Table: aws_guardduty_detector - Query AWS GuardDuty Detector using SQL

The AWS GuardDuty Detector is a part of the Amazon GuardDuty service, a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts and workloads. It uses machine learning, anomaly detection, and integrated threat intelligence to identify and prioritize potential threats. GuardDuty analyzes tens of billions of events across multiple AWS data sources, such as AWS CloudTrail, Amazon VPC Flow Logs, and DNS logs.

Table Usage Guide

The aws_guardduty_detector table in Steampipe provides you with information about detectors within AWS GuardDuty. This table allows you, as a security analyst, to query detector-specific details, including detector ID, creation timestamp, status, and associated tags. You can utilize this table to gather insights on detectors, such as their current status, when they were created, and more. The schema outlines the various attributes of the GuardDuty detector for you, including the detector ID, creation timestamp, status, service role, and associated tags.

Examples

Basic info

Uncover the details of your AWS GuardDuty detectors, such as their creation date and current status, to gain insights into your security infrastructure and help manage your service roles more effectively.

select
  detector_id,
  arn,
  created_at,
  status,
  service_role
from
  aws_guardduty_detector;

select
  detector_id,
  arn,
  created_at,
  status,
  service_role
from
  aws_guardduty_detector;

List enabled detectors

Discover the segments that are actively monitoring for malicious activity by identifying the enabled detectors in your AWS GuardDuty. This can be useful for maintaining security and ensuring that all necessary detectors are functioning properly.

select
  detector_id,
  created_at,
  status
from
  aws_guardduty_detector
where
  status = 'ENABLED';

select
  detector_id,
  created_at,
  status
from
  aws_guardduty_detector
where
  status = 'ENABLED';

Get data source status info for each detector

Uncover the details of each detector's status and the status of their respective data sources. This allows for efficient monitoring and management of security and threat detection systems.

select
  detector_id,
  status as detector_status,
  data_sources -> 'CloudTrail' ->> 'Status' as cloud_trail_status,
  data_sources -> 'DNSLogs' ->> 'Status' as dns_logs_status,
  data_sources -> 'FlowLogs' ->> 'Status' as flow_logs_status
from
  aws_guardduty_detector;

select
  detector_id,
  status as detector_status,
  json_extract(data_sources, '$.CloudTrail.Status') as cloud_trail_status,
  json_extract(data_sources, '$.DNSLogs.Status') as dns_logs_status,
  json_extract(data_sources, '$.FlowLogs.Status') as flow_logs_status
from
  aws_guardduty_detector;

Get information about the master account relationship

Discover the segments that can provide insights into the relationship status of your master account with AWS GuardDuty. This can be particularly useful in understanding your account's security posture and managing potential threats.

select
  detector_id,
  master_account ->> 'AccountId' as master_account_id,
  master_account ->> 'InvitationId' as invitation_id,
  master_account ->> 'RelationshipStatus' as relationship_status
from
  aws_guardduty_detector
where
  master_account is not null;

select
  detector_id,
  json_extract(master_account, '$.AccountId') as master_account_id,
  json_extract(master_account, '$.InvitationId') as invitation_id,
  json_extract(master_account, '$.RelationshipStatus') as relationship_status
from
  aws_guardduty_detector
where
  master_account is not null;

Query examples

guardduty_detectors_for_iam_role

Control examples

Schema for aws_guardduty_detector

Name	Type	Operators	Description
_ctx	jsonb		Steampipe context in JSON form.
account_id	text	=, !=, ~~, ~~, !~~, !~~	The AWS Account ID in which the resource is located.
akas	jsonb		Array of globally unique identifier strings (also known as) for the resource.
arn	text		The Amazon Resource Name (ARN) specifying the detector.
created_at	timestamp with time zone		The timestamp of when the detector was created.
data_sources	jsonb		Describes which data sources are enabled for the detector.
detector_id	text	=	The ID of the detector.
features	jsonb		Describes the features that have been enabled for the detector.
finding_publishing_frequency	text		The publishing frequency of the finding.
master_account	jsonb		Contains information about the administrator account and invitation.
partition	text		The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov).
region	text		The AWS Region in which the resource is located.
service_role	text		The GuardDuty service role.
sp_connection_name	text	=, !=, ~~, ~~, !~~, !~~	Steampipe connection name.
sp_ctx	jsonb		Steampipe context in JSON form.
status	text		The detector status.
tags	jsonb		A map of tags for the resource.
title	text		Title of the resource.
updated_at	timestamp with time zone		The last-updated timestamp for the detector.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws

You can pass the configuration to the command with the --config argument:

steampipe_export_aws --config '<your_config>' aws_guardduty_detector