Table Options #

• GetFindings ([]CustomSecurityHubGetFindingsInput) (nullable)

CustomSecurityHubGetFindingsInput #

• Filters (AwsSecurityFindingFilters) (nullable)

  The finding attributes used to define a condition to filter the returned findings.

  You can filter by up to 10 finding attributes. For each attribute, you can provide up to 20 filter values.

  Note that in the available filter fields, WorkflowState is deprecated. To search for a finding based on its workflow status, use WorkflowStatus .
• MaxResults (integer) (nullable) (range: [1,100]) (default: 100)

  The maximum number of findings to return.
• SortCriteria ([]SortCriterion) (nullable)

  The finding attributes used to sort the list of returned findings.

AwsSecurityFindingFilters

• AwsAccountId ([]StringFilter) (nullable)

  The Amazon Web Services account ID in which a finding is generated.
• AwsAccountName ([]StringFilter) (nullable)

  The name of the Amazon Web Services account in which a finding is generated.
• CompanyName ([]StringFilter) (nullable)

  The name of the findings provider (company) that owns the solution (product) that generates findings.
• ComplianceAssociatedStandardsId ([]StringFilter) (nullable)

  The unique identifier of a standard in which a control is enabled. This field consists of the resource portion of the Amazon Resource Name (ARN) returned for a standard in the DescribeStandardsAPI response.
• ComplianceSecurityControlId ([]StringFilter) (nullable)

  The unique identifier of a control across standards. Values for this field typically consist of an Amazon Web Services service and a number, such as APIGateway.5.
• ComplianceSecurityControlParametersName ([]StringFilter) (nullable)

  The name of a security control parameter.
• ComplianceSecurityControlParametersValue ([]StringFilter) (nullable)

  The current value of a security control parameter.
• ComplianceStatus ([]StringFilter) (nullable)

  Exclusive to findings that are generated as the result of a check run against a specific rule in a supported standard, such as CIS Amazon Web Services Foundations. Contains security standard-related finding details.
• Confidence ([]NumberFilter) (nullable)

  A finding's confidence. Confidence is defined as the likelihood that a finding accurately identifies the behavior or issue that it was intended to identify.

  Confidence is scored on a 0-100 basis using a ratio scale, where 0 means zero percent confidence and 100 means 100 percent confidence.
• CreatedAt ([]DateFilter) (nullable)

  A timestamp that indicates when the security findings provider created the potential security issue that a finding reflects.

  For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps.
• Criticality ([]NumberFilter) (nullable)

  The level of importance assigned to the resources associated with the finding.

  A score of 0 means that the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources.
• Description ([]StringFilter) (nullable)

  A finding's description.
• FindingProviderFieldsConfidence ([]NumberFilter) (nullable)

  The finding provider value for the finding confidence. Confidence is defined as the likelihood that a finding accurately identifies the behavior or issue that it was intended to identify.

  Confidence is scored on a 0-100 basis using a ratio scale, where 0 means zero percent confidence and 100 means 100 percent confidence.
• FindingProviderFieldsCriticality ([]NumberFilter) (nullable)

  The finding provider value for the level of importance assigned to the resources associated with the findings.

  A score of 0 means that the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources.
• FindingProviderFieldsRelatedFindingsId ([]StringFilter) (nullable)

  The finding identifier of a related finding that is identified by the finding provider.
• FindingProviderFieldsRelatedFindingsProductArn ([]StringFilter) (nullable)

  The ARN of the solution that generated a related finding that is identified by the finding provider.
• FindingProviderFieldsSeverityLabel ([]StringFilter) (nullable)

  The finding provider value for the severity label.
• FindingProviderFieldsSeverityOriginal ([]StringFilter) (nullable)

  The finding provider's original value for the severity.
• FindingProviderFieldsTypes ([]StringFilter) (nullable)

  One or more finding types that the finding provider assigned to the finding. Uses the format of namespace/category/classifier that classify a finding.

  Valid namespace values are: Software and Configuration Checks | TTPs | Effects | Unusual Behaviors | Sensitive Data Identifications
• FirstObservedAt ([]DateFilter) (nullable)

  A timestamp that indicates when the security findings provider first observed the potential security issue that a finding captured.

  For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps.
• GeneratorId ([]StringFilter) (nullable)

  The identifier for the solution-specific component (a discrete unit of logic) that generated a finding. In various security findings providers' solutions, this generator can be called a rule, a check, a detector, a plugin, etc.
• Id ([]StringFilter) (nullable)

  The security findings provider-specific identifier for a finding.
• Keyword ([]KeywordFilter) (nullable)

  A keyword for a finding.

  Deprecated: The Keyword property is deprecated.
• LastObservedAt ([]DateFilter) (nullable)

  A timestamp that indicates when the security findings provider most recently observed a change in the resource that is involved in the finding.

  For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps.
• MalwareName ([]StringFilter) (nullable)

  The name of the malware that was observed.
• MalwarePath ([]StringFilter) (nullable)

  The filesystem path of the malware that was observed.
• MalwareState ([]StringFilter) (nullable)

  The state of the malware that was observed.
• MalwareType ([]StringFilter) (nullable)

  The type of the malware that was observed.
• NetworkDestinationDomain ([]StringFilter) (nullable)

  The destination domain of network-related information about a finding.
• NetworkDestinationIpV4 ([]IpFilter) (nullable)

  The destination IPv4 address of network-related information about a finding.
• NetworkDestinationIpV6 ([]IpFilter) (nullable)

  The destination IPv6 address of network-related information about a finding.
• NetworkDestinationPort ([]NumberFilter) (nullable)

  The destination port of network-related information about a finding.
• NetworkDirection ([]StringFilter) (nullable)

  Indicates the direction of network traffic associated with a finding.
• NetworkProtocol ([]StringFilter) (nullable)

  The protocol of network-related information about a finding.
• NetworkSourceDomain ([]StringFilter) (nullable)

  The source domain of network-related information about a finding.
• NetworkSourceIpV4 ([]IpFilter) (nullable)

  The source IPv4 address of network-related information about a finding.
• NetworkSourceIpV6 ([]IpFilter) (nullable)

  The source IPv6 address of network-related information about a finding.
• NetworkSourceMac ([]StringFilter) (nullable)

  The source media access control (MAC) address of network-related information about a finding.
• NetworkSourcePort ([]NumberFilter) (nullable)

  The source port of network-related information about a finding.
• NoteText ([]StringFilter) (nullable)

  The text of a note.
• NoteUpdatedAt ([]DateFilter) (nullable)

  The timestamp of when the note was updated.
• NoteUpdatedBy ([]StringFilter) (nullable)

  The principal that created a note.
• ProcessLaunchedAt ([]DateFilter) (nullable)

  A timestamp that identifies when the process was launched.

  For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps.
• ProcessName ([]StringFilter) (nullable)

  The name of the process.
• ProcessParentPid ([]NumberFilter) (nullable)

  The parent process ID. This field accepts positive integers between O and 2147483647 .
• ProcessPath ([]StringFilter) (nullable)

  The path to the process executable.
• ProcessPid ([]NumberFilter) (nullable)

  The process ID.
• ProcessTerminatedAt ([]DateFilter) (nullable)

  A timestamp that identifies when the process was terminated.

  For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps.
• ProductArn ([]StringFilter) (nullable)

  The ARN generated by Security Hub that uniquely identifies a third-party company (security findings provider) after this provider's product (solution that generates findings) is registered with Security Hub.
• ProductFields ([]MapFilter) (nullable)

  A data type where security findings providers can include additional solution-specific details that aren't part of the defined AwsSecurityFinding format.
• ProductName ([]StringFilter) (nullable)

  The name of the solution (product) that generates findings.
• RecommendationText ([]StringFilter) (nullable)

  The recommendation of what to do about the issue described in a finding.
• RecordState ([]StringFilter) (nullable)

  The updated record state for the finding.
• Region ([]StringFilter) (nullable)

  The Region from which the finding was generated.
• RelatedFindingsId ([]StringFilter) (nullable)

  The solution-generated identifier for a related finding.
• RelatedFindingsProductArn ([]StringFilter) (nullable)

  The ARN of the solution that generated a related finding.
• ResourceApplicationArn ([]StringFilter) (nullable)

  The ARN of the application that is related to a finding.
• ResourceApplicationName ([]StringFilter) (nullable)

  The name of the application that is related to a finding.
• ResourceAwsEc2InstanceIamInstanceProfileArn ([]StringFilter) (nullable)

  The IAM profile ARN of the instance.
• ResourceAwsEc2InstanceImageId ([]StringFilter) (nullable)

  The Amazon Machine Image (AMI) ID of the instance.
• ResourceAwsEc2InstanceIpV4Addresses ([]IpFilter) (nullable)

  The IPv4 addresses associated with the instance.
• ResourceAwsEc2InstanceIpV6Addresses ([]IpFilter) (nullable)

  The IPv6 addresses associated with the instance.
• ResourceAwsEc2InstanceKeyName ([]StringFilter) (nullable)

  The key name associated with the instance.
• ResourceAwsEc2InstanceLaunchedAt ([]DateFilter) (nullable)

  The date and time the instance was launched.
• ResourceAwsEc2InstanceSubnetId ([]StringFilter) (nullable)

  The identifier of the subnet that the instance was launched in.
• ResourceAwsEc2InstanceType ([]StringFilter) (nullable)

  The instance type of the instance.
• ResourceAwsEc2InstanceVpcId ([]StringFilter) (nullable)

  The identifier of the VPC that the instance was launched in.
• ResourceAwsIamAccessKeyCreatedAt ([]DateFilter) (nullable)

  The creation date/time of the IAM access key related to a finding.
• ResourceAwsIamAccessKeyPrincipalName ([]StringFilter) (nullable)

  The name of the principal that is associated with an IAM access key.
• ResourceAwsIamAccessKeyStatus ([]StringFilter) (nullable)

  The status of the IAM access key related to a finding.
• ResourceAwsIamAccessKeyUserName ([]StringFilter) (nullable)

  The user associated with the IAM access key related to a finding.

  Deprecated: This filter is deprecated. Instead, use ResourceAwsIamAccessKeyPrincipalName.
• ResourceAwsIamUserUserName ([]StringFilter) (nullable)

  The name of an IAM user.
• ResourceAwsS3BucketOwnerId ([]StringFilter) (nullable)

  The canonical user ID of the owner of the S3 bucket.
• ResourceAwsS3BucketOwnerName ([]StringFilter) (nullable)

  The display name of the owner of the S3 bucket.
• ResourceContainerImageId ([]StringFilter) (nullable)

  The identifier of the image related to a finding.
• ResourceContainerImageName ([]StringFilter) (nullable)

  The name of the image related to a finding.
• ResourceContainerLaunchedAt ([]DateFilter) (nullable)

  A timestamp that identifies when the container was started.

  For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps.
• ResourceContainerName ([]StringFilter) (nullable)

  The name of the container related to a finding.
• ResourceDetailsOther ([]MapFilter) (nullable)

  The details of a resource that doesn't have a specific subfield for the resource type defined.
• ResourceId ([]StringFilter) (nullable)

  The canonical identifier for the given resource type.
• ResourcePartition ([]StringFilter) (nullable)

  The canonical Amazon Web Services partition name that the Region is assigned to.
• ResourceRegion ([]StringFilter) (nullable)

  The canonical Amazon Web Services external Region name where this resource is located.
• ResourceTags ([]MapFilter) (nullable)

  A list of Amazon Web Services tags associated with a resource at the time the finding was processed.
• ResourceType ([]StringFilter) (nullable)

  Specifies the type of the resource that details are provided for.
• Sample ([]BooleanFilter) (nullable)

  Indicates whether or not sample findings are included in the filter results.
• SeverityLabel ([]StringFilter) (nullable)

  The label of a finding's severity.
• SeverityNormalized ([]NumberFilter) (nullable)

  The normalized severity of a finding.

  Deprecated: This filter is deprecated. Instead, use SeverityLabel or FindingProviderFieldsSeverityLabel.
• SeverityProduct ([]NumberFilter) (nullable)

  The native severity as defined by the security findings provider's solution that generated the finding.

  Deprecated: This filter is deprecated. Instead, use FindingProviderSeverityOriginal.
• SourceUrl ([]StringFilter) (nullable)

  A URL that links to a page about the current finding in the security findings provider's solution.
• ThreatIntelIndicatorCategory ([]StringFilter) (nullable)

  The category of a threat intelligence indicator.
• ThreatIntelIndicatorLastObservedAt ([]DateFilter) (nullable)

  A timestamp that identifies the last observation of a threat intelligence indicator.

  For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps.
• ThreatIntelIndicatorSource ([]StringFilter) (nullable)

  The source of the threat intelligence.
• ThreatIntelIndicatorSourceUrl ([]StringFilter) (nullable)

  The URL for more details from the source of the threat intelligence.
• ThreatIntelIndicatorType ([]StringFilter) (nullable)

  The type of a threat intelligence indicator.
• ThreatIntelIndicatorValue ([]StringFilter) (nullable)

  The value of a threat intelligence indicator.
• Title ([]StringFilter) (nullable)

  A finding's title.
• Type ([]StringFilter) (nullable)

  A finding type in the format of namespace/category/classifier that classifies a finding.
• UpdatedAt ([]DateFilter) (nullable)

  A timestamp that indicates when the security findings provider last updated the finding record.

  For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps.
• UserDefinedFields ([]MapFilter) (nullable)

  A list of name/value string pairs associated with the finding. These are custom, user-defined fields added to a finding.
• VerificationState ([]StringFilter) (nullable)

  The veracity of a finding.
• VulnerabilitiesExploitAvailable ([]StringFilter) (nullable)

  Indicates whether a software vulnerability in your environment has a known exploit. You can filter findings by this field only if you use Security Hub and Amazon Inspector.
• VulnerabilitiesFixAvailable ([]StringFilter) (nullable)

  Indicates whether a vulnerability is fixed in a newer version of the affected software packages. You can filter findings by this field only if you use Security Hub and Amazon Inspector.
• WorkflowState ([]StringFilter) (nullable)

  The workflow state of a finding.

  Note that this field is deprecated. To search for a finding based on its workflow status, use WorkflowStatus .
• WorkflowStatus ([]StringFilter) (nullable)

  The status of the investigation into a finding. Allowed values are the following.

  • NEW - The initial state of a finding, before it is reviewed.

  Security Hub also resets the workflow status from NOTIFIED or RESOLVED to NEW in the following cases:

  • RecordState changes from ARCHIVED to ACTIVE .
  • Compliance.Status changes from PASSED to either WARNING , FAILED , or NOT_AVAILABLE .
  • NOTIFIED - Indicates that the resource owner has been notified about the security issue. Used when the initial reviewer is not the resource owner, and needs intervention from the resource owner.

  If one of the following occurs, the workflow status is changed automatically from NOTIFIED to NEW :

  • RecordState changes from ARCHIVED to ACTIVE .
  • Compliance.Status changes from PASSED to FAILED , WARNING , or NOT_AVAILABLE .
  • SUPPRESSED - Indicates that you reviewed the finding and don't believe that any action is needed.

  The workflow status of a SUPPRESSED finding does not change if RecordState changes from ARCHIVED to ACTIVE .

  • RESOLVED - The finding was reviewed and remediated and is now considered resolved.

  The finding remains RESOLVED unless one of the following occurs:

  • RecordState changes from ARCHIVED to ACTIVE .
  • Compliance.Status changes from PASSED to FAILED , WARNING , or NOT_AVAILABLE .

  In those cases, the workflow status is automatically reset to NEW .

  For findings from controls, if Compliance.Status is PASSED , then Security Hub automatically sets the workflow status to RESOLVED .

StringFilter

• Comparison (string)

  The condition to apply to a string value when filtering Security Hub findings.

  To search for values that have the filter value, use one of the following comparison operators:

  • To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
  • To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
  • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.

  CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.

  To search for values that don’t have the filter value, use one of the following comparison operators:

  • To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
  • To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
  • To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .

  NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.

  You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.

  You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

  For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

  • ResourceType PREFIX AwsIam
  • ResourceType PREFIX AwsEc2
  • ResourceType NOT_EQUALS AwsIamPolicy
  • ResourceType NOT_EQUALS AwsEc2NetworkInterface

  CONTAINS and NOT_CONTAINS operators can be used only with automation rules V1. CONTAINS_WORD operator is only supported in GetFindingsV2 , GetFindingStatisticsV2 , GetResourcesV2 , and GetResourceStatisticsV2 APIs. For more information, see Automation rulesin the Security Hub User Guide.
• Value (string) (nullable)

  The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.

NumberFilter

• Eq (number) (nullable)

  The equal-to condition to be applied to a single field when querying for findings.
• Gt (number) (nullable)

  The greater-than condition to be applied to a single field when querying for findings.
• Gte (number) (nullable)

  The greater-than-equal condition to be applied to a single field when querying for findings.
• Lt (number) (nullable)

  The less-than condition to be applied to a single field when querying for findings.
• Lte (number) (nullable)

  The less-than-equal condition to be applied to a single field when querying for findings.

DateFilter

• DateRange (DateRange) (nullable)

  A date range for the date filter.
• End (string) (nullable)

  A timestamp that provides the end date for the date filter.

  For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps.
• Start (string) (nullable)

  A timestamp that provides the start date for the date filter.

  For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps.

DateRange

• Unit (string)

  A date range unit for the date filter.
• Value (integer) (nullable)

  A date range value for the date filter.

KeywordFilter

• Value (string) (nullable)

  A value for the keyword.

IpFilter

• Cidr (string) (nullable)

  A finding's CIDR value.

MapFilter

• Comparison (string)

  The condition to apply to the key value when filtering Security Hub findings with a map filter.

  To search for values that have the filter value, use one of the following comparison operators:

  • To search for values that include the filter value, use CONTAINS . For example, for the ResourceTags field, the filter Department CONTAINS Security matches findings that include the value Security for the Department tag. In the same example, a finding with a value of Security team for the Department tag is a match.
  • To search for values that exactly match the filter value, use EQUALS . For example, for the ResourceTags field, the filter Department EQUALS Security matches findings that have the value Security for the Department tag.

  CONTAINS and EQUALS filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Department CONTAINS Security OR Department CONTAINS Finance match a finding that includes either Security , Finance , or both values.

  To search for values that don't have the filter value, use one of the following comparison operators:

  • To search for values that exclude the filter value, use NOT_CONTAINS . For example, for the ResourceTags field, the filter Department NOT_CONTAINS Finance matches findings that exclude the value Finance for the Department tag.
  • To search for values other than the filter value, use NOT_EQUALS . For example, for the ResourceTags field, the filter Department NOT_EQUALS Finance matches findings that don’t have the value Finance for the Department tag.

  NOT_CONTAINS and NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Department NOT_CONTAINS Security AND Department NOT_CONTAINS Finance match a finding that excludes both the Security and Finance values.

  CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.

  You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can’t have both an EQUALS filter and a NOT_EQUALS filter on the same field. Combining filters in this way returns an error.

  CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rulesin the Security Hub User Guide.
• Key (string) (nullable)

  The key of the map filter. For example, for ResourceTags , Key identifies the name of the tag. For UserDefinedFields , Key is the name of the field.
• Value (string) (nullable)

  The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called Department might be Security . If you provide security as the filter value, then there's no match.

BooleanFilter

• Value (boolean) (nullable)

  The value of the boolean.

SortCriterion

• Field (string) (nullable)

  The finding attribute used to sort findings.
• SortOrder (string)

  The order used to sort findings.