CreateFilterRequest

Specifies the action that is to be applied to the findings that match the filter.

The idempotency token for the create request.

The description of the filter. Valid characters include alphanumeric characters, and special characters such as -, ., :, { }, [ ], ( ), /, \t, \n, \x0B, \f, \r, _, and whitespace.

The ID of the detector belonging to the GuardDuty account that you want to create a filter for.

Represents the criteria to be used in the filter for querying findings.

You can only use the following attributes to query findings:

• accountId
• region
• id
• resource.accessKeyDetails.accessKeyId
• resource.accessKeyDetails.principalId
• resource.accessKeyDetails.userName
• resource.accessKeyDetails.userType
• resource.instanceDetails.iamInstanceProfile.id
• resource.instanceDetails.imageId
• resource.instanceDetails.instanceId
• resource.instanceDetails.outpostArn
• resource.instanceDetails.networkInterfaces.ipv6Addresses
• resource.instanceDetails.networkInterfaces.privateIpAddresses.privateIpAddress
• resource.instanceDetails.networkInterfaces.publicDnsName
• resource.instanceDetails.networkInterfaces.publicIp
• resource.instanceDetails.networkInterfaces.securityGroups.groupId
• resource.instanceDetails.networkInterfaces.securityGroups.groupName
• resource.instanceDetails.networkInterfaces.subnetId
• resource.instanceDetails.networkInterfaces.vpcId
• resource.instanceDetails.tags.key
• resource.instanceDetails.tags.value
• resource.resourceType
• service.action.actionType
• service.action.awsApiCallAction.api
• service.action.awsApiCallAction.callerType
• service.action.awsApiCallAction.errorCode
• service.action.awsApiCallAction.userAgent
• service.action.awsApiCallAction.remoteIpDetails.city.cityName
• service.action.awsApiCallAction.remoteIpDetails.country.countryName
• service.action.awsApiCallAction.remoteIpDetails.ipAddressV4
• service.action.awsApiCallAction.remoteIpDetails.organization.asn
• service.action.awsApiCallAction.remoteIpDetails.organization.asnOrg
• service.action.awsApiCallAction.serviceName
• service.action.dnsRequestAction.domain
• service.action.networkConnectionAction.blocked
• service.action.networkConnectionAction.connectionDirection
• service.action.networkConnectionAction.localPortDetails.port
• service.action.networkConnectionAction.protocol
• service.action.networkConnectionAction.localIpDetails.ipAddressV4
• service.action.networkConnectionAction.remoteIpDetails.city.cityName
• service.action.networkConnectionAction.remoteIpDetails.country.countryName
• service.action.networkConnectionAction.remoteIpDetails.ipAddressV4
• service.action.networkConnectionAction.remoteIpDetails.organization.asn
• service.action.networkConnectionAction.remoteIpDetails.organization.asnOrg
• service.action.networkConnectionAction.remotePortDetails.port
• service.additionalInfo.threatListName
• resource.s3BucketDetails.publicAccess.effectivePermissions
• resource.s3BucketDetails.name
• resource.s3BucketDetails.tags.key
• resource.s3BucketDetails.tags.value
• resource.s3BucketDetails.type
• service.resourceRole
• severity
• type
• updatedAt Type: ISO 8601 string format: YYYY-MM-DDTHH:MM:SS.SSSZ or YYYY-MM-DDTHH:MM:SSZ depending on whether the value contains milliseconds.

The name of the filter. Valid characters include period (.), underscore (_), dash (-), and alphanumeric characters. A whitespace is considered to be an invalid character.

Specifies the position of the filter in the list of current filters. Also specifies the order in which this filter is applied to the findings.

The tags to be added to a new filter resource.