All API actions are logged as CloudTrail events. See Logging Detective API Calls with CloudTrail.
We replaced the term "master account" with the term "administrator account." An +
We replaced the term "master account" with the term "administrator account". An administrator account is used to centrally manage multiple accounts. In the case of Detective, the administrator account manages the accounts in their behavior graph.
diff --git a/clients/client-detective/src/Detective.ts b/clients/client-detective/src/Detective.ts index 708ff2c401f2..01e296311123 100644 --- a/clients/client-detective/src/Detective.ts +++ b/clients/client-detective/src/Detective.ts @@ -665,7 +665,7 @@ export interface Detective { * *All API actions are logged as CloudTrail events. See Logging Detective API Calls with CloudTrail.
*We replaced the term "master account" with the term "administrator account." An + *
We replaced the term "master account" with the term "administrator account". An * administrator account is used to centrally manage multiple accounts. In the case of * Detective, the administrator account manages the accounts in their behavior * graph.
diff --git a/clients/client-detective/src/DetectiveClient.ts b/clients/client-detective/src/DetectiveClient.ts index 26d24856a642..09751f66f551 100644 --- a/clients/client-detective/src/DetectiveClient.ts +++ b/clients/client-detective/src/DetectiveClient.ts @@ -444,7 +444,7 @@ export interface DetectiveClientResolvedConfig extends DetectiveClientResolvedCo * *All API actions are logged as CloudTrail events. See Logging Detective API Calls with CloudTrail.
*We replaced the term "master account" with the term "administrator account." An + *
We replaced the term "master account" with the term "administrator account". An * administrator account is used to centrally manage multiple accounts. In the case of * Detective, the administrator account manages the accounts in their behavior * graph.
diff --git a/clients/client-detective/src/commands/CreateGraphCommand.ts b/clients/client-detective/src/commands/CreateGraphCommand.ts index f1654029b150..164c9c3bc6a0 100644 --- a/clients/client-detective/src/commands/CreateGraphCommand.ts +++ b/clients/client-detective/src/commands/CreateGraphCommand.ts @@ -30,12 +30,6 @@ export interface CreateGraphCommandOutput extends CreateGraphResponse, __Metadat * @public *Creates a new behavior graph for the calling account, and sets that account as the * administrator account. This operation is called by the account that is enabling Detective.
- *Before you try to enable Detective, make sure that your account has been - * enrolled in Amazon GuardDuty for at least 48 hours. If you do not meet this - * requirement, you cannot enable Detective. If you do meet the GuardDuty - * prerequisite, then when you make the request to enable Detective, it checks - * whether your data volume is within the Detective quota. If it exceeds the quota, - * then you cannot enable Detective.
*The operation also enables Detective for the calling account in the currently * selected Region. It returns the ARN of the new behavior graph.
*@@ -83,17 +77,12 @@ export interface CreateGraphCommandOutput extends CreateGraphResponse, __Metadat *
This request cannot be completed for one of the following reasons.
*The request would cause the number of member accounts in the behavior graph to - * exceed the maximum allowed. A behavior graph cannot have more than 1200 member - * accounts.
+ *This request cannot be completed if it would cause the number of member accounts in the + * behavior graph to exceed the maximum allowed. A behavior graph cannot have more than 1,200 + * member accounts.
*The request would cause the data rate for the behavior graph to exceed the maximum - * allowed.
- *Detective is unable to verify the data rate for the member account. This - * is usually because the member account is not enrolled in Amazon GuardDuty.
+ *This request cannot be completed if the current volume ingested is above the limit of 10 TB per day. Detective will not allow you to add additional member accounts.
*This request cannot be completed for one of the following reasons.
*The request would cause the number of member accounts in the behavior graph to - * exceed the maximum allowed. A behavior graph cannot have more than 1200 member - * accounts.
+ *This request cannot be completed if it would cause the number of member accounts in the + * behavior graph to exceed the maximum allowed. A behavior graph cannot have more than 1,200 + * member accounts.
*The request would cause the data rate for the behavior graph to exceed the maximum - * allowed.
- *Detective is unable to verify the data rate for the member account. This - * is usually because the member account is not enrolled in Amazon GuardDuty.
+ *This request cannot be completed if the current volume ingested is above the limit of 10 TB per day. Detective will not allow you to add additional member accounts.
*Returns the investigation results of an investigation for a behavior graph.
+ *Detective investigations lets you investigate IAM users and IAM roles using indicators of compromise. An indicator of compromise (IOC) is an artifact observed in or on a network, system, or environment that can (with a high level of confidence) identify malicious activity or a security incident. GetInvestigation returns the investigation results of an investigation for a behavior graph.
Get the indicators from an investigation
+ *Gets the indicators from an investigation. You can use the information from the indicators to determine if an IAM user and/or IAM role is involved in an unusual activity that could indicate malicious behavior and its impact.
* @example * Use a bare-bones client and the command you need to make an API call. * ```javascript diff --git a/clients/client-detective/src/commands/ListInvestigationsCommand.ts b/clients/client-detective/src/commands/ListInvestigationsCommand.ts index 3f7ce323e46b..e249eda757aa 100644 --- a/clients/client-detective/src/commands/ListInvestigationsCommand.ts +++ b/clients/client-detective/src/commands/ListInvestigationsCommand.ts @@ -28,7 +28,12 @@ export interface ListInvestigationsCommandOutput extends ListInvestigationsRespo /** * @public - *List all Investigations.
+ *Detective investigations lets you investigate IAM users and
+ * IAM roles using indicators of compromise. An indicator of compromise
+ * (IOC) is an artifact observed in or on a network, system, or environment that can (with a
+ * high level of confidence) identify malicious activity or a security incident.
+ * ListInvestigations lists all active Detective
+ * investigations.
initiate an investigation on an entity in a graph
+ *Detective investigations lets you investigate IAM users and IAM roles using indicators of compromise. An indicator of compromise (IOC) is an artifact observed in or on a network, system, or environment that can (with a high level of confidence) identify malicious activity or a security incident. StartInvestigation initiates an investigation on an entity in a behavior graph.
This request cannot be completed for one of the following reasons.
*The request would cause the number of member accounts in the behavior graph to - * exceed the maximum allowed. A behavior graph cannot have more than 1200 member - * accounts.
+ *This request cannot be completed if it would cause the number of member accounts in the + * behavior graph to exceed the maximum allowed. A behavior graph cannot have more than 1,200 + * member accounts.
*The request would cause the data rate for the behavior graph to exceed the maximum - * allowed.
- *Detective is unable to verify the data rate for the member account. This - * is usually because the member account is not enrolled in Amazon GuardDuty.
+ *This request cannot be completed if the current volume ingested is above the limit of 10 TB per day. Detective will not allow you to add additional member accounts.
*This request cannot be completed for one of the following reasons.
*The request would cause the number of member accounts in the behavior graph to - * exceed the maximum allowed. A behavior graph cannot have more than 1200 member - * accounts.
+ *This request cannot be completed if it would cause the number of member accounts in the + * behavior graph to exceed the maximum allowed. A behavior graph cannot have more than 1,200 + * member accounts.
*The request would cause the data rate for the behavior graph to exceed the maximum - * allowed.
- *Detective is unable to verify the data rate for the member account. This - * is usually because the member account is not enrolled in Amazon GuardDuty.
+ *This request cannot be completed if the current volume ingested is above the limit of 10 TB per day. Detective will not allow you to add additional member accounts.
*Update the state of an investigation.
+ *Updates the state of an investigation.
* @example * Use a bare-bones client and the command you need to make an API call. * ```javascript diff --git a/clients/client-detective/src/index.ts b/clients/client-detective/src/index.ts index 3129db1bc8a3..1f9d04710051 100644 --- a/clients/client-detective/src/index.ts +++ b/clients/client-detective/src/index.ts @@ -72,7 +72,7 @@ * *All API actions are logged as CloudTrail events. See Logging Detective API Calls with CloudTrail.
*We replaced the term "master account" with the term "administrator account." An + *
We replaced the term "master account" with the term "administrator account". An * administrator account is used to centrally manage multiple accounts. In the case of * Detective, the administrator account manages the accounts in their behavior * graph.
diff --git a/clients/client-detective/src/models/models_0.ts b/clients/client-detective/src/models/models_0.ts index d8dd705d9c2c..42f9b74481c2 100644 --- a/clients/client-detective/src/models/models_0.ts +++ b/clients/client-detective/src/models/models_0.ts @@ -431,17 +431,12 @@ export interface CreateGraphResponse { *This request cannot be completed for one of the following reasons.
*The request would cause the number of member accounts in the behavior graph to - * exceed the maximum allowed. A behavior graph cannot have more than 1200 member - * accounts.
+ *This request cannot be completed if it would cause the number of member accounts in the + * behavior graph to exceed the maximum allowed. A behavior graph cannot have more than 1,200 + * member accounts.
*The request would cause the data rate for the behavior graph to exceed the maximum - * allowed.
- *Detective is unable to verify the data rate for the member account. This - * is usually because the member account is not enrolled in Amazon GuardDuty.
+ *This request cannot be completed if the current volume ingested is above the limit of 10 TB per day. Detective will not allow you to add additional member accounts.
*The ARN of the behavior graph.
+ *The Amazon Resource Name (ARN) of the behavior graph.
*/ GraphArn: string | undefined; @@ -979,7 +974,7 @@ export type Status = (typeof Status)[keyof typeof Status]; export interface GetInvestigationResponse { /** * @public - *The ARN of the behavior graph.
+ *The Amazon Resource Name (ARN) of the behavior graph.
*/ GraphArn?: string; @@ -991,49 +986,53 @@ export interface GetInvestigationResponse { /** * @public - *The unique Amazon Resource Name (ARN) of the IAM user and IAM role.
+ *The unique Amazon Resource Name (ARN). Detective supports IAM user ARNs and IAM role ARNs.
*/ EntityArn?: string; /** * @public - *Type of entity. For example, Amazon Web Services accounts, such as IAM user and role.
+ *Type of entity. For example, Amazon Web Services accounts, such as an IAM user and/or IAM role.
*/ EntityType?: EntityType; /** * @public - *The UTC time stamp of the creation time of the investigation report.
+ *The creation time of the investigation report in UTC time stamp format.
*/ CreatedTime?: Date; /** * @public - *The start date and time for the scope time set to generate the investigation report.
+ *The start date and time used to set the scope time within which you want to generate the investigation report. The value is an UTC ISO8601 formatted
+ * string. For example, 2021-08-18T16:35:56.284Z.
The data and time when the investigation began. The value is an UTC ISO8601 formatted string. For example, 2021-08-18T16:35:56.284Z.
+ *The data and time when the investigation began. The value is an UTC ISO8601 formatted
+ * string. For example, 2021-08-18T16:35:56.284Z.
Status based on the completion status of the investigation.
+ *The status based on the completion status of the investigation.
*/ Status?: Status; /** * @public - *Severity based on the likelihood and impact of the indicators of compromise discovered in the investigation.
+ *The severity assigned is based on the likelihood and impact of the indicators of + * compromise discovered in the investigation.
*/ Severity?: Severity; /** * @public - *The current state of the investigation. An archived investigation indicates you have completed reviewing the investigation.
+ *The current state of the investigation. An archived investigation indicates that you + * have completed reviewing the investigation.
*/ State?: State; } @@ -1224,7 +1223,7 @@ export type IndicatorType = (typeof IndicatorType)[keyof typeof IndicatorType]; export interface ListIndicatorsRequest { /** * @public - *The ARN of the behavior graph.
+ *The Amazon Resource Name (ARN) of the behavior graph.
*/ GraphArn: string | undefined; @@ -1236,20 +1235,20 @@ export interface ListIndicatorsRequest { /** * @public - *See Detective investigations..
+ *For the list of indicators of compromise that are generated by Detective investigations, see Detective investigations.
*/ IndicatorType?: IndicatorType; /** * @public - *List if there are more results available. The value of nextToken is a unique pagination token for each page. Repeat the call using the returned token to retrieve the next page. Keep all other arguments unchanged.
+ *Lists if there are more results available. The value of nextToken is a unique pagination token for each page. Repeat the call using the returned token to retrieve the next page. Keep all other arguments unchanged.
*Each pagination token expires after 24 hours. Using an expired pagination token will return a Validation Exception error.
*/ NextToken?: string; /** * @public - *List the maximum number of indicators in a page.
+ *Lists the maximum number of indicators in a page.
*/ MaxResults?: number; } @@ -1292,7 +1291,7 @@ export interface FlaggedIpAddressDetail { export interface ImpossibleTravelDetail { /** * @public - *IP address where the resource was first used in the impossible travel
+ *IP address where the resource was first used in the impossible travel.
*/ StartingIpAddress?: string; @@ -1304,7 +1303,7 @@ export interface ImpossibleTravelDetail { /** * @public - *Location where the resource was first used in the impossible travel
+ *Location where the resource was first used in the impossible travel.
*/ StartingLocation?: string; @@ -1334,7 +1333,7 @@ export interface NewAsoDetail { /** * @public - *Checks if the ASO is for new for the entire account.
+ *Checks if the Autonomous System Organization (ASO) is new for the entire account.
*/ IsNewForEntireAccount?: boolean; } @@ -1358,7 +1357,7 @@ export interface NewGeolocationDetail { /** * @public - *Checks if the gelocation is new for the entire account.
+ *Checks if the geolocation is new for the entire account.
*/ IsNewForEntireAccount?: boolean; } @@ -1388,7 +1387,7 @@ export interface NewUserAgentDetail { export interface RelatedFindingDetail { /** * @public - *The ARN of the related finding.
+ *The Amazon Resource Name (ARN) of the related finding.
*/ Arn?: string; @@ -1443,13 +1442,13 @@ export interface TTPsObservedDetail { /** * @public - *The IP address where the TTP was observed.
+ *The IP address where the tactics, techniques, and procedure (TTP) was observed.
*/ IpAddress?: string; /** * @public - *The name of the API where the TTP was observed.
+ *The name of the API where the tactics, techniques, and procedure (TTP) was observed.
*/ APIName?: string; @@ -1468,7 +1467,7 @@ export interface TTPsObservedDetail { /** * @public - *Details about the indicators of compromise which are used to determine if a resource is involved in a security incident.
+ *Details about the indicators of compromise which are used to determine if a resource is involved in a security incident. An indicator of compromise (IOC) is an artifact observed in or on a network, system, or environment that can (with a high level of confidence) identify malicious activity or a security incident. For the list of indicators of compromise that are generated by Detective investigations, see Detective investigations.
*/ export interface IndicatorDetail { /** @@ -1485,7 +1484,7 @@ export interface IndicatorDetail { /** * @public - *Suspicious IP addresses that are flagged, which indicates critical or severe threats based on threat intelligence by Detective. This indicator is derived from AWS threat intelligence.
+ *Suspicious IP addresses that are flagged, which indicates critical or severe threats based on threat intelligence by Detective. This indicator is derived from Amazon Web Services threat intelligence.
*/ FlaggedIpAddressDetail?: FlaggedIpAddressDetail; @@ -1522,18 +1521,22 @@ export interface IndicatorDetail { /** * @public - *Investigations triages indicators of compromises such as a finding and surfaces only the most critical and suspicious issues, so you can focus on high-level investigations.
+ *Detective investigations triages indicators of compromises such as a finding
+ * and surfaces only the most critical and suspicious issues, so you can focus on high-level
+ * investigations. An Indicator lets you determine if an Amazon Web Services
+ * resource is involved in unusual activity that could indicate malicious behavior and its
+ * impact.
The type of indicator.
+ *The type of indicator.
*/ IndicatorType?: IndicatorType; /** * @public - *Details about the indicator of compromise.
+ *Details about the indicators of compromise that are used to determine if a resource is involved in a security incident. An indicator of compromise (IOC) is an artifact observed in or on a network, system, or environment that can (with a high level of confidence) identify malicious activity or a security incident.
*/ IndicatorDetail?: IndicatorDetail; } @@ -1544,7 +1547,7 @@ export interface Indicator { export interface ListIndicatorsResponse { /** * @public - *The ARN of the behavior graph.
+ *The Amazon Resource Name (ARN) of the behavior graph.
*/ GraphArn?: string; @@ -1556,14 +1559,14 @@ export interface ListIndicatorsResponse { /** * @public - *List if there are more results available. The value of nextToken is a unique pagination token for each page. Repeat the call using the returned token to retrieve the next page. Keep all other arguments unchanged.
+ *Lists if there are more results available. The value of nextToken is a unique pagination token for each page. Repeat the call using the returned token to retrieve the next page. Keep all other arguments unchanged.
*Each pagination token expires after 24 hours. Using an expired pagination token will return a Validation Exception error.
*/ NextToken?: string; /** * @public - *Indicators of compromise listed based on severity.
+ *Lists the indicators of compromise.
*/ Indicators?: Indicator[]; } @@ -1581,7 +1584,7 @@ export interface DateFilter { /** * @public - *A timestamp representing the end date of the time period until when data is filtered , including the end date.
+ *A timestamp representing the end date of the time period until when data is filtered, including the end date.
*/ EndInclusive: Date | undefined; } @@ -1687,26 +1690,26 @@ export interface SortCriteria { export interface ListInvestigationsRequest { /** * @public - *The ARN of the behavior graph.
+ *The Amazon Resource Name (ARN) of the behavior graph.
*/ GraphArn: string | undefined; /** * @public - *List if there are more results available. The value of nextToken is a unique pagination token for each page. Repeat the call using the returned token to retrieve the next page. Keep all other arguments unchanged.
+ *Lists if there are more results available. The value of nextToken is a unique pagination token for each page. Repeat the call using the returned token to retrieve the next page. Keep all other arguments unchanged.
*Each pagination token expires after 24 hours. Using an expired pagination token will return a Validation Exception error.
*/ NextToken?: string; /** * @public - *List the maximum number of investigations in a page.
+ *Lists the maximum number of investigations in a page.
*/ MaxResults?: number; /** * @public - *Filter the investigation results based on a criteria.
+ *Filters the investigation results based on a criteria.
*/ FilterCriteria?: FilterCriteria; @@ -1719,7 +1722,7 @@ export interface ListInvestigationsRequest { /** * @public - *Details about the investigation related to a potential security event identified by Detective
+ *Details about the investigation related to a potential security event identified by Detective.
*/ export interface InvestigationDetail { /** @@ -1748,7 +1751,8 @@ export interface InvestigationDetail { /** * @public - *The UTC time stamp of the creation time of the investigation report.
+ *The time stamp of the creation time of the investigation report. The value is an UTC ISO8601 formatted
+ * string. For example, 2021-08-18T16:35:56.284Z.
Investigations details lists the summary of uncommon behavior or malicious activity which indicates a compromise.
+ *Lists the summary of uncommon behavior or malicious activity which indicates a compromise.
*/ InvestigationDetails?: InvestigationDetail[]; /** * @public - *List if there are more results available. The value of nextToken is a unique pagination token for each page. Repeat the call using the returned token to retrieve the next page. Keep all other arguments unchanged.
- *Each pagination token expires after 24 hours. Using an expired pagination token will return an HTTP 400 InvalidToken error.
+ *Lists if there are more results available. The value of nextToken is a unique pagination token for each page. Repeat the call using the returned token to retrieve the next page. Keep all other arguments unchanged.
+ *Each pagination token expires after 24 hours.
*/ NextToken?: string; } @@ -1952,7 +1956,7 @@ export interface RejectInvitationRequest { export interface StartInvestigationRequest { /** * @public - *The ARN of the behavior graph.
+ *The Amazon Resource Name (ARN) of the behavior graph.
*/ GraphArn: string | undefined; @@ -1970,7 +1974,7 @@ export interface StartInvestigationRequest { /** * @public - *The data and time when the investigation began. The value is an UTC ISO8601 formatted + *
The data and time when the investigation ended. The value is an UTC ISO8601 formatted
* string. For example, 2021-08-18T16:35:56.284Z.
The ARN of the behavior graph.
+ *The Amazon Resource Name (ARN) of the behavior graph.
*/ GraphArn: string | undefined; diff --git a/codegen/sdk-codegen/aws-models/detective.json b/codegen/sdk-codegen/aws-models/detective.json index cca368fffd00..8970e88499e1 100644 --- a/codegen/sdk-codegen/aws-models/detective.json +++ b/codegen/sdk-codegen/aws-models/detective.json @@ -343,7 +343,7 @@ "name": "detective" }, "aws.protocols#restJson1": {}, - "smithy.api#documentation": "Detective uses machine learning and purpose-built visualizations to help you to\n analyze and investigate security issues across your Amazon Web Services (Amazon Web Services) workloads. Detective automatically extracts time-based events such\n as login attempts, API calls, and network traffic from CloudTrail and Amazon Virtual Private Cloud (Amazon VPC) flow logs. It also extracts findings detected by\n Amazon GuardDuty.
\nThe Detective API primarily supports the creation and management of behavior\n graphs. A behavior graph contains the extracted data from a set of member accounts, and is\n created and managed by an administrator account.
\nTo add a member account to the behavior graph, the administrator account sends an\n invitation to the account. When the account accepts the invitation, it becomes a member\n account in the behavior graph.
\nDetective is also integrated with Organizations. The organization\n management account designates the Detective administrator account for the\n organization. That account becomes the administrator account for the organization behavior\n graph. The Detective administrator account is also the delegated administrator\n account for Detective in Organizations.
\nThe Detective administrator account can enable any organization account as a\n member account in the organization behavior graph. The organization accounts do not receive\n invitations. The Detective administrator account can also invite other accounts to\n the organization behavior graph.
\nEvery behavior graph is specific to a Region. You can only use the API to manage\n behavior graphs that belong to the Region that is associated with the currently selected\n endpoint.
\nThe administrator account for a behavior graph can use the Detective API to do\n the following:
\nEnable and disable Detective. Enabling Detective creates a new\n behavior graph.
\nView the list of member accounts in a behavior graph.
\nAdd member accounts to a behavior graph.
\nRemove member accounts from a behavior graph.
\nApply tags to a behavior graph.
\nThe organization management account can use the Detective API to select the\n delegated administrator for Detective.
\nThe Detective administrator account for an organization can use the Detective API to do the following:
\nPerform all of the functions of an administrator account.
\nDetermine whether to automatically enable new organization accounts as member\n accounts in the organization behavior graph.
\nAn invited member account can use the Detective API to do the following:
\nView the list of behavior graphs that they are invited to.
\nAccept an invitation to contribute to a behavior graph.
\nDecline an invitation to contribute to a behavior graph.
\nRemove their account from a behavior graph.
\nAll API actions are logged as CloudTrail events. See Logging Detective API Calls with CloudTrail.
\nWe replaced the term \"master account\" with the term \"administrator account.\" An\n administrator account is used to centrally manage multiple accounts. In the case of\n Detective, the administrator account manages the accounts in their behavior\n graph.
\nDetective uses machine learning and purpose-built visualizations to help you to\n analyze and investigate security issues across your Amazon Web Services (Amazon Web Services) workloads. Detective automatically extracts time-based events such\n as login attempts, API calls, and network traffic from CloudTrail and Amazon Virtual Private Cloud (Amazon VPC) flow logs. It also extracts findings detected by\n Amazon GuardDuty.
\nThe Detective API primarily supports the creation and management of behavior\n graphs. A behavior graph contains the extracted data from a set of member accounts, and is\n created and managed by an administrator account.
\nTo add a member account to the behavior graph, the administrator account sends an\n invitation to the account. When the account accepts the invitation, it becomes a member\n account in the behavior graph.
\nDetective is also integrated with Organizations. The organization\n management account designates the Detective administrator account for the\n organization. That account becomes the administrator account for the organization behavior\n graph. The Detective administrator account is also the delegated administrator\n account for Detective in Organizations.
\nThe Detective administrator account can enable any organization account as a\n member account in the organization behavior graph. The organization accounts do not receive\n invitations. The Detective administrator account can also invite other accounts to\n the organization behavior graph.
\nEvery behavior graph is specific to a Region. You can only use the API to manage\n behavior graphs that belong to the Region that is associated with the currently selected\n endpoint.
\nThe administrator account for a behavior graph can use the Detective API to do\n the following:
\nEnable and disable Detective. Enabling Detective creates a new\n behavior graph.
\nView the list of member accounts in a behavior graph.
\nAdd member accounts to a behavior graph.
\nRemove member accounts from a behavior graph.
\nApply tags to a behavior graph.
\nThe organization management account can use the Detective API to select the\n delegated administrator for Detective.
\nThe Detective administrator account for an organization can use the Detective API to do the following:
\nPerform all of the functions of an administrator account.
\nDetermine whether to automatically enable new organization accounts as member\n accounts in the organization behavior graph.
\nAn invited member account can use the Detective API to do the following:
\nView the list of behavior graphs that they are invited to.
\nAccept an invitation to contribute to a behavior graph.
\nDecline an invitation to contribute to a behavior graph.
\nRemove their account from a behavior graph.
\nAll API actions are logged as CloudTrail events. See Logging Detective API Calls with CloudTrail.
\nWe replaced the term \"master account\" with the term \"administrator account\". An\n administrator account is used to centrally manage multiple accounts. In the case of\n Detective, the administrator account manages the accounts in their behavior\n graph.
\nCreates a new behavior graph for the calling account, and sets that account as the\n administrator account. This operation is called by the account that is enabling Detective.
\nBefore you try to enable Detective, make sure that your account has been\n enrolled in Amazon GuardDuty for at least 48 hours. If you do not meet this\n requirement, you cannot enable Detective. If you do meet the GuardDuty\n prerequisite, then when you make the request to enable Detective, it checks\n whether your data volume is within the Detective quota. If it exceeds the quota,\n then you cannot enable Detective.
\nThe operation also enables Detective for the calling account in the currently\n selected Region. It returns the ARN of the new behavior graph.
\n\n CreateGraph triggers a process to create the corresponding data tables for\n the new behavior graph.
An account can only be the administrator account for one behavior graph within a Region.\n If the same account calls CreateGraph with the same administrator account, it\n always returns the same behavior graph ARN. It does not create a new behavior graph.
Creates a new behavior graph for the calling account, and sets that account as the\n administrator account. This operation is called by the account that is enabling Detective.
\nThe operation also enables Detective for the calling account in the currently\n selected Region. It returns the ARN of the new behavior graph.
\n\n CreateGraph triggers a process to create the corresponding data tables for\n the new behavior graph.
An account can only be the administrator account for one behavior graph within a Region.\n If the same account calls CreateGraph with the same administrator account, it\n always returns the same behavior graph ARN. It does not create a new behavior graph.
A timestamp representing the end date of the time period until when data is filtered , including the end date.
", + "smithy.api#documentation": "A timestamp representing the end date of the time period until when data is filtered, including the end date.
", "smithy.api#required": {} } } @@ -2235,7 +2235,7 @@ } ], "traits": { - "smithy.api#documentation": "Returns the investigation results of an investigation for a behavior graph.
", + "smithy.api#documentation": "Detective investigations lets you investigate IAM users and IAM roles using indicators of compromise. An indicator of compromise (IOC) is an artifact observed in or on a network, system, or environment that can (with a high level of confidence) identify malicious activity or a security incident. GetInvestigation returns the investigation results of an investigation for a behavior graph.
The ARN of the behavior graph.
", + "smithy.api#documentation": "The Amazon Resource Name (ARN) of the behavior graph.
", "smithy.api#required": {} } }, @@ -2271,7 +2271,7 @@ "GraphArn": { "target": "com.amazonaws.detective#GraphArn", "traits": { - "smithy.api#documentation": "The ARN of the behavior graph.
" + "smithy.api#documentation": "The Amazon Resource Name (ARN) of the behavior graph.
" } }, "InvestigationId": { @@ -2283,49 +2283,49 @@ "EntityArn": { "target": "com.amazonaws.detective#EntityArn", "traits": { - "smithy.api#documentation": "The unique Amazon Resource Name (ARN) of the IAM user and IAM role.
" + "smithy.api#documentation": "The unique Amazon Resource Name (ARN). Detective supports IAM user ARNs and IAM role ARNs.
" } }, "EntityType": { "target": "com.amazonaws.detective#EntityType", "traits": { - "smithy.api#documentation": "Type of entity. For example, Amazon Web Services accounts, such as IAM user and role.
" + "smithy.api#documentation": "Type of entity. For example, Amazon Web Services accounts, such as an IAM user and/or IAM role.
" } }, "CreatedTime": { "target": "com.amazonaws.detective#Timestamp", "traits": { - "smithy.api#documentation": "The UTC time stamp of the creation time of the investigation report.
" + "smithy.api#documentation": "The creation time of the investigation report in UTC time stamp format.
" } }, "ScopeStartTime": { "target": "com.amazonaws.detective#Timestamp", "traits": { - "smithy.api#documentation": "The start date and time for the scope time set to generate the investigation report.
" + "smithy.api#documentation": "The start date and time used to set the scope time within which you want to generate the investigation report. The value is an UTC ISO8601 formatted\n string. For example, 2021-08-18T16:35:56.284Z.
The data and time when the investigation began. The value is an UTC ISO8601 formatted string. For example, 2021-08-18T16:35:56.284Z.
" + "smithy.api#documentation": "The data and time when the investigation began. The value is an UTC ISO8601 formatted\n string. For example, 2021-08-18T16:35:56.284Z.
Status based on the completion status of the investigation.
" + "smithy.api#documentation": "The status based on the completion status of the investigation.
" } }, "Severity": { "target": "com.amazonaws.detective#Severity", "traits": { - "smithy.api#documentation": "Severity based on the likelihood and impact of the indicators of compromise discovered in the investigation.
" + "smithy.api#documentation": "The severity assigned is based on the likelihood and impact of the indicators of\n compromise discovered in the investigation.
" } }, "State": { "target": "com.amazonaws.detective#State", "traits": { - "smithy.api#documentation": "The current state of the investigation. An archived investigation indicates you have completed reviewing the investigation.
" + "smithy.api#documentation": "The current state of the investigation. An archived investigation indicates that you\n have completed reviewing the investigation.
" } } }, @@ -2462,7 +2462,7 @@ "StartingIpAddress": { "target": "com.amazonaws.detective#IpAddress", "traits": { - "smithy.api#documentation": "IP address where the resource was first used in the impossible travel
" + "smithy.api#documentation": "IP address where the resource was first used in the impossible travel.
" } }, "EndingIpAddress": { @@ -2474,7 +2474,7 @@ "StartingLocation": { "target": "com.amazonaws.detective#Location", "traits": { - "smithy.api#documentation": "Location where the resource was first used in the impossible travel
" + "smithy.api#documentation": "Location where the resource was first used in the impossible travel.
" } }, "EndingLocation": { @@ -2500,18 +2500,18 @@ "IndicatorType": { "target": "com.amazonaws.detective#IndicatorType", "traits": { - "smithy.api#documentation": "The type of indicator.
" + "smithy.api#documentation": "The type of indicator.
" } }, "IndicatorDetail": { "target": "com.amazonaws.detective#IndicatorDetail", "traits": { - "smithy.api#documentation": "Details about the indicator of compromise.
" + "smithy.api#documentation": "Details about the indicators of compromise that are used to determine if a resource is involved in a security incident. An indicator of compromise (IOC) is an artifact observed in or on a network, system, or environment that can (with a high level of confidence) identify malicious activity or a security incident.
" } } }, "traits": { - "smithy.api#documentation": "Investigations triages indicators of compromises such as a finding and surfaces only the most critical and suspicious issues, so you can focus on high-level investigations.
" + "smithy.api#documentation": "Detective investigations triages indicators of compromises such as a finding\n and surfaces only the most critical and suspicious issues, so you can focus on high-level\n investigations. An Indicator lets you determine if an Amazon Web Services\n resource is involved in unusual activity that could indicate malicious behavior and its\n impact.
Suspicious IP addresses that are flagged, which indicates critical or severe threats based on threat intelligence by Detective. This indicator is derived from AWS threat intelligence.
" + "smithy.api#documentation": "Suspicious IP addresses that are flagged, which indicates critical or severe threats based on threat intelligence by Detective. This indicator is derived from Amazon Web Services threat intelligence.
" } }, "NewGeolocationDetail": { @@ -2567,7 +2567,7 @@ } }, "traits": { - "smithy.api#documentation": "Details about the indicators of compromise which are used to determine if a resource is involved in a security incident.
" + "smithy.api#documentation": "Details about the indicators of compromise which are used to determine if a resource is involved in a security incident. An indicator of compromise (IOC) is an artifact observed in or on a network, system, or environment that can (with a high level of confidence) identify malicious activity or a security incident. For the list of indicators of compromise that are generated by Detective investigations, see Detective investigations.
" } }, "com.amazonaws.detective#IndicatorType": { @@ -2672,7 +2672,7 @@ "CreatedTime": { "target": "com.amazonaws.detective#Timestamp", "traits": { - "smithy.api#documentation": "The UTC time stamp of the creation time of the investigation report.
" + "smithy.api#documentation": "The time stamp of the creation time of the investigation report. The value is an UTC ISO8601 formatted\n string. For example, 2021-08-18T16:35:56.284Z.
Details about the investigation related to a potential security event identified by Detective
" + "smithy.api#documentation": "Details about the investigation related to a potential security event identified by Detective.
" } }, "com.amazonaws.detective#InvestigationDetails": { @@ -2925,7 +2925,7 @@ } ], "traits": { - "smithy.api#documentation": "Get the indicators from an investigation
", + "smithy.api#documentation": "Gets the indicators from an investigation. You can use the information from the indicators to determine if an IAM user and/or IAM role is involved in an unusual activity that could indicate malicious behavior and its impact.
", "smithy.api#http": { "method": "POST", "uri": "/investigations/listIndicators", @@ -2939,7 +2939,7 @@ "GraphArn": { "target": "com.amazonaws.detective#GraphArn", "traits": { - "smithy.api#documentation": "The ARN of the behavior graph.
", + "smithy.api#documentation": "The Amazon Resource Name (ARN) of the behavior graph.
", "smithy.api#required": {} } }, @@ -2953,19 +2953,19 @@ "IndicatorType": { "target": "com.amazonaws.detective#IndicatorType", "traits": { - "smithy.api#documentation": "See Detective investigations..
" + "smithy.api#documentation": "For the list of indicators of compromise that are generated by Detective investigations, see Detective investigations.
" } }, "NextToken": { "target": "com.amazonaws.detective#AiPaginationToken", "traits": { - "smithy.api#documentation": "List if there are more results available. The value of nextToken is a unique pagination token for each page. Repeat the call using the returned token to retrieve the next page. Keep all other arguments unchanged.
\nEach pagination token expires after 24 hours. Using an expired pagination token will return a Validation Exception error.
" + "smithy.api#documentation": "Lists if there are more results available. The value of nextToken is a unique pagination token for each page. Repeat the call using the returned token to retrieve the next page. Keep all other arguments unchanged.
\nEach pagination token expires after 24 hours. Using an expired pagination token will return a Validation Exception error.
" } }, "MaxResults": { "target": "com.amazonaws.detective#MaxResults", "traits": { - "smithy.api#documentation": "List the maximum number of indicators in a page.
" + "smithy.api#documentation": "Lists the maximum number of indicators in a page.
" } } }, @@ -2979,7 +2979,7 @@ "GraphArn": { "target": "com.amazonaws.detective#GraphArn", "traits": { - "smithy.api#documentation": "The ARN of the behavior graph.
" + "smithy.api#documentation": "The Amazon Resource Name (ARN) of the behavior graph.
" } }, "InvestigationId": { @@ -2991,13 +2991,13 @@ "NextToken": { "target": "com.amazonaws.detective#AiPaginationToken", "traits": { - "smithy.api#documentation": "List if there are more results available. The value of nextToken is a unique pagination token for each page. Repeat the call using the returned token to retrieve the next page. Keep all other arguments unchanged.
\nEach pagination token expires after 24 hours. Using an expired pagination token will return a Validation Exception error.
" + "smithy.api#documentation": "Lists if there are more results available. The value of nextToken is a unique pagination token for each page. Repeat the call using the returned token to retrieve the next page. Keep all other arguments unchanged.
\nEach pagination token expires after 24 hours. Using an expired pagination token will return a Validation Exception error.
" } }, "Indicators": { "target": "com.amazonaws.detective#Indicators", "traits": { - "smithy.api#documentation": "Indicators of compromise listed based on severity.
" + "smithy.api#documentation": "Lists the indicators of compromise.
" } } }, @@ -3031,7 +3031,7 @@ } ], "traits": { - "smithy.api#documentation": "List all Investigations.
", + "smithy.api#documentation": "Detective investigations lets you investigate IAM users and\n IAM roles using indicators of compromise. An indicator of compromise\n (IOC) is an artifact observed in or on a network, system, or environment that can (with a\n high level of confidence) identify malicious activity or a security incident.\n ListInvestigations lists all active Detective\n investigations.
The ARN of the behavior graph.
", + "smithy.api#documentation": "The Amazon Resource Name (ARN) of the behavior graph.
", "smithy.api#required": {} } }, "NextToken": { "target": "com.amazonaws.detective#AiPaginationToken", "traits": { - "smithy.api#documentation": "List if there are more results available. The value of nextToken is a unique pagination token for each page. Repeat the call using the returned token to retrieve the next page. Keep all other arguments unchanged.
\nEach pagination token expires after 24 hours. Using an expired pagination token will return a Validation Exception error.
" + "smithy.api#documentation": "Lists if there are more results available. The value of nextToken is a unique pagination token for each page. Repeat the call using the returned token to retrieve the next page. Keep all other arguments unchanged.
\nEach pagination token expires after 24 hours. Using an expired pagination token will return a Validation Exception error.
" } }, "MaxResults": { "target": "com.amazonaws.detective#MaxResults", "traits": { - "smithy.api#documentation": "List the maximum number of investigations in a page.
" + "smithy.api#documentation": "Lists the maximum number of investigations in a page.
" } }, "FilterCriteria": { "target": "com.amazonaws.detective#FilterCriteria", "traits": { - "smithy.api#documentation": "Filter the investigation results based on a criteria.
" + "smithy.api#documentation": "Filters the investigation results based on a criteria.
" } }, "SortCriteria": { @@ -3084,13 +3084,13 @@ "InvestigationDetails": { "target": "com.amazonaws.detective#InvestigationDetails", "traits": { - "smithy.api#documentation": "Investigations details lists the summary of uncommon behavior or malicious activity which indicates a compromise.
" + "smithy.api#documentation": "Lists the summary of uncommon behavior or malicious activity which indicates a compromise.
" } }, "NextToken": { "target": "com.amazonaws.detective#AiPaginationToken", "traits": { - "smithy.api#documentation": "List if there are more results available. The value of nextToken is a unique pagination token for each page. Repeat the call using the returned token to retrieve the next page. Keep all other arguments unchanged.
\nEach pagination token expires after 24 hours. Using an expired pagination token will return an HTTP 400 InvalidToken error.
" + "smithy.api#documentation": "Lists if there are more results available. The value of nextToken is a unique pagination token for each page. Repeat the call using the returned token to retrieve the next page. Keep all other arguments unchanged.
\nEach pagination token expires after 24 hours.
" } } }, @@ -3634,7 +3634,7 @@ "target": "com.amazonaws.detective#IsNewForEntireAccount", "traits": { "smithy.api#default": false, - "smithy.api#documentation": "Checks if the ASO is for new for the entire account.
" + "smithy.api#documentation": "Checks if the Autonomous System Organization (ASO) is new for the entire account.
" } } }, @@ -3661,7 +3661,7 @@ "target": "com.amazonaws.detective#IsNewForEntireAccount", "traits": { "smithy.api#default": false, - "smithy.api#documentation": "Checks if the gelocation is new for the entire account.
" + "smithy.api#documentation": "Checks if the geolocation is new for the entire account.
" } } }, @@ -3771,7 +3771,7 @@ "Arn": { "target": "com.amazonaws.detective#EntityArn", "traits": { - "smithy.api#documentation": "The ARN of the related finding.
" + "smithy.api#documentation": "The Amazon Resource Name (ARN) of the related finding.
" } }, "Type": { @@ -3853,7 +3853,7 @@ } }, "traits": { - "smithy.api#documentation": "This request cannot be completed for one of the following reasons.
\nThe request would cause the number of member accounts in the behavior graph to\n exceed the maximum allowed. A behavior graph cannot have more than 1200 member\n accounts.
\nThe request would cause the data rate for the behavior graph to exceed the maximum\n allowed.
\nDetective is unable to verify the data rate for the member account. This\n is usually because the member account is not enrolled in Amazon GuardDuty.
\nThis request cannot be completed for one of the following reasons.
\nThis request cannot be completed if it would cause the number of member accounts in the\n behavior graph to exceed the maximum allowed. A behavior graph cannot have more than 1,200\n member accounts.
\nThis request cannot be completed if the current volume ingested is above the limit of 10 TB per day. Detective will not allow you to add additional member accounts.
\ninitiate an investigation on an entity in a graph
", + "smithy.api#documentation": "Detective investigations lets you investigate IAM users and IAM roles using indicators of compromise. An indicator of compromise (IOC) is an artifact observed in or on a network, system, or environment that can (with a high level of confidence) identify malicious activity or a security incident. StartInvestigation initiates an investigation on an entity in a behavior graph.
The ARN of the behavior graph.
", + "smithy.api#documentation": "The Amazon Resource Name (ARN) of the behavior graph.
", "smithy.api#required": {} } }, @@ -3991,7 +3991,7 @@ "ScopeEndTime": { "target": "com.amazonaws.detective#Timestamp", "traits": { - "smithy.api#documentation": "The data and time when the investigation began. The value is an UTC ISO8601 formatted\n string. For example, 2021-08-18T16:35:56.284Z.
The data and time when the investigation ended. The value is an UTC ISO8601 formatted\n string. For example, 2021-08-18T16:35:56.284Z.
The IP address where the TTP was observed.
" + "smithy.api#documentation": "The IP address where the tactics, techniques, and procedure (TTP) was observed.
" } }, "APIName": { "target": "com.amazonaws.detective#APIName", "traits": { - "smithy.api#documentation": "The name of the API where the TTP was observed.
" + "smithy.api#documentation": "The name of the API where the tactics, techniques, and procedure (TTP) was observed.
" } }, "APISuccessCount": { @@ -4528,7 +4528,7 @@ } ], "traits": { - "smithy.api#documentation": "Update the state of an investigation.
", + "smithy.api#documentation": "Updates the state of an investigation.
", "smithy.api#http": { "method": "POST", "uri": "/investigations/updateInvestigationState", @@ -4542,7 +4542,7 @@ "GraphArn": { "target": "com.amazonaws.detective#GraphArn", "traits": { - "smithy.api#documentation": "The ARN of the behavior graph.
", + "smithy.api#documentation": "The Amazon Resource Name (ARN) of the behavior graph.
", "smithy.api#required": {} } },