For Agents
Investigate, archive, and act on Amazon GuardDuty findings and manage detectors, member accounts, threat intel sets, and malware scan plans across an AWS organisation.
Get started with Amazon GuardDuty in minutes using your preferred integration method.
# Add to your MCP client config (Claude Desktop, Cursor, Windsurf)
{
"jentic": {
"url": "https://api.jentic.com/mcp",
"auth": "oauth"
}
}
# Then ask your agent:
"list amazon guardduty findings"
# → Jentic returns the GET /events tool with parameter schema, agent executes.
What an agent can do with the Amazon GuardDuty API.
Create and configure GuardDuty detectors with selected data sources and feature toggles
List and retrieve security findings with filtering by severity, type, and resource
Archive and unarchive findings to triage incidents at scale
Manage trusted IP sets and threat intel sets that suppress or escalate detections
GET STARTED
Use for: enabling GuardDuty in a new region with all data sources turned on; listing high-severity findings across the organisation in the last 7 days; archiving a finding once an analyst has confirmed it is a false positive; adding an IP CIDR to a trusted IP set so internal scanners stop triggering alerts.
Not supported: Does not handle log ingestion, vulnerability scanning, or incident response automation — use for GuardDuty threat detection management and finding triage only.
Jentic publishes the only available OpenAPI specification for Amazon GuardDuty, keeping it validated and agent-ready. Amazon GuardDuty is a continuous threat detection service that analyses VPC flow logs, CloudTrail events, DNS logs, EKS audit logs, and EBS volume data to surface suspicious activity in AWS accounts. The API covers full lifecycle management of detectors, findings, threat intelligence sets, IP allow lists, member accounts, malware protection plans, and publishing destinations across 67 operations.
Invite, accept, and manage GuardDuty member accounts under a single administrator
Configure malware protection scan plans for EC2 instances and EBS volumes
Publish findings to S3, EventBridge, or Security Hub via destinations and filters
Patterns agents use the Amazon GuardDuty API for, with concrete tasks.
★ Centralised Multi-Account Threat Detection
Configure a delegated GuardDuty administrator account that aggregates findings from every member account in an AWS organisation. The API exposes EnableOrganizationAdminAccount, CreateMembers, InviteMembers, and ListMembers so an agent can onboard or audit accounts at scale. Findings flow into the administrator account where they can be filtered, archived, or republished.
Call EnableOrganizationAdminAccount for the security account, then CreateMembers with a list of AccountDetail entries and InviteMembers to send the invitation
Automated Finding Triage
Pull GuardDuty findings on a schedule, classify them by severity and type, archive low-severity false positives, and route the remainder to a SIEM or ticketing system. ListFindings supports rich filter criteria, GetFindings returns full detail for a batch, and ArchiveFindings closes off resolved cases. UpdateFindingsFeedback feeds analyst decisions back to AWS.
Call ListFindings with FindingCriteria filtering severity >= 7 and updatedAt within the last 24 hours, then GetFindings for the returned IDs
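The triage loop described above (ListFindings with a FindingCriteria filter, GetFindings for the returned IDs, ArchiveFindings for the confirmed noise), worked through as an added example. This is not code from Jentic or AWS: it assumes a client exposing list_findings / get_findings / archive_findings with the boto3 GuardDuty request and response shapes and condition key names, and the FakeGuardDutyClient, the finding records, the detector ID and the accepted-noise rule are all constructed sample data so it runs offline. It also shows the 50-ID batch limit for GetFindings/ArchiveFindings and NextToken pagination, which the FAQ entries on listing and archiving findings rely on.

```python
"""Scheduled GuardDuty finding triage: list -> get -> classify -> archive.

Added example, not Jentic's or AWS's code. The client is duck-typed: a boto3
guardduty client fits; FakeGuardDutyClient below is a constructed stand-in.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List

BATCH_LIMIT = 50  # GetFindings and ArchiveFindings accept up to 50 FindingIds per call

# Constructed policy: finding types an analyst has accepted as noise at LOW severity only.
ACCEPTED_NOISE_TYPES = {"Recon:EC2/PortProbeUnprotectedPort"}

NOW = datetime(2024, 1, 2, 12, 0, tzinfo=timezone.utc)  # constructed clock for reproducible runs


def build_finding_criteria(min_severity: int, hours: int, now: datetime) -> dict:
    """FindingCriteria for ListFindings: severity >= min_severity and updatedAt
    within the last `hours`; updatedAt is compared as epoch milliseconds."""
    since_ms = int((now - timedelta(hours=hours)).timestamp() * 1000)
    return {"Criterion": {
        "severity": {"GreaterThanOrEqual": min_severity},
        "updatedAt": {"GreaterThanOrEqual": since_ms},
    }}


def classify(finding: dict) -> str:
    """Route a full finding: 'escalate' (High, >= 7), 'archive' (Low, < 4 and an
    accepted-noise type) or 'review' (everything else, including Medium)."""
    severity = float(finding.get("Severity", 0))
    if severity >= 7:
        return "escalate"
    if severity < 4 and finding.get("Type") in ACCEPTED_NOISE_TYPES:
        return "archive"
    return "review"


def chunked(items: List[str], size: int) -> List[List[str]]:
    """Split an ID list into API-sized batches."""
    return [items[i:i + size] for i in range(0, len(items), size)]


def list_all_finding_ids(client, detector_id: str, criteria: dict) -> List[str]:
    """Follow NextToken until ListFindings is exhausted."""
    ids = []
    kwargs = {"DetectorId": detector_id, "FindingCriteria": criteria, "MaxResults": BATCH_LIMIT}
    while True:
        page = client.list_findings(**kwargs)
        ids.extend(page.get("FindingIds", []))
        if not page.get("NextToken"):
            return ids
        kwargs["NextToken"] = page["NextToken"]


def triage(client, detector_id: str, criteria: dict) -> Dict[str, List[str]]:
    """Fetch full records in batches, classify them, archive the noise in batches."""
    routed: Dict[str, List[str]] = {"escalate": [], "archive": [], "review": []}
    for id_batch in chunked(list_all_finding_ids(client, detector_id, criteria), BATCH_LIMIT):
        for finding in client.get_findings(DetectorId=detector_id, FindingIds=id_batch)["Findings"]:
            routed[classify(finding)].append(finding["Id"])
    for archive_batch in chunked(routed["archive"], BATCH_LIMIT):
        client.archive_findings(DetectorId=detector_id, FindingIds=archive_batch)
    return routed


class FakeGuardDutyClient:
    """Constructed offline stand-in for the three calls used above; pages are
    capped at two IDs so the NextToken loop is actually exercised."""
    PAGE_SIZE = 2

    def __init__(self, findings: List[dict]):
        self.findings = findings
        self.archive_calls: List[List[str]] = []

    def list_findings(self, DetectorId, FindingCriteria, MaxResults=50, NextToken=None):
        crit = FindingCriteria["Criterion"]
        matched = [f["Id"] for f in self.findings
                   if f["Severity"] >= crit["severity"]["GreaterThanOrEqual"]
                   and f["UpdatedAtMs"] >= crit["updatedAt"]["GreaterThanOrEqual"]]
        start = int(NextToken or 0)
        page = matched[start:start + min(MaxResults, self.PAGE_SIZE)]
        resp = {"FindingIds": page}
        if start + len(page) < len(matched):
            resp["NextToken"] = str(start + len(page))
        return resp

    def get_findings(self, DetectorId, FindingIds):
        return {"Findings": [f for f in self.findings if f["Id"] in FindingIds]}

    def archive_findings(self, DetectorId, FindingIds):
        if len(FindingIds) > BATCH_LIMIT:
            raise ValueError("ArchiveFindings accepts at most 50 FindingIds")
        self.archive_calls.append(list(FindingIds))
        return {}


def sample_findings() -> List[dict]:
    """Constructed finding records; IDs and timestamps are made up, UpdatedAtMs is
    a simplification of the real record's UpdatedAt field."""
    def ms(hours_ago):
        return int((NOW - timedelta(hours=hours_ago)).timestamp() * 1000)
    return [
        {"Id": "f-high", "Severity": 8.0, "Type": "Backdoor:EC2/C&CActivity.B!DNS", "UpdatedAtMs": ms(1)},
        {"Id": "f-noise", "Severity": 2.0, "Type": "Recon:EC2/PortProbeUnprotectedPort", "UpdatedAtMs": ms(5)},
        {"Id": "f-medium", "Severity": 5.0, "Type": "Recon:EC2/PortProbeUnprotectedPort", "UpdatedAtMs": ms(10)},
        {"Id": "f-stale", "Severity": 8.0, "Type": "Backdoor:EC2/C&CActivity.B!DNS", "UpdatedAtMs": ms(72)},
    ]


def run_sample() -> Dict[str, List[str]]:
    """Pull everything updated in the last 24h (severity >= 1) and triage it."""
    client = FakeGuardDutyClient(sample_findings())
    return triage(client, "detector-id-placeholder", build_finding_criteria(1, 24, NOW))


if __name__ == "__main__":
    print(run_sample())  # {'escalate': ['f-high'], 'archive': ['f-noise'], 'review': ['f-medium']}
```

The scheduled pull uses a low severity floor so that low-severity noise is actually fetched and archived; the severity >= 7 filter from the pattern above is the same call with build_finding_criteria(7, 24, now). Archiving stays gated on both a low severity and an explicitly accepted finding type, so a Medium or High finding of a noisy type is never silently closed.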
Custom Threat Intelligence Feeds
Add organisation-specific threat intelligence by uploading IOC lists to S3 and registering them as ThreatIntelSets. GuardDuty correlates incoming events against the lists and raises a CustomThreatIntel finding when a match occurs. The API also manages IPSets — trusted ranges that suppress noisy detections from known scanners or load balancers.
Call CreateThreatIntelSet with a Location pointing to an S3 object containing the IOCs, Format=TXT, and Activate=true
AI Agent Security Operations
Through Jentic, an AI agent can act as an SOC analyst — paginating through findings, archiving false positives by pattern, updating IP allow lists, and triggering malware scans on suspicious EC2 instances. The 67 GuardDuty operations are exposed as Jentic tools so the agent picks the right one from intent.
Search Jentic for 'archive guardduty finding', load the ArchiveFindings schema, and execute it with the DetectorId and a list of FindingIds
67 endpoints — Jentic publishes the only available OpenAPI specification for Amazon GuardDuty, keeping it validated and agent-ready.
METHOD  PATH                                      DESCRIPTION
        /detector                                 ListDetectors — list GuardDuty detectors in the region
        /detector/{detectorId}/filter             ListFilters — list saved finding filters
        /detector/{detectorId}/findings/archive   ArchiveFindings — archive a batch of findings
        /detector/{detectorId}/ipset              ListIPSets — list trusted IP sets on a detector
        /detector/{detectorId}/administrator      GetAdministratorAccount — fetch the admin account for the detector
Three things that make agents converge on Jentic-routed access.
Credential isolation
AWS access keys for GuardDuty are stored encrypted in the Jentic vault. Agents never see the raw credentials — Jentic signs each request with SigV4 server-side.
Intent-based discovery
Agents search Jentic with intents like 'list guardduty findings' or 'archive a finding' and get the matching operation back with its input schema.
Time to first call
Direct integration: 1-2 days to wire up the AWS SDK and IAM policies for security operations. Through Jentic: under an hour.
Alternatives and complements available in the Jentic catalogue.
AWS Security Hub
Aggregates GuardDuty findings alongside other AWS and partner security signals
Use Security Hub to centralise findings from GuardDuty, Inspector, and Macie under a unified standard; use GuardDuty to manage the threat detection itself.
Amazon Detective
Investigation graph that pivots from GuardDuty findings into root-cause analysis
Use Detective when an investigation needs entity-relationship analysis after a GuardDuty alert; GuardDuty itself focuses on detection and management.
AWS CloudTrail
Source of CloudTrail management and S3 data events that GuardDuty analyses
Use CloudTrail to query the underlying API call history; GuardDuty consumes those events to detect anomalies.
Questions specific to using the Amazon GuardDuty API through Jentic.
Why is there no official OpenAPI spec for Amazon GuardDuty?
AWS does not publish an OpenAPI specification. Jentic generates and maintains this spec so that AI agents and developers can call Amazon GuardDuty via structured tooling. It is validated against the live API and kept up to date. Get started at https://app.jentic.com/sign-up.
What authentication does the Amazon GuardDuty API use?
The API uses AWS Signature Version 4 (HMAC) request signing. Through Jentic, AWS credentials are stored encrypted in the vault and requests are signed server-side, so the agent never holds raw access keys.
Can I list and filter GuardDuty findings with the API?
Yes. Call ListFindings on /detector/{detectorId}/findings with a FindingCriteria object that filters by severity, type, resource, or updatedAt. Pass the returned IDs to GetFindings to retrieve full finding details.
What are the rate limits for the Amazon GuardDuty API?
AWS applies per-account, per-region request quotas to GuardDuty operations and these vary by call. List operations have higher throughput than mutation operations like CreateDetector or InviteMembers. Check AWS Service Quotas for current limits.
How do I archive a finding through Jentic?
Search Jentic for 'archive guardduty finding', load the ArchiveFindings schema, and execute with the DetectorId and a list of up to 50 FindingIds. The archived findings remain queryable but no longer count as active.
Can I add custom threat intelligence to GuardDuty?
Yes. Upload an IOC list to S3 in TXT, STIX, OTX_CSV, ALIEN_VAULT, PROOF_POINT, or FIRE_EYE format and call CreateThreatIntelSet with the Location, Format, and Activate=true. GuardDuty raises a Custom finding type when an event matches an entry.