Filter

The Filter resource lets you manage AWS GuardDuty Filters, which select findings by the criteria you define. A filter can then take a specific action on the findings that match those criteria.

Minimal Example

Create a basic GuardDuty Filter with the required properties and one optional property.

```ts
import AWS from "alchemy/aws/control";

const simpleFilter = await AWS.GuardDuty.Filter("simpleFilter", {
  DetectorId: "12abcdef34gh567ijkl890mnopqrstu", // placeholder detector ID
  FindingCriteria: {
    Criterion: {
      // GuardDuty severity is a numeric score; the High band is 7.0 to 8.9
      severity: {
        Gte: 7,
        Lt: 9
      }
    }
  },
  Name: "HighSeverityFilter"
});
```

Advanced Configuration

Configure a filter with an action and a rank to prioritize it:

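```ts
import AWS from "alchemy/aws/control";

const advancedFilter = await AWS.GuardDuty.Filter("advancedFilter", {
  DetectorId: "12abcdef34gh567ijkl890mnopqrstu", // placeholder detector ID
  FindingCriteria: {
    Criterion: {
      // Medium (4.0 to 6.9) and High (7.0 to 8.9) severity bands
      severity: {
        Gte: 4,
        Lt: 9
      },
      // Eq values are alternatives and must be exact GuardDuty finding type names
      type: {
        Eq: [
          "UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B",
          "UnauthorizedAccess:IAMUser/MaliciousIPCaller"
        ]
      }
    }
  },
  Name: "MediumAndHighSeverityFilter",
  Action: "NOOP", // NOOP leaves matching findings as they are; ARCHIVE auto-archives them
  Rank: 1 // position of this filter in the detector's filter list
});
```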
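Before a filter's `Action` is changed from `NOOP` to `ARCHIVE`, it helps to preview which findings its criteria would match. The following is an added example, not part of Alchemy or the AWS SDK: the `Condition`, `Criterion` and `Finding` types, the helper names and the sample findings are constructed for illustration, and only the `Eq`, `Neq`, `Gt`, `Gte`, `Lt` and `Lte` operators are modelled.

```typescript
// Added example: local approximation of GuardDuty filter matching.
// Not Alchemy or AWS code; the types and helper names are hypothetical.
type Condition = {
  Eq?: string[]; Neq?: string[];
  Gt?: number; Gte?: number; Lt?: number; Lte?: number;
};
type Criterion = Record<string, Condition>;
type Finding = Record<string, string | number>; // flattened attributes (constructed shape)

// One attribute: Eq values are alternatives (OR); every numeric bound given must hold.
function conditionHolds(value: string | number | undefined, c: Condition): boolean {
  if (value === undefined) return false; // absent attribute: treated here as no match
  const s = String(value);
  if (c.Eq && !c.Eq.includes(s)) return false;
  if (c.Neq && c.Neq.includes(s)) return false;
  const n = Number(value);
  const bounds: Array<[number | undefined, (x: number, b: number) => boolean]> = [
    [c.Gt, (x, b) => x > b],
    [c.Gte, (x, b) => x >= b],
    [c.Lt, (x, b) => x < b],
    [c.Lte, (x, b) => x <= b],
  ];
  return bounds.every(([b, ok]) => b === undefined || (!Number.isNaN(n) && ok(n, b)));
}

// Every attribute named in the Criterion must match (AND across attributes).
function matches(finding: Finding, criterion: Criterion): boolean {
  return Object.entries(criterion).every(([attr, c]) => conditionHolds(finding[attr], c));
}

// Ids of the findings that an ARCHIVE filter with this criterion would auto-archive.
function previewArchived(findings: Finding[], criterion: Criterion): string[] {
  return findings.filter((f) => matches(f, criterion)).map((f) => String(f["id"]));
}

// Constructed sample findings; ids and scores are illustrative.
const sampleFindings: Finding[] = [
  { id: "f-1", severity: 2, type: "Recon:EC2/PortProbeUnprotectedPort" },
  { id: "f-2", severity: 5, type: "UnauthorizedAccess:EC2/SSHBruteForce" },
  { id: "f-3", severity: 8, type: "UnauthorizedAccess:EC2/SSHBruteForce" },
];

// A type-only criterion also catches the severity-8 finding; bounding severity keeps it visible.
const typeOnly: Criterion = { type: { Eq: ["UnauthorizedAccess:EC2/SSHBruteForce"] } };
const bounded: Criterion = { ...typeOnly, severity: { Lt: 7 } };
console.log(previewArchived(sampleFindings, typeOnly));
console.log(previewArchived(sampleFindings, bounded));
```

Running the same criteria against an export of real findings shows whether a suppression rule is broader than intended before it hides anything.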

Tagging for Organization

Create a filter with tags for better organization and management:

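```ts
import AWS from "alchemy/aws/control";

const taggedFilter = await AWS.GuardDuty.Filter("taggedFilter", {
  DetectorId: "12abcdef34gh567ijkl890mnopqrstu", // placeholder detector ID
  FindingCriteria: {
    Criterion: {
      // Low (1.0 to 3.9) and Medium (4.0 to 6.9) severity bands
      severity: {
        Gte: 1,
        Lt: 7
      }
    }
  },
  Name: "LowAndMediumSeverityFilter",
  // Tags attached to the filter resource itself
  Tags: [
    { Key: "Environment", Value: "Production" },
    { Key: "Team", Value: "Security" }
  ]
});
```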

Adoption of Existing Filter

Create a filter that adopts an existing resource instead of failing when one already exists:

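```ts
import AWS from "alchemy/aws/control";

const adoptFilter = await AWS.GuardDuty.Filter("adoptFilter", {
  DetectorId: "12abcdef34gh567ijkl890mnopqrstu", // placeholder detector ID
  FindingCriteria: {
    Criterion: {
      // GuardDuty severity is a numeric score; the High band is 7.0 to 8.9
      severity: {
        Gte: 7,
        Lt: 9
      }
    }
  },
  Name: "AdoptHighSeverityFilter",
  adopt: true // take over the existing filter instead of failing
});
```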