Filtering findings in GuardDuty - Amazon GuardDuty

Filtering findings in GuardDuty

A finding filter allows you to view findings that match the criteria you specify and filter out any unmatched findings. You can easily create finding filters using the Amazon GuardDuty console, or you can create them with the CreateFilter API using JSON. Review the following sections to understand how to create a filter in the console. To use these filters to automatically archive incoming findings, see Suppression rules in GuardDuty.

Creating and saving filter set in the GuardDuty console

Finding filters can be created and tested in the GuardDuty console. You can save filters created in the console for use in suppression rules or in later filter operations. A filter is made up of at least one filter criterion, each of which consists of one filter attribute paired with at least one value.

When you create filters, be aware of the following:

  • GuardDuty doesn't support wildcards in filter criteria; values are matched literally.

  • A filter can have a minimum of one attribute and a maximum of 50 attributes as its criteria.

  • When you use the Equals or Does not equal operator on an attribute value, such as Account ID, you can specify a maximum of 50 values for that attribute.

  • Different attributes in a filter are combined with AND: a finding must satisfy every criterion. Multiple values for the same attribute are alternatives: with Equals, a finding matches if it equals any of the listed values (OR); with Does not equal, a finding is excluded if it equals any of the listed values.

To create and save filter criteria (console)
  1. Sign in to the AWS Management Console and open the GuardDuty console at https://console.aws.amazon.com/guardduty/.

  2. In the left navigation pane, choose Findings.

  3. On the Findings page, select the Filter findings bar next to the Saved rules menu. This expands the list of Property filters.

    (Screenshot: selecting property filters to filter findings in the GuardDuty console.)
  4. From the expanded list of filters, select the attribute you want to filter the findings table on.

    For example, to view findings for which the potentially impacted resource is an S3Bucket, choose Resource type.

  5. For Operators, choose the operator that gives the result you want. To continue the example from the previous step, choose Resource type =. This displays the list of resource types that GuardDuty reports on.

    (Screenshot: selecting the equals or does not equals operator to filter findings in the GuardDuty console.)

    If you need to exclude specific findings instead, choose the Does not equal (!=) operator.

  6. Specify the value for the selected property filter and, if needed, choose Apply. To continue the example from the previous step, choose S3Bucket.

    The findings table now shows only the findings that match the applied filters.

  7. To add more than one filter criteria, repeat steps 3-6.

    For a complete list of attributes, see Property filters in GuardDuty.

  8. (Optional) Save the specified attributes and values as a filter set.

    To apply this filter combination again later, save the specified attributes and their values as a filter set.

    1. After you have defined one or more property filters, select the arrow in the Clear filters menu.

      (Screenshot: saving a filter set in the GuardDuty console so the findings can be filtered the same way again.)
    2. Enter the filter set Name. The name must be 3-64 characters. Valid characters are a-z, A-Z, 0-9, period (.), hyphen (-), and underscore (_).

    3. The Description is optional. If you enter a description, it can have up to 512 characters.

    4. Choose Create.
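The console walkthrough above, and the limits listed under "When you create filters", expressed as API input. This is an added example, not AWS or GuardDuty code: it builds the keyword arguments for a boto3 create_filter call and enforces the page's limits (1 to 50 attributes, at most 50 values per Equals or Does not equal, no wildcards, name and description rules) locally before anything is sent. DETECTOR_ID and the filter name are placeholders, and the boto3 call is commented out so the block runs offline.

```python
"""Build a GuardDuty CreateFilter request for the console example above
(Resource type = S3Bucket) and enforce this page's limits before sending it.

Added example, not AWS code. DETECTOR_ID is a placeholder; the boto3 call
at the bottom is commented out so the module runs offline.
"""
import json
import re

MAX_ATTRIBUTES = 50        # 1..50 criteria (attributes) per filter
MAX_VALUES = 50            # values per Equals / NotEquals operator
MAX_DESCRIPTION = 512
NAME_RE = re.compile(r"^[A-Za-z0-9._-]{3,64}$")   # 3-64 chars of a-z A-Z 0-9 . - _
DETECTOR_ID = "12abc34d567e8fa901bc2d34e56789f0"  # placeholder, not a real detector


class FilterCriteriaError(ValueError):
    """The filter would violate a documented limit."""


def criterion(equals=None, not_equals=None):
    """One Criterion entry: Equals and/or NotEquals value lists for a field.

    Values within one list are alternatives (Equals matches any of them;
    NotEquals excludes a finding that matches any of them). GuardDuty has
    no wildcards, so '*' or '?' in a value is almost certainly a mistake
    and is rejected here (this check is ours, not an API rule).
    """
    entry = {}
    for op, values in (("Equals", equals), ("NotEquals", not_equals)):
        if values is None:
            continue
        values = [str(v) for v in values]
        if not 1 <= len(values) <= MAX_VALUES:
            raise FilterCriteriaError(f"{op}: need 1..{MAX_VALUES} values, got {len(values)}")
        bad = [v for v in values if "*" in v or "?" in v]
        if bad:
            raise FilterCriteriaError(f"{op}: wildcards are not supported: {bad}")
        entry[op] = values
    if not entry:
        raise FilterCriteriaError("a criterion needs Equals and/or NotEquals values")
    return entry


def finding_criteria(criteria):
    """Wrap {json_field_name: criterion_dict} in the FindingCriteria shape.

    GuardDuty ANDs the attributes: a finding must satisfy every entry.
    """
    if not 1 <= len(criteria) <= MAX_ATTRIBUTES:
        raise FilterCriteriaError(f"need 1..{MAX_ATTRIBUTES} attributes, got {len(criteria)}")
    return {"Criterion": dict(criteria)}


def create_filter_request(detector_id, name, criteria, description="", suppress=False):
    """Keyword arguments for boto3 guardduty.create_filter().

    suppress=True turns the filter into a suppression rule (Action=ARCHIVE):
    matching findings are archived automatically instead of just shown.
    """
    if not NAME_RE.match(name):
        raise FilterCriteriaError("name must be 3-64 chars from [A-Za-z0-9._-]")
    if len(description) > MAX_DESCRIPTION:
        raise FilterCriteriaError(f"description exceeds {MAX_DESCRIPTION} chars")
    request = {
        "DetectorId": detector_id,
        "Name": name,
        "Action": "ARCHIVE" if suppress else "NOOP",
        "FindingCriteria": finding_criteria(criteria),
    }
    if description:
        request["Description"] = description
    return request


# The console walkthrough (Resource type = S3Bucket) as API input.
S3_BUCKET_FILTER = create_filter_request(
    DETECTOR_ID,
    "s3-bucket-findings",
    {"resource.resourceType": criterion(equals=["S3Bucket"])},
    description="Findings whose potentially impacted resource is an S3 bucket",
)

if __name__ == "__main__":
    print(json.dumps(S3_BUCKET_FILTER, indent=2))
    # To create it for real (needs credentials and guardduty:CreateFilter):
    # import boto3
    # boto3.client("guardduty").create_filter(**S3_BUCKET_FILTER)
```

Passing suppress=True produces the same request with Action set to ARCHIVE, which is what a suppression rule is; review such a filter's criteria carefully, since every incoming finding that matches will be archived without anyone seeing it in the default view.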

Property filters in GuardDuty

When you create filters, or list or sort findings, through the API operations, you specify the filter criteria in JSON. The field names in that JSON are paths into the finding's own JSON details. The following table lists the console display names of the filter attributes and their equivalent JSON field names.

Console field name | JSON field name
Account ID | accountId
Finding ID | id
Region | region
Severity | severity (see the note below the table)
Finding type | type
Updated at | updatedAt
Access Key ID | resource.accessKeyDetails.accessKeyId
Principal ID | resource.accessKeyDetails.principalId
Username | resource.accessKeyDetails.userName
User type | resource.accessKeyDetails.userType
IAM instance profile ID | resource.instanceDetails.iamInstanceProfile.id
Instance ID | resource.instanceDetails.instanceId
Instance image ID | resource.instanceDetails.imageId
Instance tag key | resource.instanceDetails.tags.key
Instance tag value | resource.instanceDetails.tags.value
IPv6 address | resource.instanceDetails.networkInterfaces.ipv6Addresses
Private IPv4 address | resource.instanceDetails.networkInterfaces.privateIpAddresses.privateIpAddress
Public DNS name | resource.instanceDetails.networkInterfaces.publicDnsName
Public IP | resource.instanceDetails.networkInterfaces.publicIp
Security group ID | resource.instanceDetails.networkInterfaces.securityGroups.groupId
Security group name | resource.instanceDetails.networkInterfaces.securityGroups.groupName
Subnet ID | resource.instanceDetails.networkInterfaces.subnetId
VPC ID | resource.instanceDetails.networkInterfaces.vpcId
Outpost ARN | resource.instanceDetails.outpostARN
Resource type | resource.resourceType
Bucket permissions | resource.s3BucketDetails.publicAccess.effectivePermission
Bucket name | resource.s3BucketDetails.name
Bucket tag key | resource.s3BucketDetails.tags.key
Bucket tag value | resource.s3BucketDetails.tags.value
Bucket type | resource.s3BucketDetails.type
Action type | service.action.actionType
API called | service.action.awsApiCallAction.api
API caller type | service.action.awsApiCallAction.callerType
API Error Code | service.action.awsApiCallAction.errorCode
API caller city | service.action.awsApiCallAction.remoteIpDetails.city.cityName
API caller country | service.action.awsApiCallAction.remoteIpDetails.country.countryName
API caller IPv4 address | service.action.awsApiCallAction.remoteIpDetails.ipAddressV4
API caller IPv6 address | service.action.awsApiCallAction.remoteIpDetails.ipAddressV6
API caller ASN ID | service.action.awsApiCallAction.remoteIpDetails.organization.asn
API caller ASN name | service.action.awsApiCallAction.remoteIpDetails.organization.asnOrg
API caller service name (also shown as API call service name) | service.action.awsApiCallAction.serviceName
API caller account ID | service.action.awsApiCallAction.remoteAccountDetails.accountId
Remote account affiliated | service.action.awsApiCallAction.remoteAccountDetails.affiliated
DNS request domain | service.action.dnsRequestAction.domain
DNS request domain suffix | service.action.dnsRequestAction.domainWithSuffix
Network connection blocked | service.action.networkConnectionAction.blocked
Network connection direction | service.action.networkConnectionAction.connectionDirection
Network connection local port | service.action.networkConnectionAction.localPortDetails.port
Network connection local IPv4 address | service.action.networkConnectionAction.localIpDetails.ipAddressV4
Network connection local IPv6 address | service.action.networkConnectionAction.localIpDetails.ipAddressV6
Network connection protocol (also shown as Protocol) | service.action.networkConnectionAction.protocol
Network connection city | service.action.networkConnectionAction.remoteIpDetails.city.cityName
Network connection country | service.action.networkConnectionAction.remoteIpDetails.country.countryName
Network connection remote IPv4 address | service.action.networkConnectionAction.remoteIpDetails.ipAddressV4
Network connection remote IPv6 address | service.action.networkConnectionAction.remoteIpDetails.ipAddressV6
Network connection remote IP ASN ID | service.action.networkConnectionAction.remoteIpDetails.organization.asn
Network connection remote IP ASN name | service.action.networkConnectionAction.remoteIpDetails.organization.asnOrg
Network connection remote port | service.action.networkConnectionAction.remotePortDetails.port
Kubernetes API caller IPv4 address | service.action.kubernetesApiCallAction.remoteIpDetails.ipAddressV4
Kubernetes API caller IPv6 address | service.action.kubernetesApiCallAction.remoteIpDetails.ipAddressV6
Kubernetes API caller ASN ID | service.action.kubernetesApiCallAction.remoteIpDetails.organization.asn
Kubernetes namespace | service.action.kubernetesApiCallAction.namespace
Kubernetes API call request URI | service.action.kubernetesApiCallAction.requestUri
Kubernetes API status code | service.action.kubernetesApiCallAction.statusCode
Threat list name | service.additionalInfo.threatListName
Resource role | service.resourceRole
EKS cluster name | resource.eksClusterDetails.name
Kubernetes workload name | resource.kubernetesDetails.kubernetesWorkloadDetails.name
Kubernetes workload namespace | resource.kubernetesDetails.kubernetesWorkloadDetails.namespace
Kubernetes user name | resource.kubernetesDetails.kubernetesUserDetails.username
Kubernetes container image | resource.kubernetesDetails.kubernetesWorkloadDetails.containers.image
Kubernetes container image prefix | resource.kubernetesDetails.kubernetesWorkloadDetails.containers.imagePrefix
Scan ID | service.ebsVolumeScanDetails.scanId
EBS volume scan threat name | service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.name
S3 object scan threat name | service.malwareScanDetails.threats.name
Threat severity | service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.severity
File SHA | service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.filePaths.hash
ECS cluster name | resource.ecsClusterDetails.name
ECS container image | resource.ecsClusterDetails.taskDetails.containers.image
ECS task definition ARN | resource.ecsClusterDetails.taskDetails.definitionArn
Standalone container image | resource.containerDetails.image
Database instance ID | resource.rdsDbInstanceDetails.dbInstanceIdentifier
Database cluster ID | resource.rdsDbInstanceDetails.dbClusterIdentifier
Database engine | resource.rdsDbInstanceDetails.engine
Database user | resource.rdsDbUserDetails.user
Database instance tag key | resource.rdsDbInstanceDetails.tags.key
Database instance tag value | resource.rdsDbInstanceDetails.tags.value
Executable SHA-256 | service.runtimeDetails.process.executableSha256
Process name | service.runtimeDetails.process.name
Executable path | service.runtimeDetails.process.executablePath
Lambda function name | resource.lambdaDetails.functionName
Lambda function ARN | resource.lambdaDetails.functionArn
Lambda function tag key | resource.lambdaDetails.tags.key
Lambda function tag value | resource.lambdaDetails.tags.value

Note on Severity: in the console you filter findings by severity level; for the levels, see Severity levels of GuardDuty findings. In the API, AWS CLI, and AWS CloudFormation, severity is a numeric value (for example, a High finding has a severity from 7.0 to 8.9), so filter on it with a numeric comparison such as GreaterThanOrEqual in findingCriteria rather than with a level name. For details, see findingCriteria in the Amazon GuardDuty API Reference.

Two console names map to the same JSON field in two places (Protocol and Network connection protocol; API call service name and API caller service name); the table above lists each JSON field once with both display names.
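To see how the JSON field names in the table are applied, here is an added example (not AWS code) that evaluates a FindingCriteria document against finding JSON the way this page describes the rules: one criterion per attribute, attributes ANDed, Equals values ORed, NotEquals excluding a finding that matches any listed value, and severity compared numerically. The findings are constructed samples shaped like GuardDuty finding JSON. Treating list-valued fields (networkInterfaces, securityGroups, tags, s3BucketDetails) as "match if any element matches" is this example's own assumption, not a statement from the page.

```python
"""Evaluate GuardDuty FindingCriteria against finding JSON, offline.

Added example, not AWS code. Follows the matching rules on this page
(attributes ANDed; Equals values ORed; NotEquals excludes on any match;
severity compared numerically) and resolves the dotted JSON field names
from the table. "Any element matches" for list-valued fields is this
example's assumption. The findings below are constructed samples.
"""
import operator

NUMERIC_OPS = {
    "GreaterThan": operator.gt, "GreaterThanOrEqual": operator.ge,
    "LessThan": operator.lt, "LessThanOrEqual": operator.le,
}


def resolve(obj, path):
    """Every value at a dotted field path; list-valued fields fan out."""
    values = [obj]
    for key in path.split("."):
        found = []
        for v in values:
            for item in (v if isinstance(v, list) else [v]):
                if isinstance(item, dict) and key in item:
                    found.append(item[key])
        values = found
    flat = []
    for v in values:          # a trailing list (e.g. ipv6Addresses) is fanned out too
        flat.extend(v if isinstance(v, list) else [v])
    return flat


def criterion_matches(values, cond):
    """Apply one Criterion entry to the values found for its field."""
    if "Equals" in cond and not any(str(v) in cond["Equals"] for v in values):
        return False          # OR across the listed values
    if "NotEquals" in cond and any(str(v) in cond["NotEquals"] for v in values):
        return False          # any listed value excludes the finding
    for op, compare in NUMERIC_OPS.items():
        if op in cond and not any(compare(float(v), cond[op]) for v in values):
            return False      # severity and ports are numbers in the API
    return True


def finding_matches(finding, finding_criteria):
    """AND across attributes: every Criterion entry must match."""
    return all(criterion_matches(resolve(finding, path), cond)
               for path, cond in finding_criteria["Criterion"].items())


def filter_findings(findings, finding_criteria):
    """IDs of the findings a filter would show (or a suppression rule would archive)."""
    return [f["id"] for f in findings if finding_matches(f, finding_criteria)]


def _instance(instance_id, *subnets_and_sgs):
    """Constructed instanceDetails with one network interface per (subnet, sg)."""
    return {"instanceId": instance_id, "networkInterfaces": [
        {"subnetId": s, "securityGroups": [{"groupId": g, "groupName": g}]}
        for s, g in subnets_and_sgs]}


SAMPLE_FINDINGS = [   # constructed samples, shaped like GuardDuty finding JSON
    {"id": "f-0001", "accountId": "111111111111", "severity": 5.0,
     "type": "Discovery:S3/MaliciousIPCaller",
     "resource": {"resourceType": "S3Bucket", "s3BucketDetails": [
         {"name": "corp-backups", "tags": [{"key": "env", "value": "prod"}]}]},
     "service": {"action": {"actionType": "AWS_API_CALL", "awsApiCallAction": {
         "api": "ListObjects", "remoteIpDetails": {"ipAddressV4": "198.51.100.7"}}}}},
    {"id": "f-0002", "accountId": "111111111111", "severity": 2.0,
     "type": "UnauthorizedAccess:EC2/SSHBruteForce",
     "resource": {"resourceType": "Instance", "instanceDetails": _instance(
         "i-0123456789abcdef0", ("subnet-web", "sg-web"), ("subnet-mgmt", "sg-mgmt"))},
     "service": {"action": {"actionType": "NETWORK_CONNECTION", "networkConnectionAction": {
         "connectionDirection": "INBOUND", "protocol": "TCP", "localPortDetails": {"port": 22},
         "remoteIpDetails": {"ipAddressV4": "203.0.113.9"}}}}},
    {"id": "f-0003", "accountId": "222222222222", "severity": 8.0,
     "type": "Backdoor:EC2/C&CActivity.B!DNS",
     "resource": {"resourceType": "Instance", "instanceDetails": _instance(
         "i-0fedcba9876543210", ("subnet-web", "sg-web"))},
     "service": {"action": {"actionType": "DNS_REQUEST", "dnsRequestAction": {
         "domain": "c2.example", "domainWithSuffix": "c2.example"}}}},
]

if __name__ == "__main__":
    high = {"Criterion": {"severity": {"GreaterThanOrEqual": 7}}}
    mgmt_sg = {"Criterion": {
        "resource.instanceDetails.networkInterfaces.securityGroups.groupId": {"Equals": ["sg-mgmt"]}}}
    print(filter_findings(SAMPLE_FINDINGS, high))      # ['f-0003']
    print(filter_findings(SAMPLE_FINDINGS, mgmt_sg))   # ['f-0002']
```

The second criterion in the usage shows why the dotted names matter: groupId lives two lists deep (networkInterfaces, then securityGroups), and a finding for an instance with several interfaces matches if any interface carries the group. The same structure is used by ListFindings, so the criteria you test this way can be passed unchanged to list_findings or create_filter.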