AWS.GuardDuty (aws-elixir v0.8.0) View Source

Amazon GuardDuty is a continuous security monitoring service that analyzes and processes the following data sources: VPC Flow Logs, AWS CloudTrail event logs, and DNS logs.

It uses threat intelligence feeds (such as lists of malicious IPs and domains) and machine learning to identify unexpected, potentially unauthorized, and malicious activity within your AWS environment. This can include issues like escalations of privileges, uses of exposed credentials, or communication with malicious IPs, URLs, or domains. For example, GuardDuty can detect compromised EC2 instances that serve malware or mine bitcoin.

GuardDuty also monitors AWS account access behavior for signs of compromise. Some examples of this are unauthorized infrastructure deployments such as EC2 instances deployed in a Region that has never been used, or unusual API calls like a password policy change to reduce password strength.

GuardDuty informs you of the status of your AWS environment by producing security findings that you can view in the GuardDuty console or through Amazon CloudWatch events. For more information, see the Amazon GuardDuty User Guide .

Link to this section Summary

Functions

Accepts the invitation to be monitored by a GuardDuty administrator account.

Archives GuardDuty findings that are specified by the list of finding IDs.

Creates a single Amazon GuardDuty detector.

Creates a filter using the specified finding criteria.

Creates a new IPSet, which is called a trusted IP list in the console user interface.

Creates member accounts of the current AWS account by specifying a list of AWS account IDs.

Creates a publishing destination to export findings to.

Generates example findings of types specified by the list of finding types.

Declines invitations sent to the current member account by AWS accounts specified by their account IDs.

Deletes an Amazon GuardDuty detector that is specified by the detector ID.

Deletes the filter specified by the filter name.

Deletes invitations sent to the current member account by AWS accounts specified by their account IDs.

Deletes the IPSet specified by the ipSetId.

Deletes GuardDuty member accounts (to the current GuardDuty administrator account) specified by the account IDs.

Deletes the publishing definition with the specified destinationId.

Deletes the ThreatIntelSet specified by the ThreatIntelSet ID.

Returns information about the account selected as the delegated administrator for GuardDuty.

Returns information about the publishing destination specified by the provided destinationId.

Disables an AWS account within the Organization as the GuardDuty delegated administrator.

Disassociates the current GuardDuty member account from its administrator account.

Disassociates GuardDuty member accounts (to the current GuardDuty administrator account) specified by the account IDs.

Enables an AWS account within the organization as the GuardDuty delegated administrator.

Retrieves an Amazon GuardDuty detector specified by the detectorId.

Returns the details of the filter specified by the filter name.

Describes Amazon GuardDuty findings specified by finding IDs.

Lists Amazon GuardDuty findings statistics for the specified detector ID.

Returns the count of all GuardDuty membership invitations that were sent to the current member account except the currently accepted invitation.

Retrieves the IPSet specified by the ipSetId.

Provides the details for the GuardDuty administrator account associated with the current GuardDuty member account.

Describes which data sources are enabled for the member account's detector.

Retrieves GuardDuty member accounts (of the current GuardDuty administrator account) specified by the account IDs.

Retrieves the ThreatIntelSet that is specified by the ThreatIntelSet ID.

Lists Amazon GuardDuty usage statistics over the last 30 days for the specified detector ID.

Invites other AWS accounts (created as members of the current AWS account by CreateMembers) to enable GuardDuty, and allow the current AWS account to view and manage these accounts' findings on their behalf as the GuardDuty administrator account.

Lists detectorIds of all the existing Amazon GuardDuty detector resources.

Lists Amazon GuardDuty findings for the specified detector ID.

Lists all GuardDuty membership invitations that were sent to the current AWS account.

Lists the IPSets of the GuardDuty service specified by the detector ID.

Lists details about all member accounts for the current GuardDuty administrator account.

Lists the accounts configured as GuardDuty delegated administrators.

Returns a list of publishing destinations associated with the specified dectectorId.

Lists the ThreatIntelSets of the GuardDuty service specified by the detector ID.

Turns on GuardDuty monitoring of the specified member accounts.

Stops GuardDuty monitoring for the specified member accounts.

Unarchives GuardDuty findings specified by the findingIds.

Updates the Amazon GuardDuty detector specified by the detectorId.

Updates the filter specified by the filter name.

Marks the specified GuardDuty findings as useful or not useful.

Updates the IPSet specified by the IPSet ID.

Contains information on member accounts to be updated.

Updates the delegated administrator account with the values provided.

Updates information about the publishing destination specified by the destinationId.

Updates the ThreatIntelSet specified by the ThreatIntelSet ID.

Link to this section Functions

Link to this function

accept_invitation(client, detector_id, input, options \\ [])

View Source

Accepts the invitation to be monitored by a GuardDuty administrator account.

Link to this function

archive_findings(client, detector_id, input, options \\ [])

View Source

Archives GuardDuty findings that are specified by the list of finding IDs.

Only the administrator account can archive findings. Member accounts don't have permission to archive findings from their accounts.

Link to this function

create_detector(client, input, options \\ [])

View Source

Creates a single Amazon GuardDuty detector.

A detector is a resource that represents the GuardDuty service. To start using GuardDuty, you must create a detector in each Region where you enable the service. You can have only one detector per account per Region. All data sources are enabled in a new detector by default.

Link to this function

create_filter(client, detector_id, input, options \\ [])

View Source

Creates a filter using the specified finding criteria.

Link to this function

create_ip_set(client, detector_id, input, options \\ [])

View Source

Creates a new IPSet, which is called a trusted IP list in the console user interface.

An IPSet is a list of IP addresses that are trusted for secure communication with AWS infrastructure and applications. GuardDuty doesn't generate findings for IP addresses that are included in IPSets. Only users from the administrator account can use this operation.

Link to this function

create_members(client, detector_id, input, options \\ [])

View Source

Creates member accounts of the current AWS account by specifying a list of AWS account IDs.

This step is a prerequisite for managing the associated member accounts either by invitation or through an organization.

When using Create Members as an organizations delegated administrator this action will enable GuardDuty in the added member accounts, with the exception of the organization delegated administrator account, which must enable GuardDuty prior to being added as a member.

If you are adding accounts by invitation use this action after GuardDuty has been enabled in potential member accounts and before using Invite Members .

Link to this function

create_publishing_destination(client, detector_id, input, options \\ [])

View Source

Creates a publishing destination to export findings to.

The resource to export findings to must exist before you use this operation.

Link to this function

create_sample_findings(client, detector_id, input, options \\ [])

View Source

Generates example findings of types specified by the list of finding types.

If 'NULL' is specified for findingTypes, the API generates example findings of all supported finding types.

Link to this function

create_threat_intel_set(client, detector_id, input, options \\ [])

View Source

Creates a new ThreatIntelSet.

ThreatIntelSets consist of known malicious IP addresses. GuardDuty generates findings based on ThreatIntelSets. Only users of the administrator account can use this operation.

Link to this function

decline_invitations(client, input, options \\ [])

View Source

Declines invitations sent to the current member account by AWS accounts specified by their account IDs.

Link to this function

delete_detector(client, detector_id, input, options \\ [])

View Source

Deletes an Amazon GuardDuty detector that is specified by the detector ID.

Link to this function

delete_filter(client, detector_id, filter_name, input, options \\ [])

View Source

Deletes the filter specified by the filter name.

Link to this function

delete_invitations(client, input, options \\ [])

View Source

Deletes invitations sent to the current member account by AWS accounts specified by their account IDs.

Link to this function

delete_ip_set(client, detector_id, ip_set_id, input, options \\ [])

View Source

Deletes the IPSet specified by the ipSetId.

IPSets are called trusted IP lists in the console user interface.

Link to this function

delete_members(client, detector_id, input, options \\ [])

View Source

Deletes GuardDuty member accounts (to the current GuardDuty administrator account) specified by the account IDs.

Link to this function

delete_publishing_destination(client, destination_id, detector_id, input, options \\ [])

View Source

Deletes the publishing definition with the specified destinationId.

Link to this function

delete_threat_intel_set(client, detector_id, threat_intel_set_id, input, options \\ [])

View Source

Deletes the ThreatIntelSet specified by the ThreatIntelSet ID.

Link to this function

describe_organization_configuration(client, detector_id, options \\ [])

View Source

Returns information about the account selected as the delegated administrator for GuardDuty.

Link to this function

describe_publishing_destination(client, destination_id, detector_id, options \\ [])

View Source

Returns information about the publishing destination specified by the provided destinationId.

Link to this function

disable_organization_admin_account(client, input, options \\ [])

View Source

Disables an AWS account within the Organization as the GuardDuty delegated administrator.

Link to this function

disassociate_from_master_account(client, detector_id, input, options \\ [])

View Source

Disassociates the current GuardDuty member account from its administrator account.

Link to this function

disassociate_members(client, detector_id, input, options \\ [])

View Source

Disassociates GuardDuty member accounts (to the current GuardDuty administrator account) specified by the account IDs.

Link to this function

enable_organization_admin_account(client, input, options \\ [])

View Source

Enables an AWS account within the organization as the GuardDuty delegated administrator.

Link to this function

get_detector(client, detector_id, options \\ [])

View Source

Retrieves an Amazon GuardDuty detector specified by the detectorId.

Link to this function

get_filter(client, detector_id, filter_name, options \\ [])

View Source

Returns the details of the filter specified by the filter name.

Link to this function

get_findings(client, detector_id, input, options \\ [])

View Source

Describes Amazon GuardDuty findings specified by finding IDs.

Link to this function

get_findings_statistics(client, detector_id, input, options \\ [])

View Source

Lists Amazon GuardDuty findings statistics for the specified detector ID.

Link to this function

get_invitations_count(client, options \\ [])

View Source

Returns the count of all GuardDuty membership invitations that were sent to the current member account except the currently accepted invitation.

Link to this function

get_ip_set(client, detector_id, ip_set_id, options \\ [])

View Source

Retrieves the IPSet specified by the ipSetId.

Link to this function

get_master_account(client, detector_id, options \\ [])

View Source

Provides the details for the GuardDuty administrator account associated with the current GuardDuty member account.

Link to this function

get_member_detectors(client, detector_id, input, options \\ [])

View Source

Describes which data sources are enabled for the member account's detector.

Link to this function

get_members(client, detector_id, input, options \\ [])

View Source

Retrieves GuardDuty member accounts (of the current GuardDuty administrator account) specified by the account IDs.

Link to this function

get_threat_intel_set(client, detector_id, threat_intel_set_id, options \\ [])

View Source

Retrieves the ThreatIntelSet that is specified by the ThreatIntelSet ID.

Link to this function

get_usage_statistics(client, detector_id, input, options \\ [])

View Source

Lists Amazon GuardDuty usage statistics over the last 30 days for the specified detector ID.

For newly enabled detectors or data sources the cost returned will include only the usage so far under 30 days, this may differ from the cost metrics in the console, which projects usage over 30 days to provide a monthly cost estimate. For more information see Understanding How Usage Costs are Calculated.

Link to this function

invite_members(client, detector_id, input, options \\ [])

View Source

Invites other AWS accounts (created as members of the current AWS account by CreateMembers) to enable GuardDuty, and allow the current AWS account to view and manage these accounts' findings on their behalf as the GuardDuty administrator account.

Link to this function

list_detectors(client, max_results \\ nil, next_token \\ nil, options \\ [])

View Source

Lists detectorIds of all the existing Amazon GuardDuty detector resources.

Link to this function

list_filters(client, detector_id, max_results \\ nil, next_token \\ nil, options \\ [])

View Source

Returns a paginated list of the current filters.

Link to this function

list_findings(client, detector_id, input, options \\ [])

View Source

Lists Amazon GuardDuty findings for the specified detector ID.

Link to this function

list_invitations(client, max_results \\ nil, next_token \\ nil, options \\ [])

View Source

Lists all GuardDuty membership invitations that were sent to the current AWS account.

Link to this function

list_ip_sets(client, detector_id, max_results \\ nil, next_token \\ nil, options \\ [])

View Source

Lists the IPSets of the GuardDuty service specified by the detector ID.

If you use this operation from a member account, the IPSets returned are the IPSets from the associated administrator account.

Link to this function

list_members(client, detector_id, max_results \\ nil, next_token \\ nil, only_associated \\ nil, options \\ [])

View Source

Lists details about all member accounts for the current GuardDuty administrator account.

Link to this function

list_organization_admin_accounts(client, max_results \\ nil, next_token \\ nil, options \\ [])

View Source

Lists the accounts configured as GuardDuty delegated administrators.

Link to this function

list_publishing_destinations(client, detector_id, max_results \\ nil, next_token \\ nil, options \\ [])

View Source

Returns a list of publishing destinations associated with the specified dectectorId.

Link to this function

list_tags_for_resource(client, resource_arn, options \\ [])

View Source

Lists tags for a resource.

Tagging is currently supported for detectors, finding filters, IP sets, and threat intel sets, with a limit of 50 tags per resource. When invoked, this operation returns all assigned tags for a given resource.

Link to this function

list_threat_intel_sets(client, detector_id, max_results \\ nil, next_token \\ nil, options \\ [])

View Source

Lists the ThreatIntelSets of the GuardDuty service specified by the detector ID.

If you use this operation from a member account, the ThreatIntelSets associated with the administrator account are returned.

Link to this function

start_monitoring_members(client, detector_id, input, options \\ [])

View Source

Turns on GuardDuty monitoring of the specified member accounts.

Use this operation to restart monitoring of accounts that you stopped monitoring with the StopMonitoringMembers operation.

Link to this function

stop_monitoring_members(client, detector_id, input, options \\ [])

View Source

Stops GuardDuty monitoring for the specified member accounts.

Use the StartMonitoringMembers operation to restart monitoring for those accounts.

Link to this function

tag_resource(client, resource_arn, input, options \\ [])

View Source

Adds tags to a resource.

Link to this function

unarchive_findings(client, detector_id, input, options \\ [])

View Source

Unarchives GuardDuty findings specified by the findingIds.

Link to this function

untag_resource(client, resource_arn, input, options \\ [])

View Source

Removes tags from a resource.

Link to this function

update_detector(client, detector_id, input, options \\ [])

View Source

Updates the Amazon GuardDuty detector specified by the detectorId.

Link to this function

update_filter(client, detector_id, filter_name, input, options \\ [])

View Source

Updates the filter specified by the filter name.

Link to this function

update_findings_feedback(client, detector_id, input, options \\ [])

View Source

Marks the specified GuardDuty findings as useful or not useful.

Link to this function

update_ip_set(client, detector_id, ip_set_id, input, options \\ [])

View Source

Updates the IPSet specified by the IPSet ID.

Link to this function

update_member_detectors(client, detector_id, input, options \\ [])

View Source

Contains information on member accounts to be updated.

Link to this function

update_organization_configuration(client, detector_id, input, options \\ [])

View Source

Updates the delegated administrator account with the values provided.

Link to this function

update_publishing_destination(client, destination_id, detector_id, input, options \\ [])

View Source

Updates information about the publishing destination specified by the destinationId.

Link to this function

update_threat_intel_set(client, detector_id, threat_intel_set_id, input, options \\ [])

View Source

Updates the ThreatIntelSet specified by the ThreatIntelSet ID.