Filtering findings
A finding filter allows you to view findings that match the criteria you specify and filter out any unmatched findings. You can easily create finding filters using the Amazon GuardDuty console, or you can create them with the CreateFilter API using JSON. Review the following sections to understand how to create a filter in the console. To use these filters to automatically archive incoming findings, see Suppression rules in GuardDuty.
Creating filters in the GuardDuty console
Finding filters can be created and tested through the GuardDuty console. You can save filters created through the console for use in suppression rules or future filter operations. A filter is made up of at least one filter criteria, which consists of one filter attribute paired with at least one value.
When you create filters, be aware of the following:
- Filters do not accept wildcards.
- You can specify a minimum of one attribute and a maximum of 50 attributes as the criteria for a particular filter.
- When you use the equal to or not equal to condition to filter on an attribute value, such as Account ID, you can specify a maximum of 50 values.
- Each filter criteria attribute is evaluated with an AND operator: a finding must satisfy every attribute in the filter. Multiple values for the same attribute are evaluated as AND/OR: with equal to, the finding matches if it carries any one of the listed values (OR); with not equal to, it matches only if it carries none of them (AND of the negations).
To filter findings (console)
1. Under Filter by attribute, choose Add filter criteria. This shows an expanded list of filter attributes.
2. From the expanded list of attributes, select the attribute that you want to specify as the criteria for your filter, such as Account ID or Action type. For a complete list of attributes, see Filter attributes.
3. In the displayed text field, specify a value for the selected attribute and then choose Apply.
4. To add more than one filter criterion, repeat steps 1-3.
5. By default, the list shows the findings that match the applied filter. If you want to view the findings that do not match the filter attribute, choose Exclude next to the filter.

Save the specified attributes and values as a filter
1. To save the specified attributes and their values (filter criteria) as a filter, select Save/Edit.
2. Enter the filter rule Name and Description.
3. Choose Save.
Filter attributes
When you create filters or sort findings using the API operations, you must specify filter criteria in JSON, using the JSON field names rather than the console display names. These field names are paths into a finding's details JSON. The following table lists the console display names for filter attributes and their equivalent JSON field names.

| Console field name | JSON field name |
|---|---|
| Account ID | accountId |
| Finding ID | id |
| Region | region |
| Severity | severity. You can filter findings based on the severity level of the finding. For more information about severity values, see Severity levels for GuardDuty findings. If you use |
| Finding type | type |
| Updated at | updatedAt |
| Access Key ID | resource.accessKeyDetails.accessKeyId |
| Principal ID | resource.accessKeyDetails.principalId |
| Username | resource.accessKeyDetails.userName |
| User type | resource.accessKeyDetails.userType |
| IAM instance profile ID | resource.instanceDetails.iamInstanceProfile.id |
| Instance ID | resource.instanceDetails.instanceId |
| Instance image ID | resource.instanceDetails.imageId |
| Instance tag key | resource.instanceDetails.tags.key |
| Instance tag value | resource.instanceDetails.tags.value |
| IPv6 address | resource.instanceDetails.networkInterfaces.ipv6Addresses |
| Private IPv4 address | resource.instanceDetails.networkInterfaces.privateIpAddresses.privateIpAddress |
| Public DNS name | resource.instanceDetails.networkInterfaces.publicDnsName |
| Public IP | resource.instanceDetails.networkInterfaces.publicIp |
| Security group ID | resource.instanceDetails.networkInterfaces.securityGroups.groupId |
| Security group name | resource.instanceDetails.networkInterfaces.securityGroups.groupName |
| Subnet ID | resource.instanceDetails.networkInterfaces.subnetId |
| VPC ID | resource.instanceDetails.networkInterfaces.vpcId |
| Outpost ARN | resource.instanceDetails.outpostARN |
| Resource type | resource.resourceType |
| Bucket permissions | resource.s3BucketDetails.publicAccess.effectivePermission |
| Bucket name | resource.s3BucketDetails.name |
| Bucket tag key | resource.s3BucketDetails.tags.key |
| Bucket tag value | resource.s3BucketDetails.tags.value |
| Bucket type | resource.s3BucketDetails.type |
| Action type | service.action.actionType |
| API called | service.action.awsApiCallAction.api |
| API caller type | service.action.awsApiCallAction.callerType |
| API Error Code | service.action.awsApiCallAction.errorCode |
| API caller city | service.action.awsApiCallAction.remoteIpDetails.city.cityName |
| API caller country | service.action.awsApiCallAction.remoteIpDetails.country.countryName |
| API caller IPv4 address | service.action.awsApiCallAction.remoteIpDetails.ipAddressV4 |
| API caller IPv6 address | service.action.awsApiCallAction.remoteIpDetails.ipAddressV6 |
| API caller ASN ID | service.action.awsApiCallAction.remoteIpDetails.organization.asn |
| API caller ASN name | service.action.awsApiCallAction.remoteIpDetails.organization.asnOrg |
| API caller service name | service.action.awsApiCallAction.serviceName |
| DNS request domain | service.action.dnsRequestAction.domain |
| DNS request domain suffix | service.action.dnsRequestAction.domainWithSuffix |
| Network connection blocked | service.action.networkConnectionAction.blocked |
| Network connection direction | service.action.networkConnectionAction.connectionDirection |
| Network connection local port | service.action.networkConnectionAction.localPortDetails.port |
| Network connection protocol | service.action.networkConnectionAction.protocol |
| Network connection city | service.action.networkConnectionAction.remoteIpDetails.city.cityName |
| Network connection country | service.action.networkConnectionAction.remoteIpDetails.country.countryName |
| Network connection remote IPv4 address | service.action.networkConnectionAction.remoteIpDetails.ipAddressV4 |
| Network connection remote IPv6 address | service.action.networkConnectionAction.remoteIpDetails.ipAddressV6 |
| Network connection remote IP ASN ID | service.action.networkConnectionAction.remoteIpDetails.organization.asn |
| Network connection remote IP ASN name | service.action.networkConnectionAction.remoteIpDetails.organization.asnOrg |
| Network connection remote port | service.action.networkConnectionAction.remotePortDetails.port |
| Remote account affiliated | service.action.awsApiCallAction.remoteAccountDetails.affiliated |
| Kubernetes API caller IPv4 address | service.action.kubernetesApiCallAction.remoteIpDetails.ipAddressV4 |
| Kubernetes API caller IPv6 address | service.action.kubernetesApiCallAction.remoteIpDetails.ipAddressV6 |
| Kubernetes namespace | service.action.kubernetesApiCallAction.namespace |
| Kubernetes API caller ASN ID | service.action.kubernetesApiCallAction.remoteIpDetails.organization.asn |
| Kubernetes API call request URI | service.action.kubernetesApiCallAction.requestUri |
| Kubernetes API status code | service.action.kubernetesApiCallAction.statusCode |
| Network connection local IPv4 address | service.action.networkConnectionAction.localIpDetails.ipAddressV4 |
| Network connection local IPv6 address | service.action.networkConnectionAction.localIpDetails.ipAddressV6 |
| Protocol | service.action.networkConnectionAction.protocol |
| API call service name | service.action.awsApiCallAction.serviceName |
| API caller account ID | service.action.awsApiCallAction.remoteAccountDetails.accountId |
| Threat list name | service.additionalInfo.threatListName |
| Resource role | service.resourceRole |
| EKS cluster name | resource.eksClusterDetails.name |
| Kubernetes workload name | resource.kubernetesDetails.kubernetesWorkloadDetails.name |
| Kubernetes workload namespace | resource.kubernetesDetails.kubernetesWorkloadDetails.namespace |
| Kubernetes user name | resource.kubernetesDetails.kubernetesUserDetails.username |
| Kubernetes container image | resource.kubernetesDetails.kubernetesWorkloadDetails.containers.image |
| Kubernetes container image prefix | resource.kubernetesDetails.kubernetesWorkloadDetails.containers.imagePrefix |
| Scan ID | service.ebsVolumeScanDetails.scanId |
| EBS volume scan threat name | service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.name |
| S3 object scan threat name | service.malwareScanDetails.threats.name |
| Threat severity | service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.severity |
| File SHA | service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.filePaths.hash |
| ECS cluster name | resource.ecsClusterDetails.name |
| ECS container image | resource.ecsClusterDetails.taskDetails.containers.image |
| ECS task definition ARN | resource.ecsClusterDetails.taskDetails.definitionArn |
| Standalone container image | resource.containerDetails.image |
| Database Instance Id | resource.rdsDbInstanceDetails.dbInstanceIdentifier |
| Database Cluster Id | resource.rdsDbInstanceDetails.dbClusterIdentifier |
| Database Engine | resource.rdsDbInstanceDetails.engine |
| Database user | resource.rdsDbUserDetails.user |
| Database instance tag key | resource.rdsDbInstanceDetails.tags.key |
| Database instance tag value | resource.rdsDbInstanceDetails.tags.value |
| Executable SHA-256 | service.runtimeDetails.process.executableSha256 |
| Process name | service.runtimeDetails.process.name |
| Executable path | service.runtimeDetails.process.executablePath |
| Lambda function name | resource.lambdaDetails.functionName |
| Lambda function ARN | resource.lambdaDetails.functionArn |
| Lambda function tag key | resource.lambdaDetails.tags.key |
| Lambda function tag value | resource.lambdaDetails.tags.value |
| DNS request domain | service.action.dnsRequestAction.domainWithSuffix |
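As an added example (not code from the GuardDuty documentation or from the service itself), the following Python ties the filter rules above to the attribute table: it builds a FindingCriteria document that enforces the documented limits (1 to 50 attributes, 1 to 50 values per condition, no wildcards), then evaluates that document locally against constructed sample findings using the JSON field names from the table, so you can see what a filter will match before creating it with CreateFilter. It implements the AND-across-attributes and OR-within-equal-to semantics described above, and fans out through list-valued paths such as networkInterfaces and securityGroups. The Equals/NotEquals condition names are those of the CreateFilter API; comparing leaf values as strings is this evaluator's own simplification, and the finding ids, security group ids and findings are placeholders constructed for the example.

```python
"""Build a GuardDuty FindingCriteria document within the documented limits and
evaluate it locally against sample findings before calling CreateFilter."""
import json
from typing import Any

MAX_CRITERIA = 50  # attributes per filter (limit stated on this page)
MAX_VALUES = 50    # values per Equals/NotEquals condition (limit stated on this page)


def build_finding_criteria(criteria: dict[str, dict[str, list[str]]]) -> dict:
    """Check the limits from this page and return the FindingCriteria structure.

    Keys are JSON field names from the attribute table; each maps to a condition
    such as {"Equals": ["8"]} or {"NotEquals": ["us-east-1"]}. Only the equal to /
    not equal to conditions covered on this page are accepted here.
    """
    if not 1 <= len(criteria) <= MAX_CRITERIA:
        raise ValueError(f"a filter takes 1 to {MAX_CRITERIA} attributes, got {len(criteria)}")
    for field, condition in criteria.items():
        for op, values in condition.items():
            if op not in ("Equals", "NotEquals"):
                raise ValueError(f"{field}: unsupported condition {op!r}")
            if not 1 <= len(values) <= MAX_VALUES:
                raise ValueError(f"{field}: {op} takes 1 to {MAX_VALUES} values")
            for value in values:
                if "*" in value or "?" in value:
                    raise ValueError(f"{field}: filters do not accept wildcards ({value!r})")
    return {"Criterion": criteria}


def resolve_path(finding: Any, path: str) -> list[str]:
    """Collect every leaf a dotted JSON field name reaches inside a finding.

    Lists on the way (networkInterfaces, securityGroups, tags, ...) are fanned
    out, so '...networkInterfaces.securityGroups.groupId' yields one value per
    security group on every interface. Leaves are stringified (booleans as
    'true'/'false') to compare against the strings a Condition carries; that
    stringification is this evaluator's assumption, not documented behaviour.
    """
    parts = path.split(".")

    def walk(node: Any, idx: int) -> list[str]:
        if isinstance(node, list):
            return [leaf for item in node for leaf in walk(item, idx)]
        if idx == len(parts):
            if node is None:
                return []
            return [str(node).lower() if isinstance(node, bool) else str(node)]
        if isinstance(node, dict) and parts[idx] in node:
            return walk(node[parts[idx]], idx + 1)
        return []

    return walk(finding, 0)


def matches(finding: dict, finding_criteria: dict) -> bool:
    """Attributes are ANDed. Within one attribute, Equals passes if ANY listed
    value is present (OR); NotEquals passes only if NONE is present."""
    for field, condition in finding_criteria["Criterion"].items():
        actual = set(resolve_path(finding, field))
        for op, values in condition.items():
            hit = actual & set(values)
            if (op == "Equals" and not hit) or (op == "NotEquals" and hit):
                return False
    return True


def apply_filter(finding_criteria: dict, findings: list[dict]) -> list[str]:
    """Return the ids of the findings that match, in input order."""
    return [f["id"] for f in findings if matches(f, finding_criteria)]


# Constructed sample findings (ids and security group ids are placeholders),
# trimmed to the fields the example filter touches.
SAMPLE_FINDINGS = [
    {"id": "finding-1", "accountId": "111111111111", "region": "us-west-2", "severity": 5,
     "type": "Recon:EC2/PortProbeUnprotectedPort",
     "resource": {"resourceType": "Instance", "instanceDetails": {"networkInterfaces": [
         {"subnetId": "subnet-a", "securityGroups": [{"groupId": "sg-public", "groupName": "public"}]},
         {"subnetId": "subnet-b", "securityGroups": [{"groupId": "sg-internal", "groupName": "internal"}]}]}},
     "service": {"action": {"actionType": "PORT_PROBE"}}},
    {"id": "finding-2", "accountId": "111111111111", "region": "us-east-1", "severity": 5,
     "type": "Recon:EC2/PortProbeUnprotectedPort",
     "resource": {"resourceType": "Instance", "instanceDetails": {"networkInterfaces": [
         {"subnetId": "subnet-c", "securityGroups": [{"groupId": "sg-public", "groupName": "public"}]}]}},
     "service": {"action": {"actionType": "PORT_PROBE"}}},
    {"id": "finding-3", "accountId": "222222222222", "region": "us-west-2", "severity": 8,
     "type": "UnauthorizedAccess:EC2/SSHBruteForce",
     "resource": {"resourceType": "Instance", "instanceDetails": {"networkInterfaces": [
         {"subnetId": "subnet-a", "securityGroups": [{"groupId": "sg-internal", "groupName": "internal"}]}]}},
     "service": {"action": {"actionType": "NETWORK_CONNECTION",
                            "networkConnectionAction": {"blocked": False, "connectionDirection": "INBOUND"}}}},
]

# Port probes or SSH brute force, outside us-east-1, hitting the public group on any interface.
EXAMPLE_CRITERIA = build_finding_criteria({
    "type": {"Equals": ["Recon:EC2/PortProbeUnprotectedPort", "UnauthorizedAccess:EC2/SSHBruteForce"]},
    "region": {"NotEquals": ["us-east-1"]},
    "resource.instanceDetails.networkInterfaces.securityGroups.groupId": {"Equals": ["sg-public"]},
})

if __name__ == "__main__":
    print(json.dumps(EXAMPLE_CRITERIA, indent=2))        # value for create-filter --finding-criteria
    print(apply_filter(EXAMPLE_CRITERIA, SAMPLE_FINDINGS))  # ['finding-1']
```

Only finding-1 survives: finding-2 is excluded by the NotEquals on region, and finding-3 carries no interface in the public security group. The JSON printed first is the document you would pass to CreateFilter; the attribute keys must be the JSON field names from the table, not the console names.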