GuardDuty / Client / create_filter
create_filter¶
- GuardDuty.Client.create_filter(**kwargs)¶
Creates a filter using the specified finding criteria. The maximum number of saved filters per Amazon Web Services account per Region is 100. For more information, see Quotas for GuardDuty.
See also: AWS API Documentation
Request Syntax
response = client.create_filter( DetectorId='string', Name='string', Description='string', Action='NOOP'|'ARCHIVE', Rank=123, FindingCriteria={ 'Criterion': { 'string': { 'Eq': [ 'string', ], 'Neq': [ 'string', ], 'Gt': 123, 'Gte': 123, 'Lt': 123, 'Lte': 123, 'Equals': [ 'string', ], 'NotEquals': [ 'string', ], 'GreaterThan': 123, 'GreaterThanOrEqual': 123, 'LessThan': 123, 'LessThanOrEqual': 123, 'Matches': [ 'string', ], 'NotMatches': [ 'string', ] } } }, ClientToken='string', Tags={ 'string': 'string' } )
- Parameters:
DetectorId (string) –
[REQUIRED]
The detector ID associated with the GuardDuty account for which you want to create a filter.
To find the
detectorIdin the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.Name (string) –
[REQUIRED]
The name of the filter. Valid characters include period (.), underscore (_), dash (-), and alphanumeric characters. A whitespace is considered to be an invalid character.
Description (string) – The description of the filter. Valid characters include alphanumeric characters, and special characters such as hyphen, period, colon, underscore, parentheses (
{ },[ ], and( )), forward slash, horizontal tab, vertical tab, newline, form feed, return, and whitespace.Action (string) –
Specifies the action that is to be applied to the findings that match the filter.
Default: NOOP
Rank (integer) – Specifies the position of the filter in the list of current filters. Also specifies the order in which this filter is applied to the findings.
FindingCriteria (dict) –
[REQUIRED]
Represents the criteria to be used in the filter for querying findings. The following fields are available for filtering:
accountId
arn
associatedAttackSequenceArn
confidence
createdAt Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
description
id
partition
region
resource.accessKeyDetails.accessKeyId
resource.accessKeyDetails.principalId
resource.accessKeyDetails.userIdentity.accessKeyId
resource.accessKeyDetails.userIdentity.accountId
resource.accessKeyDetails.userIdentity.arn
resource.accessKeyDetails.userIdentity.principalId
resource.accessKeyDetails.userIdentity.sessionContext.attributes.mfaAuthenticated
resource.accessKeyDetails.userIdentity.sessionContext.ec2RoleDelivery
resource.accessKeyDetails.userIdentity.sessionContext.invokedBy
resource.accessKeyDetails.userIdentity.sessionContext.sessionIssuer.accountId
resource.accessKeyDetails.userIdentity.sessionContext.sessionIssuer.arn
resource.accessKeyDetails.userIdentity.sessionContext.sessionIssuer.principalId
resource.accessKeyDetails.userIdentity.sessionContext.sessionIssuer.type
resource.accessKeyDetails.userIdentity.sessionContext.sessionIssuer.userName
resource.accessKeyDetails.userIdentity.sessionContext.sourceIdentity
resource.accessKeyDetails.userIdentity.sessionContext.webIdFederationData.attributes
resource.accessKeyDetails.userIdentity.sessionContext.webIdFederationData.federatedProvider
resource.accessKeyDetails.userIdentity.type
resource.accessKeyDetails.userIdentity.userName
resource.accessKeyDetails.userName
resource.accessKeyDetails.userType
resource.bedrockGuardrailDetails.guardrailArn
resource.bedrockGuardrailDetails.guardrailVersion
resource.containerDetails.containerRuntime
resource.containerDetails.id
resource.containerDetails.image
resource.containerDetails.imagePrefix
resource.containerDetails.name
resource.containerDetails.securityContext.allowPrivilegeEscalation
resource.containerDetails.securityContext.privileged
resource.containerDetails.volumeMounts.mountPath
resource.containerDetails.volumeMounts.name
resource.ebsSnapshotDetails.snapshotArn
resource.ebsVolumeDetails.scannedVolumeDetails.deviceName
resource.ebsVolumeDetails.scannedVolumeDetails.encryptionType
resource.ebsVolumeDetails.scannedVolumeDetails.kmsKeyArn
resource.ebsVolumeDetails.scannedVolumeDetails.snapshotArn
resource.ebsVolumeDetails.scannedVolumeDetails.volumeArn
resource.ebsVolumeDetails.scannedVolumeDetails.volumeSizeInGB
resource.ebsVolumeDetails.scannedVolumeDetails.volumeType
resource.ebsVolumeDetails.skippedVolumeDetails.deviceName
resource.ebsVolumeDetails.skippedVolumeDetails.encryptionType
resource.ebsVolumeDetails.skippedVolumeDetails.kmsKeyArn
resource.ebsVolumeDetails.skippedVolumeDetails.snapshotArn
resource.ebsVolumeDetails.skippedVolumeDetails.volumeArn
resource.ebsVolumeDetails.skippedVolumeDetails.volumeSizeInGB
resource.ebsVolumeDetails.skippedVolumeDetails.volumeType
resource.ec2ImageDetails.imageArn
resource.ecsClusterDetails.activeServicesCount
resource.ecsClusterDetails.arn
resource.ecsClusterDetails.name
resource.ecsClusterDetails.registeredContainerInstancesCount
resource.ecsClusterDetails.runningTasksCount
resource.ecsClusterDetails.status
resource.ecsClusterDetails.tags.key
resource.ecsClusterDetails.tags.value
resource.ecsClusterDetails.taskDetails.arn
resource.ecsClusterDetails.taskDetails.containers.containerRuntime
resource.ecsClusterDetails.taskDetails.containers.id
resource.ecsClusterDetails.taskDetails.containers.image
resource.ecsClusterDetails.taskDetails.containers.imagePrefix
resource.ecsClusterDetails.taskDetails.containers.name
resource.ecsClusterDetails.taskDetails.containers.securityContext.allowPrivilegeEscalation
resource.ecsClusterDetails.taskDetails.containers.securityContext.privileged
resource.ecsClusterDetails.taskDetails.containers.volumeMounts.mountPath
resource.ecsClusterDetails.taskDetails.containers.volumeMounts.name
resource.ecsClusterDetails.taskDetails.createdAt Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
resource.ecsClusterDetails.taskDetails.definitionArn
resource.ecsClusterDetails.taskDetails.group
resource.ecsClusterDetails.taskDetails.launchType
resource.ecsClusterDetails.taskDetails.startedAt Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
resource.ecsClusterDetails.taskDetails.startedBy
resource.ecsClusterDetails.taskDetails.tags.key
resource.ecsClusterDetails.taskDetails.tags.value
resource.ecsClusterDetails.taskDetails.version
resource.ecsClusterDetails.taskDetails.volumes.hostPath.path
resource.ecsClusterDetails.taskDetails.volumes.name
resource.eksClusterDetails.arn
resource.eksClusterDetails.createdAt Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
resource.eksClusterDetails.name
resource.eksClusterDetails.status
resource.eksClusterDetails.tags.key
resource.eksClusterDetails.tags.value
resource.eksClusterDetails.vpcId
resource.instanceDetails.availabilityZone
resource.instanceDetails.iamInstanceProfile.arn
resource.instanceDetails.iamInstanceProfile.id
resource.instanceDetails.imageDescription
resource.instanceDetails.imageId
resource.instanceDetails.instanceId
resource.instanceDetails.instanceState
resource.instanceDetails.instanceType
resource.instanceDetails.launchTime Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
resource.instanceDetails.networkInterfaces.ipv6Addresses
resource.instanceDetails.networkInterfaces.networkInterfaceId
resource.instanceDetails.networkInterfaces.privateDnsName
resource.instanceDetails.networkInterfaces.privateIpAddress
resource.instanceDetails.networkInterfaces.privateIpAddresses.privateDnsName
resource.instanceDetails.networkInterfaces.privateIpAddresses.privateIpAddress
resource.instanceDetails.networkInterfaces.publicDnsName
resource.instanceDetails.networkInterfaces.publicIp
resource.instanceDetails.networkInterfaces.securityGroups.groupId
resource.instanceDetails.networkInterfaces.securityGroups.groupName
resource.instanceDetails.networkInterfaces.subnetId
resource.instanceDetails.networkInterfaces.vpcId
resource.instanceDetails.outpostArn
resource.instanceDetails.platform
resource.instanceDetails.productCodes.productCodeId
resource.instanceDetails.productCodes.productCodeType
resource.instanceDetails.tags.key
resource.instanceDetails.tags.value
resource.kubernetesDetails.kubernetesUserDetails.groups
resource.kubernetesDetails.kubernetesUserDetails.impersonatedUser.groups
resource.kubernetesDetails.kubernetesUserDetails.impersonatedUser.username
resource.kubernetesDetails.kubernetesUserDetails.sessionName
resource.kubernetesDetails.kubernetesUserDetails.uid
resource.kubernetesDetails.kubernetesUserDetails.username
resource.kubernetesDetails.kubernetesWorkloadDetails.containers.containerRuntime
resource.kubernetesDetails.kubernetesWorkloadDetails.containers.id
resource.kubernetesDetails.kubernetesWorkloadDetails.containers.image
resource.kubernetesDetails.kubernetesWorkloadDetails.containers.imagePrefix
resource.kubernetesDetails.kubernetesWorkloadDetails.containers.name
resource.kubernetesDetails.kubernetesWorkloadDetails.containers.securityContext.allowPrivilegeEscalation
resource.kubernetesDetails.kubernetesWorkloadDetails.containers.securityContext.privileged
resource.kubernetesDetails.kubernetesWorkloadDetails.containers.volumeMounts.mountPath
resource.kubernetesDetails.kubernetesWorkloadDetails.containers.volumeMounts.name
resource.kubernetesDetails.kubernetesWorkloadDetails.hostIpc
resource.kubernetesDetails.kubernetesWorkloadDetails.hostNetwork
resource.kubernetesDetails.kubernetesWorkloadDetails.hostPid
resource.kubernetesDetails.kubernetesWorkloadDetails.name
resource.kubernetesDetails.kubernetesWorkloadDetails.namespace
resource.kubernetesDetails.kubernetesWorkloadDetails.serviceAccountName
resource.kubernetesDetails.kubernetesWorkloadDetails.type
resource.kubernetesDetails.kubernetesWorkloadDetails.uid
resource.kubernetesDetails.kubernetesWorkloadDetails.volumes.hostPath.path
resource.kubernetesDetails.kubernetesWorkloadDetails.volumes.name
resource.lambdaDetails.description
resource.lambdaDetails.functionArn
resource.lambdaDetails.functionName
resource.lambdaDetails.functionVersion
resource.lambdaDetails.lastModifiedAt Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
resource.lambdaDetails.revisionId
resource.lambdaDetails.role
resource.lambdaDetails.tags.key
resource.lambdaDetails.tags.value
resource.lambdaDetails.vpcConfig.securityGroups.groupId
resource.lambdaDetails.vpcConfig.securityGroups.groupName
resource.lambdaDetails.vpcConfig.subnetIds
resource.lambdaDetails.vpcConfig.vpcId
resource.rdsDbInstanceDetails.dbClusterIdentifier
resource.rdsDbInstanceDetails.dbInstanceArn
resource.rdsDbInstanceDetails.dbInstanceIdentifier
resource.rdsDbInstanceDetails.dbSecurityGroups.name
resource.rdsDbInstanceDetails.dbSecurityGroups.status
resource.rdsDbInstanceDetails.dbiResourceId
resource.rdsDbInstanceDetails.engine
resource.rdsDbInstanceDetails.engineVersion
resource.rdsDbInstanceDetails.iamDatabaseAuthenticationEnabled
resource.rdsDbInstanceDetails.publiclyAccessible
resource.rdsDbInstanceDetails.tags.key
resource.rdsDbInstanceDetails.tags.value
resource.rdsDbInstanceDetails.vpcId
resource.rdsDbInstanceDetails.vpcSecurityGroups.status
resource.rdsDbInstanceDetails.vpcSecurityGroups.vpcSecurityGroupId
resource.rdsDbUserDetails.application
resource.rdsDbUserDetails.authMethod
resource.rdsDbUserDetails.database
resource.rdsDbUserDetails.ssl
resource.rdsDbUserDetails.user
resource.rdsLimitlessDbDetails.dbClusterIdentifier
resource.rdsLimitlessDbDetails.dbShardGroupArn
resource.rdsLimitlessDbDetails.dbShardGroupIdentifier
resource.rdsLimitlessDbDetails.dbShardGroupResourceId
resource.rdsLimitlessDbDetails.engine
resource.rdsLimitlessDbDetails.engineVersion
resource.rdsLimitlessDbDetails.tags.key
resource.rdsLimitlessDbDetails.tags.value
resource.recoveryPointDetails.backupVaultName
resource.recoveryPointDetails.recoveryPointArn
resource.resourceType
resource.s3BucketDetails.arn
resource.s3BucketDetails.createdAt Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
resource.s3BucketDetails.defaultServerSideEncryption.encryptionType
resource.s3BucketDetails.defaultServerSideEncryption.kmsMasterKeyArn
resource.s3BucketDetails.name
resource.s3BucketDetails.owner.id
resource.s3BucketDetails.publicAccess.effectivePermission
resource.s3BucketDetails.publicAccess.permissionConfiguration.accountLevelPermissions.blockPublicAccess.blockPublicAcls
resource.s3BucketDetails.publicAccess.permissionConfiguration.accountLevelPermissions.blockPublicAccess.blockPublicPolicy
resource.s3BucketDetails.publicAccess.permissionConfiguration.accountLevelPermissions.blockPublicAccess.ignorePublicAcls
resource.s3BucketDetails.publicAccess.permissionConfiguration.accountLevelPermissions.blockPublicAccess.restrictPublicBuckets
resource.s3BucketDetails.publicAccess.permissionConfiguration.bucketLevelPermissions.accessControlList.allowsPublicReadAccess
resource.s3BucketDetails.publicAccess.permissionConfiguration.bucketLevelPermissions.accessControlList.allowsPublicWriteAccess
resource.s3BucketDetails.publicAccess.permissionConfiguration.bucketLevelPermissions.blockPublicAccess.blockPublicAcls
resource.s3BucketDetails.publicAccess.permissionConfiguration.bucketLevelPermissions.blockPublicAccess.blockPublicPolicy
resource.s3BucketDetails.publicAccess.permissionConfiguration.bucketLevelPermissions.blockPublicAccess.ignorePublicAcls
resource.s3BucketDetails.publicAccess.permissionConfiguration.bucketLevelPermissions.blockPublicAccess.restrictPublicBuckets
resource.s3BucketDetails.publicAccess.permissionConfiguration.bucketLevelPermissions.bucketPolicy.allowsPublicReadAccess
resource.s3BucketDetails.publicAccess.permissionConfiguration.bucketLevelPermissions.bucketPolicy.allowsPublicWriteAccess
resource.s3BucketDetails.s3ObjectDetails.eTag
resource.s3BucketDetails.s3ObjectDetails.hash
resource.s3BucketDetails.s3ObjectDetails.key
resource.s3BucketDetails.s3ObjectDetails.objectArn
resource.s3BucketDetails.s3ObjectDetails.versionId
resource.s3BucketDetails.tags.key
resource.s3BucketDetails.tags.value
resource.s3BucketDetails.type
schemaVersion
service.action.actionType
service.action.awsApiCallAction.affectedResources
service.action.awsApiCallAction.api
service.action.awsApiCallAction.callerType
service.action.awsApiCallAction.domainDetails.domain
service.action.awsApiCallAction.errorCode
service.action.awsApiCallAction.remoteAccountDetails.accountId
service.action.awsApiCallAction.remoteAccountDetails.affiliated
service.action.awsApiCallAction.remoteAccountDetails.awsServiceName
service.action.awsApiCallAction.remoteIpDetails.city.cityName
service.action.awsApiCallAction.remoteIpDetails.country.countryCode
service.action.awsApiCallAction.remoteIpDetails.country.countryName
service.action.awsApiCallAction.remoteIpDetails.geoLocation.lat
service.action.awsApiCallAction.remoteIpDetails.geoLocation.lon
service.action.awsApiCallAction.remoteIpDetails.ipAddressV4
service.action.awsApiCallAction.remoteIpDetails.ipAddressV6
service.action.awsApiCallAction.remoteIpDetails.organization.asn
service.action.awsApiCallAction.remoteIpDetails.organization.asnOrg
service.action.awsApiCallAction.remoteIpDetails.organization.isp
service.action.awsApiCallAction.remoteIpDetails.organization.org
service.action.awsApiCallAction.serviceName
service.action.awsApiCallAction.userAgent
service.action.dnsRequestAction.blocked
service.action.dnsRequestAction.domain
service.action.dnsRequestAction.domainWithSuffix
service.action.dnsRequestAction.protocol
service.action.dnsRequestAction.vpcOwnerAccountId
service.action.kubernetesApiCallAction.namespace
service.action.kubernetesApiCallAction.parameters
service.action.kubernetesApiCallAction.remoteIpDetails.city.cityName
service.action.kubernetesApiCallAction.remoteIpDetails.country.countryCode
service.action.kubernetesApiCallAction.remoteIpDetails.country.countryName
service.action.kubernetesApiCallAction.remoteIpDetails.geoLocation.lat
service.action.kubernetesApiCallAction.remoteIpDetails.geoLocation.lon
service.action.kubernetesApiCallAction.remoteIpDetails.ipAddressV4
service.action.kubernetesApiCallAction.remoteIpDetails.ipAddressV6
service.action.kubernetesApiCallAction.remoteIpDetails.organization.asn
service.action.kubernetesApiCallAction.remoteIpDetails.organization.asnOrg
service.action.kubernetesApiCallAction.remoteIpDetails.organization.isp
service.action.kubernetesApiCallAction.remoteIpDetails.organization.org
service.action.kubernetesApiCallAction.requestUri
service.action.kubernetesApiCallAction.resource
service.action.kubernetesApiCallAction.resourceName
service.action.kubernetesApiCallAction.sourceIPs
service.action.kubernetesApiCallAction.statusCode
service.action.kubernetesApiCallAction.subresource
service.action.kubernetesApiCallAction.userAgent
service.action.kubernetesApiCallAction.verb
service.action.kubernetesPermissionCheckedDetails.allowed
service.action.kubernetesPermissionCheckedDetails.namespace
service.action.kubernetesPermissionCheckedDetails.resource
service.action.kubernetesPermissionCheckedDetails.verb
service.action.kubernetesRoleBindingDetails.kind
service.action.kubernetesRoleBindingDetails.name
service.action.kubernetesRoleBindingDetails.roleRefKind
service.action.kubernetesRoleBindingDetails.roleRefName
service.action.kubernetesRoleBindingDetails.uid
service.action.kubernetesRoleDetails.kind
service.action.kubernetesRoleDetails.name
service.action.kubernetesRoleDetails.uid
service.action.networkConnectionAction.blocked
service.action.networkConnectionAction.connectionDirection
service.action.networkConnectionAction.localIpDetails.ipAddressV4
service.action.networkConnectionAction.localIpDetails.ipAddressV6
service.action.networkConnectionAction.localNetworkInterface
service.action.networkConnectionAction.localPortDetails.port
service.action.networkConnectionAction.localPortDetails.portName
service.action.networkConnectionAction.protocol
service.action.networkConnectionAction.remoteIpDetails.city.cityName
service.action.networkConnectionAction.remoteIpDetails.country.countryCode
service.action.networkConnectionAction.remoteIpDetails.country.countryName
service.action.networkConnectionAction.remoteIpDetails.geoLocation.lat
service.action.networkConnectionAction.remoteIpDetails.geoLocation.lon
service.action.networkConnectionAction.remoteIpDetails.ipAddressV4
service.action.networkConnectionAction.remoteIpDetails.ipAddressV6
service.action.networkConnectionAction.remoteIpDetails.organization.asn
service.action.networkConnectionAction.remoteIpDetails.organization.asnOrg
service.action.networkConnectionAction.remoteIpDetails.organization.isp
service.action.networkConnectionAction.remoteIpDetails.organization.org
service.action.networkConnectionAction.remotePortDetails.port
service.action.networkConnectionAction.remotePortDetails.portName
service.action.portProbeAction.blocked
service.action.portProbeAction.portProbeDetails.localIpDetails.ipAddressV4
service.action.portProbeAction.portProbeDetails.localIpDetails.ipAddressV6
service.action.portProbeAction.portProbeDetails.localPortDetails.port
service.action.portProbeAction.portProbeDetails.localPortDetails.portName
service.action.portProbeAction.portProbeDetails.remoteIpDetails.city.cityName
service.action.portProbeAction.portProbeDetails.remoteIpDetails.country.countryCode
service.action.portProbeAction.portProbeDetails.remoteIpDetails.country.countryName
service.action.portProbeAction.portProbeDetails.remoteIpDetails.geoLocation.lat
service.action.portProbeAction.portProbeDetails.remoteIpDetails.geoLocation.lon
service.action.portProbeAction.portProbeDetails.remoteIpDetails.ipAddressV4
service.action.portProbeAction.portProbeDetails.remoteIpDetails.ipAddressV6
service.action.portProbeAction.portProbeDetails.remoteIpDetails.organization.asn
service.action.portProbeAction.portProbeDetails.remoteIpDetails.organization.asnOrg
service.action.portProbeAction.portProbeDetails.remoteIpDetails.organization.isp
service.action.portProbeAction.portProbeDetails.remoteIpDetails.organization.org
service.action.rdsLoginAttemptAction.loginAttributes.application
service.action.rdsLoginAttemptAction.loginAttributes.failedLoginAttempts
service.action.rdsLoginAttemptAction.loginAttributes.successfulLoginAttempts
service.action.rdsLoginAttemptAction.loginAttributes.user
service.action.rdsLoginAttemptAction.remoteIpDetails.city.cityName
service.action.rdsLoginAttemptAction.remoteIpDetails.country.countryCode
service.action.rdsLoginAttemptAction.remoteIpDetails.country.countryName
service.action.rdsLoginAttemptAction.remoteIpDetails.geoLocation.lat
service.action.rdsLoginAttemptAction.remoteIpDetails.geoLocation.lon
service.action.rdsLoginAttemptAction.remoteIpDetails.ipAddressV4
service.action.rdsLoginAttemptAction.remoteIpDetails.ipAddressV6
service.action.rdsLoginAttemptAction.remoteIpDetails.organization.asn
service.action.rdsLoginAttemptAction.remoteIpDetails.organization.asnOrg
service.action.rdsLoginAttemptAction.remoteIpDetails.organization.isp
service.action.rdsLoginAttemptAction.remoteIpDetails.organization.org
service.additionalInfo.agentDetails.agentId
service.additionalInfo.agentDetails.agentVersion
service.additionalInfo.anomalies.anomalousAPIs
service.additionalInfo.authenticationMethod
service.additionalInfo.averagePacketSizeIn
service.additionalInfo.averagePacketSizeOut
service.additionalInfo.context
service.additionalInfo.domain
service.additionalInfo.inBytes
service.additionalInfo.localNetworkInterfaceOwner
service.additionalInfo.localPort
service.additionalInfo.outBytes
service.additionalInfo.packetsIn
service.additionalInfo.packetsOut
service.additionalInfo.policyArn
service.additionalInfo.policyName
service.additionalInfo.remotePort
service.additionalInfo.sample
service.additionalInfo.scannedPort
service.additionalInfo.threatFileSha256
service.additionalInfo.threatListName
service.additionalInfo.threatName
service.additionalInfo.totalBytesIn
service.additionalInfo.totalBytesOut
service.additionalInfo.type
service.additionalInfo.unusual.asnOrg
service.additionalInfo.unusual.port
service.additionalInfo.unusualProtocol
service.additionalInfo.userAgent.fullUserAgent
service.additionalInfo.userAgent.userAgentCategory
service.additionalInfo.value
service.additionalInfo.vpcOwnerAccountId
service.archived
service.count
service.detection.anomaly.profiles
service.detection.anomaly.unusual.behavior
service.detection.sequence.actors.id
service.detection.sequence.actors.process.name
service.detection.sequence.actors.process.path
service.detection.sequence.actors.process.sha256
service.detection.sequence.actors.session.createdTime Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
service.detection.sequence.actors.session.issuer
service.detection.sequence.actors.session.mfaStatus
service.detection.sequence.actors.session.uid
service.detection.sequence.actors.user.account.account
service.detection.sequence.actors.user.account.uid
service.detection.sequence.actors.user.credentialUid
service.detection.sequence.actors.user.name
service.detection.sequence.actors.user.type
service.detection.sequence.actors.user.uid
service.detection.sequence.additionalSequenceTypes
service.detection.sequence.description
service.detection.sequence.endpoints.autonomousSystem.name
service.detection.sequence.endpoints.autonomousSystem.number
service.detection.sequence.endpoints.connection.direction
service.detection.sequence.endpoints.domain
service.detection.sequence.endpoints.id
service.detection.sequence.endpoints.ip
service.detection.sequence.endpoints.location.city
service.detection.sequence.endpoints.location.country
service.detection.sequence.endpoints.location.lat
service.detection.sequence.endpoints.location.lon
service.detection.sequence.endpoints.port
service.detection.sequence.resources.accountId
service.detection.sequence.resources.cloudPartition
service.detection.sequence.resources.data.accessKey.principalId
service.detection.sequence.resources.data.accessKey.userName
service.detection.sequence.resources.data.accessKey.userType
service.detection.sequence.resources.data.autoscalingAutoScalingGroup.ec2InstanceUids
service.detection.sequence.resources.data.cloudformationStack.ec2InstanceUids
service.detection.sequence.resources.data.container.image
service.detection.sequence.resources.data.container.imageUid
service.detection.sequence.resources.data.ec2Image.ec2InstanceUids
service.detection.sequence.resources.data.ec2Instance.availabilityZone
service.detection.sequence.resources.data.ec2Instance.ec2NetworkInterfaceUids
service.detection.sequence.resources.data.ec2Instance.iamInstanceProfile.arn
service.detection.sequence.resources.data.ec2Instance.iamInstanceProfile.id
service.detection.sequence.resources.data.ec2Instance.imageDescription
service.detection.sequence.resources.data.ec2Instance.instanceState
service.detection.sequence.resources.data.ec2Instance.instanceType
service.detection.sequence.resources.data.ec2Instance.outpostArn
service.detection.sequence.resources.data.ec2Instance.platform
service.detection.sequence.resources.data.ec2Instance.productCodes.productCodeId
service.detection.sequence.resources.data.ec2Instance.productCodes.productCodeType
service.detection.sequence.resources.data.ec2LaunchTemplate.ec2InstanceUids
service.detection.sequence.resources.data.ec2LaunchTemplate.version
service.detection.sequence.resources.data.ec2NetworkInterface.ipv6Addresses
service.detection.sequence.resources.data.ec2NetworkInterface.privateIpAddresses.privateDnsName
service.detection.sequence.resources.data.ec2NetworkInterface.privateIpAddresses.privateIpAddress
service.detection.sequence.resources.data.ec2NetworkInterface.publicIp
service.detection.sequence.resources.data.ec2NetworkInterface.securityGroups.groupId
service.detection.sequence.resources.data.ec2NetworkInterface.securityGroups.groupName
service.detection.sequence.resources.data.ec2NetworkInterface.subNetId
service.detection.sequence.resources.data.ec2NetworkInterface.vpcId
service.detection.sequence.resources.data.ec2Vpc.ec2InstanceUids
service.detection.sequence.resources.data.ecsCluster.ec2InstanceUids
service.detection.sequence.resources.data.ecsCluster.status
service.detection.sequence.resources.data.ecsTask.containerUids
service.detection.sequence.resources.data.ecsTask.createdAt Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
service.detection.sequence.resources.data.ecsTask.launchType
service.detection.sequence.resources.data.ecsTask.taskDefinitionArn
service.detection.sequence.resources.data.eksCluster.arn
service.detection.sequence.resources.data.eksCluster.createdAt Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
service.detection.sequence.resources.data.eksCluster.ec2InstanceUids
service.detection.sequence.resources.data.eksCluster.status
service.detection.sequence.resources.data.eksCluster.vpcId
service.detection.sequence.resources.data.iamInstanceProfile.ec2InstanceUids
service.detection.sequence.resources.data.iamInstanceProfile.id
service.detection.sequence.resources.data.kubernetesWorkload.containerUids
service.detection.sequence.resources.data.kubernetesWorkload.namespace
service.detection.sequence.resources.data.kubernetesWorkload.type
service.detection.sequence.resources.data.s3Bucket.accountPublicAccess.publicAclAccess
service.detection.sequence.resources.data.s3Bucket.accountPublicAccess.publicAclIgnoreBehavior
service.detection.sequence.resources.data.s3Bucket.accountPublicAccess.publicBucketRestrictBehavior
service.detection.sequence.resources.data.s3Bucket.accountPublicAccess.publicPolicyAccess
service.detection.sequence.resources.data.s3Bucket.bucketPublicAccess.publicAclAccess
service.detection.sequence.resources.data.s3Bucket.bucketPublicAccess.publicAclIgnoreBehavior
service.detection.sequence.resources.data.s3Bucket.bucketPublicAccess.publicBucketRestrictBehavior
service.detection.sequence.resources.data.s3Bucket.bucketPublicAccess.publicPolicyAccess
service.detection.sequence.resources.data.s3Bucket.createdAt Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
service.detection.sequence.resources.data.s3Bucket.effectivePermission
service.detection.sequence.resources.data.s3Bucket.encryptionKeyArn
service.detection.sequence.resources.data.s3Bucket.encryptionType
service.detection.sequence.resources.data.s3Bucket.ownerId
service.detection.sequence.resources.data.s3Bucket.publicReadAccess
service.detection.sequence.resources.data.s3Bucket.publicWriteAccess
service.detection.sequence.resources.data.s3Bucket.s3ObjectUids
service.detection.sequence.resources.data.s3Object.eTag
service.detection.sequence.resources.data.s3Object.key
service.detection.sequence.resources.data.s3Object.versionId
service.detection.sequence.resources.name
service.detection.sequence.resources.region
service.detection.sequence.resources.resourceType
service.detection.sequence.resources.service
service.detection.sequence.resources.tags.key
service.detection.sequence.resources.tags.value
service.detection.sequence.resources.uid
service.detection.sequence.sequenceIndicators.key
service.detection.sequence.sequenceIndicators.title
service.detection.sequence.sequenceIndicators.values
service.detection.sequence.signals.actorIds
service.detection.sequence.signals.count
service.detection.sequence.signals.createdAt Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
service.detection.sequence.signals.description
service.detection.sequence.signals.endpointIds
service.detection.sequence.signals.firstSeenAt Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
service.detection.sequence.signals.lastSeenAt Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
service.detection.sequence.signals.name
service.detection.sequence.signals.resourceUids
service.detection.sequence.signals.severity
service.detection.sequence.signals.signalIndicators.key
service.detection.sequence.signals.signalIndicators.title
service.detection.sequence.signals.signalIndicators.values
service.detection.sequence.signals.type
service.detection.sequence.signals.uid
service.detection.sequence.signals.updatedAt Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
service.detection.sequence.uid
service.detectorId
service.ebsVolumeScanDetails.scanCompletedAt Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
service.ebsVolumeScanDetails.scanDetections.highestSeverityThreatDetails.count
service.ebsVolumeScanDetails.scanDetections.highestSeverityThreatDetails.severity
service.ebsVolumeScanDetails.scanDetections.highestSeverityThreatDetails.threatName
service.ebsVolumeScanDetails.scanDetections.scannedItemCount.files
service.ebsVolumeScanDetails.scanDetections.scannedItemCount.totalGb
service.ebsVolumeScanDetails.scanDetections.scannedItemCount.volumes
service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.itemCount
service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.shortened
service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.filePaths.fileName
service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.filePaths.filePath
service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.filePaths.hash
service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.filePaths.volumeArn
service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.itemCount
service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.name
service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.severity
service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.uniqueThreatNameCount
service.ebsVolumeScanDetails.scanDetections.threatsDetectedItemCount.files
service.ebsVolumeScanDetails.scanId
service.ebsVolumeScanDetails.scanStartedAt Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
service.ebsVolumeScanDetails.scanType
service.ebsVolumeScanDetails.sources
service.ebsVolumeScanDetails.triggerFindingId
service.eventFirstSeen Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
service.eventLastSeen Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
service.evidence.threatIntelligenceDetails.threatFileSha256
service.evidence.threatIntelligenceDetails.threatListName
service.evidence.threatIntelligenceDetails.threatNames
service.featureName
service.malwareScanDetails.scanCategory
service.malwareScanDetails.scanConfiguration.incrementalScanDetails.baselineResourceArn
service.malwareScanDetails.scanConfiguration.triggerType
service.malwareScanDetails.scanId
service.malwareScanDetails.scanType
service.malwareScanDetails.threats.count
service.malwareScanDetails.threats.hash
service.malwareScanDetails.threats.itemDetails.additionalInfo.deviceName
service.malwareScanDetails.threats.itemDetails.additionalInfo.versionId
service.malwareScanDetails.threats.itemDetails.hash
service.malwareScanDetails.threats.itemDetails.itemPath
service.malwareScanDetails.threats.itemDetails.resourceArn
service.malwareScanDetails.threats.itemPaths.hash
service.malwareScanDetails.threats.itemPaths.nestedItemPath
service.malwareScanDetails.threats.name
service.malwareScanDetails.threats.source
service.malwareScanDetails.uniqueThreatCount
service.resourceRole
service.runtimeDetails.context.addressFamily
service.runtimeDetails.context.commandLineExample
service.runtimeDetails.context.fileOperation
service.runtimeDetails.context.filePath
service.runtimeDetails.context.fileSystemType
service.runtimeDetails.context.flags
service.runtimeDetails.context.ianaProtocolNumber
service.runtimeDetails.context.ldPreloadValue
service.runtimeDetails.context.libraryPath
service.runtimeDetails.context.memoryRegions
service.runtimeDetails.context.modifiedAt Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
service.runtimeDetails.context.modifyingProcess.euid
service.runtimeDetails.context.modifyingProcess.executablePath
service.runtimeDetails.context.modifyingProcess.executableSha256
service.runtimeDetails.context.modifyingProcess.lineage.euid
service.runtimeDetails.context.modifyingProcess.lineage.executablePath
service.runtimeDetails.context.modifyingProcess.lineage.name
service.runtimeDetails.context.modifyingProcess.lineage.namespacePid
service.runtimeDetails.context.modifyingProcess.lineage.parentUuid
service.runtimeDetails.context.modifyingProcess.lineage.pid
service.runtimeDetails.context.modifyingProcess.lineage.startTime Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
service.runtimeDetails.context.modifyingProcess.lineage.userId
service.runtimeDetails.context.modifyingProcess.lineage.uuid
service.runtimeDetails.context.modifyingProcess.name
service.runtimeDetails.context.modifyingProcess.namespacePid
service.runtimeDetails.context.modifyingProcess.parentUuid
service.runtimeDetails.context.modifyingProcess.pid
service.runtimeDetails.context.modifyingProcess.pwd
service.runtimeDetails.context.modifyingProcess.startTime Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
service.runtimeDetails.context.modifyingProcess.user
service.runtimeDetails.context.modifyingProcess.userId
service.runtimeDetails.context.modifyingProcess.uuid
service.runtimeDetails.context.moduleFilePath
service.runtimeDetails.context.moduleName
service.runtimeDetails.context.moduleSha256
service.runtimeDetails.context.mountSource
service.runtimeDetails.context.mountTarget
service.runtimeDetails.context.relatedFilePaths
service.runtimeDetails.context.releaseAgentPath
service.runtimeDetails.context.runcBinaryPath
service.runtimeDetails.context.scriptPath
service.runtimeDetails.context.serviceName
service.runtimeDetails.context.shellHistoryFilePath
service.runtimeDetails.context.socketPath
service.runtimeDetails.context.targetProcess.euid
service.runtimeDetails.context.targetProcess.executablePath
service.runtimeDetails.context.targetProcess.executableSha256
service.runtimeDetails.context.targetProcess.lineage.euid
service.runtimeDetails.context.targetProcess.lineage.executablePath
service.runtimeDetails.context.targetProcess.lineage.name
service.runtimeDetails.context.targetProcess.lineage.namespacePid
service.runtimeDetails.context.targetProcess.lineage.parentUuid
service.runtimeDetails.context.targetProcess.lineage.pid
service.runtimeDetails.context.targetProcess.lineage.startTime Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
service.runtimeDetails.context.targetProcess.lineage.userId
service.runtimeDetails.context.targetProcess.lineage.uuid
service.runtimeDetails.context.targetProcess.name
service.runtimeDetails.context.targetProcess.namespacePid
service.runtimeDetails.context.targetProcess.parentUuid
service.runtimeDetails.context.targetProcess.pid
service.runtimeDetails.context.targetProcess.pwd
service.runtimeDetails.context.targetProcess.startTime Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
service.runtimeDetails.context.targetProcess.user
service.runtimeDetails.context.targetProcess.userId
service.runtimeDetails.context.targetProcess.uuid
service.runtimeDetails.context.threatFilePath
service.runtimeDetails.context.toolCategory
service.runtimeDetails.context.toolName
service.runtimeDetails.process.euid
service.runtimeDetails.process.executablePath
service.runtimeDetails.process.executableSha256
service.runtimeDetails.process.lineage.euid
service.runtimeDetails.process.lineage.executablePath
service.runtimeDetails.process.lineage.name
service.runtimeDetails.process.lineage.namespacePid
service.runtimeDetails.process.lineage.parentUuid
service.runtimeDetails.process.lineage.pid
service.runtimeDetails.process.lineage.startTime Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
service.runtimeDetails.process.lineage.userId
service.runtimeDetails.process.lineage.uuid
service.runtimeDetails.process.name
service.runtimeDetails.process.namespacePid
service.runtimeDetails.process.parentUuid
service.runtimeDetails.process.pid
service.runtimeDetails.process.pwd
service.runtimeDetails.process.startTime Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
service.runtimeDetails.process.user
service.runtimeDetails.process.userId
service.runtimeDetails.process.uuid
service.serviceName
service.userFeedback
severity To configure severity based filters, use the following for the FindingCriteria condition:
Low:
["1", "2", "3"]Medium:
["4", "5", "6"]High:
["7", "8"]Critical:
["9", "10"]
For more information, see Findings severity levels in the Amazon GuardDuty User Guide.
title
type
updatedAt Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
Criterion (dict) –
Represents a map of finding properties that match specified conditions and values when querying findings.
(string) –
(dict) –
Contains information about the condition.
Eq (list) –
Represents the equal condition to be applied to a single field when querying for findings.
Max values: 50
(string) –
Neq (list) –
Represents the not equal condition to be applied to a single field when querying for findings.
Max values: 50
(string) –
Gt (integer) –
Represents a greater than condition to be applied to a single field when querying for findings.
Gte (integer) –
Represents a greater than or equal condition to be applied to a single field when querying for findings.
Lt (integer) –
Represents a less than condition to be applied to a single field when querying for findings.
Lte (integer) –
Represents a less than or equal condition to be applied to a single field when querying for findings.
Equals (list) –
Represents an equal condition to be applied to a single field when querying for findings.
Max values: 50
(string) –
NotEquals (list) –
Represents a not equal condition to be applied to a single field when querying for findings.
Max values: 50
(string) –
GreaterThan (integer) –
Represents a greater than condition to be applied to a single field when querying for findings.
GreaterThanOrEqual (integer) –
Represents a greater than or equal condition to be applied to a single field when querying for findings.
LessThan (integer) –
Represents a less than condition to be applied to a single field when querying for findings.
LessThanOrEqual (integer) –
Represents a less than or equal condition to be applied to a single field when querying for findings.
Matches (list) –
Represents the match condition to be applied to a single field when querying for findings.
Note
The matches condition is available only for create-filter and update-filter APIs.
(string) –
NotMatches (list) –
Represents the not match condition to be applied to a single field when querying for findings.
Note
The not-matches condition is available only for create-filter and update-filter APIs.
(string) –
ClientToken (string) –
The idempotency token for the create request.
This field is autopopulated if not provided.
Tags (dict) –
The tags to be added to a new filter resource.
(string) –
(string) –
- Return type:
dict
- Returns:
Response Syntax
{ 'Name': 'string' }
Response Structure
(dict) –
Name (string) –
The name of the successfully created filter.
Exceptions
GuardDuty.Client.exceptions.BadRequestExceptionGuardDuty.Client.exceptions.InternalServerErrorException