Table: aws_guardduty_detector - Query AWS GuardDuty Detector using SQL
The AWS GuardDuty Detector is a part of the Amazon GuardDuty service, a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts and workloads. It uses machine learning, anomaly detection, and integrated threat intelligence to identify and prioritize potential threats. GuardDuty analyzes tens of billions of events across multiple AWS data sources, such as AWS CloudTrail, Amazon VPC Flow Logs, and DNS logs.
Table Usage Guide
The aws_guardduty_detector table in Steampipe provides you with information about detectors within AWS GuardDuty. This table allows you, as a security analyst, to query detector-specific details, including detector ID, creation timestamp, status, and associated tags. You can utilize this table to gather insights on detectors, such as their current status, when they were created, and more. The schema outlines the various attributes of the GuardDuty detector for you, including the detector ID, creation timestamp, status, service role, and associated tags.
Examples
Basic info
Uncover the details of your AWS GuardDuty detectors, such as their creation date and current status, to gain insights into your security infrastructure and help manage your service roles more effectively.
```sql
select
  detector_id,
  arn,
  created_at,
  status,
  service_role
from
  aws_guardduty_detector;
```
List enabled detectors
List the detectors in your AWS GuardDuty deployment that are enabled and therefore actively monitoring for malicious activity. This is useful for confirming that every account and region you expect to be covered actually has a functioning detector.
```sql
select
  detector_id,
  created_at,
  status
from
  aws_guardduty_detector
where
  status = 'ENABLED';
```
Get data source status info for each detector
Show each detector's status together with the status of its individual data sources (CloudTrail, DNS logs, and VPC Flow Logs). A detector that is enabled but has a data source disabled has a blind spot, so this query is useful for monitoring and managing threat detection coverage.
PostgreSQL:

```sql
select
  detector_id,
  status as detector_status,
  data_sources -> 'CloudTrail' ->> 'Status' as cloud_trail_status,
  data_sources -> 'DNSLogs' ->> 'Status' as dns_logs_status,
  data_sources -> 'FlowLogs' ->> 'Status' as flow_logs_status
from
  aws_guardduty_detector;
```

SQLite:

```sql
select
  detector_id,
  status as detector_status,
  json_extract(data_sources, '$.CloudTrail.Status') as cloud_trail_status,
  json_extract(data_sources, '$.DNSLogs.Status') as dns_logs_status,
  json_extract(data_sources, '$.FlowLogs.Status') as flow_logs_status
from
  aws_guardduty_detector;
```
Get information about the master account relationship
Retrieve the relationship between each detector and its GuardDuty master (administrator) account: the administrator's account ID, the invitation ID, and the relationship status. This is useful for verifying that member accounts are actually associated with the expected administrator account in a multi-account setup.
PostgreSQL:

```sql
select
  detector_id,
  master_account ->> 'AccountId' as master_account_id,
  master_account ->> 'InvitationId' as invitation_id,
  master_account ->> 'RelationshipStatus' as relationship_status
from
  aws_guardduty_detector
where
  master_account is not null;
```

SQLite:

```sql
select
  detector_id,
  json_extract(master_account, '$.AccountId') as master_account_id,
  json_extract(master_account, '$.InvitationId') as invitation_id,
  json_extract(master_account, '$.RelationshipStatus') as relationship_status
from
  aws_guardduty_detector
where
  master_account is not null;
```
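The data-source and administrator-account queries above can be combined into a single per-detector coverage check. The following is an added example and not part of the Steampipe documentation; it assumes the PostgreSQL flavour of Steampipe (jsonb operators) and that data_sources may also carry an 'S3Logs' key as returned by the GuardDuty GetDetector API.

```sql
-- Added example: one coverage row per detector. Flags detectors that are not
-- ENABLED and detectors whose individual data sources are disabled, and shows
-- the administrator relationship so standalone detectors stand out.
with source_status as (
  select
    region,
    detector_id,
    status,
    finding_publishing_frequency,
    master_account ->> 'RelationshipStatus' as admin_relationship,
    -- Collect the top-level data sources whose Status is not ENABLED.
    -- Only keys with a top-level Status are checked; Kubernetes and
    -- Malware Protection nest their Status one level deeper (assumption).
    array(
      select ds.key
      from jsonb_each(data_sources) as ds(key, value)
      where ds.key in ('CloudTrail', 'DNSLogs', 'FlowLogs', 'S3Logs')
        and ds.value ->> 'Status' is distinct from 'ENABLED'
    ) as disabled_sources
  from
    aws_guardduty_detector
)
select
  region,
  detector_id,
  case
    when status <> 'ENABLED' then 'alarm'       -- detector itself is off
    when cardinality(disabled_sources) > 0 then 'warn'  -- partial coverage
    else 'ok'
  end as posture,
  status,
  disabled_sources,
  finding_publishing_frequency,
  coalesce(admin_relationship, 'standalone') as admin_relationship
from
  source_status
order by
  posture,
  region,
  detector_id;
```

Rows with posture 'alarm' or 'warn', or with admin_relationship 'standalone' where delegated administration is expected, are the ones to follow up on.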
Schema for aws_guardduty_detector
Name | Type | Operators | Description
---|---|---|---
_ctx | jsonb | | Steampipe context in JSON form.
account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The AWS Account ID in which the resource is located.
akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource.
arn | text | | The Amazon Resource Name (ARN) specifying the detector.
created_at | timestamp with time zone | | The timestamp of when the detector was created.
data_sources | jsonb | | Describes which data sources are enabled for the detector.
detector_id | text | = | The ID of the detector.
features | jsonb | | Describes the features that have been enabled for the detector.
finding_publishing_frequency | text | | The publishing frequency of the finding.
master_account | jsonb | | Contains information about the administrator account and invitation.
partition | text | | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov).
region | text | | The AWS Region in which the resource is located.
service_role | text | | The GuardDuty service role.
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name.
sp_ctx | jsonb | | Steampipe context in JSON form.
status | text | | The detector status.
tags | jsonb | | A map of tags for the resource.
title | text | | Title of the resource.
updated_at | timestamp with time zone | | The last-updated timestamp for the detector.
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

```sh
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws
```
You can pass the configuration to the command with the --config argument:

```sh
steampipe_export_aws --config '<your_config>' aws_guardduty_detector
```