Filtering findings
A finding filter allows you to view findings that match the criteria you specify and filter out any unmatched findings. You can easily create finding filters using the Amazon GuardDuty console, or you can create them with the CreateFilter API using JSON. Review the following sections to understand how to create a filter in the console. To use these filters to automatically archive incoming findings, see Suppression rules.
Creating filters in the GuardDuty console
Finding filters can be created and tested through the GuardDuty console. You can save filters created through the console for use in suppression rules or future filter operations. A filter is made up of at least one filter criterion, and each criterion consists of one filter attribute paired with at least one value.
When you create filters, be aware of the following:

- Filters do not accept wild cards.
- You can specify a minimum of one attribute and up to a maximum of 50 attributes as the criteria for a particular filter.
- When you use the equal to or not equal to condition to filter on an attribute value, such as Account ID, you can specify a maximum of 50 values.
- Each filter criteria attribute is evaluated as an AND operator. Multiple values for the same attribute are evaluated as AND/OR.
To filter findings (console)

1. Choose Add filter criteria above the displayed list of your GuardDuty findings.
2. In the expanded list of attributes, select the attribute that you want to specify as the criteria for your filter, such as Account ID or Action type.

   Note: See the filter attribute table on this page for a list of attributes that you can use to create filter criteria.

3. In the displayed text field, specify a value for each selected attribute and then choose Apply.

   Note: After you apply a filter, you can convert the filter to exclude findings that match the filter by choosing the black dot to the left of the filter name. This effectively creates a "not equals" filter for the selected attribute.

4. To save the specified attributes and their values (filter criteria) as a filter, select Save. Enter the filter name and description, and then choose Done.
Filter attributes
When you create filters or sort findings using the API operations, you must specify filter criteria in JSON. These filter criteria correlate to a finding's details JSON. The following table contains a list of the console display names for filter attributes and their equivalent JSON field names.
Console field name | JSON field name
---|---
Account ID | accountId
Finding ID | id
Region | region
Severity | severity If you use
Finding type | type
Updated at | updatedAt
Access Key ID | resource.accessKeyDetails.accessKeyId
Principal ID | resource.accessKeyDetails.principalId
Username | resource.accessKeyDetails.userName
User type | resource.accessKeyDetails.userType
IAM instance profile ID | resource.instanceDetails.iamInstanceProfile.id
Instance ID | resource.instanceDetails.instanceId
Instance image ID | resource.instanceDetails.imageId
Instance tag key | resource.instanceDetails.tags.key
Instance tag value | resource.instanceDetails.tags.value
IPv6 address | resource.instanceDetails.networkInterfaces.ipv6Addresses
Private IPv4 address | resource.instanceDetails.networkInterfaces.privateIpAddresses.privateIpAddress
Public DNS name | resource.instanceDetails.networkInterfaces.publicDnsName
Public IP | resource.instanceDetails.networkInterfaces.publicIp
Security group ID | resource.instanceDetails.networkInterfaces.securityGroups.groupId
Security group name | resource.instanceDetails.networkInterfaces.securityGroups.groupName
Subnet ID | resource.instanceDetails.networkInterfaces.subnetId
VPC ID | resource.instanceDetails.networkInterfaces.vpcId
Outpost ARN | resource.instanceDetails.outpostARN
Resource type | resource.resourceType
Bucket permissions | resource.s3BucketDetails.publicAccess.effectivePermission
Bucket name | resource.s3BucketDetails.name
Bucket tag key | resource.s3BucketDetails.tags.key
Bucket tag value | resource.s3BucketDetails.tags.value
Bucket type | resource.s3BucketDetails.type
Action type | service.action.actionType
API called | service.action.awsApiCallAction.api
API caller type | service.action.awsApiCallAction.callerType
API Error Code | service.action.awsApiCallAction.errorCode
API caller city | service.action.awsApiCallAction.remoteIpDetails.city.cityName
API caller country | service.action.awsApiCallAction.remoteIpDetails.country.countryName
API caller IPv4 address | service.action.awsApiCallAction.remoteIpDetails.ipAddressV4
API caller ASN ID | service.action.awsApiCallAction.remoteIpDetails.organization.asn
API caller ASN name | service.action.awsApiCallAction.remoteIpDetails.organization.asnOrg
API caller service name | service.action.awsApiCallAction.serviceName
DNS request domain | service.action.dnsRequestAction.domain
Network connection blocked | service.action.networkConnectionAction.blocked
Network connection direction | service.action.networkConnectionAction.connectionDirection
Network connection local port | service.action.networkConnectionAction.localPortDetails.port
Network connection protocol | service.action.networkConnectionAction.protocol
Network connection city | service.action.networkConnectionAction.remoteIpDetails.city.cityName
Network connection country | service.action.networkConnectionAction.remoteIpDetails.country.countryName
Network connection remote IPv4 address | service.action.networkConnectionAction.remoteIpDetails.ipAddressV4
Network connection remote IP ASN ID | service.action.networkConnectionAction.remoteIpDetails.organization.asn
Network connection remote IP ASN name | service.action.networkConnectionAction.remoteIpDetails.organization.asnOrg
Network connection remote port | service.action.networkConnectionAction.remotePortDetails.port
Remote account affiliated | service.action.awsApiCallAction.remoteAccountDetails.affiliated
Kubernetes API caller IPv4 address | service.action.kubernetesApiCallAction.remoteIpDetails.ipAddressV4
Kubernetes API call request URI | service.action.kubernetesApiCallAction.requestUri
Network connection local IPv4 address | service.action.networkConnectionAction.localIpDetails.ipAddressV4
Protocol | service.action.networkConnectionAction.protocol
API call service name | service.action.awsApiCallAction.serviceName
API caller account ID | service.action.awsApiCallAction.remoteAccountDetails.accountId
Threat list name | service.additionalInfo.threatListName
Resource role | service.resourceRole
EKS cluster name | resource.eksClusterDetails.name
Kubernetes workload name | resource.kubernetesDetails.kubernetesWorkloadDetails.name
Kubernetes workload namespace | resource.kubernetesDetails.kubernetesWorkloadDetails.namespace
Kubernetes user name | resource.kubernetesDetails.kubernetesUserDetails.username
Kubernetes container image | resource.kubernetesDetails.kubernetesWorkloadDetails.containers.image
Kubernetes container image prefix | resource.kubernetesDetails.kubernetesWorkloadDetails.containers.imagePrefix
Scan ID | service.ebsVolumeScanDetails.scanId
Threat name | service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.name
Threat severity | service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.severity
File SHA | service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.filePaths.hash
ECS cluster name | resource.ecsClusterDetails.name
ECS container image | resource.ecsClusterDetails.taskDetails.containers.image
ECS task definition ARN | resource.ecsClusterDetails.taskDetails.definitionArn
Standalone container image | resource.containerDetails.image
Database Instance Id | resource.rdsDbInstanceDetails.dbInstanceIdentifier
Database Cluster Id | resource.rdsDbInstanceDetails.dbClusterIdentifier
Database Engine | resource.rdsDbInstanceDetails.engine
Database user | resource.rdsDbUserDetails.user
Database instance tag key | resource.rdsDbInstanceDetails.tags.key
Database instance tag value | resource.rdsDbInstanceDetails.tags.value
Executable SHA-256 | service.runtimeDetails.process.executableSha256
Process name | service.runtimeDetails.process.name
Executable path | service.runtimeDetails.process.executablePath
Lambda function name | resource.lambdaDetails.functionName
Lambda function ARN | resource.lambdaDetails.functionArn
Lambda function tag key | resource.lambdaDetails.tags.key
Lambda function tag value | resource.lambdaDetails.tags.value
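The following Python example ties the two halves of this page together: the evaluation rules listed under "When you create filters" (AND across attributes, OR across the values of one attribute, the 50-attribute and 50-value limits, no wild cards) and the dotted JSON field names in the table above. It is an added example, not AWS code or part of the GuardDuty documentation. The `FindingCriteria` shape (`Criterion` keyed by field name, with `Equals`, `NotEquals` and the numeric comparison operators) follows the CreateFilter API as the author of this example knows it from the SDK; the local evaluator, its treatment of an attribute that is absent from a finding, and the sample findings are this example's own assumptions, constructed so the code runs offline. Note that the walker fans out across nested arrays, so a field such as `resource.instanceDetails.networkInterfaces.securityGroups.groupId` matches if any security group on any interface matches.

```python
"""Evaluate GuardDuty-style finding filter criteria against finding JSON, offline."""
from typing import Any, Dict, Iterable, List

MAX_ATTRIBUTES = 50   # limit stated on the page
MAX_VALUES = 50       # limit per Equals / NotEquals list, stated on the page

# Filter criteria in the shape CreateFilter expects under FindingCriteria
# (assumption: field/operator names as known from the GuardDuty SDK).
# Region and security-group IDs are constructed sample values.
FILTER_CRITERIA: Dict[str, Any] = {
    "Criterion": {
        "region": {"Equals": ["us-east-1"]},
        "severity": {"GreaterThanOrEqual": 7},
        "resource.instanceDetails.networkInterfaces.securityGroups.groupId": {
            "Equals": ["sg-0example1", "sg-0example2"]  # OR across these values
        },
        "service.action.actionType": {"NotEquals": ["DNS_REQUEST"]},
    }
}


def resolve(obj: Any, path: str) -> Iterable[Any]:
    """Walk a dotted JSON field name. Lists fan out, so nested-array fields
    (interfaces -> security groups -> groupId) yield every leaf value."""
    if isinstance(obj, list):
        for item in obj:
            yield from resolve(item, path)
        return
    if path == "":
        yield obj
        return
    head, _, rest = path.partition(".")
    if isinstance(obj, dict) and head in obj:
        yield from resolve(obj[head], rest)


_NUMERIC_OPS = {
    "GreaterThan": lambda v, t: v > t,
    "GreaterThanOrEqual": lambda v, t: v >= t,
    "LessThan": lambda v, t: v < t,
    "LessThanOrEqual": lambda v, t: v <= t,
}


def condition_matches(values: List[Any], cond: Dict[str, Any]) -> bool:
    """One attribute: any value may satisfy Equals (OR), no value may hit NotEquals.
    Assumption of this example: an attribute absent from the finding fails Equals
    and passes NotEquals."""
    as_str = {str(v) for v in values}
    if "Equals" in cond and as_str.isdisjoint(cond["Equals"]):
        return False
    if "NotEquals" in cond and not as_str.isdisjoint(cond["NotEquals"]):
        return False
    numeric = [v for v in values if isinstance(v, (int, float)) and not isinstance(v, bool)]
    for op, test in _NUMERIC_OPS.items():
        if op in cond and not any(test(v, cond[op]) for v in numeric):
            return False
    return True


def finding_matches(finding: Dict[str, Any], criteria: Dict[str, Any]) -> bool:
    """All attributes must match (AND across attributes)."""
    return all(condition_matches(list(resolve(finding, field)), cond)
               for field, cond in criteria["Criterion"].items())


def filter_findings(findings: List[Dict[str, Any]], criteria: Dict[str, Any]) -> List[str]:
    return [f["id"] for f in findings if finding_matches(f, criteria)]


def validate_criteria(criteria: Dict[str, Any]) -> List[str]:
    """Check a filter against the limits the page states before calling the API."""
    problems: List[str] = []
    crit = criteria.get("Criterion", {})
    if not 1 <= len(crit) <= MAX_ATTRIBUTES:
        problems.append(f"filter needs 1..{MAX_ATTRIBUTES} attributes, has {len(crit)}")
    for field, cond in crit.items():
        for op in ("Equals", "NotEquals"):
            vals = cond.get(op, [])
            if len(vals) > MAX_VALUES:
                problems.append(f"{field}.{op}: {len(vals)} values exceeds {MAX_VALUES}")
            if any("*" in str(v) for v in vals):
                problems.append(f"{field}.{op}: wild cards are not supported, '*' would be literal")
    return problems


def _finding(fid: str, region: str, severity: int, group_ids: List[List[str]], action: str) -> Dict[str, Any]:
    """Build a minimal constructed finding with the fields the filter above uses."""
    return {
        "id": fid, "region": region, "severity": severity,
        "resource": {"instanceDetails": {"networkInterfaces": [
            {"securityGroups": [{"groupId": g} for g in groups]} for groups in group_ids]}},
        "service": {"action": {"actionType": action}},
    }


# Constructed sample findings: only A satisfies every criterion.
SAMPLE_FINDINGS = [
    _finding("finding-A", "us-east-1", 8, [["sg-0example1"], ["sg-0other"]], "NETWORK_CONNECTION"),
    _finding("finding-B", "us-east-1", 8, [["sg-0example2"]], "DNS_REQUEST"),      # NotEquals hit
    _finding("finding-C", "eu-west-1", 8, [["sg-0example1"]], "NETWORK_CONNECTION"),  # wrong region
    _finding("finding-D", "us-east-1", 5, [["sg-0example1"]], "NETWORK_CONNECTION"),  # severity too low
]

if __name__ == "__main__":
    print("validation problems:", validate_criteria(FILTER_CRITERIA))
    print("matching findings:", filter_findings(SAMPLE_FINDINGS, FILTER_CRITERIA))
```

Once `validate_criteria` returns no problems, the same `FILTER_CRITERIA` dictionary is what you would pass as `FindingCriteria` to the CreateFilter operation (with `Action` set to archive matching findings if the filter is meant as a suppression rule); running the evaluator over a handful of exported findings first is a cheap way to confirm a suppression rule does not archive more than intended.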