

# Security team example: Creating a Security Hub CSPM automation rule

The security team receives findings related to threat detection, including Amazon GuardDuty findings. For a complete list of GuardDuty finding types that are categorized by AWS resource type, see [Finding types](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html) in the GuardDuty documentation. Security teams must be familiar with all of these finding types.

For this example, the security team is accepting the level of associated risk for security findings in an AWS account that is used strictly for learning purposes and does not include important or sensitive data. The name of this account is `sandbox`, and the account ID is `123456789012`. The security team can create an AWS Security Hub CSPM automation rule that suppresses all GuardDuty findings from this account. They can either create a rule from a template, which covers many common use cases, or they can create a custom rule. In Security Hub CSPM, we recommend previewing the results of the criteria to confirm that the rule returns the intended findings.

**Note**  
This example highlights the functionality of automation rules. We don't recommend suppressing all GuardDuty findings for an account. Context matters, and each organization must choose which findings to suppress based on data type, classification, and mitigation controls.

The following are the parameters used to create this automation rule:
+ **Rule:**
  + **Rule name** is `Suppress findings from Sandbox account`
  + **Rule description** is `Date: 06/25/23 Authored by: John Doe Reason: Suppress GuardDuty findings from the sandbox account`
+ **Criteria:**
  + `AwsAccountId` = `123456789012`
  + `ProductName` = `GuardDuty`
  + `WorkflowStatus` = `NEW`
  + `RecordState` = `ACTIVE`
+ **Automated action:**
  + `Workflow.status` is `SUPPRESSED`
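
The following Python block is an added example, not code from the page or from AWS. It translates the parameters above into the request body for the `CreateAutomationRule` API (the boto3 operation is `create_automation_rule`) and adds a local preview that checks a few constructed ASFF-style findings against the same criteria, mirroring the recommended step of previewing which findings a rule will match before enabling it. Assumptions: the rule is created from the Security Hub administrator account with `securityhub:CreateAutomationRule` permission, `RuleOrder` of 1 and `IsTerminal` of `False` are arbitrary choices, and the preview applies AND across criteria keys and OR across values within one key, which is how `EQUALS` filters combine; the sample findings are constructed.

```python
"""Build a Security Hub CSPM automation rule request and preview it locally.

Assumptions (not from the page): boto3 for the API call, RuleOrder=1,
IsTerminal=False, and constructed sample findings for the preview.
"""

SANDBOX_ACCOUNT_ID = "123456789012"  # account ID given on the page


def build_rule_request():
    """Request body for securityhub:CreateAutomationRule with the page's parameters."""
    return {
        "RuleName": "Suppress findings from Sandbox account",
        "Description": (
            "Date: 06/25/23 Authored by: John Doe "
            "Reason: Suppress GuardDuty findings from the sandbox account"
        ),
        "RuleOrder": 1,          # assumption: evaluate this rule first
        "RuleStatus": "ENABLED",
        "IsTerminal": False,     # assumption: later rules still see the finding
        "Criteria": {
            "AwsAccountId": [{"Value": SANDBOX_ACCOUNT_ID, "Comparison": "EQUALS"}],
            "ProductName": [{"Value": "GuardDuty", "Comparison": "EQUALS"}],
            "WorkflowStatus": [{"Value": "NEW", "Comparison": "EQUALS"}],
            "RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}],
        },
        "Actions": [
            {
                "Type": "FINDING_FIELDS_UPDATE",
                "FindingFieldsUpdate": {"Workflow": {"Status": "SUPPRESSED"}},
            }
        ],
    }


# Where each criterion reads its value from in an ASFF finding.
CRITERIA_FIELDS = {
    "AwsAccountId": lambda f: f.get("AwsAccountId"),
    "ProductName": lambda f: f.get("ProductName"),
    "WorkflowStatus": lambda f: f.get("Workflow", {}).get("Status"),
    "RecordState": lambda f: f.get("RecordState"),
}


def _compare(actual, comparison, value):
    """Evaluate one string filter; a missing field never matches."""
    if actual is None:
        return False
    return {
        "EQUALS": actual == value,
        "NOT_EQUALS": actual != value,
        "PREFIX": actual.startswith(value),
        "PREFIX_NOT_EQUALS": not actual.startswith(value),
        "CONTAINS": value in actual,
        "NOT_CONTAINS": value not in actual,
    }[comparison]


def finding_matches(finding, criteria):
    """Local preview of the criteria: AND across keys, OR across values per key."""
    for key, filters in criteria.items():
        actual = CRITERIA_FIELDS[key](finding)
        if not any(_compare(actual, flt["Comparison"], flt["Value"]) for flt in filters):
            return False
    return True


# Constructed sample findings: only the first one should be suppressed.
SAMPLE_FINDINGS = [
    {"Id": "gd-sandbox-new", "AwsAccountId": "123456789012", "ProductName": "GuardDuty",
     "RecordState": "ACTIVE", "Workflow": {"Status": "NEW"}},
    {"Id": "gd-other-account", "AwsAccountId": "210987654321", "ProductName": "GuardDuty",
     "RecordState": "ACTIVE", "Workflow": {"Status": "NEW"}},
    {"Id": "control-sandbox", "AwsAccountId": "123456789012", "ProductName": "Security Hub",
     "RecordState": "ACTIVE", "Workflow": {"Status": "NEW"}},
    {"Id": "gd-sandbox-archived", "AwsAccountId": "123456789012", "ProductName": "GuardDuty",
     "RecordState": "ARCHIVED", "Workflow": {"Status": "NEW"}},
]


def preview(findings, request):
    """IDs of the findings the rule would update, like the console preview."""
    return [f["Id"] for f in findings if finding_matches(f, request["Criteria"])]


def create_rule(client, request):
    """Create the rule via the Security Hub API; returns the new rule ARN."""
    return client.create_automation_rule(**request)["RuleArn"]


if __name__ == "__main__":
    req = build_rule_request()
    print("Would suppress:", preview(SAMPLE_FINDINGS, req))
    # To create the rule for real (needs credentials in the administrator account):
    # import boto3; print(create_rule(boto3.client("securityhub"), req))
```

The preview deliberately includes a GuardDuty finding from another account, a Security Hub control finding from the sandbox account, and an archived sandbox finding; none of them matches, which is the check to run before enabling a suppression rule so that it cannot silently hide findings outside the intended scope.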

For more information, see [Automation rules](https://docs.aws.amazon.com/securityhub/latest/userguide/automation-rules.html) in the Security Hub CSPM documentation. Security teams have many options for investigating and remediating findings for detected threats. For extensive guidance, see the [AWS Security Incident Response Guide](https://docs.aws.amazon.com/whitepapers/latest/aws-security-incident-response-guide/aws-security-incident-response-guide.html). We recommend reviewing this guide to confirm that you have established strong incident response processes.