CreateFilter

Creates a filter using the specified finding criteria. The maximum number of saved filters per AWS account per Region is 100. For more information, see Quotas for GuardDuty.

Request Syntax

POST /detector/detectorId/filter HTTP/1.1
Content-type: application/json

{
   "action": "string",
   "clientToken": "string",
   "description": "string",
   "findingCriteria": { 
      "criterion": { 
         "string" : { 
            "eq": [ "string" ],
            "equals": [ "string" ],
            "greaterThan": number,
            "greaterThanOrEqual": number,
            "gt": number,
            "gte": number,
            "lessThan": number,
            "lessThanOrEqual": number,
            "lt": number,
            "lte": number,
            "neq": [ "string" ],
            "notEquals": [ "string" ]
         }
      }
   },
   "name": "string",
   "rank": number,
   "tags": { 
      "string" : "string" 
   }
}

URI Request Parameters

The request uses the following URI parameters.

detectorId

The detector ID associated with the GuardDuty account for which you want to create a filter.

To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.

Length Constraints: Minimum length of 1. Maximum length of 300.

Required: Yes

Request Body

The request accepts the following data in JSON format.

action

Specifies the action that is to be applied to the findings that match the filter.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 300.

Valid Values: NOOP | ARCHIVE

Required: No

clientToken

The idempotency token for the create request.

Type: String

Length Constraints: Minimum length of 0. Maximum length of 64.

Required: No

description

The description of the filter. Valid characters include alphanumeric characters, and special characters such as hyphen, period, colon, underscore, parentheses ({ }, [ ], and ( )), forward slash, horizontal tab, vertical tab, newline, form feed, return, and whitespace.

Type: String

Length Constraints: Minimum length of 0. Maximum length of 512.

Required: No

findingCriteria

Represents the criteria to be used in the filter for querying findings.

You can only use the following attributes to query findings:

• accountId

• id

• region

• severity

  To filter on the basis of severity, the API and AWS CLI use the following input list for the FindingCriteria condition:

  • Low: ["1", "2", "3"]

  • Medium: ["4", "5", "6"]

  • High: ["7", "8", "9"]

  For more information, see Severity levels for GuardDuty findings.

• type

• updatedAt

  Type: ISO 8601 string format: YYYY-MM-DDTHH:MM:SS.SSSZ or YYYY-MM-DDTHH:MM:SSZ depending on whether the value contains milliseconds.

• resource.accessKeyDetails.accessKeyId

• resource.accessKeyDetails.principalId

• resource.accessKeyDetails.userName

• resource.accessKeyDetails.userType

• resource.instanceDetails.iamInstanceProfile.id

• resource.instanceDetails.imageId

• resource.instanceDetails.instanceId

• resource.instanceDetails.tags.key

• resource.instanceDetails.tags.value

• resource.instanceDetails.networkInterfaces.ipv6Addresses

• resource.instanceDetails.networkInterfaces.privateIpAddresses.privateIpAddress

• resource.instanceDetails.networkInterfaces.publicDnsName

• resource.instanceDetails.networkInterfaces.publicIp

• resource.instanceDetails.networkInterfaces.securityGroups.groupId

• resource.instanceDetails.networkInterfaces.securityGroups.groupName

• resource.instanceDetails.networkInterfaces.subnetId

• resource.instanceDetails.networkInterfaces.vpcId

• resource.instanceDetails.outpostArn

• resource.resourceType

• resource.s3BucketDetails.publicAccess.effectivePermissions

• resource.s3BucketDetails.name

• resource.s3BucketDetails.tags.key

• resource.s3BucketDetails.tags.value

• resource.s3BucketDetails.type

• service.action.actionType

• service.action.awsApiCallAction.api

• service.action.awsApiCallAction.callerType

• service.action.awsApiCallAction.errorCode

• service.action.awsApiCallAction.remoteIpDetails.city.cityName

• service.action.awsApiCallAction.remoteIpDetails.country.countryName

• service.action.awsApiCallAction.remoteIpDetails.ipAddressV4

• service.action.awsApiCallAction.remoteIpDetails.ipAddressV6

• service.action.awsApiCallAction.remoteIpDetails.organization.asn

• service.action.awsApiCallAction.remoteIpDetails.organization.asnOrg

• service.action.awsApiCallAction.serviceName

• service.action.dnsRequestAction.domain

• service.action.dnsRequestAction.domainWithSuffix

• service.action.networkConnectionAction.blocked

• service.action.networkConnectionAction.connectionDirection

• service.action.networkConnectionAction.localPortDetails.port

• service.action.networkConnectionAction.protocol

• service.action.networkConnectionAction.remoteIpDetails.city.cityName

• service.action.networkConnectionAction.remoteIpDetails.country.countryName

• service.action.networkConnectionAction.remoteIpDetails.ipAddressV4

• service.action.networkConnectionAction.remoteIpDetails.ipAddressV6

• service.action.networkConnectionAction.remoteIpDetails.organization.asn

• service.action.networkConnectionAction.remoteIpDetails.organization.asnOrg

• service.action.networkConnectionAction.remotePortDetails.port

• service.action.awsApiCallAction.remoteAccountDetails.affiliated

• service.action.kubernetesApiCallAction.remoteIpDetails.ipAddressV4

• service.action.kubernetesApiCallAction.remoteIpDetails.ipAddressV6

• service.action.kubernetesApiCallAction.namespace

• service.action.kubernetesApiCallAction.remoteIpDetails.organization.asn

• service.action.kubernetesApiCallAction.requestUri

• service.action.kubernetesApiCallAction.statusCode

• service.action.networkConnectionAction.localIpDetails.ipAddressV4

• service.action.networkConnectionAction.localIpDetails.ipAddressV6

• service.action.networkConnectionAction.protocol

• service.action.awsApiCallAction.serviceName

• service.action.awsApiCallAction.remoteAccountDetails.accountId

• service.additionalInfo.threatListName

• service.resourceRole

• resource.eksClusterDetails.name

• resource.kubernetesDetails.kubernetesWorkloadDetails.name

• resource.kubernetesDetails.kubernetesWorkloadDetails.namespace

• resource.kubernetesDetails.kubernetesUserDetails.username

• resource.kubernetesDetails.kubernetesWorkloadDetails.containers.image

• resource.kubernetesDetails.kubernetesWorkloadDetails.containers.imagePrefix

• service.ebsVolumeScanDetails.scanId

• service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.name

• service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.severity

• service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.filePaths.hash

• resource.ecsClusterDetails.name

• resource.ecsClusterDetails.taskDetails.containers.image

• resource.ecsClusterDetails.taskDetails.definitionArn

• resource.containerDetails.image

• resource.rdsDbInstanceDetails.dbInstanceIdentifier

• resource.rdsDbInstanceDetails.dbClusterIdentifier

• resource.rdsDbInstanceDetails.engine

• resource.rdsDbUserDetails.user

• resource.rdsDbInstanceDetails.tags.key

• resource.rdsDbInstanceDetails.tags.value

• service.runtimeDetails.process.executableSha256

• service.runtimeDetails.process.name

• service.runtimeDetails.process.name

• resource.lambdaDetails.functionName

• resource.lambdaDetails.functionArn

• resource.lambdaDetails.tags.key

• resource.lambdaDetails.tags.value

Type: FindingCriteria object

Required: Yes

name

The name of the filter. Valid characters include period (.), underscore (_), dash (-), and alphanumeric characters. A whitespace is considered to be an invalid character.

Type: String

Length Constraints: Minimum length of 3. Maximum length of 64.

Required: Yes

rank

Specifies the position of the filter in the list of current filters. Also specifies the order in which this filter is applied to the findings.

Type: Integer

Valid Range: Minimum value of 1. Maximum value of 100.

Required: No

tags

The tags to be added to a new filter resource.

Type: String to string map

Map Entries: Maximum number of 200 items.

Key Length Constraints: Minimum length of 1. Maximum length of 128.

Key Pattern: ^(?!aws:)[a-zA-Z+-=._:/]+$

Value Length Constraints: Maximum length of 256.

Required: No

Response Syntax

HTTP/1.1 200
Content-type: application/json

{
   "name": "string"
}

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

name

The name of the successfully created filter.

Type: String

Length Constraints: Minimum length of 3. Maximum length of 64.

Errors

For information about the errors that are common to all actions, see Common Errors.

BadRequestException

A bad request exception object.

HTTP Status Code: 400

InternalServerErrorException

An internal server error exception object.

HTTP Status Code: 500

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface

• AWS SDK for .NET

• AWS SDK for C++

• AWS SDK for Go v2

• AWS SDK for Java V2

• AWS SDK for JavaScript V3

• AWS SDK for PHP V3

• AWS SDK for Python

• AWS SDK for Ruby V3