amazonaws.com – guardduty
Amazon GuardDuty is a continuous security monitoring service that analyzes and processes the following data sources: VPC flow logs, Amazon Web Services CloudTrail management event logs, CloudTrail S3 data event logs, EKS audit logs, DNS logs, and Amazon EBS volume data. It uses threat intelligence feeds, such as lists of malicious IPs and domains, and machine learning to identify unexpected, potentially unauthorized, and malicious activity within your Amazon Web Services environment. This can include issues like escalations of privileges, uses of exposed credentials, or communication with malicious IPs, domains, or presence of malware on your Amazon EC2 instances and container workloads. For example, GuardDuty can detect compromised EC2 instances and container workloads serving malware, or mining bitcoin.
GuardDuty also monitors Amazon Web Services account access behavior for signs of compromise, such as unauthorized infrastructure deployments like EC2 instances deployed in a Region that has never been used, or unusual API calls like a password policy change to reduce password strength.
GuardDuty informs you about the status of your Amazon Web Services environment by producing security findings that you can view in the GuardDuty console or through Amazon EventBridge. For more information, see the .
- Homepage: https://api.apis.guru/v2/specs/amazonaws.com:guardduty/2017-11-28.json
- Provider: amazonaws.com:guardduty / guardduty
- OpenAPI version: 3.0.0
- Spec (JSON): https://api.apis.guru/v2/specs/amazonaws.com/guardduty/2017-11-28/openapi.json
- Spec (YAML): https://api.apis.guru/v2/specs/amazonaws.com/guardduty/2017-11-28/openapi.yaml
Tools (69)
Extracted live via the executor SDK.
- admin.disableOrganizationAdminAccount: Disables an Amazon Web Services account within the Organization as the GuardDuty delegated administrator.
- admin.enableOrganizationAdminAccount: Enables an Amazon Web Services account within the organization as the GuardDuty delegated administrator.
- admin.listOrganizationAdminAccounts: Lists the accounts configured as GuardDuty delegated administrators.
- detector.acceptAdministratorInvitation: Accepts the invitation to be a member account and get monitored by the GuardDuty administrator account that sent the invitation.
- detector.acceptInvitation: Accepts the invitation to be monitored by a GuardDuty administrator account.
- detector.archiveFindings: Archives GuardDuty findings that are specified by the list of finding IDs. Only the administrator account can archive findings. Member accounts don't have permission to archive findings from their accounts.
- detector.createDetector: Creates a single Amazon GuardDuty detector. A detector is a resource that represents the GuardDuty service. To start using GuardDuty, you must create a detector in each Region where you enable the service. You can have only one detector per account per Region. All data sources are enabled in a new detector by default. There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see .
- detector.createFilter: Creates a filter using the specified finding criteria. The maximum number of saved filters per Amazon Web Services account per Region is 100. For more information, see .
- detector.createIpSet: Creates a new IPSet, which is called a trusted IP list in the console user interface. An IPSet is a list of IP addresses that are trusted for secure communication with Amazon Web Services infrastructure and applications. GuardDuty doesn't generate findings for IP addresses that are included in IPSets. Only users from the administrator account can use this operation.
- detector.createMembers: Creates member accounts of the current Amazon Web Services account by specifying a list of Amazon Web Services account IDs. This step is a prerequisite for managing the associated member accounts either by invitation or through an organization. When using CreateMembers as an organization's delegated administrator, this action will enable GuardDuty in the added member accounts, with the exception of the organization delegated administrator account, which must enable GuardDuty prior to being added as a member. If you are adding accounts by invitation, use this action after GuardDuty has been enabled in potential member accounts and before using .
- detector.createPublishingDestination: Creates a publishing destination to export findings to. The resource to export findings to must exist before you use this operation.
- detector.createSampleFindings: Generates sample findings of the types specified by the list of finding types. If 'NULL' is specified for findingTypes, the API generates sample findings of all supported finding types.
- detector.createThreatIntelSet: Creates a new ThreatIntelSet. ThreatIntelSets consist of known malicious IP addresses. GuardDuty generates findings based on ThreatIntelSets. Only users of the administrator account can use this operation.
- detector.deleteDetector: Deletes an Amazon GuardDuty detector that is specified by the detector ID.
- detector.deleteFilter: Deletes the filter specified by the filter name.
- detector.deleteIpSet: Deletes the IPSet specified by the ipSetId. IPSets are called trusted IP lists in the console user interface.
- detector.deleteMembers: Deletes GuardDuty member accounts (of the current GuardDuty administrator account) specified by the account IDs. With the autoEnableOrganizationMembers configuration for your organization set to ALL, you'll receive an error if you attempt to disable GuardDuty for a member account in your organization.
- detector.deletePublishingDestination: Deletes the publishing destination with the specified destinationId.
- detector.deleteThreatIntelSet: Deletes the ThreatIntelSet specified by the ThreatIntelSet ID.
- detector.describeMalwareScans: Returns a list of malware scans. Each member account can view the malware scans for its own account. An administrator can view the malware scans for all the member accounts. There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see .
- detector.describeOrganizationConfiguration: Returns information about the account selected as the delegated administrator for GuardDuty. There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see .
- detector.describePublishingDestination: Returns information about the publishing destination specified by the provided destinationId.
- detector.disassociateFromAdministratorAccount: Disassociates the current GuardDuty member account from its administrator account. With the autoEnableOrganizationMembers configuration for your organization set to ALL, you'll receive an error if you attempt to disable GuardDuty in a member account.
- detector.disassociateFromMasterAccount: Disassociates the current GuardDuty member account from its administrator account.
- detector.disassociateMembers: Disassociates GuardDuty member accounts (of the current administrator account) specified by the account IDs. With the autoEnableOrganizationMembers configuration for your organization set to ALL, you'll receive an error if you attempt to disassociate a member account before removing it from your Amazon Web Services organization.
- detector.getAdministratorAccount: Provides the details for the GuardDuty administrator account associated with the current GuardDuty member account.
- detector.getCoverageStatistics: Retrieves aggregated statistics for your account. If you are a GuardDuty administrator, you can retrieve the statistics for all the resources associated with the active member accounts in your organization that have enabled EKS Runtime Monitoring and have the GuardDuty agent running on their EKS nodes.
- detector.getDetector: Retrieves an Amazon GuardDuty detector specified by the detectorId. There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see .
- detector.getFilter: Returns the details of the filter specified by the filter name.
- detector.getFindings: Describes Amazon GuardDuty findings specified by finding IDs.
- detector.getFindingsStatistics: Lists Amazon GuardDuty findings statistics for the specified detector ID.
- detector.getIpSet: Retrieves the IPSet specified by the ipSetId.
- detector.getMalwareScanSettings: Returns the details of the malware scan settings. There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see .
- detector.getMasterAccount: Provides the details for the GuardDuty administrator account associated with the current GuardDuty member account.
- detector.getMemberDetectors: Describes which data sources are enabled for the member account's detector. There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see .
- detector.getMembers: Retrieves GuardDuty member accounts (of the current GuardDuty administrator account) specified by the account IDs.
- detector.getRemainingFreeTrialDays: Provides the number of days left for each data source used in the free trial period.
- detector.getThreatIntelSet: Retrieves the ThreatIntelSet that is specified by the ThreatIntelSet ID.
- detector.getUsageStatistics: Lists Amazon GuardDuty usage statistics over the last 30 days for the specified detector ID. For newly enabled detectors or data sources, the cost returned will include only the usage so far under 30 days. This may differ from the cost metrics in the console, which project usage over 30 days to provide a monthly cost estimate. For more information, see .
- detector.inviteMembers: Invites other Amazon Web Services accounts (created as members of the current Amazon Web Services account by CreateMembers) to enable GuardDuty, and allows the current Amazon Web Services account to view and manage these accounts' findings on their behalf as the GuardDuty administrator account.
- detector.listCoverage: Lists coverage details for your GuardDuty account. If you're a GuardDuty administrator, you can retrieve all resources associated with the active member accounts in your organization. Make sure the accounts have EKS Runtime Monitoring enabled and the GuardDuty agent running on their EKS nodes.
- detector.listDetectors: Lists the detectorIds of all the existing Amazon GuardDuty detector resources.
- detector.listFilters: Returns a paginated list of the current filters.
- detector.listFindings: Lists Amazon GuardDuty findings for the specified detector ID.
- detector.listIpSets: Lists the IPSets of the GuardDuty service specified by the detector ID. If you use this operation from a member account, the IPSets returned are the IPSets from the associated administrator account.
- detector.listMembers: Lists details about all member accounts for the current GuardDuty administrator account.
- detector.listPublishingDestinations: Returns a list of publishing destinations associated with the specified detectorId.
- detector.listThreatIntelSets: Lists the ThreatIntelSets of the GuardDuty service specified by the detector ID. If you use this operation from a member account, the ThreatIntelSets associated with the administrator account are returned.
- detector.startMonitoringMembers: Turns on GuardDuty monitoring of the specified member accounts. Use this operation to restart monitoring of accounts that you stopped monitoring with the operation.
- detector.stopMonitoringMembers: Stops GuardDuty monitoring for the specified member accounts. Use the StartMonitoringMembers operation to restart monitoring for those accounts. With the autoEnableOrganizationMembers configuration for your organization set to ALL, you'll receive an error if you attempt to stop monitoring the member accounts in your organization.
- detector.unarchiveFindings: Unarchives GuardDuty findings specified by the findingIds.
- detector.updateDetector: Updates the Amazon GuardDuty detector specified by the detectorId. There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see .
- detector.updateFilter: Updates the filter specified by the filter name.
- detector.updateFindingsFeedback: Marks the specified GuardDuty findings as useful or not useful.
- detector.updateIpSet: Updates the IPSet specified by the IPSet ID.
- detector.updateMalwareScanSettings: Updates the malware scan settings. There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see .
- detector.updateMemberDetectors: Contains information on member accounts to be updated. There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see .
- detector.updateOrganizationConfiguration: Configures the delegated administrator account with the provided values. You must provide the value for either autoEnableOrganizationMembers or autoEnable. There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see .
- detector.updatePublishingDestination: Updates information about the publishing destination specified by the destinationId.
- detector.updateThreatIntelSet: Updates the ThreatIntelSet specified by the ThreatIntelSet ID.
- invitation.declineInvitations: Declines invitations sent to the current member account by the Amazon Web Services accounts specified by their account IDs.
- invitation.deleteInvitations: Deletes invitations sent to the current member account by the Amazon Web Services accounts specified by their account IDs.
- invitation.getInvitationsCount: Returns the count of all GuardDuty membership invitations that were sent to the current member account, except the currently accepted invitation.
- invitation.listInvitations: Lists all GuardDuty membership invitations that were sent to the current Amazon Web Services account.
- tags.listTagsForResource: Lists tags for a resource. Tagging is currently supported for detectors, finding filters, IP sets, and threat intel sets, with a limit of 50 tags per resource. When invoked, this operation returns all assigned tags for a given resource.
- tags.tagResource: Adds tags to a resource.
- tags.untagResource: Removes tags from a resource.
- openapi.previewSpec: Preview an OpenAPI document before adding it as a source.
- openapi.addSource: Add an OpenAPI source and register its operations as tools.