Table Of Contents

Feedback

User Guide

First time using the AWS CLI? See the User Guide for help getting started.

Note: You are viewing the documentation for an older major version of the AWS CLI (version 1).

AWS CLI version 2, the latest major version of AWS CLI, is now stable and recommended for general use. To view this page for the AWS CLI version 2, click here. For more information see the AWS CLI version 2 installation instructions and migration guide.

[ aws . securityhub ]

get-insights

Description

Lists and describes insights for the specified insight ARNs.

See also: AWS API Documentation

See 'aws help' for descriptions of global parameters.

get-insights is a paginated operation. Multiple API calls may be issued in order to retrieve the entire data set of results. You can disable pagination by providing the --no-paginate argument. When using --output text and the --query argument on a paginated response, the --query argument must extract data from the results of the following query expressions: Insights

Synopsis

  get-insights
[--insight-arns <value>]
[--cli-input-json <value>]
[--starting-token <value>]
[--page-size <value>]
[--max-items <value>]
[--generate-cli-skeleton <value>]

Options

--insight-arns (list)

The ARNs of the insights to describe. If you do not provide any insight ARNs, then GetInsights returns all of your custom insights. It does not return any managed insights.

(string)

Syntax:

"string" "string" ...

--cli-input-json (string) Performs service operation based on the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton. If other arguments are provided on the command line, the CLI values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally.

--starting-token (string)

A token to specify where to start paginating. This is the NextToken from a previously truncated response.

For usage examples, see Pagination in the AWS Command Line Interface User Guide .

--page-size (integer)

The size of each page to get in the AWS service call. This does not affect the number of items returned in the command's output. Setting a smaller page size results in more calls to the AWS service, retrieving fewer items in each call. This can help prevent the AWS service calls from timing out.

For usage examples, see Pagination in the AWS Command Line Interface User Guide .

--max-items (integer)

The total number of items to return in the command's output. If the total number of items available is more than the value specified, a NextToken is provided in the command's output. To resume pagination, provide the NextToken value in the starting-token argument of a subsequent command. Do not use the NextToken response element directly outside of the AWS CLI.

For usage examples, see Pagination in the AWS Command Line Interface User Guide .

--generate-cli-skeleton (string) Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input, prints a sample input JSON that can be used as an argument for --cli-input-json. If provided with the value output, it validates the command inputs and returns a sample output JSON for that command.

See 'aws help' for descriptions of global parameters.

Examples

To retrieve details about an insight

The following get-insights example retrieves the configuration details for the insight with the specified ARN.

aws securityhub get-insights \
    --insight-arns "arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"

Output:

{
    "Insights": [
        {
            "Filters": {
               "ResourceType": [
                    {
                        "Comparison": "EQUALS",
                        "Value": "AwsIamRole"
                    }
                ],
                "SeverityLabel": [
                    {
                        "Comparison": "EQUALS",
                        "Value": "CRITICAL"
                    }
                ],
            },
            "GroupByAttribute": "ResourceId",
            "InsightArn": "arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
            "Name": "Critical role findings"
        }
    ]
}

For more information, see Insights in AWS Security Hub in the AWS Security Hub User Guide.

Output

Insights -> (list)

The insights returned by the operation.

(structure)

Contains information about a Security Hub insight.

InsightArn -> (string)

The ARN of a Security Hub insight.

Name -> (string)

The name of a Security Hub insight.

Filters -> (structure)

One or more attributes used to filter the findings included in the insight. The insight only includes findings that match the criteria defined in the filters.

ProductArn -> (list)

The ARN generated by Security Hub that uniquely identifies a third-party company (security findings provider) after this provider's product (solution that generates findings) is registered with Security Hub.

(structure)

A string filter for querying findings.

Value -> (string)

The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

Comparison -> (string)

The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

  • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .
  • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.
EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

To search for values that do not contain the filter criteria value, use one of the following comparison operators:

  • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .
  • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.
NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

  • ResourceType PREFIX AwsIam
  • ResourceType PREFIX AwsEc2
  • ResourceType NOT_EQUALS AwsIamPolicy
  • ResourceType NOT_EQUALS AwsEc2NetworkInterface

AwsAccountId -> (list)

The Amazon Web Services account ID that a finding is generated in.

(structure)

A string filter for querying findings.

Value -> (string)

The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

Comparison -> (string)

The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

  • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .
  • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.
EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

To search for values that do not contain the filter criteria value, use one of the following comparison operators:

  • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .
  • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.
NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

  • ResourceType PREFIX AwsIam
  • ResourceType PREFIX AwsEc2
  • ResourceType NOT_EQUALS AwsIamPolicy
  • ResourceType NOT_EQUALS AwsEc2NetworkInterface

Id -> (list)

The security findings provider-specific identifier for a finding.

(structure)

A string filter for querying findings.

Value -> (string)

The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

Comparison -> (string)

The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

  • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .
  • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.
EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

To search for values that do not contain the filter criteria value, use one of the following comparison operators:

  • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .
  • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.
NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

  • ResourceType PREFIX AwsIam
  • ResourceType PREFIX AwsEc2
  • ResourceType NOT_EQUALS AwsIamPolicy
  • ResourceType NOT_EQUALS AwsEc2NetworkInterface

GeneratorId -> (list)

The identifier for the solution-specific component (a discrete unit of logic) that generated a finding. In various security-findings providers' solutions, this generator can be called a rule, a check, a detector, a plugin, etc.

(structure)

A string filter for querying findings.

Value -> (string)

The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

Comparison -> (string)

The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

  • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .
  • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.
EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

To search for values that do not contain the filter criteria value, use one of the following comparison operators:

  • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .
  • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.
NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

  • ResourceType PREFIX AwsIam
  • ResourceType PREFIX AwsEc2
  • ResourceType NOT_EQUALS AwsIamPolicy
  • ResourceType NOT_EQUALS AwsEc2NetworkInterface

Region -> (list)

The Region from which the finding was generated.

(structure)

A string filter for querying findings.

Value -> (string)

The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

Comparison -> (string)

The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

  • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .
  • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.
EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

To search for values that do not contain the filter criteria value, use one of the following comparison operators:

  • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .
  • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.
NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

  • ResourceType PREFIX AwsIam
  • ResourceType PREFIX AwsEc2
  • ResourceType NOT_EQUALS AwsIamPolicy
  • ResourceType NOT_EQUALS AwsEc2NetworkInterface

Type -> (list)

A finding type in the format of namespace/category/classifier that classifies a finding.

(structure)

A string filter for querying findings.

Value -> (string)

The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

Comparison -> (string)

The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

  • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .
  • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.
EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

To search for values that do not contain the filter criteria value, use one of the following comparison operators:

  • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .
  • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.
NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

  • ResourceType PREFIX AwsIam
  • ResourceType PREFIX AwsEc2
  • ResourceType NOT_EQUALS AwsIamPolicy
  • ResourceType NOT_EQUALS AwsEc2NetworkInterface

FirstObservedAt -> (list)

An ISO8601-formatted timestamp that indicates when the security-findings provider first observed the potential security issue that a finding captured.

(structure)

A date filter for querying findings.

Start -> (string)

A start date for the date filter.

End -> (string)

An end date for the date filter.

DateRange -> (structure)

A date range for the date filter.

Value -> (integer)

A date range value for the date filter.

Unit -> (string)

A date range unit for the date filter.

LastObservedAt -> (list)

An ISO8601-formatted timestamp that indicates when the security-findings provider most recently observed the potential security issue that a finding captured.

(structure)

A date filter for querying findings.

Start -> (string)

A start date for the date filter.

End -> (string)

An end date for the date filter.

DateRange -> (structure)

A date range for the date filter.

Value -> (integer)

A date range value for the date filter.

Unit -> (string)

A date range unit for the date filter.

CreatedAt -> (list)

An ISO8601-formatted timestamp that indicates when the security-findings provider captured the potential security issue that a finding captured.

(structure)

A date filter for querying findings.

Start -> (string)

A start date for the date filter.

End -> (string)

An end date for the date filter.

DateRange -> (structure)

A date range for the date filter.

Value -> (integer)

A date range value for the date filter.

Unit -> (string)

A date range unit for the date filter.

UpdatedAt -> (list)

An ISO8601-formatted timestamp that indicates when the security-findings provider last updated the finding record.

(structure)

A date filter for querying findings.

Start -> (string)

A start date for the date filter.

End -> (string)

An end date for the date filter.

DateRange -> (structure)

A date range for the date filter.

Value -> (integer)

A date range value for the date filter.

Unit -> (string)

A date range unit for the date filter.

SeverityProduct -> (list)

The native severity as defined by the security-findings provider's solution that generated the finding.

(structure)

A number filter for querying findings.

Gte -> (double)

The greater-than-equal condition to be applied to a single field when querying for findings.

Lte -> (double)

The less-than-equal condition to be applied to a single field when querying for findings.

Eq -> (double)

The equal-to condition to be applied to a single field when querying for findings.

SeverityNormalized -> (list)

The normalized severity of a finding.

(structure)

A number filter for querying findings.

Gte -> (double)

The greater-than-equal condition to be applied to a single field when querying for findings.

Lte -> (double)

The less-than-equal condition to be applied to a single field when querying for findings.

Eq -> (double)

The equal-to condition to be applied to a single field when querying for findings.

SeverityLabel -> (list)

The label of a finding's severity.

(structure)

A string filter for querying findings.

Value -> (string)

The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

Comparison -> (string)

The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

  • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .
  • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.
EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

To search for values that do not contain the filter criteria value, use one of the following comparison operators:

  • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .
  • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.
NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

  • ResourceType PREFIX AwsIam
  • ResourceType PREFIX AwsEc2
  • ResourceType NOT_EQUALS AwsIamPolicy
  • ResourceType NOT_EQUALS AwsEc2NetworkInterface

Confidence -> (list)

A finding's confidence. Confidence is defined as the likelihood that a finding accurately identifies the behavior or issue that it was intended to identify.

Confidence is scored on a 0-100 basis using a ratio scale, where 0 means zero percent confidence and 100 means 100 percent confidence.

(structure)

A number filter for querying findings.

Gte -> (double)

The greater-than-equal condition to be applied to a single field when querying for findings.

Lte -> (double)

The less-than-equal condition to be applied to a single field when querying for findings.

Eq -> (double)

The equal-to condition to be applied to a single field when querying for findings.

Criticality -> (list)

The level of importance assigned to the resources associated with the finding.

A score of 0 means that the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources.

(structure)

A number filter for querying findings.

Gte -> (double)

The greater-than-equal condition to be applied to a single field when querying for findings.

Lte -> (double)

The less-than-equal condition to be applied to a single field when querying for findings.

Eq -> (double)

The equal-to condition to be applied to a single field when querying for findings.

Title -> (list)

A finding's title.

(structure)

A string filter for querying findings.

Value -> (string)

The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

Comparison -> (string)

The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

  • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .
  • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.
EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

To search for values that do not contain the filter criteria value, use one of the following comparison operators:

  • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .
  • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.
NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

  • ResourceType PREFIX AwsIam
  • ResourceType PREFIX AwsEc2
  • ResourceType NOT_EQUALS AwsIamPolicy
  • ResourceType NOT_EQUALS AwsEc2NetworkInterface

Description -> (list)

A finding's description.

(structure)

A string filter for querying findings.

Value -> (string)

The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

Comparison -> (string)

The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

  • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .
  • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.
EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

To search for values that do not contain the filter criteria value, use one of the following comparison operators:

  • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .
  • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.
NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

  • ResourceType PREFIX AwsIam
  • ResourceType PREFIX AwsEc2
  • ResourceType NOT_EQUALS AwsIamPolicy
  • ResourceType NOT_EQUALS AwsEc2NetworkInterface

RecommendationText -> (list)

The recommendation of what to do about the issue described in a finding.

(structure)

A string filter for querying findings.

Value -> (string)

The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

Comparison -> (string)

The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

  • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .
  • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.
EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

To search for values that do not contain the filter criteria value, use one of the following comparison operators:

  • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .
  • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.
NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

  • ResourceType PREFIX AwsIam
  • ResourceType PREFIX AwsEc2
  • ResourceType NOT_EQUALS AwsIamPolicy
  • ResourceType NOT_EQUALS AwsEc2NetworkInterface

SourceUrl -> (list)

A URL that links to a page about the current finding in the security-findings provider's solution.

(structure)

A string filter for querying findings.

Value -> (string)

The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

Comparison -> (string)

The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

  • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .
  • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.
EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

To search for values that do not contain the filter criteria value, use one of the following comparison operators:

  • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .
  • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.
NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

  • ResourceType PREFIX AwsIam
  • ResourceType PREFIX AwsEc2
  • ResourceType NOT_EQUALS AwsIamPolicy
  • ResourceType NOT_EQUALS AwsEc2NetworkInterface

ProductFields -> (list)

A data type where security-findings providers can include additional solution-specific details that aren't part of the defined AwsSecurityFinding format.

(structure)

A map filter for querying findings. Each map filter provides the field to check, the value to look for, and the comparison operator.

Key -> (string)

The key of the map filter. For example, for ResourceTags , Key identifies the name of the tag. For UserDefinedFields , Key is the name of the field.

Value -> (string)

The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called Department might be Security . If you provide security as the filter value, then there is no match.

Comparison -> (string)

The condition to apply to the key value when querying for findings with a map filter.

To search for values that exactly match the filter value, use EQUALS . For example, for the ResourceTags field, the filter Department EQUALS Security matches findings that have the value Security for the tag Department .

To search for values other than the filter value, use NOT_EQUALS . For example, for the ResourceTags field, the filter Department NOT_EQUALS Finance matches findings that do not have the value Finance for the tag Department .

EQUALS filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

You cannot have both an EQUALS filter and a NOT_EQUALS filter on the same field.

ProductName -> (list)

The name of the solution (product) that generates findings.

Note that this is a filter against the aws/securityhub/ProductName field in ProductFields . It is not a filter for the top-level ProductName field.

(structure)

A string filter for querying findings.

Value -> (string)

The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

Comparison -> (string)

The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

  • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .
  • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.
EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

To search for values that do not contain the filter criteria value, use one of the following comparison operators:

  • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .
  • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.
NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

  • ResourceType PREFIX AwsIam
  • ResourceType PREFIX AwsEc2
  • ResourceType NOT_EQUALS AwsIamPolicy
  • ResourceType NOT_EQUALS AwsEc2NetworkInterface

CompanyName -> (list)

The name of the findings provider (company) that owns the solution (product) that generates findings.

Note that this is a filter against the aws/securityhub/CompanyName field in ProductFields . It is not a filter for the top-level CompanyName field.

(structure)

A string filter for querying findings.

Value -> (string)

The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

Comparison -> (string)

The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

  • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .
  • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.
EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

To search for values that do not contain the filter criteria value, use one of the following comparison operators:

  • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .
  • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.
NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

  • ResourceType PREFIX AwsIam
  • ResourceType PREFIX AwsEc2
  • ResourceType NOT_EQUALS AwsIamPolicy
  • ResourceType NOT_EQUALS AwsEc2NetworkInterface

UserDefinedFields -> (list)

A list of name/value string pairs associated with the finding. These are custom, user-defined fields added to a finding.

(structure)

A map filter for querying findings. Each map filter provides the field to check, the value to look for, and the comparison operator.

Key -> (string)

The key of the map filter. For example, for ResourceTags , Key identifies the name of the tag. For UserDefinedFields , Key is the name of the field.

Value -> (string)

The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called Department might be Security . If you provide security as the filter value, then there is no match.

Comparison -> (string)

The condition to apply to the key value when querying for findings with a map filter.

To search for values that exactly match the filter value, use EQUALS . For example, for the ResourceTags field, the filter Department EQUALS Security matches findings that have the value Security for the tag Department .

To search for values other than the filter value, use NOT_EQUALS . For example, for the ResourceTags field, the filter Department NOT_EQUALS Finance matches findings that do not have the value Finance for the tag Department .

EQUALS filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

You cannot have both an EQUALS filter and a NOT_EQUALS filter on the same field.

MalwareName -> (list)

The name of the malware that was observed.

(structure)

A string filter for querying findings.

Value -> (string)

The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

Comparison -> (string)

The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

  • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .
  • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.
EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

To search for values that do not contain the filter criteria value, use one of the following comparison operators:

  • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .
  • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.
NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

  • ResourceType PREFIX AwsIam
  • ResourceType PREFIX AwsEc2
  • ResourceType NOT_EQUALS AwsIamPolicy
  • ResourceType NOT_EQUALS AwsEc2NetworkInterface

MalwareType -> (list)

The type of the malware that was observed.

(structure)

A string filter for querying findings.

Value -> (string)

The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

Comparison -> (string)

The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

  • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .
  • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.
EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

To search for values that do not contain the filter criteria value, use one of the following comparison operators:

  • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .
  • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.
NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

  • ResourceType PREFIX AwsIam
  • ResourceType PREFIX AwsEc2
  • ResourceType NOT_EQUALS AwsIamPolicy
  • ResourceType NOT_EQUALS AwsEc2NetworkInterface

MalwarePath -> (list)

The filesystem path of the malware that was observed.

(structure)

A string filter for querying findings.

Value -> (string)

The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

Comparison -> (string)

The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

  • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .
  • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.
EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

To search for values that do not contain the filter criteria value, use one of the following comparison operators:

  • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .
  • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.
NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

  • ResourceType PREFIX AwsIam
  • ResourceType PREFIX AwsEc2
  • ResourceType NOT_EQUALS AwsIamPolicy
  • ResourceType NOT_EQUALS AwsEc2NetworkInterface

MalwareState -> (list)

The state of the malware that was observed.

(structure)

A string filter for querying findings.

Value -> (string)

The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

Comparison -> (string)

The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

  • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .
  • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.
EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

To search for values that do not contain the filter criteria value, use one of the following comparison operators:

  • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .
  • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.
NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

  • ResourceType PREFIX AwsIam
  • ResourceType PREFIX AwsEc2
  • ResourceType NOT_EQUALS AwsIamPolicy
  • ResourceType NOT_EQUALS AwsEc2NetworkInterface

NetworkDirection -> (list)

Indicates the direction of network traffic associated with a finding.

(structure)

A string filter for querying findings.

Value -> (string)

The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

Comparison -> (string)

The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

  • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .
  • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.
EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

To search for values that do not contain the filter criteria value, use one of the following comparison operators:

  • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .
  • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.
NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

  • ResourceType PREFIX AwsIam
  • ResourceType PREFIX AwsEc2
  • ResourceType NOT_EQUALS AwsIamPolicy
  • ResourceType NOT_EQUALS AwsEc2NetworkInterface

NetworkProtocol -> (list)

The protocol of network-related information about a finding.

(structure)

A string filter for querying findings.

Value -> (string)

The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

Comparison -> (string)

The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

  • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .
  • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.
EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

To search for values that do not contain the filter criteria value, use one of the following comparison operators:

  • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .
  • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.
NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

  • ResourceType PREFIX AwsIam
  • ResourceType PREFIX AwsEc2
  • ResourceType NOT_EQUALS AwsIamPolicy
  • ResourceType NOT_EQUALS AwsEc2NetworkInterface

NetworkSourceIpV4 -> (list)

The source IPv4 address of network-related information about a finding.

(structure)

The IP filter for querying findings.

Cidr -> (string)

A finding's CIDR value.

NetworkSourceIpV6 -> (list)

The source IPv6 address of network-related information about a finding.

(structure)

The IP filter for querying findings.

Cidr -> (string)

A finding's CIDR value.

NetworkSourcePort -> (list)

The source port of network-related information about a finding.

(structure)

A number filter for querying findings.

Gte -> (double)

The greater-than-equal condition to be applied to a single field when querying for findings.

Lte -> (double)

The less-than-equal condition to be applied to a single field when querying for findings.

Eq -> (double)

The equal-to condition to be applied to a single field when querying for findings.

NetworkSourceDomain -> (list)

The source domain of network-related information about a finding.

(structure)

A string filter for querying findings.

Value -> (string)

The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

Comparison -> (string)

The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

  • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .
  • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.
EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

To search for values that do not contain the filter criteria value, use one of the following comparison operators:

  • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .
  • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.
NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

  • ResourceType PREFIX AwsIam
  • ResourceType PREFIX AwsEc2
  • ResourceType NOT_EQUALS AwsIamPolicy
  • ResourceType NOT_EQUALS AwsEc2NetworkInterface

NetworkSourceMac -> (list)

The source media access control (MAC) address of network-related information about a finding.

(structure)

A string filter for querying findings.

Value -> (string)

The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

Comparison -> (string)

The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

  • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .
  • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.
EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

To search for values that do not contain the filter criteria value, use one of the following comparison operators:

  • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .
  • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.
NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

  • ResourceType PREFIX AwsIam
  • ResourceType PREFIX AwsEc2
  • ResourceType NOT_EQUALS AwsIamPolicy
  • ResourceType NOT_EQUALS AwsEc2NetworkInterface

NetworkDestinationIpV4 -> (list)

The destination IPv4 address of network-related information about a finding.

(structure)

The IP filter for querying findings.

Cidr -> (string)

A finding's CIDR value.

NetworkDestinationIpV6 -> (list)

The destination IPv6 address of network-related information about a finding.

(structure)

The IP filter for querying findings.

Cidr -> (string)

A finding's CIDR value.

NetworkDestinationPort -> (list)

The destination port of network-related information about a finding.

(structure)

A number filter for querying findings.

Gte -> (double)

The greater-than-equal condition to be applied to a single field when querying for findings.

Lte -> (double)

The less-than-equal condition to be applied to a single field when querying for findings.

Eq -> (double)

The equal-to condition to be applied to a single field when querying for findings.

NetworkDestinationDomain -> (list)

The destination domain of network-related information about a finding.

(structure)

A string filter for querying findings.

Value -> (string)

The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

Comparison -> (string)

The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

  • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .
  • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.
EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

To search for values that do not contain the filter criteria value, use one of the following comparison operators:

  • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .
  • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.
NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

  • ResourceType PREFIX AwsIam
  • ResourceType PREFIX AwsEc2
  • ResourceType NOT_EQUALS AwsIamPolicy
  • ResourceType NOT_EQUALS AwsEc2NetworkInterface

ProcessName -> (list)

The name of the process.

(structure)

A string filter for querying findings.

Value -> (string)

The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

Comparison -> (string)

The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

  • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .
  • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.
EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

To search for values that do not contain the filter criteria value, use one of the following comparison operators:

  • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .
  • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.
NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

  • ResourceType PREFIX AwsIam
  • ResourceType PREFIX AwsEc2
  • ResourceType NOT_EQUALS AwsIamPolicy
  • ResourceType NOT_EQUALS AwsEc2NetworkInterface

ProcessPath -> (list)

The path to the process executable.

(structure)

A string filter for querying findings.

Value -> (string)

The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

Comparison -> (string)

The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

  • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .
  • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.
EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

To search for values that do not contain the filter criteria value, use one of the following comparison operators:

  • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .
  • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.
NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

  • ResourceType PREFIX AwsIam
  • ResourceType PREFIX AwsEc2
  • ResourceType NOT_EQUALS AwsIamPolicy
  • ResourceType NOT_EQUALS AwsEc2NetworkInterface

ProcessPid -> (list)

The process ID.

(structure)

A number filter for querying findings.

Gte -> (double)

The greater-than-equal condition to be applied to a single field when querying for findings.

Lte -> (double)

The less-than-equal condition to be applied to a single field when querying for findings.

Eq -> (double)

The equal-to condition to be applied to a single field when querying for findings.

ProcessParentPid -> (list)

The parent process ID.

(structure)

A number filter for querying findings.

Gte -> (double)

The greater-than-equal condition to be applied to a single field when querying for findings.

Lte -> (double)

The less-than-equal condition to be applied to a single field when querying for findings.

Eq -> (double)

The equal-to condition to be applied to a single field when querying for findings.

ProcessLaunchedAt -> (list)

The date/time that the process was launched.

(structure)

A date filter for querying findings.

Start -> (string)

A start date for the date filter.

End -> (string)

An end date for the date filter.

DateRange -> (structure)

A date range for the date filter.

Value -> (integer)

A date range value for the date filter.

Unit -> (string)

A date range unit for the date filter.

ProcessTerminatedAt -> (list)

The date/time that the process was terminated.

(structure)

A date filter for querying findings.

Start -> (string)

A start date for the date filter.

End -> (string)

An end date for the date filter.

DateRange -> (structure)

A date range for the date filter.

Value -> (integer)

A date range value for the date filter.

Unit -> (string)

A date range unit for the date filter.

ThreatIntelIndicatorType -> (list)

The type of a threat intelligence indicator.

(structure)

A string filter for querying findings.

Value -> (string)

The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

Comparison -> (string)

The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

  • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .
  • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.
EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

To search for values that do not contain the filter criteria value, use one of the following comparison operators:

  • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .
  • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.
NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

  • ResourceType PREFIX AwsIam
  • ResourceType PREFIX AwsEc2
  • ResourceType NOT_EQUALS AwsIamPolicy
  • ResourceType NOT_EQUALS AwsEc2NetworkInterface

ThreatIntelIndicatorValue -> (list)

The value of a threat intelligence indicator.

(structure)

A string filter for querying findings.

Value -> (string)

The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

Comparison -> (string)

The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

  • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .
  • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.
EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

To search for values that do not contain the filter criteria value, use one of the following comparison operators:

  • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .
  • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.
NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

  • ResourceType PREFIX AwsIam
  • ResourceType PREFIX AwsEc2
  • ResourceType NOT_EQUALS AwsIamPolicy
  • ResourceType NOT_EQUALS AwsEc2NetworkInterface

ThreatIntelIndicatorCategory -> (list)

The category of a threat intelligence indicator.

(structure)

A string filter for querying findings.

Value -> (string)

The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

Comparison -> (string)

The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

  • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .
  • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.
EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

To search for values that do not contain the filter criteria value, use one of the following comparison operators:

  • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .
  • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.
NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

  • ResourceType PREFIX AwsIam
  • ResourceType PREFIX AwsEc2
  • ResourceType NOT_EQUALS AwsIamPolicy
  • ResourceType NOT_EQUALS AwsEc2NetworkInterface

ThreatIntelIndicatorLastObservedAt -> (list)

The date/time of the last observation of a threat intelligence indicator.

(structure)

A date filter for querying findings.

Start -> (string)

A start date for the date filter.

End -> (string)

An end date for the date filter.

DateRange -> (structure)

A date range for the date filter.

Value -> (integer)

A date range value for the date filter.

Unit -> (string)

A date range unit for the date filter.

ThreatIntelIndicatorSource -> (list)

The source of the threat intelligence.

(structure)

A string filter for querying findings.

Value -> (string)

The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

Comparison -> (string)

The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

  • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .
  • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.
EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

To search for values that do not contain the filter criteria value, use one of the following comparison operators:

  • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .
  • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.
NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

  • ResourceType PREFIX AwsIam
  • ResourceType PREFIX AwsEc2
  • ResourceType NOT_EQUALS AwsIamPolicy
  • ResourceType NOT_EQUALS AwsEc2NetworkInterface

ThreatIntelIndicatorSourceUrl -> (list)

The URL for more details from the source of the threat intelligence.

(structure)

A string filter for querying findings.

Value -> (string)

The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

Comparison -> (string)

The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

  • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .
  • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.
EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

To search for values that do not contain the filter criteria value, use one of the following comparison operators:

  • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .
  • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.
NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

  • ResourceType PREFIX AwsIam
  • ResourceType PREFIX AwsEc2
  • ResourceType NOT_EQUALS AwsIamPolicy
  • ResourceType NOT_EQUALS AwsEc2NetworkInterface

ResourceType -> (list)

Specifies the type of the resource that details are provided for.

(structure)

A string filter for querying findings.

Value -> (string)

The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

Comparison -> (string)

The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

  • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .
  • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.
EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

To search for values that do not contain the filter criteria value, use one of the following comparison operators:

  • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .
  • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.
NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

  • ResourceType PREFIX AwsIam
  • ResourceType PREFIX AwsEc2
  • ResourceType NOT_EQUALS AwsIamPolicy
  • ResourceType NOT_EQUALS AwsEc2NetworkInterface

ResourceId -> (list)

The canonical identifier for the given resource type.

(structure)

A string filter for querying findings.

Value -> (string)

The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

Comparison -> (string)

The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

  • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .
  • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.
EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

To search for values that do not contain the filter criteria value, use one of the following comparison operators:

  • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .
  • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.
NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

  • ResourceType PREFIX AwsIam
  • ResourceType PREFIX AwsEc2
  • ResourceType NOT_EQUALS AwsIamPolicy
  • ResourceType NOT_EQUALS AwsEc2NetworkInterface

ResourcePartition -> (list)

The canonical Amazon Web Services partition name that the Region is assigned to.

(structure)

A string filter for querying findings.

Value -> (string)

The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

Comparison -> (string)

The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

  • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .
  • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.
EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

To search for values that do not contain the filter criteria value, use one of the following comparison operators:

  • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .
  • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.
NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

  • ResourceType PREFIX AwsIam
  • ResourceType PREFIX AwsEc2
  • ResourceType NOT_EQUALS AwsIamPolicy
  • ResourceType NOT_EQUALS AwsEc2NetworkInterface

ResourceRegion -> (list)

The canonical Amazon Web Services external Region name where this resource is located.

(structure)

A string filter for querying findings.

Value -> (string)

The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

Comparison -> (string)

The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

  • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .
  • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.
EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

To search for values that do not contain the filter criteria value, use one of the following comparison operators:

  • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .
  • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.
NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

  • ResourceType PREFIX AwsIam
  • ResourceType PREFIX AwsEc2
  • ResourceType NOT_EQUALS AwsIamPolicy
  • ResourceType NOT_EQUALS AwsEc2NetworkInterface

ResourceTags -> (list)

A list of Amazon Web Services tags associated with a resource at the time the finding was processed.

(structure)

A map filter for querying findings. Each map filter provides the field to check, the value to look for, and the comparison operator.

Key -> (string)

The key of the map filter. For example, for ResourceTags , Key identifies the name of the tag. For UserDefinedFields , Key is the name of the field.

Value -> (string)

The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called Department might be Security . If you provide security as the filter value, then there is no match.

Comparison -> (string)

The condition to apply to the key value when querying for findings with a map filter.

To search for values that exactly match the filter value, use EQUALS . For example, for the ResourceTags field, the filter Department EQUALS Security matches findings that have the value Security for the tag Department .

To search for values other than the filter value, use NOT_EQUALS . For example, for the ResourceTags field, the filter Department NOT_EQUALS Finance matches findings that do not have the value Finance for the tag Department .

EQUALS filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

You cannot have both an EQUALS filter and a NOT_EQUALS filter on the same field.

ResourceAwsEc2InstanceType -> (list)

The instance type of the instance.

(structure)

A string filter for querying findings.

Value -> (string)

The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

Comparison -> (string)

The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

  • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .
  • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.
EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

To search for values that do not contain the filter criteria value, use one of the following comparison operators:

  • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .
  • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.
NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

  • ResourceType PREFIX AwsIam
  • ResourceType PREFIX AwsEc2
  • ResourceType NOT_EQUALS AwsIamPolicy
  • ResourceType NOT_EQUALS AwsEc2NetworkInterface

ResourceAwsEc2InstanceImageId -> (list)

The Amazon Machine Image (AMI) ID of the instance.

(structure)

A string filter for querying findings.

Value -> (string)

The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

Comparison -> (string)

The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

  • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .
  • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.
EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

To search for values that do not contain the filter criteria value, use one of the following comparison operators:

  • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .
  • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.
NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

  • ResourceType PREFIX AwsIam
  • ResourceType PREFIX AwsEc2
  • ResourceType NOT_EQUALS AwsIamPolicy
  • ResourceType NOT_EQUALS AwsEc2NetworkInterface

ResourceAwsEc2InstanceIpV4Addresses -> (list)

The IPv4 addresses associated with the instance.

(structure)

The IP filter for querying findings.

Cidr -> (string)

A finding's CIDR value.

ResourceAwsEc2InstanceIpV6Addresses -> (list)

The IPv6 addresses associated with the instance.

(structure)

The IP filter for querying findings.

Cidr -> (string)

A finding's CIDR value.

ResourceAwsEc2InstanceKeyName -> (list)

The key name associated with the instance.

(structure)

A string filter for querying findings.

Value -> (string)

The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

Comparison -> (string)

The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

  • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .
  • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.
EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

To search for values that do not contain the filter criteria value, use one of the following comparison operators:

  • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .
  • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.
NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

  • ResourceType PREFIX AwsIam
  • ResourceType PREFIX AwsEc2
  • ResourceType NOT_EQUALS AwsIamPolicy
  • ResourceType NOT_EQUALS AwsEc2NetworkInterface

ResourceAwsEc2InstanceIamInstanceProfileArn -> (list)

The IAM profile ARN of the instance.

(structure)

A string filter for querying findings.

Value -> (string)

The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

Comparison -> (string)

The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

  • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .
  • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.
EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

To search for values that do not contain the filter criteria value, use one of the following comparison operators:

  • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .
  • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.
NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

  • ResourceType PREFIX AwsIam
  • ResourceType PREFIX AwsEc2
  • ResourceType NOT_EQUALS AwsIamPolicy
  • ResourceType NOT_EQUALS AwsEc2NetworkInterface

ResourceAwsEc2InstanceVpcId -> (list)

The identifier of the VPC that the instance was launched in.

(structure)

A string filter for querying findings.

Value -> (string)

The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

Comparison -> (string)

The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

  • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .
  • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.
EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

To search for values that do not contain the filter criteria value, use one of the following comparison operators:

  • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .
  • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.
NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

  • ResourceType PREFIX AwsIam
  • ResourceType PREFIX AwsEc2
  • ResourceType NOT_EQUALS AwsIamPolicy
  • ResourceType NOT_EQUALS AwsEc2NetworkInterface

ResourceAwsEc2InstanceSubnetId -> (list)

The identifier of the subnet that the instance was launched in.

(structure)

A string filter for querying findings.

Value -> (string)

The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

Comparison -> (string)

The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

  • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .
  • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.
EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

To search for values that do not contain the filter criteria value, use one of the following comparison operators:

  • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .
  • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.
NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

  • ResourceType PREFIX AwsIam
  • ResourceType PREFIX AwsEc2
  • ResourceType NOT_EQUALS AwsIamPolicy
  • ResourceType NOT_EQUALS AwsEc2NetworkInterface

ResourceAwsEc2InstanceLaunchedAt -> (list)

The date and time the instance was launched.

(structure)

A date filter for querying findings.

Start -> (string)

A start date for the date filter.

End -> (string)

An end date for the date filter.

DateRange -> (structure)

A date range for the date filter.

Value -> (integer)

A date range value for the date filter.

Unit -> (string)

A date range unit for the date filter.

ResourceAwsS3BucketOwnerId -> (list)

The canonical user ID of the owner of the S3 bucket.

(structure)

A string filter for querying findings.

Value -> (string)

The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

Comparison -> (string)

The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

  • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .
  • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.
EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

To search for values that do not contain the filter criteria value, use one of the following comparison operators:

  • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .
  • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.
NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

  • ResourceType PREFIX AwsIam
  • ResourceType PREFIX AwsEc2
  • ResourceType NOT_EQUALS AwsIamPolicy
  • ResourceType NOT_EQUALS AwsEc2NetworkInterface

ResourceAwsS3BucketOwnerName -> (list)

The display name of the owner of the S3 bucket.

(structure)

A string filter for querying findings.

Value -> (string)

The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

Comparison -> (string)

The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

  • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .
  • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.
EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

To search for values that do not contain the filter criteria value, use one of the following comparison operators:

  • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .
  • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.
NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

  • ResourceType PREFIX AwsIam
  • ResourceType PREFIX AwsEc2
  • ResourceType NOT_EQUALS AwsIamPolicy
  • ResourceType NOT_EQUALS AwsEc2NetworkInterface

ResourceAwsIamAccessKeyUserName -> (list)

The user associated with the IAM access key related to a finding.

(structure)

A string filter for querying findings.

Value -> (string)

The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

Comparison -> (string)

The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

  • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .
  • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.
EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

To search for values that do not contain the filter criteria value, use one of the following comparison operators:

  • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .
  • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.
NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

  • ResourceType PREFIX AwsIam
  • ResourceType PREFIX AwsEc2
  • ResourceType NOT_EQUALS AwsIamPolicy
  • ResourceType NOT_EQUALS AwsEc2NetworkInterface

ResourceAwsIamAccessKeyPrincipalName -> (list)

The name of the principal that is associated with an IAM access key.

(structure)

A string filter for querying findings.

Value -> (string)

The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

Comparison -> (string)

The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

  • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .
  • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.
EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

To search for values that do not contain the filter criteria value, use one of the following comparison operators:

  • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .
  • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.
NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

  • ResourceType PREFIX AwsIam
  • ResourceType PREFIX AwsEc2
  • ResourceType NOT_EQUALS AwsIamPolicy
  • ResourceType NOT_EQUALS AwsEc2NetworkInterface

ResourceAwsIamAccessKeyStatus -> (list)

The status of the IAM access key related to a finding.

(structure)

A string filter for querying findings.

Value -> (string)

The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

Comparison -> (string)

The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

  • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .
  • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.
EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

To search for values that do not contain the filter criteria value, use one of the following comparison operators:

  • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .
  • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.
NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

  • ResourceType PREFIX AwsIam
  • ResourceType PREFIX AwsEc2
  • ResourceType NOT_EQUALS AwsIamPolicy
  • ResourceType NOT_EQUALS AwsEc2NetworkInterface

ResourceAwsIamAccessKeyCreatedAt -> (list)

The creation date/time of the IAM access key related to a finding.

(structure)

A date filter for querying findings.

Start -> (string)

A start date for the date filter.

End -> (string)

An end date for the date filter.

DateRange -> (structure)

A date range for the date filter.

Value -> (integer)

A date range value for the date filter.

Unit -> (string)

A date range unit for the date filter.

ResourceAwsIamUserUserName -> (list)

The name of an IAM user.

(structure)

A string filter for querying findings.

Value -> (string)

The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

Comparison -> (string)

The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

  • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .
  • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.
EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

To search for values that do not contain the filter criteria value, use one of the following comparison operators:

  • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .
  • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.
NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

  • ResourceType PREFIX AwsIam
  • ResourceType PREFIX AwsEc2
  • ResourceType NOT_EQUALS AwsIamPolicy
  • ResourceType NOT_EQUALS AwsEc2NetworkInterface

ResourceContainerName -> (list)

The name of the container related to a finding.

(structure)

A string filter for querying findings.

Value -> (string)

The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

Comparison -> (string)

The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

  • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .
  • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.
EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

To search for values that do not contain the filter criteria value, use one of the following comparison operators:

  • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .
  • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.
NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

  • ResourceType PREFIX AwsIam
  • ResourceType PREFIX AwsEc2
  • ResourceType NOT_EQUALS AwsIamPolicy
  • ResourceType NOT_EQUALS AwsEc2NetworkInterface

ResourceContainerImageId -> (list)

The identifier of the image related to a finding.

(structure)

A string filter for querying findings.

Value -> (string)

The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

Comparison -> (string)

The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

  • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .
  • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.
EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

To search for values that do not contain the filter criteria value, use one of the following comparison operators:

  • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .
  • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.
NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

  • ResourceType PREFIX AwsIam
  • ResourceType PREFIX AwsEc2
  • ResourceType NOT_EQUALS AwsIamPolicy
  • ResourceType NOT_EQUALS AwsEc2NetworkInterface

ResourceContainerImageName -> (list)

The name of the image related to a finding.

(structure)

A string filter for querying findings.

Value -> (string)

The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

Comparison -> (string)

The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

  • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .
  • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.
EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

To search for values that do not contain the filter criteria value, use one of the following comparison operators:

  • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .
  • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.
NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

  • ResourceType PREFIX AwsIam
  • ResourceType PREFIX AwsEc2
  • ResourceType NOT_EQUALS AwsIamPolicy
  • ResourceType NOT_EQUALS AwsEc2NetworkInterface

ResourceContainerLaunchedAt -> (list)

The date/time that the container was started.

(structure)

A date filter for querying findings.

Start -> (string)

A start date for the date filter.

End -> (string)

An end date for the date filter.

DateRange -> (structure)

A date range for the date filter.

Value -> (integer)

A date range value for the date filter.

Unit -> (string)

A date range unit for the date filter.

ResourceDetailsOther -> (list)

The details of a resource that doesn't have a specific subfield for the resource type defined.

(structure)

A map filter for querying findings. Each map filter provides the field to check, the value to look for, and the comparison operator.

Key -> (string)

The key of the map filter. For example, for ResourceTags , Key identifies the name of the tag. For UserDefinedFields , Key is the name of the field.

Value -> (string)

The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called Department might be Security . If you provide security as the filter value, then there is no match.

Comparison -> (string)

The condition to apply to the key value when querying for findings with a map filter.

To search for values that exactly match the filter value, use EQUALS . For example, for the ResourceTags field, the filter Department EQUALS Security matches findings that have the value Security for the tag Department .

To search for values other than the filter value, use NOT_EQUALS . For example, for the ResourceTags field, the filter Department NOT_EQUALS Finance matches findings that do not have the value Finance for the tag Department .

EQUALS filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

You cannot have both an EQUALS filter and a NOT_EQUALS filter on the same field.

ComplianceStatus -> (list)

Exclusive to findings that are generated as the result of a check run against a specific rule in a supported standard, such as CIS Amazon Web Services Foundations. Contains security standard-related finding details.

(structure)

A string filter for querying findings.

Value -> (string)

The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

Comparison -> (string)

The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

  • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .
  • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.
EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

To search for values that do not contain the filter criteria value, use one of the following comparison operators:

  • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .
  • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.
NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

  • ResourceType PREFIX AwsIam
  • ResourceType PREFIX AwsEc2
  • ResourceType NOT_EQUALS AwsIamPolicy
  • ResourceType NOT_EQUALS AwsEc2NetworkInterface

VerificationState -> (list)

The veracity of a finding.

(structure)

A string filter for querying findings.

Value -> (string)

The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

Comparison -> (string)

The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

  • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .
  • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.
EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

To search for values that do not contain the filter criteria value, use one of the following comparison operators:

  • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .
  • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.
NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

  • ResourceType PREFIX AwsIam
  • ResourceType PREFIX AwsEc2
  • ResourceType NOT_EQUALS AwsIamPolicy
  • ResourceType NOT_EQUALS AwsEc2NetworkInterface

WorkflowState -> (list)

The workflow state of a finding.

Note that this field is deprecated. To search for a finding based on its workflow status, use WorkflowStatus .

(structure)

A string filter for querying findings.

Value -> (string)

The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

Comparison -> (string)

The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

  • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .
  • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.
EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

To search for values that do not contain the filter criteria value, use one of the following comparison operators:

  • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .
  • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.
NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

  • ResourceType PREFIX AwsIam
  • ResourceType PREFIX AwsEc2
  • ResourceType NOT_EQUALS AwsIamPolicy
  • ResourceType NOT_EQUALS AwsEc2NetworkInterface

WorkflowStatus -> (list)

The status of the investigation into a finding. Allowed values are the following.

  • NEW - The initial state of a finding, before it is reviewed. Security Hub also resets the workflow status from NOTIFIED or RESOLVED to NEW in the following cases:
    • The record state changes from ARCHIVED to ACTIVE .
    • The compliance status changes from PASSED to either WARNING , FAILED , or NOT_AVAILABLE .
  • NOTIFIED - Indicates that the resource owner has been notified about the security issue. Used when the initial reviewer is not the resource owner, and needs intervention from the resource owner.
  • SUPPRESSED - The finding will not be reviewed again and will not be acted upon.
  • RESOLVED - The finding was reviewed and remediated and is now considered resolved.

(structure)

A string filter for querying findings.

Value -> (string)

The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

Comparison -> (string)

The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

  • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .
  • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.
EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

To search for values that do not contain the filter criteria value, use one of the following comparison operators:

  • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .
  • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.
NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

  • ResourceType PREFIX AwsIam
  • ResourceType PREFIX AwsEc2
  • ResourceType NOT_EQUALS AwsIamPolicy
  • ResourceType NOT_EQUALS AwsEc2NetworkInterface

RecordState -> (list)

The updated record state for the finding.

(structure)

A string filter for querying findings.

Value -> (string)

The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

Comparison -> (string)

The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

  • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .
  • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.
EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

To search for values that do not contain the filter criteria value, use one of the following comparison operators:

  • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .
  • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.
NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

  • ResourceType PREFIX AwsIam
  • ResourceType PREFIX AwsEc2
  • ResourceType NOT_EQUALS AwsIamPolicy
  • ResourceType NOT_EQUALS AwsEc2NetworkInterface

RelatedFindingsProductArn -> (list)

The ARN of the solution that generated a related finding.

(structure)

A string filter for querying findings.

Value -> (string)

The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

Comparison -> (string)

The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

  • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .
  • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.
EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

To search for values that do not contain the filter criteria value, use one of the following comparison operators:

  • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .
  • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.
NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

  • ResourceType PREFIX AwsIam
  • ResourceType PREFIX AwsEc2
  • ResourceType NOT_EQUALS AwsIamPolicy
  • ResourceType NOT_EQUALS AwsEc2NetworkInterface

RelatedFindingsId -> (list)

The solution-generated identifier for a related finding.

(structure)

A string filter for querying findings.

Value -> (string)

The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

Comparison -> (string)

The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

  • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .
  • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.
EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

To search for values that do not contain the filter criteria value, use one of the following comparison operators:

  • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .
  • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.
NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

  • ResourceType PREFIX AwsIam
  • ResourceType PREFIX AwsEc2
  • ResourceType NOT_EQUALS AwsIamPolicy
  • ResourceType NOT_EQUALS AwsEc2NetworkInterface

NoteText -> (list)

The text of a note.

(structure)

A string filter for querying findings.

Value -> (string)

The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

Comparison -> (string)

The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

  • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .
  • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.
EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

To search for values that do not contain the filter criteria value, use one of the following comparison operators:

  • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .
  • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.
NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

  • ResourceType PREFIX AwsIam
  • ResourceType PREFIX AwsEc2
  • ResourceType NOT_EQUALS AwsIamPolicy
  • ResourceType NOT_EQUALS AwsEc2NetworkInterface

NoteUpdatedAt -> (list)

The timestamp of when the note was updated.

(structure)

A date filter for querying findings.

Start -> (string)

A start date for the date filter.

End -> (string)

An end date for the date filter.

DateRange -> (structure)

A date range for the date filter.

Value -> (integer)

A date range value for the date filter.

Unit -> (string)

A date range unit for the date filter.

NoteUpdatedBy -> (list)

The principal that created a note.

(structure)

A string filter for querying findings.

Value -> (string)

The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

Comparison -> (string)

The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

  • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .
  • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.
EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

To search for values that do not contain the filter criteria value, use one of the following comparison operators:

  • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .
  • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.
NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

  • ResourceType PREFIX AwsIam
  • ResourceType PREFIX AwsEc2
  • ResourceType NOT_EQUALS AwsIamPolicy
  • ResourceType NOT_EQUALS AwsEc2NetworkInterface

Keyword -> (list)

A keyword for a finding.

(structure)

A keyword filter for querying findings.

Value -> (string)

A value for the keyword.

FindingProviderFieldsConfidence -> (list)

The finding provider value for the finding confidence. Confidence is defined as the likelihood that a finding accurately identifies the behavior or issue that it was intended to identify.

Confidence is scored on a 0-100 basis using a ratio scale, where 0 means zero percent confidence and 100 means 100 percent confidence.

(structure)

A number filter for querying findings.

Gte -> (double)

The greater-than-equal condition to be applied to a single field when querying for findings.

Lte -> (double)

The less-than-equal condition to be applied to a single field when querying for findings.

Eq -> (double)

The equal-to condition to be applied to a single field when querying for findings.

FindingProviderFieldsCriticality -> (list)

The finding provider value for the level of importance assigned to the resources associated with the findings.

A score of 0 means that the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources.

(structure)

A number filter for querying findings.

Gte -> (double)

The greater-than-equal condition to be applied to a single field when querying for findings.

Lte -> (double)

The less-than-equal condition to be applied to a single field when querying for findings.

Eq -> (double)

The equal-to condition to be applied to a single field when querying for findings.

FindingProviderFieldsRelatedFindingsId -> (list)

The finding identifier of a related finding that is identified by the finding provider.

(structure)

A string filter for querying findings.

Value -> (string)

The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

Comparison -> (string)

The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

  • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .
  • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.
EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

To search for values that do not contain the filter criteria value, use one of the following comparison operators:

  • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .
  • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.
NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

  • ResourceType PREFIX AwsIam
  • ResourceType PREFIX AwsEc2
  • ResourceType NOT_EQUALS AwsIamPolicy
  • ResourceType NOT_EQUALS AwsEc2NetworkInterface

FindingProviderFieldsRelatedFindingsProductArn -> (list)

The ARN of the solution that generated a related finding that is identified by the finding provider.

(structure)

A string filter for querying findings.

Value -> (string)

The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

Comparison -> (string)

The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

  • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .
  • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.
EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

To search for values that do not contain the filter criteria value, use one of the following comparison operators:

  • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .
  • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.
NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

  • ResourceType PREFIX AwsIam
  • ResourceType PREFIX AwsEc2
  • ResourceType NOT_EQUALS AwsIamPolicy
  • ResourceType NOT_EQUALS AwsEc2NetworkInterface

FindingProviderFieldsSeverityLabel -> (list)

The finding provider value for the severity label.

(structure)

A string filter for querying findings.

Value -> (string)

The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

Comparison -> (string)

The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

  • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .
  • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.
EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

To search for values that do not contain the filter criteria value, use one of the following comparison operators:

  • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .
  • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.
NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

  • ResourceType PREFIX AwsIam
  • ResourceType PREFIX AwsEc2
  • ResourceType NOT_EQUALS AwsIamPolicy
  • ResourceType NOT_EQUALS AwsEc2NetworkInterface

FindingProviderFieldsSeverityOriginal -> (list)

The finding provider's original value for the severity.

(structure)

A string filter for querying findings.

Value -> (string)

The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

Comparison -> (string)

The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

  • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .
  • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.
EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

To search for values that do not contain the filter criteria value, use one of the following comparison operators:

  • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .
  • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.
NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

  • ResourceType PREFIX AwsIam
  • ResourceType PREFIX AwsEc2
  • ResourceType NOT_EQUALS AwsIamPolicy
  • ResourceType NOT_EQUALS AwsEc2NetworkInterface

FindingProviderFieldsTypes -> (list)

One or more finding types that the finding provider assigned to the finding. Uses the format of namespace/category/classifier that classify a finding.

Valid namespace values are: Software and Configuration Checks | TTPs | Effects | Unusual Behaviors | Sensitive Data Identifications

(structure)

A string filter for querying findings.

Value -> (string)

The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

Comparison -> (string)

The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

  • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .
  • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.
EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

To search for values that do not contain the filter criteria value, use one of the following comparison operators:

  • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .
  • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.
NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

  • ResourceType PREFIX AwsIam
  • ResourceType PREFIX AwsEc2
  • ResourceType NOT_EQUALS AwsIamPolicy
  • ResourceType NOT_EQUALS AwsEc2NetworkInterface

GroupByAttribute -> (string)

The grouping attribute for the insight's findings. Indicates how to group the matching findings, and identifies the type of item that the insight applies to. For example, if an insight is grouped by resource identifier, then the insight produces a list of resource identifiers.

NextToken -> (string)

The pagination token to use to request the next page of results.