Create Filter
guardduty_create_filter | R Documentation |
Creates a filter using the specified finding criteria¶
Description¶
Creates a filter using the specified finding criteria. The maximum number of saved filters per Amazon Web Services account per Region is 100. For more information, see Quotas for GuardDuty.
Usage¶
guardduty_create_filter(DetectorId, Name, Description, Action, Rank,
FindingCriteria, ClientToken, Tags)
Arguments¶
DetectorId
[required] The ID of the detector belonging to the GuardDuty account that you want to create a filter for.
Name
[required] The name of the filter. Valid characters include period (.), underscore (_), dash (-), and alphanumeric characters. A whitespace is considered to be an invalid character.
Description
The description of the filter. Valid characters include alphanumeric characters, and special characters such as hyphen, period, colon, underscore, parentheses (
{ }
,[ ]
, and( )
), forward slash, horizontal tab, vertical tab, newline, form feed, return, and whitespace.[ ]: R:%20
Action
Specifies the action that is to be applied to the findings that match the filter.
Rank
Specifies the position of the filter in the list of current filters. Also specifies the order in which this filter is applied to the findings.
FindingCriteria
[required] Represents the criteria to be used in the filter for querying findings.
You can only use the following attributes to query findings:
accountId
id
region
severity
To filter on the basis of severity, the API and CLI use the following input list for the FindingCriteria condition:
Low:
["1", "2", "3"]
Medium:
["4", "5", "6"]
High:
["7", "8", "9"]
For more information, see Severity levels for GuardDuty findings.
type
updatedAt
Type: ISO 8601 string format: YYYY-MM-DDTHH:MM:SS.SSSZ or YYYY-MM-DDTHH:MM:SSZ depending on whether the value contains milliseconds.
resource.accessKeyDetails.accessKeyId
resource.accessKeyDetails.principalId
resource.accessKeyDetails.userName
resource.accessKeyDetails.userType
resource.instanceDetails.iamInstanceProfile.id
resource.instanceDetails.imageId
resource.instanceDetails.instanceId
resource.instanceDetails.tags.key
resource.instanceDetails.tags.value
resource.instanceDetails.networkInterfaces.ipv6Addresses
resource.instanceDetails.networkInterfaces.privateIpAddresses.privateIpAddress
resource.instanceDetails.networkInterfaces.publicDnsName
resource.instanceDetails.networkInterfaces.publicIp
resource.instanceDetails.networkInterfaces.securityGroups.groupId
resource.instanceDetails.networkInterfaces.securityGroups.groupName
resource.instanceDetails.networkInterfaces.subnetId
resource.instanceDetails.networkInterfaces.vpcId
resource.instanceDetails.outpostArn
resource.resourceType
resource.s3BucketDetails.publicAccess.effectivePermissions
resource.s3BucketDetails.name
resource.s3BucketDetails.tags.key
resource.s3BucketDetails.tags.value
resource.s3BucketDetails.type
service.action.actionType
service.action.awsApiCallAction.api
service.action.awsApiCallAction.callerType
service.action.awsApiCallAction.errorCode
service.action.awsApiCallAction.remoteIpDetails.city.cityName
service.action.awsApiCallAction.remoteIpDetails.country.countryName
service.action.awsApiCallAction.remoteIpDetails.ipAddressV4
service.action.awsApiCallAction.remoteIpDetails.ipAddressV6
service.action.awsApiCallAction.remoteIpDetails.organization.asn
service.action.awsApiCallAction.remoteIpDetails.organization.asnOrg
service.action.awsApiCallAction.serviceName
service.action.dnsRequestAction.domain
service.action.dnsRequestAction.domainWithSuffix
service.action.networkConnectionAction.blocked
service.action.networkConnectionAction.connectionDirection
service.action.networkConnectionAction.localPortDetails.port
service.action.networkConnectionAction.protocol
service.action.networkConnectionAction.remoteIpDetails.city.cityName
service.action.networkConnectionAction.remoteIpDetails.country.countryName
service.action.networkConnectionAction.remoteIpDetails.ipAddressV4
service.action.networkConnectionAction.remoteIpDetails.ipAddressV6
service.action.networkConnectionAction.remoteIpDetails.organization.asn
service.action.networkConnectionAction.remoteIpDetails.organization.asnOrg
service.action.networkConnectionAction.remotePortDetails.port
service.action.awsApiCallAction.remoteAccountDetails.affiliated
service.action.kubernetesApiCallAction.remoteIpDetails.ipAddressV4
service.action.kubernetesApiCallAction.remoteIpDetails.ipAddressV6
service.action.kubernetesApiCallAction.namespace
service.action.kubernetesApiCallAction.remoteIpDetails.organization.asn
service.action.kubernetesApiCallAction.requestUri
service.action.kubernetesApiCallAction.statusCode
service.action.networkConnectionAction.localIpDetails.ipAddressV4
service.action.networkConnectionAction.localIpDetails.ipAddressV6
service.action.networkConnectionAction.protocol
service.action.awsApiCallAction.serviceName
service.action.awsApiCallAction.remoteAccountDetails.accountId
service.additionalInfo.threatListName
service.resourceRole
resource.eksClusterDetails.name
resource.kubernetesDetails.kubernetesWorkloadDetails.name
resource.kubernetesDetails.kubernetesWorkloadDetails.namespace
resource.kubernetesDetails.kubernetesUserDetails.username
resource.kubernetesDetails.kubernetesWorkloadDetails.containers.image
resource.kubernetesDetails.kubernetesWorkloadDetails.containers.imagePrefix
service.ebsVolumeScanDetails.scanId
service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.name
service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.severity
service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.filePaths.hash
resource.ecsClusterDetails.name
resource.ecsClusterDetails.taskDetails.containers.image
resource.ecsClusterDetails.taskDetails.definitionArn
resource.containerDetails.image
resource.rdsDbInstanceDetails.dbInstanceIdentifier
resource.rdsDbInstanceDetails.dbClusterIdentifier
resource.rdsDbInstanceDetails.engine
resource.rdsDbUserDetails.user
resource.rdsDbInstanceDetails.tags.key
resource.rdsDbInstanceDetails.tags.value
service.runtimeDetails.process.executableSha256
service.runtimeDetails.process.name
service.runtimeDetails.process.name
resource.lambdaDetails.functionName
resource.lambdaDetails.functionArn
resource.lambdaDetails.tags.key
resource.lambdaDetails.tags.value
ClientToken
The idempotency token for the create request.
Tags
The tags to be added to a new filter resource.
Value¶
A list with the following syntax:
Request syntax¶
svc$create_filter(
DetectorId = "string",
Name = "string",
Description = "string",
Action = "NOOP"|"ARCHIVE",
Rank = 123,
FindingCriteria = list(
Criterion = list(
list(
Eq = list(
"string"
),
Neq = list(
"string"
),
Gt = 123,
Gte = 123,
Lt = 123,
Lte = 123,
Equals = list(
"string"
),
NotEquals = list(
"string"
),
GreaterThan = 123,
GreaterThanOrEqual = 123,
LessThan = 123,
LessThanOrEqual = 123
)
)
),
ClientToken = "string",
Tags = list(
"string"
)
)