Skip to content

Client

guardduty R Documentation

Amazon GuardDuty

Description

Amazon GuardDuty is a continuous security monitoring service that analyzes and processes the following foundational data sources - VPC flow logs, Amazon Web Services CloudTrail management event logs, CloudTrail S3 data event logs, EKS audit logs, DNS logs, Amazon EBS volume data, runtime activity belonging to container workloads, such as Amazon EKS, Amazon ECS (including Amazon Web Services Fargate), and Amazon EC2 instances. It uses threat intelligence feeds, such as lists of malicious IPs and domains, and machine learning to identify unexpected, potentially unauthorized, and malicious activity within your Amazon Web Services environment. This can include issues like escalations of privileges, uses of exposed credentials, or communication with malicious IPs, domains, or presence of malware on your Amazon EC2 instances and container workloads. For example, GuardDuty can detect compromised EC2 instances and container workloads serving malware, or mining bitcoin.

GuardDuty also monitors Amazon Web Services account access behavior for signs of compromise, such as unauthorized infrastructure deployments like EC2 instances deployed in a Region that has never been used, or unusual API calls like a password policy change to reduce password strength.

GuardDuty informs you about the status of your Amazon Web Services environment by producing security findings that you can view in the GuardDuty console or through Amazon EventBridge. For more information, see the Amazon GuardDuty User Guide .

Usage

guardduty(
  config = list(),
  credentials = list(),
  endpoint = NULL,
  region = NULL
)

Arguments

config

Optional configuration of credentials, endpoint, and/or region.

  • credentials:

    • creds:

      • access_key_id: AWS access key ID

      • secret_access_key: AWS secret access key

      • session_token: AWS temporary session token

    • profile: The name of a profile to use. If not given, then the default profile is used.

    • anonymous: Set anonymous credentials.

  • endpoint: The complete URL to use for the constructed client.

  • region: The AWS Region used in instantiating the client.

  • close_connection: Immediately close all HTTP connections.

  • timeout: The time in seconds till a timeout exception is thrown when attempting to make a connection. The default is 60 seconds.

  • s3_force_path_style: Set this to true to force the request to use path-style addressing, i.e. ⁠http://s3.amazonaws.com/BUCKET/KEY⁠.

  • sts_regional_endpoint: Set sts regional endpoint resolver to regional or legacy https://docs.aws.amazon.com/sdkref/latest/guide/feature-sts-regionalized-endpoints.html

credentials

Optional credentials shorthand for the config parameter

  • creds:

    • access_key_id: AWS access key ID

    • secret_access_key: AWS secret access key

    • session_token: AWS temporary session token

  • profile: The name of a profile to use. If not given, then the default profile is used.

  • anonymous: Set anonymous credentials.

endpoint

Optional shorthand for complete URL to use for the constructed client.

region

Optional shorthand for AWS Region used in instantiating the client.

Value

A client for the service. You can call the service's operations using syntax like svc$operation(...), where svc is the name you've assigned to the client. The available operations are listed in the Operations section.

Service syntax

svc <- guardduty(
  config = list(
    credentials = list(
      creds = list(
        access_key_id = "string",
        secret_access_key = "string",
        session_token = "string"
      ),
      profile = "string",
      anonymous = "logical"
    ),
    endpoint = "string",
    region = "string",
    close_connection = "logical",
    timeout = "numeric",
    s3_force_path_style = "logical",
    sts_regional_endpoint = "string"
  ),
  credentials = list(
    creds = list(
      access_key_id = "string",
      secret_access_key = "string",
      session_token = "string"
    ),
    profile = "string",
    anonymous = "logical"
  ),
  endpoint = "string",
  region = "string"
)

Operations

accept_administrator_invitation
Accepts the invitation to be a member account and get monitored by a GuardDuty administrator account that sent the invitation
accept_invitation
Accepts the invitation to be monitored by a GuardDuty administrator account
archive_findings
Archives GuardDuty findings that are specified by the list of finding IDs
create_detector
Creates a single GuardDuty detector
create_filter
Creates a filter using the specified finding criteria
create_ip_set
Creates a new IPSet, which is called a trusted IP list in the console user interface
create_malware_protection_plan
Creates a new Malware Protection plan for the protected resource
create_members
Creates member accounts of the current Amazon Web Services account by specifying a list of Amazon Web Services account IDs
create_publishing_destination
Creates a publishing destination to export findings to
create_sample_findings
Generates sample findings of types specified by the list of finding types
create_threat_intel_set
Creates a new ThreatIntelSet
decline_invitations
Declines invitations sent to the current member account by Amazon Web Services accounts specified by their account IDs
delete_detector
Deletes an Amazon GuardDuty detector that is specified by the detector ID
delete_filter
Deletes the filter specified by the filter name
delete_invitations
Deletes invitations sent to the current member account by Amazon Web Services accounts specified by their account IDs
delete_ip_set
Deletes the IPSet specified by the ipSetId
delete_malware_protection_plan
Deletes the Malware Protection plan ID associated with the Malware Protection plan resource
delete_members
Deletes GuardDuty member accounts (to the current GuardDuty administrator account) specified by the account IDs
delete_publishing_destination
Deletes the publishing definition with the specified destinationId
delete_threat_intel_set
Deletes the ThreatIntelSet specified by the ThreatIntelSet ID
describe_malware_scans
Returns a list of malware scans
describe_organization_configuration
Returns information about the account selected as the delegated administrator for GuardDuty
describe_publishing_destination
Returns information about the publishing destination specified by the provided destinationId
disable_organization_admin_account
Removes the existing GuardDuty delegated administrator of the organization
disassociate_from_administrator_account
Disassociates the current GuardDuty member account from its administrator account
disassociate_from_master_account
Disassociates the current GuardDuty member account from its administrator account
disassociate_members
Disassociates GuardDuty member accounts (from the current administrator account) specified by the account IDs
enable_organization_admin_account
Designates an Amazon Web Services account within the organization as your GuardDuty delegated administrator
get_administrator_account
Provides the details of the GuardDuty administrator account associated with the current GuardDuty member account
get_coverage_statistics
Retrieves aggregated statistics for your account
get_detector
Retrieves an Amazon GuardDuty detector specified by the detectorId
get_filter
Returns the details of the filter specified by the filter name
get_findings
Describes Amazon GuardDuty findings specified by finding IDs
get_findings_statistics
Lists Amazon GuardDuty findings statistics for the specified detector ID
get_invitations_count
Returns the count of all GuardDuty membership invitations that were sent to the current member account except the currently accepted invitation
get_ip_set
Retrieves the IPSet specified by the ipSetId
get_malware_protection_plan
Retrieves the Malware Protection plan details associated with a Malware Protection plan ID
get_malware_scan_settings
Returns the details of the malware scan settings
get_master_account
Provides the details for the GuardDuty administrator account associated with the current GuardDuty member account
get_member_detectors
Describes which data sources are enabled for the member account's detector
get_members
Retrieves GuardDuty member accounts (of the current GuardDuty administrator account) specified by the account IDs
get_organization_statistics
Retrieves how many active member accounts have each feature enabled within GuardDuty
get_remaining_free_trial_days
Provides the number of days left for each data source used in the free trial period
get_threat_intel_set
Retrieves the ThreatIntelSet that is specified by the ThreatIntelSet ID
get_usage_statistics
Lists Amazon GuardDuty usage statistics over the last 30 days for the specified detector ID
invite_members
Invites Amazon Web Services accounts to become members of an organization administered by the Amazon Web Services account that invokes this API
list_coverage
Lists coverage details for your GuardDuty account
list_detectors
Lists detectorIds of all the existing Amazon GuardDuty detector resources
list_filters
Returns a paginated list of the current filters
list_findings
Lists GuardDuty findings for the specified detector ID
list_invitations
Lists all GuardDuty membership invitations that were sent to the current Amazon Web Services account
list_ip_sets
Lists the IPSets of the GuardDuty service specified by the detector ID
list_malware_protection_plans
Lists the Malware Protection plan IDs associated with the protected resources in your Amazon Web Services account
list_members
Lists details about all member accounts for the current GuardDuty administrator account
list_organization_admin_accounts
Lists the accounts designated as GuardDuty delegated administrators
list_publishing_destinations
Returns a list of publishing destinations associated with the specified detectorId
list_tags_for_resource
Lists tags for a resource
list_threat_intel_sets
Lists the ThreatIntelSets of the GuardDuty service specified by the detector ID
start_malware_scan
Initiates the malware scan
start_monitoring_members
Turns on GuardDuty monitoring of the specified member accounts
stop_monitoring_members
Stops GuardDuty monitoring for the specified member accounts
tag_resource
Adds tags to a resource
unarchive_findings
Unarchives GuardDuty findings specified by the findingIds
untag_resource
Removes tags from a resource
update_detector
Updates the GuardDuty detector specified by the detector ID
update_filter
Updates the filter specified by the filter name
update_findings_feedback
Marks the specified GuardDuty findings as useful or not useful
update_ip_set
Updates the IPSet specified by the IPSet ID
update_malware_protection_plan
Updates an existing Malware Protection plan resource
update_malware_scan_settings
Updates the malware scan settings
update_member_detectors
Contains information on member accounts to be updated
update_organization_configuration
Configures the delegated administrator account with the provided values
update_publishing_destination
Updates information about the publishing destination specified by the destinationId
update_threat_intel_set
Updates the ThreatIntelSet specified by the ThreatIntelSet ID

Examples

## Not run: 
svc <- guardduty()
svc$accept_administrator_invitation(
  Foo = 123
)

## End(Not run)