AWS::GuardDuty::Filter - Amazon CloudFormation

AWS::GuardDuty::Filter

The AWS::GuardDuty::Filter resource specifies a new filter defined by the provided findingCriteria.

Syntax

To declare this entity in your Amazon CloudFormation template, use the following syntax:

JSON

{
  "Type" : "AWS::GuardDuty::Filter",
  "Properties" : {
    "Action" : String,
    "Description" : String,
    "DetectorId" : String,
    "FindingCriteria" : FindingCriteria,
    "Name" : String,
    "Rank" : Integer,
    "Tags" : [ TagItem, ... ]
  }
}

YAML

Type: AWS::GuardDuty::Filter
Properties:
  Action: String
  Description: String
  DetectorId: String
  FindingCriteria:
    FindingCriteria
  Name: String
  Rank: Integer
  Tags:
    - TagItem

Properties

Action

Specifies the action that is to be applied to the findings that match the filter.

Required: No

Type: String

Allowed values: NOOP | ARCHIVE

Update requires: No interruption

Description

The description of the filter. Valid characters include alphanumeric characters, and special characters such as hyphen, period, colon, underscore, parentheses ({ }, [ ], and ( )), forward slash, horizontal tab, vertical tab, newline, form feed, return, and whitespace.

Required: No

Type: String

Minimum: 0

Maximum: 512

Update requires: No interruption

DetectorId

The ID of the detector belonging to the GuardDuty account that you want to create a filter for.

Required: No

Type: String

Minimum: 1

Maximum: 300

Update requires: Replacement

FindingCriteria

Represents the criteria to be used in the filter for querying findings.

Required: Yes

Type: FindingCriteria

Update requires: No interruption

Name

The name of the filter. Valid characters include period (.), underscore (_), dash (-), and alphanumeric characters. Whitespace is considered an invalid character.

Required: No

Type: String

Minimum: 1

Maximum: 64

Update requires: Replacement

Rank

Specifies the position of the filter in the list of current filters. Also specifies the order in which this filter is applied to the findings. The minimum value for this property is 1 and the maximum is 100.

By default, filters may not be created in the same order as they are ranked. To ensure that the filters are created in the expected order, you can use an optional attribute, DependsOn, with the following syntax: "DependsOn":[ "ObjectName" ].

Required: No

Type: Integer

Minimum: 1

Maximum: 100

Update requires: No interruption

Tags

The tags to be added to a new filter resource. Each tag consists of a key and an optional value, both of which you define.

For more information, see Tag.

Required: No

Type: Array of TagItem

Update requires: No interruption

Return values

Ref

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the name of the filter, such as SampleFilter.

For more information about using the Ref function, see Ref.

Examples

Declare a Filter Resource

The following example shows how to declare a GuardDuty Filter resource:

JSON

{
  "Type": "AWS::GuardDuty::Filter",
  "Properties": {
    "Action": "ARCHIVE",
    "Description": "SampleFilter",
    "DetectorId": "a12abc34d567e8fa901bc2d34e56789f0",
    "FindingCriteria": {
      "Criterion": {
        "updatedAt": { "Gte": 0 },
        "severity": { "Gte": 0 }
      }
    },
    "Rank": 1,
    "Name": "SampleFilter"
  }
}

YAML

Type: "AWS::GuardDuty::Filter"
Properties:
  Action: "ARCHIVE"
  Description: "SampleFilter"
  DetectorId: "a12abc34d567e8fa901bc2d34e56789f0"
  FindingCriteria:
    Criterion:
      "updatedAt":
        Gte: 0
      "severity":
        Gte: 0
  Rank: 1
  Name: "SampleFilter"
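A filter with Action ARCHIVE whose only conditions are lower bounds of 0, as in the sample criteria above, archives every finding the detector produces, so templates are worth checking before deployment. The following pre-deployment check is an added example, not part of the AWS documentation; it validates the property limits listed on this page, and the function names, the logical IDs, the second sample filter and the catch-all heuristic are assumptions of the example.

```python
import re

NAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")  # Name: 1-64 chars, no whitespace

def is_catch_all(criterion):
    # Assumption of this example: a Criterion whose conditions are all
    # {"Gte": 0} (or that is empty) cannot exclude any finding.
    return all(cond == {"Gte": 0} for cond in criterion.values())

def lint_filters(template):
    """Return (logical_id, message) pairs for AWS::GuardDuty::Filter resources."""
    issues = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::GuardDuty::Filter":
            continue
        props = res.get("Properties", {})
        action, name = props.get("Action"), props.get("Name")
        rank, desc = props.get("Rank"), props.get("Description")
        # Only literal values are checked; intrinsic functions (dicts) are skipped.
        if isinstance(action, str) and action not in ("NOOP", "ARCHIVE"):
            issues.append((logical_id, "Action must be NOOP or ARCHIVE"))
        if isinstance(name, str) and not NAME_RE.fullmatch(name):
            issues.append((logical_id, "Name has invalid characters or length"))
        if isinstance(rank, int) and not 1 <= rank <= 100:
            issues.append((logical_id, "Rank must be between 1 and 100"))
        if isinstance(desc, str) and len(desc) > 512:
            issues.append((logical_id, "Description exceeds 512 characters"))
        criteria = props.get("FindingCriteria")
        if not isinstance(criteria, dict):
            issues.append((logical_id, "FindingCriteria is required"))
        elif action == "ARCHIVE" and is_catch_all(criteria.get("Criterion", {})):
            issues.append((logical_id, "ARCHIVE filter matches every finding"))
    return issues

# Constructed sample template; logical IDs and the second filter are made up.
SAMPLE = {"Resources": {
    "CatchAll": {"Type": "AWS::GuardDuty::Filter", "Properties": {
        "Action": "ARCHIVE", "Name": "SampleFilter", "Rank": 1,
        "DetectorId": "a12abc34d567e8fa901bc2d34e56789f0",
        "FindingCriteria": {"Criterion": {
            "updatedAt": {"Gte": 0}, "severity": {"Gte": 0}}}}},
    "Scoped": {"Type": "AWS::GuardDuty::Filter", "Properties": {
        "Action": "ARCHIVE", "Name": "low sev", "Rank": 101,
        "FindingCriteria": {"Criterion": {"severity": {"Lt": 4}}}}},
}}

if __name__ == "__main__":
    for logical_id, message in lint_filters(SAMPLE):
        print(f"{logical_id}: {message}")
```

Run it over the parsed template in a CI step and fail the build when the returned list is not empty.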