
Suppression Rules File

Suppression groups can be defined in YAML or JSON format. A suppression group can reside in a stand-alone file or be contained in a module. Define suppression groups in a .Rule.yaml or .Rule.jsonc file. Each suppression group can be defined on its own or alongside resources such as rules or baselines. Simulation of the effect of a suppression rule is still in the design phase; this call indicates which of your existing alerts would have been dismissed if the rule had been active. You can also select the Suppression rules link at the top of the page, and then, on the Suppression rules page, select Create suppression rule: the Suppression rules page opens with all the rules for the selected subscriptions. Some examples of a suppression group synopsis: To list all the rules configured for a particular subscription: returns an array of applicable rules. In a multi-account environment, only the GuardDuty administrator account can create suppression rules.

You can create suppression rules through the CreateFilter API. To do this, specify the filter criteria in a JSON file in the format of the example described below. The following example archives all non-archived findings that sent a DNS query to test.example.com. Optionally, an expiry can be defined using the expiresOn property. When the expiry date is reached, the suppression is no longer applied. To configure an expiry date, specify a date in RFC 3339 (ISO 8601) format, that is, yyyy-MM-ddTHH:mm:ssZ. Suppression groups can be configured with a synopsis. When this option is set, the synopsis is included in the output for all suppression warnings displayed; it justifies the suppression in a short message. To set the synopsis, add a comment above the apiVersion property of the suppression group.

You can view a list of all suppression rules and manage them in one place. You can also enable or disable a rule that suppresses alerts. On the GuardDuty Findings page, choose Suppress findings to open the suppression rule pane. After you create a suppression rule, new findings that match the criteria defined in the rule are automatically archived for as long as the suppression rule exists. You can use an existing filter to create a new suppression rule, or create a suppression rule from a new filter that you define. You can configure suppression rules to suppress entire finding types, or you can set more granular filter criteria to suppress only specific instances of a particular finding type. Your suppression rules can be changed at any time. Suppressing security alerts reduces the effectiveness of Defender for Cloud's threat protection; consider the potential impact of a suppression rule carefully and monitor it over time. If you opened the new rule page from a specific alert, the alert and subscription are automatically configured in your new rule. If you used the Create suppression rule link, the selected subscriptions match the portal's current filter. Alternatively, a localized synopsis can be provided in a separate Markdown file.

For more information, see about_PSRule_Docs. To retrieve the details of a specific rule for a specific subscription: returns a suppression rule. In the New suppression rule pane, enter the details of the new rule. Recon:EC2/Portscan – use a suppression rule to automatically archive findings generated while you run a vulnerability assessment application. To test the filter criteria, use the same JSON criteria with the ListFindings API and verify that the correct findings are selected. To test your filter criteria with the AWS CLI, follow the example with your own detectorId and .json file. Set the synopsis to describe the reason for the suppression. One or more rule names can be listed in the rule property.

If no rules are specified, the suppression applies to all rules. One or more logical conditions or operators can be used in the if object. If the if condition is true, the object is suppressed for the current rule. UnauthorizedAccess:EC2/SSHBruteForce – use a suppression rule to automatically archive findings when they target bastion instances. To edit a rule that you created, use the Suppression rules page. You can also create a suppression rule from an existing saved filter. For more information about creating filters, see Filter findings. This finding is generated when the network is configured to route internet traffic so that it originates from an on-premises gateway rather than a VPC internet gateway (IGW). Common configurations, such as using AWS Outposts or VPC VPN connections, can cause traffic to be routed this way. If this is the expected behavior, we recommend that you use suppression rules and create a rule that consists of two filter criteria. The first criterion is the finding type, which must be UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.

The second filter criterion is the IPv4 address of the API caller, set to the IP address or CIDR range of your on-premises internet gateway. The following example shows the filter you would use to suppress this finding type based on the IP address of the API caller. PUT: create or update a suppression rule in a specified subscription. Suppression rules do not work retroactively; they only suppress alerts that are triggered after the rule is created. If a particular alert type has never been generated for a particular subscription, future alerts of that type are not suppressed. For a rule to suppress an alert for a particular subscription, that type of alert must have been triggered at least once before the rule is created. The following finding types have common use cases for applying suppression rules; select the finding name to learn more about that finding, or learn how to create a suppression rule for that finding type from the console. GuardDuty continues to generate findings even when they match your suppression rules, but those findings are automatically marked as archived. Archived findings are stored in GuardDuty for 90 days and can be viewed at any time during that period. You can view suppressed findings in the GuardDuty console by selecting Archived in the findings table, or through the GuardDuty API by calling ListFindings with the findingCriteria criterion service.archived equal to true.

Upload your filter to use as a suppression rule with the CreateFilter API, or use the AWS CLI by following the example below with your own detector ID, a name for the suppression rule, and a .json file. Enter a name and description for the suppression rule. GuardDuty recommends that you create suppression rules reactively, and only for findings that you have repeatedly identified as false positives. PSRule executes rules to validate an object from input. When evaluating each object, PSRule can use suppression groups to suppress rules based on a condition. Suppression groups use a selector to determine whether the rule is suppressed. This page explains how to use alert suppression rules to suppress false positives or other unwanted security alerts in Defender for Cloud. There are several ways to create rules that suppress unwanted security alerts: if a single alert is not interesting or relevant, you can dismiss it manually. You can also use the suppression rules feature to automatically dismiss similar alerts in the future. Typically, you use a suppression rule to: Your suppression rules define the criteria by which alerts should be automatically dismissed. If you want to save the new rule to a location other than the default location, browse to and select a file name and/or location.
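The GuardDuty workflow described across the paragraphs above (build the JSON filter criteria, dry-run them with ListFindings, then upload them with CreateFilter) as an added, self-contained example; this is not code from the GuardDuty documentation this page draws on. It builds the two criteria documents the page discusses (a DNS query to test.example.com, and an InstanceCredentialExfiltration finding whose API caller is the on-premises gateway), dry-runs them locally against constructed sample findings to confirm the right ones are selected before anything is archived, and prints the equivalent AWS CLI commands. The detector ID and all finding values are placeholders, and the local matcher implements only the Eq and Neq conditions (an assumption made to keep it short; GuardDuty supports more operators).

```python
import ipaddress
import json
from typing import Any, Dict, List, Optional

# Placeholder: replace with your own detectorId before running the CLI commands.
DETECTOR_ID = "<your-detector-id>"


def dns_query_criteria(domain: str) -> Dict[str, Any]:
    """Criteria: non-archived findings whose DNS request targeted `domain`."""
    return {
        "Criterion": {
            "service.action.dnsRequestAction.domain": {"Eq": [domain]},
            "service.archived": {"Eq": ["false"]},
        }
    }


def is_valid_ipv4(address: str) -> bool:
    """Reject typos before they end up in a filter that silently matches nothing."""
    try:
        ipaddress.IPv4Address(address)
        return True
    except ValueError:
        return False


def on_prem_gateway_criteria(gateway_ip: str) -> Dict[str, Any]:
    """Criteria: InstanceCredentialExfiltration findings whose API caller is the on-prem gateway IP."""
    if not is_valid_ipv4(gateway_ip):
        raise ValueError(f"not a valid IPv4 address: {gateway_ip!r}")
    return {
        "Criterion": {
            "type": {"Eq": ["UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration"]},
            "service.action.awsApiCallAction.remoteIpDetails.ipAddressV4": {"Eq": [gateway_ip]},
        }
    }


def _lookup(finding: Dict[str, Any], dotted_path: str) -> Any:
    """Resolve a GuardDuty criterion key such as service.archived inside a finding document."""
    node: Any = finding
    for part in dotted_path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def matches(finding: Dict[str, Any], criteria: Dict[str, Any]) -> bool:
    """Local dry-run of the criteria (Eq/Neq only, an assumption of this example)."""
    for path, condition in criteria["Criterion"].items():
        actual = _lookup(finding, path)
        # GuardDuty compares criterion values as strings, so booleans become "true"/"false".
        actual_str: Optional[str]
        if actual is None:
            actual_str = None
        elif isinstance(actual, bool):
            actual_str = "true" if actual else "false"
        else:
            actual_str = str(actual)
        if "Eq" in condition and actual_str not in condition["Eq"]:
            return False
        if "Neq" in condition and actual_str in condition["Neq"]:
            return False
    return True


def select_findings(criteria: Dict[str, Any], findings: List[Dict[str, Any]]) -> List[str]:
    """IDs the filter would select, i.e. what ListFindings would return for these criteria."""
    return [f["id"] for f in findings if matches(f, criteria)]


def cli_commands(filter_name: str, criteria_path: str) -> List[str]:
    """Equivalent AWS CLI calls: dry-run selection first, then create the archiving filter."""
    return [
        f"aws guardduty list-findings --detector-id {DETECTOR_ID} "
        f"--finding-criteria file://{criteria_path}",
        f"aws guardduty create-filter --detector-id {DETECTOR_ID} --name {filter_name} "
        f"--action ARCHIVE --finding-criteria file://{criteria_path}",
    ]


# Constructed sample findings (not real GuardDuty output); only the fields the criteria read.
SAMPLE_FINDINGS: List[Dict[str, Any]] = [
    {"id": "f1", "type": "Backdoor:EC2/C&CActivity.B!DNS",
     "service": {"archived": False, "action": {"dnsRequestAction": {"domain": "test.example.com"}}}},
    {"id": "f2", "type": "Backdoor:EC2/C&CActivity.B!DNS",
     "service": {"archived": True, "action": {"dnsRequestAction": {"domain": "test.example.com"}}}},
    {"id": "f3", "type": "Backdoor:EC2/C&CActivity.B!DNS",
     "service": {"archived": False, "action": {"dnsRequestAction": {"domain": "other.example.net"}}}},
    {"id": "f4", "type": "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration",
     "service": {"archived": False, "action": {"awsApiCallAction": {"remoteIpDetails": {"ipAddressV4": "203.0.113.10"}}}}},
    {"id": "f5", "type": "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration",
     "service": {"archived": False, "action": {"awsApiCallAction": {"remoteIpDetails": {"ipAddressV4": "198.51.100.7"}}}}},
]

if __name__ == "__main__":
    for name, criteria in (("suppress-test-dns", dns_query_criteria("test.example.com")),
                           ("suppress-onprem-gateway", on_prem_gateway_criteria("203.0.113.10"))):
        print(json.dumps(criteria, indent=2))
        print("would archive:", select_findings(criteria, SAMPLE_FINDINGS))
        print("\n".join(cli_commands(name, f"{name}.json")), end="\n\n")
```

Run the list-findings command first and compare its output with the IDs the dry-run selected; only then run create-filter with --action ARCHIVE. A filter that selects nothing locally is usually a typo in a criterion key or value rather than a sign that the finding type has gone quiet.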

Your suppression rules can be viewed, edited, or deleted at any time by selecting the rule from the Saved rules drop-down menu in the console. The HTTP methods relevant to suppression rules in the REST API are as follows: This article describes suppression rules in Microsoft Defender for Cloud that automatically dismiss unwanted alerts. A suppression rule is a set of criteria, consisting of a filter attribute combined with a value, that is used to filter findings by automatically archiving new findings that match the specified criteria.
