Amazon GuardDuty is a continuous security monitoring service that analyzes and processes the following foundational data sources - VPC flow logs, Amazon Web Services CloudTrail management event logs, CloudTrail S3 data event logs, EKS audit logs, DNS logs, Amazon EBS volume data, runtime activity belonging to container workloads, such as Amazon EKS, Amazon ECS (including Amazon Web Services Fargate), and Amazon EC2 instances. It uses threat intelligence feeds, such as lists of malicious IPs and domains, and machine learning to identify unexpected, potentially unauthorized, and malicious activity within your Amazon Web Services environment. This can include issues like escalations of privileges, uses of exposed credentials, or communication with malicious IPs, domains, or presence of malware on your Amazon EC2 instances and container workloads. For example, GuardDuty can detect compromised EC2 instances and container workloads serving malware, or mining bitcoin.
GuardDuty also monitors Amazon Web Services account access behavior for signs of compromise, such as unauthorized infrastructure deployments like EC2 instances deployed in a Region that has never been used, or unusual API calls like a password policy change to reduce password strength.
GuardDuty informs you about the status of your Amazon Web Services environment by producing security findings that you can view in the GuardDuty console or through Amazon EventBridge. For more information, see the Amazon GuardDuty User Guide .
", "operations": { "AcceptAdministratorInvitation": "Accepts the invitation to be a member account and get monitored by a GuardDuty administrator account that sent the invitation.
", "AcceptInvitation": "Accepts the invitation to be monitored by a GuardDuty administrator account.
", "ArchiveFindings": "Archives GuardDuty findings that are specified by the list of finding IDs.
Only the administrator account can archive findings. Member accounts don't have permission to archive findings from their accounts.
Creates a single GuardDuty detector. A detector is a resource that represents the GuardDuty service. To start using GuardDuty, you must create a detector in each Region where you enable the service. You can have only one detector per account per Region. All data sources are enabled in a new detector by default.
When you don't specify any features, with an exception to RUNTIME_MONITORING, all the optional features are enabled by default.
When you specify some of the features, any feature that is not specified in the API call gets enabled by default, with an exception to RUNTIME_MONITORING.
Specifying both EKS Runtime Monitoring (EKS_RUNTIME_MONITORING) and Runtime Monitoring (RUNTIME_MONITORING) will cause an error. You can add only one of these two features because Runtime Monitoring already includes the threat detection for Amazon EKS resources. For more information, see Runtime Monitoring.
There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints.
", "CreateFilter": "Creates a filter using the specified finding criteria. The maximum number of saved filters per Amazon Web Services account per Region is 100. For more information, see Quotas for GuardDuty.
", "CreateIPSet": "Creates a new IPSet, which is called a trusted IP list in the console user interface. An IPSet is a list of IP addresses that are trusted for secure communication with Amazon Web Services infrastructure and applications. GuardDuty doesn't generate findings for IP addresses that are included in IPSets. Only users from the administrator account can use this operation.
", "CreateMalwareProtectionPlan": "Creates a new Malware Protection plan for the protected resource.
When you create a Malware Protection plan, the Amazon Web Services service terms for GuardDuty Malware Protection apply. For more information, see Amazon Web Services service terms for GuardDuty Malware Protection.
", "CreateMembers": "Creates member accounts of the current Amazon Web Services account by specifying a list of Amazon Web Services account IDs. This step is a prerequisite for managing the associated member accounts either by invitation or through an organization.
As a delegated administrator, using CreateMembers will enable GuardDuty in the added member accounts, with the exception of the organization delegated administrator account. A delegated administrator must enable GuardDuty prior to being added as a member.
When you use CreateMembers as an Organizations delegated administrator, GuardDuty applies your organization's auto-enable settings to the member accounts in this request, irrespective of the accounts being new or existing members. For more information about the existing auto-enable settings for your organization, see DescribeOrganizationConfiguration.
If you disassociate a member account that was added by invitation, the member account details obtained from this API, including the associated email addresses, will be retained. This is done so that the delegated administrator can invoke the InviteMembers API without the need to invoke the CreateMembers API again. To remove the details associated with a member account, the delegated administrator must invoke the DeleteMembers API.
When the member accounts added through Organizations are later disassociated, you (administrator) can't invite them by calling the InviteMembers API. You can create an association with these member accounts again only by calling the CreateMembers API.
", "CreatePublishingDestination": "Creates a publishing destination where you can export your GuardDuty findings. Before you start exporting the findings, the destination resource must exist.
", "CreateSampleFindings": "Generates sample findings of types specified by the list of finding types. If 'NULL' is specified for findingTypes, the API generates sample findings of all supported finding types.
Creates a new threat entity set. In a threat entity set, you can provide known malicious IP addresses and domains for your Amazon Web Services environment. GuardDuty generates findings based on the entries in the threat entity sets. Only users of the administrator account can manage entity sets, which automatically apply to member accounts.
", "CreateThreatIntelSet": "Creates a new ThreatIntelSet. ThreatIntelSets consist of known malicious IP addresses. GuardDuty generates findings based on ThreatIntelSets. Only users of the administrator account can use this operation.
", "CreateTrustedEntitySet": "Creates a new trusted entity set. In the trusted entity set, you can provide IP addresses and domains that you believe are secure for communication in your Amazon Web Services environment. GuardDuty will not generate findings for the entries that are specified in a trusted entity set. At any given time, you can have only one trusted entity set.
Only users of the administrator account can manage the entity sets, which automatically apply to member accounts.
", "DeclineInvitations": "Declines invitations sent to the current member account by Amazon Web Services accounts specified by their account IDs.
", "DeleteDetector": "Deletes an Amazon GuardDuty detector that is specified by the detector ID.
", "DeleteFilter": "Deletes the filter specified by the filter name.
", "DeleteIPSet": "Deletes the IPSet specified by the ipSetId. IPSets are called trusted IP lists in the console user interface.
Deletes invitations sent to the current member account by Amazon Web Services accounts specified by their account IDs.
", "DeleteMalwareProtectionPlan": "Deletes the Malware Protection plan ID associated with the Malware Protection plan resource. Use this API only when you no longer want to protect the resource associated with this Malware Protection plan ID.
", "DeleteMembers": "Deletes GuardDuty member accounts (to the current GuardDuty administrator account) specified by the account IDs.
With autoEnableOrganizationMembers configuration for your organization set to ALL, you'll receive an error if you attempt to disable GuardDuty for a member account in your organization.
Deletes the publishing definition with the specified destinationId.
Deletes the threat entity set that is associated with the specified threatEntitySetId.
Deletes the ThreatIntelSet specified by the ThreatIntelSet ID.
", "DeleteTrustedEntitySet": "Deletes the trusted entity set that is associated with the specified trustedEntitySetId.
Returns a list of malware scans. Each member account can view the malware scans for their own accounts. An administrator can view the malware scans for all the member accounts.
There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints.
", "DescribeOrganizationConfiguration": "Returns information about the account selected as the delegated administrator for GuardDuty.
There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints.
", "DescribePublishingDestination": "Returns information about the publishing destination specified by the provided destinationId.
Removes the existing GuardDuty delegated administrator of the organization. Only the organization's management account can run this API operation.
", "DisassociateFromAdministratorAccount": "Disassociates the current GuardDuty member account from its administrator account.
When you disassociate an invited member from a GuardDuty delegated administrator, the member account details obtained from the CreateMembers API, including the associated email addresses, are retained. This is done so that the delegated administrator can invoke the InviteMembers API without the need to invoke the CreateMembers API again. To remove the details associated with a member account, the delegated administrator must invoke the DeleteMembers API.
With autoEnableOrganizationMembers configuration for your organization set to ALL, you'll receive an error if you attempt to disable GuardDuty in a member account.
Disassociates the current GuardDuty member account from its administrator account.
When you disassociate an invited member from a GuardDuty delegated administrator, the member account details obtained from the CreateMembers API, including the associated email addresses, are retained. This is done so that the delegated administrator can invoke the InviteMembers API without the need to invoke the CreateMembers API again. To remove the details associated with a member account, the delegated administrator must invoke the DeleteMembers API.
", "DisassociateMembers": "Disassociates GuardDuty member accounts (from the current administrator account) specified by the account IDs.
When you disassociate an invited member from a GuardDuty delegated administrator, the member account details obtained from the CreateMembers API, including the associated email addresses, are retained. This is done so that the delegated administrator can invoke the InviteMembers API without the need to invoke the CreateMembers API again. To remove the details associated with a member account, the delegated administrator must invoke the DeleteMembers API.
With autoEnableOrganizationMembers configuration for your organization set to ALL, you'll receive an error if you attempt to disassociate a member account before removing them from your organization.
If you disassociate a member account that was added by invitation, the member account details obtained from this API, including the associated email addresses, will be retained. This is done so that the delegated administrator can invoke the InviteMembers API without the need to invoke the CreateMembers API again. To remove the details associated with a member account, the delegated administrator must invoke the DeleteMembers API.
When the member accounts added through Organizations are later disassociated, you (administrator) can't invite them by calling the InviteMembers API. You can create an association with these member accounts again only by calling the CreateMembers API.
", "EnableOrganizationAdminAccount": "Designates an Amazon Web Services account within the organization as your GuardDuty delegated administrator. Only the organization's management account can run this API operation.
", "GetAdministratorAccount": "Provides the details of the GuardDuty administrator account associated with the current GuardDuty member account.
Based on the type of account that runs this API, the following list shows how the API behavior varies:
When the GuardDuty administrator account runs this API, it will return success (HTTP 200) but no content.
When a member account runs this API, it will return the details of the GuardDuty administrator account that is associated with this calling member account.
When an individual account (not associated with an organization) runs this API, it will return success (HTTP 200) but no content.
Retrieves aggregated statistics for your account. If you are a GuardDuty administrator, you can retrieve the statistics for all the resources associated with the active member accounts in your organization who have enabled Runtime Monitoring and have the GuardDuty security agent running on their resources.
", "GetDetector": "Retrieves a GuardDuty detector specified by the detectorId.
There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints.
", "GetFilter": "Returns the details of the filter specified by the filter name.
", "GetFindings": "Describes Amazon GuardDuty findings specified by finding IDs.
", "GetFindingsStatistics": "Lists GuardDuty findings statistics for the specified detector ID.
You must provide either findingStatisticTypes or groupBy parameter, and not both. You can use the maxResults and orderBy parameters only when using groupBy.
There might be regional differences because some flags might not be available in all the Regions where GuardDuty is currently supported. For more information, see Regions and endpoints.
", "GetIPSet": "Retrieves the IPSet specified by the ipSetId.
Returns the count of all GuardDuty membership invitations that were sent to the current member account except the currently accepted invitation.
", "GetMalwareProtectionPlan": "Retrieves the Malware Protection plan details associated with a Malware Protection plan ID.
", "GetMalwareScanSettings": "Returns the details of the malware scan settings.
There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints.
", "GetMasterAccount": "Provides the details for the GuardDuty administrator account associated with the current GuardDuty member account.
", "GetMemberDetectors": "Describes which data sources are enabled for the member account's detector.
There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints.
", "GetMembers": "Retrieves GuardDuty member accounts (of the current GuardDuty administrator account) specified by the account IDs.
", "GetOrganizationStatistics": "Retrieves how many active member accounts have each feature enabled within GuardDuty. Only a delegated GuardDuty administrator of an organization can run this API.
When you create a new organization, it might take up to 24 hours to generate the statistics for the entire organization.
", "GetRemainingFreeTrialDays": "Provides the number of days left for each data source used in the free trial period.
", "GetThreatEntitySet": "Retrieves the threat entity set associated with the specified threatEntitySetId.
Retrieves the ThreatIntelSet that is specified by the ThreatIntelSet ID.
", "GetTrustedEntitySet": "Retrieves the trusted entity set associated with the specified trustedEntitySetId.
Lists Amazon GuardDuty usage statistics over the last 30 days for the specified detector ID. For newly enabled detectors or data sources, the cost returned will include only the usage so far under 30 days. This may differ from the cost metrics in the console, which project usage over 30 days to provide a monthly cost estimate. For more information, see Understanding How Usage Costs are Calculated.
", "InviteMembers": "Invites Amazon Web Services accounts to become members of an organization administered by the Amazon Web Services account that invokes this API. If you are using Amazon Web Services Organizations to manage your GuardDuty environment, this step is not needed. For more information, see Managing accounts with organizations.
To invite Amazon Web Services accounts, the first step is to ensure that GuardDuty has been enabled in the potential member accounts. You can now invoke this API to add accounts by invitation. The invited accounts can either accept or decline the invitation from their GuardDuty accounts. Each invited Amazon Web Services account can choose to accept the invitation from only one Amazon Web Services account. For more information, see Managing GuardDuty accounts by invitation.
After the invite has been accepted and you choose to disassociate a member account (by using DisassociateMembers) from your account, the details of the member account obtained by invoking CreateMembers, including the associated email addresses, will be retained. This is done so that you can invoke InviteMembers without the need to invoke CreateMembers again. To remove the details associated with a member account, you must also invoke DeleteMembers.
If you disassociate a member account that was added by invitation, the member account details obtained from this API, including the associated email addresses, will be retained. This is done so that the delegated administrator can invoke the InviteMembers API without the need to invoke the CreateMembers API again. To remove the details associated with a member account, the delegated administrator must invoke the DeleteMembers API.
When the member accounts added through Organizations are later disassociated, you (administrator) can't invite them by calling the InviteMembers API. You can create an association with these member accounts again only by calling the CreateMembers API.
", "ListCoverage": "Lists coverage details for your GuardDuty account. If you're a GuardDuty administrator, you can retrieve all resources associated with the active member accounts in your organization.
Make sure the accounts have Runtime Monitoring enabled and GuardDuty agent running on their resources.
", "ListDetectors": "Lists detectorIds of all the existing Amazon GuardDuty detector resources.
", "ListFilters": "Returns a paginated list of the current filters.
", "ListFindings": "Lists GuardDuty findings for the specified detector ID.
There might be regional differences because some flags might not be available in all the Regions where GuardDuty is currently supported. For more information, see Regions and endpoints.
", "ListIPSets": "Lists the IPSets of the GuardDuty service specified by the detector ID. If you use this operation from a member account, the IPSets returned are the IPSets from the associated administrator account.
", "ListInvitations": "Lists all GuardDuty membership invitations that were sent to the current Amazon Web Services account.
", "ListMalwareProtectionPlans": "Lists the Malware Protection plan IDs associated with the protected resources in your Amazon Web Services account.
", "ListMembers": "Lists details about all member accounts for the current GuardDuty administrator account.
", "ListOrganizationAdminAccounts": "Lists the accounts designated as GuardDuty delegated administrators. Only the organization's management account can run this API operation.
", "ListPublishingDestinations": "Returns a list of publishing destinations associated with the specified detectorId.
Lists tags for a resource. Tagging is currently supported for detectors, finding filters, IP sets, threat intel sets, and publishing destination, with a limit of 50 tags per resource. When invoked, this operation returns all assigned tags for a given resource.
", "ListThreatEntitySets": "Lists the threat entity sets associated with the specified GuardDuty detector ID. If you use this operation from a member account, the threat entity sets that are returned as a response, belong to the administrator account.
", "ListThreatIntelSets": "Lists the ThreatIntelSets of the GuardDuty service specified by the detector ID. If you use this operation from a member account, the ThreatIntelSets associated with the administrator account are returned.
", "ListTrustedEntitySets": "Lists the trusted entity sets associated with the specified GuardDuty detector ID. If you use this operation from a member account, the trusted entity sets that are returned as a response, belong to the administrator account.
", "StartMalwareScan": "Initiates the malware scan. Invoking this API will automatically create the Service-linked role in the corresponding account.
When the malware scan starts, you can use the associated scan ID to track the status of the scan. For more information, see DescribeMalwareScans.
", "StartMonitoringMembers": "Turns on GuardDuty monitoring of the specified member accounts. Use this operation to restart monitoring of accounts that you stopped monitoring with the StopMonitoringMembers operation.
", "StopMonitoringMembers": "Stops GuardDuty monitoring for the specified member accounts. Use the StartMonitoringMembers operation to restart monitoring for those accounts.
With autoEnableOrganizationMembers configuration for your organization set to ALL, you'll receive an error if you attempt to stop monitoring the member accounts in your organization.
Adds tags to a resource.
", "UnarchiveFindings": "Unarchives GuardDuty findings specified by the findingIds.
Removes tags from a resource.
", "UpdateDetector": "Updates the GuardDuty detector specified by the detector ID.
Specifying both EKS Runtime Monitoring (EKS_RUNTIME_MONITORING) and Runtime Monitoring (RUNTIME_MONITORING) will cause an error. You can add only one of these two features because Runtime Monitoring already includes the threat detection for Amazon EKS resources. For more information, see Runtime Monitoring.
There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints.
", "UpdateFilter": "Updates the filter specified by the filter name.
", "UpdateFindingsFeedback": "Marks the specified GuardDuty findings as useful or not useful.
", "UpdateIPSet": "Updates the IPSet specified by the IPSet ID.
", "UpdateMalwareProtectionPlan": "Updates an existing Malware Protection plan resource.
", "UpdateMalwareScanSettings": "Updates the malware scan settings.
There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints.
", "UpdateMemberDetectors": "Contains information on member accounts to be updated.
Specifying both EKS Runtime Monitoring (EKS_RUNTIME_MONITORING) and Runtime Monitoring (RUNTIME_MONITORING) will cause an error. You can add only one of these two features because Runtime Monitoring already includes the threat detection for Amazon EKS resources. For more information, see Runtime Monitoring.
There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints.
", "UpdateOrganizationConfiguration": "Configures the delegated administrator account with the provided values. You must provide a value for either autoEnableOrganizationMembers or autoEnable, but not both.
Specifying both EKS Runtime Monitoring (EKS_RUNTIME_MONITORING) and Runtime Monitoring (RUNTIME_MONITORING) will cause an error. You can add only one of these two features because Runtime Monitoring already includes the threat detection for Amazon EKS resources. For more information, see Runtime Monitoring.
There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints.
", "UpdatePublishingDestination": "Updates information about the publishing destination specified by the destinationId.
Updates the threat entity set associated with the specified threatEntitySetId.
Updates the ThreatIntelSet specified by the ThreatIntelSet ID.
", "UpdateTrustedEntitySet": "Updates the trusted entity set associated with the specified trustedEntitySetId.
Contains information on the current access control policies for the bucket.
", "refs": { "BucketLevelPermissions$AccessControlList": "Contains information on how Access Control Policies are applied to the bucket.
" } }, "AccessDeniedException": { "base": "An access denied exception object.
", "refs": {} }, "AccessKey": { "base": "Contains information about the access keys.
", "refs": { "ResourceData$AccessKey": "Contains information about the IAM access key details of a user that involved in the GuardDuty finding.
" } }, "AccessKeyDetails": { "base": "Contains information about the access keys.
", "refs": { "Resource$AccessKeyDetails": "The IAM access key details (user information) of a user that engaged in the activity that prompted GuardDuty to generate a finding.
" } }, "Account": { "base": "Contains information about the account.
", "refs": { "User$Account": "Contains information about the Amazon Web Services account.
" } }, "AccountDetail": { "base": "Contains information about the account.
", "refs": { "AccountDetails$member": null } }, "AccountDetails": { "base": null, "refs": { "CreateMembersRequest$AccountDetails": "A list of account ID and email address pairs of the accounts that you want to associate with the GuardDuty administrator account.
" } }, "AccountFreeTrialInfo": { "base": "Provides details of the GuardDuty member account that uses a free trial service.
", "refs": { "AccountFreeTrialInfos$member": null } }, "AccountFreeTrialInfos": { "base": null, "refs": { "GetRemainingFreeTrialDaysResponse$Accounts": "The member accounts which were included in a request and were processed successfully.
" } }, "AccountId": { "base": null, "refs": { "AccountDetail$AccountId": "The member account ID.
", "AccountIds$member": null, "Administrator$AccountId": "The ID of the account used as the administrator account.
", "CoverageResource$AccountId": "The unique ID of the Amazon Web Services account.
", "CreateIPSetRequest$ExpectedBucketOwner": "The Amazon Web Services account ID that owns the Amazon S3 bucket specified in the location parameter.
", "CreateThreatIntelSetRequest$ExpectedBucketOwner": "The Amazon Web Services account ID that owns the Amazon S3 bucket specified in the location parameter.
", "DnsRequestAction$VpcOwnerAccountId": "The Amazon Web Services account ID that owns the VPC through which the DNS request was made.
", "GetIPSetResponse$ExpectedBucketOwner": "The Amazon Web Services account ID that owns the Amazon S3 bucket specified in the location parameter. This field appears in the response only if it was provided during IPSet creation or update.
", "GetThreatIntelSetResponse$ExpectedBucketOwner": "The Amazon Web Services account ID that owns the Amazon S3 bucket specified in the location parameter. This field appears in the response only if it was provided during ThreatIntelSet creation or update.
", "Invitation$AccountId": "The ID of the account that the invitation was sent from.
", "Master$AccountId": "The ID of the account used as the administrator account.
", "Member$AccountId": "The ID of the member account.
", "MemberDataSourceConfiguration$AccountId": "The account ID for the member account.
", "Scan$AccountId": "The ID for the account that belongs to the scan.
", "UnprocessedAccount$AccountId": "The Amazon Web Services account ID.
", "UpdateIPSetRequest$ExpectedBucketOwner": "The Amazon Web Services account ID that owns the Amazon S3 bucket specified in the location parameter.
", "UpdateThreatIntelSetRequest$ExpectedBucketOwner": "The Amazon Web Services account ID that owns the Amazon S3 bucket specified in the location parameter.
", "UsageAccountResult$AccountId": "The Account ID that generated usage.
", "UsageTopAccountResult$AccountId": "The unique account ID.
" } }, "AccountIds": { "base": null, "refs": { "DeclineInvitationsRequest$AccountIds": "A list of account IDs of the Amazon Web Services accounts that sent invitations to the current member account that you want to decline invitations from.
", "DeleteInvitationsRequest$AccountIds": "A list of account IDs of the Amazon Web Services accounts that sent invitations to the current member account that you want to delete invitations from.
", "DeleteMembersRequest$AccountIds": "A list of account IDs of the GuardDuty member accounts that you want to delete.
", "DisassociateMembersRequest$AccountIds": "A list of account IDs of the GuardDuty member accounts that you want to disassociate from the administrator account.
", "GetMemberDetectorsRequest$AccountIds": "A list of member account IDs.
", "GetMembersRequest$AccountIds": "A list of account IDs of the GuardDuty member accounts that you want to describe.
", "GetRemainingFreeTrialDaysRequest$AccountIds": "A list of account identifiers of the GuardDuty member account.
", "InviteMembersRequest$AccountIds": "A list of account IDs of the accounts that you want to invite to GuardDuty as members.
", "StartMonitoringMembersRequest$AccountIds": "A list of account IDs of the GuardDuty member accounts to start monitoring.
", "StopMonitoringMembersRequest$AccountIds": "A list of account IDs for the member accounts to stop monitoring.
", "UpdateMemberDetectorsRequest$AccountIds": "A list of member account IDs to be updated.
", "UsageCriteria$AccountIds": "The account IDs to aggregate usage statistics from.
" } }, "AccountLevelPermissions": { "base": "Contains information about the account level permissions on the S3 bucket.
", "refs": { "PermissionConfiguration$AccountLevelPermissions": "Contains information about the account level permissions on the S3 bucket.
" } }, "AccountStatistics": { "base": "Represents a list of map of accounts with the number of findings associated with each account.
", "refs": { "GroupedByAccount$member": null } }, "Action": { "base": "Contains information about actions.
", "refs": { "Service$Action": "Information about the activity that is described in a finding.
" } }, "Actor": { "base": "Information about the actors involved in an attack sequence.
", "refs": { "Actors$member": null } }, "ActorIds": { "base": null, "refs": { "Signal$ActorIds": "Information about the IDs of the threat actors involved in the signal.
" } }, "ActorProcess": { "base": "Contains information about a process involved in a GuardDuty finding, including process identification, execution details, and file information.
", "refs": { "Actor$Process": "Contains information about the process associated with the threat actor. This includes details such as process name, path, execution time, and unique identifiers that help track the actor's activities within the system.
" } }, "Actors": { "base": null, "refs": { "Sequence$Actors": "Contains information about the actors involved in the attack sequence.
" } }, "AdditionalSequenceTypes": { "base": null, "refs": { "Sequence$AdditionalSequenceTypes": "Additional types of sequences that may be associated with the attack sequence finding, providing further context about the nature of the detected threat.
" } }, "AddonDetails": { "base": "Information about the installed EKS add-on (GuardDuty security agent).
", "refs": { "CoverageEksClusterDetails$AddonDetails": "Information about the installed EKS add-on.
" } }, "AdminAccount": { "base": "The account within the organization specified as the GuardDuty delegated administrator.
", "refs": { "AdminAccounts$member": null } }, "AdminAccounts": { "base": null, "refs": { "ListOrganizationAdminAccountsResponse$AdminAccounts": "A list of accounts configured as GuardDuty delegated administrators.
" } }, "AdminStatus": { "base": null, "refs": { "AdminAccount$AdminStatus": "Indicates whether the account is enabled as the delegated administrator.
" } }, "Administrator": { "base": "Contains information about the administrator account and invitation.
", "refs": { "GetAdministratorAccountResponse$Administrator": "The administrator account details.
" } }, "AffectedResources": { "base": null, "refs": { "AwsApiCallAction$AffectedResources": "The details of the Amazon Web Services account that made the API call. This field identifies the resources that were affected by this API call.
" } }, "AgentDetails": { "base": "Information about the installed GuardDuty security agent.
", "refs": { "CoverageEc2InstanceDetails$AgentDetails": "Information about the installed security agent.
" } }, "Anomaly": { "base": "Contains information about the anomalies.
", "refs": { "Detection$Anomaly": "The details about the anomalous activity that caused GuardDuty to generate the finding.
" } }, "AnomalyObject": { "base": "Contains information about the unusual anomalies.
", "refs": { "AnomalyProfileFeatureObjects$member": null, "AnomalyUnusualBehaviorFeature$value": null } }, "AnomalyProfileFeatureObjects": { "base": null, "refs": { "AnomalyProfileFeatures$value": null } }, "AnomalyProfileFeatures": { "base": null, "refs": { "AnomalyProfiles$value": null } }, "AnomalyProfiles": { "base": null, "refs": { "Anomaly$Profiles": "Information about the types of profiles.
" } }, "AnomalyUnusual": { "base": "Contains information about the behavior of the anomaly that is new to GuardDuty.
", "refs": { "Anomaly$Unusual": "Information about the behavior of the anomalies.
" } }, "AnomalyUnusualBehaviorFeature": { "base": null, "refs": { "Behavior$value": null } }, "ArchiveFindingsRequest": { "base": null, "refs": {} }, "ArchiveFindingsResponse": { "base": null, "refs": {} }, "AutoEnableMembers": { "base": null, "refs": { "DescribeOrganizationConfigurationResponse$AutoEnableOrganizationMembers": "Indicates the auto-enablement configuration of GuardDuty or any of the corresponding protection plans for the member accounts in the organization.
NEW: Indicates that when a new account joins the organization, they will have GuardDuty or any of the corresponding protection plans enabled automatically.
ALL: Indicates that all accounts in the organization have GuardDuty and any of the corresponding protection plans enabled automatically. This includes NEW accounts that join the organization and accounts that may have been suspended or removed from the organization in GuardDuty.
NONE: Indicates that GuardDuty or any of the corresponding protection plans will not be automatically enabled for any account in the organization. The administrator must manage GuardDuty for each account in the organization individually.
When you update the auto-enable setting from ALL or NEW to NONE, this action doesn't disable the corresponding option for your existing accounts. This configuration will apply to the new accounts that join the organization. After you update the auto-enable settings, no new account will have the corresponding option as enabled.
Indicates the auto-enablement configuration of GuardDuty for the member accounts in the organization. You must provide a value for either autoEnableOrganizationMembers or autoEnable.
Use one of the following configuration values for autoEnableOrganizationMembers:
NEW: Indicates that when a new account joins the organization, they will have GuardDuty enabled automatically.
ALL: Indicates that all accounts in the organization have GuardDuty enabled automatically. This includes NEW accounts that join the organization and accounts that may have been suspended or removed from the organization in GuardDuty.
It may take up to 24 hours to update the configuration for all the member accounts.
NONE: Indicates that GuardDuty will not be automatically enabled for any account in the organization. The administrator must manage GuardDuty for each account in the organization individually.
When you update the auto-enable setting from ALL or NEW to NONE, this action doesn't disable the corresponding option for your existing accounts. This configuration will apply to the new accounts that join the organization. After you update the auto-enable settings, no new account will have the corresponding option as enabled.
Contains information about the Autonomous System (AS) associated with the network endpoints involved in an attack sequence.
", "refs": { "NetworkEndpoint$AutonomousSystem": "The Autonomous System (AS) of the network endpoint.
" } }, "AwsApiCallAction": { "base": "Contains information about the API action.
", "refs": { "Action$AwsApiCallAction": "Information about the AWS_API_CALL action described in this finding.
" } }, "BadRequestException": { "base": "A bad request exception object.
", "refs": {} }, "Behavior": { "base": null, "refs": { "AnomalyUnusual$Behavior": "The behavior of the anomalous activity that caused GuardDuty to generate the finding.
" } }, "BlockPublicAccess": { "base": "Contains information on how the bucker owner's S3 Block Public Access settings are being applied to the S3 bucket. See S3 Block Public Access for more information.
", "refs": { "AccountLevelPermissions$BlockPublicAccess": "Describes the S3 Block Public Access settings of the bucket's parent account.
", "BucketLevelPermissions$BlockPublicAccess": "Contains information on which account level S3 Block Public Access settings are applied to the S3 bucket.
" } }, "Boolean": { "base": null, "refs": { "AccessControlList$AllowsPublicReadAccess": "A value that indicates whether public read access for the bucket is enabled through an Access Control List (ACL).
", "AccessControlList$AllowsPublicWriteAccess": "A value that indicates whether public write access for the bucket is enabled through an Access Control List (ACL).
", "BlockPublicAccess$IgnorePublicAcls": "Indicates if S3 Block Public Access is set to IgnorePublicAcls.
Indicates if S3 Block Public Access is set to RestrictPublicBuckets.
Indicates if S3 Block Public Access is set to BlockPublicAcls.
Indicates if S3 Block Public Access is set to BlockPublicPolicy.
A value that indicates whether public read access for the bucket is enabled through a bucket policy.
", "BucketPolicy$AllowsPublicWriteAccess": "A value that indicates whether public write access for the bucket is enabled through a bucket policy.
", "CreateDetectorRequest$Enable": "A Boolean value that specifies whether the detector is to be enabled.
", "CreateIPSetRequest$Activate": "A Boolean value that indicates whether GuardDuty is to start using the uploaded IPSet.
", "CreateThreatEntitySetRequest$Activate": "A boolean value that indicates whether GuardDuty should start using the uploaded threat entity set to generate findings.
", "CreateThreatIntelSetRequest$Activate": "A Boolean value that indicates whether GuardDuty is to start using the uploaded ThreatIntelSet.
", "CreateTrustedEntitySetRequest$Activate": "A boolean value that indicates whether GuardDuty is to start using the uploaded trusted entity set.
", "DescribeOrganizationConfigurationResponse$AutoEnable": "Indicates whether GuardDuty is automatically enabled for accounts added to the organization.
Even though this is still supported, we recommend using AutoEnableOrganizationMembers to achieve the similar results.
Indicates whether the maximum number of allowed member accounts are already associated with the delegated administrator account for your organization.
", "DnsRequestAction$Blocked": "Indicates whether the targeted port is blocked.
", "InviteMembersRequest$DisableEmailNotification": "A Boolean value that specifies whether you want to disable email notification to the accounts that you are inviting to GuardDuty as members.
", "KubernetesAuditLogsConfiguration$Enable": "The status of Kubernetes audit logs as a data source.
", "KubernetesPermissionCheckedDetails$Allowed": "Information whether the user has the permission to call the Kubernetes API.
", "KubernetesWorkloadDetails$HostNetwork": "Whether the hostNetwork flag is enabled for the pods included in the workload.
", "KubernetesWorkloadDetails$HostIPC": "Whether the host IPC flag is enabled for the pods in the workload.
", "KubernetesWorkloadDetails$HostPID": "Whether the host PID flag is enabled for the pods in the workload.
", "NetworkConnectionAction$Blocked": "Indicates whether EC2 blocked the network connection to your instance.
", "OrganizationEbsVolumes$AutoEnable": "Whether scanning EBS volumes should be auto-enabled for new members joining the organization.
", "OrganizationEbsVolumesResult$AutoEnable": "An object that contains the status of whether scanning EBS volumes should be auto-enabled for new members joining the organization.
", "OrganizationKubernetesAuditLogsConfiguration$AutoEnable": "A value that contains information on whether Kubernetes audit logs should be enabled automatically as a data source for the organization.
", "OrganizationKubernetesAuditLogsConfigurationResult$AutoEnable": "Whether Kubernetes audit logs data source should be auto-enabled for new members joining the organization.
", "OrganizationS3LogsConfiguration$AutoEnable": "A value that contains information on whether S3 data event logs will be enabled automatically as a data source for the organization.
", "OrganizationS3LogsConfigurationResult$AutoEnable": "A value that describes whether S3 data event logs are automatically enabled for new members of the organization.
", "PortProbeAction$Blocked": "Indicates whether EC2 blocked the port probe to the instance, such as with an ACL.
", "RemoteAccountDetails$Affiliated": "Details on whether the Amazon Web Services account of the remote API caller is related to your GuardDuty environment. If this value is True the API caller is affiliated to your account in some way. If it is False the API caller is from outside your environment.
The status of S3 data event logs as a data source.
", "ScanEc2InstanceWithFindings$EbsVolumes": "Describes the configuration for scanning EBS volumes as data source.
", "SecurityContext$Privileged": "Whether the container is privileged.
", "SecurityContext$AllowPrivilegeEscalation": "Whether or not a container or a Kubernetes pod is allowed to gain more privileges than its parent process.
", "Service$Archived": "Indicates whether this finding is archived.
", "ThreatDetectedByName$Shortened": "Flag to determine if the finding contains every single infected file-path and/or every threat.
", "UpdateDetectorRequest$Enable": "Specifies whether the detector is enabled or not enabled.
", "UpdateIPSetRequest$Activate": "The updated Boolean value that specifies whether the IPSet is active or not.
", "UpdateOrganizationConfigurationRequest$AutoEnable": "Represents whether to automatically enable member accounts in the organization. This applies to only new member accounts, not the existing member accounts. When a new account joins the organization, the chosen features will be enabled for them by default.
Even though this is still supported, we recommend using AutoEnableOrganizationMembers to achieve the similar results. You must provide a value for either autoEnableOrganizationMembers or autoEnable.
A boolean value that indicates whether GuardDuty is to start using this updated threat entity set. After you update an entity set, you will need to activate it again. It might take up to 15 minutes for the updated entity set to be effective.
", "UpdateThreatIntelSetRequest$Activate": "The updated Boolean value that specifies whether the ThreateIntelSet is active or not.
", "UpdateTrustedEntitySetRequest$Activate": "A boolean value that indicates whether GuardDuty is to start using this updated trusted entity set. After you update an entity set, you will need to activate it again. It might take up to 15 minutes for the updated entity set to be effective.
" } }, "BucketLevelPermissions": { "base": "Contains information about the bucket level permissions for the S3 bucket.
", "refs": { "PermissionConfiguration$BucketLevelPermissions": "Contains information about the bucket level permissions for the S3 bucket.
" } }, "BucketPolicy": { "base": "Contains information on the current bucket policies for the S3 bucket.
", "refs": { "BucketLevelPermissions$BucketPolicy": "Contains information on the bucket policies for the S3 bucket.
" } }, "City": { "base": "Contains information about the city associated with the IP address.
", "refs": { "RemoteIpDetails$City": "The city information of the remote IP address.
" } }, "ClientToken": { "base": null, "refs": { "CreateDetectorRequest$ClientToken": "The idempotency token for the create request.
", "CreateFilterRequest$ClientToken": "The idempotency token for the create request.
", "CreateIPSetRequest$ClientToken": "The idempotency token for the create request.
", "CreateMalwareProtectionPlanRequest$ClientToken": "The idempotency token for the create request.
", "CreatePublishingDestinationRequest$ClientToken": "The idempotency token for the request.
", "CreateThreatEntitySetRequest$ClientToken": "The idempotency token for the create request.
", "CreateThreatIntelSetRequest$ClientToken": "The idempotency token for the create request.
", "CreateTrustedEntitySetRequest$ClientToken": "The idempotency token for the create request.
" } }, "CloudTrailConfigurationResult": { "base": "Contains information on the status of CloudTrail as a data source for the detector.
", "refs": { "DataSourceConfigurationsResult$CloudTrail": "An object that contains information on the status of CloudTrail as a data source.
" } }, "ClusterStatus": { "base": null, "refs": { "EksCluster$Status": "The current status of the Amazon EKS cluster.
" } }, "Condition": { "base": "Contains information about the condition.
", "refs": { "Criterion$value": null } }, "ConflictException": { "base": "A request conflict exception object.
", "refs": {} }, "Container": { "base": "Details of a container.
", "refs": { "Containers$member": null, "Resource$ContainerDetails": null } }, "ContainerFindingResource": { "base": "Contains information about container resources involved in a GuardDuty finding. This structure provides details about containers that were identified as part of suspicious or malicious activity.
", "refs": { "ResourceData$Container": "Contains detailed information about the container associated with the activity that prompted GuardDuty to generate a finding.
" } }, "ContainerImageUid": { "base": null, "refs": { "ContainerFindingResource$ImageUid": "The unique ID associated with the container image.
" } }, "ContainerInstanceDetails": { "base": "Contains information about the Amazon EC2 instance that is running the Amazon ECS container.
", "refs": { "CoverageEcsClusterDetails$ContainerInstanceDetails": "Information about the Amazon ECS container running on Amazon EC2 instance.
" } }, "ContainerUid": { "base": null, "refs": { "ContainerUids$member": null } }, "ContainerUids": { "base": null, "refs": { "KubernetesWorkload$ContainerUids": "A list of unique identifiers for the containers that are part of the Kubernetes workload.
" } }, "Containers": { "base": null, "refs": { "EcsTaskDetails$Containers": "The containers that's associated with the task.
", "KubernetesWorkloadDetails$Containers": "Containers running as part of the Kubernetes workload.
" } }, "CountByCoverageStatus": { "base": null, "refs": { "CoverageStatistics$CountByCoverageStatus": "Represents coverage statistics for EKS clusters aggregated by coverage status.
" } }, "CountByResourceType": { "base": null, "refs": { "CoverageStatistics$CountByResourceType": "Represents coverage statistics for EKS clusters aggregated by resource type.
" } }, "CountBySeverity": { "base": null, "refs": { "FindingStatistics$CountBySeverity": "Represents a list of map of severity to count statistics for a set of findings.
" } }, "Country": { "base": "Contains information about the country where the remote IP address is located.
", "refs": { "RemoteIpDetails$Country": "The country code of the remote IP address.
" } }, "CoverageEc2InstanceDetails": { "base": "Contains information about the Amazon EC2 instance runtime coverage details.
", "refs": { "CoverageResourceDetails$Ec2InstanceDetails": "Information about the Amazon EC2 instance assessed for runtime coverage.
" } }, "CoverageEcsClusterDetails": { "base": "Contains information about Amazon ECS cluster runtime coverage details.
", "refs": { "CoverageResourceDetails$EcsClusterDetails": "Information about the Amazon ECS cluster that is assessed for runtime coverage.
" } }, "CoverageEksClusterDetails": { "base": "Information about the EKS cluster that has a coverage status.
", "refs": { "CoverageResourceDetails$EksClusterDetails": "EKS cluster details involved in the coverage statistics.
" } }, "CoverageFilterCondition": { "base": "Represents a condition that when matched will be added to the response of the operation.
", "refs": { "CoverageFilterCriterion$FilterCondition": "Contains information about the condition.
" } }, "CoverageFilterCriteria": { "base": "Represents the criteria used in the filter.
", "refs": { "GetCoverageStatisticsRequest$FilterCriteria": "Represents the criteria used to filter the coverage statistics.
", "ListCoverageRequest$FilterCriteria": "Represents the criteria used to filter the coverage details.
" } }, "CoverageFilterCriterion": { "base": "Represents a condition that when matched will be added to the response of the operation.
", "refs": { "CoverageFilterCriterionList$member": null } }, "CoverageFilterCriterionKey": { "base": null, "refs": { "CoverageFilterCriterion$CriterionKey": "An enum value representing possible filter fields.
Replace the enum value CLUSTER_NAME with EKS_CLUSTER_NAME. CLUSTER_NAME has been deprecated.
Represents a condition that when matched will be added to the response of the operation.
" } }, "CoverageResource": { "base": "Information about the resource of the GuardDuty account.
", "refs": { "CoverageResources$member": null } }, "CoverageResourceDetails": { "base": "Information about the resource for each individual EKS cluster.
", "refs": { "CoverageResource$ResourceDetails": "Information about the resource for which the coverage statistics are retrieved.
" } }, "CoverageResources": { "base": null, "refs": { "ListCoverageResponse$Resources": "A list of resources and their attributes providing cluster details.
" } }, "CoverageSortCriteria": { "base": "Information about the sorting criteria used in the coverage statistics.
", "refs": { "ListCoverageRequest$SortCriteria": "Represents the criteria used to sort the coverage details.
" } }, "CoverageSortKey": { "base": null, "refs": { "CoverageSortCriteria$AttributeName": "Represents the field name used to sort the coverage details.
Replace the enum value CLUSTER_NAME with EKS_CLUSTER_NAME. CLUSTER_NAME has been deprecated.
Information about the coverage statistics for a resource.
", "refs": { "GetCoverageStatisticsResponse$CoverageStatistics": "Represents the count aggregated by the statusCode and resourceType.
Represents the statistics type used to aggregate the coverage details.
" } }, "CoverageStatus": { "base": null, "refs": { "CountByCoverageStatus$key": null, "CoverageResource$CoverageStatus": "Represents the status of the EKS cluster coverage.
" } }, "CreateDetectorRequest": { "base": null, "refs": {} }, "CreateDetectorResponse": { "base": null, "refs": {} }, "CreateFilterRequest": { "base": null, "refs": {} }, "CreateFilterResponse": { "base": null, "refs": {} }, "CreateIPSetRequest": { "base": null, "refs": {} }, "CreateIPSetResponse": { "base": null, "refs": {} }, "CreateMalwareProtectionPlanRequest": { "base": null, "refs": {} }, "CreateMalwareProtectionPlanResponse": { "base": null, "refs": {} }, "CreateMembersRequest": { "base": null, "refs": {} }, "CreateMembersResponse": { "base": null, "refs": {} }, "CreateProtectedResource": { "base": "Information about the protected resource that is associated with the created Malware Protection plan. Presently, S3Bucket is the only supported protected resource.
Information about the protected resource that is associated with the created Malware Protection plan. Presently, S3Bucket is the only supported protected resource.
Information about the protected resource that is associated with the created Malware Protection plan. Presently, S3Bucket is the only supported protected resource.
Information about the protected S3 bucket resource.
", "refs": { "CreateProtectedResource$S3Bucket": "Information about the protected S3 bucket resource.
" } }, "CreateSampleFindingsRequest": { "base": null, "refs": {} }, "CreateSampleFindingsResponse": { "base": null, "refs": {} }, "CreateThreatEntitySetRequest": { "base": null, "refs": {} }, "CreateThreatEntitySetResponse": { "base": null, "refs": {} }, "CreateThreatIntelSetRequest": { "base": null, "refs": {} }, "CreateThreatIntelSetResponse": { "base": null, "refs": {} }, "CreateTrustedEntitySetRequest": { "base": null, "refs": {} }, "CreateTrustedEntitySetResponse": { "base": null, "refs": {} }, "Criterion": { "base": null, "refs": { "FindingCriteria$Criterion": "Represents a map of finding properties that match specified conditions and values when querying findings.
" } }, "CriterionKey": { "base": null, "refs": { "FilterCriterion$CriterionKey": "An enum value representing possible scan properties to match with given scan entries.
" } }, "DNSLogsConfigurationResult": { "base": "Contains information on the status of DNS logs as a data source.
", "refs": { "DataSourceConfigurationsResult$DNSLogs": "An object that contains information on the status of DNS logs as a data source.
" } }, "DataSource": { "base": null, "refs": { "DataSourceList$member": null, "UsageDataSourceResult$DataSource": "The data source type that generated usage.
" } }, "DataSourceConfigurations": { "base": "Contains information about which data sources are enabled.
", "refs": { "CreateDetectorRequest$DataSources": "Describes which data sources will be enabled for the detector.
There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints.
", "UpdateDetectorRequest$DataSources": "Describes which data sources will be updated.
There might be regional differences because some data sources might not be available in all the Amazon Web Services Regions where GuardDuty is presently supported. For more information, see Regions and endpoints.
", "UpdateMemberDetectorsRequest$DataSources": "Describes which data sources will be updated.
" } }, "DataSourceConfigurationsResult": { "base": "Contains information on the status of data sources for the detector.
", "refs": { "GetDetectorResponse$DataSources": "Describes which data sources are enabled for the detector.
", "MemberDataSourceConfiguration$DataSources": "Contains information on the status of data sources for the account.
" } }, "DataSourceFreeTrial": { "base": "Contains information about which data sources are enabled for the GuardDuty member account.
", "refs": { "DataSourcesFreeTrial$CloudTrail": "Describes whether any Amazon Web Services CloudTrail management event logs are enabled as data sources.
", "DataSourcesFreeTrial$DnsLogs": "Describes whether any DNS logs are enabled as data sources.
", "DataSourcesFreeTrial$FlowLogs": "Describes whether any VPC Flow logs are enabled as data sources.
", "DataSourcesFreeTrial$S3Logs": "Describes whether any S3 data event logs are enabled as data sources.
", "KubernetesDataSourceFreeTrial$AuditLogs": "Describes whether Kubernetes audit logs are enabled as a data source.
", "MalwareProtectionDataSourceFreeTrial$ScanEc2InstanceWithFindings": "Describes whether Malware Protection for EC2 instances with findings is enabled as a data source.
" } }, "DataSourceList": { "base": null, "refs": { "UsageCriteria$DataSources": "The data sources to aggregate usage statistics from.
" } }, "DataSourceStatus": { "base": null, "refs": { "CloudTrailConfigurationResult$Status": "Describes whether CloudTrail is enabled as a data source for the detector.
", "DNSLogsConfigurationResult$Status": "Denotes whether DNS logs is enabled as a data source.
", "EbsVolumesResult$Status": "Describes whether scanning EBS volumes is enabled as a data source.
", "FlowLogsConfigurationResult$Status": "Denotes whether VPC flow logs is enabled as a data source.
", "KubernetesAuditLogsConfigurationResult$Status": "A value that describes whether Kubernetes audit logs are enabled as a data source.
", "S3LogsConfigurationResult$Status": "A value that describes whether S3 data event logs are automatically enabled for new members of the organization.
" } }, "DataSourcesFreeTrial": { "base": "Contains information about which data sources are enabled for the GuardDuty member account.
", "refs": { "AccountFreeTrialInfo$DataSources": "Describes the data source enabled for the GuardDuty member account.
" } }, "DateStatistics": { "base": "Represents list a map of dates with a count of total findings generated on each date.
", "refs": { "GroupedByDate$member": null } }, "DeclineInvitationsRequest": { "base": null, "refs": {} }, "DeclineInvitationsResponse": { "base": null, "refs": {} }, "DefaultServerSideEncryption": { "base": "Contains information on the server side encryption method used in the S3 bucket. See S3 Server-Side Encryption for more information.
", "refs": { "S3BucketDetail$DefaultServerSideEncryption": "Describes the server side encryption method used in the S3 bucket.
" } }, "DeleteDetectorRequest": { "base": null, "refs": {} }, "DeleteDetectorResponse": { "base": null, "refs": {} }, "DeleteFilterRequest": { "base": null, "refs": {} }, "DeleteFilterResponse": { "base": null, "refs": {} }, "DeleteIPSetRequest": { "base": null, "refs": {} }, "DeleteIPSetResponse": { "base": null, "refs": {} }, "DeleteInvitationsRequest": { "base": null, "refs": {} }, "DeleteInvitationsResponse": { "base": null, "refs": {} }, "DeleteMalwareProtectionPlanRequest": { "base": null, "refs": {} }, "DeleteMembersRequest": { "base": null, "refs": {} }, "DeleteMembersResponse": { "base": null, "refs": {} }, "DeletePublishingDestinationRequest": { "base": null, "refs": {} }, "DeletePublishingDestinationResponse": { "base": null, "refs": {} }, "DeleteThreatEntitySetRequest": { "base": null, "refs": {} }, "DeleteThreatEntitySetResponse": { "base": null, "refs": {} }, "DeleteThreatIntelSetRequest": { "base": null, "refs": {} }, "DeleteThreatIntelSetResponse": { "base": null, "refs": {} }, "DeleteTrustedEntitySetRequest": { "base": null, "refs": {} }, "DeleteTrustedEntitySetResponse": { "base": null, "refs": {} }, "DescribeMalwareScansRequest": { "base": null, "refs": {} }, "DescribeMalwareScansResponse": { "base": null, "refs": {} }, "DescribeOrganizationConfigurationRequest": { "base": null, "refs": {} }, "DescribeOrganizationConfigurationResponse": { "base": null, "refs": {} }, "DescribePublishingDestinationRequest": { "base": null, "refs": {} }, "DescribePublishingDestinationResponse": { "base": null, "refs": {} }, "Destination": { "base": "Contains information about the publishing destination, including the ID, type, and status.
", "refs": { "Destinations$member": null } }, "DestinationProperties": { "base": "Contains the Amazon Resource Name (ARN) of the resource to publish to, such as an S3 bucket, and the ARN of the KMS key to use to encrypt published findings.
", "refs": { "CreatePublishingDestinationRequest$DestinationProperties": "The properties of the publishing destination, including the ARNs for the destination and the KMS key used for encryption.
", "DescribePublishingDestinationResponse$DestinationProperties": "A DestinationProperties object that includes the DestinationArn and KmsKeyArn of the publishing destination.
A DestinationProperties object that includes the DestinationArn and KmsKeyArn of the publishing destination.
The type of resource for the publishing destination. Currently only Amazon S3 buckets are supported.
", "DescribePublishingDestinationResponse$DestinationType": "The type of publishing destination. Currently, only Amazon S3 buckets are supported.
", "Destination$DestinationType": "The type of resource used for the publishing destination. Currently, only Amazon S3 buckets are supported.
" } }, "Destinations": { "base": null, "refs": { "ListPublishingDestinationsResponse$Destinations": "A Destinations object that includes information about each publishing destination returned.
Contains information about the detected behavior.
", "refs": { "Service$Detection": "Contains information about the detected unusual behavior.
" } }, "DetectorAdditionalConfiguration": { "base": "Information about the additional configuration for a feature in your GuardDuty account.
", "refs": { "DetectorAdditionalConfigurations$member": null } }, "DetectorAdditionalConfigurationResult": { "base": "Information about the additional configuration.
", "refs": { "DetectorAdditionalConfigurationResults$member": null } }, "DetectorAdditionalConfigurationResults": { "base": null, "refs": { "DetectorFeatureConfigurationResult$AdditionalConfiguration": "Additional configuration for a resource.
" } }, "DetectorAdditionalConfigurations": { "base": null, "refs": { "DetectorFeatureConfiguration$AdditionalConfiguration": "Additional configuration for a resource.
" } }, "DetectorFeature": { "base": null, "refs": { "DetectorFeatureConfiguration$Name": "The name of the feature.
" } }, "DetectorFeatureConfiguration": { "base": "Contains information about a GuardDuty feature.
Specifying both EKS Runtime Monitoring (EKS_RUNTIME_MONITORING) and Runtime Monitoring (RUNTIME_MONITORING) will cause an error. You can add only one of these two features because Runtime Monitoring already includes the threat detection for Amazon EKS resources. For more information, see Runtime Monitoring.
Contains information about a GuardDuty feature.
Specifying both EKS Runtime Monitoring (EKS_RUNTIME_MONITORING) and Runtime Monitoring (RUNTIME_MONITORING) will cause an error. You can add only one of these two features because Runtime Monitoring already includes the threat detection for Amazon EKS resources. For more information, see Runtime Monitoring.
A list of features that will be configured for the detector.
", "UpdateDetectorRequest$Features": "Provides the features that will be updated for the detector.
" } }, "DetectorFeatureConfigurationsResults": { "base": null, "refs": { "GetDetectorResponse$Features": "Describes the features that have been enabled for the detector.
" } }, "DetectorFeatureResult": { "base": null, "refs": { "DetectorFeatureConfigurationResult$Name": "Indicates the name of the feature that can be enabled for the detector.
" } }, "DetectorId": { "base": null, "refs": { "AcceptAdministratorInvitationRequest$DetectorId": "The unique ID of the detector of the GuardDuty member account.
", "AcceptInvitationRequest$DetectorId": "The unique ID of the detector of the GuardDuty member account.
To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
The ID of the detector that specifies the GuardDuty service whose findings you want to archive.
To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
The unique ID of the GuardDuty detector associated with the resource.
", "CreateDetectorResponse$DetectorId": "The unique ID of the created detector.
", "CreateFilterRequest$DetectorId": "The detector ID associated with the GuardDuty account for which you want to create a filter.
To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
The unique ID of the detector of the GuardDuty account for which you want to create an IPSet.
To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
The unique ID of the detector of the GuardDuty account for which you want to associate member accounts.
To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
The ID of the GuardDuty detector associated with the publishing destination.
To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
The ID of the detector for which you need to create sample findings.
To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
The unique ID of the detector of the GuardDuty account for which you want to create a threat entity set.
To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
The unique ID of the detector of the GuardDuty account for which you want to create a threatIntelSet.
To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
The unique ID of the detector of the GuardDuty account for which you want to create a trusted entity set.
To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
The unique ID of the detector that you want to delete.
To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
The unique ID of the detector that is associated with the filter.
To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
The unique ID of the detector associated with the IPSet.
To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
The unique ID of the detector of the GuardDuty account whose members you want to delete.
To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
The unique ID of the detector associated with the publishing destination to delete.
To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
The unique ID of the detector associated with the threat entity set resource.
To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
The unique ID of the detector that is associated with the threatIntelSet.
To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
The unique ID of the detector associated with the trusted entity set resource.
To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
The unique ID of the detector that the request is associated with.
To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
The detector ID of the delegated administrator for which you need to retrieve the information.
To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
The unique ID of the detector associated with the publishing destination to retrieve.
To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
The unique ID of the detector of the GuardDuty member account.
", "DisassociateFromMasterAccountRequest$DetectorId": "The unique ID of the detector of the GuardDuty member account.
", "DisassociateMembersRequest$DetectorId": "The unique ID of the detector of the GuardDuty account whose members you want to disassociate from the administrator account.
", "GetAdministratorAccountRequest$DetectorId": "The unique ID of the detector of the GuardDuty member account.
", "GetCoverageStatisticsRequest$DetectorId": "The unique ID of the GuardDuty detector.
To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
The unique ID of the detector that you want to get.
To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
The unique ID of the detector that is associated with this filter.
To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
The ID of the detector that specifies the GuardDuty service whose findings you want to retrieve.
To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
The ID of the detector whose findings statistics you want to retrieve.
To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
The unique ID of the detector that is associated with the IPSet.
To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
The unique ID of the detector that is associated with this scan.
To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
The unique ID of the detector of the GuardDuty member account.
To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
The detector ID for the administrator account.
To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
The unique ID of the detector of the GuardDuty account whose members you want to retrieve.
To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
The unique ID of the detector of the GuardDuty member account.
To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
The unique ID of the detector associated with the threat entity set resource.
To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
The unique ID of the detector that is associated with the threatIntelSet.
To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
The unique ID of the GuardDuty detector associated with this trusted entity set.
", "GetUsageStatisticsRequest$DetectorId": "The ID of the detector that specifies the GuardDuty service whose usage statistics you want to retrieve.
To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
The unique ID of the detector of the GuardDuty account with which you want to invite members.
To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
The unique ID of the detector whose coverage details you want to retrieve.
To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
The unique ID of the detector that is associated with the filter.
To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
The ID of the detector that specifies the GuardDuty service whose findings you want to list.
To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
The unique ID of the detector that is associated with IPSet.
To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
The unique ID of the detector that is associated with the member.
To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
The detector ID for which you want to retrieve the publishing destination.
To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
The unique ID of the GuardDuty detector that is associated with this threat entity set.
To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
The unique ID of the detector that is associated with the threatIntelSet.
To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
The unique ID of the GuardDuty detector that is associated with this threat entity set.
To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
The detector ID of the member account.
", "Scan$DetectorId": "The unique ID of the detector that is associated with the request.
To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
The unique detector ID of the administrator account that the request is associated with. If the account is an administrator, the AdminDetectorId will be the same as the one used for DetectorId.
To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
The detector ID for the GuardDuty service.
", "StartMonitoringMembersRequest$DetectorId": "The unique ID of the detector of the GuardDuty administrator account associated with the member accounts to monitor.
To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
The unique ID of the detector associated with the GuardDuty administrator account that is monitoring member accounts.
To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
The ID of the detector associated with the findings to unarchive.
To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
The unique ID of the detector to update.
To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
The unique ID of the detector that specifies the GuardDuty service where you want to update a filter.
To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
The ID of the detector that is associated with the findings for which you want to update the feedback.
To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
The detectorID that specifies the GuardDuty service whose IPSet you want to update.
To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
The unique ID of the detector that specifies the GuardDuty service where you want to update scan settings.
To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
The detector ID of the administrator account.
To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
The ID of the detector that configures the delegated administrator.
To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
The ID of the detector associated with the publishing destinations to update.
To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
The unique ID of the GuardDuty detector associated with the threat entity set that you want to update.
To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
The detectorID that specifies the GuardDuty service whose ThreatIntelSet you want to update.
To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
The unique ID of the GuardDuty detector associated with the threat entity set that you want to update.
To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
A list of detector IDs.
" } }, "DetectorStatus": { "base": null, "refs": { "GetDetectorResponse$Status": "The detector status.
" } }, "DisableOrganizationAdminAccountRequest": { "base": null, "refs": {} }, "DisableOrganizationAdminAccountResponse": { "base": null, "refs": {} }, "DisassociateFromAdministratorAccountRequest": { "base": null, "refs": {} }, "DisassociateFromAdministratorAccountResponse": { "base": null, "refs": {} }, "DisassociateFromMasterAccountRequest": { "base": null, "refs": {} }, "DisassociateFromMasterAccountResponse": { "base": null, "refs": {} }, "DisassociateMembersRequest": { "base": null, "refs": {} }, "DisassociateMembersResponse": { "base": null, "refs": {} }, "DnsRequestAction": { "base": "Contains information about the DNS_REQUEST action described in this finding.
", "refs": { "Action$DnsRequestAction": "Information about the DNS_REQUEST action described in this finding.
" } }, "DomainDetails": { "base": "Contains information about the domain.
", "refs": { "AwsApiCallAction$DomainDetails": "The domain information for the Amazon Web Services API call.
" } }, "Double": { "base": null, "refs": { "DateStatistics$Severity": "The severity of the findings generated on each date.
", "Finding$Confidence": "The confidence score for the finding.
", "Finding$Severity": "The severity of the finding.
", "GeoLocation$Lat": "The latitude information of the remote IP address.
", "GeoLocation$Lon": "The longitude information of the remote IP address.
", "NetworkGeoLocation$Latitude": "The latitude information of the endpoint location.
", "NetworkGeoLocation$Longitude": "The longitude information of the endpoint location.
", "SeverityStatistics$Severity": "The severity level associated with each finding type.
", "Signal$Severity": "The severity associated with the signal. For more information about severity, see Findings severity levels in the Amazon GuardDuty User Guide.
" } }, "EbsSnapshotPreservation": { "base": null, "refs": { "GetMalwareScanSettingsResponse$EbsSnapshotPreservation": "An enum value representing possible snapshot preservation settings.
", "UpdateMalwareScanSettingsRequest$EbsSnapshotPreservation": "An enum value representing possible snapshot preservation settings.
" } }, "EbsVolumeDetails": { "base": "Contains list of scanned and skipped EBS volumes with details.
", "refs": { "Resource$EbsVolumeDetails": "Contains list of scanned and skipped EBS volumes with details.
" } }, "EbsVolumeScanDetails": { "base": "Contains details from the malware scan that created a finding.
", "refs": { "Service$EbsVolumeScanDetails": "Returns details from the malware scan that created a finding.
" } }, "EbsVolumesResult": { "base": "Describes the configuration of scanning EBS volumes as a data source.
", "refs": { "ScanEc2InstanceWithFindingsResult$EbsVolumes": "Describes the configuration of scanning EBS volumes as a data source.
" } }, "Ec2Instance": { "base": "Details about the potentially impacted Amazon EC2 instance resource.
", "refs": { "ResourceData$Ec2Instance": "Contains information about the Amazon EC2 instance.
" } }, "Ec2InstanceUid": { "base": null, "refs": { "Ec2InstanceUids$member": null } }, "Ec2InstanceUids": { "base": null, "refs": { "EksCluster$Ec2InstanceUids": "A list of unique identifiers for the Amazon EC2 instances that serve as worker nodes in the Amazon EKS cluster.
" } }, "Ec2NetworkInterface": { "base": "Contains information about the elastic network interface of the Amazon EC2 instance.
", "refs": { "ResourceData$Ec2NetworkInterface": "Contains information about the elastic network interface of the Amazon EC2 instance.
" } }, "Ec2NetworkInterfaceUids": { "base": null, "refs": { "Ec2Instance$Ec2NetworkInterfaceUids": "The ID of the network interface.
" } }, "EcsClusterDetails": { "base": "Contains information about the details of the ECS Cluster.
", "refs": { "Resource$EcsClusterDetails": "Contains information about the details of the ECS Cluster.
" } }, "EcsTaskDetails": { "base": "Contains information about the task in an ECS cluster.
", "refs": { "EcsClusterDetails$TaskDetails": "Contains information about the details of the ECS Task.
" } }, "EksCluster": { "base": "Contains information about the Amazon EKS cluster involved in a GuardDuty finding, including cluster identification, status, and network configuration.
", "refs": { "ResourceData$EksCluster": "Contains detailed information about the Amazon EKS cluster associated with the activity that prompted GuardDuty to generate a finding.
" } }, "EksClusterDetails": { "base": "Details about the EKS cluster involved in a Kubernetes finding.
", "refs": { "Resource$EksClusterDetails": "Details about the EKS cluster involved in a Kubernetes finding.
" } }, "Email": { "base": null, "refs": { "AccountDetail$Email": "The email address of the member account. The following list includes the rules for a valid email address:
The email address must be a minimum of 6 and a maximum of 64 characters long.
All characters must be 7-bit ASCII characters.
There must be one and only one @ symbol, which separates the local name from the domain name.
The local name can't contain any of the following characters:
whitespace, \" ' ( ) < > [ ] : ' , \\ | % &
The local name can't begin with a dot (.).
The domain name can consist of only the characters [a-z], [A-Z], [0-9], hyphen (-), or dot (.).
The domain name can't begin or end with a dot (.) or hyphen (-).
The domain name must contain at least one dot.
The email address of the member account.
" } }, "EnableOrganizationAdminAccountRequest": { "base": null, "refs": {} }, "EnableOrganizationAdminAccountResponse": { "base": null, "refs": {} }, "EndpointIds": { "base": null, "refs": { "Signal$EndpointIds": "Information about the endpoint IDs associated with this signal.
" } }, "Eq": { "base": null, "refs": { "Condition$Eq": "Represents the equal condition to be applied to a single field when querying for findings.
" } }, "Equals": { "base": null, "refs": { "Condition$Equals": "Represents an equal condition to be applied to a single field when querying for findings.
", "CoverageFilterCondition$Equals": "Represents an equal condition that is applied to a single field while retrieving the coverage details.
" } }, "Evidence": { "base": "Contains information about the reason that the finding was generated.
", "refs": { "Service$Evidence": "An evidence object associated with the service.
" } }, "ExpectedBucketOwner": { "base": null, "refs": { "CreateThreatEntitySetRequest$ExpectedBucketOwner": "The Amazon Web Services account ID that owns the Amazon S3 bucket specified in the location parameter.
", "CreateTrustedEntitySetRequest$ExpectedBucketOwner": "The Amazon Web Services account ID that owns the Amazon S3 bucket specified in the location parameter.
", "GetThreatEntitySetResponse$ExpectedBucketOwner": "The Amazon Web Services account ID that owns the Amazon S3 bucket specified in the location parameter.
", "GetTrustedEntitySetResponse$ExpectedBucketOwner": "The Amazon Web Services account ID that owns the Amazon S3 bucket specified in the location parameter.
", "UpdateThreatEntitySetRequest$ExpectedBucketOwner": "The Amazon Web Services account ID that owns the Amazon S3 bucket specified in the location parameter.
", "UpdateTrustedEntitySetRequest$ExpectedBucketOwner": "The Amazon Web Services account ID that owns the Amazon S3 bucket specified in the location parameter.
" } }, "FargateDetails": { "base": "Contains information about Amazon Web Services Fargate details associated with an Amazon ECS cluster.
", "refs": { "CoverageEcsClusterDetails$FargateDetails": "Information about the Fargate details associated with the Amazon ECS cluster.
" } }, "FeatureAdditionalConfiguration": { "base": null, "refs": { "DetectorAdditionalConfiguration$Name": "Name of the additional configuration.
", "DetectorAdditionalConfigurationResult$Name": "Name of the additional configuration.
" } }, "FeatureStatus": { "base": null, "refs": { "DetectorAdditionalConfiguration$Status": "Status of the additional configuration.
", "DetectorAdditionalConfigurationResult$Status": "Status of the additional configuration.
", "DetectorFeatureConfiguration$Status": "The status of the feature.
", "DetectorFeatureConfigurationResult$Status": "Indicates the status of the feature that is enabled for the detector.
", "MemberAdditionalConfiguration$Status": "Status of the additional configuration.
", "MemberAdditionalConfigurationResult$Status": "Indicates the status of the additional configuration that is set for the member account.
", "MemberFeaturesConfiguration$Status": "The status of the feature.
", "MemberFeaturesConfigurationResult$Status": "Indicates the status of the feature that is enabled for the detector.
" } }, "Feedback": { "base": null, "refs": { "UpdateFindingsFeedbackRequest$Feedback": "The feedback for the finding.
" } }, "FilePaths": { "base": null, "refs": { "ScanThreatName$FilePaths": "List of infected files in EBS volume with details.
" } }, "FilterAction": { "base": null, "refs": { "CreateFilterRequest$Action": "Specifies the action that is to be applied to the findings that match the filter.
", "GetFilterResponse$Action": "Specifies the action that is to be applied to the findings that match the filter.
", "UpdateFilterRequest$Action": "Specifies the action that is to be applied to the findings that match the filter.
" } }, "FilterCondition": { "base": "Contains information about the condition.
", "refs": { "FilterCriterion$FilterCondition": "Contains information about the condition.
" } }, "FilterCriteria": { "base": "Represents the criteria to be used in the filter for describing scan entries.
", "refs": { "DescribeMalwareScansRequest$FilterCriteria": "Represents the criteria to be used in the filter for describing scan entries.
" } }, "FilterCriterion": { "base": "Represents a condition that when matched will be added to the response of the operation. Irrespective of using any filter criteria, an administrator account can view the scan entries for all of its member accounts. However, each member account can view the scan entries only for their own account.
", "refs": { "FilterCriterionList$member": null } }, "FilterCriterionList": { "base": null, "refs": { "FilterCriteria$FilterCriterion": "Represents a condition that when matched will be added to the response of the operation.
" } }, "FilterDescription": { "base": null, "refs": { "CreateFilterRequest$Description": "The description of the filter. Valid characters include alphanumeric characters, and special characters such as hyphen, period, colon, underscore, parentheses ({ }, [ ], and ( )), forward slash, horizontal tab, vertical tab, newline, form feed, return, and whitespace.
The description of the filter.
", "UpdateFilterRequest$Description": "The description of the filter. Valid characters include alphanumeric characters, and special characters such as hyphen, period, colon, underscore, parentheses ({ }, [ ], and ( )), forward slash, horizontal tab, vertical tab, newline, form feed, return, and whitespace.
The name of the filter. Valid characters include period (.), underscore (_), dash (-), and alphanumeric characters. A whitespace is considered to be an invalid character.
", "CreateFilterResponse$Name": "The name of the successfully created filter.
", "FilterNames$member": null, "GetFilterResponse$Name": "The name of the filter.
", "UpdateFilterResponse$Name": "The name of the filter.
" } }, "FilterNames": { "base": null, "refs": { "ListFiltersResponse$FilterNames": "A list of filter names.
" } }, "FilterRank": { "base": null, "refs": { "CreateFilterRequest$Rank": "Specifies the position of the filter in the list of current filters. Also specifies the order in which this filter is applied to the findings.
", "GetFilterResponse$Rank": "Specifies the position of the filter in the list of current filters. Also specifies the order in which this filter is applied to the findings.
", "UpdateFilterRequest$Rank": "Specifies the position of the filter in the list of current filters. Also specifies the order in which this filter is applied to the findings.
" } }, "Finding": { "base": "Contains information about the finding that is generated when abnormal or suspicious activity is detected.
", "refs": { "Findings$member": null } }, "FindingCriteria": { "base": "Contains information about the criteria used for querying findings.
", "refs": { "CreateFilterRequest$FindingCriteria": "Represents the criteria to be used in the filter for querying findings.
You can only use the following attributes to query findings:
accountId
id
region
severity
To filter on the basis of severity, the API and CLI use the following input list for the FindingCriteria condition:
Low: [\"1\", \"2\", \"3\"]
Medium: [\"4\", \"5\", \"6\"]
High: [\"7\", \"8\"]
Critical: [\"9\", \"10\"]
For more information, see Findings severity levels in the Amazon GuardDuty User Guide.
type
updatedAt
Type: ISO 8601 string format: YYYY-MM-DDTHH:MM:SS.SSSZ or YYYY-MM-DDTHH:MM:SSZ depending on whether the value contains milliseconds.
resource.accessKeyDetails.accessKeyId
resource.accessKeyDetails.principalId
resource.accessKeyDetails.userName
resource.accessKeyDetails.userType
resource.instanceDetails.iamInstanceProfile.id
resource.instanceDetails.imageId
resource.instanceDetails.instanceId
resource.instanceDetails.tags.key
resource.instanceDetails.tags.value
resource.instanceDetails.networkInterfaces.ipv6Addresses
resource.instanceDetails.networkInterfaces.privateIpAddresses.privateIpAddress
resource.instanceDetails.networkInterfaces.publicDnsName
resource.instanceDetails.networkInterfaces.publicIp
resource.instanceDetails.networkInterfaces.securityGroups.groupId
resource.instanceDetails.networkInterfaces.securityGroups.groupName
resource.instanceDetails.networkInterfaces.subnetId
resource.instanceDetails.networkInterfaces.vpcId
resource.instanceDetails.outpostArn
resource.resourceType
resource.s3BucketDetails.publicAccess.effectivePermissions
resource.s3BucketDetails.name
resource.s3BucketDetails.tags.key
resource.s3BucketDetails.tags.value
resource.s3BucketDetails.type
service.action.actionType
service.action.awsApiCallAction.api
service.action.awsApiCallAction.callerType
service.action.awsApiCallAction.errorCode
service.action.awsApiCallAction.remoteIpDetails.city.cityName
service.action.awsApiCallAction.remoteIpDetails.country.countryName
service.action.awsApiCallAction.remoteIpDetails.ipAddressV4
service.action.awsApiCallAction.remoteIpDetails.ipAddressV6
service.action.awsApiCallAction.remoteIpDetails.organization.asn
service.action.awsApiCallAction.remoteIpDetails.organization.asnOrg
service.action.awsApiCallAction.serviceName
service.action.dnsRequestAction.domain
service.action.dnsRequestAction.domainWithSuffix
service.action.dnsRequestAction.vpcOwnerAccountId
service.action.networkConnectionAction.blocked
service.action.networkConnectionAction.connectionDirection
service.action.networkConnectionAction.localPortDetails.port
service.action.networkConnectionAction.protocol
service.action.networkConnectionAction.remoteIpDetails.city.cityName
service.action.networkConnectionAction.remoteIpDetails.country.countryName
service.action.networkConnectionAction.remoteIpDetails.ipAddressV4
service.action.networkConnectionAction.remoteIpDetails.ipAddressV6
service.action.networkConnectionAction.remoteIpDetails.organization.asn
service.action.networkConnectionAction.remoteIpDetails.organization.asnOrg
service.action.networkConnectionAction.remotePortDetails.port
service.action.awsApiCallAction.remoteAccountDetails.affiliated
service.action.kubernetesApiCallAction.remoteIpDetails.ipAddressV4
service.action.kubernetesApiCallAction.remoteIpDetails.ipAddressV6
service.action.kubernetesApiCallAction.namespace
service.action.kubernetesApiCallAction.remoteIpDetails.organization.asn
service.action.kubernetesApiCallAction.requestUri
service.action.kubernetesApiCallAction.statusCode
service.action.networkConnectionAction.localIpDetails.ipAddressV4
service.action.networkConnectionAction.localIpDetails.ipAddressV6
service.action.networkConnectionAction.protocol
service.action.awsApiCallAction.serviceName
service.action.awsApiCallAction.remoteAccountDetails.accountId
service.additionalInfo.threatListName
service.resourceRole
resource.eksClusterDetails.name
resource.kubernetesDetails.kubernetesWorkloadDetails.name
resource.kubernetesDetails.kubernetesWorkloadDetails.namespace
resource.kubernetesDetails.kubernetesUserDetails.username
resource.kubernetesDetails.kubernetesWorkloadDetails.containers.image
resource.kubernetesDetails.kubernetesWorkloadDetails.containers.imagePrefix
service.ebsVolumeScanDetails.scanId
service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.name
service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.severity
service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.filePaths.hash
resource.ecsClusterDetails.name
resource.ecsClusterDetails.taskDetails.containers.image
resource.ecsClusterDetails.taskDetails.definitionArn
resource.containerDetails.image
resource.rdsDbInstanceDetails.dbInstanceIdentifier
resource.rdsDbInstanceDetails.dbClusterIdentifier
resource.rdsDbInstanceDetails.engine
resource.rdsDbUserDetails.user
resource.rdsDbInstanceDetails.tags.key
resource.rdsDbInstanceDetails.tags.value
service.runtimeDetails.process.executableSha256
service.runtimeDetails.process.name
service.runtimeDetails.process.executablePath
resource.lambdaDetails.functionName
resource.lambdaDetails.functionArn
resource.lambdaDetails.tags.key
resource.lambdaDetails.tags.value
Represents the criteria to be used in the filter for querying findings.
", "GetFindingsStatisticsRequest$FindingCriteria": "Represents the criteria that is used for querying findings.
", "ListFindingsRequest$FindingCriteria": "Represents the criteria used for querying findings. Valid values include:
JSON field name
accountId
region
confidence
id
resource.accessKeyDetails.accessKeyId
resource.accessKeyDetails.principalId
resource.accessKeyDetails.userName
resource.accessKeyDetails.userType
resource.instanceDetails.iamInstanceProfile.id
resource.instanceDetails.imageId
resource.instanceDetails.instanceId
resource.instanceDetails.networkInterfaces.ipv6Addresses
resource.instanceDetails.networkInterfaces.privateIpAddresses.privateIpAddress
resource.instanceDetails.networkInterfaces.publicDnsName
resource.instanceDetails.networkInterfaces.publicIp
resource.instanceDetails.networkInterfaces.securityGroups.groupId
resource.instanceDetails.networkInterfaces.securityGroups.groupName
resource.instanceDetails.networkInterfaces.subnetId
resource.instanceDetails.networkInterfaces.vpcId
resource.instanceDetails.tags.key
resource.instanceDetails.tags.value
resource.resourceType
service.action.actionType
service.action.awsApiCallAction.api
service.action.awsApiCallAction.callerType
service.action.awsApiCallAction.remoteIpDetails.city.cityName
service.action.awsApiCallAction.remoteIpDetails.country.countryName
service.action.awsApiCallAction.remoteIpDetails.ipAddressV4
service.action.awsApiCallAction.remoteIpDetails.organization.asn
service.action.awsApiCallAction.remoteIpDetails.organization.asnOrg
service.action.awsApiCallAction.serviceName
service.action.dnsRequestAction.domain
service.action.dnsRequestAction.domainWithSuffix
service.action.networkConnectionAction.blocked
service.action.networkConnectionAction.connectionDirection
service.action.networkConnectionAction.localPortDetails.port
service.action.networkConnectionAction.protocol
service.action.networkConnectionAction.remoteIpDetails.country.countryName
service.action.networkConnectionAction.remoteIpDetails.ipAddressV4
service.action.networkConnectionAction.remoteIpDetails.organization.asn
service.action.networkConnectionAction.remoteIpDetails.organization.asnOrg
service.action.networkConnectionAction.remotePortDetails.port
service.additionalInfo.threatListName
service.archived
When this attribute is set to 'true', only archived findings are listed. When it's set to 'false', only unarchived findings are listed. When this attribute is not set, all existing findings are listed.
service.ebsVolumeScanDetails.scanId
service.resourceRole
severity
type
updatedAt
Type: Timestamp in Unix Epoch millisecond format: 1486685375000
Represents the criteria to be used in the filter for querying findings.
" } }, "FindingId": { "base": null, "refs": { "FindingIds$member": null } }, "FindingIds": { "base": null, "refs": { "ArchiveFindingsRequest$FindingIds": "The IDs of the findings that you want to archive.
", "GetFindingsRequest$FindingIds": "The IDs of the findings that you want to retrieve.
", "ListFindingsResponse$FindingIds": "The IDs of the findings that you're listing.
", "UnarchiveFindingsRequest$FindingIds": "The IDs of the findings to unarchive.
", "UpdateFindingsFeedbackRequest$FindingIds": "The IDs of the findings that you want to mark as useful or not useful.
" } }, "FindingPublishingFrequency": { "base": null, "refs": { "CreateDetectorRequest$FindingPublishingFrequency": "A value that specifies how frequently updated findings are exported.
", "GetDetectorResponse$FindingPublishingFrequency": "The publishing frequency of the finding.
", "UpdateDetectorRequest$FindingPublishingFrequency": "An enum value that specifies how frequently findings are exported, such as to CloudWatch Events.
" } }, "FindingResourceType": { "base": null, "refs": { "ResourceV2$ResourceType": "The type of the Amazon Web Services resource.
" } }, "FindingStatisticType": { "base": null, "refs": { "FindingStatisticTypes$member": null } }, "FindingStatisticTypes": { "base": null, "refs": { "GetFindingsStatisticsRequest$FindingStatisticTypes": "The types of finding statistics to retrieve.
" } }, "FindingStatistics": { "base": "Contains information about finding statistics.
", "refs": { "GetFindingsStatisticsResponse$FindingStatistics": "The finding statistics object.
" } }, "FindingType": { "base": null, "refs": { "AdditionalSequenceTypes$member": null, "Finding$Type": "The type of finding.
", "FindingTypes$member": null } }, "FindingTypeStatistics": { "base": "Information about each finding type associated with the groupedByFindingType statistics.
The types of sample findings to generate.
" } }, "Findings": { "base": null, "refs": { "GetFindingsResponse$Findings": "A list of findings.
" } }, "FlagsList": { "base": null, "refs": { "RuntimeContext$Flags": "Represents options that control the behavior of a runtime operation or action. For example, a filesystem mount operation may contain a read-only flag.
" } }, "FlowLogsConfigurationResult": { "base": "Contains information on the status of VPC flow logs as a data source.
", "refs": { "DataSourceConfigurationsResult$FlowLogs": "An object that contains information on the status of VPC flow logs as a data source.
" } }, "FreeTrialFeatureConfigurationResult": { "base": "Contains information about the free trial period for a feature.
", "refs": { "FreeTrialFeatureConfigurationsResults$member": null } }, "FreeTrialFeatureConfigurationsResults": { "base": null, "refs": { "AccountFreeTrialInfo$Features": "A list of features enabled for the GuardDuty account.
" } }, "FreeTrialFeatureResult": { "base": null, "refs": { "FreeTrialFeatureConfigurationResult$Name": "The name of the feature for which the free trial is configured.
" } }, "GeoLocation": { "base": "Contains information about the location of the remote IP address. By default, GuardDuty returns Geolocation with Lat and Lon as 0.0.
The location information of the remote IP address.
" } }, "GetAdministratorAccountRequest": { "base": null, "refs": {} }, "GetAdministratorAccountResponse": { "base": null, "refs": {} }, "GetCoverageStatisticsRequest": { "base": null, "refs": {} }, "GetCoverageStatisticsResponse": { "base": null, "refs": {} }, "GetDetectorRequest": { "base": null, "refs": {} }, "GetDetectorResponse": { "base": null, "refs": {} }, "GetFilterRequest": { "base": null, "refs": {} }, "GetFilterResponse": { "base": null, "refs": {} }, "GetFindingsRequest": { "base": null, "refs": {} }, "GetFindingsResponse": { "base": null, "refs": {} }, "GetFindingsStatisticsRequest": { "base": null, "refs": {} }, "GetFindingsStatisticsResponse": { "base": null, "refs": {} }, "GetIPSetRequest": { "base": null, "refs": {} }, "GetIPSetResponse": { "base": null, "refs": {} }, "GetInvitationsCountRequest": { "base": null, "refs": {} }, "GetInvitationsCountResponse": { "base": null, "refs": {} }, "GetMalwareProtectionPlanRequest": { "base": null, "refs": {} }, "GetMalwareProtectionPlanResponse": { "base": null, "refs": {} }, "GetMalwareScanSettingsRequest": { "base": null, "refs": {} }, "GetMalwareScanSettingsResponse": { "base": null, "refs": {} }, "GetMasterAccountRequest": { "base": null, "refs": {} }, "GetMasterAccountResponse": { "base": null, "refs": {} }, "GetMemberDetectorsRequest": { "base": null, "refs": {} }, "GetMemberDetectorsResponse": { "base": null, "refs": {} }, "GetMembersRequest": { "base": null, "refs": {} }, "GetMembersResponse": { "base": null, "refs": {} }, "GetOrganizationStatisticsResponse": { "base": null, "refs": {} }, "GetRemainingFreeTrialDaysRequest": { "base": null, "refs": {} }, "GetRemainingFreeTrialDaysResponse": { "base": null, "refs": {} }, "GetThreatEntitySetRequest": { "base": null, "refs": {} }, "GetThreatEntitySetResponse": { "base": null, "refs": {} }, "GetThreatIntelSetRequest": { "base": null, "refs": {} }, "GetThreatIntelSetResponse": { "base": null, "refs": {} }, "GetTrustedEntitySetRequest": { "base": null, "refs": {} }, "GetTrustedEntitySetResponse": { "base": null, "refs": {} }, "GetUsageStatisticsRequest": { "base": null, "refs": {} }, "GetUsageStatisticsResponse": { "base": null, "refs": {} }, "GroupByType": { "base": null, "refs": { "GetFindingsStatisticsRequest$GroupBy": "Displays the findings statistics grouped by one of the listed valid values.
" } }, "GroupedByAccount": { "base": null, "refs": { "FindingStatistics$GroupedByAccount": "Represents a list of map of accounts with a findings count associated with each account.
" } }, "GroupedByDate": { "base": null, "refs": { "FindingStatistics$GroupedByDate": "Represents a list of map of dates with a count of total findings generated on each date per severity level.
" } }, "GroupedByFindingType": { "base": null, "refs": { "FindingStatistics$GroupedByFindingType": "Represents a list of map of finding types with a count of total findings generated for each type.
Based on the orderBy parameter, this request returns either the most occurring finding types or the least occurring finding types. If the orderBy parameter is ASC, this will represent the least occurring finding types in your account; otherwise, this will represent the most occurring finding types. The default value of orderBy is DESC.
Represents a list of map of top resources with a count of total findings.
" } }, "GroupedBySeverity": { "base": null, "refs": { "FindingStatistics$GroupedBySeverity": "Represents a list of map of total findings for each severity level.
" } }, "Groups": { "base": null, "refs": { "ImpersonatedUser$Groups": "The group to which the user name belongs.
The groups that include the user who called the Kubernetes API.
" } }, "GuardDutyArn": { "base": null, "refs": { "ListTagsForResourceRequest$ResourceArn": "The Amazon Resource Name (ARN) for the given GuardDuty resource.
", "TagResourceRequest$ResourceArn": "The Amazon Resource Name (ARN) for the GuardDuty resource to apply a tag to.
", "UntagResourceRequest$ResourceArn": "The Amazon Resource Name (ARN) for the resource to remove tags from.
" } }, "HighestSeverityThreatDetails": { "base": "Contains details of the highest severity threat detected during scan and number of infected files.
", "refs": { "ScanDetections$HighestSeverityThreatDetails": "Details of the highest severity threat detected during malware scan and number of infected files.
" } }, "HostPath": { "base": "Represents a pre-existing file or directory on the host machine that the volume maps to.
", "refs": { "Volume$HostPath": "Represents a pre-existing file or directory on the host machine that the volume maps to.
" } }, "IamInstanceProfile": { "base": "Contains information about the EC2 instance profile.
", "refs": { "Ec2Instance$IamInstanceProfile": null, "InstanceDetails$IamInstanceProfile": "The profile information of the EC2 instance.
" } }, "ImpersonatedUser": { "base": "Contains information about the impersonated user.
", "refs": { "KubernetesUserDetails$ImpersonatedUser": "Information about the impersonated user.
" } }, "Indicator": { "base": "Contains information about the indicators that include a set of signals observed in an attack sequence.
", "refs": { "Indicators$member": null } }, "IndicatorTitle": { "base": null, "refs": { "Indicator$Title": "Title describing the indicator.
" } }, "IndicatorType": { "base": null, "refs": { "Indicator$Key": "Specific indicator keys observed in the attack sequence. For description of the valid values for key, see Attack sequence finding details in the Amazon GuardDuty User Guide.
" } }, "IndicatorValueString": { "base": null, "refs": { "IndicatorValues$member": null } }, "IndicatorValues": { "base": null, "refs": { "Indicator$Values": "Values associated with each indicator key. For example, if the indicator key is SUSPICIOUS_NETWORK, then the value will be the name of the network. If the indicator key is ATTACK_TACTIC, then the value will be one of the MITRE tactics.
Contains information about the indicators observed in the attack sequence.
", "Signal$SignalIndicators": "Contains information about the indicators associated with the signals.
" } }, "InstanceArn": { "base": null, "refs": { "ResourceDetails$InstanceArn": "Instance ARN that was scanned in the scan entry.
" } }, "InstanceDetails": { "base": "Contains information about the details of an instance.
", "refs": { "Resource$InstanceDetails": "The information about the EC2 instance associated with the activity that prompted GuardDuty to generate a finding.
" } }, "Integer": { "base": null, "refs": { "AccountStatistics$TotalFindings": "The total number of findings associated with an account.
", "AutonomousSystem$Number": "The unique number that identifies the Autonomous System (AS).
", "Condition$Gt": "Represents a greater than condition to be applied to a single field when querying for findings.
", "Condition$Gte": "Represents a greater than or equal condition to be applied to a single field when querying for findings.
", "Condition$Lt": "Represents a less than condition to be applied to a single field when querying for findings.
", "Condition$Lte": "Represents a less than or equal condition to be applied to a single field when querying for findings.
", "CountBySeverity$value": null, "DataSourceFreeTrial$FreeTrialDaysRemaining": "A value that specifies the number of days left to use each enabled data source.
", "DateStatistics$TotalFindings": "The total number of findings that were generated per severity level on each date.
", "EcsClusterDetails$ActiveServicesCount": "The number of services that are running on the cluster in an ACTIVE state.
", "EcsClusterDetails$RegisteredContainerInstancesCount": "The number of container instances registered into the cluster.
", "EcsClusterDetails$RunningTasksCount": "The number of tasks in the cluster that are in the RUNNING state.
", "FindingTypeStatistics$TotalFindings": "The total number of findings associated with generated for each distinct finding type.
", "FreeTrialFeatureConfigurationResult$FreeTrialDaysRemaining": "The number of the remaining free trial days for the feature.
", "GetInvitationsCountResponse$InvitationsCount": "The number of received invitations.
", "HighestSeverityThreatDetails$Count": "Total number of infected files with the highest severity threat detected.
", "KubernetesApiCallAction$StatusCode": "The resulting HTTP response code of the Kubernetes API call action.
", "LineageObject$NamespacePid": "The process ID of the child process.
", "LineageObject$UserId": "The user ID of the user that executed the process.
", "LineageObject$Pid": "The ID of the process.
", "LineageObject$Euid": "The effective user ID that was used to execute the process.
", "LocalPortDetails$Port": "The port number of the local connection.
", "LoginAttribute$FailedLoginAttempts": "Represents the sum of failed (unsuccessful) login attempts made to establish a connection to the database instance.
", "LoginAttribute$SuccessfulLoginAttempts": "Represents the sum of successful connections (a correct combination of login attributes) made to the database instance by the actor.
", "NetworkEndpoint$Port": "The port number associated with the network endpoint.
", "OrganizationFeatureStatistics$EnabledAccountsCount": "Total number of accounts that have enabled a specific feature.
", "OrganizationFeatureStatisticsAdditionalConfiguration$EnabledAccountsCount": "Total number of accounts that have enabled the additional configuration.
", "OrganizationStatistics$TotalAccountsCount": "Total number of accounts in your Amazon Web Services organization.
", "OrganizationStatistics$MemberAccountsCount": "Total number of accounts in your Amazon Web Services organization that are associated with GuardDuty.
", "OrganizationStatistics$ActiveAccountsCount": "Total number of active accounts in your Amazon Web Services organization that are associated with GuardDuty.
", "OrganizationStatistics$EnabledAccountsCount": "Total number of accounts that have enabled GuardDuty.
", "ProcessDetails$NamespacePid": "The ID of the child process.
", "ProcessDetails$Pid": "The ID of the process.
", "ProcessDetails$UserId": "The unique ID of the user that executed the process.
", "ProcessDetails$Euid": "The effective user ID of the user that executed the process.
", "RemotePortDetails$Port": "The port number of the remote connection.
", "ResourceStatistics$TotalFindings": "The total number of findings associated with this resource.
", "RuntimeContext$IanaProtocolNumber": "Specifies a particular protocol within the address family. Usually there is a single protocol in address families. For example, the address family AF_INET only has the IP protocol.
Total number of files infected with given threat.
", "ScannedItemCount$TotalGb": "Total GB of files scanned for malware.
", "ScannedItemCount$Files": "Number of files scanned.
", "ScannedItemCount$Volumes": "Total number of scanned volumes.
", "Service$Count": "The total count of the occurrences of this finding type.
", "SeverityStatistics$TotalFindings": "The total number of findings associated with this severity.
", "Signal$Count": "The number of times this signal was observed.
", "ThreatDetectedByName$ItemCount": "Total number of infected files identified.
", "ThreatDetectedByName$UniqueThreatNameCount": "Total number of unique threats by name identified, as part of the malware scan.
", "ThreatsDetectedItemCount$Files": "Total number of infected files.
", "VolumeDetail$VolumeSizeInGB": "EBS volume size in GB.
" } }, "IntegerValueWithMax": { "base": null, "refs": { "DescribeMalwareScansRequest$MaxResults": "You can use this parameter to indicate the maximum number of items that you want in the response. The default value is 50. The maximum value is 50.
" } }, "InternalServerErrorException": { "base": "An internal server error exception object.
", "refs": {} }, "Invitation": { "base": "Contains information about the invitation to become a member account.
", "refs": { "Invitations$member": null } }, "Invitations": { "base": null, "refs": { "ListInvitationsResponse$Invitations": "A list of invitation descriptions.
" } }, "InviteMembersRequest": { "base": null, "refs": {} }, "InviteMembersResponse": { "base": null, "refs": {} }, "IpSetFormat": { "base": null, "refs": { "CreateIPSetRequest$Format": "The format of the file that contains the IPSet.
", "GetIPSetResponse$Format": "The format of the file that contains the IPSet.
" } }, "IpSetIds": { "base": null, "refs": { "ListIPSetsResponse$IpSetIds": "The IDs of the IPSet resources.
" } }, "IpSetStatus": { "base": null, "refs": { "GetIPSetResponse$Status": "The status of IPSet file that was uploaded.
" } }, "Ipv6Addresses": { "base": null, "refs": { "Ec2NetworkInterface$Ipv6Addresses": "A list of IPv6 addresses for the Amazon EC2 instance.
", "NetworkInterface$Ipv6Addresses": "A list of IPv6 addresses for the EC2 instance.
" } }, "Issues": { "base": null, "refs": { "FargateDetails$Issues": "Runtime coverage issues identified for the resource running on Amazon Web Services Fargate.
" } }, "ItemPath": { "base": "Information about the nested item path and hash of the protected resource.
", "refs": { "ItemPaths$member": null } }, "ItemPaths": { "base": null, "refs": { "Threat$ItemPaths": "Information about the nested item path and hash of the protected resource.
" } }, "KubernetesApiCallAction": { "base": "Information about the Kubernetes API call action described in this finding.
", "refs": { "Action$KubernetesApiCallAction": "Information about the Kubernetes API call action described in this finding.
" } }, "KubernetesAuditLogsConfiguration": { "base": "Describes whether Kubernetes audit logs are enabled as a data source.
", "refs": { "KubernetesConfiguration$AuditLogs": "The status of Kubernetes audit logs as a data source.
" } }, "KubernetesAuditLogsConfigurationResult": { "base": "Describes whether Kubernetes audit logs are enabled as a data source.
", "refs": { "KubernetesConfigurationResult$AuditLogs": "Describes whether Kubernetes audit logs are enabled as a data source.
" } }, "KubernetesConfiguration": { "base": "Describes whether any Kubernetes data sources are enabled.
", "refs": { "DataSourceConfigurations$Kubernetes": "Describes whether any Kubernetes logs are enabled as data sources.
" } }, "KubernetesConfigurationResult": { "base": "Describes whether any Kubernetes logs will be enabled as a data source.
", "refs": { "DataSourceConfigurationsResult$Kubernetes": "An object that contains information on the status of all Kubernetes data sources.
" } }, "KubernetesDataSourceFreeTrial": { "base": "Provides details about the Kubernetes resources when it is enabled as a data source.
", "refs": { "DataSourcesFreeTrial$Kubernetes": "Describes whether any Kubernetes logs are enabled as data sources.
" } }, "KubernetesDetails": { "base": "Details about Kubernetes resources such as a Kubernetes user or workload resource involved in a Kubernetes finding.
", "refs": { "Resource$KubernetesDetails": "Details about the Kubernetes user and workload involved in a Kubernetes finding.
" } }, "KubernetesPermissionCheckedDetails": { "base": "Information about the Kubernetes API for which you check if you have permission to call.
", "refs": { "Action$KubernetesPermissionCheckedDetails": "Information whether the user has the permission to use a specific Kubernetes API.
" } }, "KubernetesResourcesTypes": { "base": null, "refs": { "KubernetesWorkload$KubernetesResourcesTypes": "The types of Kubernetes resources involved in the workload.
" } }, "KubernetesRoleBindingDetails": { "base": "Contains information about the role binding that grants the permission defined in a Kubernetes role.
", "refs": { "Action$KubernetesRoleBindingDetails": "Information about the role binding that grants the permission defined in a Kubernetes role.
" } }, "KubernetesRoleDetails": { "base": "Information about the Kubernetes role name and role type.
", "refs": { "Action$KubernetesRoleDetails": "Information about the Kubernetes role name and role type.
" } }, "KubernetesUserDetails": { "base": "Details about the Kubernetes user involved in a Kubernetes finding.
", "refs": { "KubernetesDetails$KubernetesUserDetails": "Details about the Kubernetes user involved in a Kubernetes finding.
" } }, "KubernetesWorkload": { "base": "Contains information about Kubernetes workloads involved in a GuardDuty finding, including pods, deployments, and other Kubernetes resources.
", "refs": { "ResourceData$KubernetesWorkload": "Contains detailed information about the Kubernetes workload associated with the activity that prompted GuardDuty to generate a finding.
" } }, "KubernetesWorkloadDetails": { "base": "Details about the Kubernetes workload involved in a Kubernetes finding.
", "refs": { "KubernetesDetails$KubernetesWorkloadDetails": "Details about the Kubernetes workload involved in a Kubernetes finding.
" } }, "LambdaDetails": { "base": "Information about the Lambda function involved in the finding.
", "refs": { "Resource$LambdaDetails": "Contains information about the Lambda function that was involved in a finding.
" } }, "Lineage": { "base": null, "refs": { "ProcessDetails$Lineage": "Information about the process's lineage.
" } }, "LineageObject": { "base": "Information about the runtime process details.
", "refs": { "Lineage$member": null } }, "ListCoverageRequest": { "base": null, "refs": {} }, "ListCoverageResponse": { "base": null, "refs": {} }, "ListDetectorsRequest": { "base": null, "refs": {} }, "ListDetectorsResponse": { "base": null, "refs": {} }, "ListFiltersRequest": { "base": null, "refs": {} }, "ListFiltersResponse": { "base": null, "refs": {} }, "ListFindingsRequest": { "base": null, "refs": {} }, "ListFindingsResponse": { "base": null, "refs": {} }, "ListIPSetsRequest": { "base": null, "refs": {} }, "ListIPSetsResponse": { "base": null, "refs": {} }, "ListInvitationsRequest": { "base": null, "refs": {} }, "ListInvitationsResponse": { "base": null, "refs": {} }, "ListMalwareProtectionPlansRequest": { "base": null, "refs": {} }, "ListMalwareProtectionPlansResponse": { "base": null, "refs": {} }, "ListMembersRequest": { "base": null, "refs": {} }, "ListMembersResponse": { "base": null, "refs": {} }, "ListOrganizationAdminAccountsRequest": { "base": null, "refs": {} }, "ListOrganizationAdminAccountsResponse": { "base": null, "refs": {} }, "ListPublishingDestinationsRequest": { "base": null, "refs": {} }, "ListPublishingDestinationsResponse": { "base": null, "refs": {} }, "ListTagsForResourceRequest": { "base": null, "refs": {} }, "ListTagsForResourceResponse": { "base": null, "refs": {} }, "ListThreatEntitySetsRequest": { "base": null, "refs": {} }, "ListThreatEntitySetsResponse": { "base": null, "refs": {} }, "ListThreatIntelSetsRequest": { "base": null, "refs": {} }, "ListThreatIntelSetsResponse": { "base": null, "refs": {} }, "ListTrustedEntitySetsRequest": { "base": null, "refs": {} }, "ListTrustedEntitySetsResponse": { "base": null, "refs": {} }, "LocalIpDetails": { "base": "Contains information about the local IP address of the connection.
", "refs": { "NetworkConnectionAction$LocalIpDetails": "The local IP information of the connection.
", "PortProbeDetail$LocalIpDetails": "The local IP information of the connection.
" } }, "LocalPortDetails": { "base": "Contains information about the port for the local connection.
", "refs": { "NetworkConnectionAction$LocalPortDetails": "The local port information of the connection.
", "PortProbeDetail$LocalPortDetails": "The local port information of the connection.
" } }, "Location": { "base": null, "refs": { "CreateIPSetRequest$Location": "The URI of the file that contains the IPSet.
", "CreateThreatEntitySetRequest$Location": "The URI of the file that contains the threat entity set.
", "CreateThreatIntelSetRequest$Location": "The URI of the file that contains the ThreatIntelSet.
", "CreateTrustedEntitySetRequest$Location": "The URI of the file that contains the trusted entity set.
", "GetIPSetResponse$Location": "The URI of the file that contains the IPSet.
", "GetThreatEntitySetResponse$Location": "The URI of the file that contains the threat entity set.
", "GetThreatIntelSetResponse$Location": "The URI of the file that contains the ThreatIntelSet.
", "GetTrustedEntitySetResponse$Location": "The URI of the file that contains the trusted entity set.
", "UpdateIPSetRequest$Location": "The updated URI of the file that contains the IPSet.
", "UpdateThreatEntitySetRequest$Location": "The URI of the file that contains the trusted entity set.
", "UpdateThreatIntelSetRequest$Location": "The updated URI of the file that contains the ThreateIntelSet.
", "UpdateTrustedEntitySetRequest$Location": "The URI of the file that contains the trusted entity set.
" } }, "LoginAttribute": { "base": "Information about the login attempts.
", "refs": { "LoginAttributes$member": null } }, "LoginAttributes": { "base": null, "refs": { "RdsLoginAttemptAction$LoginAttributes": "Indicates the login attributes used in the login attempt.
" } }, "Long": { "base": null, "refs": { "Condition$GreaterThan": "Represents a greater than condition to be applied to a single field when querying for findings.
", "Condition$GreaterThanOrEqual": "Represents a greater than or equal condition to be applied to a single field when querying for findings.
", "Condition$LessThan": "Represents a less than condition to be applied to a single field when querying for findings.
", "Condition$LessThanOrEqual": "Represents a less than or equal condition to be applied to a single field when querying for findings.
", "ContainerInstanceDetails$CoveredContainerInstances": "Represents the nodes in the Amazon ECS cluster that has a HEALTHY coverage status.
Represents total number of nodes in the Amazon ECS cluster.
", "CountByCoverageStatus$value": null, "CountByResourceType$value": null, "CoverageEksClusterDetails$CoveredNodes": "Represents the nodes within the EKS cluster that have a HEALTHY coverage status.
Represents all the nodes within the EKS cluster in your account.
", "DescribePublishingDestinationResponse$PublishingFailureStartTimestamp": "The time, in epoch millisecond format, at which GuardDuty was first unable to publish findings to the destination.
" } }, "LongValue": { "base": null, "refs": { "FilterCondition$GreaterThan": "Represents a greater than condition to be applied to a single field when querying for scan entries.
", "FilterCondition$LessThan": "Represents a less than condition to be applied to a single field when querying for scan entries.
" } }, "MalwareProtectionConfiguration": { "base": "Describes whether Malware Protection will be enabled as a data source.
", "refs": { "DataSourceConfigurations$MalwareProtection": "Describes whether Malware Protection is enabled as a data source.
" } }, "MalwareProtectionConfigurationResult": { "base": "An object that contains information on the status of all Malware Protection data sources.
", "refs": { "DataSourceConfigurationsResult$MalwareProtection": "Describes the configuration of Malware Protection data sources.
", "UnprocessedDataSourcesResult$MalwareProtection": null } }, "MalwareProtectionDataSourceFreeTrial": { "base": "Provides details about Malware Protection when it is enabled as a data source.
", "refs": { "DataSourcesFreeTrial$MalwareProtection": "Describes whether Malware Protection is enabled as a data source.
" } }, "MalwareProtectionPlanActions": { "base": "Information about whether the tags will be added to the S3 object after scanning.
", "refs": { "CreateMalwareProtectionPlanRequest$Actions": "Information about whether the tags will be added to the S3 object after scanning.
", "GetMalwareProtectionPlanResponse$Actions": "Information about whether the tags will be added to the S3 object after scanning.
", "UpdateMalwareProtectionPlanRequest$Actions": "Information about whether the tags will be added to the S3 object after scanning.
" } }, "MalwareProtectionPlanObjectPrefixesList": { "base": null, "refs": { "CreateS3BucketResource$ObjectPrefixes": "Information about the specified object prefixes. The S3 object will be scanned only if it belongs to any of the specified object prefixes.
", "UpdateS3BucketResource$ObjectPrefixes": "Information about the specified object prefixes. The S3 object will be scanned only if it belongs to any of the specified object prefixes.
" } }, "MalwareProtectionPlanStatus": { "base": null, "refs": { "GetMalwareProtectionPlanResponse$Status": "Malware Protection plan status.
" } }, "MalwareProtectionPlanStatusReason": { "base": "Information about the issue code and message associated to the status of your Malware Protection plan.
", "refs": { "MalwareProtectionPlanStatusReasonsList$member": null } }, "MalwareProtectionPlanStatusReasonsList": { "base": null, "refs": { "GetMalwareProtectionPlanResponse$StatusReasons": "Information about the issue code and message associated to the status of your Malware Protection plan.
" } }, "MalwareProtectionPlanSummary": { "base": "Information about the Malware Protection plan resource.
", "refs": { "MalwareProtectionPlansSummary$member": null } }, "MalwareProtectionPlanTaggingAction": { "base": "Information about adding tags to the scanned S3 object after the scan result.
", "refs": { "MalwareProtectionPlanActions$Tagging": "Indicates whether the scanned S3 object will have tags about the scan result.
" } }, "MalwareProtectionPlanTaggingActionStatus": { "base": null, "refs": { "MalwareProtectionPlanTaggingAction$Status": "Indicates whether or not the tags will added.
" } }, "MalwareProtectionPlansSummary": { "base": null, "refs": { "ListMalwareProtectionPlansResponse$MalwareProtectionPlans": "A list of unique identifiers associated with each Malware Protection plan.
" } }, "MalwareScanDetails": { "base": "Information about the malware scan that generated a GuardDuty finding.
", "refs": { "Service$MalwareScanDetails": "Returns details from the malware scan that generated a GuardDuty finding.
" } }, "ManagementType": { "base": null, "refs": { "CoverageEc2InstanceDetails$ManagementType": "Indicates how the GuardDuty security agent is managed for this resource.
AUTO_MANAGED indicates that GuardDuty deploys and manages updates for this resource.
MANUAL indicates that you are responsible to deploy, update, and manage the GuardDuty security agent updates for this resource.
The DISABLED status doesn't apply to Amazon EC2 instances and Amazon EKS clusters.
Indicates how the Amazon EKS add-on GuardDuty agent is managed for this EKS cluster.
AUTO_MANAGED indicates GuardDuty deploys and manages updates for this resource.
MANUAL indicates that you are responsible to deploy, update, and manage the Amazon EKS add-on GuardDuty agent for this resource.
Indicates how the GuardDuty security agent is managed for this resource.
AUTO_MANAGED indicates that GuardDuty deploys and manages updates for this resource.
DISABLED indicates that the deployment of the GuardDuty security agent is disabled for this resource.
The MANUAL status doesn't apply to the Amazon Web Services Fargate (Amazon ECS only) woprkloads.
Represents an mapEqual condition to be applied to a single field when triggering for malware scan.
" } }, "Master": { "base": "Contains information about the administrator account and invitation.
", "refs": { "GetMasterAccountResponse$Master": "The administrator account details.
" } }, "MaxResults": { "base": null, "refs": { "DescribeOrganizationConfigurationRequest$MaxResults": "You can use this parameter to indicate the maximum number of items that you want in the response.
", "GetUsageStatisticsRequest$MaxResults": "The maximum number of results to return in the response.
", "ListCoverageRequest$MaxResults": "The maximum number of results to return in the response.
", "ListDetectorsRequest$MaxResults": "You can use this parameter to indicate the maximum number of items that you want in the response. The default value is 50. The maximum value is 50.
", "ListFiltersRequest$MaxResults": "You can use this parameter to indicate the maximum number of items that you want in the response. The default value is 50. The maximum value is 50.
", "ListFindingsRequest$MaxResults": "You can use this parameter to indicate the maximum number of items you want in the response. The default value is 50. The maximum value is 50.
", "ListIPSetsRequest$MaxResults": "You can use this parameter to indicate the maximum number of items you want in the response. The default value is 50. The maximum value is 50.
", "ListInvitationsRequest$MaxResults": "You can use this parameter to indicate the maximum number of items that you want in the response. The default value is 50. The maximum value is 50.
", "ListMembersRequest$MaxResults": "You can use this parameter to indicate the maximum number of items you want in the response. The default value is 50. The maximum value is 50.
", "ListOrganizationAdminAccountsRequest$MaxResults": "The maximum number of results to return in the response.
", "ListPublishingDestinationsRequest$MaxResults": "The maximum number of results to return in the response.
", "ListThreatEntitySetsRequest$MaxResults": "You can use this parameter to indicate the maximum number of items you want in the response. The default value is 50.
", "ListThreatIntelSetsRequest$MaxResults": "You can use this parameter to indicate the maximum number of items that you want in the response. The default value is 50. The maximum value is 50.
", "ListTrustedEntitySetsRequest$MaxResults": "You can use this parameter to indicate the maximum number of items you want in the response. The default value is 50.
" } }, "MaxResults100": { "base": null, "refs": { "GetFindingsStatisticsRequest$MaxResults": "The maximum number of results to be returned in the response. The default value is 25.
You can use this parameter only with the groupBy parameter.
Contains information about the member account.
", "refs": { "Members$member": null } }, "MemberAdditionalConfiguration": { "base": "Information about the additional configuration for the member account.
", "refs": { "MemberAdditionalConfigurations$member": null } }, "MemberAdditionalConfigurationResult": { "base": "Information about the additional configuration for the member account.
", "refs": { "MemberAdditionalConfigurationResults$member": null } }, "MemberAdditionalConfigurationResults": { "base": null, "refs": { "MemberFeaturesConfigurationResult$AdditionalConfiguration": "Indicates the additional configuration of the feature that is configured for the member account.
" } }, "MemberAdditionalConfigurations": { "base": null, "refs": { "MemberFeaturesConfiguration$AdditionalConfiguration": "Additional configuration of the feature for the member account.
" } }, "MemberDataSourceConfiguration": { "base": "Contains information on which data sources are enabled for a member account.
", "refs": { "MemberDataSourceConfigurations$member": null } }, "MemberDataSourceConfigurations": { "base": null, "refs": { "GetMemberDetectorsResponse$MemberDataSourceConfigurations": "An object that describes which data sources are enabled for a member account.
" } }, "MemberFeaturesConfiguration": { "base": "Contains information about the features for the member account.
", "refs": { "MemberFeaturesConfigurations$member": null } }, "MemberFeaturesConfigurationResult": { "base": "Contains information about the features for the member account.
", "refs": { "MemberFeaturesConfigurationsResults$member": null } }, "MemberFeaturesConfigurations": { "base": null, "refs": { "UpdateMemberDetectorsRequest$Features": "A list of features that will be updated for the specified member accounts.
" } }, "MemberFeaturesConfigurationsResults": { "base": null, "refs": { "MemberDataSourceConfiguration$Features": "Contains information about the status of the features for the member account.
" } }, "Members": { "base": null, "refs": { "GetMembersResponse$Members": "A list of members.
", "ListMembersResponse$Members": "A list of members.
The values for email and invitedAt are available only if the member accounts are added by invitation.
Specifies the Region of a process's address space such as stack and heap.
" } }, "MfaStatus": { "base": null, "refs": { "Session$MfaStatus": "Indicates whether or not multi-factor authencation (MFA) was used during authentication.
In Amazon Web Services CloudTrail, you can find this value as userIdentity.sessionContext.attributes.mfaAuthenticated.
The user-friendly name to identify the IPSet.
Allowed characters are alphanumeric, whitespace, dash (-), and underscores (_).
", "CreateThreatEntitySetRequest$Name": "A user-friendly name to identify the threat entity set.
The name of your list can include lowercase letters, uppercase letters, numbers, dash (-), and underscore (_).
", "CreateThreatIntelSetRequest$Name": "A user-friendly ThreatIntelSet name displayed in all findings that are generated by activity that involves IP addresses included in this ThreatIntelSet.
", "CreateTrustedEntitySetRequest$Name": "A user-friendly name to identify the trusted entity set.
The name of your list can include lowercase letters, uppercase letters, numbers, dash (-), and underscore (_).
", "GetIPSetResponse$Name": "The user-friendly name for the IPSet.
", "GetThreatEntitySetResponse$Name": "The name of the threat entity set associated with the specified threatEntitySetId.
A user-friendly ThreatIntelSet name displayed in all findings that are generated by activity that involves IP addresses included in this ThreatIntelSet.
", "GetTrustedEntitySetResponse$Name": "The name of the threat entity set associated with the specified trustedEntitySetId.
The unique ID that specifies the IPSet that you want to update.
", "UpdateThreatEntitySetRequest$Name": "A user-friendly name to identify the trusted entity set.
The name of your list can include lowercase letters, uppercase letters, numbers, dash (-), and underscore (_).
", "UpdateThreatIntelSetRequest$Name": "The unique ID that specifies the ThreatIntelSet that you want to update.
", "UpdateTrustedEntitySetRequest$Name": "A user-friendly name to identify the trusted entity set.
The name of your list can include lowercase letters, uppercase letters, numbers, dash (-), and underscore (_).
" } }, "Neq": { "base": null, "refs": { "Condition$Neq": "Represents the not equal condition to be applied to a single field when querying for findings.
" } }, "NetworkConnection": { "base": "Contains information about the network connection.
", "refs": { "NetworkEndpoint$Connection": "Information about the network connection.
" } }, "NetworkConnectionAction": { "base": "Contains information about the NETWORK_CONNECTION action described in the finding.
", "refs": { "Action$NetworkConnectionAction": "Information about the NETWORK_CONNECTION action described in this finding.
" } }, "NetworkDirection": { "base": null, "refs": { "NetworkConnection$Direction": "The direction in which the network traffic is flowing.
" } }, "NetworkEndpoint": { "base": "Contains information about network endpoints that were observed in the attack sequence.
", "refs": { "NetworkEndpoints$member": null } }, "NetworkEndpoints": { "base": null, "refs": { "Sequence$Endpoints": "Contains information about the network endpoints that were used in the attack sequence.
" } }, "NetworkGeoLocation": { "base": "Contains information about network endpoint location.
", "refs": { "NetworkEndpoint$Location": "Information about the location of the network endpoint.
" } }, "NetworkInterface": { "base": "Contains information about the elastic network interface of the EC2 instance.
", "refs": { "NetworkInterfaces$member": null } }, "NetworkInterfaces": { "base": null, "refs": { "InstanceDetails$NetworkInterfaces": "The elastic network interface information of the EC2 instance.
" } }, "NonEmptyString": { "base": null, "refs": { "FilterCondition$EqualsValue": "Represents an equal condition to be applied to a single field when querying for scan entries.
", "Scan$ScanId": "The unique scan ID associated with a scan entry.
", "Scan$FailureReason": "Represents the reason for FAILED scan status.
A unique identifier that gets generated when you invoke the API without any error. Each malware scan has a corresponding scan ID. Using this scan ID, you can monitor the status of your malware scan.
", "TriggerDetails$GuardDutyFindingId": "The ID of the GuardDuty finding that triggered the malware scan.
", "TriggerDetails$Description": "The description of the scan trigger.
" } }, "NotEquals": { "base": null, "refs": { "Condition$NotEquals": "Represents a not equal condition to be applied to a single field when querying for findings.
", "CoverageFilterCondition$NotEquals": "Represents a not equal condition that is applied to a single field while retrieving the coverage details.
" } }, "ObservationTexts": { "base": null, "refs": { "Observations$Text": "The text that was unusual.
" } }, "Observations": { "base": "Contains information about the observed behavior.
", "refs": { "AnomalyObject$Observations": "The recorded value.
" } }, "OrderBy": { "base": null, "refs": { "CoverageSortCriteria$OrderBy": "The order in which the sorted findings are to be displayed.
", "GetFindingsStatisticsRequest$OrderBy": "Displays the sorted findings in the requested order. The default value of orderBy is DESC.
You can use this parameter only with the groupBy parameter.
The order by which the sorted findings are to be displayed.
" } }, "OrgFeature": { "base": null, "refs": { "MemberFeaturesConfiguration$Name": "The name of the feature.
", "MemberFeaturesConfigurationResult$Name": "Indicates the name of the feature that is enabled for the detector.
", "OrganizationFeatureConfiguration$Name": "The name of the feature that will be configured for the organization.
", "OrganizationFeatureConfigurationResult$Name": "The name of the feature that is configured for the member accounts within the organization.
", "OrganizationFeatureStatistics$Name": "Name of the feature.
" } }, "OrgFeatureAdditionalConfiguration": { "base": null, "refs": { "MemberAdditionalConfiguration$Name": "Name of the additional configuration.
", "MemberAdditionalConfigurationResult$Name": "Indicates the name of the additional configuration that is set for the member account.
", "OrganizationAdditionalConfiguration$Name": "The name of the additional configuration that will be configured for the organization. These values are applicable to only Runtime Monitoring protection plan.
", "OrganizationAdditionalConfigurationResult$Name": "The name of the additional configuration that is configured for the member accounts within the organization. These values are applicable to only Runtime Monitoring protection plan.
", "OrganizationFeatureStatisticsAdditionalConfiguration$Name": "Name of the additional configuration within a feature.
" } }, "OrgFeatureStatus": { "base": null, "refs": { "OrganizationAdditionalConfiguration$AutoEnable": "The status of the additional configuration that will be configured for the organization. Use one of the following values to configure the feature status for the entire organization:
NEW: Indicates that when a new account joins the organization, they will have the additional configuration enabled automatically.
ALL: Indicates that all accounts in the organization have the additional configuration enabled automatically. This includes NEW accounts that join the organization and accounts that may have been suspended or removed from the organization in GuardDuty.
It may take up to 24 hours to update the configuration for all the member accounts.
NONE: Indicates that the additional configuration will not be automatically enabled for any account in the organization. The administrator must manage the additional configuration for each account individually.
Describes the status of the additional configuration that is configured for the member accounts within the organization. One of the following values is the status for the entire organization:
NEW: Indicates that when a new account joins the organization, they will have the additional configuration enabled automatically.
ALL: Indicates that all accounts in the organization have the additional configuration enabled automatically. This includes NEW accounts that join the organization and accounts that may have been suspended or removed from the organization in GuardDuty.
It may take up to 24 hours to update the configuration for all the member accounts.
NONE: Indicates that the additional configuration will not be automatically enabled for any account in the organization. The administrator must manage the additional configuration for each account individually.
Describes the status of the feature that is configured for the member accounts within the organization. One of the following values is the status for the entire organization:
NEW: Indicates that when a new account joins the organization, they will have the feature enabled automatically.
ALL: Indicates that all accounts in the organization have the feature enabled automatically. This includes NEW accounts that join the organization and accounts that may have been suspended or removed from the organization in GuardDuty.
It may take up to 24 hours to update the configuration for all the member accounts.
NONE: Indicates that the feature will not be automatically enabled for any account in the organization. The administrator must manage the feature for each account individually.
Describes the status of the feature that is configured for the member accounts within the organization.
NEW: Indicates that when a new account joins the organization, they will have the feature enabled automatically.
ALL: Indicates that all accounts in the organization have the feature enabled automatically. This includes NEW accounts that join the organization and accounts that may have been suspended or removed from the organization in GuardDuty.
NONE: Indicates that the feature will not be automatically enabled for any account in the organization. In this case, each account will be managed individually by the administrator.
Contains information about the ISP organization of the remote IP address.
", "refs": { "RemoteIpDetails$Organization": "The ISP organization information of the remote IP address.
" } }, "OrganizationAdditionalConfiguration": { "base": "A list of additional configurations which will be configured for the organization.
Additional configuration applies to only GuardDuty Runtime Monitoring protection plan.
", "refs": { "OrganizationAdditionalConfigurations$member": null } }, "OrganizationAdditionalConfigurationResult": { "base": "A list of additional configuration which will be configured for the organization.
", "refs": { "OrganizationAdditionalConfigurationResults$member": null } }, "OrganizationAdditionalConfigurationResults": { "base": null, "refs": { "OrganizationFeatureConfigurationResult$AdditionalConfiguration": "The additional configuration that is configured for the member accounts within the organization.
" } }, "OrganizationAdditionalConfigurations": { "base": null, "refs": { "OrganizationFeatureConfiguration$AdditionalConfiguration": "The additional information that will be configured for the organization.
" } }, "OrganizationDataSourceConfigurations": { "base": "An object that contains information on which data sources will be configured to be automatically enabled for new members within the organization.
", "refs": { "UpdateOrganizationConfigurationRequest$DataSources": "Describes which data sources will be updated.
" } }, "OrganizationDataSourceConfigurationsResult": { "base": "An object that contains information on which data sources are automatically enabled for new members within the organization.
", "refs": { "DescribeOrganizationConfigurationResponse$DataSources": "Describes which data sources are enabled automatically for member accounts.
" } }, "OrganizationDetails": { "base": "Information about GuardDuty coverage statistics for members in your Amazon Web Services organization.
", "refs": { "GetOrganizationStatisticsResponse$OrganizationDetails": "Information about the statistics report for your organization.
" } }, "OrganizationEbsVolumes": { "base": "Organization-wide EBS volumes scan configuration.
", "refs": { "OrganizationScanEc2InstanceWithFindings$EbsVolumes": "Whether scanning EBS volumes should be auto-enabled for new members joining the organization.
" } }, "OrganizationEbsVolumesResult": { "base": "An object that contains information on the status of whether EBS volumes scanning will be enabled as a data source for an organization.
", "refs": { "OrganizationScanEc2InstanceWithFindingsResult$EbsVolumes": "Describes the configuration for scanning EBS volumes for an organization.
" } }, "OrganizationFeatureConfiguration": { "base": "A list of features which will be configured for the organization.
", "refs": { "OrganizationFeaturesConfigurations$member": null } }, "OrganizationFeatureConfigurationResult": { "base": "A list of features which will be configured for the organization.
", "refs": { "OrganizationFeaturesConfigurationsResults$member": null } }, "OrganizationFeatureStatistics": { "base": "Information about the number of accounts that have enabled a specific feature.
", "refs": { "OrganizationFeatureStatisticsResults$member": null } }, "OrganizationFeatureStatisticsAdditionalConfiguration": { "base": "Information about the coverage statistic for the additional configuration of the feature.
", "refs": { "OrganizationFeatureStatisticsAdditionalConfigurations$member": null } }, "OrganizationFeatureStatisticsAdditionalConfigurations": { "base": null, "refs": { "OrganizationFeatureStatistics$AdditionalConfiguration": "Name of the additional configuration.
" } }, "OrganizationFeatureStatisticsResults": { "base": null, "refs": { "OrganizationStatistics$CountByFeature": "Retrieves the coverage statistics for each feature.
" } }, "OrganizationFeaturesConfigurations": { "base": null, "refs": { "UpdateOrganizationConfigurationRequest$Features": "A list of features that will be configured for the organization.
" } }, "OrganizationFeaturesConfigurationsResults": { "base": null, "refs": { "DescribeOrganizationConfigurationResponse$Features": "A list of features that are configured for this organization.
" } }, "OrganizationKubernetesAuditLogsConfiguration": { "base": "Organization-wide Kubernetes audit logs configuration.
", "refs": { "OrganizationKubernetesConfiguration$AuditLogs": "Whether Kubernetes audit logs data source should be auto-enabled for new members joining the organization.
" } }, "OrganizationKubernetesAuditLogsConfigurationResult": { "base": "The current configuration of Kubernetes audit logs as a data source for the organization.
", "refs": { "OrganizationKubernetesConfigurationResult$AuditLogs": "The current configuration of Kubernetes audit logs as a data source for the organization.
" } }, "OrganizationKubernetesConfiguration": { "base": "Organization-wide Kubernetes data sources configurations.
", "refs": { "OrganizationDataSourceConfigurations$Kubernetes": "Describes the configuration of Kubernetes data sources for new members of the organization.
" } }, "OrganizationKubernetesConfigurationResult": { "base": "The current configuration of all Kubernetes data sources for the organization.
", "refs": { "OrganizationDataSourceConfigurationsResult$Kubernetes": "Describes the configuration of Kubernetes data sources.
" } }, "OrganizationMalwareProtectionConfiguration": { "base": "Organization-wide Malware Protection configurations.
", "refs": { "OrganizationDataSourceConfigurations$MalwareProtection": "Describes the configuration of Malware Protection for new members of the organization.
" } }, "OrganizationMalwareProtectionConfigurationResult": { "base": "An object that contains information on the status of all Malware Protection data source for an organization.
", "refs": { "OrganizationDataSourceConfigurationsResult$MalwareProtection": "Describes the configuration of Malware Protection data source for an organization.
" } }, "OrganizationS3LogsConfiguration": { "base": "Describes whether S3 data event logs will be automatically enabled for new members of the organization.
", "refs": { "OrganizationDataSourceConfigurations$S3Logs": "Describes whether S3 data event logs are enabled for new members of the organization.
" } }, "OrganizationS3LogsConfigurationResult": { "base": "The current configuration of S3 data event logs as a data source for the organization.
", "refs": { "OrganizationDataSourceConfigurationsResult$S3Logs": "Describes whether S3 data event logs are enabled as a data source.
" } }, "OrganizationScanEc2InstanceWithFindings": { "base": "Organization-wide EC2 instances with findings scan configuration.
", "refs": { "OrganizationMalwareProtectionConfiguration$ScanEc2InstanceWithFindings": "Whether Malware Protection for EC2 instances with findings should be auto-enabled for new members joining the organization.
" } }, "OrganizationScanEc2InstanceWithFindingsResult": { "base": "An object that contains information on the status of scanning EC2 instances with findings for an organization.
", "refs": { "OrganizationMalwareProtectionConfigurationResult$ScanEc2InstanceWithFindings": "Describes the configuration for scanning EC2 instances with findings for an organization.
" } }, "OrganizationStatistics": { "base": "Information about the coverage statistics of the features for the entire Amazon Web Services organization.
When you create a new Amazon Web Services organization, it might take up to 24 hours to generate the statistics summary for this organization.
", "refs": { "OrganizationDetails$OrganizationStatistics": "Information about the GuardDuty coverage statistics for members in your Amazon Web Services organization.
" } }, "Owner": { "base": "Contains information on the owner of the bucket.
", "refs": { "S3BucketDetail$Owner": "The owner of the S3 bucket.
" } }, "PermissionConfiguration": { "base": "Contains information about how permissions are configured for the S3 bucket.
", "refs": { "PublicAccess$PermissionConfiguration": "Contains information about how permissions are configured for the S3 bucket.
" } }, "PortProbeAction": { "base": "Contains information about the PORT_PROBE action described in the finding.
", "refs": { "Action$PortProbeAction": "Information about the PORT_PROBE action described in this finding.
" } }, "PortProbeDetail": { "base": "Contains information about the port probe details.
", "refs": { "PortProbeDetails$member": null } }, "PortProbeDetails": { "base": null, "refs": { "PortProbeAction$PortProbeDetails": "A list of objects related to port probe details.
" } }, "PositiveLong": { "base": null, "refs": { "Scan$TotalBytes": "Represents total bytes that were scanned.
", "Scan$FileCount": "Represents the number of files that were scanned.
" } }, "PrivateIpAddressDetails": { "base": "Contains other private IP address information of the EC2 instance.
", "refs": { "PrivateIpAddresses$member": null } }, "PrivateIpAddresses": { "base": null, "refs": { "Ec2NetworkInterface$PrivateIpAddresses": "Other private IP address information of the Amazon EC2 instance.
", "NetworkInterface$PrivateIpAddresses": "Other private IP address information of the EC2 instance.
" } }, "ProcessDetails": { "base": "Information about the observed process.
", "refs": { "RuntimeContext$ModifyingProcess": "Information about the process that modified the current process. This is available for multiple finding types.
", "RuntimeContext$TargetProcess": "Information about the process that had its memory overwritten by the current process.
", "RuntimeDetails$Process": "Information about the observed process.
" } }, "ProcessName": { "base": null, "refs": { "ActorProcess$Name": "The name of the process as it appears in the system.
" } }, "ProcessPath": { "base": null, "refs": { "ActorProcess$Path": "The full file path to the process executable on the system.
" } }, "ProcessSha256": { "base": null, "refs": { "ActorProcess$Sha256": "The SHA256 hash of the process executable file, which can be used for identification and verification purposes.
" } }, "ProductCode": { "base": "Contains information about the product code for the EC2 instance.
", "refs": { "ProductCodes$member": null } }, "ProductCodes": { "base": null, "refs": { "Ec2Instance$ProductCodes": "The product code of the Amazon EC2 instance.
", "InstanceDetails$ProductCodes": "The product code of the EC2 instance.
" } }, "ProfileSubtype": { "base": null, "refs": { "AnomalyObject$ProfileSubtype": "The frequency of the anomaly.
" } }, "ProfileType": { "base": null, "refs": { "AnomalyObject$ProfileType": "The type of behavior of the profile.
" } }, "PublicAccess": { "base": "Describes the public access policies that apply to the S3 bucket.
", "refs": { "S3BucketDetail$PublicAccess": "Describes the public access policies that apply to the S3 bucket.
" } }, "PublicAccessConfiguration": { "base": "Describes public access policies that apply to the Amazon S3 bucket.
For information about each of the following settings, see Blocking public access to your Amazon S3 storage in the Amazon S3 User Guide.
", "refs": { "S3Bucket$AccountPublicAccess": "Contains information about the public access policies that apply to the Amazon S3 bucket at the account level.
", "S3Bucket$BucketPublicAccess": "Contains information about public access policies that apply to the Amazon S3 bucket.
" } }, "PublicAccessStatus": { "base": null, "refs": { "PublicAccessConfiguration$PublicAclAccess": "Indicates whether or not there is a setting that allows public access to the Amazon S3 buckets through access control lists (ACLs).
", "PublicAccessConfiguration$PublicPolicyAccess": "Indicates whether or not there is a setting that allows public access to the Amazon S3 bucket policy.
", "S3Bucket$PublicReadAccess": "Indicates whether or not the public read access is allowed for an Amazon S3 bucket.
", "S3Bucket$PublicWriteAccess": "Indicates whether or not the public write access is allowed for an Amazon S3 bucket.
" } }, "PublicAclIgnoreBehavior": { "base": null, "refs": { "PublicAccessConfiguration$PublicAclIgnoreBehavior": "Indicates whether or not there is a setting that ignores all public access control lists (ACLs) on the Amazon S3 bucket and the objects that it contains.
" } }, "PublicBucketRestrictBehavior": { "base": null, "refs": { "PublicAccessConfiguration$PublicBucketRestrictBehavior": "Indicates whether or not there is a setting that restricts access to the bucket with specified policies.
" } }, "PublishingStatus": { "base": null, "refs": { "DescribePublishingDestinationResponse$Status": "The status of the publishing destination.
", "Destination$Status": "The status of the publishing destination.
" } }, "RdsDbInstanceDetails": { "base": "Contains information about the resource type RDSDBInstance involved in a GuardDuty finding.
Contains information about the database instance to which an anomalous login attempt was made.
" } }, "RdsDbUserDetails": { "base": "Contains information about the user and authentication details for a database instance involved in the finding.
", "refs": { "Resource$RdsDbUserDetails": "Contains information about the user details through which anomalous login attempt was made.
" } }, "RdsLimitlessDbDetails": { "base": "Contains information about the resource type RDSLimitlessDB that is involved in a GuardDuty finding.
Contains information about the RDS Limitless database that was involved in a GuardDuty finding.
" } }, "RdsLoginAttemptAction": { "base": "Indicates that a login attempt was made to the potentially compromised database from a remote IP address.
", "refs": { "Action$RdsLoginAttemptAction": "Information about RDS_LOGIN_ATTEMPT action described in this finding.
Contains details about the remote Amazon Web Services account that made the API call.
", "refs": { "AwsApiCallAction$RemoteAccountDetails": "The details of the Amazon Web Services account that made the API call. This field appears if the call was made from outside your account.
" } }, "RemoteIpDetails": { "base": "Contains information about the remote IP address of the connection.
", "refs": { "AwsApiCallAction$RemoteIpDetails": "The remote IP information of the connection that initiated the Amazon Web Services API call.
", "KubernetesApiCallAction$RemoteIpDetails": null, "NetworkConnectionAction$RemoteIpDetails": "The remote IP information of the connection.
", "PortProbeDetail$RemoteIpDetails": "The remote IP information of the connection.
", "RdsLoginAttemptAction$RemoteIpDetails": null } }, "RemotePortDetails": { "base": "Contains information about the remote port.
", "refs": { "NetworkConnectionAction$RemotePortDetails": "The remote port information of the connection.
" } }, "Resource": { "base": "Contains information about the Amazon Web Services resource associated with the activity that prompted GuardDuty to generate a finding.
", "refs": { "Finding$Resource": null } }, "ResourceArn": { "base": null, "refs": { "StartMalwareScanRequest$ResourceArn": "Amazon Resource Name (ARN) of the resource for which you invoked the API.
" } }, "ResourceData": { "base": "Contains information about the Amazon Web Services resource that is associated with the activity that prompted GuardDuty to generate a finding.
", "refs": { "ResourceV2$Data": "Contains information about the Amazon Web Services resource associated with the activity that prompted GuardDuty to generate a finding.
" } }, "ResourceDetails": { "base": "Represents the resources that were scanned in the scan entry.
", "refs": { "Scan$ResourceDetails": "Represents the resources that were scanned in the scan entry.
" } }, "ResourceList": { "base": null, "refs": { "UsageCriteria$Resources": "The resources to aggregate usage statistics from. Only accepts exact resource names.
" } }, "ResourceNotFoundException": { "base": "The requested resource can't be found.
", "refs": {} }, "ResourceStatistics": { "base": "Information about each resource type associated with the groupedByResource statistics.
The type of Amazon Web Services resource.
" } }, "ResourceUids": { "base": null, "refs": { "Signal$ResourceUids": "Information about the unique identifiers of the resources involved in the signal.
" } }, "ResourceV2": { "base": "Contains information about the Amazon Web Services resource that is associated with the GuardDuty finding.
", "refs": { "Resources$member": null } }, "Resources": { "base": null, "refs": { "Sequence$Resources": "Contains information about the resources involved in the attack sequence.
" } }, "RuntimeContext": { "base": "Additional information about the suspicious activity.
", "refs": { "RuntimeDetails$Context": "Additional information about the suspicious activity.
" } }, "RuntimeDetails": { "base": "Information about the process and any required context values for a specific finding.
", "refs": { "Service$RuntimeDetails": "Information about the process and any required context values for a specific finding
" } }, "S3Bucket": { "base": "Contains information about the Amazon S3 bucket policies and encryption.
", "refs": { "ResourceData$S3Bucket": "Contains information about the Amazon S3 bucket.
" } }, "S3BucketDetail": { "base": "Contains information on the S3 bucket.
", "refs": { "S3BucketDetails$member": null } }, "S3BucketDetails": { "base": null, "refs": { "Resource$S3BucketDetails": "Contains information on the S3 bucket.
" } }, "S3LogsConfiguration": { "base": "Describes whether S3 data event logs will be enabled as a data source.
", "refs": { "DataSourceConfigurations$S3Logs": "Describes whether S3 data event logs are enabled as a data source.
" } }, "S3LogsConfigurationResult": { "base": "Describes whether S3 data event logs will be enabled as a data source.
", "refs": { "DataSourceConfigurationsResult$S3Logs": "An object that contains information on the status of S3 Data event logs as a data source.
" } }, "S3Object": { "base": "Contains information about the Amazon S3 object.
", "refs": { "ResourceData$S3Object": "Contains information about the Amazon S3 object.
" } }, "S3ObjectDetail": { "base": "Information about the S3 object that was scanned
", "refs": { "S3ObjectDetails$member": null } }, "S3ObjectDetails": { "base": null, "refs": { "S3BucketDetail$S3ObjectDetails": "Information about the S3 object that was scanned.
" } }, "S3ObjectUids": { "base": null, "refs": { "S3Bucket$S3ObjectUids": "Represents a list of Amazon S3 object identifiers.
" } }, "Scan": { "base": "Contains information about malware scans associated with GuardDuty Malware Protection for EC2.
", "refs": { "Scans$member": null } }, "ScanCondition": { "base": "Contains information about the condition.
", "refs": { "ScanCriterion$value": null } }, "ScanConditionPair": { "base": "Represents the key:value pair to be matched against given resource property.
Represents a map of resource properties that match specified conditions and values when triggering malware scans.
", "refs": { "ScanResourceCriteria$Include": "Represents condition that when matched will allow a malware scan for a certain resource.
", "ScanResourceCriteria$Exclude": "Represents condition that when matched will prevent a malware scan for a certain resource.
" } }, "ScanCriterionKey": { "base": "An enum value representing possible resource properties to match with given scan condition.
", "refs": { "ScanCriterion$key": null } }, "ScanDetections": { "base": "Contains a complete view providing malware scan result details.
", "refs": { "EbsVolumeScanDetails$ScanDetections": "Contains a complete view providing malware scan result details.
" } }, "ScanEc2InstanceWithFindings": { "base": "Describes whether Malware Protection for EC2 instances with findings will be enabled as a data source.
", "refs": { "MalwareProtectionConfiguration$ScanEc2InstanceWithFindings": "Describes the configuration of Malware Protection for EC2 instances with findings.
" } }, "ScanEc2InstanceWithFindingsResult": { "base": "An object that contains information on the status of whether Malware Protection for EC2 instances with findings will be enabled as a data source.
", "refs": { "MalwareProtectionConfigurationResult$ScanEc2InstanceWithFindings": "Describes the configuration of Malware Protection for EC2 instances with findings.
" } }, "ScanFilePath": { "base": "Contains details of infected file including name, file path and hash.
", "refs": { "FilePaths$member": null } }, "ScanResourceCriteria": { "base": "Contains information about criteria used to filter resources before triggering malware scan.
", "refs": { "GetMalwareScanSettingsResponse$ScanResourceCriteria": "Represents the criteria to be used in the filter for scanning resources.
", "UpdateMalwareScanSettingsRequest$ScanResourceCriteria": "Represents the criteria to be used in the filter for selecting resources to scan.
" } }, "ScanResult": { "base": null, "refs": { "ScanResultDetails$ScanResult": "An enum value representing possible scan results.
" } }, "ScanResultDetails": { "base": "Represents the result of the scan.
", "refs": { "Scan$ScanResultDetails": "Represents the result of the scan.
" } }, "ScanStatus": { "base": null, "refs": { "Scan$ScanStatus": "An enum value representing possible scan statuses.
" } }, "ScanThreatName": { "base": "Contains files infected with the given threat providing details of malware name and severity.
", "refs": { "ScanThreatNames$member": null } }, "ScanThreatNames": { "base": null, "refs": { "ThreatDetectedByName$ThreatNames": "List of identified threats with details, organized by threat name.
" } }, "ScanType": { "base": null, "refs": { "EbsVolumeScanDetails$ScanType": "Specifies the scan type that invoked the malware scan.
", "Scan$ScanType": "Specifies the scan type that invoked the malware scan.
" } }, "ScannedItemCount": { "base": "Total number of scanned files.
", "refs": { "ScanDetections$ScannedItemCount": "Total number of scanned files.
" } }, "Scans": { "base": null, "refs": { "DescribeMalwareScansResponse$Scans": "Contains information about malware scans associated with GuardDuty Malware Protection for EC2.
" } }, "SecurityContext": { "base": "Container security context.
", "refs": { "Container$SecurityContext": "Container security context.
" } }, "SecurityGroup": { "base": "Contains information about the security groups associated with the EC2 instance.
", "refs": { "SecurityGroups$member": null } }, "SecurityGroups": { "base": null, "refs": { "Ec2NetworkInterface$SecurityGroups": "The security groups associated with the Amazon EC2 instance.
", "NetworkInterface$SecurityGroups": "The security groups associated with the EC2 instance.
", "VpcConfig$SecurityGroups": "The identifier of the security group attached to the Lambda function.
" } }, "SensitiveString": { "base": null, "refs": { "LocalIpDetails$IpAddressV4": "The IPv4 local address of the connection.
", "LocalIpDetails$IpAddressV6": "The IPv6 local address of the connection.
", "NetworkInterface$PrivateIpAddress": "The private IP address of the EC2 instance.
", "PrivateIpAddressDetails$PrivateIpAddress": "The private IP address of the EC2 instance.
", "RemoteIpDetails$IpAddressV4": "The IPv4 remote address of the connection.
", "RemoteIpDetails$IpAddressV6": "The IPv6 remote address of the connection.
" } }, "Sequence": { "base": "Contains information about the GuardDuty attack sequence finding.
", "refs": { "Detection$Sequence": "The details about the attack sequence.
" } }, "SequenceDescription": { "base": null, "refs": { "Sequence$Description": "Description of the attack sequence.
" } }, "Service": { "base": "Contains additional information about the generated finding.
", "refs": { "Finding$Service": null } }, "ServiceAdditionalInfo": { "base": "Additional information about the generated finding.
", "refs": { "Service$AdditionalInfo": "Contains additional information about the generated finding.
" } }, "Session": { "base": "Contains information about the authenticated session.
", "refs": { "Actor$Session": "Contains information about the user session where the activity initiated.
" } }, "SessionNameList": { "base": null, "refs": { "KubernetesUserDetails$SessionName": "Entity that assumes the IAM role when Kubernetes RBAC permissions are assigned to that role.
" } }, "SeverityStatistics": { "base": "Information about severity level for each finding type.
", "refs": { "GroupedBySeverity$member": null } }, "Signal": { "base": "Contains information about the signals involved in the attack sequence.
", "refs": { "Signals$member": null } }, "SignalDescription": { "base": null, "refs": { "Signal$Description": "The description of the signal.
" } }, "SignalType": { "base": null, "refs": { "Signal$Type": "The type of the signal used to identify an attack sequence.
Signals can be GuardDuty findings or activities observed in data sources that GuardDuty monitors. For more information, see Foundational data sources in the Amazon GuardDuty User Guide.
A signal type can be one of the valid values listed in this API. Here are the related descriptions:
FINDING - Individually generated GuardDuty finding.
CLOUD_TRAIL - Activity observed from CloudTrail logs
S3_DATA_EVENTS - Activity observed from CloudTrail data events for S3. Activities associated with this type will show up only when you have enabled GuardDuty S3 Protection feature in your account. For more information about S3 Protection and steps to enable it, see S3 Protection in the Amazon GuardDuty User Guide.
Contains information about the signals involved in the attack sequence.
" } }, "SortCriteria": { "base": "Contains information about the criteria used for sorting findings.
", "refs": { "DescribeMalwareScansRequest$SortCriteria": "Represents the criteria used for sorting scan entries. The attributeName is required and it must be scanStartTime.
Represents the criteria used for sorting findings.
", "ListFindingsRequest$SortCriteria": "Represents the criteria used for sorting findings.
" } }, "SourceIps": { "base": null, "refs": { "KubernetesApiCallAction$SourceIps": "The IP of the Kubernetes API caller and the IPs of any proxies or load balancers between the caller and the API endpoint.
" } }, "Sources": { "base": null, "refs": { "EbsVolumeScanDetails$Sources": "Contains list of threat intelligence sources used to detect threats.
" } }, "StartMalwareScanRequest": { "base": null, "refs": {} }, "StartMalwareScanResponse": { "base": null, "refs": {} }, "StartMonitoringMembersRequest": { "base": null, "refs": {} }, "StartMonitoringMembersResponse": { "base": null, "refs": {} }, "StopMonitoringMembersRequest": { "base": null, "refs": {} }, "StopMonitoringMembersResponse": { "base": null, "refs": {} }, "String": { "base": null, "refs": { "AcceptAdministratorInvitationRequest$AdministratorId": "The account ID of the GuardDuty administrator account whose invitation you're accepting.
", "AcceptAdministratorInvitationRequest$InvitationId": "The value that is used to validate the administrator account to the member account.
", "AcceptInvitationRequest$MasterId": "The account ID of the GuardDuty administrator account whose invitation you're accepting.
", "AcceptInvitationRequest$InvitationId": "The value that is used to validate the administrator account to the member account.
", "AccessDeniedException$Message": "The error message.
", "AccessDeniedException$Type": "The error type.
", "AccessKey$PrincipalId": "Principal ID of the user.
", "AccessKey$UserName": "Name of the user.
", "AccessKey$UserType": "Type of the user.
", "AccessKeyDetails$AccessKeyId": "The access key ID of the user.
", "AccessKeyDetails$PrincipalId": "The principal ID of the user.
", "AccessKeyDetails$UserName": "The name of the user.
", "AccessKeyDetails$UserType": "The type of the user.
", "Account$Uid": "ID of the member's Amazon Web Services account
", "Account$Name": "Name of the member's Amazon Web Services account.
", "AccountFreeTrialInfo$AccountId": "The account identifier of the GuardDuty member account.
", "AccountStatistics$AccountId": "The ID of the Amazon Web Services account.
", "Action$ActionType": "The GuardDuty finding activity type.
", "Actor$Id": "ID of the threat actor.
", "ActorIds$member": null, "AddonDetails$AddonVersion": "Version of the installed EKS add-on.
", "AddonDetails$AddonStatus": "Status of the installed EKS add-on.
", "AdminAccount$AdminAccountId": "The Amazon Web Services account ID for the account.
", "Administrator$InvitationId": "The value that is used to validate the administrator account to the member account.
", "Administrator$RelationshipStatus": "The status of the relationship between the administrator and member accounts.
", "Administrator$InvitedAt": "The timestamp when the invitation was sent.
", "AffectedResources$key": null, "AffectedResources$value": null, "AgentDetails$Version": "Version of the installed GuardDuty security agent.
", "AnomalyProfileFeatures$key": null, "AnomalyProfiles$key": null, "AnomalyUnusualBehaviorFeature$key": null, "AutonomousSystem$Name": "Name associated with the Autonomous System (AS).
", "AwsApiCallAction$Api": "The Amazon Web Services API name.
", "AwsApiCallAction$CallerType": "The Amazon Web Services API caller type.
", "AwsApiCallAction$ErrorCode": "The error code of the failed Amazon Web Services API action.
", "AwsApiCallAction$UserAgent": "The agent through which the API request was made.
", "AwsApiCallAction$ServiceName": "The Amazon Web Services service name whose API was invoked.
", "BadRequestException$Message": "The error message.
", "BadRequestException$Type": "The error type.
", "Behavior$key": null, "City$CityName": "The city name of the remote IP address.
", "ConflictException$Message": "The error message.
", "ConflictException$Type": "The error type.
", "Container$ContainerRuntime": "The container runtime (such as, Docker or containerd) used to run the container.
", "Container$Id": "Container ID.
", "Container$Name": "Container name.
", "Container$Image": "Container image.
", "Container$ImagePrefix": "Part of the image name before the last slash. For example, imagePrefix for public.ecr.aws/amazonlinux/amazonlinux:latest would be public.ecr.aws/amazonlinux. If the image name is relative and does not have a slash, this field is empty.
", "ContainerFindingResource$Image": "The container image information, including the image name and tag used to run the container that was involved in the finding.
", "CountBySeverity$key": null, "Country$CountryCode": "The country code of the remote IP address.
", "Country$CountryName": "The country name of the remote IP address.
", "CoverageEc2InstanceDetails$InstanceId": "The Amazon EC2 instance ID.
", "CoverageEc2InstanceDetails$InstanceType": "The instance type of the Amazon EC2 instance.
", "CoverageEc2InstanceDetails$ClusterArn": "The cluster ARN of the Amazon ECS cluster running on the Amazon EC2 instance.
", "CoverageEcsClusterDetails$ClusterName": "The name of the Amazon ECS cluster.
", "CoverageEksClusterDetails$ClusterName": "Name of the EKS cluster.
", "CoverageResource$ResourceId": "The unique ID of the resource.
", "CoverageResource$Issue": "Represents the reason why a coverage status was UNHEALTHY for the EKS cluster.
The ID of the IPSet resource.
", "CreateMalwareProtectionPlanRequest$Role": "Amazon Resource Name (ARN) of the IAM role that has the permissions to scan and add tags to the associated protected resource.
", "CreateMalwareProtectionPlanResponse$MalwareProtectionPlanId": "A unique identifier associated with the Malware Protection plan resource.
", "CreatePublishingDestinationResponse$DestinationId": "The ID of the publishing destination that is created.
", "CreateS3BucketResource$BucketName": "Name of the S3 bucket.
", "CreateThreatEntitySetResponse$ThreatEntitySetId": "The ID returned by GuardDuty after creation of the threat entity set resource.
", "CreateThreatIntelSetResponse$ThreatIntelSetId": "The ID of the ThreatIntelSet resource.
", "CreateTrustedEntitySetResponse$TrustedEntitySetId": "The ID returned by GuardDuty after creation of the trusted entity set resource.
", "Criterion$key": null, "DefaultServerSideEncryption$EncryptionType": "The type of encryption used for objects within the S3 bucket.
", "DefaultServerSideEncryption$KmsMasterKeyArn": "The Amazon Resource Name (ARN) of the KMS encryption key. Only available if the bucket EncryptionType is aws:kms.
The name of the filter that you want to delete.
", "DeleteIPSetRequest$IpSetId": "The unique ID of the IPSet to delete.
", "DeleteMalwareProtectionPlanRequest$MalwareProtectionPlanId": "A unique identifier associated with Malware Protection plan resource.
", "DeletePublishingDestinationRequest$DestinationId": "The ID of the publishing destination to delete.
", "DeleteThreatEntitySetRequest$ThreatEntitySetId": "The unique ID that helps GuardDuty identify which threat entity set needs to be deleted.
", "DeleteThreatIntelSetRequest$ThreatIntelSetId": "The unique ID of the threatIntelSet that you want to delete.
", "DeleteTrustedEntitySetRequest$TrustedEntitySetId": "The unique ID that helps GuardDuty identify which trusted entity set needs to be deleted.
", "DescribeMalwareScansRequest$NextToken": "You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.
", "DescribeMalwareScansResponse$NextToken": "The pagination parameter to be used on the next list operation to retrieve more items.
", "DescribeOrganizationConfigurationRequest$NextToken": "You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.
The pagination parameter to be used on the next list operation to retrieve more items.
", "DescribePublishingDestinationRequest$DestinationId": "The ID of the publishing destination to retrieve.
", "DescribePublishingDestinationResponse$DestinationId": "The ID of the publishing destination.
", "Destination$DestinationId": "The unique ID of the publishing destination.
", "DestinationProperties$DestinationArn": "The ARN of the resource to publish to.
To specify an S3 bucket folder use the following format: arn:aws:s3:::DOC-EXAMPLE-BUCKET/myFolder/
The ARN of the KMS key to use for encryption.
", "DisableOrganizationAdminAccountRequest$AdminAccountId": "The Amazon Web Services Account ID for the organizations account to be disabled as a GuardDuty delegated administrator.
", "DnsRequestAction$Domain": "The domain information for the DNS query.
", "DnsRequestAction$Protocol": "The network connection protocol observed in the activity that prompted GuardDuty to generate the finding.
", "DnsRequestAction$DomainWithSuffix": "The second and top level domain involved in the activity that potentially prompted GuardDuty to generate this finding. For a list of top-level and second-level domains, see public suffix list.
", "DomainDetails$Domain": "The domain information for the Amazon Web Services API call.
", "EbsVolumeScanDetails$ScanId": "Unique Id of the malware scan that generated the finding.
", "EbsVolumeScanDetails$TriggerFindingId": "GuardDuty finding ID that triggered a malware scan.
", "EbsVolumesResult$Reason": "Specifies the reason why scanning EBS volumes (Malware Protection) was not enabled as a data source.
", "Ec2Instance$AvailabilityZone": "The availability zone of the Amazon EC2 instance. For more information, see Availability zones in the Amazon EC2 User Guide.
", "Ec2Instance$ImageDescription": "The image description of the Amazon EC2 instance.
", "Ec2Instance$InstanceState": "The state of the Amazon EC2 instance. For more information, see Amazon EC2 instance state changes in the Amazon EC2 User Guide.
", "Ec2Instance$InstanceType": "Type of the Amazon EC2 instance.
", "Ec2Instance$OutpostArn": "The Amazon Resource Name (ARN) of the Amazon Web Services Outpost. This shows applicable Amazon Web Services Outposts instances.
", "Ec2Instance$Platform": "The platform of the Amazon EC2 instance.
", "Ec2NetworkInterface$PublicIp": "The public IP address of the Amazon EC2 instance.
", "Ec2NetworkInterface$SubNetId": "The subnet ID of the Amazon EC2 instance.
", "Ec2NetworkInterface$VpcId": "The VPC ID of the Amazon EC2 instance.
", "Ec2NetworkInterfaceUids$member": null, "EcsClusterDetails$Name": "The name of the ECS Cluster.
", "EcsClusterDetails$Arn": "The Amazon Resource Name (ARN) that identifies the cluster.
", "EcsClusterDetails$Status": "The status of the ECS cluster.
", "EcsTaskDetails$Arn": "The Amazon Resource Name (ARN) of the task.
", "EcsTaskDetails$DefinitionArn": "The ARN of the task definition that creates the task.
", "EcsTaskDetails$Version": "The version counter for the task.
", "EcsTaskDetails$StartedBy": "Contains the tag specified when a task is started.
", "EcsTaskDetails$Group": "The name of the task group that's associated with the task.
", "EcsTaskDetails$LaunchType": "A capacity on which the task is running. For example, Fargate and EC2.
The Amazon Resource Name (ARN) that uniquely identifies the Amazon EKS cluster involved in the finding.
", "EksCluster$VpcId": "The ID of the Amazon Virtual Private Cloud (Amazon VPC) associated with the Amazon EKS cluster.
", "EksClusterDetails$Name": "EKS cluster name.
", "EksClusterDetails$Arn": "EKS cluster ARN.
", "EksClusterDetails$VpcId": "The VPC ID to which the EKS cluster is attached.
", "EksClusterDetails$Status": "The EKS cluster status.
", "EnableOrganizationAdminAccountRequest$AdminAccountId": "The Amazon Web Services account ID for the organization account to be enabled as a GuardDuty delegated administrator.
", "EndpointIds$member": null, "Eq$member": null, "Equals$member": null, "Finding$AccountId": "The ID of the account in which the finding was generated.
", "Finding$Arn": "The ARN of the finding.
", "Finding$CreatedAt": "The time and date when the finding was created.
", "Finding$Description": "The description of the finding.
", "Finding$Id": "The ID of the finding.
", "Finding$Partition": "The partition associated with the finding.
", "Finding$Region": "The Region where the finding was generated. For findings generated from Global Service Events, the Region value in the finding might differ from the Region where GuardDuty identifies the potential threat. For more information, see How GuardDuty handles Amazon Web Services CloudTrail global events in the Amazon GuardDuty User Guide.
", "Finding$SchemaVersion": "The version of the schema used for the finding.
", "Finding$Title": "The title of the finding.
", "Finding$UpdatedAt": "The time and date when the finding was last updated.
", "Finding$AssociatedAttackSequenceArn": "Amazon Resource Name (ARN) associated with the attack sequence finding.
", "FindingTypeStatistics$FindingType": "Name of the finding type.
", "FlagsList$member": null, "GetDetectorResponse$CreatedAt": "The timestamp of when the detector was created.
", "GetDetectorResponse$ServiceRole": "The GuardDuty service role.
", "GetDetectorResponse$UpdatedAt": "The last-updated timestamp for the detector.
", "GetFilterRequest$FilterName": "The name of the filter you want to get.
", "GetFindingsStatisticsResponse$NextToken": "The pagination parameter to be used on the next list operation to retrieve more items.
This parameter is currently not supported.
", "GetIPSetRequest$IpSetId": "The unique ID of the IPSet to retrieve.
", "GetMalwareProtectionPlanRequest$MalwareProtectionPlanId": "A unique identifier associated with Malware Protection plan resource.
", "GetMalwareProtectionPlanResponse$Arn": "Amazon Resource Name (ARN) of the protected resource.
", "GetMalwareProtectionPlanResponse$Role": "Amazon Resource Name (ARN) of the IAM role that includes the permissions to scan and add tags to the associated protected resource.
", "GetThreatEntitySetRequest$ThreatEntitySetId": "The unique ID that helps GuardDuty identify the threat entity set.
", "GetThreatEntitySetResponse$ErrorDetails": "The error details when the status is shown as ERROR.
The unique ID of the threatIntelSet that you want to get.
", "GetTrustedEntitySetRequest$TrustedEntitySetId": "The unique ID that helps GuardDuty identify the trusted entity set.
", "GetTrustedEntitySetResponse$ErrorDetails": "The error details when the status is shown as ERROR.
The currency unit you would like to view your usage statistics in. Current valid values are USD.
", "GetUsageStatisticsRequest$NextToken": "A token to use for paginating results that are returned in the response. Set the value of this parameter to null for the first request to a list action. For subsequent calls, use the NextToken value returned from the previous request to continue listing results after the first page.
", "GetUsageStatisticsResponse$NextToken": "The pagination parameter to be used on the next list operation to retrieve more items.
", "Groups$member": null, "HighestSeverityThreatDetails$Severity": "Severity level of the highest severity threat detected.
", "HighestSeverityThreatDetails$ThreatName": "Threat name of the highest severity threat detected as part of the malware scan.
", "HostPath$Path": "Path of the file or directory on the host that the volume maps to.
", "IamInstanceProfile$Arn": "The profile ARN of the EC2 instance.
", "IamInstanceProfile$Id": "The profile ID of the EC2 instance.
", "ImpersonatedUser$Username": "Information about the username that was being impersonated.
The Availability Zone of the EC2 instance.
", "InstanceDetails$ImageDescription": "The image description of the EC2 instance.
", "InstanceDetails$ImageId": "The image ID of the EC2 instance.
", "InstanceDetails$InstanceId": "The ID of the EC2 instance.
", "InstanceDetails$InstanceState": "The state of the EC2 instance.
", "InstanceDetails$InstanceType": "The type of the EC2 instance.
", "InstanceDetails$OutpostArn": "The Amazon Resource Name (ARN) of the Amazon Web Services Outpost. Only applicable to Amazon Web Services Outposts instances.
", "InstanceDetails$LaunchTime": "The launch time of the EC2 instance.
", "InstanceDetails$Platform": "The platform of the EC2 instance.
", "InternalServerErrorException$Message": "The error message.
", "InternalServerErrorException$Type": "The error type.
", "Invitation$InvitationId": "The ID of the invitation. This value is used to validate the inviter account to the member account.
", "Invitation$RelationshipStatus": "The status of the relationship between the inviter and invitee accounts.
", "Invitation$InvitedAt": "The timestamp when the invitation was sent.
", "InviteMembersRequest$Message": "The invitation message that you want to send to the accounts that you're inviting to GuardDuty as members.
", "IpSetIds$member": null, "Ipv6Addresses$member": null, "Issues$member": null, "ItemPath$NestedItemPath": "The nested item path where the infected file was found.
", "ItemPath$Hash": "The hash value of the infected resource.
", "KubernetesApiCallAction$RequestUri": "The Kubernetes API request URI.
", "KubernetesApiCallAction$Verb": "The Kubernetes API request HTTP verb.
", "KubernetesApiCallAction$UserAgent": "The user agent of the caller of the Kubernetes API.
", "KubernetesApiCallAction$Parameters": "Parameters related to the Kubernetes API call action.
", "KubernetesApiCallAction$Resource": "The resource component in the Kubernetes API call action.
", "KubernetesApiCallAction$Subresource": "The name of the sub-resource in the Kubernetes API call action.
", "KubernetesApiCallAction$Namespace": "The name of the namespace where the Kubernetes API call action takes place.
", "KubernetesApiCallAction$ResourceName": "The name of the resource in the Kubernetes API call action.
", "KubernetesPermissionCheckedDetails$Verb": "The verb component of the Kubernetes API call. For example, when you check whether or not you have the permission to call the CreatePod API, the verb component will be Create.
The Kubernetes resource with which your Kubernetes API call will interact.
", "KubernetesPermissionCheckedDetails$Namespace": "The namespace where the Kubernetes API action will take place.
", "KubernetesRoleBindingDetails$Kind": "The kind of the role. For role binding, this value will be RoleBinding.
The name of the RoleBinding.
The unique identifier of the role binding.
", "KubernetesRoleBindingDetails$RoleRefName": "The name of the role being referenced. This must match the name of the Role or ClusterRole that you want to bind to.
The type of the role being referenced. This could be either Role or ClusterRole.
The kind of role. For this API, the value of kind will be Role.
The name of the Kubernetes role.
", "KubernetesRoleDetails$Uid": "The unique identifier of the Kubernetes role name.
", "KubernetesUserDetails$Username": "The username of the user who called the Kubernetes API.
", "KubernetesUserDetails$Uid": "The user ID of the user who called the Kubernetes API.
", "KubernetesWorkload$Namespace": "The Kubernetes namespace in which the workload is running, providing logical isolation within the cluster.
", "KubernetesWorkloadDetails$Name": "Kubernetes workload name.
", "KubernetesWorkloadDetails$Type": "Kubernetes workload type (e.g. Pod, Deployment, etc.).
", "KubernetesWorkloadDetails$Uid": "Kubernetes workload ID.
", "KubernetesWorkloadDetails$Namespace": "Kubernetes namespace that the workload is part of.
", "KubernetesWorkloadDetails$ServiceAccountName": "The service account name that is associated with a Kubernetes workload.
", "LambdaDetails$FunctionArn": "Amazon Resource Name (ARN) of the Lambda function.
", "LambdaDetails$FunctionName": "Name of the Lambda function.
", "LambdaDetails$Description": "Description of the Lambda function.
", "LambdaDetails$RevisionId": "The revision ID of the Lambda function version.
", "LambdaDetails$FunctionVersion": "The version of the Lambda function.
", "LambdaDetails$Role": "The execution role of the Lambda function.
", "LineageObject$Name": "The name of the process.
", "LineageObject$Uuid": "The unique ID assigned to the process by GuardDuty.
", "LineageObject$ExecutablePath": "The absolute path of the process executable file.
", "LineageObject$ParentUuid": "The unique ID of the parent process. This ID is assigned to the parent process by GuardDuty.
", "ListCoverageRequest$NextToken": "A token to use for paginating results that are returned in the response. Set the value of this parameter to null for the first request to a list action. For subsequent calls, use the NextToken value returned from the previous request to continue listing results after the first page.
", "ListCoverageResponse$NextToken": "The pagination parameter to be used on the next list operation to retrieve more items.
", "ListDetectorsRequest$NextToken": "You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.
", "ListDetectorsResponse$NextToken": "The pagination parameter to be used on the next list operation to retrieve more items.
", "ListFiltersRequest$NextToken": "You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.
", "ListFiltersResponse$NextToken": "The pagination parameter to be used on the next list operation to retrieve more items.
", "ListFindingsRequest$NextToken": "You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.
", "ListFindingsResponse$NextToken": "The pagination parameter to be used on the next list operation to retrieve more items.
", "ListIPSetsRequest$NextToken": "You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.
", "ListIPSetsResponse$NextToken": "The pagination parameter to be used on the next list operation to retrieve more items.
", "ListInvitationsRequest$NextToken": "You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.
", "ListInvitationsResponse$NextToken": "The pagination parameter to be used on the next list operation to retrieve more items.
", "ListMalwareProtectionPlansRequest$NextToken": "You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.
You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.
You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.
", "ListMembersRequest$OnlyAssociated": "Specifies whether to only return associated members or to return all members (including members who haven't been invited yet or have been disassociated). Member accounts must have been previously associated with the GuardDuty administrator account using Create Members .
The pagination parameter to be used on the next list operation to retrieve more items.
", "ListOrganizationAdminAccountsRequest$NextToken": "A token to use for paginating results that are returned in the response. Set the value of this parameter to null for the first request to a list action. For subsequent calls, use the NextToken value returned from the previous request to continue listing results after the first page.
The pagination parameter to be used on the next list operation to retrieve more items.
", "ListPublishingDestinationsRequest$NextToken": "A token to use for paginating results that are returned in the response. Set the value of this parameter to null for the first request to a list action. For subsequent calls, use the NextToken value returned from the previous request to continue listing results after the first page.
A token to use for paginating results that are returned in the response. Set the value of this parameter to null for the first request to a list action. For subsequent calls, use the NextToken value returned from the previous request to continue listing results after the first page.
You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.
", "ListThreatEntitySetsResponse$NextToken": "The pagination parameter to be used on the next list operation to retrieve more items.
", "ListThreatIntelSetsRequest$NextToken": "You can use this parameter to paginate results in the response. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.
", "ListThreatIntelSetsResponse$NextToken": "The pagination parameter to be used on the next list operation to retrieve more items.
", "ListTrustedEntitySetsRequest$NextToken": "You can use this parameter when paginating results. Set the value of this parameter to null on your first call to the list action. For subsequent calls to the action, fill nextToken in the request with the value of NextToken from the previous response to continue listing data.
", "ListTrustedEntitySetsResponse$NextToken": "The pagination parameter to be used on the next list operation to retrieve more items.
", "LocalPortDetails$PortName": "The port name of the local connection.
", "LoginAttribute$User": "Indicates the user name which attempted to log in.
", "LoginAttribute$Application": "Indicates the application name used to attempt log in.
", "MalwareProtectionConfigurationResult$ServiceRole": "The GuardDuty Malware Protection service role.
", "MalwareProtectionPlanObjectPrefixesList$member": null, "MalwareProtectionPlanStatusReason$Code": "Issue code.
", "MalwareProtectionPlanStatusReason$Message": "Issue message that specifies the reason. For information about potential troubleshooting steps, see Troubleshooting Malware Protection for S3 status issues in the Amazon GuardDuty User Guide.
", "MalwareProtectionPlanSummary$MalwareProtectionPlanId": "A unique identifier associated with Malware Protection plan.
", "Master$InvitationId": "The value used to validate the administrator account to the member account.
", "Master$RelationshipStatus": "The status of the relationship between the administrator and member accounts.
", "Master$InvitedAt": "The timestamp when the invitation was sent.
", "Member$MasterId": "The administrator account ID.
", "Member$RelationshipStatus": "The status of the relationship between the member and the administrator.
", "Member$InvitedAt": "The timestamp when the invitation was sent.
", "Member$UpdatedAt": "The last-updated timestamp of the member.
", "Member$AdministratorId": "The administrator account ID.
", "MemoryRegionsList$member": null, "Neq$member": null, "NetworkConnectionAction$ConnectionDirection": "The network connection direction.
", "NetworkConnectionAction$Protocol": "The network connection protocol.
", "NetworkConnectionAction$LocalNetworkInterface": "The EC2 instance's local elastic network interface utilized for the connection.
", "NetworkEndpoint$Id": "The ID of the network endpoint.
", "NetworkEndpoint$Ip": "The IP address associated with the network endpoint.
", "NetworkEndpoint$Domain": "The domain information for the network endpoint.
", "NetworkGeoLocation$City": "The name of the city.
", "NetworkGeoLocation$Country": "The name of the country.
", "NetworkInterface$NetworkInterfaceId": "The ID of the network interface.
", "NetworkInterface$PrivateDnsName": "The private DNS name of the EC2 instance.
", "NetworkInterface$PublicDnsName": "The public DNS name of the EC2 instance.
", "NetworkInterface$PublicIp": "The public IP address of the EC2 instance.
", "NetworkInterface$SubnetId": "The subnet ID of the EC2 instance.
", "NetworkInterface$VpcId": "The VPC ID of the EC2 instance.
", "NotEquals$member": null, "ObservationTexts$member": null, "Organization$Asn": "The Autonomous System Number (ASN) of the internet provider of the remote IP address.
", "Organization$AsnOrg": "The organization that registered this ASN.
", "Organization$Isp": "The ISP information for the internet provider.
", "Organization$Org": "The name of the internet provider.
", "Owner$Id": "The canonical user ID of the bucket owner. For information about locating your canonical user ID see Finding Your Account Canonical User ID.
", "PrivateIpAddressDetails$PrivateDnsName": "The private DNS name of the EC2 instance.
", "ProcessDetails$Name": "The name of the process.
", "ProcessDetails$ExecutablePath": "The absolute path of the process executable file.
", "ProcessDetails$ExecutableSha256": "The SHA256 hash of the process executable.
The present working directory of the process.
", "ProcessDetails$Uuid": "The unique ID assigned to the process by GuardDuty.
", "ProcessDetails$ParentUuid": "The unique ID of the parent process. This ID is assigned to the parent process by GuardDuty.
", "ProcessDetails$User": "The user that executed the process.
", "ProductCode$Code": "The product code information.
", "ProductCode$ProductType": "The product code type.
", "PublicAccess$EffectivePermission": "Describes the effective permission on this bucket after factoring all attached policies.
", "RdsDbInstanceDetails$DbInstanceIdentifier": "The identifier associated to the database instance that was involved in the finding.
", "RdsDbInstanceDetails$Engine": "The database engine of the database instance involved in the finding.
", "RdsDbInstanceDetails$EngineVersion": "The version of the database engine that was involved in the finding.
", "RdsDbInstanceDetails$DbClusterIdentifier": "The identifier of the database cluster that contains the database instance ID involved in the finding.
", "RdsDbInstanceDetails$DbInstanceArn": "The Amazon Resource Name (ARN) that identifies the database instance involved in the finding.
", "RdsDbUserDetails$User": "The user name used in the anomalous login attempt.
", "RdsDbUserDetails$Application": "The application name used in the anomalous login attempt.
", "RdsDbUserDetails$Database": "The name of the database instance involved in the anomalous login attempt.
", "RdsDbUserDetails$Ssl": "The version of the Secure Socket Layer (SSL) used for the network.
", "RdsDbUserDetails$AuthMethod": "The authentication method used by the user involved in the finding.
", "RdsLimitlessDbDetails$DbShardGroupIdentifier": "The name associated with the Limitless DB shard group.
", "RdsLimitlessDbDetails$DbShardGroupResourceId": "The resource identifier of the DB shard group within the Limitless Database.
", "RdsLimitlessDbDetails$DbShardGroupArn": "The Amazon Resource Name (ARN) that identifies the DB shard group.
", "RdsLimitlessDbDetails$Engine": "The database engine of the database instance involved in the finding.
", "RdsLimitlessDbDetails$EngineVersion": "The version of the database engine.
", "RdsLimitlessDbDetails$DbClusterIdentifier": "The name of the database cluster that is a part of the Limitless Database.
", "RemoteAccountDetails$AccountId": "The Amazon Web Services account ID of the remote API caller.
", "RemotePortDetails$PortName": "The port name of the remote connection.
", "Resource$ResourceType": "The type of Amazon Web Services resource.
", "ResourceList$member": null, "ResourceNotFoundException$Message": "The error message.
", "ResourceNotFoundException$Type": "The error type.
", "ResourceStatistics$AccountId": "The ID of the Amazon Web Services account.
", "ResourceStatistics$ResourceId": "ID associated with each resource. The following list provides the mapping of the resource type and resource ID.
Mapping of resource and resource ID
AccessKey - resource.accessKeyDetails.accessKeyId
Container - resource.containerDetails.id
ECSCluster - resource.ecsClusterDetails.name
EKSCluster - resource.eksClusterDetails.name
Instance - resource.instanceDetails.instanceId
KubernetesCluster - resource.kubernetesDetails.kubernetesWorkloadDetails.name
Lambda - resource.lambdaDetails.functionName
RDSDBInstance - resource.rdsDbInstanceDetails.dbInstanceIdentifier
S3Bucket - resource.s3BucketDetails.name
S3Object - resource.s3BucketDetails.name
The type of resource.
", "ResourceUids$member": null, "ResourceV2$Uid": "The unique identifier of the resource.
", "ResourceV2$Name": "The name of the resource.
", "ResourceV2$AccountId": "The Amazon Web Services account ID to which the resource belongs.
", "ResourceV2$Region": "The Amazon Web Services Region where the resource belongs.
", "ResourceV2$Service": "The Amazon Web Services service of the resource.
", "ResourceV2$CloudPartition": "The cloud partition within the Amazon Web Services Region to which the resource belongs.
", "RuntimeContext$ScriptPath": "The path to the script that was executed.
", "RuntimeContext$LibraryPath": "The path to the new library that was loaded.
", "RuntimeContext$LdPreloadValue": "The value of the LD_PRELOAD environment variable.
", "RuntimeContext$SocketPath": "The path to the docket socket that was accessed.
", "RuntimeContext$RuncBinaryPath": "The path to the leveraged runc implementation.
The path in the container that modified the release agent file.
", "RuntimeContext$MountSource": "The path on the host that is mounted by the container.
", "RuntimeContext$MountTarget": "The path in the container that is mapped to the host directory.
", "RuntimeContext$FileSystemType": "Represents the type of mounted fileSystem.
", "RuntimeContext$ModuleName": "The name of the module loaded into the kernel.
", "RuntimeContext$ModuleFilePath": "The path to the module loaded into the kernel.
", "RuntimeContext$ModuleSha256": "The SHA256 hash of the module.
The path to the modified shell history file.
", "RuntimeContext$AddressFamily": "Represents the communication protocol associated with the address. For example, the address family AF_INET is used for IP version of 4 protocol.
Name of the potentially suspicious tool.
", "RuntimeContext$ToolCategory": "Category that the tool belongs to. Some of the examples are Backdoor Tool, Pentest Tool, Network Scanner, and Network Sniffer.
", "RuntimeContext$ServiceName": "Name of the security service that has been potentially disabled.
", "RuntimeContext$CommandLineExample": "Example of the command line involved in the suspicious activity.
", "RuntimeContext$ThreatFilePath": "The suspicious file path for which the threat intelligence details were found.
", "S3Bucket$OwnerId": "The owner ID of the associated S3Amazon S3bucket.
", "S3Bucket$EncryptionType": "The type of encryption used for the Amazon S3 buckets and its objects. For more information, see Protecting data with server-side encryption in the Amazon S3 User Guide.
", "S3Bucket$EncryptionKeyArn": "The Amazon Resource Name (ARN) of the encryption key that is used to encrypt the Amazon S3 bucket and its objects.
", "S3Bucket$EffectivePermission": "Describes the effective permissions on this S3 bucket, after factoring all the attached policies.
", "S3BucketDetail$Arn": "The Amazon Resource Name (ARN) of the S3 bucket.
", "S3BucketDetail$Name": "The name of the S3 bucket.
", "S3BucketDetail$Type": "Describes whether the bucket is a source or destination bucket.
", "S3Object$ETag": "The entity tag is a hash of the Amazon S3 object. The ETag reflects changes only to the contents of an object, and not its metadata.
", "S3Object$Key": "The key of the Amazon S3 object.
", "S3Object$VersionId": "The version Id of the Amazon S3 object.
", "S3ObjectDetail$ObjectArn": "Amazon Resource Name (ARN) of the S3 object.
", "S3ObjectDetail$Key": "Key of the S3 object.
", "S3ObjectDetail$ETag": "The entity tag is a hash of the S3 object. The ETag reflects changes only to the contents of an object, and not its metadata.
", "S3ObjectDetail$Hash": "Hash of the threat detected in this finding.
", "S3ObjectDetail$VersionId": "Version ID of the object.
", "S3ObjectUids$member": null, "ScanFilePath$FilePath": "The file path of the infected file.
", "ScanFilePath$VolumeArn": "EBS volume ARN details of the infected file.
", "ScanFilePath$Hash": "The hash value of the infected file.
", "ScanFilePath$FileName": "File name of the infected file.
", "ScanThreatName$Name": "The name of the identified threat.
", "ScanThreatName$Severity": "Severity of threat identified as part of the malware scan.
", "SecurityGroup$GroupId": "The security group ID of the EC2 instance.
", "SecurityGroup$GroupName": "The security group name of the EC2 instance.
", "Sequence$Uid": "Unique identifier of the attack sequence.
", "Service$EventFirstSeen": "The first-seen timestamp of the activity that prompted GuardDuty to generate this finding.
", "Service$EventLastSeen": "The last-seen timestamp of the activity that prompted GuardDuty to generate this finding.
", "Service$ResourceRole": "The resource role information for this finding.
", "Service$ServiceName": "The name of the Amazon Web Services service (GuardDuty) that generated a finding.
", "Service$UserFeedback": "Feedback that was submitted about the finding.
", "Service$FeatureName": "The name of the feature that generated a finding.
", "ServiceAdditionalInfo$Value": "This field specifies the value of the additional information.
", "ServiceAdditionalInfo$Type": "Describes the type of the additional information.
", "Session$Uid": "The unique identifier of the session.
", "Session$Issuer": "Identifier of the session issuer.
In Amazon Web Services CloudTrail, you can find this value as userIdentity.sessionContext.sessionIssuer.arn.
The unique identifier of the signal.
", "Signal$Name": "The name of the signal. For example, when signal type is FINDING, the signal name is the name of the finding.
Represents the finding attribute, such as accountId, that sorts the findings.
Describes the key associated with the tag.
", "Tag$Value": "Describes the value associated with the tag key.
", "Threat$Name": "Name of the detected threat that caused GuardDuty to generate this finding.
", "Threat$Source": "Source of the threat that generated this finding.
", "ThreatEntitySetIds$member": null, "ThreatIntelSetIds$member": null, "ThreatIntelligenceDetail$ThreatListName": "The name of the threat intelligence list that triggered the finding.
", "ThreatIntelligenceDetail$ThreatFileSha256": "SHA256 of the file that generated the finding.
", "ThreatNames$member": null, "Total$Amount": "The total usage.
", "Total$Unit": "The currency unit that the amount is given in.
", "TrustedEntitySetIds$member": null, "UnprocessedAccount$Result": "A reason why the account hasn't been processed.
", "UpdateFilterRequest$FilterName": "The name of the filter.
", "UpdateFindingsFeedbackRequest$Comments": "Additional feedback about the GuardDuty findings.
", "UpdateIPSetRequest$IpSetId": "The unique ID that specifies the IPSet that you want to update.
", "UpdateMalwareProtectionPlanRequest$MalwareProtectionPlanId": "A unique identifier associated with the Malware Protection plan.
", "UpdateMalwareProtectionPlanRequest$Role": "Amazon Resource Name (ARN) of the IAM role with permissions to scan and add tags to the associated protected resource.
", "UpdatePublishingDestinationRequest$DestinationId": "The ID of the publishing destination to update.
", "UpdateThreatEntitySetRequest$ThreatEntitySetId": "The ID returned by GuardDuty after updating the threat entity set resource.
", "UpdateThreatIntelSetRequest$ThreatIntelSetId": "The unique ID that specifies the ThreatIntelSet that you want to update.
", "UpdateTrustedEntitySetRequest$TrustedEntitySetId": "The ID returned by GuardDuty after updating the trusted entity set resource.
", "UsageResourceResult$Resource": "The Amazon Web Services resource that generated usage.
", "User$Name": "The name of the user.
", "User$Uid": "The unique identifier of the user.
", "User$Type": "The type of the user.
", "User$CredentialUid": "The credentials of the user ID.
", "Volume$Name": "Volume name.
", "VolumeDetail$VolumeArn": "EBS volume ARN information.
", "VolumeDetail$VolumeType": "The EBS volume type.
", "VolumeDetail$DeviceName": "The device name for the EBS volume.
", "VolumeDetail$EncryptionType": "EBS volume encryption type.
", "VolumeDetail$SnapshotArn": "Snapshot ARN of the EBS volume.
", "VolumeDetail$KmsKeyArn": "KMS key ARN used to encrypt the EBS volume.
", "VolumeMount$Name": "Volume mount name.
", "VolumeMount$MountPath": "Volume mount path.
", "VpcConfig$VpcId": "The identifier of the Amazon Virtual Private Cloud.
" } }, "SubnetIds": { "base": null, "refs": { "VpcConfig$SubnetIds": "The identifiers of the subnets that are associated with your Lambda function.
" } }, "Tag": { "base": "Contains information about a tag key-value pair.
", "refs": { "Tags$member": null } }, "TagKey": { "base": null, "refs": { "ScanConditionPair$Key": "Represents the key in the map condition.
", "TagKeyList$member": null, "TagMap$key": null } }, "TagKeyList": { "base": null, "refs": { "UntagResourceRequest$TagKeys": "The tag keys to remove from the resource.
" } }, "TagMap": { "base": null, "refs": { "CreateDetectorRequest$Tags": "The tags to be added to a new detector resource.
", "CreateFilterRequest$Tags": "The tags to be added to a new filter resource.
", "CreateIPSetRequest$Tags": "The tags to be added to a new IP set resource.
", "CreateMalwareProtectionPlanRequest$Tags": "Tags added to the Malware Protection plan resource.
", "CreateThreatEntitySetRequest$Tags": "The tags to be added to a new threat entity set resource.
", "CreateThreatIntelSetRequest$Tags": "The tags to be added to a new threat list resource.
", "CreateTrustedEntitySetRequest$Tags": "The tags to be added to a new trusted entity set resource.
", "GetDetectorResponse$Tags": "The tags of the detector resource.
", "GetFilterResponse$Tags": "The tags of the filter resource.
", "GetIPSetResponse$Tags": "The tags of the IPSet resource.
", "GetMalwareProtectionPlanResponse$Tags": "Tags added to the Malware Protection plan resource.
", "GetThreatEntitySetResponse$Tags": "The tags associated with the threat entity set resource.
", "GetThreatIntelSetResponse$Tags": "The tags of the threat list resource.
", "GetTrustedEntitySetResponse$Tags": "The tags associated with trusted entity set resource.
", "ListTagsForResourceResponse$Tags": "The tags associated with the resource.
", "TagResourceRequest$Tags": "The tags to be added to a resource.
" } }, "TagResourceRequest": { "base": null, "refs": {} }, "TagResourceResponse": { "base": null, "refs": {} }, "TagValue": { "base": null, "refs": { "ScanConditionPair$Value": "Represents optional value in the map condition. If not specified, only the key will be matched.
", "TagMap$value": null } }, "Tags": { "base": null, "refs": { "EcsClusterDetails$Tags": "The tags of the ECS Cluster.
", "EcsTaskDetails$Tags": "The tags of the ECS Task.
", "EksClusterDetails$Tags": "The EKS cluster tags.
", "InstanceDetails$Tags": "The tags of the EC2 instance.
", "LambdaDetails$Tags": "A list of tags attached to this resource, listed in the format of key:value pair.
Information about the tag key-value pairs.
", "RdsLimitlessDbDetails$Tags": "Information about the tag key-value pair.
", "ResourceV2$Tags": "Contains information about the tags associated with the resource.
", "S3BucketDetail$Tags": "All tags attached to the S3 bucket
" } }, "Threat": { "base": "Information about the detected threats associated with the generated finding.
", "refs": { "Threats$member": null } }, "ThreatDetectedByName": { "base": "Contains details about identified threats organized by threat name.
", "refs": { "ScanDetections$ThreatDetectedByName": "Contains details about identified threats organized by threat name.
" } }, "ThreatEntitySetFormat": { "base": null, "refs": { "CreateThreatEntitySetRequest$Format": "The format of the file that contains the threat entity set.
", "GetThreatEntitySetResponse$Format": "The format of the file that contains the threat entity set.
" } }, "ThreatEntitySetIds": { "base": null, "refs": { "ListThreatEntitySetsResponse$ThreatEntitySetIds": "The IDs of the threat entity set resources.
" } }, "ThreatEntitySetStatus": { "base": null, "refs": { "GetThreatEntitySetResponse$Status": "The status of the associated threat entity set.
" } }, "ThreatIntelSetFormat": { "base": null, "refs": { "CreateThreatIntelSetRequest$Format": "The format of the file that contains the ThreatIntelSet.
", "GetThreatIntelSetResponse$Format": "The format of the threatIntelSet.
" } }, "ThreatIntelSetIds": { "base": null, "refs": { "ListThreatIntelSetsResponse$ThreatIntelSetIds": "The IDs of the ThreatIntelSet resources.
" } }, "ThreatIntelSetStatus": { "base": null, "refs": { "GetThreatIntelSetResponse$Status": "The status of threatIntelSet file uploaded.
" } }, "ThreatIntelligenceDetail": { "base": "An instance of a threat intelligence detail that constitutes evidence for the finding.
", "refs": { "ThreatIntelligenceDetails$member": null } }, "ThreatIntelligenceDetails": { "base": null, "refs": { "Evidence$ThreatIntelligenceDetails": "A list of threat intelligence details related to the evidence.
" } }, "ThreatNames": { "base": null, "refs": { "ThreatIntelligenceDetail$ThreatNames": "A list of names of the threats in the threat intelligence list that triggered the finding.
" } }, "Threats": { "base": null, "refs": { "MalwareScanDetails$Threats": "Information about the detected threats associated with the generated GuardDuty finding.
" } }, "ThreatsDetectedItemCount": { "base": "Contains total number of infected files.
", "refs": { "ScanDetections$ThreatsDetectedItemCount": "Total number of infected files.
" } }, "Timestamp": { "base": null, "refs": { "AccountStatistics$LastGeneratedAt": "The timestamp at which the finding for this account was last generated.
", "CoverageResource$UpdatedAt": "The timestamp at which the coverage details for the resource were last updated. This is in UTC format.
", "DateStatistics$Date": "The timestamp when the total findings count is observed.
For example, Date would look like \"2024-09-05T17:00:00-07:00\" whereas LastGeneratedAt would look like 2024-09-05T17:12:29-07:00\".
The timestamp at which the last finding in the findings count, was generated.
", "DetectorAdditionalConfigurationResult$UpdatedAt": "The timestamp at which the additional configuration was last updated. This is in UTC format.
", "DetectorFeatureConfigurationResult$UpdatedAt": "The timestamp at which the feature object was updated.
", "EbsVolumeScanDetails$ScanStartedAt": "Returns the start date and time of the malware scan.
", "EbsVolumeScanDetails$ScanCompletedAt": "Returns the completion date and time of the malware scan.
", "EcsTaskDetails$TaskCreatedAt": "The Unix timestamp for the time when the task was created.
", "EcsTaskDetails$StartedAt": "The Unix timestamp for the time when the task started.
", "EksCluster$CreatedAt": "The timestamp indicating when the Amazon EKS cluster was created, in UTC format.
", "EksClusterDetails$CreatedAt": "The timestamp when the EKS cluster was created.
", "FindingTypeStatistics$LastGeneratedAt": "The timestamp at which this finding type was last generated in your environment.
", "GetMalwareProtectionPlanResponse$CreatedAt": "The timestamp when the Malware Protection plan resource was created.
", "GetThreatEntitySetResponse$CreatedAt": "The timestamp when the associated threat entity set was created.
", "GetThreatEntitySetResponse$UpdatedAt": "The timestamp when the associated threat entity set was updated.
", "GetTrustedEntitySetResponse$CreatedAt": "The timestamp when the associated trusted entity set was created.
", "GetTrustedEntitySetResponse$UpdatedAt": "The timestamp when the associated trusted entity set was updated.
", "LambdaDetails$LastModifiedAt": "The timestamp when the Lambda function was last modified. This field is in the UTC date string format (2023-03-22T19:37:20.168Z).
The time when the process started. This is in UTC format.
", "MemberAdditionalConfigurationResult$UpdatedAt": "The timestamp at which the additional configuration was set for the member account. This is in UTC format.
", "MemberFeaturesConfigurationResult$UpdatedAt": "The timestamp at which the feature object was updated.
", "OrganizationDetails$UpdatedAt": "The timestamp at which the organization statistics was last updated. This is in UTC format.
", "ProcessDetails$StartTime": "The time when the process started. This is in UTC format.
", "ResourceStatistics$LastGeneratedAt": "The timestamp at which the statistics for this resource was last generated.
", "RuntimeContext$ModifiedAt": "The timestamp at which the process modified the current process. The timestamp is in UTC date string format.
", "S3Bucket$CreatedAt": "The timestamp at which the Amazon S3 bucket was created.
", "S3BucketDetail$CreatedAt": "The date and time the bucket was created at.
", "Scan$ScanStartTime": "The timestamp of when the scan was triggered.
", "Scan$ScanEndTime": "The timestamp of when the scan was finished.
", "Session$CreatedTime": "The timestamp for when the session was created.
In Amazon Web Services CloudTrail, you can find this value as userIdentity.sessionContext.attributes.creationDate.
The timestamp at which a finding type for a specific severity was last generated.
", "Signal$CreatedAt": "The timestamp when the first finding or activity related to this signal was observed.
", "Signal$UpdatedAt": "The timestamp when this signal was last observed.
", "Signal$FirstSeenAt": "The timestamp when the first finding or activity related to this signal was observed.
", "Signal$LastSeenAt": "The timestamp when the last finding or activity related to this signal was observed.
" } }, "Total": { "base": "Contains the total usage with the corresponding currency unit for that value.
", "refs": { "UsageAccountResult$Total": "Represents the total of usage for the Account ID.
", "UsageDataSourceResult$Total": "Represents the total of usage for the specified data source.
", "UsageFeatureResult$Total": null, "UsageResourceResult$Total": "Represents the sum total of usage for the specified resource type.
", "UsageTopAccountResult$Total": null } }, "TriggerDetails": { "base": "Represents the reason the scan was triggered.
", "refs": { "Scan$TriggerDetails": "Specifies the reason why the scan was initiated.
" } }, "TrustedEntitySetFormat": { "base": null, "refs": { "CreateTrustedEntitySetRequest$Format": "The format of the file that contains the trusted entity set.
", "GetTrustedEntitySetResponse$Format": "The format of the file that contains the trusted entity set.
" } }, "TrustedEntitySetIds": { "base": null, "refs": { "ListTrustedEntitySetsResponse$TrustedEntitySetIds": "The IDs of the trusted entity set resources.
" } }, "TrustedEntitySetStatus": { "base": null, "refs": { "GetTrustedEntitySetResponse$Status": "The status of the associated trusted entity set.
" } }, "UnarchiveFindingsRequest": { "base": null, "refs": {} }, "UnarchiveFindingsResponse": { "base": null, "refs": {} }, "UnprocessedAccount": { "base": "Contains information about the accounts that weren't processed.
", "refs": { "UnprocessedAccounts$member": null } }, "UnprocessedAccounts": { "base": null, "refs": { "CreateMembersResponse$UnprocessedAccounts": "A list of objects that include the accountIds of the unprocessed accounts and a result string that explains why each was unprocessed.
A list of objects that contain the unprocessed account and a result string that explains why it was unprocessed.
", "DeleteInvitationsResponse$UnprocessedAccounts": "A list of objects that contain the unprocessed account and a result string that explains why it was unprocessed.
", "DeleteMembersResponse$UnprocessedAccounts": "The accounts that could not be processed.
", "DisassociateMembersResponse$UnprocessedAccounts": "A list of objects that contain the unprocessed account and a result string that explains why it was unprocessed.
", "GetMemberDetectorsResponse$UnprocessedAccounts": "A list of member account IDs that were unable to be processed along with an explanation for why they were not processed.
", "GetMembersResponse$UnprocessedAccounts": "A list of objects that contain the unprocessed account and a result string that explains why it was unprocessed.
", "GetRemainingFreeTrialDaysResponse$UnprocessedAccounts": "The member account that was included in a request but for which the request could not be processed.
", "InviteMembersResponse$UnprocessedAccounts": "A list of objects that contain the unprocessed account and a result string that explains why it was unprocessed.
", "StartMonitoringMembersResponse$UnprocessedAccounts": "A list of objects that contain the unprocessed account and a result string that explains why it was unprocessed.
", "StopMonitoringMembersResponse$UnprocessedAccounts": "A list of objects that contain an accountId for each account that could not be processed, and a result string that indicates why the account was not processed.
", "UpdateMemberDetectorsResponse$UnprocessedAccounts": "A list of member account IDs that were unable to be processed along with an explanation for why they were not processed.
" } }, "UnprocessedDataSourcesResult": { "base": "Specifies the names of the data sources that couldn't be enabled.
", "refs": { "CreateDetectorResponse$UnprocessedDataSources": "Specifies the data sources that couldn't be enabled when GuardDuty was enabled for the first time.
" } }, "UntagResourceRequest": { "base": null, "refs": {} }, "UntagResourceResponse": { "base": null, "refs": {} }, "UpdateDetectorRequest": { "base": null, "refs": {} }, "UpdateDetectorResponse": { "base": null, "refs": {} }, "UpdateFilterRequest": { "base": null, "refs": {} }, "UpdateFilterResponse": { "base": null, "refs": {} }, "UpdateFindingsFeedbackRequest": { "base": null, "refs": {} }, "UpdateFindingsFeedbackResponse": { "base": null, "refs": {} }, "UpdateIPSetRequest": { "base": null, "refs": {} }, "UpdateIPSetResponse": { "base": null, "refs": {} }, "UpdateMalwareProtectionPlanRequest": { "base": null, "refs": {} }, "UpdateMalwareScanSettingsRequest": { "base": null, "refs": {} }, "UpdateMalwareScanSettingsResponse": { "base": null, "refs": {} }, "UpdateMemberDetectorsRequest": { "base": null, "refs": {} }, "UpdateMemberDetectorsResponse": { "base": null, "refs": {} }, "UpdateOrganizationConfigurationRequest": { "base": null, "refs": {} }, "UpdateOrganizationConfigurationResponse": { "base": null, "refs": {} }, "UpdateProtectedResource": { "base": "Information about the protected resource that is associated with the created Malware Protection plan. Presently, S3Bucket is the only supported protected resource.
Information about the protected resource that is associated with the created Malware Protection plan. Presently, S3Bucket is the only supported protected resource.
Information about the protected S3 bucket resource.
", "refs": { "UpdateProtectedResource$S3Bucket": "Information about the protected S3 bucket resource.
" } }, "UpdateThreatEntitySetRequest": { "base": null, "refs": {} }, "UpdateThreatEntitySetResponse": { "base": null, "refs": {} }, "UpdateThreatIntelSetRequest": { "base": null, "refs": {} }, "UpdateThreatIntelSetResponse": { "base": null, "refs": {} }, "UpdateTrustedEntitySetRequest": { "base": null, "refs": {} }, "UpdateTrustedEntitySetResponse": { "base": null, "refs": {} }, "UsageAccountResult": { "base": "Contains information on the total of usage based on account IDs.
", "refs": { "UsageAccountResultList$member": null } }, "UsageAccountResultList": { "base": null, "refs": { "UsageStatistics$SumByAccount": "The usage statistic sum organized by account ID.
" } }, "UsageCriteria": { "base": "Contains information about the criteria used to query usage statistics.
", "refs": { "GetUsageStatisticsRequest$UsageCriteria": "Represents the criteria used for querying usage.
" } }, "UsageDataSourceResult": { "base": "Contains information on the result of usage based on data source type.
", "refs": { "UsageDataSourceResultList$member": null } }, "UsageDataSourceResultList": { "base": null, "refs": { "UsageStatistics$SumByDataSource": "The usage statistic sum organized by on data source.
" } }, "UsageFeature": { "base": null, "refs": { "UsageFeatureList$member": null, "UsageFeatureResult$Feature": "The feature that generated the usage cost.
", "UsageTopAccountsResult$Feature": "Features by which you can generate the usage statistics.
RDS_LOGIN_EVENTS is currently not supported with topAccountsByFeature.
The features to aggregate usage statistics from.
" } }, "UsageFeatureResult": { "base": "Contains information about the result of the total usage based on the feature.
", "refs": { "UsageFeatureResultList$member": null } }, "UsageFeatureResultList": { "base": null, "refs": { "UsageStatistics$SumByFeature": "The usage statistic sum organized by feature.
" } }, "UsageResourceResult": { "base": "Contains information on the sum of usage based on an Amazon Web Services resource.
", "refs": { "UsageResourceResultList$member": null } }, "UsageResourceResultList": { "base": null, "refs": { "UsageStatistics$SumByResource": "The usage statistic sum organized by resource.
", "UsageStatistics$TopResources": "Lists the top 50 resources that have generated the most GuardDuty usage, in order from most to least expensive.
" } }, "UsageStatisticType": { "base": null, "refs": { "GetUsageStatisticsRequest$UsageStatisticType": "The type of usage statistics to retrieve.
" } }, "UsageStatistics": { "base": "Contains the result of GuardDuty usage. If a UsageStatisticType is provided the result for other types will be null.
", "refs": { "GetUsageStatisticsResponse$UsageStatistics": "The usage statistics object. If a UsageStatisticType was provided, the objects representing other types will be null.
" } }, "UsageTopAccountResult": { "base": "Contains information on the total of usage based on the topmost 50 account IDs.
", "refs": { "UsageTopAccountsByFeatureList$member": null } }, "UsageTopAccountsByFeatureList": { "base": null, "refs": { "UsageTopAccountsResult$Accounts": "The accounts that contributed to the total usage cost.
" } }, "UsageTopAccountsResult": { "base": "Information about the usage statistics, calculated by top accounts by feature.
", "refs": { "UsageTopAccountsResultList$member": null } }, "UsageTopAccountsResultList": { "base": null, "refs": { "UsageStatistics$TopAccountsByFeature": "Lists the top 50 accounts by feature that have generated the most GuardDuty usage, in the order from most to least expensive.
Currently, this doesn't support RDS_LOGIN_EVENTS.
Contains information about the user involved in the attack sequence.
", "refs": { "Actor$User": "Contains information about the user credentials used by the threat actor.
" } }, "Volume": { "base": "Volume used by the Kubernetes workload.
", "refs": { "Volumes$member": null } }, "VolumeDetail": { "base": "Contains EBS volume details.
", "refs": { "VolumeDetails$member": null } }, "VolumeDetails": { "base": null, "refs": { "EbsVolumeDetails$ScannedVolumeDetails": "List of EBS volumes that were scanned.
", "EbsVolumeDetails$SkippedVolumeDetails": "List of EBS volumes that were skipped from the malware scan.
", "Scan$AttachedVolumes": "List of volumes that were attached to the original instance to be scanned.
" } }, "VolumeMount": { "base": "Container volume mount.
", "refs": { "VolumeMounts$member": null } }, "VolumeMounts": { "base": null, "refs": { "Container$VolumeMounts": "Container volume mounts.
" } }, "Volumes": { "base": null, "refs": { "EcsTaskDetails$Volumes": "The list of data volume definitions for the task.
", "KubernetesWorkloadDetails$Volumes": "Volumes used by the Kubernetes workload.
" } }, "VpcConfig": { "base": "Amazon Virtual Private Cloud configuration details associated with your Lambda function.
", "refs": { "LambdaDetails$VpcConfig": "Amazon Virtual Private Cloud configuration details associated with your Lambda function.
" } } } }