guardduty_create_filter: Creates a filter using the specified finding criteria

[required] The ID of the detector belonging to the GuardDuty account that you want to create a filter for.

[required] The name of the filter. Valid characters include period (.), underscore (_), dash (-), and alphanumeric characters. A whitespace is considered to be an invalid character.

The description of the filter. Valid characters include alphanumeric characters, and special characters such as hyphen, period, colon, underscore, parentheses ({ }, [ ], and ( )), forward slash, horizontal tab, vertical tab, newline, form feed, return, and whitespace.

[ ]: R:%20

Specifies the action that is to be applied to the findings that match the filter.

Specifies the position of the filter in the list of current filters. Also specifies the order in which this filter is applied to the findings.

[required] Represents the criteria to be used in the filter for querying findings.

You can only use the following attributes to query findings:

• accountId

• region

• id

• resource.accessKeyDetails.accessKeyId

• resource.accessKeyDetails.principalId

• resource.accessKeyDetails.userName

• resource.accessKeyDetails.userType

• resource.instanceDetails.iamInstanceProfile.id

• resource.instanceDetails.imageId

• resource.instanceDetails.instanceId

• resource.instanceDetails.outpostArn

• resource.instanceDetails.networkInterfaces.ipv6Addresses

• resource.instanceDetails.networkInterfaces.privateIpAddresses.privateIpAddress

• resource.instanceDetails.networkInterfaces.publicDnsName

• resource.instanceDetails.networkInterfaces.publicIp

• resource.instanceDetails.networkInterfaces.securityGroups.groupId

• resource.instanceDetails.networkInterfaces.securityGroups.groupName

• resource.instanceDetails.networkInterfaces.subnetId

• resource.instanceDetails.networkInterfaces.vpcId

• resource.instanceDetails.tags.key

• resource.instanceDetails.tags.value

• resource.resourceType

• service.action.actionType

• service.action.awsApiCallAction.api

• service.action.awsApiCallAction.callerType

• service.action.awsApiCallAction.errorCode

• service.action.awsApiCallAction.userAgent

• service.action.awsApiCallAction.remoteIpDetails.city.cityName

• service.action.awsApiCallAction.remoteIpDetails.country.countryName

• service.action.awsApiCallAction.remoteIpDetails.ipAddressV4

• service.action.awsApiCallAction.remoteIpDetails.organization.asn

• service.action.awsApiCallAction.remoteIpDetails.organization.asnOrg

• service.action.awsApiCallAction.serviceName

• service.action.dnsRequestAction.domain

• service.action.networkConnectionAction.blocked

• service.action.networkConnectionAction.connectionDirection

• service.action.networkConnectionAction.localPortDetails.port

• service.action.networkConnectionAction.protocol

• service.action.networkConnectionAction.localIpDetails.ipAddressV4

• service.action.networkConnectionAction.remoteIpDetails.city.cityName

• service.action.networkConnectionAction.remoteIpDetails.country.countryName

• service.action.networkConnectionAction.remoteIpDetails.ipAddressV4

• service.action.networkConnectionAction.remoteIpDetails.organization.asn

• service.action.networkConnectionAction.remoteIpDetails.organization.asnOrg

• service.action.networkConnectionAction.remotePortDetails.port

• service.additionalInfo.threatListName

• resource.s3BucketDetails.publicAccess.effectivePermissions

• resource.s3BucketDetails.name

• resource.s3BucketDetails.tags.key

• resource.s3BucketDetails.tags.value

• resource.s3BucketDetails.type

• service.resourceRole

• severity

• type

• updatedAt

  Type: ISO 8601 string format: YYYY-MM-DDTHH:MM:SS.SSSZ or YYYY-MM-DDTHH:MM:SSZ depending on whether the value contains milliseconds.

The idempotency token for the create request.

The tags to be added to a new filter resource.