AWS GuardDuty

LAST UPDATED: FEB 4, 2025

Overview

Amazon GuardDuty is a continuous security monitoring service that analyzes and processes the following Data sources: VPC Flow Logs, AWS CloudTrail management event logs, CloudTrail S3 data event logs, and DNS logs. It uses threat intelligence feeds, such as lists of malicious IP addresses and domains, and machine learning to identify unexpected and potentially unauthorized and malicious activity within your AWS environment. This integration enables organizations to detect and manage threats and findings in your AWS environment.

D3 SOAR is providing REST operations to function with AWS GuardDuty.

AWS GuardDuty is available for use in:

D3 SOAR	V14.0.576+
Category	Threat Intelligence
Deployment Options	Option II, Option IV

Known Limitations

When request calls exceed the default limits, you may receive error responses at this point. Request a quota increase when you need it.

Please refer to the Quotas for Amazon GuardDuty for detailed information.

Connection

To connect to AWS GuardDuty from D3 SOAR, please follow this part to collect the required information below:

Parameter	Description	Example
Default Region Name	The AWS region name.	US West (N. California)
Access Key	The access key for authentication.	AKIAxxxxxxxxxxxx4CYL
Secret Key	The secret key for authentication.	Xdwchs**E8vjHyIx9x6iPuWdX**DXSdH
Default Role ARN	The Amazon Resource Name (ARN) of the role to assume can be obtained from IAM in the AWS console. Note that for assuming a role, ensure that the assumed role has the necessary permissions to execute related commands. Additionally, the assumed role must trust the account you're using for the connection. Please refer to Editing the trust relationship for an existing role - AWS Directory Service.	arn:aws:iam::*****:role/d3guarddutyrole
Default Role Session Name	The identifier for the assumed role session. Use the role session name to uniquely identify a session, especially when the same role is assumed by different principals or for different purposes. The role session name should consist of upper- and lower-case alphanumeric characters with no spaces. Additionally, you can include underscores or any of the following characters: =,.@-. If the Role Session Name parameter is not specified, but the Default Role ARN parameter is, the D3 system will automatically generate a role session name for you.	d3guarddutyrole_Session1
Default Session Duration Time	The duration of the role assumption session in seconds. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role, which is 1 hour by default. If this parameter is not specified, then the default value of 3600 seconds will be used.	1800

Permission Requirements

Each endpoint in the AWS GuardDuty API requires a certain permission scope. The following are required scopes for the commands in this integration:

Command	Policy
Command	Service	Access level (Actions)
Archive Findings	GuardDuty	ArchiveFindings
Create Detector	GuardDuty	CreateDetector
Create IPSet	GuardDuty	CreateIPSet
Create IPSet	IAM	PutRolePolicy
Create Sample Findings	GuardDuty	CreateSampleFindings
Create ThreatIntelSet	GuardDuty	CreateThreatIntelSet
Create ThreatIntelSet	IAM	PutRolePolicy
Delete Detector	GuardDuty	DeleteDetector
Delete IPSet	GuardDuty	DeleteIPSet
Delete IPSet	IAM	DeleteRolePolicy
Delete ThreatIntelSet	GuardDuty	DeleteThreatIntelSet
Delete ThreatIntelSet	IAM	DeleteRolePolicy
Fetch Event	GuardDuty	ListFindings
Fetch Event	GuardDuty	GetFindings
Fetch Incident	GuardDuty	ListFindings
Fetch Incident	GuardDuty	GetFindings
Get Detector Detail	GuardDuty	GetDetector
Get Findings	GuardDuty	GetFindings
Get IPSet	GuardDuty	GetIPSet
Get ThreatintelSet	GuardDuty	GetThreatIntelSet
List Detectors	GuardDuty	ListDetectors
List Findings	GuardDuty	ListFindings
List IPSets	GuardDuty	ListIPSets
List ThreatIntelSets	GuardDuty	ListThreatIntelSets
Unarchive Findings	GuardDuty	UnarchiveFindings
Update Detector	GuardDuty	UpdateDetector
Update Findings Feedback	GuardDuty	UpdateFindingsFeedback
Update IPSet	GuardDuty	UpdateIPSet
	IAM	PutRolePolicy
	IAM	DeleteRolePolicy
Update ThreatIntelSet	GuardDuty	UpdateThreatIntelSet
	IAM	PutRolePolicy
	IAM	DeleteRolePolicy
Test Connection	GuardDuty	ListDetectors

Configuring AWS GuardDuty to Work with D3 SOAR

If your login user is ready to use (no policy configure needed), please follow the steps below to get your access Key and secret key.

If you want to configure an account with limited API access, please follow the Create Policy > Create User > Access Key and Secret Key to get keys.

Sign in to the AWS console with your account credentials.
Click the account icon at the top right corner, then click Security Credentials.
On my security credentials page, under the AWS IAM credentials tab, click the button Create access key to create a new Access Key and Secret Key.

READER NOTE

If you do not have permission to read or create an access key, please ask your administrator for help.

Copy the Access key ID and the Secret access key to use to connect with D3 SOAR.

READER NOTE

The secret access key can only be viewed or downloaded at this time. It is recommended that you promptly download the .csv file and securely store it for future reference. If you lose or forget your secret key, you will not be able to recover it. If you have lost your secret key, you will need to create a new access key and deactivate the old key. You can have a maximum of two access keys (active or inactive) at a time.

Creating Policy

Click on Services, which will expand the navigation menu. Then select IAM.
Select Access management, which will open a menu where you can select Policies. Then, click the Create Policy button.
In the Select a service section, click on Service to Choose a service. Please refer to Permission Requirements for the service you have selected. Then click Next.
Search and assign using the search box in the Actions allowed section. For example, search for ListDetectors in the search box, and use the tick box underneath it to select this action. Please refer to Permission Requirements for the necessary Access level (Actions). It is possible to specify multiple permissions under the same policy. Then click Next.
Type a name in the text box under Policy name. Click Create policy.

Creating User

Locate the Users tab.
Type a user name into the User details field, then click Next.
Select your desired permissions under Permissions options. It is suggested to link directly to your created policy. Please refer to Creating Policy for more detailed information.
Alternatively, you may create a role with your desired permissions. Please refer to Adding a Role and Trusted Entities for creating user roles. Once the role is created, it is not required to assign the role directly to the user. Instead, you can assign the role through the D3 connection or D3 commands. Please refer to AssumeRole - AWS Security Token Service for more details.
Then click Next.
Review the details you have entered, and click Create user.
Find the user you just created. Copy the User ARN.

Adding a Role and Trusted Entities

Sign in to the AWS IAM console with your administrator credentials.
On the left side menu, click Roles and then click the Create role button at the top right.
Select AWS account under Trusted entity type. Depending on your request, choose the appropriate account under An AWS account, then click Next.
Use the search box to search for the policy name. Add the required permissions by selecting the policy, then click Next.
Enter the Role name, and click Create role.
Find the role. Navigate to Roles, and select the role that you have just created. Click Create rule.
Navigate to Roles and select the tab Trust relationships. Click Edit trust policy.
Return to Edit trust policy that is opened in your other browser tab/window. Paste the following code to your trust policy. Then paste your copied user ARN (please refer to step 5 of Creating User for getting user ARN) to the "AWS" field in the code. Click Update policy.
CODE
```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::******:user/DOC_User",
        "Service": "guardduty.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
The Role ARN is ready to use.

Access Key and Secret Key

Find the user you have created, and click on your user to access the details.
Under the Security credentials tab, click on Create access key.
Create an access key and save the details. Click Done after saving these credentials.

READER NOTE

The secret access key can only be viewed or downloaded at this time. It is recommended that you promptly download the .csv file and securely store it for future reference. If you lose or forget your secret key, you will not be able to recover it. If you have lost your secret key, you will need to create a new access key and deactivate the old key. You can have a maximum of two access keys (active or inactive) at a time.

Configuring D3 SOAR to Work with AWS GuardDuty

Log in to D3 SOAR.
Find the AWS GuardDuty integration.
1. Navigate to Configuration on the top header menu.
2. Click on the Integration icon on the left sidebar.
3. Type AWS GuardDuty in the search box to find the integration, then click it to select it.
4. Click + Connection, on the right side of the Connections section. A new connection window will appear.
Configure the following fields to create a connection to AWS GuardDuty.
1. Connection Name: The desired name for the connection.
2. Site: Specifies the site to use the integration connection. Use the drop-down menu to select the site. The Share to Internal Sites option enables all sites defined as internal sites to use the connection. Selecting a specific site will only enable that site to use the connection.
3. Recipient site for events from connections Shared to Internal Sites: This field appears if you selected Share to Internal Sites for Site to let you select the internal site to deploy the integration connection.
4. Agent Name (Optional): Specifies the proxy agent required to build the connection. Use the dropdown menu to select the proxy agent from a list of previously configured proxy agents.
5. Description (Optional): Add your desired description for the connection.
6. Tenant (Optional): When configuring the connection from a master tenant site, you have the option to choose the specific tenant sites you want to share the connection with. Once you enable this setting, you can filter and select the desired tenant sites from the dropdowns to share the connection.
7. Configure User Permissions: Defines which users have access to the connection.
8. Active: Check the tick box to ensure the connection is available for use.
9. System: This section contains the parameters defined specifically for the integration. These parameters must be configured to create the integration connection.
  1. Choose the Default Region Name.
  2. Input the Access Key obtained from the AWS GuardDuty platform in step 3 of Access Key and Secret Key.
  3. Input the Secret Key obtained from the AWS GuardDuty platform in step 3 of Access Key and Secret Key.
  4. (Optional) Define the Default Role ARN obtained from the AWS GuardDuty platform in step 9 of Adding a Role and Trusted Entities.
  5. (Optional) Input the Default Role Session Name.
  6. (Optional) Input the Default Session Duration Time.
10. Enable Password Vault: An optional feature that allows users to take the stored credentials from their own password vault. Please refer to the password vault connection guide if needed.
11. Connection Health Check: Updates the connection status you have created. A connection health check is done by scheduling the Test Connection command of this integration. This can only be done when the connection is active.
  To set up a connection health check, check the Connection Health Check tickbox. You can customize the interval (minutes) for scheduling the health check. An email notification can be set up after a specified number of failed connection attempts.
Test the connection.
1. Click Test Connection to verify the account credentials and network connection. If the Test Connection Passed alert window appears, the test connection is successful. You will see Passed with a green checkmark appear beside the Test Connection button. If the test connection fails, please check your connection parameters and try again.
2. Click OK to close the alert window.
3. Click + Add to create and add the configured connection.

Commands

AWS GuardDuty includes the following executable commands for users to set up schedules or create playbook workflows. With the Test Command, you can execute these commands independently for playbook troubleshooting.

Integration API Note

For more information about the AWS GuardDuty API, please refer to the AWS GuardDuty API reference.

READER NOTE

Certain permissions are required for each command. Please refer to the Permission Requirements and Configuring AWS GuardDuty to Work with D3 SOAR for details.

Note for Time-related parameters

The input format of time-related parameters may vary based on your account settings. As a result, the sample data provided in our commands is different from what you see. To set your preferred time format, follow these steps:

Navigate to Configuration > Application Settings. Select Date/Time Format.
Choose your desired date and time format.

After that, you will be able to view your preferred time format when configuring the DateTime input parameters for commands.

Archive Findings

Archives the GuardDuty findings specified by the list of finding IDs.

READER NOTE

Detector ID and Finding IDs are required parameters to run this command.

Run the List Detectors command to obtain the Detector ID. Detector IDs can be found in the raw data returned at the path $.detectorIds.
Run the List Findings command to obtain the Finding IDs. Finding IDs can be found in the raw data returned at the path $.findingIds.

Input

Input Parameter	Required/Optional	Description	Example
Detector ID	Required	The ID of the detector specifying the GuardDuty service from which to archive findings. Detector ID can be obtained using the List Detectors command.	62b*****d6b
Finding IDs	Required	The IDs of the findings to be archived. Finding IDs can be obtained using the List Findings command.	[ "36b*****689" ]
Region Name	Optional	The AWS region name.	US West (N. California)
Role Arn	Optional	The Amazon Resource Name (ARN) of the role to assume. If not specified, the value of the connection parameter Default Role ARN will be used. Please ensure that the assumed role has the necessary permissions to execute the relevant commands. Additionally, the assumed role must be trusted by the account used for connection. For more information, please refer to Editing the trust relationship for an existing role - AWS Directory Service.	arn:aws:iam::*****:role/d3guarddutyrole
Role Session Name	Optional	The identifier for the assumed role session. Use the role session name to uniquely identify a session, especially when the same role is assumed by different principals or for different purposes. The role session name should consist of upper- and lower-case alphanumeric characters with no spaces. Additionally, you can include underscores or any of the following characters: =,.@-. If this parameter is not specified but the Role ARN parameter is, the D3 system will automatically generate a role session name for you.	d3guarddutyrole_Session1
Session Duration Time	Optional	The duration of the role assumption session in seconds. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role, which is 1 hour by default. If this parameter is not specified but the Role ARN parameter is, then the default value of 3600 seconds will be used.	1800

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration
The API returned an error message
No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE

Successful

Raw Data

The primary response data from the API request.

D3 customizes the returned raw data by adding "findingIDs" and "actionResult" fields to indicate which finding has been deleted and the result of the command.

SAMPLE DATA

JSON

[
    {
        "findingIDs": "36b*****689",
        "actionResult": "Archived  the finding successfully"
    }
]

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

findingIDs	actionResult
36b*****689	Archived the finding successfully

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Archive Findings failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the AWS GuardDuty portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: The request is rejected because the parameter detectorId has an invalid value.

Error Sample Data

Archive Findings failed.

Status Code: 400.

Message: The request is rejected because the parameter detectorId has an invalid value..

Create Detector

Creates a single Amazon GuardDuty detector. A detector is a resource that represents the GuardDuty service. To start using GuardDuty, you must create a detector in each Region where you enable the service. You can have only one detector per account per Region. All data sources are enabled in a new detector by default.

Input

Input Parameter	Required/Optional	Description	Example
Enable	Required	The boolean value that specifies whether the detector is to be enabled.	True
Region Name	Optional	The AWS region name.	US West (N. California)
Role Arn	Optional	The Amazon Resource Name (ARN) of the role to assume. If not specified, the value of the connection parameter Default Role ARN will be used. Please ensure that the assumed role has the necessary permissions to execute the relevant commands. Additionally, the assumed role must be trusted by the account used for connection. For more information, please refer to Editing the trust relationship for an existing role - AWS Directory Service.	arn:aws:iam::*****:role/d3guarddutyrole
Role Session Name	Optional	The identifier for the assumed role session. Use the role session name to uniquely identify a session, especially when the same role is assumed by different principals or for different purposes. The role session name should consist of upper- and lower-case alphanumeric characters with no spaces. Additionally, you can include underscores or any of the following characters: =,.@-. If this parameter is not specified but the Role ARN parameter is, the D3 system will automatically generate a role session name for you.	d3guarddutyrole_Session1
Session Duration Time	Optional	The duration of the role assumption session in seconds. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role, which is 1 hour by default. If this parameter is not specified but the Role ARN parameter is, then the default value of 3600 seconds will be used.	1800

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration
The API returned an error message
No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE

Successful

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON

{
    "detectorId": "1ab*****f4f"
}

Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE

{
  "DetectorID": ["1ab*****f4f"]
}

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

detectorId

1ab*****f4f

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Create Detector failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the AWS GuardDuty portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: The request is rejected because a detector already exists for the current account.

Error Sample Data

Create Detector failed.

Status Code: 400.

Message: The request is rejected because a detector already exists for the current account.

Create IPSet

Creates a new IPSet, which is called a trusted IP list in the console user interface. An IPSet is a list of IP addresses that are trusted for secure communication with AWS infrastructure and applications. GuardDuty doesn't generate findings for IP addresses that are included in IPSets. Only users from the administrator account can use this operation.

READER NOTE

Detector ID is a required parameter to run this command.

Run the List Detectors command to obtain detector IDs. The detector IDs can be found in the returned raw data at the path $.detectorIds[*].

Input

Input Parameter	Required/Optional	Description	Example
Detector ID	Required	The ID of the detector is specified to create a new IPSet within the GuardDuty service. Detector ID can be obtained using the List Detectors command.	62b*****d6b
Activate	Required	The boolean value indicates whether GuardDuty should begin using the uploaded IPSet.	True
Format	Required	The format of the file that contains the IPSet.	Plain Text
IPSet File Location	Required	The URI of the file contains the IPSet, which can be stored in an AWS S3 bucket. The format should resemble "https://{bucket-name}.s3.{region-name}.amazonaws.com/{filename.txt}" or "https://s3.{region-name}.amazonaws.com/{bucket-name}/{filename.txt}".	https://.us-west-1.amazonaws.com//****.txt
Name	Optional	The user-friendly name to identify the IPSet.	"ip******0a"
Region Name	Optional	The AWS region name.	US West (N. California)
Role Arn	Optional	The Amazon Resource Name (ARN) of the role to assume. If not specified, the value of the connection parameter Default Role ARN will be used. Please ensure that the assumed role has the necessary permissions to execute the relevant commands. Additionally, the assumed role must be trusted by the account used for connection. For more information, please refer to Editing the trust relationship for an existing role - AWS Directory Service.	arn:aws:iam::*****:role/d3guarddutyrole
Role Session Name	Optional	The identifier for the assumed role session. Use the role session name to uniquely identify a session, especially when the same role is assumed by different principals or for different purposes. The role session name should consist of upper- and lower-case alphanumeric characters with no spaces. Additionally, you can include underscores or any of the following characters: =,.@-. If this parameter is not specified but the Role ARN parameter is, the D3 system will automatically generate a role session name for you.	d3guarddutyrole_Session1
Session Duration Time	Optional	The duration of the role assumption session in seconds. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role, which is 1 hour by default. If this parameter is not specified but the Role ARN parameter is, then the default value of 3600 seconds will be used.	1800

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration
The API returned an error message
No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE

Successful

Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE

{
    "ipSetId": "6cb*****177"
}

Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE

{
    "IPSetID": [
        "6cb*****177"
    ]
}

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

ipSetId

6cb*****177

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Create IPSet failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the AWS GuardDuty portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: The request is rejected because the parameter detectorId has an invalid value.

Error Sample Data

Create IPSet failed.

Status Code: 400.

Message: The request is rejected because the parameter detectorId has an invalid value

Create Sample Findings

Generates example findings of types specified by the list of finding types. If a Finding Type is not specified, then example findings of all supported finding types will be generated.

READER NOTE

Detector ID is a required parameter to run this command.

Run the List Detectors command to obtain the Detector ID. Detector IDs can be found in the returned raw data at the path $.detectorIds[*].

Input

Input Parameter	Required/Optional	Description	Example
Detector ID	Required	The ID of the detector that specifies the GuardDuty service in which sample findings will be created. Detector ID can be obtained using the List Detectors command.	62b*****d6b
Finding Types	Optional	The types of sample findings to generate. If not specified, then the system will create one sample finding for each supported finding type. Please refer to Finding types - Amazon GuardDuty for supported finding types.	[ "Backdoor:EC2/Spambot" ]
Region Name	Optional	The AWS region name.	US West (N. California)
Role Arn	Optional	The Amazon Resource Name (ARN) of the role to assume. If not specified, the value of the connection parameter Default Role ARN will be used. Please ensure that the assumed role has the necessary permissions to execute the relevant commands. Additionally, the assumed role must be trusted by the account used for connection. For more information, please refer to Editing the trust relationship for an existing role - AWS Directory Service.	arn:aws:iam::*****:role/d3guarddutyrole
Role Session Name	Optional	The identifier for the assumed role session. Use the role session name to uniquely identify a session, especially when the same role is assumed by different principals or for different purposes. The role session name should consist of upper- and lower-case alphanumeric characters with no spaces. Additionally, you can include underscores or any of the following characters: =,.@-. If this parameter is not specified but the Role ARN parameter is, the D3 system will automatically generate a role session name for you.	d3guarddutyrole_Session1
Session Duration Time	Optional	The duration of the role assumption session in seconds. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role, which is 1 hour by default. If this parameter is not specified but the Role ARN parameter is, then the default value of 3600 seconds will be used.	1800

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration
The API returned an error message
No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE

Successful

Raw Data

The primary response data from the API request.

D3 customizes the returned raw data by adding "actionResult" field to indicate result of the command.

SAMPLE DATA

CODE

{
    "actionResult": "Created the sample finding successfully"
}

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

actionResult

Created the sample finding successfully

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Create Sample Findings failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the AWS GuardDuty portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: The request is rejected because the parameter detectorId has an invalid value.

Error Sample Data

Create Sample Findings failed.

Status Code: 400.

Message: The request is rejected because the parameter detectorId has an invalid value.

Create ThreatIntelSet

Creates a new ThreatIntelSet. ThreatIntelSets consist of known malicious IP addresses. GuardDuty generates findings based on ThreatIntelSets. This operation is only available to users of the administrator account.

READER NOTE

Detector ID is a required parameter to run this command.

Run the List Detectors command to obtain Detector IDs. Detector ID can be found in the returned raw data at the path $.detectorIds.

Input

Input Parameter	Required/Optional	Description	Example
Detector ID	Required	The ID of the detector specifying the GuardDuty service where the new ThreatIntelSet will be created. Detector ID can be obtained using the List Detectors command.	62b*****d6b
Activate	Required	The boolean value indicating whether GuardDuty should start using the uploaded ThreatIntelSet.	True
Format	Required	The format of the file that contains the ThreatIntelSet.	Plain Text
ThreatIntelSet File Location	Required	The URI of the file containing the ThreatIntelSet. This file can be saved in an AWS S3 bucket. The format should be like "https://{bucket-name}.s3.{region-name}.amazonaws.com/{filename.txt}" or "https://s3.{region-name}.amazonaws.com/{bucket-name}/{filename.txt}".	https://***..us-west-1.amazonaws.com/thr******t01.txt
Name	Required	The user-friendly name of the ThreatIntelSet is displayed in all findings generated by activity involving IP addresses included in this ThreatIntelSet.	threatIntelSet0210A
Region Name	Optional	The AWS region name.	US West (N. California)
Role Arn	Optional	The Amazon Resource Name (ARN) of the role to assume. If not specified, the value of the connection parameter Default Role ARN will be used. Please ensure that the assumed role has the necessary permissions to execute the relevant commands. Additionally, the assumed role must be trusted by the account used for connection. For more information, please refer to Editing the trust relationship for an existing role - AWS Directory Service.	arn:aws:iam::*****:role/d3guarddutyrole
Role Session Name	Optional	The identifier for the assumed role session. Use the role session name to uniquely identify a session, especially when the same role is assumed by different principals or for different purposes. The role session name should consist of upper- and lower-case alphanumeric characters with no spaces. Additionally, you can include underscores or any of the following characters: =,.@-. If this parameter is not specified but the Role ARN parameter is, the D3 system will automatically generate a role session name for you.	d3guarddutyrole_Session1
Session Duration Time	Optional	The duration of the role assumption session in seconds. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role, which is 1 hour by default. If this parameter is not specified but the Role ARN parameter is, then the default value of 3600 seconds will be used.	1800

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration
The API returned an error message
No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE

Successful

Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE

{
    "threatIntelSetId": "82b*****e0b"
}

Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE

{
    "ThreatIntelSetID": [
        "82b*****e0b"
    ]
}

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

threatIntelSetId

82b*****e0b

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Create ThreatIntelSet failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the AWS GuardDuty portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: The request is rejected because the parameter detectorId has an invalid value.

Error Sample Data

Create ThreatIntelSet failed.

Status Code: 400.

Message: The request is rejected because the parameter detectorId has an invalid value.

Delete Detector

Deletes the specified Amazon GuardDuty detectors.

READER NOTE

The parameter Detector IDs is required to run this command.

Run the List Detectors command to obtain Detector IDs. Detector IDs can be found in the returned raw data at the path $.detectorIds.

Input

Input Parameter	Required/Optional	Description	Example
Detector IDs	Required	The unique IDs of the detectors to be deleted. Detector ID can be obtained using the List Detectors command.	[ "1ab*****f4f" ]
Region Name	Optional	The AWS region name.	US West (N. California)
Role Arn	Optional	The Amazon Resource Name (ARN) of the role to assume. If not specified, the value of the connection parameter Default Role ARN will be used. Please ensure that the assumed role has the necessary permissions to execute the relevant commands. Additionally, the assumed role must be trusted by the account used for connection. For more information, please refer to Editing the trust relationship for an existing role - AWS Directory Service.	arn:aws:iam::*****:role/d3guarddutyrole
Role Session Name	Optional	The identifier for the assumed role session. Use the role session name to uniquely identify a session, especially when the same role is assumed by different principals or for different purposes. The role session name should consist of upper- and lower-case alphanumeric characters with no spaces. Additionally, you can include underscores or any of the following characters: =,.@-. If this parameter is not specified but the Role ARN parameter is, the D3 system will automatically generate a role session name for you.	d3guarddutyrole_Session1
Session Duration Time	Optional	The duration of the role assumption session in seconds. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role, which is 1 hour by default. If this parameter is not specified but the Role ARN parameter is, then the default value of 3600 seconds will be used.	1800

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration
The API returned an error message
No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE

Successful

Raw Data

The primary response data from the API request.

D3 customizes the returned raw data by adding "detectorID" and "actionResult" fields to indicate which detector has been deleted and the result of the command.

SAMPLE DATA

CODE

[
    {
        "detectorID": "1ab*****f4f",
        "actionResult": "Deleted the detector successfully"
    }
]

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

detectorID	actionResult
1ab*****f4f	Deleted the detector successfully

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Delete Detector failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the AWS GuardDuty portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: The request is rejected because the parameter detectorId has an invalid value.

Error Sample Data

Delete Detector failed.

Status Code: 400.

Message: The request is rejected because the parameter detectorId has an invalid value.

Delete IPSet

Deletes the IPSets specified by the IDs.

READER NOTE

Detector ID and IPSet IDs are required parameters to run this command.

Run the List Detectors command to obtain the Detector ID. Detector IDs can be found in the returned raw data at the path $.detectorIds.
Run the List IPSets command to obtain IPSet IDs. IPSet IDs can be found in the returned raw data at the path $.ipSetIds.

Input

Input Parameter	Required/Optional	Description	Example
Detector ID	Required	The ID of the detector specifying the GuardDuty service from which to delete an IPSet. Detector ID can be obtained using the List Detectors command.	62b*****d6b
IPSet IDs	Required	The unique IDs of the IPSets to delete. IPSet IDs can be obtained using the List IPSets command.	[ "850*****c04" ]
Region Name	Optional	The AWS region name.	US West (N. California)
Role Arn	Optional	The Amazon Resource Name (ARN) of the role to assume. If not specified, the value of the connection parameter Default Role ARN will be used. Please ensure that the assumed role has the necessary permissions to execute the relevant commands. Additionally, the assumed role must be trusted by the account used for connection. For more information, please refer to Editing the trust relationship for an existing role - AWS Directory Service.	arn:aws:iam::*****:role/d3guarddutyrole
Role Session Name	Optional	The identifier for the assumed role session. Use the role session name to uniquely identify a session, especially when the same role is assumed by different principals or for different purposes. The role session name should consist of upper- and lower-case alphanumeric characters with no spaces. Additionally, you can include underscores or any of the following characters: =,.@-. If this parameter is not specified but the Role ARN parameter is, the D3 system will automatically generate a role session name for you.	d3guarddutyrole_Session1
Session Duration Time	Optional	The duration of the role assumption session in seconds. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role, which is 1 hour by default. If this parameter is not specified but the Role ARN parameter is, then the default value of 3600 seconds will be used.	1800

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration
The API returned an error message
No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE

Successful

Raw Data

The primary response data from the API request.

D3 customizes the returned raw data by adding "IPSetID" and "actionResult" fields to indicate which IPSet has been deleted and the result of the command.

SAMPLE DATA

CODE

[
    {
        "IPSetID": "850*****c04",
        "actionResult": "Deleted the IPSet succesfully"
    }
]

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

IPSetID	actionResult
850*****c04	Deleted the IPSet succesfully

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Delete IPSet failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the AWS GuardDuty portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: The request is rejected because the parameter detectorId has an invalid value.

Error Sample Data

Delete IPSet failed.

Status Code: 400.

Message: The request is rejected because the parameter detectorId has an invalid value.

Delete ThreatIntelSet

Deletes the ThreatIntelSet specified by the ThreatIntelSet IDs.

READER NOTE

Detector ID and Threat Intel Set IDs are required parameters to run this command.

Run the List Detectors command to obtain the Detector ID. Detector IDs can be found in the returned raw data at the path $.detectorIds..
Run the List ThreatIntelSets command to obtain Threat Intel Sets IDs. Threat Intel Sets IDs can be found in the returned raw data at the path $.threatIntelSetIds.

Input

Input Parameter	Required/Optional	Description	Example
Detector ID	Required	The unique ID of the detector that the ThreatIntelSet is associated with. Detector ID can be obtained using the List Detectors command.	62b*****d6b
ThreatIntelSet IDs	Required	The unique IDs of the ThreatIntelSets to be deleted. ThreatIntelSet IDs can be obtained using the List ThreatIntelSets command.	[ "5eb*****f09" ]
Region Name	Optional	The AWS region name.	US West (N. California)
Role Arn	Optional	The Amazon Resource Name (ARN) of the role to assume. If not specified, the value of the connection parameter Default Role ARN will be used. Please ensure that the assumed role has the necessary permissions to execute the relevant commands. Additionally, the assumed role must be trusted by the account used for connection. For more information, please refer to Editing the trust relationship for an existing role - AWS Directory Service.	arn:aws:iam::*****:role/d3guarddutyrole
Role Session Name	Optional	The identifier for the assumed role session. Use the role session name to uniquely identify a session, especially when the same role is assumed by different principals or for different purposes. The role session name should consist of upper- and lower-case alphanumeric characters with no spaces. Additionally, you can include underscores or any of the following characters: =,.@-. If this parameter is not specified but the Role ARN parameter is, the D3 system will automatically generate a role session name for you.	d3guarddutyrole_Session1
Session Duration Time	Optional	The duration of the role assumption session in seconds. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role, which is 1 hour by default. If this parameter is not specified but the Role ARN parameter is, then the default value of 3600 seconds will be used.	1800

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration
The API returned an error message
No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE

Successful

Raw Data

The primary response data from the API request.

D3 customizes the returned raw data by adding "threatIntelSetID" and "actionResult" fields to indicate which threatset has been deleted and the result of the command.

SAMPLE DATA

CODE

[
    {
        "threatIntelSetID": "5eb*****f09",
        "actionResult": "Deleted the ThreatIntelSet successfully"
    }
]

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

threatIntelSetID	actionResult
5eb*****f09	Deleted the ThreatIntelSet successfully

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Delete ThreatIntelSet failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the AWS GuardDuty portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: The request is rejected because the parameter detectorId has an invalid value.

Error Sample Data

Delete ThreatIntelSet failed.

Status Code: 400.

Message: The request is rejected because the parameter detectorId has an invalid value.

Fetch Event

Returns detailed information of Amazon GuardDuty findings is returned for the specified detector ID. Return results can be narrowed down using search conditions.

READER NOTE

Detector ID is a required parameter to run this command.

Run the List Detectors command to obtain Detector ID. Detector IDs can be found in the returned raw data at the path $.detectorIds.

Input

Input Parameter	Required/Optional	Description	Example
Start Time	Required	The start time for the time range to fetch detectors in UTC time.	2022-01-01 00:00
End Time	Required	The end time for the time range to fetch detectors in UTC time.	2022-02-01 00:00
Number of Event(s) Fetched	Optional	The maximum number of findings to return. The valid value is an integer between 1 and 50.	10
Detector ID	Required	The ID of the detector to be fetched. Detector ID can be obtained using the List Detectors command.	62b*****d6b
Search Condition	Optional	The criteria used for querying findings. Please refer to Request Syntax for query syntax. It's recommended to use D3 sample data as a base for building the query string. Obtain properties for query from the data structure of Findings. Avoid using the updatedAt property in the search condition because its value is handled by the Start Time and End Time parameter. Note: the search condition is case-sensitive.	"resource.instanceDetails.networkInterfaces.publicIp": { "eq": ["*...*"] }
Region Name	Optional	The AWS region name.	US West (N. California)
Role Arn	Optional	The Amazon Resource Name (ARN) of the role to assume. If not specified, the value of the connection parameter Default Role ARN will be used. Please ensure that the assumed role has the necessary permissions to execute the relevant commands. Additionally, the assumed role must be trusted by the account used for connection. For more information, please refer to Editing the trust relationship for an existing role - AWS Directory Service.	arn:aws:iam::*****:role/d3guarddutyrole
Role Session Name	Optional	The identifier for the assumed role session. Use the role session name to uniquely identify a session, especially when the same role is assumed by different principals or for different purposes. The role session name should consist of upper- and lower-case alphanumeric characters with no spaces. Additionally, you can include underscores or any of the following characters: =,.@-. If this parameter is not specified but the Role ARN parameter is, the D3 system will automatically generate a role session name for you.	d3guarddutyrole_Session1
Session Duration Time	Optional	The duration of the role assumption session in seconds. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role, which is 1 hour by default. If this parameter is not specified but the Role ARN parameter is, then the default value of 3600 seconds will be used.	1800

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration
The API returned an error message
No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE

Successful

Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE

{
    "findings": [
        {
            "schemaVersion": "2.0",
            "accountId": "*****",
            "region": "us-west-1",
            "partition": "aws",
            "id": "beb*****6c2",
            "arn": "arn:aws:guardduty:us-west-1:*****:detector/62b*****d6b/finding/beb*****6c2",
            "type": "Discovery:IAMUser/AnomalousBehavior",
            "resource": {
                "resourceType": "AccessKey",
                "accessKeyDetails": {
                    "accessKeyId": "*****",
                    "principalId": "*****",
                    "userType": "IAMUser",
                    "userName": "j***"
                }
            },
            "service": {
                "serviceName": "guardduty",
                "detectorId": "62b*****d6b",
                "action": {
                    "actionType": "AWS_API_CALL",
                    "awsApiCallAction": {
                        "api": "DescribeAccountAttributes",
                        "serviceName": "ec2.amazonaws.com",
                        "callerType": "Remote IP",
                        "remoteIpDetails": {
                            "ipAddressV4": "***.***.***.***",
                            "organization": {
                                "asn": "*****",
                                "asnOrg": "CIKTELECOM-CABLE",
                                "isp": "CIK Telecom",
                                "org": "CIK Telecom"
                            },
                            "country": {
                                "countryName": "Canada"
                            },
                            "city": {
                                "cityName": "Burnaby"
                            },
                            "geoLocation": {
                                "lat": 49.2292,
                                "lon": -122.9932
                            }
                        },
                        "affectedResources": {}
                    }
                },
                "resourceRole": "TARGET",
                "additionalInfo": {
                    "userAgent": {
                        "fullUserAgent": "console.ec2.amazonaws.com",
                        "userAgentCategory": "AwsSignin"
                    },
                    "anomalies": {
                        "anomalousAPIs": "ec2.amazonaws.com:[DescribeAccountAttributes:success , DescribeInstanceStatus:success , DescribeAddresses:success , DescribeInstances:success , DescribeInstanceTypes:success , DescribeTags:success] , monitoring.amazonaws.com:[DescribeAlarms:success] , signin.amazonaws.com:[ConsoleLogin:success]"
                    },
                    "profiledBehavior": {
                        "rareProfiledAPIsAccountProfiling": "",
                        "infrequentProfiledAPIsAccountProfiling": "DescribeAccountAttributes",
                        "frequentProfiledAPIsAccountProfiling": "DescribeImages , ListTopics , DescribeScalingActivities , ListRoles , GetAccountSummary , DescribeSubnets , DescribeVolumes , DescribeAddresses , ListGroups , DescribeLaunchConfigurations , GetResources , DescribeClusterSubnetGroups , ListClusters , DescribeEventSubscriptions , DescribeVpcClassicLink , ListStateMachines , DescribeVpcs , DescribeFlowLogs , DescribeTrails",
                        "rareProfiledAPIsUserIdentityProfiling": "",
                        "infrequentProfiledAPIsUserIdentityProfiling": "DescribeAccountAttributes",
                        "frequentProfiledAPIsUserIdentityProfiling": "ConsoleLogin , ListRoles , ListBuckets , ListClusters , ListUpdates , DescribeAddonVersions , AccessKubernetesApi , DescribeCluster , ListIdentityProviderConfigs , GetParameter , DescribeUpdate , ListAddons , ListNodegroups , DescribeNodegroup , ListFargateProfiles , GetAccountSummary , ListAccountAliases , GetBucketLocation , ListAccessKeys",
                        "rareProfiledUserTypesAccountProfiling": "",
                        "infrequentProfiledUserTypesAccountProfiling": "ROOT",
                        "frequentProfiledUserTypesAccountProfiling": "IAM_USER , ASSUMED_ROLE",
                        "rareProfiledUserNamesAccountProfiling": "Eddie , AWS********GuardDuty , NetworkSecurityRole",
                        "infrequentProfiledUserNamesAccountProfiling": "j**** , Root , HIDDEN_DUE_TO_SECURITY_REASONS",
                        "frequentProfiledUserNamesAccountProfiling": "j*** , AWSServiceRoleForAutoScaling , AWSServiceRoleForSecurityHub , eksctl-d3-kube-cluster-cluster-ServiceRole-CDV5TWJGR3CG , AWSServiceRoleForAmazonEKSNodegroup , AmazonSSMRoleForAutomationAssumeQuickSetup , rapid7Insightvm , AWSServiceRoleForAmazonEKS , datadog_demo_IAM , AWSServiceRoleForAccessAnalyzer , AWSServiceRoleForConfig , DatadogAWSIntegrationRole , dev",
                        "rareProfiledASNsAccountProfiling": "asnNumber: *****asnOrg: MICROSOFT-CORP-MSN-AS-BLOCK asnNumber: ***** asnOrg: SHAW",
                        "infrequentProfiledASNsAccountProfiling": "",
                        "frequentProfiledASNsAccountProfiling": "asnNumber: *****asnOrg: AMAZON-AES asnNumber: *****asnOrg: AMAZON-02 asnNumber: ***** asnOrg: *****",
                        "rareProfiledASNsUserIdentityProfiling": "asnNumber: *****asnOrg: MICROSOFT-CORP-MSN-AS-BLOCK asnNumber: *****asnOrg: AMAZON-AES asnNumber: ***** asnOrg: SHAW",
                        "infrequentProfiledASNsUserIdentityProfiling": "",
                        "frequentProfiledASNsUserIdentityProfiling": "asnNumber: ***** asnOrg: *****",
                        "rareProfiledUserAgentsAccountProfiling": "",
                        "infrequentProfiledUserAgentsAccountProfiling": "aws-cli",
                        "frequentProfiledUserAgentsAccountProfiling": "AWS Service , OTHER , aws-sdk-go , aws-sdk-java , AWS Internal , aws-internal/3 , browser , AwsSignin , Botocore , aws-sdk-dotnet-core",
                        "rareProfiledUserAgentsUserIdentityProfiling": "AWS Internal , OTHER , AWS Service",
                        "infrequentProfiledUserAgentsUserIdentityProfiling": "aws-cli",
                        "frequentProfiledUserAgentsUserIdentityProfiling": "aws-internal/3 , browser , AwsSignin , Botocore , aws-sdk-dotnet-core"
                    },
                    "unusualBehavior": {
                        "unusualAPIsAccountProfiling": "",
                        "unusualAPIsUserIdentityProfiling": "",
                        "unusualUserTypesAccountProfiling": "",
                        "unusualUserNamesAccountProfiling": "",
                        "unusualASNsAccountProfiling": "asnNumber: ***** asnOrg: CIKTELECOM-CABLE",
                        "unusualASNsUserIdentityProfiling": "asnNumber: ***** asnOrg: CIKTELECOM-CABLE",
                        "unusualUserAgentsAccountProfiling": "",
                        "unusualUserAgentsUserIdentityProfiling": "",
                        "isUnusualUserIdentity": "false"
                    }
                },
                "eventFirstSeen": "2022-01-07T05:36:19.000Z",
                "eventLastSeen": "2022-01-07T05:36:20.000Z",
                "archived": false,
                "count": 1
            },
            "severity": 2,
            "createdAt": "2022-01-07T05:46:45.882Z",
            "updatedAt": "2022-01-07T05:46:45.882Z",
            "findingTypeVersion": {
                "present": false
            },
            "title": "User IAMUser : j*** is anomalously invoking APIs commonly used in Discovery tactics.",
            "description": "APIs commonly used in Discovery tactics were invoked by user IAMUser : j***, under anomalous circumstances. Such activity is not typically seen from this user."
        }
    ]
}

Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

D3 customizes the returned context data by extracting $.findings in API returned JSON.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE

[
    {
        "schemaVersion": "2.0",
        "accountId": "*****",
        "region": "us-west-1",
        "partition": "aws",
        "id": "beb*****6c2",
        "arn": "arn:aws:guardduty:us-west-1:*****:detector/62b*****d6b/finding/beb*****6c2",
        "type": "Discovery:IAMUser/AnomalousBehavior",
        "resource": {
            "resourceType": "AccessKey",
            "accessKeyDetails": {
                "accessKeyId": "*****",
                "principalId": "*****",
                "userType": "IAMUser",
                "userName": "j***"
            }
        },
        "service": {
            "serviceName": "guardduty",
            "detectorId": "62b*****d6b",
            "action": {
                "actionType": "AWS_API_CALL",
                "awsApiCallAction": {
                    "api": "DescribeAccountAttributes",
                    "serviceName": "ec2.amazonaws.com",
                    "callerType": "Remote IP",
                    "remoteIpDetails": {
                        "ipAddressV4": "***.***.***.***",
                        "organization": {
                            "asn": "*****",
                            "asnOrg": "CIKTELECOM-CABLE",
                            "isp": "CIK Telecom",
                            "org": "CIK Telecom"
                        },
                        "country": {
                            "countryName": "Canada"
                        },
                        "city": {
                            "cityName": "Burnaby"
                        },
                        "geoLocation": {
                            "lat": 49.2292,
                            "lon": -122.9932
                        }
                    },
                    "affectedResources": {}
                }
            },
            "resourceRole": "TARGET",
            "additionalInfo": {
                "userAgent": {
                    "fullUserAgent": "console.ec2.amazonaws.com",
                    "userAgentCategory": "AwsSignin"
                },
                "anomalies": {
                    "anomalousAPIs": "ec2.amazonaws.com:[DescribeAccountAttributes:success , DescribeInstanceStatus:success , DescribeAddresses:success , DescribeInstances:success , DescribeInstanceTypes:success , DescribeTags:success] , monitoring.amazonaws.com:[DescribeAlarms:success] , signin.amazonaws.com:[ConsoleLogin:success]"
                },
                "profiledBehavior": {
                    "rareProfiledAPIsAccountProfiling": "",
                    "infrequentProfiledAPIsAccountProfiling": "DescribeAccountAttributes",
                    "frequentProfiledAPIsAccountProfiling": "DescribeImages , ListTopics , DescribeScalingActivities , ListRoles , GetAccountSummary , DescribeSubnets , DescribeVolumes , DescribeAddresses , ListGroups , DescribeLaunchConfigurations , GetResources , DescribeClusterSubnetGroups , ListClusters , DescribeEventSubscriptions , DescribeVpcClassicLink , ListStateMachines , DescribeVpcs , DescribeFlowLogs , DescribeTrails",
                    "rareProfiledAPIsUserIdentityProfiling": "",
                    "infrequentProfiledAPIsUserIdentityProfiling": "DescribeAccountAttributes",
                    "frequentProfiledAPIsUserIdentityProfiling": "ConsoleLogin , ListRoles , ListBuckets , ListClusters , ListUpdates , DescribeAddonVersions , AccessKubernetesApi , DescribeCluster , ListIdentityProviderConfigs , GetParameter , DescribeUpdate , ListAddons , ListNodegroups , DescribeNodegroup , ListFargateProfiles , GetAccountSummary , ListAccountAliases , GetBucketLocation , ListAccessKeys",
                    "rareProfiledUserTypesAccountProfiling": "",
                    "infrequentProfiledUserTypesAccountProfiling": "ROOT",
                    "frequentProfiledUserTypesAccountProfiling": "IAM_USER , ASSUMED_ROLE",
                    "rareProfiledUserNamesAccountProfiling": "Eddie , AWS********GuardDuty , NetworkSecurityRole",
                    "infrequentProfiledUserNamesAccountProfiling": "j**** , Root , HIDDEN_DUE_TO_SECURITY_REASONS",
                    "frequentProfiledUserNamesAccountProfiling": "j*** , AWSServiceRoleForAutoScaling , AWSServiceRoleForSecurityHub , eksctl-d3-kube-cluster-cluster-ServiceRole-CDV5TWJGR3CG , AWSServiceRoleForAmazonEKSNodegroup , AmazonSSMRoleForAutomationAssumeQuickSetup , rapid7Insightvm , AWSServiceRoleForAmazonEKS , datadog_demo_IAM , AWSServiceRoleForAccessAnalyzer , AWSServiceRoleForConfig , DatadogAWSIntegrationRole , dev",
                    "rareProfiledASNsAccountProfiling": "asnNumber: *****asnOrg: MICROSOFT-CORP-MSN-AS-BLOCK asnNumber: ***** asnOrg: SHAW",
                    "infrequentProfiledASNsAccountProfiling": "",
                    "frequentProfiledASNsAccountProfiling": "asnNumber: *****asnOrg: AMAZON-AES asnNumber: *****asnOrg: AMAZON-02 asnNumber: ***** asnOrg: *****",
                    "rareProfiledASNsUserIdentityProfiling": "asnNumber: *****asnOrg: MICROSOFT-CORP-MSN-AS-BLOCK asnNumber: *****asnOrg: AMAZON-AES asnNumber: ***** asnOrg: SHAW",
                    "infrequentProfiledASNsUserIdentityProfiling": "",
                    "frequentProfiledASNsUserIdentityProfiling": "asnNumber: ***** asnOrg: *****",
                    "rareProfiledUserAgentsAccountProfiling": "",
                    "infrequentProfiledUserAgentsAccountProfiling": "aws-cli",
                    "frequentProfiledUserAgentsAccountProfiling": "AWS Service , OTHER , aws-sdk-go , aws-sdk-java , AWS Internal , aws-internal/3 , browser , AwsSignin , Botocore , aws-sdk-dotnet-core",
                    "rareProfiledUserAgentsUserIdentityProfiling": "AWS Internal , OTHER , AWS Service",
                    "infrequentProfiledUserAgentsUserIdentityProfiling": "aws-cli",
                    "frequentProfiledUserAgentsUserIdentityProfiling": "aws-internal/3 , browser , AwsSignin , Botocore , aws-sdk-dotnet-core"
                },
                "unusualBehavior": {
                    "unusualAPIsAccountProfiling": "",
                    "unusualAPIsUserIdentityProfiling": "",
                    "unusualUserTypesAccountProfiling": "",
                    "unusualUserNamesAccountProfiling": "",
                    "unusualASNsAccountProfiling": "asnNumber: ***** asnOrg: CIKTELECOM-CABLE",
                    "unusualASNsUserIdentityProfiling": "asnNumber: ***** asnOrg: CIKTELECOM-CABLE",
                    "unusualUserAgentsAccountProfiling": "",
                    "unusualUserAgentsUserIdentityProfiling": "",
                    "isUnusualUserIdentity": "false"
                }
            },
            "eventFirstSeen": "2022-01-07T05:36:19.000Z",
            "eventLastSeen": "2022-01-07T05:36:20.000Z",
            "archived": false,
            "count": 1
        },
        "severity": 2,
        "createdAt": "2022-01-07T05:46:45.882Z",
        "updatedAt": "2022-01-07T05:46:45.882Z",
        "findingTypeVersion": {
            "present": false
        },
        "title": "User IAMUser : j*** is anomalously invoking APIs commonly used in Discovery tactics.",
        "description": "APIs commonly used in Discovery tactics were invoked by user IAMUser : j***, under anomalous circumstances. Such activity is not typically seen from this user."
    }
]

Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE

{
    "FindingIDs": [
        "beb*****6c2"
    ]
}

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

schemaVersion	accountId	region	partition	id	arn	type	resource	service	severity	createdAt	updatedAt	findingTypeVersion	title	description
2.0	391501681688	us-west-1	aws	bebf19899e7d12693b8ea4f81b78d6c2	arn:aws:guardduty:us-west-1:391501681688:detector/62b761b6845bf20aa6e243a90c8a8d6b/finding/bebf19899e7d12693b8ea4f81b78d6c2	Discovery:IAMUser/AnomalousBehavior	{'resourceType': 'AccessKey', 'accessKeyDetails': {'accessKeyId': 'ASIAVWJ2RSQMMH7PVY5A', 'principalId': 'AIDAINWM4OJM7K74OIVZO', 'userType': 'IAMUser', 'userName': 'jhou'}}	{'serviceName': 'guardduty', 'detectorId': '62b761b6845bf20aa6e243a90c8a8d6b', 'action': {'actionType': 'AWS_API_CALL', 'awsApiCallAction': {'api': 'DescribeAccountAttributes', 'serviceName': 'http://ec2.amazonaws.com ', 'callerType': 'Remote IP', 'remoteIpDetails': {'ipAddressV4': '104.243.106.206', 'organization': {'asn': '54614', 'asnOrg': 'CIKTELECOM-CABLE', 'isp': 'CIK Telecom', 'org': 'CIK Telecom'}, 'country': {'countryName': 'Canada'}, 'city': {'cityName': 'Burnaby'}, 'geoLocation': {'lat': 49.2292, 'lon': -122.9932}}, 'affectedResources': {}}}, 'resourceRole': 'TARGET', 'additionalInfo': {'userAgent': {'fullUserAgent': 'console.ec2.amazonaws.com', 'userAgentCategory': 'AwsSignin'}, 'anomalies': {'anomalousAPIs': 'http://ec2.amazonaws.com :[DescribeAccountAttributes:success , DescribeInstanceStatus:success , DescribeAddresses:success , DescribeInstances:success , DescribeInstanceTypes:success , DescribeTags:success] , monitoring.amazonaws.com:[DescribeAlarms:success] , signin.amazonaws.com:[ConsoleLogin:success]'}, 'profiledBehavior': {'rareProfiledAPIsAccountProfiling': '', 'infrequentProfiledAPIsAccountProfiling': 'DescribeAccountAttributes', 'frequentProfiledAPIsAccountProfiling': 'DescribeImages , ListTopics , DescribeScalingActivities , ListRoles , GetAccountSummary , DescribeSubnets , DescribeVolumes , DescribeAddresses , ListGroups , DescribeLaunchConfigurations , GetResources , DescribeClusterSubnetGroups , ListClusters , DescribeEventSubscriptions , DescribeVpcClassicLink , ListStateMachines , DescribeVpcs , DescribeFlowLogs , DescribeTrails', 'rareProfiledAPIsUserIdentityProfiling': '', 'infrequentProfiledAPIsUserIdentityProfiling': 'DescribeAccountAttributes', 'frequentProfiledAPIsUserIdentityProfiling': 'ConsoleLogin , ListRoles , ListBuckets , ListClusters , ListUpdates , DescribeAddonVersions , AccessKubernetesApi , DescribeCluster , ListIdentityProviderConfigs , GetParameter , DescribeUpdate , ListAddons , ListNodegroups , DescribeNodegroup , ListFargateProfiles , GetAccountSummary , ListAccountAliases , GetBucketLocation , ListAccessKeys', 'rareProfiledUserTypesAccountProfiling': '', 'infrequentProfiledUserTypesAccountProfiling': 'ROOT', 'frequentProfiledUserTypesAccountProfiling': 'IAM_USER , ASSUMED_ROLE', 'rareProfiledUserNamesAccountProfiling': 'Eddie , AWSServiceRoleForAmazonGuardDuty , NetworkSecurityRole', 'infrequentProfiledUserNamesAccountProfiling': 'kdeng , Root , HIDDEN_DUE_TO_SECURITY_REASONS', 'frequentProfiledUserNamesAccountProfiling': 'jhou , AWSServiceRoleForAutoScaling , AWSServiceRoleForSecurityHub , eksctl-d3-kube-cluster-cluster-ServiceRole-CDV5TWJGR3CG , AWSServiceRoleForAmazonEKSNodegroup , AmazonSSMRoleForAutomationAssumeQuickSetup , rapid7Insightvm , AWSServiceRoleForAmazonEKS , datadog_demo_IAM , AWSServiceRoleForAccessAnalyzer , AWSServiceRoleForConfig , DatadogAWSIntegrationRole , dev', 'rareProfiledASNsAccountProfiling': 'asnNumber: 8075 asnOrg: MICROSOFT-CORP-MSN-AS-BLOCK asnNumber: 6327 asnOrg: SHAW', 'infrequentProfiledASNsAccountProfiling': '', 'frequentProfiledASNsAccountProfiling': 'asnNumber: 14618 asnOrg: AMAZON-AES asnNumber: 16509 asnOrg: AMAZON-02 asnNumber: 14007 asnOrg: SOHOSKYWAY1', 'rareProfiledASNsUserIdentityProfiling': 'asnNumber: 8075 asnOrg: MICROSOFT-CORP-MSN-AS-BLOCK asnNumber: 14618 asnOrg: AMAZON-AES asnNumber: 6327 asnOrg: SHAW', 'infrequentProfiledASNsUserIdentityProfiling': '', 'frequentProfiledASNsUserIdentityProfiling': 'asnNumber: 14007 asnOrg: SOHOSKYWAY1', 'rareProfiledUserAgentsAccountProfiling': '', 'infrequentProfiledUserAgentsAccountProfiling': 'aws-cli', 'frequentProfiledUserAgentsAccountProfiling': 'AWS Service , OTHER , aws-sdk-go , aws-sdk-java , AWS Internal , aws-internal/3 , browser , AwsSignin , Botocore , aws-sdk-dotnet-core', 'rareProfiledUserAgentsUserIdentityProfiling': 'AWS Internal , OTHER , AWS Service', 'infrequentProfiledUserAgentsUserIdentityProfiling': 'aws-cli', 'frequentProfiledUserAgentsUserIdentityProfiling': 'aws-internal/3 , browser , AwsSignin , Botocore , aws-sdk-dotnet-core'}, 'unusualBehavior': {'unusualAPIsAccountProfiling': '', 'unusualAPIsUserIdentityProfiling': '', 'unusualUserTypesAccountProfiling': '', 'unusualUserNamesAccountProfiling': '', 'unusualASNsAccountProfiling': 'asnNumber: 54614 asnOrg: CIKTELECOM-CABLE', 'unusualASNsUserIdentityProfiling': 'asnNumber: 54614 asnOrg: CIKTELECOM-CABLE', 'unusualUserAgentsAccountProfiling': '', 'unusualUserAgentsUserIdentityProfiling': '', 'isUnusualUserIdentity': 'false'}}, 'eventFirstSeen': '2022-01-07T05:36:19.000Z', 'eventLastSeen': '2022-01-07T05:36:20.000Z', 'archived': False, 'count': 1}	2	2022-01-07T05:46:45.882Z	2022-01-07T05:46:45.882Z	{'present': False}	User IAMUser : jhou is anomalously invoking APIs commonly used in Discovery tactics.	APIs commonly used in Discovery tactics were invoked by user IAMUser : jhou, under anomalous circumstances. Such activity is not typically seen from this user.

Fetch Event Field Mapping

Please note that Fetch Event commands require event field mapping. Field mapping plays a key role in the data normalization process part of the event pipeline. Field mapping converts the original data fields from the different providers to the D3 fields which are standardized by the D3 Model. Please refer to Event and Incident Intake Field Mapping for details.

To customize field mapping, click + Add Field and add the custom field of your choice. You can also remove built-in field mappings by clicking x. Please note that two underscore characters will automatically prefix the defined Field Name as the System Name for a custom field mapping. Additionally, if an input Field Name contains any spaces, they will automatically be replaced with underscores for the corresponding System Name.

As a system integration, the AWS GuardDuty integration has some pre-configured field mappings for default field mapping.

Default Event Source The Default Event Source is the default set of field mappings that are applied when this fetch event command is executed. For out-of-the-box integrations, you will find a set of field mapping provided by the system. Default event source provides field mappings for common fields from fetched detectors. The default event source has a “Main Event JSON Path” (i.e., $.findings) that is used to extract a batch of events from the response raw data. Click Edit Main JSON Path to view the “Main Event JSON Path”.
- Main Event JSON Path: $.findings
  The Main Event JSON Path determines the root path where the system starts parsing raw response data into D3 event data. The JSON path begins with $, representing the root element. The path is formed by appending a sequence of child elements to $, each separated by a dot (.). Square brackets with nested quotation marks ([‘...’]) should be used to separate child elements in JSON arrays.
  For example, the root node of a JSON Path is findings. The child node denoting the Account ID field would be .['accountId', 'AccountId']. Putting it together, the JSON Path expression to extract the Account ID is $.findings.['accountId', 'AccountId'].

The pre-configured field mappings are detailed below:

Field Name	Source Field
Start Time	.['createdAt', 'CreatedAt']
Event Type	.['type', 'Type']
Severity	.['severity', 'Severity']
Description	.['description', 'Description']
Title	.['title', 'Title']
Username	.['resource', 'Resource']['accessKeyDetails', 'AccessKeyDetails']['userName', 'UserName']
User Type	.['resource', 'Resource']['accessKeyDetails', 'AccessKeyDetails']['userType', 'UserType']
Action Type	.['service','Service']['action', 'Action']['actionType', 'ActionType']
Resource Role	.['service', 'Service']['resourceRole', 'ResourceRole']
Aggregated / Correlated Event count	.['service', 'Service']['count', 'Count']
Event First Seen	.['service', 'Service']['eventFirstSeen', 'EventFirstSeen']
Event Last Seen	.['service', 'Service']['eventLastSeen', 'EventLastSeen']
Remote IP Address	.['service', 'Service']['action', 'Action']..['remoteIpDetails', 'RemoteIpDetails']['ipAddressV4', 'IpAddressV4']
Document ID	.['id','Id']
Resource Type	.['resource', 'Resource']['resourceType', 'ResourceType']
S3 Bucket Name	.['resource','Resource']['s3BucketDetails','S3BucketDetails'][*]['name','Name']
Instance ID	.['resource', 'Resource']['instanceDetails', 'InstanceDetails']['instanceId', 'InstanceId']
Updated At	.['updatedAt', 'UpdatedAt']
Account ID	.['accountId', 'AccountId']
Access Key ID	.['resource', 'Resource']['accessKeyDetails', 'AccessKeyDetails']['accessKeyId', 'AccessKeyId']

READER NOTE

The Unique Event Key field mapping is used to prevent duplicate event ingestions. D3 SOAR will check if the value of a selected JSON path matches any Unique Event Key of previously ingested events. If a match is found, the event will be dismissed. If no match is found, an event will be created. However, if no Unique Event Key is mapped, then the hash value from the event pending ingestion will be used to check for any matches with existing events. If no match is found, the event will be created.

Unlike most other D3 SOAR integrations, the AWS GuardDuty integration’s Fetch Event command’s Default Event Source mapping does not include Unique Event Key in order to fetch the same fetched detectors with multiple updates.

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Fetch Event failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the AWS GuardDuty portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: The request is rejected because the parameter detectorId has an invalid value.

Error Sample Data

Fetch Event failed.

Status Code: 400.

Message: The request is rejected because the parameter detectorId has an invalid value.

Fetch Incident

Returns detailed information of Amazon GuardDuty findings as incidents for the specified detector ID. Findings can be narrowed down using search conditions.

READER NOTE

Detector ID is a required parameter to run this command.

Run the List Detectors command to obtain the Detector ID. Detector IDs can be found in the returned raw data at the path $.detectorIds.

Input

Input Parameter	Required/Optional	Description	Example
Start Time	Required	The start time for the time range to fetch detectors as incidents in UTC time.	2023-06-09 00:00
End Time	Required	The end time for the time range to fetch detectors as incidents in UTC time.	2023-06-10 00:00
Number of Incident(s) Fetched	Optional	The maximum number of incidents to return. The valid value is an integer between 1 and 50. If not specified, all incidents matching search condition will be returned.	10
Detector ID	Required	The ID of the detector to fetch as incidents. Detector ID can be obtained using the List Detectors command.	08c*****0ef
Search Condition	Optional	The criteria used for querying findings. Please refer to ListFindings - Amazon GuardDuty for query syntax. It's recommended to use D3 sample data as a base for building the query string. Obtain properties for query from the data structure of Findings. Avoid using the updatedAt property in the search condition because its value is handled by the Start Time and End Time parameter. Note: the search condition is case-sensitive.	{ "severity": { "greaterThanOrEqual": 2 }, "resource.s3BucketDetails.name": { "eq": [ “mr*******mr" ] } }
Region Name	Optional	The AWS region name.	US West (N. California)
Role Arn	Optional	The Amazon Resource Name (ARN) of the role to assume. If not specified, the value of the connection parameter Default Role ARN will be used. Please ensure that the assumed role has the necessary permissions to execute the relevant commands. Additionally, the assumed role must be trusted by the account used for connection. For more information, please refer to Editing the trust relationship for an existing role - AWS Directory Service.	arn:aws:iam::*****:role/d3guarddutyrole
Role Session Name	Optional	The identifier for the assumed role session. Use the role session name to uniquely identify a session, especially when the same role is assumed by different principals or for different purposes. The role session name should consist of upper- and lower-case alphanumeric characters with no spaces. Additionally, you can include underscores or any of the following characters: =,.@-. If this parameter is not specified but the Role ARN parameter is, the D3 system will automatically generate a role session name for you.	d3guarddutyrole_Session1
Session Duration Time	Optional	The duration of the role assumption session in seconds. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role, which is 1 hour by default. If this parameter is not specified but the Role ARN parameter is, then the default value of 3600 seconds will be used.	1800
Update Field Mappings	Optional	The field mappings define the mapping between incident system fields or dynamic fields. Additionally, you can set the default value for the system field "owner". The D3 defined keys are "D3SystemFields" and "D3DefaultFields". The dynamic field structure will be "sectionName": {"fieldName": "JSON Path to the value"}. Please refer to the sample data for detailed fields and values.	{ "D3SystemFields": { "owner": "$.pathToAUsername", "Severity":"$.severityName", "Conclusion": "$.description" }, "D3DefaultFields": { "owner": "defaultOwner_A_Username_In_D3" }, "Dynamic Field Section Name": { "Field1": "$.path1", "Field2": "$.path2" } }

Output

Return Data

Indicates one of the possible command execution states: Successful, Successful with No Incident Data, or Failed.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration
The API returned an error message
No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE

Successful

Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE

{
    "findings": [
        {
            "schemaVersion": "2.0",
            "accountId": "*****",
            "region": "us-east-2",
            "partition": "aws",
            "id": "16c*****631",
            "arn": "arn:aws:guardduty:us-east-2:*****:detector/08c*****0ef/finding/16c*****631",
            "type": "Discovery:S3/AnomalousBehavior",
            "resource": {
                "resourceType": "S3Bucket",
                "accessKeyDetails": {
                    "accessKeyId": "*****",
                    "principalId": "*****",
                    "userType": "IAMUser",
                    "userName": "j***"
                },
                "s3BucketDetails": [
                    {
                        "name": "mr*******mr",
                        "type": "Destination"
                    }
                ]
            },
            "service": {
                "serviceName": "guardduty",
                "detectorId": "08c*****0ef",
                "action": {
                    "actionType": "AWS_API_CALL",
                    "awsApiCallAction": {
                        "api": "ListObjects",
                        "serviceName": "s3.amazonaws.com",
                        "callerType": "Remote IP",
                        "remoteIpDetails": {
                            "ipAddressV4": "***.***.***.***",
                            "organization": {
                                "asn": "*****",
                                "asnOrg": "*****",
                                "isp": "Skyway West",
                                "org": "Skyway West"
                            },
                            "country": {
                                "countryName": "Canada"
                            },
                            "city": {
                                "cityName": "Vancouver"
                            },
                            "geoLocation": {
                                "lat": 49.2884,
                                "lon": -123.1146
                            }
                        },
                        "affectedResources": {}
                    }
                },
                "resourceRole": "TARGET",
                "additionalInfo": {
                    "userAgent": {
                        "fullUserAgent": "[S3Console/0.4, aws-internal/3 aws-sdk-java/1.***.*** Linux/5.***.***-***.***.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.***-*** java/1.8.*** vendor/Oracle_Corporation cfg/retry-mode/standard]",
                        "userAgentCategory": "browser"
                    },
                    "authenticationMethod": "AuthHeader",
                    "anomalies": {
                        "anomalousAPIs": "s3.amazonaws.com:[ListObjects:success , ListObjectVersions:success]"
                    },
                    "profiledBehavior": {
                        "rareProfiledAPIsAccountProfiling": "",
                        "infrequentProfiledAPIsAccountProfiling": "",
                        "frequentProfiledAPIsAccountProfiling": "ListObjects , PutObject",
                        "rareProfiledAPIsUserIdentityProfiling": "ListObjects",
                        "infrequentProfiledAPIsUserIdentityProfiling": "",
                        "frequentProfiledAPIsUserIdentityProfiling": "PutObject",
                        "rareProfiledUserTypesAccountProfiling": "",
                        "infrequentProfiledUserTypesAccountProfiling": "",
                        "frequentProfiledUserTypesAccountProfiling": "IAMUser , AWSService , AssumedRole",
                        "rareProfiledUserNamesAccountProfiling": "",
                        "infrequentProfiledUserNamesAccountProfiling": "",
                        "frequentProfiledUserNamesAccountProfiling": "j*** , cloudtrail.amazonaws.com , config.amazonaws.com , DatadogAWSIntegrationRole",
                        "rareProfiledUserNamesBucketProfiling": "",
                        "infrequentProfiledUserNamesBucketProfiling": "",
                        "frequentProfiledUserNamesBucketProfiling": "",
                        "rareProfiledASNsAccountProfiling": "asnNumber: ***.***.***.*** asnOrg: TELUS Communications",
                        "infrequentProfiledASNsAccountProfiling": "",
                        "frequentProfiledASNsAccountProfiling": "asnNumber: *****asnOrg: Amazon.com, Inc. asnNumber: *****asnOrg: MICROSOFT-CORP-MSN-AS-BLOCK asnNumber: *****asnOrg: AMAZON-AES",
                        "rareProfiledASNsUserIdentityProfiling": "asnNumber: ***.***.***.*** asnOrg: TELUS Communications",
                        "infrequentProfiledASNsUserIdentityProfiling": "",
                        "frequentProfiledASNsUserIdentityProfiling": "asnNumber: *****asnOrg: MICROSOFT-CORP-MSN-AS-BLOCK",
                        "rareProfiledASNsBucketProfiling": "",
                        "infrequentProfiledASNsBucketProfiling": "",
                        "frequentProfiledASNsBucketProfiling": "",
                        "rareProfiledUserAgentsAccountProfiling": "browser",
                        "infrequentProfiledUserAgentsAccountProfiling": "",
                        "frequentProfiledUserAgentsAccountProfiling": "AWS Service , Botocore , OTHER",
                        "rareProfiledUserAgentsUserIdentityProfiling": "browser",
                        "infrequentProfiledUserAgentsUserIdentityProfiling": "",
                        "frequentProfiledUserAgentsUserIdentityProfiling": "Botocore",
                        "rareProfiledBucketsAccountProfiling": "cyberhelpguide.d3securityonline.net , aaaaabbbbcccc",
                        "infrequentProfiledBucketsAccountProfiling": "",
                        "frequentProfiledBucketsAccountProfiling": "d3dblog , config-bucket-***** , d3cyber-01 , d3cyber-02",
                        "rareProfiledBucketsUserIdentityProfiling": "cyberhelpguide.d3securityonline.net , aaaaabbbbcccc",
                        "infrequentProfiledBucketsUserIdentityProfiling": "",
                        "frequentProfiledBucketsUserIdentityProfiling": "d3dblog"
                    },
                    "unusualBehavior": {
                        "unusualAPIsAccountProfiling": "ListObjectVersions",
                        "unusualUserTypesAccountProfiling": "",
                        "unusualUserNamesAccountProfiling": "",
                        "unusualASNsAccountProfiling": "asnNumber: ***** asnOrg: *****",
                        "unusualUserAgentsAccountProfiling": "",
                        "unusualBucketsAccountProfiling": "mr*******mr",
                        "unusualAPIsUserIdentityProfiling": "ListObjectVersions",
                        "unusualUserNamesBucketProfiling": "",
                        "unusualASNsUserIdentityProfiling": "asnNumber: ***** asnOrg: *****",
                        "unusualASNsBucketProfiling": "",
                        "unusualUserAgentsUserIdentityProfiling": "",
                        "unusualBucketsUserIdentityProfiling": "mr*******mr",
                        "isUnusualUserIdentity": "false"
                    },
                    "value": "{\"userAgent\":{\"fullUserAgent\":\"[S3Console/0.4, aws-internal/3 aws-sdk-java/1.***.*** Linux/5.***.***-***.***.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.***-*** java/1.8.*** vendor/Oracle_Corporation cfg/retry-mode/standard]\",\"userAgentCategory\":\"browser\"},\"authenticationMethod\":\"AuthHeader\",\"anomalies\":{\"anomalousAPIs\":\"s3.amazonaws.com:[ListObjects:success , ListObjectVersions:success]\"},\"profiledBehavior\":{\"rareProfiledAPIsAccountProfiling\":\"\",\"infrequentProfiledAPIsAccountProfiling\":\"\",\"frequentProfiledAPIsAccountProfiling\":\"ListObjects , PutObject\",\"rareProfiledAPIsUserIdentityProfiling\":\"ListObjects\",\"infrequentProfiledAPIsUserIdentityProfiling\":\"\",\"frequentProfiledAPIsUserIdentityProfiling\":\"PutObject\",\"rareProfiledUserTypesAccountProfiling\":\"\",\"infrequentProfiledUserTypesAccountProfiling\":\"\",\"frequentProfiledUserTypesAccountProfiling\":\"IAMUser , AWSService , AssumedRole\",\"rareProfiledUserNamesAccountProfiling\":\"\",\"infrequentProfiledUserNamesAccountProfiling\":\"\",\"frequentProfiledUserNamesAccountProfiling\":\"j*** , cloudtrail.amazonaws.com , config.amazonaws.com , DatadogAWSIntegrationRole\",\"rareProfiledUserNamesBucketProfiling\":\"\",\"infrequentProfiledUserNamesBucketProfiling\":\"\",\"frequentProfiledUserNamesBucketProfiling\":\"\",\"rareProfiledASNsAccountProfiling\":\"asnNumber: ***.***.***.*** asnOrg: TELUS Communications\",\"infrequentProfiledASNsAccountProfiling\":\"\",\"frequentProfiledASNsAccountProfiling\":\"asnNumber: *****asnOrg: Amazon.com, Inc. asnNumber: *****asnOrg: MICROSOFT-CORP-MSN-AS-BLOCK asnNumber: *****asnOrg: AMAZON-AES\",\"rareProfiledASNsUserIdentityProfiling\":\"asnNumber: ***.***.***.*** asnOrg: TELUS Communications\",\"infrequentProfiledASNsUserIdentityProfiling\":\"\",\"frequentProfiledASNsUserIdentityProfiling\":\"asnNumber: *****asnOrg: MICROSOFT-CORP-MSN-AS-BLOCK\",\"rareProfiledASNsBucketProfiling\":\"\",\"infrequentProfiledASNsBucketProfiling\":\"\",\"frequentProfiledASNsBucketProfiling\":\"\",\"rareProfiledUserAgentsAccountProfiling\":\"browser\",\"infrequentProfiledUserAgentsAccountProfiling\":\"\",\"frequentProfiledUserAgentsAccountProfiling\":\"AWS Service , Botocore , OTHER\",\"rareProfiledUserAgentsUserIdentityProfiling\":\"browser\",\"infrequentProfiledUserAgentsUserIdentityProfiling\":\"\",\"frequentProfiledUserAgentsUserIdentityProfiling\":\"Botocore\",\"rareProfiledBucketsAccountProfiling\":\"cyberhelpguide.d3securityonline.net , aaaaabbbbcccc\",\"infrequentProfiledBucketsAccountProfiling\":\"\",\"frequentProfiledBucketsAccountProfiling\":\"d3dblog , config-bucket-***** , d3cyber-01 , d3cyber-02\",\"rareProfiledBucketsUserIdentityProfiling\":\"cyberhelpguide.d3securityonline.net , aaaaabbbbcccc\",\"infrequentProfiledBucketsUserIdentityProfiling\":\"\",\"frequentProfiledBucketsUserIdentityProfiling\":\"d3dblog\"},\"unusualBehavior\":{\"unusualAPIsAccountProfiling\":\"ListObjectVersions\",\"unusualUserTypesAccountProfiling\":\"\",\"unusualUserNamesAccountProfiling\":\"\",\"unusualASNsAccountProfiling\":\"asnNumber: ***** asnOrg: *****\",\"unusualUserAgentsAccountProfiling\":\"\",\"unusualBucketsAccountProfiling\":\"mr*******mr\",\"unusualAPIsUserIdentityProfiling\":\"ListObjectVersions\",\"unusualUserNamesBucketProfiling\":\"\",\"unusualASNsUserIdentityProfiling\":\"asnNumber: ***** asnOrg: *****\",\"unusualASNsBucketProfiling\":\"\",\"unusualUserAgentsUserIdentityProfiling\":\"\",\"unusualBucketsUserIdentityProfiling\":\"mr*******mr\",\"isUnusualUserIdentity\":\"false\"}}",
                    "type": "default"
                },
                "eventFirstSeen": "2023-06-09T20:58:09.000Z",
                "eventLastSeen": "2023-06-09T20:58:09.000Z",
                "archived": false,
                "count": 1
            },
            "severity": 2,
            "severityName": "Low",
            "createdAt": "2023-06-09T21:05:03.019Z",
            "updatedAt": "2023-06-09T21:05:03.019Z",
            "title": "An API commonly used to discover S3 objects was invoked in an anomalous way.",
            "description": "This finding informs you that an IAM entity has invoked an S3 API to discover S3 buckets in your environment, such as ListBuckets. This type of activity is associated with the discovery stage of an attack wherein an attacker is gathering information to determine if your AWS environment is susceptible to a broader attack. This activity is suspicious because the way the IAM entity invoked the API was unusual. For example, this IAM entity had no prior history of invoking this type of API, or the API was invoked from an unusual location."
        }
    ]
}

Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE

{
    "FindingIDs": [
        "16c*****631"
    ],
    "AccountIDs": [
        "*****"
    ],
        
    "ResourceTypes": [
        "S3Bucket"
    ]
}

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

findings

{'schemaVersion': '2.0', 'accountId': '*****', 'region': 'us-east-2', 'partition': 'aws', 'id': '16c*****631', 'arn': 'arn:aws:guardduty:us-east-2:*****:detector/08c*****0ef/finding/16c*****631', 'type': 'Discovery:S3/AnomalousBehavior', 'resource': {'resourceType': 'S3Bucket', 'accessKeyDetails': {'accessKeyId': '*****', 'principalId': '*****', 'userType': 'IAMUser', 'userName': 'j***'}, 's3BucketDetails': [{'name': 'mr*******mr', 'type': 'Destination'}]}, 'service': {'serviceName': 'guardduty', 'detectorId': '08c*****0ef', 'action': {'actionType': 'AWS_API_CALL', 'awsApiCallAction': {'api': 'ListObjects', 'serviceName': 'http://s3.amazonaws.com ', 'callerType': 'Remote IP', 'remoteIpDetails': {'ipAddressV4': '***.***.***.***', 'organization': {'asn': '*****', 'asnOrg': '*****', 'isp': 'Skyway West', 'org': 'Skyway West'}, 'country': {'countryName': 'Canada'}, 'city': {'cityName': 'Vancouver'}, 'geoLocation': {'lat': 49.2884, 'lon': -123.1146}}, 'affectedResources': {}}}, 'resourceRole': 'TARGET', 'additionalInfo': {'userAgent': {'fullUserAgent': '[S3Console/0.4, aws-internal/3 aws-sdk-java/1.***.*** Linux/5.***.***-***.***.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.***-*** java/1.8.*** vendor/Oracle_Corporation cfg/retry-mode/standard]', 'userAgentCategory': 'browser'}, 'authenticationMethod': 'AuthHeader', 'anomalies': {'anomalousAPIs': 'http://s3.amazonaws.com :[ListObjects:success , ListObjectVersions:success]'}, 'profiledBehavior': {'rareProfiledAPIsAccountProfiling': '', 'infrequentProfiledAPIsAccountProfiling': '', 'frequentProfiledAPIsAccountProfiling': 'ListObjects , PutObject', 'rareProfiledAPIsUserIdentityProfiling': 'ListObjects', 'infrequentProfiledAPIsUserIdentityProfiling': '', 'frequentProfiledAPIsUserIdentityProfiling': 'PutObject', 'rareProfiledUserTypesAccountProfiling': '', 'infrequentProfiledUserTypesAccountProfiling': '', 'frequentProfiledUserTypesAccountProfiling': 'IAMUser , AWSService , AssumedRole', 'rareProfiledUserNamesAccountProfiling': '', 'infrequentProfiledUserNamesAccountProfiling': '', 'frequentProfiledUserNamesAccountProfiling': 'j*** , cloudtrail.amazonaws.com , config.amazonaws.com , DatadogAWSIntegrationRole', 'rareProfiledUserNamesBucketProfiling': '', 'infrequentProfiledUserNamesBucketProfiling': '', 'frequentProfiledUserNamesBucketProfiling': '', 'rareProfiledASNsAccountProfiling': 'asnNumber: ***.***.***.*** asnOrg: TELUS Communications', 'infrequentProfiledASNsAccountProfiling': '', 'frequentProfiledASNsAccountProfiling': 'asnNumber: *****asnOrg: http://Amazon.com , Inc. asnNumber: *****asnOrg: MICROSOFT-CORP-MSN-AS-BLOCK asnNumber: *****asnOrg: AMAZON-AES', 'rareProfiledASNsUserIdentityProfiling': 'asnNumber: ***.***.***.*** asnOrg: TELUS Communications', 'infrequentProfiledASNsUserIdentityProfiling': '', 'frequentProfiledASNsUserIdentityProfiling': 'asnNumber: *****asnOrg: MICROSOFT-CORP-MSN-AS-BLOCK', 'rareProfiledASNsBucketProfiling': '', 'infrequentProfiledASNsBucketProfiling': '', 'frequentProfiledASNsBucketProfiling': '', 'rareProfiledUserAgentsAccountProfiling': 'browser', 'infrequentProfiledUserAgentsAccountProfiling': '', 'frequentProfiledUserAgentsAccountProfiling': 'AWS Service , Botocore , OTHER', 'rareProfiledUserAgentsUserIdentityProfiling': 'browser', 'infrequentProfiledUserAgentsUserIdentityProfiling': '', 'frequentProfiledUserAgentsUserIdentityProfiling': 'Botocore', 'rareProfiledBucketsAccountProfiling': 'cyberhelpguide.d3securityonline.net , aaaaabbbbcccc', 'infrequentProfiledBucketsAccountProfiling': '', 'frequentProfiledBucketsAccountProfiling': 'd3dblog , config-bucket-***** , d3cyber-01 , d3cyber-02', 'rareProfiledBucketsUserIdentityProfiling': 'cyberhelpguide.d3securityonline.net , aaaaabbbbcccc', 'infrequentProfiledBucketsUserIdentityProfiling': '', 'frequentProfiledBucketsUserIdentityProfiling': 'd3dblog'}, 'unusualBehavior': {'unusualAPIsAccountProfiling': 'ListObjectVersions', 'unusualUserTypesAccountProfiling': '', 'unusualUserNamesAccountProfiling': '', 'unusualASNsAccountProfiling': 'asnNumber: ***** asnOrg: *****', 'unusualUserAgentsAccountProfiling': '', 'unusualBucketsAccountProfiling': 'mr*******mr', 'unusualAPIsUserIdentityProfiling': 'ListObjectVersions', 'unusualUserNamesBucketProfiling': '', 'unusualASNsUserIdentityProfiling': 'asnNumber: ***** asnOrg: *****', 'unusualASNsBucketProfiling': '', 'unusualUserAgentsUserIdentityProfiling': '', 'unusualBucketsUserIdentityProfiling': 'mr*******mr', 'isUnusualUserIdentity': 'false'}, 'value': '{"userAgent":{"fullUserAgent":"[S3Console/0.4, aws-internal/3 aws-sdk-java/1.***.*** Linux/5.***.***-***.***.amzn2int.x86_64 OpenJDK_64-Bit_Server_VM/25.***-*** java/1.8.*** vendor/Oracle_Corporation cfg/retry-mode/standard]","userAgentCategory":"browser"},"authenticationMethod":"AuthHeader","anomalies":{"anomalousAPIs":"http://s3.amazonaws.com :[ListObjects:success , ListObjectVersions:success]"},"profiledBehavior":{"rareProfiledAPIsAccountProfiling":"","infrequentProfiledAPIsAccountProfiling":"","frequentProfiledAPIsAccountProfiling":"ListObjects , PutObject","rareProfiledAPIsUserIdentityProfiling":"ListObjects","infrequentProfiledAPIsUserIdentityProfiling":"","frequentProfiledAPIsUserIdentityProfiling":"PutObject","rareProfiledUserTypesAccountProfiling":"","infrequentProfiledUserTypesAccountProfiling":"","frequentProfiledUserTypesAccountProfiling":"IAMUser , AWSService , AssumedRole","rareProfiledUserNamesAccountProfiling":"","infrequentProfiledUserNamesAccountProfiling":"","frequentProfiledUserNamesAccountProfiling":"j*** , cloudtrail.amazonaws.com , config.amazonaws.com , DatadogAWSIntegrationRole","rareProfiledUserNamesBucketProfiling":"","infrequentProfiledUserNamesBucketProfiling":"","frequentProfiledUserNamesBucketProfiling":"","rareProfiledASNsAccountProfiling":"asnNumber: ***.***.***.*** asnOrg: TELUS Communications","infrequentProfiledASNsAccountProfiling":"","frequentProfiledASNsAccountProfiling":"asnNumber: *****asnOrg: http://Amazon.com , Inc. asnNumber: *****asnOrg: MICROSOFT-CORP-MSN-AS-BLOCK asnNumber: *****asnOrg: AMAZON-AES","rareProfiledASNsUserIdentityProfiling":"asnNumber: ***.***.***.*** asnOrg: TELUS Communications","infrequentProfiledASNsUserIdentityProfiling":"","frequentProfiledASNsUserIdentityProfiling":"asnNumber: *****asnOrg: MICROSOFT-CORP-MSN-AS-BLOCK","rareProfiledASNsBucketProfiling":"","infrequentProfiledASNsBucketProfiling":"","frequentProfiledASNsBucketProfiling":"","rareProfiledUserAgentsAccountProfiling":"browser","infrequentProfiledUserAgentsAccountProfiling":"","frequentProfiledUserAgentsAccountProfiling":"AWS Service , Botocore , OTHER","rareProfiledUserAgentsUserIdentityProfiling":"browser","infrequentProfiledUserAgentsUserIdentityProfiling":"","frequentProfiledUserAgentsUserIdentityProfiling":"Botocore","rareProfiledBucketsAccountProfiling":"cyberhelpguide.d3securityonline.net , aaaaabbbbcccc","infrequentProfiledBucketsAccountProfiling":"","frequentProfiledBucketsAccountProfiling":"d3dblog , config-bucket-***** , d3cyber-01 , d3cyber-02","rareProfiledBucketsUserIdentityProfiling":"cyberhelpguide.d3securityonline.net , aaaaabbbbcccc","infrequentProfiledBucketsUserIdentityProfiling":"","frequentProfiledBucketsUserIdentityProfiling":"d3dblog"},"unusualBehavior":{"unusualAPIsAccountProfiling":"ListObjectVersions","unusualUserTypesAccountProfiling":"","unusualUserNamesAccountProfiling":"","unusualASNsAccountProfiling":"asnNumber: ***** asnOrg: *****","unusualUserAgentsAccountProfiling":"","unusualBucketsAccountProfiling":"mr*******mr","unusualAPIsUserIdentityProfiling":"ListObjectVersions","unusualUserNamesBucketProfiling":"","unusualASNsUserIdentityProfiling":"asnNumber: ***** asnOrg: *****","unusualASNsBucketProfiling":"","unusualUserAgentsUserIdentityProfiling":"","unusualBucketsUserIdentityProfiling":"mr*******mr","isUnusualUserIdentity":"false"}}', 'type': 'default'}, 'eventFirstSeen': '2023-06-09T20:58:09.000Z', 'eventLastSeen': '2023-06-09T20:58:09.000Z', 'archived': False, 'count': 1}, 'severity': 2, 'createdAt': '2023-06-09T21:05:03.019Z', 'updatedAt': '2023-06-09T21:05:03.019Z', 'title': 'An API commonly used to discover S3 objects was invoked in an anomalous way.', 'description': 'This finding informs you that an IAM entity has invoked an S3 API to discover S3 buckets in your environment, such as ListBuckets. This type of activity is associated with the discovery stage of an attack wherein an attacker is gathering information to determine if your AWS environment is susceptible to a broader attack. This activity is suspicious because the way the IAM entity invoked the API was unusual. For example, this IAM entity had no prior history of invoking this type of API, or the API was invoked from an unusual location.'}

Incident Field Mapping

For this integration, the default incident fields in D3 SOAR are fixed with no built-in source fields. Users can specify the source fields as needed.

Event and Incident Intake Field Mapping

Please note that incident and event intake commands require both Event Field and Incident Field Mapping. These field mappings are the default event/incident field mappings for D3 system integrations. You can edit the provided mappings or create custom mappings as needed. Please refer to Event and Incident Intake Field Mapping for more details.

Incident Main JSON Path: $.findings

Field Name	Source Field
Title	User to define
Description	User to define
Severity	User to define, default is “Low”
Incident Type *	User to define, default is the first Incident form in D3 SOAR system
Incident Creator	User to define
Incident Owner	User to define
Incident Playbook	User to define
Due In Date	User to define
Unique Key	User to define
Tactics	User to define
Techniques	User to define

Event Field Mapping

Main Event JSON Path

$.findings

The event field mapping in Fetch Incident is the same as the one in Command Fetch Event.

Please refer to the command Fetch Event for detail.

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Fetch Incident failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the AWS GuardDuty portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: Errors in Fetch Incident function. Please check D3Error object in RawData for more details.

Error Sample Data

Fetch Incident failed.

Status Code: 400.

Message: Errors in Fetch Incident function. Please check D3Error object in RawData for more details.

Get Detector Detail

Retrieves the specified Amazon GuardDuty detectors.

READER NOTE

The parameter Detector IDs is required to run this command.

Run the List Detectors command to obtain Detector IDs. Detector IDs can be found in the returned raw data at the path $.detectorIds.

Input

Input Parameter	Required/Optional	Description	Example
Detector IDs	Required	The unique IDs of the detectors specified for retrieval. Detector IDs can be obtained using the List Detectors command.	[ "62b*****d6b" ]
Region Name	Optional	The AWS region name.	US West (N. California)
Role Arn	Optional	The Amazon Resource Name (ARN) of the role to assume. If not specified, the value of the connection parameter Default Role ARN will be used. Please ensure that the assumed role has the necessary permissions to execute the relevant commands. Additionally, the assumed role must be trusted by the account used for connection. For more information, please refer to Editing the trust relationship for an existing role - AWS Directory Service.	arn:aws:iam::*****:role/d3guarddutyrole
Role Session Name	Optional	The identifier for the assumed role session. Use the role session name to uniquely identify a session, especially when the same role is assumed by different principals or for different purposes. The role session name should consist of upper- and lower-case alphanumeric characters with no spaces. Additionally, you can include underscores or any of the following characters: =,.@-. If this parameter is not specified but the Role ARN parameter is, the D3 system will automatically generate a role session name for you.	d3guarddutyrole_Session1
Session Duration Time	Optional	The duration of the role assumption session in seconds. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role, which is 1 hour by default. If this parameter is not specified but the Role ARN parameter is, then the default value of 3600 seconds will be used.	1800

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration
The API returned an error message
No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE

Successful

Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE

[
    {
        "status": "ENABLED",
        "createdAt": "2019-12-01T21:45:33.167Z",
        "updatedAt": "2022-02-09T01:45:24.987Z",
        "findingPublishingFrequency": "ONE_HOUR",
        "dataSources": {
            "cloudTrail": {
                "status": "ENABLED"
            },
            "dnsLogs": {
                "status": "ENABLED"
            },
            "flowLogs": {
                "status": "ENABLED"
            },
            "s3Logs": {
                "status": "DISABLED"
            },
            "kubernetes": {
                "auditLogs": {
                    "status": "DISABLED"
                }
            },
            "malwareScan": {
                "scanPotentiallyCompromisedEC2": {
                    "scanEBSVolumes": {
                        "status": "DISABLED"
                    }
                }
            }
        },
        "tags": {},
        "serviceRole": "arn:aws:iam::*****:role/aws-service-role/guardduty.amazonaws.com/AWS********GuardDuty"
    }
]

Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE

No Sample Data

Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE

{
    "Status": [
        "ENABLED"
    ],
    "ServiceRoles": [
        "arn:aws:iam::*****:role/aws-service-role/guardduty.amazonaws.com/AWS********GuardDuty"
    ]
}

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

status	createdAt	updatedAt	findingPublishingFrequency	dataSources	tags	serviceRole
ENABLED	2019-12-01T21:45:33.167Z	2022-02-09T01:45:24.987Z	ONE_HOUR	{'cloudTrail': {'status': 'ENABLED'}, 'dnsLogs': {'status': 'ENABLED'}, 'flowLogs': {'status': 'ENABLED'}, 's3Logs': {'status': 'DISABLED'}, 'kubernetes': {'auditLogs': {'status': 'DISABLED'}}, 'malwareScan': {'scanPotentiallyCompromisedEC2': {'scanEBSVolumes': {'status': 'DISABLED'}}}}	{}	arn:aws:iam::***:role/aws-service-role/guardduty.amazonaws.com/AWS******GuardDuty

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Get Detector Detail failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the AWS GuardDuty portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: The request is rejected because the parameter detectorId has an invalid value.

Error Sample Data

Get Detector Detail failed.

Status Code: 400.

Message: The request is rejected because the parameter detectorId has an invalid value.

Get Findings

Describes Amazon GuardDuty findings specified by finding IDs.

READER NOTE

Detector ID and Finding IDs are required parameters to run this command.

Run the List Detectors command to obtain the Detector ID. Detector IDs can be found in the returned raw data at the path $.detectorIds.
Run the List Findings command to obtain Finding IDs. Finding IDs can be found in the returned raw data at the path $.findingIds.

Input

Input Parameter	Required/Optional	Description	Example
Detector ID	Required	The ID of the detector specifies the GuardDuty service for retrieving findings. Detector ID can be obtained using the List Detectors command.	62b*****d6b
Finding IDs	Required	The IDs of the findings specified for retrieval. Finding ID can be obtained using the List Findings command.	[ "36b*****689" ]
Region Name	Optional	The AWS region name.	US West (N. California)
Role Arn	Optional	The Amazon Resource Name (ARN) of the role to assume. If not specified, the value of the connection parameter Default Role ARN will be used. Please ensure that the assumed role has the necessary permissions to execute the relevant commands. Additionally, the assumed role must be trusted by the account used for connection. For more information, please refer to Editing the trust relationship for an existing role - AWS Directory Service.	arn:aws:iam::*****:role/d3guarddutyrole
Role Session Name	Optional	The identifier for the assumed role session. Use the role session name to uniquely identify a session, especially when the same role is assumed by different principals or for different purposes. The role session name should consist of upper- and lower-case alphanumeric characters with no spaces. Additionally, you can include underscores or any of the following characters: =,.@-. If this parameter is not specified but the Role ARN parameter is, the D3 system will automatically generate a role session name for you.	d3guarddutyrole_Session1
Session Duration Time	Optional	The duration of the role assumption session in seconds. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role, which is 1 hour by default. If this parameter is not specified but the Role ARN parameter is, then the default value of 3600 seconds will be used.	1800

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration
The API returned an error message
No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE

Successful

Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE

{
    "findings": [
        {
            "schemaVersion": "2.0",
            "accountId": "*****",
            "region": "us-west-1",
            "partition": "aws",
            "id": "36b*****689",
            "arn": "arn:aws:guardduty:us-west-1:*****:detector/62b*****d6b/finding/36b*****689",
            "type": "Persistence:IAMUser/AnomalousBehavior",
            "resource": {
                "resourceType": "AccessKey",
                "accessKeyDetails": {
                    "accessKeyId": "GeneratedFindingAccessKeyId",
                    "principalId": "GeneratedFindingPrincipalId",
                    "userType": "GeneratedFindingUserType",
                    "userName": "Gen********ame"
                },
                "instanceDetails": {
                    "instanceId": "*****",
                    "instanceType": "m3.xlarge",
                    "outpostArn": "arn:aws:outposts:us-west-2:*****:outpost/op-*****",
                    "launchTime": "2016-08-02T02:05:06.000Z",
                    "platform": null,
                    "productCodes": [
                        {
                            "productCodeId": "GeneratedFindingProductCodeId",
                            "productCodeType": "GeneratedFindingProductCodeType"
                        }
                    ],
                    "iamInstanceProfile": {
                        "arn": "arn:aws:iam::*****:example/instance/profile",
                        "id": "GeneratedFindingInstanceProfileId"
                    },
                    "networkInterfaces": [
                        {
                            "networkInterfaceId": "eni-*****",
                            "privateIpAddresses": [
                                {
                                    "privateDnsName": "GeneratedFindingPrivateName",
                                    "privateIpAddress": "***.***.***.***"
                                }
                            ],
                            "subnetId": "GeneratedFindingSubnetId",
                            "vpcId": "GeneratedFindingVPCId",
                            "privateDnsName": "GeneratedFindingPrivateDnsName",
                            "securityGroups": [
                                {
                                    "groupName": "GeneratedFindingSecurityGroupName",
                                    "groupId": "GeneratedFindingSecurityId"
                                }
                            ],
                            "publicIp": "***.***.***.***",
                            "ipv6Addresses": [],
                            "publicDnsName": "GeneratedFindingPublicDNSName",
                            "privateIpAddress": "***.***.***.***"
                        }
                    ],
                    "tags": [
                        {
                            "value": "GeneratedFindingInstaceValue1",
                            "key": "GeneratedFindingInstaceTag1"
                        },
                        {
                            "value": "GeneratedFindingInstaceTagValue2",
                            "key": "GeneratedFindingInstaceTag2"
                        },
                        {
                            "value": "GeneratedFindingInstaceTagValue3",
                            "key": "GeneratedFindingInstaceTag3"
                        },
                        {
                            "value": "GeneratedFindingInstaceTagValue4",
                            "key": "GeneratedFindingInstaceTag4"
                        },
                        {
                            "value": "GeneratedFindingInstaceTagValue5",
                            "key": "GeneratedFindingInstaceTag5"
                        },
                        {
                            "value": "GeneratedFindingInstaceTagValue6",
                            "key": "GeneratedFindingInstaceTag6"
                        },
                        {
                            "value": "GeneratedFindingInstaceTagValue7",
                            "key": "GeneratedFindingInstaceTag7"
                        },
                        {
                            "value": "GeneratedFindingInstaceTagValue8",
                            "key": "GeneratedFindingInstaceTag8"
                        },
                        {
                            "value": "GeneratedFindingInstaceTagValue9",
                            "key": "GeneratedFindingInstaceTag9"
                        }
                    ],
                    "instanceState": "running",
                    "availabilityZone": "GeneratedFindingInstaceAvailabilityZone",
                    "imageId": "am*****",
                    "imageDescription": "GeneratedFindingInstaceImageDescription"
                }
            },
            "service": {
                "serviceName": "guardduty",
                "detectorId": "62b*****d6b",
                "action": {
                    "actionType": "AWS_API_CALL",
                    "awsApiCallAction": {
                        "api": "GeneratedFindingAPIName",
                        "serviceName": "GeneratedFindingAPIServiceName",
                        "callerType": "Remote IP",
                        "errorCode": "AccessDenied",
                        "remoteIpDetails": {
                            "ipAddressV4": "***.***.***.***",
                            "organization": {
                                "asn": "-1",
                                "asnOrg": "GeneratedFindingASNOrg",
                                "isp": "GeneratedFindingISP",
                                "org": "GeneratedFindingOrg"
                            },
                            "country": {
                                "countryName": "GeneratedFindingCountryName"
                            },
                            "city": {
                                "cityName": "GeneratedFindingCityName"
                            },
                            "geoLocation": {
                                "lat": 0,
                                "lon": 0
                            }
                        },
                        "affectedResources": {}
                    }
                },
                "resourceRole": "TARGET",
                "additionalInfo": {
                    "userAgent": {
                        "fullUserAgent": "GeneratedFindingFullUserAgent",
                        "userAgentCategory": "GeneratedFindingUserAgentCategory"
                    },
                    "anomalies": {
                        "anomalousAPIs": "GeneratedFindingAPIServiceName:[GeneratedFindingAPIName:AccessDenied , GeneratedFindingAPINameTwo:AccessDenied] , GeneratedFindingAPIServiceNameThree:[GeneratedFindingAPINameThree:success] , GeneratedFindingAPIServiceNameFour:[GeneratedFindingAPINameFour:success]"
                    },
                    "profiledBehavior": {
                        "rareProfiledAPIsAccountProfiling": "GeneratedFindingAPINameTwo , GeneratedFindingAPINameThree",
                        "infrequentProfiledAPIsAccountProfiling": "GeneratedFindingAPINameFour",
                        "frequentProfiledAPIsAccountProfiling": "GeneratedFindingAPINameFive , GeneratedFindingAPINameSix",
                        "rareProfiledAPIsUserIdentityProfiling": "GeneratedFindingAPINameTwo",
                        "infrequentProfiledAPIsUserIdentityProfiling": "GeneratedFindingAPINameSix",
                        "frequentProfiledAPIsUserIdentityProfiling": "GeneratedFindingAPINameFive",
                        "rareProfiledUserTypesAccountProfiling": "GeneratedFindingUserType",
                        "infrequentProfiledUserTypesAccountProfiling": "",
                        "frequentProfiledUserTypesAccountProfiling": "ASSUMED_ROLE",
                        "rareProfiledUserNamesAccountProfiling": "Gen********ame , Gen********ameTwo",
                        "infrequentProfiledUserNamesAccountProfiling": "",
                        "frequentProfiledUserNamesAccountProfiling": "Gen********ameTwoThree",
                        "rareProfiledASNsAccountProfiling": "",
                        "infrequentProfiledASNsAccountProfiling": "",
                        "frequentProfiledASNsAccountProfiling": "asnNumber: GeneratedFindingASNOne asnOrg: GeneratedFindingASNOrgOne",
                        "rareProfiledASNsUserIdentityProfiling": "asnNumber: GeneratedFindingASNOne asnOrg: GeneratedFindingASNOrgOne",
                        "infrequentProfiledASNsUserIdentityProfiling": "",
                        "frequentProfiledASNsUserIdentityProfiling": "",
                        "rareProfiledUserAgentsAccountProfiling": "GeneratedFindingUserAgentOne , GeneratedFindingUserAgentTwo , GeneratedFindingUserAgentThree",
                        "infrequentProfiledUserAgentsAccountProfiling": "",
                        "frequentProfiledUserAgentsAccountProfiling": "AWS Service , AWS Internal",
                        "rareProfiledUserAgentsUserIdentityProfiling": "GeneratedFindingUserAgentOne",
                        "infrequentProfiledUserAgentsUserIdentityProfiling": "",
                        "frequentProfiledUserAgentsUserIdentityProfiling": ""
                    },
                    "unusualBehavior": {
                        "unusualAPIsAccountProfiling": "GeneratedFindingAPIName",
                        "unusualAPIsUserIdentityProfiling": "GeneratedFindingAPIName",
                        "unusualUserTypesAccountProfiling": "",
                        "unusualUserNamesAccountProfiling": "",
                        "unusualASNsAccountProfiling": "asnNumber: -1 asnOrg: GeneratedFindingASNOrg",
                        "unusualASNsUserIdentityProfiling": "asnNumber: -1 asnOrg: GeneratedFindingASNOrg",
                        "unusualUserAgentsAccountProfiling": "GeneratedFindingUserAgentCategory",
                        "unusualUserAgentsUserIdentityProfiling": "GeneratedFindingUserAgentCategory",
                        "isUnusualUserIdentity": "false"
                    },
                    "sample": true
                },
                "evidence": null,
                "eventFirstSeen": "2022-01-25T00:08:23.000Z",
                "eventLastSeen": "2022-01-25T00:18:15.000Z",
                "archived": false,
                "count": 2,
                "userFeedback": "USEFUL"
            },
            "severity": 5,
            "createdAt": "2022-01-25T00:08:23.327Z",
            "updatedAt": "2022-01-25T00:18:15.563Z",
            "title": "User GeneratedFindingUserType : Gen********ame is anomalously invoking APIs commonly used in Persistence tactics.",
            "description": "APIs commonly used in Persistence tactics were invoked by user GeneratedFindingUserType : Gen********ame, under anomalous circumstances. Such activity is not typically seen from this user."
        }
    ]
}

Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE

{
    "FindingIDs": [
        "36b*****689"
    ]
}

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

schemaVersion	2
accountId	391501681688
region	us-west-1
partition	aws
id	36bf4747f50fdd07542afa2dc4259689
arn	arn:aws:guardduty:us-west-1:391501681688:detector/62b761b6845bf20aa6e243a90c8a8d6b/finding/36bf4747f50fdd07542afa2dc4259689
type	Persistence:IAMUser/AnomalousBehavior
resource	{'resourceType': 'AccessKey', 'accessKeyDetails': {'accessKeyId': 'GeneratedFindingAccessKeyId', 'principalId': 'GeneratedFindingPrincipalId', 'userType': 'GeneratedFindingUserType', 'userName': 'GeneratedFindingUserName'}, 'instanceDetails': {'instanceId': 'i-99999999', 'instanceType': 'm3.xlarge', 'outpostArn': 'arn:aws:outposts:us-west-2:123456789000:outpost/op-0fbc006e9abbc73c3', 'launchTime': '2016-08-02T02:05:06.000Z', 'platform': None, 'productCodes': [{'productCodeId': 'GeneratedFindingProductCodeId', 'productCodeType': 'GeneratedFindingProductCodeType'}], 'iamInstanceProfile': {'arn': 'arn:aws:iam::391501681688:example/instance/profile', 'id': 'GeneratedFindingInstanceProfileId'}, 'networkInterfaces': [{'networkInterfaceId': 'eni-bfcffe88', 'privateIpAddresses': [{'privateDnsName': 'GeneratedFindingPrivateName', 'privateIpAddress': '10.0.0.1'}], 'subnetId': 'GeneratedFindingSubnetId', 'vpcId': 'GeneratedFindingVPCId', 'privateDnsName': 'GeneratedFindingPrivateDnsName', 'securityGroups': [{'groupName': 'GeneratedFindingSecurityGroupName', 'groupId': 'GeneratedFindingSecurityId'}], 'publicIp': '198.51.100.0', 'ipv6Addresses': [], 'publicDnsName': 'GeneratedFindingPublicDNSName', 'privateIpAddress': '10.0.0.1'}], 'tags': [{'value': 'GeneratedFindingInstaceValue1', 'key': 'GeneratedFindingInstaceTag1'}, {'value': 'GeneratedFindingInstaceTagValue2', 'key': 'GeneratedFindingInstaceTag2'}, {'value': 'GeneratedFindingInstaceTagValue3', 'key': 'GeneratedFindingInstaceTag3'}, {'value': 'GeneratedFindingInstaceTagValue4', 'key': 'GeneratedFindingInstaceTag4'}, {'value': 'GeneratedFindingInstaceTagValue5', 'key': 'GeneratedFindingInstaceTag5'}, {'value': 'GeneratedFindingInstaceTagValue6', 'key': 'GeneratedFindingInstaceTag6'}, {'value': 'GeneratedFindingInstaceTagValue7', 'key': 'GeneratedFindingInstaceTag7'}, {'value': 'GeneratedFindingInstaceTagValue8', 'key': 'GeneratedFindingInstaceTag8'}, {'value': 'GeneratedFindingInstaceTagValue9', 'key': 'GeneratedFindingInstaceTag9'}], 'instanceState': 'running', 'availabilityZone': 'GeneratedFindingInstaceAvailabilityZone', 'imageId': 'ami-99999999', 'imageDescription': 'GeneratedFindingInstaceImageDescription'}}
service	{'serviceName': 'guardduty', 'detectorId': '62b761b6845bf20aa6e243a90c8a8d6b', 'action': {'actionType': 'AWS_API_CALL', 'awsApiCallAction': {'api': 'GeneratedFindingAPIName', 'serviceName': 'GeneratedFindingAPIServiceName', 'callerType': 'Remote IP', 'errorCode': 'AccessDenied', 'remoteIpDetails': {'ipAddressV4': '198.51.100.0', 'organization': {'asn': '-1', 'asnOrg': 'GeneratedFindingASNOrg', 'isp': 'GeneratedFindingISP', 'org': 'GeneratedFindingOrg'}, 'country': {'countryName': 'GeneratedFindingCountryName'}, 'city': {'cityName': 'GeneratedFindingCityName'}, 'geoLocation': {'lat': 0, 'lon': 0}}, 'affectedResources': {}}}, 'resourceRole': 'TARGET', 'additionalInfo': {'userAgent': {'fullUserAgent': 'GeneratedFindingFullUserAgent', 'userAgentCategory': 'GeneratedFindingUserAgentCategory'}, 'anomalies': {'anomalousAPIs': 'GeneratedFindingAPIServiceName:[GeneratedFindingAPIName:AccessDenied , GeneratedFindingAPINameTwo:AccessDenied] , GeneratedFindingAPIServiceNameThree:[GeneratedFindingAPINameThree:success] , GeneratedFindingAPIServiceNameFour:[GeneratedFindingAPINameFour:success]'}, 'profiledBehavior': {'rareProfiledAPIsAccountProfiling': 'GeneratedFindingAPINameTwo , GeneratedFindingAPINameThree', 'infrequentProfiledAPIsAccountProfiling': 'GeneratedFindingAPINameFour', 'frequentProfiledAPIsAccountProfiling': 'GeneratedFindingAPINameFive , GeneratedFindingAPINameSix', 'rareProfiledAPIsUserIdentityProfiling': 'GeneratedFindingAPINameTwo', 'infrequentProfiledAPIsUserIdentityProfiling': 'GeneratedFindingAPINameSix', 'frequentProfiledAPIsUserIdentityProfiling': 'GeneratedFindingAPINameFive', 'rareProfiledUserTypesAccountProfiling': 'GeneratedFindingUserType', 'infrequentProfiledUserTypesAccountProfiling': '', 'frequentProfiledUserTypesAccountProfiling': 'ASSUMED_ROLE', 'rareProfiledUserNamesAccountProfiling': 'GeneratedFindingUserName , GeneratedFindingUserNameTwo', 'infrequentProfiledUserNamesAccountProfiling': '', 'frequentProfiledUserNamesAccountProfiling': 'GeneratedFindingUserNameTwoThree', 'rareProfiledASNsAccountProfiling': '', 'infrequentProfiledASNsAccountProfiling': '', 'frequentProfiledASNsAccountProfiling': 'asnNumber: GeneratedFindingASNOne asnOrg: GeneratedFindingASNOrgOne', 'rareProfiledASNsUserIdentityProfiling': 'asnNumber: GeneratedFindingASNOne asnOrg: GeneratedFindingASNOrgOne', 'infrequentProfiledASNsUserIdentityProfiling': '', 'frequentProfiledASNsUserIdentityProfiling': '', 'rareProfiledUserAgentsAccountProfiling': 'GeneratedFindingUserAgentOne , GeneratedFindingUserAgentTwo , GeneratedFindingUserAgentThree', 'infrequentProfiledUserAgentsAccountProfiling': '', 'frequentProfiledUserAgentsAccountProfiling': 'AWS Service , AWS Internal', 'rareProfiledUserAgentsUserIdentityProfiling': 'GeneratedFindingUserAgentOne', 'infrequentProfiledUserAgentsUserIdentityProfiling': '', 'frequentProfiledUserAgentsUserIdentityProfiling': ''}, 'unusualBehavior': {'unusualAPIsAccountProfiling': 'GeneratedFindingAPIName', 'unusualAPIsUserIdentityProfiling': 'GeneratedFindingAPIName', 'unusualUserTypesAccountProfiling': '', 'unusualUserNamesAccountProfiling': '', 'unusualASNsAccountProfiling': 'asnNumber: -1 asnOrg: GeneratedFindingASNOrg', 'unusualASNsUserIdentityProfiling': 'asnNumber: -1 asnOrg: GeneratedFindingASNOrg', 'unusualUserAgentsAccountProfiling': 'GeneratedFindingUserAgentCategory', 'unusualUserAgentsUserIdentityProfiling': 'GeneratedFindingUserAgentCategory', 'isUnusualUserIdentity': 'false'}, 'sample': True}, 'evidence': None, 'eventFirstSeen': '2022-01-25T00:08:23.000Z', 'eventLastSeen': '2022-01-25T00:18:15.000Z', 'archived': False, 'count': 2, 'userFeedback': 'USEFUL'}
severity	5
createdAt	2022-01-25T00:08:23.327Z
updatedAt	2022-01-25T00:18:15.563Z
title	User GeneratedFindingUserType : GeneratedFindingUserName is anomalously invoking APIs commonly used in Persistence tactics.
description	APIs commonly used in Persistence tactics were invoked by user GeneratedFindingUserType : GeneratedFindingUserName, under anomalous circumstances. Such activity is not typically seen from this user.

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Get Findings failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the AWS GuardDuty portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: The request is rejected because the parameter detectorId has an invalid value.

Error Sample Data

Get Findings failed.

Status Code: 400.

Message: The request is rejected because the parameter detectorId has an invalid value.

Get IPSet

Retrieves the IPSets specified by the IPSet IDs.

READER NOTE

Detector ID and IPSet IDs are required parameters to run this command.

Run the List Detectors command to obtain the Detector ID. Detector IDs can be found in the returned raw data at the path $.detectorIds.
Run the List IPSets command to obtain the IPSet ID. IPSet IDs can be found in the returned raw data at the path $.ipSetIds.

Input

Input Parameter	Required/Optional	Description	Example
Detector ID	Required	The ID of the detector specifies the GuardDuty service for retrieving IPSets. Detector ID can be obtained using the List Detectors command.	62b*****d6b
IPSet ID	Required	The unique IDs of the IPSets to retrieve. IPSet ID can be obtained using the List IPSets command.	[ "ed5*****6b3" ]
Region Name	Optional	The AWS region name.	US West (N. California)
Role Arn	Optional	The Amazon Resource Name (ARN) of the role to assume. If not specified, the value of the connection parameter Default Role ARN will be used. Please ensure that the assumed role has the necessary permissions to execute the relevant commands. Additionally, the assumed role must be trusted by the account used for connection. For more information, please refer to Editing the trust relationship for an existing role - AWS Directory Service.	arn:aws:iam::*****:role/d3guarddutyrole
Role Session Name	Optional	The identifier for the assumed role session. Use the role session name to uniquely identify a session, especially when the same role is assumed by different principals or for different purposes. The role session name should consist of upper- and lower-case alphanumeric characters with no spaces. Additionally, you can include underscores or any of the following characters: =,.@-. If this parameter is not specified but the Role ARN parameter is, the D3 system will automatically generate a role session name for you.	d3guarddutyrole_Session1
Session Duration Time	Optional	The duration of the role assumption session in seconds. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role, which is 1 hour by default. If this parameter is not specified but the Role ARN parameter is, then the default value of 3600 seconds will be used.	1800

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration
The API returned an error message
No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE

Successful

Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE

[
    {
        "name": "ip***02",
        "location": "https://1s1******dd1.**.us-west-1.amazonaws.com/ip***01.txt",
        "format": "TXT",
        "status": "ACTIVE",
        "tags": {
            "string": "SecureIPs"
        }
    }
]

Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE

{
    "Names": [
        "ip***02"
    ]
}

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

name	location	format	status	tags
ip***02	https://1s1****dd1.3.us-west-1.amazonaws.com/ip***01.txt	TXT	ACTIVE	{'string': 'SecureIPs'}

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Get IPSet failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the AWS GuardDuty portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: The request is rejected because the input detectorId is not owned by the current account.

Error Sample Data

Get IPSet failed.

Status Code: 400.

Message: The request is rejected because the input detectorId is not owned by the current account.

Get ThreatintelSet

Retrieves the specified ThreatIntelSets.

READER NOTE

Detector ID and Threat Intel Set IDs are required parameters to run this command.

Run the List Detectors command to obtain the Detector ID. Detector IDs can be found in the returned raw data at the path $.detectorIds.
Run the List ThreatIntelSets command to obtain Threat Intel Sets IDs. Threat Intel Sets IDs can be found in the returned raw data at the path $.threatIntelSetIds.

Input

Input Parameter	Required/Optional	Description	Example
Detector ID	Required	The ID of the detector specifies the GuardDuty service for retrieving the ThreatIntelSet. Detector ID can be obtained using the List Detectors command.	62b*****d6b
ThreatIntelSet IDs	Required	The unique ID of the ThreatIntelSet to retrieve. ThreatIntelSet IDs can be obtained using the List ThreatIntelSets command.	[ "9bd*****fec" ]
Region Name	Optional	The AWS region name.	US West (N. California)
Role Arn	Optional	The Amazon Resource Name (ARN) of the role to assume. If not specified, the value of the connection parameter Default Role ARN will be used. Please ensure that the assumed role has the necessary permissions to execute the relevant commands. Additionally, the assumed role must be trusted by the account used for connection. For more information, please refer to Editing the trust relationship for an existing role - AWS Directory Service.	arn:aws:iam::*****:role/d3guarddutyrole
Role Session Name	Optional	The identifier for the assumed role session. Use the role session name to uniquely identify a session, especially when the same role is assumed by different principals or for different purposes. The role session name should consist of upper- and lower-case alphanumeric characters with no spaces. Additionally, you can include underscores or any of the following characters: =,.@-. If this parameter is not specified but the Role ARN parameter is, the D3 system will automatically generate a role session name for you.	d3guarddutyrole_Session1
Session Duration Time	Optional	The duration of the role assumption session in seconds. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role, which is 1 hour by default. If this parameter is not specified but the Role ARN parameter is, then the default value of 3600 seconds will be used.	1800

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration
The API returned an error message
No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE

Successful

Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE

[
    {
        "name": "thr*****NEW",
        "location": "https://1s1******dd1.**.us-west-1.amazonaws.com/thr******t01.txt",
        "format": "TXT",
        "status": "ACTIVE",
        "tags": {
            "string": "SuspiciousIPs"
        }
    }
]

Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE

{
    "Names": [
        "thr*****NEW"
    ]
}

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

name	location	format	status	tags
thr*****NEW	https://1s1****dd1..us-west-1.amazonaws.com/thr******t01.txt	TXT	ACTIVE	{'string': 'SuspiciousIPs'}

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Get ThreatintelSet failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the AWS GuardDuty portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: The request is rejected because the parameter detectorId has an invalid value.

Error Sample Data

Get ThreatintelSet failed.

Status Code: 400.

Message: The request is rejected because the parameter detectorId has an invalid value.

List Detectors

Lists detectors of all the existing Amazon GuardDuty detector resources.

Input

Input Parameter	Required/Optional	Description	Example
Region Name	Optional	The AWS region name.	US West (N. California)
Role Arn	Optional	The Amazon Resource Name (ARN) of the role to assume. If not specified, the value of the connection parameter Default Role ARN will be used. Please ensure that the assumed role has the necessary permissions to execute the relevant commands. Additionally, the assumed role must be trusted by the account used for connection. For more information, please refer to Editing the trust relationship for an existing role - AWS Directory Service.	arn:aws:iam::*****:role/d3guarddutyrole
Role Session Name	Optional	The identifier for the assumed role session. Use the role session name to uniquely identify a session, especially when the same role is assumed by different principals or for different purposes. The role session name should consist of upper- and lower-case alphanumeric characters with no spaces. Additionally, you can include underscores or any of the following characters: =,.@-. If this parameter is not specified but the Role ARN parameter is, the D3 system will automatically generate a role session name for you.	d3guarddutyrole_Session1
Session Duration Time	Optional	The duration of the role assumption session in seconds. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role, which is 1 hour by default. If this parameter is not specified but the Role ARN parameter is, then the default value of 3600 seconds will be used.	1800

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration
The API returned an error message
No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE

Successful

Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE

{
    "detectorIds": [
        "62b*****d6b"
    ]
}

Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE

{
    "DetectorIDs": [
        "62b*****d6b"
    ]
}

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

detectorIds

62b*****d6b

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	List Detectors failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the AWS GuardDuty portal. Refer to the HTTP Status Code Registry for details.	Status Code: 401.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: User: arn:aws:iam::**********:user/ is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::**********:role/d3guarddutyrole.

Error Sample Data

List Detectors failed.

Status Code: 401.

Message: User: arn:aws:iam::************:user/**** is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::************:role/d3guarddutyrole.

List Findings

Retrieves Amazon GuardDuty findings according to search criteria for the specified detector ID.

READER NOTE

Detector ID is a required parameter to run this command.

Run the List Detectors command to obtain detector ID. Detector IDs can be found in the returned raw data at the path $.detectorIds[*].

Input

Input Parameter	Required/Optional	Description	Example
Detector ID	Required	The ID of the detector that specifies the GuardDuty service for retrieving findings. Detector ID can be obtained using the List Detectors command.	62b*****d6b
Limit	Optional	The maximum number of findings requested in the response. The default value is 50, with a maximum value of 50.	10
Search Condition	Optional	The criteria used for querying findings. Please refer to ListFindings - Amazon GuardDuty for query syntax. It is recommended to use D3 sample data as a base to build the query string. The properties for query can be obtained from the data structure of Findings. Do not use the updatedAt property in the search condition because the value of the updatedAt property is handled by the Start Time and End Time parameters. Note: the search condition is case sensitive.	"resource.instanceDetails.networkInterfaces.publicIp": { "eq": ["*...*"] }
Region Name	Optional	The AWS region name.	US West (N. California)
Role Arn	Optional	The Amazon Resource Name (ARN) of the role to assume. If not specified, the value of the connection parameter Default Role ARN will be used. Please ensure that the assumed role has the necessary permissions to execute the relevant commands. Additionally, the assumed role must be trusted by the account used for connection. For more information, please refer to Editing the trust relationship for an existing role - AWS Directory Service.	arn:aws:iam::*****:role/d3guarddutyrole
Role Session Name	Optional	The identifier for the assumed role session. Use the role session name to uniquely identify a session, especially when the same role is assumed by different principals or for different purposes. The role session name should consist of upper- and lower-case alphanumeric characters with no spaces. Additionally, you can include underscores or any of the following characters: =,.@-. If this parameter is not specified but the Role ARN parameter is, the D3 system will automatically generate a role session name for you.	d3guarddutyrole_Session1
Session Duration Time	Optional	The duration of the role assumption session in seconds. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role, which is 1 hour by default. If this parameter is not specified but the Role ARN parameter is, then the default value of 3600 seconds will be used.	1800

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration
The API returned an error message
No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE

Successful

Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE

{
    "findingIds": [
        "beb*****6c2"
    ],
    "nextToken": ""
}

Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

D3 customizes the returned context data by keeping the "findingIds" field only.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE

{
    "findingIds": [
        "bebf******6c2"
    ]
}

Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE

{
    "FindingIDs": [
        "beb*****6c2"
    ]
}

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

findingIds	beb*****6c2
nextToken

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	List Findings failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the AWS GuardDuty portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: The request is rejected because the input detectorId is not owned by the current account.

Error Sample Data

List Findings failed.

Status Code: 400.

Message: The request is rejected because the input detectorId is not owned by the current account.

List IPSets

Lists the IPSets of the GuardDuty service specified by the detector ID. If used from a member account, the returned IPSets are from the associated administrator account.

READER NOTE

Detector ID is a required parameter to run this command.

Run the List Detectors command to obtain the Detector ID. Detector IDs can be found in the returned raw data at the path $.detectorIds.

Input

Input Parameter	Required/Optional	Description	Example
Detector ID	Required	The ID of the detector specifies the GuardDuty service for listing IPSets. Detector ID can be obtained using the List Detectors command.	62b*****d6b
Limit	Optional	The maximum number of IPSets requested in the response. The default value is 50, with a maximum value of 50.	10
Region Name	Optional	The AWS region name.	US West (N. California)
Role Arn	Optional	The Amazon Resource Name (ARN) of the role to assume. If not specified, the value of the connection parameter Default Role ARN will be used. Please ensure that the assumed role has the necessary permissions to execute the relevant commands. Additionally, the assumed role must be trusted by the account used for connection. For more information, please refer to Editing the trust relationship for an existing role - AWS Directory Service.	arn:aws:iam::*****:role/d3guarddutyrole
Role Session Name	Optional	The identifier for the assumed role session. Use the role session name to uniquely identify a session, especially when the same role is assumed by different principals or for different purposes. The role session name should consist of upper- and lower-case alphanumeric characters with no spaces. Additionally, you can include underscores or any of the following characters: =,.@-. If this parameter is not specified but the Role ARN parameter is, the D3 system will automatically generate a role session name for you.	d3guarddutyrole_Session1
Session Duration Time	Optional	The duration of the role assumption session in seconds. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role, which is 1 hour by default. If this parameter is not specified but the Role ARN parameter is, then the default value of 3600 seconds will be used.	1800

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration
The API returned an error message
No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE

Successful

Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE

{
    "ipSetIds": [
        "ed5*****6b3"
    ],
    "nextToken": null
}

Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE

{
    "IPSetIDs": [
        "ed5*****6b3"
    ]
}

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

ipSetIds	ed5*****6b3
nextToken	None

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	List IPSets failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the AWS GuardDuty portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: The request is rejected because the parameter detectorId has an invalid value.

Error Sample Data

List IPSets failed.

Status Code: 400.

Message: The request is rejected because the parameter detectorId has an invalid value.

List ThreatIntelSets

Lists the ThreatIntelSet IDs of the GuardDuty service specified by the detector ID. If this operation is used from a member account, the ThreatIntelSets associated with the administrator account are returned.

READER NOTE

Detector ID is a required parameter to run this command.

Run the List Detectors command to obtain the Detector ID. Detector IDs can be found in the returned raw data at the path $.detectorIds.

Input

Input Parameter	Required/Optional	Description	Example
Detector ID	Required	The ID of the detector specifies the GuardDuty service for listing ThreatIntelSets. Detector ID can be obtained using the List Detectors command.	62b*****d6b
Limit	Optional	The maximum number of ThreatIntelSets requested in the response. The default value is 50, with a maximum value of 50.	10
Region Name	Optional	The AWS region name.	US West (N. California)
Role Arn	Optional	The Amazon Resource Name (ARN) of the role to assume. If not specified, the value of the connection parameter Default Role ARN will be used. Please ensure that the assumed role has the necessary permissions to execute the relevant commands. Additionally, the assumed role must be trusted by the account used for connection. For more information, please refer to Editing the trust relationship for an existing role - AWS Directory Service.	arn:aws:iam::*****:role/d3guarddutyrole
Role Session Name	Optional	The identifier for the assumed role session. Use the role session name to uniquely identify a session, especially when the same role is assumed by different principals or for different purposes. The role session name should consist of upper- and lower-case alphanumeric characters with no spaces. Additionally, you can include underscores or any of the following characters: =,.@-. If this parameter is not specified but the Role ARN parameter is, the D3 system will automatically generate a role session name for you.	d3guarddutyrole_Session1
Session Duration Time	Optional	The duration of the role assumption session in seconds. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role, which is 1 hour by default. If this parameter is not specified but the Role ARN parameter is, then the default value of 3600 seconds will be used.	1800

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration
The API returned an error message
No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE

Successful

Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE

{
    "threatIntelSetIds": [
        "9bd*****fec"
    ],
    "nextToken": null
}

Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE

{
    "ThreatIntelSetIDs": [
        "9bd*****fec"
    ]
}

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

threatIntelSetIds	9bd*****fec
nextToken	None

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	List ThreatIntelSets failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the AWS GuardDuty portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: The request is rejected because the parameter detectorId has an invalid value.

Error Sample Data

List ThreatIntelSets failed.

Status Code: 400.

Message: The request is rejected because the parameter detectorId has an invalid value.

Unarchive Findings

Unarchives GuardDuty findings specified by the Finding IDs.

READER NOTE

Detector ID and Finding IDs are required parameters to run this command.

Run the List Detectors command to obtain the Detector ID. Detector IDs can be found in the raw data returned at the path $.detectorIds.
Run the List Findings command to obtain the Finding IDs. Finding IDs can be found in the raw data returned at the path $.findingIds.

Input

Input Parameter	Required/Optional	Description	Example
Detector ID	Required	The ID of the detector specifies the GuardDuty service for unarchiving findings. Detector ID can be obtained using the List Detectors command.	62b*****d6b
Finding IDs	Required	The IDs of the findings specified for unarchiving. Finding IDs can be obtained using the List Findings command.	[ "36b*****689" ]
Region Name	Optional	The AWS region name.	US West (N. California)
Role Arn	Optional	The Amazon Resource Name (ARN) of the role to assume. If not specified, the value of the connection parameter Default Role ARN will be used. Please ensure that the assumed role has the necessary permissions to execute the relevant commands. Additionally, the assumed role must be trusted by the account used for connection. For more information, please refer to Editing the trust relationship for an existing role - AWS Directory Service.	arn:aws:iam::*****:role/d3guarddutyrole
Role Session Name	Optional	The identifier for the assumed role session. Use the role session name to uniquely identify a session, especially when the same role is assumed by different principals or for different purposes. The role session name should consist of upper- and lower-case alphanumeric characters with no spaces. Additionally, you can include underscores or any of the following characters: =,.@-. If this parameter is not specified but the Role ARN parameter is, the D3 system will automatically generate a role session name for you.	d3guarddutyrole_Session1
Session Duration Time	Optional	The duration of the role assumption session in seconds. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role, which is 1 hour by default. If this parameter is not specified but the Role ARN parameter is, then the default value of 3600 seconds will be used.	1800

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration
The API returned an error message
No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE

Successful

Raw Data

The primary response data from the API request.

D3 customizes the returned raw data by adding "findingIDs" and "actionResult" fields to indicate which findings have been unarchived and the result of the command.

SAMPLE DATA

CODE

[
    {
        "findingIDs": "36b*****689",
        "actionResult": "Unarchived  the finding successfully"
    }
]

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

findingIDs	actionResult
36b*****689	Unarchived the finding successfully

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Unarchive Findings failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the AWS GuardDuty portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: The request is rejected because the parameter detectorId has an invalid value.

Error Sample Data

Unarchive Findings failed.

Status Code: 400.

Message: The request is rejected because the parameter detectorId has an invalid value.

Update Detector

Updates the Amazon GuardDuty detectors specified by the Detector IDs.

READER NOTE

Detector IDs is a required parameter to run this command.

Run the List Detectors command to obtain the Detector ID. Detector IDs can be found in the returned raw data at the path $.detectorIds.

Input

Input Parameter	Required/Optional	Description	Example
Detector IDs	Required	The unique IDs of the detectors to be updated. Detector ID can be obtained using the List Detectors command.	[ "1ab*****f4f" ]
Enable	Required	The boolean value specifying whether the detector is to be enabled.	True
Finding Publishing Frequency	Optional	The enum value specifying how frequently findings are exported, such as to CloudWatch Events.	1 hour
Region Name	Optional	The AWS region name.	US West (N. California)
Role Arn	Optional	The Amazon Resource Name (ARN) of the role to assume. If not specified, the value of the connection parameter Default Role ARN will be used. Please ensure that the assumed role has the necessary permissions to execute the relevant commands. Additionally, the assumed role must be trusted by the account used for connection. For more information, please refer to Editing the trust relationship for an existing role - AWS Directory Service.	arn:aws:iam::*****:role/d3guarddutyrole
Role Session Name	Optional	The identifier for the assumed role session. Use the role session name to uniquely identify a session, especially when the same role is assumed by different principals or for different purposes. The role session name should consist of upper- and lower-case alphanumeric characters with no spaces. Additionally, you can include underscores or any of the following characters: =,.@-. If this parameter is not specified but the Role ARN parameter is, the D3 system will automatically generate a role session name for you.	d3guarddutyrole_Session1
Session Duration Time	Optional	The duration of the role assumption session in seconds. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role, which is 1 hour by default. If this parameter is not specified but the Role ARN parameter is, then the default value of 3600 seconds will be used.	1800

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration
The API returned an error message
No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE

Successful

Raw Data

The primary response data from the API request.

D3 customizes the returned raw data by adding "detectorIDs" and "actionResult" fields to indicate which detectors have been updated and the result of the command.

SAMPLE DATA

CODE

[
    {
        "detectorIDs": "1ab*****f4f",
        "actionResult": "Updated the detector successfully"
    }
]

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

detectorIDs	actionResult
1ab*****f4f	Updated the detector successfully

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Update Detector failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the AWS GuardDuty portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: The request is rejected because the parameter detectorId has an invalid value.

Error Sample Data

Update Detector failed.

Status Code: 400.

Message: The request is rejected because the parameter detectorId has an invalid value.

Update Findings Feedback

Marks the specified GuardDuty findings as either useful or not useful.

READER NOTE

Detector ID and Finding IDs are required parameters to run this command.

Run the List Detectors command to obtain the Detector ID. Detector IDs can be found in the raw data returned at the path $.detectorIds.
Run the List Findings command to obtain the Finding IDs. Finding IDs can be found in the raw data returned at the path $.findingIds.

Input

Input Parameter	Required/Optional	Description	Example
Detector ID	Required	The ID of the detector specifies the GuardDuty service in which to update findings and feedback. Detector ID can be obtained using the List Detectors command.	62b*****d6b
Finding IDs	Required	The IDs of the findings you want to mark as useful or not useful. Finding IDs can be obtained using the List Findings command.	[ "36b*****689" ]
Feedback	Required	The feedback for the finding(s).	Useful
Comments	Optional	The additional feedback about the GuardDuty finding(s).	Finding feedback comments. Sample0209
Region Name	Optional	The AWS region name.	US West (N. California)
Role Arn	Optional	The Amazon Resource Name (ARN) of the role to assume. If not specified, the value of the connection parameter Default Role ARN will be used. Please ensure that the assumed role has the necessary permissions to execute the relevant commands. Additionally, the assumed role must be trusted by the account used for connection. For more information, please refer to Editing the trust relatonship for an existing role - AWS Directory Service.	arn:aws:iam::*****:role/d3guarddutyrole
Role Session Name	Optional	The identifier for the assumed role session. Use the role session name to uniquely identify a session, especially when the same role is assumed by different principals or for different purposes. The role session name should consist of upper- and lower-case alphanumeric characters with no spaces. Additionally, you can include underscores or any of the following characters: =,.@-. If this parameter is not specified but the Role ARN parameter is, the D3 system will automatically generate a role session name for you.	d3guarddutyrole_Session1
Session Duration Time	Optional	The duration of the role assumption session in seconds. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role, which is 1 hour by default. If this parameter is not specified but the Role ARN parameter is, then the default value of 3600 seconds will be used.	1800

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration
The API returned an error message
No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE

Successful

Raw Data

The primary response data from the API request.

D3 customizes the returned Raw Data by adding the "actionResult" field to indicate the running result of the command.

SAMPLE DATA

CODE

{
    "actionResult": "Updated the finding feedbacks successfully"
}

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CODE

No Sample Data

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Update Findings Feedback failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the AWS GuardDuty portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: The request is rejected because the parameter detectorId has an invalid value.

Error Sample Data

Update Findings Feedback failed.

Status Code: 400.

Message: The request is rejected because the parameter detectorId has an invalid value.

Update IPSet

Updates the IPSet specified by the IPSet IDs.

READER NOTE

Detector ID and IPSet IDs are required parameters to run this command.

Run the List Detectors command to obtain the Detector ID. Detector IDs can be found in the returned raw data at the path $.detectorIds.
Run the List IPSets command to obtain the IPSet IDs. IPSet IDs can be found in the returned raw data at the path $.ipSetIds.

Input

Input Parameter	Required/Optional	Description	Example
Detector ID	Required	The ID of the detector specifies the GuardDuty service in which to update the IPSet. Detector ID can be obtained using the List Detectors command.	62b*****d6b
IPSet IDs	Required	The unique IDs of the IPSets to update. IPSet IDs can be obtained from the List IPSets command.	[ "ed5*****6b3" ]
Activate	Optional	The updated Boolean value specifies whether the IPSet is active or not.	True
IPSet File Location	Optional	The updated URI of the file containing the IPSet can be saved in an AWS S3 bucket. It should resemble "https://{bucket-name}.s3.{region-name}.amazonaws.com/{filename.txt}" or "https://s3.{region-name}.amazonaws.com/{bucket-name}/{filename.txt}".	https://1s1****dd1..us-west-1.amazonaws.com/ip***01.txt
Name	Optional	The unique ID that specifies the IPSet that you want to update.	ip***02update0210
Region Name	Optional	The AWS region name.	US West (N. California)
Role Arn	Optional	The Amazon Resource Name (ARN) of the role to assume. If not specified, the value of the connection parameter Default Role ARN will be used. Please ensure that the assumed role has the necessary permissions to execute the relevant commands. Additionally, the assumed role must be trusted by the account used for connection. For more information, please refer to Editing the trust relationship for an existing role - AWS Directory Service.	arn:aws:iam::*****:role/d3guarddutyrole
Role Session Name	Optional	The identifier for the assumed role session. Use the role session name to uniquely identify a session, especially when the same role is assumed by different principals or for different purposes. The role session name should consist of upper- and lower-case alphanumeric characters with no spaces. Additionally, you can include underscores or any of the following characters: =,.@-. If this parameter is not specified but the Role ARN parameter is, the D3 system will automatically generate a role session name for you.	d3guarddutyrole_Session1
Session Duration Time	Optional	The duration of the role assumption session in seconds. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role, which is 1 hour by default. If this parameter is not specified but the Role ARN parameter is, then the default value of 3600 seconds will be used.	1800

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration
The API returned an error message
No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE

Successful

Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE

[
    {
        "name": "ip***02***10",
        "location": "https://1s1******dd1.**.us-west-1.amazonaws.com/ip***01.txt",
        "format": "TXT",
        "status": "INACTIVE",
        "tags": {
            "string": "SecureIPs"
        }
    }
]

Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE

{
    "Name": [
        "ip***02***10"
    ]
}

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

name	location	format	status	tags
ip***02update0210	https://1s1****dd1..us-west-1.amazonaws.com/ip***01.txt	TXT	INACTIVE	{'string': 'SecureIPs'}

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Update IPSet failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the AWS GuardDuty portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: The request is rejected because the parameter detectorId has an invalid value.

Error Sample Data

Update IPSet failed.

Status Code: 400.

Message: The request is rejected because the parameter detectorId has an invalid value.

Update ThreatIntelSet

Updates the ThreatIntelSets specified by the ThreatIntelSet IDs.

READER NOTE

Detector ID and ThreatIntelSet IDs are required parameters to run this command.

Run the List Detectors command to obtain the Detector ID. Detector IDs can be found in the raw data returned at the path $.detectorIds.
Run the List ThreatIntelSets command to obtain the ThreatIntelSet IDs. ThreatIntelSet IDs can be found in the raw data returned at the path $.threatIntelSetIds.

Input

Input Parameter	Required/Optional	Description	Example
Detector ID	Required	The ID of the detector specifies the GuardDuty service in which the user wants to update the threatIntelSet. Detector IDs can be obtained using the List Detectors command.	62b*****d6b
ThreatIntelSet IDs	Required	The unique ID specifying the ThreatIntelSet that requires updating. ThreatIntelSet IDs can be obtained using the List ThreatIntelSets command.	[ "5eb*****f09" ]
Activate	Optional	The updated Boolean value specifying the activation status of the ThreatIntelSet.	True
ThreatIntelSet File Location	Optional	The updated URI of the file containing the ThreatIntelSet. The ThreatIntelSet file can be stored in an AWS S3 bucket. It should follow this format: "https://{bucket-name}.s3.{region-name}.amazonaws.com/{filename.txt}" or "https://s3.{region-name}.amazonaws.com/{bucket-name}/{filename.txt}".	https://1s1****dd1..us-west-1.amazonaws.com/thr******t01.txt
Name	Optional	The unique ID specifying the ThreatIntelSet intended for update.	thr*******update
Region Name	Optional	The AWS region name.	US West (N. California)
Role Arn	Optional	The Amazon Resource Name (ARN) of the role to assume. If not specified, the value of the connection parameter Default Role ARN will be used. Please ensure that the assumed role has the necessary permissions to execute the relevant commands. Additionally, the assumed role must be trusted by the account used for connection. For more information, please refer to Editing the trust relationship for an existing role - AWS Directory Service.	arn:aws:iam::*****:role/d3guarddutyrole
Role Session Name	Optional	The identifier for the assumed role session. Use the role session name to uniquely identify a session, especially when the same role is assumed by different principals or for different purposes. The role session name should consist of upper- and lower-case alphanumeric characters with no spaces. Additionally, you can include underscores or any of the following characters: =,.@-. If this parameter is not specified but the Role ARN parameter is, the D3 system will automatically generate a role session name for you.	d3guarddutyrole_Session1
Session Duration Time	Optional	The duration of the role assumption session in seconds. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role, which is 1 hour by default. If this parameter is not specified but the Role ARN parameter is, then the default value of 3600 seconds will be used.	1800

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration
The API returned an error message
No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE

Successful

Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE

[
    {
        "name": "thr*******update",
        "location": "https://1s1******dd1.**.us-west-1.amazonaws.com/thr******t01.txt",
        "format": "TXT",
        "status": "INACTIVE",
        "tags": {}
    }
]

Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE

{
    "Name": [
        "thr*******update"
    ]
  }

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

name	location	format	status	tags
thr*******update	https://1s1****dd1..us-west-1.amazonaws.com/thr******t01.txt	TXT	INACTIVE	{}

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Update ThreatIntelSet failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the AWS GuardDuty portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: The request is rejected because the parameter detectorId has an invalid value.

Error Sample Data

Update ThreatIntelSet failed.

Status Code: 400.

Message: The request is rejected because the parameter detectorId has an invalid value.

FAQ

1. What is Role ARN parameter used for?

The Role ARN parameter consists of temporary security credentials used to access AWS resources within your account or for cross-account access. Please refer to AssumeRole - AWS Security Token Service for more details.

2. When configuring Region Name, Role ARN, Role Session Name and Session Duration Time in both connector and command, do they take effect at the connection level or only when specified within individual commands?

When you configure everything in the command level, the value you defined will override the connector defined value.

The connector defined values are the default, without the defined value inside commands, the default value of the connector you choose will be automatically applied.

Please note that this temporary security credential will not affect your original account credentials. The original groups/roles/policies in your account will continue to be applied when you execute commands.

A recommended approach is to allocate no permissions to the account you have created, and instead to assign temporary security credentials within D3 SOAR.