Filtering findings in GuardDuty
A finding filter lets you view the findings that match the criteria you specify and hides any findings that do not match. You can create finding filters in the Amazon GuardDuty console, or with the CreateFilter API using JSON. Review the following sections to learn how to create a filter in the console. To use these filters to automatically archive incoming findings, see Suppression rules in GuardDuty.
Creating and saving a filter set in the GuardDuty console
Finding filters can be created and tested in the GuardDuty console. You can save filters created in the console for use in suppression rules or in future filter operations. A filter is made up of at least one filter criterion, and each criterion consists of one filter attribute paired with at least one value.
When you create filters, be aware of the following:
- GuardDuty doesn't support wildcards in filter criteria; values are matched exactly.
- You can specify a minimum of one attribute and a maximum of 50 attributes as the criteria for a particular filter.
- When you use the Equals or Does not equal operator to filter on an attribute value, such as Account ID, you can specify a maximum of 50 values.
- Each filter criteria attribute is evaluated as an AND operator: a finding must satisfy every attribute in the filter. Multiple values for the same attribute are evaluated as AND/OR: with Equals, a finding matches if it has any one of the listed values; with Does not equal, a finding matches only if it has none of the listed values.
To create and save filter criteria (console)
1. Sign in to the AWS Management Console and open the GuardDuty console at https://console.aws.amazon.com/guardduty/.
2. In the left navigation pane, choose Findings.
3. On the Findings page, select the Filter findings bar next to the Saved rules menu. This displays an expanded list of Property filters.
4. From the expanded list of filters, select the attribute on which you want to filter the findings table.
   For example, to view findings for which the potentially impacted resource is an S3Bucket, choose Resource type.
5. For Operators, choose the one that narrows the findings to the desired result. To continue the example from the previous step, choose Resource type =. This displays a list of resource types in GuardDuty.
   If your use case requires excluding specific findings, choose the Does not equal (!=) operator instead.
6. Specify the value for the selected property filter. If needed, choose Apply. To continue the example from the previous step, choose S3Bucket.
   The findings table now shows only the findings that match the applied filters.
7. To add more than one filter criterion, repeat steps 3-6.
   For a complete list of attributes, see Property filters in GuardDuty.
8. (Optional) Save the specified attributes and values as a filter set.
   To apply this filter combination again in the future, you can save the specified attributes and their values as a filter set.
   a. After you have created filter criteria with one or more property filters, select the arrow in the Clear filters menu.
   b. Enter the filter set Name. The name must be 3-64 characters. Valid characters are a-z, A-Z, 0-9, period (.), hyphen (-), and underscore (_).
   c. The Description is optional. If you enter a description, it can have up to 512 characters.
   d. Choose Create.
Property filters in GuardDuty
When you create filters or sort findings using the API operations, you must specify the filter criteria in JSON. Each criterion is keyed by a field name from the finding's details JSON. The following table lists the console display names for the filter attributes and their equivalent JSON field names.
| Console field name | JSON field name |
|---|---|
| Account ID | accountId |
| Finding ID | id |
| Region | region |
| Severity | severity. You can filter findings by the severity level of the finding type. For more information about severity values, see Severity levels of GuardDuty findings. If you use |
| Finding type | type |
| Updated at | updatedAt |
| Access Key ID | resource.accessKeyDetails.accessKeyId |
| Principal ID | resource.accessKeyDetails.principalId |
| Username | resource.accessKeyDetails.userName |
| User type | resource.accessKeyDetails.userType |
| IAM instance profile ID | resource.instanceDetails.iamInstanceProfile.id |
| Instance ID | resource.instanceDetails.instanceId |
| Instance image ID | resource.instanceDetails.imageId |
| Instance tag key | resource.instanceDetails.tags.key |
| Instance tag value | resource.instanceDetails.tags.value |
| IPv6 address | resource.instanceDetails.networkInterfaces.ipv6Addresses |
| Private IPv4 address | resource.instanceDetails.networkInterfaces.privateIpAddresses.privateIpAddress |
| Public DNS name | resource.instanceDetails.networkInterfaces.publicDnsName |
| Public IP | resource.instanceDetails.networkInterfaces.publicIp |
| Security group ID | resource.instanceDetails.networkInterfaces.securityGroups.groupId |
| Security group name | resource.instanceDetails.networkInterfaces.securityGroups.groupName |
| Subnet ID | resource.instanceDetails.networkInterfaces.subnetId |
| VPC ID | resource.instanceDetails.networkInterfaces.vpcId |
| Outpost ARN | resource.instanceDetails.outpostARN |
| Resource type | resource.resourceType |
| Bucket permissions | resource.s3BucketDetails.publicAccess.effectivePermission |
| Bucket name | resource.s3BucketDetails.name |
| Bucket tag key | resource.s3BucketDetails.tags.key |
| Bucket tag value | resource.s3BucketDetails.tags.value |
| Bucket type | resource.s3BucketDetails.type |
| Action type | service.action.actionType |
| API called | service.action.awsApiCallAction.api |
| API caller type | service.action.awsApiCallAction.callerType |
| API Error Code | service.action.awsApiCallAction.errorCode |
| API caller city | service.action.awsApiCallAction.remoteIpDetails.city.cityName |
| API caller country | service.action.awsApiCallAction.remoteIpDetails.country.countryName |
| API caller IPv4 address | service.action.awsApiCallAction.remoteIpDetails.ipAddressV4 |
| API caller IPv6 address | service.action.awsApiCallAction.remoteIpDetails.ipAddressV6 |
| API caller ASN ID | service.action.awsApiCallAction.remoteIpDetails.organization.asn |
| API caller ASN name | service.action.awsApiCallAction.remoteIpDetails.organization.asnOrg |
| API caller service name | service.action.awsApiCallAction.serviceName |
| DNS request domain | service.action.dnsRequestAction.domain |
| DNS request domain suffix | service.action.dnsRequestAction.domainWithSuffix |
| Network connection blocked | service.action.networkConnectionAction.blocked |
| Network connection direction | service.action.networkConnectionAction.connectionDirection |
| Network connection local port | service.action.networkConnectionAction.localPortDetails.port |
| Network connection protocol | service.action.networkConnectionAction.protocol |
| Network connection city | service.action.networkConnectionAction.remoteIpDetails.city.cityName |
| Network connection country | service.action.networkConnectionAction.remoteIpDetails.country.countryName |
| Network connection remote IPv4 address | service.action.networkConnectionAction.remoteIpDetails.ipAddressV4 |
| Network connection remote IPv6 address | service.action.networkConnectionAction.remoteIpDetails.ipAddressV6 |
| Network connection remote IP ASN ID | service.action.networkConnectionAction.remoteIpDetails.organization.asn |
| Network connection remote IP ASN name | service.action.networkConnectionAction.remoteIpDetails.organization.asnOrg |
| Network connection remote port | service.action.networkConnectionAction.remotePortDetails.port |
| Remote account affiliated | service.action.awsApiCallAction.remoteAccountDetails.affiliated |
| Kubernetes API caller IPv4 address | service.action.kubernetesApiCallAction.remoteIpDetails.ipAddressV4 |
| Kubernetes API caller IPv6 address | service.action.kubernetesApiCallAction.remoteIpDetails.ipAddressV6 |
| Kubernetes namespace | service.action.kubernetesApiCallAction.namespace |
| Kubernetes API caller ASN ID | service.action.kubernetesApiCallAction.remoteIpDetails.organization.asn |
| Kubernetes API call request URI | service.action.kubernetesApiCallAction.requestUri |
| Kubernetes API status code | service.action.kubernetesApiCallAction.statusCode |
| Network connection local IPv4 address | service.action.networkConnectionAction.localIpDetails.ipAddressV4 |
| Network connection local IPv6 address | service.action.networkConnectionAction.localIpDetails.ipAddressV6 |
| Protocol | service.action.networkConnectionAction.protocol |
| API call service name | service.action.awsApiCallAction.serviceName |
| API caller account ID | service.action.awsApiCallAction.remoteAccountDetails.accountId |
| Threat list name | service.additionalInfo.threatListName |
| Resource role | service.resourceRole |
| EKS cluster name | resource.eksClusterDetails.name |
| Kubernetes workload name | resource.kubernetesDetails.kubernetesWorkloadDetails.name |
| Kubernetes workload namespace | resource.kubernetesDetails.kubernetesWorkloadDetails.namespace |
| Kubernetes user name | resource.kubernetesDetails.kubernetesUserDetails.username |
| Kubernetes container image | resource.kubernetesDetails.kubernetesWorkloadDetails.containers.image |
| Kubernetes container image prefix | resource.kubernetesDetails.kubernetesWorkloadDetails.containers.imagePrefix |
| Scan ID | service.ebsVolumeScanDetails.scanId |
| EBS volume scan threat name | service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.name |
| S3 object scan threat name | service.malwareScanDetails.threats.name |
| Threat severity | service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.severity |
| File SHA | service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.filePaths.hash |
| ECS cluster name | resource.ecsClusterDetails.name |
| ECS container image | resource.ecsClusterDetails.taskDetails.containers.image |
| ECS task definition ARN | resource.ecsClusterDetails.taskDetails.definitionArn |
| Standalone container image | resource.containerDetails.image |
| Database Instance Id | resource.rdsDbInstanceDetails.dbInstanceIdentifier |
| Database Cluster Id | resource.rdsDbInstanceDetails.dbClusterIdentifier |
| Database Engine | resource.rdsDbInstanceDetails.engine |
| Database user | resource.rdsDbUserDetails.user |
| Database instance tag key | resource.rdsDbInstanceDetails.tags.key |
| Database instance tag value | resource.rdsDbInstanceDetails.tags.value |
| Executable SHA-256 | service.runtimeDetails.process.executableSha256 |
| Process name | service.runtimeDetails.process.name |
| Executable path | service.runtimeDetails.process.executablePath |
| Lambda function name | resource.lambdaDetails.functionName |
| Lambda function ARN | resource.lambdaDetails.functionArn |
| Lambda function tag key | resource.lambdaDetails.tags.key |
| Lambda function tag value | resource.lambdaDetails.tags.value |
| DNS request domain | service.action.dnsRequestAction.domainWithSuffix |
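The following Python script is an added example, not AWS code, that makes the filter rules from the notes above (AND across attributes, any-of for Equals, none-of for Does not equal, no wildcards, the 50-attribute and 50-value caps) and the JSON field paths from the table concrete. It evaluates a criteria dict in the same shape as the FindingCriteria.Criterion parameter of the CreateFilter API against findings held locally, fanning out through list-valued fields such as networkInterfaces and securityGroups, so you can test a filter before creating it. The findings, account IDs, bucket names and security group IDs are constructed sample data; the create_filter_in_guardduty function shows the same criteria being sent with boto3 and assumes credentials and a region in the environment (it is not run by the offline part).

```python
"""Offline model of GuardDuty finding-filter semantics (added example, not AWS code)."""
from typing import Any, Dict, List

MAX_ATTRIBUTES = 50   # documented cap on attributes per filter
MAX_VALUES = 50       # documented cap on values per Equals / Does not equal
NUMERIC_OPS = {       # numeric conditions of the CreateFilter API
    "GreaterThan": lambda a, b: a > b, "GreaterThanOrEqual": lambda a, b: a >= b,
    "LessThan": lambda a, b: a < b, "LessThanOrEqual": lambda a, b: a <= b,
}


def resolve(finding: Dict[str, Any], path: str) -> List[Any]:
    """Collect every value at a dotted JSON path, fanning out through lists.

    resource.instanceDetails.networkInterfaces.securityGroups.groupId returns the
    group IDs of every security group on every interface of the instance.
    """
    current: List[Any] = [finding]
    for key in path.split("."):
        nxt: List[Any] = []
        for node in current:
            for item in (node if isinstance(node, list) else [node]):
                if isinstance(item, dict) and key in item:
                    nxt.append(item[key])
        current = nxt
    flat: List[Any] = []
    for value in current:  # a leaf may itself be a list (e.g. ipv6Addresses)
        flat.extend(value if isinstance(value, list) else [value])
    return flat


def validate_criteria(criterion: Dict[str, Dict[str, Any]]) -> None:
    """Enforce the limits stated on the page; raise ValueError on violation."""
    if not 1 <= len(criterion) <= MAX_ATTRIBUTES:
        raise ValueError(f"a filter needs 1..{MAX_ATTRIBUTES} attributes, got {len(criterion)}")
    for field, cond in criterion.items():
        for op in ("Equals", "NotEquals"):
            values = cond.get(op)
            if values is None:
                continue
            if not isinstance(values, list) or not values:
                raise ValueError(f"{field}.{op}: expected a non-empty list")
            if len(values) > MAX_VALUES:
                raise ValueError(f"{field}.{op}: at most {MAX_VALUES} values")
            if any("*" in str(v) for v in values):
                raise ValueError(f"{field}.{op}: wildcards are not supported")


def matches(finding: Dict[str, Any], criterion: Dict[str, Dict[str, Any]]) -> bool:
    """True only if the finding satisfies every attribute (attributes are ANDed)."""
    validate_criteria(criterion)
    for field, cond in criterion.items():
        values = resolve(finding, field)
        as_text = {str(v) for v in values}  # exact string comparison, no wildcards
        # Equals: match ANY listed value (OR within the attribute).
        if "Equals" in cond and not any(str(v) in as_text for v in cond["Equals"]):
            return False
        # NotEquals: a finding passes only if it matches NONE of the listed values.
        if "NotEquals" in cond and any(str(v) in as_text for v in cond["NotEquals"]):
            return False
        # Numeric comparisons, e.g. severity or updatedAt (epoch milliseconds).
        numbers = [v for v in values if isinstance(v, (int, float)) and not isinstance(v, bool)]
        for op, test in NUMERIC_OPS.items():
            if op in cond and not any(test(n, cond[op]) for n in numbers):
                return False
    return True


def apply_filter(findings: List[Dict[str, Any]], criterion: Dict[str, Dict[str, Any]]) -> List[str]:
    """Return the IDs of the findings that survive the filter."""
    return [f["id"] for f in findings if matches(f, criterion)]


def create_filter_in_guardduty(detector_id, name, criterion, description="", action="NOOP", rank=1):
    """Send the same criteria to the real CreateFilter API (assumes env credentials/region).
    action="ARCHIVE" makes the filter a suppression rule. Not executed in this example."""
    import boto3  # imported lazily so the offline part needs no AWS SDK
    validate_criteria(criterion)
    client = boto3.client("guardduty")
    return client.create_filter(DetectorId=detector_id, Name=name, Description=description,
                                Action=action, Rank=rank, FindingCriteria={"Criterion": criterion})


# Constructed sample findings, trimmed to the fields the filters below touch.
SAMPLE_FINDINGS = [
    {"id": "f-s3-high", "accountId": "111122223333", "severity": 8.0,
     "resource": {"resourceType": "S3Bucket", "s3BucketDetails": [{"name": "example-bucket"}]}},
    {"id": "f-ec2-low", "accountId": "111122223333", "severity": 2.0,
     "resource": {"resourceType": "Instance", "instanceDetails": {"networkInterfaces": [
         {"vpcId": "vpc-0a1b2c3d", "securityGroups": [{"groupId": "sg-aaaa1111"}]},
         {"vpcId": "vpc-0a1b2c3d", "securityGroups": [{"groupId": "sg-bbbb2222"},
                                                      {"groupId": "sg-cccc3333"}]}]}}},
    {"id": "f-s3-other-acct", "accountId": "444455556666", "severity": 7.0,
     "resource": {"resourceType": "S3Bucket", "s3BucketDetails": [{"name": "other-bucket"}]}},
]

# Console equivalent: Resource type = S3Bucket AND Severity >= 7 AND Account ID != 444455556666
S3_HIGH_IN_MY_ACCOUNT = {
    "resource.resourceType": {"Equals": ["S3Bucket"]},
    "severity": {"GreaterThanOrEqual": 7},
    "accountId": {"NotEquals": ["444455556666"]},
}
# List fan-out: any interface carrying either group ID matches (OR between the values).
SG_FILTER = {"resource.instanceDetails.networkInterfaces.securityGroups.groupId":
             {"Equals": ["sg-cccc3333", "sg-zzzz9999"]}}

if __name__ == "__main__":
    print(apply_filter(SAMPLE_FINDINGS, S3_HIGH_IN_MY_ACCOUNT))  # ['f-s3-high']
    print(apply_filter(SAMPLE_FINDINGS, SG_FILTER))             # ['f-ec2-low']
```

The console shows severity as Low, Medium or High, but the API criteria compare the numeric severity field, which is why the example uses GreaterThanOrEqual 7 rather than the label; the same criterion dict can be passed unchanged to create_filter_in_guardduty once it behaves as expected locally.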