
*************
create_filter
*************



.. py:method:: GuardDuty.Client.create_filter(**kwargs)

  

  Creates a filter using the specified finding criteria. The maximum number of saved filters per Amazon Web Services account per Region is 100. For more information, see `Quotas for GuardDuty <https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_limits.html>`__.

  

  See also: `AWS API Documentation <https://docs.aws.amazon.com/goto/WebAPI/guardduty-2017-11-28/CreateFilter>`_  


  **Request Syntax**
  ::

    response = client.create_filter(
        DetectorId='string',
        Name='string',
        Description='string',
        Action='NOOP'|'ARCHIVE',
        Rank=123,
        FindingCriteria={
            'Criterion': {
                'string': {
                    'Eq': [
                        'string',
                    ],
                    'Neq': [
                        'string',
                    ],
                    'Gt': 123,
                    'Gte': 123,
                    'Lt': 123,
                    'Lte': 123,
                    'Equals': [
                        'string',
                    ],
                    'NotEquals': [
                        'string',
                    ],
                    'GreaterThan': 123,
                    'GreaterThanOrEqual': 123,
                    'LessThan': 123,
                    'LessThanOrEqual': 123,
                    'Matches': [
                        'string',
                    ],
                    'NotMatches': [
                        'string',
                    ]
                }
            }
        },
        ClientToken='string',
        Tags={
            'string': 'string'
        }
    )
    
  :type DetectorId: string
  :param DetectorId: **[REQUIRED]** 

    The detector ID associated with the GuardDuty account for which you want to create a filter.

     

    To find the ``detectorId`` in the current Region, see the Settings page in the GuardDuty console, or run the `ListDetectors <https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html>`__ API.

    

  
  :type Name: string
  :param Name: **[REQUIRED]** 

    The name of the filter. Valid characters include period (.), underscore (_), dash (-), and alphanumeric characters. Whitespace is considered an invalid character.

    

  
  :type Description: string
  :param Description: 

    The description of the filter. Valid characters include alphanumeric characters, and special characters such as hyphen, period, colon, underscore, parentheses ( ``{ }``, ``[ ]``, and ``( )``), forward slash, horizontal tab, vertical tab, newline, form feed, return, and whitespace.

    

  
  :type Action: string
  :param Action: 

    Specifies the action that is to be applied to the findings that match the filter.

    

  
  :type Rank: integer
  :param Rank: 

    Specifies the position of the filter in the list of current filters. Also specifies the order in which this filter is applied to the findings.

    

  
  :type FindingCriteria: dict
  :param FindingCriteria: **[REQUIRED]** 

    Represents the criteria to be used in the filter for querying findings.

     

    You can only use the following attributes to query findings:

     

    
    * accountId
     
    * id
     
    * region
     
    * severity

      To filter on the basis of severity, the API and CLI use the following input list for the `FindingCriteria <https://docs.aws.amazon.com/guardduty/latest/APIReference/API_FindingCriteria.html>`__ condition:

      * **Low**: ``["1", "2", "3"]``

      * **Medium**: ``["4", "5", "6"]``

      * **High**: ``["7", "8"]``

      * **Critical**: ``["9", "10"]``

      For more information, see `Findings severity levels <https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings-severity.html>`__ in the *Amazon GuardDuty User Guide*.

    
     
    * type
     
    * updatedAt

      Type: ISO 8601 string format: ``YYYY-MM-DDTHH:MM:SS.SSSZ`` or ``YYYY-MM-DDTHH:MM:SSZ``, depending on whether the value contains milliseconds.
     
    * resource.accessKeyDetails.accessKeyId
     
    * resource.accessKeyDetails.principalId
     
    * resource.accessKeyDetails.userName
     
    * resource.accessKeyDetails.userType
     
    * resource.instanceDetails.iamInstanceProfile.id
     
    * resource.instanceDetails.imageId
     
    * resource.instanceDetails.instanceId
     
    * resource.instanceDetails.tags.key
     
    * resource.instanceDetails.tags.value
     
    * resource.instanceDetails.networkInterfaces.ipv6Addresses
     
    * resource.instanceDetails.networkInterfaces.privateIpAddresses.privateIpAddress
     
    * resource.instanceDetails.networkInterfaces.publicDnsName
     
    * resource.instanceDetails.networkInterfaces.publicIp
     
    * resource.instanceDetails.networkInterfaces.securityGroups.groupId
     
    * resource.instanceDetails.networkInterfaces.securityGroups.groupName
     
    * resource.instanceDetails.networkInterfaces.subnetId
     
    * resource.instanceDetails.networkInterfaces.vpcId
     
    * resource.instanceDetails.outpostArn
     
    * resource.resourceType
     
    * resource.s3BucketDetails.publicAccess.effectivePermissions
     
    * resource.s3BucketDetails.name
     
    * resource.s3BucketDetails.tags.key
     
    * resource.s3BucketDetails.tags.value
     
    * resource.s3BucketDetails.type
     
    * service.action.actionType
     
    * service.action.awsApiCallAction.api
     
    * service.action.awsApiCallAction.callerType
     
    * service.action.awsApiCallAction.errorCode
     
    * service.action.awsApiCallAction.remoteIpDetails.city.cityName
     
    * service.action.awsApiCallAction.remoteIpDetails.country.countryName
     
    * service.action.awsApiCallAction.remoteIpDetails.ipAddressV4
     
    * service.action.awsApiCallAction.remoteIpDetails.ipAddressV6
     
    * service.action.awsApiCallAction.remoteIpDetails.organization.asn
     
    * service.action.awsApiCallAction.remoteIpDetails.organization.asnOrg
     
    * service.action.awsApiCallAction.serviceName
     
    * service.action.dnsRequestAction.domain
     
    * service.action.dnsRequestAction.domainWithSuffix
     
    * service.action.dnsRequestAction.vpcOwnerAccountId
     
    * service.action.networkConnectionAction.blocked
     
    * service.action.networkConnectionAction.connectionDirection
     
    * service.action.networkConnectionAction.localPortDetails.port
     
    * service.action.networkConnectionAction.protocol
     
    * service.action.networkConnectionAction.remoteIpDetails.city.cityName
     
    * service.action.networkConnectionAction.remoteIpDetails.country.countryName
     
    * service.action.networkConnectionAction.remoteIpDetails.ipAddressV4
     
    * service.action.networkConnectionAction.remoteIpDetails.ipAddressV6
     
    * service.action.networkConnectionAction.remoteIpDetails.organization.asn
     
    * service.action.networkConnectionAction.remoteIpDetails.organization.asnOrg
     
    * service.action.networkConnectionAction.remotePortDetails.port
     
    * service.action.awsApiCallAction.remoteAccountDetails.affiliated
     
    * service.action.kubernetesApiCallAction.remoteIpDetails.ipAddressV4
     
    * service.action.kubernetesApiCallAction.remoteIpDetails.ipAddressV6
     
    * service.action.kubernetesApiCallAction.namespace
     
    * service.action.kubernetesApiCallAction.remoteIpDetails.organization.asn
     
    * service.action.kubernetesApiCallAction.requestUri
     
    * service.action.kubernetesApiCallAction.statusCode
     
    * service.action.networkConnectionAction.localIpDetails.ipAddressV4
     
    * service.action.networkConnectionAction.localIpDetails.ipAddressV6
     
    * service.action.awsApiCallAction.remoteAccountDetails.accountId
     
    * service.additionalInfo.threatListName
     
    * service.resourceRole
     
    * resource.eksClusterDetails.name
     
    * resource.kubernetesDetails.kubernetesWorkloadDetails.name
     
    * resource.kubernetesDetails.kubernetesWorkloadDetails.namespace
     
    * resource.kubernetesDetails.kubernetesUserDetails.username
     
    * resource.kubernetesDetails.kubernetesWorkloadDetails.containers.image
     
    * resource.kubernetesDetails.kubernetesWorkloadDetails.containers.imagePrefix
     
    * service.ebsVolumeScanDetails.scanId
     
    * service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.name
     
    * service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.severity
     
    * service.ebsVolumeScanDetails.scanDetections.threatDetectedByName.threatNames.filePaths.hash
     
    * resource.ecsClusterDetails.name
     
    * resource.ecsClusterDetails.taskDetails.containers.image
     
    * resource.ecsClusterDetails.taskDetails.definitionArn
     
    * resource.containerDetails.image
     
    * resource.rdsDbInstanceDetails.dbInstanceIdentifier
     
    * resource.rdsDbInstanceDetails.dbClusterIdentifier
     
    * resource.rdsDbInstanceDetails.engine
     
    * resource.rdsDbUserDetails.user
     
    * resource.rdsDbInstanceDetails.tags.key
     
    * resource.rdsDbInstanceDetails.tags.value
     
    * service.runtimeDetails.process.executableSha256
     
    * service.runtimeDetails.process.name
     
    * service.runtimeDetails.process.executablePath
     
    * resource.lambdaDetails.functionName
     
    * resource.lambdaDetails.functionArn
     
    * resource.lambdaDetails.tags.key
     
    * resource.lambdaDetails.tags.value
    

    

  
    - **Criterion** *(dict) --* 

      Represents a map of finding properties that match specified conditions and values when querying findings.

      

    
      - *(string) --* 

      
        - *(dict) --* 

          Contains information about the condition.

          

        
          - **Eq** *(list) --* 

            Represents the *equal* condition to be applied to a single field when querying for findings.

            

          
            - *(string) --* 

            
        
          - **Neq** *(list) --* 

            Represents the *not equal* condition to be applied to a single field when querying for findings.

            

          
            - *(string) --* 

            
        
          - **Gt** *(integer) --* 

            Represents a *greater than* condition to be applied to a single field when querying for findings.

            

          
          - **Gte** *(integer) --* 

            Represents a *greater than or equal* condition to be applied to a single field when querying for findings.

            

          
          - **Lt** *(integer) --* 

            Represents a *less than* condition to be applied to a single field when querying for findings.

            

          
          - **Lte** *(integer) --* 

            Represents a *less than or equal* condition to be applied to a single field when querying for findings.

            

          
          - **Equals** *(list) --* 

            Represents an *equal*  condition to be applied to a single field when querying for findings.

            

          
            - *(string) --* 

            
        
          - **NotEquals** *(list) --* 

            Represents a *not equal*  condition to be applied to a single field when querying for findings.

            

          
            - *(string) --* 

            
        
          - **GreaterThan** *(integer) --* 

            Represents a *greater than* condition to be applied to a single field when querying for findings.

            

          
          - **GreaterThanOrEqual** *(integer) --* 

            Represents a *greater than or equal* condition to be applied to a single field when querying for findings.

            

          
          - **LessThan** *(integer) --* 

            Represents a *less than* condition to be applied to a single field when querying for findings.

            

          
          - **LessThanOrEqual** *(integer) --* 

            Represents a *less than or equal* condition to be applied to a single field when querying for findings.

            

          
          - **Matches** *(list) --* 

            Represents the *match* condition to be applied to a single field when querying for findings.

             

            .. note::

              

              The *matches* condition is available only for create-filter and update-filter APIs.

              

            

          
            - *(string) --* 

            
        
          - **NotMatches** *(list) --* 

            Represents the *not match* condition to be applied to a single field when querying for findings.

             

            .. note::

              

              The *not-matches* condition is available only for create-filter and update-filter APIs.

              

            

          
            - *(string) --* 

            
        
        
  

  
  :type ClientToken: string
  :param ClientToken: 

    The idempotency token for the create request.

    This field is autopopulated if not provided.

  
  :type Tags: dict
  :param Tags: 

    The tags to be added to a new filter resource.

    

  
    - *(string) --* 

    
      - *(string) --* 

      


  
  :rtype: dict
  :returns: 
    
    **Response Syntax**

    
    ::

      {
          'Name': 'string'
      }
      
    **Response Structure**

    

    - *(dict) --* 
      

      - **Name** *(string) --* 

        The name of the successfully created filter.

        
  
  **Exceptions**
  
  *   :py:class:`GuardDuty.Client.exceptions.BadRequestException`

  
  *   :py:class:`GuardDuty.Client.exceptions.InternalServerErrorException`
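
The following is an added example, not part of the boto3 documentation: a pre-flight check that builds the ``create_filter`` arguments from the severity lists and the name rule given above. A filter with ``Action='ARCHIVE'`` automatically archives matching findings, so the check also applies a local review policy that is an assumption of this example. ``build_filter_request``, ``create_filter_checked`` and ``StubClient`` are hypothetical names, and the sample values are constructed.

```python
import re

# Severity label -> FindingCriteria input list, as listed on this page.
SEVERITY = {"Low": ["1", "2", "3"], "Medium": ["4", "5", "6"],
            "High": ["7", "8"], "Critical": ["9", "10"]}
# Name rule from this page: period, underscore, dash, alphanumerics; no whitespace.
NAME_RE = re.compile(r"[A-Za-z0-9._-]+")


def build_filter_request(detector_id, name, action, severities=(),
                         finding_types=(), rank=1):
    """Return keyword arguments for create_filter after local checks."""
    if not NAME_RE.fullmatch(name):
        raise ValueError(f"invalid filter name: {name!r}")
    if action not in ("NOOP", "ARCHIVE"):
        raise ValueError(f"invalid action: {action!r}")
    if set(severities) - set(SEVERITY):
        raise ValueError(f"unknown severity label in {list(severities)}")
    # Local review policy (assumption, not an API rule): an ARCHIVE filter
    # must name finding types and must not cover High or Critical findings.
    if action == "ARCHIVE":
        if not finding_types:
            raise ValueError("ARCHIVE filter must be scoped to finding types")
        if {"High", "Critical"} & set(severities):
            raise ValueError("refusing to archive High/Critical findings")
    criterion = {}
    if severities:
        criterion["severity"] = {"Equals": [v for s in severities for v in SEVERITY[s]]}
    if finding_types:
        criterion["type"] = {"Equals": list(finding_types)}
    return {"DetectorId": detector_id, "Name": name, "Action": action,
            "Rank": rank, "FindingCriteria": {"Criterion": criterion}}


def create_filter_checked(client, **spec):
    """Validate locally, call create_filter, return the created filter's name."""
    return client.create_filter(**build_filter_request(**spec))["Name"]


class StubClient:  # constructed stand-in for boto3.client("guardduty")
    def create_filter(self, **kwargs):
        self.last_request = kwargs
        return {"Name": kwargs["Name"]}


if __name__ == "__main__":  # constructed sample values, placeholder detector ID
    print(create_filter_checked(StubClient(), detector_id="<detector-id>",
          name="archive-port-probe-low", action="ARCHIVE", severities=["Low"],
          finding_types=["Recon:EC2/PortProbeUnprotectedPort"]))
```

Against a real account, pass ``boto3.client("guardduty")`` in place of ``StubClient()``.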

  