create_filter

GuardDuty.Client.create_filter(**kwargs)

Creates a filter using the specified finding criteria. The maximum number of saved filters per Amazon Web Services account per Region is 100. For more information, see Quotas for GuardDuty.

See also: AWS API Documentation

Request Syntax

response = client.create_filter(
    DetectorId='string',
    Name='string',
    Description='string',
    Action='NOOP'|'ARCHIVE',
    Rank=123,
    FindingCriteria={
        'Criterion': {
            'string': {
                'Eq': [
                    'string',
                ],
                'Neq': [
                    'string',
                ],
                'Gt': 123,
                'Gte': 123,
                'Lt': 123,
                'Lte': 123,
                'Equals': [
                    'string',
                ],
                'NotEquals': [
                    'string',
                ],
                'GreaterThan': 123,
                'GreaterThanOrEqual': 123,
                'LessThan': 123,
                'LessThanOrEqual': 123
            }
        }
    },
    ClientToken='string',
    Tags={
        'string': 'string'
    }
)
Parameters
  • DetectorId (string) --

    [REQUIRED]

    The ID of the detector belonging to the GuardDuty account that you want to create a filter for.

  • Name (string) --

    [REQUIRED]

    The name of the filter. Valid characters are alphanumerics, period (.), underscore (_), and dash (-); whitespace of any kind is not a valid character.

  • Description (string) -- The description of the filter. Valid characters include alphanumeric characters, and special characters such as hyphen, period, colon, underscore, braces, brackets and parentheses ({ }, [ ], and ( )), forward slash, horizontal tab, vertical tab, newline, form feed, carriage return, and whitespace.
  • Action (string) -- Specifies the action that is to be applied to the findings that match the filter.
  • Rank (integer) -- Specifies the position of the filter in the list of current filters. Also specifies the order in which this filter is applied to the findings.
  • FindingCriteria (dict) --

    [REQUIRED]

    Represents the criteria to be used in the filter for querying findings.

    You can only use the following attributes to query findings:

    • accountId
    • region
    • id
    • resource.accessKeyDetails.accessKeyId
    • resource.accessKeyDetails.principalId
    • resource.accessKeyDetails.userName
    • resource.accessKeyDetails.userType
    • resource.instanceDetails.iamInstanceProfile.id
    • resource.instanceDetails.imageId
    • resource.instanceDetails.instanceId
    • resource.instanceDetails.outpostArn
    • resource.instanceDetails.networkInterfaces.ipv6Addresses
    • resource.instanceDetails.networkInterfaces.privateIpAddresses.privateIpAddress
    • resource.instanceDetails.networkInterfaces.publicDnsName
    • resource.instanceDetails.networkInterfaces.publicIp
    • resource.instanceDetails.networkInterfaces.securityGroups.groupId
    • resource.instanceDetails.networkInterfaces.securityGroups.groupName
    • resource.instanceDetails.networkInterfaces.subnetId
    • resource.instanceDetails.networkInterfaces.vpcId
    • resource.instanceDetails.tags.key
    • resource.instanceDetails.tags.value
    • resource.resourceType
    • service.action.actionType
    • service.action.awsApiCallAction.api
    • service.action.awsApiCallAction.callerType
    • service.action.awsApiCallAction.errorCode
    • service.action.awsApiCallAction.userAgent
    • service.action.awsApiCallAction.remoteIpDetails.city.cityName
    • service.action.awsApiCallAction.remoteIpDetails.country.countryName
    • service.action.awsApiCallAction.remoteIpDetails.ipAddressV4
    • service.action.awsApiCallAction.remoteIpDetails.organization.asn
    • service.action.awsApiCallAction.remoteIpDetails.organization.asnOrg
    • service.action.awsApiCallAction.serviceName
    • service.action.dnsRequestAction.domain
    • service.action.networkConnectionAction.blocked
    • service.action.networkConnectionAction.connectionDirection
    • service.action.networkConnectionAction.localPortDetails.port
    • service.action.networkConnectionAction.protocol
    • service.action.networkConnectionAction.localIpDetails.ipAddressV4
    • service.action.networkConnectionAction.remoteIpDetails.city.cityName
    • service.action.networkConnectionAction.remoteIpDetails.country.countryName
    • service.action.networkConnectionAction.remoteIpDetails.ipAddressV4
    • service.action.networkConnectionAction.remoteIpDetails.organization.asn
    • service.action.networkConnectionAction.remoteIpDetails.organization.asnOrg
    • service.action.networkConnectionAction.remotePortDetails.port
    • service.additionalInfo.threatListName
    • resource.s3BucketDetails.publicAccess.effectivePermissions
    • resource.s3BucketDetails.name
    • resource.s3BucketDetails.tags.key
    • resource.s3BucketDetails.tags.value
    • resource.s3BucketDetails.type
    • service.resourceRole
    • severity
    • type
    • updatedAt (type: ISO 8601 string in the format YYYY-MM-DDTHH:MM:SS.SSSZ or YYYY-MM-DDTHH:MM:SSZ, depending on whether the value contains milliseconds)
    • Criterion (dict) --

      Represents a map of finding properties that match specified conditions and values when querying findings.

      • (string) --
        • (dict) --

          Contains information about the condition.

          • Eq (list) --

            Represents the equal condition to be applied to a single field when querying for findings.

            • (string) --
          • Neq (list) --

            Represents the not equal condition to be applied to a single field when querying for findings.

            • (string) --
          • Gt (integer) --

            Represents a greater than condition to be applied to a single field when querying for findings.

          • Gte (integer) --

            Represents a greater than or equal condition to be applied to a single field when querying for findings.

          • Lt (integer) --

            Represents a less than condition to be applied to a single field when querying for findings.

          • Lte (integer) --

            Represents a less than or equal condition to be applied to a single field when querying for findings.

          • Equals (list) --

            Represents an equal condition to be applied to a single field when querying for findings.

            • (string) --
          • NotEquals (list) --

            Represents a not equal condition to be applied to a single field when querying for findings.

            • (string) --
          • GreaterThan (integer) --

            Represents a greater than condition to be applied to a single field when querying for findings.

          • GreaterThanOrEqual (integer) --

            Represents a greater than or equal condition to be applied to a single field when querying for findings.

          • LessThan (integer) --

            Represents a less than condition to be applied to a single field when querying for findings.

          • LessThanOrEqual (integer) --

            Represents a less than or equal condition to be applied to a single field when querying for findings.

  • ClientToken (string) --

    The idempotency token for the create request.

    This field is autopopulated if not provided.

  • Tags (dict) --

    The tags to be added to a new filter resource.

    • (string) --
      • (string) --
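The following is an added example, not code from boto3 or from the GuardDuty service, showing how the parameters above fit together in practice: it builds the kwargs for client.create_filter using the documented request shape, applies the Name and Action rules locally, and dry-runs the FindingCriteria against sample findings so that an ARCHIVE filter can be checked before it starts suppressing findings. The detector ID, finding IDs and finding documents are constructed sample data; the evaluator is a local approximation of the condition semantics (the service's own matching is authoritative), and it deliberately reproduces one property worth knowing: tags.key and tags.value are separate attributes, so nothing in a criterion ties them to the same tag.

```python
"""Build a GuardDuty create_filter request and dry-run its FindingCriteria.

Added example for the create_filter reference; not boto3/GuardDuty code.
Only the request shape documented above is assumed. All IDs, addresses
and findings below are constructed sample values.
"""
import re
from typing import Any, Optional

# Name rule from the Name parameter: alphanumerics, '.', '_', '-'; no whitespace.
_NAME_RE = re.compile(r"^[A-Za-z0-9._-]+$")

# Subset of the attributes the page lists as queryable by a filter.
QUERYABLE = {
    "accountId", "region", "id", "severity", "type", "updatedAt",
    "resource.resourceType", "resource.instanceDetails.instanceId",
    "resource.instanceDetails.tags.key", "resource.instanceDetails.tags.value",
    "service.action.actionType",
    "service.action.networkConnectionAction.remoteIpDetails.ipAddressV4",
}

# Short operator names map onto the long ones; both forms appear in the request syntax.
_LEGACY = {"Eq": "Equals", "Neq": "NotEquals", "Gt": "GreaterThan",
           "Gte": "GreaterThanOrEqual", "Lt": "LessThan", "Lte": "LessThanOrEqual"}


def build_create_filter_request(detector_id: str, name: str, criterion: dict,
                                action: str = "NOOP", rank: int = 1,
                                description: Optional[str] = None) -> dict:
    """Return kwargs for client.create_filter(**kwargs) after local sanity checks."""
    if not _NAME_RE.match(name):
        raise ValueError(f"invalid filter name {name!r}: only [A-Za-z0-9._-] allowed")
    if action not in ("NOOP", "ARCHIVE"):
        raise ValueError(f"Action must be NOOP or ARCHIVE, got {action!r}")
    unknown = set(criterion) - QUERYABLE
    if unknown:
        raise ValueError(f"attributes not queryable by filters: {sorted(unknown)}")
    request = {"DetectorId": detector_id, "Name": name, "Action": action,
               "Rank": rank, "FindingCriteria": {"Criterion": criterion}}
    if description is not None:
        request["Description"] = description
    return request


def _lookup(node: Any, parts: list) -> list:
    """Resolve a dotted attribute path in a finding. Lists fan out, so
    'resource.instanceDetails.tags.key' yields every tag key on the instance."""
    if not parts:
        return [node]
    if isinstance(node, list):
        return [v for item in node for v in _lookup(item, parts)]
    if isinstance(node, dict) and parts[0] in node:
        return _lookup(node[parts[0]], parts[1:])
    return []


def _condition_matches(values: list, cond: dict) -> bool:
    """Local approximation of one attribute's condition (all operators must hold)."""
    for op, arg in cond.items():
        op = _LEGACY.get(op, op)
        if op == "Equals":
            if not any(str(v) in arg for v in values):
                return False
        elif op == "NotEquals":
            if any(str(v) in arg for v in values):
                return False
        else:  # numeric comparisons, e.g. on severity
            nums = [v for v in values if isinstance(v, (int, float))]
            cmp = {"GreaterThan": lambda v: v > arg, "GreaterThanOrEqual": lambda v: v >= arg,
                   "LessThan": lambda v: v < arg, "LessThanOrEqual": lambda v: v <= arg}[op]
            if not any(cmp(v) for v in nums):
                return False
    return True


def finding_matches(finding: dict, criterion: dict) -> bool:
    """A finding matches when every attribute in the criterion matches (AND)."""
    return all(_condition_matches(_lookup(finding, attr.split(".")), cond)
               for attr, cond in criterion.items())


def _instance(instance_id: str, tags: list) -> dict:
    return {"resourceType": "Instance",
            "instanceDetails": {"instanceId": instance_id, "tags": tags}}


# Constructed sample findings (shape follows GuardDuty finding JSON; values invented).
SAMPLE_FINDINGS = [
    {"id": "f-001", "type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 2,
     "resource": _instance("i-0aaa", [{"key": "Environment", "value": "sandbox"}])},
    {"id": "f-002", "type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 5,
     "resource": _instance("i-0bbb", [{"key": "Environment", "value": "prod"}])},
    {"id": "f-003", "type": "UnauthorizedAccess:EC2/SSHBruteForce", "severity": 2,
     "resource": _instance("i-0aaa", [{"key": "Environment", "value": "sandbox"}])},
    # Key and value come from different tags: still matches, because the criterion
    # checks tags.key and tags.value independently.
    {"id": "f-004", "type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 1,
     "resource": _instance("i-0ccc", [{"key": "Environment", "value": "prod"},
                                      {"key": "Owner", "value": "sandbox"}])},
]

# Archive low-severity port probes against instances tagged Environment=sandbox.
SANDBOX_CRITERION = {
    "type": {"Equals": ["Recon:EC2/PortProbeUnprotectedPort"]},
    "severity": {"LessThan": 4},
    "resource.instanceDetails.tags.key": {"Equals": ["Environment"]},
    "resource.instanceDetails.tags.value": {"Equals": ["sandbox"]},
}


def dry_run(criterion: dict, findings: list = SAMPLE_FINDINGS) -> list:
    """IDs of the sample findings the criterion would act on."""
    return [f["id"] for f in findings if finding_matches(f, criterion)]


if __name__ == "__main__":
    request = build_create_filter_request(
        "12abc34d567e8fa901bc2d34e56789f0",  # constructed detector ID
        "archive-sandbox-port-probes", SANDBOX_CRITERION, action="ARCHIVE",
        description="Auto-archive low-severity port probes on sandbox instances")
    print(dry_run(SANDBOX_CRITERION))   # ['f-001', 'f-004']
    # boto3.client("guardduty").create_filter(**request)  # the real call, once the dry run looks right
```

The dry run is the point of the exercise: f-004 shows that an ARCHIVE filter keyed on tag key and tag value separately also suppresses findings where the two come from different tags, which is easy to miss when reading the criterion. Keep ARCHIVE filters narrow (type plus a severity bound plus a resource scope) and review the matched set before calling create_filter, since archived findings stop appearing in the console's default view.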
Return type

dict

Returns

Response Syntax

{
    'Name': 'string'
}

Response Structure

  • (dict) --

    • Name (string) --

      The name of the successfully created filter.

Exceptions

  • GuardDuty.Client.exceptions.BadRequestException
  • GuardDuty.Client.exceptions.InternalServerErrorException