Filtering findings - Amazon GuardDuty
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Filtering findings

A finding filter allows you to view findings that match the criteria you specify and filter out any unmatched findings. You can easily create finding filters using the Amazon GuardDuty console, or you can create them with the CreateFilter API using JSON. Review the following sections to understand how to create a filter in the console. To use these filters to automatically archive incoming findings, see Suppression rules.

Creating filters in the GuardDuty console

Finding filters can be created and tested through the GuardDuty console. You can save filters created through the console for use in suppression rules or future filter operations. A filter is made up of at least one filter criterion, and each criterion consists of one filter attribute paired with at least one value.

When you create filters, be aware of the following:

  • Filters do not accept wildcards; every value is matched exactly.

  • You can specify a minimum of one attribute and up to a maximum of 50 attributes as the criteria for a particular filter.

  • When you use the equal to or not equal to condition to filter on an attribute value, such as Account ID, you can specify a maximum of 50 values.

  • Each filter criteria attribute is evaluated as an AND operator: a finding must satisfy every attribute in the filter. Multiple values for the same attribute are evaluated as OR under equal to (the finding matches if it has any of the values) and as AND under not equal to (the finding matches only if it has none of the values).

To filter findings (console)
  1. Choose Add filter criteria above the displayed list of your GuardDuty findings.

  2. In the expanded list of attributes, select the attribute that you want to specify as the criteria for your filter, such as Account ID or Action type.

    Note

    See the filter attribute table on this page for a list of attributes that you can use to create filter criteria.

  3. In the displayed text field, specify a value for each selected attribute and then choose Apply.

    Note

    After you apply a filter, you can convert the filter to exclude findings that match the filter by choosing the black dot to the left of the filter name. This effectively creates a "not equals" filter for the selected attribute.

  4. To save the specified attributes and their values (filter criteria) as a filter, select Save. Enter the filter name and description, and then choose Done.

Filter attributes

When you create filters or sort findings using the API operations, you must specify filter criteria in JSON. These filter criteria correlate to a finding's details JSON. The following table contains a list of the console display names for filter attributes and their equivalent JSON field names.
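The following example, added here and not part of the GuardDuty documentation or the service's own code, builds a CreateFilter findingCriteria document with the JSON field names from the table, checks it against the limits listed above (50 attributes, 50 values, no wildcards, numeric severity) and applies the documented AND/OR semantics to a few constructed sample findings before anything is sent to the API. The Region names, tag keys, filter name and sample findings are assumptions chosen for illustration; the local matcher is a model of the documented behaviour, not the service's implementation.

```python
"""Build GuardDuty CreateFilter criteria and check them locally against findings."""
from typing import Any, Dict, List

# Limits stated in the GuardDuty documentation for a single filter.
MAX_ATTRIBUTES = 50   # criteria attributes per filter
MAX_VALUES = 50       # values per Equals / NotEquals condition
LIST_OPS = {"Equals", "NotEquals"}
NUMERIC_OPS = {"GreaterThan", "GreaterThanOrEqual", "LessThan", "LessThanOrEqual"}


def validate_criteria(criteria: Dict[str, Any]) -> None:
    """Reject a FindingCriteria document GuardDuty would refuse: attribute or value
    counts out of range, wildcards, or a non-numeric operand for a numeric condition."""
    criterion = criteria.get("Criterion") or {}
    if not 1 <= len(criterion) <= MAX_ATTRIBUTES:
        raise ValueError(f"need 1..{MAX_ATTRIBUTES} attributes, got {len(criterion)}")
    for attr, conds in criterion.items():
        for op, operand in conds.items():
            if op in LIST_OPS:
                if not isinstance(operand, list) or not 1 <= len(operand) <= MAX_VALUES:
                    raise ValueError(f"{attr}.{op}: need 1..{MAX_VALUES} values")
                for v in operand:
                    if not isinstance(v, str) or "*" in v or "?" in v:
                        raise ValueError(f"{attr}.{op}: values are exact strings, no wildcards")
            elif op in NUMERIC_OPS:
                if isinstance(operand, bool) or not isinstance(operand, (int, float)):
                    raise ValueError(f"{attr}.{op}: severity is numeric in the API, not Low/High")
            else:
                raise ValueError(f"{attr}: unsupported condition {op!r}")


def is_valid(criteria: Dict[str, Any]) -> bool:
    """True when validate_criteria accepts the document."""
    try:
        validate_criteria(criteria)
        return True
    except ValueError:
        return False


def high_severity_prod_criteria() -> Dict[str, Any]:
    """Constructed example: high severity findings in either of two assumed Regions,
    excluding instances tagged Sandbox or Test (tag keys are assumptions)."""
    return {"Criterion": {
        "severity": {"GreaterThanOrEqual": 7},                                   # numeric
        "region": {"Equals": ["cn-north-1", "cn-northwest-1"]},                  # either (OR)
        "resource.instanceDetails.tags.key": {"NotEquals": ["Sandbox", "Test"]},  # neither (AND)
    }}


def create_filter_request(detector_id: str, name: str, criteria: Dict[str, Any],
                          archive: bool = False) -> Dict[str, Any]:
    """Keyword arguments for boto3 guardduty.create_filter(**request).
    Action=ARCHIVE makes the filter a suppression rule; NOOP only tags matches."""
    validate_criteria(criteria)
    return {"DetectorId": detector_id, "Name": name, "Rank": 1,
            "Action": "ARCHIVE" if archive else "NOOP", "FindingCriteria": criteria}


def _leaf_values(node: Any, path: List[str]) -> List[Any]:
    """Follow a dotted attribute path through a finding. Lists such as tags or
    networkInterfaces fan out, so every element's value is returned."""
    if isinstance(node, list):
        return [v for item in node for v in _leaf_values(item, path)]
    if not path:
        return [node]
    if isinstance(node, dict) and path[0] in node:
        return _leaf_values(node[path[0]], path[1:])
    return []


def matches(criteria: Dict[str, Any], finding: Dict[str, Any]) -> bool:
    """Model of the documented semantics: attributes AND together, Equals is OR over
    its values, NotEquals rejects the finding if any listed value is present. This
    model (an assumption, not GuardDuty's code) treats an attribute absent from the
    finding as failing Equals and numeric conditions and satisfying NotEquals."""
    for attr, conds in criteria["Criterion"].items():
        values = _leaf_values(finding, attr.split("."))
        for op, operand in conds.items():
            if op == "Equals":
                ok = any(v in operand for v in values)
            elif op == "NotEquals":
                ok = not any(v in operand for v in values)
            else:
                nums = [v for v in values if isinstance(v, (int, float))]
                ok = any({"GreaterThan": n > operand, "GreaterThanOrEqual": n >= operand,
                          "LessThan": n < operand, "LessThanOrEqual": n <= operand}[op]
                         for n in nums)
            if not ok:
                return False
    return True


def apply_filter(criteria: Dict[str, Any], findings: List[Dict[str, Any]]) -> List[str]:
    """IDs of the findings the criteria keep, in input order."""
    validate_criteria(criteria)
    return [f["id"] for f in findings if matches(criteria, f)]


def _instance(tags: Dict[str, str]) -> Dict[str, Any]:
    return {"instanceDetails": {"tags": [{"key": k, "value": v} for k, v in tags.items()]}}


# Constructed sample findings trimmed to the fields the criteria use; not real data.
SAMPLE_FINDINGS = [
    {"id": "f-prod-high", "severity": 8.0, "region": "cn-north-1", "resource": _instance({"Env": "prod"})},
    {"id": "f-sandbox", "severity": 8.0, "region": "cn-north-1", "resource": _instance({"Env": "prod", "Sandbox": "1"})},
    {"id": "f-medium", "severity": 5.0, "region": "cn-northwest-1", "resource": _instance({"Env": "prod"})},
    {"id": "f-other-region", "severity": 8.0, "region": "us-east-1", "resource": _instance({"Env": "prod"})},
]

if __name__ == "__main__":
    print(apply_filter(high_severity_prod_criteria(), SAMPLE_FINDINGS))  # ['f-prod-high']
    import boto3  # only needed to create the filter for real; assumes configured credentials
    gd = boto3.client("guardduty")
    detector_id = gd.list_detectors()["DetectorIds"][0]
    print(gd.create_filter(**create_filter_request(detector_id, "high-sev-prod",
                                                   high_severity_prod_criteria())))
```

Run the local check first: only f-prod-high survives, because f-sandbox carries one excluded tag key (NotEquals rejects on any listed value), f-medium is below the numeric severity threshold, and f-other-region is in neither listed Region. Because the validator mirrors the page's limits, a criteria document that passes it will not be rejected by CreateFilter for count, wildcard or severity-type reasons; it says nothing about whether the attribute names exist, so take those from the table below.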

Console field name                        JSON field name
----------------------------------------  ------------------------------------------------------------
Account ID                                accountId
Finding ID                                id
Region                                    region
Severity                                  severity (see note below)
Finding type                              type
Updated at                                updatedAt
Access Key ID                             resource.accessKeyDetails.accessKeyId
Principal ID                              resource.accessKeyDetails.principalId
Username                                  resource.accessKeyDetails.userName
User type                                 resource.accessKeyDetails.userType
IAM instance profile ID                   resource.instanceDetails.iamInstanceProfile.id
Instance ID                               resource.instanceDetails.instanceId
Instance image ID                         resource.instanceDetails.imageId
Instance tag key                          resource.instanceDetails.tags.key
Instance tag value                        resource.instanceDetails.tags.value
IPv6 address                              resource.instanceDetails.networkInterfaces.ipv6Addresses
Private IPv4 address                      resource.instanceDetails.networkInterfaces.privateIpAddresses.privateIpAddress
Public DNS name                           resource.instanceDetails.networkInterfaces.publicDnsName
Public IP                                 resource.instanceDetails.networkInterfaces.publicIp
Security group ID                         resource.instanceDetails.networkInterfaces.securityGroups.groupId
Security group name                       resource.instanceDetails.networkInterfaces.securityGroups.groupName
Subnet ID                                 resource.instanceDetails.networkInterfaces.subnetId
VPC ID                                    resource.instanceDetails.networkInterfaces.vpcId
Outpost ARN                               resource.instanceDetails.outpostARN
Resource type                             resource.resourceType
Bucket permissions                        resource.s3BucketDetails.publicAccess.effectivePermission
Bucket name                               resource.s3BucketDetails.name
Bucket tag key                            resource.s3BucketDetails.tags.key
Bucket tag value                          resource.s3BucketDetails.tags.value
Bucket type                               resource.s3BucketDetails.type
Action type                               service.action.actionType
API called                                service.action.awsApiCallAction.api
API caller type                           service.action.awsApiCallAction.callerType
API Error Code                            service.action.awsApiCallAction.errorCode
API caller city                           service.action.awsApiCallAction.remoteIpDetails.city.cityName
API caller country                        service.action.awsApiCallAction.remoteIpDetails.country.countryName
API caller IPv4 address                   service.action.awsApiCallAction.remoteIpDetails.ipAddressV4
API caller ASN ID                         service.action.awsApiCallAction.remoteIpDetails.organization.asn
API caller ASN name                       service.action.awsApiCallAction.remoteIpDetails.organization.asnOrg
API caller service name                   service.action.awsApiCallAction.serviceName
API caller account ID                     service.action.awsApiCallAction.remoteAccountDetails.accountId
Remote account affiliated                 service.action.awsApiCallAction.remoteAccountDetails.affiliated
DNS request domain                        service.action.dnsRequestAction.domain
DNS request domain suffix                 service.action.dnsRequestAction.domainWithSuffix
Network connection blocked                service.action.networkConnectionAction.blocked
Network connection direction              service.action.networkConnectionAction.connectionDirection
Network connection protocol               service.action.networkConnectionAction.protocol
Network connection local IPv4 address     service.action.networkConnectionAction.localIpDetails.ipAddressV4
Network connection local port             service.action.networkConnectionAction.localPortDetails.port
Network connection city                   service.action.networkConnectionAction.remoteIpDetails.city.cityName
Network connection country                service.action.networkConnectionAction.remoteIpDetails.country.countryName
Network connection remote IPv4 address    service.action.networkConnectionAction.remoteIpDetails.ipAddressV4
Network connection remote IP ASN ID       service.action.networkConnectionAction.remoteIpDetails.organization.asn
Network connection remote IP ASN name     service.action.networkConnectionAction.remoteIpDetails.organization.asnOrg
Network connection remote port            service.action.networkConnectionAction.remotePortDetails.port
Kubernetes API caller IPv4 address        service.action.kubernetesApiCallAction.remoteIpDetails.ipAddressV4
Kubernetes API caller ASN ID              service.action.kubernetesApiCallAction.remoteIpDetails.organization.asn
Kubernetes namespace                      service.action.kubernetesApiCallAction.namespace
Kubernetes API call request URI           service.action.kubernetesApiCallAction.requestUri
Kubernetes API status code                service.action.kubernetesApiCallAction.statusCode
Threat list name                          service.additionalInfo.threatListName
Resource role                             service.resourceRole
EKS cluster name                          resource.eksClusterDetails.name
Kubernetes workload name                  resource.kubernetesDetails.kubernetesWorkloadDetails.name
Kubernetes workload namespace             resource.kubernetesDetails.kubernetesWorkloadDetails.namespace
Kubernetes user name                      resource.kubernetesDetails.kubernetesUserDetails.username
Kubernetes container image                resource.kubernetesDetails.kubernetesWorkloadDetails.containers.image
Kubernetes container image prefix         resource.kubernetesDetails.kubernetesWorkloadDetails.containers.imagePrefix
Scan ID                                   service.ebsVolumeScanDetails.scanId
Threat name                               service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.name
Threat severity                           service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.severity
File SHA                                  service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.filePaths.hash
ECS cluster name                          resource.ecsClusterDetails.name
ECS container image                       resource.ecsClusterDetails.taskDetails.containers.image
ECS task definition ARN                   resource.ecsClusterDetails.taskDetails.definitionArn
Standalone container image                resource.containerDetails.image
Database Instance Id                      resource.rdsDbInstanceDetails.dbInstanceIdentifier
Database Cluster Id                       resource.rdsDbInstanceDetails.dbClusterIdentifier
Database Engine                           resource.rdsDbInstanceDetails.engine
Database user                             resource.rdsDbUserDetails.user
Database instance tag key                 resource.rdsDbInstanceDetails.tags.key
Database instance tag value               resource.rdsDbInstanceDetails.tags.value
Executable SHA-256                        service.runtimeDetails.process.executableSha256
Process name                              service.runtimeDetails.process.name
Executable path                           service.runtimeDetails.process.executablePath
Lambda function name                      resource.lambdaDetails.functionName
Lambda function ARN                       resource.lambdaDetails.functionArn
Lambda function tag key                   resource.lambdaDetails.tags.key
Lambda function tag value                 resource.lambdaDetails.tags.value

Note

If you use severity with the API, Amazon CLI, or Amazon CloudFormation, it has a numeric value rather than the console's severity label. For more information, see findingCriteria.

Some fields appear in the console under a second name as well: Protocol is the same field as Network connection protocol (service.action.networkConnectionAction.protocol), API call service name is the same field as API caller service name (service.action.awsApiCallAction.serviceName), and DNS request domain is also used for service.action.dnsRequestAction.domainWithSuffix. When you write criteria in JSON, use the JSON field name; the console label does not matter.