Skip to content

CreateFilter

AWS

CreateFilter

service: AWS - GuardDuty
techniques:

Event

Creates a GuardDuty finding filter that automatically suppresses or highlights findings matching specified criteria.

Security Context

  • Impairing defenses allows adversaries to operate freely by removing security controls that would otherwise detect or block their activity.
  • Tampering with cloud security services blinds defenders to threats and may indicate an adversary is preparing for further malicious activity.

Log Source

CloudTrail

Sample Event

Adversarial. Draco — having either compromised a security-team role or a privileged session that can call guardduty:CreateFilter — creates a filter whose criterion is service.action.awsApiCallAction.remoteIpDetails.ipAddressV4 = 203.0.113.66 and whose action is ARCHIVE. From this point on, every GuardDuty finding tied to the adversary’s primary IP is auto-archived before a human or a SOAR playbook sees it. This is more durable than a one-shot ArchiveFindings call because future findings are also suppressed.

{
"eventVersion": "1.09",
"userIdentity": {
"type": "IAMUser",
"principalId": "AIDADRAC0MALF0YBADGY",
"arn": "arn:aws:iam::555123456789:user/draco",
"accountId": "555123456789",
"accessKeyId": "AKIADRAC0MALF0YEXAMP5",
"userName": "draco",
"sessionContext": {
"attributes": {
"creationDate": "2026-04-15T18:51:02Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2026-04-15T22:31:09Z",
"eventSource": "guardduty.amazonaws.com",
"eventName": "CreateFilter",
"awsRegion": "us-east-1",
"sourceIPAddress": "203.0.113.66",
"userAgent": "aws-cli/1.18.147 Python/3.7.10 Linux/5.4.0-1045-aws botocore/1.18.6",
"requestParameters": {
"detectorId": "60000000000040008000001010011010",
"name": "incident-response-noise-filter",
"description": "Auto-archive findings tied to internal network testing.",
"action": "ARCHIVE",
"rank": 1,
"findingCriteria": {
"criterion": {
"service.action.awsApiCallAction.remoteIpDetails.ipAddressV4": {
"equals": ["203.0.113.66"]
}
}
}
},
"responseElements": {
"name": "incident-response-noise-filter"
},
"requestID": "90000000-0000-4000-8000-000010000110",
"eventID": "90000000-0000-4000-8000-000010000111",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "555123456789",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.3",
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "guardduty.us-east-1.amazonaws.com"
}
}

MITRE ATT&CK Mapping

Tactics: Defense Impairment

Techniques:
  • T1685 — Disable or Modify Tools — Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping spec...