AWS::GuardDuty::Filter
The AWS::GuardDuty::Filter resource specifies a new filter defined by the provided findingCriteria.
Syntax
To declare this entity in your Amazon CloudFormation template, use the following syntax:
JSON
{
  "Type" : "AWS::GuardDuty::Filter",
  "Properties" : {
      "Action" : String,
      "Description" : String,
      "DetectorId" : String,
      "FindingCriteria" : FindingCriteria,
      "Name" : String,
      "Rank" : Integer,
      "Tags" : [ Tag, ... ]
    }
}
YAML
Type: AWS::GuardDuty::Filter
Properties:
  Action: String
  Description: String
  DetectorId: String
  FindingCriteria:
    FindingCriteria
  Name: String
  Rank: Integer
  Tags:
    - Tag
Properties
Action
Specifies the action that is to be applied to the findings that match the filter.
Required: Yes
Type: String
Allowed values: ARCHIVE | NOOP
Update requires: No interruption
Description
The description of the filter.
Required: Yes
Type: String
Minimum: 0
Maximum: 512
Update requires: No interruption
DetectorId
The ID of the detector belonging to the GuardDuty account that you want to create a filter for.
Required: Yes
Type: String
Minimum: 1
Maximum: 300
Update requires: Replacement
FindingCriteria
Represents the criteria to be used in the filter for querying findings.
Required: Yes
Type: FindingCriteria
Update requires: No interruption
Name
The name of the filter. Minimum length of 3. Maximum length of 64. Valid characters include alphanumeric characters, dot (.), underscore (_), and dash (-). Spaces are not allowed.
Required: Yes
Type: String
Minimum: 3
Maximum: 64
Update requires: Replacement
Rank
Not currently supported by Amazon CloudFormation.
Required: Yes
Type: Integer
Update requires: No interruption
Tags
Not currently supported by Amazon CloudFormation.
Required: No
Type: List of Tag
Update requires: No interruption
Return values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the name of the filter, such as SampleFilter.
For more information about using the Ref function, see Ref.
Examples
Declare a Filter Resource
The following example shows how to declare a GuardDuty Filter resource:
JSON
{
    "Type": "AWS::GuardDuty::Filter",
    "Properties": {
        "Action": "ARCHIVE",
        "Description": "SampleFilter",
        "DetectorId": "a12abc34d567e8fa901bc2d34e56789f0",
        "FindingCriteria": {
            "Criterion": {
                "updatedAt": {
                    "Gte": 0
                },
                "severity": {
                    "Gte": 0
                }
            }
        },
        "Rank": 1,
        "Name": "SampleFilter"
    }
}
YAML
Type: "AWS::GuardDuty::Filter"
Properties:
  Action: "ARCHIVE"
  Description: "SampleFilter"
  DetectorId: "a12abc34d567e8fa901bc2d34e56789f0"
  FindingCriteria:
    Criterion:
      "updatedAt":
        Gte: 0
      "severity":
        Gte: 0
  Rank: 1
  Name: "SampleFilter"
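As an added example (not part of the AWS documentation), the Python code below lints a filter declaration against the constraints listed under Properties and flags an ARCHIVE filter whose criteria exclude nothing; the sample resource on this page, with severity and updatedAt both set to Gte 0, is such a filter and would archive every finding. The function names, the message strings, and the rule that a Gte bound of 0 excludes nothing are assumptions of this example.

```python
import re

ALLOWED_ACTIONS = {"ARCHIVE", "NOOP"}             # Action: allowed values
NAME_RE = re.compile(r"[A-Za-z0-9._-]{3,64}")     # Name: length and character set
REQUIRED = ("Action", "Description", "DetectorId", "FindingCriteria", "Name", "Rank")

# The page's sample resource, re-typed as a Python dict.
PAGE_EXAMPLE = {
    "Type": "AWS::GuardDuty::Filter",
    "Properties": {
        "Action": "ARCHIVE",
        "Description": "SampleFilter",
        "DetectorId": "a12abc34d567e8fa901bc2d34e56789f0",
        "FindingCriteria": {
            "Criterion": {"updatedAt": {"Gte": 0}, "severity": {"Gte": 0}}
        },
        "Rank": 1,
        "Name": "SampleFilter",
    },
}


def matches_everything(criterion):
    """True when no condition narrows the result set (assumption: fields are
    never negative, so a lower bound of 0 or less excludes nothing)."""
    return all(
        isinstance(cond, dict) and set(cond) == {"Gte"} and cond["Gte"] <= 0
        for cond in criterion.values()
    )


def lint_filter(resource):
    """Return the problems found in one AWS::GuardDuty::Filter resource."""
    props = resource.get("Properties", {})
    problems = [f"missing required property {p}" for p in REQUIRED if p not in props]
    if props.get("Action") not in ALLOWED_ACTIONS:
        problems.append("Action must be ARCHIVE or NOOP")
    if not NAME_RE.fullmatch(str(props.get("Name", ""))):
        problems.append("Name must be 3-64 characters from [A-Za-z0-9._-]")
    if len(str(props.get("Description", ""))) > 512:
        problems.append("Description exceeds 512 characters")
    if not 1 <= len(str(props.get("DetectorId", ""))) <= 300:
        problems.append("DetectorId must be 1-300 characters")
    criterion = props.get("FindingCriteria", {}).get("Criterion", {})
    if props.get("Action") == "ARCHIVE" and matches_everything(criterion):
        problems.append("ARCHIVE filter matches every finding")
    return problems
```

Calling lint_filter(PAGE_EXAMPLE) returns the single "matches every finding" problem; the same declaration with Action set to NOOP passes.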