Indicator - Amazon GuardDuty

Indicator

Contains information about the indicators that include a set of signals observed in an attack sequence.

Contents

key

Specific indicator keys observed in the attack sequence.

Type: String

Valid Values: SUSPICIOUS_USER_AGENT | SUSPICIOUS_NETWORK | MALICIOUS_IP | TOR_IP | ATTACK_TACTIC | HIGH_RISK_API | ATTACK_TECHNIQUE | UNUSUAL_API_FOR_ACCOUNT | UNUSUAL_ASN_FOR_ACCOUNT | UNUSUAL_ASN_FOR_USER

Required: Yes

title

Title describing the indicator.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 256.

Required: No

values

Values associated with each indicator key. For example, if the indicator key is SUSPICIOUS_NETWORK, then the value will be the name of the network. If the indicator key is ATTACK_TACTIC, then the value will be one of the MITRE tactics.

For more information about the values associated with the key, see GuardDuty Extended Threat Detection in the GuardDuty User Guide.

Type: Array of strings

Array Members: Minimum number of 1 item. Maximum number of 400 items.

Length Constraints: Minimum length of 1. Maximum length of 256.

Required: No
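The following is an added example, not AWS code: it checks Indicator objects against the constraints documented above (required key from the valid values, title of 1 to 256 characters, values array of 1 to 400 strings of 1 to 256 characters each) and merges the values of the valid ones per key. The function names and the sample input are constructed for illustration.

```python
# Added example: names and sample data are hypothetical, not part of any AWS SDK.
VALID_KEYS = frozenset({
    "SUSPICIOUS_USER_AGENT", "SUSPICIOUS_NETWORK", "MALICIOUS_IP", "TOR_IP",
    "ATTACK_TACTIC", "HIGH_RISK_API", "ATTACK_TECHNIQUE",
    "UNUSUAL_API_FOR_ACCOUNT", "UNUSUAL_ASN_FOR_ACCOUNT", "UNUSUAL_ASN_FOR_USER",
})
MAX_LEN, MAX_VALUES = 256, 400  # string length limit, values array size limit

def _bad_string(s):
    return not isinstance(s, str) or not (1 <= len(s) <= MAX_LEN)

def validate_indicator(ind):
    """Return a list of constraint violations (an empty list means valid)."""
    if not isinstance(ind, dict):
        return ["indicator is not an object"]
    errors, key = [], ind.get("key")
    if key is None:
        errors.append("key: required field missing")
    elif not isinstance(key, str) or key not in VALID_KEYS:
        errors.append(f"key: {key!r} is not a documented valid value")
    if "title" in ind and _bad_string(ind["title"]):
        errors.append("title: must be a string of length 1..256")
    if "values" in ind:
        vals = ind["values"]
        if not isinstance(vals, list) or not (1 <= len(vals) <= MAX_VALUES):
            errors.append("values: must be an array of 1..400 items")
        else:
            errors += [f"values[{i}]: must be a string of length 1..256"
                       for i, v in enumerate(vals) if _bad_string(v)]
    return errors

def group_values_by_key(indicators):
    """Merge values of valid indicators per key; collect rejected ones with reasons."""
    grouped, rejected = {}, []
    for ind in indicators:
        errs = validate_indicator(ind)
        if errs:
            rejected.append((ind, errs))
        else:
            grouped.setdefault(ind["key"], []).extend(ind.get("values", []))
    return grouped, rejected

# Constructed sample input (not real GuardDuty output).
SAMPLE = [
    {"key": "ATTACK_TACTIC", "title": "Tactics", "values": ["Discovery", "Persistence"]},
    {"key": "TOR_IP", "values": ["198.51.100.7"]},
    {"key": "UNKNOWN_KEY", "values": ["x"]},      # key outside the valid values
    {"key": "MALICIOUS_IP", "values": []},        # values array below the minimum
    {"key": "ATTACK_TACTIC", "values": ["Exfiltration"]},
]
```

Rejecting malformed indicators before they reach triage or alert-routing logic keeps an unknown key or an empty values array from being silently treated as a match.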

See Also

For more information about using this API in one of the language-specific Amazon SDKs, see the following: