2025/12/02 - AWS SecurityHub - 1 new9 updated api methods
Changes ITSM enhancements: DRYRUN mode for testing ticket creation, ServiceNow now uses AWS Secrets Manager for credentials, ConnectorRegistrationsV2 renamed to RegisterConnectorV2, added ServiceQuotaExceededException error, and ConnectorStatus visibility in CreateConnectorV2.
Grants permission to complete the authorization based on input parameters.
See also: AWS API Documentation
Request Syntax
client.register_connector_v2(
AuthCode='string',
AuthState='string'
)
string
[REQUIRED]
The authCode retrieved from authUrl to complete the OAuth 2.0 authorization code flow.
string
[REQUIRED]
The authState retrieved from authUrl to complete the OAuth 2.0 authorization code flow.
dict
Response Syntax
{
'ConnectorArn': 'string',
'ConnectorId': 'string'
}
Response Structure
(dict) --
ConnectorArn (string) --
The Amazon Resource Name (ARN) of the connectorV2.
ConnectorId (string) --
The UUID of the connectorV2 to identify connectorV2 resource.
{'Criteria': {'OcsfFindingCriteria': {'CompositeFilters': {'NumberFilters': {'FieldName': {'vendor_attributes.severity_id',
'vulnerabilities.cve.cvss.base_score'}},
'StringFilters': {'FieldName': {'finding_info.related_events.traits.category',
'vendor_attributes.severity'}}}}}}
Creates a V2 automation rule.
See also: AWS API Documentation
Request Syntax
client.create_automation_rule_v2(
RuleName='string',
RuleStatus='ENABLED'|'DISABLED',
Description='string',
RuleOrder=...,
Criteria={
'OcsfFindingCriteria': {
'CompositeFilters': [
{
'StringFilters': [
{
'FieldName': 'metadata.uid'|'activity_name'|'cloud.account.uid'|'cloud.provider'|'cloud.region'|'compliance.assessments.category'|'compliance.assessments.name'|'compliance.control'|'compliance.status'|'compliance.standards'|'finding_info.desc'|'finding_info.src_url'|'finding_info.title'|'finding_info.types'|'finding_info.uid'|'finding_info.related_events.traits.category'|'finding_info.related_events.uid'|'finding_info.related_events.product.uid'|'finding_info.related_events.title'|'metadata.product.name'|'metadata.product.uid'|'metadata.product.vendor_name'|'remediation.desc'|'remediation.references'|'resources.cloud_partition'|'resources.region'|'resources.type'|'resources.uid'|'severity'|'status'|'comment'|'vulnerabilities.fix_coverage'|'class_name'|'databucket.encryption_details.algorithm'|'databucket.encryption_details.key_uid'|'databucket.file.data_classifications.classifier_details.type'|'evidences.actor.user.account.uid'|'evidences.api.operation'|'evidences.api.response.error_message'|'evidences.api.service.name'|'evidences.connection_info.direction'|'evidences.connection_info.protocol_name'|'evidences.dst_endpoint.autonomous_system.name'|'evidences.dst_endpoint.location.city'|'evidences.dst_endpoint.location.country'|'evidences.src_endpoint.autonomous_system.name'|'evidences.src_endpoint.hostname'|'evidences.src_endpoint.location.city'|'evidences.src_endpoint.location.country'|'finding_info.analytic.name'|'malware.name'|'malware_scan_info.uid'|'malware.severity'|'resources.cloud_function.layers.uid_alt'|'resources.cloud_function.runtime'|'resources.cloud_function.user.uid'|'resources.device.encryption_details.key_uid'|'resources.device.image.uid'|'resources.image.architecture'|'resources.image.registry_uid'|'resources.image.repository_name'|'resources.image.uid'|'resources.subnet_info.uid'|'resources.vpc_uid'|'vulnerabilities.affected_code.file.path'|'vulnerabilities.affected_packages.name'|'vulnerabilities.cve.epss.score'|'vulnerabilities.cve.uid'|'vulnerabilities.related_vulnerabilities'|'cloud.account.name'|'vendor_attributes.severity',
'Filter': {
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
}
},
],
'DateFilters': [
{
'FieldName': 'finding_info.created_time_dt'|'finding_info.first_seen_time_dt'|'finding_info.last_seen_time_dt'|'finding_info.modified_time_dt'|'resources.image.created_time_dt'|'resources.image.last_used_time_dt'|'resources.modified_time_dt',
'Filter': {
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
}
},
],
'BooleanFilters': [
{
'FieldName': 'compliance.assessments.meets_criteria'|'vulnerabilities.is_exploit_available'|'vulnerabilities.is_fix_available',
'Filter': {
'Value': True|False
}
},
],
'NumberFilters': [
{
'FieldName': 'activity_id'|'compliance.status_id'|'confidence_score'|'severity_id'|'status_id'|'finding_info.related_events_count'|'evidences.api.response.code'|'evidences.dst_endpoint.autonomous_system.number'|'evidences.dst_endpoint.port'|'evidences.src_endpoint.autonomous_system.number'|'evidences.src_endpoint.port'|'resources.image.in_use_count'|'vulnerabilities.cve.cvss.base_score'|'vendor_attributes.severity_id',
'Filter': {
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
}
},
],
'MapFilters': [
{
'FieldName': 'resources.tags'|'compliance.control_parameters'|'databucket.tags'|'finding_info.tags',
'Filter': {
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
}
},
],
'IpFilters': [
{
'FieldName': 'evidences.dst_endpoint.ip'|'evidences.src_endpoint.ip',
'Filter': {
'Cidr': 'string'
}
},
],
'NestedCompositeFilters': {'... recursive ...'},
'Operator': 'AND'|'OR'
},
],
'CompositeOperator': 'AND'|'OR'
}
},
Actions=[
{
'Type': 'FINDING_FIELDS_UPDATE'|'EXTERNAL_INTEGRATION',
'FindingFieldsUpdate': {
'SeverityId': 123,
'Comment': 'string',
'StatusId': 123
},
'ExternalIntegrationConfiguration': {
'ConnectorArn': 'string'
}
},
],
Tags={
'string': 'string'
},
ClientToken='string'
)
string
[REQUIRED]
The name of the V2 automation rule.
string
The status of the V2 automation rule.
string
[REQUIRED]
A description of the V2 automation rule.
float
[REQUIRED]
The value for the rule priority.
dict
[REQUIRED]
The filtering type and configuration of the automation rule.
OcsfFindingCriteria (dict) --
The filtering conditions that align with OCSF standards.
CompositeFilters (list) --
Enables the creation of complex filtering conditions by combining filter criteria.
(dict) --
Enables the creation of filtering criteria for security findings.
StringFilters (list) --
Enables filtering based on string field values.
(dict) --
Enables filtering of security findings based on string field values in OCSF.
FieldName (string) --
The name of the field.
Filter (dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules V1. CONTAINS_WORD operator is only supported in GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourceStatisticsV2 APIs. For more information, see Automation rules in the Security Hub User Guide.
DateFilters (list) --
Enables filtering based on date and timestamp fields.
(dict) --
Enables filtering of security findings based on date and timestamp fields in OCSF.
FieldName (string) --
The name of the field.
Filter (dict) --
A date filter for querying findings.
Start (string) --
A timestamp that provides the start date for the date filter.
For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps.
End (string) --
A timestamp that provides the end date for the date filter.
For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
BooleanFilters (list) --
Enables filtering based on boolean field values.
(dict) --
Enables filtering of security findings based on boolean field values in OCSF.
FieldName (string) --
The name of the field.
Filter (dict) --
Boolean filter for querying findings.
Value (boolean) --
The value of the boolean.
NumberFilters (list) --
Enables filtering based on numerical field values.
(dict) --
Enables filtering of security findings based on numerical field values in OCSF.
FieldName (string) --
The name of the field.
Filter (dict) --
A number filter for querying findings.
Gte (float) --
The greater-than-equal condition to be applied to a single field when querying for findings.
Lte (float) --
The less-than-equal condition to be applied to a single field when querying for findings.
Eq (float) --
The equal-to condition to be applied to a single field when querying for findings.
Gt (float) --
The greater-than condition to be applied to a single field when querying for findings.
Lt (float) --
The less-than condition to be applied to a single field when querying for findings.
MapFilters (list) --
Enables filtering based on map field values.
(dict) --
Enables filtering of security findings based on map field values in OCSF.
FieldName (string) --
The name of the field.
Filter (dict) --
A map filter for filtering Security Hub findings. Each map filter provides the field to check for, the value to check for, and the comparison operator.
Key (string) --
The key of the map filter. For example, for ResourceTags, Key identifies the name of the tag. For UserDefinedFields, Key is the name of the field.
Value (string) --
The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called Department might be Security. If you provide security as the filter value, then there's no match.
Comparison (string) --
The condition to apply to the key value when filtering Security Hub findings with a map filter.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, for the ResourceTags field, the filter Department CONTAINS Security matches findings that include the value Security for the Department tag. In the same example, a finding with a value of Security team for the Department tag is a match.
To search for values that exactly match the filter value, use EQUALS. For example, for the ResourceTags field, the filter Department EQUALS Security matches findings that have the value Security for the Department tag.
CONTAINS and EQUALS filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Department CONTAINS Security OR Department CONTAINS Finance match a finding that includes either Security, Finance, or both values.
To search for values that don't have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, for the ResourceTags field, the filter Department NOT_CONTAINS Finance matches findings that exclude the value Finance for the Department tag.
To search for values other than the filter value, use NOT_EQUALS. For example, for the ResourceTags field, the filter Department NOT_EQUALS Finance matches findings that don’t have the value Finance for the Department tag.
NOT_CONTAINS and NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Department NOT_CONTAINS Security AND Department NOT_CONTAINS Finance match a finding that excludes both the Security and Finance values.
CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can’t have both an EQUALS filter and a NOT_EQUALS filter on the same field. Combining filters in this way returns an error.
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide.
IpFilters (list) --
A list of IP address filters that allowing you to filter findings based on IP address properties.
(dict) --
The structure for filtering findings based on IP address attributes.
FieldName (string) --
The name of the IP address field to filter on.
Filter (dict) --
The IP filter for querying findings.
Cidr (string) --
A finding's CIDR value.
NestedCompositeFilters (list) --
Provides an additional level of filtering, creating a three-layer nested structure. The first layer is a CompositeFilters array with a CompositeOperator ( AND/ OR). The second layer is a CompositeFilter object that contains direct filters and NestedCompositeFilters. The third layer is NestedCompositeFilters, which contains additional filter conditions.
Operator (string) --
The logical operator used to combine multiple filter conditions.
CompositeOperator (string) --
The logical operators used to combine the filtering on multiple CompositeFilters.
list
[REQUIRED]
A list of actions to be performed when the rule criteria is met.
(dict) --
Allows you to configure automated responses.
Type (string) -- [REQUIRED]
The category of action to be executed by the automation rule.
FindingFieldsUpdate (dict) --
The changes to be applied to fields in a security finding when an automation rule is triggered.
SeverityId (integer) --
The severity level to be assigned to findings that match the automation rule criteria.
Comment (string) --
Notes or contextual information for findings that are modified by the automation rule.
StatusId (integer) --
The status to be applied to findings that match automation rule criteria.
ExternalIntegrationConfiguration (dict) --
The settings for integrating automation rule actions with external systems or service.
ConnectorArn (string) --
The ARN of the connector that establishes the integration.
dict
A list of key-value pairs associated with the V2 automation rule.
(string) --
(string) --
string
A unique identifier used to ensure idempotency.
This field is autopopulated if not provided.
dict
Response Syntax
{
'RuleArn': 'string',
'RuleId': 'string'
}
Response Structure
(dict) --
RuleArn (string) --
The ARN of the V2 automation rule.
RuleId (string) --
The ID of the V2 automation rule.
{'Provider': {'ServiceNow': {'SecretArn': 'string'}}}
Response {'ConnectorStatus': 'CONNECTED | FAILED_TO_CONNECT | PENDING_CONFIGURATION | '
'PENDING_AUTHORIZATION'}
Grants permission to create a connectorV2 based on input parameters.
See also: AWS API Documentation
Request Syntax
client.create_connector_v2(
Name='string',
Description='string',
Provider={
'JiraCloud': {
'ProjectKey': 'string'
},
'ServiceNow': {
'InstanceName': 'string',
'SecretArn': 'string'
}
},
KmsKeyArn='string',
Tags={
'string': 'string'
},
ClientToken='string'
)
string
[REQUIRED]
The unique name of the connectorV2.
string
The description of the connectorV2.
dict
[REQUIRED]
The third-party provider’s service configuration.
JiraCloud (dict) --
The configuration settings required to establish an integration with Jira Cloud.
ProjectKey (string) --
The project key for a JiraCloud instance.
ServiceNow (dict) --
The configuration settings required to establish an integration with ServiceNow ITSM.
InstanceName (string) -- [REQUIRED]
The instance name of ServiceNow ITSM.
SecretArn (string) -- [REQUIRED]
The Amazon Resource Name (ARN) of the Amazon Web Services Secrets Manager secret that contains the ServiceNow credentials.
string
The Amazon Resource Name (ARN) of KMS key used to encrypt secrets for the connectorV2.
dict
The tags to add to the connectorV2 when you create.
(string) --
(string) --
string
A unique identifier used to ensure idempotency.
This field is autopopulated if not provided.
dict
Response Syntax
{
'ConnectorArn': 'string',
'ConnectorId': 'string',
'AuthUrl': 'string',
'ConnectorStatus': 'CONNECTED'|'FAILED_TO_CONNECT'|'PENDING_CONFIGURATION'|'PENDING_AUTHORIZATION'
}
Response Structure
(dict) --
ConnectorArn (string) --
The Amazon Resource Name (ARN) of the connectorV2.
ConnectorId (string) --
The UUID of the connectorV2 to identify connectorV2 resource.
AuthUrl (string) --
The Url provide to customers for OAuth auth code flow.
ConnectorStatus (string) --
The current status of the connectorV2.
{'Mode': 'DRYRUN'}
Grants permission to create a ticket in the chosen ITSM based on finding information for the provided finding metadata UID.
See also: AWS API Documentation
Request Syntax
client.create_ticket_v2(
ConnectorId='string',
FindingMetadataUid='string',
ClientToken='string',
Mode='DRYRUN'
)
string
[REQUIRED]
The UUID of the connectorV2 to identify connectorV2 resource.
string
[REQUIRED]
The the unique ID for the finding.
string
The client idempotency token.
This field is autopopulated if not provided.
string
The mode for ticket creation. When set to DRYRUN, the ticket is created using a Security Hub owned template test finding to verify the integration is working correctly.
dict
Response Syntax
{
'TicketId': 'string',
'TicketSrcUrl': 'string'
}
Response Structure
(dict) --
TicketId (string) --
The ID for the ticketv2.
TicketSrcUrl (string) --
The url to the created ticket.
{'Criteria': {'OcsfFindingCriteria': {'CompositeFilters': {'NumberFilters': {'FieldName': {'vendor_attributes.severity_id',
'vulnerabilities.cve.cvss.base_score'}},
'StringFilters': {'FieldName': {'finding_info.related_events.traits.category',
'vendor_attributes.severity'}}}}}}
Returns an automation rule for the V2 service.
See also: AWS API Documentation
Request Syntax
client.get_automation_rule_v2(
Identifier='string'
)
string
[REQUIRED]
The ARN of the V2 automation rule.
dict
Response Syntax
{
'RuleArn': 'string',
'RuleId': 'string',
'RuleOrder': ...,
'RuleName': 'string',
'RuleStatus': 'ENABLED'|'DISABLED',
'Description': 'string',
'Criteria': {
'OcsfFindingCriteria': {
'CompositeFilters': [
{
'StringFilters': [
{
'FieldName': 'metadata.uid'|'activity_name'|'cloud.account.uid'|'cloud.provider'|'cloud.region'|'compliance.assessments.category'|'compliance.assessments.name'|'compliance.control'|'compliance.status'|'compliance.standards'|'finding_info.desc'|'finding_info.src_url'|'finding_info.title'|'finding_info.types'|'finding_info.uid'|'finding_info.related_events.traits.category'|'finding_info.related_events.uid'|'finding_info.related_events.product.uid'|'finding_info.related_events.title'|'metadata.product.name'|'metadata.product.uid'|'metadata.product.vendor_name'|'remediation.desc'|'remediation.references'|'resources.cloud_partition'|'resources.region'|'resources.type'|'resources.uid'|'severity'|'status'|'comment'|'vulnerabilities.fix_coverage'|'class_name'|'databucket.encryption_details.algorithm'|'databucket.encryption_details.key_uid'|'databucket.file.data_classifications.classifier_details.type'|'evidences.actor.user.account.uid'|'evidences.api.operation'|'evidences.api.response.error_message'|'evidences.api.service.name'|'evidences.connection_info.direction'|'evidences.connection_info.protocol_name'|'evidences.dst_endpoint.autonomous_system.name'|'evidences.dst_endpoint.location.city'|'evidences.dst_endpoint.location.country'|'evidences.src_endpoint.autonomous_system.name'|'evidences.src_endpoint.hostname'|'evidences.src_endpoint.location.city'|'evidences.src_endpoint.location.country'|'finding_info.analytic.name'|'malware.name'|'malware_scan_info.uid'|'malware.severity'|'resources.cloud_function.layers.uid_alt'|'resources.cloud_function.runtime'|'resources.cloud_function.user.uid'|'resources.device.encryption_details.key_uid'|'resources.device.image.uid'|'resources.image.architecture'|'resources.image.registry_uid'|'resources.image.repository_name'|'resources.image.uid'|'resources.subnet_info.uid'|'resources.vpc_uid'|'vulnerabilities.affected_code.file.path'|'vulnerabilities.affected_packages.name'|'vulnerabilities.cve.epss.score'|'vulnerabilities.cve.uid'|'vulnerabilities.related_vulnerabilities'|'cloud.account.name'|'vendor_attributes.severity',
'Filter': {
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
}
},
],
'DateFilters': [
{
'FieldName': 'finding_info.created_time_dt'|'finding_info.first_seen_time_dt'|'finding_info.last_seen_time_dt'|'finding_info.modified_time_dt'|'resources.image.created_time_dt'|'resources.image.last_used_time_dt'|'resources.modified_time_dt',
'Filter': {
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
}
},
],
'BooleanFilters': [
{
'FieldName': 'compliance.assessments.meets_criteria'|'vulnerabilities.is_exploit_available'|'vulnerabilities.is_fix_available',
'Filter': {
'Value': True|False
}
},
],
'NumberFilters': [
{
'FieldName': 'activity_id'|'compliance.status_id'|'confidence_score'|'severity_id'|'status_id'|'finding_info.related_events_count'|'evidences.api.response.code'|'evidences.dst_endpoint.autonomous_system.number'|'evidences.dst_endpoint.port'|'evidences.src_endpoint.autonomous_system.number'|'evidences.src_endpoint.port'|'resources.image.in_use_count'|'vulnerabilities.cve.cvss.base_score'|'vendor_attributes.severity_id',
'Filter': {
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
}
},
],
'MapFilters': [
{
'FieldName': 'resources.tags'|'compliance.control_parameters'|'databucket.tags'|'finding_info.tags',
'Filter': {
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
}
},
],
'IpFilters': [
{
'FieldName': 'evidences.dst_endpoint.ip'|'evidences.src_endpoint.ip',
'Filter': {
'Cidr': 'string'
}
},
],
'NestedCompositeFilters': {'... recursive ...'},
'Operator': 'AND'|'OR'
},
],
'CompositeOperator': 'AND'|'OR'
}
},
'Actions': [
{
'Type': 'FINDING_FIELDS_UPDATE'|'EXTERNAL_INTEGRATION',
'FindingFieldsUpdate': {
'SeverityId': 123,
'Comment': 'string',
'StatusId': 123
},
'ExternalIntegrationConfiguration': {
'ConnectorArn': 'string'
}
},
],
'CreatedAt': datetime(2015, 1, 1),
'UpdatedAt': datetime(2015, 1, 1)
}
Response Structure
(dict) --
RuleArn (string) --
The ARN of the V2 automation rule.
RuleId (string) --
The ID of the V2 automation rule.
RuleOrder (float) --
The value for the rule priority.
RuleName (string) --
The name of the V2 automation rule.
RuleStatus (string) --
The status of the V2 automation automation rule.
Description (string) --
A description of the automation rule.
Criteria (dict) --
The filtering type and configuration of the V2 automation rule.
OcsfFindingCriteria (dict) --
The filtering conditions that align with OCSF standards.
CompositeFilters (list) --
Enables the creation of complex filtering conditions by combining filter criteria.
(dict) --
Enables the creation of filtering criteria for security findings.
StringFilters (list) --
Enables filtering based on string field values.
(dict) --
Enables filtering of security findings based on string field values in OCSF.
FieldName (string) --
The name of the field.
Filter (dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules V1. CONTAINS_WORD operator is only supported in GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourceStatisticsV2 APIs. For more information, see Automation rules in the Security Hub User Guide.
DateFilters (list) --
Enables filtering based on date and timestamp fields.
(dict) --
Enables filtering of security findings based on date and timestamp fields in OCSF.
FieldName (string) --
The name of the field.
Filter (dict) --
A date filter for querying findings.
Start (string) --
A timestamp that provides the start date for the date filter.
For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps.
End (string) --
A timestamp that provides the end date for the date filter.
For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
BooleanFilters (list) --
Enables filtering based on boolean field values.
(dict) --
Enables filtering of security findings based on boolean field values in OCSF.
FieldName (string) --
The name of the field.
Filter (dict) --
Boolean filter for querying findings.
Value (boolean) --
The value of the boolean.
NumberFilters (list) --
Enables filtering based on numerical field values.
(dict) --
Enables filtering of security findings based on numerical field values in OCSF.
FieldName (string) --
The name of the field.
Filter (dict) --
A number filter for querying findings.
Gte (float) --
The greater-than-equal condition to be applied to a single field when querying for findings.
Lte (float) --
The less-than-equal condition to be applied to a single field when querying for findings.
Eq (float) --
The equal-to condition to be applied to a single field when querying for findings.
Gt (float) --
The greater-than condition to be applied to a single field when querying for findings.
Lt (float) --
The less-than condition to be applied to a single field when querying for findings.
MapFilters (list) --
Enables filtering based on map field values.
(dict) --
Enables filtering of security findings based on map field values in OCSF.
FieldName (string) --
The name of the field.
Filter (dict) --
A map filter for filtering Security Hub findings. Each map filter provides the field to check for, the value to check for, and the comparison operator.
Key (string) --
The key of the map filter. For example, for ResourceTags, Key identifies the name of the tag. For UserDefinedFields, Key is the name of the field.
Value (string) --
The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called Department might be Security. If you provide security as the filter value, then there's no match.
Comparison (string) --
The condition to apply to the key value when filtering Security Hub findings with a map filter.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, for the ResourceTags field, the filter Department CONTAINS Security matches findings that include the value Security for the Department tag. In the same example, a finding with a value of Security team for the Department tag is a match.
To search for values that exactly match the filter value, use EQUALS. For example, for the ResourceTags field, the filter Department EQUALS Security matches findings that have the value Security for the Department tag.
CONTAINS and EQUALS filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Department CONTAINS Security OR Department CONTAINS Finance match a finding that includes either Security, Finance, or both values.
To search for values that don't have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, for the ResourceTags field, the filter Department NOT_CONTAINS Finance matches findings that exclude the value Finance for the Department tag.
To search for values other than the filter value, use NOT_EQUALS. For example, for the ResourceTags field, the filter Department NOT_EQUALS Finance matches findings that don’t have the value Finance for the Department tag.
NOT_CONTAINS and NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Department NOT_CONTAINS Security AND Department NOT_CONTAINS Finance match a finding that excludes both the Security and Finance values.
CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can’t have both an EQUALS filter and a NOT_EQUALS filter on the same field. Combining filters in this way returns an error.
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide.
IpFilters (list) --
A list of IP address filters that allowing you to filter findings based on IP address properties.
(dict) --
The structure for filtering findings based on IP address attributes.
FieldName (string) --
The name of the IP address field to filter on.
Filter (dict) --
The IP filter for querying findings.
Cidr (string) --
A finding's CIDR value.
NestedCompositeFilters (list) --
Provides an additional level of filtering, creating a three-layer nested structure. The first layer is a CompositeFilters array with a CompositeOperator ( AND/ OR). The second layer is a CompositeFilter object that contains direct filters and NestedCompositeFilters. The third layer is NestedCompositeFilters, which contains additional filter conditions.
Operator (string) --
The logical operator used to combine multiple filter conditions.
CompositeOperator (string) --
The logical operators used to combine the filtering on multiple CompositeFilters.
Actions (list) --
A list of actions performed when the rule criteria is met.
(dict) --
Allows you to configure automated responses.
Type (string) --
The category of action to be executed by the automation rule.
FindingFieldsUpdate (dict) --
The changes to be applied to fields in a security finding when an automation rule is triggered.
SeverityId (integer) --
The severity level to be assigned to findings that match the automation rule criteria.
Comment (string) --
Notes or contextual information for findings that are modified by the automation rule.
StatusId (integer) --
The status to be applied to findings that match automation rule criteria.
ExternalIntegrationConfiguration (dict) --
The settings for integrating automation rule actions with external systems or service.
ConnectorArn (string) --
The ARN of the connector that establishes the integration.
CreatedAt (datetime) --
The timestamp when the V2 automation rule was created.
UpdatedAt (datetime) --
The timestamp when the V2 automation rule was updated.
{'ProviderDetail': {'ServiceNow': {'SecretArn': 'string'}}}
Grants permission to retrieve details for a connectorV2 based on connector id.
See also: AWS API Documentation
Request Syntax
client.get_connector_v2(
ConnectorId='string'
)
string
[REQUIRED]
The UUID of the connectorV2 to identify connectorV2 resource.
dict
Response Syntax
{
'ConnectorArn': 'string',
'ConnectorId': 'string',
'Name': 'string',
'Description': 'string',
'KmsKeyArn': 'string',
'CreatedAt': datetime(2015, 1, 1),
'LastUpdatedAt': datetime(2015, 1, 1),
'Health': {
'ConnectorStatus': 'CONNECTED'|'FAILED_TO_CONNECT'|'PENDING_CONFIGURATION'|'PENDING_AUTHORIZATION',
'Message': 'string',
'LastCheckedAt': datetime(2015, 1, 1)
},
'ProviderDetail': {
'JiraCloud': {
'CloudId': 'string',
'ProjectKey': 'string',
'Domain': 'string',
'AuthUrl': 'string',
'AuthStatus': 'ACTIVE'|'FAILED'
},
'ServiceNow': {
'InstanceName': 'string',
'SecretArn': 'string',
'AuthStatus': 'ACTIVE'|'FAILED'
}
}
}
Response Structure
(dict) --
ConnectorArn (string) --
The Amazon Resource Name (ARN) of the connectorV2.
ConnectorId (string) --
The UUID of the connectorV2 to identify connectorV2 resource.
Name (string) --
The name of the connectorV2.
Description (string) --
The description of the connectorV2.
KmsKeyArn (string) --
The Amazon Resource Name (ARN) of KMS key used for the connectorV2.
CreatedAt (datetime) --
ISO 8601 UTC timestamp for the time create the connectorV2.
LastUpdatedAt (datetime) --
ISO 8601 UTC timestamp for the time update the connectorV2 connectorStatus.
Health (dict) --
The current health status for connectorV2
ConnectorStatus (string) --
The status of the connectorV2.
Message (string) --
The message for the reason of connectorStatus change.
LastCheckedAt (datetime) --
ISO 8601 UTC timestamp for the time check the health status of the connectorV2.
ProviderDetail (dict) --
The third-party provider detail for a service configuration.
JiraCloud (dict) --
Details about a Jira Cloud integration.
CloudId (string) --
The cloud id of the Jira Cloud.
ProjectKey (string) --
The projectKey of Jira Cloud.
Domain (string) --
The URL domain of your Jira Cloud instance.
AuthUrl (string) --
The URL to provide to customers for OAuth auth code flow.
AuthStatus (string) --
The status of the authorization between Jira Cloud and the service.
ServiceNow (dict) --
Details about a ServiceNow ITSM integration.
InstanceName (string) --
The instanceName of ServiceNow ITSM.
SecretArn (string) --
The Amazon Resource Name (ARN) of the Amazon Web Services Secrets Manager secret that contains the ServiceNow credentials.
AuthStatus (string) --
The status of the authorization between ServiceNow and the service.
{'GroupByRules': {'Filters': {'CompositeFilters': {'NumberFilters': {'FieldName': {'vendor_attributes.severity_id',
'vulnerabilities.cve.cvss.base_score'}},
'StringFilters': {'FieldName': {'finding_info.related_events.traits.category',
'vendor_attributes.severity'}}}},
'GroupByField': {'finding_info.related_events.traits.category',
'vendor_attributes.severity'}}}
Returns aggregated statistical data about findings. GetFindingStatisticsV2 use securityhub:GetAdhocInsightResults in the Action element of an IAM policy statement. You must have permission to perform the s action.
See also: AWS API Documentation
Request Syntax
client.get_finding_statistics_v2(
GroupByRules=[
{
'Filters': {
'CompositeFilters': [
{
'StringFilters': [
{
'FieldName': 'metadata.uid'|'activity_name'|'cloud.account.uid'|'cloud.provider'|'cloud.region'|'compliance.assessments.category'|'compliance.assessments.name'|'compliance.control'|'compliance.status'|'compliance.standards'|'finding_info.desc'|'finding_info.src_url'|'finding_info.title'|'finding_info.types'|'finding_info.uid'|'finding_info.related_events.traits.category'|'finding_info.related_events.uid'|'finding_info.related_events.product.uid'|'finding_info.related_events.title'|'metadata.product.name'|'metadata.product.uid'|'metadata.product.vendor_name'|'remediation.desc'|'remediation.references'|'resources.cloud_partition'|'resources.region'|'resources.type'|'resources.uid'|'severity'|'status'|'comment'|'vulnerabilities.fix_coverage'|'class_name'|'databucket.encryption_details.algorithm'|'databucket.encryption_details.key_uid'|'databucket.file.data_classifications.classifier_details.type'|'evidences.actor.user.account.uid'|'evidences.api.operation'|'evidences.api.response.error_message'|'evidences.api.service.name'|'evidences.connection_info.direction'|'evidences.connection_info.protocol_name'|'evidences.dst_endpoint.autonomous_system.name'|'evidences.dst_endpoint.location.city'|'evidences.dst_endpoint.location.country'|'evidences.src_endpoint.autonomous_system.name'|'evidences.src_endpoint.hostname'|'evidences.src_endpoint.location.city'|'evidences.src_endpoint.location.country'|'finding_info.analytic.name'|'malware.name'|'malware_scan_info.uid'|'malware.severity'|'resources.cloud_function.layers.uid_alt'|'resources.cloud_function.runtime'|'resources.cloud_function.user.uid'|'resources.device.encryption_details.key_uid'|'resources.device.image.uid'|'resources.image.architecture'|'resources.image.registry_uid'|'resources.image.repository_name'|'resources.image.uid'|'resources.subnet_info.uid'|'resources.vpc_uid'|'vulnerabilities.affected_code.file.path'|'vulnerabilities.affected_packages.name'|'vulnerabilities.cve.epss.score'|'vulnerabilities.cve.uid'|'vulnerabilities.related_vulnerabilities'|'cloud.account.name'|'vendor_attributes.severity',
'Filter': {
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
}
},
],
'DateFilters': [
{
'FieldName': 'finding_info.created_time_dt'|'finding_info.first_seen_time_dt'|'finding_info.last_seen_time_dt'|'finding_info.modified_time_dt'|'resources.image.created_time_dt'|'resources.image.last_used_time_dt'|'resources.modified_time_dt',
'Filter': {
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
}
},
],
'BooleanFilters': [
{
'FieldName': 'compliance.assessments.meets_criteria'|'vulnerabilities.is_exploit_available'|'vulnerabilities.is_fix_available',
'Filter': {
'Value': True|False
}
},
],
'NumberFilters': [
{
'FieldName': 'activity_id'|'compliance.status_id'|'confidence_score'|'severity_id'|'status_id'|'finding_info.related_events_count'|'evidences.api.response.code'|'evidences.dst_endpoint.autonomous_system.number'|'evidences.dst_endpoint.port'|'evidences.src_endpoint.autonomous_system.number'|'evidences.src_endpoint.port'|'resources.image.in_use_count'|'vulnerabilities.cve.cvss.base_score'|'vendor_attributes.severity_id',
'Filter': {
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
}
},
],
'MapFilters': [
{
'FieldName': 'resources.tags'|'compliance.control_parameters'|'databucket.tags'|'finding_info.tags',
'Filter': {
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
}
},
],
'IpFilters': [
{
'FieldName': 'evidences.dst_endpoint.ip'|'evidences.src_endpoint.ip',
'Filter': {
'Cidr': 'string'
}
},
],
'NestedCompositeFilters': {'... recursive ...'},
'Operator': 'AND'|'OR'
},
],
'CompositeOperator': 'AND'|'OR'
},
'GroupByField': 'activity_name'|'cloud.account.uid'|'cloud.provider'|'cloud.region'|'compliance.assessments.name'|'compliance.status'|'compliance.control'|'finding_info.title'|'finding_info.related_events.traits.category'|'finding_info.types'|'metadata.product.name'|'metadata.product.uid'|'resources.type'|'resources.uid'|'severity'|'status'|'vulnerabilities.fix_coverage'|'class_name'|'vulnerabilities.affected_packages.name'|'finding_info.analytic.name'|'compliance.standards'|'cloud.account.name'|'vendor_attributes.severity'
},
],
SortOrder='asc'|'desc',
MaxStatisticResults=123
)
list
[REQUIRED]
Specifies how security findings should be aggregated and organized in the statistical analysis. It can accept up to 5 groupBy fields in a single call.
(dict) --
Defines the how the finding attribute should be grouped.
Filters (dict) --
The criteria used to select which security findings should be included in the grouping operation.
CompositeFilters (list) --
Enables the creation of complex filtering conditions by combining filter criteria.
(dict) --
Enables the creation of filtering criteria for security findings.
StringFilters (list) --
Enables filtering based on string field values.
(dict) --
Enables filtering of security findings based on string field values in OCSF.
FieldName (string) --
The name of the field.
Filter (dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules V1. CONTAINS_WORD operator is only supported in GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourceStatisticsV2 APIs. For more information, see Automation rules in the Security Hub User Guide.
DateFilters (list) --
Enables filtering based on date and timestamp fields.
(dict) --
Enables filtering of security findings based on date and timestamp fields in OCSF.
FieldName (string) --
The name of the field.
Filter (dict) --
A date filter for querying findings.
Start (string) --
A timestamp that provides the start date for the date filter.
For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps.
End (string) --
A timestamp that provides the end date for the date filter.
For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
BooleanFilters (list) --
Enables filtering based on boolean field values.
(dict) --
Enables filtering of security findings based on boolean field values in OCSF.
FieldName (string) --
The name of the field.
Filter (dict) --
Boolean filter for querying findings.
Value (boolean) --
The value of the boolean.
NumberFilters (list) --
Enables filtering based on numerical field values.
(dict) --
Enables filtering of security findings based on numerical field values in OCSF.
FieldName (string) --
The name of the field.
Filter (dict) --
A number filter for querying findings.
Gte (float) --
The greater-than-equal condition to be applied to a single field when querying for findings.
Lte (float) --
The less-than-equal condition to be applied to a single field when querying for findings.
Eq (float) --
The equal-to condition to be applied to a single field when querying for findings.
Gt (float) --
The greater-than condition to be applied to a single field when querying for findings.
Lt (float) --
The less-than condition to be applied to a single field when querying for findings.
MapFilters (list) --
Enables filtering based on map field values.
(dict) --
Enables filtering of security findings based on map field values in OCSF.
FieldName (string) --
The name of the field.
Filter (dict) --
A map filter for filtering Security Hub findings. Each map filter provides the field to check for, the value to check for, and the comparison operator.
Key (string) --
The key of the map filter. For example, for ResourceTags, Key identifies the name of the tag. For UserDefinedFields, Key is the name of the field.
Value (string) --
The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called Department might be Security. If you provide security as the filter value, then there's no match.
Comparison (string) --
The condition to apply to the key value when filtering Security Hub findings with a map filter.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, for the ResourceTags field, the filter Department CONTAINS Security matches findings that include the value Security for the Department tag. In the same example, a finding with a value of Security team for the Department tag is a match.
To search for values that exactly match the filter value, use EQUALS. For example, for the ResourceTags field, the filter Department EQUALS Security matches findings that have the value Security for the Department tag.
CONTAINS and EQUALS filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Department CONTAINS Security OR Department CONTAINS Finance match a finding that includes either Security, Finance, or both values.
To search for values that don't have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, for the ResourceTags field, the filter Department NOT_CONTAINS Finance matches findings that exclude the value Finance for the Department tag.
To search for values other than the filter value, use NOT_EQUALS. For example, for the ResourceTags field, the filter Department NOT_EQUALS Finance matches findings that don’t have the value Finance for the Department tag.
NOT_CONTAINS and NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Department NOT_CONTAINS Security AND Department NOT_CONTAINS Finance match a finding that excludes both the Security and Finance values.
CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can’t have both an EQUALS filter and a NOT_EQUALS filter on the same field. Combining filters in this way returns an error.
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide.
IpFilters (list) --
A list of IP address filters that allowing you to filter findings based on IP address properties.
(dict) --
The structure for filtering findings based on IP address attributes.
FieldName (string) --
The name of the IP address field to filter on.
Filter (dict) --
The IP filter for querying findings.
Cidr (string) --
A finding's CIDR value.
NestedCompositeFilters (list) --
Provides an additional level of filtering, creating a three-layer nested structure. The first layer is a CompositeFilters array with a CompositeOperator ( AND/ OR). The second layer is a CompositeFilter object that contains direct filters and NestedCompositeFilters. The third layer is NestedCompositeFilters, which contains additional filter conditions.
Operator (string) --
The logical operator used to combine multiple filter conditions.
CompositeOperator (string) --
The logical operators used to combine the filtering on multiple CompositeFilters.
GroupByField (string) -- [REQUIRED]
The attribute by which filtered findings should be grouped.
string
Orders the aggregation count in descending or ascending order. Descending order is the default.
integer
The maximum number of results to be returned.
dict
Response Syntax
{
'GroupByResults': [
{
'GroupByField': 'string',
'GroupByValues': [
{
'FieldValue': 'string',
'Count': 123
},
]
},
]
}
Response Structure
(dict) --
GroupByResults (list) --
Aggregated statistics about security findings based on specified grouping criteria.
(dict) --
Represents finding statistics grouped by GroupedByField.
GroupByField (string) --
The attribute by which filtered security findings should be grouped.
GroupByValues (list) --
An array of grouped values and their respective counts for each GroupByField.
(dict) --
Represents individual aggregated results when grouping security findings for each GroupByField.
FieldValue (string) --
The value of the field by which findings are grouped.
Count (integer) --
The number of findings for a specific FieldValue and GroupByField.
{'Filters': {'CompositeFilters': {'NumberFilters': {'FieldName': {'vendor_attributes.severity_id',
'vulnerabilities.cve.cvss.base_score'}},
'StringFilters': {'FieldName': {'finding_info.related_events.traits.category',
'vendor_attributes.severity'}}}}}
Return a list of findings that match the specified criteria. GetFindings and GetFindingsV2 both use securityhub:GetFindings in the Action element of an IAM policy statement. You must have permission to perform the securityhub:GetFindings action.
See also: AWS API Documentation
Request Syntax
client.get_findings_v2(
Filters={
'CompositeFilters': [
{
'StringFilters': [
{
'FieldName': 'metadata.uid'|'activity_name'|'cloud.account.uid'|'cloud.provider'|'cloud.region'|'compliance.assessments.category'|'compliance.assessments.name'|'compliance.control'|'compliance.status'|'compliance.standards'|'finding_info.desc'|'finding_info.src_url'|'finding_info.title'|'finding_info.types'|'finding_info.uid'|'finding_info.related_events.traits.category'|'finding_info.related_events.uid'|'finding_info.related_events.product.uid'|'finding_info.related_events.title'|'metadata.product.name'|'metadata.product.uid'|'metadata.product.vendor_name'|'remediation.desc'|'remediation.references'|'resources.cloud_partition'|'resources.region'|'resources.type'|'resources.uid'|'severity'|'status'|'comment'|'vulnerabilities.fix_coverage'|'class_name'|'databucket.encryption_details.algorithm'|'databucket.encryption_details.key_uid'|'databucket.file.data_classifications.classifier_details.type'|'evidences.actor.user.account.uid'|'evidences.api.operation'|'evidences.api.response.error_message'|'evidences.api.service.name'|'evidences.connection_info.direction'|'evidences.connection_info.protocol_name'|'evidences.dst_endpoint.autonomous_system.name'|'evidences.dst_endpoint.location.city'|'evidences.dst_endpoint.location.country'|'evidences.src_endpoint.autonomous_system.name'|'evidences.src_endpoint.hostname'|'evidences.src_endpoint.location.city'|'evidences.src_endpoint.location.country'|'finding_info.analytic.name'|'malware.name'|'malware_scan_info.uid'|'malware.severity'|'resources.cloud_function.layers.uid_alt'|'resources.cloud_function.runtime'|'resources.cloud_function.user.uid'|'resources.device.encryption_details.key_uid'|'resources.device.image.uid'|'resources.image.architecture'|'resources.image.registry_uid'|'resources.image.repository_name'|'resources.image.uid'|'resources.subnet_info.uid'|'resources.vpc_uid'|'vulnerabilities.affected_code.file.path'|'vulnerabilities.affected_packages.name'|'vulnerabilities.cve.epss.score'|'vulnerabilities.cve.uid'|'vulnerabilities.related_vulnerabilities'|'cloud.account.name'|'vendor_attributes.severity',
'Filter': {
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
}
},
],
'DateFilters': [
{
'FieldName': 'finding_info.created_time_dt'|'finding_info.first_seen_time_dt'|'finding_info.last_seen_time_dt'|'finding_info.modified_time_dt'|'resources.image.created_time_dt'|'resources.image.last_used_time_dt'|'resources.modified_time_dt',
'Filter': {
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
}
},
],
'BooleanFilters': [
{
'FieldName': 'compliance.assessments.meets_criteria'|'vulnerabilities.is_exploit_available'|'vulnerabilities.is_fix_available',
'Filter': {
'Value': True|False
}
},
],
'NumberFilters': [
{
'FieldName': 'activity_id'|'compliance.status_id'|'confidence_score'|'severity_id'|'status_id'|'finding_info.related_events_count'|'evidences.api.response.code'|'evidences.dst_endpoint.autonomous_system.number'|'evidences.dst_endpoint.port'|'evidences.src_endpoint.autonomous_system.number'|'evidences.src_endpoint.port'|'resources.image.in_use_count'|'vulnerabilities.cve.cvss.base_score'|'vendor_attributes.severity_id',
'Filter': {
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
}
},
],
'MapFilters': [
{
'FieldName': 'resources.tags'|'compliance.control_parameters'|'databucket.tags'|'finding_info.tags',
'Filter': {
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
}
},
],
'IpFilters': [
{
'FieldName': 'evidences.dst_endpoint.ip'|'evidences.src_endpoint.ip',
'Filter': {
'Cidr': 'string'
}
},
],
'NestedCompositeFilters': {'... recursive ...'},
'Operator': 'AND'|'OR'
},
],
'CompositeOperator': 'AND'|'OR'
},
SortCriteria=[
{
'Field': 'string',
'SortOrder': 'asc'|'desc'
},
],
NextToken='string',
MaxResults=123
)
dict
The finding attributes used to define a condition to filter the returned OCSF findings. You can filter up to 10 composite filters. For each filter type inside of a composite filter, you can provide up to 20 filters.
CompositeFilters (list) --
Enables the creation of complex filtering conditions by combining filter criteria.
(dict) --
Enables the creation of filtering criteria for security findings.
StringFilters (list) --
Enables filtering based on string field values.
(dict) --
Enables filtering of security findings based on string field values in OCSF.
FieldName (string) --
The name of the field.
Filter (dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules V1. CONTAINS_WORD operator is only supported in GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourceStatisticsV2 APIs. For more information, see Automation rules in the Security Hub User Guide.
DateFilters (list) --
Enables filtering based on date and timestamp fields.
(dict) --
Enables filtering of security findings based on date and timestamp fields in OCSF.
FieldName (string) --
The name of the field.
Filter (dict) --
A date filter for querying findings.
Start (string) --
A timestamp that provides the start date for the date filter.
For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps.
End (string) --
A timestamp that provides the end date for the date filter.
For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
BooleanFilters (list) --
Enables filtering based on boolean field values.
(dict) --
Enables filtering of security findings based on boolean field values in OCSF.
FieldName (string) --
The name of the field.
Filter (dict) --
Boolean filter for querying findings.
Value (boolean) --
The value of the boolean.
NumberFilters (list) --
Enables filtering based on numerical field values.
(dict) --
Enables filtering of security findings based on numerical field values in OCSF.
FieldName (string) --
The name of the field.
Filter (dict) --
A number filter for querying findings.
Gte (float) --
The greater-than-equal condition to be applied to a single field when querying for findings.
Lte (float) --
The less-than-equal condition to be applied to a single field when querying for findings.
Eq (float) --
The equal-to condition to be applied to a single field when querying for findings.
Gt (float) --
The greater-than condition to be applied to a single field when querying for findings.
Lt (float) --
The less-than condition to be applied to a single field when querying for findings.
MapFilters (list) --
Enables filtering based on map field values.
(dict) --
Enables filtering of security findings based on map field values in OCSF.
FieldName (string) --
The name of the field.
Filter (dict) --
A map filter for filtering Security Hub findings. Each map filter provides the field to check for, the value to check for, and the comparison operator.
Key (string) --
The key of the map filter. For example, for ResourceTags, Key identifies the name of the tag. For UserDefinedFields, Key is the name of the field.
Value (string) --
The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called Department might be Security. If you provide security as the filter value, then there's no match.
Comparison (string) --
The condition to apply to the key value when filtering Security Hub findings with a map filter.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, for the ResourceTags field, the filter Department CONTAINS Security matches findings that include the value Security for the Department tag. In the same example, a finding with a value of Security team for the Department tag is a match.
To search for values that exactly match the filter value, use EQUALS. For example, for the ResourceTags field, the filter Department EQUALS Security matches findings that have the value Security for the Department tag.
CONTAINS and EQUALS filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Department CONTAINS Security OR Department CONTAINS Finance match a finding that includes either Security, Finance, or both values.
To search for values that don't have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, for the ResourceTags field, the filter Department NOT_CONTAINS Finance matches findings that exclude the value Finance for the Department tag.
To search for values other than the filter value, use NOT_EQUALS. For example, for the ResourceTags field, the filter Department NOT_EQUALS Finance matches findings that don’t have the value Finance for the Department tag.
NOT_CONTAINS and NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Department NOT_CONTAINS Security AND Department NOT_CONTAINS Finance match a finding that excludes both the Security and Finance values.
CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can’t have both an EQUALS filter and a NOT_EQUALS filter on the same field. Combining filters in this way returns an error.
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide.
IpFilters (list) --
A list of IP address filters that allowing you to filter findings based on IP address properties.
(dict) --
The structure for filtering findings based on IP address attributes.
FieldName (string) --
The name of the IP address field to filter on.
Filter (dict) --
The IP filter for querying findings.
Cidr (string) --
A finding's CIDR value.
NestedCompositeFilters (list) --
Provides an additional level of filtering, creating a three-layer nested structure. The first layer is a CompositeFilters array with a CompositeOperator ( AND/ OR). The second layer is a CompositeFilter object that contains direct filters and NestedCompositeFilters. The third layer is NestedCompositeFilters, which contains additional filter conditions.
Operator (string) --
The logical operator used to combine multiple filter conditions.
CompositeOperator (string) --
The logical operators used to combine the filtering on multiple CompositeFilters.
list
The finding attributes used to sort the list of returned findings.
(dict) --
A collection of finding attributes used to sort findings.
Field (string) --
The finding attribute used to sort findings.
SortOrder (string) --
The order used to sort findings.
string
The token required for pagination. On your first call, set the value of this parameter to NULL. For subsequent calls, to continue listing data, set the value of this parameter to the value returned in the previous response.
integer
The maximum number of results to return.
dict
Response Syntax
{
'Findings': [
{...}|[...]|123|123.4|'string'|True|None,
],
'NextToken': 'string'
}
Response Structure
(dict) --
Findings (list) --
An array of security findings returned by the operation.
(:ref:`document<document>`) --
NextToken (string) --
The pagination token to use to request the next page of results. Otherwise, this parameter is null.
{'Criteria': {'OcsfFindingCriteria': {'CompositeFilters': {'NumberFilters': {'FieldName': {'vendor_attributes.severity_id',
'vulnerabilities.cve.cvss.base_score'}},
'StringFilters': {'FieldName': {'finding_info.related_events.traits.category',
'vendor_attributes.severity'}}}}}}
Updates a V2 automation rule.
See also: AWS API Documentation
Request Syntax
client.update_automation_rule_v2(
Identifier='string',
RuleStatus='ENABLED'|'DISABLED',
RuleOrder=...,
Description='string',
RuleName='string',
Criteria={
'OcsfFindingCriteria': {
'CompositeFilters': [
{
'StringFilters': [
{
'FieldName': 'metadata.uid'|'activity_name'|'cloud.account.uid'|'cloud.provider'|'cloud.region'|'compliance.assessments.category'|'compliance.assessments.name'|'compliance.control'|'compliance.status'|'compliance.standards'|'finding_info.desc'|'finding_info.src_url'|'finding_info.title'|'finding_info.types'|'finding_info.uid'|'finding_info.related_events.traits.category'|'finding_info.related_events.uid'|'finding_info.related_events.product.uid'|'finding_info.related_events.title'|'metadata.product.name'|'metadata.product.uid'|'metadata.product.vendor_name'|'remediation.desc'|'remediation.references'|'resources.cloud_partition'|'resources.region'|'resources.type'|'resources.uid'|'severity'|'status'|'comment'|'vulnerabilities.fix_coverage'|'class_name'|'databucket.encryption_details.algorithm'|'databucket.encryption_details.key_uid'|'databucket.file.data_classifications.classifier_details.type'|'evidences.actor.user.account.uid'|'evidences.api.operation'|'evidences.api.response.error_message'|'evidences.api.service.name'|'evidences.connection_info.direction'|'evidences.connection_info.protocol_name'|'evidences.dst_endpoint.autonomous_system.name'|'evidences.dst_endpoint.location.city'|'evidences.dst_endpoint.location.country'|'evidences.src_endpoint.autonomous_system.name'|'evidences.src_endpoint.hostname'|'evidences.src_endpoint.location.city'|'evidences.src_endpoint.location.country'|'finding_info.analytic.name'|'malware.name'|'malware_scan_info.uid'|'malware.severity'|'resources.cloud_function.layers.uid_alt'|'resources.cloud_function.runtime'|'resources.cloud_function.user.uid'|'resources.device.encryption_details.key_uid'|'resources.device.image.uid'|'resources.image.architecture'|'resources.image.registry_uid'|'resources.image.repository_name'|'resources.image.uid'|'resources.subnet_info.uid'|'resources.vpc_uid'|'vulnerabilities.affected_code.file.path'|'vulnerabilities.affected_packages.name'|'vulnerabilities.cve.epss.score'|'vulnerabilities.cve.uid'|'vulnerabilities.related_vulnerabilities'|'cloud.account.name'|'vendor_attributes.severity',
'Filter': {
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
}
},
],
'DateFilters': [
{
'FieldName': 'finding_info.created_time_dt'|'finding_info.first_seen_time_dt'|'finding_info.last_seen_time_dt'|'finding_info.modified_time_dt'|'resources.image.created_time_dt'|'resources.image.last_used_time_dt'|'resources.modified_time_dt',
'Filter': {
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
}
},
],
'BooleanFilters': [
{
'FieldName': 'compliance.assessments.meets_criteria'|'vulnerabilities.is_exploit_available'|'vulnerabilities.is_fix_available',
'Filter': {
'Value': True|False
}
},
],
'NumberFilters': [
{
'FieldName': 'activity_id'|'compliance.status_id'|'confidence_score'|'severity_id'|'status_id'|'finding_info.related_events_count'|'evidences.api.response.code'|'evidences.dst_endpoint.autonomous_system.number'|'evidences.dst_endpoint.port'|'evidences.src_endpoint.autonomous_system.number'|'evidences.src_endpoint.port'|'resources.image.in_use_count'|'vulnerabilities.cve.cvss.base_score'|'vendor_attributes.severity_id',
'Filter': {
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
}
},
],
'MapFilters': [
{
'FieldName': 'resources.tags'|'compliance.control_parameters'|'databucket.tags'|'finding_info.tags',
'Filter': {
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
}
},
],
'IpFilters': [
{
'FieldName': 'evidences.dst_endpoint.ip'|'evidences.src_endpoint.ip',
'Filter': {
'Cidr': 'string'
}
},
],
'NestedCompositeFilters': {'... recursive ...'},
'Operator': 'AND'|'OR'
},
],
'CompositeOperator': 'AND'|'OR'
}
},
Actions=[
{
'Type': 'FINDING_FIELDS_UPDATE'|'EXTERNAL_INTEGRATION',
'FindingFieldsUpdate': {
'SeverityId': 123,
'Comment': 'string',
'StatusId': 123
},
'ExternalIntegrationConfiguration': {
'ConnectorArn': 'string'
}
},
]
)
string
[REQUIRED]
The ARN of the automation rule.
string
The status of the automation rule.
float
Represents a value for the rule priority.
string
A description of the automation rule.
string
The name of the automation rule.
dict
The filtering type and configuration of the automation rule.
OcsfFindingCriteria (dict) --
The filtering conditions that align with OCSF standards.
CompositeFilters (list) --
Enables the creation of complex filtering conditions by combining filter criteria.
(dict) --
Enables the creation of filtering criteria for security findings.
StringFilters (list) --
Enables filtering based on string field values.
(dict) --
Enables filtering of security findings based on string field values in OCSF.
FieldName (string) --
The name of the field.
Filter (dict) --
A string filter for filtering Security Hub findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
CONTAINS and NOT_CONTAINS operators can be used only with automation rules V1. CONTAINS_WORD operator is only supported in GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourceStatisticsV2 APIs. For more information, see Automation rules in the Security Hub User Guide.
DateFilters (list) --
Enables filtering based on date and timestamp fields.
(dict) --
Enables filtering of security findings based on date and timestamp fields in OCSF.
FieldName (string) --
The name of the field.
Filter (dict) --
A date filter for querying findings.
Start (string) --
A timestamp that provides the start date for the date filter.
For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps.
End (string) --
A timestamp that provides the end date for the date filter.
For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
BooleanFilters (list) --
Enables filtering based on boolean field values.
(dict) --
Enables filtering of security findings based on boolean field values in OCSF.
FieldName (string) --
The name of the field.
Filter (dict) --
Boolean filter for querying findings.
Value (boolean) --
The value of the boolean.
NumberFilters (list) --
Enables filtering based on numerical field values.
(dict) --
Enables filtering of security findings based on numerical field values in OCSF.
FieldName (string) --
The name of the field.
Filter (dict) --
A number filter for querying findings.
Gte (float) --
The greater-than-equal condition to be applied to a single field when querying for findings.
Lte (float) --
The less-than-equal condition to be applied to a single field when querying for findings.
Eq (float) --
The equal-to condition to be applied to a single field when querying for findings.
Gt (float) --
The greater-than condition to be applied to a single field when querying for findings.
Lt (float) --
The less-than condition to be applied to a single field when querying for findings.
MapFilters (list) --
Enables filtering based on map field values.
(dict) --
Enables filtering of security findings based on map field values in OCSF.
FieldName (string) --
The name of the field.
Filter (dict) --
A map filter for filtering Security Hub findings. Each map filter provides the field to check for, the value to check for, and the comparison operator.
Key (string) --
The key of the map filter. For example, for ResourceTags, Key identifies the name of the tag. For UserDefinedFields, Key is the name of the field.
Value (string) --
The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called Department might be Security. If you provide security as the filter value, then there's no match.
Comparison (string) --
The condition to apply to the key value when filtering Security Hub findings with a map filter.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, for the ResourceTags field, the filter Department CONTAINS Security matches findings that include the value Security for the Department tag. In the same example, a finding with a value of Security team for the Department tag is a match.
To search for values that exactly match the filter value, use EQUALS. For example, for the ResourceTags field, the filter Department EQUALS Security matches findings that have the value Security for the Department tag.
CONTAINS and EQUALS filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Department CONTAINS Security OR Department CONTAINS Finance match a finding that includes either Security, Finance, or both values.
To search for values that don't have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, for the ResourceTags field, the filter Department NOT_CONTAINS Finance matches findings that exclude the value Finance for the Department tag.
To search for values other than the filter value, use NOT_EQUALS. For example, for the ResourceTags field, the filter Department NOT_EQUALS Finance matches findings that don’t have the value Finance for the Department tag.
NOT_CONTAINS and NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Department NOT_CONTAINS Security AND Department NOT_CONTAINS Finance match a finding that excludes both the Security and Finance values.
CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can’t have both an EQUALS filter and a NOT_EQUALS filter on the same field. Combining filters in this way returns an error.
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub User Guide.
IpFilters (list) --
A list of IP address filters that allowing you to filter findings based on IP address properties.
(dict) --
The structure for filtering findings based on IP address attributes.
FieldName (string) --
The name of the IP address field to filter on.
Filter (dict) --
The IP filter for querying findings.
Cidr (string) --
A finding's CIDR value.
NestedCompositeFilters (list) --
Provides an additional level of filtering, creating a three-layer nested structure. The first layer is a CompositeFilters array with a CompositeOperator ( AND/ OR). The second layer is a CompositeFilter object that contains direct filters and NestedCompositeFilters. The third layer is NestedCompositeFilters, which contains additional filter conditions.
Operator (string) --
The logical operator used to combine multiple filter conditions.
CompositeOperator (string) --
The logical operators used to combine the filtering on multiple CompositeFilters.
list
A list of actions to be performed when the rule criteria is met.
(dict) --
Allows you to configure automated responses.
Type (string) -- [REQUIRED]
The category of action to be executed by the automation rule.
FindingFieldsUpdate (dict) --
The changes to be applied to fields in a security finding when an automation rule is triggered.
SeverityId (integer) --
The severity level to be assigned to findings that match the automation rule criteria.
Comment (string) --
Notes or contextual information for findings that are modified by the automation rule.
StatusId (integer) --
The status to be applied to findings that match automation rule criteria.
ExternalIntegrationConfiguration (dict) --
The settings for integrating automation rule actions with external systems or service.
ConnectorArn (string) --
The ARN of the connector that establishes the integration.
dict
Response Syntax
{}
Response Structure
(dict) --
{'Provider': {'ServiceNow': {'SecretArn': 'string'}}}
Grants permission to update a connectorV2 based on its id and input parameters.
See also: AWS API Documentation
Request Syntax
client.update_connector_v2(
ConnectorId='string',
Description='string',
Provider={
'JiraCloud': {
'ProjectKey': 'string'
},
'ServiceNow': {
'SecretArn': 'string'
}
}
)
string
[REQUIRED]
The UUID of the connectorV2 to identify connectorV2 resource.
string
The description of the connectorV2.
dict
The third-party provider’s service configuration.
JiraCloud (dict) --
The parameters required to update the configuration for a Jira Cloud integration.
ProjectKey (string) --
The project key for a JiraCloud instance.
ServiceNow (dict) --
The parameters required to update the configuration for a ServiceNow integration.
SecretArn (string) --
The Amazon Resource Name (ARN) of the Amazon Web Services Secrets Manager secret that contains the ServiceNow credentials.
dict
Response Syntax
{}
Response Structure
(dict) --