AWS - GuardDuty

Use this integration to detect and manage threats to your AWS system.

We recommend that you use roles that have the following built-in (AWS managed) policies, or a custom policy scoped to the per-command IAM permissions listed under each command below:

  • AmazonGuardDutyFullAccess
  • AmazonGuardDutyReadOnlyAccess

Prerequisites

It is important that you familiarize yourself with and complete all steps detailed in the Amazon AWS Integrations Configuration Guide.

Configure the AWS GuardDuty Integration on Demisto

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for AWS - GuardDuty.
  3. Click Add instance to create and configure a new integration instance.
    • Name : a textual name for the integration instance
    • AWS Default Region
    • Role Arn
    • Fetch incidents
    • Incident type
    • GuardDuty Severity Level (Low, Medium, High)
    • Role Session Name
    • Role Session Duration
  4. Click Test to validate the connection and credentials.

Fetched Incidents Data

  • The integration fetches newly created GuardDuty findings. Fetched findings are archived in GuardDuty so that they are not fetched again. Each integration instance can fetch findings from a single AWS Region.
  • Each region can have a maximum of 1,000 member accounts that are linked to a GuardDuty master account. For more information, see the Amazon GuardDuty documentation.
  • You can set the minimum severity level of the findings to be fetched: "Low", "Medium", or "High". For example, if you set the severity level to "Medium", the integration only fetches findings with a severity of Medium or higher.
  • Findings in archived status are not retrieved.
  • The initial fetch interval is one minute.
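The fetch rules above (minimum severity band, archived findings skipped, fetched findings archived) as a runnable simulation of one fetch cycle. This is an added example, not the integration's own code: the numeric thresholds are taken from GuardDuty's severity bands (Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9), the FindingCriteria shape and the attribute names `severity` and `service.archived` are assumed from the GuardDuty filter documentation, and `sample_findings()` is constructed data.

```python
"""Severity threshold and fetch-then-archive semantics of the fetch-incidents loop.

Added example; not the integration's own code. Threshold values come from
GuardDuty's severity bands (Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9).
sample_findings() is constructed data shaped like aws-gd-get-findings output
plus the Severity and Service.Archived fields a real finding carries.
"""
import json

SEVERITY_THRESHOLD = {"Low": 1.0, "Medium": 4.0, "High": 7.0}


def finding_criteria(level):
    """FindingCriteria in the shape a boto3 list_findings call expects (assumption:
    attribute names 'severity' and 'service.archived' as in the GuardDuty filter
    documentation): severity at or above the band, and not archived."""
    return {
        "Criterion": {
            "severity": {"Gte": int(SEVERITY_THRESHOLD[level])},
            "service.archived": {"Eq": ["false"]},
        }
    }


def sample_findings():
    """Constructed findings; a fresh copy on each call so fetch cycles can mutate them."""
    def finding(fid, severity, archived=False):
        return {
            "Id": fid,
            "Type": "Recon:EC2/PortProbeUnprotectedPort",
            "Severity": severity,
            "CreatedAt": "2018-05-13T09:07:13.564Z",
            "Service": {"Archived": archived},
        }
    return [
        finding("f-low", 2.0),
        finding("f-med", 5.0),
        finding("f-high", 8.0),
        finding("f-done", 8.0, archived=True),   # already archived: never fetched
    ]


def matches(finding, level):
    """Local equivalent of finding_criteria(level)."""
    return (finding["Severity"] >= SEVERITY_THRESHOLD[level]
            and not finding["Service"]["Archived"])


def fetch_incidents(findings, level):
    """One fetch cycle: select matching findings, build incidents from them and
    archive them so that the next cycle does not return them again."""
    fetched = [f for f in findings if matches(f, level)]
    incidents = [
        {"name": f"{f['Type']} ({f['Id']})",
         "occurred": f["CreatedAt"],
         "rawJSON": json.dumps(f)}
        for f in fetched
    ]
    for f in fetched:                 # what aws-gd-archive-findings does server-side
        f["Service"]["Archived"] = True
    return incidents


def fetched_ids(incidents):
    """Finding IDs carried by a list of incidents."""
    return [json.loads(i["rawJSON"])["Id"] for i in incidents]


if __name__ == "__main__":
    findings = sample_findings()
    print("first cycle :", fetched_ids(fetch_incidents(findings, "Medium")))  # ['f-med', 'f-high']
    print("second cycle:", fetched_ids(fetch_incidents(findings, "Medium")))  # []
```

The second cycle returns nothing because the first cycle archived what it fetched; this is also why findings archived by hand (aws-gd-archive-findings) never become incidents, and why un-archiving one (aws-gd-unarchive-findings) makes it eligible again.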

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. Create an Amazon GuardDuty detector: aws-gd-create-detector
  2. Delete an Amazon GuardDuty detector: aws-gd-delete-detector
  3. Retrieve an Amazon GuardDuty detector: aws-gd-get-detector
  4. Update an Amazon GuardDuty detector: aws-gd-update-detector
  5. Create an IP whitelist: aws-gd-create-ip-set
  6. Delete an IP whitelist: aws-gd-delete-ip-set
  7. List all Amazon GuardDuty detectors: aws-gd-list-detectors
  8. Update an IP whitelist: aws-gd-update-ip-set
  9. Get IP whitelist information: aws-gd-get-ip-set
  10. List all IP whitelists: aws-gd-list-ip-sets
  11. Create a threat intelligence set: aws-gd-create-threatintel-set
  12. Delete a threat intelligence set: aws-gd-delete-threatintel-set
  13. Get threat intelligence set information: aws-gd-get-threatintel-set
  14. List all threat intelligence sets: aws-gd-list-threatintel-sets
  15. Update a threat intelligence set: aws-gd-update-threatintel-set
  16. List Amazon GuardDuty findings for a specific detector: aws-gd-list-findings
  17. Describe Amazon GuardDuty findings for a specific detector: aws-gd-get-findings
  18. Generate example findings: aws-gd-create-sample-findings
  19. Archive Amazon GuardDuty findings: aws-gd-archive-findings
  20. Un-archive Amazon GuardDuty findings: aws-gd-unarchive-findings
  21. Mark Amazon GuardDuty findings as useful or not useful: aws-gd-update-findings-feedback
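A playbook rarely needs every command above, so the managed FullAccess policy is more than it should carry. The following added example (not part of the integration) builds a least-privilege policy from the commands actually used and checks an existing policy's action patterns against it. The command-to-action table is copied from the "AWS IAM Policy Permission" section of each command below; `MANAGED_READ_ONLY` is a simplified stand-in for what AmazonGuardDutyReadOnlyAccess grants (an assumption: the real managed policy may contain further statements).

```python
"""Least-privilege IAM policy for the aws-gd-* commands a playbook uses.

Added example; not part of the integration. IAM action names are matched
case-insensitively with the * and ? wildcards, which is how IAM evaluates
the Action element.
"""
import fnmatch
import json

# Copied from the per-command "AWS IAM Policy Permission" sections of this page.
COMMAND_ACTIONS = {
    "aws-gd-create-detector": "guardduty:CreateDetector",
    "aws-gd-delete-detector": "guardduty:DeleteDetector",
    "aws-gd-get-detector": "guardduty:GetDetector",
    "aws-gd-update-detector": "guardduty:UpdateDetector",
    "aws-gd-list-detectors": "guardduty:ListDetectors",
    "aws-gd-create-ip-set": "guardduty:CreateIPSet",
    "aws-gd-delete-ip-set": "guardduty:DeleteIPSet",
    "aws-gd-update-ip-set": "guardduty:UpdateIPSet",
    "aws-gd-get-ip-set": "guardduty:GetIPSet",
    "aws-gd-list-ip-sets": "guardduty:ListIPSets",
    "aws-gd-create-threatintel-set": "guardduty:CreateThreatIntelSet",
    "aws-gd-delete-threatintel-set": "guardduty:DeleteThreatIntelSet",
    "aws-gd-get-threatintel-set": "guardduty:GetThreatIntelSet",
    "aws-gd-list-threatintel-sets": "guardduty:ListThreatIntelSets",
    "aws-gd-update-threatintel-set": "guardduty:UpdateThreatIntelSet",
    "aws-gd-list-findings": "guardduty:ListFindings",
    "aws-gd-get-findings": "guardduty:GetFindings",
    "aws-gd-create-sample-findings": "guardduty:CreateSampleFindings",
    "aws-gd-archive-findings": "guardduty:ArchiveFindings",
    "aws-gd-unarchive-findings": "guardduty:UnarchiveFindings",
    "aws-gd-update-findings-feedback": "guardduty:UpdateFindingsFeedback",
}

# Assumption: simplified stand-in for the read-only managed policy's actions.
MANAGED_READ_ONLY = ["guardduty:Get*", "guardduty:List*"]


def actions_for(commands):
    """Sorted, de-duplicated IAM actions needed by the given commands."""
    unknown = sorted(set(commands) - COMMAND_ACTIONS.keys())
    if unknown:
        raise KeyError(f"unknown commands: {unknown}")
    return sorted({COMMAND_ACTIONS[c] for c in commands})


def build_policy(commands, resource="*"):
    """Policy document granting exactly the actions the commands need.
    GuardDuty supports detector ARNs as resources, so pass the detector ARN
    instead of "*" when the playbook works against a known detector."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Action": actions_for(commands),
                       "Resource": resource}],
    }


def action_allowed(action, allowed_patterns):
    """True if any IAM action pattern (with * / ? wildcards) matches the action."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in allowed_patterns)


def missing_actions(commands, allowed_patterns):
    """Actions the commands need that the given patterns do not grant."""
    return [a for a in actions_for(commands) if not action_allowed(a, allowed_patterns)]


if __name__ == "__main__":
    triage = ["aws-gd-list-findings", "aws-gd-get-findings", "aws-gd-archive-findings"]
    print(json.dumps(build_policy(triage), indent=2))
    print("not covered by read-only:", missing_actions(triage, MANAGED_READ_ONLY))
```

Run the check against the policy attached to the Role Arn configured on the instance before the first playbook run; a missing `guardduty:ArchiveFindings` shows up here rather than as an AccessDenied in the War Room.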

Create an Amazon GuardDuty detector: aws-gd-create-detector

Creates an Amazon GuardDuty detector on the AWS account specified in the integration instance.

Command Example

!aws-gd-create-detector enabled=True region=eu-west-2

AWS IAM Policy Permission

Effect: Allow
Action: guardduty:CreateDetector

Input
Parameter Description
enabled A boolean value that specifies whether to enable the detector
region AWS region (if not specified, the default region is used)
roleArn Amazon Resource Name (ARN) of the role to assume
roleSessionName Identifier for the assumed role session
roleSessionDuration Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role)

Context Output
Path Description
AWS.GuardDuty.Detectors.DetectorId Unique ID of the created detector

Raw Output
{  
   "DetectorId":"38b1235ed3fe245279cd0c8e235db0715ac5561eb"
}

Delete an Amazon GuardDuty detector: aws-gd-delete-detector

Deletes an Amazon GuardDuty detector on the AWS account specified in the integration instance.

Command Example

!aws-gd-delete-detector detectorId=38b1235ed3fe245279cd0c8e235db0715ac5561eb

AWS IAM Policy Permission

Effect: Allow
Action: guardduty:DeleteDetector

Input
Parameter Description
detectorId Unique ID of the detector that you want to delete
region AWS region (if not specified, the default region is used)
roleArn Amazon Resource Name (ARN) of the role to assume
roleSessionName Identifier for the assumed role session
roleSessionDuration Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role)

Context Output

There is no context output for this command.

Raw Output
The Detector 38b1235ed3fe245279cd0c8e235db0715ac5561eb has been deleted.

Retrieve an Amazon GuardDuty detector: aws-gd-get-detector

Retrieves an Amazon GuardDuty detector by detectorId.

Command Example

!aws-gd-get-detector detectorId=38b1ed3fe279fdascd0c8edb071dsf5ac5561eb region=eu-west-2

AWS IAM Policy Permission

Effect: Allow
Action: guardduty:GetDetector

Input
Parameter Description
detectorId Unique ID of the detector that you want to retrieve
region AWS region (if not specified, the default region is used)
roleArn Amazon Resource Name (ARN) of the role to assume
roleSessionName Identifier for the assumed role session
roleSessionDuration Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role)

Context Output
Path Description
AWS.GuardDuty.Detectors.DetectorId Unique ID of the detector
AWS.GuardDuty.Detectors.CreatedAt The first time a resource was created
AWS.GuardDuty.Detectors.ServiceRole Customer serviceRole name or ARN for accessing customer resources
AWS.GuardDuty.Detectors.Status Status of the detector
AWS.GuardDuty.Detectors.UpdatedAt The time a resource was last updated

Raw Output
{ 
   "CreatedAt":"2018-06-07T13:46:37.031Z",
   "DetectorId":"38b1ed3fe279cd0c8edb0715ac5561eb",
   "ServiceRole":"arn:aws:iam::123456789:role/aws-service-role/guardduty.amazonaws.com/AWSServiceRoleForAmazonGuardDuty",
   "Status":"DISABLED",
   "UpdatedAt":"2018-06-07T13:46:37.031Z"
}

Update an Amazon GuardDuty detector: aws-gd-update-detector

Updates an Amazon GuardDuty detector by detectorId.

Command Example

!aws-gd-update-detector detectorId=38b1ed3fe279fdascd0c8edb071dsf5ac5561eb enable=True

AWS IAM Policy Permission

Effect: Allow
Action: guardduty:UpdateDetector

Input
Parameter Description
detectorId Unique ID of the detector that you want to update
enable Updated boolean value for the detector that specifies whether the detector is enabled
region AWS region (if not specified, the default region is used)
roleArn Amazon Resource Name (ARN) of the role to assume
roleSessionName Identifier for the assumed role session
roleSessionDuration Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role)

Context Output

There is no context output for this command.

Raw Output
The Detector 38b1ed3fe279fdascd0c8edb071dsf5ac5561eb was updated.

Create an IP whitelist: aws-gd-create-ip-set

Creates a list of trusted IP addresses (IPSet) that are whitelisted for secure communication with AWS infrastructure and applications. GuardDuty does not generate findings for IP addresses in an active IPSet.

Command Example

!aws-gd-create-ip-set format=TXT location=https://s3.eu-central-1.amazonaws.com/test/ipset.txt activate=True detectorId=38b1ed3fe279czvasdd0c8edb0715azdsfc5561eb name=test region=eu-west-2

AWS IAM Policy Permission

Effect: Allow
Action: guardduty:CreateIPSet

Input
Parameter Description
activate A boolean value that indicates whether GuardDuty uses the uploaded IPSet
detectorId Unique ID of the detector that you want to update
format Format of the file that contains the IPSet.
location URI of the file that contains the IPSet, for example, https://s3.us-west-2.amazonaws.com/my-bucket/my-object-key
name Friendly name for the IPSet, which displays in all findings that are triggered by activities that involve IP addresses included in this IPSet
region AWS region (if not specified, the default region is used)
roleArn Amazon Resource Name (ARN) of the role to assume
roleSessionName Identifier for the assumed role session
roleSessionDuration Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role)

Context Output
Path Description
AWS.GuardDuty.IPSet.IpSetId Unique ID of the created IPSet

Raw Output
{  
   "DetectorId":"38b1ed3fe279czvasdd0c8edb0715azdsfc5561eb",
   "IpSetId":"7eb1f440be5931f168280b574a26d44d"
}

Delete an IP whitelist: aws-gd-delete-ip-set

Deletes the IPSet specified by IPSet ID.

Command Example

!aws-gd-delete-ip-set detectorId=38b1ed3fe279cd0c8edb0715ac5561eb ipSetId=7eb1f440be5931f168280b574a26d44d region=eu-west-2

AWS IAM Policy Permission

Effect: Allow
Action: guardduty:DeleteIPSet

Input
Parameter Description
detectorId Unique ID of the detector that you want to update
ipSetId Unique ID of the IPSet to delete
region AWS region (if not specified, the default region is used)
roleArn Amazon Resource Name (ARN) of the role to assume
roleSessionName Identifier for the assumed role session
roleSessionDuration Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role)

Context Output

There is no context output for this command.

Raw Output
The IPSet 7eb1f440be593asd1f168280b57asd4a26d44d has been deleted from Detector 38b1ed3fe279cdasd0c8edb0715ac5561eb.

List all Amazon GuardDuty detectors: aws-gd-list-detectors

Lists all Amazon GuardDuty detectors.

Command Example

!aws-gd-list-detectors region=eu-west-2

AWS IAM Policy Permission

Effect: Allow
Action: guardduty:ListDetectors

Input
Parameter Description
region AWS region (if not specified, the default region is used)
roleArn Amazon Resource Name (ARN) of the role to assume
roleSessionName Identifier for the assumed role session
roleSessionDuration Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role)

Context Output
Path Description
AWS.GuardDuty.Detectors.DetectorId Unique ID of the detector

Raw Output
{  
   "DetectorId":"38b1ed3fe279czvasdd0c8edb0715azdsfc5561eb"
}

Update an IP whitelist: aws-gd-update-ip-set

Updates the IPSet specified by the IPSet ID.

Command Example

!aws-gd-update-ip-set detectorId=38b1ed3fe279cd0c8edb0715ac5561eb ipSetId=7eb1f440be5931f168280b574a26d44d activate=False region=eu-west-2

AWS IAM Policy Permission

Effect: Allow
Action: guardduty:UpdateIPSet

Input
Parameter Description
activate A boolean value that indicates whether GuardDuty uses the uploaded IPSet
detectorId Unique ID of the detector that you want to update
ipSetId Unique ID that specifies the IPSet that you want to update
location URI of the file that contains the IPSet, for example, https://s3.us-west-2.amazonaws.com/my-bucket/my-object-key
name Friendly name for the IPSet, which displays in all findings that are triggered by activities that involve IP addresses included in this IPSet
region AWS region (if not specified, the default region is used)
roleArn Amazon Resource Name (ARN) of the role to assume
roleSessionName Identifier for the assumed role session
roleSessionDuration Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role)

Context Output

There is no context output for this command.

Raw Output
The IPSet 7eb1f440be5931f168280b574a26d44d was updated.

Get IP whitelist information: aws-gd-get-ip-set

Retrieves information for an IPSet.

Command Example

!aws-gd-get-ip-set detectorId=38b1ed3fesdf279cd0c8edbdsf071sdgfac5561eb ipSetId=7eb1sdff440be5931f1682adf80b574a26d44d region=eu-west-2

AWS IAM Policy Permission

Effect: Allow
Action: guardduty:GetIPSet

Input
Parameter Description
detectorId The detectorID that specifies the GuardDuty service whose IPSet you want to retrieve
ipSetId Unique ID that specifies the IPSet that you want to describe
region AWS region (if not specified, the default region is used)
roleArn Amazon Resource Name (ARN) of the role to assume
roleSessionName Identifier for the assumed role session
roleSessionDuration Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role)

Context Output
Path Description
AWS.GuardDuty.Detectors.IPSet.IpSetId Unique ID for the IPSet
AWS.GuardDuty.Detectors.IPSet.Format Format of the file that contains the IPSet
AWS.GuardDuty.Detectors.IPSet.Location URI of the file that contains the IPSet
AWS.GuardDuty.Detectors.IPSet.Name Friendly name to identify the IPSet
AWS.GuardDuty.Detectors.IPSet.Status Status of the uploaded IPSet file

Raw Output
{  
   "DetectorId":"38b1edsfd3fe279cd0dsfc8edb07sdf15asdfc5561eb",
   "Format":"TXT",
   "IpSetId":"7eb1f440sdfafbe5931f168280dsfb574a26d44d",
   "Location":"https://s3.eu-central-1.amazonaws.com/test/ipset.txt",
   "Name":"test",
   "Status":"DELETED"
}

List all IP whitelists: aws-gd-list-ip-sets

Lists all IPSets in GuardDuty.

Command Example

!aws-gd-list-ip-sets detectorId=38b1ed3fesdf279cd0c8edbdsf071sdgfac5561eb region=eu-west-2

AWS IAM Policy Permission

Effect: Allow
Action: guardduty:ListIPSets

Input
Parameter Description
detectorId Unique ID of the detector whose IPSets you want to list
region AWS region (if not specified, the default region is used)
roleArn Amazon Resource Name (ARN) of the role to assume
roleSessionName Identifier for the assumed role session
roleSessionDuration Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role)

Context Output
Path Description
AWS.GuardDuty.Detectors.IPSet.IpSetId Unique ID for the IPSet

Raw Output
[  
   {  
      "DetectorId":"38b1ed3sadfe279cd0c8edb071asd5ac5561eb"
   },
   {  
      "IpSetId":"0eb1f4asd4bc5ed4720995f3esad4c4aad0266"
   }
]

Create a threat intelligence set: aws-gd-create-threatintel-set

Creates a list of known malicious IP addresses (ThreatIntelSet). GuardDuty generates findings based on ThreatIntelSets.

Command Example

!aws-gd-create-threatintel-set format=TXT location=https://s3.eu-central-1.amazonaws.com/test/threatintel.txt activate=True detectorId=38b1ed3fe279czvasdd0c8edb0715azdsfc5561eb name=test region=eu-west-2

AWS IAM Policy Permission

Effect: Allow
Action: guardduty:CreateThreatIntelSet

Input
Parameter Description
activate A boolean value that indicates whether GuardDuty uses the uploaded ThreatIntelSet
detectorId Unique ID of the detector that you want to update
format Format of the file that contains the ThreatIntelSet
location URI of the file that contains the ThreatIntelSet, for example, https://s3.us-west-2.amazonaws.com/my-bucket/my-object-key
name Friendly name for the ThreatIntelSet, which displays in all findings that are triggered by activities that involve IP addresses included in this ThreatIntelSet
region AWS region (if not specified, the default region is used)
roleArn Amazon Resource Name (ARN) of the role to assume
roleSessionName Identifier for the assumed role session
roleSessionDuration Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role)

Context Output
Path Description
AWS.GuardDuty.Detectors.ThreatIntelSet.ThreatIntelSetId Unique identifier for a ThreatIntelSet

Raw Output
{  
   "ThreatIntelSetId":"0eb1f4asd4bc5ed4720995f3esad4c4aad0266"
}
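Both aws-gd-create-ip-set and aws-gd-create-threatintel-set take a file that GuardDuty fetches from the given location; a malformed line or an unreachable location only shows up later as an error status on the set. The following added example (not part of the integration) checks a TXT list and its location before the command is run. It assumes the TXT format is one IP address or CIDR range per line, that blank lines and `#` comments are stripped by this checker (GuardDuty is not assumed to tolerate them), that private and other non-routable IPv4 ranges are worth a warning because the lists are matched against remote public addresses, and that the location must have the `https://s3.<region>.amazonaws.com/<bucket>/<key>` shape used by the examples on this page. `SAMPLE_LIST` is constructed data.

```python
"""Check a TXT IPSet / ThreatIntelSet file and its S3 location before calling
aws-gd-create-ip-set or aws-gd-create-threatintel-set.

Added example; not part of the integration. See the lead-in for assumptions.
"""
import ipaddress
import re

# Assumption: only the https://s3.<region>.amazonaws.com/<bucket>/<key> form
# shown in this page's examples is accepted.
S3_LOCATION = re.compile(r"^https://s3\.[a-z0-9-]+\.amazonaws\.com/[^/]+/.+$")

# Assumption: ranges that can never appear as a remote public address.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

SAMPLE_LIST = """\
# constructed sample list
203.0.113.7
198.51.100.0/24
10.0.0.0/8
not-an-ip
203.0.113.7
"""


def non_routable(net):
    """True for IPv4 ranges starting inside one of the NON_ROUTABLE blocks."""
    return net.version == 4 and any(net.network_address in block for block in NON_ROUTABLE)


def parse_ip_list(text):
    """Return {'entries': [...], 'errors': [...], 'warnings': [...]}.
    Errors are lines GuardDuty cannot use; warnings are accepted entries that
    are redundant (duplicates) or unlikely to ever match (non-routable)."""
    entries, errors, warnings, seen = [], [], [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and surrounding whitespace
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)   # '203.0.113.7' -> 203.0.113.7/32
        except ValueError:
            errors.append(f"line {lineno}: not an IP address or CIDR: {line!r}")
            continue
        key = str(net)
        if key in seen:
            warnings.append(f"line {lineno}: duplicate entry {key}")
            continue
        seen.add(key)
        if non_routable(net):
            warnings.append(f"line {lineno}: {key} is not a routable public range")
        entries.append(key)
    return {"entries": entries, "errors": errors, "warnings": warnings}


def valid_location(location):
    """True if the location has the S3 URL shape used by this page's examples."""
    return bool(S3_LOCATION.match(location))


def check_list(text, location):
    """Combined report; 'ok' means the file is non-empty, error-free and the location is well-formed."""
    report = parse_ip_list(text)
    report["location_ok"] = valid_location(location)
    report["ok"] = bool(report["entries"]) and not report["errors"] and report["location_ok"]
    return report


if __name__ == "__main__":
    report = check_list(SAMPLE_LIST, "https://s3.eu-central-1.amazonaws.com/test/threatintel.txt")
    for key in ("entries", "errors", "warnings", "location_ok", "ok"):
        print(f"{key}: {report[key]}")
```

Fix every error and review the warnings before uploading the file; after aws-gd-create-ip-set or aws-gd-create-threatintel-set returns, confirm with aws-gd-get-ip-set or aws-gd-get-threatintel-set that the set's Status is not an error state before relying on it.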

Delete a threat intelligence set: aws-gd-delete-threatintel-set

Deletes the ThreatIntelSet specified by the ThreatIntelSet ID.

Command Example

!aws-gd-delete-threatintel-set detectorId=38b1ed3fe279cd0c8edb0715ac5561eb threatIntelSetId=7eb1f440be5931f168280b574a26d44d region=eu-west-2

AWS IAM Policy Permission

Effect: Allow
Action: guardduty:DeleteThreatIntelSet

Input
Parameter Description
detectorId Unique ID of the detector that you want to update
threatIntelSetId Unique ID of the ThreatIntelSet to delete
region AWS region (if not specified, the default region is used)
roleArn Amazon Resource Name (ARN) of the role to assume
roleSessionName Identifier for the assumed role session
roleSessionDuration Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role)

Context Output

There is no context output for this command.

Raw Output
The ThreatIntel Set 7eb1f440be5931f168280b574a26d44d was deleted from Detector 38b1ed3fe279cd0c8edb0715ac5561eb.

Get threat intelligence set information: aws-gd-get-threatintel-set

Retrieves the ThreatIntelSet specified by the ThreatIntelSet ID.

Command Example

!aws-gd-get-threatintel-set detectorId=38b1ed3fe279cd0c8edb0715ac5561eb threatIntelSetId=7eb1f440be5931f168280b574a26d44d region=eu-west-2

AWS IAM Policy Permission

Effect: Allow
Action: guardduty:GetThreatIntelSet

Input
Parameter Description
detectorId Unique ID of the detector that you want to update
threatIntelSetId Unique ID that specifies the ThreatIntelSet that you want to describe
region AWS region (if not specified, the default region is used)
roleArn Amazon Resource Name (ARN) of the role to assume
roleSessionName Identifier for the assumed role session
roleSessionDuration Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role)

Context Output
Path Description
AWS.GuardDuty.Detectors.ThreatIntelSet.ThreatIntelSetId The unique ID that specifies the ThreatIntelSet
AWS.GuardDuty.Detectors.ThreatIntelSet.Format The format of the threatIntelSet
AWS.GuardDuty.Detectors.ThreatIntelSet.Location The URI of the file that contains the ThreatIntelSet
AWS.GuardDuty.Detectors.ThreatIntelSet.Name Friendly ThreatIntelSet name
AWS.GuardDuty.Detectors.ThreatIntelSet.Status Status of the uploaded threatIntelSet file

Raw Output
{ 
   "DetectorId":"38b1ed3fe279cd0c8edb0715ac5561eb",
   "ThreatIntelSetId":"7eb1f440be5931f168280b574a26d44d",
   "Format":"TXT",
   "Location":"https://s3.eu-central-1.amazonaws.com/test/threatintel.txt",
   "Name":"Test",
   "Status":"DELETED"
}

List all threat intelligence sets: aws-gd-list-threatintel-sets

Lists all ThreatIntelSets in GuardDuty.

Command Example

!aws-gd-list-threatintel-sets detectorId=38b1ed3fe279cd0c8edb0715ac5561eb region=eu-west-2

AWS IAM Policy Permission

Effect: Allow
Action: guardduty:ListThreatIntelSets

Input
Parameter Description
detectorId The detectorID that specifies the GuardDuty service whose ThreatIntelSets you want to list
region AWS region (if not specified, the default region is used)
roleArn Amazon Resource Name (ARN) of the role to assume
roleSessionName Identifier for the assumed role session
roleSessionDuration Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role)

Context Output
Path Description
AWS.GuardDuty.Detectors.ThreatIntelSet.ThreatIntelSetId The unique ID that specifies the ThreatIntelSet

Raw Output
[  
   {  
      "DetectorId":"38b1ed3fe279cd0c8edb0715ac5561eb"
   },
   {  
      "ThreatIntelSetId":"7eb1f440be5931f168280b574a26d44d"
   }
]

Update a threat intelligence set: aws-gd-update-threatintel-set

Updates the ThreatIntelSet specified by the ThreatIntelSet ID.

Command Example

!aws-gd-update-threatintel-set detectorId=38b1ed3fe279cd0c8edb0715ac5561eb threatIntelSetId=7eb1f440be5931f168280b574a26d44d activate=False region=eu-west-2

AWS IAM Policy Permission

Effect: Allow
Action: guardduty:UpdateThreatIntelSet

Input
Parameter Description
activate The updated boolean value that specifies whether the ThreatIntelSet is active
detectorId The detectorID that specifies the GuardDuty service whose ThreatIntelSet you want to update
threatIntelSetId The unique ID that specifies the ThreatIntelSet that you want to update
location URI of the file that contains the ThreatIntelSet, for example, https://s3.us-west-2.amazonaws.com/my-bucket/my-object-key
name Friendly name for the ThreatIntelSet
region AWS region (if not specified, the default region is used)
roleArn Amazon Resource Name (ARN) of the role to assume
roleSessionName Identifier for the assumed role session
roleSessionDuration Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role)

Context Output

There is no context output for this command.

Raw Output
The ThreatIntel Set 7eb1f440be5931f168280b574a26d44d was updated.

List Amazon GuardDuty findings for a specific detector: aws-gd-list-findings

Lists all Amazon GuardDuty findings for the specified detector ID.

Command Example

!aws-gd-list-findings detectorId=38b1ed3fe279cd0c8edb0715ac5561eb region=eu-west-2

AWS IAM Policy Permission

Effect: Allow
Action: guardduty:ListFindings

Input
Parameter Description
detectorId The detectorID that specifies the GuardDuty service whose findings you want to list
region AWS region (if not specified, the default region is used)
roleArn Amazon Resource Name (ARN) of the role to assume
roleSessionName Identifier for the assumed role session
roleSessionDuration Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role)

Context Output
Path Description
AWS.GuardDuty.Findings.FindingId ID of a finding for the specified detector

Raw Output
[  
   {  
      "FindingId":"2eb1ecee343f42b66b6f1a394dc3c21b"
   },
   {  
      "FindingId":"c6b180f7c27aff7ee204c7a2620a9cb3"
   },
   {  
      "FindingId":"e6b180f1d95d58f56a85e76c45a2cb34"
   },
   {  
      "FindingId":"f6b1d610567b6172bce359b564aba920"
   },
   {  
      "FindingId":"e6b180f1d22bdbcf4519004c9264f393"
   }
]

Describe Amazon GuardDuty findings for a specific detector: aws-gd-get-findings

Describes Amazon GuardDuty findings specified by finding IDs.

Command Example

!aws-gd-get-findings detectorId=4f1fc7cd7dsg26sdf4328d8dc813 findingIds=96b1ac608sdf00e5183c3dds115c36aac328b,0ab180f5801sdg954418f3806c2a45282c9

AWS IAM Policy Permission

Effect: Allow
Action: guardduty:GetFindings

Input
Parameter Description
detectorId The detectorID that specifies the GuardDuty service whose findings you want to retrieve
findingIds IDs of the findings that you want to retrieve
region AWS region (if not specified, the default region is used)
roleArn Amazon Resource Name (ARN) of the role to assume
roleSessionName Identifier for the assumed role session
roleSessionDuration Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role)

Context Output

There is no context output for this command.

Raw Output
[  
   {  
      "AccountId":"123456789",
      "Arn":"arn:aws:guardduty:eu-central-1:123456789:detector/20b180e9f14sdgf1fc7cd7264sdg328d8dc813/finding/0ab180f580sdg1954418f3806c2a45282c9",
      "CreatedAt":"2018-04-26T12:26:08.306Z",
      "Description":"EC2 instance has an unprotected port which is being probed by a known malicious host.",
      "Id":"0ab180f5801954418f3806c2a45282c9",
      "Region":"eu-central-1",
      "Title":"Unprotected port on EC2 instance i-123456789 is being probed.",
      "Type":"Recon:EC2/PortProbeUnprotectedPort"
   },
   {  
      "AccountId":"123456789",
      "Arn":"arn:aws:guardduty:eu-central-1:123456789:detector/20b180e9sdgf14f1fc7cd7264dsg328d8dc813/finding/96b1ac60sdg800e5183csdg3d115c36aac328b",
      "CreatedAt":"2018-05-13T09:07:13.564Z",
      "Description":"EC2 instance has an unprotected port which is being probed by a known malicious host.",
      "Id":"96b1ac60800e5183c3d115c36aac328b",
      "Region":"eu-central-1",
      "Title":"Unprotected port on EC2 instance i-123456789 is being probed.",
      "Type":"Recon:EC2/PortProbeUnprotectedPort"
   }
]
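Every integration instance is bound to one region, and aws-gd-archive-findings, aws-gd-unarchive-findings and aws-gd-update-findings-feedback all need the detectorId that owns the finding. Both can be read from a finding's Arn, whose layout `arn:aws:guardduty:<region>:<account>:detector/<detectorId>/finding/<findingId>` is the one shown in the raw output above. The following added example (not part of the integration) parses that ARN and groups findings into one archive command per region and detector; the ARNs in `SAMPLE` are constructed with placeholder IDs.

```python
"""Derive region, account and detectorId from a GuardDuty finding ARN and
group findings into one aws-gd-archive-findings call per (region, detector).

Added example; not part of the integration. SAMPLE is constructed data with
placeholder IDs in the ARN layout shown by aws-gd-get-findings.
"""
from collections import defaultdict

SAMPLE = [
    {"Id": "finding-a", "Arn": "arn:aws:guardduty:eu-central-1:123456789:detector/detector-1/finding/finding-a"},
    {"Id": "finding-b", "Arn": "arn:aws:guardduty:eu-central-1:123456789:detector/detector-1/finding/finding-b"},
    {"Id": "finding-c", "Arn": "arn:aws:guardduty:eu-west-2:123456789:detector/detector-2/finding/finding-c"},
]


def parse_finding_arn(arn):
    """Split a finding ARN into its parts; raises ValueError for anything else.
    The partition may be aws, aws-cn or aws-us-gov, so only its prefix is checked."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or not parts[1].startswith("aws") or parts[2] != "guardduty":
        raise ValueError(f"not a GuardDuty ARN: {arn!r}")
    region, account, resource = parts[3], parts[4], parts[5]
    segments = resource.split("/")
    if len(segments) != 4 or segments[0] != "detector" or segments[2] != "finding":
        raise ValueError(f"not a finding ARN: {arn!r}")
    return {"region": region, "account": account,
            "detectorId": segments[1], "findingId": segments[3]}


def group_by_detector(findings):
    """{(region, detectorId): [findingId, ...]} for a list of findings with an Arn field."""
    groups = defaultdict(list)
    for finding in findings:
        parsed = parse_finding_arn(finding["Arn"])
        groups[(parsed["region"], parsed["detectorId"])].append(parsed["findingId"])
    return dict(groups)


def archive_commands(findings):
    """One aws-gd-archive-findings command line per (region, detector) group."""
    return [
        f"!aws-gd-archive-findings detectorId={detector_id} findingIds={','.join(ids)} region={region}"
        for (region, detector_id), ids in sorted(group_by_detector(findings).items())
    ]


if __name__ == "__main__":
    for command in archive_commands(SAMPLE):
        print(command)
```

The same grouping applies to aws-gd-unarchive-findings and aws-gd-update-findings-feedback, which take the same detectorId and findingIds arguments.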

Generate example findings: aws-gd-create-sample-findings

Generates example findings of the types specified by the list of finding types. If "NULL" is specified for findingTypes, sample findings of all supported finding types are generated.

Command Example

!aws-gd-create-sample-findings detectorId=4f1fc7cd7dsg2adf6sdf4328d8dc813 findingTypes=NULL region=eu-central-1

AWS IAM Policy Permission

Effect: Allow
Action: guardduty:CreateSampleFindings

Input
Parameter Description
detectorId The ID of the detector to create sample findings for
findingTypes Types of sample findings that you want to generate (separated with a comma ","). Specify NULL to generate sample findings of all supported types.
region AWS region (if not specified, the default region is used)
roleArn Amazon Resource Name (ARN) of the role to assume
roleSessionName Identifier for the assumed role session
roleSessionDuration Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role)

Context Output

There is no context output for this command.

Raw Output
Sample Findings were generated.

Archive Amazon GuardDuty findings: aws-gd-archive-findings

Archives Amazon GuardDuty findings specified by the list of finding IDs.

Command Example

!aws-gd-archive-findings detectorId=4f1fc7cd7dsg26sdf4328d8dc813 findingIds=96b1ac608sdf00e5183c3dds115c36aac328b,0ab180f5801sdg954418f3806c2a45282c9

AWS IAM Policy Permission

Effect: Allow
Action: guardduty:ArchiveFindings

Input
Parameter Description
detectorId The ID of the detector that specifies the GuardDuty service whose findings you want to archive
findingIds IDs of the findings that you want to archive (separated with a comma ",")
region AWS region (if not specified, the default region is used)
roleArn Amazon Resource Name (ARN) of the role to assume
roleSessionName Identifier for the assumed role session
roleSessionDuration Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role)

Context Output

There is no context output for this command.

Raw Output
Findings were archived.

Unarchive Amazon GuardDuty findings: aws-gd-unarchive-findings

Unarchives Amazon GuardDuty findings specified by the list of finding IDs.

Command Example

!aws-gd-unarchive-findings detectorId=4f1fc7cd7dsg26sdf4328d8dc813 findingIds=96b1ac608sdf00e5183c3dds115c36aac328b,0ab180f5801sdg954418f3806c2a45282c9

AWS IAM Policy Permission

Effect: Allow
Action: guardduty:UnarchiveFindings

Input
Parameter Description
detectorId The ID of the detector that specifies the GuardDuty service whose findings you want to unarchive
findingIds IDs of the findings that you want to unarchive (separated with a comma ",")
region AWS region (if not specified, the default region is used)
roleArn Amazon Resource Name (ARN) of the role to assume
roleSessionName Identifier for the assumed role session
roleSessionDuration Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role)

Context Output

There is no context output for this command.

Raw Output
Findings were unarchived.

Mark Amazon GuardDuty findings as useful or not useful: aws-gd-update-findings-feedback

Marks the specified Amazon GuardDuty findings as useful or not useful.

Command Example

!aws-gd-update-findings-feedback detectorId=4f1fc7cd7dsg26sdf4328d8dc813 findingIds=96b1ac608sdf00e5183c3dds115c36aac328b comments="Good Job" feedback=USEFUL

AWS IAM Policy Permission

Effect: Allow
Action: guardduty:UpdateFindingsFeedback

Input
Parameter Description
detectorId The ID of the detector that specifies the GuardDuty service whose findings you want to mark as useful or not useful
findingIds IDs of the findings that you want to mark as useful or not useful (separated with a comma ",")
feedback Feedback for the findings: USEFUL or NOT_USEFUL
comments Additional feedback text (quote the value if it contains spaces)
region AWS region (if not specified, the default region is used)
roleArn Amazon Resource Name (ARN) of the role to assume
roleSessionName Identifier for the assumed role session
roleSessionDuration Duration of the role session, in seconds (the value can range from 900 seconds to the maximum session duration set for the role)

Context Output

There is no context output for this command.

Raw Output
Findings feedback was sent.