CreateDetector
Creates a single GuardDuty detector. A detector is a resource that represents the GuardDuty service. To start using GuardDuty, you must create a detector in each Region where you enable the service. You can have only one detector per account per Region. All data sources are enabled in a new detector by default.
-
When you don't specify any
features, with an exception toRUNTIME_MONITORING, all the optional features are enabled by default. -
When you specify some of the
features, any feature that is not specified in the API call gets enabled by default, with an exception toRUNTIME_MONITORING.
Specifying both EKS Runtime Monitoring (EKS_RUNTIME_MONITORING)
and Runtime Monitoring (RUNTIME_MONITORING) will cause an error.
You can add only one of these two features because Runtime Monitoring already includes the
threat detection for Amazon EKS resources. For more information, see
Runtime Monitoring.
There might be regional differences because some data sources might not be available in all the Amazon Regions where GuardDuty is presently supported. For more information, see Regions and endpoints.
Request Syntax
POST /detector HTTP/1.1
Content-type: application/json
{
"clientToken": "string",
"dataSources": {
"kubernetes": {
"auditLogs": {
"enable": boolean
}
},
"malwareProtection": {
"scanEc2InstanceWithFindings": {
"ebsVolumes": boolean
}
},
"s3Logs": {
"enable": boolean
}
},
"enable": boolean,
"features": [
{
"additionalConfiguration": [
{
"name": "string",
"status": "string"
}
],
"name": "string",
"status": "string"
}
],
"findingPublishingFrequency": "string",
"tags": {
"string" : "string"
}
}URI Request Parameters
The request does not use any URI parameters.
Request Body
The request accepts the following data in JSON format.
- clientToken
-
The idempotency token for the create request.
Type: String
Length Constraints: Minimum length of 0. Maximum length of 64.
Required: No
- dataSources
-
This parameter has been deprecated.
Describes which data sources will be enabled for the detector.
There might be regional differences because some data sources might not be available in all the Amazon Regions where GuardDuty is presently supported. For more information, see Regions and endpoints.
Type: DataSourceConfigurations object
Required: No
- enable
-
A Boolean value that specifies whether the detector is to be enabled.
Type: Boolean
Required: Yes
- features
-
A list of features that will be configured for the detector.
Type: Array of DetectorFeatureConfiguration objects
Required: No
- findingPublishingFrequency
-
A value that specifies how frequently updated findings are exported.
Type: String
Valid Values:
FIFTEEN_MINUTES | ONE_HOUR | SIX_HOURSRequired: No
-
The tags to be added to a new detector resource.
Type: String to string map
Map Entries: Maximum number of 200 items.
Key Length Constraints: Minimum length of 1. Maximum length of 128.
Key Pattern:
^(?!aws:)[a-zA-Z+-=._:/]+$Value Length Constraints: Maximum length of 256.
Required: No
Response Syntax
HTTP/1.1 200
Content-type: application/json
{
"detectorId": "string",
"unprocessedDataSources": {
"malwareProtection": {
"scanEc2InstanceWithFindings": {
"ebsVolumes": {
"reason": "string",
"status": "string"
}
},
"serviceRole": "string"
}
}
}Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
- detectorId
-
The unique ID of the created detector.
Type: String
Length Constraints: Minimum length of 1. Maximum length of 300.
- unprocessedDataSources
-
Specifies the data sources that couldn't be enabled when GuardDuty was enabled for the first time.
Type: UnprocessedDataSourcesResult object
Errors
For information about the errors that are common to all actions, see Common Errors.
- BadRequestException
-
A bad request exception object.
HTTP Status Code: 400
- InternalServerErrorException
-
An internal server error exception object.
HTTP Status Code: 500
See Also
For more information about using this API in one of the language-specific Amazon SDKs, see the following: