AWS::SecurityHub::AutomationRule AutomationRulesFindingFilters

The criteria that determine which findings a rule applies to.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{
  "AwsAccountId" : [ StringFilter, ... ],
  "CompanyName" : [ StringFilter, ... ],
  "ComplianceAssociatedStandardsId" : [ StringFilter, ... ],
  "ComplianceSecurityControlId" : [ StringFilter, ... ],
  "ComplianceStatus" : [ StringFilter, ... ],
  "Confidence" : [ NumberFilter, ... ],
  "CreatedAt" : [ DateFilter, ... ],
  "Criticality" : [ NumberFilter, ... ],
  "Description" : [ StringFilter, ... ],
  "FirstObservedAt" : [ DateFilter, ... ],
  "GeneratorId" : [ StringFilter, ... ],
  "Id" : [ StringFilter, ... ],
  "LastObservedAt" : [ DateFilter, ... ],
  "NoteText" : [ StringFilter, ... ],
  "NoteUpdatedAt" : [ DateFilter, ... ],
  "NoteUpdatedBy" : [ StringFilter, ... ],
  "ProductArn" : [ StringFilter, ... ],
  "ProductName" : [ StringFilter, ... ],
  "RecordState" : [ StringFilter, ... ],
  "RelatedFindingsId" : [ StringFilter, ... ],
  "RelatedFindingsProductArn" : [ StringFilter, ... ],
  "ResourceDetailsOther" : [ MapFilter, ... ],
  "ResourceId" : [ StringFilter, ... ],
  "ResourcePartition" : [ StringFilter, ... ],
  "ResourceRegion" : [ StringFilter, ... ],
  "ResourceTags" : [ MapFilter, ... ],
  "ResourceType" : [ StringFilter, ... ],
  "SeverityLabel" : [ StringFilter, ... ],
  "SourceUrl" : [ StringFilter, ... ],
  "Title" : [ StringFilter, ... ],
  "Type" : [ StringFilter, ... ],
  "UpdatedAt" : [ DateFilter, ... ],
  "UserDefinedFields" : [ MapFilter, ... ],
  "VerificationState" : [ StringFilter, ... ],
  "WorkflowStatus" : [ StringFilter, ... ]
}

YAML

  AwsAccountId: 
    - StringFilter
  CompanyName: 
    - StringFilter
  ComplianceAssociatedStandardsId: 
    - StringFilter
  ComplianceSecurityControlId: 
    - StringFilter
  ComplianceStatus: 
    - StringFilter
  Confidence: 
    - NumberFilter
  CreatedAt: 
    - DateFilter
  Criticality: 
    - NumberFilter
  Description: 
    - StringFilter
  FirstObservedAt: 
    - DateFilter
  GeneratorId: 
    - StringFilter
  Id: 
    - StringFilter
  LastObservedAt: 
    - DateFilter
  NoteText: 
    - StringFilter
  NoteUpdatedAt: 
    - DateFilter
  NoteUpdatedBy: 
    - StringFilter
  ProductArn: 
    - StringFilter
  ProductName: 
    - StringFilter
  RecordState: 
    - StringFilter
  RelatedFindingsId: 
    - StringFilter
  RelatedFindingsProductArn: 
    - StringFilter
  ResourceDetailsOther: 
    - MapFilter
  ResourceId: 
    - StringFilter
  ResourcePartition: 
    - StringFilter
  ResourceRegion: 
    - StringFilter
  ResourceTags: 
    - MapFilter
  ResourceType: 
    - StringFilter
  SeverityLabel: 
    - StringFilter
  SourceUrl: 
    - StringFilter
  Title: 
    - StringFilter
  Type: 
    - StringFilter
  UpdatedAt: 
    - DateFilter
  UserDefinedFields: 
    - MapFilter
  VerificationState: 
    - StringFilter
  WorkflowStatus: 
    - StringFilter

Properties

AwsAccountId

The AWS account ID in which a finding was generated.

Array Members: Minimum number of 1 item. Maximum number of 100 items.

Required: No

Type: Array of StringFilter

Maximum: 100

Update requires: No interruption

CompanyName

The name of the company for the product that generated the finding. For control-based findings, the company is AWS.

Array Members: Minimum number of 1 item. Maximum number of 20 items.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

ComplianceAssociatedStandardsId

The unique identifier of a standard in which a control is enabled. This field consists of the resource portion of the Amazon Resource Name (ARN) returned for a standard in the DescribeStandards API response.

Array Members: Minimum number of 1 item. Maximum number of 20 items.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

ComplianceSecurityControlId

The security control ID for which a finding was generated. Security control IDs are the same across standards.

Array Members: Minimum number of 1 item. Maximum number of 20 items.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

ComplianceStatus

The result of a security check. This field is only used for findings generated from controls.

Array Members: Minimum number of 1 item. Maximum number of 20 items.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

Confidence

The likelihood that a finding accurately identifies the behavior or issue that it was intended to identify. Confidence is scored on a 0–100 basis using a ratio scale. A value of 0 means 0 percent confidence, and a value of 100 means 100 percent confidence. For example, a data exfiltration detection based on a statistical deviation of network traffic has low confidence because an actual exfiltration hasn't been verified. For more information, see Confidence in the AWS Security Hub User Guide.

Array Members: Minimum number of 1 item. Maximum number of 20 items.

Required: No

Type: Array of NumberFilter

Maximum: 20

Update requires: No interruption

CreatedAt

A timestamp that indicates when this finding record was created.

This field accepts only the specified formats. Timestamps can end with Z or ("+" / "-") time-hour [":" time-minute]. The time-secfrac after seconds is limited to a maximum of 9 digits. The offset is bounded by +/-18:00. Here are valid timestamp formats with examples:

• YYYY-MM-DDTHH:MM:SSZ (for example, 2019-01-31T23:00:00Z)

• YYYY-MM-DDTHH:MM:SS.mmmmmmmmmZ (for example, 2019-01-31T23:00:00.123456789Z)

• YYYY-MM-DDTHH:MM:SS+HH:MM (for example, 2024-01-04T15:25:10+17:59)

• YYYY-MM-DDTHH:MM:SS-HHMM (for example, 2024-01-04T15:25:10-1759)

• YYYY-MM-DDTHH:MM:SS.mmmmmmmmm+HH:MM (for example, 2024-01-04T15:25:10.123456789+17:59)

Array Members: Minimum number of 1 item. Maximum number of 20 items.

Required: No

Type: Array of DateFilter

Maximum: 20

Update requires: No interruption

Criticality

The level of importance that is assigned to the resources that are associated with a finding. Criticality is scored on a 0–100 basis, using a ratio scale that supports only full integers. A score of 0 means that the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources. For more information, see Criticality in the AWS Security Hub User Guide.

Array Members: Minimum number of 1 item. Maximum number of 20 items.

Required: No

Type: Array of NumberFilter

Maximum: 20

Update requires: No interruption

Description

A finding's description.

Array Members: Minimum number of 1 item. Maximum number of 20 items.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

FirstObservedAt

A timestamp that indicates when the potential security issue captured by a finding was first observed by the security findings product.

This field accepts only the specified formats. Timestamps can end with Z or ("+" / "-") time-hour [":" time-minute]. The time-secfrac after seconds is limited to a maximum of 9 digits. The offset is bounded by +/-18:00. Here are valid timestamp formats with examples:

• YYYY-MM-DDTHH:MM:SSZ (for example, 2019-01-31T23:00:00Z)

• YYYY-MM-DDTHH:MM:SS.mmmmmmmmmZ (for example, 2019-01-31T23:00:00.123456789Z)

• YYYY-MM-DDTHH:MM:SS+HH:MM (for example, 2024-01-04T15:25:10+17:59)

• YYYY-MM-DDTHH:MM:SS-HHMM (for example, 2024-01-04T15:25:10-1759)

• YYYY-MM-DDTHH:MM:SS.mmmmmmmmm+HH:MM (for example, 2024-01-04T15:25:10.123456789+17:59)

Array Members: Minimum number of 1 item. Maximum number of 20 items.

Required: No

Type: Array of DateFilter

Maximum: 20

Update requires: No interruption

GeneratorId

The identifier for the solution-specific component that generated a finding.

Array Members: Minimum number of 1 item. Maximum number of 100 items.

Required: No

Type: Array of StringFilter

Maximum: 100

Update requires: No interruption

Id

The product-specific identifier for a finding.

Array Members: Minimum number of 1 item. Maximum number of 20 items.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

LastObservedAt

A timestamp that indicates when the potential security issue captured by a finding was most recently observed by the security findings product.

This field accepts only the specified formats. Timestamps can end with Z or ("+" / "-") time-hour [":" time-minute]. The time-secfrac after seconds is limited to a maximum of 9 digits. The offset is bounded by +/-18:00. Here are valid timestamp formats with examples:

• YYYY-MM-DDTHH:MM:SSZ (for example, 2019-01-31T23:00:00Z)

• YYYY-MM-DDTHH:MM:SS.mmmmmmmmmZ (for example, 2019-01-31T23:00:00.123456789Z)

• YYYY-MM-DDTHH:MM:SS+HH:MM (for example, 2024-01-04T15:25:10+17:59)

• YYYY-MM-DDTHH:MM:SS-HHMM (for example, 2024-01-04T15:25:10-1759)

• YYYY-MM-DDTHH:MM:SS.mmmmmmmmm+HH:MM (for example, 2024-01-04T15:25:10.123456789+17:59)

Array Members: Minimum number of 1 item. Maximum number of 20 items.

Required: No

Type: Array of DateFilter

Maximum: 20

Update requires: No interruption

NoteText

The text of a user-defined note that's added to a finding.

Array Members: Minimum number of 1 item. Maximum number of 20 items.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

NoteUpdatedAt

The timestamp of when the note was updated.

This field accepts only the specified formats. Timestamps can end with Z or ("+" / "-") time-hour [":" time-minute]. The time-secfrac after seconds is limited to a maximum of 9 digits. The offset is bounded by +/-18:00. Here are valid timestamp formats with examples:

• YYYY-MM-DDTHH:MM:SSZ (for example, 2019-01-31T23:00:00Z)

• YYYY-MM-DDTHH:MM:SS.mmmmmmmmmZ (for example, 2019-01-31T23:00:00.123456789Z)

• YYYY-MM-DDTHH:MM:SS+HH:MM (for example, 2024-01-04T15:25:10+17:59)

• YYYY-MM-DDTHH:MM:SS-HHMM (for example, 2024-01-04T15:25:10-1759)

• YYYY-MM-DDTHH:MM:SS.mmmmmmmmm+HH:MM (for example, 2024-01-04T15:25:10.123456789+17:59)

Array Members: Minimum number of 1 item. Maximum number of 20 items.

Required: No

Type: Array of DateFilter

Maximum: 20

Update requires: No interruption

NoteUpdatedBy

The principal that created a note.

Array Members: Minimum number of 1 item. Maximum number of 20 items.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

ProductArn

The Amazon Resource Name (ARN) for a third-party product that generated a finding in Security Hub.

Array Members: Minimum number of 1 item. Maximum number of 20 items.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

ProductName

Provides the name of the product that generated the finding. For control-based findings, the product name is Security Hub.

Array Members: Minimum number of 1 item. Maximum number of 20 items.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

RecordState

Provides the current state of a finding.

Array Members: Minimum number of 1 item. Maximum number of 20 items.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

RelatedFindingsId

The product-generated identifier for a related finding.

Array Members: Minimum number of 1 item. Maximum number of 20 items.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

RelatedFindingsProductArn

The ARN for the product that generated a related finding.

Array Members: Minimum number of 1 item. Maximum number of 20 items.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

ResourceDetailsOther

Custom fields and values about the resource that a finding pertains to.

Array Members: Minimum number of 1 item. Maximum number of 20 items.

Required: No

Type: Array of MapFilter

Maximum: 20

Update requires: No interruption

ResourceId

The identifier for the given resource type. For AWS resources that are identified by Amazon Resource Names (ARNs), this is the ARN. For AWS resources that lack ARNs, this is the identifier as defined by the AWS service that created the resource. For non-AWS resources, this is a unique identifier that is associated with the resource.

Array Members: Minimum number of 1 item. Maximum number of 100 items.

Required: No

Type: Array of StringFilter

Maximum: 100

Update requires: No interruption

ResourcePartition

The partition in which the resource that the finding pertains to is located. A partition is a group of AWS Regions. Each AWS account is scoped to one partition.

Array Members: Minimum number of 1 item. Maximum number of 20 items.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

ResourceRegion

The AWS Region where the resource that a finding pertains to is located.

Array Members: Minimum number of 1 item. Maximum number of 20 items.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

ResourceTags

A list of AWS tags associated with a resource at the time the finding was processed.

Array Members: Minimum number of 1 item. Maximum number of 20 items.

Required: No

Type: Array of MapFilter

Maximum: 20

Update requires: No interruption

ResourceType

A finding's title.

Array Members: Minimum number of 1 item. Maximum number of 100 items.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

SeverityLabel

The severity value of the finding.

Array Members: Minimum number of 1 item. Maximum number of 20 items.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

SourceUrl

Provides a URL that links to a page about the current finding in the finding product.

Array Members: Minimum number of 1 item. Maximum number of 20 items.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

Title

A finding's title.

Array Members: Minimum number of 1 item. Maximum number of 100 items.

Required: No

Type: Array of StringFilter

Maximum: 100

Update requires: No interruption

Type

One or more finding types in the format of namespace/category/classifier that classify a finding. For a list of namespaces, classifiers, and categories, see Types taxonomy for ASFF in the AWS Security Hub User Guide.

Array Members: Minimum number of 1 item. Maximum number of 20 items.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

UpdatedAt

A timestamp that indicates when the finding record was most recently updated.

This field accepts only the specified formats. Timestamps can end with Z or ("+" / "-") time-hour [":" time-minute]. The time-secfrac after seconds is limited to a maximum of 9 digits. The offset is bounded by +/-18:00. Here are valid timestamp formats with examples:

• YYYY-MM-DDTHH:MM:SSZ (for example, 2019-01-31T23:00:00Z)

• YYYY-MM-DDTHH:MM:SS.mmmmmmmmmZ (for example, 2019-01-31T23:00:00.123456789Z)

• YYYY-MM-DDTHH:MM:SS+HH:MM (for example, 2024-01-04T15:25:10+17:59)

• YYYY-MM-DDTHH:MM:SS-HHMM (for example, 2024-01-04T15:25:10-1759)

• YYYY-MM-DDTHH:MM:SS.mmmmmmmmm+HH:MM (for example, 2024-01-04T15:25:10.123456789+17:59)

Array Members: Minimum number of 1 item. Maximum number of 20 items.

Required: No

Type: Array of DateFilter

Maximum: 20

Update requires: No interruption

UserDefinedFields

A list of user-defined name and value string pairs added to a finding.

Array Members: Minimum number of 1 item. Maximum number of 20 items.

Required: No

Type: Array of MapFilter

Maximum: 20

Update requires: No interruption

VerificationState

Provides the veracity of a finding.

Array Members: Minimum number of 1 item. Maximum number of 20 items.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

WorkflowStatus

Provides information about the status of the investigation into a finding.

Array Members: Minimum number of 1 item. Maximum number of 20 items.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption