CreateFilter
AWS
CreateFilter
Event
Creates a GuardDuty finding filter that automatically suppresses or highlights findings matching specified criteria.
Security Context
- Impairing defenses allows adversaries to operate freely by removing security controls that would otherwise detect or block their activity.
- Tampering with cloud security services blinds defenders to threats and may indicate an adversary is preparing for further malicious activity.
Log Source
CloudTrail
Sample Event
Adversarial. Draco — having either compromised a security-team role or a privileged session that can call guardduty:CreateFilter — creates a filter whose criterion is service.action.awsApiCallAction.remoteIpDetails.ipAddressV4 = 203.0.113.66 and whose action is ARCHIVE. From this point on, every GuardDuty finding tied to the adversary’s primary IP is auto-archived before a human or a SOAR playbook sees it. This is more durable than a one-shot ArchiveFindings call because future findings are also suppressed.
{ "eventVersion": "1.09", "userIdentity": { "type": "IAMUser", "principalId": "AIDADRAC0MALF0YBADGY", "arn": "arn:aws:iam::555123456789:user/draco", "accountId": "555123456789", "accessKeyId": "AKIADRAC0MALF0YEXAMP5", "userName": "draco", "sessionContext": { "attributes": { "creationDate": "2026-04-15T18:51:02Z", "mfaAuthenticated": "false" } } }, "eventTime": "2026-04-15T22:31:09Z", "eventSource": "guardduty.amazonaws.com", "eventName": "CreateFilter", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.66", "userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6", "requestParameters": { "detectorId": "60000000000040008000001010011010", "name": "incident-response-noise-filter", "description": "Auto-archive findings tied to internal network testing.", "action": "ARCHIVE", "rank": 1, "findingCriteria": { "criterion": { "service.action.awsApiCallAction.remoteIpDetails.ipAddressV4": { "equals": ["203.0.113.66"] } } } }, "responseElements": { "name": "incident-response-noise-filter" }, "requestID": "90000000-0000-4000-8000-000010000110", "eventID": "90000000-0000-4000-8000-000010000111", "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "555123456789", "eventCategory": "Management", "tlsDetails": { "tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "guardduty.us-east-1.amazonaws.com" }}MITRE ATT&CK Mapping
Tactics: Defense Impairment
Techniques:
- T1685 — Disable or Modify Tools — Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping spec...