AWS::GuardDuty::Filter
The AWS::GuardDuty::Filter resource specifies a new filter defined by the provided findingCriteria.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{
  "Type" : "AWS::GuardDuty::Filter",
  "Properties" : {
      "Action" : String,
      "Description" : String,
      "DetectorId" : String,
      "FindingCriteria" : FindingCriteria,
      "Name" : String,
      "Rank" : Integer,
      "Tags" : [ TagItem, ... ]
    }
}
YAML
Type: AWS::GuardDuty::Filter
Properties:
  Action: String
  Description: String
  DetectorId: String
  FindingCriteria:
    FindingCriteria
  Name: String
  Rank: Integer
  Tags:
    - TagItem
Properties
Action
Specifies the action that is to be applied to the findings that match the filter.
Required: No
Type: String
Allowed values: NOOP | ARCHIVE
Update requires: No interruption
Description
The description of the filter. Valid characters include alphanumeric characters, and special characters such as hyphen, period, colon, underscore, parentheses ({ }, [ ], and ( )), forward slash, horizontal tab, vertical tab, newline, form feed, return, and whitespace.
Required: No
Type: String
Minimum: 0
Maximum: 512
Update requires: No interruption
DetectorId
The detector ID associated with the GuardDuty account for which you want to create a filter.
To find the detectorId in the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
Required: Yes
Type: String
Minimum: 1
Maximum: 300
Update requires: Replacement
FindingCriteria
Represents the criteria to be used in the filter for querying findings.
Required: Yes
Type: FindingCriteria
Update requires: No interruption
Name
The name of the filter. Valid characters include period (.), underscore (_), dash (-), and alphanumeric characters. Whitespace is considered an invalid character.
Required: Yes
Type: String
Minimum: 1
Maximum: 64
Update requires: Replacement
Rank
Specifies the position of the filter in the list of current filters. Also specifies the order in which this filter is applied to the findings. The minimum value for this property is 1 and the maximum is 100.
By default, filters may not be created in the same order as they are ranked. To ensure that the filters are created in the expected order, you can use an optional attribute, DependsOn, with the following syntax:
"DependsOn":[ "ObjectName" ]
Required: No
Type: Integer
Minimum: 1
Maximum: 100
Update requires: No interruption
Tags
The tags to be added to a new filter resource. Each tag consists of a key and an optional value, both of which you define.
For more information, see Tag.
Required: No
Type: Array of TagItem
Update requires: No interruption
Return values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the name of the filter, such as SampleFilter.
For more information about using the Ref function, see Ref.
Examples
Declare a Filter Resource
The following example shows how to declare a GuardDuty Filter resource:
JSON
{
    "Type": "AWS::GuardDuty::Filter",
    "Properties": {
        "Action": "ARCHIVE",
        "Description": "SampleFilter",
        "DetectorId": "a12abc34d567e8fa901bc2d34e56789f0",
        "FindingCriteria": {
            "Criterion": {
                "updatedAt": { "Gte": 0 },
                "severity": { "Gte": 0 }
            }
        },
        "Rank": 1,
        "Name": "SampleFilter"
    }
}
YAML
Type: "AWS::GuardDuty::Filter"
Properties:
  Action: "ARCHIVE"
  Description: "SampleFilter"
  DetectorId: "a12abc34d567e8fa901bc2d34e56789f0"
  FindingCriteria:
    Criterion:
      "updatedAt":
        Gte: 0
      "severity":
        Gte: 0
  Rank: 1
  Name: "SampleFilter"
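A pre-deployment check for the property constraints documented above, as an added example that is not part of the AWS documentation: it validates the Name, Action, Description and Rank limits, flags an ARCHIVE filter whose criteria exclude nothing (as in SampleFilter), and checks that DependsOn follows Rank order. The function name, the SecondFilter resource and the match-all heuristic are assumptions of this example; it also assumes literal property values and a single detector.

```python
import re

NAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")  # Name: 1-64 chars, no whitespace
def lint_guardduty_filters(template):
    """Return a list of problems found in AWS::GuardDuty::Filter resources."""
    issues = []
    filters = {lid: res for lid, res in template.get("Resources", {}).items()
               if res.get("Type") == "AWS::GuardDuty::Filter"}
    for lid, res in filters.items():
        props = res.get("Properties", {})
        for required in ("DetectorId", "FindingCriteria", "Name"):
            if required not in props:
                issues.append(f"{lid}: missing required property {required}")
        name = props.get("Name")
        if isinstance(name, str) and not NAME_RE.fullmatch(name):
            issues.append(f"{lid}: Name has invalid characters or length")
        if "Action" in props and props["Action"] not in ("NOOP", "ARCHIVE"):
            issues.append(f"{lid}: Action must be NOOP or ARCHIVE")
        desc = props.get("Description")
        if isinstance(desc, str) and len(desc) > 512:
            issues.append(f"{lid}: Description exceeds 512 characters")
        rank = props.get("Rank")
        if rank is not None and not (isinstance(rank, int) and 1 <= rank <= 100):
            issues.append(f"{lid}: Rank must be an integer from 1 to 100")
        # Heuristic (assumption of this example): an ARCHIVE filter whose every
        # criterion is only {"Gte": 0} excludes nothing, so it archives all findings.
        crit = props.get("FindingCriteria", {}).get("Criterion", {})
        if props.get("Action") == "ARCHIVE" and crit and all(
                c == {"Gte": 0} for c in crit.values()):
            issues.append(f"{lid}: ARCHIVE filter matches every finding")
    # Creation order: each ranked filter should depend on the one ranked before it.
    ranked = sorted((lid for lid, r in filters.items()
                     if isinstance(r.get("Properties", {}).get("Rank"), int)),
                    key=lambda lid: filters[lid]["Properties"]["Rank"])
    for prev, cur in zip(ranked, ranked[1:]):
        deps = filters[cur].get("DependsOn", [])
        if prev not in ([deps] if isinstance(deps, str) else deps):
            issues.append(f"{cur}: add DependsOn {prev} to match Rank order")
    return issues

# Constructed sample template: the page's SampleFilter plus a second, hypothetical filter.
SAMPLE_TEMPLATE = {"Resources": {
    "SampleFilter": {"Type": "AWS::GuardDuty::Filter", "Properties": {
        "Action": "ARCHIVE", "Description": "SampleFilter",
        "DetectorId": "a12abc34d567e8fa901bc2d34e56789f0", "Rank": 1, "Name": "SampleFilter",
        "FindingCriteria": {"Criterion": {"updatedAt": {"Gte": 0}, "severity": {"Gte": 0}}}}},
    "SecondFilter": {"Type": "AWS::GuardDuty::Filter", "Properties": {
        "Action": "NOOP", "DetectorId": "a12abc34d567e8fa901bc2d34e56789f0", "Rank": 2,
        "Name": "second filter", "FindingCriteria": {"Criterion": {"severity": {"Gte": 7}}}}}}}
```

Calling lint_guardduty_filters(SAMPLE_TEMPLATE) reports the match-all ARCHIVE criteria on SampleFilter, the whitespace in the second filter's Name, and its missing DependsOn.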