Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).
Creating suppression rules in GuardDuty
A suppression rule is a set of criteria, built from filter attributes and the values you supply for them, for which you don't want GuardDuty to generate findings. Findings that match these criteria are automatically archived. To reduce noise, suppressed findings are not sent to any of the Amazon Web Services services with which you may integrate. For more information about common use cases for creating suppression rules, see Suppression rules.
You can visualize, create, and manage suppression rules by using the GuardDuty console.
Suppression rules are generated in the same manner as filters, and your existing saved
filters can be used as suppression rules. For more information about creating filters,
see Filtering findings in GuardDuty.
Choose your preferred access method to create a suppression rule for GuardDuty finding
types.
- Console

  To create a suppression rule using the console:

  1. Open the GuardDuty console at https://console.amazonaws.cn/guardduty/.
  2. On the Findings page, the Create suppression rule feature remains grayed out unless you add at least one filter criterion. Because suppression rules are applied to active, ongoing findings, make sure that the Status menu is set to Current.
  3. To add one or more filter criteria, follow steps 3 through 7 in Adding filters on Findings page, and then continue with the following steps.
  4. After you have added the filter criteria and confirmed that the filtered findings meet your requirements, choose Create suppression rule.
  5. Enter a Name for the suppression rule. The name must be 3-64 characters. Valid characters are a-z, A-Z, 0-9, period (.), hyphen (-), and underscore (_).
  6. The Description is optional. If you enter a description, it can have up to 512 characters.
  7. Choose Create.
  You can also create a suppression rule from an existing saved filter. For more information about creating filters, see Filtering findings in GuardDuty.

  To create a suppression rule from a saved filter:

  1. Open the GuardDuty console at https://console.amazonaws.cn/guardduty/.
  2. On the Findings page, from the Saved rules menu, select a saved filter set rule. This automatically displays the filter set and the findings that match its criteria.
  3. You can also add more filter criteria to this saved rule. If you don't need additional filter criteria, skip this step. To add one or more additional filter criteria, follow steps 2 through the end of the preceding procedure, To create a suppression rule using the console.
  4. If you don't need to add additional filter criteria to the saved rule, follow steps 4 through the end of the preceding procedure, To create a suppression rule using the console.
- API/CLI

  To create a suppression rule using the API:

  1. You can create suppression rules through the CreateFilter API. To do so, specify the filter criteria in a JSON file that follows the format of the example below. The example suppresses any unarchived low-severity findings that include a DNS request to the test.example.com domain. For medium-severity findings, the input list is ["4", "5", "7"]. For high-severity findings, the input list is ["6", "7", "8"]. For critical-severity findings, the input list is ["9", "10"]. You can also filter on any single value from a list.

     The following example adds a filter for low-severity findings.
     {
       "Criterion": {
         "service.archived": {
           "Eq": [
             "false"
           ]
         },
         "service.action.dnsRequestAction.domain": {
           "Eq": [
             "test.example.com"
           ]
         },
         "severity": {
           "Eq": [
             "1",
             "2",
             "3"
           ]
         }
       }
     }
     For a list of JSON field names and their console equivalents, see Property filters in GuardDuty.

     To test your filter criteria, use the same JSON criterion in the ListFindings API, and confirm that the correct findings have been selected. To test your filter criteria using the Amazon CLI, follow the example using your own detectorId and .json file.

     To find the detectorId for your account and current Region, see the Settings page in the https://console.amazonaws.cn/guardduty/ console, or run the ListDetectors API.

     aws guardduty list-findings --detector-id 12abc34d567e8fa901bc2d34e56789f0 \
         --finding-criteria file://criteria.json
  2. Upload your filter to be used as a suppression rule with the CreateFilter API, or by using the Amazon CLI following the example below with your own detector ID, a name for the suppression rule, and .json file.

     To find the detectorId for your account and current Region, see the Settings page in the https://console.amazonaws.cn/guardduty/ console, or run the ListDetectors API.

     aws guardduty create-filter --action ARCHIVE --detector-id 12abc34d567e8fa901bc2d34e56789f0 \
         --name yourfiltername \
         --finding-criteria file://criteria.json
You can view a list of your filters programmatically with the ListFilter API. You can view the details of
an individual filter by supplying the filter name to the GetFilter API. Update filters using UpdateFilter or delete them with the DeleteFilter API.
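The API procedure above as a small Python script, added here as an example and not part of the Amazon documentation: it builds the page's DNS criterion, dry-runs it through ListFindings, enforces the name and description limits given in the console procedure, and registers the rule with CreateFilter and Action=ARCHIVE. The client is passed in, so boto3.client("guardduty") can replace the constructed FakeGuardDuty stub; the function names and the stub are assumptions, not part of the GuardDuty SDK.

```python
import re

# Name constraint stated on this page: 3-64 chars of a-z, A-Z, 0-9, '.', '-', '_'
RULE_NAME_RE = re.compile(r"^[A-Za-z0-9._-]{3,64}$")

def build_dns_criteria(domain, severities=("1", "2", "3")):
    # Same criterion as the page's example: unarchived findings with a DNS request to `domain`.
    return {"Criterion": {
        "service.archived": {"Eq": ["false"]},
        "service.action.dnsRequestAction.domain": {"Eq": [domain]},
        "severity": {"Eq": list(severities)},
    }}

def validate_rule(name, description=""):
    # Reject inputs CreateFilter would refuse, before touching the API.
    if not RULE_NAME_RE.match(name):
        raise ValueError("rule name must be 3-64 chars of [A-Za-z0-9._-]")
    if len(description) > 512:
        raise ValueError("description may be at most 512 characters")

def preview_suppressed_findings(client, detector_id, criteria):
    # Dry run: ListFindings with the same criterion yields the IDs the rule would archive.
    ids, token = [], None
    while True:
        kwargs = {"DetectorId": detector_id, "FindingCriteria": criteria}
        if token:
            kwargs["NextToken"] = token
        resp = client.list_findings(**kwargs)
        ids.extend(resp.get("FindingIds", []))
        token = resp.get("NextToken")
        if not token:
            return ids

def create_suppression_rule(client, detector_id, name, criteria, description=""):
    # Register the criterion as a suppression rule: CreateFilter with Action=ARCHIVE.
    validate_rule(name, description)
    kwargs = {"DetectorId": detector_id, "Name": name, "Action": "ARCHIVE",
              "FindingCriteria": criteria}
    if description:
        kwargs["Description"] = description
    return client.create_filter(**kwargs)["Name"]

class FakeGuardDuty:  # constructed offline stand-in for boto3.client("guardduty")
    def __init__(self, finding_ids):
        self.finding_ids, self.filters = list(finding_ids), {}
    def list_findings(self, **kw):
        return {"FindingIds": self.finding_ids}
    def create_filter(self, **kw):
        self.filters[kw["Name"]] = kw
        return {"Name": kw["Name"]}
```

Review the IDs returned by preview_suppressed_findings before creating the rule; anything listed there is what the rule will archive going forward.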