AWS CloudFormation
User Guide (API Version 2010-05-15)

AWS::GuardDuty::Filter

You can use the AWS::GuardDuty::Filter resource to create a GuardDuty filter using the specified finding criteria.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{
  "Type" : "AWS::GuardDuty::Filter",
  "Properties" : {
    "Action" : String,
    "Description" : String,
    "DetectorId" : String,
    "FindingCriteria" : FindingCriteria,
    "Rank" : Integer,
    "Name" : String
  }
}

YAML

Type: "AWS::GuardDuty::Filter"
Properties:
  Action: String
  Description: String
  DetectorId: String
  FindingCriteria: FindingCriteria
  Rank: Integer
  Name: String

Properties

Action

Specifies the action that is to be applied to the findings that match the filter. Valid values are: NOOP | ARCHIVE

Required: Yes

Type: String

Update requires: No interruption

Description

The description of the filter.

Required: Yes

Type: String

Update requires: No interruption

DetectorId

The ID of the detector that specifies the GuardDuty service whose findings you want to filter.

Required: Yes

Type: String

Update requires: Replacement

FindingCriteria

Represents the criteria to be used in the filter for querying findings.

Required: Yes

Type: GuardDuty Filter FindingCriteria

Update requires: No interruption

Rank

Specifies the position of the filter in the list of current filters. Also specifies the order in which this filter is applied to the findings.

Required: Yes

Type: Integer

Update requires: No interruption

Name

The name of the filter.

Required: No

Type: String

Update requires: Replacement

Return Values

Ref

When you pass the logical ID of an AWS::GuardDuty::Filter resource to the intrinsic Ref function, the function returns the name of the created filter, such as SampleFilter.

For more information about using the Ref function, see Ref.

Examples

Declaring a GuardDuty Filter Resource

The following example shows how to declare an AWS::GuardDuty::Filter resource to create a filter for your GuardDuty findings.

JSON

{
  "Type": "AWS::GuardDuty::Filter",
  "Properties": {
    "Action": "ARCHIVE",
    "Description": "SampleFilter",
    "DetectorId": "a12abc34d567e8fa901bc2d34e56789f0",
    "FindingCriteria": {
      "Criterion": {
        "updatedAt": {
          "Gte": 0
        }
      }
    },
    "Rank": 1,
    "Name": "SampleFilter"
  }
}

YAML

Type: "AWS::GuardDuty::Filter"
Properties:
  Action: "ARCHIVE"
  Description: "SampleFilter"
  DetectorId: "a12abc34d567e8fa901bc2d34e56789f0"
  FindingCriteria:
    Criterion:
      "updatedAt":
        Gte: 0
  Rank: 1
  Name: "SampleFilter"
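
The sample filter above pairs the ARCHIVE action with a criterion (updatedAt Gte 0) that any finding with a non-negative timestamp satisfies, so a filter copied from it would archive every finding the detector produces. The following Python check is an added example, not part of the AWS documentation: it scans a JSON template for ARCHIVE filters whose criteria exclude nothing. The template, logical IDs, detector ID placeholder, and function names are constructed for illustration, and the check assumes the compared fields (timestamps, severity) are never negative.

```python
import json

# Constructed sample template; logical IDs and the detector ID are placeholders.
TEMPLATE = json.loads("""
{"Resources": {
  "ArchiveEverything": {"Type": "AWS::GuardDuty::Filter", "Properties": {
    "Action": "ARCHIVE", "Description": "SampleFilter", "DetectorId": "DETECTOR-ID-PLACEHOLDER",
    "FindingCriteria": {"Criterion": {"updatedAt": {"Gte": 0}}}, "Rank": 1, "Name": "SampleFilter"}},
  "ArchiveLowSeverity": {"Type": "AWS::GuardDuty::Filter", "Properties": {
    "Action": "ARCHIVE", "Description": "Low severity only", "DetectorId": "DETECTOR-ID-PLACEHOLDER",
    "FindingCriteria": {"Criterion": {"severity": {"Lt": 4}, "updatedAt": {"Gte": 0}}}, "Rank": 2}},
  "ViewEverything": {"Type": "AWS::GuardDuty::Filter", "Properties": {
    "Action": "NOOP", "Description": "Saved view", "DetectorId": "DETECTOR-ID-PLACEHOLDER",
    "FindingCriteria": {"Criterion": {"updatedAt": {"Gte": 0}}}, "Rank": 3}}
}}
""")

LOWER_INCLUSIVE = {"Gte", "GreaterThanOrEqual"}
LOWER_EXCLUSIVE = {"Gt", "GreaterThan"}

def always_true(condition):
    """True if the condition cannot exclude any finding.
    Assumption: the field is non-negative (epoch timestamps, severity)."""
    for op, value in condition.items():
        if not isinstance(value, (int, float)):
            return False          # string/list comparisons do narrow the match
        if op in LOWER_INCLUSIVE and value <= 0:
            continue              # field >= 0 holds for every finding
        if op in LOWER_EXCLUSIVE and value < 0:
            continue              # field > negative bound holds for every finding
        return False              # any other operator or bound narrows the match
    return True

def overbroad_archive_filters(template):
    """Return logical IDs of ARCHIVE filters whose every criterion is always true."""
    flagged = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::GuardDuty::Filter":
            continue
        props = resource.get("Properties", {})
        criterion = props.get("FindingCriteria", {}).get("Criterion", {})
        if props.get("Action") == "ARCHIVE" and all(
                always_true(cond) for cond in criterion.values()):
            flagged.append(logical_id)
    return flagged

if __name__ == "__main__":
    for logical_id in overbroad_archive_filters(TEMPLATE):
        print(f"{logical_id}: ARCHIVE filter matches every finding")
```

The NOOP filter with the same criterion is not flagged because it archives nothing, and the severity-bounded ARCHIVE filter is not flagged because one of its conditions narrows the match.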