Files
Anthropic-Cybersecurity-Skills/skills/detecting-aws-guardduty-findings-automation/references/api-reference.md
T
mukul975 c21af3347e Complete folder anatomy for all 649 cybersecurity skills + update LICENSE to Mahipal
- Add scripts/agent.py and references/api-reference.md to all remaining skills
- Update all 648 LICENSE files: copyright now reads 'Mahipal'
- Add implementing-security-monitoring-with-datadog (new skill with full anatomy)
- All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2026-03-11 00:22:12 +01:00

2.4 KiB

AWS GuardDuty Findings Automation — API Reference

Libraries

Library Install Purpose
boto3 pip install boto3 AWS SDK for GuardDuty API

Key boto3 GuardDuty Methods

Method Description
list_detectors() List GuardDuty detector IDs
get_detector(DetectorId=) Get detector configuration
list_findings(DetectorId=, FindingCriteria=) Query finding IDs
get_findings(DetectorId=, FindingIds=[]) Get finding details
get_findings_statistics(DetectorId=) Finding counts by severity
archive_findings(DetectorId=, FindingIds=[]) Archive processed findings
list_members(DetectorId=) List member accounts (multi-account)
create_sample_findings(DetectorId=) Generate sample findings for testing

Finding Severity Levels

Range Level Description
7.0-8.9 High Compromised resource, active threat
4.0-6.9 Medium Suspicious activity, potential threat
1.0-3.9 Low Attempted suspicious activity

GuardDuty Finding Types

Type Prefix Category
Recon: Reconnaissance activity
UnauthorizedAccess: Unauthorized access attempt
CryptoCurrency: Crypto mining activity
Trojan: Malware communication
Stealth: Logging/monitoring evasion
Policy: Policy violation
Persistence: Persistence mechanism

GuardDuty Protection Features

Feature Description
S3_DATA_EVENTS S3 data plane monitoring
EKS_AUDIT_LOGS EKS control plane monitoring
EBS_MALWARE_PROTECTION EBS volume malware scanning
RDS_LOGIN_EVENTS RDS login activity monitoring
LAMBDA_NETWORK_LOGS Lambda function network monitoring
RUNTIME_MONITORING EC2/ECS/EKS runtime threat detection

FindingCriteria Filter

criteria = {
    "Criterion": {
        "severity": {"Gte": 7.0},
        "service.archived": {"Eq": ["false"]},
        "type": {"Eq": ["UnauthorizedAccess:EC2/SSHBruteForce"]},
    }
}

External References