AWS GuardDuty

LAST UPDATED: SEPTEMBER 18, 2025

Overview

Amazon GuardDuty is a continuous security monitoring service that analyzes and processes the following Data sources: VPC Flow Logs, AWS CloudTrail management event logs, CloudTrail S3 data event logs, and DNS logs. It uses threat intelligence feeds, such as lists of malicious IP addresses and domains, and machine learning to identify unexpected and potentially unauthorized and malicious activity within your AWS environment. This integration enables organizations to detect and manage threats and findings in your AWS environment.

D3 SOAR is providing REST operations to function with AWS GuardDuty.

AWS GuardDuty is available for use in:

D3 SOAR	V14.0.576+
Category	Threat Intelligence
Deployment Options	Option II, Option IV

Known Limitations

An error may be returned when the default limits have been exceeded. Request a quota increase as necessary.

Refer to Quotas for Amazon GuardDuty for detailed information.

Connection

To connect to AWS GuardDuty from D3 SOAR, follow this part to collect the required information below:

Parameter	Description	Example
Default Region Name	The AWS region name.	US West (N. California)
Access Key	The access key for authentication.	AKIAxxxxxxxxxxxx4CYL
Secret Key	The secret key for authentication.	Xdwchs**E8vjHyIx9x6iPuWdX**DXSdH
Default Role ARN	The Amazon Resource Name (ARN) of the role to assume can be obtained from IAM in the AWS console. Note that for assuming a role, ensure that the assumed role has the necessary permissions to execute related commands. Additionally, the assumed role must trust the account you're using for the connection. Please refer to Editing the trust relationship for an existing role - AWS Directory Service.	arn:aws:iam::*****:role/d3guarddutyrole
Default Role Session Name	The identifier for the assumed role session. Use the role session name to uniquely identify a session, especially when the same role is assumed by different principals or for different purposes. The role session name should consist of upper- and lower-case alphanumeric characters with no spaces. Additionally, you can include underscores or any of the following characters: =,.@-. If the Role Session Name parameter is not specified, but the Default Role ARN parameter is, the D3 system will automatically generate a role session name for you.	d3guarddutyrole_Session1
Default Session Duration Time	The duration of the role assumption session in seconds. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role, which is 1 hour by default. If this parameter is not specified, then the default value of 3600 seconds will be used.	1800

Permission Requirements

Each endpoint in the AWS GuardDuty API requires a certain permission scope. The following are required scopes for the commands in this integration:

Command	Policy
Command	Service	Access level (Actions)
Archive Findings	GuardDuty	ArchiveFindings
Create Detector	GuardDuty	CreateDetector
Create IPSet	GuardDuty	CreateIPSet
Create IPSet	IAM	PutRolePolicy
Create Sample Findings	GuardDuty	CreateSampleFindings
Create ThreatIntelSet	GuardDuty	CreateThreatIntelSet
Create ThreatIntelSet	IAM	PutRolePolicy
Delete Detector	GuardDuty	DeleteDetector
Delete IPSet	GuardDuty	DeleteIPSet
Delete IPSet	IAM	DeleteRolePolicy
Delete ThreatIntelSet	GuardDuty	DeleteThreatIntelSet
Delete ThreatIntelSet	IAM	DeleteRolePolicy
Fetch Event	GuardDuty	ListFindings
Fetch Event	GuardDuty	GetFindings
Fetch Incident	GuardDuty	ListFindings
Fetch Incident	GuardDuty	GetFindings
Get Detector Detail	GuardDuty	GetDetector
Get Findings	GuardDuty	GetFindings
Get IPSet	GuardDuty	GetIPSet
Get ThreatintelSet	GuardDuty	GetThreatIntelSet
List Detectors	GuardDuty	ListDetectors
List Findings	GuardDuty	ListFindings
List IPSets	GuardDuty	ListIPSets
List ThreatIntelSets	GuardDuty	ListThreatIntelSets
Unarchive Findings	GuardDuty	UnarchiveFindings
Update Detector	GuardDuty	UpdateDetector
Update Findings Feedback	GuardDuty	UpdateFindingsFeedback
Update IPSet	GuardDuty	UpdateIPSet
	IAM	PutRolePolicy
	IAM	DeleteRolePolicy
Update ThreatIntelSet	GuardDuty	UpdateThreatIntelSet
	IAM	PutRolePolicy
	IAM	DeleteRolePolicy
Test Connection	GuardDuty	ListDetectors

Configuring AWS GuardDuty to Work with D3 SOAR

If the login user is ready to use (no policy configure needed), follow the steps below to obtain the access key and secret key.

To configure an account with limited API access, follow Create Policy > Create User > Access Key and Secret Key to obtain keys.

Sign in to the AWS console.
Click the account icon at the top right corner, then click Security Credentials.
On my security credentials page, under the AWS IAM credentials tab, click the button Create access key to create a new Access Key and Secret Key.

READER NOTE

If necessary, contact an administrator to obtain permission to read or create access keys.

Copy the Access key ID and the Secret access key to use to connect with D3 SOAR.

READER NOTE

The secret access key is viewable or downloadable only at creation. Download the CSV immediately and store it securely. Lost secrets cannot be recovered; create a new access key and deactivate the old key. A maximum of two access keys, active or inactive, is allowed.

Creating Policy

Click on Services, which will expand the navigation menu. Then select IAM.
Select Access management > Policies. Then, click the Create Policy button.
In the Select a service section, click on Service to Choose a service. Refer to Permission Requirements for the selected service. Then click Next.
Search and assign using the search box in the Actions allowed section. For example, search for ListDetectors in the search box, and use the tick box underneath to select this action. Refer to Permission Requirements for the necessary Access level (Actions). It is possible to specify multiple permissions under the same policy. Then click Next.
Type a name in the text box under Policy name. Click Create policy.

Creating User

Locate the Users tab.
Type a user name into the User details field, then click Next.
Select your desired permissions under Permissions options. It is suggested to link directly to your created policy. Refer to Creating Policy for more detailed information.
Alternatively, create a role with the desired permissions. Refer to Adding a Role and Trusted Entities for creating user roles. Once the role is created, it is not required to assign the role directly to the user. Instead, assign the role through the D3 connection or D3 commands. Refer to AssumeRole - AWS Security Token Service for details.
Then click Next.
Review the details, and click Create user.
Find the created user. Copy the User ARN.

Adding a Role and Trusted Entities

Sign in to the AWS IAM console.
On the left side menu, click Roles and then click the Create role button at the top right.
Select AWS account under Trusted entity type. Choose the appropriate account under An AWS account, then click Next.
Use the search box to search for the policy name. Add the required permissions by selecting the policy, then click Next.
Enter the Role name, and click Create role.
Find the role. Navigate to Roles, and select the recently created role. Click Create rule.
Navigate to Roles and select the tab Trust relationships. Click Edit trust policy.

Return to Edit trust policy opened in another browser tab/window. Paste the following code into the trust policy. Then paste the copied user ARN (refer to step 5 of Creating User for getting user ARN) to the "AWS" field in the code. Click Update policy.

CODE

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::******:user/DOC_User",
        "Service": "guardduty.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

The Role ARN is ready to use.

Access Key and Secret Key

Find the created user and click on it to access the details.
Under the Security credentials tab, click on Create access key.
Create an access key and save the details. Click Done after saving these credentials.

READER NOTE

The secret access key is not retrievable after this point. Download the CSV immediately and store it securely. To obtain another key, create a new access key and deactivate the old key. A maximum of two access keys, active or inactive, is allowed.

Configuring D3 SOAR to Work with AWS GuardDuty

Log in to D3 SOAR.
Find the AWS GuardDuty integration.
1. Navigate to Configuration on the top header menu.
2. Click on the Integration icon on the left sidebar.
3. Type AWS GuardDuty in the search box to find the integration, then click it to select it.
4. Click + Connection, on the right side of the Connections section. A new connection window will appear.
Configure the following fields to create a connection to AWS GuardDuty.
1. Connection Name: The desired name for the connection.
2. Site: The site on which to use the integration connection. Use the drop-down menu to select the site. The Share to Internal Sites option enables all internal sites to use the connection. Selecting a specific site will only enable that site to use the connection.
3. Recipient site for events from connections Shared to Internal Sites: This field is displayed when Share to Internal Sites is selected for the Site field, allowing selection of the internal site for deploying the integration connection.
4. Agent Name (Optional): The proxy agent required to build the connection. Use the dropdown menu to select the proxy agent from a list of previously configured proxy agents.
5. Description (Optional): The description for the connection.
6. Tenant (Optional): When configuring the connection from a master tenant site, users can choose the specific tenant sites with which to share the connection. Once this setting is enabled, users can filter and select the desired tenant sites from the dropdowns to share the connection.
7. Configure User Permissions: Defines which users have access to the connection.
8. Active: The checkbox that enables the connection to be used when selected.
9. System: This section contains the parameters defined specifically for the integration. These parameters must be configured to create the integration connection.
  1. Choose the Default Region Name.
  2. Input the Access Key obtained from the AWS GuardDuty platform in step 3 of Access Key and Secret Key.
  3. Input the Secret Key obtained from the AWS GuardDuty platform in step 3 of Access Key and Secret Key.
  4. (Optional) Define the Default Role ARN obtained from the AWS GuardDuty platform in step 9 of Adding a Role and Trusted Entities.
  5. (Optional) Input the Default Role Session Name.
  6. (Optional) Input the Default Session Duration Time.
10. Enable Password Vault: An optional feature that allows users to take the stored credentials from their own password vault. Refer to the password vault connection guide if needed.
11. Connection Health Check: Periodically checks the connection status by scheduling the Test Connection command at the specified interval (in minutes). Available only for active connections, this feature also allows configuring email notifications for failed attempts.
Test the connection.
1. Click on the Test Connection button to verify credentials and connectivity. A success alert displays Passed with a green checkmark. If the connection fails, review the parameters and retry.
2. Click OK to close the alert window.
3. Click + Add to create and add the configured connection.

Commands

AWS GuardDuty includes the following executable commands for users to set up schedules or create playbook workflows. With the Test Command, users can execute these commands independently for playbook troubleshooting.

Integration API Note

For more information about the AWS GuardDuty API, refer to the AWS GuardDuty API reference.

READER NOTE

Certain permissions are required for each command. Refer to the Permission Requirements and Configuring AWS GuardDuty to Work with D3 SOAR for details.

Note for Time-related parameters

The input format of time-related parameters may vary based on user account settings, which may cause the sample data in commands to differ from what is displayed. To adjust the time format, follow these steps:

Navigate to Configuration > Application Settings. Select Date/Time Format.
Choose the desired date and time format, then click on the Save button.

The selected time format will now be visible when configuring Date/Time command input parameters.

Archive Findings

Archives the GuardDuty findings specified by the list of finding IDs.

READER NOTE

Detector ID and Finding IDs are required parameters to run this command.

Run the List Detectors command to obtain the Detector ID. Detector IDs can be found in the raw data returned at the path $.detectorIds.
Run the List Findings command to obtain the Finding IDs. Finding IDs can be found in the raw data returned at the path $.findingIds.

Input

Input Parameter	Required/Optional	Description	Example
Detector ID	Required	The ID of the detector specifying the GuardDuty service from which to archive findings. Detector ID can be obtained using the List Detectors command.	62b*****d6b
Finding IDs	Required	The IDs of the findings to be archived. Finding IDs can be obtained using the List Findings command.	JSON `[ "36b*****689" ]`
Region Name	Optional	The AWS region name.	US West (N. California)
Role Arn	Optional	The Amazon Resource Name (ARN) of the role to assume. If not specified, the value of the connection parameter Default Role ARN will be used. Please ensure that the assumed role has the necessary permissions to execute the relevant commands. Additionally, the assumed role must be trusted by the account used for connection. For more information, please refer to Editing the trust relationship for an existing role - AWS Directory Service.	arn:aws:iam::*****:role/d3guarddutyrole
Role Session Name	Optional	The identifier for the assumed role session. Use the role session name to uniquely identify a session, especially when the same role is assumed by different principals or for different purposes. The role session name should consist of upper- and lower-case alphanumeric characters with no spaces. Additionally, you can include underscores or any of the following characters: =,.@-. If this parameter is not specified but the Role ARN parameter is, the D3 system will automatically generate a role session name for you.	d3guarddutyrole_Session1
Session Duration Time	Optional	The duration of the role assumption session in seconds. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role, which is 1 hour by default. If this parameter is not specified but the Role ARN parameter is, then the default value of 3600 seconds will be used.	1800

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Archive Findings failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the AWS GuardDuty portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: The request is rejected because the parameter detectorId has an invalid value.

Error Sample Data

Archive Findings failed.

Status Code: 400.

Message: The request is rejected because the parameter detectorId has an invalid value..

Create Detector

Creates a single Amazon GuardDuty detector. A detector is a resource that represents the GuardDuty service. To start using GuardDuty, you must create a detector in each Region where you enable the service. You can have only one detector per account per Region. All data sources are enabled in a new detector by default.

Input

Input Parameter	Required/Optional	Description	Example
Enable	Required	The boolean value that specifies whether the detector is to be enabled.	True
Region Name	Optional	The AWS region name.	US West (N. California)
Role Arn	Optional	The Amazon Resource Name (ARN) of the role to assume. If not specified, the value of the connection parameter Default Role ARN will be used. Please ensure that the assumed role has the necessary permissions to execute the relevant commands. Additionally, the assumed role must be trusted by the account used for connection. For more information, please refer to Editing the trust relationship for an existing role - AWS Directory Service.	arn:aws:iam::*****:role/d3guarddutyrole
Role Session Name	Optional	The identifier for the assumed role session. Use the role session name to uniquely identify a session, especially when the same role is assumed by different principals or for different purposes. The role session name should consist of upper- and lower-case alphanumeric characters with no spaces. Additionally, you can include underscores or any of the following characters: =,.@-. If this parameter is not specified but the Role ARN parameter is, the D3 system will automatically generate a role session name for you.	d3guarddutyrole_Session1
Session Duration Time	Optional	The duration of the role assumption session in seconds. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role, which is 1 hour by default. If this parameter is not specified but the Role ARN parameter is, then the default value of 3600 seconds will be used.	1800

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Create Detector failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the AWS GuardDuty portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: The request is rejected because a detector already exists for the current account.

Error Sample Data

Create Detector failed.

Status Code: 400.

Message: The request is rejected because a detector already exists for the current account.

Create IPSet

Creates a new IPSet, which is called a trusted IP list in the console user interface. An IPSet is a list of IP addresses that are trusted for secure communication with AWS infrastructure and applications. GuardDuty doesn't generate findings for IP addresses that are included in IPSets. Only users from the administrator account can use this operation.

READER NOTE

Detector ID is a required parameter to run this command.

Run the List Detectors command to obtain detector IDs. The detector IDs can be found in the returned raw data at the path $.detectorIds[*].

Input

Input Parameter	Required/Optional	Description	Example
Detector ID	Required	The ID of the detector is specified to create a new IPSet within the GuardDuty service. Detector ID can be obtained using the List Detectors command.	62b*****d6b
Activate	Required	The boolean value indicates whether GuardDuty should begin using the uploaded IPSet.	True
Format	Required	The format of the file that contains the IPSet.	Plain Text
IPSet File Location	Required	The URI of the file contains the IPSet, which can be stored in an AWS S3 bucket. The format should resemble "https://{bucket-name}.s3.{region-name}.amazonaws.com/{filename.txt}" or "https://s3.{region-name}.amazonaws.com/{bucket-name}/{filename.txt}".	https://.us-west-1.amazonaws.com//****.txt
Name	Optional	The user-friendly name to identify the IPSet.	"ip******0a"
Region Name	Optional	The AWS region name.	US West (N. California)
Role Arn	Optional	The Amazon Resource Name (ARN) of the role to assume. If not specified, the value of the connection parameter Default Role ARN will be used. Please ensure that the assumed role has the necessary permissions to execute the relevant commands. Additionally, the assumed role must be trusted by the account used for connection. For more information, please refer to Editing the trust relationship for an existing role - AWS Directory Service.	arn:aws:iam::*****:role/d3guarddutyrole
Role Session Name	Optional	The identifier for the assumed role session. Use the role session name to uniquely identify a session, especially when the same role is assumed by different principals or for different purposes. The role session name should consist of upper- and lower-case alphanumeric characters with no spaces. Additionally, you can include underscores or any of the following characters: =,.@-. If this parameter is not specified but the Role ARN parameter is, the D3 system will automatically generate a role session name for you.	d3guarddutyrole_Session1
Session Duration Time	Optional	The duration of the role assumption session in seconds. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role, which is 1 hour by default. If this parameter is not specified but the Role ARN parameter is, then the default value of 3600 seconds will be used.	1800

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Create IPSet failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the AWS GuardDuty portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: The request is rejected because the parameter detectorId has an invalid value.

Error Sample Data

Create IPSet failed.

Status Code: 400.

Message: The request is rejected because the parameter detectorId has an invalid value

Create Sample Findings

Generates example findings of types specified by the list of finding types. If a Finding Type is not specified, then example findings of all supported finding types will be generated.

READER NOTE

Detector ID is a required parameter to run this command.

Run the List Detectors command to obtain the Detector ID. Detector IDs can be found in the returned raw data at the path $.detectorIds[*].

Input

Input Parameter	Required/Optional	Description	Example
Detector ID	Required	The ID of the detector that specifies the GuardDuty service in which sample findings will be created. Detector ID can be obtained using the List Detectors command.	62b*****d6b
Finding Types	Optional	The types of sample findings to generate. If not specified, then the system will create one sample finding for each supported finding type. Please refer to Finding types - Amazon GuardDuty for supported finding types.	JSON `[ "Backdoor:EC2/Spambot" ]`
Region Name	Optional	The AWS region name.	US West (N. California)
Role Arn	Optional	The Amazon Resource Name (ARN) of the role to assume. If not specified, the value of the connection parameter Default Role ARN will be used. Please ensure that the assumed role has the necessary permissions to execute the relevant commands. Additionally, the assumed role must be trusted by the account used for connection. For more information, please refer to Editing the trust relationship for an existing role - AWS Directory Service.	arn:aws:iam::*****:role/d3guarddutyrole
Role Session Name	Optional	The identifier for the assumed role session. Use the role session name to uniquely identify a session, especially when the same role is assumed by different principals or for different purposes. The role session name should consist of upper- and lower-case alphanumeric characters with no spaces. Additionally, you can include underscores or any of the following characters: =,.@-. If this parameter is not specified but the Role ARN parameter is, the D3 system will automatically generate a role session name for you.	d3guarddutyrole_Session1
Session Duration Time	Optional	The duration of the role assumption session in seconds. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role, which is 1 hour by default. If this parameter is not specified but the Role ARN parameter is, then the default value of 3600 seconds will be used.	1800

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Create Sample Findings failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the AWS GuardDuty portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: The request is rejected because the parameter detectorId has an invalid value.

Error Sample Data

Create Sample Findings failed.

Status Code: 400.

Message: The request is rejected because the parameter detectorId has an invalid value.

Create ThreatIntelSet

Creates a new ThreatIntelSet. ThreatIntelSets consist of known malicious IP addresses. GuardDuty generates findings based on ThreatIntelSets. This operation is only available to users of the administrator account.

READER NOTE

Detector ID is a required parameter to run this command.

Run the List Detectors command to obtain Detector IDs. Detector ID can be found in the returned raw data at the path $.detectorIds.

Input

Input Parameter	Required/Optional	Description	Example
Detector ID	Required	The ID of the detector specifying the GuardDuty service where the new ThreatIntelSet will be created. Detector ID can be obtained using the List Detectors command.	62b*****d6b
Activate	Required	The boolean value indicating whether GuardDuty should start using the uploaded ThreatIntelSet.	True
Format	Required	The format of the file that contains the ThreatIntelSet.	Plain Text
ThreatIntelSet File Location	Required	The URI of the file containing the ThreatIntelSet. This file can be saved in an AWS S3 bucket. The format should be like "https://{bucket-name}.s3.{region-name}.amazonaws.com/{filename.txt}" or "https://s3.{region-name}.amazonaws.com/{bucket-name}/{filename.txt}".	https://***..us-west-1.amazonaws.com/thr******t01.txt
Name	Required	The user-friendly name of the ThreatIntelSet is displayed in all findings generated by activity involving IP addresses included in this ThreatIntelSet.	threatIntelSet0210A
Region Name	Optional	The AWS region name.	US West (N. California)
Role Arn	Optional	The Amazon Resource Name (ARN) of the role to assume. If not specified, the value of the connection parameter Default Role ARN will be used. Please ensure that the assumed role has the necessary permissions to execute the relevant commands. Additionally, the assumed role must be trusted by the account used for connection. For more information, please refer to Editing the trust relationship for an existing role - AWS Directory Service.	arn:aws:iam::*****:role/d3guarddutyrole
Role Session Name	Optional	The identifier for the assumed role session. Use the role session name to uniquely identify a session, especially when the same role is assumed by different principals or for different purposes. The role session name should consist of upper- and lower-case alphanumeric characters with no spaces. Additionally, you can include underscores or any of the following characters: =,.@-. If this parameter is not specified but the Role ARN parameter is, the D3 system will automatically generate a role session name for you.	d3guarddutyrole_Session1
Session Duration Time	Optional	The duration of the role assumption session in seconds. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role, which is 1 hour by default. If this parameter is not specified but the Role ARN parameter is, then the default value of 3600 seconds will be used.	1800

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Create ThreatIntelSet failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the AWS GuardDuty portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: The request is rejected because the parameter detectorId has an invalid value.

Error Sample Data

Create ThreatIntelSet failed.

Status Code: 400.

Message: The request is rejected because the parameter detectorId has an invalid value.

Delete Detector

Deletes the specified Amazon GuardDuty detectors.

READER NOTE

The parameter Detector IDs is required to run this command.

Run the List Detectors command to obtain Detector IDs. Detector IDs can be found in the returned raw data at the path $.detectorIds.

Input

Input Parameter	Required/Optional	Description	Example
Detector IDs	Required	The unique IDs of the detectors to be deleted. Detector ID can be obtained using the List Detectors command.	JSON `[ "1ab*****f4f" ]`
Region Name	Optional	The AWS region name.	US West (N. California)
Role Arn	Optional	The Amazon Resource Name (ARN) of the role to assume. If not specified, the value of the connection parameter Default Role ARN will be used. Please ensure that the assumed role has the necessary permissions to execute the relevant commands. Additionally, the assumed role must be trusted by the account used for connection. For more information, please refer to Editing the trust relationship for an existing role - AWS Directory Service.	arn:aws:iam::*****:role/d3guarddutyrole
Role Session Name	Optional	The identifier for the assumed role session. Use the role session name to uniquely identify a session, especially when the same role is assumed by different principals or for different purposes. The role session name should consist of upper- and lower-case alphanumeric characters with no spaces. Additionally, you can include underscores or any of the following characters: =,.@-. If this parameter is not specified but the Role ARN parameter is, the D3 system will automatically generate a role session name for you.	d3guarddutyrole_Session1
Session Duration Time	Optional	The duration of the role assumption session in seconds. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role, which is 1 hour by default. If this parameter is not specified but the Role ARN parameter is, then the default value of 3600 seconds will be used.	1800

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Delete Detector failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the AWS GuardDuty portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: The request is rejected because the parameter detectorId has an invalid value.

Error Sample Data

Delete Detector failed.

Status Code: 400.

Message: The request is rejected because the parameter detectorId has an invalid value.

Delete IPSet

Deletes the IPSets specified by the IDs.

READER NOTE

Detector ID and IPSet IDs are required parameters to run this command.

Run the List Detectors command to obtain the Detector ID. Detector IDs can be found in the returned raw data at the path $.detectorIds.
Run the List IPSets command to obtain IPSet IDs. IPSet IDs can be found in the returned raw data at the path $.ipSetIds.

Input

Input Parameter	Required/Optional	Description	Example
Detector ID	Required	The ID of the detector specifying the GuardDuty service from which to delete an IPSet. Detector ID can be obtained using the List Detectors command.	62b*****d6b
IPSet IDs	Required	The unique IDs of the IPSets to delete. IPSet IDs can be obtained using the List IPSets command.	JSON `[ "850*****c04" ]`
Region Name	Optional	The AWS region name.	US West (N. California)
Role Arn	Optional	The Amazon Resource Name (ARN) of the role to assume. If not specified, the value of the connection parameter Default Role ARN will be used. Please ensure that the assumed role has the necessary permissions to execute the relevant commands. Additionally, the assumed role must be trusted by the account used for connection. For more information, please refer to Editing the trust relationship for an existing role - AWS Directory Service.	arn:aws:iam::*****:role/d3guarddutyrole
Role Session Name	Optional	The identifier for the assumed role session. Use the role session name to uniquely identify a session, especially when the same role is assumed by different principals or for different purposes. The role session name should consist of upper- and lower-case alphanumeric characters with no spaces. Additionally, you can include underscores or any of the following characters: =,.@-. If this parameter is not specified but the Role ARN parameter is, the D3 system will automatically generate a role session name for you.	d3guarddutyrole_Session1
Session Duration Time	Optional	The duration of the role assumption session in seconds. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role, which is 1 hour by default. If this parameter is not specified but the Role ARN parameter is, then the default value of 3600 seconds will be used.	1800

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Delete IPSet failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the AWS GuardDuty portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: The request is rejected because the parameter detectorId has an invalid value.

Error Sample Data

Delete IPSet failed.

Status Code: 400.

Message: The request is rejected because the parameter detectorId has an invalid value.

Delete ThreatIntelSet

Deletes the ThreatIntelSet specified by the ThreatIntelSet IDs.

READER NOTE

Detector ID and Threat Intel Set IDs are required parameters to run this command.

Run the List Detectors command to obtain the Detector ID. Detector IDs can be found in the returned raw data at the path $.detectorIds..
Run the List ThreatIntelSets command to obtain Threat Intel Sets IDs. Threat Intel Sets IDs can be found in the returned raw data at the path $.threatIntelSetIds.

Input

Input Parameter	Required/Optional	Description	Example
Detector ID	Required	The unique ID of the detector that the ThreatIntelSet is associated with. Detector ID can be obtained using the List Detectors command.	62b*****d6b
ThreatIntelSet IDs	Required	The unique IDs of the ThreatIntelSets to be deleted. ThreatIntelSet IDs can be obtained using the List ThreatIntelSets command.	JSON `[ "5eb*****f09" ]`
Region Name	Optional	The AWS region name.	US West (N. California)
Role Arn	Optional	The Amazon Resource Name (ARN) of the role to assume. If not specified, the value of the connection parameter Default Role ARN will be used. Please ensure that the assumed role has the necessary permissions to execute the relevant commands. Additionally, the assumed role must be trusted by the account used for connection. For more information, please refer to Editing the trust relationship for an existing role - AWS Directory Service.	arn:aws:iam::*****:role/d3guarddutyrole
Role Session Name	Optional	The identifier for the assumed role session. Use the role session name to uniquely identify a session, especially when the same role is assumed by different principals or for different purposes. The role session name should consist of upper- and lower-case alphanumeric characters with no spaces. Additionally, you can include underscores or any of the following characters: =,.@-. If this parameter is not specified but the Role ARN parameter is, the D3 system will automatically generate a role session name for you.	d3guarddutyrole_Session1
Session Duration Time	Optional	The duration of the role assumption session in seconds. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role, which is 1 hour by default. If this parameter is not specified but the Role ARN parameter is, then the default value of 3600 seconds will be used.	1800

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Delete ThreatIntelSet failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the AWS GuardDuty portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: The request is rejected because the parameter detectorId has an invalid value.

Error Sample Data

Delete ThreatIntelSet failed.

Status Code: 400.

Message: The request is rejected because the parameter detectorId has an invalid value.

Fetch Event

Returns detailed information of Amazon GuardDuty findings is returned for the specified detector ID. Return results can be narrowed down using search conditions.

READER NOTE

Detector ID is a required parameter to run this command.

Run the List Detectors command to obtain Detector ID. Detector IDs can be found in the returned raw data at the path $.detectorIds.

Input

Input Parameter	Required/Optional	Description	Example
Start Time	Required	The start time for the time range to fetch detectors in UTC time.	2022-01-01 00:00
End Time	Required	The end time for the time range to fetch detectors in UTC time.	2022-02-01 00:00
Number of Event(s) Fetched	Optional	The maximum number of findings to return. The valid value is an integer between 1 and 50.	10
Detector ID	Required	The ID of the detector to be fetched. Detector ID can be obtained using the List Detectors command.	62b*****d6b
Search Condition	Optional	The criteria used for querying findings. Please refer to Request Syntax for query syntax. It's recommended to use D3 sample data as a base for building the query string. Obtain properties for query from the data structure of Findings. Avoid using the updatedAt property in the search condition because its value is handled by the Start Time and End Time parameter. Note: the search condition is case-sensitive.	"resource.instanceDetails.networkInterfaces.publicIp": { "eq": ["*...*"] }
Region Name	Optional	The AWS region name.	US West (N. California)
Role Arn	Optional	The Amazon Resource Name (ARN) of the role to assume. If not specified, the value of the connection parameter Default Role ARN will be used. Please ensure that the assumed role has the necessary permissions to execute the relevant commands. Additionally, the assumed role must be trusted by the account used for connection. For more information, please refer to Editing the trust relationship for an existing role - AWS Directory Service.	arn:aws:iam::*****:role/d3guarddutyrole
Role Session Name	Optional	The identifier for the assumed role session. Use the role session name to uniquely identify a session, especially when the same role is assumed by different principals or for different purposes. The role session name should consist of upper- and lower-case alphanumeric characters with no spaces. Additionally, you can include underscores or any of the following characters: =,.@-. If this parameter is not specified but the Role ARN parameter is, the D3 system will automatically generate a role session name for you.	d3guarddutyrole_Session1
Session Duration Time	Optional	The duration of the role assumption session in seconds. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role, which is 1 hour by default. If this parameter is not specified but the Role ARN parameter is, then the default value of 3600 seconds will be used.	1800

Output

To view the sample output data for all commands, refer to this article.

Fetch Event Field Mapping

See Field Mappings.

The AWS GuardDuty system integration includes pre-configured field mappings for the default event source.

The Default Event Source is the default system-provided set of field mappings applied when the fetch event command is executed. It includes a Main Event JSON Path, which is the JSONPath expression that points to the base array of event objects. The source field path continues from this array to locate the required data.

The Main Event JSON Path can be viewed by clicking on the Edit Main JSON Path button.

Main Event JSON Path: $.findings
The findings array contains the event objects. Within each object, the key ['accountId', 'AccountId'] denotes the Account ID field. As such, the full JSONPath expression to extract the Account ID is $.findings.['accountId', 'AccountId'].

The pre-configured field mappings are detailed below:

Field Name	Source Field
Document ID	['id','Id']
Start Time	['createdAt', 'CreatedAt']
Event Type	['type', 'Type']
Severity	['severity', 'Severity']
Description	['description', 'Description']
Title	['title', 'Title']
Username	['resource', 'Resource']['accessKeyDetails', 'AccessKeyDetails']['userName', 'UserName']
User Type	['resource', 'Resource']['accessKeyDetails', 'AccessKeyDetails']['userType', 'UserType']
Action Type	['service','Service']['action', 'Action']['actionType', 'ActionType']
Resource Role	['service', 'Service']['resourceRole', 'ResourceRole']
Aggregated / Correlated Event count	['service', 'Service']['count', 'Count']
Event First Seen	['service', 'Service']['eventFirstSeen', 'EventFirstSeen']
Event Last Seen	['service', 'Service']['eventLastSeen', 'EventLastSeen']
Remote IP Address	['service', 'Service']['action', 'Action']..['remoteIpDetails', 'RemoteIpDetails']['ipAddressV4', 'IpAddressV4']
Resource Type	['resource', 'Resource']['resourceType', 'ResourceType']
S3 Bucket Name	['resource','Resource']['s3BucketDetails','S3BucketDetails'][*]['name','Name']
Instance ID	['resource', 'Resource']['instanceDetails', 'InstanceDetails']['instanceId', 'InstanceId']
Updated At	['updatedAt', 'UpdatedAt']
Account ID	['accountId', 'AccountId']
Access Key ID	['resource', 'Resource']['accessKeyDetails', 'AccessKeyDetails']['accessKeyId', 'AccessKeyId']

READER NOTE

The Unique Event Key field mapping is used to prevent duplicate event ingestions. D3 SOAR will check if the value of a selected JSON path matches any Unique Event Key of previously ingested events. If a match is found, the event will be dismissed. If no match is found, an event will be created. However, if no Unique Event Key is mapped, then the hash value from the event pending ingestion will be used to check for any matches with existing events. If no match is found, the event will be created.

Unlike most other D3 SOAR integrations, the AWS GuardDuty integration’s Fetch Event command’s Default Event Source mapping does not include Unique Event Key in order to fetch the same fetched detectors with multiple updates.

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Fetch Event failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the AWS GuardDuty portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: The request is rejected because the parameter detectorId has an invalid value.

Error Sample Data

Fetch Event failed.

Status Code: 400.

Message: The request is rejected because the parameter detectorId has an invalid value.

Fetch Incident

Returns detailed information of Amazon GuardDuty findings as incidents for the specified detector ID. Findings can be narrowed down using search conditions.

READER NOTE

Detector ID is a required parameter to run this command.

Run the List Detectors command to obtain the Detector ID. Detector IDs can be found in the returned raw data at the path $.detectorIds.

Input

Input Parameter	Required/Optional	Description	Example
Start Time	Required	The start time for the time range to fetch detectors as incidents in UTC time.	2023-06-09 00:00
End Time	Required	The end time for the time range to fetch detectors as incidents in UTC time.	2023-06-10 00:00
Number of Incident(s) Fetched	Optional	The maximum number of incidents to return. The valid value is an integer between 1 and 50. If not specified, all incidents matching search condition will be returned.	10
Detector ID	Required	The ID of the detector to fetch as incidents. Detector ID can be obtained using the List Detectors command.	08c*****0ef
Search Condition	Optional	The criteria used for querying findings. Please refer to ListFindings - Amazon GuardDuty for query syntax. It's recommended to use D3 sample data as a base for building the query string. Obtain properties for query from the data structure of Findings. Avoid using the updatedAt property in the search condition because its value is handled by the Start Time and End Time parameter. Note: the search condition is case-sensitive.	JSON `{ "severity": { "greaterThanOrEqual": 2 }, "resource.s3BucketDetails.name": { "eq": [ "mr*******mr" ] } }`
Region Name	Optional	The AWS region name.	US West (N. California)
Role Arn	Optional	The Amazon Resource Name (ARN) of the role to assume. If not specified, the value of the connection parameter Default Role ARN will be used. Please ensure that the assumed role has the necessary permissions to execute the relevant commands. Additionally, the assumed role must be trusted by the account used for connection. For more information, please refer to Editing the trust relationship for an existing role - AWS Directory Service.	arn:aws:iam::*****:role/d3guarddutyrole
Role Session Name	Optional	The identifier for the assumed role session. Use the role session name to uniquely identify a session, especially when the same role is assumed by different principals or for different purposes. The role session name should consist of upper- and lower-case alphanumeric characters with no spaces. Additionally, you can include underscores or any of the following characters: =,.@-. If this parameter is not specified but the Role ARN parameter is, the D3 system will automatically generate a role session name for you.	d3guarddutyrole_Session1
Session Duration Time	Optional	The duration of the role assumption session in seconds. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role, which is 1 hour by default. If this parameter is not specified but the Role ARN parameter is, then the default value of 3600 seconds will be used.	1800
Update Field Mappings	Optional	The field mappings define the mapping between incident system fields or dynamic fields. Additionally, you can set the default value for the system field "owner". The D3 defined keys are "D3SystemFields" and "D3DefaultFields". The dynamic field structure will be "sectionName": {"fieldName": "JSON Path to the value"}. Please refer to the sample data for detailed fields and values.	JSON `{ "D3SystemFields": { "owner": "$.pathToAUsername", "Severity": "$.severityName", "Conclusion": "$.description" }, "D3DefaultFields": { "owner": "defaultOwner_A_Username_In_D3" }, "Dynamic Field Section Name": { "Field1": "$.path1", "Field2": "$.path2" } }`

Output

To view the sample output data for all commands, refer to this article.

Incident Field Mapping

For this integration, the default incident fields in D3 SOAR are fixed with no built-in source fields. Users can specify the source fields as needed.

Event and Incident Intake Field Mapping

See Field Mappings.

Incident field mapping is required.

Incident Main JSON Path: $.findings

Field Name	Source Field
Title	User to define
Description	User to define
Severity	User to define, default is “Low”
Incident Type *	User to define, default is the first Incident form in D3 SOAR system
Incident Creator	User to define
Incident Owner	User to define
Incident Playbook	User to define
Due In Date	User to define
Unique Key	User to define
Tactics	User to define
Techniques	User to define

Event Field Mapping

Main Event JSON Path: $

The event field mappings here are the same as that of Fetch Event.

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Fetch Incident failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the AWS GuardDuty portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: Errors in Fetch Incident function. Please check D3Error object in RawData for more details.

Error Sample Data

Fetch Incident failed.

Status Code: 400.

Message: Errors in Fetch Incident function. Please check D3Error object in RawData for more details.

Get Detector Detail

Retrieves the specified Amazon GuardDuty detectors.

READER NOTE

The parameter Detector IDs is required to run this command.

Run the List Detectors command to obtain Detector IDs. Detector IDs can be found in the returned raw data at the path $.detectorIds.

Input

Input Parameter	Required/Optional	Description	Example
Detector IDs	Required	The unique IDs of the detectors specified for retrieval. Detector IDs can be obtained using the List Detectors command.	JSON `[ "62b*****d6b" ]`
Region Name	Optional	The AWS region name.	US West (N. California)
Role Arn	Optional	The Amazon Resource Name (ARN) of the role to assume. If not specified, the value of the connection parameter Default Role ARN will be used. Please ensure that the assumed role has the necessary permissions to execute the relevant commands. Additionally, the assumed role must be trusted by the account used for connection. For more information, please refer to Editing the trust relationship for an existing role - AWS Directory Service.	arn:aws:iam::*****:role/d3guarddutyrole
Role Session Name	Optional	The identifier for the assumed role session. Use the role session name to uniquely identify a session, especially when the same role is assumed by different principals or for different purposes. The role session name should consist of upper- and lower-case alphanumeric characters with no spaces. Additionally, you can include underscores or any of the following characters: =,.@-. If this parameter is not specified but the Role ARN parameter is, the D3 system will automatically generate a role session name for you.	d3guarddutyrole_Session1
Session Duration Time	Optional	The duration of the role assumption session in seconds. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role, which is 1 hour by default. If this parameter is not specified but the Role ARN parameter is, then the default value of 3600 seconds will be used.	1800

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Get Detector Detail failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the AWS GuardDuty portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: The request is rejected because the parameter detectorId has an invalid value.

Error Sample Data

Get Detector Detail failed.

Status Code: 400.

Message: The request is rejected because the parameter detectorId has an invalid value.

Get Findings

Describes Amazon GuardDuty findings specified by finding IDs.

READER NOTE

Detector ID and Finding IDs are required parameters to run this command.

Run the List Detectors command to obtain the Detector ID. Detector IDs can be found in the returned raw data at the path $.detectorIds.
Run the List Findings command to obtain Finding IDs. Finding IDs can be found in the returned raw data at the path $.findingIds.

Input

Input Parameter	Required/Optional	Description	Example
Detector ID	Required	The ID of the detector specifies the GuardDuty service for retrieving findings. Detector ID can be obtained using the List Detectors command.	62b*****d6b
Finding IDs	Required	The IDs of the findings specified for retrieval. Finding ID can be obtained using the List Findings command.	JSON `[ "36b*****689" ]`
Region Name	Optional	The AWS region name.	US West (N. California)
Role Arn	Optional	The Amazon Resource Name (ARN) of the role to assume. If not specified, the value of the connection parameter Default Role ARN will be used. Please ensure that the assumed role has the necessary permissions to execute the relevant commands. Additionally, the assumed role must be trusted by the account used for connection. For more information, please refer to Editing the trust relationship for an existing role - AWS Directory Service.	arn:aws:iam::*****:role/d3guarddutyrole
Role Session Name	Optional	The identifier for the assumed role session. Use the role session name to uniquely identify a session, especially when the same role is assumed by different principals or for different purposes. The role session name should consist of upper- and lower-case alphanumeric characters with no spaces. Additionally, you can include underscores or any of the following characters: =,.@-. If this parameter is not specified but the Role ARN parameter is, the D3 system will automatically generate a role session name for you.	d3guarddutyrole_Session1
Session Duration Time	Optional	The duration of the role assumption session in seconds. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role, which is 1 hour by default. If this parameter is not specified but the Role ARN parameter is, then the default value of 3600 seconds will be used.	1800

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Get Findings failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the AWS GuardDuty portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: The request is rejected because the parameter detectorId has an invalid value.

Error Sample Data

Get Findings failed.

Status Code: 400.

Message: The request is rejected because the parameter detectorId has an invalid value.

Get IPSet

Retrieves the IPSets specified by the IPSet IDs.

READER NOTE

Detector ID and IPSet IDs are required parameters to run this command.

Run the List Detectors command to obtain the Detector ID. Detector IDs can be found in the returned raw data at the path $.detectorIds.
Run the List IPSets command to obtain the IPSet ID. IPSet IDs can be found in the returned raw data at the path $.ipSetIds.

Input

Input Parameter	Required/Optional	Description	Example
Detector ID	Required	The ID of the detector specifies the GuardDuty service for retrieving IPSets. Detector ID can be obtained using the List Detectors command.	62b*****d6b
IPSet ID	Required	The unique IDs of the IPSets to retrieve. IPSet ID can be obtained using the List IPSets command.	JSON `[ "ed5*****6b3" ]`
Region Name	Optional	The AWS region name.	US West (N. California)
Role Arn	Optional	The Amazon Resource Name (ARN) of the role to assume. If not specified, the value of the connection parameter Default Role ARN will be used. Please ensure that the assumed role has the necessary permissions to execute the relevant commands. Additionally, the assumed role must be trusted by the account used for connection. For more information, please refer to Editing the trust relationship for an existing role - AWS Directory Service.	arn:aws:iam::*****:role/d3guarddutyrole
Role Session Name	Optional	The identifier for the assumed role session. Use the role session name to uniquely identify a session, especially when the same role is assumed by different principals or for different purposes. The role session name should consist of upper- and lower-case alphanumeric characters with no spaces. Additionally, you can include underscores or any of the following characters: =,.@-. If this parameter is not specified but the Role ARN parameter is, the D3 system will automatically generate a role session name for you.	d3guarddutyrole_Session1
Session Duration Time	Optional	The duration of the role assumption session in seconds. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role, which is 1 hour by default. If this parameter is not specified but the Role ARN parameter is, then the default value of 3600 seconds will be used.	1800

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Get IPSet failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the AWS GuardDuty portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: The request is rejected because the input detectorId is not owned by the current account.

Error Sample Data

Get IPSet failed.

Status Code: 400.

Message: The request is rejected because the input detectorId is not owned by the current account.

Get ThreatintelSet

Retrieves the specified ThreatIntelSets.

READER NOTE

Detector ID and Threat Intel Set IDs are required parameters to run this command.

Run the List Detectors command to obtain the Detector ID. Detector IDs can be found in the returned raw data at the path $.detectorIds.
Run the List ThreatIntelSets command to obtain Threat Intel Sets IDs. Threat Intel Sets IDs can be found in the returned raw data at the path $.threatIntelSetIds.

Input

Input Parameter	Required/Optional	Description	Example
Detector ID	Required	The ID of the detector specifies the GuardDuty service for retrieving the ThreatIntelSet. Detector ID can be obtained using the List Detectors command.	62b*****d6b
ThreatIntelSet IDs	Required	The unique ID of the ThreatIntelSet to retrieve. ThreatIntelSet IDs can be obtained using the List ThreatIntelSets command.	JSON `[ "9bd*****fec" ]`
Region Name	Optional	The AWS region name.	US West (N. California)
Role Arn	Optional	The Amazon Resource Name (ARN) of the role to assume. If not specified, the value of the connection parameter Default Role ARN will be used. Please ensure that the assumed role has the necessary permissions to execute the relevant commands. Additionally, the assumed role must be trusted by the account used for connection. For more information, please refer to Editing the trust relationship for an existing role - AWS Directory Service.	arn:aws:iam::*****:role/d3guarddutyrole
Role Session Name	Optional	The identifier for the assumed role session. Use the role session name to uniquely identify a session, especially when the same role is assumed by different principals or for different purposes. The role session name should consist of upper- and lower-case alphanumeric characters with no spaces. Additionally, you can include underscores or any of the following characters: =,.@-. If this parameter is not specified but the Role ARN parameter is, the D3 system will automatically generate a role session name for you.	d3guarddutyrole_Session1
Session Duration Time	Optional	The duration of the role assumption session in seconds. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role, which is 1 hour by default. If this parameter is not specified but the Role ARN parameter is, then the default value of 3600 seconds will be used.	1800

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Get ThreatintelSet failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the AWS GuardDuty portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: The request is rejected because the parameter detectorId has an invalid value.

Error Sample Data

Get ThreatintelSet failed.

Status Code: 400.

Message: The request is rejected because the parameter detectorId has an invalid value.

List Detectors

Lists detectors of all the existing Amazon GuardDuty detector resources.

Input

Input Parameter	Required/Optional	Description	Example
Region Name	Optional	The AWS region name.	US West (N. California)
Role Arn	Optional	The Amazon Resource Name (ARN) of the role to assume. If not specified, the value of the connection parameter Default Role ARN will be used. Please ensure that the assumed role has the necessary permissions to execute the relevant commands. Additionally, the assumed role must be trusted by the account used for connection. For more information, please refer to Editing the trust relationship for an existing role - AWS Directory Service.	arn:aws:iam::*****:role/d3guarddutyrole
Role Session Name	Optional	The identifier for the assumed role session. Use the role session name to uniquely identify a session, especially when the same role is assumed by different principals or for different purposes. The role session name should consist of upper- and lower-case alphanumeric characters with no spaces. Additionally, you can include underscores or any of the following characters: =,.@-. If this parameter is not specified but the Role ARN parameter is, the D3 system will automatically generate a role session name for you.	d3guarddutyrole_Session1
Session Duration Time	Optional	The duration of the role assumption session in seconds. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role, which is 1 hour by default. If this parameter is not specified but the Role ARN parameter is, then the default value of 3600 seconds will be used.	1800

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	List Detectors failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the AWS GuardDuty portal. Refer to the HTTP Status Code Registry for details.	Status Code: 401.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: User: arn:aws:iam::**********:user/ is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::**********:role/d3guarddutyrole.

Error Sample Data

List Detectors failed.

Status Code: 401.

Message: User: arn:aws:iam::************:user/**** is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::************:role/d3guarddutyrole.

List Findings

Retrieves Amazon GuardDuty findings according to search criteria for the specified detector ID.

READER NOTE

Detector ID is a required parameter to run this command.

Run the List Detectors command to obtain detector ID. Detector IDs can be found in the returned raw data at the path $.detectorIds[*].

Input

Input Parameter	Required/Optional	Description	Example
Detector ID	Required	The ID of the detector that specifies the GuardDuty service for retrieving findings. Detector ID can be obtained using the List Detectors command.	62b*****d6b
Limit	Optional	The maximum number of findings requested in the response. The default value is 50, with a maximum value of 50.	10
Search Condition	Optional	The criteria used for querying findings. Please refer to ListFindings - Amazon GuardDuty for query syntax. It is recommended to use D3 sample data as a base to build the query string. The properties for query can be obtained from the data structure of Findings. Do not use the updatedAt property in the search condition because the value of the updatedAt property is handled by the Start Time and End Time parameters. Note: the search condition is case sensitive.	"resource.instanceDetails.networkInterfaces.publicIp": { "eq": ["*...*"] }
Region Name	Optional	The AWS region name.	US West (N. California)
Role Arn	Optional	The Amazon Resource Name (ARN) of the role to assume. If not specified, the value of the connection parameter Default Role ARN will be used. Please ensure that the assumed role has the necessary permissions to execute the relevant commands. Additionally, the assumed role must be trusted by the account used for connection. For more information, please refer to Editing the trust relationship for an existing role - AWS Directory Service.	arn:aws:iam::*****:role/d3guarddutyrole
Role Session Name	Optional	The identifier for the assumed role session. Use the role session name to uniquely identify a session, especially when the same role is assumed by different principals or for different purposes. The role session name should consist of upper- and lower-case alphanumeric characters with no spaces. Additionally, you can include underscores or any of the following characters: =,.@-. If this parameter is not specified but the Role ARN parameter is, the D3 system will automatically generate a role session name for you.	d3guarddutyrole_Session1
Session Duration Time	Optional	The duration of the role assumption session in seconds. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role, which is 1 hour by default. If this parameter is not specified but the Role ARN parameter is, then the default value of 3600 seconds will be used.	1800

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	List Findings failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the AWS GuardDuty portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: The request is rejected because the input detectorId is not owned by the current account.

Error Sample Data

List Findings failed.

Status Code: 400.

Message: The request is rejected because the input detectorId is not owned by the current account.

List IPSets

Lists the IPSets of the GuardDuty service specified by the detector ID. If used from a member account, the returned IPSets are from the associated administrator account.

READER NOTE

Detector ID is a required parameter to run this command.

Run the List Detectors command to obtain the Detector ID. Detector IDs can be found in the returned raw data at the path $.detectorIds.

Input

Input Parameter	Required/Optional	Description	Example
Detector ID	Required	The ID of the detector specifies the GuardDuty service for listing IPSets. Detector ID can be obtained using the List Detectors command.	62b*****d6b
Limit	Optional	The maximum number of IPSets requested in the response. The default value is 50, with a maximum value of 50.	10
Region Name	Optional	The AWS region name.	US West (N. California)
Role Arn	Optional	The Amazon Resource Name (ARN) of the role to assume. If not specified, the value of the connection parameter Default Role ARN will be used. Please ensure that the assumed role has the necessary permissions to execute the relevant commands. Additionally, the assumed role must be trusted by the account used for connection. For more information, please refer to Editing the trust relationship for an existing role - AWS Directory Service.	arn:aws:iam::*****:role/d3guarddutyrole
Role Session Name	Optional	The identifier for the assumed role session. Use the role session name to uniquely identify a session, especially when the same role is assumed by different principals or for different purposes. The role session name should consist of upper- and lower-case alphanumeric characters with no spaces. Additionally, you can include underscores or any of the following characters: =,.@-. If this parameter is not specified but the Role ARN parameter is, the D3 system will automatically generate a role session name for you.	d3guarddutyrole_Session1
Session Duration Time	Optional	The duration of the role assumption session in seconds. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role, which is 1 hour by default. If this parameter is not specified but the Role ARN parameter is, then the default value of 3600 seconds will be used.	1800

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	List IPSets failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the AWS GuardDuty portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: The request is rejected because the parameter detectorId has an invalid value.

Error Sample Data

List IPSets failed.

Status Code: 400.

Message: The request is rejected because the parameter detectorId has an invalid value.

List ThreatIntelSets

Lists the ThreatIntelSet IDs of the GuardDuty service specified by the detector ID. If this operation is used from a member account, the ThreatIntelSets associated with the administrator account are returned.

READER NOTE

Detector ID is a required parameter to run this command.

Run the List Detectors command to obtain the Detector ID. Detector IDs can be found in the returned raw data at the path $.detectorIds.

Input

Input Parameter	Required/Optional	Description	Example
Detector ID	Required	The ID of the detector specifies the GuardDuty service for listing ThreatIntelSets. Detector ID can be obtained using the List Detectors command.	62b*****d6b
Limit	Optional	The maximum number of ThreatIntelSets requested in the response. The default value is 50, with a maximum value of 50.	10
Region Name	Optional	The AWS region name.	US West (N. California)
Role Arn	Optional	The Amazon Resource Name (ARN) of the role to assume. If not specified, the value of the connection parameter Default Role ARN will be used. Please ensure that the assumed role has the necessary permissions to execute the relevant commands. Additionally, the assumed role must be trusted by the account used for connection. For more information, please refer to Editing the trust relationship for an existing role - AWS Directory Service.	arn:aws:iam::*****:role/d3guarddutyrole
Role Session Name	Optional	The identifier for the assumed role session. Use the role session name to uniquely identify a session, especially when the same role is assumed by different principals or for different purposes. The role session name should consist of upper- and lower-case alphanumeric characters with no spaces. Additionally, you can include underscores or any of the following characters: =,.@-. If this parameter is not specified but the Role ARN parameter is, the D3 system will automatically generate a role session name for you.	d3guarddutyrole_Session1
Session Duration Time	Optional	The duration of the role assumption session in seconds. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role, which is 1 hour by default. If this parameter is not specified but the Role ARN parameter is, then the default value of 3600 seconds will be used.	1800

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	List ThreatIntelSets failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the AWS GuardDuty portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: The request is rejected because the parameter detectorId has an invalid value.

Error Sample Data

List ThreatIntelSets failed.

Status Code: 400.

Message: The request is rejected because the parameter detectorId has an invalid value.

Unarchive Findings

Unarchives GuardDuty findings specified by the Finding IDs.

READER NOTE

Detector ID and Finding IDs are required parameters to run this command.

Run the List Detectors command to obtain the Detector ID. Detector IDs can be found in the raw data returned at the path $.detectorIds.
Run the List Findings command to obtain the Finding IDs. Finding IDs can be found in the raw data returned at the path $.findingIds.

Input

Input Parameter	Required/Optional	Description	Example
Detector ID	Required	The ID of the detector specifies the GuardDuty service for unarchiving findings. Detector ID can be obtained using the List Detectors command.	62b*****d6b
Finding IDs	Required	The IDs of the findings specified for unarchiving. Finding IDs can be obtained using the List Findings command.	JSON `[ "36b*****689" ]`
Region Name	Optional	The AWS region name.	US West (N. California)
Role Arn	Optional	The Amazon Resource Name (ARN) of the role to assume. If not specified, the value of the connection parameter Default Role ARN will be used. Please ensure that the assumed role has the necessary permissions to execute the relevant commands. Additionally, the assumed role must be trusted by the account used for connection. For more information, please refer to Editing the trust relationship for an existing role - AWS Directory Service.	arn:aws:iam::*****:role/d3guarddutyrole
Role Session Name	Optional	The identifier for the assumed role session. Use the role session name to uniquely identify a session, especially when the same role is assumed by different principals or for different purposes. The role session name should consist of upper- and lower-case alphanumeric characters with no spaces. Additionally, you can include underscores or any of the following characters: =,.@-. If this parameter is not specified but the Role ARN parameter is, the D3 system will automatically generate a role session name for you.	d3guarddutyrole_Session1
Session Duration Time	Optional	The duration of the role assumption session in seconds. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role, which is 1 hour by default. If this parameter is not specified but the Role ARN parameter is, then the default value of 3600 seconds will be used.	1800

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Unarchive Findings failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the AWS GuardDuty portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: The request is rejected because the parameter detectorId has an invalid value.

Error Sample Data

Unarchive Findings failed.

Status Code: 400.

Message: The request is rejected because the parameter detectorId has an invalid value.

Update Detector

Updates the Amazon GuardDuty detectors specified by the Detector IDs.

READER NOTE

Detector IDs is a required parameter to run this command.

Run the List Detectors command to obtain the Detector ID. Detector IDs can be found in the returned raw data at the path $.detectorIds.

Input

Input Parameter	Required/Optional	Description	Example
Detector IDs	Required	The unique IDs of the detectors to be updated. Detector ID can be obtained using the List Detectors command.	JSON `[ "1ab*****f4f" ]`
Enable	Required	The boolean value specifying whether the detector is to be enabled.	True
Finding Publishing Frequency	Optional	The enum value specifying how frequently findings are exported, such as to CloudWatch Events.	1 hour
Region Name	Optional	The AWS region name.	US West (N. California)
Role Arn	Optional	The Amazon Resource Name (ARN) of the role to assume. If not specified, the value of the connection parameter Default Role ARN will be used. Please ensure that the assumed role has the necessary permissions to execute the relevant commands. Additionally, the assumed role must be trusted by the account used for connection. For more information, please refer to Editing the trust relationship for an existing role - AWS Directory Service.	arn:aws:iam::*****:role/d3guarddutyrole
Role Session Name	Optional	The identifier for the assumed role session. Use the role session name to uniquely identify a session, especially when the same role is assumed by different principals or for different purposes. The role session name should consist of upper- and lower-case alphanumeric characters with no spaces. Additionally, you can include underscores or any of the following characters: =,.@-. If this parameter is not specified but the Role ARN parameter is, the D3 system will automatically generate a role session name for you.	d3guarddutyrole_Session1
Session Duration Time	Optional	The duration of the role assumption session in seconds. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role, which is 1 hour by default. If this parameter is not specified but the Role ARN parameter is, then the default value of 3600 seconds will be used.	1800

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Update Detector failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the AWS GuardDuty portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: The request is rejected because the parameter detectorId has an invalid value.

Error Sample Data

Update Detector failed.

Status Code: 400.

Message: The request is rejected because the parameter detectorId has an invalid value.

Update Findings Feedback

Marks the specified GuardDuty findings as either useful or not useful.

READER NOTE

Detector ID and Finding IDs are required parameters to run this command.

Run the List Detectors command to obtain the Detector ID. Detector IDs can be found in the raw data returned at the path $.detectorIds.
Run the List Findings command to obtain the Finding IDs. Finding IDs can be found in the raw data returned at the path $.findingIds.

Input

Input Parameter	Required/Optional	Description	Example
Detector ID	Required	The ID of the detector specifies the GuardDuty service in which to update findings and feedback. Detector ID can be obtained using the List Detectors command.	62b*****d6b
Finding IDs	Required	The IDs of the findings you want to mark as useful or not useful. Finding IDs can be obtained using the List Findings command.	JSON `[ "36b*****689" ]`
Feedback	Required	The feedback for the finding(s).	Useful
Comments	Optional	The additional feedback about the GuardDuty finding(s).	Finding feedback comments. Sample0209
Region Name	Optional	The AWS region name.	US West (N. California)
Role Arn	Optional	The Amazon Resource Name (ARN) of the role to assume. If not specified, the value of the connection parameter Default Role ARN will be used. Please ensure that the assumed role has the necessary permissions to execute the relevant commands. Additionally, the assumed role must be trusted by the account used for connection. For more information, please refer to Editing the trust relatonship for an existing role - AWS Directory Service.	arn:aws:iam::*****:role/d3guarddutyrole
Role Session Name	Optional	The identifier for the assumed role session. Use the role session name to uniquely identify a session, especially when the same role is assumed by different principals or for different purposes. The role session name should consist of upper- and lower-case alphanumeric characters with no spaces. Additionally, you can include underscores or any of the following characters: =,.@-. If this parameter is not specified but the Role ARN parameter is, the D3 system will automatically generate a role session name for you.	d3guarddutyrole_Session1
Session Duration Time	Optional	The duration of the role assumption session in seconds. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role, which is 1 hour by default. If this parameter is not specified but the Role ARN parameter is, then the default value of 3600 seconds will be used.	1800

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Update Findings Feedback failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the AWS GuardDuty portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: The request is rejected because the parameter detectorId has an invalid value.

Error Sample Data

Update Findings Feedback failed.

Status Code: 400.

Message: The request is rejected because the parameter detectorId has an invalid value.

Update IPSet

Updates the IPSet specified by the IPSet IDs.

READER NOTE

Detector ID and IPSet IDs are required parameters to run this command.

Run the List Detectors command to obtain the Detector ID. Detector IDs can be found in the returned raw data at the path $.detectorIds.
Run the List IPSets command to obtain the IPSet IDs. IPSet IDs can be found in the returned raw data at the path $.ipSetIds.

Input

Input Parameter	Required/Optional	Description	Example
Detector ID	Required	The ID of the detector specifies the GuardDuty service in which to update the IPSet. Detector ID can be obtained using the List Detectors command.	62b*****d6b
IPSet IDs	Required	The unique IDs of the IPSets to update. IPSet IDs can be obtained from the List IPSets command.	JSON `[ "ed5*****6b3" ]`
Activate	Optional	The updated Boolean value specifies whether the IPSet is active or not.	True
IPSet File Location	Optional	The updated URI of the file containing the IPSet can be saved in an AWS S3 bucket. It should resemble "https://{bucket-name}.s3.{region-name}.amazonaws.com/{filename.txt}" or "https://s3.{region-name}.amazonaws.com/{bucket-name}/{filename.txt}".	https://1s1****dd1..us-west-1.amazonaws.com/ip***01.txt
Name	Optional	The unique ID that specifies the IPSet that you want to update.	ip***02update0210
Region Name	Optional	The AWS region name.	US West (N. California)
Role Arn	Optional	The Amazon Resource Name (ARN) of the role to assume. If not specified, the value of the connection parameter Default Role ARN will be used. Please ensure that the assumed role has the necessary permissions to execute the relevant commands. Additionally, the assumed role must be trusted by the account used for connection. For more information, please refer to Editing the trust relationship for an existing role - AWS Directory Service.	arn:aws:iam::*****:role/d3guarddutyrole
Role Session Name	Optional	The identifier for the assumed role session. Use the role session name to uniquely identify a session, especially when the same role is assumed by different principals or for different purposes. The role session name should consist of upper- and lower-case alphanumeric characters with no spaces. Additionally, you can include underscores or any of the following characters: =,.@-. If this parameter is not specified but the Role ARN parameter is, the D3 system will automatically generate a role session name for you.	d3guarddutyrole_Session1
Session Duration Time	Optional	The duration of the role assumption session in seconds. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role, which is 1 hour by default. If this parameter is not specified but the Role ARN parameter is, then the default value of 3600 seconds will be used.	1800

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Update IPSet failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the AWS GuardDuty portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: The request is rejected because the parameter detectorId has an invalid value.

Error Sample Data

Update IPSet failed.

Status Code: 400.

Message: The request is rejected because the parameter detectorId has an invalid value.

Update ThreatIntelSet

Updates the ThreatIntelSets specified by the ThreatIntelSet IDs.

READER NOTE

Detector ID and ThreatIntelSet IDs are required parameters to run this command.

Run the List Detectors command to obtain the Detector ID. Detector IDs can be found in the raw data returned at the path $.detectorIds.
Run the List ThreatIntelSets command to obtain the ThreatIntelSet IDs. ThreatIntelSet IDs can be found in the raw data returned at the path $.threatIntelSetIds.

Input

Input Parameter	Required/Optional	Description	Example
Detector ID	Required	The ID of the detector specifies the GuardDuty service in which the user wants to update the threatIntelSet. Detector IDs can be obtained using the List Detectors command.	62b*****d6b
ThreatIntelSet IDs	Required	The unique ID specifying the ThreatIntelSet that requires updating. ThreatIntelSet IDs can be obtained using the List ThreatIntelSets command.	JSON `[ "5eb*****f09" ]`
Activate	Optional	The updated Boolean value specifying the activation status of the ThreatIntelSet.	True
ThreatIntelSet File Location	Optional	The updated URI of the file containing the ThreatIntelSet. The ThreatIntelSet file can be stored in an AWS S3 bucket. It should follow this format: "https://{bucket-name}.s3.{region-name}.amazonaws.com/{filename.txt}" or "https://s3.{region-name}.amazonaws.com/{bucket-name}/{filename.txt}".	https://1s1****dd1..us-west-1.amazonaws.com/thr******t01.txt
Name	Optional	The unique ID specifying the ThreatIntelSet intended for update.	thr*******update
Region Name	Optional	The AWS region name.	US West (N. California)
Role Arn	Optional	The Amazon Resource Name (ARN) of the role to assume. If not specified, the value of the connection parameter Default Role ARN will be used. Please ensure that the assumed role has the necessary permissions to execute the relevant commands. Additionally, the assumed role must be trusted by the account used for connection. For more information, please refer to Editing the trust relationship for an existing role - AWS Directory Service.	arn:aws:iam::*****:role/d3guarddutyrole
Role Session Name	Optional	The identifier for the assumed role session. Use the role session name to uniquely identify a session, especially when the same role is assumed by different principals or for different purposes. The role session name should consist of upper- and lower-case alphanumeric characters with no spaces. Additionally, you can include underscores or any of the following characters: =,.@-. If this parameter is not specified but the Role ARN parameter is, the D3 system will automatically generate a role session name for you.	d3guarddutyrole_Session1
Session Duration Time	Optional	The duration of the role assumption session in seconds. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role, which is 1 hour by default. If this parameter is not specified but the Role ARN parameter is, then the default value of 3600 seconds will be used.	1800

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Update ThreatIntelSet failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the AWS GuardDuty portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: The request is rejected because the parameter detectorId has an invalid value.

Error Sample Data

Update ThreatIntelSet failed.

Status Code: 400.

Message: The request is rejected because the parameter detectorId has an invalid value.

FAQ

1. What is Role ARN parameter used for?

The Role ARN parameter consists of temporary security credentials used to access AWS resources within your account or for cross-account access. Please refer to AssumeRole - AWS Security Token Service for more details.

2. When configuring Region Name, Role ARN, Role Session Name and Session Duration Time in both connector and command, do they take effect at the connection level or only when specified within individual commands?

When you configure everything in the command level, the value you defined will override the connector defined value.

The connector defined values are the default, without the defined value inside commands, the default value of the connector you choose will be automatically applied.

Please note that this temporary security credential will not affect your original account credentials. The original groups/roles/policies in your account will continue to be applied when you execute commands.

A recommended approach is to allocate no permissions to the account you have created, and instead to assign temporary security credentials within D3 SOAR.