Create Filter

guardduty_create_filter R Documentation

Creates a filter using the specified finding criteria

Description

Creates a filter using the specified finding criteria. The maximum number of saved filters per Amazon Web Services account per Region is 100. For more information, see Quotas for GuardDuty.

Usage

guardduty_create_filter(DetectorId, Name, Description, Action, Rank,
  FindingCriteria, ClientToken, Tags)

Arguments

DetectorId

[required] The ID of the detector belonging to the GuardDuty account that you want to create a filter for.

Name

[required] The name of the filter. Valid characters include period (.), underscore (_), dash (-), and alphanumeric characters. A whitespace is considered to be an invalid character.

Description

The description of the filter. Valid characters include alphanumeric characters, and special characters such as hyphen, period, colon, underscore, parentheses ({ }, [ ], and ( )), forward slash, horizontal tab, vertical tab, newline, form feed, return, and whitespace.

Action

Specifies the action that is to be applied to the findings that match the filter.

Rank

Specifies the position of the filter in the list of current filters. Also specifies the order in which this filter is applied to the findings.

FindingCriteria

[required] Represents the criteria to be used in the filter for querying findings.

You can only use the following attributes to query findings:

  • accountId

  • id

  • region

  • severity

    To filter on the basis of severity, the API and CLI use the following input list for the FindingCriteria condition:

    • Low: ["1", "2", "3"]

    • Medium: ["4", "5", "6"]

    • High: ["7", "8", "9"]

    For more information, see Severity levels for GuardDuty findings.

  • type

  • updatedAt

    Type: ISO 8601 string format: YYYY-MM-DDTHH:MM:SS.SSSZ or YYYY-MM-DDTHH:MM:SSZ depending on whether the value contains milliseconds.

  • resource.accessKeyDetails.accessKeyId

  • resource.accessKeyDetails.principalId

  • resource.accessKeyDetails.userName

  • resource.accessKeyDetails.userType

  • resource.instanceDetails.iamInstanceProfile.id

  • resource.instanceDetails.imageId

  • resource.instanceDetails.instanceId

  • resource.instanceDetails.tags.key

  • resource.instanceDetails.tags.value

  • resource.instanceDetails.networkInterfaces.ipv6Addresses

  • resource.instanceDetails.networkInterfaces.privateIpAddresses.privateIpAddress

  • resource.instanceDetails.networkInterfaces.publicDnsName

  • resource.instanceDetails.networkInterfaces.publicIp

  • resource.instanceDetails.networkInterfaces.securityGroups.groupId

  • resource.instanceDetails.networkInterfaces.securityGroups.groupName

  • resource.instanceDetails.networkInterfaces.subnetId

  • resource.instanceDetails.networkInterfaces.vpcId

  • resource.instanceDetails.outpostArn

  • resource.resourceType

  • resource.s3BucketDetails.publicAccess.effectivePermissions

  • resource.s3BucketDetails.name

  • resource.s3BucketDetails.tags.key

  • resource.s3BucketDetails.tags.value

  • resource.s3BucketDetails.type

  • service.action.actionType

  • service.action.awsApiCallAction.api

  • service.action.awsApiCallAction.callerType

  • service.action.awsApiCallAction.errorCode

  • service.action.awsApiCallAction.remoteIpDetails.city.cityName

  • service.action.awsApiCallAction.remoteIpDetails.country.countryName

  • service.action.awsApiCallAction.remoteIpDetails.ipAddressV4

  • service.action.awsApiCallAction.remoteIpDetails.ipAddressV6

  • service.action.awsApiCallAction.remoteIpDetails.organization.asn

  • service.action.awsApiCallAction.remoteIpDetails.organization.asnOrg

  • service.action.awsApiCallAction.serviceName

  • service.action.dnsRequestAction.domain

  • service.action.dnsRequestAction.domainWithSuffix

  • service.action.networkConnectionAction.blocked

  • service.action.networkConnectionAction.connectionDirection

  • service.action.networkConnectionAction.localPortDetails.port

  • service.action.networkConnectionAction.protocol

  • service.action.networkConnectionAction.remoteIpDetails.city.cityName

  • service.action.networkConnectionAction.remoteIpDetails.country.countryName

  • service.action.networkConnectionAction.remoteIpDetails.ipAddressV4

  • service.action.networkConnectionAction.remoteIpDetails.ipAddressV6

  • service.action.networkConnectionAction.remoteIpDetails.organization.asn

  • service.action.networkConnectionAction.remoteIpDetails.organization.asnOrg

  • service.action.networkConnectionAction.remotePortDetails.port

  • service.action.awsApiCallAction.remoteAccountDetails.affiliated

  • service.action.kubernetesApiCallAction.remoteIpDetails.ipAddressV4

  • service.action.kubernetesApiCallAction.remoteIpDetails.ipAddressV6

  • service.action.kubernetesApiCallAction.namespace

  • service.action.kubernetesApiCallAction.remoteIpDetails.organization.asn

  • service.action.kubernetesApiCallAction.requestUri

  • service.action.kubernetesApiCallAction.statusCode

  • service.action.networkConnectionAction.localIpDetails.ipAddressV4

  • service.action.networkConnectionAction.localIpDetails.ipAddressV6

  • service.action.networkConnectionAction.protocol

  • service.action.awsApiCallAction.serviceName

  • service.action.awsApiCallAction.remoteAccountDetails.accountId

  • service.additionalInfo.threatListName

  • service.resourceRole

  • resource.eksClusterDetails.name

  • resource.kubernetesDetails.kubernetesWorkloadDetails.name

  • resource.kubernetesDetails.kubernetesWorkloadDetails.namespace

  • resource.kubernetesDetails.kubernetesUserDetails.username

  • resource.kubernetesDetails.kubernetesWorkloadDetails.containers.image

  • resource.kubernetesDetails.kubernetesWorkloadDetails.containers.imagePrefix

  • service.ebsVolumeScanDetails.scanId

  • service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.name

  • service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.severity

  • service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.filePaths.hash

  • resource.ecsClusterDetails.name

  • resource.ecsClusterDetails.taskDetails.containers.image

  • resource.ecsClusterDetails.taskDetails.definitionArn

  • resource.containerDetails.image

  • resource.rdsDbInstanceDetails.dbInstanceIdentifier

  • resource.rdsDbInstanceDetails.dbClusterIdentifier

  • resource.rdsDbInstanceDetails.engine

  • resource.rdsDbUserDetails.user

  • resource.rdsDbInstanceDetails.tags.key

  • resource.rdsDbInstanceDetails.tags.value

  • service.runtimeDetails.process.executableSha256

  • service.runtimeDetails.process.name

  • resource.lambdaDetails.functionName

  • resource.lambdaDetails.functionArn

  • resource.lambdaDetails.tags.key

  • resource.lambdaDetails.tags.value

ClientToken

The idempotency token for the create request.

Tags

The tags to be added to a new filter resource.

Value

A list with the following syntax:

list(
  Name = "string"
)

Request syntax

svc$create_filter(
  DetectorId = "string",
  Name = "string",
  Description = "string",
  Action = "NOOP"|"ARCHIVE",
  Rank = 123,
  FindingCriteria = list(
    Criterion = list(
      list(
        Eq = list(
          "string"
        ),
        Neq = list(
          "string"
        ),
        Gt = 123,
        Gte = 123,
        Lt = 123,
        Lte = 123,
        Equals = list(
          "string"
        ),
        NotEquals = list(
          "string"
        ),
        GreaterThan = 123,
        GreaterThanOrEqual = 123,
        LessThan = 123,
        LessThanOrEqual = 123
      )
    )
  ),
  ClientToken = "string",
  Tags = list(
    "string"
  )
)
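A worked call, added here as an example and not taken from the paws documentation: it creates a narrowly scoped suppression filter, then reads it back to confirm what was stored. The region, the tag key/value Purpose=vuln-scanner, the filter name and the client token are constructed assumptions; the credentials are assumed to allow guardduty:ListDetectors, guardduty:CreateFilter and guardduty:GetFilter.

```r
library(paws)

# Added example, not from the paws documentation. Assumes a GuardDuty
# detector is already enabled in the Region and that the organisation's
# authorised vulnerability scanners carry the tag Purpose=vuln-scanner
# (constructed sample values; adjust to your own tagging scheme).
svc <- paws::guardduty(config = list(region = "us-east-1"))

# A Region holds at most one detector; take the first ID returned.
detector_id <- svc$list_detectors()$DetectorIds[[1]]

# Criterion is a map keyed by finding attribute name (see the list in the
# FindingCriteria argument above); paws represents a map as a named list.
# All conditions must hold. Severity uses the API's string list for "Low".
criteria <- list(
  Criterion = list(
    severity = list(Equals = list("1", "2", "3")),
    type = list(Equals = list("Recon:EC2/Portscan")),
    `resource.instanceDetails.tags.key` = list(Equals = list("Purpose")),
    `resource.instanceDetails.tags.value` = list(Equals = list("vuln-scanner"))
  )
)

# Name: alphanumerics, ".", "_" and "-" only; whitespace is rejected.
# Rank = 1 places the filter first in the list of current filters.
# ClientToken: resend the same token to make a retried call idempotent.
created <- svc$create_filter(
  DetectorId = detector_id,
  Name = "archive-low-sev-portscan-from-scanner",
  Description = "Auto-archive low-severity port scans from tagged scanners",
  Action = "ARCHIVE",
  Rank = 1,
  FindingCriteria = criteria,
  ClientToken = "constructed-example-token-0001"
)

# Read the filter back and check that the stored action and the set of
# attribute names match what was sent before relying on it.
stored <- svc$get_filter(DetectorId = detector_id, FilterName = created$Name)
stopifnot(identical(stored$Action, "ARCHIVE"))
stopifnot(setequal(names(stored$FindingCriteria$Criterion),
                   names(criteria$Criterion)))
```

ARCHIVE automatically archives every finding that matches, so keep an archiving filter's criteria as narrow as the available attributes allow; NOOP stores the same criteria as a saved filter without suppressing anything.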