Describes Amazon GuardDuty findings specified by finding IDs.
External Documentation: To learn more, visit the AWS documentation.

Basic Parameters

Parameter: Description
AWS Region(s): Enter the desired AWS Region(s).

To execute the action in multiple regions, provide a comma-separated list.
For example: us-east-1,eu-west-2.

If you wish to run the action in all available regions, use the asterisk symbol (*) instead.
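Detector ID: The ID of the detector that specifies the GuardDuty service whose findings you want to retrieve. A GuardDuty detector is a regional resource, so the ID must belong to a detector in the region the action runs in.
Finding IDs: A comma-separated list of finding IDs you want to retrieve.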

Advanced Parameters

Parameter: Description
Disable XML To JSON Auto Convert: When checked, XML responses are not automatically converted into JSON format.
Order By: The order in which the sorted findings are displayed.
Sort By: The finding attribute (for example, accountId) to sort findings by.

Example Output

{
	"Findings": [
		{
			"AccountId": "string",
			"Arn": "string",
			"Confidence": 0,
			"CreatedAt": "string",
			"Description": "string",
			"Id": "string",
			"Partition": "string",
			"Region": "string",
			"Resource": {
				"AccessKeyDetails": {
					"AccessKeyId": "string",
					"PrincipalId": "string",
					"UserName": "string",
					"UserType": "string"
				},
				"InstanceDetails": {
					"AvailabilityZone": "string",
					"IamInstanceProfile": {
						"Arn": "string",
						"Id": "string"
					},
					"ImageDescription": "string",
					"ImageId": "string",
					"InstanceId": "string",
					"InstanceState": "string",
					"InstanceType": "string",
					"LaunchTime": "string",
					"NetworkInterfaces": [
						{
							"Ipv6Addresses": [
								"string"
							],
							"NetworkInterfaceId": "string",
							"PrivateDnsName": "string",
							"PrivateIpAddress": "string",
							"PrivateIpAddresses": [
								{
									"PrivateDnsName": "string",
									"PrivateIpAddress": "string"
								}
							],
							"PublicDnsName": "string",
							"PublicIp": "string",
							"SecurityGroups": [
								{
									"GroupId": "string",
									"GroupName": "string"
								}
							],
							"SubnetId": "string",
							"VpcId": "string"
						}
					],
					"OutpostArn": "string",
					"Platform": "string",
					"ProductCodes": [
						{
							"Code": "string",
							"ProductType": "string"
						}
					],
					"Tags": [
						{
							"Key": "string",
							"Value": "string"
						}
					]
				},
				"ResourceType": "string",
				"S3BucketDetails": [
					{
						"Arn": "string",
						"CreatedAt": "date-time",
						"DefaultServerSideEncryption": {
							"EncryptionType": "string",
							"KmsMasterKeyArn": "string"
						},
						"Name": "string",
						"Owner": {
							"Id": "string"
						},
						"PublicAccess": {
							"EffectivePermission": "string",
							"PermissionConfiguration": {
								"AccountLevelPermissions": {
									"BlockPublicAccess": {
										"BlockPublicAcls": false,
										"BlockPublicPolicy": false,
										"IgnorePublicAcls": false,
										"RestrictPublicBuckets": false
									}
								},
								"BucketLevelPermissions": {
									"AccessControlList": {
										"AllowsPublicReadAccess": false,
										"AllowsPublicWriteAccess": false
									},
									"BlockPublicAccess": {
										"BlockPublicAcls": false,
										"BlockPublicPolicy": false,
										"IgnorePublicAcls": false,
										"RestrictPublicBuckets": false
									},
									"BucketPolicy": {
										"AllowsPublicReadAccess": false,
										"AllowsPublicWriteAccess": false
									}
								}
							}
						},
						"Tags": [
							{
								"Key": "string",
								"Value": "string"
							}
						],
						"Type": "string"
					}
				]
			},
			"SchemaVersion": "string",
			"Service": {
				"Action": {
					"ActionType": "string",
					"AwsApiCallAction": {
						"Api": "string",
						"CallerType": "string",
						"DomainDetails": {
							"Domain": "string"
						},
						"ErrorCode": "string",
						"RemoteIpDetails": {
							"City": {
								"CityName": "string"
							},
							"Country": {
								"CountryCode": "string",
								"CountryName": "string"
							},
							"GeoLocation": {
								"Lat": 0,
								"Lon": 0
							},
							"IpAddressV4": "string",
							"Organization": {
								"Asn": "string",
								"AsnOrg": "string",
								"Isp": "string",
								"Org": "string"
							}
						},
						"ServiceName": "string"
					},
					"DnsRequestAction": {
						"Domain": "string"
					},
					"NetworkConnectionAction": {
						"Blocked": false,
						"ConnectionDirection": "string",
						"LocalIpDetails": {
							"IpAddressV4": "string"
						},
						"LocalPortDetails": {
							"Port": 0,
							"PortName": "string"
						},
						"Protocol": "string",
						"RemoteIpDetails": {
							"City": {
								"CityName": "string"
							},
							"Country": {
								"CountryCode": "string",
								"CountryName": "string"
							},
							"GeoLocation": {
								"Lat": 0,
								"Lon": 0
							},
							"IpAddressV4": "string",
							"Organization": {
								"Asn": "string",
								"AsnOrg": "string",
								"Isp": "string",
								"Org": "string"
							}
						},
						"RemotePortDetails": {
							"Port": 0,
							"PortName": "string"
						}
					},
					"PortProbeAction": {
						"Blocked": false,
						"PortProbeDetails": [
							{
								"LocalIpDetails": {
									"IpAddressV4": "string"
								},
								"LocalPortDetails": {
									"Port": 0,
									"PortName": "string"
								},
								"RemoteIpDetails": {
									"City": {
										"CityName": "string"
									},
									"Country": {
										"CountryCode": "string",
										"CountryName": "string"
									},
									"GeoLocation": {
										"Lat": 0,
										"Lon": 0
									},
									"IpAddressV4": "string",
									"Organization": {
										"Asn": "string",
										"AsnOrg": "string",
										"Isp": "string",
										"Org": "string"
									}
								}
							}
						]
					}
				},
				"Archived": false,
				"Count": 0,
				"DetectorId": "string",
				"EventFirstSeen": "string",
				"EventLastSeen": "string",
				"Evidence": {
					"ThreatIntelligenceDetails": [
						{
							"ThreatListName": "string",
							"ThreatNames": [
								"string"
							]
						}
					]
				},
				"ResourceRole": "string",
				"ServiceName": "string",
				"UserFeedback": "string"
			},
			"Severity": 0,
			"Title": "string",
			"Type": "string",
			"UpdatedAt": "string"
		}
	]
}

Workflow Library Example

Guardduty Get Findings with Aws and Send Results Via Email