v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Steampipe logo 
Hub
Plugins
turbot/aws
Overview
496Tables
Versions
PowerpipeMods
GitHub
steampipe plugin install aws

Table: aws_guardduty_finding - Query AWS GuardDuty Findings using SQL

AWS GuardDuty is a threat detection service that continuously monitors for malicious or unauthorized behavior to help protect your AWS accounts and workloads. It identifies unusual or unauthorized activity, like crypto-currency mining or infrastructure deployments in a region that has never been used. GuardDuty analyzes tens of billions of events across multiple AWS data sources, such as AWS CloudTrail, Amazon VPC Flow Logs, and DNS logs.

Table Usage Guide

The aws_guardduty_finding table in Steampipe provides you with information about findings reported by AWS GuardDuty. This table allows you as a security analyst to query finding-specific details, including threat type, severity, and associated resources. You can utilize this table to gather insights on potential security threats, such as unauthorized access attempts, data breaches, or compromised instances. The schema outlines the various attributes of the GuardDuty finding for you, including the finding ID, detector ID, account ID, region, and associated tags.

Examples

Basic info

Explore which instances have been identified by AWS GuardDuty. This is useful for assessing the security findings and understanding when they were created.

select
  id,
  detector_id,
  arn,
  created_at
from
  aws_guardduty_finding;
select
  id,
  detector_id,
  arn,
  created_at
from
  aws_guardduty_finding;

List findings that are not archived

Discover the segments that consist of unarchived findings in your AWS GuardDuty. This is particularly useful in identifying active threats or issues that are yet to be addressed and archived.

select
  id,
  detector_id,
  arn,
  created_at
from
  aws_guardduty_finding
where
  service ->> 'Archived' = 'false';
select
  id,
  detector_id,
  arn,
  created_at
from
  aws_guardduty_finding
where
  json_extract(service, '$.Archived') = 'false';

Control examples

Schema for aws_guardduty_finding

NameTypeOperatorsDescription
_ctxjsonbSteampipe context in JSON form.
account_idtext=, !=, ~~, ~~*, !~~, !~~*The AWS Account ID in which the resource is located.
akasjsonbArray of globally unique identifier strings (also known as) for the resource.
arntextThe Amazon Resource Name (ARN) specifying the finding.
confidencedouble precisionThe confidence score for the finding.
created_attimestamp with time zoneThe time and date when the finding was created.
descriptiontextThe description of the finding.
detector_idtext=The ID of the detector.
idtext=, !=The ID of the finding.
nametextThe title of the finding.
partitiontextThe AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov).
regiontextThe AWS Region in which the resource is located.
resourcejsonbContains information about the AWS resource associated with the activity that prompted GuardDuty to generate a finding.
schema_versiontextThe version of the schema used for the finding.
servicejsonbContains additional information about the generated finding.
severitydouble precisionThe severity of the finding.
sp_connection_nametext=, !=, ~~, ~~*, !~~, !~~*Steampipe connection name.
sp_ctxjsonbSteampipe context in JSON form.
titletextTitle of the resource.
typetext=, !=The type of finding.
updated_attimestamp with time zoneThe time and date when the finding was last updated.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws

You can pass the configuration to the command with the --config argument:

steampipe_export_aws --config '<your_config>' aws_guardduty_finding