guardduty_get_findings
Retrieve detailed JSON-formatted information for up to 2 AWS GuardDuty findings per request to prevent server crashes. Ideal for analyzing specific security threats in a controlled manner.
Instructions
Get detailed information for the specified GuardDuty findings.
Parameters:
aws_region (str): The AWS region - use 'us-east-1' if not specified.
detector_id (str): The GuardDuty detector ID.
finding_ids (list): A list of finding IDs for which to retrieve details.
<IMPORTANT>
The server may crash when the response is too large. To avoid this, pass only max 2 finding IDs at a time.
The finding_ids list should contain a maximum of 2 IDs.
If guardduty_list_findings returns more than 2 IDs, you should call this tool max 5 times.
Then, proceed with your analysis, but remember to notify the user that there may be additional findings not retrieved.
</IMPORTANT>
Returns:
str: JSON-formatted details of the findings.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| aws_region | Yes | The AWS region; use 'us-east-1' if not specified. | |
| detector_id | Yes | The GuardDuty detector ID. | |
| finding_ids | Yes | A list of finding IDs for which to retrieve details (at most 2 per call). | |
Input Schema (JSON Schema)
```json
{
  "properties": {
    "aws_region": {
      "title": "Aws Region",
      "type": "string"
    },
    "detector_id": {
      "title": "Detector Id",
      "type": "string"
    },
    "finding_ids": {
      "items": {},
      "title": "Finding Ids",
      "type": "array"
    }
  },
  "required": [
    "aws_region",
    "detector_id",
    "finding_ids"
  ],
  "title": "guardduty_get_findingsArguments",
  "type": "object"
}
```
Implementation Reference
- server.py:622-658 (handler): Primary handler implementation for the guardduty_get_findings MCP tool. Decorated with @mcp.tool() for automatic registration. Uses type annotations for the input schema (aws_region: str, detector_id: str, finding_ids: list; the bare `list` annotation is why the JSON schema above has untyped `items`). Fetches GuardDuty findings via boto3 and serializes them to JSON.

```python
import datetime
import json

import boto3

# `mcp` is the MCP server instance created elsewhere in server.py (not shown on this page).


@mcp.tool()
async def guardduty_get_findings(
    aws_region: str,
    detector_id: str,
    finding_ids: list
) -> str:
    """
    Get detailed information for the specified GuardDuty findings.

    Parameters:
    aws_region (str): The AWS region - use 'us-east-1' if not specified.
    detector_id (str): The GuardDuty detector ID.
    finding_ids (list): A list of finding IDs for which to retrieve details.

    <IMPORTANT>
    The server may crash when the response is too large. To avoid this, pass only max 2 finding IDs at a time.
    The finding_ids list should contain a maximum of 2 IDs.
    If guardduty_list_findings returns more than 2 IDs, you should call this tool max 5 times.
    Then, proceed with your analysis, but remember to notify the user that there may be additional findings not retrieved.
    </IMPORTANT>

    Returns:
    str: JSON-formatted details of the findings.
    """
    try:
        client = boto3.client('guardduty', region_name=aws_region)
        response = client.get_findings(
            DetectorId=detector_id,
            FindingIds=finding_ids
        )
        findings = response.get("Findings", [])
        # insert sleep of 3 seconds to avoid throttling
        #time.sleep(3)
        # DateTimeEncoder (server.py:616-621) renders datetime fields as ISO-format strings.
        return json.dumps(findings, indent=2, cls=DateTimeEncoder)
    except Exception as e:
        # Any failure is returned to the caller as a text message instead of being raised.
        return f"Error getting GuardDuty findings: {str(e)}"
```

- server.py:616-621 (helper): Helper class used in the tool's JSON serialization to handle datetime objects by converting them to ISO-format strings.

```python
import datetime
import json


class DateTimeEncoder(json.JSONEncoder):
    def default(self, o):
        if isinstance(o, datetime.datetime):
            return o.isoformat()  # Convert datetime to ISO-format string.
        return super().default(o)
```

- server.py:622-622 (registration): The @mcp.tool() decorator registers the guardduty_get_findings function as an MCP tool.

```python
@mcp.tool()
```
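The handler above relies on the calling model to honour the two-ID limit stated in its docstring; nothing in the code checks the list's length or contents. The following is an added example, not code from server.py, showing how the same tool body could enforce the limit itself by validating `finding_ids` and issuing one `get_findings` call per batch of two. It assumes finding IDs are 32-character lowercase hex strings and takes the client as a parameter so the logic can be exercised with a test double.

```python
import datetime
import json
import re

MAX_IDS_PER_CALL = 2  # the page's own per-call limit
# Assumed ID format: 32 lowercase hex characters (adjust if your findings differ).
FINDING_ID_RE = re.compile(r"^[0-9a-f]{32}$")


class DateTimeEncoder(json.JSONEncoder):
    """Serialise datetime fields such as CreatedAt/UpdatedAt as ISO-8601 strings."""
    def default(self, o):
        if isinstance(o, datetime.datetime):
            return o.isoformat()
        return super().default(o)


def validate_finding_ids(finding_ids):
    """Raise ValueError unless finding_ids is a non-empty list of well-formed IDs."""
    if not isinstance(finding_ids, list) or not finding_ids:
        raise ValueError("finding_ids must be a non-empty list")
    for fid in finding_ids:
        if not isinstance(fid, str) or not FINDING_ID_RE.match(fid):
            raise ValueError(f"malformed finding ID: {fid!r}")
    return finding_ids


def chunk(items, size):
    """Split a list into consecutive batches of at most `size` items."""
    return [items[i:i + size] for i in range(0, len(items), size)]


def get_findings_batched(client, detector_id, finding_ids, max_per_call=MAX_IDS_PER_CALL):
    """Fetch every requested finding, never sending more than max_per_call IDs per call.
    `client` is anything exposing get_findings(DetectorId=..., FindingIds=...)."""
    validate_finding_ids(finding_ids)
    findings = []
    for batch in chunk(finding_ids, max_per_call):
        response = client.get_findings(DetectorId=detector_id, FindingIds=batch)
        findings.extend(response.get("Findings", []))
    return json.dumps(findings, indent=2, cls=DateTimeEncoder)


def guardduty_get_findings_enforced(aws_region, detector_id, finding_ids):
    """Replacement tool body: same inputs as the page's handler, limit enforced in code."""
    import boto3  # imported lazily so the helpers above run without boto3 installed
    client = boto3.client("guardduty", region_name=aws_region)
    return get_findings_batched(client, detector_id, finding_ids)
```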