Merge pull request #9180 from elysahall/awsdocs-12-30-24-p2

CLI examples for guardduty
aws · Jan 9, 2025 · 3006a70 · 3006a70
2 parents 2bf885f + 6d493e1
commit 3006a70
Show file tree

Hide file tree

Showing 11 changed files with 85 additions and 41 deletions.
diff --git a/awscli/examples/guardduty/accept-invitation.rst b/awscli/examples/guardduty/accept-invitation.rst
@@ -6,7 +6,7 @@ The following ``accept-invitation`` example shows how to accept an invitation to
         --detector-id 12abc34d567e8fa901bc2d34eexample \ 
         --master-id 123456789111 \
         --invitation-id d6b94fb03a66ff665f7db8764example
-        
+
 This command produces no output.
 
-For more information, see `Managing GuardDuty Accounts by Invitation <https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_invitations.html>`__ in the GuardDuty User Guide.
+For more information, see `Managing GuardDuty accounts by invitation <https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_invitations.html>`__ in the GuardDuty User Guide.
diff --git a/awscli/examples/guardduty/archive-findings.rst b/awscli/examples/guardduty/archive-findings.rst
@@ -1,11 +1,11 @@
 **To archive findings in the current region**
 
-This example shows how to archive findings in the current region. ::
+This ``archive-findings`` example shows how to archive findings in the current region. ::
 
     aws guardduty archive-findings \
         --detector-id 12abc34d567e8fa901bc2d34eexample \
         --finding-ids d6b94fb03a66ff665f7db8764example 3eb970e0de00c16ec14e6910fexample
 
-This command produces no output. 
+This command produces no output.
 
-For more information, see `Managing GuardDuty Accounts by Invitation <https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings.html#guardduty_working-with-findings>`__ in the *GuardDuty User Guide*.
+For more information, see `Creating suppression rules <https://docs.aws.amazon.com/guardduty/latest/ug/findings_suppression-rules-console.html>`__ in the *GuardDuty User Guide*.
diff --git a/awscli/examples/guardduty/create-filter.rst b/awscli/examples/guardduty/create-filter.rst
@@ -1,17 +1,34 @@
-**To create a new filter for the current region**
+**Example 1: To create a new filter in the current region**
 
-This example creates a filter that matches all portscan findings for instance created from a specific image.::
+The following ``create-filter`` example creates a filter that matches all Portscan findings for instance created from a specific image. This does not suppress those findings. ::
+
+    aws guardduty create-filter \
+        --detector-id b6b992d6d2f48e64bc59180bfexample \ 
+        --name myFilterExample \
+        --finding-criteria '{"Criterion": {"type": {"Eq": ["Recon:EC2/Portscan"]},"resource.instanceDetails.imageId": {"Eq": ["ami-0a7a207083example"]}}}'
+
+Output::
+
+    {
+        "Name": "myFilterExample"
+    }
+
+For more information, see `Filtering GuardDuty findings <https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_filter-findings.html>`__ in the *GuardDuty User Guide*.
+
+**Example 2: To create a new filter and suppress findings in the current region**
+
+The following ``create-filter`` example creates a filter that matches all Portscan findings for instance created from a specific image. This filter archives those findings so that they do not appear in your current findings. ::
 
     aws guardduty create-filter \
         --detector-id b6b992d6d2f48e64bc59180bfexample \ 
         --action ARCHIVE \
-        --name myFilter \
+        --name myFilterSecondExample \
         --finding-criteria '{"Criterion": {"type": {"Eq": ["Recon:EC2/Portscan"]},"resource.instanceDetails.imageId": {"Eq": ["ami-0a7a207083example"]}}}'
 
 Output::
 
     {
-        "Name": "myFilter"
+        "Name": "myFilterSecondExample"
     }
 
-For more information, see `Filtering findings <https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_filter-findings.html>`__ in the *GuardDuty User Guide*.
+For more information, see `Filtering GuardDuty findings <https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_filter-findings.html>`__ in the *GuardDuty User Guide*.
diff --git a/awscli/examples/guardduty/create-ip-set.rst b/awscli/examples/guardduty/create-ip-set.rst
@@ -1,18 +1,18 @@
-**To create a trusted IP set**
+**To create and activate a trusted IP set**
 
-The following ``create-ip-set`` example creates and activates a trusted IP set in the current region. ::
+The following ``create-ip-set`` example creates and activates a trusted IP set in the current Region. ::
 
     aws guardduty create-ip-set \
         --detector-id 12abc34d567e8fa901bc2d34eexample \ 
-        --name new-ip-set \
-        --format TXT
-        --location s3://amzn-s3-demo-bucket/customtrustlist.csv
+        --name new-ip-set-example \
+        --format TXT \
+        --location s3://amzn-s3-demo-bucket/customtrustlist.csv \
         --activate
 
 Output::
-    
+
     {
         "IpSetId": "d4b94fc952d6912b8f3060768example"
     }
 
-For more information, see `Working with Trusted IP Lists and Threat Lists <https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_upload_lists.html>`__ in the GuardDuty User Guide.
+For more information, see `Working with Trusted IP Lists and Threat Lists <https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_upload_lists.html>`__ in the *GuardDuty User Guide*.
diff --git a/awscli/examples/guardduty/create-publishing-destination.rst b/awscli/examples/guardduty/create-publishing-destination.rst
@@ -1,16 +1,16 @@
 **To create a publishing destination to export GuardDuty findings in the current region to.**
 
-This example shows how to create a publishing destination for GuardDuty findings. ::
+The following ``create-publishing-destination`` example shows how to set up a publishing destination to export current (not archived) GuardDuty findings to keep track of historical findings data. ::
 
     aws guardduty create-publishing-destination \
         --detector-id b6b992d6d2f48e64bc59180bfexample \
         --destination-type S3 \
-        --destination-properties DestinationArn=arn:aws:s3:::yourbucket,KmsKeyArn=arn:aws:kms:us-west-1:111122223333:key/84cee9c5-dea1-401a-ab6d-e1de7example
+        --destination-properties 'DestinationArn=arn:aws:s3:::amzn-s3-demo-bucket,KmsKeyArn=arn:aws:kms:us-west-1:111122223333:key/84cee9c5-dea1-401a-ab6d-e1de7example'
 
 Output::
 
     {
         "DestinationId": "46b99823849e1bbc242dfbe3cexample"
     }
 
-For more information, see `Exporting findings <https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_exportfindings.html>`__ in the *GuardDuty User Guide*.
+For more information, see `Exporting generated GuardDuty findings to Amazon S3 buckets <https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_exportfindings.html>`__ in the *GuardDuty User Guide*.
diff --git a/awscli/examples/guardduty/create-threat-intel-set.rst b/awscli/examples/guardduty/create-threat-intel-set.rst
@@ -1,12 +1,12 @@
-**To create a new threat intel set in the current region.**
+**To create and activate a new threat intel set**
 
-This example shows how to upload a threat intel set to GuardDuty and activate it immediately. ::
+The following ``create-threat-intel-set`` example creates and activates a threat intel set in the current Region. ::
 
     aws guardduty create-threat-intel-set \
         --detector-id b6b992d6d2f48e64bc59180bfexample \
-        --name myThreatSet \
+        --name myThreatSet-example \
         --format TXT \
-        --location s3://EXAMPLEBUCKET/threatlist.csv \
+        --location s3://amzn-s3-demo-bucket/threatlist.csv \
         --activate 
 
 Output::
@@ -15,4 +15,4 @@ Output::
         "ThreatIntelSetId": "20b9a4691aeb33506b808878cexample"
     }
 
-For more information, see `Trusted IP and threat lists <https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_upload_lists.html>`__ in the *GuardDuty User Guide*.
+For more information, see `Working with Trusted IP Lists and Threat Lists <https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_upload_lists.html>`__ in the *GuardDuty User Guide*.
diff --git a/awscli/examples/guardduty/disassociate-from-master-account.rst b/awscli/examples/guardduty/disassociate-from-master-account.rst
@@ -1,10 +1,10 @@
-**To disassociate from your current master account in the current region**
+**To disassociate from your current administrator account in the current region**
 
-The following ``disassociate-from-master-account`` example dissassociates your account from the current GuardDuty master account in the current AWS region. ::
+The following ``disassociate-from-master-account`` example dissassociates your account from the current GuardDuty administrator account in the current AWS region. ::
 
     aws guardduty disassociate-from-master-account \
         --detector-id d4b040365221be2b54a6264dcexample 
 
 This command produces no output.
 
-For more information, see `Understanding the Relationship between GuardDuty Master and Member Accounts <https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_accounts.html#master_member_relationships>`__ in the GuardDuty User Guide.
+For more information, see `Understanding the relationship between GuardDuty administrator account and member accounts <https://docs.aws.amazon.com/guardduty/latest/ug/administrator_member_relationships.html>`__ in the *GuardDuty User Guide*.
diff --git a/awscli/examples/guardduty/get-ip-set.rst b/awscli/examples/guardduty/get-ip-set.rst
@@ -1,6 +1,6 @@
 **To list get details on a specified trusted IP set**
 
-The following ``get-ip-set`` example shows the status and details of the specififed trusted IP set. ::
+The following ``get-ip-set`` example shows the status and details of the specified trusted IP set. ::
 
     aws guardduty get-ip-set \
         --detector-id 12abc34d567e8fa901bc2d34eexample \
@@ -13,7 +13,7 @@ Output::
         "Location": "s3://amzn-s3-demo-bucket.s3-us-west-2.amazonaws.com/customlist.csv",
         "Tags": {},
         "Format": "TXT",
-        "Name": "test-ip-set"
+        "Name": "test-ip-set-example"
     }
     
-For more information, see `Working with Trusted IP Lists and Threat Lists <https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_upload_lists.html>`__ in the GuardDuty User Guide.
+For more information, see `Working with Trusted IP Lists and Threat Lists <https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_upload_lists.html>`__ in the *GuardDuty User Guide*.
diff --git a/awscli/examples/guardduty/get-master-account.rst b/awscli/examples/guardduty/get-master-account.rst
@@ -12,8 +12,8 @@ Output::
             "InvitationId": "04b94d9704854a73f94e061e8example",
             "InvitedAt": "2020-06-09T22:23:04.970Z",
             "RelationshipStatus": "Enabled",
-            "AccountId": "123456789111"
+            "AccountId": "111122223333"
         }
     }
 
-For more information, see `Understanding the Relationship between GuardDuty Master and Member Accounts <https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_accounts.html#master_member_relationships>`__ in the GuardDuty User Guide.
+For more information, see `Understanding the relationship between GuardDuty administrator account and member account <https://docs.aws.amazon.com/guardduty/latest/ug/administrator_member_relationships.html>`__ in the *GuardDuty User Guide*.
diff --git a/awscli/examples/guardduty/list-members.rst b/awscli/examples/guardduty/list-members.rst
@@ -1,24 +1,51 @@
-**To list all members in the current region**
+**Example 1: To list only current members in the current Region**
 
-The following ``list-members`` example lists all member accounts and their details for the current region. ::
+The following ``list-members`` example lists and provides details of only current member accounts associated with the GuardDuty administrator account, in the current region. ::
 
     aws guardduty list-members \
-        --detector-id 12abc34d567e8fa901bc2d34eexample 
+        --detector-id 12abc34d567e8fa901bc2d34eexample \
+        --only-associated="true" 
 
 Output::
-    
+
     {
         "Members": [
             {
                 "RelationshipStatus": "Enabled",
                 "InvitedAt": "2020-06-09T22:49:00.910Z",
-                "MasterId": "123456789111",
+                "MasterId": "111122223333",
                 "DetectorId": "7ab8b2f61b256c87f793f6a86example",
                 "UpdatedAt": "2020-06-09T23:08:22.512Z",
                 "Email": "your+member@example.com",
-                "AccountId": "123456789222"
+                "AccountId": "123456789012"
+            }
+        ]
+    }
+
+For more information, see `Understanding the relationship between GuardDuty administrator account and member accounts <https://docs.aws.amazon.com/guardduty/latest/ug/administrator_member_relationships.html>`__ in the *GuardDuty User Guide*.
+
+**Example 2: To list all the members in the current Region**
+
+The following ``list-members`` example lists and provides details of all the member accounts, including those who have been disassociated or have not yet accepted the invite from the GuardDuty administrator, in the current region. ::
+
+    aws guardduty list-members \
+        --detector-id 12abc34d567e8fa901bc2d34eexample \
+        --only-associated="false"
+
+Output::
+
+    {
+        "Members": [
+            {
+                "RelationshipStatus": "Enabled",
+                "InvitedAt": "2020-06-09T22:49:00.910Z",
+                "MasterId": "111122223333",
+                "DetectorId": "7ab8b2f61b256c87f793f6a86example",
+                "UpdatedAt": "2020-06-09T23:08:22.512Z",
+                "Email": "your+other+member@example.com",
+                "AccountId": "555555555555"
             }
         ]
     }
 
-For more information, see `Understanding the Relationship between GuardDuty Master and Member Accounts <https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_accounts.html#master_member_relationships>`__ in the GuardDuty User Guide.
+For more information, see `Understanding the relationship between GuardDuty administrator account and member accounts <https://docs.aws.amazon.com/guardduty/latest/ug/administrator_member_relationships.html>`__ in the *GuardDuty User Guide*.
diff --git a/awscli/examples/guardduty/update-ip-set.rst b/awscli/examples/guardduty/update-ip-set.rst
@@ -9,4 +9,4 @@ The following ``update-ip-set`` example shows how to update the details of a tru
 
 This command produces no output.
 
-For more information, see `Working with Trusted IP Lists and Threat Lists <https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_upload_lists.html>`__ in the GuardDuty User Guide.
+For more information, see `Working with Trusted IP Lists and Threat Lists <https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_upload_lists.html>`__ in the *GuardDuty User Guide*.
Original file line number	Diff line number	Diff line change
Expand Up		@@ -9,4 +9,4 @@ The following ``update-ip-set`` example shows how to update the details of a tru

		This command produces no output.

		For more information, see `Working with Trusted IP Lists and Threat Lists <https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_upload_lists.html>`__ in the GuardDuty User Guide.
		For more information, see `Working with Trusted IP Lists and Threat Lists <https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_upload_lists.html>`__ in the GuardDuty User Guide.