CreateFilter
Creates a filter using the specified finding criteria. The maximum number of saved filters per AWS account per Region is 100. For more information, see Quotas for GuardDuty.
Request Syntax
POST /detector/DetectorId/filter HTTP/1.1
Content-type: application/json
{
  "action": "string",
  "clientToken": "string",
  "description": "string",
  "findingCriteria": {
    "criterion": {
      "string" : {
        "eq": [ "string" ],
        "equals": [ "string" ],
        "greaterThan": number,
        "greaterThanOrEqual": number,
        "gt": number,
        "gte": number,
        "lessThan": number,
        "lessThanOrEqual": number,
        "lt": number,
        "lte": number,
        "matches": [ "string" ],
        "neq": [ "string" ],
        "notEquals": [ "string" ],
        "notMatches": [ "string" ]
      }
    }
  },
  "name": "string",
  "rank": number,
  "tags": {
    "string" : "string"
  }
}
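The request syntax above, exercised end to end in Python as an added example (this is not AWS's own code or SDK). It builds the JSON body for POST /detector/DetectorId/filter while enforcing the constraints documented on this page (action must be NOOP or ARCHIVE, clientToken at most 64 characters, description at most 512, DetectorId 1 to 300, list operators take lists of strings and comparison operators take numbers), then dry-runs the criteria against constructed sample findings so the filter's scope can be checked before anything is archived. EXAMPLE_DETECTOR_ID, the account ID 111122223333 and the address 203.0.113.7 are placeholders; the local matching semantics in matches_criteria (every field present, every operator satisfied, no support for matches/notMatches) are an assumption made for this sanity check, not a statement of how the service evaluates filters.

```python
import json
import uuid

ACTIONS = {"NOOP", "ARCHIVE"}
# Operators accepted inside findingCriteria.criterion, taken from the request syntax.
LIST_OPS = {"eq", "equals", "neq", "notEquals", "matches", "notMatches"}
_NUM_CMP = {  # comparison operators and how the local dry run interprets them
    "gt": lambda v, n: v > n, "greaterThan": lambda v, n: v > n,
    "gte": lambda v, n: v >= n, "greaterThanOrEqual": lambda v, n: v >= n,
    "lt": lambda v, n: v < n, "lessThan": lambda v, n: v < n,
    "lte": lambda v, n: v <= n, "lessThanOrEqual": lambda v, n: v <= n,
}
NUM_OPS = set(_NUM_CMP)


def criteria_errors(criteria):
    """Return the problems that make the criteria violate the documented request syntax."""
    errors = []
    for field, conds in criteria.get("criterion", {}).items():
        for op, operand in conds.items():
            if op in LIST_OPS:
                if not (isinstance(operand, list) and all(isinstance(v, str) for v in operand)):
                    errors.append(f"{field}.{op}: expected a list of strings")
            elif op in NUM_OPS:
                if isinstance(operand, bool) or not isinstance(operand, (int, float)):
                    errors.append(f"{field}.{op}: expected a number")
            else:
                errors.append(f"{field}: unknown operator {op!r}")
    return errors


def build_create_filter(detector_id, name, criteria, action="NOOP",
                        description="", rank=None, client_token=None):
    """Return (request_path, body) for POST /detector/{DetectorId}/filter."""
    if not 1 <= len(detector_id) <= 300:
        raise ValueError("DetectorId must be 1 to 300 characters")
    if action not in ACTIONS:
        raise ValueError("action must be NOOP or ARCHIVE")
    if len(description) > 512:
        raise ValueError("description must be at most 512 characters")
    problems = criteria_errors(criteria)
    if problems:
        raise ValueError("; ".join(problems))
    # A fresh UUID (36 chars) fits the 64-char clientToken limit and keeps retries idempotent.
    client_token = client_token or str(uuid.uuid4())
    if len(client_token) > 64:
        raise ValueError("clientToken must be at most 64 characters")
    body = {"action": action, "clientToken": client_token,
            "findingCriteria": criteria, "name": name}
    if description:
        body["description"] = description
    if rank is not None:
        body["rank"] = rank
    return f"/detector/{detector_id}/filter", body


def _lookup(finding, dotted_path):
    """Resolve a dotted criterion field (e.g. resource.resourceType) in a finding's JSON."""
    node = finding
    for part in dotted_path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def matches_criteria(finding, criteria):
    """Assumed local semantics: every field must be present and every operator must hold."""
    for field, conds in criteria["criterion"].items():
        value = _lookup(finding, field)
        if value is None:
            return False
        for op, operand in conds.items():
            if op in ("eq", "equals"):
                ok = str(value) in operand
            elif op in ("neq", "notEquals"):
                ok = str(value) not in operand
            elif op in _NUM_CMP:
                ok = _NUM_CMP[op](value, operand)
            else:
                raise NotImplementedError(f"{op}: pattern semantics are not modelled here")
            if not ok:
                return False
    return True


def dry_run(findings, criteria):
    """IDs of the findings the filter's action would be applied to."""
    return [f["id"] for f in findings if matches_criteria(f, criteria)]


# Constructed criteria: archive only EC2 network findings whose remote side is an
# authorised in-house scanner (203.0.113.7 is a documentation address) in one
# account, and only findings raised after the scanner was deployed (epoch ms).
SCANNER_CRITERIA = {"criterion": {
    "accountId": {"equals": ["111122223333"]},
    "resource.resourceType": {"equals": ["Instance"]},
    "service.action.networkConnectionAction.remoteIpDetails.ipAddressV4": {"equals": ["203.0.113.7"]},
    "createdAt": {"greaterThanOrEqual": 1700000000000},
}}


def _finding(fid, remote_ip, created_at, account="111122223333"):
    """Constructed sample finding, trimmed to the fields the criteria touch."""
    return {"id": fid, "accountId": account, "createdAt": created_at,
            "resource": {"resourceType": "Instance"},
            "service": {"action": {"networkConnectionAction":
                                   {"remoteIpDetails": {"ipAddressV4": remote_ip}}}}}


SAMPLE_FINDINGS = [
    _finding("f-scanner", "203.0.113.7", 1700000500000),        # should be archived
    _finding("f-unknown-peer", "198.51.100.9", 1700000500000),  # different remote IP
    _finding("f-too-old", "203.0.113.7", 1699999000000),        # before the cut-off
    _finding("f-other-acct", "203.0.113.7", 1700000500000, account="444455556666"),
]

if __name__ == "__main__":
    path, body = build_create_filter("EXAMPLE_DETECTOR_ID", "archive-authorised-scanner",
                                     SCANNER_CRITERIA, action="ARCHIVE",
                                     description="Auto-archive findings caused by the internal scanner")
    print("POST", path)
    print(json.dumps(body, indent=2))
    print("would archive:", dry_run(SAMPLE_FINDINGS, SCANNER_CRITERIA))
```

The dry run is the part worth keeping in a deployment pipeline: an ARCHIVE filter silently removes findings from view, so every criterion should be as narrow as the scenario allows (here account, resource type, remote address and a time floor all have to hold), and the expected set of matches should be confirmed against real exported findings before the filter is created. The body returned by build_create_filter is what you would send with the AWS CLI or an SDK once a real DetectorId is substituted.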
URI Request Parameters
The request uses the following URI parameters.
- DetectorId
  The detector ID associated with the GuardDuty account for which you want to create a filter.
  To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
  Length Constraints: Minimum length of 1. Maximum length of 300.
  Required: Yes
Request Body
The request accepts the following data in JSON format.
- action
  Specifies the action that is to be applied to the findings that match the filter.
  Default: NOOP
  Type: String
  Length Constraints: Minimum length of 1. Maximum length of 300.
  Valid Values: NOOP | ARCHIVE
  Required: No
- clientToken
  The idempotency token for the create request.
  Type: String
  Length Constraints: Minimum length of 0. Maximum length of 64.
  Required: No
- description
  The description of the filter. Valid characters include alphanumeric characters, and special characters such as hyphen, period, colon, underscore, parentheses ({ }, [ ], and ( )), forward slash, horizontal tab, vertical tab, newline, form feed, return, and whitespace.
  Type: String
  Length Constraints: Minimum length of 0. Maximum length of 512.
  Required: No
- findingCriteria
  Represents the criteria to be used in the filter for querying findings. The following fields are available for filtering:
  - accountId
  - arn
  - associatedAttackSequenceArn
  - confidence
  - createdAt
    Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
  - description
  - id
  - partition
  - region
  - resource.accessKeyDetails.accessKeyId
  - resource.accessKeyDetails.principalId
  - resource.accessKeyDetails.userIdentity.accessKeyId
  - resource.accessKeyDetails.userIdentity.accountId
  - resource.accessKeyDetails.userIdentity.arn
  - resource.accessKeyDetails.userIdentity.principalId
  - resource.accessKeyDetails.userIdentity.sessionContext.attributes.mfaAuthenticated
  - resource.accessKeyDetails.userIdentity.sessionContext.ec2RoleDelivery
  - resource.accessKeyDetails.userIdentity.sessionContext.invokedBy
  - resource.accessKeyDetails.userIdentity.sessionContext.sessionIssuer.accountId
  - resource.accessKeyDetails.userIdentity.sessionContext.sessionIssuer.arn
  - resource.accessKeyDetails.userIdentity.sessionContext.sessionIssuer.principalId
  - resource.accessKeyDetails.userIdentity.sessionContext.sessionIssuer.type
  - resource.accessKeyDetails.userIdentity.sessionContext.sessionIssuer.userName
  - resource.accessKeyDetails.userIdentity.sessionContext.sourceIdentity
  - resource.accessKeyDetails.userIdentity.sessionContext.webIdFederationData.attributes
  - resource.accessKeyDetails.userIdentity.sessionContext.webIdFederationData.federatedProvider
  - resource.accessKeyDetails.userIdentity.type
  - resource.accessKeyDetails.userIdentity.userName
  - resource.accessKeyDetails.userName
  - resource.accessKeyDetails.userType
  - resource.bedrockGuardrailDetails.guardrailArn
  - resource.bedrockGuardrailDetails.guardrailVersion
  - resource.containerDetails.containerRuntime
  - resource.containerDetails.id
  - resource.containerDetails.image
  - resource.containerDetails.imagePrefix
  - resource.containerDetails.name
  - resource.containerDetails.securityContext.allowPrivilegeEscalation
  - resource.containerDetails.securityContext.privileged
  - resource.containerDetails.volumeMounts.mountPath
  - resource.containerDetails.volumeMounts.name
  - resource.ebsSnapshotDetails.snapshotArn
  - resource.ebsVolumeDetails.scannedVolumeDetails.deviceName
  - resource.ebsVolumeDetails.scannedVolumeDetails.encryptionType
  - resource.ebsVolumeDetails.scannedVolumeDetails.kmsKeyArn
  - resource.ebsVolumeDetails.scannedVolumeDetails.snapshotArn
  - resource.ebsVolumeDetails.scannedVolumeDetails.volumeArn
  - resource.ebsVolumeDetails.scannedVolumeDetails.volumeSizeInGB
  - resource.ebsVolumeDetails.scannedVolumeDetails.volumeType
  - resource.ebsVolumeDetails.skippedVolumeDetails.deviceName
  - resource.ebsVolumeDetails.skippedVolumeDetails.encryptionType
  - resource.ebsVolumeDetails.skippedVolumeDetails.kmsKeyArn
  - resource.ebsVolumeDetails.skippedVolumeDetails.snapshotArn
  - resource.ebsVolumeDetails.skippedVolumeDetails.volumeArn
  - resource.ebsVolumeDetails.skippedVolumeDetails.volumeSizeInGB
  - resource.ebsVolumeDetails.skippedVolumeDetails.volumeType
  - resource.ec2ImageDetails.imageArn
  - resource.ecsClusterDetails.activeServicesCount
  - resource.ecsClusterDetails.arn
  - resource.ecsClusterDetails.name
  - resource.ecsClusterDetails.registeredContainerInstancesCount
  - resource.ecsClusterDetails.runningTasksCount
  - resource.ecsClusterDetails.status
  - resource.ecsClusterDetails.tags.key
  - resource.ecsClusterDetails.tags.value
  - resource.ecsClusterDetails.taskDetails.arn
  - resource.ecsClusterDetails.taskDetails.containers.containerRuntime
  - resource.ecsClusterDetails.taskDetails.containers.id
  - resource.ecsClusterDetails.taskDetails.containers.image
  - resource.ecsClusterDetails.taskDetails.containers.imagePrefix
  - resource.ecsClusterDetails.taskDetails.containers.name
  - resource.ecsClusterDetails.taskDetails.containers.securityContext.allowPrivilegeEscalation
  - resource.ecsClusterDetails.taskDetails.containers.securityContext.privileged
  - resource.ecsClusterDetails.taskDetails.containers.volumeMounts.mountPath
  - resource.ecsClusterDetails.taskDetails.containers.volumeMounts.name
  - resource.ecsClusterDetails.taskDetails.createdAt
    Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
  - resource.ecsClusterDetails.taskDetails.definitionArn
  - resource.ecsClusterDetails.taskDetails.group
  - resource.ecsClusterDetails.taskDetails.launchType
  - resource.ecsClusterDetails.taskDetails.startedAt
    Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
  - resource.ecsClusterDetails.taskDetails.startedBy
  - resource.ecsClusterDetails.taskDetails.tags.key
  - resource.ecsClusterDetails.taskDetails.tags.value
  - resource.ecsClusterDetails.taskDetails.version
  - resource.ecsClusterDetails.taskDetails.volumes.hostPath.path
  - resource.ecsClusterDetails.taskDetails.volumes.name
  - resource.eksClusterDetails.arn
  - resource.eksClusterDetails.createdAt
    Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
  - resource.eksClusterDetails.name
  - resource.eksClusterDetails.status
  - resource.eksClusterDetails.tags.key
  - resource.eksClusterDetails.tags.value
  - resource.eksClusterDetails.vpcId
  - resource.instanceDetails.availabilityZone
  - resource.instanceDetails.iamInstanceProfile.arn
  - resource.instanceDetails.iamInstanceProfile.id
  - resource.instanceDetails.imageDescription
  - resource.instanceDetails.imageId
  - resource.instanceDetails.instanceId
  - resource.instanceDetails.instanceState
  - resource.instanceDetails.instanceType
  - resource.instanceDetails.launchTime
    Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
  - resource.instanceDetails.networkInterfaces.ipv6Addresses
  - resource.instanceDetails.networkInterfaces.networkInterfaceId
  - resource.instanceDetails.networkInterfaces.privateDnsName
  - resource.instanceDetails.networkInterfaces.privateIpAddress
  - resource.instanceDetails.networkInterfaces.privateIpAddresses.privateDnsName
  - resource.instanceDetails.networkInterfaces.privateIpAddresses.privateIpAddress
  - resource.instanceDetails.networkInterfaces.publicDnsName
  - resource.instanceDetails.networkInterfaces.publicIp
  - resource.instanceDetails.networkInterfaces.securityGroups.groupId
  - resource.instanceDetails.networkInterfaces.securityGroups.groupName
  - resource.instanceDetails.networkInterfaces.subnetId
  - resource.instanceDetails.networkInterfaces.vpcId
  - resource.instanceDetails.outpostArn
  - resource.instanceDetails.platform
  - resource.instanceDetails.productCodes.productCodeId
  - resource.instanceDetails.productCodes.productCodeType
  - resource.instanceDetails.tags.key
  - resource.instanceDetails.tags.value
  - resource.kubernetesDetails.kubernetesUserDetails.groups
  - resource.kubernetesDetails.kubernetesUserDetails.impersonatedUser.groups
  - resource.kubernetesDetails.kubernetesUserDetails.impersonatedUser.username
  - resource.kubernetesDetails.kubernetesUserDetails.sessionName
  - resource.kubernetesDetails.kubernetesUserDetails.uid
  - resource.kubernetesDetails.kubernetesUserDetails.username
  - resource.kubernetesDetails.kubernetesWorkloadDetails.containers.containerRuntime
  - resource.kubernetesDetails.kubernetesWorkloadDetails.containers.id
  - resource.kubernetesDetails.kubernetesWorkloadDetails.containers.image
  - resource.kubernetesDetails.kubernetesWorkloadDetails.containers.imagePrefix
  - resource.kubernetesDetails.kubernetesWorkloadDetails.containers.name
  - resource.kubernetesDetails.kubernetesWorkloadDetails.containers.securityContext.allowPrivilegeEscalation
  - resource.kubernetesDetails.kubernetesWorkloadDetails.containers.securityContext.privileged
  - resource.kubernetesDetails.kubernetesWorkloadDetails.containers.volumeMounts.mountPath
  - resource.kubernetesDetails.kubernetesWorkloadDetails.containers.volumeMounts.name
  - resource.kubernetesDetails.kubernetesWorkloadDetails.hostIpc
  - resource.kubernetesDetails.kubernetesWorkloadDetails.hostNetwork
  - resource.kubernetesDetails.kubernetesWorkloadDetails.hostPid
  - resource.kubernetesDetails.kubernetesWorkloadDetails.name
  - resource.kubernetesDetails.kubernetesWorkloadDetails.namespace
  - resource.kubernetesDetails.kubernetesWorkloadDetails.serviceAccountName
  - resource.kubernetesDetails.kubernetesWorkloadDetails.type
  - resource.kubernetesDetails.kubernetesWorkloadDetails.uid
  - resource.kubernetesDetails.kubernetesWorkloadDetails.volumes.hostPath.path
  - resource.kubernetesDetails.kubernetesWorkloadDetails.volumes.name
  - resource.lambdaDetails.description
  - resource.lambdaDetails.functionArn
  - resource.lambdaDetails.functionName
  - resource.lambdaDetails.functionVersion
  - resource.lambdaDetails.lastModifiedAt
    Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
  - resource.lambdaDetails.revisionId
  - resource.lambdaDetails.role
  - resource.lambdaDetails.tags.key
  - resource.lambdaDetails.tags.value
  - resource.lambdaDetails.vpcConfig.securityGroups.groupId
  - resource.lambdaDetails.vpcConfig.securityGroups.groupName
  - resource.lambdaDetails.vpcConfig.subnetIds
  - resource.lambdaDetails.vpcConfig.vpcId
  - resource.rdsDbInstanceDetails.dbClusterIdentifier
  - resource.rdsDbInstanceDetails.dbInstanceArn
  - resource.rdsDbInstanceDetails.dbInstanceIdentifier
  - resource.rdsDbInstanceDetails.dbSecurityGroups.name
  - resource.rdsDbInstanceDetails.dbSecurityGroups.status
  - resource.rdsDbInstanceDetails.dbiResourceId
  - resource.rdsDbInstanceDetails.engine
  - resource.rdsDbInstanceDetails.engineVersion
  - resource.rdsDbInstanceDetails.iamDatabaseAuthenticationEnabled
  - resource.rdsDbInstanceDetails.publiclyAccessible
  - resource.rdsDbInstanceDetails.tags.key
  - resource.rdsDbInstanceDetails.tags.value
  - resource.rdsDbInstanceDetails.vpcId
  - resource.rdsDbInstanceDetails.vpcSecurityGroups.status
  - resource.rdsDbInstanceDetails.vpcSecurityGroups.vpcSecurityGroupId
  - resource.rdsDbUserDetails.application
  - resource.rdsDbUserDetails.authMethod
  - resource.rdsDbUserDetails.database
  - resource.rdsDbUserDetails.ssl
  - resource.rdsDbUserDetails.user
  - resource.rdsLimitlessDbDetails.dbClusterIdentifier
  - resource.rdsLimitlessDbDetails.dbShardGroupArn
  - resource.rdsLimitlessDbDetails.dbShardGroupIdentifier
  - resource.rdsLimitlessDbDetails.dbShardGroupResourceId
  - resource.rdsLimitlessDbDetails.engine
  - resource.rdsLimitlessDbDetails.engineVersion
  - resource.rdsLimitlessDbDetails.tags.key
  - resource.rdsLimitlessDbDetails.tags.value
  - resource.recoveryPointDetails.backupVaultName
  - resource.recoveryPointDetails.recoveryPointArn
  - resource.resourceType
  - resource.s3BucketDetails.arn
  - resource.s3BucketDetails.createdAt
    Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
  - resource.s3BucketDetails.defaultServerSideEncryption.encryptionType
  - resource.s3BucketDetails.defaultServerSideEncryption.kmsMasterKeyArn
  - resource.s3BucketDetails.name
  - resource.s3BucketDetails.owner.id
  - resource.s3BucketDetails.publicAccess.effectivePermission
  - resource.s3BucketDetails.publicAccess.permissionConfiguration.accountLevelPermissions.blockPublicAccess.blockPublicAcls
  - resource.s3BucketDetails.publicAccess.permissionConfiguration.accountLevelPermissions.blockPublicAccess.blockPublicPolicy
  - resource.s3BucketDetails.publicAccess.permissionConfiguration.accountLevelPermissions.blockPublicAccess.ignorePublicAcls
  - resource.s3BucketDetails.publicAccess.permissionConfiguration.accountLevelPermissions.blockPublicAccess.restrictPublicBuckets
  - resource.s3BucketDetails.publicAccess.permissionConfiguration.bucketLevelPermissions.accessControlList.allowsPublicReadAccess
  - resource.s3BucketDetails.publicAccess.permissionConfiguration.bucketLevelPermissions.accessControlList.allowsPublicWriteAccess
  - resource.s3BucketDetails.publicAccess.permissionConfiguration.bucketLevelPermissions.blockPublicAccess.blockPublicAcls
  - resource.s3BucketDetails.publicAccess.permissionConfiguration.bucketLevelPermissions.blockPublicAccess.blockPublicPolicy
  - resource.s3BucketDetails.publicAccess.permissionConfiguration.bucketLevelPermissions.blockPublicAccess.ignorePublicAcls
  - resource.s3BucketDetails.publicAccess.permissionConfiguration.bucketLevelPermissions.blockPublicAccess.restrictPublicBuckets
  - resource.s3BucketDetails.publicAccess.permissionConfiguration.bucketLevelPermissions.bucketPolicy.allowsPublicReadAccess
  - resource.s3BucketDetails.publicAccess.permissionConfiguration.bucketLevelPermissions.bucketPolicy.allowsPublicWriteAccess
  - resource.s3BucketDetails.s3ObjectDetails.eTag
  - resource.s3BucketDetails.s3ObjectDetails.hash
  - resource.s3BucketDetails.s3ObjectDetails.key
  - resource.s3BucketDetails.s3ObjectDetails.objectArn
  - resource.s3BucketDetails.s3ObjectDetails.versionId
  - resource.s3BucketDetails.tags.key
  - resource.s3BucketDetails.tags.value
  - resource.s3BucketDetails.type
  - schemaVersion
  - service.action.actionType
  - service.action.awsApiCallAction.affectedResources
  - service.action.awsApiCallAction.api
  - service.action.awsApiCallAction.callerType
  - service.action.awsApiCallAction.domainDetails.domain
  - service.action.awsApiCallAction.errorCode
  - service.action.awsApiCallAction.remoteAccountDetails.accountId
  - service.action.awsApiCallAction.remoteAccountDetails.affiliated
  - service.action.awsApiCallAction.remoteAccountDetails.awsServiceName
  - service.action.awsApiCallAction.remoteIpDetails.city.cityName
  - service.action.awsApiCallAction.remoteIpDetails.country.countryCode
  - service.action.awsApiCallAction.remoteIpDetails.country.countryName
  - service.action.awsApiCallAction.remoteIpDetails.geoLocation.lat
  - service.action.awsApiCallAction.remoteIpDetails.geoLocation.lon
  - service.action.awsApiCallAction.remoteIpDetails.ipAddressV4
  - service.action.awsApiCallAction.remoteIpDetails.ipAddressV6
  - service.action.awsApiCallAction.remoteIpDetails.organization.asn
  - service.action.awsApiCallAction.remoteIpDetails.organization.asnOrg
  - service.action.awsApiCallAction.remoteIpDetails.organization.isp
  - service.action.awsApiCallAction.remoteIpDetails.organization.org
  - service.action.awsApiCallAction.serviceName
  - service.action.awsApiCallAction.userAgent
  - service.action.dnsRequestAction.blocked
  - service.action.dnsRequestAction.domain
  - service.action.dnsRequestAction.domainWithSuffix
  - service.action.dnsRequestAction.protocol
  - service.action.dnsRequestAction.vpcOwnerAccountId
  - service.action.kubernetesApiCallAction.namespace
  - service.action.kubernetesApiCallAction.parameters
  - service.action.kubernetesApiCallAction.remoteIpDetails.city.cityName
  - service.action.kubernetesApiCallAction.remoteIpDetails.country.countryCode
  - service.action.kubernetesApiCallAction.remoteIpDetails.country.countryName
  - service.action.kubernetesApiCallAction.remoteIpDetails.geoLocation.lat
  - service.action.kubernetesApiCallAction.remoteIpDetails.geoLocation.lon
  - service.action.kubernetesApiCallAction.remoteIpDetails.ipAddressV4
  - service.action.kubernetesApiCallAction.remoteIpDetails.ipAddressV6
  - service.action.kubernetesApiCallAction.remoteIpDetails.organization.asn
  - service.action.kubernetesApiCallAction.remoteIpDetails.organization.asnOrg
  - service.action.kubernetesApiCallAction.remoteIpDetails.organization.isp
  - service.action.kubernetesApiCallAction.remoteIpDetails.organization.org
  - service.action.kubernetesApiCallAction.requestUri
  - service.action.kubernetesApiCallAction.resource
  - service.action.kubernetesApiCallAction.resourceName
  - service.action.kubernetesApiCallAction.sourceIPs
  - service.action.kubernetesApiCallAction.statusCode
  - service.action.kubernetesApiCallAction.subresource
  - service.action.kubernetesApiCallAction.userAgent
  - service.action.kubernetesApiCallAction.verb
  - service.action.kubernetesPermissionCheckedDetails.allowed
  - service.action.kubernetesPermissionCheckedDetails.namespace
  - service.action.kubernetesPermissionCheckedDetails.resource
  - service.action.kubernetesPermissionCheckedDetails.verb
  - service.action.kubernetesRoleBindingDetails.kind
  - service.action.kubernetesRoleBindingDetails.name
  - service.action.kubernetesRoleBindingDetails.roleRefKind
  - service.action.kubernetesRoleBindingDetails.roleRefName
  - service.action.kubernetesRoleBindingDetails.uid
  - service.action.kubernetesRoleDetails.kind
  - service.action.kubernetesRoleDetails.name
  - service.action.kubernetesRoleDetails.uid
  - service.action.networkConnectionAction.blocked
  - service.action.networkConnectionAction.connectionDirection
  - service.action.networkConnectionAction.localIpDetails.ipAddressV4
  - service.action.networkConnectionAction.localIpDetails.ipAddressV6
  - service.action.networkConnectionAction.localNetworkInterface
  - service.action.networkConnectionAction.localPortDetails.port
  - service.action.networkConnectionAction.localPortDetails.portName
  - service.action.networkConnectionAction.protocol
  - service.action.networkConnectionAction.remoteIpDetails.city.cityName
  - service.action.networkConnectionAction.remoteIpDetails.country.countryCode
  - service.action.networkConnectionAction.remoteIpDetails.country.countryName
  - service.action.networkConnectionAction.remoteIpDetails.geoLocation.lat
  - service.action.networkConnectionAction.remoteIpDetails.geoLocation.lon
  - service.action.networkConnectionAction.remoteIpDetails.ipAddressV4
  - service.action.networkConnectionAction.remoteIpDetails.ipAddressV6
  - service.action.networkConnectionAction.remoteIpDetails.organization.asn
  - service.action.networkConnectionAction.remoteIpDetails.organization.asnOrg
  - service.action.networkConnectionAction.remoteIpDetails.organization.isp
  - service.action.networkConnectionAction.remoteIpDetails.organization.org
  - service.action.networkConnectionAction.remotePortDetails.port
  - service.action.networkConnectionAction.remotePortDetails.portName
  - service.action.portProbeAction.blocked
  - service.action.portProbeAction.portProbeDetails.localIpDetails.ipAddressV4
  - service.action.portProbeAction.portProbeDetails.localIpDetails.ipAddressV6
  - service.action.portProbeAction.portProbeDetails.localPortDetails.port
  - service.action.portProbeAction.portProbeDetails.localPortDetails.portName
  - service.action.portProbeAction.portProbeDetails.remoteIpDetails.city.cityName
  - service.action.portProbeAction.portProbeDetails.remoteIpDetails.country.countryCode
  - service.action.portProbeAction.portProbeDetails.remoteIpDetails.country.countryName
  - service.action.portProbeAction.portProbeDetails.remoteIpDetails.geoLocation.lat
  - service.action.portProbeAction.portProbeDetails.remoteIpDetails.geoLocation.lon
  - service.action.portProbeAction.portProbeDetails.remoteIpDetails.ipAddressV4
  - service.action.portProbeAction.portProbeDetails.remoteIpDetails.ipAddressV6
  - service.action.portProbeAction.portProbeDetails.remoteIpDetails.organization.asn
  - service.action.portProbeAction.portProbeDetails.remoteIpDetails.organization.asnOrg
  - service.action.portProbeAction.portProbeDetails.remoteIpDetails.organization.isp
  - service.action.portProbeAction.portProbeDetails.remoteIpDetails.organization.org
  - service.action.rdsLoginAttemptAction.loginAttributes.application
  - service.action.rdsLoginAttemptAction.loginAttributes.failedLoginAttempts
  - service.action.rdsLoginAttemptAction.loginAttributes.successfulLoginAttempts
  - service.action.rdsLoginAttemptAction.loginAttributes.user
  - service.action.rdsLoginAttemptAction.remoteIpDetails.city.cityName
  - service.action.rdsLoginAttemptAction.remoteIpDetails.country.countryCode
  - service.action.rdsLoginAttemptAction.remoteIpDetails.country.countryName
  - service.action.rdsLoginAttemptAction.remoteIpDetails.geoLocation.lat
  - service.action.rdsLoginAttemptAction.remoteIpDetails.geoLocation.lon
  - service.action.rdsLoginAttemptAction.remoteIpDetails.ipAddressV4
  - service.action.rdsLoginAttemptAction.remoteIpDetails.ipAddressV6
  - service.action.rdsLoginAttemptAction.remoteIpDetails.organization.asn
  - service.action.rdsLoginAttemptAction.remoteIpDetails.organization.asnOrg
  - service.action.rdsLoginAttemptAction.remoteIpDetails.organization.isp
  - service.action.rdsLoginAttemptAction.remoteIpDetails.organization.org
  - service.additionalInfo.agentDetails.agentId
  - service.additionalInfo.agentDetails.agentVersion
  - service.additionalInfo.anomalies.anomalousAPIs
  - service.additionalInfo.authenticationMethod
  - service.additionalInfo.averagePacketSizeIn
  - service.additionalInfo.averagePacketSizeOut
  - service.additionalInfo.context
  - service.additionalInfo.domain
  - service.additionalInfo.inBytes
  - service.additionalInfo.localNetworkInterfaceOwner
  - service.additionalInfo.localPort
  - service.additionalInfo.outBytes
  - service.additionalInfo.packetsIn
  - service.additionalInfo.packetsOut
  - service.additionalInfo.policyArn
  - service.additionalInfo.policyName
  - service.additionalInfo.remotePort
  - service.additionalInfo.sample
  - service.additionalInfo.scannedPort
  - service.additionalInfo.threatFileSha256
  - service.additionalInfo.threatListName
  - service.additionalInfo.threatName
  - service.additionalInfo.totalBytesIn
  - service.additionalInfo.totalBytesOut
  - service.additionalInfo.type
  - service.additionalInfo.unusual.asnOrg
  - service.additionalInfo.unusual.port
  - service.additionalInfo.unusualProtocol
  - service.additionalInfo.userAgent.fullUserAgent
  - service.additionalInfo.userAgent.userAgentCategory
  - service.additionalInfo.value
  - service.additionalInfo.vpcOwnerAccountId
  - service.archived
  - service.count
  - service.detection.anomaly.profiles
  - service.detection.anomaly.unusual.behavior
  - service.detection.sequence.actors.id
  - service.detection.sequence.actors.process.name
  - service.detection.sequence.actors.process.path
  - service.detection.sequence.actors.process.sha256
  - service.detection.sequence.actors.session.createdTime
    Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
  - service.detection.sequence.actors.session.issuer
  - service.detection.sequence.actors.session.mfaStatus
  - service.detection.sequence.actors.session.uid
  - service.detection.sequence.actors.user.account.account
  - service.detection.sequence.actors.user.account.uid
  - service.detection.sequence.actors.user.credentialUid
  - service.detection.sequence.actors.user.name
  - service.detection.sequence.actors.user.type
  - service.detection.sequence.actors.user.uid
  - service.detection.sequence.additionalSequenceTypes
  - service.detection.sequence.description
  - service.detection.sequence.endpoints.autonomousSystem.name
  - service.detection.sequence.endpoints.autonomousSystem.number
  - service.detection.sequence.endpoints.connection.direction
  - service.detection.sequence.endpoints.domain
  - service.detection.sequence.endpoints.id
  - service.detection.sequence.endpoints.ip
  - service.detection.sequence.endpoints.location.city
  - service.detection.sequence.endpoints.location.country
  - service.detection.sequence.endpoints.location.lat
  - service.detection.sequence.endpoints.location.lon
  - service.detection.sequence.endpoints.port
  - service.detection.sequence.resources.accountId
  - service.detection.sequence.resources.cloudPartition
  - service.detection.sequence.resources.data.accessKey.principalId
  - service.detection.sequence.resources.data.accessKey.userName
  - service.detection.sequence.resources.data.accessKey.userType
  - service.detection.sequence.resources.data.autoscalingAutoScalingGroup.ec2InstanceUids
  - service.detection.sequence.resources.data.cloudformationStack.ec2InstanceUids
  - service.detection.sequence.resources.data.container.image
  - service.detection.sequence.resources.data.container.imageUid
  - service.detection.sequence.resources.data.ec2Image.ec2InstanceUids
  - service.detection.sequence.resources.data.ec2Instance.availabilityZone
  - service.detection.sequence.resources.data.ec2Instance.ec2NetworkInterfaceUids
  - service.detection.sequence.resources.data.ec2Instance.iamInstanceProfile.arn
  - service.detection.sequence.resources.data.ec2Instance.iamInstanceProfile.id
  - service.detection.sequence.resources.data.ec2Instance.imageDescription
  - service.detection.sequence.resources.data.ec2Instance.instanceState
  - service.detection.sequence.resources.data.ec2Instance.instanceType
  - service.detection.sequence.resources.data.ec2Instance.outpostArn
  - service.detection.sequence.resources.data.ec2Instance.platform
  - service.detection.sequence.resources.data.ec2Instance.productCodes.productCodeId
  - service.detection.sequence.resources.data.ec2Instance.productCodes.productCodeType
  - service.detection.sequence.resources.data.ec2LaunchTemplate.ec2InstanceUids
  - service.detection.sequence.resources.data.ec2LaunchTemplate.version
  - service.detection.sequence.resources.data.ec2NetworkInterface.ipv6Addresses
  - service.detection.sequence.resources.data.ec2NetworkInterface.privateIpAddresses.privateDnsName
  - service.detection.sequence.resources.data.ec2NetworkInterface.privateIpAddresses.privateIpAddress
  - service.detection.sequence.resources.data.ec2NetworkInterface.publicIp
  - service.detection.sequence.resources.data.ec2NetworkInterface.securityGroups.groupId
  - service.detection.sequence.resources.data.ec2NetworkInterface.securityGroups.groupName
  - service.detection.sequence.resources.data.ec2NetworkInterface.subNetId
  - service.detection.sequence.resources.data.ec2NetworkInterface.vpcId
  - service.detection.sequence.resources.data.ec2Vpc.ec2InstanceUids
  - service.detection.sequence.resources.data.ecsCluster.ec2InstanceUids
  - service.detection.sequence.resources.data.ecsCluster.status
  - service.detection.sequence.resources.data.ecsTask.containerUids
  - service.detection.sequence.resources.data.ecsTask.createdAt
    Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
  - service.detection.sequence.resources.data.ecsTask.launchType
  - service.detection.sequence.resources.data.ecsTask.taskDefinitionArn
  - service.detection.sequence.resources.data.eksCluster.arn
  - service.detection.sequence.resources.data.eksCluster.createdAt
    Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
  - service.detection.sequence.resources.data.eksCluster.ec2InstanceUids
  - service.detection.sequence.resources.data.eksCluster.status
  - service.detection.sequence.resources.data.eksCluster.vpcId
  - service.detection.sequence.resources.data.iamInstanceProfile.ec2InstanceUids
  - service.detection.sequence.resources.data.iamInstanceProfile.id
  - service.detection.sequence.resources.data.kubernetesWorkload.containerUids
  - service.detection.sequence.resources.data.kubernetesWorkload.namespace
  - service.detection.sequence.resources.data.kubernetesWorkload.type
  - service.detection.sequence.resources.data.s3Bucket.accountPublicAccess.publicAclAccess
  - service.detection.sequence.resources.data.s3Bucket.accountPublicAccess.publicAclIgnoreBehavior
  - service.detection.sequence.resources.data.s3Bucket.accountPublicAccess.publicBucketRestrictBehavior
  - service.detection.sequence.resources.data.s3Bucket.accountPublicAccess.publicPolicyAccess
  - service.detection.sequence.resources.data.s3Bucket.bucketPublicAccess.publicAclAccess
  - service.detection.sequence.resources.data.s3Bucket.bucketPublicAccess.publicAclIgnoreBehavior
  - service.detection.sequence.resources.data.s3Bucket.bucketPublicAccess.publicBucketRestrictBehavior
  - service.detection.sequence.resources.data.s3Bucket.bucketPublicAccess.publicPolicyAccess
  - service.detection.sequence.resources.data.s3Bucket.createdAt
    Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
  - service.detection.sequence.resources.data.s3Bucket.effectivePermission
  - service.detection.sequence.resources.data.s3Bucket.encryptionKeyArn
  - service.detection.sequence.resources.data.s3Bucket.encryptionType
  - service.detection.sequence.resources.data.s3Bucket.ownerId
  - service.detection.sequence.resources.data.s3Bucket.publicReadAccess
  - service.detection.sequence.resources.data.s3Bucket.publicWriteAccess
  - service.detection.sequence.resources.data.s3Bucket.s3ObjectUids
  - service.detection.sequence.resources.data.s3Object.eTag
  - service.detection.sequence.resources.data.s3Object.key
  - service.detection.sequence.resources.data.s3Object.versionId
  - service.detection.sequence.resources.name
  - service.detection.sequence.resources.region
  - service.detection.sequence.resources.resourceType
  - service.detection.sequence.resources.service
  - service.detection.sequence.resources.tags.key
  - service.detection.sequence.resources.tags.value
  - service.detection.sequence.resources.uid
  - service.detection.sequence.sequenceIndicators.key
  - service.detection.sequence.sequenceIndicators.title
  - service.detection.sequence.sequenceIndicators.values
  - service.detection.sequence.signals.actorIds
  - service.detection.sequence.signals.count
  - service.detection.sequence.signals.createdAt
    Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
  - service.detection.sequence.signals.description
  - service.detection.sequence.signals.endpointIds
  - service.detection.sequence.signals.firstSeenAt
    Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
  - service.detection.sequence.signals.lastSeenAt
    Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
  - service.detection.sequence.signals.name
  - service.detection.sequence.signals.resourceUids
  - service.detection.sequence.signals.severity
  - service.detection.sequence.signals.signalIndicators.key
  - service.detection.sequence.signals.signalIndicators.title
  - service.detection.sequence.signals.signalIndicators.values
  - service.detection.sequence.signals.type
  - service.detection.sequence.signals.uid
  - service.detection.sequence.signals.updatedAt
    Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
  - service.detection.sequence.uid
  - service.detectorId
  - service.ebsVolumeScanDetails.scanCompletedAt
    Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
  - service.ebsVolumeScanDetails.scanDetections.highestSeverityThreatDetails.count
  - service.ebsVolumeScanDetails.scanDetections.highestSeverityThreatDetails.severity
  - service.ebsVolumeScanDetails.scanDetections.highestSeverityThreatDetails.threatName
  - service.ebsVolumeScanDetails.scanDetections.scannedItemCount.files
  - service.ebsVolumeScanDetails.scanDetections.scannedItemCount.totalGb
  - service.ebsVolumeScanDetails.scanDetections.scannedItemCount.volumes
  - service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.itemCount
  - service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.shortened
  - service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.filePaths.fileName
  - service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.filePaths.filePath
  - service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.filePaths.hash
  - service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.filePaths.volumeArn
  - service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.itemCount
  - service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.name
  - service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.severity
  - service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.uniqueThreatNameCount
  - service.ebsVolumeScanDetails.scanDetections.threatsDetectedItemCount.files
  - service.ebsVolumeScanDetails.scanId
  - service.ebsVolumeScanDetails.scanStartedAt
    Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
  - service.ebsVolumeScanDetails.scanType
  - service.ebsVolumeScanDetails.sources
  - service.ebsVolumeScanDetails.triggerFindingId
  - service.eventFirstSeen
    Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
  - service.eventLastSeen
    Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
  - service.evidence.threatIntelligenceDetails.threatFileSha256
  - service.evidence.threatIntelligenceDetails.threatListName
  - service.evidence.threatIntelligenceDetails.threatNames
  - service.featureName
  - service.malwareScanDetails.scanCategory
  - service.malwareScanDetails.scanConfiguration.incrementalScanDetails.baselineResourceArn
  - service.malwareScanDetails.scanConfiguration.triggerType
  - service.malwareScanDetails.scanId
  - service.malwareScanDetails.scanType
  - service.malwareScanDetails.threats.count
  - service.malwareScanDetails.threats.hash
  - service.malwareScanDetails.threats.itemDetails.additionalInfo.deviceName
  - service.malwareScanDetails.threats.itemDetails.additionalInfo.versionId
-
service.malwareScanDetails.threats.itemDetails.hash
-
service.malwareScanDetails.threats.itemDetails.itemPath
-
service.malwareScanDetails.threats.itemDetails.resourceArn
-
service.malwareScanDetails.threats.itemPaths.hash
-
service.malwareScanDetails.threats.itemPaths.nestedItemPath
-
service.malwareScanDetails.threats.name
-
service.malwareScanDetails.threats.source
-
service.malwareScanDetails.uniqueThreatCount
-
service.resourceRole
-
service.runtimeDetails.context.addressFamily
-
service.runtimeDetails.context.commandLineExample
-
service.runtimeDetails.context.fileOperation
-
service.runtimeDetails.context.filePath
-
service.runtimeDetails.context.fileSystemType
-
service.runtimeDetails.context.flags
-
service.runtimeDetails.context.ianaProtocolNumber
-
service.runtimeDetails.context.ldPreloadValue
-
service.runtimeDetails.context.libraryPath
-
service.runtimeDetails.context.memoryRegions
-
service.runtimeDetails.context.modifiedAt
Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
-
service.runtimeDetails.context.modifyingProcess.euid
-
service.runtimeDetails.context.modifyingProcess.executablePath
-
service.runtimeDetails.context.modifyingProcess.executableSha256
-
service.runtimeDetails.context.modifyingProcess.lineage.euid
-
service.runtimeDetails.context.modifyingProcess.lineage.executablePath
-
service.runtimeDetails.context.modifyingProcess.lineage.name
-
service.runtimeDetails.context.modifyingProcess.lineage.namespacePid
-
service.runtimeDetails.context.modifyingProcess.lineage.parentUuid
-
service.runtimeDetails.context.modifyingProcess.lineage.pid
-
service.runtimeDetails.context.modifyingProcess.lineage.startTime
Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
-
service.runtimeDetails.context.modifyingProcess.lineage.userId
-
service.runtimeDetails.context.modifyingProcess.lineage.uuid
-
service.runtimeDetails.context.modifyingProcess.name
-
service.runtimeDetails.context.modifyingProcess.namespacePid
-
service.runtimeDetails.context.modifyingProcess.parentUuid
-
service.runtimeDetails.context.modifyingProcess.pid
-
service.runtimeDetails.context.modifyingProcess.pwd
-
service.runtimeDetails.context.modifyingProcess.startTime
Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
-
service.runtimeDetails.context.modifyingProcess.user
-
service.runtimeDetails.context.modifyingProcess.userId
-
service.runtimeDetails.context.modifyingProcess.uuid
-
service.runtimeDetails.context.moduleFilePath
-
service.runtimeDetails.context.moduleName
-
service.runtimeDetails.context.moduleSha256
-
service.runtimeDetails.context.mountSource
-
service.runtimeDetails.context.mountTarget
-
service.runtimeDetails.context.relatedFilePaths
-
service.runtimeDetails.context.releaseAgentPath
-
service.runtimeDetails.context.runcBinaryPath
-
service.runtimeDetails.context.scriptPath
-
service.runtimeDetails.context.serviceName
-
service.runtimeDetails.context.shellHistoryFilePath
-
service.runtimeDetails.context.socketPath
-
service.runtimeDetails.context.targetProcess.euid
-
service.runtimeDetails.context.targetProcess.executablePath
-
service.runtimeDetails.context.targetProcess.executableSha256
-
service.runtimeDetails.context.targetProcess.lineage.euid
-
service.runtimeDetails.context.targetProcess.lineage.executablePath
-
service.runtimeDetails.context.targetProcess.lineage.name
-
service.runtimeDetails.context.targetProcess.lineage.namespacePid
-
service.runtimeDetails.context.targetProcess.lineage.parentUuid
-
service.runtimeDetails.context.targetProcess.lineage.pid
-
service.runtimeDetails.context.targetProcess.lineage.startTime
Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
-
service.runtimeDetails.context.targetProcess.lineage.userId
-
service.runtimeDetails.context.targetProcess.lineage.uuid
-
service.runtimeDetails.context.targetProcess.name
-
service.runtimeDetails.context.targetProcess.namespacePid
-
service.runtimeDetails.context.targetProcess.parentUuid
-
service.runtimeDetails.context.targetProcess.pid
-
service.runtimeDetails.context.targetProcess.pwd
-
service.runtimeDetails.context.targetProcess.startTime
Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
-
service.runtimeDetails.context.targetProcess.user
-
service.runtimeDetails.context.targetProcess.userId
-
service.runtimeDetails.context.targetProcess.uuid
-
service.runtimeDetails.context.threatFilePath
-
service.runtimeDetails.context.toolCategory
-
service.runtimeDetails.context.toolName
-
service.runtimeDetails.process.euid
-
service.runtimeDetails.process.executablePath
-
service.runtimeDetails.process.executableSha256
-
service.runtimeDetails.process.lineage.euid
-
service.runtimeDetails.process.lineage.executablePath
-
service.runtimeDetails.process.lineage.name
-
service.runtimeDetails.process.lineage.namespacePid
-
service.runtimeDetails.process.lineage.parentUuid
-
service.runtimeDetails.process.lineage.pid
-
service.runtimeDetails.process.lineage.startTime
Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
-
service.runtimeDetails.process.lineage.userId
-
service.runtimeDetails.process.lineage.uuid
-
service.runtimeDetails.process.name
-
service.runtimeDetails.process.namespacePid
-
service.runtimeDetails.process.parentUuid
-
service.runtimeDetails.process.pid
-
service.runtimeDetails.process.pwd
-
service.runtimeDetails.process.startTime
Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
-
service.runtimeDetails.process.user
-
service.runtimeDetails.process.userId
-
service.runtimeDetails.process.uuid
-
service.serviceName
-
service.userFeedback
-
severity
To configure severity-based filters, use the following string values for the FindingCriteria condition:
-
Low: ["1", "2", "3"]
-
Medium: ["4", "5", "6"]
-
High: ["7", "8"]
-
Critical: ["9", "10"]
For more information, see Findings severity levels in the Amazon GuardDuty User Guide.
-
title
-
type
-
updatedAt
Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
Type: FindingCriteria object
Required: Yes
- name
-
The name of the filter. Valid characters are period (.), underscore (_), dash (-), and alphanumeric characters. Whitespace is not allowed.
Type: String
Length Constraints: Minimum length of 3. Maximum length of 64.
Required: Yes
- rank
-
Specifies the position of the filter in the list of current filters. Also specifies the order in which this filter is applied to the findings.
Type: Integer
Valid Range: Minimum value of 1. Maximum value of 100.
Required: No
- tags
-
The tags to be added to a new filter resource.
Type: String to string map
Map Entries: Maximum number of 200 items.
Key Length Constraints: Minimum length of 1. Maximum length of 128.
Key Pattern:
(?!aws:)[a-zA-Z+-=._:/]+
Value Length Constraints: Minimum length of 0. Maximum length of 256.
Required: No
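The following is an added example, not code from AWS or from this reference page. It assembles a CreateFilter request body offline and checks it against the constraints stated above (filter name charset and length, rank range, action values, tag key pattern and sizes, the severity bands listed under severity, and the epoch-millisecond format of the timestamp fields such as updatedAt and service.eventLastSeen). The function names and the sample filter (a High/Critical filter over the last seven days) are illustrative; sending the body, for example with boto3's GuardDuty create_filter call, is assumed to be done by the caller and is not shown. Note that a filter whose action is ARCHIVE archives every finding it matches, so keep the criteria of such a filter as narrow as possible and check the generated body before submitting it.

```python
"""
Assemble and sanity-check a GuardDuty CreateFilter request body offline.

Added example, not AWS code. It encodes the constraints stated on this page
and returns the JSON document that would be POSTed to
/detector/{DetectorId}/filter. Nothing here talks to AWS; sending the body
(e.g. with boto3's create_filter) is assumed to be the caller's job.
"""
import json
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

# Severity bands exactly as listed on this page; criterion values are strings.
SEVERITY_BANDS = {
    "Low": ["1", "2", "3"],
    "Medium": ["4", "5", "6"],
    "High": ["7", "8"],
    "Critical": ["9", "10"],
}

# Condition operators accepted inside a criterion (from the request syntax).
LIST_OPERATORS = {"eq", "equals", "neq", "notEquals", "matches", "notMatches"}
NUMERIC_OPERATORS = {"gt", "gte", "lt", "lte", "greaterThan",
                     "greaterThanOrEqual", "lessThan", "lessThanOrEqual"}

# name: period, underscore, dash and alphanumerics only, 3-64 chars, no whitespace.
_NAME_RE = re.compile(r"^[A-Za-z0-9._-]{3,64}$")
# Tag key pattern verbatim from this page ("+-=" is a character range); 1-128 chars.
_TAG_KEY_RE = re.compile(r"^(?!aws:)[a-zA-Z+-=._:/]{1,128}$")


def epoch_ms(dt: datetime) -> int:
    """Timestamp criteria take Unix epoch *milliseconds*; a seconds value matches nothing useful."""
    if dt.tzinfo is None:
        raise ValueError("pass an aware datetime; naive values are ambiguous")
    return int(dt.timestamp()) * 1000 + dt.microsecond // 1000


def severity_criterion(*bands: str) -> dict:
    """Build the 'severity' criterion for one or more bands, e.g. ('High', 'Critical')."""
    values = []
    for band in bands:
        if band not in SEVERITY_BANDS:
            raise ValueError(f"unknown severity band {band!r}")
        values.extend(SEVERITY_BANDS[band])
    return {"severity": {"eq": values}}


def time_window_criterion(field: str, since: datetime, until: Optional[datetime] = None) -> dict:
    """Inclusive window on an epoch-ms field such as updatedAt or service.eventLastSeen."""
    cond = {"gte": epoch_ms(since)}
    if until is not None:
        cond["lte"] = epoch_ms(until)
    return {field: cond}


def build_create_filter_body(name: str, criterion: dict, *, action: str = "NOOP",
                             rank: Optional[int] = None, description: Optional[str] = None,
                             tags: Optional[dict] = None) -> dict:
    """Validate each part against this page's constraints and return the request body."""
    if not _NAME_RE.fullmatch(name):
        raise ValueError("name must be 3-64 chars of [A-Za-z0-9._-] with no whitespace")
    if action not in ("NOOP", "ARCHIVE"):
        raise ValueError("action must be NOOP or ARCHIVE")
    if not criterion:
        raise ValueError("findingCriteria.criterion must not be empty")
    for field, cond in criterion.items():
        for op, val in cond.items():
            if op in LIST_OPERATORS and not (isinstance(val, list) and val):
                raise ValueError(f"{field}.{op} expects a non-empty list of strings")
            if op in NUMERIC_OPERATORS and not isinstance(val, int):
                raise ValueError(f"{field}.{op} expects a number")
            if op not in LIST_OPERATORS | NUMERIC_OPERATORS:
                raise ValueError(f"unknown condition operator {op!r}")
    body = {"name": name, "action": action, "findingCriteria": {"criterion": criterion}}
    if rank is not None:
        if not 1 <= rank <= 100:
            raise ValueError("rank must be between 1 and 100")
        body["rank"] = rank
    if description is not None:
        if len(description) > 512:
            raise ValueError("description is limited to 512 characters")
        body["description"] = description
    if tags:
        if len(tags) > 200:
            raise ValueError("at most 200 tags per filter")
        for k, v in tags.items():
            if not _TAG_KEY_RE.fullmatch(k) or len(v) > 256:
                raise ValueError(f"invalid tag {k!r}")
        body["tags"] = dict(tags)
    return body


if __name__ == "__main__":
    # Illustrative filter: High and Critical findings updated in the last 7 days.
    since = datetime.now(timezone.utc) - timedelta(days=7)
    body = build_create_filter_body(
        "high-sev-last-7d",
        {**severity_criterion("High", "Critical"),
         **time_window_criterion("updatedAt", since)},
        rank=1,
        description="High and Critical findings updated in the last 7 days",
        tags={"Owner": "secops"},
    )
    print(json.dumps(body, indent=2))
```

The generated document is the JSON body from the Request Syntax section; pass it as the request body of POST /detector/DetectorId/filter, with the detector ID substituted into the path. The severity band values are strings and the timestamp bounds are integers in milliseconds, which is the part most often got wrong by hand.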
Response Syntax
HTTP/1.1 200
Content-type: application/json
{
"name": "string"
}
Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
- name
-
The name of the successfully created filter.
Type: String
Length Constraints: Minimum length of 3. Maximum length of 64.
Errors
For information about the errors that are common to all actions, see Common Error Types.
- BadRequestException
-
A bad request exception object.
- Message
-
The error message.
- Type
-
The error type.
HTTP Status Code: 400
- InternalServerErrorException
-
An internal server error exception object.
- Message
-
The error message.
- Type
-
The error type.
HTTP Status Code: 500
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following: