/AWS1/IF_GDY=>CREATEFILTER()¶
About CreateFilter¶
Creates a filter using the specified finding criteria. The maximum number of saved filters per Amazon Web Services account per Region is 100. For more information, see Quotas for GuardDuty.
Method Signature¶
METHODS /AWS1/IF_GDY~CREATEFILTER
IMPORTING
!IV_DETECTORID TYPE /AWS1/GDYDETECTORID OPTIONAL
!IV_NAME TYPE /AWS1/GDYFILTERNAME OPTIONAL
!IV_DESCRIPTION TYPE /AWS1/GDYFILTERDESCRIPTION OPTIONAL
!IV_ACTION TYPE /AWS1/GDYFILTERACTION OPTIONAL
!IV_RANK TYPE /AWS1/GDYFILTERRANK OPTIONAL
!IO_FINDINGCRITERIA TYPE REF TO /AWS1/CL_GDYFINDINGCRITERIA OPTIONAL
!IV_CLIENTTOKEN TYPE /AWS1/GDYCLIENTTOKEN OPTIONAL
!IT_TAGS TYPE /AWS1/CL_GDYTAGMAP_W=>TT_TAGMAP OPTIONAL
RETURNING
VALUE(OO_OUTPUT) TYPE REF TO /aws1/cl_gdycreatefilterrsp
RAISING
/AWS1/CX_GDYBADREQUESTEX
/AWS1/CX_GDYINTERNALSERVERER00
/AWS1/CX_GDYCLIENTEXC
/AWS1/CX_GDYSERVEREXC
/AWS1/CX_RT_TECHNICAL_GENERIC
/AWS1/CX_RT_SERVICE_GENERIC.
IMPORTING¶
Required arguments:¶
iv_detectorid TYPE /AWS1/GDYDETECTORID /AWS1/GDYDETECTORID¶
The detector ID associated with the GuardDuty account for which you want to create a filter.
To find the
detectorIdin the current Region, see the Settings page in the GuardDuty console, or run the ListDetectors API.
iv_name TYPE /AWS1/GDYFILTERNAME /AWS1/GDYFILTERNAME¶
The name of the filter. Valid characters include period (.), underscore (_), dash (-), and alphanumeric characters. A whitespace is considered to be an invalid character.
io_findingcriteria TYPE REF TO /AWS1/CL_GDYFINDINGCRITERIA /AWS1/CL_GDYFINDINGCRITERIA¶
Represents the criteria to be used in the filter for querying findings. The following fields are available for filtering:
accountId
arn
associatedAttackSequenceArn
confidence
createdAt
Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
description
id
partition
region
resource.accessKeyDetails.accessKeyId
resource.accessKeyDetails.principalId
resource.accessKeyDetails.userIdentity.accessKeyId
resource.accessKeyDetails.userIdentity.accountId
resource.accessKeyDetails.userIdentity.arn
resource.accessKeyDetails.userIdentity.principalId
resource.accessKeyDetails.userIdentity.sessionContext.attributes.mfaAuthenticated
resource.accessKeyDetails.userIdentity.sessionContext.ec2RoleDelivery
resource.accessKeyDetails.userIdentity.sessionContext.invokedBy
resource.accessKeyDetails.userIdentity.sessionContext.sessionIssuer.accountId
resource.accessKeyDetails.userIdentity.sessionContext.sessionIssuer.arn
resource.accessKeyDetails.userIdentity.sessionContext.sessionIssuer.principalId
resource.accessKeyDetails.userIdentity.sessionContext.sessionIssuer.type
resource.accessKeyDetails.userIdentity.sessionContext.sessionIssuer.userName
resource.accessKeyDetails.userIdentity.sessionContext.sourceIdentity
resource.accessKeyDetails.userIdentity.sessionContext.webIdFederationData.attributes
resource.accessKeyDetails.userIdentity.sessionContext.webIdFederationData.federatedProvider
resource.accessKeyDetails.userIdentity.type
resource.accessKeyDetails.userIdentity.userName
resource.accessKeyDetails.userName
resource.accessKeyDetails.userType
resource.bedrockGuardrailDetails.guardrailArn
resource.bedrockGuardrailDetails.guardrailVersion
resource.containerDetails.containerRuntime
resource.containerDetails.id
resource.containerDetails.image
resource.containerDetails.imagePrefix
resource.containerDetails.name
resource.containerDetails.securityContext.allowPrivilegeEscalation
resource.containerDetails.securityContext.privileged
resource.containerDetails.volumeMounts.mountPath
resource.containerDetails.volumeMounts.name
resource.ebsSnapshotDetails.snapshotArn
resource.ebsVolumeDetails.scannedVolumeDetails.deviceName
resource.ebsVolumeDetails.scannedVolumeDetails.encryptionType
resource.ebsVolumeDetails.scannedVolumeDetails.kmsKeyArn
resource.ebsVolumeDetails.scannedVolumeDetails.snapshotArn
resource.ebsVolumeDetails.scannedVolumeDetails.volumeArn
resource.ebsVolumeDetails.scannedVolumeDetails.volumeSizeInGB
resource.ebsVolumeDetails.scannedVolumeDetails.volumeType
resource.ebsVolumeDetails.skippedVolumeDetails.deviceName
resource.ebsVolumeDetails.skippedVolumeDetails.encryptionType
resource.ebsVolumeDetails.skippedVolumeDetails.kmsKeyArn
resource.ebsVolumeDetails.skippedVolumeDetails.snapshotArn
resource.ebsVolumeDetails.skippedVolumeDetails.volumeArn
resource.ebsVolumeDetails.skippedVolumeDetails.volumeSizeInGB
resource.ebsVolumeDetails.skippedVolumeDetails.volumeType
resource.ec2ImageDetails.imageArn
resource.ecsClusterDetails.activeServicesCount
resource.ecsClusterDetails.arn
resource.ecsClusterDetails.name
resource.ecsClusterDetails.registeredContainerInstancesCount
resource.ecsClusterDetails.runningTasksCount
resource.ecsClusterDetails.status
resource.ecsClusterDetails.tags.key
resource.ecsClusterDetails.tags.value
resource.ecsClusterDetails.taskDetails.arn
resource.ecsClusterDetails.taskDetails.containers.containerRuntime
resource.ecsClusterDetails.taskDetails.containers.id
resource.ecsClusterDetails.taskDetails.containers.image
resource.ecsClusterDetails.taskDetails.containers.imagePrefix
resource.ecsClusterDetails.taskDetails.containers.name
resource.ecsClusterDetails.taskDetails.containers.securityContext.allowPrivilegeEscalation
resource.ecsClusterDetails.taskDetails.containers.securityContext.privileged
resource.ecsClusterDetails.taskDetails.containers.volumeMounts.mountPath
resource.ecsClusterDetails.taskDetails.containers.volumeMounts.name
resource.ecsClusterDetails.taskDetails.createdAt
Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
resource.ecsClusterDetails.taskDetails.definitionArn
resource.ecsClusterDetails.taskDetails.group
resource.ecsClusterDetails.taskDetails.launchType
resource.ecsClusterDetails.taskDetails.startedAt
Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
resource.ecsClusterDetails.taskDetails.startedBy
resource.ecsClusterDetails.taskDetails.tags.key
resource.ecsClusterDetails.taskDetails.tags.value
resource.ecsClusterDetails.taskDetails.version
resource.ecsClusterDetails.taskDetails.volumes.hostPath.path
resource.ecsClusterDetails.taskDetails.volumes.name
resource.eksClusterDetails.arn
resource.eksClusterDetails.createdAt
Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
resource.eksClusterDetails.name
resource.eksClusterDetails.status
resource.eksClusterDetails.tags.key
resource.eksClusterDetails.tags.value
resource.eksClusterDetails.vpcId
resource.instanceDetails.availabilityZone
resource.instanceDetails.iamInstanceProfile.arn
resource.instanceDetails.iamInstanceProfile.id
resource.instanceDetails.imageDescription
resource.instanceDetails.imageId
resource.instanceDetails.instanceId
resource.instanceDetails.instanceState
resource.instanceDetails.instanceType
resource.instanceDetails.launchTime
Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
resource.instanceDetails.networkInterfaces.ipv6Addresses
resource.instanceDetails.networkInterfaces.networkInterfaceId
resource.instanceDetails.networkInterfaces.privateDnsName
resource.instanceDetails.networkInterfaces.privateIpAddress
resource.instanceDetails.networkInterfaces.privateIpAddresses.privateDnsName
resource.instanceDetails.networkInterfaces.privateIpAddresses.privateIpAddress
resource.instanceDetails.networkInterfaces.publicDnsName
resource.instanceDetails.networkInterfaces.publicIp
resource.instanceDetails.networkInterfaces.securityGroups.groupId
resource.instanceDetails.networkInterfaces.securityGroups.groupName
resource.instanceDetails.networkInterfaces.subnetId
resource.instanceDetails.networkInterfaces.vpcId
resource.instanceDetails.outpostArn
resource.instanceDetails.platform
resource.instanceDetails.productCodes.productCodeId
resource.instanceDetails.productCodes.productCodeType
resource.instanceDetails.tags.key
resource.instanceDetails.tags.value
resource.kubernetesDetails.kubernetesUserDetails.groups
resource.kubernetesDetails.kubernetesUserDetails.impersonatedUser.groups
resource.kubernetesDetails.kubernetesUserDetails.impersonatedUser.username
resource.kubernetesDetails.kubernetesUserDetails.sessionName
resource.kubernetesDetails.kubernetesUserDetails.uid
resource.kubernetesDetails.kubernetesUserDetails.username
resource.kubernetesDetails.kubernetesWorkloadDetails.containers.containerRuntime
resource.kubernetesDetails.kubernetesWorkloadDetails.containers.id
resource.kubernetesDetails.kubernetesWorkloadDetails.containers.image
resource.kubernetesDetails.kubernetesWorkloadDetails.containers.imagePrefix
resource.kubernetesDetails.kubernetesWorkloadDetails.containers.name
resource.kubernetesDetails.kubernetesWorkloadDetails.containers.securityContext.allowPrivilegeEscalation
resource.kubernetesDetails.kubernetesWorkloadDetails.containers.securityContext.privileged
resource.kubernetesDetails.kubernetesWorkloadDetails.containers.volumeMounts.mountPath
resource.kubernetesDetails.kubernetesWorkloadDetails.containers.volumeMounts.name
resource.kubernetesDetails.kubernetesWorkloadDetails.hostIpc
resource.kubernetesDetails.kubernetesWorkloadDetails.hostNetwork
resource.kubernetesDetails.kubernetesWorkloadDetails.hostPid
resource.kubernetesDetails.kubernetesWorkloadDetails.name
resource.kubernetesDetails.kubernetesWorkloadDetails.namespace
resource.kubernetesDetails.kubernetesWorkloadDetails.serviceAccountName
resource.kubernetesDetails.kubernetesWorkloadDetails.type
resource.kubernetesDetails.kubernetesWorkloadDetails.uid
resource.kubernetesDetails.kubernetesWorkloadDetails.volumes.hostPath.path
resource.kubernetesDetails.kubernetesWorkloadDetails.volumes.name
resource.lambdaDetails.description
resource.lambdaDetails.functionArn
resource.lambdaDetails.functionName
resource.lambdaDetails.functionVersion
resource.lambdaDetails.lastModifiedAt
Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
resource.lambdaDetails.revisionId
resource.lambdaDetails.role
resource.lambdaDetails.tags.key
resource.lambdaDetails.tags.value
resource.lambdaDetails.vpcConfig.securityGroups.groupId
resource.lambdaDetails.vpcConfig.securityGroups.groupName
resource.lambdaDetails.vpcConfig.subnetIds
resource.lambdaDetails.vpcConfig.vpcId
resource.rdsDbInstanceDetails.dbClusterIdentifier
resource.rdsDbInstanceDetails.dbInstanceArn
resource.rdsDbInstanceDetails.dbInstanceIdentifier
resource.rdsDbInstanceDetails.dbSecurityGroups.name
resource.rdsDbInstanceDetails.dbSecurityGroups.status
resource.rdsDbInstanceDetails.dbiResourceId
resource.rdsDbInstanceDetails.engine
resource.rdsDbInstanceDetails.engineVersion
resource.rdsDbInstanceDetails.iamDatabaseAuthenticationEnabled
resource.rdsDbInstanceDetails.publiclyAccessible
resource.rdsDbInstanceDetails.tags.key
resource.rdsDbInstanceDetails.tags.value
resource.rdsDbInstanceDetails.vpcId
resource.rdsDbInstanceDetails.vpcSecurityGroups.status
resource.rdsDbInstanceDetails.vpcSecurityGroups.vpcSecurityGroupId
resource.rdsDbUserDetails.application
resource.rdsDbUserDetails.authMethod
resource.rdsDbUserDetails.database
resource.rdsDbUserDetails.ssl
resource.rdsDbUserDetails.user
resource.rdsLimitlessDbDetails.dbClusterIdentifier
resource.rdsLimitlessDbDetails.dbShardGroupArn
resource.rdsLimitlessDbDetails.dbShardGroupIdentifier
resource.rdsLimitlessDbDetails.dbShardGroupResourceId
resource.rdsLimitlessDbDetails.engine
resource.rdsLimitlessDbDetails.engineVersion
resource.rdsLimitlessDbDetails.tags.key
resource.rdsLimitlessDbDetails.tags.value
resource.recoveryPointDetails.backupVaultName
resource.recoveryPointDetails.recoveryPointArn
resource.resourceType
resource.s3BucketDetails.arn
resource.s3BucketDetails.createdAt
Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
resource.s3BucketDetails.defaultServerSideEncryption.encryptionType
resource.s3BucketDetails.defaultServerSideEncryption.kmsMasterKeyArn
resource.s3BucketDetails.name
resource.s3BucketDetails.owner.id
resource.s3BucketDetails.publicAccess.effectivePermission
resource.s3BucketDetails.publicAccess.permissionConfiguration.accountLevelPermissions.blockPublicAccess.blockPublicAcls
resource.s3BucketDetails.publicAccess.permissionConfiguration.accountLevelPermissions.blockPublicAccess.blockPublicPolicy
resource.s3BucketDetails.publicAccess.permissionConfiguration.accountLevelPermissions.blockPublicAccess.ignorePublicAcls
resource.s3BucketDetails.publicAccess.permissionConfiguration.accountLevelPermissions.blockPublicAccess.restrictPublicBuckets
resource.s3BucketDetails.publicAccess.permissionConfiguration.bucketLevelPermissions.accessControlList.allowsPublicReadAccess
resource.s3BucketDetails.publicAccess.permissionConfiguration.bucketLevelPermissions.accessControlList.allowsPublicWriteAccess
resource.s3BucketDetails.publicAccess.permissionConfiguration.bucketLevelPermissions.blockPublicAccess.blockPublicAcls
resource.s3BucketDetails.publicAccess.permissionConfiguration.bucketLevelPermissions.blockPublicAccess.blockPublicPolicy
resource.s3BucketDetails.publicAccess.permissionConfiguration.bucketLevelPermissions.blockPublicAccess.ignorePublicAcls
resource.s3BucketDetails.publicAccess.permissionConfiguration.bucketLevelPermissions.blockPublicAccess.restrictPublicBuckets
resource.s3BucketDetails.publicAccess.permissionConfiguration.bucketLevelPermissions.bucketPolicy.allowsPublicReadAccess
resource.s3BucketDetails.publicAccess.permissionConfiguration.bucketLevelPermissions.bucketPolicy.allowsPublicWriteAccess
resource.s3BucketDetails.s3ObjectDetails.eTag
resource.s3BucketDetails.s3ObjectDetails.hash
resource.s3BucketDetails.s3ObjectDetails.key
resource.s3BucketDetails.s3ObjectDetails.objectArn
resource.s3BucketDetails.s3ObjectDetails.versionId
resource.s3BucketDetails.tags.key
resource.s3BucketDetails.tags.value
resource.s3BucketDetails.type
schemaVersion
service.action.actionType
service.action.awsApiCallAction.affectedResources
service.action.awsApiCallAction.api
service.action.awsApiCallAction.callerType
service.action.awsApiCallAction.domainDetails.domain
service.action.awsApiCallAction.errorCode
service.action.awsApiCallAction.remoteAccountDetails.accountId
service.action.awsApiCallAction.remoteAccountDetails.affiliated
service.action.awsApiCallAction.remoteAccountDetails.awsServiceName
service.action.awsApiCallAction.remoteIpDetails.city.cityName
service.action.awsApiCallAction.remoteIpDetails.country.countryCode
service.action.awsApiCallAction.remoteIpDetails.country.countryName
service.action.awsApiCallAction.remoteIpDetails.geoLocation.lat
service.action.awsApiCallAction.remoteIpDetails.geoLocation.lon
service.action.awsApiCallAction.remoteIpDetails.ipAddressV4
service.action.awsApiCallAction.remoteIpDetails.ipAddressV6
service.action.awsApiCallAction.remoteIpDetails.organization.asn
service.action.awsApiCallAction.remoteIpDetails.organization.asnOrg
service.action.awsApiCallAction.remoteIpDetails.organization.isp
service.action.awsApiCallAction.remoteIpDetails.organization.org
service.action.awsApiCallAction.serviceName
service.action.awsApiCallAction.userAgent
service.action.dnsRequestAction.blocked
service.action.dnsRequestAction.domain
service.action.dnsRequestAction.domainWithSuffix
service.action.dnsRequestAction.protocol
service.action.dnsRequestAction.vpcOwnerAccountId
service.action.kubernetesApiCallAction.namespace
service.action.kubernetesApiCallAction.parameters
service.action.kubernetesApiCallAction.remoteIpDetails.city.cityName
service.action.kubernetesApiCallAction.remoteIpDetails.country.countryCode
service.action.kubernetesApiCallAction.remoteIpDetails.country.countryName
service.action.kubernetesApiCallAction.remoteIpDetails.geoLocation.lat
service.action.kubernetesApiCallAction.remoteIpDetails.geoLocation.lon
service.action.kubernetesApiCallAction.remoteIpDetails.ipAddressV4
service.action.kubernetesApiCallAction.remoteIpDetails.ipAddressV6
service.action.kubernetesApiCallAction.remoteIpDetails.organization.asn
service.action.kubernetesApiCallAction.remoteIpDetails.organization.asnOrg
service.action.kubernetesApiCallAction.remoteIpDetails.organization.isp
service.action.kubernetesApiCallAction.remoteIpDetails.organization.org
service.action.kubernetesApiCallAction.requestUri
service.action.kubernetesApiCallAction.resource
service.action.kubernetesApiCallAction.resourceName
service.action.kubernetesApiCallAction.sourceIPs
service.action.kubernetesApiCallAction.statusCode
service.action.kubernetesApiCallAction.subresource
service.action.kubernetesApiCallAction.userAgent
service.action.kubernetesApiCallAction.verb
service.action.kubernetesPermissionCheckedDetails.allowed
service.action.kubernetesPermissionCheckedDetails.namespace
service.action.kubernetesPermissionCheckedDetails.resource
service.action.kubernetesPermissionCheckedDetails.verb
service.action.kubernetesRoleBindingDetails.kind
service.action.kubernetesRoleBindingDetails.name
service.action.kubernetesRoleBindingDetails.roleRefKind
service.action.kubernetesRoleBindingDetails.roleRefName
service.action.kubernetesRoleBindingDetails.uid
service.action.kubernetesRoleDetails.kind
service.action.kubernetesRoleDetails.name
service.action.kubernetesRoleDetails.uid
service.action.networkConnectionAction.blocked
service.action.networkConnectionAction.connectionDirection
service.action.networkConnectionAction.localIpDetails.ipAddressV4
service.action.networkConnectionAction.localIpDetails.ipAddressV6
service.action.networkConnectionAction.localNetworkInterface
service.action.networkConnectionAction.localPortDetails.port
service.action.networkConnectionAction.localPortDetails.portName
service.action.networkConnectionAction.protocol
service.action.networkConnectionAction.remoteIpDetails.city.cityName
service.action.networkConnectionAction.remoteIpDetails.country.countryCode
service.action.networkConnectionAction.remoteIpDetails.country.countryName
service.action.networkConnectionAction.remoteIpDetails.geoLocation.lat
service.action.networkConnectionAction.remoteIpDetails.geoLocation.lon
service.action.networkConnectionAction.remoteIpDetails.ipAddressV4
service.action.networkConnectionAction.remoteIpDetails.ipAddressV6
service.action.networkConnectionAction.remoteIpDetails.organization.asn
service.action.networkConnectionAction.remoteIpDetails.organization.asnOrg
service.action.networkConnectionAction.remoteIpDetails.organization.isp
service.action.networkConnectionAction.remoteIpDetails.organization.org
service.action.networkConnectionAction.remotePortDetails.port
service.action.networkConnectionAction.remotePortDetails.portName
service.action.portProbeAction.blocked
service.action.portProbeAction.portProbeDetails.localIpDetails.ipAddressV4
service.action.portProbeAction.portProbeDetails.localIpDetails.ipAddressV6
service.action.portProbeAction.portProbeDetails.localPortDetails.port
service.action.portProbeAction.portProbeDetails.localPortDetails.portName
service.action.portProbeAction.portProbeDetails.remoteIpDetails.city.cityName
service.action.portProbeAction.portProbeDetails.remoteIpDetails.country.countryCode
service.action.portProbeAction.portProbeDetails.remoteIpDetails.country.countryName
service.action.portProbeAction.portProbeDetails.remoteIpDetails.geoLocation.lat
service.action.portProbeAction.portProbeDetails.remoteIpDetails.geoLocation.lon
service.action.portProbeAction.portProbeDetails.remoteIpDetails.ipAddressV4
service.action.portProbeAction.portProbeDetails.remoteIpDetails.ipAddressV6
service.action.portProbeAction.portProbeDetails.remoteIpDetails.organization.asn
service.action.portProbeAction.portProbeDetails.remoteIpDetails.organization.asnOrg
service.action.portProbeAction.portProbeDetails.remoteIpDetails.organization.isp
service.action.portProbeAction.portProbeDetails.remoteIpDetails.organization.org
service.action.rdsLoginAttemptAction.loginAttributes.application
service.action.rdsLoginAttemptAction.loginAttributes.failedLoginAttempts
service.action.rdsLoginAttemptAction.loginAttributes.successfulLoginAttempts
service.action.rdsLoginAttemptAction.loginAttributes.user
service.action.rdsLoginAttemptAction.remoteIpDetails.city.cityName
service.action.rdsLoginAttemptAction.remoteIpDetails.country.countryCode
service.action.rdsLoginAttemptAction.remoteIpDetails.country.countryName
service.action.rdsLoginAttemptAction.remoteIpDetails.geoLocation.lat
service.action.rdsLoginAttemptAction.remoteIpDetails.geoLocation.lon
service.action.rdsLoginAttemptAction.remoteIpDetails.ipAddressV4
service.action.rdsLoginAttemptAction.remoteIpDetails.ipAddressV6
service.action.rdsLoginAttemptAction.remoteIpDetails.organization.asn
service.action.rdsLoginAttemptAction.remoteIpDetails.organization.asnOrg
service.action.rdsLoginAttemptAction.remoteIpDetails.organization.isp
service.action.rdsLoginAttemptAction.remoteIpDetails.organization.org
service.additionalInfo.agentDetails.agentId
service.additionalInfo.agentDetails.agentVersion
service.additionalInfo.anomalies.anomalousAPIs
service.additionalInfo.authenticationMethod
service.additionalInfo.averagePacketSizeIn
service.additionalInfo.averagePacketSizeOut
service.additionalInfo.context
service.additionalInfo.domain
service.additionalInfo.inBytes
service.additionalInfo.localNetworkInterfaceOwner
service.additionalInfo.localPort
service.additionalInfo.outBytes
service.additionalInfo.packetsIn
service.additionalInfo.packetsOut
service.additionalInfo.policyArn
service.additionalInfo.policyName
service.additionalInfo.remotePort
service.additionalInfo.sample
service.additionalInfo.scannedPort
service.additionalInfo.threatFileSha256
service.additionalInfo.threatListName
service.additionalInfo.threatName
service.additionalInfo.totalBytesIn
service.additionalInfo.totalBytesOut
service.additionalInfo.type
service.additionalInfo.unusual.asnOrg
service.additionalInfo.unusual.port
service.additionalInfo.unusualProtocol
service.additionalInfo.userAgent.fullUserAgent
service.additionalInfo.userAgent.userAgentCategory
service.additionalInfo.value
service.additionalInfo.vpcOwnerAccountId
service.archived
service.count
service.detection.anomaly.profiles
service.detection.anomaly.unusual.behavior
service.detection.sequence.actors.id
service.detection.sequence.actors.process.name
service.detection.sequence.actors.process.path
service.detection.sequence.actors.process.sha256
service.detection.sequence.actors.session.createdTime
Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
service.detection.sequence.actors.session.issuer
service.detection.sequence.actors.session.mfaStatus
service.detection.sequence.actors.session.uid
service.detection.sequence.actors.user.account.account
service.detection.sequence.actors.user.account.uid
service.detection.sequence.actors.user.credentialUid
service.detection.sequence.actors.user.name
service.detection.sequence.actors.user.type
service.detection.sequence.actors.user.uid
service.detection.sequence.additionalSequenceTypes
service.detection.sequence.description
service.detection.sequence.endpoints.autonomousSystem.name
service.detection.sequence.endpoints.autonomousSystem.number
service.detection.sequence.endpoints.connection.direction
service.detection.sequence.endpoints.domain
service.detection.sequence.endpoints.id
service.detection.sequence.endpoints.ip
service.detection.sequence.endpoints.location.city
service.detection.sequence.endpoints.location.country
service.detection.sequence.endpoints.location.lat
service.detection.sequence.endpoints.location.lon
service.detection.sequence.endpoints.port
service.detection.sequence.resources.accountId
service.detection.sequence.resources.cloudPartition
service.detection.sequence.resources.data.accessKey.principalId
service.detection.sequence.resources.data.accessKey.userName
service.detection.sequence.resources.data.accessKey.userType
service.detection.sequence.resources.data.autoscalingAutoScalingGroup.ec2InstanceUids
service.detection.sequence.resources.data.cloudformationStack.ec2InstanceUids
service.detection.sequence.resources.data.container.image
service.detection.sequence.resources.data.container.imageUid
service.detection.sequence.resources.data.ec2Image.ec2InstanceUids
service.detection.sequence.resources.data.ec2Instance.availabilityZone
service.detection.sequence.resources.data.ec2Instance.ec2NetworkInterfaceUids
service.detection.sequence.resources.data.ec2Instance.iamInstanceProfile.arn
service.detection.sequence.resources.data.ec2Instance.iamInstanceProfile.id
service.detection.sequence.resources.data.ec2Instance.imageDescription
service.detection.sequence.resources.data.ec2Instance.instanceState
service.detection.sequence.resources.data.ec2Instance.instanceType
service.detection.sequence.resources.data.ec2Instance.outpostArn
service.detection.sequence.resources.data.ec2Instance.platform
service.detection.sequence.resources.data.ec2Instance.productCodes.productCodeId
service.detection.sequence.resources.data.ec2Instance.productCodes.productCodeType
service.detection.sequence.resources.data.ec2LaunchTemplate.ec2InstanceUids
service.detection.sequence.resources.data.ec2LaunchTemplate.version
service.detection.sequence.resources.data.ec2NetworkInterface.ipv6Addresses
service.detection.sequence.resources.data.ec2NetworkInterface.privateIpAddresses.privateDnsName
service.detection.sequence.resources.data.ec2NetworkInterface.privateIpAddresses.privateIpAddress
service.detection.sequence.resources.data.ec2NetworkInterface.publicIp
service.detection.sequence.resources.data.ec2NetworkInterface.securityGroups.groupId
service.detection.sequence.resources.data.ec2NetworkInterface.securityGroups.groupName
service.detection.sequence.resources.data.ec2NetworkInterface.subNetId
service.detection.sequence.resources.data.ec2NetworkInterface.vpcId
service.detection.sequence.resources.data.ec2Vpc.ec2InstanceUids
service.detection.sequence.resources.data.ecsCluster.ec2InstanceUids
service.detection.sequence.resources.data.ecsCluster.status
service.detection.sequence.resources.data.ecsTask.containerUids
service.detection.sequence.resources.data.ecsTask.createdAt
Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
service.detection.sequence.resources.data.ecsTask.launchType
service.detection.sequence.resources.data.ecsTask.taskDefinitionArn
service.detection.sequence.resources.data.eksCluster.arn
service.detection.sequence.resources.data.eksCluster.createdAt
Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
service.detection.sequence.resources.data.eksCluster.ec2InstanceUids
service.detection.sequence.resources.data.eksCluster.status
service.detection.sequence.resources.data.eksCluster.vpcId
service.detection.sequence.resources.data.iamInstanceProfile.ec2InstanceUids
service.detection.sequence.resources.data.iamInstanceProfile.id
service.detection.sequence.resources.data.kubernetesWorkload.containerUids
service.detection.sequence.resources.data.kubernetesWorkload.namespace
service.detection.sequence.resources.data.kubernetesWorkload.type
service.detection.sequence.resources.data.s3Bucket.accountPublicAccess.publicAclAccess
service.detection.sequence.resources.data.s3Bucket.accountPublicAccess.publicAclIgnoreBehavior
service.detection.sequence.resources.data.s3Bucket.accountPublicAccess.publicBucketRestrictBehavior
service.detection.sequence.resources.data.s3Bucket.accountPublicAccess.publicPolicyAccess
service.detection.sequence.resources.data.s3Bucket.bucketPublicAccess.publicAclAccess
service.detection.sequence.resources.data.s3Bucket.bucketPublicAccess.publicAclIgnoreBehavior
service.detection.sequence.resources.data.s3Bucket.bucketPublicAccess.publicBucketRestrictBehavior
service.detection.sequence.resources.data.s3Bucket.bucketPublicAccess.publicPolicyAccess
service.detection.sequence.resources.data.s3Bucket.createdAt
Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
service.detection.sequence.resources.data.s3Bucket.effectivePermission
service.detection.sequence.resources.data.s3Bucket.encryptionKeyArn
service.detection.sequence.resources.data.s3Bucket.encryptionType
service.detection.sequence.resources.data.s3Bucket.ownerId
service.detection.sequence.resources.data.s3Bucket.publicReadAccess
service.detection.sequence.resources.data.s3Bucket.publicWriteAccess
service.detection.sequence.resources.data.s3Bucket.s3ObjectUids
service.detection.sequence.resources.data.s3Object.eTag
service.detection.sequence.resources.data.s3Object.key
service.detection.sequence.resources.data.s3Object.versionId
service.detection.sequence.resources.name
service.detection.sequence.resources.region
service.detection.sequence.resources.resourceType
service.detection.sequence.resources.service
service.detection.sequence.resources.tags.key
service.detection.sequence.resources.tags.value
service.detection.sequence.resources.uid
service.detection.sequence.sequenceIndicators.key
service.detection.sequence.sequenceIndicators.title
service.detection.sequence.sequenceIndicators.values
service.detection.sequence.signals.actorIds
service.detection.sequence.signals.count
service.detection.sequence.signals.createdAt
Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
service.detection.sequence.signals.description
service.detection.sequence.signals.endpointIds
service.detection.sequence.signals.firstSeenAt
Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
service.detection.sequence.signals.lastSeenAt
Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
service.detection.sequence.signals.name
service.detection.sequence.signals.resourceUids
service.detection.sequence.signals.severity
service.detection.sequence.signals.signalIndicators.key
service.detection.sequence.signals.signalIndicators.title
service.detection.sequence.signals.signalIndicators.values
service.detection.sequence.signals.type
service.detection.sequence.signals.uid
service.detection.sequence.signals.updatedAt
Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
service.detection.sequence.uid
service.detectorId
service.ebsVolumeScanDetails.scanCompletedAt
Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
service.ebsVolumeScanDetails.scanDetections.highestSeverityThreatDetails.count
service.ebsVolumeScanDetails.scanDetections.highestSeverityThreatDetails.severity
service.ebsVolumeScanDetails.scanDetections.highestSeverityThreatDetails.threatName
service.ebsVolumeScanDetails.scanDetections.scannedItemCount.files
service.ebsVolumeScanDetails.scanDetections.scannedItemCount.totalGb
service.ebsVolumeScanDetails.scanDetections.scannedItemCount.volumes
service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.itemCount
service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.shortened
service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.filePaths.fileName
service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.filePaths.filePath
service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.filePaths.hash
service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.filePaths.volumeArn
service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.itemCount
service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.name
service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.severity
service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.uniqueThreatNameCount
service.ebsVolumeScanDetails.scanDetections.threatsDetectedItemCount.files
service.ebsVolumeScanDetails.scanId
service.ebsVolumeScanDetails.scanStartedAt
Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
service.ebsVolumeScanDetails.scanType
service.ebsVolumeScanDetails.sources
service.ebsVolumeScanDetails.triggerFindingId
service.eventFirstSeen
Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
service.eventLastSeen
Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
service.evidence.threatIntelligenceDetails.threatFileSha256
service.evidence.threatIntelligenceDetails.threatListName
service.evidence.threatIntelligenceDetails.threatNames
service.featureName
service.malwareScanDetails.scanCategory
service.malwareScanDetails.scanConfiguration.incrementalScanDetails.baselineResourceArn
service.malwareScanDetails.scanConfiguration.triggerType
service.malwareScanDetails.scanId
service.malwareScanDetails.scanType
service.malwareScanDetails.threats.count
service.malwareScanDetails.threats.hash
service.malwareScanDetails.threats.itemDetails.additionalInfo.deviceName
service.malwareScanDetails.threats.itemDetails.additionalInfo.versionId
service.malwareScanDetails.threats.itemDetails.hash
service.malwareScanDetails.threats.itemDetails.itemPath
service.malwareScanDetails.threats.itemDetails.resourceArn
service.malwareScanDetails.threats.itemPaths.hash
service.malwareScanDetails.threats.itemPaths.nestedItemPath
service.malwareScanDetails.threats.name
service.malwareScanDetails.threats.source
service.malwareScanDetails.uniqueThreatCount
service.resourceRole
service.runtimeDetails.context.addressFamily
service.runtimeDetails.context.commandLineExample
service.runtimeDetails.context.fileOperation
service.runtimeDetails.context.filePath
service.runtimeDetails.context.fileSystemType
service.runtimeDetails.context.flags
service.runtimeDetails.context.ianaProtocolNumber
service.runtimeDetails.context.ldPreloadValue
service.runtimeDetails.context.libraryPath
service.runtimeDetails.context.memoryRegions
service.runtimeDetails.context.modifiedAt
Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
service.runtimeDetails.context.modifyingProcess.euid
service.runtimeDetails.context.modifyingProcess.executablePath
service.runtimeDetails.context.modifyingProcess.executableSha256
service.runtimeDetails.context.modifyingProcess.lineage.euid
service.runtimeDetails.context.modifyingProcess.lineage.executablePath
service.runtimeDetails.context.modifyingProcess.lineage.name
service.runtimeDetails.context.modifyingProcess.lineage.namespacePid
service.runtimeDetails.context.modifyingProcess.lineage.parentUuid
service.runtimeDetails.context.modifyingProcess.lineage.pid
service.runtimeDetails.context.modifyingProcess.lineage.startTime
Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
service.runtimeDetails.context.modifyingProcess.lineage.userId
service.runtimeDetails.context.modifyingProcess.lineage.uuid
service.runtimeDetails.context.modifyingProcess.name
service.runtimeDetails.context.modifyingProcess.namespacePid
service.runtimeDetails.context.modifyingProcess.parentUuid
service.runtimeDetails.context.modifyingProcess.pid
service.runtimeDetails.context.modifyingProcess.pwd
service.runtimeDetails.context.modifyingProcess.startTime
Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
service.runtimeDetails.context.modifyingProcess.user
service.runtimeDetails.context.modifyingProcess.userId
service.runtimeDetails.context.modifyingProcess.uuid
service.runtimeDetails.context.moduleFilePath
service.runtimeDetails.context.moduleName
service.runtimeDetails.context.moduleSha256
service.runtimeDetails.context.mountSource
service.runtimeDetails.context.mountTarget
service.runtimeDetails.context.relatedFilePaths
service.runtimeDetails.context.releaseAgentPath
service.runtimeDetails.context.runcBinaryPath
service.runtimeDetails.context.scriptPath
service.runtimeDetails.context.serviceName
service.runtimeDetails.context.shellHistoryFilePath
service.runtimeDetails.context.socketPath
service.runtimeDetails.context.targetProcess.euid
service.runtimeDetails.context.targetProcess.executablePath
service.runtimeDetails.context.targetProcess.executableSha256
service.runtimeDetails.context.targetProcess.lineage.euid
service.runtimeDetails.context.targetProcess.lineage.executablePath
service.runtimeDetails.context.targetProcess.lineage.name
service.runtimeDetails.context.targetProcess.lineage.namespacePid
service.runtimeDetails.context.targetProcess.lineage.parentUuid
service.runtimeDetails.context.targetProcess.lineage.pid
service.runtimeDetails.context.targetProcess.lineage.startTime
Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
service.runtimeDetails.context.targetProcess.lineage.userId
service.runtimeDetails.context.targetProcess.lineage.uuid
service.runtimeDetails.context.targetProcess.name
service.runtimeDetails.context.targetProcess.namespacePid
service.runtimeDetails.context.targetProcess.parentUuid
service.runtimeDetails.context.targetProcess.pid
service.runtimeDetails.context.targetProcess.pwd
service.runtimeDetails.context.targetProcess.startTime
Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
service.runtimeDetails.context.targetProcess.user
service.runtimeDetails.context.targetProcess.userId
service.runtimeDetails.context.targetProcess.uuid
service.runtimeDetails.context.threatFilePath
service.runtimeDetails.context.toolCategory
service.runtimeDetails.context.toolName
service.runtimeDetails.process.euid
service.runtimeDetails.process.executablePath
service.runtimeDetails.process.executableSha256
service.runtimeDetails.process.lineage.euid
service.runtimeDetails.process.lineage.executablePath
service.runtimeDetails.process.lineage.name
service.runtimeDetails.process.lineage.namespacePid
service.runtimeDetails.process.lineage.parentUuid
service.runtimeDetails.process.lineage.pid
service.runtimeDetails.process.lineage.startTime
Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
service.runtimeDetails.process.lineage.userId
service.runtimeDetails.process.lineage.uuid
service.runtimeDetails.process.name
service.runtimeDetails.process.namespacePid
service.runtimeDetails.process.parentUuid
service.runtimeDetails.process.pid
service.runtimeDetails.process.pwd
service.runtimeDetails.process.startTime
Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
service.runtimeDetails.process.user
service.runtimeDetails.process.userId
service.runtimeDetails.process.uuid
service.serviceName
service.userFeedback
severity
To configure severity based filters, use the following for the FindingCriteria condition:
Low:
["1", "2", "3"]Medium:
["4", "5", "6"]High:
["7", "8"]Critical:
["9", "10"]For more information, see Findings severity levels in the Amazon GuardDuty User Guide.
title
type
updatedAt
Type: Timestamp in Unix Epoch millisecond format. Ex: 1486685375000
Optional arguments:¶
iv_description TYPE /AWS1/GDYFILTERDESCRIPTION /AWS1/GDYFILTERDESCRIPTION¶
The description of the filter. Valid characters include alphanumeric characters, and special characters such as hyphen, period, colon, underscore, parentheses (
{ },[ ], and( )), forward slash, horizontal tab, vertical tab, newline, form feed, return, and whitespace.
iv_action TYPE /AWS1/GDYFILTERACTION /AWS1/GDYFILTERACTION¶
Specifies the action that is to be applied to the findings that match the filter.
Default: NOOP
iv_rank TYPE /AWS1/GDYFILTERRANK /AWS1/GDYFILTERRANK¶
Specifies the position of the filter in the list of current filters. Also specifies the order in which this filter is applied to the findings.
iv_clienttoken TYPE /AWS1/GDYCLIENTTOKEN /AWS1/GDYCLIENTTOKEN¶
The idempotency token for the create request.
it_tags TYPE /AWS1/CL_GDYTAGMAP_W=>TT_TAGMAP TT_TAGMAP¶
The tags to be added to a new filter resource.
RETURNING¶
oo_output TYPE REF TO /aws1/cl_gdycreatefilterrsp /AWS1/CL_GDYCREATEFILTERRSP¶
Examples¶
Syntax Example¶
This is an example of the syntax for calling the method. It includes every possible argument and initializes every possible value. The data provided is not necessarily semantically accurate (for example the value "string" may be provided for something that is intended to be an instance ID, or in some cases two arguments may be mutually exclusive). The syntax shows the ABAP syntax for creating the various data structures.
DATA(lo_result) = lo_client->createfilter(
io_findingcriteria = new /aws1/cl_gdyfindingcriteria(
it_criterion = VALUE /aws1/cl_gdycondition=>tt_criterion(
(
VALUE /aws1/cl_gdycondition=>ts_criterion_maprow(
value = new /aws1/cl_gdycondition(
it_eq = VALUE /aws1/cl_gdyeq_w=>tt_eq(
( new /aws1/cl_gdyeq_w( |string| ) )
)
it_equals = VALUE /aws1/cl_gdyequals_w=>tt_equals(
( new /aws1/cl_gdyequals_w( |string| ) )
)
it_matches = VALUE /aws1/cl_gdymatches_w=>tt_matches(
( new /aws1/cl_gdymatches_w( |string| ) )
)
it_neq = VALUE /aws1/cl_gdyneq_w=>tt_neq(
( new /aws1/cl_gdyneq_w( |string| ) )
)
it_notequals = VALUE /aws1/cl_gdynotequals_w=>tt_notequals(
( new /aws1/cl_gdynotequals_w( |string| ) )
)
it_notmatches = VALUE /aws1/cl_gdynotmatches_w=>tt_notmatches(
( new /aws1/cl_gdynotmatches_w( |string| ) )
)
iv_greaterthan = 123
iv_greaterthanorequal = 123
iv_gt = 123
iv_gte = 123
iv_lessthan = 123
iv_lessthanorequal = 123
iv_lt = 123
iv_lte = 123
)
key = |string|
)
)
)
)
it_tags = VALUE /aws1/cl_gdytagmap_w=>tt_tagmap(
(
VALUE /aws1/cl_gdytagmap_w=>ts_tagmap_maprow(
key = |string|
value = new /aws1/cl_gdytagmap_w( |string| )
)
)
)
iv_action = |string|
iv_clienttoken = |string|
iv_description = |string|
iv_detectorid = |string|
iv_name = |string|
iv_rank = 123
).
This is an example of reading all possible response values
lo_result = lo_result.
IF lo_result IS NOT INITIAL.
lv_filtername = lo_result->get_name( ).
ENDIF.