Amazon GuardDuty
Amazon GuardDuty User Guide

UpdateFilter

Updates the filter specified by the filter name.

Request Syntax

POST https://<endpoint>/detector/{detectorId}/filter/{filterName}

Body:

{
  "description": "string",
  "findingCriteria": {
    "criterion": {
      "<field>": {
        "gt": integer,
        "gte": integer,
        "lt": integer,
        "lte": integer,
        "eq": [ "string" ],
        "neq": [ "string" ]
      }
    }
  },
  "action": "NOOP|ARCHIVE",
  "rank": integer
}

Path Parameters

detectorId

The unique ID of the GuardDuty detector that owns the filter you want to update.

Type: String

Required: Yes

filterName

The name of the filter.

Type: String

Required: Yes

Request Parameters

The request accepts the following data in JSON format.

description

The description of the filter.

Type: String

Required: No

findingCriteria

Represents the criteria to be used in the filter for querying findings.

Type: FindingCriteria

Required: No

You can only use the following attributes to query findings (JSON field name, then the name shown in the console):

JSON field name    Console field name
accountId    Account ID
region    Region
confidence    Confidence
id    Finding ID
resource.accessKeyDetails.accessKeyId    Access Key ID
resource.accessKeyDetails.principalId    Principal ID
resource.accessKeyDetails.userName    Username
resource.accessKeyDetails.userType    User type
resource.instanceDetails.iamInstanceProfile.id    IAM instance profile ID
resource.instanceDetails.imageId    Instance image ID
resource.instanceDetails.instanceId    Instance ID
resource.instanceDetails.networkInterfaces.ipv6Addresses    IPv6 address
resource.instanceDetails.networkInterfaces.privateIpAddresses.privateIpAddress    Private IPv4 address
resource.instanceDetails.networkInterfaces.publicDnsName    Public DNS name
resource.instanceDetails.networkInterfaces.publicIp    Public IP
resource.instanceDetails.networkInterfaces.securityGroups.groupId    Security group ID
resource.instanceDetails.networkInterfaces.securityGroups.groupName    Security group name
resource.instanceDetails.networkInterfaces.subnetId    Subnet ID
resource.instanceDetails.networkInterfaces.vpcId    VPC ID
resource.instanceDetails.tags.key    Tag key
resource.instanceDetails.tags.value    Tag value
resource.resourceType    Resource type
service.action.actionType    Action type
service.action.awsApiCallAction.api    API called
service.action.awsApiCallAction.callerType    API caller type
service.action.awsApiCallAction.remoteIpDetails.city.cityName    API caller city
service.action.awsApiCallAction.remoteIpDetails.country.countryName    API caller country
service.action.awsApiCallAction.remoteIpDetails.ipAddressV4    API caller IPv4 address
service.action.awsApiCallAction.remoteIpDetails.organization.asn    API caller ASN ID
service.action.awsApiCallAction.remoteIpDetails.organization.asnOrg    API caller ASN name
service.action.awsApiCallAction.serviceName    API caller service name
service.action.dnsRequestAction.domain    DNS request domain
service.action.networkConnectionAction.blocked    Network connection blocked
service.action.networkConnectionAction.connectionDirection    Network connection direction
service.action.networkConnectionAction.localPortDetails.port    Network connection local port
service.action.networkConnectionAction.protocol    Network connection protocol
service.action.networkConnectionAction.remoteIpDetails.city.cityName    Network connection city
service.action.networkConnectionAction.remoteIpDetails.country.countryName    Network connection country
service.action.networkConnectionAction.remoteIpDetails.ipAddressV4    Network connection remote IPv4 address
service.action.networkConnectionAction.remoteIpDetails.organization.asn    Network connection remote IP ASN ID
service.action.networkConnectionAction.remoteIpDetails.organization.asnOrg    Network connection remote IP ASN name
service.action.networkConnectionAction.remotePortDetails.port    Network connection remote port
service.additionalInfo.threatListName    Threat list name
service.archived    (see note below)
service.resourceRole    Resource role
severity    Severity
type    Finding type
updatedAt    Updated at

Note

service.archived: when this attribute is set to TRUE, only archived findings are listed. When it is set to FALSE, only unarchived findings are listed. When the attribute is not set, all existing findings are listed.

updatedAt: an ISO 8601 string in the format YYYY-MM-DDTHH:MM:SS.SSSZ or YYYY-MM-DDTHH:MM:SSZ, depending on whether the value contains milliseconds.

Each field in criterion takes a condition object with one or more of the following keys. Gt, Gte, Lt and Lte take an integer; Eq and Neq take an array of strings.

Gt

Represents the "greater than" condition to be applied to a single field when querying for findings.

Type: Integer

Required: No

Gte

Represents the "greater than or equal to" condition to be applied to a single field when querying for findings.

Type: Integer

Required: No

Lt

Represents the "less than" condition to be applied to a single field when querying for findings.

Type: Integer

Required: No

Lte

Represents the "less than or equal to" condition to be applied to a single field when querying for findings.

Type: Integer

Required: No

Eq

Represents the "equal to" condition to be applied to a single field when querying for findings.

Type: Array of strings

Required: No

Neq

Represents the "not equal to" condition to be applied to a single field when querying for findings.

Type: Array of strings

Required: No

action

Specifies the action to apply to findings that match the filter. NOOP leaves matching findings as they are; ARCHIVE archives them automatically, so they no longer appear among current findings.

Type: Enum

Required: No

Valid values: NOOP | ARCHIVE

rank

Specifies the position of the filter in the list of current filters, and therefore the order in which this filter is applied to findings relative to the other filters.

Type: Integer

Required: No

Constraints: Minimum value is 1. Maximum value is the current number of filters plus one.
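The following is an added example, not code from the GuardDuty documentation or the AWS SDK. It assembles an UpdateFilter request in the wire shape shown above, checks it against the rules on this page (the queryable field list, integer versus array-of-string conditions, the NOOP/ARCHIVE action values and the rank range), flags ARCHIVE filters that would suppress findings too broadly, and translates the body into the keyword arguments boto3's GuardDuty update_filter call expects. The detector ID, filter name and criteria values used with it are constructed for illustration; the QUERYABLE_FIELDS, RANGE_OPS and SET_OPS names are this example's own.

```python
"""Build and sanity-check an Amazon GuardDuty UpdateFilter request.

Added example, not code from the GuardDuty documentation or SDK. It encodes the
rules on this page (queryable fields, condition types, NOOP/ARCHIVE, rank range)
and flags ARCHIVE filters that would suppress findings broadly. The detector ID,
filter name and criteria values used with it are constructed for illustration.
"""
_EC2 = "resource.instanceDetails.networkInterfaces."
_API = "service.action.awsApiCallAction."
_NET = "service.action.networkConnectionAction."
# Every JSON field name this page lists as queryable in findingCriteria.
QUERYABLE_FIELDS = frozenset(
    ["accountId", "region", "confidence", "id", "severity", "type", "updatedAt",
     "resource.resourceType", "service.action.actionType", "service.archived",
     "service.resourceRole", "service.additionalInfo.threatListName",
     "service.action.dnsRequestAction.domain",
     "resource.instanceDetails.iamInstanceProfile.id",
     "resource.instanceDetails.imageId", "resource.instanceDetails.instanceId",
     "resource.instanceDetails.tags.key", "resource.instanceDetails.tags.value"]
    + ["resource.accessKeyDetails." + f
       for f in ("accessKeyId", "principalId", "userName", "userType")]
    + [_EC2 + f for f in ("ipv6Addresses", "privateIpAddresses.privateIpAddress",
                          "publicDnsName", "publicIp", "securityGroups.groupId",
                          "securityGroups.groupName", "subnetId", "vpcId")]
    + [_API + f for f in ("api", "callerType", "serviceName")]
    + [p + "remoteIpDetails." + f for p in (_API, _NET)
       for f in ("city.cityName", "country.countryName", "ipAddressV4",
                 "organization.asn", "organization.asnOrg")]
    + [_NET + f for f in ("blocked", "connectionDirection", "localPortDetails.port",
                          "protocol", "remotePortDetails.port")]
)
RANGE_OPS = ("gt", "gte", "lt", "lte")  # integer comparisons
SET_OPS = ("eq", "neq")                 # arrays of strings
ACTIONS = ("NOOP", "ARCHIVE")


def validate_criteria(criterion: dict) -> list:
    """Return the problems in a findingCriteria.criterion map (empty list = valid)."""
    problems = []
    for field, conds in criterion.items():
        if field not in QUERYABLE_FIELDS:
            problems.append(f"{field}: not a queryable finding attribute")
        if not isinstance(conds, dict) or not conds:
            problems.append(f"{field}: condition must be a non-empty object")
            continue
        for op, value in conds.items():
            if op in RANGE_OPS:
                if isinstance(value, bool) or not isinstance(value, int):
                    problems.append(f"{field}.{op}: expects an integer")
            elif op in SET_OPS:
                if not isinstance(value, list) or not all(isinstance(v, str) for v in value):
                    problems.append(f"{field}.{op}: expects an array of strings")
            else:
                problems.append(f"{field}.{op}: unknown condition")
    return problems


def build_update_filter(detector_id: str, filter_name: str, *, current_filter_count: int,
                        description=None, criterion=None, action=None, rank=None):
    """Return (request path, JSON body) in the wire shape shown on this page."""
    if action is not None and action not in ACTIONS:
        raise ValueError(f"action must be one of {ACTIONS}")
    if rank is not None and not 1 <= rank <= current_filter_count + 1:
        raise ValueError(f"rank must be between 1 and {current_filter_count + 1}")
    if criterion is not None and (problems := validate_criteria(criterion)):
        raise ValueError("; ".join(problems))
    body = {k: v for k, v in (("description", description), ("action", action),
                              ("rank", rank)) if v is not None}
    if criterion is not None:
        body["findingCriteria"] = {"criterion": criterion}
    return f"/detector/{detector_id}/filter/{filter_name}", body


def suppression_risk(body: dict) -> list:
    """Flag ARCHIVE filters that would hide findings a responder should still see."""
    if body.get("action") != "ARCHIVE":
        return []
    criterion = body.get("findingCriteria", {}).get("criterion", {})
    warnings = []
    if not criterion:
        warnings.append("ARCHIVE with no criteria archives every finding")
    elif all("eq" not in c and set(c) <= set(SET_OPS) for c in criterion.values()):
        warnings.append("ARCHIVE keyed only on neq conditions matches almost everything")
    sev = criterion.get("severity", {})
    if ("gt" in sev or "gte" in sev) and not ("lt" in sev or "lte" in sev):
        warnings.append("ARCHIVE has no upper severity bound, so high-severity findings are hidden")
    return warnings


def to_sdk_kwargs(detector_id: str, filter_name: str, body: dict) -> dict:
    """Translate the wire body into boto3 GuardDuty.Client.update_filter keyword arguments."""
    kwargs = {"DetectorId": detector_id, "FilterName": filter_name}
    for wire, sdk in (("description", "Description"), ("action", "Action"), ("rank", "Rank")):
        if wire in body:
            kwargs[sdk] = body[wire]
    if "findingCriteria" in body:  # the SDK capitalises operator keys: eq -> Eq, gte -> Gte
        kwargs["FindingCriteria"] = {"Criterion": {
            field: {op.capitalize(): v for op, v in conds.items()}
            for field, conds in body["findingCriteria"]["criterion"].items()}}
    return kwargs
```

To send the request, pass the result of to_sdk_kwargs to boto3.client("guardduty").update_filter(**kwargs); the caller needs the guardduty:UpdateFilter IAM permission. Run suppression_risk on any body before sending it and on filters you find already configured: because ARCHIVE silently removes matching findings from view, an attacker with this permission can use a broad ARCHIVE filter to blind the detector, so treat UpdateFilter calls in CloudTrail as events worth alerting on.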

Response Syntax

{ "name": "string" }

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

name

The name of the filter.

Errors

If the action is not successful, the service sends back an HTTP error response code along with detailed error information.

InvalidInputException

The request is rejected. Either a required query or path parameter is not specified, or one or more input parameters have invalid values: detectorId, name, description, findingCriteria, action, or rank.

HTTP Status Code: 400

NoSuchEntityException

The request is rejected. The input detectorId or the input filter name is not owned by the current account.

HTTP Status Code: 400

AccessDeniedException

The request is rejected. The caller is not authorized to call this API.

HTTP Status Code: 400

InternalException

Internal server error.

HTTP Status Code: 500

Example

Sample Request

POST /detector/12abc34d567e8fa901bc2d34e56789f0/filter/ExampleFilter HTTP/1.1
Host: guardduty.us-west-2.amazonaws.com
Accept-Encoding: identity
Content-Length: 11
Authorization: AUTHPARAMS
X-Amz-Date: 20180824T213118Z
User-Agent: aws-cli/1.15.85 Python/2.7.9 Windows/8 botocore/1.10.84

{ "rank": 2 }

Sample Response

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 15
Date: Fri, 24 Aug 2018 21:31:19 GMT
x-amzn-RequestId: 09e2d517-a7e5-11e8-a517-bf71f53debc8
x-amz-apigw-id: MJfeGEQbPHcFQaQ=
X-Amzn-Trace-Id: Root=1-5b807927-024e2312ffbfa2e2e5a15c68;Sampled=0
X-Cache: Miss from cloudfront
Via: 1.1 2dc84924ce70e874a873764fe1415858.cloudfront.net (CloudFront)
X-Amz-Cf-Id: zyyYOrZUDaCshcl3m7JcNJQAPb8gWBKz9QBGFjqMoWTr0cuhFe3y-A==
Connection: keep-alive

{ "name": "ExampleFilter" }