AWS guardduty documentation change
Summary
Added extensive documentation for suppression rule filter criteria fields, including timestamp format specifications and a comprehensive list of fields only available for ARCHIVE action filters via API operations
Security assessment
This change documents expanded filtering capabilities for GuardDuty findings suppression rules, which is a security feature for managing alert fatigue and focusing on relevant security findings. The documentation clarifies which fields are only available for suppression rules via API and provides timestamp format guidance. While this enhances security operations, there's no evidence it addresses a specific security vulnerability.
Diff
diff --git a/guardduty/latest/ug/guardduty_filter-findings.md b/guardduty/latest/ug/guardduty_filter-findings.md index 86bdbbc47..048d71354 100644 --- a//guardduty/latest/ug/guardduty_filter-findings.md +++ b//guardduty/latest/ug/guardduty_filter-findings.md @@ -22,0 +23,4 @@ When you create filters, take the following list into consideration: + * Fields under `service.additionalInfo` are specified using their full JSON path, the same as any other field. For example: `{ "service.additionalInfo.sample": { "Equals": ["true"] } }`. + + * Timestamp fields accept values in Unix Epoch millisecond format (for example, `1486685375000`). For a full list of timestamp fields, see the note below. + @@ -237,0 +242,569 @@ DNS request domain | service.action.dnsRequestAction.domainWithSuffix +All other finding fields (listed below) are available as suppression rule filter criteria only (using [CreateFilter](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_CreateFilter.html) and [UpdateFilter](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_UpdateFilter.html)). These fields are not supported by other API operations. Suppression rules that use these fields must be created or updated through the API. These fields can only be applied for filters with an `ARCHIVE` action. + +###### Note + +The following fields accept timestamp values in Unix Epoch millisecond format (for example, `1262309025000` represents Friday, January 1, 2010 at 1:23:45 AM GMT): + + * createdAt + + * updatedAt + + * service.eventFirstSeen + + * service.eventLastSeen + + * resource.instanceDetails.launchTime + + * resource.lambdaDetails.lastModifiedAt + + * resource.s3BucketDetails.createdAt + + * resource.eksClusterDetails.createdAt + + * resource.ecsClusterDetails.taskDetails.createdAt + + * resource.ecsClusterDetails.taskDetails.startedAt + + * service.ebsVolumeScanDetails.scanStartedAt + + * service.ebsVolumeScanDetails.scanCompletedAt + + * service.runtimeDetails.context.modifiedAt + + * service.runtimeDetails.context.modifyingProcess.startTime + + * service.runtimeDetails.context.modifyingProcess.lineage.startTime + + * service.runtimeDetails.context.targetProcess.startTime + + * service.runtimeDetails.context.targetProcess.lineage.startTime + + * service.runtimeDetails.process.startTime + + * service.runtimeDetails.process.lineage.startTime + + * service.detection.sequence.actors.session.createdTime + + * service.detection.sequence.signals.createdAt + + * service.detection.sequence.signals.updatedAt + + * service.detection.sequence.signals.firstSeenAt + + * service.detection.sequence.signals.lastSeenAt + + * service.detection.sequence.resources.data.s3Bucket.createdAt + + * service.detection.sequence.resources.data.ecsTask.createdAt + + * service.detection.sequence.resources.data.eksCluster.createdAt + + + + +JSON field name +--- +arn +associatedAttackSequenceArn +createdAt +description +partition +resource.accessKeyDetails.userIdentity.accessKeyId +resource.accessKeyDetails.userIdentity.accountId +resource.accessKeyDetails.userIdentity.arn +resource.accessKeyDetails.userIdentity.principalId +resource.accessKeyDetails.userIdentity.sessionContext.attributes.mfaAuthenticated +resource.accessKeyDetails.userIdentity.sessionContext.ec2RoleDelivery +resource.accessKeyDetails.userIdentity.sessionContext.invokedBy +resource.accessKeyDetails.userIdentity.sessionContext.sessionIssuer.accountId +resource.accessKeyDetails.userIdentity.sessionContext.sessionIssuer.arn +resource.accessKeyDetails.userIdentity.sessionContext.sessionIssuer.principalId +resource.accessKeyDetails.userIdentity.sessionContext.sessionIssuer.type +resource.accessKeyDetails.userIdentity.sessionContext.sessionIssuer.userName +resource.accessKeyDetails.userIdentity.sessionContext.sourceIdentity +resource.accessKeyDetails.userIdentity.sessionContext.webIdFederationData.attributes +resource.accessKeyDetails.userIdentity.sessionContext.webIdFederationData.federatedProvider +resource.accessKeyDetails.userIdentity.type +resource.accessKeyDetails.userIdentity.userName +resource.bedrockGuardrailDetails.guardrailArn +resource.bedrockGuardrailDetails.guardrailVersion +resource.containerDetails.containerRuntime +resource.containerDetails.imagePrefix +resource.containerDetails.securityContext.allowPrivilegeEscalation +resource.containerDetails.securityContext.privileged +resource.containerDetails.volumeMounts.mountPath +resource.containerDetails.volumeMounts.name +resource.ebsVolumeDetails.scannedVolumeDetails.deviceName +resource.ebsVolumeDetails.scannedVolumeDetails.encryptionType +resource.ebsVolumeDetails.scannedVolumeDetails.kmsKeyArn +resource.ebsVolumeDetails.scannedVolumeDetails.snapshotArn +resource.ebsVolumeDetails.scannedVolumeDetails.volumeArn +resource.ebsVolumeDetails.scannedVolumeDetails.volumeSizeInGB +resource.ebsVolumeDetails.scannedVolumeDetails.volumeType +resource.ebsVolumeDetails.skippedVolumeDetails.deviceName +resource.ebsVolumeDetails.skippedVolumeDetails.encryptionType +resource.ebsVolumeDetails.skippedVolumeDetails.kmsKeyArn +resource.ebsVolumeDetails.skippedVolumeDetails.snapshotArn +resource.ebsVolumeDetails.skippedVolumeDetails.volumeArn +resource.ebsVolumeDetails.skippedVolumeDetails.volumeSizeInGB +resource.ebsVolumeDetails.skippedVolumeDetails.volumeType +resource.ecsClusterDetails.activeServicesCount +resource.ecsClusterDetails.arn +resource.ecsClusterDetails.registeredContainerInstancesCount +resource.ecsClusterDetails.runningTasksCount +resource.ecsClusterDetails.status +resource.ecsClusterDetails.tags.key +resource.ecsClusterDetails.tags.value +resource.ecsClusterDetails.taskDetails.arn +resource.ecsClusterDetails.taskDetails.containers.containerRuntime +resource.ecsClusterDetails.taskDetails.containers.id +resource.ecsClusterDetails.taskDetails.containers.imagePrefix +resource.ecsClusterDetails.taskDetails.containers.name +resource.ecsClusterDetails.taskDetails.containers.securityContext.allowPrivilegeEscalation +resource.ecsClusterDetails.taskDetails.containers.securityContext.privileged +resource.ecsClusterDetails.taskDetails.containers.volumeMounts.mountPath +resource.ecsClusterDetails.taskDetails.containers.volumeMounts.name +resource.ecsClusterDetails.taskDetails.createdAt +resource.ecsClusterDetails.taskDetails.group +resource.ecsClusterDetails.taskDetails.launchType +resource.ecsClusterDetails.taskDetails.startedAt +resource.ecsClusterDetails.taskDetails.startedBy +resource.ecsClusterDetails.taskDetails.tags.key +resource.ecsClusterDetails.taskDetails.tags.value +resource.ecsClusterDetails.taskDetails.version +resource.ecsClusterDetails.taskDetails.volumes.hostPath.path +resource.ecsClusterDetails.taskDetails.volumes.name +resource.eksClusterDetails.arn +resource.eksClusterDetails.createdAt +resource.eksClusterDetails.status +resource.eksClusterDetails.tags.key +resource.eksClusterDetails.tags.value +resource.eksClusterDetails.vpcId +resource.instanceDetails.iamInstanceProfile.arn +resource.instanceDetails.instanceState +resource.instanceDetails.instanceType +resource.instanceDetails.launchTime +resource.instanceDetails.networkInterfaces.networkInterfaceId +resource.instanceDetails.networkInterfaces.privateDnsName +resource.instanceDetails.networkInterfaces.privateIpAddress +resource.instanceDetails.networkInterfaces.privateIpAddresses.privateDnsName +resource.instanceDetails.platform +resource.instanceDetails.productCodes.productCodeId +resource.instanceDetails.productCodes.productCodeType +resource.kubernetesDetails.kubernetesUserDetails.groups +resource.kubernetesDetails.kubernetesUserDetails.impersonatedUser.groups +resource.kubernetesDetails.kubernetesUserDetails.impersonatedUser.username +resource.kubernetesDetails.kubernetesUserDetails.sessionName +resource.kubernetesDetails.kubernetesUserDetails.uid +resource.kubernetesDetails.kubernetesWorkloadDetails.containers.containerRuntime +resource.kubernetesDetails.kubernetesWorkloadDetails.containers.id +resource.kubernetesDetails.kubernetesWorkloadDetails.containers.name +resource.kubernetesDetails.kubernetesWorkloadDetails.containers.securityContext.allowPrivilegeEscalation +resource.kubernetesDetails.kubernetesWorkloadDetails.containers.securityContext.privileged +resource.kubernetesDetails.kubernetesWorkloadDetails.containers.volumeMounts.mountPath +resource.kubernetesDetails.kubernetesWorkloadDetails.containers.volumeMounts.name +resource.kubernetesDetails.kubernetesWorkloadDetails.hostIpc +resource.kubernetesDetails.kubernetesWorkloadDetails.hostNetwork +resource.kubernetesDetails.kubernetesWorkloadDetails.hostPid +resource.kubernetesDetails.kubernetesWorkloadDetails.serviceAccountName +resource.kubernetesDetails.kubernetesWorkloadDetails.type +resource.kubernetesDetails.kubernetesWorkloadDetails.uid +resource.kubernetesDetails.kubernetesWorkloadDetails.volumes.hostPath.path +resource.kubernetesDetails.kubernetesWorkloadDetails.volumes.name +resource.lambdaDetails.description +resource.lambdaDetails.lastModifiedAt +resource.lambdaDetails.revisionId +resource.lambdaDetails.vpcConfig.securityGroups.groupId +resource.lambdaDetails.vpcConfig.securityGroups.groupName +resource.lambdaDetails.vpcConfig.subnetIds +resource.lambdaDetails.vpcConfig.vpcId +resource.rdsDbInstanceDetails.dbInstanceArn +resource.rdsDbInstanceDetails.dbiResourceId +resource.rdsDbInstanceDetails.dbSecurityGroups.name +resource.rdsDbInstanceDetails.dbSecurityGroups.status +resource.rdsDbInstanceDetails.engineVersion +resource.rdsDbInstanceDetails.iamDatabaseAuthenticationEnabled +resource.rdsDbInstanceDetails.publiclyAccessible +resource.rdsDbInstanceDetails.vpcId +resource.rdsDbInstanceDetails.vpcSecurityGroups.status +resource.rdsDbInstanceDetails.vpcSecurityGroups.vpcSecurityGroupId +resource.rdsDbUserDetails.application