2023/11/27 - AWS SecurityHub - 10 new 11 updated api methods
Changes Adds and updates APIs to support central configuration. This feature allows the Security Hub delegated administrator to configure Security Hub for their entire AWS Org across multiple regions from a home Region. With this release, findings also include account name and application metadata.
Deletes a configuration policy. Only the Security Hub delegated administrator can invoke this operation from the home Region. For the deletion to succeed, you must first disassociate a configuration policy from target accounts, organizational units, or the root by invoking the StartConfigurationPolicyDisassociation operation.
See also: AWS API Documentation
Request Syntax
client.delete_configuration_policy(
Identifier='string'
)
string
[REQUIRED]
The Amazon Resource Name (ARN) or universally unique identifier (UUID) of the configuration policy.
dict
Response Syntax
{}
Response Structure
(dict) --
Disassociates a target account, organizational unit, or the root from a specified configuration. When you disassociate a configuration from its target, the target inherits the configuration of the closest parent. If there’s no configuration to inherit, the target retains its settings but becomes a self-managed account. A target can be disassociated from a configuration policy or self-managed behavior. Only the Security Hub delegated administrator can invoke this operation from the home Region.
See also: AWS API Documentation
Request Syntax
client.start_configuration_policy_disassociation(
Target={
'AccountId': 'string',
'OrganizationalUnitId': 'string',
'RootId': 'string'
},
ConfigurationPolicyIdentifier='string'
)
dict
The identifier of the target account, organizational unit, or the root to disassociate from the specified configuration.
Note
This is a Tagged Union structure. Only one of the following top level keys can be set: AccountId, OrganizationalUnitId, RootId.
AccountId (string) --
The Amazon Web Services account ID of the target account.
OrganizationalUnitId (string) --
The organizational unit ID of the target organizational unit.
RootId (string) --
The ID of the organization root.
string
[REQUIRED]
The Amazon Resource Name (ARN) or universally unique identifier (UUID) of the configuration policy.
dict
Response Syntax
{}
Response Structure
(dict) --
Provides information about a configuration policy. Only the Security Hub delegated administrator can invoke this operation from the home Region.
See also: AWS API Documentation
Request Syntax
client.get_configuration_policy(
Identifier='string'
)
string
[REQUIRED]
The Amazon Resource Name (ARN) or universally unique identifier (UUID) of the configuration policy.
dict
Response Syntax
{
'Arn': 'string',
'Id': 'string',
'Name': 'string',
'Description': 'string',
'UpdatedAt': datetime(2015, 1, 1),
'CreatedAt': datetime(2015, 1, 1),
'ConfigurationPolicy': {
'SecurityHub': {
'ServiceEnabled': True|False,
'EnabledStandardIdentifiers': [
'string',
],
'SecurityControlsConfiguration': {
'EnabledSecurityControlIdentifiers': [
'string',
],
'DisabledSecurityControlIdentifiers': [
'string',
],
'SecurityControlCustomParameters': [
{
'SecurityControlId': 'string',
'Parameters': {
'string': {
'ValueType': 'DEFAULT'|'CUSTOM',
'Value': {
'Integer': 123,
'IntegerList': [
123,
],
'Double': 123.0,
'String': 'string',
'StringList': [
'string',
],
'Boolean': True|False,
'Enum': 'string',
'EnumList': [
'string',
]
}
}
}
},
]
}
}
}
}
Response Structure
(dict) --
Arn (string) --
The ARN of the configuration policy.
Id (string) --
The UUID of the configuration policy.
Name (string) --
The name of the configuration policy.
Description (string) --
The description of the configuration policy.
UpdatedAt (datetime) --
The date and time, in UTC and ISO 8601 format, that the configuration policy was last updated.
CreatedAt (datetime) --
The date and time, in UTC and ISO 8601 format, that the configuration policy was created.
ConfigurationPolicy (dict) --
An object that defines how Security Hub is configured. It includes whether Security Hub is enabled or disabled, a list of enabled security standards, a list of enabled or disabled security controls, and a list of custom parameter values for specified controls. If the policy includes a list of security controls that are enabled, Security Hub disables all other controls (including newly released controls). If the policy includes a list of security controls that are disabled, Security Hub enables all other controls (including newly released controls).
Note
This is a Tagged Union structure. Only one of the following top level keys will be set: SecurityHub. If a client receives an unknown member it will set SDK_UNKNOWN_MEMBER as the top level key, which maps to the name or tag of the unknown member. The structure of SDK_UNKNOWN_MEMBER is as follows:
'SDK_UNKNOWN_MEMBER': {'name': 'UnknownMemberName'}
SecurityHub (dict) --
The Amazon Web Service that the configuration policy applies to.
ServiceEnabled (boolean) --
Indicates whether Security Hub is enabled in the policy.
EnabledStandardIdentifiers (list) --
A list that defines which security standards are enabled in the configuration policy.
(string) --
SecurityControlsConfiguration (dict) --
An object that defines which security controls are enabled in the configuration policy. The enablement status of a control is aligned across all of the enabled standards in an account.
EnabledSecurityControlIdentifiers (list) --
A list of security controls that are enabled in the configuration policy. Security Hub disables all other controls (including newly released controls) other than the listed controls.
(string) --
DisabledSecurityControlIdentifiers (list) --
A list of security controls that are disabled in the configuration policy. Security Hub enables all other controls (including newly released controls) other than the listed controls.
(string) --
SecurityControlCustomParameters (list) --
A list of security controls and control parameter values that are included in a configuration policy.
(dict) --
A list of security controls and control parameter values that are included in a configuration policy.
SecurityControlId (string) --
The ID of the security control.
Parameters (dict) --
An object that specifies parameter values for a control in a configuration policy.
(string) --
(dict) --
An object that provides the current value of a security control parameter and identifies whether it has been customized.
ValueType (string) --
Identifies whether a control parameter uses a custom user-defined value or the Security Hub default value.
Value (dict) --
The current value of a control parameter.
Note
This is a Tagged Union structure. Only one of the following top level keys will be set: Integer, IntegerList, Double, String, StringList, Boolean, Enum, EnumList. If a client receives an unknown member it will set SDK_UNKNOWN_MEMBER as the top level key, which maps to the name or tag of the unknown member. The structure of SDK_UNKNOWN_MEMBER is as follows:
'SDK_UNKNOWN_MEMBER': {'name': 'UnknownMemberName'}
Integer (integer) --
A control parameter that is an integer.
IntegerList (list) --
A control parameter that is a list of integers.
(integer) --
Double (float) --
A control parameter that is a double.
String (string) --
A control parameter that is a string.
StringList (list) --
A control parameter that is a list of strings.
(string) --
Boolean (boolean) --
A control parameter that is a boolean.
Enum (string) --
A control parameter that is an enum.
EnumList (list) --
A control parameter that is a list of enums.
(string) --
Provides information about the associations for your configuration policies and self-managed behavior. Only the Security Hub delegated administrator can invoke this operation from the home Region.
See also: AWS API Documentation
Request Syntax
client.list_configuration_policy_associations(
NextToken='string',
MaxResults=123,
Filters={
'ConfigurationPolicyId': 'string',
'AssociationType': 'INHERITED'|'APPLIED',
'AssociationStatus': 'PENDING'|'SUCCESS'|'FAILED'
}
)
string
The NextToken value that's returned from a previous paginated ListConfigurationPolicyAssociations request where MaxResults was used but the results exceeded the value of that parameter. Pagination continues from the end of the previous response that returned the NextToken value. This value is null when there are no more results to return.
integer
The maximum number of results that's returned by ListConfigurationPolicies in each page of the response. When this parameter is used, ListConfigurationPolicyAssociations returns the specified number of results in a single page and a NextToken response element. You can see the remaining results of the initial request by sending another ListConfigurationPolicyAssociations request with the returned NextToken value. A valid range for MaxResults is between 1 and 100.
dict
Options for filtering the ListConfigurationPolicyAssociations response. You can filter by the Amazon Resource Name (ARN) or universally unique identifier (UUID) of a configuration, AssociationType , or AssociationStatus .
ConfigurationPolicyId (string) --
The ARN or UUID of the configuration policy.
AssociationType (string) --
Indicates whether the association between a target and a configuration was directly applied by the Security Hub delegated administrator or inherited from a parent.
AssociationStatus (string) --
The current status of the association between a target and a configuration policy.
dict
Response Syntax
{
'ConfigurationPolicyAssociationSummaries': [
{
'ConfigurationPolicyId': 'string',
'TargetId': 'string',
'TargetType': 'ACCOUNT'|'ORGANIZATIONAL_UNIT',
'AssociationType': 'INHERITED'|'APPLIED',
'UpdatedAt': datetime(2015, 1, 1),
'AssociationStatus': 'PENDING'|'SUCCESS'|'FAILED',
'AssociationStatusMessage': 'string'
},
],
'NextToken': 'string'
}
Response Structure
(dict) --
ConfigurationPolicyAssociationSummaries (list) --
An object that contains the details of each configuration policy association that’s returned in a ListConfigurationPolicyAssociations request.
(dict) --
An object that contains the details of a configuration policy association that’s returned in a ListConfigurationPolicyAssociations request.
ConfigurationPolicyId (string) --
The universally unique identifier (UUID) of the configuration policy.
TargetId (string) --
The identifier of the target account, organizational unit, or the root.
TargetType (string) --
Specifies whether the target is an Amazon Web Services account, organizational unit, or the root.
AssociationType (string) --
Indicates whether the association between the specified target and the configuration was directly applied by the Security Hub delegated administrator or inherited from a parent.
UpdatedAt (datetime) --
The date and time, in UTC and ISO 8601 format, that the configuration policy association was last updated.
AssociationStatus (string) --
The current status of the association between the specified target and the configuration.
AssociationStatusMessage (string) --
The explanation for a FAILED value for AssociationStatus .
NextToken (string) --
The NextToken value to include in the next ListConfigurationPolicyAssociations request. When the results of a ListConfigurationPolicyAssociations request exceed MaxResults , this value can be used to retrieve the next page of results. This value is null when there are no more results to return.
Returns associations between an Security Hub configuration and a batch of target accounts, organizational units, or the root. Only the Security Hub delegated administrator can invoke this operation from the home Region. A configuration can refer to a configuration policy or to a self-managed configuration.
See also: AWS API Documentation
Request Syntax
client.batch_get_configuration_policy_associations(
ConfigurationPolicyAssociationIdentifiers=[
{
'Target': {
'AccountId': 'string',
'OrganizationalUnitId': 'string',
'RootId': 'string'
}
},
]
)
list
[REQUIRED]
Specifies one or more target account IDs, organizational unit (OU) IDs, or the root ID to retrieve associations for.
(dict) --
Provides details about the association between an Security Hub configuration and a target account, organizational unit, or the root. An association can exist between a target and a configuration policy, or between a target and self-managed behavior.
Target (dict) --
The target account, organizational unit, or the root.
Note
This is a Tagged Union structure. Only one of the following top level keys can be set: AccountId, OrganizationalUnitId, RootId.
AccountId (string) --
The Amazon Web Services account ID of the target account.
OrganizationalUnitId (string) --
The organizational unit ID of the target organizational unit.
RootId (string) --
The ID of the organization root.
dict
Response Syntax
{
'ConfigurationPolicyAssociations': [
{
'ConfigurationPolicyId': 'string',
'TargetId': 'string',
'TargetType': 'ACCOUNT'|'ORGANIZATIONAL_UNIT',
'AssociationType': 'INHERITED'|'APPLIED',
'UpdatedAt': datetime(2015, 1, 1),
'AssociationStatus': 'PENDING'|'SUCCESS'|'FAILED',
'AssociationStatusMessage': 'string'
},
],
'UnprocessedConfigurationPolicyAssociations': [
{
'ConfigurationPolicyAssociationIdentifiers': {
'Target': {
'AccountId': 'string',
'OrganizationalUnitId': 'string',
'RootId': 'string'
}
},
'ErrorCode': 'string',
'ErrorReason': 'string'
},
]
}
Response Structure
(dict) --
ConfigurationPolicyAssociations (list) --
Describes associations for the target accounts, OUs, or the root.
(dict) --
An object that contains the details of a configuration policy association that’s returned in a ListConfigurationPolicyAssociations request.
ConfigurationPolicyId (string) --
The universally unique identifier (UUID) of the configuration policy.
TargetId (string) --
The identifier of the target account, organizational unit, or the root.
TargetType (string) --
Specifies whether the target is an Amazon Web Services account, organizational unit, or the root.
AssociationType (string) --
Indicates whether the association between the specified target and the configuration was directly applied by the Security Hub delegated administrator or inherited from a parent.
UpdatedAt (datetime) --
The date and time, in UTC and ISO 8601 format, that the configuration policy association was last updated.
AssociationStatus (string) --
The current status of the association between the specified target and the configuration.
AssociationStatusMessage (string) --
The explanation for a FAILED value for AssociationStatus .
UnprocessedConfigurationPolicyAssociations (list) --
An array of configuration policy associations, one for each configuration policy association identifier, that was specified in the request but couldn’t be processed due to an error.
(dict) --
An array of configuration policy associations, one for each configuration policy association identifier, that was specified in a BatchGetConfigurationPolicyAssociations request but couldn’t be processed due to an error.
ConfigurationPolicyAssociationIdentifiers (dict) --
Configuration policy association identifiers that were specified in a BatchGetConfigurationPolicyAssociations request but couldn’t be processed due to an error.
Target (dict) --
The target account, organizational unit, or the root.
Note
This is a Tagged Union structure. Only one of the following top level keys will be set: AccountId, OrganizationalUnitId, RootId. If a client receives an unknown member it will set SDK_UNKNOWN_MEMBER as the top level key, which maps to the name or tag of the unknown member. The structure of SDK_UNKNOWN_MEMBER is as follows:
'SDK_UNKNOWN_MEMBER': {'name': 'UnknownMemberName'}
AccountId (string) --
The Amazon Web Services account ID of the target account.
OrganizationalUnitId (string) --
The organizational unit ID of the target organizational unit.
RootId (string) --
The ID of the organization root.
ErrorCode (string) --
An HTTP status code that identifies why the configuration policy association failed.
ErrorReason (string) --
A string that identifies why the configuration policy association failed.
Returns the association between a configuration and a target account, organizational unit, or the root. The configuration can be a configuration policy or self-managed behavior. Only the Security Hub delegated administrator can invoke this operation from the home Region.
See also: AWS API Documentation
Request Syntax
client.get_configuration_policy_association(
Target={
'AccountId': 'string',
'OrganizationalUnitId': 'string',
'RootId': 'string'
}
)
dict
[REQUIRED]
The target account ID, organizational unit ID, or the root ID to retrieve the association for.
Note
This is a Tagged Union structure. Only one of the following top level keys can be set: AccountId, OrganizationalUnitId, RootId.
AccountId (string) --
The Amazon Web Services account ID of the target account.
OrganizationalUnitId (string) --
The organizational unit ID of the target organizational unit.
RootId (string) --
The ID of the organization root.
dict
Response Syntax
{
'ConfigurationPolicyId': 'string',
'TargetId': 'string',
'TargetType': 'ACCOUNT'|'ORGANIZATIONAL_UNIT',
'AssociationType': 'INHERITED'|'APPLIED',
'UpdatedAt': datetime(2015, 1, 1),
'AssociationStatus': 'PENDING'|'SUCCESS'|'FAILED',
'AssociationStatusMessage': 'string'
}
Response Structure
(dict) --
ConfigurationPolicyId (string) --
The universally unique identifier (UUID) of a configuration policy. For self-managed behavior, the value is SELF_MANAGED_SECURITY_HUB .
TargetId (string) --
The target account ID, organizational unit ID, or the root ID for which the association is retrieved.
TargetType (string) --
Specifies whether the target is an Amazon Web Services account, organizational unit, or the organization root.
AssociationType (string) --
Indicates whether the association between the specified target and the configuration was directly applied by the Security Hub delegated administrator or inherited from a parent.
UpdatedAt (datetime) --
The date and time, in UTC and ISO 8601 format, that the configuration policy association was last updated.
AssociationStatus (string) --
The current status of the association between the specified target and the configuration.
AssociationStatusMessage (string) --
The explanation for a FAILED value for AssociationStatus .
Updates a configuration policy. Only the Security Hub delegated administrator can invoke this operation from the home Region.
See also: AWS API Documentation
Request Syntax
client.update_configuration_policy(
Identifier='string',
Name='string',
Description='string',
UpdatedReason='string',
ConfigurationPolicy={
'SecurityHub': {
'ServiceEnabled': True|False,
'EnabledStandardIdentifiers': [
'string',
],
'SecurityControlsConfiguration': {
'EnabledSecurityControlIdentifiers': [
'string',
],
'DisabledSecurityControlIdentifiers': [
'string',
],
'SecurityControlCustomParameters': [
{
'SecurityControlId': 'string',
'Parameters': {
'string': {
'ValueType': 'DEFAULT'|'CUSTOM',
'Value': {
'Integer': 123,
'IntegerList': [
123,
],
'Double': 123.0,
'String': 'string',
'StringList': [
'string',
],
'Boolean': True|False,
'Enum': 'string',
'EnumList': [
'string',
]
}
}
}
},
]
}
}
}
)
string
[REQUIRED]
The Amazon Resource Name (ARN) or universally unique identifier (UUID) of the configuration policy.
string
The name of the configuration policy.
string
The description of the configuration policy.
string
The reason for updating the configuration policy.
dict
An object that defines how Security Hub is configured. It includes whether Security Hub is enabled or disabled, a list of enabled security standards, a list of enabled or disabled security controls, and a list of custom parameter values for specified controls. If you provide a list of security controls that are enabled in the configuration policy, Security Hub disables all other controls (including newly released controls). If you provide a list of security controls that are disabled in the configuration policy, Security Hub enables all other controls (including newly released controls).
When updating a configuration policy, provide a complete list of standards that you want to enable and a complete list of controls that you want to enable or disable. The updated configuration replaces the current configuration.
Note
This is a Tagged Union structure. Only one of the following top level keys can be set: SecurityHub.
SecurityHub (dict) --
The Amazon Web Service that the configuration policy applies to.
ServiceEnabled (boolean) --
Indicates whether Security Hub is enabled in the policy.
EnabledStandardIdentifiers (list) --
A list that defines which security standards are enabled in the configuration policy.
(string) --
SecurityControlsConfiguration (dict) --
An object that defines which security controls are enabled in the configuration policy. The enablement status of a control is aligned across all of the enabled standards in an account.
EnabledSecurityControlIdentifiers (list) --
A list of security controls that are enabled in the configuration policy. Security Hub disables all other controls (including newly released controls) other than the listed controls.
(string) --
DisabledSecurityControlIdentifiers (list) --
A list of security controls that are disabled in the configuration policy. Security Hub enables all other controls (including newly released controls) other than the listed controls.
(string) --
SecurityControlCustomParameters (list) --
A list of security controls and control parameter values that are included in a configuration policy.
(dict) --
A list of security controls and control parameter values that are included in a configuration policy.
SecurityControlId (string) --
The ID of the security control.
Parameters (dict) --
An object that specifies parameter values for a control in a configuration policy.
(string) --
(dict) --
An object that provides the current value of a security control parameter and identifies whether it has been customized.
ValueType (string) -- [REQUIRED]
Identifies whether a control parameter uses a custom user-defined value or the Security Hub default value.
Value (dict) --
The current value of a control parameter.
Note
This is a Tagged Union structure. Only one of the following top level keys can be set: Integer, IntegerList, Double, String, StringList, Boolean, Enum, EnumList.
Integer (integer) --
A control parameter that is an integer.
IntegerList (list) --
A control parameter that is a list of integers.
(integer) --
Double (float) --
A control parameter that is a double.
String (string) --
A control parameter that is a string.
StringList (list) --
A control parameter that is a list of strings.
(string) --
Boolean (boolean) --
A control parameter that is a boolean.
Enum (string) --
A control parameter that is an enum.
EnumList (list) --
A control parameter that is a list of enums.
(string) --
dict
Response Syntax
{
'Arn': 'string',
'Id': 'string',
'Name': 'string',
'Description': 'string',
'UpdatedAt': datetime(2015, 1, 1),
'CreatedAt': datetime(2015, 1, 1),
'ConfigurationPolicy': {
'SecurityHub': {
'ServiceEnabled': True|False,
'EnabledStandardIdentifiers': [
'string',
],
'SecurityControlsConfiguration': {
'EnabledSecurityControlIdentifiers': [
'string',
],
'DisabledSecurityControlIdentifiers': [
'string',
],
'SecurityControlCustomParameters': [
{
'SecurityControlId': 'string',
'Parameters': {
'string': {
'ValueType': 'DEFAULT'|'CUSTOM',
'Value': {
'Integer': 123,
'IntegerList': [
123,
],
'Double': 123.0,
'String': 'string',
'StringList': [
'string',
],
'Boolean': True|False,
'Enum': 'string',
'EnumList': [
'string',
]
}
}
}
},
]
}
}
}
}
Response Structure
(dict) --
Arn (string) --
The ARN of the configuration policy.
Id (string) --
The UUID of the configuration policy.
Name (string) --
The name of the configuration policy.
Description (string) --
The description of the configuration policy.
UpdatedAt (datetime) --
The date and time, in UTC and ISO 8601 format, that the configuration policy was last updated.
CreatedAt (datetime) --
The date and time, in UTC and ISO 8601 format, that the configuration policy was created.
ConfigurationPolicy (dict) --
An object that defines how Security Hub is configured. It includes whether Security Hub is enabled or disabled, a list of enabled security standards, a list of enabled or disabled security controls, and a list of custom parameter values for specified controls. If the request included a list of security controls that are enabled in the configuration policy, Security Hub disables all other controls (including newly released controls). If the request included a list of security controls that are disabled in the configuration policy, Security Hub enables all other controls (including newly released controls).
Note
This is a Tagged Union structure. Only one of the following top level keys will be set: SecurityHub. If a client receives an unknown member it will set SDK_UNKNOWN_MEMBER as the top level key, which maps to the name or tag of the unknown member. The structure of SDK_UNKNOWN_MEMBER is as follows:
'SDK_UNKNOWN_MEMBER': {'name': 'UnknownMemberName'}
SecurityHub (dict) --
The Amazon Web Service that the configuration policy applies to.
ServiceEnabled (boolean) --
Indicates whether Security Hub is enabled in the policy.
EnabledStandardIdentifiers (list) --
A list that defines which security standards are enabled in the configuration policy.
(string) --
SecurityControlsConfiguration (dict) --
An object that defines which security controls are enabled in the configuration policy. The enablement status of a control is aligned across all of the enabled standards in an account.
EnabledSecurityControlIdentifiers (list) --
A list of security controls that are enabled in the configuration policy. Security Hub disables all other controls (including newly released controls) other than the listed controls.
(string) --
DisabledSecurityControlIdentifiers (list) --
A list of security controls that are disabled in the configuration policy. Security Hub enables all other controls (including newly released controls) other than the listed controls.
(string) --
SecurityControlCustomParameters (list) --
A list of security controls and control parameter values that are included in a configuration policy.
(dict) --
A list of security controls and control parameter values that are included in a configuration policy.
SecurityControlId (string) --
The ID of the security control.
Parameters (dict) --
An object that specifies parameter values for a control in a configuration policy.
(string) --
(dict) --
An object that provides the current value of a security control parameter and identifies whether it has been customized.
ValueType (string) --
Identifies whether a control parameter uses a custom user-defined value or the Security Hub default value.
Value (dict) --
The current value of a control parameter.
Note
This is a Tagged Union structure. Only one of the following top level keys will be set: Integer, IntegerList, Double, String, StringList, Boolean, Enum, EnumList. If a client receives an unknown member it will set SDK_UNKNOWN_MEMBER as the top level key, which maps to the name or tag of the unknown member. The structure of SDK_UNKNOWN_MEMBER is as follows:
'SDK_UNKNOWN_MEMBER': {'name': 'UnknownMemberName'}
Integer (integer) --
A control parameter that is an integer.
IntegerList (list) --
A control parameter that is a list of integers.
(integer) --
Double (float) --
A control parameter that is a double.
String (string) --
A control parameter that is a string.
StringList (list) --
A control parameter that is a list of strings.
(string) --
Boolean (boolean) --
A control parameter that is a boolean.
Enum (string) --
A control parameter that is an enum.
EnumList (list) --
A control parameter that is a list of enums.
(string) --
Lists the configuration policies that the Security Hub delegated administrator has created for your organization. Only the delegated administrator can invoke this operation from the home Region.
See also: AWS API Documentation
Request Syntax
client.list_configuration_policies(
NextToken='string',
MaxResults=123
)
string
The NextToken value that's returned from a previous paginated ListConfigurationPolicies request where MaxResults was used but the results exceeded the value of that parameter. Pagination continues from the MaxResults was used but the results exceeded the value of that parameter. Pagination continues from the end of the previous response that returned the NextToken value. This value is null when there are no more results to return.
integer
The maximum number of results that's returned by ListConfigurationPolicies in each page of the response. When this parameter is used, ListConfigurationPolicies returns the specified number of results in a single page and a NextToken response element. You can see the remaining results of the initial request by sending another ListConfigurationPolicies request with the returned NextToken value. A valid range for MaxResults is between 1 and 100.
dict
Response Syntax
{
'ConfigurationPolicySummaries': [
{
'Arn': 'string',
'Id': 'string',
'Name': 'string',
'Description': 'string',
'UpdatedAt': datetime(2015, 1, 1),
'ServiceEnabled': True|False
},
],
'NextToken': 'string'
}
Response Structure
(dict) --
ConfigurationPolicySummaries (list) --
Provides metadata for each of your configuration policies.
(dict) --
An object that contains the details of an Security Hub configuration policy that’s returned in a ListConfigurationPolicies request.
Arn (string) --
The Amazon Resource Name (ARN) of the configuration policy.
Id (string) --
The universally unique identifier (UUID) of the configuration policy.
Name (string) --
The name of the configuration policy.
Description (string) --
The description of the configuration policy.
UpdatedAt (datetime) --
The date and time, in UTC and ISO 8601 format, that the configuration policy was last updated.
ServiceEnabled (boolean) --
Indicates whether the service that the configuration policy applies to is enabled in the policy.
NextToken (string) --
The NextToken value to include in the next ListConfigurationPolicies request. When the results of a ListConfigurationPolicies request exceed MaxResults , this value can be used to retrieve the next page of results. This value is null when there are no more results to return.
Creates a configuration policy with the defined configuration. Only the Security Hub delegated administrator can invoke this operation from the home Region.
See also: AWS API Documentation
Request Syntax
client.create_configuration_policy(
Name='string',
Description='string',
ConfigurationPolicy={
'SecurityHub': {
'ServiceEnabled': True|False,
'EnabledStandardIdentifiers': [
'string',
],
'SecurityControlsConfiguration': {
'EnabledSecurityControlIdentifiers': [
'string',
],
'DisabledSecurityControlIdentifiers': [
'string',
],
'SecurityControlCustomParameters': [
{
'SecurityControlId': 'string',
'Parameters': {
'string': {
'ValueType': 'DEFAULT'|'CUSTOM',
'Value': {
'Integer': 123,
'IntegerList': [
123,
],
'Double': 123.0,
'String': 'string',
'StringList': [
'string',
],
'Boolean': True|False,
'Enum': 'string',
'EnumList': [
'string',
]
}
}
}
},
]
}
}
},
Tags={
'string': 'string'
}
)
string
[REQUIRED]
The name of the configuration policy.
string
The description of the configuration policy.
dict
[REQUIRED]
An object that defines how Security Hub is configured. It includes whether Security Hub is enabled or disabled, a list of enabled security standards, a list of enabled or disabled security controls, and a list of custom parameter values for specified controls. If you provide a list of security controls that are enabled in the configuration policy, Security Hub disables all other controls (including newly released controls). If you provide a list of security controls that are disabled in the configuration policy, Security Hub enables all other controls (including newly released controls).
Note
This is a Tagged Union structure. Only one of the following top level keys can be set: SecurityHub.
SecurityHub (dict) --
The Amazon Web Service that the configuration policy applies to.
ServiceEnabled (boolean) --
Indicates whether Security Hub is enabled in the policy.
EnabledStandardIdentifiers (list) --
A list that defines which security standards are enabled in the configuration policy.
(string) --
SecurityControlsConfiguration (dict) --
An object that defines which security controls are enabled in the configuration policy. The enablement status of a control is aligned across all of the enabled standards in an account.
EnabledSecurityControlIdentifiers (list) --
A list of security controls that are enabled in the configuration policy. Security Hub disables all other controls (including newly released controls) other than the listed controls.
(string) --
DisabledSecurityControlIdentifiers (list) --
A list of security controls that are disabled in the configuration policy. Security Hub enables all other controls (including newly released controls) other than the listed controls.
(string) --
SecurityControlCustomParameters (list) --
A list of security controls and control parameter values that are included in a configuration policy.
(dict) --
A list of security controls and control parameter values that are included in a configuration policy.
SecurityControlId (string) --
The ID of the security control.
Parameters (dict) --
An object that specifies parameter values for a control in a configuration policy.
(string) --
(dict) --
An object that provides the current value of a security control parameter and identifies whether it has been customized.
ValueType (string) -- [REQUIRED]
Identifies whether a control parameter uses a custom user-defined value or the Security Hub default value.
Value (dict) --
The current value of a control parameter.
Note
This is a Tagged Union structure. Only one of the following top level keys can be set: Integer, IntegerList, Double, String, StringList, Boolean, Enum, EnumList.
Integer (integer) --
A control parameter that is an integer.
IntegerList (list) --
A control parameter that is a list of integers.
(integer) --
Double (float) --
A control parameter that is a double.
String (string) --
A control parameter that is a string.
StringList (list) --
A control parameter that is a list of strings.
(string) --
Boolean (boolean) --
A control parameter that is a boolean.
Enum (string) --
A control parameter that is an enum.
EnumList (list) --
A control parameter that is a list of enums.
(string) --
dict
User-defined tags associated with a configuration policy. For more information, see Tagging Security Hub resources in the Security Hub user guide .
(string) --
(string) --
dict
Response Syntax
{
'Arn': 'string',
'Id': 'string',
'Name': 'string',
'Description': 'string',
'UpdatedAt': datetime(2015, 1, 1),
'CreatedAt': datetime(2015, 1, 1),
'ConfigurationPolicy': {
'SecurityHub': {
'ServiceEnabled': True|False,
'EnabledStandardIdentifiers': [
'string',
],
'SecurityControlsConfiguration': {
'EnabledSecurityControlIdentifiers': [
'string',
],
'DisabledSecurityControlIdentifiers': [
'string',
],
'SecurityControlCustomParameters': [
{
'SecurityControlId': 'string',
'Parameters': {
'string': {
'ValueType': 'DEFAULT'|'CUSTOM',
'Value': {
'Integer': 123,
'IntegerList': [
123,
],
'Double': 123.0,
'String': 'string',
'StringList': [
'string',
],
'Boolean': True|False,
'Enum': 'string',
'EnumList': [
'string',
]
}
}
}
},
]
}
}
}
}
Response Structure
(dict) --
Arn (string) --
The Amazon Resource Name (ARN) of the configuration policy.
Id (string) --
The universally unique identifier (UUID) of the configuration policy.
Name (string) --
The name of the configuration policy.
Description (string) --
The description of the configuration policy.
UpdatedAt (datetime) --
The date and time, in UTC and ISO 8601 format, that the configuration policy was last updated.
CreatedAt (datetime) --
The date and time, in UTC and ISO 8601 format, that the configuration policy was created.
ConfigurationPolicy (dict) --
An object that defines how Security Hub is configured. It includes whether Security Hub is enabled or disabled, a list of enabled security standards, a list of enabled or disabled security controls, and a list of custom parameter values for specified controls. If the request included a list of security controls that are enabled in the configuration policy, Security Hub disables all other controls (including newly released controls). If the request included a list of security controls that are disabled in the configuration policy, Security Hub enables all other controls (including newly released controls).
Note
This is a Tagged Union structure. Only one of the following top level keys will be set: SecurityHub. If a client receives an unknown member it will set SDK_UNKNOWN_MEMBER as the top level key, which maps to the name or tag of the unknown member. The structure of SDK_UNKNOWN_MEMBER is as follows:
'SDK_UNKNOWN_MEMBER': {'name': 'UnknownMemberName'}
SecurityHub (dict) --
The Amazon Web Service that the configuration policy applies to.
ServiceEnabled (boolean) --
Indicates whether Security Hub is enabled in the policy.
EnabledStandardIdentifiers (list) --
A list that defines which security standards are enabled in the configuration policy.
(string) --
SecurityControlsConfiguration (dict) --
An object that defines which security controls are enabled in the configuration policy. The enablement status of a control is aligned across all of the enabled standards in an account.
EnabledSecurityControlIdentifiers (list) --
A list of security controls that are enabled in the configuration policy. Security Hub disables all other controls (including newly released controls) other than the listed controls.
(string) --
DisabledSecurityControlIdentifiers (list) --
A list of security controls that are disabled in the configuration policy. Security Hub enables all other controls (including newly released controls) other than the listed controls.
(string) --
SecurityControlCustomParameters (list) --
A list of security controls and control parameter values that are included in a configuration policy.
(dict) --
A list of security controls and control parameter values that are included in a configuration policy.
SecurityControlId (string) --
The ID of the security control.
Parameters (dict) --
An object that specifies parameter values for a control in a configuration policy.
(string) --
(dict) --
An object that provides the current value of a security control parameter and identifies whether it has been customized.
ValueType (string) --
Identifies whether a control parameter uses a custom user-defined value or the Security Hub default value.
Value (dict) --
The current value of a control parameter.
Note
This is a Tagged Union structure. Only one of the following top level keys will be set: Integer, IntegerList, Double, String, StringList, Boolean, Enum, EnumList. If a client receives an unknown member it will set SDK_UNKNOWN_MEMBER as the top level key, which maps to the name or tag of the unknown member. The structure of SDK_UNKNOWN_MEMBER is as follows:
'SDK_UNKNOWN_MEMBER': {'name': 'UnknownMemberName'}
Integer (integer) --
A control parameter that is an integer.
IntegerList (list) --
A control parameter that is a list of integers.
(integer) --
Double (float) --
A control parameter that is a double.
String (string) --
A control parameter that is a string.
StringList (list) --
A control parameter that is a list of strings.
(string) --
Boolean (boolean) --
A control parameter that is a boolean.
Enum (string) --
A control parameter that is an enum.
EnumList (list) --
A control parameter that is a list of enums.
(string) --
Associates a target account, organizational unit, or the root with a specified configuration. The target can be associated with a configuration policy or self-managed behavior. Only the Security Hub delegated administrator can invoke this operation from the home Region.
See also: AWS API Documentation
Request Syntax
client.start_configuration_policy_association(
ConfigurationPolicyIdentifier='string',
Target={
'AccountId': 'string',
'OrganizationalUnitId': 'string',
'RootId': 'string'
}
)
string
[REQUIRED]
The Amazon Resource Name (ARN) or universally unique identifier (UUID) of the configuration policy.
dict
[REQUIRED]
The identifier of the target account, organizational unit, or the root to associate with the specified configuration.
Note
This is a Tagged Union structure. Only one of the following top level keys can be set: AccountId, OrganizationalUnitId, RootId.
AccountId (string) --
The Amazon Web Services account ID of the target account.
OrganizationalUnitId (string) --
The organizational unit ID of the target organizational unit.
RootId (string) --
The ID of the organization root.
dict
Response Syntax
{
'ConfigurationPolicyId': 'string',
'TargetId': 'string',
'TargetType': 'ACCOUNT'|'ORGANIZATIONAL_UNIT',
'AssociationType': 'INHERITED'|'APPLIED',
'UpdatedAt': datetime(2015, 1, 1),
'AssociationStatus': 'PENDING'|'SUCCESS'|'FAILED',
'AssociationStatusMessage': 'string'
}
Response Structure
(dict) --
ConfigurationPolicyId (string) --
The UUID of the configuration policy.
TargetId (string) --
The identifier of the target account, organizational unit, or the organization root with which the configuration is associated.
TargetType (string) --
Indicates whether the target is an Amazon Web Services account, organizational unit, or the organization root.
AssociationType (string) --
Indicates whether the association between the specified target and the configuration was directly applied by the Security Hub delegated administrator or inherited from a parent.
UpdatedAt (datetime) --
The date and time, in UTC and ISO 8601 format, that the configuration policy association was last updated.
AssociationStatus (string) --
The current status of the association between the specified target and the configuration.
AssociationStatusMessage (string) --
An explanation for a FAILED value for AssociationStatus .
{'Rules': {'Criteria': {'AwsAccountName': [{'Comparison': 'EQUALS | PREFIX | '
'NOT_EQUALS | '
'PREFIX_NOT_EQUALS | '
'CONTAINS | '
'NOT_CONTAINS',
'Value': 'string'}],
'ResourceApplicationArn': [{'Comparison': 'EQUALS | '
'PREFIX | '
'NOT_EQUALS '
'| '
'PREFIX_NOT_EQUALS '
'| CONTAINS '
'| '
'NOT_CONTAINS',
'Value': 'string'}],
'ResourceApplicationName': [{'Comparison': 'EQUALS | '
'PREFIX | '
'NOT_EQUALS '
'| '
'PREFIX_NOT_EQUALS '
'| CONTAINS '
'| '
'NOT_CONTAINS',
'Value': 'string'}]}}}
Retrieves a list of details for automation rules based on rule Amazon Resource Names (ARNs).
See also: AWS API Documentation
Request Syntax
client.batch_get_automation_rules(
AutomationRulesArns=[
'string',
]
)
list
[REQUIRED]
A list of rule ARNs to get details for.
(string) --
dict
Response Syntax
{
'Rules': [
{
'RuleArn': 'string',
'RuleStatus': 'ENABLED'|'DISABLED',
'RuleOrder': 123,
'RuleName': 'string',
'Description': 'string',
'IsTerminal': True|False,
'Criteria': {
'ProductArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'AwsAccountId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'Id': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'GeneratorId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'Type': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'FirstObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'LastObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'CreatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'UpdatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'Confidence': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'Criticality': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'Title': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'Description': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'SourceUrl': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ProductName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'CompanyName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'SeverityLabel': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourcePartition': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceRegion': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceTags': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceDetailsOther': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ComplianceStatus': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ComplianceSecurityControlId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ComplianceAssociatedStandardsId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'VerificationState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'WorkflowStatus': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'RecordState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'RelatedFindingsProductArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'RelatedFindingsId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'NoteText': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'NoteUpdatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'NoteUpdatedBy': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'UserDefinedFields': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceApplicationArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceApplicationName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'AwsAccountName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
]
},
'Actions': [
{
'Type': 'FINDING_FIELDS_UPDATE',
'FindingFieldsUpdate': {
'Note': {
'Text': 'string',
'UpdatedBy': 'string'
},
'Severity': {
'Normalized': 123,
'Product': 123.0,
'Label': 'INFORMATIONAL'|'LOW'|'MEDIUM'|'HIGH'|'CRITICAL'
},
'VerificationState': 'UNKNOWN'|'TRUE_POSITIVE'|'FALSE_POSITIVE'|'BENIGN_POSITIVE',
'Confidence': 123,
'Criticality': 123,
'Types': [
'string',
],
'UserDefinedFields': {
'string': 'string'
},
'Workflow': {
'Status': 'NEW'|'NOTIFIED'|'RESOLVED'|'SUPPRESSED'
},
'RelatedFindings': [
{
'ProductArn': 'string',
'Id': 'string'
},
]
}
},
],
'CreatedAt': datetime(2015, 1, 1),
'UpdatedAt': datetime(2015, 1, 1),
'CreatedBy': 'string'
},
],
'UnprocessedAutomationRules': [
{
'RuleArn': 'string',
'ErrorCode': 123,
'ErrorMessage': 'string'
},
]
}
Response Structure
(dict) --
Rules (list) --
A list of rule details for the provided rule ARNs.
(dict) --
Defines the configuration of an automation rule.
RuleArn (string) --
The Amazon Resource Name (ARN) of a rule.
RuleStatus (string) --
Whether the rule is active after it is created. If this parameter is equal to ENABLED , Security Hub starts applying the rule to findings and finding updates after the rule is created.
RuleOrder (integer) --
An integer ranging from 1 to 1000 that represents the order in which the rule action is applied to findings. Security Hub applies rules with lower values for this parameter first.
RuleName (string) --
The name of the rule.
Description (string) --
A description of the rule.
IsTerminal (boolean) --
Specifies whether a rule is the last to be applied with respect to a finding that matches the rule criteria. This is useful when a finding matches the criteria for multiple rules, and each rule has different actions. If a rule is terminal, Security Hub applies the rule action to a finding that matches the rule criteria and doesn't evaluate other rules for the finding. By default, a rule isn't terminal.
Criteria (dict) --
A set of Amazon Web Services Security Finding Format finding field attributes and corresponding expected values that Security Hub uses to filter findings. If a rule is enabled and a finding matches the conditions specified in this parameter, Security Hub applies the rule action to the finding.
ProductArn (list) --
The Amazon Resource Name (ARN) for a third-party product that generated a finding in Security Hub.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
AwsAccountId (list) --
The Amazon Web Services account ID in which a finding was generated.
Array Members: Minimum number of 1 item. Maximum number of 100 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
Id (list) --
The product-specific identifier for a finding.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
GeneratorId (list) --
The identifier for the solution-specific component that generated a finding.
Array Members: Minimum number of 1 item. Maximum number of 100 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
Type (list) --
One or more finding types in the format of namespace/category/classifier that classify a finding. For a list of namespaces, classifiers, and categories, see Types taxonomy for ASFF in the Security Hub User Guide .
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
FirstObservedAt (list) --
A timestamp that indicates when the potential security issue captured by a finding was first observed by the security findings product.
Uses the date-time format specified in RFC 3339 section 5.6, Internet Date/Time Format. The value cannot contain spaces. For example, 2020-03-22T13:22:13.933Z .
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A date filter for querying findings.
Start (string) --
A timestamp that provides the start date for the date filter.
A correctly formatted example is 2020-05-21T20:16:34.724Z . The value cannot contain spaces, and date and time should be separated by T . For more information, see RFC 3339 section 5.6, Internet Date/Time Format.
End (string) --
A timestamp that provides the end date for the date filter.
A correctly formatted example is 2020-05-21T20:16:34.724Z . The value cannot contain spaces, and date and time should be separated by T . For more information, see RFC 3339 section 5.6, Internet Date/Time Format.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
LastObservedAt (list) --
A timestamp that indicates when the potential security issue captured by a finding was most recently observed by the security findings product.
Uses the date-time format specified in RFC 3339 section 5.6, Internet Date/Time Format. The value cannot contain spaces. For example, 2020-03-22T13:22:13.933Z .
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A date filter for querying findings.
Start (string) --
A timestamp that provides the start date for the date filter.
A correctly formatted example is 2020-05-21T20:16:34.724Z . The value cannot contain spaces, and date and time should be separated by T . For more information, see RFC 3339 section 5.6, Internet Date/Time Format.
End (string) --
A timestamp that provides the end date for the date filter.
A correctly formatted example is 2020-05-21T20:16:34.724Z . The value cannot contain spaces, and date and time should be separated by T . For more information, see RFC 3339 section 5.6, Internet Date/Time Format.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
CreatedAt (list) --
A timestamp that indicates when this finding record was created.
Uses the date-time format specified in RFC 3339 section 5.6, Internet Date/Time Format. The value cannot contain spaces. For example, 2020-03-22T13:22:13.933Z .
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A date filter for querying findings.
Start (string) --
A timestamp that provides the start date for the date filter.
A correctly formatted example is 2020-05-21T20:16:34.724Z . The value cannot contain spaces, and date and time should be separated by T . For more information, see RFC 3339 section 5.6, Internet Date/Time Format.
End (string) --
A timestamp that provides the end date for the date filter.
A correctly formatted example is 2020-05-21T20:16:34.724Z . The value cannot contain spaces, and date and time should be separated by T . For more information, see RFC 3339 section 5.6, Internet Date/Time Format.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
UpdatedAt (list) --
A timestamp that indicates when the finding record was most recently updated.
Uses the date-time format specified in RFC 3339 section 5.6, Internet Date/Time Format. The value cannot contain spaces. For example, 2020-03-22T13:22:13.933Z .
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A date filter for querying findings.
Start (string) --
A timestamp that provides the start date for the date filter.
A correctly formatted example is 2020-05-21T20:16:34.724Z . The value cannot contain spaces, and date and time should be separated by T . For more information, see RFC 3339 section 5.6, Internet Date/Time Format.
End (string) --
A timestamp that provides the end date for the date filter.
A correctly formatted example is 2020-05-21T20:16:34.724Z . The value cannot contain spaces, and date and time should be separated by T . For more information, see RFC 3339 section 5.6, Internet Date/Time Format.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
Confidence (list) --
The likelihood that a finding accurately identifies the behavior or issue that it was intended to identify. Confidence is scored on a 0–100 basis using a ratio scale. A value of 0 means 0 percent confidence, and a value of 100 means 100 percent confidence. For example, a data exfiltration detection based on a statistical deviation of network traffic has low confidence because an actual exfiltration hasn't been verified. For more information, see Confidence in the Security Hub User Guide .
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A number filter for querying findings.
Gte (float) --
The greater-than-equal condition to be applied to a single field when querying for findings.
Lte (float) --
The less-than-equal condition to be applied to a single field when querying for findings.
Eq (float) --
The equal-to condition to be applied to a single field when querying for findings.
Gt (float) --
The greater-than condition to be applied to a single field when querying for findings.
Lt (float) --
The less-than condition to be applied to a single field when querying for findings.
Criticality (list) --
The level of importance that is assigned to the resources that are associated with a finding. Criticality is scored on a 0–100 basis, using a ratio scale that supports only full integers. A score of 0 means that the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources. For more information, see Criticality in the Security Hub User Guide .
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A number filter for querying findings.
Gte (float) --
The greater-than-equal condition to be applied to a single field when querying for findings.
Lte (float) --
The less-than-equal condition to be applied to a single field when querying for findings.
Eq (float) --
The equal-to condition to be applied to a single field when querying for findings.
Gt (float) --
The greater-than condition to be applied to a single field when querying for findings.
Lt (float) --
The less-than condition to be applied to a single field when querying for findings.
Title (list) --
A finding's title.
Array Members: Minimum number of 1 item. Maximum number of 100 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
Description (list) --
A finding's description.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
SourceUrl (list) --
Provides a URL that links to a page about the current finding in the finding product.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
ProductName (list) --
Provides the name of the product that generated the finding. For control-based findings, the product name is Security Hub.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
CompanyName (list) --
The name of the company for the product that generated the finding. For control-based findings, the company is Amazon Web Services.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
SeverityLabel (list) --
The severity value of the finding.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
ResourceType (list) --
The type of resource that the finding pertains to.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
ResourceId (list) --
The identifier for the given resource type. For Amazon Web Services resources that are identified by Amazon Resource Names (ARNs), this is the ARN. For Amazon Web Services resources that lack ARNs, this is the identifier as defined by the Amazon Web Service that created the resource. For non-Amazon Web Services resources, this is a unique identifier that is associated with the resource.
Array Members: Minimum number of 1 item. Maximum number of 100 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
ResourcePartition (list) --
The partition in which the resource that the finding pertains to is located. A partition is a group of Amazon Web Services Regions. Each Amazon Web Services account is scoped to one partition.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
ResourceRegion (list) --
The Amazon Web Services Region where the resource that a finding pertains to is located.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
ResourceTags (list) --
A list of Amazon Web Services tags associated with a resource at the time the finding was processed.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A map filter for filtering Security Hub findings. Each map filter provides the field to check for, the value to check for, and the comparison operator.
Key (string) --
The key of the map filter. For example, for ResourceTags , Key identifies the name of the tag. For UserDefinedFields , Key is the name of the field.
Value (string) --
The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called Department might be Security . If you provide security as the filter value, then there's no match.
Comparison (string) --
The condition to apply to the key value when filtering Security Hub findings with a map filter.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, for the ResourceTags field, the filter Department CONTAINS Security matches findings that include the value Security for the Department tag. In the same example, a finding with a value of Security team for the Department tag is a match.
To search for values that exactly match the filter value, use EQUALS . For example, for the ResourceTags field, the filter Department EQUALS Security matches findings that have the value Security for the Department tag.
CONTAINS and EQUALS filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Department CONTAINS Security OR Department CONTAINS Finance match a finding that includes either Security , Finance , or both values.
To search for values that don't have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, for the ResourceTags field, the filter Department NOT_CONTAINS Finance matches findings that exclude the value Finance for the Department tag.
To search for values other than the filter value, use NOT_EQUALS . For example, for the ResourceTags field, the filter Department NOT_EQUALS Finance matches findings that don’t have the value Finance for the Department tag.
NOT_CONTAINS and NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Department NOT_CONTAINS Security AND Department NOT_CONTAINS Finance match a finding that excludes both the Security and Finance values.
CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can’t have both an EQUALS filter and a NOT_EQUALS filter on the same field. Combining filters in this way returns an error.
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
ResourceDetailsOther (list) --
Custom fields and values about the resource that a finding pertains to.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A map filter for filtering Security Hub findings. Each map filter provides the field to check for, the value to check for, and the comparison operator.
Key (string) --
The key of the map filter. For example, for ResourceTags , Key identifies the name of the tag. For UserDefinedFields , Key is the name of the field.
Value (string) --
The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called Department might be Security . If you provide security as the filter value, then there's no match.
Comparison (string) --
The condition to apply to the key value when filtering Security Hub findings with a map filter.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, for the ResourceTags field, the filter Department CONTAINS Security matches findings that include the value Security for the Department tag. In the same example, a finding with a value of Security team for the Department tag is a match.
To search for values that exactly match the filter value, use EQUALS . For example, for the ResourceTags field, the filter Department EQUALS Security matches findings that have the value Security for the Department tag.
CONTAINS and EQUALS filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Department CONTAINS Security OR Department CONTAINS Finance match a finding that includes either Security , Finance , or both values.
To search for values that don't have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, for the ResourceTags field, the filter Department NOT_CONTAINS Finance matches findings that exclude the value Finance for the Department tag.
To search for values other than the filter value, use NOT_EQUALS . For example, for the ResourceTags field, the filter Department NOT_EQUALS Finance matches findings that don’t have the value Finance for the Department tag.
NOT_CONTAINS and NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Department NOT_CONTAINS Security AND Department NOT_CONTAINS Finance match a finding that excludes both the Security and Finance values.
CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can’t have both an EQUALS filter and a NOT_EQUALS filter on the same field. Combining filters in this way returns an error.
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
ComplianceStatus (list) --
The result of a security check. This field is only used for findings generated from controls.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
ComplianceSecurityControlId (list) --
The security control ID for which a finding was generated. Security control IDs are the same across standards.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
ComplianceAssociatedStandardsId (list) --
The unique identifier of a standard in which a control is enabled. This field consists of the resource portion of the Amazon Resource Name (ARN) returned for a standard in the DescribeStandards API response.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
VerificationState (list) --
Provides the veracity of a finding.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
WorkflowStatus (list) --
Provides information about the status of the investigation into a finding.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
RecordState (list) --
Provides the current state of a finding.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
RelatedFindingsProductArn (list) --
The ARN for the product that generated a related finding.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
RelatedFindingsId (list) --
The product-generated identifier for a related finding.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
NoteText (list) --
The text of a user-defined note that's added to a finding.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
NoteUpdatedAt (list) --
The timestamp of when the note was updated. Uses the date-time format specified in RFC 3339 section 5.6, Internet Date/Time Format. The value cannot contain spaces. For example, 2020-03-22T13:22:13.933Z .
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A date filter for querying findings.
Start (string) --
A timestamp that provides the start date for the date filter.
A correctly formatted example is 2020-05-21T20:16:34.724Z . The value cannot contain spaces, and date and time should be separated by T . For more information, see RFC 3339 section 5.6, Internet Date/Time Format.
End (string) --
A timestamp that provides the end date for the date filter.
A correctly formatted example is 2020-05-21T20:16:34.724Z . The value cannot contain spaces, and date and time should be separated by T . For more information, see RFC 3339 section 5.6, Internet Date/Time Format.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
NoteUpdatedBy (list) --
The principal that created a note.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
UserDefinedFields (list) --
A list of user-defined name and value string pairs added to a finding.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A map filter for filtering Security Hub findings. Each map filter provides the field to check for, the value to check for, and the comparison operator.
Key (string) --
The key of the map filter. For example, for ResourceTags , Key identifies the name of the tag. For UserDefinedFields , Key is the name of the field.
Value (string) --
The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called Department might be Security . If you provide security as the filter value, then there's no match.
Comparison (string) --
The condition to apply to the key value when filtering Security Hub findings with a map filter.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, for the ResourceTags field, the filter Department CONTAINS Security matches findings that include the value Security for the Department tag. In the same example, a finding with a value of Security team for the Department tag is a match.
To search for values that exactly match the filter value, use EQUALS . For example, for the ResourceTags field, the filter Department EQUALS Security matches findings that have the value Security for the Department tag.
CONTAINS and EQUALS filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Department CONTAINS Security OR Department CONTAINS Finance match a finding that includes either Security , Finance , or both values.
To search for values that don't have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, for the ResourceTags field, the filter Department NOT_CONTAINS Finance matches findings that exclude the value Finance for the Department tag.
To search for values other than the filter value, use NOT_EQUALS . For example, for the ResourceTags field, the filter Department NOT_EQUALS Finance matches findings that don’t have the value Finance for the Department tag.
NOT_CONTAINS and NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Department NOT_CONTAINS Security AND Department NOT_CONTAINS Finance match a finding that excludes both the Security and Finance values.
CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can’t have both an EQUALS filter and a NOT_EQUALS filter on the same field. Combining filters in this way returns an error.
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
ResourceApplicationArn (list) --
The Amazon Resource Name (ARN) of the application that is related to a finding.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
ResourceApplicationName (list) --
The name of the application that is related to a finding.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
AwsAccountName (list) --
The name of the Amazon Web Services account in which a finding was generated.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
Actions (list) --
One or more actions to update finding fields if a finding matches the defined criteria of the rule.
(dict) --
One or more actions to update finding fields if a finding matches the defined criteria of the rule.
Type (string) --
Specifies that the rule action should update the Types finding field. The Types finding field classifies findings in the format of namespace/category/classifier. For more information, see Types taxonomy for ASFF in the Security Hub User Guide .
FindingFieldsUpdate (dict) --
Specifies that the automation rule action is an update to a finding field.
Note (dict) --
The updated note.
Text (string) --
The updated note text.
UpdatedBy (string) --
The principal that updated the note.
Severity (dict) --
Updates to the severity information for a finding.
Normalized (integer) --
The normalized severity for the finding. This attribute is to be deprecated in favor of Label .
If you provide Normalized and do not provide Label , Label is set automatically as follows.
0 - INFORMATIONAL
1–39 - LOW
40–69 - MEDIUM
70–89 - HIGH
90–100 - CRITICAL
Product (float) --
The native severity as defined by the Amazon Web Services service or integrated partner product that generated the finding.
Label (string) --
The severity value of the finding. The allowed values are the following.
INFORMATIONAL - No issue was found.
LOW - The issue does not require action on its own.
MEDIUM - The issue must be addressed but not urgently.
HIGH - The issue must be addressed as a priority.
CRITICAL - The issue must be remediated immediately to avoid it escalating.
VerificationState (string) --
The rule action updates the VerificationState field of a finding.
Confidence (integer) --
The rule action updates the Confidence field of a finding.
Criticality (integer) --
The rule action updates the Criticality field of a finding.
Types (list) --
The rule action updates the Types field of a finding.
(string) --
UserDefinedFields (dict) --
The rule action updates the UserDefinedFields field of a finding.
(string) --
(string) --
Workflow (dict) --
Used to update information about the investigation into the finding.
Status (string) --
The status of the investigation into the finding. The workflow status is specific to an individual finding. It does not affect the generation of new findings. For example, setting the workflow status to SUPPRESSED or RESOLVED does not prevent a new finding for the same issue.
The allowed values are the following.
NEW - The initial state of a finding, before it is reviewed. Security Hub also resets WorkFlowStatus from NOTIFIED or RESOLVED to NEW in the following cases:
The record state changes from ARCHIVED to ACTIVE .
The compliance status changes from PASSED to either WARNING , FAILED , or NOT_AVAILABLE .
NOTIFIED - Indicates that you notified the resource owner about the security issue. Used when the initial reviewer is not the resource owner, and needs intervention from the resource owner.
RESOLVED - The finding was reviewed and remediated and is now considered resolved.
SUPPRESSED - Indicates that you reviewed the finding and do not believe that any action is needed. The finding is no longer updated.
RelatedFindings (list) --
The rule action updates the RelatedFindings field of a finding.
(dict) --
Details about a related finding.
ProductArn (string) --
The ARN of the product that generated a related finding.
Id (string) --
The product-generated identifier for a related finding.
CreatedAt (datetime) --
A timestamp that indicates when the rule was created.
Uses the date-time format specified in RFC 3339 section 5.6, Internet Date/Time Format. The value cannot contain spaces. For example, 2020-03-22T13:22:13.933Z .
UpdatedAt (datetime) --
A timestamp that indicates when the rule was most recently updated.
Uses the date-time format specified in RFC 3339 section 5.6, Internet Date/Time Format. The value cannot contain spaces. For example, 2020-03-22T13:22:13.933Z .
CreatedBy (string) --
The principal that created a rule.
UnprocessedAutomationRules (list) --
A list of objects containing RuleArn , ErrorCode , and ErrorMessage . This parameter tells you which automation rules the request didn't retrieve and why.
(dict) --
A list of objects containing RuleArn , ErrorCode , and ErrorMessage . This parameter tells you which automation rules the request didn't process and why.
RuleArn (string) --
The Amazon Resource Name (ARN) for the unprocessed automation rule.
ErrorCode (integer) --
The error code associated with the unprocessed automation rule.
ErrorMessage (string) --
An error message describing why a request didn't process a specific rule.
{'Findings': {'AwsAccountName': 'string',
'ProcessedAt': 'string',
'Resources': {'ApplicationArn': 'string',
'ApplicationName': 'string'}}}
Imports security findings generated by a finding provider into Security Hub. This action is requested by the finding provider to import its findings into Security Hub.
BatchImportFindings must be called by one of the following:
The Amazon Web Services account that is associated with a finding if you are using the default product ARN or are a partner sending findings from within a customer's Amazon Web Services account. In these cases, the identifier of the account that you are calling BatchImportFindings from needs to be the same as the AwsAccountId attribute for the finding.
An Amazon Web Services account that Security Hub has allow-listed for an official partner integration. In this case, you can call BatchImportFindings from the allow-listed account and send findings from different customer accounts in the same batch.
The maximum allowed size for a finding is 240 Kb. An error is returned for any finding larger than 240 Kb.
After a finding is created, BatchImportFindings cannot be used to update the following finding fields and objects, which Security Hub customers use to manage their investigation workflow.
Note
UserDefinedFields
VerificationState
Workflow
Finding providers also should not use BatchImportFindings to update the following attributes.
Confidence
Criticality
RelatedFindings
Severity
Types
Instead, finding providers use FindingProviderFields to provide values for these attributes.
See also: AWS API Documentation
Request Syntax
# This section is too large to render. # Please see the AWS API Documentation linked below.Parameters
# This section is too large to render. # Please see the AWS API Documentation linked below.
dict
Response Syntax
{
'FailedCount': 123,
'SuccessCount': 123,
'FailedFindings': [
{
'Id': 'string',
'ErrorCode': 'string',
'ErrorMessage': 'string'
},
]
}
Response Structure
(dict) --
FailedCount (integer) --
The number of findings that failed to import.
SuccessCount (integer) --
The number of findings that were successfully imported.
FailedFindings (list) --
The list of findings that failed to import.
(dict) --
The list of the findings that cannot be imported. For each finding, the list provides the error.
Id (string) --
The identifier of the finding that could not be updated.
ErrorCode (string) --
The code of the error returned by the BatchImportFindings operation.
ErrorMessage (string) --
The message of the error returned by the BatchImportFindings operation.
{'UpdateAutomationRulesRequestItems': {'Criteria': {'AwsAccountName': [{'Comparison': 'EQUALS '
'| '
'PREFIX '
'| '
'NOT_EQUALS '
'| '
'PREFIX_NOT_EQUALS '
'| '
'CONTAINS '
'| '
'NOT_CONTAINS',
'Value': 'string'}],
'ResourceApplicationArn': [{'Comparison': 'EQUALS '
'| '
'PREFIX '
'| '
'NOT_EQUALS '
'| '
'PREFIX_NOT_EQUALS '
'| '
'CONTAINS '
'| '
'NOT_CONTAINS',
'Value': 'string'}],
'ResourceApplicationName': [{'Comparison': 'EQUALS '
'| '
'PREFIX '
'| '
'NOT_EQUALS '
'| '
'PREFIX_NOT_EQUALS '
'| '
'CONTAINS '
'| '
'NOT_CONTAINS',
'Value': 'string'}]}}}
Updates one or more automation rules based on rule Amazon Resource Names (ARNs) and input parameters.
See also: AWS API Documentation
Request Syntax
client.batch_update_automation_rules(
UpdateAutomationRulesRequestItems=[
{
'RuleArn': 'string',
'RuleStatus': 'ENABLED'|'DISABLED',
'RuleOrder': 123,
'Description': 'string',
'RuleName': 'string',
'IsTerminal': True|False,
'Criteria': {
'ProductArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'AwsAccountId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'Id': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'GeneratorId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'Type': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'FirstObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'LastObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'CreatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'UpdatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'Confidence': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'Criticality': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'Title': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'Description': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'SourceUrl': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ProductName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'CompanyName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'SeverityLabel': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourcePartition': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceRegion': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceTags': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceDetailsOther': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ComplianceStatus': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ComplianceSecurityControlId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ComplianceAssociatedStandardsId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'VerificationState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'WorkflowStatus': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'RecordState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'RelatedFindingsProductArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'RelatedFindingsId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'NoteText': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'NoteUpdatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'NoteUpdatedBy': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'UserDefinedFields': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceApplicationArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceApplicationName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'AwsAccountName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
]
},
'Actions': [
{
'Type': 'FINDING_FIELDS_UPDATE',
'FindingFieldsUpdate': {
'Note': {
'Text': 'string',
'UpdatedBy': 'string'
},
'Severity': {
'Normalized': 123,
'Product': 123.0,
'Label': 'INFORMATIONAL'|'LOW'|'MEDIUM'|'HIGH'|'CRITICAL'
},
'VerificationState': 'UNKNOWN'|'TRUE_POSITIVE'|'FALSE_POSITIVE'|'BENIGN_POSITIVE',
'Confidence': 123,
'Criticality': 123,
'Types': [
'string',
],
'UserDefinedFields': {
'string': 'string'
},
'Workflow': {
'Status': 'NEW'|'NOTIFIED'|'RESOLVED'|'SUPPRESSED'
},
'RelatedFindings': [
{
'ProductArn': 'string',
'Id': 'string'
},
]
}
},
]
},
]
)
list
[REQUIRED]
An array of ARNs for the rules that are to be updated. Optionally, you can also include RuleStatus and RuleOrder .
(dict) --
Specifies the parameters to update in an existing automation rule.
RuleArn (string) -- [REQUIRED]
The Amazon Resource Name (ARN) for the rule.
RuleStatus (string) --
Whether the rule is active after it is created. If this parameter is equal to ENABLED , Security Hub starts applying the rule to findings and finding updates after the rule is created. To change the value of this parameter after creating a rule, use BatchUpdateAutomationRules.
RuleOrder (integer) --
An integer ranging from 1 to 1000 that represents the order in which the rule action is applied to findings. Security Hub applies rules with lower values for this parameter first.
Description (string) --
A description of the rule.
RuleName (string) --
The name of the rule.
IsTerminal (boolean) --
Specifies whether a rule is the last to be applied with respect to a finding that matches the rule criteria. This is useful when a finding matches the criteria for multiple rules, and each rule has different actions. If a rule is terminal, Security Hub applies the rule action to a finding that matches the rule criteria and doesn't evaluate other rules for the finding. By default, a rule isn't terminal.
Criteria (dict) --
A set of ASFF finding field attributes and corresponding expected values that Security Hub uses to filter findings. If a rule is enabled and a finding matches the conditions specified in this parameter, Security Hub applies the rule action to the finding.
ProductArn (list) --
The Amazon Resource Name (ARN) for a third-party product that generated a finding in Security Hub.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
AwsAccountId (list) --
The Amazon Web Services account ID in which a finding was generated.
Array Members: Minimum number of 1 item. Maximum number of 100 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
Id (list) --
The product-specific identifier for a finding.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
GeneratorId (list) --
The identifier for the solution-specific component that generated a finding.
Array Members: Minimum number of 1 item. Maximum number of 100 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
Type (list) --
One or more finding types in the format of namespace/category/classifier that classify a finding. For a list of namespaces, classifiers, and categories, see Types taxonomy for ASFF in the Security Hub User Guide .
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
FirstObservedAt (list) --
A timestamp that indicates when the potential security issue captured by a finding was first observed by the security findings product.
Uses the date-time format specified in RFC 3339 section 5.6, Internet Date/Time Format. The value cannot contain spaces. For example, 2020-03-22T13:22:13.933Z .
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A date filter for querying findings.
Start (string) --
A timestamp that provides the start date for the date filter.
A correctly formatted example is 2020-05-21T20:16:34.724Z . The value cannot contain spaces, and date and time should be separated by T . For more information, see RFC 3339 section 5.6, Internet Date/Time Format.
End (string) --
A timestamp that provides the end date for the date filter.
A correctly formatted example is 2020-05-21T20:16:34.724Z . The value cannot contain spaces, and date and time should be separated by T . For more information, see RFC 3339 section 5.6, Internet Date/Time Format.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
LastObservedAt (list) --
A timestamp that indicates when the potential security issue captured by a finding was most recently observed by the security findings product.
Uses the date-time format specified in RFC 3339 section 5.6, Internet Date/Time Format. The value cannot contain spaces. For example, 2020-03-22T13:22:13.933Z .
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A date filter for querying findings.
Start (string) --
A timestamp that provides the start date for the date filter.
A correctly formatted example is 2020-05-21T20:16:34.724Z . The value cannot contain spaces, and date and time should be separated by T . For more information, see RFC 3339 section 5.6, Internet Date/Time Format.
End (string) --
A timestamp that provides the end date for the date filter.
A correctly formatted example is 2020-05-21T20:16:34.724Z . The value cannot contain spaces, and date and time should be separated by T . For more information, see RFC 3339 section 5.6, Internet Date/Time Format.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
CreatedAt (list) --
A timestamp that indicates when this finding record was created.
Uses the date-time format specified in RFC 3339 section 5.6, Internet Date/Time Format. The value cannot contain spaces. For example, 2020-03-22T13:22:13.933Z .
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A date filter for querying findings.
Start (string) --
A timestamp that provides the start date for the date filter.
A correctly formatted example is 2020-05-21T20:16:34.724Z . The value cannot contain spaces, and date and time should be separated by T . For more information, see RFC 3339 section 5.6, Internet Date/Time Format.
End (string) --
A timestamp that provides the end date for the date filter.
A correctly formatted example is 2020-05-21T20:16:34.724Z . The value cannot contain spaces, and date and time should be separated by T . For more information, see RFC 3339 section 5.6, Internet Date/Time Format.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
UpdatedAt (list) --
A timestamp that indicates when the finding record was most recently updated.
Uses the date-time format specified in RFC 3339 section 5.6, Internet Date/Time Format. The value cannot contain spaces. For example, 2020-03-22T13:22:13.933Z .
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A date filter for querying findings.
Start (string) --
A timestamp that provides the start date for the date filter.
A correctly formatted example is 2020-05-21T20:16:34.724Z . The value cannot contain spaces, and date and time should be separated by T . For more information, see RFC 3339 section 5.6, Internet Date/Time Format.
End (string) --
A timestamp that provides the end date for the date filter.
A correctly formatted example is 2020-05-21T20:16:34.724Z . The value cannot contain spaces, and date and time should be separated by T . For more information, see RFC 3339 section 5.6, Internet Date/Time Format.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
Confidence (list) --
The likelihood that a finding accurately identifies the behavior or issue that it was intended to identify. Confidence is scored on a 0–100 basis using a ratio scale. A value of 0 means 0 percent confidence, and a value of 100 means 100 percent confidence. For example, a data exfiltration detection based on a statistical deviation of network traffic has low confidence because an actual exfiltration hasn't been verified. For more information, see Confidence in the Security Hub User Guide .
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A number filter for querying findings.
Gte (float) --
The greater-than-equal condition to be applied to a single field when querying for findings.
Lte (float) --
The less-than-equal condition to be applied to a single field when querying for findings.
Eq (float) --
The equal-to condition to be applied to a single field when querying for findings.
Gt (float) --
The greater-than condition to be applied to a single field when querying for findings.
Lt (float) --
The less-than condition to be applied to a single field when querying for findings.
Criticality (list) --
The level of importance that is assigned to the resources that are associated with a finding. Criticality is scored on a 0–100 basis, using a ratio scale that supports only full integers. A score of 0 means that the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources. For more information, see Criticality in the Security Hub User Guide .
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A number filter for querying findings.
Gte (float) --
The greater-than-equal condition to be applied to a single field when querying for findings.
Lte (float) --
The less-than-equal condition to be applied to a single field when querying for findings.
Eq (float) --
The equal-to condition to be applied to a single field when querying for findings.
Gt (float) --
The greater-than condition to be applied to a single field when querying for findings.
Lt (float) --
The less-than condition to be applied to a single field when querying for findings.
Title (list) --
A finding's title.
Array Members: Minimum number of 1 item. Maximum number of 100 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
Description (list) --
A finding's description.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
SourceUrl (list) --
Provides a URL that links to a page about the current finding in the finding product.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
ProductName (list) --
Provides the name of the product that generated the finding. For control-based findings, the product name is Security Hub.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
CompanyName (list) --
The name of the company for the product that generated the finding. For control-based findings, the company is Amazon Web Services.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
SeverityLabel (list) --
The severity value of the finding.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
ResourceType (list) --
The type of resource that the finding pertains to.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
ResourceId (list) --
The identifier for the given resource type. For Amazon Web Services resources that are identified by Amazon Resource Names (ARNs), this is the ARN. For Amazon Web Services resources that lack ARNs, this is the identifier as defined by the Amazon Web Service that created the resource. For non-Amazon Web Services resources, this is a unique identifier that is associated with the resource.
Array Members: Minimum number of 1 item. Maximum number of 100 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
ResourcePartition (list) --
The partition in which the resource that the finding pertains to is located. A partition is a group of Amazon Web Services Regions. Each Amazon Web Services account is scoped to one partition.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
ResourceRegion (list) --
The Amazon Web Services Region where the resource that a finding pertains to is located.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
ResourceTags (list) --
A list of Amazon Web Services tags associated with a resource at the time the finding was processed.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A map filter for filtering Security Hub findings. Each map filter provides the field to check for, the value to check for, and the comparison operator.
Key (string) --
The key of the map filter. For example, for ResourceTags , Key identifies the name of the tag. For UserDefinedFields , Key is the name of the field.
Value (string) --
The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called Department might be Security . If you provide security as the filter value, then there's no match.
Comparison (string) --
The condition to apply to the key value when filtering Security Hub findings with a map filter.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, for the ResourceTags field, the filter Department CONTAINS Security matches findings that include the value Security for the Department tag. In the same example, a finding with a value of Security team for the Department tag is a match.
To search for values that exactly match the filter value, use EQUALS . For example, for the ResourceTags field, the filter Department EQUALS Security matches findings that have the value Security for the Department tag.
CONTAINS and EQUALS filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Department CONTAINS Security OR Department CONTAINS Finance match a finding that includes either Security , Finance , or both values.
To search for values that don't have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, for the ResourceTags field, the filter Department NOT_CONTAINS Finance matches findings that exclude the value Finance for the Department tag.
To search for values other than the filter value, use NOT_EQUALS . For example, for the ResourceTags field, the filter Department NOT_EQUALS Finance matches findings that don’t have the value Finance for the Department tag.
NOT_CONTAINS and NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Department NOT_CONTAINS Security AND Department NOT_CONTAINS Finance match a finding that excludes both the Security and Finance values.
CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can’t have both an EQUALS filter and a NOT_EQUALS filter on the same field. Combining filters in this way returns an error.
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
ResourceDetailsOther (list) --
Custom fields and values about the resource that a finding pertains to.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A map filter for filtering Security Hub findings. Each map filter provides the field to check for, the value to check for, and the comparison operator.
Key (string) --
The key of the map filter. For example, for ResourceTags , Key identifies the name of the tag. For UserDefinedFields , Key is the name of the field.
Value (string) --
The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called Department might be Security . If you provide security as the filter value, then there's no match.
Comparison (string) --
The condition to apply to the key value when filtering Security Hub findings with a map filter.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, for the ResourceTags field, the filter Department CONTAINS Security matches findings that include the value Security for the Department tag. In the same example, a finding with a value of Security team for the Department tag is a match.
To search for values that exactly match the filter value, use EQUALS . For example, for the ResourceTags field, the filter Department EQUALS Security matches findings that have the value Security for the Department tag.
CONTAINS and EQUALS filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Department CONTAINS Security OR Department CONTAINS Finance match a finding that includes either Security , Finance , or both values.
To search for values that don't have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, for the ResourceTags field, the filter Department NOT_CONTAINS Finance matches findings that exclude the value Finance for the Department tag.
To search for values other than the filter value, use NOT_EQUALS . For example, for the ResourceTags field, the filter Department NOT_EQUALS Finance matches findings that don’t have the value Finance for the Department tag.
NOT_CONTAINS and NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Department NOT_CONTAINS Security AND Department NOT_CONTAINS Finance match a finding that excludes both the Security and Finance values.
CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can’t have both an EQUALS filter and a NOT_EQUALS filter on the same field. Combining filters in this way returns an error.
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
ComplianceStatus (list) --
The result of a security check. This field is only used for findings generated from controls.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
ComplianceSecurityControlId (list) --
The security control ID for which a finding was generated. Security control IDs are the same across standards.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
ComplianceAssociatedStandardsId (list) --
The unique identifier of a standard in which a control is enabled. This field consists of the resource portion of the Amazon Resource Name (ARN) returned for a standard in the DescribeStandards API response.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
VerificationState (list) --
Provides the veracity of a finding.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
WorkflowStatus (list) --
Provides information about the status of the investigation into a finding.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
RecordState (list) --
Provides the current state of a finding.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
RelatedFindingsProductArn (list) --
The ARN for the product that generated a related finding.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
RelatedFindingsId (list) --
The product-generated identifier for a related finding.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
NoteText (list) --
The text of a user-defined note that's added to a finding.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
NoteUpdatedAt (list) --
The timestamp of when the note was updated. Uses the date-time format specified in RFC 3339 section 5.6, Internet Date/Time Format. The value cannot contain spaces. For example, 2020-03-22T13:22:13.933Z .
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A date filter for querying findings.
Start (string) --
A timestamp that provides the start date for the date filter.
A correctly formatted example is 2020-05-21T20:16:34.724Z . The value cannot contain spaces, and date and time should be separated by T . For more information, see RFC 3339 section 5.6, Internet Date/Time Format.
End (string) --
A timestamp that provides the end date for the date filter.
A correctly formatted example is 2020-05-21T20:16:34.724Z . The value cannot contain spaces, and date and time should be separated by T . For more information, see RFC 3339 section 5.6, Internet Date/Time Format.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
NoteUpdatedBy (list) --
The principal that created a note.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
UserDefinedFields (list) --
A list of user-defined name and value string pairs added to a finding.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A map filter for filtering Security Hub findings. Each map filter provides the field to check for, the value to check for, and the comparison operator.
Key (string) --
The key of the map filter. For example, for ResourceTags , Key identifies the name of the tag. For UserDefinedFields , Key is the name of the field.
Value (string) --
The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called Department might be Security . If you provide security as the filter value, then there's no match.
Comparison (string) --
The condition to apply to the key value when filtering Security Hub findings with a map filter.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, for the ResourceTags field, the filter Department CONTAINS Security matches findings that include the value Security for the Department tag. In the same example, a finding with a value of Security team for the Department tag is a match.
To search for values that exactly match the filter value, use EQUALS . For example, for the ResourceTags field, the filter Department EQUALS Security matches findings that have the value Security for the Department tag.
CONTAINS and EQUALS filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Department CONTAINS Security OR Department CONTAINS Finance match a finding that includes either Security , Finance , or both values.
To search for values that don't have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, for the ResourceTags field, the filter Department NOT_CONTAINS Finance matches findings that exclude the value Finance for the Department tag.
To search for values other than the filter value, use NOT_EQUALS . For example, for the ResourceTags field, the filter Department NOT_EQUALS Finance matches findings that don’t have the value Finance for the Department tag.
NOT_CONTAINS and NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Department NOT_CONTAINS Security AND Department NOT_CONTAINS Finance match a finding that excludes both the Security and Finance values.
CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can’t have both an EQUALS filter and a NOT_EQUALS filter on the same field. Combining filters in this way returns an error.
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
ResourceApplicationArn (list) --
The Amazon Resource Name (ARN) of the application that is related to a finding.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
ResourceApplicationName (list) --
The name of the application that is related to a finding.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
AwsAccountName (list) --
The name of the Amazon Web Services account in which a finding was generated.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
Actions (list) --
One or more actions to update finding fields if a finding matches the conditions specified in Criteria .
(dict) --
One or more actions to update finding fields if a finding matches the defined criteria of the rule.
Type (string) --
Specifies that the rule action should update the Types finding field. The Types finding field classifies findings in the format of namespace/category/classifier. For more information, see Types taxonomy for ASFF in the Security Hub User Guide .
FindingFieldsUpdate (dict) --
Specifies that the automation rule action is an update to a finding field.
Note (dict) --
The updated note.
Text (string) -- [REQUIRED]
The updated note text.
UpdatedBy (string) -- [REQUIRED]
The principal that updated the note.
Severity (dict) --
Updates to the severity information for a finding.
Normalized (integer) --
The normalized severity for the finding. This attribute is to be deprecated in favor of Label .
If you provide Normalized and do not provide Label , Label is set automatically as follows.
0 - INFORMATIONAL
1–39 - LOW
40–69 - MEDIUM
70–89 - HIGH
90–100 - CRITICAL
Product (float) --
The native severity as defined by the Amazon Web Services service or integrated partner product that generated the finding.
Label (string) --
The severity value of the finding. The allowed values are the following.
INFORMATIONAL - No issue was found.
LOW - The issue does not require action on its own.
MEDIUM - The issue must be addressed but not urgently.
HIGH - The issue must be addressed as a priority.
CRITICAL - The issue must be remediated immediately to avoid it escalating.
VerificationState (string) --
The rule action updates the VerificationState field of a finding.
Confidence (integer) --
The rule action updates the Confidence field of a finding.
Criticality (integer) --
The rule action updates the Criticality field of a finding.
Types (list) --
The rule action updates the Types field of a finding.
(string) --
UserDefinedFields (dict) --
The rule action updates the UserDefinedFields field of a finding.
(string) --
(string) --
Workflow (dict) --
Used to update information about the investigation into the finding.
Status (string) --
The status of the investigation into the finding. The workflow status is specific to an individual finding. It does not affect the generation of new findings. For example, setting the workflow status to SUPPRESSED or RESOLVED does not prevent a new finding for the same issue.
The allowed values are the following.
NEW - The initial state of a finding, before it is reviewed. Security Hub also resets WorkFlowStatus from NOTIFIED or RESOLVED to NEW in the following cases:
The record state changes from ARCHIVED to ACTIVE .
The compliance status changes from PASSED to either WARNING , FAILED , or NOT_AVAILABLE .
NOTIFIED - Indicates that you notified the resource owner about the security issue. Used when the initial reviewer is not the resource owner, and needs intervention from the resource owner.
RESOLVED - The finding was reviewed and remediated and is now considered resolved.
SUPPRESSED - Indicates that you reviewed the finding and do not believe that any action is needed. The finding is no longer updated.
RelatedFindings (list) --
The rule action updates the RelatedFindings field of a finding.
(dict) --
Details about a related finding.
ProductArn (string) -- [REQUIRED]
The ARN of the product that generated a related finding.
Id (string) -- [REQUIRED]
The product-generated identifier for a related finding.
dict
Response Syntax
{
'ProcessedAutomationRules': [
'string',
],
'UnprocessedAutomationRules': [
{
'RuleArn': 'string',
'ErrorCode': 123,
'ErrorMessage': 'string'
},
]
}
Response Structure
(dict) --
ProcessedAutomationRules (list) --
A list of properly processed rule ARNs.
(string) --
UnprocessedAutomationRules (list) --
A list of objects containing RuleArn , ErrorCode , and ErrorMessage . This parameter tells you which automation rules the request didn't update and why.
(dict) --
A list of objects containing RuleArn , ErrorCode , and ErrorMessage . This parameter tells you which automation rules the request didn't process and why.
RuleArn (string) --
The Amazon Resource Name (ARN) for the unprocessed automation rule.
ErrorCode (integer) --
The error code associated with the unprocessed automation rule.
ErrorMessage (string) --
An error message describing why a request didn't process a specific rule.
{'Criteria': {'AwsAccountName': [{'Comparison': 'EQUALS | PREFIX | NOT_EQUALS '
'| PREFIX_NOT_EQUALS | '
'CONTAINS | NOT_CONTAINS',
'Value': 'string'}],
'ResourceApplicationArn': [{'Comparison': 'EQUALS | PREFIX | '
'NOT_EQUALS | '
'PREFIX_NOT_EQUALS | '
'CONTAINS | '
'NOT_CONTAINS',
'Value': 'string'}],
'ResourceApplicationName': [{'Comparison': 'EQUALS | PREFIX | '
'NOT_EQUALS | '
'PREFIX_NOT_EQUALS | '
'CONTAINS | '
'NOT_CONTAINS',
'Value': 'string'}]}}
Creates an automation rule based on input parameters.
See also: AWS API Documentation
Request Syntax
client.create_automation_rule(
Tags={
'string': 'string'
},
RuleStatus='ENABLED'|'DISABLED',
RuleOrder=123,
RuleName='string',
Description='string',
IsTerminal=True|False,
Criteria={
'ProductArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'AwsAccountId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'Id': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'GeneratorId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'Type': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'FirstObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'LastObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'CreatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'UpdatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'Confidence': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'Criticality': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'Title': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'Description': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'SourceUrl': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ProductName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'CompanyName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'SeverityLabel': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourcePartition': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceRegion': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceTags': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceDetailsOther': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ComplianceStatus': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ComplianceSecurityControlId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ComplianceAssociatedStandardsId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'VerificationState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'WorkflowStatus': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'RecordState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'RelatedFindingsProductArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'RelatedFindingsId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'NoteText': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'NoteUpdatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'NoteUpdatedBy': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'UserDefinedFields': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceApplicationArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceApplicationName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'AwsAccountName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
]
},
Actions=[
{
'Type': 'FINDING_FIELDS_UPDATE',
'FindingFieldsUpdate': {
'Note': {
'Text': 'string',
'UpdatedBy': 'string'
},
'Severity': {
'Normalized': 123,
'Product': 123.0,
'Label': 'INFORMATIONAL'|'LOW'|'MEDIUM'|'HIGH'|'CRITICAL'
},
'VerificationState': 'UNKNOWN'|'TRUE_POSITIVE'|'FALSE_POSITIVE'|'BENIGN_POSITIVE',
'Confidence': 123,
'Criticality': 123,
'Types': [
'string',
],
'UserDefinedFields': {
'string': 'string'
},
'Workflow': {
'Status': 'NEW'|'NOTIFIED'|'RESOLVED'|'SUPPRESSED'
},
'RelatedFindings': [
{
'ProductArn': 'string',
'Id': 'string'
},
]
}
},
]
)
dict
User-defined tags associated with an automation rule.
(string) --
(string) --
string
Whether the rule is active after it is created. If this parameter is equal to ENABLED , Security Hub starts applying the rule to findings and finding updates after the rule is created. To change the value of this parameter after creating a rule, use BatchUpdateAutomationRules.
integer
[REQUIRED]
An integer ranging from 1 to 1000 that represents the order in which the rule action is applied to findings. Security Hub applies rules with lower values for this parameter first.
string
[REQUIRED]
The name of the rule.
string
[REQUIRED]
A description of the rule.
boolean
Specifies whether a rule is the last to be applied with respect to a finding that matches the rule criteria. This is useful when a finding matches the criteria for multiple rules, and each rule has different actions. If a rule is terminal, Security Hub applies the rule action to a finding that matches the rule criteria and doesn't evaluate other rules for the finding. By default, a rule isn't terminal.
dict
[REQUIRED]
A set of ASFF finding field attributes and corresponding expected values that Security Hub uses to filter findings. If a rule is enabled and a finding matches the conditions specified in this parameter, Security Hub applies the rule action to the finding.
ProductArn (list) --
The Amazon Resource Name (ARN) for a third-party product that generated a finding in Security Hub.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
AwsAccountId (list) --
The Amazon Web Services account ID in which a finding was generated.
Array Members: Minimum number of 1 item. Maximum number of 100 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
Id (list) --
The product-specific identifier for a finding.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
GeneratorId (list) --
The identifier for the solution-specific component that generated a finding.
Array Members: Minimum number of 1 item. Maximum number of 100 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
Type (list) --
One or more finding types in the format of namespace/category/classifier that classify a finding. For a list of namespaces, classifiers, and categories, see Types taxonomy for ASFF in the Security Hub User Guide .
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
FirstObservedAt (list) --
A timestamp that indicates when the potential security issue captured by a finding was first observed by the security findings product.
Uses the date-time format specified in RFC 3339 section 5.6, Internet Date/Time Format. The value cannot contain spaces. For example, 2020-03-22T13:22:13.933Z .
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A date filter for querying findings.
Start (string) --
A timestamp that provides the start date for the date filter.
A correctly formatted example is 2020-05-21T20:16:34.724Z . The value cannot contain spaces, and date and time should be separated by T . For more information, see RFC 3339 section 5.6, Internet Date/Time Format.
End (string) --
A timestamp that provides the end date for the date filter.
A correctly formatted example is 2020-05-21T20:16:34.724Z . The value cannot contain spaces, and date and time should be separated by T . For more information, see RFC 3339 section 5.6, Internet Date/Time Format.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
LastObservedAt (list) --
A timestamp that indicates when the potential security issue captured by a finding was most recently observed by the security findings product.
Uses the date-time format specified in RFC 3339 section 5.6, Internet Date/Time Format. The value cannot contain spaces. For example, 2020-03-22T13:22:13.933Z .
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A date filter for querying findings.
Start (string) --
A timestamp that provides the start date for the date filter.
A correctly formatted example is 2020-05-21T20:16:34.724Z . The value cannot contain spaces, and date and time should be separated by T . For more information, see RFC 3339 section 5.6, Internet Date/Time Format.
End (string) --
A timestamp that provides the end date for the date filter.
A correctly formatted example is 2020-05-21T20:16:34.724Z . The value cannot contain spaces, and date and time should be separated by T . For more information, see RFC 3339 section 5.6, Internet Date/Time Format.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
CreatedAt (list) --
A timestamp that indicates when this finding record was created.
Uses the date-time format specified in RFC 3339 section 5.6, Internet Date/Time Format. The value cannot contain spaces. For example, 2020-03-22T13:22:13.933Z .
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A date filter for querying findings.
Start (string) --
A timestamp that provides the start date for the date filter.
A correctly formatted example is 2020-05-21T20:16:34.724Z . The value cannot contain spaces, and date and time should be separated by T . For more information, see RFC 3339 section 5.6, Internet Date/Time Format.
End (string) --
A timestamp that provides the end date for the date filter.
A correctly formatted example is 2020-05-21T20:16:34.724Z . The value cannot contain spaces, and date and time should be separated by T . For more information, see RFC 3339 section 5.6, Internet Date/Time Format.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
UpdatedAt (list) --
A timestamp that indicates when the finding record was most recently updated.
Uses the date-time format specified in RFC 3339 section 5.6, Internet Date/Time Format. The value cannot contain spaces. For example, 2020-03-22T13:22:13.933Z .
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A date filter for querying findings.
Start (string) --
A timestamp that provides the start date for the date filter.
A correctly formatted example is 2020-05-21T20:16:34.724Z . The value cannot contain spaces, and date and time should be separated by T . For more information, see RFC 3339 section 5.6, Internet Date/Time Format.
End (string) --
A timestamp that provides the end date for the date filter.
A correctly formatted example is 2020-05-21T20:16:34.724Z . The value cannot contain spaces, and date and time should be separated by T . For more information, see RFC 3339 section 5.6, Internet Date/Time Format.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
Confidence (list) --
The likelihood that a finding accurately identifies the behavior or issue that it was intended to identify. Confidence is scored on a 0–100 basis using a ratio scale. A value of 0 means 0 percent confidence, and a value of 100 means 100 percent confidence. For example, a data exfiltration detection based on a statistical deviation of network traffic has low confidence because an actual exfiltration hasn't been verified. For more information, see Confidence in the Security Hub User Guide .
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A number filter for querying findings.
Gte (float) --
The greater-than-equal condition to be applied to a single field when querying for findings.
Lte (float) --
The less-than-equal condition to be applied to a single field when querying for findings.
Eq (float) --
The equal-to condition to be applied to a single field when querying for findings.
Gt (float) --
The greater-than condition to be applied to a single field when querying for findings.
Lt (float) --
The less-than condition to be applied to a single field when querying for findings.
Criticality (list) --
The level of importance that is assigned to the resources that are associated with a finding. Criticality is scored on a 0–100 basis, using a ratio scale that supports only full integers. A score of 0 means that the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources. For more information, see Criticality in the Security Hub User Guide .
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A number filter for querying findings.
Gte (float) --
The greater-than-equal condition to be applied to a single field when querying for findings.
Lte (float) --
The less-than-equal condition to be applied to a single field when querying for findings.
Eq (float) --
The equal-to condition to be applied to a single field when querying for findings.
Gt (float) --
The greater-than condition to be applied to a single field when querying for findings.
Lt (float) --
The less-than condition to be applied to a single field when querying for findings.
Title (list) --
A finding's title.
Array Members: Minimum number of 1 item. Maximum number of 100 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
Description (list) --
A finding's description.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
SourceUrl (list) --
Provides a URL that links to a page about the current finding in the finding product.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
ProductName (list) --
Provides the name of the product that generated the finding. For control-based findings, the product name is Security Hub.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
CompanyName (list) --
The name of the company for the product that generated the finding. For control-based findings, the company is Amazon Web Services.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
SeverityLabel (list) --
The severity value of the finding.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
ResourceType (list) --
The type of resource that the finding pertains to.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
ResourceId (list) --
The identifier for the given resource type. For Amazon Web Services resources that are identified by Amazon Resource Names (ARNs), this is the ARN. For Amazon Web Services resources that lack ARNs, this is the identifier as defined by the Amazon Web Service that created the resource. For non-Amazon Web Services resources, this is a unique identifier that is associated with the resource.
Array Members: Minimum number of 1 item. Maximum number of 100 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
ResourcePartition (list) --
The partition in which the resource that the finding pertains to is located. A partition is a group of Amazon Web Services Regions. Each Amazon Web Services account is scoped to one partition.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
ResourceRegion (list) --
The Amazon Web Services Region where the resource that a finding pertains to is located.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
ResourceTags (list) --
A list of Amazon Web Services tags associated with a resource at the time the finding was processed.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A map filter for filtering Security Hub findings. Each map filter provides the field to check for, the value to check for, and the comparison operator.
Key (string) --
The key of the map filter. For example, for ResourceTags , Key identifies the name of the tag. For UserDefinedFields , Key is the name of the field.
Value (string) --
The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called Department might be Security . If you provide security as the filter value, then there's no match.
Comparison (string) --
The condition to apply to the key value when filtering Security Hub findings with a map filter.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, for the ResourceTags field, the filter Department CONTAINS Security matches findings that include the value Security for the Department tag. In the same example, a finding with a value of Security team for the Department tag is a match.
To search for values that exactly match the filter value, use EQUALS . For example, for the ResourceTags field, the filter Department EQUALS Security matches findings that have the value Security for the Department tag.
CONTAINS and EQUALS filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Department CONTAINS Security OR Department CONTAINS Finance match a finding that includes either Security , Finance , or both values.
To search for values that don't have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, for the ResourceTags field, the filter Department NOT_CONTAINS Finance matches findings that exclude the value Finance for the Department tag.
To search for values other than the filter value, use NOT_EQUALS . For example, for the ResourceTags field, the filter Department NOT_EQUALS Finance matches findings that don’t have the value Finance for the Department tag.
NOT_CONTAINS and NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Department NOT_CONTAINS Security AND Department NOT_CONTAINS Finance match a finding that excludes both the Security and Finance values.
CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can’t have both an EQUALS filter and a NOT_EQUALS filter on the same field. Combining filters in this way returns an error.
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
ResourceDetailsOther (list) --
Custom fields and values about the resource that a finding pertains to.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A map filter for filtering Security Hub findings. Each map filter provides the field to check for, the value to check for, and the comparison operator.
Key (string) --
The key of the map filter. For example, for ResourceTags , Key identifies the name of the tag. For UserDefinedFields , Key is the name of the field.
Value (string) --
The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called Department might be Security . If you provide security as the filter value, then there's no match.
Comparison (string) --
The condition to apply to the key value when filtering Security Hub findings with a map filter.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, for the ResourceTags field, the filter Department CONTAINS Security matches findings that include the value Security for the Department tag. In the same example, a finding with a value of Security team for the Department tag is a match.
To search for values that exactly match the filter value, use EQUALS . For example, for the ResourceTags field, the filter Department EQUALS Security matches findings that have the value Security for the Department tag.
CONTAINS and EQUALS filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Department CONTAINS Security OR Department CONTAINS Finance match a finding that includes either Security , Finance , or both values.
To search for values that don't have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, for the ResourceTags field, the filter Department NOT_CONTAINS Finance matches findings that exclude the value Finance for the Department tag.
To search for values other than the filter value, use NOT_EQUALS . For example, for the ResourceTags field, the filter Department NOT_EQUALS Finance matches findings that don’t have the value Finance for the Department tag.
NOT_CONTAINS and NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Department NOT_CONTAINS Security AND Department NOT_CONTAINS Finance match a finding that excludes both the Security and Finance values.
CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can’t have both an EQUALS filter and a NOT_EQUALS filter on the same field. Combining filters in this way returns an error.
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
ComplianceStatus (list) --
The result of a security check. This field is only used for findings generated from controls.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
ComplianceSecurityControlId (list) --
The security control ID for which a finding was generated. Security control IDs are the same across standards.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
ComplianceAssociatedStandardsId (list) --
The unique identifier of a standard in which a control is enabled. This field consists of the resource portion of the Amazon Resource Name (ARN) returned for a standard in the DescribeStandards API response.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
VerificationState (list) --
Provides the veracity of a finding.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
WorkflowStatus (list) --
Provides information about the status of the investigation into a finding.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
RecordState (list) --
Provides the current state of a finding.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
RelatedFindingsProductArn (list) --
The ARN for the product that generated a related finding.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
RelatedFindingsId (list) --
The product-generated identifier for a related finding.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
NoteText (list) --
The text of a user-defined note that's added to a finding.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
NoteUpdatedAt (list) --
The timestamp of when the note was updated. Uses the date-time format specified in RFC 3339 section 5.6, Internet Date/Time Format. The value cannot contain spaces. For example, 2020-03-22T13:22:13.933Z .
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A date filter for querying findings.
Start (string) --
A timestamp that provides the start date for the date filter.
A correctly formatted example is 2020-05-21T20:16:34.724Z . The value cannot contain spaces, and date and time should be separated by T . For more information, see RFC 3339 section 5.6, Internet Date/Time Format.
End (string) --
A timestamp that provides the end date for the date filter.
A correctly formatted example is 2020-05-21T20:16:34.724Z . The value cannot contain spaces, and date and time should be separated by T . For more information, see RFC 3339 section 5.6, Internet Date/Time Format.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
NoteUpdatedBy (list) --
The principal that created a note.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
UserDefinedFields (list) --
A list of user-defined name and value string pairs added to a finding.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A map filter for filtering Security Hub findings. Each map filter provides the field to check for, the value to check for, and the comparison operator.
Key (string) --
The key of the map filter. For example, for ResourceTags , Key identifies the name of the tag. For UserDefinedFields , Key is the name of the field.
Value (string) --
The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called Department might be Security . If you provide security as the filter value, then there's no match.
Comparison (string) --
The condition to apply to the key value when filtering Security Hub findings with a map filter.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, for the ResourceTags field, the filter Department CONTAINS Security matches findings that include the value Security for the Department tag. In the same example, a finding with a value of Security team for the Department tag is a match.
To search for values that exactly match the filter value, use EQUALS . For example, for the ResourceTags field, the filter Department EQUALS Security matches findings that have the value Security for the Department tag.
CONTAINS and EQUALS filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Department CONTAINS Security OR Department CONTAINS Finance match a finding that includes either Security , Finance , or both values.
To search for values that don't have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, for the ResourceTags field, the filter Department NOT_CONTAINS Finance matches findings that exclude the value Finance for the Department tag.
To search for values other than the filter value, use NOT_EQUALS . For example, for the ResourceTags field, the filter Department NOT_EQUALS Finance matches findings that don’t have the value Finance for the Department tag.
NOT_CONTAINS and NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Department NOT_CONTAINS Security AND Department NOT_CONTAINS Finance match a finding that excludes both the Security and Finance values.
CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can’t have both an EQUALS filter and a NOT_EQUALS filter on the same field. Combining filters in this way returns an error.
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
ResourceApplicationArn (list) --
The Amazon Resource Name (ARN) of the application that is related to a finding.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
ResourceApplicationName (list) --
The name of the application that is related to a finding.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
AwsAccountName (list) --
The name of the Amazon Web Services account in which a finding was generated.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS . For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS . For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012 .
To search for values that start with the filter value, use PREFIX . For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us . A ResourceRegion that starts with a different value, such as af , ap , or ca , doesn't match.
CONTAINS , EQUALS , and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront , CloudWatch , or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS . For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS . For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012 .
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us .
NOT_CONTAINS , NOT_EQUALS , and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide .
list
[REQUIRED]
One or more actions to update finding fields if a finding matches the conditions specified in Criteria .
(dict) --
One or more actions to update finding fields if a finding matches the defined criteria of the rule.
Type (string) --
Specifies that the rule action should update the Types finding field. The Types finding field classifies findings in the format of namespace/category/classifier. For more information, see Types taxonomy for ASFF in the Security Hub User Guide .
FindingFieldsUpdate (dict) --
Specifies that the automation rule action is an update to a finding field.
Note (dict) --
The updated note.
Text (string) -- [REQUIRED]
The updated note text.
UpdatedBy (string) -- [REQUIRED]
The principal that updated the note.
Severity (dict) --
Updates to the severity information for a finding.
Normalized (integer) --
The normalized severity for the finding. This attribute is to be deprecated in favor of Label .
If you provide Normalized and do not provide Label , Label is set automatically as follows.
0 - INFORMATIONAL
1–39 - LOW
40–69 - MEDIUM
70–89 - HIGH
90–100 - CRITICAL
Product (float) --
The native severity as defined by the Amazon Web Services service or integrated partner product that generated the finding.
Label (string) --
The severity value of the finding. The allowed values are the following.
INFORMATIONAL - No issue was found.
LOW - The issue does not require action on its own.
MEDIUM - The issue must be addressed but not urgently.
HIGH - The issue must be addressed as a priority.
CRITICAL - The issue must be remediated immediately to avoid it escalating.
VerificationState (string) --
The rule action updates the VerificationState field of a finding.
Confidence (integer) --
The rule action updates the Confidence field of a finding.
Criticality (integer) --
The rule action updates the Criticality field of a finding.
Types (list) --
The rule action updates the Types field of a finding.
(string) --
UserDefinedFields (dict) --
The rule action updates the UserDefinedFields field of a finding.
(string) --
(string) --
Workflow (dict) --
Used to update information about the investigation into the finding.
Status (string) --
The status of the investigation into the finding. The workflow status is specific to an individual finding. It does not affect the generation of new findings. For example, setting the workflow status to SUPPRESSED or RESOLVED does not prevent a new finding for the same issue.
The allowed values are the following.
NEW - The initial state of a finding, before it is reviewed. Security Hub also resets WorkFlowStatus from NOTIFIED or RESOLVED to NEW in the following cases:
The record state changes from ARCHIVED to ACTIVE .
The compliance status changes from PASSED to either WARNING , FAILED , or NOT_AVAILABLE .
NOTIFIED - Indicates that you notified the resource owner about the security issue. Used when the initial reviewer is not the resource owner, and needs intervention from the resource owner.
RESOLVED - The finding was reviewed and remediated and is now considered resolved.
SUPPRESSED - Indicates that you reviewed the finding and do not believe that any action is needed. The finding is no longer updated.
RelatedFindings (list) --
The rule action updates the RelatedFindings field of a finding.
(dict) --
Details about a related finding.
ProductArn (string) -- [REQUIRED]
The ARN of the product that generated a related finding.
Id (string) -- [REQUIRED]
The product-generated identifier for a related finding.
dict
Response Syntax
{
'RuleArn': 'string'
}
Response Structure
(dict) --
RuleArn (string) --
The Amazon Resource Name (ARN) of the automation rule that you created.
{'Filters': {'AwsAccountName': [{'Comparison': 'EQUALS | PREFIX | NOT_EQUALS | '
'PREFIX_NOT_EQUALS | CONTAINS | '
'NOT_CONTAINS',
'Value': 'string'}],
'ResourceApplicationArn': [{'Comparison': 'EQUALS | PREFIX | '
'NOT_EQUALS | '
'PREFIX_NOT_EQUALS | '
'CONTAINS | '
'NOT_CONTAINS',
'Value': 'string'}],
'ResourceApplicationName': [{'Comparison': 'EQUALS | PREFIX | '
'NOT_EQUALS | '
'PREFIX_NOT_EQUALS | '
'CONTAINS | '
'NOT_CONTAINS',
'Value': 'string'}]}}
Creates a custom insight in Security Hub. An insight is a consolidation of findings that relate to a security issue that requires attention or remediation.
To group the related findings in the insight, use the GroupByAttribute .
See also: AWS API Documentation
Request Syntax
client.create_insight(
Name='string',
Filters={
'ProductArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'AwsAccountId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'Id': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'GeneratorId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'Region': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'Type': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'FirstObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'LastObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'CreatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'UpdatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'SeverityProduct': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'SeverityNormalized': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'SeverityLabel': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'Confidence': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'Criticality': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'Title': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'Description': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'RecommendationText': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'SourceUrl': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ProductFields': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ProductName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'CompanyName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'UserDefinedFields': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'MalwareName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'MalwareType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'MalwarePath': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'MalwareState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'NetworkDirection': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'NetworkProtocol': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'NetworkSourceIpV4': [
{
'Cidr': 'string'
},
],
'NetworkSourceIpV6': [
{
'Cidr': 'string'
},
],
'NetworkSourcePort': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'NetworkSourceDomain': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'NetworkSourceMac': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'NetworkDestinationIpV4': [
{
'Cidr': 'string'
},
],
'NetworkDestinationIpV6': [
{
'Cidr': 'string'
},
],
'NetworkDestinationPort': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'NetworkDestinationDomain': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ProcessName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ProcessPath': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ProcessPid': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'ProcessParentPid': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'ProcessLaunchedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ProcessTerminatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ThreatIntelIndicatorType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ThreatIntelIndicatorValue': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ThreatIntelIndicatorCategory': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ThreatIntelIndicatorLastObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ThreatIntelIndicatorSource': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ThreatIntelIndicatorSourceUrl': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourcePartition': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceRegion': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceTags': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceAwsEc2InstanceType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceAwsEc2InstanceImageId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceAwsEc2InstanceIpV4Addresses': [
{
'Cidr': 'string'
},
],
'ResourceAwsEc2InstanceIpV6Addresses': [
{
'Cidr': 'string'
},
],
'ResourceAwsEc2InstanceKeyName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceAwsEc2InstanceIamInstanceProfileArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceAwsEc2InstanceVpcId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceAwsEc2InstanceSubnetId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceAwsEc2InstanceLaunchedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ResourceAwsS3BucketOwnerId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceAwsS3BucketOwnerName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceAwsIamAccessKeyUserName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceAwsIamAccessKeyPrincipalName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceAwsIamAccessKeyStatus': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceAwsIamAccessKeyCreatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ResourceAwsIamUserUserName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceContainerName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceContainerImageId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceContainerImageName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceContainerLaunchedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ResourceDetailsOther': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ComplianceStatus': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'VerificationState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'WorkflowState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'WorkflowStatus': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'RecordState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'RelatedFindingsProductArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'RelatedFindingsId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'NoteText': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'NoteUpdatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'NoteUpdatedBy': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'Keyword': [
{
'Value': 'string'
},
],
'FindingProviderFieldsConfidence': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'FindingProviderFieldsCriticality': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'FindingProviderFieldsRelatedFindingsId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'FindingProviderFieldsRelatedFindingsProductArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'FindingProviderFieldsSeverityLabel': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'FindingProviderFieldsSeverityOriginal': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'FindingProviderFieldsTypes': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'Sample': [
{
'Value': True|False
},
],
'ComplianceSecurityControlId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ComplianceAssociatedStandardsId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'VulnerabilitiesExploitAvailable': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'VulnerabilitiesFixAvailable': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ComplianceSecurityControlParametersName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ComplianceSecurityControlParametersValue': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'AwsAccountName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceApplicationName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceApplicationArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
]
},
GroupByAttribute='string'
)
**Parameters**
::
# This section is too large to render.
# Please see the AWS API Documentation linked below.
`AWS API Documentation <https://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/CreateInsight>`_
dict
Response Syntax
{
'InsightArn': 'string'
}
Response Structure
(dict) --
InsightArn (string) --
The ARN of the insight created.
{'OrganizationConfiguration': {'ConfigurationType': 'CENTRAL | LOCAL',
'Status': 'PENDING | ENABLED | FAILED',
'StatusMessage': 'string'}}
Returns information about the way your organization is configured in Security Hub. Only the Security Hub administrator account can invoke this operation.
See also: AWS API Documentation
Request Syntax
client.describe_organization_configuration()
dict
Response Syntax
{
'AutoEnable': True|False,
'MemberAccountLimitReached': True|False,
'AutoEnableStandards': 'NONE'|'DEFAULT',
'OrganizationConfiguration': {
'ConfigurationType': 'CENTRAL'|'LOCAL',
'Status': 'PENDING'|'ENABLED'|'FAILED',
'StatusMessage': 'string'
}
}
Response Structure
(dict) --
AutoEnable (boolean) --
Whether to automatically enable Security Hub in new member accounts when they join the organization.
If set to true , then Security Hub is automatically enabled in new accounts. If set to false , then Security Hub isn't enabled in new accounts automatically. The default value is false .
If the ConfigurationType of your organization is set to CENTRAL , then this field is set to false and can't be changed in the home Region and linked Regions. However, in that case, the delegated administrator can create a configuration policy in which Security Hub is enabled and associate the policy with new organization accounts.
MemberAccountLimitReached (boolean) --
Whether the maximum number of allowed member accounts are already associated with the Security Hub administrator account.
AutoEnableStandards (string) --
Whether to automatically enable Security Hub default standards in new member accounts when they join the organization.
If equal to DEFAULT , then Security Hub default standards are automatically enabled for new member accounts. If equal to NONE , then default standards are not automatically enabled for new member accounts. The default value of this parameter is equal to DEFAULT .
If the ConfigurationType of your organization is set to CENTRAL , then this field is set to NONE and can't be changed in the home Region and linked Regions. However, in that case, the delegated administrator can create a configuration policy in which specific security standards are enabled and associate the policy with new organization accounts.
OrganizationConfiguration (dict) --
Provides information about the way an organization is configured in Security Hub.
ConfigurationType (string) --
Indicates whether the organization uses local or central configuration.
If you use local configuration, the Security Hub delegated administrator can set AutoEnable to true and AutoEnableStandards to DEFAULT . This automatically enables Security Hub and default security standards in new organization accounts. These new account settings must be set separately in each Amazon Web Services Region, and settings may be different in each Region.
If you use central configuration, the delegated administrator can create configuration policies. Configuration policies can be used to configure Security Hub, security standards, and security controls in multiple accounts and Regions. If you want new organization accounts to use a specific configuration, you can create a configuration policy and associate it with the root or specific organizational units (OUs). New accounts will inherit the policy from the root or their assigned OU.
Status (string) --
Describes whether central configuration could be enabled as the ConfigurationType for the organization. If your ConfigurationType is local configuration, then the value of Status is always ENABLED .
StatusMessage (string) --
Provides an explanation if the value of Status is equal to FAILED when ConfigurationType is equal to CENTRAL .
{'Filters': {'AwsAccountName': [{'Comparison': 'EQUALS | PREFIX | NOT_EQUALS | '
'PREFIX_NOT_EQUALS | CONTAINS | '
'NOT_CONTAINS',
'Value': 'string'}],
'ResourceApplicationArn': [{'Comparison': 'EQUALS | PREFIX | '
'NOT_EQUALS | '
'PREFIX_NOT_EQUALS | '
'CONTAINS | '
'NOT_CONTAINS',
'Value': 'string'}],
'ResourceApplicationName': [{'Comparison': 'EQUALS | PREFIX | '
'NOT_EQUALS | '
'PREFIX_NOT_EQUALS | '
'CONTAINS | '
'NOT_CONTAINS',
'Value': 'string'}]}}
Response {'Findings': {'AwsAccountName': 'string',
'ProcessedAt': 'string',
'Resources': {'ApplicationArn': 'string',
'ApplicationName': 'string'}}}
Returns a list of findings that match the specified criteria.
If finding aggregation is enabled, then when you call GetFindings from the aggregation Region, the results include all of the matching findings from both the aggregation Region and the linked Regions.
See also: AWS API Documentation
Request Syntax
client.get_findings(
Filters={
'ProductArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'AwsAccountId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'Id': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'GeneratorId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'Region': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'Type': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'FirstObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'LastObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'CreatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'UpdatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'SeverityProduct': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'SeverityNormalized': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'SeverityLabel': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'Confidence': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'Criticality': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'Title': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'Description': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'RecommendationText': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'SourceUrl': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ProductFields': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ProductName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'CompanyName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'UserDefinedFields': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'MalwareName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'MalwareType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'MalwarePath': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'MalwareState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'NetworkDirection': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'NetworkProtocol': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'NetworkSourceIpV4': [
{
'Cidr': 'string'
},
],
'NetworkSourceIpV6': [
{
'Cidr': 'string'
},
],
'NetworkSourcePort': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'NetworkSourceDomain': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'NetworkSourceMac': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'NetworkDestinationIpV4': [
{
'Cidr': 'string'
},
],
'NetworkDestinationIpV6': [
{
'Cidr': 'string'
},
],
'NetworkDestinationPort': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'NetworkDestinationDomain': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ProcessName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ProcessPath': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ProcessPid': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'ProcessParentPid': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'ProcessLaunchedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ProcessTerminatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ThreatIntelIndicatorType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ThreatIntelIndicatorValue': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ThreatIntelIndicatorCategory': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ThreatIntelIndicatorLastObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ThreatIntelIndicatorSource': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ThreatIntelIndicatorSourceUrl': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourcePartition': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceRegion': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceTags': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceAwsEc2InstanceType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceAwsEc2InstanceImageId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceAwsEc2InstanceIpV4Addresses': [
{
'Cidr': 'string'
},
],
'ResourceAwsEc2InstanceIpV6Addresses': [
{
'Cidr': 'string'
},
],
'ResourceAwsEc2InstanceKeyName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceAwsEc2InstanceIamInstanceProfileArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceAwsEc2InstanceVpcId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceAwsEc2InstanceSubnetId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceAwsEc2InstanceLaunchedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ResourceAwsS3BucketOwnerId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceAwsS3BucketOwnerName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceAwsIamAccessKeyUserName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceAwsIamAccessKeyPrincipalName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceAwsIamAccessKeyStatus': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceAwsIamAccessKeyCreatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ResourceAwsIamUserUserName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceContainerName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceContainerImageId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceContainerImageName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceContainerLaunchedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ResourceDetailsOther': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ComplianceStatus': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'VerificationState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'WorkflowState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'WorkflowStatus': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'RecordState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'RelatedFindingsProductArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'RelatedFindingsId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'NoteText': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'NoteUpdatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'NoteUpdatedBy': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'Keyword': [
{
'Value': 'string'
},
],
'FindingProviderFieldsConfidence': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'FindingProviderFieldsCriticality': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'FindingProviderFieldsRelatedFindingsId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'FindingProviderFieldsRelatedFindingsProductArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'FindingProviderFieldsSeverityLabel': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'FindingProviderFieldsSeverityOriginal': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'FindingProviderFieldsTypes': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'Sample': [
{
'Value': True|False
},
],
'ComplianceSecurityControlId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ComplianceAssociatedStandardsId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'VulnerabilitiesExploitAvailable': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'VulnerabilitiesFixAvailable': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ComplianceSecurityControlParametersName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ComplianceSecurityControlParametersValue': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'AwsAccountName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceApplicationName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceApplicationArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
]
},
SortCriteria=[
{
'Field': 'string',
'SortOrder': 'asc'|'desc'
},
],
NextToken='string',
MaxResults=123
)
**Parameters**
::
# This section is too large to render.
# Please see the AWS API Documentation linked below.
`AWS API Documentation <https://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/GetFindings>`_
dict
Response Syntax
# This section is too large to render. # Please see the AWS API Documentation linked below.
Response Structure
# This section is too large to render. # Please see the AWS API Documentation linked below.
{'Insights': {'Filters': {'AwsAccountName': [{'Comparison': 'EQUALS | PREFIX | '
'NOT_EQUALS | '
'PREFIX_NOT_EQUALS '
'| CONTAINS | '
'NOT_CONTAINS',
'Value': 'string'}],
'ResourceApplicationArn': [{'Comparison': 'EQUALS | '
'PREFIX | '
'NOT_EQUALS '
'| '
'PREFIX_NOT_EQUALS '
'| '
'CONTAINS '
'| '
'NOT_CONTAINS',
'Value': 'string'}],
'ResourceApplicationName': [{'Comparison': 'EQUALS | '
'PREFIX | '
'NOT_EQUALS '
'| '
'PREFIX_NOT_EQUALS '
'| '
'CONTAINS '
'| '
'NOT_CONTAINS',
'Value': 'string'}]}}}
Lists and describes insights for the specified insight ARNs.
See also: AWS API Documentation
Request Syntax
client.get_insights(
InsightArns=[
'string',
],
NextToken='string',
MaxResults=123
)
list
The ARNs of the insights to describe. If you do not provide any insight ARNs, then GetInsights returns all of your custom insights. It does not return any managed insights.
(string) --
string
The token that is required for pagination. On your first call to the GetInsights operation, set the value of this parameter to NULL .
For subsequent calls to the operation, to continue listing data, set the value of this parameter to the value returned from the previous response.
integer
The maximum number of items to return in the response.
dict
Response Syntax
{
'Insights': [
{
'InsightArn': 'string',
'Name': 'string',
'Filters': {
'ProductArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'AwsAccountId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'Id': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'GeneratorId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'Region': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'Type': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'FirstObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'LastObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'CreatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'UpdatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'SeverityProduct': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'SeverityNormalized': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'SeverityLabel': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'Confidence': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'Criticality': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'Title': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'Description': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'RecommendationText': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'SourceUrl': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ProductFields': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ProductName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'CompanyName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'UserDefinedFields': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'MalwareName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'MalwareType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'MalwarePath': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'MalwareState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'NetworkDirection': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'NetworkProtocol': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'NetworkSourceIpV4': [
{
'Cidr': 'string'
},
],
'NetworkSourceIpV6': [
{
'Cidr': 'string'
},
],
'NetworkSourcePort': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'NetworkSourceDomain': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'NetworkSourceMac': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'NetworkDestinationIpV4': [
{
'Cidr': 'string'
},
],
'NetworkDestinationIpV6': [
{
'Cidr': 'string'
},
],
'NetworkDestinationPort': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'NetworkDestinationDomain': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ProcessName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ProcessPath': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ProcessPid': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'ProcessParentPid': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'ProcessLaunchedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ProcessTerminatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ThreatIntelIndicatorType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ThreatIntelIndicatorValue': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ThreatIntelIndicatorCategory': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ThreatIntelIndicatorLastObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ThreatIntelIndicatorSource': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ThreatIntelIndicatorSourceUrl': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourcePartition': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceRegion': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceTags': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceAwsEc2InstanceType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceAwsEc2InstanceImageId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceAwsEc2InstanceIpV4Addresses': [
{
'Cidr': 'string'
},
],
'ResourceAwsEc2InstanceIpV6Addresses': [
{
'Cidr': 'string'
},
],
'ResourceAwsEc2InstanceKeyName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceAwsEc2InstanceIamInstanceProfileArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceAwsEc2InstanceVpcId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceAwsEc2InstanceSubnetId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceAwsEc2InstanceLaunchedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ResourceAwsS3BucketOwnerId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceAwsS3BucketOwnerName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceAwsIamAccessKeyUserName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceAwsIamAccessKeyPrincipalName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceAwsIamAccessKeyStatus': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceAwsIamAccessKeyCreatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ResourceAwsIamUserUserName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceContainerName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceContainerImageId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceContainerImageName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceContainerLaunchedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ResourceDetailsOther': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ComplianceStatus': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'VerificationState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'WorkflowState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'WorkflowStatus': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'RecordState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'RelatedFindingsProductArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'RelatedFindingsId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'NoteText': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'NoteUpdatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'NoteUpdatedBy': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'Keyword': [
{
'Value': 'string'
},
],
'FindingProviderFieldsConfidence': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'FindingProviderFieldsCriticality': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'FindingProviderFieldsRelatedFindingsId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'FindingProviderFieldsRelatedFindingsProductArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'FindingProviderFieldsSeverityLabel': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'FindingProviderFieldsSeverityOriginal': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'FindingProviderFieldsTypes': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'Sample': [
{
'Value': True|False
},
],
'ComplianceSecurityControlId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ComplianceAssociatedStandardsId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'VulnerabilitiesExploitAvailable': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'VulnerabilitiesFixAvailable': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ComplianceSecurityControlParametersName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ComplianceSecurityControlParametersValue': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'AwsAccountName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceApplicationName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceApplicationArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
]
},
'GroupByAttribute': 'string'
},
],
'NextToken': 'string'
}
**Response Structure**
::
# This section is too large to render.
# Please see the AWS API Documentation linked below.
`AWS API Documentation <https://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/GetInsights>`_
{'Filters': {'AwsAccountName': [{'Comparison': 'EQUALS | PREFIX | NOT_EQUALS | '
'PREFIX_NOT_EQUALS | CONTAINS | '
'NOT_CONTAINS',
'Value': 'string'}],
'ResourceApplicationArn': [{'Comparison': 'EQUALS | PREFIX | '
'NOT_EQUALS | '
'PREFIX_NOT_EQUALS | '
'CONTAINS | '
'NOT_CONTAINS',
'Value': 'string'}],
'ResourceApplicationName': [{'Comparison': 'EQUALS | PREFIX | '
'NOT_EQUALS | '
'PREFIX_NOT_EQUALS | '
'CONTAINS | '
'NOT_CONTAINS',
'Value': 'string'}]}}
UpdateFindings is deprecated. Instead of UpdateFindings , use BatchUpdateFindings .
Updates the Note and RecordState of the Security Hub-aggregated findings that the filter attributes specify. Any member account that can view the finding also sees the update to the finding.
See also: AWS API Documentation
Request Syntax
client.update_findings(
Filters={
'ProductArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'AwsAccountId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'Id': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'GeneratorId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'Region': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'Type': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'FirstObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'LastObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'CreatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'UpdatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'SeverityProduct': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'SeverityNormalized': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'SeverityLabel': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'Confidence': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'Criticality': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'Title': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'Description': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'RecommendationText': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'SourceUrl': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ProductFields': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ProductName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'CompanyName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'UserDefinedFields': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'MalwareName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'MalwareType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'MalwarePath': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'MalwareState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'NetworkDirection': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'NetworkProtocol': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'NetworkSourceIpV4': [
{
'Cidr': 'string'
},
],
'NetworkSourceIpV6': [
{
'Cidr': 'string'
},
],
'NetworkSourcePort': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'NetworkSourceDomain': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'NetworkSourceMac': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'NetworkDestinationIpV4': [
{
'Cidr': 'string'
},
],
'NetworkDestinationIpV6': [
{
'Cidr': 'string'
},
],
'NetworkDestinationPort': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'NetworkDestinationDomain': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ProcessName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ProcessPath': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ProcessPid': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'ProcessParentPid': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'ProcessLaunchedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ProcessTerminatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ThreatIntelIndicatorType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ThreatIntelIndicatorValue': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ThreatIntelIndicatorCategory': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ThreatIntelIndicatorLastObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ThreatIntelIndicatorSource': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ThreatIntelIndicatorSourceUrl': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourcePartition': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceRegion': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceTags': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceAwsEc2InstanceType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceAwsEc2InstanceImageId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceAwsEc2InstanceIpV4Addresses': [
{
'Cidr': 'string'
},
],
'ResourceAwsEc2InstanceIpV6Addresses': [
{
'Cidr': 'string'
},
],
'ResourceAwsEc2InstanceKeyName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceAwsEc2InstanceIamInstanceProfileArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceAwsEc2InstanceVpcId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceAwsEc2InstanceSubnetId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceAwsEc2InstanceLaunchedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ResourceAwsS3BucketOwnerId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceAwsS3BucketOwnerName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceAwsIamAccessKeyUserName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceAwsIamAccessKeyPrincipalName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceAwsIamAccessKeyStatus': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceAwsIamAccessKeyCreatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ResourceAwsIamUserUserName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceContainerName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceContainerImageId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceContainerImageName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceContainerLaunchedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ResourceDetailsOther': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ComplianceStatus': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'VerificationState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'WorkflowState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'WorkflowStatus': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'RecordState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'RelatedFindingsProductArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'RelatedFindingsId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'NoteText': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'NoteUpdatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'NoteUpdatedBy': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'Keyword': [
{
'Value': 'string'
},
],
'FindingProviderFieldsConfidence': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'FindingProviderFieldsCriticality': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'FindingProviderFieldsRelatedFindingsId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'FindingProviderFieldsRelatedFindingsProductArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'FindingProviderFieldsSeverityLabel': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'FindingProviderFieldsSeverityOriginal': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'FindingProviderFieldsTypes': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'Sample': [
{
'Value': True|False
},
],
'ComplianceSecurityControlId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ComplianceAssociatedStandardsId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'VulnerabilitiesExploitAvailable': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'VulnerabilitiesFixAvailable': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ComplianceSecurityControlParametersName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ComplianceSecurityControlParametersValue': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'AwsAccountName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceApplicationName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceApplicationArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
]
},
Note={
'Text': 'string',
'UpdatedBy': 'string'
},
RecordState='ACTIVE'|'ARCHIVED'
)
**Parameters**
::
# This section is too large to render.
# Please see the AWS API Documentation linked below.
`AWS API Documentation <https://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/UpdateFindings>`_
dict
Response Syntax
{}
Response Structure
(dict) --
{'Filters': {'AwsAccountName': [{'Comparison': 'EQUALS | PREFIX | NOT_EQUALS | '
'PREFIX_NOT_EQUALS | CONTAINS | '
'NOT_CONTAINS',
'Value': 'string'}],
'ResourceApplicationArn': [{'Comparison': 'EQUALS | PREFIX | '
'NOT_EQUALS | '
'PREFIX_NOT_EQUALS | '
'CONTAINS | '
'NOT_CONTAINS',
'Value': 'string'}],
'ResourceApplicationName': [{'Comparison': 'EQUALS | PREFIX | '
'NOT_EQUALS | '
'PREFIX_NOT_EQUALS | '
'CONTAINS | '
'NOT_CONTAINS',
'Value': 'string'}]}}
Updates the Security Hub insight identified by the specified insight ARN.
See also: AWS API Documentation
Request Syntax
client.update_insight(
InsightArn='string',
Name='string',
Filters={
'ProductArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'AwsAccountId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'Id': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'GeneratorId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'Region': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'Type': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'FirstObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'LastObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'CreatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'UpdatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'SeverityProduct': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'SeverityNormalized': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'SeverityLabel': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'Confidence': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'Criticality': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'Title': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'Description': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'RecommendationText': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'SourceUrl': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ProductFields': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ProductName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'CompanyName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'UserDefinedFields': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'MalwareName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'MalwareType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'MalwarePath': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'MalwareState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'NetworkDirection': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'NetworkProtocol': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'NetworkSourceIpV4': [
{
'Cidr': 'string'
},
],
'NetworkSourceIpV6': [
{
'Cidr': 'string'
},
],
'NetworkSourcePort': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'NetworkSourceDomain': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'NetworkSourceMac': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'NetworkDestinationIpV4': [
{
'Cidr': 'string'
},
],
'NetworkDestinationIpV6': [
{
'Cidr': 'string'
},
],
'NetworkDestinationPort': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'NetworkDestinationDomain': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ProcessName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ProcessPath': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ProcessPid': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'ProcessParentPid': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'ProcessLaunchedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ProcessTerminatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ThreatIntelIndicatorType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ThreatIntelIndicatorValue': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ThreatIntelIndicatorCategory': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ThreatIntelIndicatorLastObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ThreatIntelIndicatorSource': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ThreatIntelIndicatorSourceUrl': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourcePartition': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceRegion': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceTags': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceAwsEc2InstanceType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceAwsEc2InstanceImageId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceAwsEc2InstanceIpV4Addresses': [
{
'Cidr': 'string'
},
],
'ResourceAwsEc2InstanceIpV6Addresses': [
{
'Cidr': 'string'
},
],
'ResourceAwsEc2InstanceKeyName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceAwsEc2InstanceIamInstanceProfileArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceAwsEc2InstanceVpcId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceAwsEc2InstanceSubnetId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceAwsEc2InstanceLaunchedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ResourceAwsS3BucketOwnerId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceAwsS3BucketOwnerName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceAwsIamAccessKeyUserName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceAwsIamAccessKeyPrincipalName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceAwsIamAccessKeyStatus': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceAwsIamAccessKeyCreatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ResourceAwsIamUserUserName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceContainerName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceContainerImageId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceContainerImageName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceContainerLaunchedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ResourceDetailsOther': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ComplianceStatus': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'VerificationState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'WorkflowState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'WorkflowStatus': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'RecordState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'RelatedFindingsProductArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'RelatedFindingsId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'NoteText': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'NoteUpdatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'NoteUpdatedBy': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'Keyword': [
{
'Value': 'string'
},
],
'FindingProviderFieldsConfidence': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'FindingProviderFieldsCriticality': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'FindingProviderFieldsRelatedFindingsId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'FindingProviderFieldsRelatedFindingsProductArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'FindingProviderFieldsSeverityLabel': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'FindingProviderFieldsSeverityOriginal': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'FindingProviderFieldsTypes': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'Sample': [
{
'Value': True|False
},
],
'ComplianceSecurityControlId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ComplianceAssociatedStandardsId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'VulnerabilitiesExploitAvailable': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'VulnerabilitiesFixAvailable': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ComplianceSecurityControlParametersName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ComplianceSecurityControlParametersValue': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'AwsAccountName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceApplicationName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceApplicationArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
]
},
GroupByAttribute='string'
)
**Parameters**
::
# This section is too large to render.
# Please see the AWS API Documentation linked below.
`AWS API Documentation <https://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/UpdateInsight>`_
dict
Response Syntax
{}
Response Structure
(dict) --
{'OrganizationConfiguration': {'ConfigurationType': 'CENTRAL | LOCAL',
'Status': 'PENDING | ENABLED | FAILED',
'StatusMessage': 'string'}}
Updates the configuration of your organization in Security Hub. Only the Security Hub administrator account can invoke this operation.
See also: AWS API Documentation
Request Syntax
client.update_organization_configuration(
AutoEnable=True|False,
AutoEnableStandards='NONE'|'DEFAULT',
OrganizationConfiguration={
'ConfigurationType': 'CENTRAL'|'LOCAL',
'Status': 'PENDING'|'ENABLED'|'FAILED',
'StatusMessage': 'string'
}
)
boolean
[REQUIRED]
Whether to automatically enable Security Hub in new member accounts when they join the organization.
If set to true , then Security Hub is automatically enabled in new accounts. If set to false , then Security Hub isn't enabled in new accounts automatically. The default value is false .
If the ConfigurationType of your organization is set to CENTRAL , then this field is set to false and can't be changed in the home Region and linked Regions. However, in that case, the delegated administrator can create a configuration policy in which Security Hub is enabled and associate the policy with new organization accounts.
string
Whether to automatically enable Security Hub default standards in new member accounts when they join the organization.
The default value of this parameter is equal to DEFAULT .
If equal to DEFAULT , then Security Hub default standards are automatically enabled for new member accounts. If equal to NONE , then default standards are not automatically enabled for new member accounts.
If the ConfigurationType of your organization is set to CENTRAL , then this field is set to NONE and can't be changed in the home Region and linked Regions. However, in that case, the delegated administrator can create a configuration policy in which specific security standards are enabled and associate the policy with new organization accounts.
dict
Provides information about the way an organization is configured in Security Hub.
ConfigurationType (string) --
Indicates whether the organization uses local or central configuration.
If you use local configuration, the Security Hub delegated administrator can set AutoEnable to true and AutoEnableStandards to DEFAULT . This automatically enables Security Hub and default security standards in new organization accounts. These new account settings must be set separately in each Amazon Web Services Region, and settings may be different in each Region.
If you use central configuration, the delegated administrator can create configuration policies. Configuration policies can be used to configure Security Hub, security standards, and security controls in multiple accounts and Regions. If you want new organization accounts to use a specific configuration, you can create a configuration policy and associate it with the root or specific organizational units (OUs). New accounts will inherit the policy from the root or their assigned OU.
Status (string) --
Describes whether central configuration could be enabled as the ConfigurationType for the organization. If your ConfigurationType is local configuration, then the value of Status is always ENABLED .
StatusMessage (string) --
Provides an explanation if the value of Status is equal to FAILED when ConfigurationType is equal to CENTRAL .
dict
Response Syntax
{}
Response Structure
(dict) --