Client

guardduty

R Documentation

Amazon GuardDuty¶

Description¶

Amazon GuardDuty is a continuous security monitoring service that analyzes and processes the following foundational data sources - VPC flow logs, Amazon Web Services CloudTrail management event logs, CloudTrail S3 data event logs, EKS audit logs, DNS logs, Amazon EBS volume data, runtime activity belonging to container workloads, such as Amazon EKS, Amazon ECS (including Amazon Web Services Fargate), and Amazon EC2 instances. It uses threat intelligence feeds, such as lists of malicious IPs and domains, and machine learning to identify unexpected, potentially unauthorized, and malicious activity within your Amazon Web Services environment. This can include issues like escalations of privileges, uses of exposed credentials, or communication with malicious IPs, domains, or presence of malware on your Amazon EC2 instances and container workloads. For example, GuardDuty can detect compromised EC2 instances and container workloads serving malware, or mining bitcoin.

GuardDuty also monitors Amazon Web Services account access behavior for signs of compromise, such as unauthorized infrastructure deployments like EC2 instances deployed in a Region that has never been used, or unusual API calls like a password policy change to reduce password strength.

GuardDuty informs you about the status of your Amazon Web Services environment by producing security findings that you can view in the GuardDuty console or through Amazon EventBridge. For more information, see the Amazon GuardDuty User Guide .

Usage¶

guardduty(
  config = list(),
  credentials = list(),
  endpoint = NULL,
  region = NULL
)

Arguments¶

config

Optional configuration of credentials, endpoint, and/or region.

credentials:
- creds:
  - access_key_id: AWS access key ID
  - secret_access_key: AWS secret access key
  - session_token: AWS temporary session token
- profile: The name of a profile to use. If not given, then the default profile is used.
- anonymous: Set anonymous credentials.
endpoint: The complete URL to use for the constructed client.
region: The AWS Region used in instantiating the client.
close_connection: Immediately close all HTTP connections.
timeout: The time in seconds till a timeout exception is thrown when attempting to make a connection. The default is 60 seconds.
s3_force_path_style: Set this to true to force the request to use path-style addressing, i.e. ⁠http://s3.amazonaws.com/BUCKET/KEY⁠.
sts_regional_endpoint: Set sts regional endpoint resolver to regional or legacy https://docs.aws.amazon.com/sdkref/latest/guide/feature-sts-regionalized-endpoints.html

credentials

Optional credentials shorthand for the config parameter

creds:
- access_key_id: AWS access key ID
- secret_access_key: AWS secret access key
- session_token: AWS temporary session token
profile: The name of a profile to use. If not given, then the default profile is used.
anonymous: Set anonymous credentials.

endpoint

Optional shorthand for complete URL to use for the constructed client.

region

Optional shorthand for AWS Region used in instantiating the client.

Value¶

A client for the service. You can call the service's operations using syntax like svc$operation(...), where svc is the name you've assigned to the client. The available operations are listed in the Operations section.

Service syntax¶

svc <- guardduty(
  config = list(
    credentials = list(
      creds = list(
        access_key_id = "string",
        secret_access_key = "string",
        session_token = "string"
      ),
      profile = "string",
      anonymous = "logical"
    ),
    endpoint = "string",
    region = "string",
    close_connection = "logical",
    timeout = "numeric",
    s3_force_path_style = "logical",
    sts_regional_endpoint = "string"
  ),
  credentials = list(
    creds = list(
      access_key_id = "string",
      secret_access_key = "string",
      session_token = "string"
    ),
    profile = "string",
    anonymous = "logical"
  ),
  endpoint = "string",
  region = "string"
)

Operations¶

accept_administrator_invitation: Accepts the invitation to be a member account and get monitored by a GuardDuty administrator account that sent the invitation
accept_invitation: Accepts the invitation to be monitored by a GuardDuty administrator account
archive_findings: Archives GuardDuty findings that are specified by the list of finding IDs
create_detector: Creates a single GuardDuty detector
create_filter: Creates a filter using the specified finding criteria
create_ip_set: Creates a new IPSet, which is called a trusted IP list in the console user interface
create_malware_protection_plan: Creates a new Malware Protection plan for the protected resource
create_members: Creates member accounts of the current Amazon Web Services account by specifying a list of Amazon Web Services account IDs
create_publishing_destination: Creates a publishing destination to export findings to
create_sample_findings: Generates sample findings of types specified by the list of finding types
create_threat_intel_set: Creates a new ThreatIntelSet
decline_invitations: Declines invitations sent to the current member account by Amazon Web Services accounts specified by their account IDs
delete_detector: Deletes an Amazon GuardDuty detector that is specified by the detector ID
delete_filter: Deletes the filter specified by the filter name
delete_invitations: Deletes invitations sent to the current member account by Amazon Web Services accounts specified by their account IDs
delete_ip_set: Deletes the IPSet specified by the ipSetId
delete_malware_protection_plan: Deletes the Malware Protection plan ID associated with the Malware Protection plan resource
delete_members: Deletes GuardDuty member accounts (to the current GuardDuty administrator account) specified by the account IDs
delete_publishing_destination: Deletes the publishing definition with the specified destinationId
delete_threat_intel_set: Deletes the ThreatIntelSet specified by the ThreatIntelSet ID
describe_malware_scans: Returns a list of malware scans
describe_organization_configuration: Returns information about the account selected as the delegated administrator for GuardDuty
describe_publishing_destination: Returns information about the publishing destination specified by the provided destinationId
disable_organization_admin_account: Removes the existing GuardDuty delegated administrator of the organization; Disassociates the current GuardDuty member account from its administrator account
disassociate_from_master_account: Disassociates the current GuardDuty member account from its administrator account
disassociate_members: Disassociates GuardDuty member accounts (from the current administrator account) specified by the account IDs
enable_organization_admin_account: Designates an Amazon Web Services account within the organization as your GuardDuty delegated administrator
get_administrator_account: Provides the details of the GuardDuty administrator account associated with the current GuardDuty member account
get_coverage_statistics: Retrieves aggregated statistics for your account
get_detector: Retrieves an Amazon GuardDuty detector specified by the detectorId
get_filter: Returns the details of the filter specified by the filter name
get_findings: Describes Amazon GuardDuty findings specified by finding IDs
get_findings_statistics: Lists Amazon GuardDuty findings statistics for the specified detector ID
get_invitations_count: Returns the count of all GuardDuty membership invitations that were sent to the current member account except the currently accepted invitation
get_ip_set: Retrieves the IPSet specified by the ipSetId
get_malware_protection_plan: Retrieves the Malware Protection plan details associated with a Malware Protection plan ID
get_malware_scan_settings: Returns the details of the malware scan settings
get_master_account: Provides the details for the GuardDuty administrator account associated with the current GuardDuty member account
get_member_detectors: Describes which data sources are enabled for the member account's detector
get_members: Retrieves GuardDuty member accounts (of the current GuardDuty administrator account) specified by the account IDs
get_organization_statistics: Retrieves how many active member accounts have each feature enabled within GuardDuty
get_remaining_free_trial_days: Provides the number of days left for each data source used in the free trial period
get_threat_intel_set: Retrieves the ThreatIntelSet that is specified by the ThreatIntelSet ID
get_usage_statistics: Lists Amazon GuardDuty usage statistics over the last 30 days for the specified detector ID
invite_members: Invites Amazon Web Services accounts to become members of an organization administered by the Amazon Web Services account that invokes this API
list_coverage: Lists coverage details for your GuardDuty account
list_detectors: Lists detectorIds of all the existing Amazon GuardDuty detector resources
list_filters: Returns a paginated list of the current filters
list_findings: Lists GuardDuty findings for the specified detector ID
list_invitations: Lists all GuardDuty membership invitations that were sent to the current Amazon Web Services account
list_ip_sets: Lists the IPSets of the GuardDuty service specified by the detector ID
list_malware_protection_plans: Lists the Malware Protection plan IDs associated with the protected resources in your Amazon Web Services account
list_members: Lists details about all member accounts for the current GuardDuty administrator account
list_organization_admin_accounts: Lists the accounts designated as GuardDuty delegated administrators
list_publishing_destinations: Returns a list of publishing destinations associated with the specified detectorId
list_tags_for_resource: Lists tags for a resource
list_threat_intel_sets: Lists the ThreatIntelSets of the GuardDuty service specified by the detector ID
start_malware_scan: Initiates the malware scan
start_monitoring_members: Turns on GuardDuty monitoring of the specified member accounts
stop_monitoring_members: Stops GuardDuty monitoring for the specified member accounts
tag_resource: Adds tags to a resource
unarchive_findings: Unarchives GuardDuty findings specified by the findingIds
untag_resource: Removes tags from a resource
update_detector: Updates the GuardDuty detector specified by the detector ID
update_filter: Updates the filter specified by the filter name
update_findings_feedback: Marks the specified GuardDuty findings as useful or not useful
update_ip_set: Updates the IPSet specified by the IPSet ID
update_malware_protection_plan: Updates an existing Malware Protection plan resource
update_malware_scan_settings: Updates the malware scan settings
update_member_detectors: Contains information on member accounts to be updated
update_organization_configuration: Configures the delegated administrator account with the provided values
update_publishing_destination: Updates information about the publishing destination specified by the destinationId
update_threat_intel_set: Updates the ThreatIntelSet specified by the ThreatIntelSet ID

Examples¶

## Not run: 
svc <- guardduty()
svc$accept_administrator_invitation(
  Foo = 123
)

## End(Not run)