steampipe plugin install aws

Table: aws_guardduty_filter - Query AWS GuardDuty Filter using SQL

An AWS GuardDuty filter defines conditions that are matched against the findings GuardDuty generates, together with an action to apply to the findings that match. Filters help you categorize and prioritize findings according to your organization's threat model and security posture: you can match on a finding's severity, the type of threat detected, or other criteria to tailor the findings to your specific needs.

Table Usage Guide

The aws_guardduty_filter table in Steampipe provides you with information about filters within AWS GuardDuty. This table enables you, as a security analyst, to query filter-specific details, including filter conditions, actions, and associated metadata. You can utilize this table to gather insights on filters, such as filter actions, conditions, and the detector ID to which the filter is associated. The schema outlines for you the various attributes of the GuardDuty filter, including the filter name, detector ID, rank, description, and associated tags.

Examples

Basic info

List the filters configured in AWS GuardDuty, including the action each one applies and its rank (the order in which it is applied). This can help prioritize security responses and manage potential threats more effectively.

select
  name,
  detector_id,
  action,
  rank
from
  aws_guardduty_filter;

List filters that will archive the findings

List the filters whose action is ARCHIVE, that is, the filters that automatically archive the findings they match. Knowing which filters archive findings is important for managing security alerts effectively, because archived findings do not surface in the default findings view.

select
  name,
  detector_id,
  action,
  rank
from
  aws_guardduty_filter
where
  action = 'ARCHIVE';

Get the filter which will be applied first to the findings

Find the filter with rank 1, the first filter applied to your findings in AWS GuardDuty. This is useful for understanding the first layer of processing your findings undergo.

select
  name,
  region,
  detector_id,
  action,
  rank
from
  aws_guardduty_filter
where
  rank = 1;

Get the criteria details for a filter

Determine the specifics of a particular filter in AWS GuardDuty to better understand its function and configuration. This is useful for assessing the filter's criteria and optimizing security measures.

PostgreSQL:

select
  name,
  jsonb_pretty(finding_criteria) as finding_criteria
from
  aws_guardduty_filter
where
  name = 'filter-1';

SQLite:

select
  name,
  finding_criteria
from
  aws_guardduty_filter
where
  name = 'filter-1';
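Because archived findings never reach an analyst, an ARCHIVE filter with broad criteria can silently suppress detections. The following queries, added here as an example and not part of the Steampipe documentation, combine the two cases above: they expand each ARCHIVE filter's finding_criteria into one row per matched field so the conditions can be reviewed, and then flag archive filters that place no constraint on severity. They assume finding_criteria is stored in the GuardDuty API shape, a top-level "Criterion" object keyed by finding field name, and use PostgreSQL syntax; adjust the JSON path if your stored document differs.

```sql
-- Added example (not from the Steampipe docs). Assumes finding_criteria holds
-- {"Criterion": {"<finding field>": {<condition>}}}, the GuardDuty API shape.

-- One row per (filter, criterion field): what each auto-archive filter matches on.
select
  f.region,
  f.detector_id,
  f.name,
  f.rank,
  c.key as criterion_field,
  c.value as condition
from
  aws_guardduty_filter as f
  cross join lateral jsonb_each(f.finding_criteria -> 'Criterion') as c
where
  f.action = 'ARCHIVE'
order by
  f.region,
  f.detector_id,
  f.rank;

-- Archive filters with no severity criterion deserve a closer look: they can
-- archive high-severity findings together with the noise they were meant to hide.
select
  f.region,
  f.detector_id,
  f.name,
  f.rank
from
  aws_guardduty_filter as f
where
  f.action = 'ARCHIVE'
  and f.finding_criteria -> 'Criterion' -> 'severity' is null
order by
  f.region,
  f.detector_id,
  f.rank;
```

Both queries can be run from the Steampipe query shell or saved as a control in a mod; the second returns no rows when every archive filter constrains severity.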

Count the number of filters by region and detector

Assess the distribution of filters across various regions and detectors to better understand the security measures in place. This information can be useful for auditing purposes or for optimizing the distribution of filters.

PostgreSQL:

select
  region,
  detector_id,
  count(name)
from
  aws_guardduty_filter
group by
  region,
  detector_id
order by
  count desc;

SQLite:

select
  region,
  detector_id,
  count(name)
from
  aws_guardduty_filter
group by
  region,
  detector_id
order by
  count(name) desc;

Schema for aws_guardduty_filter

| Name | Type | Operators | Description |
|---|---|---|---|
| _ctx | jsonb | | Steampipe context in JSON form. |
| account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The AWS Account ID in which the resource is located. |
| action | text | | Specifies the action that is to be applied to the findings that match the filter. |
| akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource. |
| description | text | | The description of the filter. |
| detector_id | text | = | The ID of the detector. |
| finding_criteria | jsonb | | Represents the criteria to be used in the filter for querying findings. |
| name | text | = | The name for the filter. |
| partition | text | | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov). |
| rank | bigint | | Specifies the position of the filter in the list of current filters. Also specifies the order in which this filter is applied to the findings. |
| region | text | | The AWS Region in which the resource is located. |
| sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
| sp_ctx | jsonb | | Steampipe context in JSON form. |
| tags | jsonb | | A map of tags for the resource. |
| title | text | | Title of the resource. |

Export

This table is available as a stand-alone Exporter CLI. Steampipe exporters are stand-alone binaries that let you extract data using Steampipe plugins without running a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws

You can pass the configuration to the command with the --config argument:

steampipe_export_aws --config '<your_config>' aws_guardduty_filter