GuardDuty class

Amazon GuardDuty is a continuous security monitoring service that analyzes and processes the following foundational data sources - VPC flow logs, Amazon Web Services CloudTrail management event logs, CloudTrail S3 data event logs, EKS audit logs, DNS logs, Amazon EBS volume data, runtime activity belonging to container workloads, such as Amazon EKS, Amazon ECS (including Amazon Web Services Fargate), and Amazon EC2 instances. It uses threat intelligence feeds, such as lists of malicious IPs and domains, and machine learning to identify unexpected, potentially unauthorized, and malicious activity within your Amazon Web Services environment. This can include issues like escalations of privileges, uses of exposed credentials, or communication with malicious IPs, domains, or presence of malware on your Amazon EC2 instances and container workloads. For example, GuardDuty can detect compromised EC2 instances and container workloads serving malware, or mining bitcoin.

GuardDuty also monitors Amazon Web Services account access behavior for signs of compromise, such as unauthorized infrastructure deployments like EC2 instances deployed in a Region that has never been used, or unusual API calls like a password policy change to reduce password strength.

GuardDuty informs you about the status of your Amazon Web Services environment by producing security findings that you can view in the GuardDuty console or through Amazon EventBridge. For more information, see the Amazon GuardDuty User Guide .

Constructors

GuardDuty({required String region, AwsClientCredentials? credentials, AwsClientCredentialsProvider? credentialsProvider, Client? client, String? endpointUrl})

Properties

hashCode → int

The hash code for this object.

no setter, inherited

runtimeType → Type

A representation of the runtime type of the object.

no setter, inherited

Methods

acceptAdministratorInvitation({required String administratorId, required String detectorId, required String invitationId}) → Future<void>

Accepts the invitation to be a member account and get monitored by a GuardDuty administrator account that sent the invitation.

acceptInvitation({required String detectorId, required String invitationId, required String masterId}) → Future<void>

Accepts the invitation to be monitored by a GuardDuty administrator account.

archiveFindings({required String detectorId, required List<String> findingIds}) → Future<void>

Archives GuardDuty findings that are specified by the list of finding IDs.

close() → void

Closes the internal HTTP client if none was provided at creation. If a client was passed as a constructor argument, this becomes a noop.

createDetector({required bool enable, String? clientToken, DataSourceConfigurations? dataSources, List<DetectorFeatureConfiguration>? features, FindingPublishingFrequency? findingPublishingFrequency, Map<String, String>? tags}) → Future<CreateDetectorResponse>

Creates a single GuardDuty detector. A detector is a resource that represents the GuardDuty service. To start using GuardDuty, you must create a detector in each Region where you enable the service. You can have only one detector per account per Region. All data sources are enabled in a new detector by default.

createFilter({required String detectorId, required FindingCriteria findingCriteria, required String name, FilterAction? action, String? clientToken, String? description, int? rank, Map<String, String>? tags}) → Future<CreateFilterResponse>

Creates a filter using the specified finding criteria. The maximum number of saved filters per Amazon Web Services account per Region is 100. For more information, see Quotas for GuardDuty.

createIPSet({required bool activate, required String detectorId, required IpSetFormat format, required String location, required String name, String? clientToken, String? expectedBucketOwner, Map<String, String>? tags}) → Future<CreateIPSetResponse>

Creates a new IPSet, which is called a trusted IP list in the console user interface. An IPSet is a list of IP addresses that are trusted for secure communication with Amazon Web Services infrastructure and applications. GuardDuty doesn't generate findings for IP addresses that are included in IPSets. Only users from the administrator account can use this operation.

createMalwareProtectionPlan({required CreateProtectedResource protectedResource, required String role, MalwareProtectionPlanActions? actions, String? clientToken, Map<String, String>? tags}) → Future<CreateMalwareProtectionPlanResponse>

Creates a new Malware Protection plan for the protected resource.

createMembers({required List<AccountDetail> accountDetails, required String detectorId}) → Future<CreateMembersResponse>

Creates member accounts of the current Amazon Web Services account by specifying a list of Amazon Web Services account IDs. This step is a prerequisite for managing the associated member accounts either by invitation or through an organization.

createPublishingDestination({required DestinationProperties destinationProperties, required DestinationType destinationType, required String detectorId, String? clientToken, Map<String, String>? tags}) → Future<CreatePublishingDestinationResponse>

Creates a publishing destination where you can export your GuardDuty findings. Before you start exporting the findings, the destination resource must exist.

createSampleFindings({required String detectorId, List<String>? findingTypes}) → Future<void>

Generates sample findings of types specified by the list of finding types. If 'NULL' is specified for findingTypes, the API generates sample findings of all supported finding types.

createThreatEntitySet({required bool activate, required String detectorId, required ThreatEntitySetFormat format, required String location, required String name, String? clientToken, String? expectedBucketOwner, Map<String, String>? tags}) → Future<CreateThreatEntitySetResponse>

Creates a new threat entity set. In a threat entity set, you can provide known malicious threat entities for your Amazon Web Services environment. GuardDuty generates findings based on the entries in the threat entity sets. Only users of the administrator account can manage entity sets, which automatically apply to member accounts.

createThreatIntelSet({required bool activate, required String detectorId, required ThreatIntelSetFormat format, required String location, required String name, String? clientToken, String? expectedBucketOwner, Map<String, String>? tags}) → Future<CreateThreatIntelSetResponse>

Creates a new ThreatIntelSet. ThreatIntelSets consist of known malicious IP addresses. GuardDuty generates findings based on ThreatIntelSets. Only users of the administrator account can use this operation.

createTrustedEntitySet({required bool activate, required String detectorId, required TrustedEntitySetFormat format, required String location, required String name, String? clientToken, String? expectedBucketOwner, Map<String, String>? tags}) → Future<CreateTrustedEntitySetResponse>

Creates a new trusted entity set. In the trusted entity set, you can provide IP addresses and domains that you believe are secure for communication in your Amazon Web Services environment. GuardDuty will not generate findings for the entries that are specified in a trusted entity set. At any given time, you can have only one trusted entity set.

declineInvitations({required List<String> accountIds}) → Future<DeclineInvitationsResponse>

Declines invitations sent to the current member account by Amazon Web Services accounts specified by their account IDs.

deleteDetector({required String detectorId}) → Future<void>

Deletes an Amazon GuardDuty detector that is specified by the detector ID.

deleteFilter({required String detectorId, required String filterName}) → Future<void>

Deletes the filter specified by the filter name.

deleteInvitations({required List<String> accountIds}) → Future<DeleteInvitationsResponse>

Deletes invitations sent to the current member account by Amazon Web Services accounts specified by their account IDs.

deleteIPSet({required String detectorId, required String ipSetId}) → Future<void>

Deletes the IPSet specified by the ipSetId. IPSets are called trusted IP lists in the console user interface.

deleteMalwareProtectionPlan({required String malwareProtectionPlanId}) → Future<void>

Deletes the Malware Protection plan ID associated with the Malware Protection plan resource. Use this API only when you no longer want to protect the resource associated with this Malware Protection plan ID.

deleteMembers({required List<String> accountIds, required String detectorId}) → Future<DeleteMembersResponse>

Deletes GuardDuty member accounts (to the current GuardDuty administrator account) specified by the account IDs.

deletePublishingDestination({required String destinationId, required String detectorId}) → Future<void>

Deletes the publishing definition with the specified destinationId.

deleteThreatEntitySet({required String detectorId, required String threatEntitySetId}) → Future<void>

Deletes the threat entity set that is associated with the specified threatEntitySetId.

deleteThreatIntelSet({required String detectorId, required String threatIntelSetId}) → Future<void>

Deletes the ThreatIntelSet specified by the ThreatIntelSet ID.

deleteTrustedEntitySet({required String detectorId, required String trustedEntitySetId}) → Future<void>

Deletes the trusted entity set that is associated with the specified trustedEntitySetId.

describeMalwareScans({required String detectorId, FilterCriteria? filterCriteria, int? maxResults, String? nextToken, SortCriteria? sortCriteria}) → Future<DescribeMalwareScansResponse>

Returns a list of malware scans. Each member account can view the malware scans for their own accounts. An administrator can view the malware scans for all the member accounts.

describeOrganizationConfiguration({required String detectorId, int? maxResults, String? nextToken}) → Future<DescribeOrganizationConfigurationResponse>

Returns information about the account selected as the delegated administrator for GuardDuty.

describePublishingDestination({required String destinationId, required String detectorId}) → Future<DescribePublishingDestinationResponse>

Returns information about the publishing destination specified by the provided destinationId.

disableOrganizationAdminAccount({required String adminAccountId}) → Future<void>

Removes the existing GuardDuty delegated administrator of the organization. Only the organization's management account can run this API operation.

disassociateFromAdministratorAccount({required String detectorId}) → Future<void>

Disassociates the current GuardDuty member account from its administrator account.

disassociateFromMasterAccount({required String detectorId}) → Future<void>

Disassociates the current GuardDuty member account from its administrator account.

disassociateMembers({required List<String> accountIds, required String detectorId}) → Future<DisassociateMembersResponse>

Disassociates GuardDuty member accounts (from the current administrator account) specified by the account IDs.

enableOrganizationAdminAccount({required String adminAccountId}) → Future<void>

Designates an Amazon Web Services account within the organization as your GuardDuty delegated administrator. Only the organization's management account can run this API operation.

getAdministratorAccount({required String detectorId}) → Future<GetAdministratorAccountResponse>

Provides the details of the GuardDuty administrator account associated with the current GuardDuty member account.

getCoverageStatistics({required String detectorId, required List<CoverageStatisticsType> statisticsType, CoverageFilterCriteria? filterCriteria}) → Future<GetCoverageStatisticsResponse>

Retrieves aggregated statistics for your account. If you are a GuardDuty administrator, you can retrieve the statistics for all the resources associated with the active member accounts in your organization who have enabled Runtime Monitoring and have the GuardDuty security agent running on their resources.

getDetector({required String detectorId}) → Future<GetDetectorResponse>

Retrieves a GuardDuty detector specified by the detectorId.

getFilter({required String detectorId, required String filterName}) → Future<GetFilterResponse>

Returns the details of the filter specified by the filter name.

getFindings({required String detectorId, required List<String> findingIds, SortCriteria? sortCriteria}) → Future<GetFindingsResponse>

Describes Amazon GuardDuty findings specified by finding IDs.

getFindingsStatistics({required String detectorId, FindingCriteria? findingCriteria, List<FindingStatisticType>? findingStatisticTypes, GroupByType? groupBy, int? maxResults, OrderBy? orderBy}) → Future<GetFindingsStatisticsResponse>

Lists GuardDuty findings statistics for the specified detector ID.

getInvitationsCount() → Future<GetInvitationsCountResponse>

Returns the count of all GuardDuty membership invitations that were sent to the current member account except the currently accepted invitation.

getIPSet({required String detectorId, required String ipSetId}) → Future<GetIPSetResponse>

Retrieves the IPSet specified by the ipSetId.

getMalwareProtectionPlan({required String malwareProtectionPlanId}) → Future<GetMalwareProtectionPlanResponse>

Retrieves the Malware Protection plan details associated with a Malware Protection plan ID.

getMalwareScan({required String scanId}) → Future<GetMalwareScanResponse>

Retrieves the detailed information for a specific malware scan. Each member account can view the malware scan details for their own account. An administrator can view malware scan details for all accounts in the organization.

getMalwareScanSettings({required String detectorId}) → Future<GetMalwareScanSettingsResponse>

Returns the details of the malware scan settings.

getMasterAccount({required String detectorId}) → Future<GetMasterAccountResponse>

Provides the details for the GuardDuty administrator account associated with the current GuardDuty member account.

getMemberDetectors({required List<String> accountIds, required String detectorId}) → Future<GetMemberDetectorsResponse>

Describes which data sources are enabled for the member account's detector.

getMembers({required List<String> accountIds, required String detectorId}) → Future<GetMembersResponse>

Retrieves GuardDuty member accounts (of the current GuardDuty administrator account) specified by the account IDs.

getOrganizationStatistics() → Future<GetOrganizationStatisticsResponse>

Retrieves how many active member accounts have each feature enabled within GuardDuty. Only a delegated GuardDuty administrator of an organization can run this API.

getRemainingFreeTrialDays({required List<String> accountIds, required String detectorId}) → Future<GetRemainingFreeTrialDaysResponse>

Provides the number of days left for each data source used in the free trial period.

getThreatEntitySet({required String detectorId, required String threatEntitySetId}) → Future<GetThreatEntitySetResponse>

Retrieves the threat entity set associated with the specified threatEntitySetId.

getThreatIntelSet({required String detectorId, required String threatIntelSetId}) → Future<GetThreatIntelSetResponse>

Retrieves the ThreatIntelSet that is specified by the ThreatIntelSet ID.

getTrustedEntitySet({required String detectorId, required String trustedEntitySetId}) → Future<GetTrustedEntitySetResponse>

Retrieves the trusted entity set associated with the specified trustedEntitySetId.

getUsageStatistics({required String detectorId, required UsageCriteria usageCriteria, required UsageStatisticType usageStatisticType, int? maxResults, String? nextToken, String? unit}) → Future<GetUsageStatisticsResponse>

Lists Amazon GuardDuty usage statistics over the last 30 days for the specified detector ID. For newly enabled detectors or data sources, the cost returned will include only the usage so far under 30 days. This may differ from the cost metrics in the console, which project usage over 30 days to provide a monthly cost estimate. For more information, see Understanding How Usage Costs are Calculated.

inviteMembers({required List<String> accountIds, required String detectorId, bool? disableEmailNotification, String? message}) → Future<InviteMembersResponse>

Invites Amazon Web Services accounts to become members of an organization administered by the Amazon Web Services account that invokes this API. If you are using Amazon Web Services Organizations to manage your GuardDuty environment, this step is not needed. For more information, see Managing accounts with organizations.

listCoverage({required String detectorId, CoverageFilterCriteria? filterCriteria, int? maxResults, String? nextToken, CoverageSortCriteria? sortCriteria}) → Future<ListCoverageResponse>

Lists coverage details for your GuardDuty account. If you're a GuardDuty administrator, you can retrieve all resources associated with the active member accounts in your organization.

listDetectors({int? maxResults, String? nextToken}) → Future<ListDetectorsResponse>

Lists detectorIds of all the existing Amazon GuardDuty detector resources.

listFilters({required String detectorId, int? maxResults, String? nextToken}) → Future<ListFiltersResponse>

Returns a paginated list of the current filters.

listFindings({required String detectorId, FindingCriteria? findingCriteria, int? maxResults, String? nextToken, SortCriteria? sortCriteria}) → Future<ListFindingsResponse>

Lists GuardDuty findings for the specified detector ID.

listInvitations({int? maxResults, String? nextToken}) → Future<ListInvitationsResponse>

Lists all GuardDuty membership invitations that were sent to the current Amazon Web Services account.

listIPSets({required String detectorId, int? maxResults, String? nextToken}) → Future<ListIPSetsResponse>

Lists the IPSets of the GuardDuty service specified by the detector ID. If you use this operation from a member account, the IPSets returned are the IPSets from the associated administrator account.

listMalwareProtectionPlans({String? nextToken}) → Future<ListMalwareProtectionPlansResponse>

Lists the Malware Protection plan IDs associated with the protected resources in your Amazon Web Services account.

listMalwareScans({ListMalwareScansFilterCriteria? filterCriteria, int? maxResults, String? nextToken, SortCriteria? sortCriteria}) → Future<ListMalwareScansResponse>

Returns a list of malware scans. Each member account can view the malware scans for their own accounts. An administrator can view the malware scans for all of its members' accounts.

listMembers({required String detectorId, int? maxResults, String? nextToken, String? onlyAssociated}) → Future<ListMembersResponse>

Lists details about all member accounts for the current GuardDuty administrator account.

listOrganizationAdminAccounts({int? maxResults, String? nextToken}) → Future<ListOrganizationAdminAccountsResponse>

Lists the accounts designated as GuardDuty delegated administrators. Only the organization's management account can run this API operation.

listPublishingDestinations({required String detectorId, int? maxResults, String? nextToken}) → Future<ListPublishingDestinationsResponse>

Returns a list of publishing destinations associated with the specified detectorId.

listTagsForResource({required String resourceArn}) → Future<ListTagsForResourceResponse>

Lists tags for a resource. Tagging is currently supported for detectors, finding filters, IP sets, threat intel sets, and publishing destination, with a limit of 50 tags per resource. When invoked, this operation returns all assigned tags for a given resource.

listThreatEntitySets({required String detectorId, int? maxResults, String? nextToken}) → Future<ListThreatEntitySetsResponse>

Lists the threat entity sets associated with the specified GuardDuty detector ID. If you use this operation from a member account, the threat entity sets that are returned as a response, belong to the administrator account.

listThreatIntelSets({required String detectorId, int? maxResults, String? nextToken}) → Future<ListThreatIntelSetsResponse>

Lists the ThreatIntelSets of the GuardDuty service specified by the detector ID. If you use this operation from a member account, the ThreatIntelSets associated with the administrator account are returned.

listTrustedEntitySets({required String detectorId, int? maxResults, String? nextToken}) → Future<ListTrustedEntitySetsResponse>

Lists the trusted entity sets associated with the specified GuardDuty detector ID. If you use this operation from a member account, the trusted entity sets that are returned as a response, belong to the administrator account.

noSuchMethod(Invocation invocation) → dynamic

Invoked when a nonexistent method or property is accessed.

inherited

sendObjectMalwareScan({S3ObjectForSendObjectMalwareScan? s3Object}) → Future<void>

Initiates a malware scan for a specific S3 object. This API allows you to perform on-demand malware scanning of individual objects in S3 buckets that have Malware Protection for S3 enabled.

startMalwareScan({required String resourceArn, String? clientToken, StartMalwareScanConfiguration? scanConfiguration}) → Future<StartMalwareScanResponse>

Initiates the malware scan. Invoking this API will automatically create the Service-linked role in the corresponding account if the resourceArn belongs to an EC2 instance.

startMonitoringMembers({required List<String> accountIds, required String detectorId}) → Future<StartMonitoringMembersResponse>

Turns on GuardDuty monitoring of the specified member accounts. Use this operation to restart monitoring of accounts that you stopped monitoring with the StopMonitoringMembers operation.

stopMonitoringMembers({required List<String> accountIds, required String detectorId}) → Future<StopMonitoringMembersResponse>

Stops GuardDuty monitoring for the specified member accounts. Use the StartMonitoringMembers operation to restart monitoring for those accounts.

tagResource({required String resourceArn, required Map<String, String> tags}) → Future<void>

Adds tags to a resource.

toString() → String

A string representation of this object.

inherited

unarchiveFindings({required String detectorId, required List<String> findingIds}) → Future<void>

Unarchives GuardDuty findings specified by the findingIds.

untagResource({required String resourceArn, required List<String> tagKeys}) → Future<void>

Removes tags from a resource.

updateDetector({required String detectorId, DataSourceConfigurations? dataSources, bool? enable, List<DetectorFeatureConfiguration>? features, FindingPublishingFrequency? findingPublishingFrequency}) → Future<void>

Updates the GuardDuty detector specified by the detector ID.

updateFilter({required String detectorId, required String filterName, FilterAction? action, String? description, FindingCriteria? findingCriteria, int? rank}) → Future<UpdateFilterResponse>

Updates the filter specified by the filter name.

updateFindingsFeedback({required String detectorId, required Feedback feedback, required List<String> findingIds, String? comments}) → Future<void>

Marks the specified GuardDuty findings as useful or not useful.

updateIPSet({required String detectorId, required String ipSetId, bool? activate, String? expectedBucketOwner, String? location, String? name}) → Future<void>

Updates the IPSet specified by the IPSet ID.

updateMalwareProtectionPlan({required String malwareProtectionPlanId, MalwareProtectionPlanActions? actions, UpdateProtectedResource? protectedResource, String? role}) → Future<void>

Updates an existing Malware Protection plan resource.

updateMalwareScanSettings({required String detectorId, EbsSnapshotPreservation? ebsSnapshotPreservation, ScanResourceCriteria? scanResourceCriteria}) → Future<void>

Updates the malware scan settings.

updateMemberDetectors({required List<String> accountIds, required String detectorId, DataSourceConfigurations? dataSources, List<MemberFeaturesConfiguration>? features}) → Future<UpdateMemberDetectorsResponse>

Contains information on member accounts to be updated.

updateOrganizationConfiguration({required String detectorId, bool? autoEnable, AutoEnableMembers? autoEnableOrganizationMembers, OrganizationDataSourceConfigurations? dataSources, List<OrganizationFeatureConfiguration>? features}) → Future<void>

Configures the delegated administrator account with the provided values. You must provide a value for either autoEnableOrganizationMembers or autoEnable, but not both.

updatePublishingDestination({required String destinationId, required String detectorId, DestinationProperties? destinationProperties}) → Future<void>

Updates information about the publishing destination specified by the destinationId.

updateThreatEntitySet({required String detectorId, required String threatEntitySetId, bool? activate, String? expectedBucketOwner, String? location, String? name}) → Future<void>

Updates the threat entity set associated with the specified threatEntitySetId.

updateThreatIntelSet({required String detectorId, required String threatIntelSetId, bool? activate, String? expectedBucketOwner, String? location, String? name}) → Future<void>

Updates the ThreatIntelSet specified by the ThreatIntelSet ID.

updateTrustedEntitySet({required String detectorId, required String trustedEntitySetId, bool? activate, String? expectedBucketOwner, String? location, String? name}) → Future<void>

Updates the trusted entity set associated with the specified trustedEntitySetId.

Operators

operator ==(Object other) → bool

The equality operator.

inherited