp.finding_statistics.grouped_by_finding_type[0].total_findings #=> Integer
resp.finding_statistics.grouped_by_resource #=> Array
resp.finding_statistics.grouped_by_resource[0].account_id #=> String
resp.finding_statistics.grouped_by_resource[0].last_generated_at #=> Time
resp.finding_statistics.grouped_by_resource[0].resource_id #=> String
resp.finding_statistics.grouped_by_resource[0].resource_type #=> String
resp.finding_statistics.grouped_by_resource[0].total_findings #=> Integer
resp.finding_statistics.grouped_by_severity #=> Array
resp.finding_statistics.grouped_by_severity[0].last_generated_at #=> Time
resp.finding_statistics.grouped_by_severity[0].severity #=> Float
resp.finding_statistics.grouped_by_severity[0].total_findings #=> Integer
resp.next_token #=> String

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:detector_id (required, String) —

The ID of the detector whose findings statistics you want to retrieve.

To find the ‘detectorId` in the current Region, see the Settings page in the GuardDuty console, or run the [ListDetectors] API.

[1]: docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html
:finding_statistic_types (Array<String>) —

The types of finding statistics to retrieve.
:finding_criteria (Types::FindingCriteria) —

Represents the criteria that is used for querying findings.
:group_by (String) —

Displays the findings statistics grouped by one of the listed valid values.
:order_by (String) —

Displays the sorted findings in the requested order. The default value of ‘orderBy` is `DESC`.

You can use this parameter only with the ‘groupBy` parameter.
:max_results (Integer) —

The maximum number of results to be returned in the response. The default value is 25.

You can use this parameter only with the ‘groupBy` parameter.

Returns:

(Types::GetFindingsStatisticsResponse) —
Returns a response object which responds to the following methods:
- #finding_statistics => Types::FindingStatistics
- #next_token => String

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 4694

def get_findings_statistics(params = {}, options = {})
  req = build_request(:get_findings_statistics, params)
  req.send_request(options)
end

#get_investigation(params = {}) ⇒ `Types::GetInvestigationResponse`

This API is currently available as a preview. This feature is available in the following Amazon Web Services Regions: US East (N. Virginia), US East (Ohio), US West (Oregon), Canada (Central), Europe (Frankfurt), Europe (Ireland), Europe (London), Europe (Paris), Europe (Stockholm), and Asia Pacific (Tokyo).

Retrieves the results and status of a specific GuardDuty investigation.

An administrator account can retrieve any investigation within the organization. Member accounts can only retrieve investigations that belong to them.

Examples:

Request syntax with placeholder values


resp = client.get_investigation({
  detector_id: "DetectorId", # required
  investigation_id: "InvestigationId", # required
})

Response structure


resp.investigation.investigation_id #=> String
resp.investigation.status #=> String, one of "RUNNING", "COMPLETED", "FAILED"
resp.investigation.trigger_prompt #=> String
resp.investigation.triggered_by #=> String
resp.investigation.metadata.version #=> String
resp.investigation.metadata.product.name #=> String
resp.investigation.metadata.product.feature #=> String
resp.investigation.cloud.provider #=> String, one of "AWS"
resp.investigation.cloud.region #=> String
resp.investigation.cloud.account #=> String
resp.investigation.risk_level #=> String, one of "Info", "Low", "Medium", "High", "Critical"
resp.investigation.risk #=> String
resp.investigation.confidence #=> String, one of "Unknown", "Low", "Medium", "High"
resp.investigation.summary #=> String
resp.investigation.start_time #=> Time
resp.investigation.end_time #=> Time
resp.investigation.error #=> String

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:detector_id (required, String) —

The unique ID of the GuardDuty detector associated with the investigation.

To find the ‘detectorId` in the current Region, see the Settings page in the GuardDuty console, or run the [ListDetectors] API.

[1]: docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html
:investigation_id (required, String) —

The unique identifier of the investigation to retrieve.

Returns:

(Types::GetInvestigationResponse) —
Returns a response object which responds to the following methods:
- #investigation => Types::Investigation

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 4811

def get_investigation(params = {}, options = {})
  req = build_request(:get_investigation, params)
  req.send_request(options)
end

#get_invitations_count(params = {}) ⇒ `Types::GetInvitationsCountResponse`

Returns the count of all GuardDuty membership invitations that were sent to the current member account except the currently accepted invitation.

Examples:

Response structure


resp.invitations_count #=> Integer

Parameters:

params (Hash) (defaults to: {}) —

({})

Returns:

(Types::GetInvitationsCountResponse) —
Returns a response object which responds to the following methods:
- #invitations_count => Integer

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 4832

def get_invitations_count(params = {}, options = {})
  req = build_request(:get_invitations_count, params)
  req.send_request(options)
end

#get_ip_set(params = {}) ⇒ `Types::GetIPSetResponse`

Retrieves the IPSet specified by the ‘ipSetId`.

Examples:

Request syntax with placeholder values


resp = client.get_ip_set({
  detector_id: "DetectorId", # required
  ip_set_id: "String", # required
})

Response structure


resp.name #=> String
resp.format #=> String, one of "TXT", "STIX", "OTX_CSV", "ALIEN_VAULT", "PROOF_POINT", "FIRE_EYE"
resp.location #=> String
resp.status #=> String, one of "INACTIVE", "ACTIVATING", "ACTIVE", "DEACTIVATING", "ERROR", "DELETE_PENDING", "DELETED"
resp.tags #=> Hash
resp.tags["TagKey"] #=> String
resp.expected_bucket_owner #=> String

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:detector_id (required, String) —

The unique ID of the detector that is associated with the IPSet.

To find the ‘detectorId` in the current Region, see the Settings page in the GuardDuty console, or run the [ListDetectors] API.

[1]: docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html
:ip_set_id (required, String) —

The unique ID of the IPSet to retrieve.

Returns:

(Types::GetIPSetResponse) —
Returns a response object which responds to the following methods:
- #name => String
- #format => String
- #location => String
- #status => String
- #tags => Hash<String,String>
- #expected_bucket_owner => String

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 4744

def get_ip_set(params = {}, options = {})
  req = build_request(:get_ip_set, params)
  req.send_request(options)
end

#get_malware_protection_plan(params = {}) ⇒ `Types::GetMalwareProtectionPlanResponse`

Retrieves the Malware Protection plan details associated with a Malware Protection plan ID.

Examples:

Request syntax with placeholder values


resp = client.get_malware_protection_plan({
  malware_protection_plan_id: "String", # required
})

Response structure


resp.arn #=> String
resp.role #=> String
resp.protected_resource.s3_bucket.bucket_name #=> String
resp.protected_resource.s3_bucket.object_prefixes #=> Array
resp.protected_resource.s3_bucket.object_prefixes[0] #=> String
resp.actions.tagging.status #=> String, one of "ENABLED", "DISABLED"
resp.created_at #=> Time
resp.status #=> String, one of "ACTIVE", "WARNING", "ERROR"
resp.status_reasons #=> Array
resp.status_reasons[0].code #=> String
resp.status_reasons[0].message #=> String
resp.tags #=> Hash
resp.tags["TagKey"] #=> String

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:malware_protection_plan_id (required, String) —

A unique identifier associated with Malware Protection plan resource.

Returns:

(Types::GetMalwareProtectionPlanResponse) —
Returns a response object which responds to the following methods:
- #arn => String
- #role => String
- #protected_resource => Types::CreateProtectedResource
- #actions => Types::MalwareProtectionPlanActions
- #created_at => Time
- #status => String
- #status_reasons => Array<Types::MalwareProtectionPlanStatusReason>
- #tags => Hash<String,String>

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 4880

def get_malware_protection_plan(params = {}, options = {})
  req = build_request(:get_malware_protection_plan, params)
  req.send_request(options)
end

#get_malware_scan(params = {}) ⇒ `Types::GetMalwareScanResponse`

Retrieves the detailed information for a specific malware scan. Each member account can view the malware scan details for their own account. An administrator can view malware scan details for all accounts in the organization.

[1]: docs.aws.amazon.com/guardduty/latest/ug/guardduty_regions.html

Examples:

Request syntax with placeholder values


resp = client.get_malware_scan({
  scan_id: "String", # required
})

Response structure


resp.scan_id #=> String
resp.detector_id #=> String
resp.admin_detector_id #=> String
resp.resource_arn #=> String
resp.resource_type #=> String, one of "EBS_RECOVERY_POINT", "EBS_SNAPSHOT", "EBS_VOLUME", "EC2_AMI", "EC2_INSTANCE", "EC2_RECOVERY_POINT", "S3_RECOVERY_POINT", "S3_BUCKET", "S3_POINT_IN_TIME_RECOVERY"
resp.scanned_resources_count #=> Integer
resp.skipped_resources_count #=> Integer
resp.failed_resources_count #=> Integer
resp.scanned_resources #=> Array
resp.scanned_resources[0].scanned_resource_arn #=> String
resp.scanned_resources[0].scanned_resource_type #=> String, one of "EBS_RECOVERY_POINT", "EBS_SNAPSHOT", "EBS_VOLUME", "EC2_AMI", "EC2_INSTANCE", "EC2_RECOVERY_POINT", "S3_RECOVERY_POINT", "S3_BUCKET", "S3_POINT_IN_TIME_RECOVERY"
resp.scanned_resources[0].scanned_resource_status #=> String, one of "RUNNING", "COMPLETED", "COMPLETED_WITH_ISSUES", "FAILED", "SKIPPED"
resp.scanned_resources[0].scan_status_reason #=> String, one of "ACCESS_DENIED", "RESOURCE_NOT_FOUND", "SNAPSHOT_SIZE_LIMIT_EXCEEDED", "RESOURCE_UNAVAILABLE", "INCONSISTENT_SOURCE", "INCREMENTAL_NO_DIFFERENCE", "NO_EBS_VOLUMES_FOUND", "UNSUPPORTED_PRODUCT_CODE_TYPE", "AMI_SNAPSHOT_LIMIT_EXCEEDED", "UNRELATED_RESOURCES", "BASE_RESOURCE_NOT_SCANNED", "BASE_CREATED_AFTER_TARGET", "UNSUPPORTED_FOR_INCREMENTAL", "UNSUPPORTED_AMI", "UNSUPPORTED_SNAPSHOT", "UNSUPPORTED_COMPOSITE_RECOVERY_POINT", "ALL_FILES_SKIPPED_OR_FAILED"
resp.scanned_resources[0].resource_details.ebs_volume.volume_arn #=> String
resp.scanned_resources[0].resource_details.ebs_volume.volume_type #=> String
resp.scanned_resources[0].resource_details.ebs_volume.device_name #=> String
resp.scanned_resources[0].resource_details.ebs_volume.volume_size_in_gb #=> Integer
resp.scanned_resources[0].resource_details.ebs_volume.encryption_type #=> String
resp.scanned_resources[0].resource_details.ebs_volume.snapshot_arn #=> String
resp.scanned_resources[0].resource_details.ebs_volume.kms_key_arn #=> String
resp.scanned_resources[0].resource_details.ebs_snapshot.device_name #=> String
resp.scan_configuration.role #=> String
resp.scan_configuration.trigger_details.guard_duty_finding_id #=> String
resp.scan_configuration.trigger_details.description #=> String
resp.scan_configuration.trigger_details.trigger_type #=> String, one of "BACKUP", "GUARDDUTY"
resp.scan_configuration.incremental_scan_details.baseline_resource_arn #=> String
resp.scan_configuration.recovery_point.backup_vault_name #=> String
resp.scan_configuration.recovery_point.continuous_scan_details.start_time #=> Time
resp.scan_configuration.recovery_point.continuous_scan_details.end_time #=> Time
resp.scan_category #=> String, one of "FULL_SCAN", "INCREMENTAL_SCAN"
resp.scan_status #=> String, one of "RUNNING", "COMPLETED", "COMPLETED_WITH_ISSUES", "FAILED", "SKIPPED"
resp.scan_status_reason #=> String, one of "ACCESS_DENIED", "RESOURCE_NOT_FOUND", "SNAPSHOT_SIZE_LIMIT_EXCEEDED", "RESOURCE_UNAVAILABLE", "INCONSISTENT_SOURCE", "INCREMENTAL_NO_DIFFERENCE", "NO_EBS_VOLUMES_FOUND", "UNSUPPORTED_PRODUCT_CODE_TYPE", "AMI_SNAPSHOT_LIMIT_EXCEEDED", "UNRELATED_RESOURCES", "BASE_RESOURCE_NOT_SCANNED", "BASE_CREATED_AFTER_TARGET", "UNSUPPORTED_FOR_INCREMENTAL", "UNSUPPORTED_AMI", "UNSUPPORTED_SNAPSHOT", "UNSUPPORTED_COMPOSITE_RECOVERY_POINT", "ALL_FILES_SKIPPED_OR_FAILED"
resp.scan_type #=> String, one of "BACKUP_INITIATED", "ON_DEMAND", "GUARDDUTY_INITIATED"
resp.scan_started_at #=> Time
resp.scan_completed_at #=> Time
resp.scan_result_details.scan_result_status #=> String, one of "NO_THREATS_FOUND", "THREATS_FOUND"
resp.scan_result_details.skipped_file_count #=> Integer
resp.scan_result_details.failed_file_count #=> Integer
resp.scan_result_details.threat_found_file_count #=> Integer
resp.scan_result_details.total_file_count #=> Integer
resp.scan_result_details.total_bytes #=> Integer
resp.scan_result_details.unique_threat_count #=> Integer
resp.scan_result_details.threats #=> Array
resp.scan_result_details.threats[0].name #=> String
resp.scan_result_details.threats[0].source #=> String, one of "AMAZON", "BITDEFENDER"
resp.scan_result_details.threats[0].count #=> Integer
resp.scan_result_details.threats[0].hash #=> String
resp.scan_result_details.threats[0].item_details #=> Array
resp.scan_result_details.threats[0].item_details[0].resource_arn #=> String
resp.scan_result_details.threats[0].item_details[0].item_path #=> String
resp.scan_result_details.threats[0].item_details[0].hash #=> String
resp.scan_result_details.threats[0].item_details[0].additional_info.version_id #=> String
resp.scan_result_details.threats[0].item_details[0].additional_info.device_name #=> String

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:scan_id (required, String) —

A unique identifier that gets generated when you invoke the API without any error. Each malware scan has a corresponding scan ID. Using this scan ID, you can monitor the status of your malware scan.

Returns:

(Types::GetMalwareScanResponse) —
Returns a response object which responds to the following methods:
- #scan_id => String
- #detector_id => String
- #admin_detector_id => String
- #resource_arn => String
- #resource_type => String
- #scanned_resources_count => Integer
- #skipped_resources_count => Integer
- #failed_resources_count => Integer
- #scanned_resources => Array<Types::ScannedResource>
- #scan_configuration => Types::ScanConfiguration
- #scan_category => String
- #scan_status => String
- #scan_status_reason => String
- #scan_type => String
- #scan_started_at => Time
- #scan_completed_at => Time
- #scan_result_details => Types::GetMalwareScanResultDetails

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 4990

def get_malware_scan(params = {}, options = {})
  req = build_request(:get_malware_scan, params)
  req.send_request(options)
end

#get_malware_scan_settings(params = {}) ⇒ `Types::GetMalwareScanSettingsResponse`

Returns the details of the malware scan settings.

[1]: docs.aws.amazon.com/guardduty/latest/ug/guardduty_regions.html

Examples:

Request syntax with placeholder values


resp = client.get_malware_scan_settings({
  detector_id: "DetectorId", # required
})

Response structure


resp.scan_resource_criteria.include #=> Hash
resp.scan_resource_criteria.include["ScanCriterionKey"].map_equals #=> Array
resp.scan_resource_criteria.include["ScanCriterionKey"].map_equals[0].key #=> String
resp.scan_resource_criteria.include["ScanCriterionKey"].map_equals[0].value #=> String
resp.scan_resource_criteria.exclude #=> Hash
resp.scan_resource_criteria.exclude["ScanCriterionKey"].map_equals #=> Array
resp.scan_resource_criteria.exclude["ScanCriterionKey"].map_equals[0].key #=> String
resp.scan_resource_criteria.exclude["ScanCriterionKey"].map_equals[0].value #=> String
resp.ebs_snapshot_preservation #=> String, one of "NO_RETENTION", "RETENTION_WITH_FINDING"

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:detector_id (required, String) —

The unique ID of the detector that is associated with this scan.

To find the ‘detectorId` in the current Region, see the Settings page in the GuardDuty console, or run the [ListDetectors] API.

[1]: docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html

Returns:

(Types::GetMalwareScanSettingsResponse) —
Returns a response object which responds to the following methods:
- #scan_resource_criteria => Types::ScanResourceCriteria
- #ebs_snapshot_preservation => String

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 5043

def get_malware_scan_settings(params = {}, options = {})
  req = build_request(:get_malware_scan_settings, params)
  req.send_request(options)
end

#get_master_account(params = {}) ⇒ `Types::GetMasterAccountResponse`

Provides the details for the GuardDuty administrator account associated with the current GuardDuty member account.

Examples:

Request syntax with placeholder values


resp = client.get_master_account({
  detector_id: "DetectorId", # required
})

Response structure


resp.master.account_id #=> String
resp.master.invitation_id #=> String
resp.master.relationship_status #=> String
resp.master.invited_at #=> String

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:detector_id (required, String) —

The unique ID of the detector of the GuardDuty member account.

To find the ‘detectorId` in the current Region, see the Settings page in the GuardDuty console, or run the [ListDetectors] API.

[1]: docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html

Returns:

(Types::GetMasterAccountResponse) —
Returns a response object which responds to the following methods:
- #master => Types::Master

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 5082

def get_master_account(params = {}, options = {})
  req = build_request(:get_master_account, params)
  req.send_request(options)
end

#get_member_detectors(params = {}) ⇒ `Types::GetMemberDetectorsResponse`

Describes which data sources are enabled for the member account’s detector.

[1]: docs.aws.amazon.com/guardduty/latest/ug/guardduty_regions.html

Examples:

Request syntax with placeholder values


resp = client.get_member_detectors({
  detector_id: "DetectorId", # required
  account_ids: ["AccountId"], # required
})

Response structure


resp.member_data_source_configurations #=> Array
resp.member_data_source_configurations[0].account_id #=> String
resp.member_data_source_configurations[0].data_sources.cloud_trail.status #=> String, one of "ENABLED", "DISABLED"
resp.member_data_source_configurations[0].data_sources.dns_logs.status #=> String, one of "ENABLED", "DISABLED"
resp.member_data_source_configurations[0].data_sources.flow_logs.status #=> String, one of "ENABLED", "DISABLED"
resp.member_data_source_configurations[0].data_sources.s3_logs.status #=> String, one of "ENABLED", "DISABLED"
resp.member_data_source_configurations[0].data_sources.kubernetes.audit_logs.status #=> String, one of "ENABLED", "DISABLED"
resp.member_data_source_configurations[0].data_sources.malware_protection.scan_ec2_instance_with_findings.ebs_volumes.status #=> String, one of "ENABLED", "DISABLED"
resp.member_data_source_configurations[0].data_sources.malware_protection.scan_ec2_instance_with_findings.ebs_volumes.reason #=> String
resp.member_data_source_configurations[0].data_sources.malware_protection.service_role #=> String
resp.member_data_source_configurations[0].features #=> Array
resp.member_data_source_configurations[0].features[0].name #=> String, one of "S3_DATA_EVENTS", "EKS_AUDIT_LOGS", "EBS_MALWARE_PROTECTION", "RDS_LOGIN_EVENTS", "LAMBDA_NETWORK_LOGS", "EKS_RUNTIME_MONITORING", "RUNTIME_MONITORING"
resp.member_data_source_configurations[0].features[0].status #=> String, one of "ENABLED", "DISABLED"
resp.member_data_source_configurations[0].features[0].updated_at #=> Time
resp.member_data_source_configurations[0].features[0].additional_configuration #=> Array
resp.member_data_source_configurations[0].features[0].additional_configuration[0].name #=> String, one of "EKS_ADDON_MANAGEMENT", "ECS_FARGATE_AGENT_MANAGEMENT", "EC2_AGENT_MANAGEMENT"
resp.member_data_source_configurations[0].features[0].additional_configuration[0].status #=> String, one of "ENABLED", "DISABLED"
resp.member_data_source_configurations[0].features[0].additional_configuration[0].updated_at #=> Time
resp.unprocessed_accounts #=> Array
resp.unprocessed_accounts[0].account_id #=> String
resp.unprocessed_accounts[0].result #=> String

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:detector_id (required, String) —

The detector ID for the administrator account.

To find the ‘detectorId` in the current Region, see the Settings page in the GuardDuty console, or run the [ListDetectors] API.

[1]: docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html
:account_ids (required, Array<String>) —

A list of member account IDs.

Returns:

(Types::GetMemberDetectorsResponse) —
Returns a response object which responds to the following methods:
- #member_data_source_configurations => Array<Types::MemberDataSourceConfiguration>
- #unprocessed_accounts => Array<Types::UnprocessedAccount>

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 5152

def get_member_detectors(params = {}, options = {})
  req = build_request(:get_member_detectors, params)
  req.send_request(options)
end

#get_members(params = {}) ⇒ `Types::GetMembersResponse`

Retrieves GuardDuty member accounts (of the current GuardDuty administrator account) specified by the account IDs.

Examples:

Request syntax with placeholder values


resp = client.get_members({
  detector_id: "DetectorId", # required
  account_ids: ["AccountId"], # required
})

Response structure


resp.members #=> Array
resp.members[0].account_id #=> String
resp.members[0].detector_id #=> String
resp.members[0].master_id #=> String
resp.members[0].email #=> String
resp.members[0].relationship_status #=> String
resp.members[0].invited_at #=> String
resp.members[0].updated_at #=> String
resp.members[0].administrator_id #=> String
resp.unprocessed_accounts #=> Array
resp.unprocessed_accounts[0].account_id #=> String
resp.unprocessed_accounts[0].result #=> String

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:detector_id (required, String) —

The unique ID of the detector of the GuardDuty account whose members you want to retrieve.

To find the ‘detectorId` in the current Region, see the Settings page in the GuardDuty console, or run the [ListDetectors] API.

[1]: docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html
:account_ids (required, Array<String>) —

A list of account IDs of the GuardDuty member accounts that you want to describe.

Returns:

(Types::GetMembersResponse) —
Returns a response object which responds to the following methods:
- #members => Array<Types::Member>
- #unprocessed_accounts => Array<Types::UnprocessedAccount>

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 5206

def get_members(params = {}, options = {})
  req = build_request(:get_members, params)
  req.send_request(options)
end

#get_organization_statistics(params = {}) ⇒ `Types::GetOrganizationStatisticsResponse`

Retrieves how many active member accounts have each feature enabled within GuardDuty. Only a delegated GuardDuty administrator of an organization can run this API.

When you create a new organization, it might take up to 24 hours to generate the statistics for the entire organization.

Examples:

Response structure


resp.organization_details.updated_at #=> Time
resp.organization_details.organization_statistics.total_accounts_count #=> Integer
resp.organization_details.organization_statistics.member_accounts_count #=> Integer
resp.organization_details.organization_statistics.active_accounts_count #=> Integer
resp.organization_details.organization_statistics.enabled_accounts_count #=> Integer
resp.organization_details.organization_statistics.count_by_feature #=> Array
resp.organization_details.organization_statistics.count_by_feature[0].name #=> String, one of "S3_DATA_EVENTS", "EKS_AUDIT_LOGS", "EBS_MALWARE_PROTECTION", "RDS_LOGIN_EVENTS", "LAMBDA_NETWORK_LOGS", "EKS_RUNTIME_MONITORING", "RUNTIME_MONITORING"
resp.organization_details.organization_statistics.count_by_feature[0].enabled_accounts_count #=> Integer
resp.organization_details.organization_statistics.count_by_feature[0].additional_configuration #=> Array
resp.organization_details.organization_statistics.count_by_feature[0].additional_configuration[0].name #=> String, one of "EKS_ADDON_MANAGEMENT", "ECS_FARGATE_AGENT_MANAGEMENT", "EC2_AGENT_MANAGEMENT"
resp.organization_details.organization_statistics.count_by_feature[0].additional_configuration[0].enabled_accounts_count #=> Integer

Parameters:

params (Hash) (defaults to: {}) —

({})

Returns:

(Types::GetOrganizationStatisticsResponse) —
Returns a response object which responds to the following methods:
- #organization_details => Types::OrganizationDetails

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 5240

def get_organization_statistics(params = {}, options = {})
  req = build_request(:get_organization_statistics, params)
  req.send_request(options)
end

#get_remaining_free_trial_days(params = {}) ⇒ `Types::GetRemainingFreeTrialDaysResponse`

Provides the number of days left for each data source used in the free trial period.

Examples:

Request syntax with placeholder values


resp = client.get_remaining_free_trial_days({
  detector_id: "DetectorId", # required
  account_ids: ["AccountId"], # required
})

Response structure


resp.accounts #=> Array
resp.accounts[0].account_id #=> String
resp.accounts[0].data_sources.cloud_trail.free_trial_days_remaining #=> Integer
resp.accounts[0].data_sources.dns_logs.free_trial_days_remaining #=> Integer
resp.accounts[0].data_sources.flow_logs.free_trial_days_remaining #=> Integer
resp.accounts[0].data_sources.s3_logs.free_trial_days_remaining #=> Integer
resp.accounts[0].data_sources.kubernetes.audit_logs.free_trial_days_remaining #=> Integer
resp.accounts[0].data_sources.malware_protection.scan_ec2_instance_with_findings.free_trial_days_remaining #=> Integer
resp.accounts[0].features #=> Array
resp.accounts[0].features[0].name #=> String, one of "FLOW_LOGS", "CLOUD_TRAIL", "DNS_LOGS", "S3_DATA_EVENTS", "EKS_AUDIT_LOGS", "EBS_MALWARE_PROTECTION", "RDS_LOGIN_EVENTS", "LAMBDA_NETWORK_LOGS", "EKS_RUNTIME_MONITORING", "EC2_RUNTIME_MONITORING", "FARGATE_RUNTIME_MONITORING"
resp.accounts[0].features[0].free_trial_days_remaining #=> Integer
resp.unprocessed_accounts #=> Array
resp.unprocessed_accounts[0].account_id #=> String
resp.unprocessed_accounts[0].result #=> String

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:detector_id (required, String) —

The unique ID of the detector of the GuardDuty member account.

To find the ‘detectorId` in the current Region, see the Settings page in the GuardDuty console, or run the [ListDetectors] API.

[1]: docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html
:account_ids (required, Array<String>) —

A list of account identifiers of the GuardDuty member account.

Returns:

(Types::GetRemainingFreeTrialDaysResponse) —
Returns a response object which responds to the following methods:
- #accounts => Array<Types::AccountFreeTrialInfo>
- #unprocessed_accounts => Array<Types::UnprocessedAccount>

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 5294

def get_remaining_free_trial_days(params = {}, options = {})
  req = build_request(:get_remaining_free_trial_days, params)
  req.send_request(options)
end

#get_threat_entity_set(params = {}) ⇒ `Types::GetThreatEntitySetResponse`

Retrieves the threat entity set associated with the specified ‘threatEntitySetId`.

Examples:

Request syntax with placeholder values


resp = client.get_threat_entity_set({
  detector_id: "DetectorId", # required
  threat_entity_set_id: "String", # required
})

Response structure


resp.name #=> String
resp.format #=> String, one of "TXT", "STIX", "OTX_CSV", "ALIEN_VAULT", "PROOF_POINT", "FIRE_EYE"
resp.location #=> String
resp.expected_bucket_owner #=> String
resp.status #=> String, one of "INACTIVE", "ACTIVATING", "ACTIVE", "DEACTIVATING", "ERROR", "DELETE_PENDING", "DELETED"
resp.tags #=> Hash
resp.tags["TagKey"] #=> String
resp.created_at #=> Time
resp.updated_at #=> Time
resp.error_details #=> String

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:detector_id (required, String) —

The unique ID of the detector associated with the threat entity set resource.

To find the ‘detectorId` in the current Region, see the Settings page in the GuardDuty console, or run the [ListDetectors] API.

[1]: docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html
:threat_entity_set_id (required, String) —

The unique ID that helps GuardDuty identify the threat entity set.

Returns:

(Types::GetThreatEntitySetResponse) —
Returns a response object which responds to the following methods:
- #name => String
- #format => String
- #location => String
- #expected_bucket_owner => String
- #status => String
- #tags => Hash<String,String>
- #created_at => Time
- #updated_at => Time
- #error_details => String

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 5352

def get_threat_entity_set(params = {}, options = {})
  req = build_request(:get_threat_entity_set, params)
  req.send_request(options)
end

#get_threat_intel_set(params = {}) ⇒ `Types::GetThreatIntelSetResponse`

Retrieves the ThreatIntelSet that is specified by the ThreatIntelSet ID.

Examples:

Request syntax with placeholder values


resp = client.get_threat_intel_set({
  detector_id: "DetectorId", # required
  threat_intel_set_id: "String", # required
})

Response structure


resp.name #=> String
resp.format #=> String, one of "TXT", "STIX", "OTX_CSV", "ALIEN_VAULT", "PROOF_POINT", "FIRE_EYE"
resp.location #=> String
resp.status #=> String, one of "INACTIVE", "ACTIVATING", "ACTIVE", "DEACTIVATING", "ERROR", "DELETE_PENDING", "DELETED"
resp.tags #=> Hash
resp.tags["TagKey"] #=> String
resp.expected_bucket_owner #=> String

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:detector_id (required, String) —

The unique ID of the detector that is associated with the threatIntelSet.

To find the ‘detectorId` in the current Region, see the Settings page in the GuardDuty console, or run the [ListDetectors] API.

[1]: docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html
:threat_intel_set_id (required, String) —

The unique ID of the threatIntelSet that you want to get.

Returns:

(Types::GetThreatIntelSetResponse) —
Returns a response object which responds to the following methods:
- #name => String
- #format => String
- #location => String
- #status => String
- #tags => Hash<String,String>
- #expected_bucket_owner => String

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 5404

def get_threat_intel_set(params = {}, options = {})
  req = build_request(:get_threat_intel_set, params)
  req.send_request(options)
end

#get_trusted_entity_set(params = {}) ⇒ `Types::GetTrustedEntitySetResponse`

Retrieves the trusted entity set associated with the specified ‘trustedEntitySetId`.

Examples:

Request syntax with placeholder values


resp = client.get_trusted_entity_set({
  detector_id: "DetectorId", # required
  trusted_entity_set_id: "String", # required
})

Response structure


resp.name #=> String
resp.format #=> String, one of "TXT", "STIX", "OTX_CSV", "ALIEN_VAULT", "PROOF_POINT", "FIRE_EYE"
resp.location #=> String
resp.expected_bucket_owner #=> String
resp.status #=> String, one of "INACTIVE", "ACTIVATING", "ACTIVE", "DEACTIVATING", "ERROR", "DELETE_PENDING", "DELETED"
resp.tags #=> Hash
resp.tags["TagKey"] #=> String
resp.created_at #=> Time
resp.updated_at #=> Time
resp.error_details #=> String

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:detector_id (required, String) —

The unique ID of the GuardDuty detector associated with this trusted entity set.
:trusted_entity_set_id (required, String) —

The unique ID that helps GuardDuty identify the trusted entity set.

Returns:

(Types::GetTrustedEntitySetResponse) —
Returns a response object which responds to the following methods:
- #name => String
- #format => String
- #location => String
- #expected_bucket_owner => String
- #status => String
- #tags => Hash<String,String>
- #created_at => Time
- #updated_at => Time
- #error_details => String

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 5455

def get_trusted_entity_set(params = {}, options = {})
  req = build_request(:get_trusted_entity_set, params)
  req.send_request(options)
end

#get_usage_statistics(params = {}) ⇒ `Types::GetUsageStatisticsResponse`

Lists Amazon GuardDuty usage statistics over the last 30 days for the specified detector ID. For newly enabled detectors or data sources, the cost returned will include only the usage so far under 30 days. This may differ from the cost metrics in the console, which project usage over 30 days to provide a monthly cost estimate. For more information, see [Understanding How Usage Costs are Calculated].

[1]: docs.aws.amazon.com/guardduty/latest/ug/monitoring_costs.html#usage-calculations

The returned response is a pageable response and is Enumerable. For details on usage see PageableResponse.

Examples:

Request syntax with placeholder values


resp = client.get_usage_statistics({
  detector_id: "DetectorId", # required
  usage_statistic_type: "SUM_BY_ACCOUNT", # required, accepts SUM_BY_ACCOUNT, SUM_BY_DATA_SOURCE, SUM_BY_RESOURCE, TOP_RESOURCES, SUM_BY_FEATURES, TOP_ACCOUNTS_BY_FEATURE
  usage_criteria: { # required
    account_ids: ["AccountId"],
    data_sources: ["FLOW_LOGS"], # accepts FLOW_LOGS, CLOUD_TRAIL, DNS_LOGS, S3_LOGS, KUBERNETES_AUDIT_LOGS, EC2_MALWARE_SCAN
    resources: ["String"],
    features: ["FLOW_LOGS"], # accepts FLOW_LOGS, CLOUD_TRAIL, DNS_LOGS, S3_DATA_EVENTS, EKS_AUDIT_LOGS, EBS_MALWARE_PROTECTION, RDS_LOGIN_EVENTS, LAMBDA_NETWORK_LOGS, EKS_RUNTIME_MONITORING, EC2_RUNTIME_MONITORING, FARGATE_RUNTIME_MONITORING, RDS_DBI_PROTECTION_PROVISIONED, RDS_DBI_PROTECTION_SERVERLESS
  },
  unit: "String",
  max_results: 1,
  next_token: "String",
})

Response structure


resp.usage_statistics.sum_by_account #=> Array
resp.usage_statistics.sum_by_account[0].account_id #=> String
resp.usage_statistics.sum_by_account[0].total.amount #=> String
resp.usage_statistics.sum_by_account[0].total.unit #=> String
resp.usage_statistics.top_accounts_by_feature #=> Array
resp.usage_statistics.top_accounts_by_feature[0].feature #=> String, one of "FLOW_LOGS", "CLOUD_TRAIL", "DNS_LOGS", "S3_DATA_EVENTS", "EKS_AUDIT_LOGS", "EBS_MALWARE_PROTECTION", "RDS_LOGIN_EVENTS", "LAMBDA_NETWORK_LOGS", "EKS_RUNTIME_MONITORING", "EC2_RUNTIME_MONITORING", "FARGATE_RUNTIME_MONITORING", "RDS_DBI_PROTECTION_PROVISIONED", "RDS_DBI_PROTECTION_SERVERLESS"
resp.usage_statistics.top_accounts_by_feature[0].accounts #=> Array
resp.usage_statistics.top_accounts_by_feature[0].accounts[0].account_id #=> String
resp.usage_statistics.top_accounts_by_feature[0].accounts[0].total.amount #=> String
resp.usage_statistics.top_accounts_by_feature[0].accounts[0].total.unit #=> String
resp.usage_statistics.sum_by_data_source #=> Array
resp.usage_statistics.sum_by_data_source[0].data_source #=> String, one of "FLOW_LOGS", "CLOUD_TRAIL", "DNS_LOGS", "S3_LOGS", "KUBERNETES_AUDIT_LOGS", "EC2_MALWARE_SCAN"
resp.usage_statistics.sum_by_data_source[0].total.amount #=> String
resp.usage_statistics.sum_by_data_source[0].total.unit #=> String
resp.usage_statistics.sum_by_resource #=> Array
resp.usage_statistics.sum_by_resource[0].resource #=> String
resp.usage_statistics.sum_by_resource[0].total.amount #=> String
resp.usage_statistics.sum_by_resource[0].total.unit #=> String
resp.usage_statistics.top_resources #=> Array
resp.usage_statistics.top_resources[0].resource #=> String
resp.usage_statistics.top_resources[0].total.amount #=> String
resp.usage_statistics.top_resources[0].total.unit #=> String
resp.usage_statistics.sum_by_feature #=> Array
resp.usage_statistics.sum_by_feature[0].feature #=> String, one of "FLOW_LOGS", "CLOUD_TRAIL", "DNS_LOGS", "S3_DATA_EVENTS", "EKS_AUDIT_LOGS", "EBS_MALWARE_PROTECTION", "RDS_LOGIN_EVENTS", "LAMBDA_NETWORK_LOGS", "EKS_RUNTIME_MONITORING", "EC2_RUNTIME_MONITORING", "FARGATE_RUNTIME_MONITORING", "RDS_DBI_PROTECTION_PROVISIONED", "RDS_DBI_PROTECTION_SERVERLESS"
resp.usage_statistics.sum_by_feature[0].total.amount #=> String
resp.usage_statistics.sum_by_feature[0].total.unit #=> String
resp.next_token #=> String

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:detector_id (required, String) —

The ID of the detector that specifies the GuardDuty service whose usage statistics you want to retrieve.

To find the ‘detectorId` in the current Region, see the Settings page in the GuardDuty console, or run the [ListDetectors] API.

[1]: docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html
:usage_statistic_type (required, String) —

The type of usage statistics to retrieve.
:usage_criteria (required, Types::UsageCriteria) —

Represents the criteria used for querying usage.
:unit (String) —

The currency unit you would like to view your usage statistics in. Current valid values are USD.
:max_results (Integer) —

The maximum number of results to return in the response.
:next_token (String) —

A token to use for paginating results that are returned in the response. Set the value of this parameter to null for the first request to a list action. For subsequent calls, use the NextToken value returned from the previous request to continue listing results after the first page.

Returns:

(Types::GetUsageStatisticsResponse) —
Returns a response object which responds to the following methods:
- #usage_statistics => Types::UsageStatistics
- #next_token => String

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 5559

def get_usage_statistics(params = {}, options = {})
  req = build_request(:get_usage_statistics, params)
  req.send_request(options)
end

#invite_members(params = {}) ⇒ `Types::InviteMembersResponse`

Invites Amazon Web Services accounts to become members of an organization administered by the Amazon Web Services account that invokes this API. If you are using Amazon Web Services Organizations to manage your GuardDuty environment, this step is not needed. For more information, see [Managing accounts with organizations].

To invite Amazon Web Services accounts, the first step is to ensure that GuardDuty has been enabled in the potential member accounts. You can now invoke this API to add accounts by invitation. The invited accounts can either accept or decline the invitation from their GuardDuty accounts. Each invited Amazon Web Services account can choose to accept the invitation from only one Amazon Web Services account. For more information, see [Managing GuardDuty accounts by invitation].

After the invite has been accepted and you choose to disassociate a member account (by using [DisassociateMembers]) from your account, the details of the member account obtained by invoking [CreateMembers], including the associated email addresses, will be retained. This is done so that you can invoke InviteMembers without the need to invoke [CreateMembers] again. To remove the details associated with a member account, you must also invoke [DeleteMembers].

[1]: docs.aws.amazon.com/guardduty/latest/ug/guardduty_organizations.html [2]: docs.aws.amazon.com/guardduty/latest/ug/guardduty_invitations.html [3]: docs.aws.amazon.com/guardduty/latest/APIReference/API_DisassociateMembers.html [4]: docs.aws.amazon.com/guardduty/latest/APIReference/API_CreateMembers.html [5]: docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteMembers.html [6]: docs.aws.amazon.com/guardduty/latest/APIReference/API_InviteMembers.html

Examples:

Request syntax with placeholder values


resp = client.invite_members({
  detector_id: "DetectorId", # required
  account_ids: ["AccountId"], # required
  disable_email_notification: false,
  message: "String",
})

Response structure


resp.unprocessed_accounts #=> Array
resp.unprocessed_accounts[0].account_id #=> String
resp.unprocessed_accounts[0].result #=> String

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:detector_id (required, String) —

The unique ID of the detector of the GuardDuty account with which you want to invite members.

To find the ‘detectorId` in the current Region, see the Settings page in the GuardDuty console, or run the [ListDetectors] API.

[1]: docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html
:account_ids (required, Array<String>) —

A list of account IDs of the accounts that you want to invite to GuardDuty as members.
:disable_email_notification (Boolean) —

A Boolean value that specifies whether you want to disable email notification to the accounts that you are inviting to GuardDuty as members.
:message (String) —

The invitation message that you want to send to the accounts that you’re inviting to GuardDuty as members.

Returns:

(Types::InviteMembersResponse) —
Returns a response object which responds to the following methods:
- #unprocessed_accounts => Array<Types::UnprocessedAccount>

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 5657

def invite_members(params = {}, options = {})
  req = build_request(:invite_members, params)
  req.send_request(options)
end

#list_coverage(params = {}) ⇒ `Types::ListCoverageResponse`

Lists coverage details for your GuardDuty account. If you’re a GuardDuty administrator, you can retrieve all resources associated with the active member accounts in your organization.

Make sure the accounts have Runtime Monitoring enabled and GuardDuty agent running on their resources.

The returned response is a pageable response and is Enumerable. For details on usage see PageableResponse.

Examples:

Request syntax with placeholder values


resp = client.list_coverage({
  detector_id: "DetectorId", # required
  next_token: "String",
  max_results: 1,
  filter_criteria: {
    filter_criterion: [
      {
        criterion_key: "ACCOUNT_ID", # accepts ACCOUNT_ID, RESOURCE_TYPE, COVERAGE_STATUS, ADDON_VERSION, CLUSTER_NAME, ECS_CLUSTER_NAME, MANAGEMENT_TYPE, EKS_CLUSTER_NAME, AGENT_VERSION, INSTANCE_ID, CLUSTER_ARN
        filter_condition: {
          equals: ["String"],
          not_equals: ["String"],
        },
      },
    ],
  },
  sort_criteria: {
    attribute_name: "ACCOUNT_ID", # accepts ACCOUNT_ID, COVERAGE_STATUS, ISSUE, ADDON_VERSION, UPDATED_AT, CLUSTER_NAME, EKS_CLUSTER_NAME, ECS_CLUSTER_NAME, INSTANCE_ID
    order_by: "ASC", # accepts ASC, DESC
  },
})

Response structure


resp.resources #=> Array
resp.resources[0].resource_id #=> String
resp.resources[0].detector_id #=> String
resp.resources[0].account_id #=> String
resp.resources[0].resource_details.eks_cluster_details.cluster_name #=> String
resp.resources[0].resource_details.eks_cluster_details.covered_nodes #=> Integer
resp.resources[0].resource_details.eks_cluster_details.compatible_nodes #=> Integer
resp.resources[0].resource_details.eks_cluster_details.addon_details.addon_version #=> String
resp.resources[0].resource_details.eks_cluster_details.addon_details.addon_status #=> String
resp.resources[0].resource_details.eks_cluster_details.management_type #=> String, one of "AUTO_MANAGED", "MANUAL", "DISABLED"
resp.resources[0].resource_details.ecs_cluster_details.cluster_name #=> String
resp.resources[0].resource_details.ecs_cluster_details.fargate_details.issues #=> Array
resp.resources[0].resource_details.ecs_cluster_details.fargate_details.issues[0] #=> String
resp.resources[0].resource_details.ecs_cluster_details.fargate_details.management_type #=> String, one of "AUTO_MANAGED", "MANUAL", "DISABLED"
resp.resources[0].resource_details.ecs_cluster_details.container_instance_details.covered_container_instances #=> Integer
resp.resources[0].resource_details.ecs_cluster_details.container_instance_details.compatible_container_instances #=> Integer
resp.resources[0].resource_details.ec2_instance_details.instance_id #=> String
resp.resources[0].resource_details.ec2_instance_details.instance_type #=> String
resp.resources[0].resource_details.ec2_instance_details.cluster_arn #=> String
resp.resources[0].resource_details.ec2_instance_details.agent_details.version #=> String
resp.resources[0].resource_details.ec2_instance_details.management_type #=> String, one of "AUTO_MANAGED", "MANUAL", "DISABLED"
resp.resources[0].resource_details.resource_type #=> String, one of "EKS", "ECS", "EC2"
resp.resources[0].coverage_status #=> String, one of "HEALTHY", "UNHEALTHY"
resp.resources[0].issue #=> String
resp.resources[0].updated_at #=> Time
resp.next_token #=> String

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:detector_id (required, String) —

The unique ID of the detector whose coverage details you want to retrieve.

To find the ‘detectorId` in the current Region, see the Settings page in the GuardDuty console, or run the [ListDetectors] API.

[1]: docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html
:next_token (String) —

A token to use for paginating results that are returned in the response. Set the value of this parameter to null for the first request to a list action. For subsequent calls, use the NextToken value returned from the previous request to continue listing results after the first page.
:max_results (Integer) —

The maximum number of results to return in the response.
:filter_criteria (Types::CoverageFilterCriteria) —

Represents the criteria used to filter the coverage details.
:sort_criteria (Types::CoverageSortCriteria) —

Represents the criteria used to sort the coverage details.

Returns:

(Types::ListCoverageResponse) —
Returns a response object which responds to the following methods:
- #resources => Array<Types::CoverageResource>
- #next_token => String

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 5759

def list_coverage(params = {}, options = {})
  req = build_request(:list_coverage, params)
  req.send_request(options)
end

#list_detectors(params = {}) ⇒ `Types::ListDetectorsResponse`

Lists detectorIds of all the existing Amazon GuardDuty detector resources.

The returned response is a pageable response and is Enumerable. For details on usage see PageableResponse.

Examples:

Request syntax with placeholder values


resp = client.list_detectors({
  max_results: 1,
  next_token: "String",
})

Response structure


resp.detector_ids #=> Array
resp.detector_ids[0] #=> String
resp.next_token #=> String

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:max_results (Integer) —

You can use this parameter to indicate the maximum number of items that you want in the response. The default value is 50. The maximum value is 50.
:next_token (String) —

You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.

Returns:

(Types::ListDetectorsResponse) —
Returns a response object which responds to the following methods:
- #detector_ids => Array<String>
- #next_token => String

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 5803

def list_detectors(params = {}, options = {})
  req = build_request(:list_detectors, params)
  req.send_request(options)
end

#list_filters(params = {}) ⇒ `Types::ListFiltersResponse`

Returns a paginated list of the current filters.

The returned response is a pageable response and is Enumerable. For details on usage see PageableResponse.

Examples:

Request syntax with placeholder values


resp = client.list_filters({
  detector_id: "DetectorId", # required
  max_results: 1,
  next_token: "String",
})

Response structure


resp.filter_names #=> Array
resp.filter_names[0] #=> String
resp.next_token #=> String

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:detector_id (required, String) —

The unique ID of the detector that is associated with the filter.

To find the ‘detectorId` in the current Region, see the Settings page in the GuardDuty console, or run the [ListDetectors] API.

[1]: docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html
:max_results (Integer) —

You can use this parameter to indicate the maximum number of items that you want in the response. The default value is 50. The maximum value is 50.
:next_token (String) —

You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.

Returns:

(Types::ListFiltersResponse) —
Returns a response object which responds to the following methods:
- #filter_names => Array<String>
- #next_token => String

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 5857

def list_filters(params = {}, options = {})
  req = build_request(:list_filters, params)
  req.send_request(options)
end

#list_findings(params = {}) ⇒ `Types::ListFindingsResponse`

Lists GuardDuty findings for the specified detector ID.

There might be regional differences because some flags might not be available in all the Regions where GuardDuty is currently supported. For more information, see [Regions and endpoints].

[1]: docs.aws.amazon.com/guardduty/latest/ug/guardduty_regions.html

The returned response is a pageable response and is Enumerable. For details on usage see PageableResponse.

Examples:

Request syntax with placeholder values


resp = client.list_findings({
  detector_id: "DetectorId", # required
  finding_criteria: {
    criterion: {
      "String" => {
        eq: ["String"],
        neq: ["String"],
        gt: 1,
        gte: 1,
        lt: 1,
        lte: 1,
        equals: ["String"],
        not_equals: ["String"],
        greater_than: 1,
        greater_than_or_equal: 1,
        less_than: 1,
        less_than_or_equal: 1,
        matches: ["Match"],
        not_matches: ["NotMatch"],
      },
    },
  },
  sort_criteria: {
    attribute_name: "String",
    order_by: "ASC", # accepts ASC, DESC
  },
  max_results: 1,
  next_token: "String",
})

Response structure


resp.finding_ids #=> Array
resp.finding_ids[0] #=> String
resp.next_token #=> String

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:detector_id (required, String) —

The ID of the detector that specifies the GuardDuty service whose findings you want to list.

To find the ‘detectorId` in the current Region, see the Settings page in the GuardDuty console, or run the [ListDetectors] API.

[1]: docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html
:finding_criteria (Types::FindingCriteria) —
Represents the criteria used for querying findings. Valid values include:
- JSON field name
- accountId
- region
- confidence
- id
- resource.accessKeyDetails.accessKeyId
- resource.accessKeyDetails.principalId
- resource.accessKeyDetails.userName
- resource.accessKeyDetails.userType
- resource.instanceDetails.iamInstanceProfile.id
- resource.instanceDetails.imageId
- resource.instanceDetails.instanceId
- resource.instanceDetails.networkInterfaces.ipv6Addresses
- resource.instanceDetails.networkInterfaces.privateIpAddresses.privateIpAddress
- resource.instanceDetails.networkInterfaces.publicDnsName
- resource.instanceDetails.networkInterfaces.publicIp
- resource.instanceDetails.networkInterfaces.securityGroups.groupId
- resource.instanceDetails.networkInterfaces.securityGroups.groupName
- resource.instanceDetails.networkInterfaces.subnetId
- resource.instanceDetails.networkInterfaces.vpcId
- resource.instanceDetails.tags.key
- resource.instanceDetails.tags.value
- resource.resourceType
- service.action.actionType
- service.action.awsApiCallAction.api
- service.action.awsApiCallAction.callerType
- service.action.awsApiCallAction.remoteIpDetails.city.cityName
- service.action.awsApiCallAction.remoteIpDetails.country.countryName
- service.action.awsApiCallAction.remoteIpDetails.ipAddressV4
- service.action.awsApiCallAction.remoteIpDetails.organization.asn
- service.action.awsApiCallAction.remoteIpDetails.organization.asnOrg
- service.action.awsApiCallAction.serviceName
- service.action.dnsRequestAction.domain
- service.action.dnsRequestAction.domainWithSuffix
- service.action.networkConnectionAction.blocked
- service.action.networkConnectionAction.connectionDirection
- service.action.networkConnectionAction.localPortDetails.port
- service.action.networkConnectionAction.protocol
- service.action.networkConnectionAction.remoteIpDetails.country.countryName
- service.action.networkConnectionAction.remoteIpDetails.ipAddressV4
- service.action.networkConnectionAction.remoteIpDetails.organization.asn
- service.action.networkConnectionAction.remoteIpDetails.organization.asnOrg
- service.action.networkConnectionAction.remotePortDetails.port
- service.additionalInfo.threatListName
- service.archived
  
  When this attribute is set to ‘true’, only archived findings are listed. When it’s set to ‘false’, only unarchived findings are listed. When this attribute is not set, all existing findings are listed.
- service.ebsVolumeScanDetails.scanId
- service.resourceRole
- severity
- type
- updatedAt
  
  Type: Timestamp in Unix Epoch millisecond format: 1486685375000
:sort_criteria (Types::SortCriteria) —

Represents the criteria used for sorting findings.
:max_results (Integer) —

You can use this parameter to indicate the maximum number of items you want in the response. The default value is 50. The maximum value is 50.
:next_token (String) —

You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.

Returns:

(Types::ListFindingsResponse) —
Returns a response object which responds to the following methods:
- #finding_ids => Array<String>
- #next_token => String

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 6058

def list_findings(params = {}, options = {})
  req = build_request(:list_findings, params)
  req.send_request(options)
end

#list_investigations(params = {}) ⇒ `Types::ListInvestigationsResponse`

Returns a list of investigations associated with the specified GuardDuty detector.

An administrator account sees all investigations across the organization. Member accounts see only the investigations that belong to them.

The returned response is a pageable response and is Enumerable. For details on usage see PageableResponse.

Examples:

Request syntax with placeholder values


resp = client.list_investigations({
  detector_id: "DetectorId", # required
  sort_criteria: {
    attribute_name: "START_TIME", # accepts START_TIME, END_TIME, STATUS, RISK_LEVEL, CONFIDENCE
    order_by: "ASC", # accepts ASC, DESC
  },
  max_results: 1,
  next_token: "NextToken",
})

Response structure


resp.investigations #=> Array
resp.investigations[0].investigation_id #=> String
resp.investigations[0].status #=> String, one of "RUNNING", "COMPLETED", "FAILED"
resp.investigations[0].trigger_prompt #=> String
resp.investigations[0].risk_level #=> String, one of "Info", "Low", "Medium", "High", "Critical"
resp.investigations[0].confidence #=> String, one of "Unknown", "Low", "Medium", "High"
resp.investigations[0].title #=> String
resp.investigations[0].account_id #=> String
resp.investigations[0].start_time #=> Time
resp.investigations[0].end_time #=> Time
resp.next_token #=> String

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:detector_id (required, String) —

The unique ID of the GuardDuty detector whose investigations you want to list.

To find the ‘detectorId` in the current Region, see the Settings page in the GuardDuty console, or run the [ListDetectors] API.

[1]: docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html
:sort_criteria (Types::InvestigationSortCriteria) —

Represents the criteria used for sorting investigations.
:max_results (Integer) —

You can use this parameter to indicate the maximum number of items you want in the response. The default value is 50.
:next_token (String) —

You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.

Returns:

(Types::ListInvestigationsResponse) —
Returns a response object which responds to the following methods:
- #investigations => Array<Types::InvestigationSummary>
- #next_token => String

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 6194

def list_investigations(params = {}, options = {})
  req = build_request(:list_investigations, params)
  req.send_request(options)
end

#list_invitations(params = {}) ⇒ `Types::ListInvitationsResponse`

Lists all GuardDuty membership invitations that were sent to the current Amazon Web Services account.

The returned response is a pageable response and is Enumerable. For details on usage see PageableResponse.

Examples:

Request syntax with placeholder values


resp = client.list_invitations({
  max_results: 1,
  next_token: "String",
})

Response structure


resp.invitations #=> Array
resp.invitations[0].account_id #=> String
resp.invitations[0].invitation_id #=> String
resp.invitations[0].relationship_status #=> String
resp.invitations[0].invited_at #=> String
resp.next_token #=> String

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:max_results (Integer) —

You can use this parameter to indicate the maximum number of items that you want in the response. The default value is 50. The maximum value is 50.
:next_token (String) —

You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.

Returns:

(Types::ListInvitationsResponse) —
Returns a response object which responds to the following methods:
- #invitations => Array<Types::Invitation>
- #next_token => String

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 6241

def list_invitations(params = {}, options = {})
  req = build_request(:list_invitations, params)
  req.send_request(options)
end

#list_ip_sets(params = {}) ⇒ `Types::ListIPSetsResponse`

Lists the IPSets of the GuardDuty service specified by the detector ID. If you use this operation from a member account, the IPSets returned are the IPSets from the associated administrator account.

The returned response is a pageable response and is Enumerable. For details on usage see PageableResponse.

Examples:

Request syntax with placeholder values


resp = client.list_ip_sets({
  detector_id: "DetectorId", # required
  max_results: 1,
  next_token: "String",
})

Response structure


resp.ip_set_ids #=> Array
resp.ip_set_ids[0] #=> String
resp.next_token #=> String

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:detector_id (required, String) —

The unique ID of the detector that is associated with IPSet.

To find the ‘detectorId` in the current Region, see the Settings page in the GuardDuty console, or run the [ListDetectors] API.

[1]: docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html
:max_results (Integer) —

You can use this parameter to indicate the maximum number of items you want in the response. The default value is 50. The maximum value is 50.
:next_token (String) —

You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.

Returns:

(Types::ListIPSetsResponse) —
Returns a response object which responds to the following methods:
- #ip_set_ids => Array<String>
- #next_token => String

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 6114

def list_ip_sets(params = {}, options = {})
  req = build_request(:list_ip_sets, params)
  req.send_request(options)
end

#list_malware_protection_plans(params = {}) ⇒ `Types::ListMalwareProtectionPlansResponse`

Lists the Malware Protection plan IDs associated with the protected resources in your Amazon Web Services account.

Examples:

Request syntax with placeholder values


resp = client.list_malware_protection_plans({
  next_token: "String",
})

Response structure


resp.malware_protection_plans #=> Array
resp.malware_protection_plans[0].malware_protection_plan_id #=> String
resp.next_token #=> String

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:next_token (String) —

You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of ‘NextToken` from the previous response to continue listing data. The default page size is 100 plans.

Returns:

(Types::ListMalwareProtectionPlansResponse) —
Returns a response object which responds to the following methods:
- #malware_protection_plans => Array<Types::MalwareProtectionPlanSummary>
- #next_token => String

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 6277

def list_malware_protection_plans(params = {}, options = {})
  req = build_request(:list_malware_protection_plans, params)
  req.send_request(options)
end

#list_malware_scans(params = {}) ⇒ `Types::ListMalwareScansResponse`

Returns a list of malware scans. Each member account can view the malware scans for their own accounts. An administrator can view the malware scans for all of its members’ accounts.

The returned response is a pageable response and is Enumerable. For details on usage see PageableResponse.

Examples:

Request syntax with placeholder values


resp = client.list_malware_scans({
  max_results: 1,
  next_token: "String",
  filter_criteria: {
    list_malware_scans_filter_criterion: [
      {
        list_malware_scans_criterion_key: "RESOURCE_ARN", # accepts RESOURCE_ARN, SCAN_ID, ACCOUNT_ID, GUARDDUTY_FINDING_ID, RESOURCE_TYPE, SCAN_START_TIME, SCAN_STATUS, SCAN_TYPE
        filter_condition: {
          equals_value: "NonEmptyString",
          greater_than: 1,
          less_than: 1,
        },
      },
    ],
  },
  sort_criteria: {
    attribute_name: "String",
    order_by: "ASC", # accepts ASC, DESC
  },
})

Response structure


resp.scans #=> Array
resp.scans[0].resource_arn #=> String
resp.scans[0].resource_type #=> String, one of "EBS_RECOVERY_POINT", "EBS_SNAPSHOT", "EBS_VOLUME", "EC2_AMI", "EC2_INSTANCE", "EC2_RECOVERY_POINT", "S3_RECOVERY_POINT", "S3_BUCKET", "S3_POINT_IN_TIME_RECOVERY"
resp.scans[0].scan_id #=> String
resp.scans[0].scan_status #=> String, one of "RUNNING", "COMPLETED", "COMPLETED_WITH_ISSUES", "FAILED", "SKIPPED"
resp.scans[0].scan_result_status #=> String, one of "NO_THREATS_FOUND", "THREATS_FOUND"
resp.scans[0].scan_type #=> String, one of "BACKUP_INITIATED", "ON_DEMAND", "GUARDDUTY_INITIATED"
resp.scans[0].scan_started_at #=> Time
resp.scans[0].scan_completed_at #=> Time
resp.next_token #=> String

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:max_results (Integer) —

You can use this parameter to indicate the maximum number of items that you want in the response. The default value is 50. The maximum value is 50.
:next_token (String) —

You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing results.
:filter_criteria (Types::ListMalwareScansFilterCriteria) —

Represents the criteria used to filter the malware scan entries.
:sort_criteria (Types::SortCriteria) —

Represents the criteria used for sorting malware scan entries.

Returns:

(Types::ListMalwareScansResponse) —
Returns a response object which responds to the following methods:
- #scans => Array<Types::MalwareScan>
- #next_token => String

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 6351

def list_malware_scans(params = {}, options = {})
  req = build_request(:list_malware_scans, params)
  req.send_request(options)
end

#list_members(params = {}) ⇒ `Types::ListMembersResponse`

Lists details about all member accounts for the current GuardDuty administrator account.

The returned response is a pageable response and is Enumerable. For details on usage see PageableResponse.

Examples:

Request syntax with placeholder values


resp = client.list_members({
  detector_id: "DetectorId", # required
  max_results: 1,
  next_token: "String",
  only_associated: "String",
})

Response structure


resp.members #=> Array
resp.members[0].account_id #=> String
resp.members[0].detector_id #=> String
resp.members[0].master_id #=> String
resp.members[0].email #=> String
resp.members[0].relationship_status #=> String
resp.members[0].invited_at #=> String
resp.members[0].updated_at #=> String
resp.members[0].administrator_id #=> String
resp.next_token #=> String

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:detector_id (required, String) —

The unique ID of the detector that is associated with the member.

To find the ‘detectorId` in the current Region, see the Settings page in the GuardDuty console, or run the [ListDetectors] API.

[1]: docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html
:max_results (Integer) —

You can use this parameter to indicate the maximum number of items you want in the response. The default value is 50. The maximum value is 50.
:next_token (String) —

You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.
:only_associated (String) —

Specifies whether to only return associated members or to return all members (including members who haven’t been invited yet or have been disassociated). Member accounts must have been previously associated with the GuardDuty administrator account using [ ‘Create Members` ][1].

[1]: docs.aws.amazon.com/guardduty/latest/APIReference/API_CreateMembers.html

Returns:

(Types::ListMembersResponse) —
Returns a response object which responds to the following methods:
- #members => Array<Types::Member>
- #next_token => String

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 6425

def list_members(params = {}, options = {})
  req = build_request(:list_members, params)
  req.send_request(options)
end

#list_organization_admin_accounts(params = {}) ⇒ `Types::ListOrganizationAdminAccountsResponse`

Lists the accounts designated as GuardDuty delegated administrators. Only the organization’s management account can run this API operation.

The returned response is a pageable response and is Enumerable. For details on usage see PageableResponse.

Examples:

Request syntax with placeholder values


resp = client.list_organization_admin_accounts({
  max_results: 1,
  next_token: "String",
})

Response structure


resp.admin_accounts #=> Array
resp.admin_accounts[0].admin_account_id #=> String
resp.admin_accounts[0].admin_status #=> String, one of "ENABLED", "DISABLE_IN_PROGRESS"
resp.next_token #=> String

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:max_results (Integer) —

The maximum number of results to return in the response.
:next_token (String) —

A token to use for paginating results that are returned in the response. Set the value of this parameter to null for the first request to a list action. For subsequent calls, use the ‘NextToken` value returned from the previous request to continue listing results after the first page.

Returns:

(Types::ListOrganizationAdminAccountsResponse) —
Returns a response object which responds to the following methods:
- #admin_accounts => Array<Types::AdminAccount>
- #next_token => String

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 6469

def list_organization_admin_accounts(params = {}, options = {})
  req = build_request(:list_organization_admin_accounts, params)
  req.send_request(options)
end

#list_publishing_destinations(params = {}) ⇒ `Types::ListPublishingDestinationsResponse`

Returns a list of publishing destinations associated with the specified ‘detectorId`.

The returned response is a pageable response and is Enumerable. For details on usage see PageableResponse.

Examples:

Request syntax with placeholder values


resp = client.list_publishing_destinations({
  detector_id: "DetectorId", # required
  max_results: 1,
  next_token: "String",
})

Response structure


resp.destinations #=> Array
resp.destinations[0].destination_id #=> String
resp.destinations[0].destination_type #=> String, one of "S3"
resp.destinations[0].status #=> String, one of "PENDING_VERIFICATION", "PUBLISHING", "UNABLE_TO_PUBLISH_FIX_DESTINATION_PROPERTY", "STOPPED"
resp.next_token #=> String

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:detector_id (required, String) —

The detector ID for which you want to retrieve the publishing destination.

To find the ‘detectorId` in the current Region, see the Settings page in the GuardDuty console, or run the [ListDetectors] API.

[1]: docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html
:max_results (Integer) —

The maximum number of results to return in the response.
:next_token (String) —

A token to use for paginating results that are returned in the response. Set the value of this parameter to null for the first request to a list action. For subsequent calls, use the ‘NextToken` value returned from the previous request to continue listing results after the first page.

Returns:

(Types::ListPublishingDestinationsResponse) —
Returns a response object which responds to the following methods:
- #destinations => Array<Types::Destination>
- #next_token => String

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 6525

def list_publishing_destinations(params = {}, options = {})
  req = build_request(:list_publishing_destinations, params)
  req.send_request(options)
end

#list_tags_for_resource(params = {}) ⇒ `Types::ListTagsForResourceResponse`

Lists tags for a resource. Tagging is currently supported for detectors, finding filters, IP sets, threat intel sets, and publishing destination, with a limit of 50 tags per resource. When invoked, this operation returns all assigned tags for a given resource.

Examples:

Request syntax with placeholder values


resp = client.list_tags_for_resource({
  resource_arn: "GuardDutyArn", # required
})

Response structure


resp.tags #=> Hash
resp.tags["TagKey"] #=> String

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:resource_arn (required, String) —

The Amazon Resource Name (ARN) for the given GuardDuty resource.

Returns:

(Types::ListTagsForResourceResponse) —
Returns a response object which responds to the following methods:
- #tags => Hash<String,String>

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 6557

def list_tags_for_resource(params = {}, options = {})
  req = build_request(:list_tags_for_resource, params)
  req.send_request(options)
end

#list_threat_entity_sets(params = {}) ⇒ `Types::ListThreatEntitySetsResponse`

Lists the threat entity sets associated with the specified GuardDuty detector ID. If you use this operation from a member account, the threat entity sets that are returned as a response, belong to the administrator account.

The returned response is a pageable response and is Enumerable. For details on usage see PageableResponse.

Examples:

Request syntax with placeholder values


resp = client.list_threat_entity_sets({
  detector_id: "DetectorId", # required
  max_results: 1,
  next_token: "String",
})

Response structure


resp.threat_entity_set_ids #=> Array
resp.threat_entity_set_ids[0] #=> String
resp.next_token #=> String

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:detector_id (required, String) —

The unique ID of the GuardDuty detector that is associated with this threat entity set.

To find the ‘detectorId` in the current Region, see the Settings page in the GuardDuty console, or run the [ListDetectors] API.

[1]: docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html
:max_results (Integer) —

You can use this parameter to indicate the maximum number of items you want in the response. The default value is 50.
:next_token (String) —

You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.

Returns:

(Types::ListThreatEntitySetsResponse) —
Returns a response object which responds to the following methods:
- #threat_entity_set_ids => Array<String>
- #next_token => String

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 6614

def list_threat_entity_sets(params = {}, options = {})
  req = build_request(:list_threat_entity_sets, params)
  req.send_request(options)
end

#list_threat_intel_sets(params = {}) ⇒ `Types::ListThreatIntelSetsResponse`

Lists the ThreatIntelSets of the GuardDuty service specified by the detector ID. If you use this operation from a member account, the ThreatIntelSets associated with the administrator account are returned.

The returned response is a pageable response and is Enumerable. For details on usage see PageableResponse.

Examples:

Request syntax with placeholder values


resp = client.list_threat_intel_sets({
  detector_id: "DetectorId", # required
  max_results: 1,
  next_token: "String",
})

Response structure


resp.threat_intel_set_ids #=> Array
resp.threat_intel_set_ids[0] #=> String
resp.next_token #=> String

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:detector_id (required, String) —

The unique ID of the detector that is associated with the threatIntelSet.

To find the ‘detectorId` in the current Region, see the Settings page in the GuardDuty console, or run the [ListDetectors] API.

[1]: docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html
:max_results (Integer) —

You can use this parameter to indicate the maximum number of items that you want in the response. The default value is 50. The maximum value is 50.
:next_token (String) —

You can use this parameter to paginate results in the response. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.

Returns:

(Types::ListThreatIntelSetsResponse) —
Returns a response object which responds to the following methods:
- #threat_intel_set_ids => Array<String>
- #next_token => String

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 6672

def list_threat_intel_sets(params = {}, options = {})
  req = build_request(:list_threat_intel_sets, params)
  req.send_request(options)
end

#list_trusted_entity_sets(params = {}) ⇒ `Types::ListTrustedEntitySetsResponse`

Lists the trusted entity sets associated with the specified GuardDuty detector ID. If you use this operation from a member account, the trusted entity sets that are returned as a response, belong to the administrator account.

The returned response is a pageable response and is Enumerable. For details on usage see PageableResponse.

Examples:

Request syntax with placeholder values


resp = client.list_trusted_entity_sets({
  detector_id: "DetectorId", # required
  max_results: 1,
  next_token: "String",
})

Response structure


resp.trusted_entity_set_ids #=> Array
resp.trusted_entity_set_ids[0] #=> String
resp.next_token #=> String

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:detector_id (required, String) —

The unique ID of the GuardDuty detector that is associated with this threat entity set.

To find the ‘detectorId` in the current Region, see the Settings page in the GuardDuty console, or run the [ListDetectors] API.

[1]: docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html
:max_results (Integer) —

You can use this parameter to indicate the maximum number of items you want in the response. The default value is 50.
:next_token (String) —

You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.

Returns:

(Types::ListTrustedEntitySetsResponse) —
Returns a response object which responds to the following methods:
- #trusted_entity_set_ids => Array<String>
- #next_token => String

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 6729

def list_trusted_entity_sets(params = {}, options = {})
  req = build_request(:list_trusted_entity_sets, params)
  req.send_request(options)
end

#send_object_malware_scan(params = {}) ⇒ `Struct`

Initiates a malware scan for a specific S3 object. This API allows you to perform on-demand malware scanning of individual objects in S3 buckets that have Malware Protection for S3 enabled.

When you use this API, the Amazon Web Services service terms for GuardDuty Malware Protection apply. For more information, see [Amazon Web Services service terms for GuardDuty Malware Protection].

[1]: aws.amazon.com/service-terms/#87._Amazon_GuardDuty

Examples:

Request syntax with placeholder values


resp = client.send_object_malware_scan({
  s3_object: {
    bucket: "String",
    key: "String",
    version_id: "String",
  },
})

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:s3_object (Types::S3ObjectForSendObjectMalwareScan) —

The S3 object information for the object you want to scan. The bucket must have a Malware Protection plan configured to use this API.

Returns:

(Struct) —

Returns an empty response.

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 6766

def send_object_malware_scan(params = {}, options = {})
  req = build_request(:send_object_malware_scan, params)
  req.send_request(options)
end

#start_malware_scan(params = {}) ⇒ `Types::StartMalwareScanResponse`

Initiates the malware scan. Invoking this API will automatically create the [Service-linked role] in the corresponding account if the resourceArn belongs to an EC2 instance.

When the malware scan starts, you can use the associated scan ID to track the status of the scan. For more information, see

ListMalwareScans][2: and [GetMalwareScan].

When you use this API, the Amazon Web Services service terms for GuardDuty Malware Protection apply. For more information, see [Amazon Web Services service terms for GuardDuty Malware Protection].

[1]: docs.aws.amazon.com/guardduty/latest/ug/slr-permissions-malware-protection.html [2]: docs.aws.amazon.com/guardduty/latest/APIReference/API_ListMalwareScans.html [3]: docs.aws.amazon.com/guardduty/latest/APIReference/API_GetMalwareScan.html [4]: aws.amazon.com/service-terms/#87._Amazon_GuardDuty

Examples:

Request syntax with placeholder values


resp = client.start_malware_scan({
  resource_arn: "ResourceArn", # required
  client_token: "ClientToken",
  scan_configuration: {
    role: "NonEmptyString", # required
    incremental_scan_details: {
      baseline_resource_arn: "NonEmptyString", # required
    },
    recovery_point: {
      backup_vault_name: "String", # required
      continuous_scan_details: {
        start_time: Time.now,
        end_time: Time.now, # required
      },
    },
  },
})

Response structure


resp.scan_id #=> String

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:resource_arn (required, String) —

Amazon Resource Name (ARN) of the resource for which you invoked the API.
:client_token (String) —

The idempotency token for the create request.

**A suitable default value is auto-generated.** You should normally not need to pass this option.**
:scan_configuration (Types::StartMalwareScanConfiguration) —

Contains information about the configuration to be used for the malware scan.

Returns:

(Types::StartMalwareScanResponse) —
Returns a response object which responds to the following methods:
- #scan_id => String

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 6836

def start_malware_scan(params = {}, options = {})
  req = build_request(:start_malware_scan, params)
  req.send_request(options)
end

#start_monitoring_members(params = {}) ⇒ `Types::StartMonitoringMembersResponse`

Turns on GuardDuty monitoring of the specified member accounts. Use this operation to restart monitoring of accounts that you stopped monitoring with the [StopMonitoringMembers] operation.

[1]: docs.aws.amazon.com/guardduty/latest/APIReference/API_StopMonitoringMembers.html

Examples:

Request syntax with placeholder values


resp = client.start_monitoring_members({
  detector_id: "DetectorId", # required
  account_ids: ["AccountId"], # required
})

Response structure


resp.unprocessed_accounts #=> Array
resp.unprocessed_accounts[0].account_id #=> String
resp.unprocessed_accounts[0].result #=> String

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:detector_id (required, String) —

The unique ID of the detector of the GuardDuty administrator account associated with the member accounts to monitor.

To find the ‘detectorId` in the current Region, see the Settings page in the GuardDuty console, or run the [ListDetectors] API.

[1]: docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html
:account_ids (required, Array<String>) —

A list of account IDs of the GuardDuty member accounts to start monitoring.

Returns:

(Types::StartMonitoringMembersResponse) —
Returns a response object which responds to the following methods:
- #unprocessed_accounts => Array<Types::UnprocessedAccount>

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 6885

def start_monitoring_members(params = {}, options = {})
  req = build_request(:start_monitoring_members, params)
  req.send_request(options)
end

#stop_monitoring_members(params = {}) ⇒ `Types::StopMonitoringMembersResponse`

Stops GuardDuty monitoring for the specified member accounts. Use the ‘StartMonitoringMembers` operation to restart monitoring for those accounts.

With ‘autoEnableOrganizationMembers` configuration for your organization set to `ALL`, you’ll receive an error if you attempt to stop monitoring the member accounts in your organization.

Examples:

Request syntax with placeholder values


resp = client.stop_monitoring_members({
  detector_id: "DetectorId", # required
  account_ids: ["AccountId"], # required
})

Response structure


resp.unprocessed_accounts #=> Array
resp.unprocessed_accounts[0].account_id #=> String
resp.unprocessed_accounts[0].result #=> String

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:detector_id (required, String) —

The unique ID of the detector associated with the GuardDuty administrator account that is monitoring member accounts.

To find the ‘detectorId` in the current Region, see the Settings page in the GuardDuty console, or run the [ListDetectors] API.

[1]: docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html
:account_ids (required, Array<String>) —

A list of account IDs for the member accounts to stop monitoring.

Returns:

(Types::StopMonitoringMembersResponse) —
Returns a response object which responds to the following methods:
- #unprocessed_accounts => Array<Types::UnprocessedAccount>

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 6933

def stop_monitoring_members(params = {}, options = {})
  req = build_request(:stop_monitoring_members, params)
  req.send_request(options)
end

#tag_resource(params = {}) ⇒ `Struct`

Adds tags to a resource.

Examples:

Request syntax with placeholder values


resp = client.tag_resource({
  resource_arn: "GuardDutyArn", # required
  tags: { # required
    "TagKey" => "TagValue",
  },
})

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:resource_arn (required, String) —

The Amazon Resource Name (ARN) for the GuardDuty resource to apply a tag to.
:tags (required, Hash<String,String>) —

The tags to be added to a resource.

Returns:

(Struct) —

Returns an empty response.

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 6962

def tag_resource(params = {}, options = {})
  req = build_request(:tag_resource, params)
  req.send_request(options)
end

#unarchive_findings(params = {}) ⇒ `Struct`

Unarchives GuardDuty findings specified by the ‘findingIds`.

Examples:

Request syntax with placeholder values


resp = client.unarchive_findings({
  detector_id: "DetectorId", # required
  finding_ids: ["FindingId"], # required
})

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:detector_id (required, String) —

The ID of the detector associated with the findings to unarchive.

To find the ‘detectorId` in the current Region, see the Settings page in the GuardDuty console, or run the [ListDetectors] API.

[1]: docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html
:finding_ids (required, Array<String>) —

The IDs of the findings to unarchive.

Returns:

(Struct) —

Returns an empty response.

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 6995

def unarchive_findings(params = {}, options = {})
  req = build_request(:unarchive_findings, params)
  req.send_request(options)
end

#untag_resource(params = {}) ⇒ `Struct`

Removes tags from a resource.

Examples:

Request syntax with placeholder values


resp = client.untag_resource({
  resource_arn: "GuardDutyArn", # required
  tag_keys: ["TagKey"], # required
})

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:resource_arn (required, String) —

The Amazon Resource Name (ARN) for the resource to remove tags from.
:tag_keys (required, Array<String>) —

The tag keys to remove from the resource.

Returns:

(Struct) —

Returns an empty response.

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 7021

def untag_resource(params = {}, options = {})
  req = build_request(:untag_resource, params)
  req.send_request(options)
end

#update_detector(params = {}) ⇒ `Struct`

Updates the GuardDuty detector specified by the detector ID.

[1]: docs.aws.amazon.com/guardduty/latest/ug/runtime-monitoring.html [2]: docs.aws.amazon.com/guardduty/latest/ug/guardduty_regions.html

Examples:

Request syntax with placeholder values


resp = client.update_detector({
  detector_id: "DetectorId", # required
  enable: false,
  finding_publishing_frequency: "FIFTEEN_MINUTES", # accepts FIFTEEN_MINUTES, ONE_HOUR, SIX_HOURS
  data_sources: {
    s3_logs: {
      enable: false, # required
    },
    kubernetes: {
      audit_logs: { # required
        enable: false, # required
      },
    },
    malware_protection: {
      scan_ec2_instance_with_findings: {
        ebs_volumes: false,
      },
    },
  },
  features: [
    {
      name: "S3_DATA_EVENTS", # accepts S3_DATA_EVENTS, EKS_AUDIT_LOGS, EBS_MALWARE_PROTECTION, RDS_LOGIN_EVENTS, LAMBDA_NETWORK_LOGS, EKS_RUNTIME_MONITORING, RUNTIME_MONITORING
      status: "ENABLED", # accepts ENABLED, DISABLED
      additional_configuration: [
        {
          name: "EKS_ADDON_MANAGEMENT", # accepts EKS_ADDON_MANAGEMENT, ECS_FARGATE_AGENT_MANAGEMENT, EC2_AGENT_MANAGEMENT
          status: "ENABLED", # accepts ENABLED, DISABLED
        },
      ],
    },
  ],
})

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:detector_id (required, String) —

The unique ID of the detector to update.

To find the ‘detectorId` in the current Region, see the Settings page in the GuardDuty console, or run the [ListDetectors] API.

[1]: docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html
:enable (Boolean) —

Specifies whether the detector is enabled or not enabled.
:finding_publishing_frequency (String) —

An enum value that specifies how frequently findings are exported, such as to CloudWatch Events.
:data_sources (Types::DataSourceConfigurations) —

Describes which data sources will be updated.

There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see [Regions and endpoints].

[1]: docs.aws.amazon.com/guardduty/latest/ug/guardduty_regions.html
:features (Array<Types::DetectorFeatureConfiguration>) —

Provides the features that will be updated for the detector.

Returns:

(Struct) —

Returns an empty response.

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 7117

def update_detector(params = {}, options = {})
  req = build_request(:update_detector, params)
  req.send_request(options)
end

#update_filter(params = {}) ⇒ `Types::UpdateFilterResponse`

Updates the filter specified by the filter name.

Examples:

Request syntax with placeholder values


resp = client.update_filter({
  detector_id: "DetectorId", # required
  filter_name: "String", # required
  description: "FilterDescription",
  action: "NOOP", # accepts NOOP, ARCHIVE
  rank: 1,
  finding_criteria: {
    criterion: {
      "String" => {
        eq: ["String"],
        neq: ["String"],
        gt: 1,
        gte: 1,
        lt: 1,
        lte: 1,
        equals: ["String"],
        not_equals: ["String"],
        greater_than: 1,
        greater_than_or_equal: 1,
        less_than: 1,
        less_than_or_equal: 1,
        matches: ["Match"],
        not_matches: ["NotMatch"],
      },
    },
  },
})

Response structure


resp.name #=> String

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:detector_id (required, String) —

The unique ID of the detector that specifies the GuardDuty service where you want to update a filter.

To find the ‘detectorId` in the current Region, see the Settings page in the GuardDuty console, or run the [ListDetectors] API.

[1]: docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html
:filter_name (required, String) —

The name of the filter.
:description (String) —

The description of the filter. Valid characters include alphanumeric characters, and special characters such as hyphen, period, colon, underscore, parentheses (‘{ }`, `[ ]`, and `( )`), forward slash, horizontal tab, vertical tab, newline, form feed, return, and whitespace.
:action (String) —

Specifies the action that is to be applied to the findings that match the filter.

Default: NOOP
:rank (Integer) —

Specifies the position of the filter in the list of current filters. Also specifies the order in which this filter is applied to the findings.
:finding_criteria (Types::FindingCriteria) —
Represents the criteria to be used in the filter for querying findings. The following fields are available for filtering:
- accountId
- arn
- associatedAttackSequenceArn
- confidence
- createdAt
  
  Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
- id
- partition
- region
- resource.accessKeyDetails.accessKeyId
- resource.accessKeyDetails.principalId
- resource.accessKeyDetails.userIdentity.accessKeyId
- resource.accessKeyDetails.userIdentity.accountId
- resource.accessKeyDetails.userIdentity.arn
- resource.accessKeyDetails.userIdentity.principalId
- resource.accessKeyDetails.userIdentity.sessionContext.attributes.mfaAuthenticated
- resource.accessKeyDetails.userIdentity.sessionContext.ec2RoleDelivery
- resource.accessKeyDetails.userIdentity.sessionContext.invokedBy
- resource.accessKeyDetails.userIdentity.sessionContext.sessionIssuer.accountId
- resource.accessKeyDetails.userIdentity.sessionContext.sessionIssuer.arn
- resource.accessKeyDetails.userIdentity.sessionContext.sessionIssuer.principalId
- resource.accessKeyDetails.userIdentity.sessionContext.sessionIssuer.type
- resource.accessKeyDetails.userIdentity.sessionContext.sessionIssuer.userName
- resource.accessKeyDetails.userIdentity.sessionContext.sourceIdentity
- resource.accessKeyDetails.userIdentity.sessionContext.webIdFederationData.attributes
- resource.accessKeyDetails.userIdentity.sessionContext.webIdFederationData.federatedProvider
- resource.accessKeyDetails.userIdentity.type
- resource.accessKeyDetails.userIdentity.userName
- resource.accessKeyDetails.userName
- resource.accessKeyDetails.userType
- resource.bedrockGuardrailDetails.guardrailArn
- resource.bedrockGuardrailDetails.guardrailVersion
- resource.containerDetails.containerRuntime
- resource.containerDetails.id
- resource.containerDetails.image
- resource.containerDetails.imagePrefix
- resource.containerDetails.name
- resource.containerDetails.securityContext.allowPrivilegeEscalation
- resource.containerDetails.securityContext.privileged
- resource.containerDetails.volumeMounts.mountPath
- resource.containerDetails.volumeMounts.name
- resource.ebsSnapshotDetails.snapshotArn
- resource.ebsVolumeDetails.scannedVolumeDetails.deviceName
- resource.ebsVolumeDetails.scannedVolumeDetails.encryptionType
- resource.ebsVolumeDetails.scannedVolumeDetails.kmsKeyArn
- resource.ebsVolumeDetails.scannedVolumeDetails.snapshotArn
- resource.ebsVolumeDetails.scannedVolumeDetails.volumeArn
- resource.ebsVolumeDetails.scannedVolumeDetails.volumeSizeInGB
- resource.ebsVolumeDetails.scannedVolumeDetails.volumeType
- resource.ebsVolumeDetails.skippedVolumeDetails.deviceName
- resource.ebsVolumeDetails.skippedVolumeDetails.encryptionType
- resource.ebsVolumeDetails.skippedVolumeDetails.kmsKeyArn
- resource.ebsVolumeDetails.skippedVolumeDetails.snapshotArn
- resource.ebsVolumeDetails.skippedVolumeDetails.volumeArn
- resource.ebsVolumeDetails.skippedVolumeDetails.volumeSizeInGB
- resource.ebsVolumeDetails.skippedVolumeDetails.volumeType
- resource.ec2ImageDetails.imageArn
- resource.ecsClusterDetails.activeServicesCount
- resource.ecsClusterDetails.arn
- resource.ecsClusterDetails.name
- resource.ecsClusterDetails.registeredContainerInstancesCount
- resource.ecsClusterDetails.runningTasksCount
- resource.ecsClusterDetails.status
- resource.ecsClusterDetails.tags.key
- resource.ecsClusterDetails.tags.value
- resource.ecsClusterDetails.taskDetails.arn
- resource.ecsClusterDetails.taskDetails.containers.containerRuntime
- resource.ecsClusterDetails.taskDetails.containers.id
- resource.ecsClusterDetails.taskDetails.containers.image
- resource.ecsClusterDetails.taskDetails.containers.imagePrefix
- resource.ecsClusterDetails.taskDetails.containers.name
- resource.ecsClusterDetails.taskDetails.containers.securityContext.allowPrivilegeEscalation
- resource.ecsClusterDetails.taskDetails.containers.securityContext.privileged
- resource.ecsClusterDetails.taskDetails.containers.volumeMounts.mountPath
- resource.ecsClusterDetails.taskDetails.containers.volumeMounts.name
- resource.ecsClusterDetails.taskDetails.createdAt
  
  Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
- resource.ecsClusterDetails.taskDetails.definitionArn
- resource.ecsClusterDetails.taskDetails.group
- resource.ecsClusterDetails.taskDetails.launchType
- resource.ecsClusterDetails.taskDetails.startedAt
  
  Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
- resource.ecsClusterDetails.taskDetails.startedBy
- resource.ecsClusterDetails.taskDetails.tags.key
- resource.ecsClusterDetails.taskDetails.tags.value
- resource.ecsClusterDetails.taskDetails.version
- resource.ecsClusterDetails.taskDetails.volumes.hostPath.path
- resource.ecsClusterDetails.taskDetails.volumes.name
- resource.eksClusterDetails.arn
- resource.eksClusterDetails.createdAt
  
  Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
- resource.eksClusterDetails.name
- resource.eksClusterDetails.status
- resource.eksClusterDetails.tags.key
- resource.eksClusterDetails.tags.value
- resource.eksClusterDetails.vpcId
- resource.instanceDetails.availabilityZone
- resource.instanceDetails.iamInstanceProfile.arn
- resource.instanceDetails.iamInstanceProfile.id
- resource.instanceDetails.imageDescription
- resource.instanceDetails.imageId
- resource.instanceDetails.instanceId
- resource.instanceDetails.instanceState
- resource.instanceDetails.instanceType
- resource.instanceDetails.launchTime
  
  Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
- resource.instanceDetails.networkInterfaces.ipv6Addresses
- resource.instanceDetails.networkInterfaces.networkInterfaceId
- resource.instanceDetails.networkInterfaces.privateDnsName
- resource.instanceDetails.networkInterfaces.privateIpAddress
- resource.instanceDetails.networkInterfaces.privateIpAddresses.privateDnsName
- resource.instanceDetails.networkInterfaces.privateIpAddresses.privateIpAddress
- resource.instanceDetails.networkInterfaces.publicDnsName
- resource.instanceDetails.networkInterfaces.publicIp
- resource.instanceDetails.networkInterfaces.securityGroups.groupId
- resource.instanceDetails.networkInterfaces.securityGroups.groupName
- resource.instanceDetails.networkInterfaces.subnetId
- resource.instanceDetails.networkInterfaces.vpcId
- resource.instanceDetails.outpostArn
- resource.instanceDetails.platform
- resource.instanceDetails.productCodes.productCodeId
- resource.instanceDetails.productCodes.productCodeType
- resource.instanceDetails.tags.key
- resource.instanceDetails.tags.value
- resource.kubernetesDetails.kubernetesUserDetails.groups
- resource.kubernetesDetails.kubernetesUserDetails.impersonatedUser.groups
- resource.kubernetesDetails.kubernetesUserDetails.impersonatedUser.username
- resource.kubernetesDetails.kubernetesUserDetails.sessionName
- resource.kubernetesDetails.kubernetesUserDetails.uid
- resource.kubernetesDetails.kubernetesUserDetails.username
- resource.kubernetesDetails.kubernetesWorkloadDetails.containers.containerRuntime
- resource.kubernetesDetails.kubernetesWorkloadDetails.containers.id
- resource.kubernetesDetails.kubernetesWorkloadDetails.containers.image
- resource.kubernetesDetails.kubernetesWorkloadDetails.containers.imagePrefix
- resource.kubernetesDetails.kubernetesWorkloadDetails.containers.name
- resource.kubernetesDetails.kubernetesWorkloadDetails.containers.securityContext.allowPrivilegeEscalation
- resource.kubernetesDetails.kubernetesWorkloadDetails.containers.securityContext.privileged
- resource.kubernetesDetails.kubernetesWorkloadDetails.containers.volumeMounts.mountPath
- resource.kubernetesDetails.kubernetesWorkloadDetails.containers.volumeMounts.name
- resource.kubernetesDetails.kubernetesWorkloadDetails.hostIpc
- resource.kubernetesDetails.kubernetesWorkloadDetails.hostNetwork
- resource.kubernetesDetails.kubernetesWorkloadDetails.hostPid
- resource.kubernetesDetails.kubernetesWorkloadDetails.name
- resource.kubernetesDetails.kubernetesWorkloadDetails.namespace
- resource.kubernetesDetails.kubernetesWorkloadDetails.serviceAccountName
- resource.kubernetesDetails.kubernetesWorkloadDetails.type
- resource.kubernetesDetails.kubernetesWorkloadDetails.uid
- resource.kubernetesDetails.kubernetesWorkloadDetails.volumes.hostPath.path
- resource.kubernetesDetails.kubernetesWorkloadDetails.volumes.name
- resource.lambdaDetails.description
- resource.lambdaDetails.functionArn
- resource.lambdaDetails.functionName
- resource.lambdaDetails.functionVersion
- resource.lambdaDetails.lastModifiedAt
  
  Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
- resource.lambdaDetails.revisionId
- resource.lambdaDetails.role
- resource.lambdaDetails.tags.key
- resource.lambdaDetails.tags.value
- resource.lambdaDetails.vpcConfig.securityGroups.groupId
- resource.lambdaDetails.vpcConfig.securityGroups.groupName
- resource.lambdaDetails.vpcConfig.subnetIds
- resource.lambdaDetails.vpcConfig.vpcId
- resource.rdsDbInstanceDetails.dbClusterIdentifier
- resource.rdsDbInstanceDetails.dbInstanceArn
- resource.rdsDbInstanceDetails.dbInstanceIdentifier
- resource.rdsDbInstanceDetails.dbSecurityGroups.name
- resource.rdsDbInstanceDetails.dbSecurityGroups.status
- resource.rdsDbInstanceDetails.dbiResourceId
- resource.rdsDbInstanceDetails.engine
- resource.rdsDbInstanceDetails.engineVersion
- resource.rdsDbInstanceDetails.iamDatabaseAuthenticationEnabled
- resource.rdsDbInstanceDetails.publiclyAccessible
- resource.rdsDbInstanceDetails.vpcId
- resource.rdsDbInstanceDetails.vpcSecurityGroups.status
- resource.rdsDbInstanceDetails.vpcSecurityGroups.vpcSecurityGroupId
- resource.rdsDbUserDetails.application
- resource.rdsDbUserDetails.authMethod
- resource.rdsDbUserDetails.database
- resource.rdsDbUserDetails.ssl
- resource.rdsDbUserDetails.user
- resource.rdsLimitlessDbDetails.dbClusterIdentifier
- resource.rdsLimitlessDbDetails.dbShardGroupArn
- resource.rdsLimitlessDbDetails.dbShardGroupIdentifier
- resource.rdsLimitlessDbDetails.dbShardGroupResourceId
- resource.rdsLimitlessDbDetails.engine
- resource.rdsLimitlessDbDetails.engineVersion
- resource.rdsLimitlessDbDetails.tags.key
- resource.rdsLimitlessDbDetails.tags.value
- resource.recoveryPointDetails.backupVaultName
- resource.recoveryPointDetails.recoveryPointArn
- resource.resourceType
- resource.s3BucketDetails.arn
- resource.s3BucketDetails.createdAt
  
  Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
- resource.s3BucketDetails.defaultServerSideEncryption.encryptionType
- resource.s3BucketDetails.defaultServerSideEncryption.kmsMasterKeyArn
- resource.s3BucketDetails.name
- resource.s3BucketDetails.owner.id
- resource.s3BucketDetails.publicAccess.effectivePermission
- resource.s3BucketDetails.publicAccess.permissionConfiguration.accountLevelPermissions.blockPublicAccess.blockPublicAcls
- resource.s3BucketDetails.publicAccess.permissionConfiguration.accountLevelPermissions.blockPublicAccess.blockPublicPolicy
- resource.s3BucketDetails.publicAccess.permissionConfiguration.accountLevelPermissions.blockPublicAccess.ignorePublicAcls
- resource.s3BucketDetails.publicAccess.permissionConfiguration.accountLevelPermissions.blockPublicAccess.restrictPublicBuckets
- resource.s3BucketDetails.publicAccess.permissionConfiguration.bucketLevelPermissions.accessControlList.allowsPublicReadAccess
- resource.s3BucketDetails.publicAccess.permissionConfiguration.bucketLevelPermissions.accessControlList.allowsPublicWriteAccess
- resource.s3BucketDetails.publicAccess.permissionConfiguration.bucketLevelPermissions.blockPublicAccess.blockPublicAcls
- resource.s3BucketDetails.publicAccess.permissionConfiguration.bucketLevelPermissions.blockPublicAccess.blockPublicPolicy
- resource.s3BucketDetails.publicAccess.permissionConfiguration.bucketLevelPermissions.blockPublicAccess.ignorePublicAcls
- resource.s3BucketDetails.publicAccess.permissionConfiguration.bucketLevelPermissions.blockPublicAccess.restrictPublicBuckets
- resource.s3BucketDetails.publicAccess.permissionConfiguration.bucketLevelPermissions.bucketPolicy.allowsPublicReadAccess
- resource.s3BucketDetails.publicAccess.permissionConfiguration.bucketLevelPermissions.bucketPolicy.allowsPublicWriteAccess
- resource.s3BucketDetails.s3ObjectDetails.eTag
- resource.s3BucketDetails.s3ObjectDetails.hash
- resource.s3BucketDetails.s3ObjectDetails.key
- resource.s3BucketDetails.s3ObjectDetails.objectArn
- resource.s3BucketDetails.s3ObjectDetails.versionId
- resource.s3BucketDetails.tags.key
- resource.s3BucketDetails.tags.value
- resource.s3BucketDetails.type
- schemaVersion
- service.action.actionType
- service.action.awsApiCallAction.api
- service.action.awsApiCallAction.callerType
- service.action.awsApiCallAction.domainDetails.domain
- service.action.awsApiCallAction.errorCode
- service.action.awsApiCallAction.remoteAccountDetails.accountId
- service.action.awsApiCallAction.remoteAccountDetails.affiliated
- service.action.awsApiCallAction.remoteAccountDetails.awsServiceName
- service.action.awsApiCallAction.remoteIpDetails.city.cityName
- service.action.awsApiCallAction.remoteIpDetails.country.countryCode
- service.action.awsApiCallAction.remoteIpDetails.country.countryName
- service.action.awsApiCallAction.remoteIpDetails.geoLocation.lat
- service.action.awsApiCallAction.remoteIpDetails.geoLocation.lon
- service.action.awsApiCallAction.remoteIpDetails.ipAddressV4
- service.action.awsApiCallAction.remoteIpDetails.ipAddressV6
- service.action.awsApiCallAction.remoteIpDetails.organization.asn
- service.action.awsApiCallAction.remoteIpDetails.organization.asnOrg
- service.action.awsApiCallAction.remoteIpDetails.organization.isp
- service.action.awsApiCallAction.remoteIpDetails.organization.org
- service.action.awsApiCallAction.serviceName
- service.action.awsApiCallAction.userAgent
- service.action.dnsRequestAction.blocked
- service.action.dnsRequestAction.domain
- service.action.dnsRequestAction.domainWithSuffix
- service.action.dnsRequestAction.protocol
- service.action.dnsRequestAction.vpcOwnerAccountId
- service.action.kubernetesApiCallAction.namespace
- service.action.kubernetesApiCallAction.parameters
- service.action.kubernetesApiCallAction.remoteIpDetails.city.cityName
- service.action.kubernetesApiCallAction.remoteIpDetails.country.countryCode
- service.action.kubernetesApiCallAction.remoteIpDetails.country.countryName
- service.action.kubernetesApiCallAction.remoteIpDetails.geoLocation.lat
- service.action.kubernetesApiCallAction.remoteIpDetails.geoLocation.lon
- service.action.kubernetesApiCallAction.remoteIpDetails.ipAddressV4
- service.action.kubernetesApiCallAction.remoteIpDetails.ipAddressV6
- service.action.kubernetesApiCallAction.remoteIpDetails.organization.asn
- service.action.kubernetesApiCallAction.remoteIpDetails.organization.asnOrg
- service.action.kubernetesApiCallAction.remoteIpDetails.organization.isp
- service.action.kubernetesApiCallAction.remoteIpDetails.organization.org
- service.action.kubernetesApiCallAction.requestUri
- service.action.kubernetesApiCallAction.resource
- service.action.kubernetesApiCallAction.resourceName
- service.action.kubernetesApiCallAction.sourceIPs
- service.action.kubernetesApiCallAction.statusCode
- service.action.kubernetesApiCallAction.subresource
- service.action.kubernetesApiCallAction.userAgent
- service.action.kubernetesApiCallAction.verb
- service.action.kubernetesPermissionCheckedDetails.allowed
- service.action.kubernetesPermissionCheckedDetails.namespace
- service.action.kubernetesPermissionCheckedDetails.resource
- service.action.kubernetesPermissionCheckedDetails.verb
- service.action.kubernetesRoleBindingDetails.kind
- service.action.kubernetesRoleBindingDetails.name
- service.action.kubernetesRoleBindingDetails.roleRefKind
- service.action.kubernetesRoleBindingDetails.roleRefName
- service.action.kubernetesRoleBindingDetails.uid
- service.action.kubernetesRoleDetails.kind
- service.action.kubernetesRoleDetails.name
- service.action.kubernetesRoleDetails.uid
- service.action.networkConnectionAction.blocked
- service.action.networkConnectionAction.connectionDirection
- service.action.networkConnectionAction.localIpDetails.ipAddressV4
- service.action.networkConnectionAction.localIpDetails.ipAddressV6
- service.action.networkConnectionAction.localNetworkInterface
- service.action.networkConnectionAction.localPortDetails.port
- service.action.networkConnectionAction.localPortDetails.portName
- service.action.networkConnectionAction.protocol
- service.action.networkConnectionAction.remoteIpDetails.city.cityName
- service.action.networkConnectionAction.remoteIpDetails.country.countryCode
- service.action.networkConnectionAction.remoteIpDetails.country.countryName
- service.action.networkConnectionAction.remoteIpDetails.geoLocation.lat
- service.action.networkConnectionAction.remoteIpDetails.geoLocation.lon
- service.action.networkConnectionAction.remoteIpDetails.ipAddressV4
- service.action.networkConnectionAction.remoteIpDetails.ipAddressV6
- service.action.networkConnectionAction.remoteIpDetails.organization.asn
- service.action.networkConnectionAction.remoteIpDetails.organization.asnOrg
- service.action.networkConnectionAction.remoteIpDetails.organization.isp
- service.action.networkConnectionAction.remoteIpDetails.organization.org
- service.action.networkConnectionAction.remotePortDetails.port
- service.action.networkConnectionAction.remotePortDetails.portName
- service.action.portProbeAction.blocked
- service.action.portProbeAction.portProbeDetails.localIpDetails.ipAddressV4
- service.action.portProbeAction.portProbeDetails.localIpDetails.ipAddressV6
- service.action.portProbeAction.portProbeDetails.localPortDetails.port
- service.action.portProbeAction.portProbeDetails.localPortDetails.portName
- service.action.portProbeAction.portProbeDetails.remoteIpDetails.city.cityName
- service.action.portProbeAction.portProbeDetails.remoteIpDetails.country.countryCode
- service.action.portProbeAction.portProbeDetails.remoteIpDetails.country.countryName
- service.action.portProbeAction.portProbeDetails.remoteIpDetails.geoLocation.lat
- service.action.portProbeAction.portProbeDetails.remoteIpDetails.geoLocation.lon
- service.action.portProbeAction.portProbeDetails.remoteIpDetails.ipAddressV4
- service.action.portProbeAction.portProbeDetails.remoteIpDetails.ipAddressV6
- service.action.portProbeAction.portProbeDetails.remoteIpDetails.organization.asn
- service.action.portProbeAction.portProbeDetails.remoteIpDetails.organization.asnOrg
- service.action.portProbeAction.portProbeDetails.remoteIpDetails.organization.isp
- service.action.portProbeAction.portProbeDetails.remoteIpDetails.organization.org
- service.action.rdsLoginAttemptAction.loginAttributes.application
- service.action.rdsLoginAttemptAction.loginAttributes.failedLoginAttempts
- service.action.rdsLoginAttemptAction.loginAttributes.successfulLoginAttempts
- service.action.rdsLoginAttemptAction.loginAttributes.user
- service.action.rdsLoginAttemptAction.remoteIpDetails.city.cityName
- service.action.rdsLoginAttemptAction.remoteIpDetails.country.countryCode
- service.action.rdsLoginAttemptAction.remoteIpDetails.country.countryName
- service.action.rdsLoginAttemptAction.remoteIpDetails.geoLocation.lat
- service.action.rdsLoginAttemptAction.remoteIpDetails.geoLocation.lon
- service.action.rdsLoginAttemptAction.remoteIpDetails.ipAddressV4
- service.action.rdsLoginAttemptAction.remoteIpDetails.ipAddressV6
- service.action.rdsLoginAttemptAction.remoteIpDetails.organization.asn
- service.action.rdsLoginAttemptAction.remoteIpDetails.organization.asnOrg
- service.action.rdsLoginAttemptAction.remoteIpDetails.organization.isp
- service.action.rdsLoginAttemptAction.remoteIpDetails.organization.org
- service.additionalInfo.agentDetails.agentId
- service.additionalInfo.agentDetails.agentVersion
- service.additionalInfo.anomalies.anomalousAPIs
- service.additionalInfo.authenticationMethod
- service.additionalInfo.averagePacketSizeIn
- service.additionalInfo.averagePacketSizeOut
- service.additionalInfo.context
- service.additionalInfo.domain
- service.additionalInfo.inBytes
- service.additionalInfo.localNetworkInterfaceOwner
- service.additionalInfo.localPort
- service.additionalInfo.outBytes
- service.additionalInfo.packetsIn
- service.additionalInfo.packetsOut
- service.additionalInfo.policyArn
- service.additionalInfo.policyName
- service.additionalInfo.remotePort
- service.additionalInfo.sample
- service.additionalInfo.scannedPort
- service.additionalInfo.threatFileSha256
- service.additionalInfo.threatListName
- service.additionalInfo.threatName
- service.additionalInfo.totalBytesIn
- service.additionalInfo.totalBytesOut
- service.additionalInfo.type
- service.additionalInfo.unusual.asnOrg
- service.additionalInfo.unusual.port
- service.additionalInfo.unusualProtocol
- service.additionalInfo.userAgent.fullUserAgent
- service.additionalInfo.userAgent.userAgentCategory
- service.additionalInfo.value
- service.additionalInfo.vpcOwnerAccountId
- service.archived
- service.count
- service.detection.sequence.actors.id
- service.detection.sequence.actors.process.name
- service.detection.sequence.actors.process.path
- service.detection.sequence.actors.process.sha256
- service.detection.sequence.actors.session.createdTime
  
  Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
- service.detection.sequence.actors.session.issuer
- service.detection.sequence.actors.session.mfaStatus
- service.detection.sequence.actors.session.uid
- service.detection.sequence.actors.user.account.account
- service.detection.sequence.actors.user.account.uid
- service.detection.sequence.actors.user.credentialUid
- service.detection.sequence.actors.user.name
- service.detection.sequence.actors.user.type
- service.detection.sequence.actors.user.uid
- service.detection.sequence.additionalSequenceTypes
- service.detection.sequence.description
- service.detection.sequence.endpoints.autonomousSystem.name
- service.detection.sequence.endpoints.autonomousSystem.number
- service.detection.sequence.endpoints.connection.direction
- service.detection.sequence.endpoints.domain
- service.detection.sequence.endpoints.id
- service.detection.sequence.endpoints.ip
- service.detection.sequence.endpoints.location.city
- service.detection.sequence.endpoints.location.country
- service.detection.sequence.endpoints.location.lat
- service.detection.sequence.endpoints.location.lon
- service.detection.sequence.endpoints.port
- service.detection.sequence.resources.accountId
- service.detection.sequence.resources.cloudPartition
- service.detection.sequence.resources.data.accessKey.principalId
- service.detection.sequence.resources.data.accessKey.userName
- service.detection.sequence.resources.data.accessKey.userType
- service.detection.sequence.resources.data.autoscalingAutoScalingGroup.ec2InstanceUids
- service.detection.sequence.resources.data.cloudformationStack.ec2InstanceUids
- service.detection.sequence.resources.data.container.image
- service.detection.sequence.resources.data.container.imageUid
- service.detection.sequence.resources.data.ec2Image.ec2InstanceUids
- service.detection.sequence.resources.data.ec2Instance.availabilityZone
- service.detection.sequence.resources.data.ec2Instance.ec2NetworkInterfaceUids
- service.detection.sequence.resources.data.ec2Instance.iamInstanceProfile.arn
- service.detection.sequence.resources.data.ec2Instance.iamInstanceProfile.id
- service.detection.sequence.resources.data.ec2Instance.imageDescription
- service.detection.sequence.resources.data.ec2Instance.instanceState
- service.detection.sequence.resources.data.ec2Instance.instanceType
- service.detection.sequence.resources.data.ec2Instance.outpostArn
- service.detection.sequence.resources.data.ec2Instance.platform
- service.detection.sequence.resources.data.ec2Instance.productCodes.productCodeId
- service.detection.sequence.resources.data.ec2Instance.productCodes.productCodeType
- service.detection.sequence.resources.data.ec2LaunchTemplate.ec2InstanceUids
- service.detection.sequence.resources.data.ec2LaunchTemplate.version
- service.detection.sequence.resources.data.ec2NetworkInterface.ipv6Addresses
- service.detection.sequence.resources.data.ec2NetworkInterface.privateIpAddresses.privateDnsName
- service.detection.sequence.resources.data.ec2NetworkInterface.privateIpAddresses.privateIpAddress
- service.detection.sequence.resources.data.ec2NetworkInterface.publicIp
- service.detection.sequence.resources.data.ec2NetworkInterface.securityGroups.groupId
- service.detection.sequence.resources.data.ec2NetworkInterface.securityGroups.groupName
- service.detection.sequence.resources.data.ec2NetworkInterface.subNetId
- service.detection.sequence.resources.data.ec2NetworkInterface.vpcId
- service.detection.sequence.resources.data.ec2Vpc.ec2InstanceUids
- service.detection.sequence.resources.data.ecsCluster.ec2InstanceUids
- service.detection.sequence.resources.data.ecsCluster.status
- service.detection.sequence.resources.data.ecsTask.containerUids
- service.detection.sequence.resources.data.ecsTask.createdAt
  
  Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
- service.detection.sequence.resources.data.ecsTask.launchType
- service.detection.sequence.resources.data.ecsTask.taskDefinitionArn
- service.detection.sequence.resources.data.eksCluster.arn
- service.detection.sequence.resources.data.eksCluster.createdAt
  
  Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
- service.detection.sequence.resources.data.eksCluster.ec2InstanceUids
- service.detection.sequence.resources.data.eksCluster.status
- service.detection.sequence.resources.data.eksCluster.vpcId
- service.detection.sequence.resources.data.iamInstanceProfile.ec2InstanceUids
- service.detection.sequence.resources.data.iamInstanceProfile.id
- service.detection.sequence.resources.data.kubernetesWorkload.containerUids
- service.detection.sequence.resources.data.kubernetesWorkload.namespace
- service.detection.sequence.resources.data.kubernetesWorkload.type
- service.detection.sequence.resources.data.s3Bucket.accountPublicAccess.publicAclAccess
- service.detection.sequence.resources.data.s3Bucket.accountPublicAccess.publicAclIgnoreBehavior
- service.detection.sequence.resources.data.s3Bucket.accountPublicAccess.publicBucketRestrictBehavior
- service.detection.sequence.resources.data.s3Bucket.accountPublicAccess.publicPolicyAccess
- service.detection.sequence.resources.data.s3Bucket.bucketPublicAccess.publicAclAccess
- service.detection.sequence.resources.data.s3Bucket.bucketPublicAccess.publicAclIgnoreBehavior
- service.detection.sequence.resources.data.s3Bucket.bucketPublicAccess.publicBucketRestrictBehavior
- service.detection.sequence.resources.data.s3Bucket.bucketPublicAccess.publicPolicyAccess
- service.detection.sequence.resources.data.s3Bucket.createdAt
  
  Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
- service.detection.sequence.resources.data.s3Bucket.effectivePermission
- service.detection.sequence.resources.data.s3Bucket.encryptionKeyArn
- service.detection.sequence.resources.data.s3Bucket.encryptionType
- service.detection.sequence.resources.data.s3Bucket.ownerId
- service.detection.sequence.resources.data.s3Bucket.publicReadAccess
- service.detection.sequence.resources.data.s3Bucket.publicWriteAccess
- service.detection.sequence.resources.data.s3Bucket.s3ObjectUids
- service.detection.sequence.resources.data.s3Object.eTag
- service.detection.sequence.resources.data.s3Object.key
- service.detection.sequence.resources.data.s3Object.versionId
- service.detection.sequence.resources.name
- service.detection.sequence.resources.region
- service.detection.sequence.resources.resourceType
- service.detection.sequence.resources.service
- service.detection.sequence.resources.tags.key
- service.detection.sequence.resources.tags.value
- service.detection.sequence.resources.uid
- service.detection.sequence.sequenceIndicators.key
- service.detection.sequence.sequenceIndicators.title
- service.detection.sequence.sequenceIndicators.values
- service.detection.sequence.signals.actorIds
- service.detection.sequence.signals.count
- service.detection.sequence.signals.createdAt
  
  Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
- service.detection.sequence.signals.description
- service.detection.sequence.signals.endpointIds
- service.detection.sequence.signals.firstSeenAt
  
  Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
- service.detection.sequence.signals.lastSeenAt
  
  Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
- service.detection.sequence.signals.name
- service.detection.sequence.signals.resourceUids
- service.detection.sequence.signals.severity
- service.detection.sequence.signals.signalIndicators.key
- service.detection.sequence.signals.signalIndicators.title
- service.detection.sequence.signals.signalIndicators.values
- service.detection.sequence.signals.type
- service.detection.sequence.signals.uid
- service.detection.sequence.signals.updatedAt
  
  Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
- service.detection.sequence.uid
- service.detectorId
- service.ebsVolumeScanDetails.scanCompletedAt
  
  Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
- service.ebsVolumeScanDetails.scanDetections.highestSeverityThreatDetails.count
- service.ebsVolumeScanDetails.scanDetections.highestSeverityThreatDetails.severity
- service.ebsVolumeScanDetails.scanDetections.highestSeverityThreatDetails.threatName
- service.ebsVolumeScanDetails.scanDetections.scannedItemCount.files
- service.ebsVolumeScanDetails.scanDetections.scannedItemCount.totalGb
- service.ebsVolumeScanDetails.scanDetections.scannedItemCount.volumes
- service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.itemCount
- service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.shortened
- service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.filePaths.fileName
- service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.filePaths.filePath
- service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.filePaths.hash
- service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.filePaths.volumeArn
- service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.itemCount
- service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.name
- service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.severity
- service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.uniqueThreatNameCount
- service.ebsVolumeScanDetails.scanDetections.threatsDetectedItemCount.files
- service.ebsVolumeScanDetails.scanId
- service.ebsVolumeScanDetails.scanStartedAt
  
  Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
- service.ebsVolumeScanDetails.scanType
- service.ebsVolumeScanDetails.sources
- service.ebsVolumeScanDetails.triggerFindingId
- service.eventFirstSeen
  
  Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
- service.eventLastSeen
  
  Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
- service.evidence.threatIntelligenceDetails.threatFileSha256
- service.evidence.threatIntelligenceDetails.threatListName
- service.evidence.threatIntelligenceDetails.threatNames
- service.featureName
- service.malwareScanDetails.scanCategory
- service.malwareScanDetails.scanConfiguration.incrementalScanDetails.baselineResourceArn
- service.malwareScanDetails.scanConfiguration.triggerType
- service.malwareScanDetails.scanId
- service.malwareScanDetails.scanType
- service.malwareScanDetails.threats.count
- service.malwareScanDetails.threats.hash
- service.malwareScanDetails.threats.itemDetails.additionalInfo.deviceName
- service.malwareScanDetails.threats.itemDetails.additionalInfo.versionId
- service.malwareScanDetails.threats.itemDetails.hash
- service.malwareScanDetails.threats.itemDetails.itemPath
- service.malwareScanDetails.threats.itemDetails.resourceArn
- service.malwareScanDetails.threats.itemPaths.hash
- service.malwareScanDetails.threats.itemPaths.nestedItemPath
- service.malwareScanDetails.threats.name
- service.malwareScanDetails.threats.source
- service.malwareScanDetails.uniqueThreatCount
- service.resourceRole
- service.runtimeDetails.context.addressFamily
- service.runtimeDetails.context.commandLineExample
- service.runtimeDetails.context.fileOperation
- service.runtimeDetails.context.filePath
- service.runtimeDetails.context.fileSystemType
- service.runtimeDetails.context.flags
- service.runtimeDetails.context.ianaProtocolNumber
- service.runtimeDetails.context.ldPreloadValue
- service.runtimeDetails.context.libraryPath
- service.runtimeDetails.context.memoryRegions
- service.runtimeDetails.context.modifiedAt
  
  Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
- service.runtimeDetails.context.modifyingProcess.euid
- service.runtimeDetails.context.modifyingProcess.executablePath
- service.runtimeDetails.context.modifyingProcess.executableSha256
- service.runtimeDetails.context.modifyingProcess.lineage.euid
- service.runtimeDetails.context.modifyingProcess.lineage.executablePath
- service.runtimeDetails.context.modifyingProcess.lineage.name
- service.runtimeDetails.context.modifyingProcess.lineage.namespacePid
- service.runtimeDetails.context.modifyingProcess.lineage.parentUuid
- service.runtimeDetails.context.modifyingProcess.lineage.pid
- service.runtimeDetails.context.modifyingProcess.lineage.startTime
  
  Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
- service.runtimeDetails.context.modifyingProcess.lineage.userId
- service.runtimeDetails.context.modifyingProcess.lineage.uuid
- service.runtimeDetails.context.modifyingProcess.name
- service.runtimeDetails.context.modifyingProcess.namespacePid
- service.runtimeDetails.context.modifyingProcess.parentUuid
- service.runtimeDetails.context.modifyingProcess.pid
- service.runtimeDetails.context.modifyingProcess.pwd
- service.runtimeDetails.context.modifyingProcess.startTime
  
  Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
- service.runtimeDetails.context.modifyingProcess.user
- service.runtimeDetails.context.modifyingProcess.userId
- service.runtimeDetails.context.modifyingProcess.uuid
- service.runtimeDetails.context.moduleFilePath
- service.runtimeDetails.context.moduleName
- service.runtimeDetails.context.moduleSha256
- service.runtimeDetails.context.mountSource
- service.runtimeDetails.context.mountTarget
- service.runtimeDetails.context.relatedFilePaths
- service.runtimeDetails.context.releaseAgentPath
- service.runtimeDetails.context.runcBinaryPath
- service.runtimeDetails.context.scriptPath
- service.runtimeDetails.context.serviceName
- service.runtimeDetails.context.shellHistoryFilePath
- service.runtimeDetails.context.socketPath
- service.runtimeDetails.context.targetProcess.euid
- service.runtimeDetails.context.targetProcess.executablePath
- service.runtimeDetails.context.targetProcess.executableSha256
- service.runtimeDetails.context.targetProcess.lineage.euid
- service.runtimeDetails.context.targetProcess.lineage.executablePath
- service.runtimeDetails.context.targetProcess.lineage.name
- service.runtimeDetails.context.targetProcess.lineage.namespacePid
- service.runtimeDetails.context.targetProcess.lineage.parentUuid
- service.runtimeDetails.context.targetProcess.lineage.pid
- service.runtimeDetails.context.targetProcess.lineage.startTime
  
  Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
- service.runtimeDetails.context.targetProcess.lineage.userId
- service.runtimeDetails.context.targetProcess.lineage.uuid
- service.runtimeDetails.context.targetProcess.name
- service.runtimeDetails.context.targetProcess.namespacePid
- service.runtimeDetails.context.targetProcess.parentUuid
- service.runtimeDetails.context.targetProcess.pid
- service.runtimeDetails.context.targetProcess.pwd
- service.runtimeDetails.context.targetProcess.startTime
  
  Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
- service.runtimeDetails.context.targetProcess.user
- service.runtimeDetails.context.targetProcess.userId
- service.runtimeDetails.context.targetProcess.uuid
- service.runtimeDetails.context.threatFilePath
- service.runtimeDetails.context.toolCategory
- service.runtimeDetails.context.toolName
- service.runtimeDetails.process.euid
- service.runtimeDetails.process.executablePath
- service.runtimeDetails.process.executableSha256
- service.runtimeDetails.process.lineage.euid
- service.runtimeDetails.process.lineage.executablePath
- service.runtimeDetails.process.lineage.name
- service.runtimeDetails.process.lineage.namespacePid
- service.runtimeDetails.process.lineage.parentUuid
- service.runtimeDetails.process.lineage.pid
- service.runtimeDetails.process.lineage.startTime
  
  Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
- service.runtimeDetails.process.lineage.userId
- service.runtimeDetails.process.lineage.uuid
- service.runtimeDetails.process.name
- service.runtimeDetails.process.namespacePid
- service.runtimeDetails.process.parentUuid
- service.runtimeDetails.process.pid
- service.runtimeDetails.process.pwd
- service.runtimeDetails.process.startTime
  
  Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
- service.runtimeDetails.process.user
- service.runtimeDetails.process.userId
- service.runtimeDetails.process.uuid
- service.serviceName
- service.userFeedback
- severity
  
  To configure severity based filters, use the following for the
  
  FindingCriteria][1
  
  condition:
  - Low: ‘[“1”, “2”, “3”]`
  - Medium: ‘[“4”, “5”, “6”]`
  - High: ‘[“7”, “8”]`
  - Critical: ‘[“9”, “10”]`
  For more information, see [Findings severity levels] in the *Amazon GuardDuty User Guide*.
- type
- updatedAt
  
  Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
[1]: docs.aws.amazon.com/guardduty/latest/APIReference/API_FindingCriteria.html [2]: docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings-severity.html

Returns:

(Types::UpdateFilterResponse) —
Returns a response object which responds to the following methods:
- #name => String

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 8518

def update_filter(params = {}, options = {})
  req = build_request(:update_filter, params)
  req.send_request(options)
end

#update_findings_feedback(params = {}) ⇒ `Struct`

Marks the specified GuardDuty findings as useful or not useful.

Examples:

Request syntax with placeholder values


resp = client.update_findings_feedback({
  detector_id: "DetectorId", # required
  finding_ids: ["FindingId"], # required
  feedback: "USEFUL", # required, accepts USEFUL, NOT_USEFUL
  comments: "SensitiveString",
})

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:detector_id (required, String) —

The ID of the detector that is associated with the findings for which you want to update the feedback.

To find the ‘detectorId` in the current Region, see the Settings page in the GuardDuty console, or run the [ListDetectors] API.

[1]: docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html
:finding_ids (required, Array<String>) —

The IDs of the findings that you want to mark as useful or not useful.
:feedback (required, String) —

The feedback for the finding.
:comments (String) —

Additional feedback about the GuardDuty findings.

Returns:

(Struct) —

Returns an empty response.

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 8560

def update_findings_feedback(params = {}, options = {})
  req = build_request(:update_findings_feedback, params)
  req.send_request(options)
end

#update_ip_set(params = {}) ⇒ `Struct`

Updates the IPSet specified by the IPSet ID.

Examples:

Request syntax with placeholder values


resp = client.update_ip_set({
  detector_id: "DetectorId", # required
  ip_set_id: "String", # required
  name: "Name",
  location: "Location",
  activate: false,
  expected_bucket_owner: "AccountId",
})

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:detector_id (required, String) —

The detectorID that specifies the GuardDuty service whose IPSet you want to update.

To find the ‘detectorId` in the current Region, see the Settings page in the GuardDuty console, or run the [ListDetectors] API.

[1]: docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html
:ip_set_id (required, String) —

The unique ID that specifies the IPSet that you want to update.
:name (String) —

The unique ID that specifies the IPSet that you want to update.
:location (String) —

The updated URI of the file that contains the IPSet.
:activate (Boolean) —

The updated Boolean value that specifies whether the IPSet is active or not.
:expected_bucket_owner (String) —

The Amazon Web Services account ID that owns the Amazon S3 bucket specified in the location parameter.

Returns:

(Struct) —

Returns an empty response.

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 8612

def update_ip_set(params = {}, options = {})
  req = build_request(:update_ip_set, params)
  req.send_request(options)
end

#update_malware_protection_plan(params = {}) ⇒ `Struct`

Updates an existing Malware Protection plan resource.

Examples:

Request syntax with placeholder values


resp = client.update_malware_protection_plan({
  malware_protection_plan_id: "String", # required
  role: "String",
  actions: {
    tagging: {
      status: "ENABLED", # accepts ENABLED, DISABLED
    },
  },
  protected_resource: {
    s3_bucket: {
      object_prefixes: ["String"],
    },
  },
})

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:malware_protection_plan_id (required, String) —

A unique identifier associated with the Malware Protection plan.
:role (String) —

Amazon Resource Name (ARN) of the IAM role with permissions to scan and add tags to the associated protected resource.
:actions (Types::MalwareProtectionPlanActions) —

Information about whether the tags will be added to the S3 object after scanning.
:protected_resource (Types::UpdateProtectedResource) —

Information about the protected resource that is associated with the created Malware Protection plan. Presently, ‘S3Bucket` is the only supported protected resource.

Returns:

(Struct) —

Returns an empty response.

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 8658

def update_malware_protection_plan(params = {}, options = {})
  req = build_request(:update_malware_protection_plan, params)
  req.send_request(options)
end

#update_malware_scan_settings(params = {}) ⇒ `Struct`

Updates the malware scan settings.

[1]: docs.aws.amazon.com/guardduty/latest/ug/guardduty_regions.html

Examples:

Request syntax with placeholder values


resp = client.update_malware_scan_settings({
  detector_id: "DetectorId", # required
  scan_resource_criteria: {
    include: {
      "EC2_INSTANCE_TAG" => {
        map_equals: [ # required
          {
            key: "TagKey", # required
            value: "TagValue",
          },
        ],
      },
    },
    exclude: {
      "EC2_INSTANCE_TAG" => {
        map_equals: [ # required
          {
            key: "TagKey", # required
            value: "TagValue",
          },
        ],
      },
    },
  },
  ebs_snapshot_preservation: "NO_RETENTION", # accepts NO_RETENTION, RETENTION_WITH_FINDING
})

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:detector_id (required, String) —

The unique ID of the detector that specifies the GuardDuty service where you want to update scan settings.

To find the ‘detectorId` in the current Region, see the Settings page in the GuardDuty console, or run the [ListDetectors] API.

[1]: docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html
:scan_resource_criteria (Types::ScanResourceCriteria) —

Represents the criteria to be used in the filter for selecting resources to scan.
:ebs_snapshot_preservation (String) —

An enum value representing possible snapshot preservation settings.

Returns:

(Struct) —

Returns an empty response.

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 8727

def update_malware_scan_settings(params = {}, options = {})
  req = build_request(:update_malware_scan_settings, params)
  req.send_request(options)
end

#update_member_detectors(params = {}) ⇒ `Types::UpdateMemberDetectorsResponse`

Contains information on member accounts to be updated.

[1]: docs.aws.amazon.com/guardduty/latest/ug/runtime-monitoring.html [2]: docs.aws.amazon.com/guardduty/latest/ug/guardduty_regions.html

Examples:

Request syntax with placeholder values


resp = client.update_member_detectors({
  detector_id: "DetectorId", # required
  account_ids: ["AccountId"], # required
  data_sources: {
    s3_logs: {
      enable: false, # required
    },
    kubernetes: {
      audit_logs: { # required
        enable: false, # required
      },
    },
    malware_protection: {
      scan_ec2_instance_with_findings: {
        ebs_volumes: false,
      },
    },
  },
  features: [
    {
      name: "S3_DATA_EVENTS", # accepts S3_DATA_EVENTS, EKS_AUDIT_LOGS, EBS_MALWARE_PROTECTION, RDS_LOGIN_EVENTS, LAMBDA_NETWORK_LOGS, EKS_RUNTIME_MONITORING, RUNTIME_MONITORING
      status: "ENABLED", # accepts ENABLED, DISABLED
      additional_configuration: [
        {
          name: "EKS_ADDON_MANAGEMENT", # accepts EKS_ADDON_MANAGEMENT, ECS_FARGATE_AGENT_MANAGEMENT, EC2_AGENT_MANAGEMENT
          status: "ENABLED", # accepts ENABLED, DISABLED
        },
      ],
    },
  ],
})

Response structure


resp.unprocessed_accounts #=> Array
resp.unprocessed_accounts[0].account_id #=> String
resp.unprocessed_accounts[0].result #=> String

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:detector_id (required, String) —

The detector ID of the administrator account.

To find the ‘detectorId` in the current Region, see the Settings page in the GuardDuty console, or run the [ListDetectors] API.

[1]: docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html
:account_ids (required, Array<String>) —

A list of member account IDs to be updated.
:data_sources (Types::DataSourceConfigurations) —

Describes which data sources will be updated.
:features (Array<Types::MemberFeaturesConfiguration>) —

A list of features that will be updated for the specified member accounts.

Returns:

(Types::UpdateMemberDetectorsResponse) —
Returns a response object which responds to the following methods:
- #unprocessed_accounts => Array<Types::UnprocessedAccount>

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 8818

def update_member_detectors(params = {}, options = {})
  req = build_request(:update_member_detectors, params)
  req.send_request(options)
end

#update_organization_configuration(params = {}) ⇒ `Struct`

Configures the delegated administrator account with the provided values. You must provide a value for either ‘autoEnableOrganizationMembers` or `autoEnable`, but not both.

[1]: docs.aws.amazon.com/guardduty/latest/ug/runtime-monitoring.html [2]: docs.aws.amazon.com/guardduty/latest/ug/guardduty_regions.html

Examples:

Request syntax with placeholder values


resp = client.update_organization_configuration({
  detector_id: "DetectorId", # required
  auto_enable: false,
  data_sources: {
    s3_logs: {
      auto_enable: false, # required
    },
    kubernetes: {
      audit_logs: { # required
        auto_enable: false, # required
      },
    },
    malware_protection: {
      scan_ec2_instance_with_findings: {
        ebs_volumes: {
          auto_enable: false,
        },
      },
    },
  },
  features: [
    {
      name: "S3_DATA_EVENTS", # accepts S3_DATA_EVENTS, EKS_AUDIT_LOGS, EBS_MALWARE_PROTECTION, RDS_LOGIN_EVENTS, LAMBDA_NETWORK_LOGS, EKS_RUNTIME_MONITORING, RUNTIME_MONITORING
      auto_enable: "NEW", # accepts NEW, NONE, ALL
      additional_configuration: [
        {
          name: "EKS_ADDON_MANAGEMENT", # accepts EKS_ADDON_MANAGEMENT, ECS_FARGATE_AGENT_MANAGEMENT, EC2_AGENT_MANAGEMENT
          auto_enable: "NEW", # accepts NEW, NONE, ALL
        },
      ],
    },
  ],
  auto_enable_organization_members: "NEW", # accepts NEW, ALL, NONE
})

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:detector_id (required, String) —

The ID of the detector that configures the delegated administrator.

To find the ‘detectorId` in the current Region, see the Settings page in the GuardDuty console, or run the [ListDetectors] API.

[1]: docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html
:auto_enable (Boolean) —

Represents whether to automatically enable member accounts in the organization. This applies to only new member accounts, not the existing member accounts. When a new account joins the organization, the chosen features will be enabled for them by default.

Even though this is still supported, we recommend using ‘AutoEnableOrganizationMembers` to achieve the similar results. You must provide a value for either `autoEnableOrganizationMembers` or `autoEnable`.
:data_sources (Types::OrganizationDataSourceConfigurations) —

Describes which data sources will be updated.
:features (Array<Types::OrganizationFeatureConfiguration>) —

A list of features that will be configured for the organization.
:auto_enable_organization_members (String) —
Indicates the auto-enablement configuration of GuardDuty for the member accounts in the organization. You must provide a value for either ‘autoEnableOrganizationMembers` or `autoEnable`.

Use one of the following configuration values for ‘autoEnableOrganizationMembers`:
- ‘NEW`: Indicates that when a new account joins the organization, they will have GuardDuty enabled automatically.
- ‘ALL`: Indicates that all accounts in the organization have GuardDuty enabled automatically. This includes `NEW` accounts that join the organization and accounts that may have been suspended or removed from the organization in GuardDuty.
  
  It may take up to 24 hours to update the configuration for all the member accounts.
- ‘NONE`: Indicates that GuardDuty will not be automatically enabled for any account in the organization. The administrator must manage GuardDuty for each account in the organization individually.
  
  When you update the auto-enable setting from ‘ALL` or `NEW` to `NONE`, this action doesn’t disable the corresponding option for your existing accounts. This configuration will apply to the new accounts that join the organization. After you update the auto-enable settings, no new account will have the corresponding option as enabled.

Returns:

(Struct) —

Returns an empty response.

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 8943

def update_organization_configuration(params = {}, options = {})
  req = build_request(:update_organization_configuration, params)
  req.send_request(options)
end

#update_publishing_destination(params = {}) ⇒ `Struct`

Updates information about the publishing destination specified by the ‘destinationId`.

Examples:

Request syntax with placeholder values


resp = client.update_publishing_destination({
  detector_id: "DetectorId", # required
  destination_id: "String", # required
  destination_properties: {
    destination_arn: "String",
    kms_key_arn: "String",
  },
})

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:detector_id (required, String) —

The ID of the detector associated with the publishing destinations to update.

To find the ‘detectorId` in the current Region, see the Settings page in the GuardDuty console, or run the [ListDetectors] API.

[1]: docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html
:destination_id (required, String) —

The ID of the publishing destination to update.
:destination_properties (Types::DestinationProperties) —

A ‘DestinationProperties` object that includes the `DestinationArn` and `KmsKeyArn` of the publishing destination.

Returns:

(Struct) —

Returns an empty response.

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 8986

def update_publishing_destination(params = {}, options = {})
  req = build_request(:update_publishing_destination, params)
  req.send_request(options)
end

#update_threat_entity_set(params = {}) ⇒ `Struct`

Updates the threat entity set associated with the specified ‘threatEntitySetId`.

Examples:

Request syntax with placeholder values


resp = client.update_threat_entity_set({
  detector_id: "DetectorId", # required
  threat_entity_set_id: "String", # required
  name: "Name",
  location: "Location",
  expected_bucket_owner: "ExpectedBucketOwner",
  activate: false,
})

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:detector_id (required, String) —

The unique ID of the GuardDuty detector associated with the threat entity set that you want to update.

To find the ‘detectorId` in the current Region, see the Settings page in the GuardDuty console, or run the [ListDetectors] API.

[1]: docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html
:threat_entity_set_id (required, String) —

The ID returned by GuardDuty after updating the threat entity set resource.
:name (String) —

A user-friendly name to identify the trusted entity set.

The name of your list can include lowercase letters, uppercase letters, numbers, dash (-), and underscore (_).
:location (String) —

The URI of the file that contains the trusted entity set.
:expected_bucket_owner (String) —

The Amazon Web Services account ID that owns the Amazon S3 bucket specified in the location parameter.
:activate (Boolean) —

A boolean value that indicates whether GuardDuty is to start using this updated threat entity set. After you update an entity set, you will need to activate it again. It might take up to 15 minutes for the updated entity set to be effective.

Returns:

(Struct) —

Returns an empty response.

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 9045

def update_threat_entity_set(params = {}, options = {})
  req = build_request(:update_threat_entity_set, params)
  req.send_request(options)
end

#update_threat_intel_set(params = {}) ⇒ `Struct`

Updates the ThreatIntelSet specified by the ThreatIntelSet ID.

Examples:

Request syntax with placeholder values


resp = client.update_threat_intel_set({
  detector_id: "DetectorId", # required
  threat_intel_set_id: "String", # required
  name: "Name",
  location: "Location",
  activate: false,
  expected_bucket_owner: "AccountId",
})

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:detector_id (required, String) —

The detectorID that specifies the GuardDuty service whose ThreatIntelSet you want to update.

To find the ‘detectorId` in the current Region, see the Settings page in the GuardDuty console, or run the [ListDetectors] API.

[1]: docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html
:threat_intel_set_id (required, String) —

The unique ID that specifies the ThreatIntelSet that you want to update.
:name (String) —

The unique ID that specifies the ThreatIntelSet that you want to update.
:location (String) —

The updated URI of the file that contains the ThreateIntelSet.
:activate (Boolean) —

The updated Boolean value that specifies whether the ThreateIntelSet is active or not.
:expected_bucket_owner (String) —

The Amazon Web Services account ID that owns the Amazon S3 bucket specified in the location parameter.

Returns:

(Struct) —

Returns an empty response.

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 9099

def update_threat_intel_set(params = {}, options = {})
  req = build_request(:update_threat_intel_set, params)
  req.send_request(options)
end

#update_trusted_entity_set(params = {}) ⇒ `Struct`

Updates the trusted entity set associated with the specified ‘trustedEntitySetId`.

Examples:

Request syntax with placeholder values


resp = client.update_trusted_entity_set({
  detector_id: "DetectorId", # required
  trusted_entity_set_id: "String", # required
  name: "Name",
  location: "Location",
  expected_bucket_owner: "ExpectedBucketOwner",
  activate: false,
})

Parameters:

params (Hash) (defaults to: {}) —

({})

Options Hash (params):

:detector_id (required, String) —

The unique ID of the GuardDuty detector associated with the threat entity set that you want to update.

To find the ‘detectorId` in the current Region, see the Settings page in the GuardDuty console, or run the [ListDetectors] API.

[1]: docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html
:trusted_entity_set_id (required, String) —

The ID returned by GuardDuty after updating the trusted entity set resource.
:name (String) —

A user-friendly name to identify the trusted entity set.

The name of your list can include lowercase letters, uppercase letters, numbers, dash (-), and underscore (_).
:location (String) —

The URI of the file that contains the trusted entity set.
:expected_bucket_owner (String) —

The Amazon Web Services account ID that owns the Amazon S3 bucket specified in the location parameter.
:activate (Boolean) —

A boolean value that indicates whether GuardDuty is to start using this updated trusted entity set. After you update an entity set, you will need to activate it again. It might take up to 15 minutes for the updated entity set to be effective.

Returns:

(Struct) —

Returns an empty response.

See Also:

AWS API Documentation

# File 'lib/aws-sdk-guardduty/client.rb', line 9158

def update_trusted_entity_set(params = {}, options = {})
  req = build_request(:update_trusted_entity_set, params)
  req.send_request(options)
end

#waiter_names ⇒ `Object`

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Deprecated.



9187
9188
9189

# File 'lib/aws-sdk-guardduty/client.rb', line 9187

def waiter_names
  []
end

Class: Aws::GuardDuty::Client

Overview

Class Attribute Summary collapse

API Operations collapse

Class Method Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(options) ⇒ Client

Class Attribute Details

.identifier ⇒ Object (readonly)

Class Method Details

.errors_module ⇒ Object

Instance Method Details

#accept_administrator_invitation(params = {}) ⇒ Struct

Examples:

Request syntax with placeholder values

#accept_invitation(params = {}) ⇒ Struct

Examples:

Request syntax with placeholder values

#archive_findings(params = {}) ⇒ Struct

Examples:

Request syntax with placeholder values

#build_request(operation_name, params = {}) ⇒ Object

#create_detector(params = {}) ⇒ Types::CreateDetectorResponse

Examples:

Request syntax with placeholder values

Response structure

#create_filter(params = {}) ⇒ Types::CreateFilterResponse

Examples:

Request syntax with placeholder values

Response structure

#create_investigation(params = {}) ⇒ Types::CreateInvestigationResponse

Examples:

Request syntax with placeholder values

Response structure

#create_ip_set(params = {}) ⇒ Types::CreateIPSetResponse

Examples:

Request syntax with placeholder values

Response structure

#create_malware_protection_plan(params = {}) ⇒ Types::CreateMalwareProtectionPlanResponse

Examples:

Request syntax with placeholder values

Response structure

#create_members(params = {}) ⇒ Types::CreateMembersResponse

Examples:

Request syntax with placeholder values

Response structure

#create_publishing_destination(params = {}) ⇒ Types::CreatePublishingDestinationResponse

Examples:

Request syntax with placeholder values

Response structure

#create_sample_findings(params = {}) ⇒ Struct

Examples:

Request syntax with placeholder values

#create_threat_entity_set(params = {}) ⇒ Types::CreateThreatEntitySetResponse

Examples:

Request syntax with placeholder values

Response structure

#create_threat_intel_set(params = {}) ⇒ Types::CreateThreatIntelSetResponse

Examples:

Request syntax with placeholder values

Response structure

#create_trusted_entity_set(params = {}) ⇒ Types::CreateTrustedEntitySetResponse

Examples:

Request syntax with placeholder values

Response structure

#decline_invitations(params = {}) ⇒ Types::DeclineInvitationsResponse

Examples:

Request syntax with placeholder values

Response structure

#delete_detector(params = {}) ⇒ Struct

Examples:

Request syntax with placeholder values

#delete_filter(params = {}) ⇒ Struct

Examples:

Request syntax with placeholder values

#delete_invitations(params = {}) ⇒ Types::DeleteInvitationsResponse

Examples:

Request syntax with placeholder values

Response structure

#initialize(options) ⇒ `Client`

.identifier ⇒ `Object` (readonly)

.errors_module ⇒ `Object`

#accept_administrator_invitation(params = {}) ⇒ `Struct`

#accept_invitation(params = {}) ⇒ `Struct`

#archive_findings(params = {}) ⇒ `Struct`

#build_request(operation_name, params = {}) ⇒ `Object`

#create_detector(params = {}) ⇒ `Types::CreateDetectorResponse`

#create_filter(params = {}) ⇒ `Types::CreateFilterResponse`

#create_investigation(params = {}) ⇒ `Types::CreateInvestigationResponse`

#create_ip_set(params = {}) ⇒ `Types::CreateIPSetResponse`

#create_malware_protection_plan(params = {}) ⇒ `Types::CreateMalwareProtectionPlanResponse`

#create_members(params = {}) ⇒ `Types::CreateMembersResponse`

#create_publishing_destination(params = {}) ⇒ `Types::CreatePublishingDestinationResponse`

#create_sample_findings(params = {}) ⇒ `Struct`

#create_threat_entity_set(params = {}) ⇒ `Types::CreateThreatEntitySetResponse`

#create_threat_intel_set(params = {}) ⇒ `Types::CreateThreatIntelSetResponse`

#create_trusted_entity_set(params = {}) ⇒ `Types::CreateTrustedEntitySetResponse`

#decline_invitations(params = {}) ⇒ `Types::DeclineInvitationsResponse`

#delete_detector(params = {}) ⇒ `Struct`

#delete_filter(params = {}) ⇒ `Struct`

#delete_invitations(params = {}) ⇒ `Types::DeleteInvitationsResponse`

#delete_ip_set(params = {}) ⇒ `Struct`

#delete_malware_protection_plan(params = {}) ⇒ `Struct`

#delete_members(params = {}) ⇒ `Types::DeleteMembersResponse`

#delete_publishing_destination(params = {}) ⇒ `Struct`

#delete_threat_entity_set(params = {}) ⇒ `Struct`

#delete_threat_intel_set(params = {}) ⇒ `Struct`

#delete_trusted_entity_set(params = {}) ⇒ `Struct`

#describe_malware_scans(params = {}) ⇒ `Types::DescribeMalwareScansResponse`

#describe_organization_configuration(params = {}) ⇒ `Types::DescribeOrganizationConfigurationResponse`

#describe_publishing_destination(params = {}) ⇒ `Types::DescribePublishingDestinationResponse`

#disable_organization_admin_account(params = {}) ⇒ `Struct`

#disassociate_from_administrator_account(params = {}) ⇒ `Struct`

#disassociate_from_master_account(params = {}) ⇒ `Struct`

#disassociate_members(params = {}) ⇒ `Types::DisassociateMembersResponse`

#enable_organization_admin_account(params = {}) ⇒ `Struct`

#get_administrator_account(params = {}) ⇒ `Types::GetAdministratorAccountResponse`

#get_coverage_statistics(params = {}) ⇒ `Types::GetCoverageStatisticsResponse`

#get_detector(params = {}) ⇒ `Types::GetDetectorResponse`

#get_filter(params = {}) ⇒ `Types::GetFilterResponse`

#get_findings(params = {}) ⇒ `Types::GetFindingsResponse`