[ aws . guardduty ]

get-findings

Description

Describes Amazon GuardDuty findings specified by finding IDs.

See also: AWS API Documentation

See ‘aws help’ for descriptions of global parameters.

Synopsis

  get-findings
--detector-id <value>
--finding-ids <value>
[--sort-criteria <value>]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]

Options

--detector-id (string)

The ID of the detector that specifies the GuardDuty service whose findings you want to retrieve.

--finding-ids (list)

The IDs of the findings that you want to retrieve.

(string)

Syntax:

"string" "string" ...

--sort-criteria (structure)

Represents the criteria used for sorting findings.

AttributeName -> (string)

Represents the finding attribute (for example, accountId) to sort findings by.

OrderBy -> (string)

The order by which the sorted findings are to be displayed.

Shorthand Syntax:

AttributeName=string,OrderBy=string

JSON Syntax:

{
  "AttributeName": "string",
  "OrderBy": "ASC"|"DESC"
}

--cli-input-json | --cli-input-yaml (string) Reads arguments from the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton. If other arguments are provided on the command line, those values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally. This may not be specified along with --cli-input-yaml.

--generate-cli-skeleton (string) Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input, prints a sample input JSON that can be used as an argument for --cli-input-json. Similarly, if provided yaml-input it will print a sample input YAML that can be used with --cli-input-yaml. If provided with the value output, it validates the command inputs and returns a sample output JSON for that command.

See ‘aws help’ for descriptions of global parameters.

Examples

Example 1: To retrieve the details of a specific finding

The following get-findings example retrieves the full JSON finding details of the specified finding.

aws guardduty get-findings \
    --detector-id 12abc34d567e8fa901bc2d34eexample \
    --finding-id 1ab92989eaf0e742df4a014d5example

Output:

{
    "Findings": [
        {
            "Resource": {
                "ResourceType": "AccessKey",
                "AccessKeyDetails": {
                    "UserName": "testuser",
                    "UserType": "IAMUser",
                    "PrincipalId": "AIDACKCEVSQ6C2EXAMPLE",
                    "AccessKeyId": "ASIASZ4SI7REEEXAMPLE"
                }
            },
            "Description": "APIs commonly used to discover the users, groups, policies and permissions in an account, was invoked by IAM principal testuser under unusual circumstances. Such activity is not typically seen from this principal.",
            "Service": {
                "Count": 5,
                "Archived": false,
                "ServiceName": "guardduty",
                "EventFirstSeen": "2020-05-26T22:02:24Z",
                "ResourceRole": "TARGET",
                "EventLastSeen": "2020-05-26T22:33:55Z",
                "DetectorId": "d4b040365221be2b54a6264dcexample",
                "Action": {
                    "ActionType": "AWS_API_CALL",
                    "AwsApiCallAction": {
                        "RemoteIpDetails": {
                            "GeoLocation": {
                                "Lat": 51.5164,
                                "Lon": -0.093
                            },
                            "City": {
                                "CityName": "London"
                            },
                            "IpAddressV4": "52.94.36.7",
                            "Organization": {
                                "Org": "Amazon.com",
                                "Isp": "Amazon.com",
                                "Asn": "16509",
                                "AsnOrg": "AMAZON-02"
                            },
                            "Country": {
                                "CountryName": "United Kingdom"
                            }
                        },
                        "Api": "ListPolicyVersions",
                        "ServiceName": "iam.amazonaws.com",
                        "CallerType": "Remote IP"
                    }
                }
            },
            "Title": "Unusual user permission reconnaissance activity by testuser.",
            "Type": "Recon:IAMUser/UserPermissions",
            "Region": "us-east-1",
            "Partition": "aws",
            "Arn": "arn:aws:guardduty:us-east-1:111122223333:detector/d4b040365221be2b54a6264dcexample/finding/1ab92989eaf0e742df4a014d5example",
            "UpdatedAt": "2020-05-26T22:55:21.703Z",
            "SchemaVersion": "2.0",
            "Severity": 5,
            "Id": "1ab92989eaf0e742df4a014d5example",
            "CreatedAt": "2020-05-26T22:21:48.385Z",
            "AccountId": "111122223333"
        }
    ]
}

For more information, see Findings in the GuardDuty User Guide.

Output

Findings -> (list)

A list of findings.

(structure)

Contains information about the finding, which is generated when abnormal or suspicious activity is detected.

AccountId -> (string)

The ID of the account in which the finding was generated.

Arn -> (string)

The ARN of the finding.

Confidence -> (double)

The confidence score for the finding.

CreatedAt -> (string)

The time and date when the finding was created.

Description -> (string)

The description of the finding.

Id -> (string)

The ID of the finding.

Partition -> (string)

The partition associated with the finding.

Region -> (string)

The Region where the finding was generated.

Resource -> (structure)

Contains information about the AWS resource associated with the activity that prompted GuardDuty to generate a finding.

AccessKeyDetails -> (structure)

The IAM access key details (IAM user information) of a user that engaged in the activity that prompted GuardDuty to generate a finding.

AccessKeyId -> (string)

The access key ID of the user.

PrincipalId -> (string)

The principal ID of the user.

UserName -> (string)

The name of the user.

UserType -> (string)

The type of the user.

S3BucketDetails -> (list)

Contains information on the S3 bucket.

(structure)

Contains information on the S3 bucket.

Arn -> (string)

The Amazon Resource Name (ARN) of the S3 bucket.

Name -> (string)

The name of the S3 bucket.

Type -> (string)

Describes whether the bucket is a source or destination bucket.

CreatedAt -> (timestamp)

The date and time the bucket was created at.

Owner -> (structure)

The owner of the S3 bucket.

Id -> (string)

The canonical user ID of the bucket owner. For information about locating your canonical user ID see Finding Your Account Canonical User ID.

Tags -> (list)

All tags attached to the S3 bucket

(structure)

Contains information about a tag associated with the EC2 instance.

Key -> (string)

The EC2 instance tag key.

Value -> (string)

The EC2 instance tag value.

DefaultServerSideEncryption -> (structure)

Describes the server side encryption method used in the S3 bucket.

EncryptionType -> (string)

The type of encryption used for objects within the S3 bucket.

KmsMasterKeyArn -> (string)

The Amazon Resource Name (ARN) of the KMS encryption key. Only available if the bucket EncryptionType is aws:kms .

PublicAccess -> (structure)

Describes the public access policies that apply to the S3 bucket.

PermissionConfiguration -> (structure)

Contains information about how permissions are configured for the S3 bucket.

BucketLevelPermissions -> (structure)

Contains information about the bucket level permissions for the S3 bucket.

AccessControlList -> (structure)

Contains information on how Access Control Policies are applied to the bucket.

AllowsPublicReadAccess -> (boolean)

A value that indicates whether public read access for the bucket is enabled through an Access Control List (ACL).

AllowsPublicWriteAccess -> (boolean)

A value that indicates whether public write access for the bucket is enabled through an Access Control List (ACL).

BucketPolicy -> (structure)

Contains information on the bucket policies for the S3 bucket.

AllowsPublicReadAccess -> (boolean)

A value that indicates whether public read access for the bucket is enabled through a bucket policy.

AllowsPublicWriteAccess -> (boolean)

A value that indicates whether public write access for the bucket is enabled through a bucket policy.

BlockPublicAccess -> (structure)

Contains information on which account level S3 Block Public Access settings are applied to the S3 bucket.

IgnorePublicAcls -> (boolean)

Indicates if S3 Block Public Access is set to IgnorePublicAcls .

RestrictPublicBuckets -> (boolean)

Indicates if S3 Block Public Access is set to RestrictPublicBuckets .

BlockPublicAcls -> (boolean)

Indicates if S3 Block Public Access is set to BlockPublicAcls .

BlockPublicPolicy -> (boolean)

Indicates if S3 Block Public Access is set to BlockPublicPolicy .

AccountLevelPermissions -> (structure)

Contains information about the account level permissions on the S3 bucket.

BlockPublicAccess -> (structure)

Describes the S3 Block Public Access settings of the bucket’s parent account.

IgnorePublicAcls -> (boolean)

Indicates if S3 Block Public Access is set to IgnorePublicAcls .

RestrictPublicBuckets -> (boolean)

Indicates if S3 Block Public Access is set to RestrictPublicBuckets .

BlockPublicAcls -> (boolean)

Indicates if S3 Block Public Access is set to BlockPublicAcls .

BlockPublicPolicy -> (boolean)

Indicates if S3 Block Public Access is set to BlockPublicPolicy .

EffectivePermission -> (string)

Describes the effective permission on this bucket after factoring all attached policies.

InstanceDetails -> (structure)

The information about the EC2 instance associated with the activity that prompted GuardDuty to generate a finding.

AvailabilityZone -> (string)

The Availability Zone of the EC2 instance.

IamInstanceProfile -> (structure)

The profile information of the EC2 instance.

Arn -> (string)

The profile ARN of the EC2 instance.

Id -> (string)

The profile ID of the EC2 instance.

ImageDescription -> (string)

The image description of the EC2 instance.

ImageId -> (string)

The image ID of the EC2 instance.

InstanceId -> (string)

The ID of the EC2 instance.

InstanceState -> (string)

The state of the EC2 instance.

InstanceType -> (string)

The type of the EC2 instance.

OutpostArn -> (string)

The Amazon Resource Name (ARN) of the AWS Outpost. Only applicable to AWS Outposts instances.

LaunchTime -> (string)

The launch time of the EC2 instance.

NetworkInterfaces -> (list)

The elastic network interface information of the EC2 instance.

(structure)

Contains information about the elastic network interface of the EC2 instance.

Ipv6Addresses -> (list)

A list of IPv6 addresses for the EC2 instance.

(string)

NetworkInterfaceId -> (string)

The ID of the network interface.

PrivateDnsName -> (string)

The private DNS name of the EC2 instance.

PrivateIpAddress -> (string)

The private IP address of the EC2 instance.

PrivateIpAddresses -> (list)

Other private IP address information of the EC2 instance.

(structure)

Contains other private IP address information of the EC2 instance.

PrivateDnsName -> (string)

The private DNS name of the EC2 instance.

PrivateIpAddress -> (string)

The private IP address of the EC2 instance.

PublicDnsName -> (string)

The public DNS name of the EC2 instance.

PublicIp -> (string)

The public IP address of the EC2 instance.

SecurityGroups -> (list)

The security groups associated with the EC2 instance.

(structure)

Contains information about the security groups associated with the EC2 instance.

GroupId -> (string)

The security group ID of the EC2 instance.

GroupName -> (string)

The security group name of the EC2 instance.

SubnetId -> (string)

The subnet ID of the EC2 instance.

VpcId -> (string)

The VPC ID of the EC2 instance.

Platform -> (string)

The platform of the EC2 instance.

ProductCodes -> (list)

The product code of the EC2 instance.

(structure)

Contains information about the product code for the EC2 instance.

Code -> (string)

The product code information.

ProductType -> (string)

The product code type.

Tags -> (list)

The tags of the EC2 instance.

(structure)

Contains information about a tag associated with the EC2 instance.

Key -> (string)

The EC2 instance tag key.

Value -> (string)

The EC2 instance tag value.

ResourceType -> (string)

The type of AWS resource.

SchemaVersion -> (string)

The version of the schema used for the finding.

Service -> (structure)

Contains additional information about the generated finding.

Action -> (structure)

Information about the activity that is described in a finding.

ActionType -> (string)

The GuardDuty finding activity type.

AwsApiCallAction -> (structure)

Information about the AWS_API_CALL action described in this finding.

Api -> (string)

The AWS API name.

CallerType -> (string)

The AWS API caller type.

DomainDetails -> (structure)

The domain information for the AWS API call.

Domain -> (string)

The domain information for the AWS API call.

ErrorCode -> (string)

The error code of the failed AWS API action.

RemoteIpDetails -> (structure)

The remote IP information of the connection that initiated the AWS API call.

City -> (structure)

The city information of the remote IP address.

CityName -> (string)

The city name of the remote IP address.

Country -> (structure)

The country code of the remote IP address.

CountryCode -> (string)

The country code of the remote IP address.

CountryName -> (string)

The country name of the remote IP address.

GeoLocation -> (structure)

The location information of the remote IP address.

Lat -> (double)

The latitude information of the remote IP address.

Lon -> (double)

The longitude information of the remote IP address.

IpAddressV4 -> (string)

The IPv4 remote address of the connection.

Organization -> (structure)

The ISP organization information of the remote IP address.

Asn -> (string)

The Autonomous System Number (ASN) of the internet provider of the remote IP address.

AsnOrg -> (string)

The organization that registered this ASN.

Isp -> (string)

The ISP information for the internet provider.

Org -> (string)

The name of the internet provider.

ServiceName -> (string)

The AWS service name whose API was invoked.

DnsRequestAction -> (structure)

Information about the DNS_REQUEST action described in this finding.

Domain -> (string)

The domain information for the API request.

NetworkConnectionAction -> (structure)

Information about the NETWORK_CONNECTION action described in this finding.

Blocked -> (boolean)

Indicates whether EC2 blocked the network connection to your instance.

ConnectionDirection -> (string)

The network connection direction.

LocalPortDetails -> (structure)

The local port information of the connection.

Port -> (integer)

The port number of the local connection.

PortName -> (string)

The port name of the local connection.

Protocol -> (string)

The network connection protocol.

LocalIpDetails -> (structure)

The local IP information of the connection.

IpAddressV4 -> (string)

The IPv4 local address of the connection.

RemoteIpDetails -> (structure)

The remote IP information of the connection.

City -> (structure)

The city information of the remote IP address.

CityName -> (string)

The city name of the remote IP address.

Country -> (structure)

The country code of the remote IP address.

CountryCode -> (string)

The country code of the remote IP address.

CountryName -> (string)

The country name of the remote IP address.

GeoLocation -> (structure)

The location information of the remote IP address.

Lat -> (double)

The latitude information of the remote IP address.

Lon -> (double)

The longitude information of the remote IP address.

IpAddressV4 -> (string)

The IPv4 remote address of the connection.

Organization -> (structure)

The ISP organization information of the remote IP address.

Asn -> (string)

The Autonomous System Number (ASN) of the internet provider of the remote IP address.

AsnOrg -> (string)

The organization that registered this ASN.

Isp -> (string)

The ISP information for the internet provider.

Org -> (string)

The name of the internet provider.

RemotePortDetails -> (structure)

The remote port information of the connection.

Port -> (integer)

The port number of the remote connection.

PortName -> (string)

The port name of the remote connection.

PortProbeAction -> (structure)

Information about the PORT_PROBE action described in this finding.

Blocked -> (boolean)

Indicates whether EC2 blocked the port probe to the instance, such as with an ACL.

PortProbeDetails -> (list)

A list of objects related to port probe details.

(structure)

Contains information about the port probe details.

LocalPortDetails -> (structure)

The local port information of the connection.

Port -> (integer)

The port number of the local connection.

PortName -> (string)

The port name of the local connection.

LocalIpDetails -> (structure)

The local IP information of the connection.

IpAddressV4 -> (string)

The IPv4 local address of the connection.

RemoteIpDetails -> (structure)

The remote IP information of the connection.

City -> (structure)

The city information of the remote IP address.

CityName -> (string)

The city name of the remote IP address.

Country -> (structure)

The country code of the remote IP address.

CountryCode -> (string)

The country code of the remote IP address.

CountryName -> (string)

The country name of the remote IP address.

GeoLocation -> (structure)

The location information of the remote IP address.

Lat -> (double)

The latitude information of the remote IP address.

Lon -> (double)

The longitude information of the remote IP address.

IpAddressV4 -> (string)

The IPv4 remote address of the connection.

Organization -> (structure)

The ISP organization information of the remote IP address.

Asn -> (string)

The Autonomous System Number (ASN) of the internet provider of the remote IP address.

AsnOrg -> (string)

The organization that registered this ASN.

Isp -> (string)

The ISP information for the internet provider.

Org -> (string)

The name of the internet provider.

Evidence -> (structure)

An evidence object associated with the service.

ThreatIntelligenceDetails -> (list)

A list of threat intelligence details related to the evidence.

(structure)

An instance of a threat intelligence detail that constitutes evidence for the finding.

ThreatListName -> (string)

The name of the threat intelligence list that triggered the finding.

ThreatNames -> (list)

A list of names of the threats in the threat intelligence list that triggered the finding.

(string)

Archived -> (boolean)

Indicates whether this finding is archived.

Count -> (integer)

The total count of the occurrences of this finding type.

DetectorId -> (string)

The detector ID for the GuardDuty service.

EventFirstSeen -> (string)

The first-seen timestamp of the activity that prompted GuardDuty to generate this finding.

EventLastSeen -> (string)

The last-seen timestamp of the activity that prompted GuardDuty to generate this finding.

ResourceRole -> (string)

The resource role information for this finding.

ServiceName -> (string)

The name of the AWS service (GuardDuty) that generated a finding.

UserFeedback -> (string)

Feedback that was submitted about the finding.

Severity -> (double)

The severity of the finding.

Title -> (string)

The title of the finding.

Type -> (string)

The type of finding.

UpdatedAt -> (string)

The time and date when the finding was last updated.