# UpdateFilter
Updates the filter specified by the filter name.
## Request Syntax
```
POST /detector/DetectorId/filter/FilterName HTTP/1.1
Content-type: application/json
{
"action": "string",
"description": "string",
"findingCriteria": {
"criterion": {
"string" : {
"eq": [ "string" ],
"equals": [ "string" ],
"greaterThan": number,
"greaterThanOrEqual": number,
"gt": number,
"gte": number,
"lessThan": number,
"lessThanOrEqual": number,
"lt": number,
"lte": number,
"matches": [ "string" ],
"neq": [ "string" ],
"notEquals": [ "string" ],
"notMatches": [ "string" ]
}
}
},
"rank": number
}
```
## URI Request Parameters
The request uses the following URI parameters.
** [DetectorId](#API_UpdateFilter_RequestSyntax) **
The unique ID of the detector that specifies the GuardDuty service where you want to update a filter.
To find the `detectorId` in the current Region, see the Settings page in the GuardDuty console, or run the [ListDetectors](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html) API.
Length Constraints: Minimum length of 1. Maximum length of 300.
Required: Yes
** [FilterName](#API_UpdateFilter_RequestSyntax) **
The name of the filter.
Required: Yes
## Request Body
The request accepts the following data in JSON format.
** [action](#API_UpdateFilter_RequestSyntax) **
Specifies the action that is to be applied to the findings that match the filter.
Default: NOOP
Type: String
Length Constraints: Minimum length of 1. Maximum length of 300.
Valid Values: `NOOP | ARCHIVE`
Required: No
** [description](#API_UpdateFilter_RequestSyntax) **
The description of the filter. Valid characters include alphanumeric characters, and special characters such as hyphen, period, colon, underscore, parentheses (`{ }`, `[ ]`, and `( )`), forward slash, horizontal tab, vertical tab, newline, form feed, return, and whitespace.
Type: String
Length Constraints: Minimum length of 0. Maximum length of 512.
Required: No
** [findingCriteria](#API_UpdateFilter_RequestSyntax) **
Represents the criteria to be used in the filter for querying findings. The following fields are available for filtering:
+ accountId
+ arn
+ associatedAttackSequenceArn
+ confidence
+ createdAt
Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
+ description
+ id
+ partition
+ region
+ resource.accessKeyDetails.accessKeyId
+ resource.accessKeyDetails.principalId
+ resource.accessKeyDetails.userIdentity.accessKeyId
+ resource.accessKeyDetails.userIdentity.accountId
+ resource.accessKeyDetails.userIdentity.arn
+ resource.accessKeyDetails.userIdentity.principalId
+ resource.accessKeyDetails.userIdentity.sessionContext.attributes.mfaAuthenticated
+ resource.accessKeyDetails.userIdentity.sessionContext.ec2RoleDelivery
+ resource.accessKeyDetails.userIdentity.sessionContext.invokedBy
+ resource.accessKeyDetails.userIdentity.sessionContext.sessionIssuer.accountId
+ resource.accessKeyDetails.userIdentity.sessionContext.sessionIssuer.arn
+ resource.accessKeyDetails.userIdentity.sessionContext.sessionIssuer.principalId
+ resource.accessKeyDetails.userIdentity.sessionContext.sessionIssuer.type
+ resource.accessKeyDetails.userIdentity.sessionContext.sessionIssuer.userName
+ resource.accessKeyDetails.userIdentity.sessionContext.sourceIdentity
+ resource.accessKeyDetails.userIdentity.sessionContext.webIdFederationData.attributes
+ resource.accessKeyDetails.userIdentity.sessionContext.webIdFederationData.federatedProvider
+ resource.accessKeyDetails.userIdentity.type
+ resource.accessKeyDetails.userIdentity.userName
+ resource.accessKeyDetails.userName
+ resource.accessKeyDetails.userType
+ resource.bedrockGuardrailDetails.guardrailArn
+ resource.bedrockGuardrailDetails.guardrailVersion
+ resource.containerDetails.containerRuntime
+ resource.containerDetails.id
+ resource.containerDetails.image
+ resource.containerDetails.imagePrefix
+ resource.containerDetails.name
+ resource.containerDetails.securityContext.allowPrivilegeEscalation
+ resource.containerDetails.securityContext.privileged
+ resource.containerDetails.volumeMounts.mountPath
+ resource.containerDetails.volumeMounts.name
+ resource.ebsSnapshotDetails.snapshotArn
+ resource.ebsVolumeDetails.scannedVolumeDetails.deviceName
+ resource.ebsVolumeDetails.scannedVolumeDetails.encryptionType
+ resource.ebsVolumeDetails.scannedVolumeDetails.kmsKeyArn
+ resource.ebsVolumeDetails.scannedVolumeDetails.snapshotArn
+ resource.ebsVolumeDetails.scannedVolumeDetails.volumeArn
+ resource.ebsVolumeDetails.scannedVolumeDetails.volumeSizeInGB
+ resource.ebsVolumeDetails.scannedVolumeDetails.volumeType
+ resource.ebsVolumeDetails.skippedVolumeDetails.deviceName
+ resource.ebsVolumeDetails.skippedVolumeDetails.encryptionType
+ resource.ebsVolumeDetails.skippedVolumeDetails.kmsKeyArn
+ resource.ebsVolumeDetails.skippedVolumeDetails.snapshotArn
+ resource.ebsVolumeDetails.skippedVolumeDetails.volumeArn
+ resource.ebsVolumeDetails.skippedVolumeDetails.volumeSizeInGB
+ resource.ebsVolumeDetails.skippedVolumeDetails.volumeType
+ resource.ec2ImageDetails.imageArn
+ resource.ecsClusterDetails.activeServicesCount
+ resource.ecsClusterDetails.arn
+ resource.ecsClusterDetails.name
+ resource.ecsClusterDetails.registeredContainerInstancesCount
+ resource.ecsClusterDetails.runningTasksCount
+ resource.ecsClusterDetails.status
+ resource.ecsClusterDetails.tags.key
+ resource.ecsClusterDetails.tags.value
+ resource.ecsClusterDetails.taskDetails.arn
+ resource.ecsClusterDetails.taskDetails.containers.containerRuntime
+ resource.ecsClusterDetails.taskDetails.containers.id
+ resource.ecsClusterDetails.taskDetails.containers.image
+ resource.ecsClusterDetails.taskDetails.containers.imagePrefix
+ resource.ecsClusterDetails.taskDetails.containers.name
+ resource.ecsClusterDetails.taskDetails.containers.securityContext.allowPrivilegeEscalation
+ resource.ecsClusterDetails.taskDetails.containers.securityContext.privileged
+ resource.ecsClusterDetails.taskDetails.containers.volumeMounts.mountPath
+ resource.ecsClusterDetails.taskDetails.containers.volumeMounts.name
+ resource.ecsClusterDetails.taskDetails.createdAt
Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
+ resource.ecsClusterDetails.taskDetails.definitionArn
+ resource.ecsClusterDetails.taskDetails.group
+ resource.ecsClusterDetails.taskDetails.launchType
+ resource.ecsClusterDetails.taskDetails.startedAt
Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
+ resource.ecsClusterDetails.taskDetails.startedBy
+ resource.ecsClusterDetails.taskDetails.tags.key
+ resource.ecsClusterDetails.taskDetails.tags.value
+ resource.ecsClusterDetails.taskDetails.version
+ resource.ecsClusterDetails.taskDetails.volumes.hostPath.path
+ resource.ecsClusterDetails.taskDetails.volumes.name
+ resource.eksClusterDetails.arn
+ resource.eksClusterDetails.createdAt
Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
+ resource.eksClusterDetails.name
+ resource.eksClusterDetails.status
+ resource.eksClusterDetails.tags.key
+ resource.eksClusterDetails.tags.value
+ resource.eksClusterDetails.vpcId
+ resource.instanceDetails.availabilityZone
+ resource.instanceDetails.iamInstanceProfile.arn
+ resource.instanceDetails.iamInstanceProfile.id
+ resource.instanceDetails.imageDescription
+ resource.instanceDetails.imageId
+ resource.instanceDetails.instanceId
+ resource.instanceDetails.instanceState
+ resource.instanceDetails.instanceType
+ resource.instanceDetails.launchTime
Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
+ resource.instanceDetails.networkInterfaces.ipv6Addresses
+ resource.instanceDetails.networkInterfaces.networkInterfaceId
+ resource.instanceDetails.networkInterfaces.privateDnsName
+ resource.instanceDetails.networkInterfaces.privateIpAddress
+ resource.instanceDetails.networkInterfaces.privateIpAddresses.privateDnsName
+ resource.instanceDetails.networkInterfaces.privateIpAddresses.privateIpAddress
+ resource.instanceDetails.networkInterfaces.publicDnsName
+ resource.instanceDetails.networkInterfaces.publicIp
+ resource.instanceDetails.networkInterfaces.securityGroups.groupId
+ resource.instanceDetails.networkInterfaces.securityGroups.groupName
+ resource.instanceDetails.networkInterfaces.subnetId
+ resource.instanceDetails.networkInterfaces.vpcId
+ resource.instanceDetails.outpostArn
+ resource.instanceDetails.platform
+ resource.instanceDetails.productCodes.productCodeId
+ resource.instanceDetails.productCodes.productCodeType
+ resource.instanceDetails.tags.key
+ resource.instanceDetails.tags.value
+ resource.kubernetesDetails.kubernetesUserDetails.groups
+ resource.kubernetesDetails.kubernetesUserDetails.impersonatedUser.groups
+ resource.kubernetesDetails.kubernetesUserDetails.impersonatedUser.username
+ resource.kubernetesDetails.kubernetesUserDetails.sessionName
+ resource.kubernetesDetails.kubernetesUserDetails.uid
+ resource.kubernetesDetails.kubernetesUserDetails.username
+ resource.kubernetesDetails.kubernetesWorkloadDetails.containers.containerRuntime
+ resource.kubernetesDetails.kubernetesWorkloadDetails.containers.id
+ resource.kubernetesDetails.kubernetesWorkloadDetails.containers.image
+ resource.kubernetesDetails.kubernetesWorkloadDetails.containers.imagePrefix
+ resource.kubernetesDetails.kubernetesWorkloadDetails.containers.name
+ resource.kubernetesDetails.kubernetesWorkloadDetails.containers.securityContext.allowPrivilegeEscalation
+ resource.kubernetesDetails.kubernetesWorkloadDetails.containers.securityContext.privileged
+ resource.kubernetesDetails.kubernetesWorkloadDetails.containers.volumeMounts.mountPath
+ resource.kubernetesDetails.kubernetesWorkloadDetails.containers.volumeMounts.name
+ resource.kubernetesDetails.kubernetesWorkloadDetails.hostIpc
+ resource.kubernetesDetails.kubernetesWorkloadDetails.hostNetwork
+ resource.kubernetesDetails.kubernetesWorkloadDetails.hostPid
+ resource.kubernetesDetails.kubernetesWorkloadDetails.name
+ resource.kubernetesDetails.kubernetesWorkloadDetails.namespace
+ resource.kubernetesDetails.kubernetesWorkloadDetails.serviceAccountName
+ resource.kubernetesDetails.kubernetesWorkloadDetails.type
+ resource.kubernetesDetails.kubernetesWorkloadDetails.uid
+ resource.kubernetesDetails.kubernetesWorkloadDetails.volumes.hostPath.path
+ resource.kubernetesDetails.kubernetesWorkloadDetails.volumes.name
+ resource.lambdaDetails.description
+ resource.lambdaDetails.functionArn
+ resource.lambdaDetails.functionName
+ resource.lambdaDetails.functionVersion
+ resource.lambdaDetails.lastModifiedAt
Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
+ resource.lambdaDetails.revisionId
+ resource.lambdaDetails.role
+ resource.lambdaDetails.tags.key
+ resource.lambdaDetails.tags.value
+ resource.lambdaDetails.vpcConfig.securityGroups.groupId
+ resource.lambdaDetails.vpcConfig.securityGroups.groupName
+ resource.lambdaDetails.vpcConfig.subnetIds
+ resource.lambdaDetails.vpcConfig.vpcId
+ resource.rdsDbInstanceDetails.dbClusterIdentifier
+ resource.rdsDbInstanceDetails.dbInstanceArn
+ resource.rdsDbInstanceDetails.dbInstanceIdentifier
+ resource.rdsDbInstanceDetails.dbSecurityGroups.name
+ resource.rdsDbInstanceDetails.dbSecurityGroups.status
+ resource.rdsDbInstanceDetails.dbiResourceId
+ resource.rdsDbInstanceDetails.engine
+ resource.rdsDbInstanceDetails.engineVersion
+ resource.rdsDbInstanceDetails.iamDatabaseAuthenticationEnabled
+ resource.rdsDbInstanceDetails.publiclyAccessible
+ resource.rdsDbInstanceDetails.tags.key
+ resource.rdsDbInstanceDetails.tags.value
+ resource.rdsDbInstanceDetails.vpcId
+ resource.rdsDbInstanceDetails.vpcSecurityGroups.status
+ resource.rdsDbInstanceDetails.vpcSecurityGroups.vpcSecurityGroupId
+ resource.rdsDbUserDetails.application
+ resource.rdsDbUserDetails.authMethod
+ resource.rdsDbUserDetails.database
+ resource.rdsDbUserDetails.ssl
+ resource.rdsDbUserDetails.user
+ resource.rdsLimitlessDbDetails.dbClusterIdentifier
+ resource.rdsLimitlessDbDetails.dbShardGroupArn
+ resource.rdsLimitlessDbDetails.dbShardGroupIdentifier
+ resource.rdsLimitlessDbDetails.dbShardGroupResourceId
+ resource.rdsLimitlessDbDetails.engine
+ resource.rdsLimitlessDbDetails.engineVersion
+ resource.rdsLimitlessDbDetails.tags.key
+ resource.rdsLimitlessDbDetails.tags.value
+ resource.recoveryPointDetails.backupVaultName
+ resource.recoveryPointDetails.recoveryPointArn
+ resource.resourceType
+ resource.s3BucketDetails.arn
+ resource.s3BucketDetails.createdAt
Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
+ resource.s3BucketDetails.defaultServerSideEncryption.encryptionType
+ resource.s3BucketDetails.defaultServerSideEncryption.kmsMasterKeyArn
+ resource.s3BucketDetails.name
+ resource.s3BucketDetails.owner.id
+ resource.s3BucketDetails.publicAccess.effectivePermission
+ resource.s3BucketDetails.publicAccess.permissionConfiguration.accountLevelPermissions.blockPublicAccess.blockPublicAcls
+ resource.s3BucketDetails.publicAccess.permissionConfiguration.accountLevelPermissions.blockPublicAccess.blockPublicPolicy
+ resource.s3BucketDetails.publicAccess.permissionConfiguration.accountLevelPermissions.blockPublicAccess.ignorePublicAcls
+ resource.s3BucketDetails.publicAccess.permissionConfiguration.accountLevelPermissions.blockPublicAccess.restrictPublicBuckets
+ resource.s3BucketDetails.publicAccess.permissionConfiguration.bucketLevelPermissions.accessControlList.allowsPublicReadAccess
+ resource.s3BucketDetails.publicAccess.permissionConfiguration.bucketLevelPermissions.accessControlList.allowsPublicWriteAccess
+ resource.s3BucketDetails.publicAccess.permissionConfiguration.bucketLevelPermissions.blockPublicAccess.blockPublicAcls
+ resource.s3BucketDetails.publicAccess.permissionConfiguration.bucketLevelPermissions.blockPublicAccess.blockPublicPolicy
+ resource.s3BucketDetails.publicAccess.permissionConfiguration.bucketLevelPermissions.blockPublicAccess.ignorePublicAcls
+ resource.s3BucketDetails.publicAccess.permissionConfiguration.bucketLevelPermissions.blockPublicAccess.restrictPublicBuckets
+ resource.s3BucketDetails.publicAccess.permissionConfiguration.bucketLevelPermissions.bucketPolicy.allowsPublicReadAccess
+ resource.s3BucketDetails.publicAccess.permissionConfiguration.bucketLevelPermissions.bucketPolicy.allowsPublicWriteAccess
+ resource.s3BucketDetails.s3ObjectDetails.eTag
+ resource.s3BucketDetails.s3ObjectDetails.hash
+ resource.s3BucketDetails.s3ObjectDetails.key
+ resource.s3BucketDetails.s3ObjectDetails.objectArn
+ resource.s3BucketDetails.s3ObjectDetails.versionId
+ resource.s3BucketDetails.tags.key
+ resource.s3BucketDetails.tags.value
+ resource.s3BucketDetails.type
+ schemaVersion
+ service.action.actionType
+ service.action.awsApiCallAction.affectedResources
+ service.action.awsApiCallAction.api
+ service.action.awsApiCallAction.callerType
+ service.action.awsApiCallAction.domainDetails.domain
+ service.action.awsApiCallAction.errorCode
+ service.action.awsApiCallAction.remoteAccountDetails.accountId
+ service.action.awsApiCallAction.remoteAccountDetails.affiliated
+ service.action.awsApiCallAction.remoteAccountDetails.awsServiceName
+ service.action.awsApiCallAction.remoteIpDetails.city.cityName
+ service.action.awsApiCallAction.remoteIpDetails.country.countryCode
+ service.action.awsApiCallAction.remoteIpDetails.country.countryName
+ service.action.awsApiCallAction.remoteIpDetails.geoLocation.lat
+ service.action.awsApiCallAction.remoteIpDetails.geoLocation.lon
+ service.action.awsApiCallAction.remoteIpDetails.ipAddressV4
+ service.action.awsApiCallAction.remoteIpDetails.ipAddressV6
+ service.action.awsApiCallAction.remoteIpDetails.organization.asn
+ service.action.awsApiCallAction.remoteIpDetails.organization.asnOrg
+ service.action.awsApiCallAction.remoteIpDetails.organization.isp
+ service.action.awsApiCallAction.remoteIpDetails.organization.org
+ service.action.awsApiCallAction.serviceName
+ service.action.awsApiCallAction.userAgent
+ service.action.dnsRequestAction.blocked
+ service.action.dnsRequestAction.domain
+ service.action.dnsRequestAction.domainWithSuffix
+ service.action.dnsRequestAction.protocol
+ service.action.dnsRequestAction.vpcOwnerAccountId
+ service.action.kubernetesApiCallAction.namespace
+ service.action.kubernetesApiCallAction.parameters
+ service.action.kubernetesApiCallAction.remoteIpDetails.city.cityName
+ service.action.kubernetesApiCallAction.remoteIpDetails.country.countryCode
+ service.action.kubernetesApiCallAction.remoteIpDetails.country.countryName
+ service.action.kubernetesApiCallAction.remoteIpDetails.geoLocation.lat
+ service.action.kubernetesApiCallAction.remoteIpDetails.geoLocation.lon
+ service.action.kubernetesApiCallAction.remoteIpDetails.ipAddressV4
+ service.action.kubernetesApiCallAction.remoteIpDetails.ipAddressV6
+ service.action.kubernetesApiCallAction.remoteIpDetails.organization.asn
+ service.action.kubernetesApiCallAction.remoteIpDetails.organization.asnOrg
+ service.action.kubernetesApiCallAction.remoteIpDetails.organization.isp
+ service.action.kubernetesApiCallAction.remoteIpDetails.organization.org
+ service.action.kubernetesApiCallAction.requestUri
+ service.action.kubernetesApiCallAction.resource
+ service.action.kubernetesApiCallAction.resourceName
+ service.action.kubernetesApiCallAction.sourceIPs
+ service.action.kubernetesApiCallAction.statusCode
+ service.action.kubernetesApiCallAction.subresource
+ service.action.kubernetesApiCallAction.userAgent
+ service.action.kubernetesApiCallAction.verb
+ service.action.kubernetesPermissionCheckedDetails.allowed
+ service.action.kubernetesPermissionCheckedDetails.namespace
+ service.action.kubernetesPermissionCheckedDetails.resource
+ service.action.kubernetesPermissionCheckedDetails.verb
+ service.action.kubernetesRoleBindingDetails.kind
+ service.action.kubernetesRoleBindingDetails.name
+ service.action.kubernetesRoleBindingDetails.roleRefKind
+ service.action.kubernetesRoleBindingDetails.roleRefName
+ service.action.kubernetesRoleBindingDetails.uid
+ service.action.kubernetesRoleDetails.kind
+ service.action.kubernetesRoleDetails.name
+ service.action.kubernetesRoleDetails.uid
+ service.action.networkConnectionAction.blocked
+ service.action.networkConnectionAction.connectionDirection
+ service.action.networkConnectionAction.localIpDetails.ipAddressV4
+ service.action.networkConnectionAction.localIpDetails.ipAddressV6
+ service.action.networkConnectionAction.localNetworkInterface
+ service.action.networkConnectionAction.localPortDetails.port
+ service.action.networkConnectionAction.localPortDetails.portName
+ service.action.networkConnectionAction.protocol
+ service.action.networkConnectionAction.remoteIpDetails.city.cityName
+ service.action.networkConnectionAction.remoteIpDetails.country.countryCode
+ service.action.networkConnectionAction.remoteIpDetails.country.countryName
+ service.action.networkConnectionAction.remoteIpDetails.geoLocation.lat
+ service.action.networkConnectionAction.remoteIpDetails.geoLocation.lon
+ service.action.networkConnectionAction.remoteIpDetails.ipAddressV4
+ service.action.networkConnectionAction.remoteIpDetails.ipAddressV6
+ service.action.networkConnectionAction.remoteIpDetails.organization.asn
+ service.action.networkConnectionAction.remoteIpDetails.organization.asnOrg
+ service.action.networkConnectionAction.remoteIpDetails.organization.isp
+ service.action.networkConnectionAction.remoteIpDetails.organization.org
+ service.action.networkConnectionAction.remotePortDetails.port
+ service.action.networkConnectionAction.remotePortDetails.portName
+ service.action.portProbeAction.blocked
+ service.action.portProbeAction.portProbeDetails.localIpDetails.ipAddressV4
+ service.action.portProbeAction.portProbeDetails.localIpDetails.ipAddressV6
+ service.action.portProbeAction.portProbeDetails.localPortDetails.port
+ service.action.portProbeAction.portProbeDetails.localPortDetails.portName
+ service.action.portProbeAction.portProbeDetails.remoteIpDetails.city.cityName
+ service.action.portProbeAction.portProbeDetails.remoteIpDetails.country.countryCode
+ service.action.portProbeAction.portProbeDetails.remoteIpDetails.country.countryName
+ service.action.portProbeAction.portProbeDetails.remoteIpDetails.geoLocation.lat
+ service.action.portProbeAction.portProbeDetails.remoteIpDetails.geoLocation.lon
+ service.action.portProbeAction.portProbeDetails.remoteIpDetails.ipAddressV4
+ service.action.portProbeAction.portProbeDetails.remoteIpDetails.ipAddressV6
+ service.action.portProbeAction.portProbeDetails.remoteIpDetails.organization.asn
+ service.action.portProbeAction.portProbeDetails.remoteIpDetails.organization.asnOrg
+ service.action.portProbeAction.portProbeDetails.remoteIpDetails.organization.isp
+ service.action.portProbeAction.portProbeDetails.remoteIpDetails.organization.org
+ service.action.rdsLoginAttemptAction.loginAttributes.application
+ service.action.rdsLoginAttemptAction.loginAttributes.failedLoginAttempts
+ service.action.rdsLoginAttemptAction.loginAttributes.successfulLoginAttempts
+ service.action.rdsLoginAttemptAction.loginAttributes.user
+ service.action.rdsLoginAttemptAction.remoteIpDetails.city.cityName
+ service.action.rdsLoginAttemptAction.remoteIpDetails.country.countryCode
+ service.action.rdsLoginAttemptAction.remoteIpDetails.country.countryName
+ service.action.rdsLoginAttemptAction.remoteIpDetails.geoLocation.lat
+ service.action.rdsLoginAttemptAction.remoteIpDetails.geoLocation.lon
+ service.action.rdsLoginAttemptAction.remoteIpDetails.ipAddressV4
+ service.action.rdsLoginAttemptAction.remoteIpDetails.ipAddressV6
+ service.action.rdsLoginAttemptAction.remoteIpDetails.organization.asn
+ service.action.rdsLoginAttemptAction.remoteIpDetails.organization.asnOrg
+ service.action.rdsLoginAttemptAction.remoteIpDetails.organization.isp
+ service.action.rdsLoginAttemptAction.remoteIpDetails.organization.org
+ service.additionalInfo.agentDetails.agentId
+ service.additionalInfo.agentDetails.agentVersion
+ service.additionalInfo.anomalies.anomalousAPIs
+ service.additionalInfo.authenticationMethod
+ service.additionalInfo.averagePacketSizeIn
+ service.additionalInfo.averagePacketSizeOut
+ service.additionalInfo.context
+ service.additionalInfo.domain
+ service.additionalInfo.inBytes
+ service.additionalInfo.localNetworkInterfaceOwner
+ service.additionalInfo.localPort
+ service.additionalInfo.outBytes
+ service.additionalInfo.packetsIn
+ service.additionalInfo.packetsOut
+ service.additionalInfo.policyArn
+ service.additionalInfo.policyName
+ service.additionalInfo.remotePort
+ service.additionalInfo.sample
+ service.additionalInfo.scannedPort
+ service.additionalInfo.threatFileSha256
+ service.additionalInfo.threatListName
+ service.additionalInfo.threatName
+ service.additionalInfo.totalBytesIn
+ service.additionalInfo.totalBytesOut
+ service.additionalInfo.type
+ service.additionalInfo.unusual.asnOrg
+ service.additionalInfo.unusual.port
+ service.additionalInfo.unusualProtocol
+ service.additionalInfo.userAgent.fullUserAgent
+ service.additionalInfo.userAgent.userAgentCategory
+ service.additionalInfo.value
+ service.additionalInfo.vpcOwnerAccountId
+ service.archived
+ service.count
+ service.detection.anomaly.profiles
+ service.detection.anomaly.unusual.behavior
+ service.detection.sequence.actors.id
+ service.detection.sequence.actors.process.name
+ service.detection.sequence.actors.process.path
+ service.detection.sequence.actors.process.sha256
+ service.detection.sequence.actors.session.createdTime
Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
+ service.detection.sequence.actors.session.issuer
+ service.detection.sequence.actors.session.mfaStatus
+ service.detection.sequence.actors.session.uid
+ service.detection.sequence.actors.user.account.account
+ service.detection.sequence.actors.user.account.uid
+ service.detection.sequence.actors.user.credentialUid
+ service.detection.sequence.actors.user.name
+ service.detection.sequence.actors.user.type
+ service.detection.sequence.actors.user.uid
+ service.detection.sequence.additionalSequenceTypes
+ service.detection.sequence.description
+ service.detection.sequence.endpoints.autonomousSystem.name
+ service.detection.sequence.endpoints.autonomousSystem.number
+ service.detection.sequence.endpoints.connection.direction
+ service.detection.sequence.endpoints.domain
+ service.detection.sequence.endpoints.id
+ service.detection.sequence.endpoints.ip
+ service.detection.sequence.endpoints.location.city
+ service.detection.sequence.endpoints.location.country
+ service.detection.sequence.endpoints.location.lat
+ service.detection.sequence.endpoints.location.lon
+ service.detection.sequence.endpoints.port
+ service.detection.sequence.resources.accountId
+ service.detection.sequence.resources.cloudPartition
+ service.detection.sequence.resources.data.accessKey.principalId
+ service.detection.sequence.resources.data.accessKey.userName
+ service.detection.sequence.resources.data.accessKey.userType
+ service.detection.sequence.resources.data.autoscalingAutoScalingGroup.ec2InstanceUids
+ service.detection.sequence.resources.data.cloudformationStack.ec2InstanceUids
+ service.detection.sequence.resources.data.container.image
+ service.detection.sequence.resources.data.container.imageUid
+ service.detection.sequence.resources.data.ec2Image.ec2InstanceUids
+ service.detection.sequence.resources.data.ec2Instance.availabilityZone
+ service.detection.sequence.resources.data.ec2Instance.ec2NetworkInterfaceUids
+ service.detection.sequence.resources.data.ec2Instance.iamInstanceProfile.arn
+ service.detection.sequence.resources.data.ec2Instance.iamInstanceProfile.id
+ service.detection.sequence.resources.data.ec2Instance.imageDescription
+ service.detection.sequence.resources.data.ec2Instance.instanceState
+ service.detection.sequence.resources.data.ec2Instance.instanceType
+ service.detection.sequence.resources.data.ec2Instance.outpostArn
+ service.detection.sequence.resources.data.ec2Instance.platform
+ service.detection.sequence.resources.data.ec2Instance.productCodes.productCodeId
+ service.detection.sequence.resources.data.ec2Instance.productCodes.productCodeType
+ service.detection.sequence.resources.data.ec2LaunchTemplate.ec2InstanceUids
+ service.detection.sequence.resources.data.ec2LaunchTemplate.version
+ service.detection.sequence.resources.data.ec2NetworkInterface.ipv6Addresses
+ service.detection.sequence.resources.data.ec2NetworkInterface.privateIpAddresses.privateDnsName
+ service.detection.sequence.resources.data.ec2NetworkInterface.privateIpAddresses.privateIpAddress
+ service.detection.sequence.resources.data.ec2NetworkInterface.publicIp
+ service.detection.sequence.resources.data.ec2NetworkInterface.securityGroups.groupId
+ service.detection.sequence.resources.data.ec2NetworkInterface.securityGroups.groupName
+ service.detection.sequence.resources.data.ec2NetworkInterface.subNetId
+ service.detection.sequence.resources.data.ec2NetworkInterface.vpcId
+ service.detection.sequence.resources.data.ec2Vpc.ec2InstanceUids
+ service.detection.sequence.resources.data.ecsCluster.ec2InstanceUids
+ service.detection.sequence.resources.data.ecsCluster.status
+ service.detection.sequence.resources.data.ecsTask.containerUids
+ service.detection.sequence.resources.data.ecsTask.createdAt
Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
+ service.detection.sequence.resources.data.ecsTask.launchType
+ service.detection.sequence.resources.data.ecsTask.taskDefinitionArn
+ service.detection.sequence.resources.data.eksCluster.arn
+ service.detection.sequence.resources.data.eksCluster.createdAt
Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
+ service.detection.sequence.resources.data.eksCluster.ec2InstanceUids
+ service.detection.sequence.resources.data.eksCluster.status
+ service.detection.sequence.resources.data.eksCluster.vpcId
+ service.detection.sequence.resources.data.iamInstanceProfile.ec2InstanceUids
+ service.detection.sequence.resources.data.iamInstanceProfile.id
+ service.detection.sequence.resources.data.kubernetesWorkload.containerUids
+ service.detection.sequence.resources.data.kubernetesWorkload.namespace
+ service.detection.sequence.resources.data.kubernetesWorkload.type
+ service.detection.sequence.resources.data.s3Bucket.accountPublicAccess.publicAclAccess
+ service.detection.sequence.resources.data.s3Bucket.accountPublicAccess.publicAclIgnoreBehavior
+ service.detection.sequence.resources.data.s3Bucket.accountPublicAccess.publicBucketRestrictBehavior
+ service.detection.sequence.resources.data.s3Bucket.accountPublicAccess.publicPolicyAccess
+ service.detection.sequence.resources.data.s3Bucket.bucketPublicAccess.publicAclAccess
+ service.detection.sequence.resources.data.s3Bucket.bucketPublicAccess.publicAclIgnoreBehavior
+ service.detection.sequence.resources.data.s3Bucket.bucketPublicAccess.publicBucketRestrictBehavior
+ service.detection.sequence.resources.data.s3Bucket.bucketPublicAccess.publicPolicyAccess
+ service.detection.sequence.resources.data.s3Bucket.createdAt
Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
+ service.detection.sequence.resources.data.s3Bucket.effectivePermission
+ service.detection.sequence.resources.data.s3Bucket.encryptionKeyArn
+ service.detection.sequence.resources.data.s3Bucket.encryptionType
+ service.detection.sequence.resources.data.s3Bucket.ownerId
+ service.detection.sequence.resources.data.s3Bucket.publicReadAccess
+ service.detection.sequence.resources.data.s3Bucket.publicWriteAccess
+ service.detection.sequence.resources.data.s3Bucket.s3ObjectUids
+ service.detection.sequence.resources.data.s3Object.eTag
+ service.detection.sequence.resources.data.s3Object.key
+ service.detection.sequence.resources.data.s3Object.versionId
+ service.detection.sequence.resources.name
+ service.detection.sequence.resources.region
+ service.detection.sequence.resources.resourceType
+ service.detection.sequence.resources.service
+ service.detection.sequence.resources.tags.key
+ service.detection.sequence.resources.tags.value
+ service.detection.sequence.resources.uid
+ service.detection.sequence.sequenceIndicators.key
+ service.detection.sequence.sequenceIndicators.title
+ service.detection.sequence.sequenceIndicators.values
+ service.detection.sequence.signals.actorIds
+ service.detection.sequence.signals.count
+ service.detection.sequence.signals.createdAt
Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
+ service.detection.sequence.signals.description
+ service.detection.sequence.signals.endpointIds
+ service.detection.sequence.signals.firstSeenAt
Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
+ service.detection.sequence.signals.lastSeenAt
Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
+ service.detection.sequence.signals.name
+ service.detection.sequence.signals.resourceUids
+ service.detection.sequence.signals.severity
+ service.detection.sequence.signals.signalIndicators.key
+ service.detection.sequence.signals.signalIndicators.title
+ service.detection.sequence.signals.signalIndicators.values
+ service.detection.sequence.signals.type
+ service.detection.sequence.signals.uid
+ service.detection.sequence.signals.updatedAt
Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
+ service.detection.sequence.uid
+ service.detectorId
+ service.ebsVolumeScanDetails.scanCompletedAt
Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
+ service.ebsVolumeScanDetails.scanDetections.highestSeverityThreatDetails.count
+ service.ebsVolumeScanDetails.scanDetections.highestSeverityThreatDetails.severity
+ service.ebsVolumeScanDetails.scanDetections.highestSeverityThreatDetails.threatName
+ service.ebsVolumeScanDetails.scanDetections.scannedItemCount.files
+ service.ebsVolumeScanDetails.scanDetections.scannedItemCount.totalGb
+ service.ebsVolumeScanDetails.scanDetections.scannedItemCount.volumes
+ service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.itemCount
+ service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.shortened
+ service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.filePaths.fileName
+ service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.filePaths.filePath
+ service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.filePaths.hash
+ service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.filePaths.volumeArn
+ service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.itemCount
+ service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.name
+ service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.severity
+ service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.uniqueThreatNameCount
+ service.ebsVolumeScanDetails.scanDetections.threatsDetectedItemCount.files
+ service.ebsVolumeScanDetails.scanId
+ service.ebsVolumeScanDetails.scanStartedAt
Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
+ service.ebsVolumeScanDetails.scanType
+ service.ebsVolumeScanDetails.sources
+ service.ebsVolumeScanDetails.triggerFindingId
+ service.eventFirstSeen
Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
+ service.eventLastSeen
Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
+ service.evidence.threatIntelligenceDetails.threatFileSha256
+ service.evidence.threatIntelligenceDetails.threatListName
+ service.evidence.threatIntelligenceDetails.threatNames
+ service.featureName
+ service.malwareScanDetails.scanCategory
+ service.malwareScanDetails.scanConfiguration.incrementalScanDetails.baselineResourceArn
+ service.malwareScanDetails.scanConfiguration.triggerType
+ service.malwareScanDetails.scanId
+ service.malwareScanDetails.scanType
+ service.malwareScanDetails.threats.count
+ service.malwareScanDetails.threats.hash
+ service.malwareScanDetails.threats.itemDetails.additionalInfo.deviceName
+ service.malwareScanDetails.threats.itemDetails.additionalInfo.versionId
+ service.malwareScanDetails.threats.itemDetails.hash
+ service.malwareScanDetails.threats.itemDetails.itemPath
+ service.malwareScanDetails.threats.itemDetails.resourceArn
+ service.malwareScanDetails.threats.itemPaths.hash
+ service.malwareScanDetails.threats.itemPaths.nestedItemPath
+ service.malwareScanDetails.threats.name
+ service.malwareScanDetails.threats.source
+ service.malwareScanDetails.uniqueThreatCount
+ service.resourceRole
+ service.runtimeDetails.context.addressFamily
+ service.runtimeDetails.context.commandLineExample
+ service.runtimeDetails.context.fileOperation
+ service.runtimeDetails.context.filePath
+ service.runtimeDetails.context.fileSystemType
+ service.runtimeDetails.context.flags
+ service.runtimeDetails.context.ianaProtocolNumber
+ service.runtimeDetails.context.ldPreloadValue
+ service.runtimeDetails.context.libraryPath
+ service.runtimeDetails.context.memoryRegions
+ service.runtimeDetails.context.modifiedAt
Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
+ service.runtimeDetails.context.modifyingProcess.euid
+ service.runtimeDetails.context.modifyingProcess.executablePath
+ service.runtimeDetails.context.modifyingProcess.executableSha256
+ service.runtimeDetails.context.modifyingProcess.lineage.euid
+ service.runtimeDetails.context.modifyingProcess.lineage.executablePath
+ service.runtimeDetails.context.modifyingProcess.lineage.name
+ service.runtimeDetails.context.modifyingProcess.lineage.namespacePid
+ service.runtimeDetails.context.modifyingProcess.lineage.parentUuid
+ service.runtimeDetails.context.modifyingProcess.lineage.pid
+ service.runtimeDetails.context.modifyingProcess.lineage.startTime
Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
+ service.runtimeDetails.context.modifyingProcess.lineage.userId
+ service.runtimeDetails.context.modifyingProcess.lineage.uuid
+ service.runtimeDetails.context.modifyingProcess.name
+ service.runtimeDetails.context.modifyingProcess.namespacePid
+ service.runtimeDetails.context.modifyingProcess.parentUuid
+ service.runtimeDetails.context.modifyingProcess.pid
+ service.runtimeDetails.context.modifyingProcess.pwd
+ service.runtimeDetails.context.modifyingProcess.startTime
Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
+ service.runtimeDetails.context.modifyingProcess.user
+ service.runtimeDetails.context.modifyingProcess.userId
+ service.runtimeDetails.context.modifyingProcess.uuid
+ service.runtimeDetails.context.moduleFilePath
+ service.runtimeDetails.context.moduleName
+ service.runtimeDetails.context.moduleSha256
+ service.runtimeDetails.context.mountSource
+ service.runtimeDetails.context.mountTarget
+ service.runtimeDetails.context.relatedFilePaths
+ service.runtimeDetails.context.releaseAgentPath
+ service.runtimeDetails.context.runcBinaryPath
+ service.runtimeDetails.context.scriptPath
+ service.runtimeDetails.context.serviceName
+ service.runtimeDetails.context.shellHistoryFilePath
+ service.runtimeDetails.context.socketPath
+ service.runtimeDetails.context.targetProcess.euid
+ service.runtimeDetails.context.targetProcess.executablePath
+ service.runtimeDetails.context.targetProcess.executableSha256
+ service.runtimeDetails.context.targetProcess.lineage.euid
+ service.runtimeDetails.context.targetProcess.lineage.executablePath
+ service.runtimeDetails.context.targetProcess.lineage.name
+ service.runtimeDetails.context.targetProcess.lineage.namespacePid
+ service.runtimeDetails.context.targetProcess.lineage.parentUuid
+ service.runtimeDetails.context.targetProcess.lineage.pid
+ service.runtimeDetails.context.targetProcess.lineage.startTime
Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
+ service.runtimeDetails.context.targetProcess.lineage.userId
+ service.runtimeDetails.context.targetProcess.lineage.uuid
+ service.runtimeDetails.context.targetProcess.name
+ service.runtimeDetails.context.targetProcess.namespacePid
+ service.runtimeDetails.context.targetProcess.parentUuid
+ service.runtimeDetails.context.targetProcess.pid
+ service.runtimeDetails.context.targetProcess.pwd
+ service.runtimeDetails.context.targetProcess.startTime
Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
+ service.runtimeDetails.context.targetProcess.user
+ service.runtimeDetails.context.targetProcess.userId
+ service.runtimeDetails.context.targetProcess.uuid
+ service.runtimeDetails.context.threatFilePath
+ service.runtimeDetails.context.toolCategory
+ service.runtimeDetails.context.toolName
+ service.runtimeDetails.process.euid
+ service.runtimeDetails.process.executablePath
+ service.runtimeDetails.process.executableSha256
+ service.runtimeDetails.process.lineage.euid
+ service.runtimeDetails.process.lineage.executablePath
+ service.runtimeDetails.process.lineage.name
+ service.runtimeDetails.process.lineage.namespacePid
+ service.runtimeDetails.process.lineage.parentUuid
+ service.runtimeDetails.process.lineage.pid
+ service.runtimeDetails.process.lineage.startTime
Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
+ service.runtimeDetails.process.lineage.userId
+ service.runtimeDetails.process.lineage.uuid
+ service.runtimeDetails.process.name
+ service.runtimeDetails.process.namespacePid
+ service.runtimeDetails.process.parentUuid
+ service.runtimeDetails.process.pid
+ service.runtimeDetails.process.pwd
+ service.runtimeDetails.process.startTime
Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
+ service.runtimeDetails.process.user
+ service.runtimeDetails.process.userId
+ service.runtimeDetails.process.uuid
+ service.serviceName
+ service.userFeedback
+ severity
To configure severity based filters, use the following for the [FindingCriteria](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_FindingCriteria.html) condition:
+ **Low**: `["1", "2", "3"]`
+ **Medium**: `["4", "5", "6"]`
+ **High**: `["7", "8"]`
+ **Critical**: `["9", "10"]`
For more information, see [Findings severity levels](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings-severity.html) in the *Amazon GuardDuty User Guide*.
+ title
+ type
+ updatedAt
Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
Type: [FindingCriteria](API_FindingCriteria.md) object
Required: No
** [rank](#API_UpdateFilter_RequestSyntax) **
Specifies the position of the filter in the list of current filters. Also specifies the order in which this filter is applied to the findings.
Type: Integer
Valid Range: Minimum value of 1. Maximum value of 100.
Required: No
## Response Syntax
```
HTTP/1.1 200
Content-type: application/json
{
"name": "string"
}
```
## Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
** [name](#API_UpdateFilter_ResponseSyntax) **
The name of the filter.
Type: String
Length Constraints: Minimum length of 3. Maximum length of 64.
## Errors
For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).
** BadRequestException **
A bad request exception object.
** Message **
The error message.
** Type **
The error type.
HTTP Status Code: 400
** InternalServerErrorException **
An internal server error exception object.
** Message **
The error message.
** Type **
The error type.
HTTP Status Code: 500
## See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
+ [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/guardduty-2017-11-28/UpdateFilter)
+ [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/guardduty-2017-11-28/UpdateFilter)
+ [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/guardduty-2017-11-28/UpdateFilter)
+ [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/guardduty-2017-11-28/UpdateFilter)
+ [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/guardduty-2017-11-28/UpdateFilter)
+ [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/guardduty-2017-11-28/UpdateFilter)
+ [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/guardduty-2017-11-28/UpdateFilter)
+ [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/guardduty-2017-11-28/UpdateFilter)
+ [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/guardduty-2017-11-28/UpdateFilter)
+ [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/guardduty-2017-11-28/UpdateFilter)