Amazon GuardDuty
App Vendor: AWS
App Category: Network Security
Connector Version: 2.0.0
API Version: 1.28.0
About App
Amazon GuardDuty is a managed threat detection service that continuously monitors for malicious or unauthorised behaviour to help you protect your AWS accounts and workloads.
The Amazon GuardDuty app is configured with the Orchestrate application to perform the following actions:
Action Name | Description |
---|---|
Create Detector | This action creates an Amazon GuardDuty detector on the integration instance specified for the AWS account. |
Create IP Set | This action creates a list of trusted IP addresses that have been whitelisted for a secure communication with the AWS infrastructure and applications. |
Create Sample Findings | This action generates sample findings of the specified finding types. |
Delete Detector | This action deletes a detector. |
Delete IP Set | This action deletes an IP set. |
Delete Threat Intel Set | This action deletes a threat intel set. |
Archive Findings | This action archives Amazon GuardDuty findings specified by the list of finding IDs. |
Create Threat Intel Set | This action creates a threat intel set specified by ThreatIntelSet ID. |
List Threat Intel Sets | This action retrieves all the threat intel sets. |
Update Threat Intel Set | This action is used to update the threat intel set specified by ThreatIntelSet ID. |
Get Threat Intel Set | This action retrieves the threat intel set specified by the Threat Intel Set ID. |
Configuration Parameters
The following configuration parameters are required for the Amazon GuardDuty app to communicate with the Amazon GuardDuty enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Session Token | Enter the session token. | Text | Optional | |
Region Name | Enter the AWS region for accessing the endpoint. | Text | Required | |
Access Key ID | Enter the access key for accessing the endpoint. | Text | Required | |
Secret Access Key | Enter the secret key to access the endpoint. | Password | Required | |
Action: Create Detector
This action creates an Amazon GuardDuty detector on the integration instance for the AWS account.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Client Token | Enter the client token. | Password | Optional | |
Enable Detector | Choose whether to enable the detector. | Boolean | Required | Allowed values: |
Finding Publishing Frequency | Enter how frequently updated findings are published. | Text | Optional | Allowed values: |
Extra Params | Enter any additional parameters you want to pass while creating the detector. Example: {'Tags': tags} | Key_value | Optional | |
Example Request
[ { "extra_params": {}, "enable_detector": false } ]
Action: Create IP Set
This action creates a list of trusted IP addresses that have been whitelisted for secure communication with AWS infrastructure and applications.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Is Active | Enter true to start using the uploaded IP set. | Boolean | Required | Allowed values: |
Client Token | Enter the client token. | Password | Optional | |
Detector ID | Enter the detector ID. Example: dac5b803e9471c624aaf2012e1 | Text | Required | |
File Format | Enter the file format. | Text | Required | Allowed values: |
IP Set Location | Enter the IP set location URL. Example: https://s3.amazonaws.com/my-bucket/my-threat-list.txt | Text | Required | |
IP Set Name | Enter the IP set name. | Text | Required | |
Example Request
[ { "detector_id": "0ec5c04d0c247d4ce01656ad6ef0bada" } ]
Action: Create Sample Findings
This action generates example findings of types specified by the list of finding types.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Detector ID | Enter the detector ID. Example: dac5b803e9471c624aaf2012e1 | Text | Required | |
Finding Types | Enter the finding types. | List | Optional | |
Example Request
[ { "detector_id": "0ec5c04d0c247d4ce01656ad6ef0bada" } ]
Action: Delete Detector
This action deletes the detector.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Detector ID | Enter the detector ID. Example: dac5b803e9471c624aaf2012e1 | Text | Required | |
Example Request
[ { "detector_id": "a0c5c04b43056842b4825939d2a40494" } ]
Action: Delete IP Set
This action deletes an IP set.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Detector ID | Enter the unique ID of the detector that the IP set is associated with. Example: dac5b803e9471c624aaf2012e1 | Text | Required | |
IP Set ID | Enter the IP set ID. | Text | Required | |
Example Request
[ { "ipset_id": "cac5c04d0d8ee90258f053f6734f0a92", "detector_id": "0ec5c04d0c247d4ce01656ad6ef0bada" } ]
Action: Delete Threat Intel Set
This action deletes the threat intel set.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Detector ID | Enter the detector ID. | Text | Required | |
Threat Intel Set ID | Enter the threat intel set ID. | Text | Required | |
Example Request
[ { "detector_id": "0ec5c04d0c247d4ce01656ad6ef0bada", "threatintelset_id": "58c5c04d0ee2836cf7d02fad2d84a6de" } ]
Action: Archive Findings
This action archives the Amazon GuardDuty findings specified by the list of finding IDs.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Detector ID | Enter the unique ID of the detector. Example: dac5b803e941c624aaf2012e1 | Text | Required | |
Finding IDs | Enter the comma-separated list of finding IDs. Example: $list['9424949dsa'] | List | Required | |
Example Request
[ { "detector_id": "a0c5c04b43056842b4825939d2a40494", "finding_ids": [ "46f36dfa6a204bc0a18473d493618493" ] } ]
Action: Create Threat Intel Set
This action is used to create a threat intel set specified by ThreatIntelSet ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Format | Enter the format of the file that contains the threat intel set. | Text | Required | Allowed values: |
Detector ID | Enter the unique ID of the detector that specifies the GuardDuty service whose threat intel set you want to create. Example: dac5b803e9471c624aaf2012e1 | Text | Required | |
Name | Enter a unique name for the threat intel set you want to create. | Text | Required | |
Location | Enter the URI of the file that contains the threat intel set. | Text | Required | |
Activate | Enter true to activate the threat intel set. | Boolean | Required | |
Extra Params | Enter any additional parameters you want to pass while creating the threat intel set. Example: {'tags': tags} | Key Value | Optional | |
Example Request
[ { "name": "Testgdapi", "activate": false, "location": "https://testbucketgdddd.s3.amazonaws.com/test-ip", "detector_id": "0ec5c04d0c247d4ce01656ad6ef0bada", "file_format": "TXT", "extra_params": {} } ]
Action: List Threat Intel Sets
This action retrieves all the threat intel sets.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Detector ID | Enter the unique ID of the detector that the ThreatIntelSet is associated with. Example: dac5b803e9471c624aaf2012e1 | Text | Required | |
Max Results | Enter the maximum number of items that you want in the response. | Integer | Optional | Default value: 50 |
Next Token | Enter the next token to fetch the next set of results. | Text | Optional | |
Example Request
[ { "detector_id": "0ec5c04d0c247d4ce01656ad6ef0bada" } ]
Action: Update Threat Intel Set
This action updates the threat intel set specified by the ThreatIntelSet ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Threat Intel Set ID | Enter the unique ID that specifies the ThreatIntelSet that you want to update. | Text | Required | |
Detector ID | Enter the unique ID of the detector that specifies the GuardDuty service whose ThreatIntelSet you want to update. Example: dac5b803e9471c624c2aaf2012e1 | Text | Required | |
Name | Enter the updated unique name of the ThreatIntelSet. | Text | Optional | |
Location | Enter the updated URI of the file that contains the ThreatIntelSet. | Text | Optional | |
Activate | Enter the updated boolean value that specifies whether the ThreatIntelSet is active or not. | Boolean | Optional | |
Example Request
[ { "activate": false, "detector_id": "0ec5c04d0c247d4ce01656ad6ef0bada", "threatintelset_id": "58c5c04d0ee2836cf7d02fad2d84a6de" } ]
Action: Get Threat Intel Set
This action retrieves the threat intel set specified by the Threat Intel Set ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Detector ID | Enter the unique ID of the detector that the threat intel set is associated with. Example: dac5b803e9471c624aaf2012e1 | Text | Required | |
Threat Intel Set ID | Enter the unique ID that specifies the Threat Intel Set that you want to get. | Text | Required | |
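Each of the actions above is a thin wrapper over one AWS GuardDuty API call, and the example requests show the JSON shape the app accepts. The following Python is an added example, not the app's or AWS's own code: it takes an action request in that shape, enforces the Required column and the value constraints the API imposes (list format names, publishing frequencies, hex IDs, an https S3 location, at most 50 finding IDs per ArchiveFindings call, and extra parameters that may not silently override a mapped key), and maps it onto the matching boto3 `guardduty` client method. The boto3 method and parameter names are the real ones; request keys that do not appear in the page's examples (`client_token`, `finding_publishing_frequency`, `finding_types`, `max_results`, `next_token`) are assumed names. `DryRunClient` records calls instead of sending them so the mapping can be checked offline; a real `boto3.client("guardduty", ...)` built from the Region Name, Access Key ID, Secret Access Key and optional Session Token configuration parameters can be passed in its place.

```python
"""Validate Orchestrate-style GuardDuty action requests and map them onto
boto3 GuardDuty client calls. Added example, not the app's own code."""
import re
from urllib.parse import urlparse

# Allowed values per the AWS GuardDuty API reference.
THREAT_LIST_FORMATS = {"TXT", "STIX", "OTX_CSV", "ALIEN_VAULT", "PROOF_POINT", "FIRE_EYE"}
PUBLISHING_FREQUENCIES = {"FIFTEEN_MINUTES", "ONE_HOUR", "SIX_HOURS"}
MAX_FINDINGS_PER_ARCHIVE = 50  # ArchiveFindings accepts at most 50 FindingIds per call
HEX_ID = re.compile(r"^[0-9a-f]+$")

_ID = {"detector_id": ("DetectorId", True)}
_SET_CREATE = {**_ID, "name": ("Name", True), "file_format": ("Format", True),
               "location": ("Location", True), "activate": ("Activate", True),
               "client_token": ("ClientToken", False)}
# Action name -> (boto3 method, {request key: (API parameter, required)}).
# Request keys absent from the page's example requests (client_token,
# finding_publishing_frequency, finding_types, max_results, next_token) are assumed.
ACTIONS = {
    "Create Detector": ("create_detector", {
        "enable_detector": ("Enable", True), "client_token": ("ClientToken", False),
        "finding_publishing_frequency": ("FindingPublishingFrequency", False)}),
    "Create IP Set": ("create_ip_set", _SET_CREATE),
    "Create Sample Findings": ("create_sample_findings",
                               {**_ID, "finding_types": ("FindingTypes", False)}),
    "Delete Detector": ("delete_detector", _ID),
    "Delete IP Set": ("delete_ip_set", {**_ID, "ipset_id": ("IpSetId", True)}),
    "Delete Threat Intel Set": ("delete_threat_intel_set",
                                {**_ID, "threatintelset_id": ("ThreatIntelSetId", True)}),
    "Archive Findings": ("archive_findings", {**_ID, "finding_ids": ("FindingIds", True)}),
    "Create Threat Intel Set": ("create_threat_intel_set", _SET_CREATE),
    "List Threat Intel Sets": ("list_threat_intel_sets", {
        **_ID, "max_results": ("MaxResults", False), "next_token": ("NextToken", False)}),
    "Update Threat Intel Set": ("update_threat_intel_set", {
        **_ID, "threatintelset_id": ("ThreatIntelSetId", True), "name": ("Name", False),
        "location": ("Location", False), "activate": ("Activate", False)}),
    "Get Threat Intel Set": ("get_threat_intel_set",
                             {**_ID, "threatintelset_id": ("ThreatIntelSetId", True)}),
}


def _check(api_key, value):
    """Reject values the GuardDuty API would refuse, before any call is made."""
    if api_key.endswith("Id") and not (isinstance(value, str) and HEX_ID.match(value)):
        raise ValueError(f"{api_key} must be a lowercase hex string")
    if api_key == "Format" and value not in THREAT_LIST_FORMATS:
        raise ValueError(f"Format must be one of {sorted(THREAT_LIST_FORMATS)}")
    if api_key == "FindingPublishingFrequency" and value not in PUBLISHING_FREQUENCIES:
        raise ValueError(f"FindingPublishingFrequency must be one of {sorted(PUBLISHING_FREQUENCIES)}")
    if api_key == "Location":  # GuardDuty reads IP and threat lists from S3 over https
        url = urlparse(value)
        if url.scheme != "https" or not (url.hostname or "").endswith(".amazonaws.com"):
            raise ValueError("Location must be an https S3 URL")
    if api_key in ("Enable", "Activate") and not isinstance(value, bool):
        raise ValueError(f"{api_key} must be a JSON boolean")
    if api_key == "FindingIds" and not (
            isinstance(value, list) and 0 < len(value) <= MAX_FINDINGS_PER_ARCHIVE):
        raise ValueError(f"FindingIds must hold 1..{MAX_FINDINGS_PER_ARCHIVE} ids")


def build_kwargs(action, request):
    """Translate one action request (the page's JSON shape) into boto3 keyword arguments."""
    method, spec = ACTIONS[action]
    kwargs = {}
    for req_key, (api_key, required) in spec.items():
        if req_key in request:
            _check(api_key, request[req_key])
            kwargs[api_key] = request[req_key]
        elif required:
            raise ValueError(f"{action}: missing required parameter '{req_key}'")
    unknown = set(request) - set(spec) - {"extra_params"}
    if unknown:
        raise ValueError(f"{action}: unknown request keys {sorted(unknown)}")
    # extra_params (e.g. {'Tags': {...}}) pass through but may not override mapped keys.
    extra = request.get("extra_params") or {}
    if not isinstance(extra, dict):
        raise ValueError("extra_params must be a JSON object")
    if set(extra) & set(kwargs):
        raise ValueError(f"extra_params may not override {sorted(set(extra) & set(kwargs))}")
    kwargs.update(extra)
    return method, kwargs


class DryRunClient:
    """Stand-in for boto3.client('guardduty') that records calls instead of sending them."""
    def __init__(self):
        self.calls = []

    def __getattr__(self, method):
        def call(**kwargs):
            self.calls.append((method, kwargs))
            return {"DryRun": True, "Method": method}
        return call


def run_action(client, action, request):
    """Validate, map and dispatch one action request on the given client."""
    method, kwargs = build_kwargs(action, request)
    return getattr(client, method)(**kwargs)


if __name__ == "__main__":
    # Constructed sample request in the shape of the page's Archive Findings example.
    print(run_action(DryRunClient(), "Archive Findings", {
        "detector_id": "a0c5c04b43056842b4825939d2a40494",
        "finding_ids": ["46f36dfa6a204bc0a18473d493618493"]}))
```

Run against the page's own example requests, the validator accepts the Create Detector, Archive Findings, Delete and Update examples as written, and rejects the Create IP Set example because it supplies only `detector_id` while Name, File Format, IP Set Location and Is Active are marked Required; catching that in the playbook is cheaper than an API error from AWS.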