AWS::SecurityHub::Insight AwsSecurityFindingFilters
A collection of filters that are applied to all active findings aggregated by AWS Security Hub.
You can filter by up to ten finding attributes. For each attribute, you can provide up to 20 filter values.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{ "AwsAccountId" :[ StringFilter, ... ], "AwsAccountName" :[ StringFilter, ... ], "CompanyName" :[ StringFilter, ... ], "ComplianceAssociatedStandardsId" :[ StringFilter, ... ], "ComplianceSecurityControlId" :[ StringFilter, ... ], "ComplianceSecurityControlParametersName" :[ StringFilter, ... ], "ComplianceSecurityControlParametersValue" :[ StringFilter, ... ], "ComplianceStatus" :[ StringFilter, ... ], "Confidence" :[ NumberFilter, ... ], "CreatedAt" :[ DateFilter, ... ], "Criticality" :[ NumberFilter, ... ], "Description" :[ StringFilter, ... ], "FindingProviderFieldsConfidence" :[ NumberFilter, ... ], "FindingProviderFieldsCriticality" :[ NumberFilter, ... ], "FindingProviderFieldsRelatedFindingsId" :[ StringFilter, ... ], "FindingProviderFieldsRelatedFindingsProductArn" :[ StringFilter, ... ], "FindingProviderFieldsSeverityLabel" :[ StringFilter, ... ], "FindingProviderFieldsSeverityOriginal" :[ StringFilter, ... ], "FindingProviderFieldsTypes" :[ StringFilter, ... ], "FirstObservedAt" :[ DateFilter, ... ], "GeneratorId" :[ StringFilter, ... ], "Id" :[ StringFilter, ... ], "Keyword" :[ KeywordFilter, ... ], "LastObservedAt" :[ DateFilter, ... ], "MalwareName" :[ StringFilter, ... ], "MalwarePath" :[ StringFilter, ... ], "MalwareState" :[ StringFilter, ... ], "MalwareType" :[ StringFilter, ... ], "NetworkDestinationDomain" :[ StringFilter, ... ], "NetworkDestinationIpV4" :[ IpFilter, ... ], "NetworkDestinationIpV6" :[ IpFilter, ... ], "NetworkDestinationPort" :[ NumberFilter, ... ], "NetworkDirection" :[ StringFilter, ... ], "NetworkProtocol" :[ StringFilter, ... ], "NetworkSourceDomain" :[ StringFilter, ... ], "NetworkSourceIpV4" :[ IpFilter, ... ], "NetworkSourceIpV6" :[ IpFilter, ... ], "NetworkSourceMac" :[ StringFilter, ... ], "NetworkSourcePort" :[ NumberFilter, ... ], "NoteText" :[ StringFilter, ... ], "NoteUpdatedAt" :[ DateFilter, ... ], "NoteUpdatedBy" :[ StringFilter, ... ], "ProcessLaunchedAt" :[ DateFilter, ... ], "ProcessName" :[ StringFilter, ... ], "ProcessParentPid" :[ NumberFilter, ... ], "ProcessPath" :[ StringFilter, ... ], "ProcessPid" :[ NumberFilter, ... ], "ProcessTerminatedAt" :[ DateFilter, ... ], "ProductArn" :[ StringFilter, ... ], "ProductFields" :[ MapFilter, ... ], "ProductName" :[ StringFilter, ... ], "RecommendationText" :[ StringFilter, ... ], "RecordState" :[ StringFilter, ... ], "Region" :[ StringFilter, ... ], "RelatedFindingsId" :[ StringFilter, ... ], "RelatedFindingsProductArn" :[ StringFilter, ... ], "ResourceApplicationArn" :[ StringFilter, ... ], "ResourceApplicationName" :[ StringFilter, ... ], "ResourceAwsEc2InstanceIamInstanceProfileArn" :[ StringFilter, ... ], "ResourceAwsEc2InstanceImageId" :[ StringFilter, ... ], "ResourceAwsEc2InstanceIpV4Addresses" :[ IpFilter, ... ], "ResourceAwsEc2InstanceIpV6Addresses" :[ IpFilter, ... ], "ResourceAwsEc2InstanceKeyName" :[ StringFilter, ... ], "ResourceAwsEc2InstanceLaunchedAt" :[ DateFilter, ... ], "ResourceAwsEc2InstanceSubnetId" :[ StringFilter, ... ], "ResourceAwsEc2InstanceType" :[ StringFilter, ... ], "ResourceAwsEc2InstanceVpcId" :[ StringFilter, ... ], "ResourceAwsIamAccessKeyCreatedAt" :[ DateFilter, ... ], "ResourceAwsIamAccessKeyPrincipalName" :[ StringFilter, ... ], "ResourceAwsIamAccessKeyStatus" :[ StringFilter, ... ], "ResourceAwsIamAccessKeyUserName" :[ StringFilter, ... ], "ResourceAwsIamUserUserName" :[ StringFilter, ... ], "ResourceAwsS3BucketOwnerId" :[ StringFilter, ... ], "ResourceAwsS3BucketOwnerName" :[ StringFilter, ... ], "ResourceContainerImageId" :[ StringFilter, ... ], "ResourceContainerImageName" :[ StringFilter, ... ], "ResourceContainerLaunchedAt" :[ DateFilter, ... ], "ResourceContainerName" :[ StringFilter, ... ], "ResourceDetailsOther" :[ MapFilter, ... ], "ResourceId" :[ StringFilter, ... ], "ResourcePartition" :[ StringFilter, ... ], "ResourceRegion" :[ StringFilter, ... ], "ResourceTags" :[ MapFilter, ... ], "ResourceType" :[ StringFilter, ... ], "Sample" :[ BooleanFilter, ... ], "SeverityLabel" :[ StringFilter, ... ], "SeverityNormalized" :[ NumberFilter, ... ], "SeverityProduct" :[ NumberFilter, ... ], "SourceUrl" :[ StringFilter, ... ], "ThreatIntelIndicatorCategory" :[ StringFilter, ... ], "ThreatIntelIndicatorLastObservedAt" :[ DateFilter, ... ], "ThreatIntelIndicatorSource" :[ StringFilter, ... ], "ThreatIntelIndicatorSourceUrl" :[ StringFilter, ... ], "ThreatIntelIndicatorType" :[ StringFilter, ... ], "ThreatIntelIndicatorValue" :[ StringFilter, ... ], "Title" :[ StringFilter, ... ], "Type" :[ StringFilter, ... ], "UpdatedAt" :[ DateFilter, ... ], "UserDefinedFields" :[ MapFilter, ... ], "VerificationState" :[ StringFilter, ... ], "VulnerabilitiesExploitAvailable" :[ StringFilter, ... ], "VulnerabilitiesFixAvailable" :[ StringFilter, ... ], "WorkflowState" :[ StringFilter, ... ], "WorkflowStatus" :[ StringFilter, ... ]}
YAML
AwsAccountId:- StringFilterAwsAccountName:- StringFilterCompanyName:- StringFilterComplianceAssociatedStandardsId:- StringFilterComplianceSecurityControlId:- StringFilterComplianceSecurityControlParametersName:- StringFilterComplianceSecurityControlParametersValue:- StringFilterComplianceStatus:- StringFilterConfidence:- NumberFilterCreatedAt:- DateFilterCriticality:- NumberFilterDescription:- StringFilterFindingProviderFieldsConfidence:- NumberFilterFindingProviderFieldsCriticality:- NumberFilterFindingProviderFieldsRelatedFindingsId:- StringFilterFindingProviderFieldsRelatedFindingsProductArn:- StringFilterFindingProviderFieldsSeverityLabel:- StringFilterFindingProviderFieldsSeverityOriginal:- StringFilterFindingProviderFieldsTypes:- StringFilterFirstObservedAt:- DateFilterGeneratorId:- StringFilterId:- StringFilterKeyword:- KeywordFilterLastObservedAt:- DateFilterMalwareName:- StringFilterMalwarePath:- StringFilterMalwareState:- StringFilterMalwareType:- StringFilterNetworkDestinationDomain:- StringFilterNetworkDestinationIpV4:- IpFilterNetworkDestinationIpV6:- IpFilterNetworkDestinationPort:- NumberFilterNetworkDirection:- StringFilterNetworkProtocol:- StringFilterNetworkSourceDomain:- StringFilterNetworkSourceIpV4:- IpFilterNetworkSourceIpV6:- IpFilterNetworkSourceMac:- StringFilterNetworkSourcePort:- NumberFilterNoteText:- StringFilterNoteUpdatedAt:- DateFilterNoteUpdatedBy:- StringFilterProcessLaunchedAt:- DateFilterProcessName:- StringFilterProcessParentPid:- NumberFilterProcessPath:- StringFilterProcessPid:- NumberFilterProcessTerminatedAt:- DateFilterProductArn:- StringFilterProductFields:- MapFilterProductName:- StringFilterRecommendationText:- StringFilterRecordState:- StringFilterRegion:- StringFilterRelatedFindingsId:- StringFilterRelatedFindingsProductArn:- StringFilterResourceApplicationArn:- StringFilterResourceApplicationName:- StringFilterResourceAwsEc2InstanceIamInstanceProfileArn:- StringFilterResourceAwsEc2InstanceImageId:- StringFilterResourceAwsEc2InstanceIpV4Addresses:- IpFilterResourceAwsEc2InstanceIpV6Addresses:- IpFilterResourceAwsEc2InstanceKeyName:- StringFilterResourceAwsEc2InstanceLaunchedAt:- DateFilterResourceAwsEc2InstanceSubnetId:- StringFilterResourceAwsEc2InstanceType:- StringFilterResourceAwsEc2InstanceVpcId:- StringFilterResourceAwsIamAccessKeyCreatedAt:- DateFilterResourceAwsIamAccessKeyPrincipalName:- StringFilterResourceAwsIamAccessKeyStatus:- StringFilterResourceAwsIamAccessKeyUserName:- StringFilterResourceAwsIamUserUserName:- StringFilterResourceAwsS3BucketOwnerId:- StringFilterResourceAwsS3BucketOwnerName:- StringFilterResourceContainerImageId:- StringFilterResourceContainerImageName:- StringFilterResourceContainerLaunchedAt:- DateFilterResourceContainerName:- StringFilterResourceDetailsOther:- MapFilterResourceId:- StringFilterResourcePartition:- StringFilterResourceRegion:- StringFilterResourceTags:- MapFilterResourceType:- StringFilterSample:- BooleanFilterSeverityLabel:- StringFilterSeverityNormalized:- NumberFilterSeverityProduct:- NumberFilterSourceUrl:- StringFilterThreatIntelIndicatorCategory:- StringFilterThreatIntelIndicatorLastObservedAt:- DateFilterThreatIntelIndicatorSource:- StringFilterThreatIntelIndicatorSourceUrl:- StringFilterThreatIntelIndicatorType:- StringFilterThreatIntelIndicatorValue:- StringFilterTitle:- StringFilterType:- StringFilterUpdatedAt:- DateFilterUserDefinedFields:- MapFilterVerificationState:- StringFilterVulnerabilitiesExploitAvailable:- StringFilterVulnerabilitiesFixAvailable:- StringFilterWorkflowState:- StringFilterWorkflowStatus:- StringFilter
Properties
AwsAccountId-
The AWS account ID in which a finding is generated.
Required: No
Type: Array of StringFilter
Maximum:
20Update requires: No interruption
AwsAccountName-
The name of the AWS account in which a finding is generated.
Required: No
Type: Array of StringFilter
Maximum:
20Update requires: No interruption
CompanyName-
The name of the findings provider (company) that owns the solution (product) that generates findings.
Required: No
Type: Array of StringFilter
Maximum:
20Update requires: No interruption
ComplianceAssociatedStandardsId-
The unique identifier of a standard in which a control is enabled. This field consists of the resource portion of the Amazon Resource Name (ARN) returned for a standard in the DescribeStandards API response.
Required: No
Type: Array of StringFilter
Maximum:
20Update requires: No interruption
ComplianceSecurityControlId-
The unique identifier of a control across standards. Values for this field typically consist of an AWS service and a number, such as APIGateway.5.
Required: No
Type: Array of StringFilter
Maximum:
20Update requires: No interruption
ComplianceSecurityControlParametersName-
The name of a security control parameter.
Required: No
Type: Array of StringFilter
Maximum:
20Update requires: No interruption
ComplianceSecurityControlParametersValue-
The current value of a security control parameter.
Required: No
Type: Array of StringFilter
Maximum:
20Update requires: No interruption
ComplianceStatus-
Exclusive to findings that are generated as the result of a check run against a specific rule in a supported standard, such as CIS AWS Foundations. Contains security standard-related finding details.
Required: No
Type: Array of StringFilter
Maximum:
20Update requires: No interruption
Confidence-
A finding's confidence. Confidence is defined as the likelihood that a finding accurately identifies the behavior or issue that it was intended to identify.
Confidence is scored on a 0-100 basis using a ratio scale, where 0 means zero percent confidence and 100 means 100 percent confidence.
Required: No
Type: Array of NumberFilter
Maximum:
20Update requires: No interruption
CreatedAt-
A timestamp that indicates when the security findings provider created the potential security issue that a finding reflects.
This field accepts only the specified formats. Timestamps can end with
Zor("+" / "-") time-hour [":" time-minute]. The time-secfrac after seconds is limited to a maximum of 9 digits. The offset is bounded by +/-18:00. Here are valid timestamp formats with examples:-
YYYY-MM-DDTHH:MM:SSZ(for example,2019-01-31T23:00:00Z) -
YYYY-MM-DDTHH:MM:SS.mmmmmmmmmZ(for example,2019-01-31T23:00:00.123456789Z) -
YYYY-MM-DDTHH:MM:SS+HH:MM(for example,2024-01-04T15:25:10+17:59) -
YYYY-MM-DDTHH:MM:SS-HHMM(for example,2024-01-04T15:25:10-1759) -
YYYY-MM-DDTHH:MM:SS.mmmmmmmmm+HH:MM(for example,2024-01-04T15:25:10.123456789+17:59)
Required: No
Type: Array of DateFilter
Maximum:
20Update requires: No interruption
-
Criticality-
The level of importance assigned to the resources associated with the finding.
A score of 0 means that the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources.
Required: No
Type: Array of NumberFilter
Maximum:
20Update requires: No interruption
Description-
A finding's description.
Required: No
Type: Array of StringFilter
Maximum:
20Update requires: No interruption
FindingProviderFieldsConfidence-
The finding provider value for the finding confidence. Confidence is defined as the likelihood that a finding accurately identifies the behavior or issue that it was intended to identify.
Confidence is scored on a 0-100 basis using a ratio scale, where 0 means zero percent confidence and 100 means 100 percent confidence.
Required: No
Type: Array of NumberFilter
Maximum:
20Update requires: No interruption
FindingProviderFieldsCriticality-
The finding provider value for the level of importance assigned to the resources associated with the findings.
A score of 0 means that the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources.
Required: No
Type: Array of NumberFilter
Maximum:
20Update requires: No interruption
-
The finding identifier of a related finding that is identified by the finding provider.
Required: No
Type: Array of StringFilter
Maximum:
20Update requires: No interruption
-
The ARN of the solution that generated a related finding that is identified by the finding provider.
Required: No
Type: Array of StringFilter
Maximum:
20Update requires: No interruption
FindingProviderFieldsSeverityLabel-
The finding provider value for the severity label.
Required: No
Type: Array of StringFilter
Maximum:
20Update requires: No interruption
FindingProviderFieldsSeverityOriginal-
The finding provider's original value for the severity.
Required: No
Type: Array of StringFilter
Maximum:
20Update requires: No interruption
FindingProviderFieldsTypes-
One or more finding types that the finding provider assigned to the finding. Uses the format of
namespace/category/classifierthat classify a finding.Valid namespace values are: Software and Configuration Checks | TTPs | Effects | Unusual Behaviors | Sensitive Data Identifications
Required: No
Type: Array of StringFilter
Maximum:
20Update requires: No interruption
FirstObservedAt-
A timestamp that indicates when the security findings provider first observed the potential security issue that a finding captured.
This field accepts only the specified formats. Timestamps can end with
Zor("+" / "-") time-hour [":" time-minute]. The time-secfrac after seconds is limited to a maximum of 9 digits. The offset is bounded by +/-18:00. Here are valid timestamp formats with examples:-
YYYY-MM-DDTHH:MM:SSZ(for example,2019-01-31T23:00:00Z) -
YYYY-MM-DDTHH:MM:SS.mmmmmmmmmZ(for example,2019-01-31T23:00:00.123456789Z) -
YYYY-MM-DDTHH:MM:SS+HH:MM(for example,2024-01-04T15:25:10+17:59) -
YYYY-MM-DDTHH:MM:SS-HHMM(for example,2024-01-04T15:25:10-1759) -
YYYY-MM-DDTHH:MM:SS.mmmmmmmmm+HH:MM(for example,2024-01-04T15:25:10.123456789+17:59)
Required: No
Type: Array of DateFilter
Maximum:
20Update requires: No interruption
-
GeneratorId-
The identifier for the solution-specific component (a discrete unit of logic) that generated a finding. In various security findings providers' solutions, this generator can be called a rule, a check, a detector, a plugin, etc.
Required: No
Type: Array of StringFilter
Maximum:
20Update requires: No interruption
Id-
The security findings provider-specific identifier for a finding.
Required: No
Type: Array of StringFilter
Maximum:
20Update requires: No interruption
Keyword-
This field is deprecated. A keyword for a finding.
Required: No
Type: Array of KeywordFilter
Maximum:
20Update requires: No interruption
LastObservedAt-
A timestamp that indicates when the security findings provider most recently observed the potential security issue that a finding captured.
This field accepts only the specified formats. Timestamps can end with
Zor("+" / "-") time-hour [":" time-minute]. The time-secfrac after seconds is limited to a maximum of 9 digits. The offset is bounded by +/-18:00. Here are valid timestamp formats with examples:-
YYYY-MM-DDTHH:MM:SSZ(for example,2019-01-31T23:00:00Z) -
YYYY-MM-DDTHH:MM:SS.mmmmmmmmmZ(for example,2019-01-31T23:00:00.123456789Z) -
YYYY-MM-DDTHH:MM:SS+HH:MM(for example,2024-01-04T15:25:10+17:59) -
YYYY-MM-DDTHH:MM:SS-HHMM(for example,2024-01-04T15:25:10-1759) -
YYYY-MM-DDTHH:MM:SS.mmmmmmmmm+HH:MM(for example,2024-01-04T15:25:10.123456789+17:59)
Required: No
Type: Array of DateFilter
Maximum:
20Update requires: No interruption
-
MalwareName-
The name of the malware that was observed.
Required: No
Type: Array of StringFilter
Maximum:
20Update requires: No interruption
MalwarePath-
The filesystem path of the malware that was observed.
Required: No
Type: Array of StringFilter
Maximum:
20Update requires: No interruption
MalwareState-
The state of the malware that was observed.
Required: No
Type: Array of StringFilter
Maximum:
20Update requires: No interruption
MalwareType-
The type of the malware that was observed.
Required: No
Type: Array of StringFilter
Maximum:
20Update requires: No interruption
NetworkDestinationDomain-
The destination domain of network-related information about a finding.
Required: No
Type: Array of StringFilter
Maximum:
20Update requires: No interruption
NetworkDestinationIpV4-
The destination IPv4 address of network-related information about a finding.
Required: No
Type: Array of IpFilter
Maximum:
20Update requires: No interruption
NetworkDestinationIpV6-
The destination IPv6 address of network-related information about a finding.
Required: No
Type: Array of IpFilter
Maximum:
20Update requires: No interruption
NetworkDestinationPort-
The destination port of network-related information about a finding.
Required: No
Type: Array of NumberFilter
Maximum:
20Update requires: No interruption
NetworkDirection-
Indicates the direction of network traffic associated with a finding.
Required: No
Type: Array of StringFilter
Maximum:
20Update requires: No interruption
NetworkProtocol-
The protocol of network-related information about a finding.
Required: No
Type: Array of StringFilter
Maximum:
20Update requires: No interruption
NetworkSourceDomain-
The source domain of network-related information about a finding.
Required: No
Type: Array of StringFilter
Maximum:
20Update requires: No interruption
NetworkSourceIpV4-
The source IPv4 address of network-related information about a finding.
Required: No
Type: Array of IpFilter
Maximum:
20Update requires: No interruption
NetworkSourceIpV6-
The source IPv6 address of network-related information about a finding.
Required: No
Type: Array of IpFilter
Maximum:
20Update requires: No interruption
NetworkSourceMac-
The source media access control (MAC) address of network-related information about a finding.
Required: No
Type: Array of StringFilter
Maximum:
20Update requires: No interruption
NetworkSourcePort-
The source port of network-related information about a finding.
Required: No
Type: Array of NumberFilter
Maximum:
20Update requires: No interruption
NoteText-
The text of a note.
Required: No
Type: Array of StringFilter
Maximum:
20Update requires: No interruption
NoteUpdatedAt-
The timestamp of when the note was updated.
Required: No
Type: Array of DateFilter
Maximum:
20Update requires: No interruption
NoteUpdatedBy-
The principal that created a note.
Required: No
Type: Array of StringFilter
Maximum:
20Update requires: No interruption
ProcessLaunchedAt-
A timestamp that identifies when the process was launched.
This field accepts only the specified formats. Timestamps can end with
Zor("+" / "-") time-hour [":" time-minute]. The time-secfrac after seconds is limited to a maximum of 9 digits. The offset is bounded by +/-18:00. Here are valid timestamp formats with examples:-
YYYY-MM-DDTHH:MM:SSZ(for example,2019-01-31T23:00:00Z) -
YYYY-MM-DDTHH:MM:SS.mmmmmmmmmZ(for example,2019-01-31T23:00:00.123456789Z) -
YYYY-MM-DDTHH:MM:SS+HH:MM(for example,2024-01-04T15:25:10+17:59) -
YYYY-MM-DDTHH:MM:SS-HHMM(for example,2024-01-04T15:25:10-1759) -
YYYY-MM-DDTHH:MM:SS.mmmmmmmmm+HH:MM(for example,2024-01-04T15:25:10.123456789+17:59)
Required: No
Type: Array of DateFilter
Maximum:
20Update requires: No interruption
-
ProcessName-
The name of the process.
Required: No
Type: Array of StringFilter
Maximum:
20Update requires: No interruption
ProcessParentPid-
The parent process ID. This field accepts positive integers between
Oand2147483647.Required: No
Type: Array of NumberFilter
Maximum:
20Update requires: No interruption
ProcessPath-
The path to the process executable.
Required: No
Type: Array of StringFilter
Maximum:
20Update requires: No interruption
ProcessPid-
The process ID.
Required: No
Type: Array of NumberFilter
Maximum:
20Update requires: No interruption
ProcessTerminatedAt-
A timestamp that identifies when the process was terminated.
This field accepts only the specified formats. Timestamps can end with
Zor("+" / "-") time-hour [":" time-minute]. The time-secfrac after seconds is limited to a maximum of 9 digits. The offset is bounded by +/-18:00. Here are valid timestamp formats with examples:-
YYYY-MM-DDTHH:MM:SSZ(for example,2019-01-31T23:00:00Z) -
YYYY-MM-DDTHH:MM:SS.mmmmmmmmmZ(for example,2019-01-31T23:00:00.123456789Z) -
YYYY-MM-DDTHH:MM:SS+HH:MM(for example,2024-01-04T15:25:10+17:59) -
YYYY-MM-DDTHH:MM:SS-HHMM(for example,2024-01-04T15:25:10-1759) -
YYYY-MM-DDTHH:MM:SS.mmmmmmmmm+HH:MM(for example,2024-01-04T15:25:10.123456789+17:59)
Required: No
Type: Array of DateFilter
Maximum:
20Update requires: No interruption
-
ProductArn-
The ARN generated by Security Hub that uniquely identifies a third-party company (security findings provider) after this provider's product (solution that generates findings) is registered with Security Hub.
Required: No
Type: Array of StringFilter
Maximum:
20Update requires: No interruption
ProductFields-
A data type where security findings providers can include additional solution-specific details that aren't part of the defined
AwsSecurityFindingformat.Required: No
Type: Array of MapFilter
Maximum:
20Update requires: No interruption
ProductName-
The name of the solution (product) that generates findings.
Required: No
Type: Array of StringFilter
Maximum:
20Update requires: No interruption
RecommendationText-
The recommendation of what to do about the issue described in a finding.
Required: No
Type: Array of StringFilter
Maximum:
20Update requires: No interruption
RecordState-
The updated record state for the finding.
Required: No
Type: Array of StringFilter
Maximum:
20Update requires: No interruption
Region-
The Region from which the finding was generated.
Required: No
Type: Array of StringFilter
Maximum:
20Update requires: No interruption
-
The solution-generated identifier for a related finding.
Required: No
Type: Array of StringFilter
Maximum:
20Update requires: No interruption
-
The ARN of the solution that generated a related finding.
Required: No
Type: Array of StringFilter
Maximum:
20Update requires: No interruption
ResourceApplicationArn-
The ARN of the application that is related to a finding.
Required: No
Type: Array of StringFilter
Maximum:
20Update requires: No interruption
ResourceApplicationName-
The name of the application that is related to a finding.
Required: No
Type: Array of StringFilter
Maximum:
20Update requires: No interruption
ResourceAwsEc2InstanceIamInstanceProfileArn-
The IAM profile ARN of the instance.
Required: No
Type: Array of StringFilter
Maximum:
20Update requires: No interruption
ResourceAwsEc2InstanceImageId-
The Amazon Machine Image (AMI) ID of the instance.
Required: No
Type: Array of StringFilter
Maximum:
20Update requires: No interruption
ResourceAwsEc2InstanceIpV4Addresses-
The IPv4 addresses associated with the instance.
Required: No
Type: Array of IpFilter
Maximum:
20Update requires: No interruption
ResourceAwsEc2InstanceIpV6Addresses-
The IPv6 addresses associated with the instance.
Required: No
Type: Array of IpFilter
Maximum:
20Update requires: No interruption
ResourceAwsEc2InstanceKeyName-
The key name associated with the instance.
Required: No
Type: Array of StringFilter
Maximum:
20Update requires: No interruption
ResourceAwsEc2InstanceLaunchedAt-
The date and time the instance was launched.
Required: No
Type: Array of DateFilter
Maximum:
20Update requires: No interruption
ResourceAwsEc2InstanceSubnetId-
The identifier of the subnet that the instance was launched in.
Required: No
Type: Array of StringFilter
Maximum:
20Update requires: No interruption
ResourceAwsEc2InstanceType-
The instance type of the instance.
Required: No
Type: Array of StringFilter
Maximum:
20Update requires: No interruption
ResourceAwsEc2InstanceVpcId-
The identifier of the VPC that the instance was launched in.
Required: No
Type: Array of StringFilter
Maximum:
20Update requires: No interruption
ResourceAwsIamAccessKeyCreatedAt-
The creation date/time of the IAM access key related to a finding.
Required: No
Type: Array of DateFilter
Maximum:
20Update requires: No interruption
ResourceAwsIamAccessKeyPrincipalName-
The name of the principal that is associated with an IAM access key.
Required: No
Type: Array of StringFilter
Maximum:
20Update requires: No interruption
ResourceAwsIamAccessKeyStatus-
The status of the IAM access key related to a finding.
Required: No
Type: Array of StringFilter
Maximum:
20Update requires: No interruption
ResourceAwsIamAccessKeyUserName-
This field is deprecated. The username associated with the IAM access key related to a finding.
Required: No
Type: Array of StringFilter
Maximum:
20Update requires: No interruption
ResourceAwsIamUserUserName-
The name of an IAM user.
Required: No
Type: Array of StringFilter
Maximum:
20Update requires: No interruption
ResourceAwsS3BucketOwnerId-
The canonical user ID of the owner of the S3 bucket.
Required: No
Type: Array of StringFilter
Maximum:
20Update requires: No interruption
ResourceAwsS3BucketOwnerName-
The display name of the owner of the S3 bucket.
Required: No
Type: Array of StringFilter
Maximum:
20Update requires: No interruption
ResourceContainerImageId-
The identifier of the image related to a finding.
Required: No
Type: Array of StringFilter
Maximum:
20Update requires: No interruption
ResourceContainerImageName-
The name of the image related to a finding.
Required: No
Type: Array of StringFilter
Maximum:
20Update requires: No interruption
ResourceContainerLaunchedAt-
A timestamp that identifies when the container was started.
This field accepts only the specified formats. Timestamps can end with
Zor("+" / "-") time-hour [":" time-minute]. The time-secfrac after seconds is limited to a maximum of 9 digits. The offset is bounded by +/-18:00. Here are valid timestamp formats with examples:-
YYYY-MM-DDTHH:MM:SSZ(for example,2019-01-31T23:00:00Z) -
YYYY-MM-DDTHH:MM:SS.mmmmmmmmmZ(for example,2019-01-31T23:00:00.123456789Z) -
YYYY-MM-DDTHH:MM:SS+HH:MM(for example,2024-01-04T15:25:10+17:59) -
YYYY-MM-DDTHH:MM:SS-HHMM(for example,2024-01-04T15:25:10-1759) -
YYYY-MM-DDTHH:MM:SS.mmmmmmmmm+HH:MM(for example,2024-01-04T15:25:10.123456789+17:59)
Required: No
Type: Array of DateFilter
Maximum:
20Update requires: No interruption
-
ResourceContainerName-
The name of the container related to a finding.
Required: No
Type: Array of StringFilter
Maximum:
20Update requires: No interruption
ResourceDetailsOther-
The details of a resource that doesn't have a specific subfield for the resource type defined.
Required: No
Type: Array of MapFilter
Maximum:
20Update requires: No interruption
ResourceId-
The canonical identifier for the given resource type.
Required: No
Type: Array of StringFilter
Maximum:
20Update requires: No interruption
ResourcePartition-
The canonical AWS partition name that the Region is assigned to.
Required: No
Type: Array of StringFilter
Maximum:
20Update requires: No interruption
ResourceRegion-
The canonical AWS external Region name where this resource is located.
Required: No
Type: Array of StringFilter
Maximum:
20Update requires: No interruption
-
A list of AWS tags associated with a resource at the time the finding was processed.
Required: No
Type: Array of MapFilter
Maximum:
20Update requires: No interruption
ResourceType-
Specifies the type of the resource that details are provided for.
Required: No
Type: Array of StringFilter
Maximum:
20Update requires: No interruption
Sample-
Indicates whether or not sample findings are included in the filter results.
Required: No
Type: Array of BooleanFilter
Maximum:
20Update requires: No interruption
SeverityLabel-
The label of a finding's severity.
Required: No
Type: Array of StringFilter
Maximum:
20Update requires: No interruption
SeverityNormalized-
Deprecated. The normalized severity of a finding. Instead of providing
Normalized, provideLabel.The value of
Normalizedcan be an integer between0and100.If you provide
Labeland do not provideNormalized, thenNormalizedis set automatically as follows.-
INFORMATIONAL- 0 -
LOW- 1 -
MEDIUM- 40 -
HIGH- 70 -
CRITICAL- 90
Required: No
Type: Array of NumberFilter
Maximum:
20Update requires: No interruption
-
SeverityProduct-
Deprecated. This attribute isn't included in findings. Instead of providing
Product, provideOriginal.The native severity as defined by the AWS service or integrated partner product that generated the finding.
Required: No
Type: Array of NumberFilter
Maximum:
20Update requires: No interruption
SourceUrl-
A URL that links to a page about the current finding in the security findings provider's solution.
Required: No
Type: Array of StringFilter
Maximum:
20Update requires: No interruption
ThreatIntelIndicatorCategory-
The category of a threat intelligence indicator.
Required: No
Type: Array of StringFilter
Maximum:
20Update requires: No interruption
ThreatIntelIndicatorLastObservedAt-
A timestamp that identifies the last observation of a threat intelligence indicator.
Required: No
Type: Array of DateFilter
Maximum:
20Update requires: No interruption
ThreatIntelIndicatorSource-
The source of the threat intelligence.
Required: No
Type: Array of StringFilter
Maximum:
20Update requires: No interruption
ThreatIntelIndicatorSourceUrl-
The URL for more details from the source of the threat intelligence.
Required: No
Type: Array of StringFilter
Maximum:
20Update requires: No interruption
ThreatIntelIndicatorType-
The type of a threat intelligence indicator.
Required: No
Type: Array of StringFilter
Maximum:
20Update requires: No interruption
ThreatIntelIndicatorValue-
The value of a threat intelligence indicator.
Required: No
Type: Array of StringFilter
Maximum:
20Update requires: No interruption
Title-
A finding's title.
Required: No
Type: Array of StringFilter
Maximum:
20Update requires: No interruption
Type-
A finding type in the format of
namespace/category/classifierthat classifies a finding.Required: No
Type: Array of StringFilter
Maximum:
20Update requires: No interruption
UpdatedAt-
A timestamp that indicates when the security findings provider last updated the finding record.
This field accepts only the specified formats. Timestamps can end with
Zor("+" / "-") time-hour [":" time-minute]. The time-secfrac after seconds is limited to a maximum of 9 digits. The offset is bounded by +/-18:00. Here are valid timestamp formats with examples:-
YYYY-MM-DDTHH:MM:SSZ(for example,2019-01-31T23:00:00Z) -
YYYY-MM-DDTHH:MM:SS.mmmmmmmmmZ(for example,2019-01-31T23:00:00.123456789Z) -
YYYY-MM-DDTHH:MM:SS+HH:MM(for example,2024-01-04T15:25:10+17:59) -
YYYY-MM-DDTHH:MM:SS-HHMM(for example,2024-01-04T15:25:10-1759) -
YYYY-MM-DDTHH:MM:SS.mmmmmmmmm+HH:MM(for example,2024-01-04T15:25:10.123456789+17:59)
Required: No
Type: Array of DateFilter
Maximum:
20Update requires: No interruption
-
UserDefinedFields-
A list of name/value string pairs associated with the finding. These are custom, user-defined fields added to a finding.
Required: No
Type: Array of MapFilter
Maximum:
20Update requires: No interruption
VerificationState-
The veracity of a finding.
Required: No
Type: Array of StringFilter
Maximum:
20Update requires: No interruption
VulnerabilitiesExploitAvailable-
Indicates whether a software vulnerability in your environment has a known exploit. You can filter findings by this field only if you use Security Hub and Amazon Inspector.
Required: No
Type: Array of StringFilter
Maximum:
20Update requires: No interruption
VulnerabilitiesFixAvailable-
Indicates whether a vulnerability is fixed in a newer version of the affected software packages. You can filter findings by this field only if you use Security Hub and Amazon Inspector.
Required: No
Type: Array of StringFilter
Maximum:
20Update requires: No interruption
WorkflowState-
The workflow state of a finding.
Note that this field is deprecated. To search for a finding based on its workflow status, use
WorkflowStatus.Required: No
Type: Array of StringFilter
Maximum:
20Update requires: No interruption
WorkflowStatus-
The status of the investigation into a finding. Allowed values are the following.
-
NEW- The initial state of a finding, before it is reviewed.Security Hub also resets the workflow status from
NOTIFIEDorRESOLVEDtoNEWin the following cases:-
RecordStatechanges fromARCHIVEDtoACTIVE. -
Compliance.Statuschanges fromPASSEDto eitherWARNING,FAILED, orNOT_AVAILABLE.
-
-
NOTIFIED- Indicates that the resource owner has been notified about the security issue. Used when the initial reviewer is not the resource owner, and needs intervention from the resource owner.If one of the following occurs, the workflow status is changed automatically from
NOTIFIEDtoNEW:-
RecordStatechanges fromARCHIVEDtoACTIVE. -
Compliance.Statuschanges fromPASSEDtoFAILED,WARNING, orNOT_AVAILABLE.
-
-
SUPPRESSED- Indicates that you reviewed the finding and do not believe that any action is needed.The workflow status of a
SUPPRESSEDfinding does not change ifRecordStatechanges fromARCHIVEDtoACTIVE. -
RESOLVED- The finding was reviewed and remediated and is now considered resolved.The finding remains
RESOLVEDunless one of the following occurs:-
RecordStatechanges fromARCHIVEDtoACTIVE. -
Compliance.Statuschanges fromPASSEDtoFAILED,WARNING, orNOT_AVAILABLE.
In those cases, the workflow status is automatically reset to
NEW.For findings from controls, if
Compliance.StatusisPASSED, then Security Hub automatically sets the workflow status toRESOLVED. -
Required: No
Type: Array of StringFilter
Maximum:
20Update requires: No interruption
-
