Integrations
- Integrations
- 1Password
- Abnormal
- Absolute
- AbuseIPDB
- Acronis
- Active Directory On-Prem
- Adaptive Shield
- Adobe Cloud
- ADP
- Agari Phishing Response
- Airlock
- Airlock Digital
- Akamai Identity Cloud Social
- Alert Logic
- AlgoSec Firewall Analyzer
- Alienvault OTX
- Alienvault USM
- Anthropic
- Anodot
- Any Run
- Ansible
- Anvilogic
- Apex One
- ArcSight ESM
- Area 1
- Asana
- Asset Panda
- Astrix
- Atlassian Crowd
- Atlassian User Management
- Atlassian User Provisioning
- AuditBoard
- auth0
- Authentik
- Authomize
- Automox
- AWS
- AWS
- Actions
- Overview
- Access Analyzer Apply Archive Rule
- ACM Get Account Configuration
- AWS Custom Action
- AWS Cloud Query
- CloudTrail Lookup Events
- CloudWatch Get Metric Widget Image
- CloudWatch Logs Describe Log Groups
- CloudWatch Logs Filter Log Events
- CloudWatch Logs Get Log Events
- CloudWatch Logs Get Query Results
- CloudWatch Logs Put Metric Filter
- CloudWatch Logs Start Query
- Create PreSigned URL
- DynamoDB Create Table
- DynamoDB Delete Table
- DynamoDB Get Item
- DynamoDB List Tables
- DynamoDB Put Item
- DynamoDB Scan
- EBS Complete Snapshot
- EBS Get Snapshot Block
- EBS List Changed Blocks
- EBS List Snapshot Blocks
- EBS Put Snapshot Block
- EBS Start Snapshot
- EC2 Create Security Group
- EC2 Create Tags
- EC2 Delete Security Group
- EC2 Delete Snapshot
- EC2 Delete Tags
- EC2 Delete Volume
- EC2 Deregister Image
- EC2 Describe Availability Zones
- EC2 Describe Customer Gateways
- EC2 Describe Images
- EC2 Describe Instance Attribute
- EC2 Describe Instance Status
- EC2 Describe Instances
- EC2 Describe Key Pairs
- EC2 Describe Network Acls
- EC2 Describe Route Tables
- EC2 Describe Security Groups
- EC2 Describe Subnets
- EC2 Describe Tags
- EC2 Describe Transit Gateways
- EC2 Describe Volumes
- EC2 Describe VPCs
- EC2 Modify Volume
- EC2 Reboot Instances
- EC2 Release Address
- EC2 Start Instances
- EC2 Stop Instances
- EC2 Terminate Instances
- EKS Describe Cluster
- EKS Describe Nodegroup
- EKS List Clusters
- EKS List Nodegroups
- EKS Tag Resource
- EKS Update Nodegroup Config
- ELB Describe Load Balancers
- ELBV2 Describe Target Groups
- Get Role Effective Permissions
- Get User Effective Permissions
- Get User Org Effective Permissions
- GuardDuty Create Detector
- GuardDuty Create Members
- GuardDuty Delete Detector
- GuardDuty Get Detector
- GuardDuty Get Findings
- GuardDuty Invite Members
- GuardDuty List Detectors
- GuardDuty List Findings
- GuardDuty Start Monitoring Members
- GuardDuty Stop Monitoring Members
- GuardDuty Update Detector
- GuardDuty Update Findings Feedback
- IAM Add User To Group
- IAM Attach Group Policy
- IAM Attach Role Policy
- IAM Create Access Key
- IAM Create Login Profile
- IAM Create Policy
- IAM Create User
- IAM Delete User
- IAM Generate Credential Report
- IAM Get Access Key Last Used
- IAM Get Account Summary
- IAM Get Credential Report
- IAM Get Policy
- IAM Get User
- IAM List Access Keys
- IAM List Account Aliases
- IAM List Attached User Policies
- IAM List Roles
- IAM List User Tags
- IAM Put User Policy
- Organizations Create Account
- Organizations Describe Organization
- Performance Insights Describe Dimension Keys
- Performance Insights Get Resource Metrics
- Pricing Get Products
- Run AWS CLI Script
- Run AWS CLI Script Under Assumed Role
- Run EKS CLI (Eksctl) Script
- S3 Copy Object
- S3 Create Bucket
- S3 Delete Bucket
- S3 Get Bucket Acl
- S3 Get Bucket Encryption
- S3 Get Object
- S3 Head Object
- S3 List Buckets
- S3 List Objects
- S3 Put Object
- S3 Put Public Access Block
- Secrets Manager Get Secret Value
- Security Token Service Assume Role
- Security Token Service Get Caller Identity
- Simple Queue Service Change Message Visibility
- Simple Queue Service Delete Message
- Simple Queue Service List Queues
- Simple Queue Service Receive Message
- Simple Queue Service Send Message
- Generate AWS Steampipe Report
- Triggers
- AWS IAM Identity Center
- Axonius
- Azure
- Azure Data Explorer
- Azure DevOps
- Azure Log Analytics
- Azure Storage
- BambooHR
- Big Fix
- BigPanda
- Bitbucket
- Bitdefender
- Bitsight
- Bitwarden
- Black Duck
- Black Kite
- Blink
- BMC Remedy
- Box
- Brinqa
- Cato Networks
- Censys
- Chorus
- Cisco Advanced Phishing Protection
- Cisco Domain Protection
- Cisco Meraki
- Cisco Talos
- Cisco Umbrella
- Cisco Webex
- Claroty xDome
- ClearPass
- ClickHouse
- ClickUp
- Cloud Custodian
- Cloudflare
- Cloudflare R2
- Cobalt.io
- Check Point Harmony
- Check Point Infinity Events
- Check Point Management
- Check Point XDR/XPR
- Checkmarx SAST
- Checkmarx One
- Chronicle
- Compass
- Confluence
- Confluence Data Center
- Coralogix
- Coralogix Incident Management
- Cortex XDR
- Cortex Xpanse
- Coupa Compass
- CredStash
- Cribl
- CrowdStrike
- CyberArk
- Cybersixgill
- CyCognito
- Cyera
- Cylance
- Cyware CTIX
- Darktrace
- Dasera
- Databricks
- Datadog
- DataSet
- Discord
- Docusign
- Delighted
- Delinea
- Devo
- Domo
- Drata
- Dropbox
- Dropbox Business
- druva
- Duo
- Duo Auth
- Dynatrace
- EasyVista
- EchoTrail
- Egnyte
- Egnyte Secure Govern
- Elasticsearch
- Entro
- Entrust Certificate Services
- Ermetic
- Exabeam
- Exchange Online
- Expel
- F5
- Falcon LogScale
- Falcon Surface
- Fastly
- Flare.io
- Forcepoint DLP
- Forescout
- FortiGate
- Freshservice
- GCP
- Gemini
- Ghostwriter
- Git
- GitHub
- GitLab
- Glean
- Gmail
- Google Calendar
- Google Chat
- Google Docs
- Google Drive
- Google Forms
- Google Meet
- Google Looker
- Google Sheets
- Google Workspace
- Grafana
- Greenhouse
- GreyNoise
- Grip Security
- GYTPOL
- Have I Been Pwned
- HackerOne
- Halo Service Desk
- HackNotice
- HiBob
- HubSpot
- Hunters
- Hybrid Analysis
- Hyperproof
- IBM CLoud
- IBM NS1 Connect
- IBM X Force
- Imperva
- Incident.io
- Infobip
- Infoblox Cloud Services Portal
- Intercom
- Intezer
- IP API
- IPinfo
- IPWHOIS
- Ivanti RiskSense
- Ironscales
- Jamf
- JetBrains
- JFrog
- Jira
- Jira Data Center
- Joe Sandbox
- JumpCloud
- Kandji
- Keeper Secrets Manager
- Kenna Security
- KnowBe4
- KnowBe4 Events
- Kubernetes
- Lacework
- LaunchDarkly
- LimaCharlie
- Linear
- Litmos
- Living Security
- LogicMonitor
- LogRhythm
- Manage Engine ServiceDesk Plus
- Mattermost
- Maven
- Microsoft Defender For Cloud
- Microsoft Defender For Cloud Apps
- Microsoft Defender For Endpoints
- Microsoft Defender XDR
- Microsoft E-Discovery
- Microsoft Entra ID
- Microsoft Graph
- Microsoft Intune
- Microsoft Office 365 Management Activity
- Microsoft Outlook
- Microsoft Purview
- Microsoft Sentinel
- Microsoft SQL Server
- Microsoft Teams
- Mimecast
- MISP
- Monday
- MongoDB Atlas
- MxToolbox
- Neo4j
- NetBox
- Netography
- Netskope
- New Relic
- Nightfall AI
- NinjaOne
- Notion
- Nozomi Networks
- Nuclei
- Nucleus
- Nutanix Hypervisor
- Obsidian
- Okta
- OneDrive
- OneLogin
- OneTrust
- Oort
- OpenAI
- OpenCTI
- Opsgenie
- OPSWAT
- Oracle Cloud
- Oracle HCM
- Orca Security
- OWASP ZAP
- PagerDuty
- Palo Alto NGFW
- Palo Alto Firewall
- Panther
- Pentera
- Perception Point
- PhishLabs
- PhishLabs Incident Data
- PhishLabs Open Web Monitoring
- Pingdom
- PingID
- PingOne
- PlexTrac
- PortSwigger
- Power BI
- PowerShell
- Postman
- Postman SCIM
- Prisma Access
- Prisma Cloud
- Prisma Cloud CWP
- Prometheus
- Proofpoint
- Proofpoint ITM
- Proofpoint Protection Server
- Proofpoint Security Awareness Training
- Proofpoint TAP
- Proofpoint TRAP
- Pub-Sub
- QRadar
- Qualys
- Rapid7
- Rapid7 InsightIDR
- Rapid7 InsightVM Cloud
- Rapid7 Threat Command
- Reco
- Recorded Future
- Recorded Future Triage Cloud
- Red Hat IDM
- Rippling
- runZero
- SafeBase
- Sage HR
- SailPoint
- SailPoint IdentityIQ
- Salesforce
- SAP Ariba
- Sap Concur
- ScienceLogic
- Securin
- Securin VI
- SecurityScorecard
- Securonix
- Seemplicity
- Sekoia.io
- SemGrep
- SentinelOne
- ServiceNow
- SharePoint
- Shodan
- Shopify
- Silverfort
- Slack
- Smartsheet
- Snipe IT
- Snowflake
- Snyk
- SolarWinds Information Service
- SolarWinds Service Desk
- SonarQube
- Sophos
- Split
- Splunk
- Splunk Observability
- Splunk SOAR
- Spur
- StrongDM
- Sumo Logic
- Symantec EDR
- Sysdig
- Tableau
- Tanium
- TeamCity
- TeamViewer
- Telegram
- Tempo
- Tenable
- Tenable Security Center
- Terraform
- Terraform Cloud
- Tessian
- TheHive
- Thinkst Canary
- ThreatQuotient
- Trellix Email Security
- Trello
- Trend Vision One
- Twilio
- UKG HR
- Uptycs
- URLScan
- Vault
- Veracode
- Verkada
- Vertica
- VMware vSphere
- VMware Carbon Black
- VirusTotal
- WeChat
- WhatsApp
- WhoIs
- WildFire
- Wiz
- Workday
- Workspace ONE UEM
- YesWeHack
- Zendesk
- Zero Networks
- Zoom
- Zscaler Internet Access
- Zscaler Private Access
Actions
GuardDuty Get Findings
Describes Amazon GuardDuty findings specified by finding IDs.
External Documentation
To learn more, visit the AWS documentation.
Basic Parameters
| Parameter | Description |
|---|---|
| AWS Region(s) | Enter the desired AWS Region(s).To execute the action in multiple regions, provide a comma-separated list.For example: us-east-1,eu-west-2.If you wish to run the action in all available regions, use the asterisk symbol (*) instead. |
| Detector ID | The ID of the detector that specifies the GuardDuty service whose findings you want to retrieve. |
| Finding IDs | A comma-separated list of finding IDs you want to retrieve. |
Advanced Parameters
| Parameter | Description |
|---|---|
| Disable XML To JSON Auto Convert | When checked, XML responses are not automatically converted into JSON format. |
| Order By | The order by which the sorted findings are to be displayed. |
| Sort By | Represents the finding attribute (for example, accountId) to sort findings by. |
Example Output
Copy
{
"Findings": [
{
"AccountId": "string",
"Arn": "string",
"Confidence": 0,
"CreatedAt": "string",
"Description": "string",
"Id": "string",
"Partition": "string",
"Region": "string",
"Resource": {
"AccessKeyDetails": {
"AccessKeyId": "string",
"PrincipalId": "string",
"UserName": "string",
"UserType": "string"
},
"InstanceDetails": {
"AvailabilityZone": "string",
"IamInstanceProfile": {
"Arn": "string",
"Id": "string"
},
"ImageDescription": "string",
"ImageId": "string",
"InstanceId": "string",
"InstanceState": "string",
"InstanceType": "string",
"LaunchTime": "string",
"NetworkInterfaces": [
{
"Ipv6Addresses": [
"string"
],
"NetworkInterfaceId": "string",
"PrivateDnsName": "string",
"PrivateIpAddress": "string",
"PrivateIpAddresses": [
{
"PrivateDnsName": "string",
"PrivateIpAddress": "string"
}
],
"PublicDnsName": "string",
"PublicIp": "string",
"SecurityGroups": [
{
"GroupId": "string",
"GroupName": "string"
}
],
"SubnetId": "string",
"VpcId": "string"
}
],
"OutpostArn": "string",
"Platform": "string",
"ProductCodes": [
{
"Code": "string",
"ProductType": "string"
}
],
"Tags": [
{
"Key": "string",
"Value": "string"
}
]
},
"ResourceType": "string",
"S3BucketDetails": [
{
"Arn": "string",
"CreatedAt": "date-time",
"DefaultServerSideEncryption": {
"EncryptionType": "string",
"KmsMasterKeyArn": "string"
},
"Name": "string",
"Owner": {
"Id": "string"
},
"PublicAccess": {
"EffectivePermission": "string",
"PermissionConfiguration": {
"AccountLevelPermissions": {
"BlockPublicAccess": {
"BlockPublicAcls": false,
"BlockPublicPolicy": false,
"IgnorePublicAcls": false,
"RestrictPublicBuckets": false
}
},
"BucketLevelPermissions": {
"AccessControlList": {
"AllowsPublicReadAccess": false,
"AllowsPublicWriteAccess": false
},
"BlockPublicAccess": {
"BlockPublicAcls": false,
"BlockPublicPolicy": false,
"IgnorePublicAcls": false,
"RestrictPublicBuckets": false
},
"BucketPolicy": {
"AllowsPublicReadAccess": false,
"AllowsPublicWriteAccess": false
}
}
}
},
"Tags": [
{
"Key": "string",
"Value": "string"
}
],
"Type": "string"
}
]
},
"SchemaVersion": "string",
"Service": {
"Action": {
"ActionType": "string",
"AwsApiCallAction": {
"Api": "string",
"CallerType": "string",
"DomainDetails": {
"Domain": "string"
},
"ErrorCode": "string",
"RemoteIpDetails": {
"City": {
"CityName": "string"
},
"Country": {
"CountryCode": "string",
"CountryName": "string"
},
"GeoLocation": {
"Lat": 0,
"Lon": 0
},
"IpAddressV4": "string",
"Organization": {
"Asn": "string",
"AsnOrg": "string",
"Isp": "string",
"Org": "string"
}
},
"ServiceName": "string"
},
"DnsRequestAction": {
"Domain": "string"
},
"NetworkConnectionAction": {
"Blocked": false,
"ConnectionDirection": "string",
"LocalIpDetails": {
"IpAddressV4": "string"
},
"LocalPortDetails": {
"Port": 0,
"PortName": "string"
},
"Protocol": "string",
"RemoteIpDetails": {
"City": {
"CityName": "string"
},
"Country": {
"CountryCode": "string",
"CountryName": "string"
},
"GeoLocation": {
"Lat": 0,
"Lon": 0
},
"IpAddressV4": "string",
"Organization": {
"Asn": "string",
"AsnOrg": "string",
"Isp": "string",
"Org": "string"
}
},
"RemotePortDetails": {
"Port": 0,
"PortName": "string"
}
},
"PortProbeAction": {
"Blocked": false,
"PortProbeDetails": [
{
"LocalIpDetails": {
"IpAddressV4": "string"
},
"LocalPortDetails": {
"Port": 0,
"PortName": "string"
},
"RemoteIpDetails": {
"City": {
"CityName": "string"
},
"Country": {
"CountryCode": "string",
"CountryName": "string"
},
"GeoLocation": {
"Lat": 0,
"Lon": 0
},
"IpAddressV4": "string",
"Organization": {
"Asn": "string",
"AsnOrg": "string",
"Isp": "string",
"Org": "string"
}
}
}
]
}
},
"Archived": false,
"Count": 0,
"DetectorId": "string",
"EventFirstSeen": "string",
"EventLastSeen": "string",
"Evidence": {
"ThreatIntelligenceDetails": [
{
"ThreatListName": "string",
"ThreatNames": [
"string"
]
}
]
},
"ResourceRole": "string",
"ServiceName": "string",
"UserFeedback": "string"
},
"Severity": 0,
"Title": "string",
"Type": "string",
"UpdatedAt": "string"
}
]
}
Workflow Library Example
Guardduty Get Findings with Aws and Send Results Via Email
Preview this Workflow on desktop
Was this page helpful?
Assistant
Responses are generated using AI and may contain mistakes.