Creating suppression rules in GuardDuty

A suppression rule is a set of criteria, expressed as filter attributes and the values to match, for which you don't want GuardDuty to generate findings. Findings that match these criteria are automatically archived. To reduce noise, suppressed findings are not sent to any of the AWS services with which you may have integrated. For more information about common use cases for creating suppression rules, see Suppression rules.

You can visualize, create, and manage suppression rules by using the GuardDuty console. Suppression rules are generated in the same manner as filters, and your existing saved filters can be used as suppression rules. For more information about creating filters, see Filtering findings in GuardDuty.

Choose your preferred access method to create a suppression rule for GuardDuty finding types.

Console
To create a suppression rule using the console:
  1. Open the GuardDuty console at https://console.aws.amazon.com/guardduty/.

  2. On the Findings page, the Create suppression rule feature remains grayed out unless you add at least one filter criterion. Because suppression rules are applied to active, ongoing findings, make sure that the Status menu is set to Current.

  3. To add one or more filter criteria, follow steps 3 through 7 in Adding filters on Findings page, and then continue with the following steps.

  4. After you have added the filter criteria and confirmed that the filtered findings meet your requirements, choose Create suppression rule.

  5. Enter a Name for the suppression rule. The name must be 3-64 characters. Valid characters are a-z, A-Z, 0-9, period (.), hyphen (-), and underscore (_).

  6. The Description is optional. If you enter a description, it can have up to 512 characters.

  7. Choose Create.

You can also create a suppression rule from an existing saved filter. For more information about creating filters, see Filtering findings in GuardDuty.

To create a suppression rule from a saved filter:
  1. Open the GuardDuty console at https://console.aws.amazon.com/guardduty/.

  2. On the Findings page, from the Saved rules menu, select a saved filter set rule. This will automatically display the filter set and findings that match the criteria.

  3. You can also add more filter criteria to this saved rule. If you don't need additional filter criteria, skip this step.

    To add one or more additional filter criteria, follow steps 2 through the end of the preceding procedure - To create a suppression rule using the console.

  4. If you don't need to add additional filter criteria to the saved rule, follow steps 4 through the end of the preceding procedure - To create a suppression rule using the console.

API/CLI
To create a suppression rule using API:
  1. You can create suppression rules through the CreateFilter API. To do so, specify the filter criteria in a JSON file that follows the format of the example below. The example suppresses any unarchived low-severity findings that have a DNS request to the test.example.com domain. For medium-severity findings, the severity list would be ["4", "5", "7"]; for high-severity findings, ["6", "7", "8"]; for critical-severity findings, ["9", "10"]. You can also filter on any single value from a list.

    The following example adds a filter for low severity findings.

    {
      "Criterion": {
        "service.archived": {
          "Eq": [ "false" ]
        },
        "service.action.dnsRequestAction.domain": {
          "Eq": [ "test.example.com" ]
        },
        "severity": {
          "Eq": [ "1", "2", "3" ]
        }
      }
    }

    For a list of JSON field names and their console equivalent see Property filters in GuardDuty.

    To test your filter criteria, use the same JSON criterion with the ListFindings API and confirm that the correct findings are selected. To test your filter criteria using the AWS CLI, follow the example below with your own detectorId and .json file.

    To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/ console, or run the ListDetectors API.

    aws guardduty list-findings --detector-id 12abc34d567e8fa901bc2d34e56789f0 --finding-criteria file://criteria.json
  2. Upload your filter to be used as a suppression rule with the CreateFilter API, or by using the AWS CLI as in the example below with your own detector ID, a name for the suppression rule, and .json file.

    To find the detectorId for your account and current Region, see the Settings page in the https://console.aws.amazon.com/guardduty/ console, or run the ListDetectors API.

    aws guardduty create-filter --action ARCHIVE --detector-id 12abc34d567e8fa901bc2d34e56789f0 --name yourfiltername --finding-criteria file://criteria.json

You can view a list of your filters programmatically with the ListFilters API. You can view the details of an individual filter by supplying the filter name to the GetFilter API. Update filters using UpdateFilter, or delete them with the DeleteFilter API.
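The following is an added example, not code from the GuardDuty documentation or from AWS. It builds the criterion JSON for a chosen severity band in the same shape as the example above, checks a rule name against the 3-64 character and allowed-character constraints from the console procedure, and dry-runs the criterion against a few constructed sample findings before any CreateFilter call is made. The local matcher is an approximation of an Eq-only criterion written for this example (GuardDuty's own evaluation via ListFindings remains the authoritative test), and the sample findings are keyed by the criterion's lowercase dotted field names rather than the capitalised keys of the real API response. The helper names (`build_criterion`, `matches`, `select_ids`, `cli_commands`) are this example's own.

```python
"""Added example (not AWS code): prepare and sanity-check a GuardDuty
suppression-rule criterion offline before calling ListFindings/CreateFilter."""
import json
import re
from typing import Any

# Severity value lists for each band, exactly as given in the page's text.
SEVERITY_BANDS = {
    "low": ["1", "2", "3"],
    "medium": ["4", "5", "7"],
    "high": ["6", "7", "8"],
    "critical": ["9", "10"],
}

# Name constraint from the console procedure: 3-64 chars of a-z, A-Z, 0-9, '.', '-', '_'.
RULE_NAME_RE = re.compile(r"^[A-Za-z0-9._-]{3,64}$")


def validate_rule_name(name: str) -> bool:
    """Return True if the name satisfies the documented suppression-rule name rules."""
    return RULE_NAME_RE.fullmatch(name) is not None


def build_criterion(domain: str, band: str) -> dict:
    """Build the FindingCriteria document for unarchived findings of the given
    severity band whose DNS request targeted `domain` (same shape as the page's example)."""
    if band not in SEVERITY_BANDS:
        raise ValueError(f"unknown severity band: {band}")
    return {
        "Criterion": {
            "service.archived": {"Eq": ["false"]},
            "service.action.dnsRequestAction.domain": {"Eq": [domain]},
            "severity": {"Eq": SEVERITY_BANDS[band]},
        }
    }


def _lookup(finding: dict, dotted: str) -> Any:
    """Resolve a dotted field path such as 'service.archived' inside a finding dict."""
    node: Any = finding
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def _as_text(value: Any) -> str:
    """Normalise a finding value to the string form used in criterion lists:
    booleans become 'true'/'false', integral severities such as 2.0 become '2'."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, float) and value.is_integer():
        return str(int(value))
    return str(value)


def matches(finding: dict, criterion: dict) -> bool:
    """Local approximation of an Eq-only criterion (hypothetical, not GuardDuty's
    evaluator): every listed field must be present and equal one of the listed strings."""
    for field, cond in criterion["Criterion"].items():
        allowed = cond.get("Eq", [])
        value = _lookup(finding, field)
        if value is None or _as_text(value) not in allowed:
            return False
    return True


# Constructed sample findings, reduced to the fields the criterion inspects and
# keyed by the criterion field names (not the API's capitalised response keys).
SAMPLE_FINDINGS = [
    {"id": "f-1", "severity": 2.0, "service": {"archived": False,
     "action": {"dnsRequestAction": {"domain": "test.example.com"}}}},
    {"id": "f-2", "severity": 5.0, "service": {"archived": False,
     "action": {"dnsRequestAction": {"domain": "test.example.com"}}}},
    {"id": "f-3", "severity": 2.0, "service": {"archived": True,
     "action": {"dnsRequestAction": {"domain": "test.example.com"}}}},
    {"id": "f-4", "severity": 1.0, "service": {"archived": False,
     "action": {"dnsRequestAction": {"domain": "other.example.net"}}}},
]


def select_ids(findings: list, criterion: dict) -> list:
    """Return the ids of the findings the criterion would select (and thus archive)."""
    return [f["id"] for f in findings if matches(f, criterion)]


def cli_commands(detector_id: str, name: str, criteria_path: str = "criteria.json") -> list:
    """Return the ListFindings dry-run and CreateFilter commands from the page, filled
    in with the caller's detector ID and rule name. Nothing is executed here."""
    if not validate_rule_name(name):
        raise ValueError("rule name violates the 3-64 char / [A-Za-z0-9._-] constraint")
    return [
        f"aws guardduty list-findings --detector-id {detector_id} "
        f"--finding-criteria file://{criteria_path}",
        f"aws guardduty create-filter --action ARCHIVE --detector-id {detector_id} "
        f"--name {name} --finding-criteria file://{criteria_path}",
    ]


if __name__ == "__main__":
    crit = build_criterion("test.example.com", "low")
    print(json.dumps(crit, indent=2))  # write this to criteria.json
    print("would be suppressed:", select_ids(SAMPLE_FINDINGS, crit))
    for cmd in cli_commands("<your-detector-id>", "suppress-test-example-dns"):
        print(cmd)
```

Running the script prints the criterion to save as criteria.json, shows that only f-1 (unarchived, low severity, matching domain) would be selected, and prints the two CLI commands with a placeholder detector ID. The medium-severity finding f-2 and the already-archived f-3 are deliberately left out by the criterion, which is the kind of boundary worth confirming with ListFindings before the filter is created with --action ARCHIVE.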

© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.