guardduty_get_findings

Retrieve detailed information for specific AWS GuardDuty security findings to analyze potential threats in your cloud environment.

Instructions

Get detailed information for the specified GuardDuty findings.

Parameters:
    aws_region (str): The AWS region - use 'us-east-1' if not specified.
    detector_id (str): The GuardDuty detector ID.
    finding_ids (list): A list of finding IDs for which to retrieve details.

<IMPORTANT>
The server may crash when the response is too large. To avoid this, pass only max 2 finding IDs at a time.
The finding_ids list should contain a maximum of 2 IDs.
If guardduty_list_findings returns more than 2 IDs, you should call this tool max 5 times.
Then, proceed with your analysis, but remember to notify the user that there may be additional findings not retrieved.
</IMPORTANT>

Returns:
    str: JSON-formatted details of the findings.

Input Schema

Name         Required  Description  Default
aws_region   Yes
detector_id  Yes
finding_ids  Yes

Implementation Reference

  • The handler function that implements the core logic of the 'guardduty_get_findings' tool. It uses the boto3 GuardDuty client to fetch detailed findings for given detector_id and finding_ids, serializes the response to JSON, and handles errors.
    @mcp.tool()
    async def guardduty_get_findings(
        aws_region: str,
        detector_id: str,
        finding_ids: list
    ) -> str:
        """
        Get detailed information for the specified GuardDuty findings.

        Parameters:
            aws_region (str): The AWS region - use 'us-east-1' if not specified.
            detector_id (str): The GuardDuty detector ID.
            finding_ids (list): A list of finding IDs for which to retrieve details.

        <IMPORTANT>
        The server may crash when the response is too large. To avoid this, pass only max 2 finding IDs at a time.
        The finding_ids list should contain a maximum of 2 IDs.
        If guardduty_list_findings returns more than 2 IDs, you should call this tool max 5 times.
        Then, proceed with your analysis, but remember to notify the user that there may be additional findings not retrieved.
        </IMPORTANT>

        Returns:
            str: JSON-formatted details of the findings.
        """
        try:
            client = boto3.client('guardduty', region_name=aws_region)
            response = client.get_findings(
                DetectorId=detector_id,
                FindingIds=finding_ids
            )
            findings = response.get("Findings", [])
            # insert sleep of 3 seconds to avoid throttling
            #time.sleep(3)
            return json.dumps(findings, indent=2, cls=DateTimeEncoder)
        except Exception as e:
            return f"Error getting GuardDuty findings: {str(e)}"
  • Helper class for JSON encoding datetime objects to ISO format, used in the guardduty_get_findings tool to serialize response data containing timestamps.
    class DateTimeEncoder(json.JSONEncoder):
        def default(self, o):
            if isinstance(o, datetime.datetime):
                return o.isoformat()  # Convert datetime to ISO-format string.
            return super().default(o)
  • server.py:622-622 (registration)
    The @mcp.tool() decorator registers the guardduty_get_findings function as an MCP tool.
    @mcp.tool()
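
Added example, not part of server.py or the project's code: a caller-side helper that applies the limits stated in the Instructions (at most 2 finding IDs per call, at most 5 calls), detects the error string the handler returns instead of JSON, and reports which IDs were never retrieved. `call_tool`, `fake_tool` and the sample IDs are hypothetical stand-ins constructed for the example.

```python
import json

BATCH_SIZE = 2   # Instructions: pass at most 2 finding IDs per call
MAX_CALLS = 5    # Instructions: call the tool at most 5 times
ERROR_PREFIX = "Error getting GuardDuty findings:"  # handler's failure string


def collect_findings(finding_ids, call_tool):
    """Fetch findings in batches and account for every ID.

    call_tool(batch) is a hypothetical callable that invokes
    guardduty_get_findings for one batch and returns its string output.
    """
    batches = [finding_ids[i:i + BATCH_SIZE]
               for i in range(0, len(finding_ids), BATCH_SIZE)]
    findings, failed = [], []
    for batch in batches[:MAX_CALLS]:
        raw = call_tool(batch)
        # The handler returns a plain error string on failure, not JSON.
        if raw.startswith(ERROR_PREFIX):
            failed.extend(batch)
            continue
        try:
            findings.extend(json.loads(raw))
        except json.JSONDecodeError:
            failed.extend(batch)  # truncated or otherwise unparsable reply
    # IDs beyond the call budget: the user must be told these exist.
    not_requested = [fid for batch in batches[MAX_CALLS:] for fid in batch]
    return {"findings": findings, "failed": failed,
            "not_requested": not_requested}


# Constructed sample data: 13 placeholder finding IDs.
SAMPLE_IDS = [f"f-{n:02d}" for n in range(1, 14)]


def fake_tool(batch):
    """Constructed stand-in for the tool; fails for any batch with f-03."""
    if "f-03" in batch:
        return ERROR_PREFIX + " constructed failure"
    return json.dumps([{"Id": fid, "Severity": 5.0,
                        "Type": "Constructed:Example/Type"} for fid in batch])


if __name__ == "__main__":
    result = collect_findings(SAMPLE_IDS, fake_tool)
    print(len(result["findings"]), "retrieved;",
          "failed:", result["failed"],
          "not requested:", result["not_requested"])
```

An analysis built on the result should state the `failed` and `not_requested` IDs explicitly, so a partial retrieval is not read as a complete picture of the detector's findings.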

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/Brucedh/aws-ireveal-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server.