Creates a filter using the specified finding criteria.
guardduty_create_filter(DetectorId, Name, Description, Action, Rank,
  FindingCriteria, ClientToken, Tags)
A list with the following syntax:
list(
  Name = "string"
)
DetectorId: [required] The ID of the detector belonging to the GuardDuty account that you want to create a filter for.
Name: [required] The name of the filter. Minimum length of 3. Maximum length of 64. Valid characters include alphanumeric characters, dot (.), underscore (_), and dash (-). Spaces are not allowed.
Description: The description of the filter.
Action: Specifies the action that is to be applied to the findings that match the filter.
Rank: Specifies the position of the filter in the list of current filters. Also specifies the order in which this filter is applied to the findings.
FindingCriteria: [required] Represents the criteria to be used in the filter for querying findings.
You can only use the following attributes to query findings:
accountId
region
confidence
id
resource.accessKeyDetails.accessKeyId
resource.accessKeyDetails.principalId
resource.accessKeyDetails.userName
resource.accessKeyDetails.userType
resource.instanceDetails.iamInstanceProfile.id
resource.instanceDetails.imageId
resource.instanceDetails.instanceId
resource.instanceDetails.outpostArn
resource.instanceDetails.networkInterfaces.ipv6Addresses
resource.instanceDetails.networkInterfaces.privateIpAddresses.privateIpAddress
resource.instanceDetails.networkInterfaces.publicDnsName
resource.instanceDetails.networkInterfaces.publicIp
resource.instanceDetails.networkInterfaces.securityGroups.groupId
resource.instanceDetails.networkInterfaces.securityGroups.groupName
resource.instanceDetails.networkInterfaces.subnetId
resource.instanceDetails.networkInterfaces.vpcId
resource.instanceDetails.tags.key
resource.instanceDetails.tags.value
resource.resourceType
service.action.actionType
service.action.awsApiCallAction.api
service.action.awsApiCallAction.callerType
service.action.awsApiCallAction.errorCode
service.action.awsApiCallAction.remoteIpDetails.city.cityName
service.action.awsApiCallAction.remoteIpDetails.country.countryName
service.action.awsApiCallAction.remoteIpDetails.ipAddressV4
service.action.awsApiCallAction.remoteIpDetails.organization.asn
service.action.awsApiCallAction.remoteIpDetails.organization.asnOrg
service.action.awsApiCallAction.serviceName
service.action.dnsRequestAction.domain
service.action.networkConnectionAction.blocked
service.action.networkConnectionAction.connectionDirection
service.action.networkConnectionAction.localPortDetails.port
service.action.networkConnectionAction.protocol
service.action.networkConnectionAction.localIpDetails.ipAddressV4
service.action.networkConnectionAction.remoteIpDetails.city.cityName
service.action.networkConnectionAction.remoteIpDetails.country.countryName
service.action.networkConnectionAction.remoteIpDetails.ipAddressV4
service.action.networkConnectionAction.remoteIpDetails.organization.asn
service.action.networkConnectionAction.remoteIpDetails.organization.asnOrg
service.action.networkConnectionAction.remotePortDetails.port
service.additionalInfo.threatListName
service.archived
  When this attribute is set to TRUE, only archived findings are listed. When it's set to FALSE, only unarchived findings are listed. When this attribute is not set, all existing findings are listed.
service.resourceRole
severity
type
updatedAt
  Type: ISO 8601 string format: YYYY-MM-DDTHH:MM:SS.SSSZ or YYYY-MM-DDTHH:MM:SSZ depending on whether the value contains milliseconds.
ClientToken: The idempotency token for the create request.
Tags: The tags to be added to a new filter resource.
svc$create_filter(
  DetectorId = "string",
  Name = "string",
  Description = "string",
  Action = "NOOP"|"ARCHIVE",
  Rank = 123,
  FindingCriteria = list(
    Criterion = list(
      list(
        Eq = list(
          "string"
        ),
        Neq = list(
          "string"
        ),
        Gt = 123,
        Gte = 123,
        Lt = 123,
        Lte = 123,
        Equals = list(
          "string"
        ),
        NotEquals = list(
          "string"
        ),
        GreaterThan = 123,
        GreaterThanOrEqual = 123,
        LessThan = 123,
        LessThanOrEqual = 123
      )
    )
  ),
  ClientToken = "string",
  Tags = list(
    "string"
  )
)
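
An added example, not part of the paws documentation: it builds the create_filter arguments with the Name rule from above enforced, and refuses an ARCHIVE filter that is not scoped to one finding type and one resource. The helper build_filter_request, its scoping policy, the GUARDDUTY_DETECTOR_ID environment variable and the sample finding type and instance ID are assumptions made for illustration.

```r
# Added example, not paws' own code. build_filter_request() is a hypothetical helper.
build_filter_request <- function(detector_id, name, action, criterion,
                                 rank = 1, description = "") {
  # Name rule from the argument description: 3-64 chars of [A-Za-z0-9._-].
  if (!grepl("^[A-Za-z0-9._-]{3,64}$", name))
    stop("invalid filter name: ", name)
  action <- match.arg(action, c("NOOP", "ARCHIVE"))
  keys <- names(criterion)
  if (!is.list(criterion) || is.null(keys) || any(keys == ""))
    stop("criterion must be a list named by finding attribute")
  # Local policy (assumption): an ARCHIVE filter must pin the finding type
  # and one resource.* attribute, so it cannot hide findings account-wide.
  if (action == "ARCHIVE" &&
      !("type" %in% keys && any(startsWith(keys, "resource."))))
    stop("ARCHIVE filter needs 'type' and a resource.* criterion")
  list(DetectorId = detector_id, Name = name, Description = description,
       Action = action, Rank = rank,
       FindingCriteria = list(Criterion = criterion))
}

# Constructed sample values: the instance ID is made up.
req <- build_filter_request(
  detector_id = Sys.getenv("GUARDDUTY_DETECTOR_ID", "DETECTOR_ID_PLACEHOLDER"),
  name        = "archive-scanner-portscan",
  action      = "ARCHIVE",
  description = "Expected port scans from the internal scanner host",
  criterion   = list(
    "type" = list(Equals = list("Recon:EC2/Portscan")),
    "resource.instanceDetails.instanceId" =
      list(Equals = list("i-0123456789abcdef0")),
    "severity" = list(LessThan = 4)
  )
)
str(req)

# A severity-only ARCHIVE filter is rejected by the policy check above.
broad <- tryCatch(
  build_filter_request("DETECTOR_ID_PLACEHOLDER", "archive-all-low", "ARCHIVE",
                       list(severity = list(LessThan = 4))),
  error = function(e) conditionMessage(e))
print(broad)

# Only calls AWS when a detector ID is supplied via the (assumed) env var.
if (nzchar(Sys.getenv("GUARDDUTY_DETECTOR_ID")) &&
    requireNamespace("paws", quietly = TRUE)) {
  resp <- do.call(paws::guardduty()$create_filter, req)
  print(resp$Name)  # the response is list(Name = "string")
}
```

Criterion is passed as a list named by finding attribute, so each key should be one of the attributes listed above.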