AWS::GuardDuty::Filter - AWS CloudFormation

AWS::GuardDuty::Filter

The AWS::GuardDuty::Filter resource specifies a new filter defined by the provided findingCriteria.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{
  "Type" : "AWS::GuardDuty::Filter",
  "Properties" : {
      "Action" : String,
      "Description" : String,
      "DetectorId" : String,
      "FindingCriteria" : FindingCriteria,
      "Name" : String,
      "Rank" : Integer
    }
}

YAML

Type: AWS::GuardDuty::Filter
Properties:
  Action: String
  Description: String
  DetectorId: String
  FindingCriteria:
    FindingCriteria
  Name: String
  Rank: Integer

Properties

Action

Specifies the action that is to be applied to the findings that match the filter.

Required: Yes

Type: String

Allowed values: ARCHIVE | NOOP

Update requires: No interruption

Description

The description of the filter.

Required: Yes

Type: String

Minimum: 0

Maximum: 512

Update requires: No interruption

DetectorId

The ID of the detector belonging to the GuardDuty account that you want to create a filter for.

Required: Yes

Type: String

Minimum: 1

Maximum: 300

Update requires: Replacement

FindingCriteria

Represents the criteria to be used in the filter for querying findings.

Required: Yes

Type: FindingCriteria

Update requires: No interruption

Name

The name of the filter. Minimum length of 3. Maximum length of 64. Valid characters include alphanumeric characters, dot (.), underscore (_), and dash (-). Spaces are not allowed.

Required: Yes

Type: String

Minimum: 3

Maximum: 64

Update requires: Replacement

Rank

Specifies the position of the filter in the list of current filters. Also specifies the order in which this filter is applied to the findings.

Important

By default, filters may not be created in the same order as they are ranked. To ensure filters are created in the correct order, you can use the optional DependsOn attribute with the following syntax: "DependsOn":[ "ObjectName" ]. For more information, see the documentation for the DependsOn attribute.

Required: Yes

Type: Integer

Update requires: No interruption

Return values

Ref

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the name of the filter, such as SampleFilter.

For more information about using the Ref function, see Ref.

Examples

Declare a Filter Resource

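The following example shows how to declare a GuardDuty Filter resource. Both criteria use Gte: 0, which every finding satisfies, so with Action set to ARCHIVE this sample filter automatically archives every new finding; narrow the criteria before using it as a suppression rule.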

JSON

{
    "Type": "AWS::GuardDuty::Filter",
    "Properties": {
        "Action": "ARCHIVE",
        "Description": "SampleFilter",
        "DetectorId": "a12abc34d567e8fa901bc2d34e56789f0",
        "FindingCriteria": {
            "Criterion": {
                "updatedAt": {
                    "Gte": 0
                },
                "severity": {
                    "Gte": 0
                }
            }
        },
        "Rank": 1,
        "Name": "SampleFilter"
    }
}

YAML

Type: "AWS::GuardDuty::Filter"
Properties:
  Action: "ARCHIVE"
  Description: "SampleFilter"
  DetectorId: "a12abc34d567e8fa901bc2d34e56789f0"
  FindingCriteria:
    Criterion:
      "updatedAt":
        Gte: 0
      "severity":
        Gte: 0
  Rank: 1
  Name: "SampleFilter"
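
Declare Ranked Filters with DependsOn

The following template is an added example, not part of the original AWS documentation page. It applies the DependsOn note under Rank so that two filters are created in rank order, and it scopes the ARCHIVE filter to one finding type on one instance. The logical IDs, filter names, the DetectorId parameter, and the instance ID are assumptions made for illustration.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Two ranked GuardDuty filters created in rank order (constructed example).

Parameters:
  DetectorId:            # hypothetical parameter name
    Type: String
    Description: ID of an existing GuardDuty detector in this account and Region.

Resources:
  # Rank 1: narrowly scoped suppression. Only port-scan findings raised for
  # one known scanner instance are archived; everything else stays active.
  ArchiveScannerPortscan:
    Type: AWS::GuardDuty::Filter
    Properties:
      Name: archive-scanner-portscan
      Description: Archive port-scan findings from the approved vulnerability scanner
      Action: ARCHIVE
      Rank: 1
      DetectorId: !Ref DetectorId
      FindingCriteria:
        Criterion:
          type:
            Eq:
              - Recon:EC2/Portscan
          resource.instanceDetails.instanceId:
            Eq:
              - i-0123456789abcdef0   # constructed placeholder instance ID

  # Rank 2: saved query for high-severity findings. NOOP takes no action on them.
  HighSeverityView:
    Type: AWS::GuardDuty::Filter
    DependsOn:
      - ArchiveScannerPortscan   # forces creation after the rank 1 filter
    Properties:
      Name: high-severity-view
      Description: Saved query for findings with severity 7 or higher
      Action: NOOP
      Rank: 2
      DetectorId: !Ref DetectorId
      FindingCriteria:
        Criterion:
          severity:
            Gte: 7
```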