You are viewing documentation for version 2 of the AWS SDK for Ruby. Version 3 has separate documentation.

Class: Aws::SecurityHub::Types::AwsSecurityFinding

Inherits: Struct
  • Object
Defined in: (unknown)

Overview

Note:

When passing AwsSecurityFinding as input to an Aws::Client method, you can use a vanilla Hash:

{
  schema_version: "NonEmptyString", # required
  id: "NonEmptyString", # required
  product_arn: "NonEmptyString", # required
  generator_id: "NonEmptyString", # required
  aws_account_id: "NonEmptyString", # required
  types: ["NonEmptyString"], # required
  first_observed_at: "NonEmptyString",
  last_observed_at: "NonEmptyString",
  created_at: "NonEmptyString", # required
  updated_at: "NonEmptyString", # required
  severity: { # required
    product: 1.0,
    label: "INFORMATIONAL", # accepts INFORMATIONAL, LOW, MEDIUM, HIGH, CRITICAL
    normalized: 1,
  },
  confidence: 1,
  criticality: 1,
  title: "NonEmptyString", # required
  description: "NonEmptyString", # required
  remediation: {
    recommendation: {
      text: "NonEmptyString",
      url: "NonEmptyString",
    },
  },
  source_url: "NonEmptyString",
  product_fields: {
    "NonEmptyString" => "NonEmptyString",
  },
  user_defined_fields: {
    "NonEmptyString" => "NonEmptyString",
  },
  malware: [
    {
      name: "NonEmptyString", # required
      type: "ADWARE", # accepts ADWARE, BLENDED_THREAT, BOTNET_AGENT, COIN_MINER, EXPLOIT_KIT, KEYLOGGER, MACRO, POTENTIALLY_UNWANTED, SPYWARE, RANSOMWARE, REMOTE_ACCESS, ROOTKIT, TROJAN, VIRUS, WORM
      path: "NonEmptyString",
      state: "OBSERVED", # accepts OBSERVED, REMOVAL_FAILED, REMOVED
    },
  ],
  network: {
    direction: "IN", # accepts IN, OUT
    protocol: "NonEmptyString",
    source_ip_v4: "NonEmptyString",
    source_ip_v6: "NonEmptyString",
    source_port: 1,
    source_domain: "NonEmptyString",
    source_mac: "NonEmptyString",
    destination_ip_v4: "NonEmptyString",
    destination_ip_v6: "NonEmptyString",
    destination_port: 1,
    destination_domain: "NonEmptyString",
  },
  process: {
    name: "NonEmptyString",
    path: "NonEmptyString",
    pid: 1,
    parent_pid: 1,
    launched_at: "NonEmptyString",
    terminated_at: "NonEmptyString",
  },
  threat_intel_indicators: [
    {
      type: "DOMAIN", # accepts DOMAIN, EMAIL_ADDRESS, HASH_MD5, HASH_SHA1, HASH_SHA256, HASH_SHA512, IPV4_ADDRESS, IPV6_ADDRESS, MUTEX, PROCESS, URL
      value: "NonEmptyString",
      category: "BACKDOOR", # accepts BACKDOOR, CARD_STEALER, COMMAND_AND_CONTROL, DROP_SITE, EXPLOIT_SITE, KEYLOGGER
      last_observed_at: "NonEmptyString",
      source: "NonEmptyString",
      source_url: "NonEmptyString",
    },
  ],
  resources: [ # required
    {
      type: "NonEmptyString", # required
      id: "NonEmptyString", # required
      partition: "aws", # accepts aws, aws-cn, aws-us-gov
      region: "NonEmptyString",
      tags: {
        "NonEmptyString" => "NonEmptyString",
      },
      details: {
        aws_code_build_project: {
          encryption_key: "NonEmptyString",
          environment: {
            certificate: "NonEmptyString",
            image_pull_credentials_type: "NonEmptyString",
            registry_credential: {
              credential: "NonEmptyString",
              credential_provider: "NonEmptyString",
            },
            type: "NonEmptyString",
          },
          name: "NonEmptyString",
          source: {
            type: "NonEmptyString",
            location: "NonEmptyString",
            git_clone_depth: 1,
            insecure_ssl: false,
          },
          service_role: "NonEmptyString",
          vpc_config: {
            vpc_id: "NonEmptyString",
            subnets: ["NonEmptyString"],
            security_group_ids: ["NonEmptyString"],
          },
        },
        aws_cloud_front_distribution: {
          domain_name: "NonEmptyString",
          etag: "NonEmptyString",
          last_modified_time: "NonEmptyString",
          logging: {
            bucket: "NonEmptyString",
            enabled: false,
            include_cookies: false,
            prefix: "NonEmptyString",
          },
          origins: {
            items: [
              {
                domain_name: "NonEmptyString",
                id: "NonEmptyString",
                origin_path: "NonEmptyString",
              },
            ],
          },
          status: "NonEmptyString",
          web_acl_id: "NonEmptyString",
        },
        aws_ec2_instance: {
          type: "NonEmptyString",
          image_id: "NonEmptyString",
          ip_v4_addresses: ["NonEmptyString"],
          ip_v6_addresses: ["NonEmptyString"],
          key_name: "NonEmptyString",
          iam_instance_profile_arn: "NonEmptyString",
          vpc_id: "NonEmptyString",
          subnet_id: "NonEmptyString",
          launched_at: "NonEmptyString",
        },
        aws_ec2_network_interface: {
          attachment: {
            attach_time: "NonEmptyString",
            attachment_id: "NonEmptyString",
            delete_on_termination: false,
            device_index: 1,
            instance_id: "NonEmptyString",
            instance_owner_id: "NonEmptyString",
            status: "NonEmptyString",
          },
          network_interface_id: "NonEmptyString",
          security_groups: [
            {
              group_name: "NonEmptyString",
              group_id: "NonEmptyString",
            },
          ],
          source_dest_check: false,
        },
        aws_ec2_security_group: {
          group_name: "NonEmptyString",
          group_id: "NonEmptyString",
          owner_id: "NonEmptyString",
          vpc_id: "NonEmptyString",
          ip_permissions: [
            {
              ip_protocol: "NonEmptyString",
              from_port: 1,
              to_port: 1,
              user_id_group_pairs: [
                {
                  group_id: "NonEmptyString",
                  group_name: "NonEmptyString",
                  peering_status: "NonEmptyString",
                  user_id: "NonEmptyString",
                  vpc_id: "NonEmptyString",
                  vpc_peering_connection_id: "NonEmptyString",
                },
              ],
              ip_ranges: [
                {
                  cidr_ip: "NonEmptyString",
                },
              ],
              ipv_6_ranges: [
                {
                  cidr_ipv_6: "NonEmptyString",
                },
              ],
              prefix_list_ids: [
                {
                  prefix_list_id: "NonEmptyString",
                },
              ],
            },
          ],
          ip_permissions_egress: [
            {
              ip_protocol: "NonEmptyString",
              from_port: 1,
              to_port: 1,
              user_id_group_pairs: [
                {
                  group_id: "NonEmptyString",
                  group_name: "NonEmptyString",
                  peering_status: "NonEmptyString",
                  user_id: "NonEmptyString",
                  vpc_id: "NonEmptyString",
                  vpc_peering_connection_id: "NonEmptyString",
                },
              ],
              ip_ranges: [
                {
                  cidr_ip: "NonEmptyString",
                },
              ],
              ipv_6_ranges: [
                {
                  cidr_ipv_6: "NonEmptyString",
                },
              ],
              prefix_list_ids: [
                {
                  prefix_list_id: "NonEmptyString",
                },
              ],
            },
          ],
        },
        aws_elbv_2_load_balancer: {
          availability_zones: [
            {
              zone_name: "NonEmptyString",
              subnet_id: "NonEmptyString",
            },
          ],
          canonical_hosted_zone_id: "NonEmptyString",
          created_time: "NonEmptyString",
          dns_name: "NonEmptyString",
          ip_address_type: "NonEmptyString",
          scheme: "NonEmptyString",
          security_groups: ["NonEmptyString"],
          state: {
            code: "NonEmptyString",
            reason: "NonEmptyString",
          },
          type: "NonEmptyString",
          vpc_id: "NonEmptyString",
        },
        aws_elasticsearch_domain: {
          access_policies: "NonEmptyString",
          domain_endpoint_options: {
            enforce_https: false,
            tls_security_policy: "NonEmptyString",
          },
          domain_id: "NonEmptyString",
          domain_name: "NonEmptyString",
          endpoint: "NonEmptyString",
          endpoints: {
            "NonEmptyString" => "NonEmptyString",
          },
          elasticsearch_version: "NonEmptyString",
          encryption_at_rest_options: {
            enabled: false,
            kms_key_id: "NonEmptyString",
          },
          node_to_node_encryption_options: {
            enabled: false,
          },
          vpc_options: {
            availability_zones: ["NonEmptyString"],
            security_group_ids: ["NonEmptyString"],
            subnet_ids: ["NonEmptyString"],
            vpc_id: "NonEmptyString",
          },
        },
        aws_s3_bucket: {
          owner_id: "NonEmptyString",
          owner_name: "NonEmptyString",
          created_at: "NonEmptyString",
          server_side_encryption_configuration: {
            rules: [
              {
                apply_server_side_encryption_by_default: {
                  sse_algorithm: "NonEmptyString",
                  kms_master_key_id: "NonEmptyString",
                },
              },
            ],
          },
        },
        aws_s3_object: {
          last_modified: "NonEmptyString",
          etag: "NonEmptyString",
          version_id: "NonEmptyString",
          content_type: "NonEmptyString",
          server_side_encryption: "NonEmptyString",
          ssekms_key_id: "NonEmptyString",
        },
        aws_iam_access_key: {
          user_name: "NonEmptyString",
          status: "Active", # accepts Active, Inactive
          created_at: "NonEmptyString",
          principal_id: "NonEmptyString",
          principal_type: "NonEmptyString",
          principal_name: "NonEmptyString",
        },
        aws_iam_role: {
          assume_role_policy_document: "AwsIamRoleAssumeRolePolicyDocument",
          create_date: "NonEmptyString",
          role_id: "NonEmptyString",
          role_name: "NonEmptyString",
          max_session_duration: 1,
          path: "NonEmptyString",
        },
        aws_kms_key: {
          aws_account_id: "NonEmptyString",
          creation_date: 1.0,
          key_id: "NonEmptyString",
          key_manager: "NonEmptyString",
          key_state: "NonEmptyString",
          origin: "NonEmptyString",
        },
        aws_lambda_function: {
          code: {
            s3_bucket: "NonEmptyString",
            s3_key: "NonEmptyString",
            s3_object_version: "NonEmptyString",
            zip_file: "NonEmptyString",
          },
          code_sha_256: "NonEmptyString",
          dead_letter_config: {
            target_arn: "NonEmptyString",
          },
          environment: {
            variables: {
              "NonEmptyString" => "NonEmptyString",
            },
            error: {
              error_code: "NonEmptyString",
              message: "NonEmptyString",
            },
          },
          function_name: "NonEmptyString",
          handler: "NonEmptyString",
          kms_key_arn: "NonEmptyString",
          last_modified: "NonEmptyString",
          layers: [
            {
              arn: "NonEmptyString",
              code_size: 1,
            },
          ],
          master_arn: "NonEmptyString",
          memory_size: 1,
          revision_id: "NonEmptyString",
          role: "NonEmptyString",
          runtime: "NonEmptyString",
          timeout: 1,
          tracing_config: {
            mode: "NonEmptyString",
          },
          vpc_config: {
            security_group_ids: ["NonEmptyString"],
            subnet_ids: ["NonEmptyString"],
            vpc_id: "NonEmptyString",
          },
          version: "NonEmptyString",
        },
        aws_lambda_layer_version: {
          version: 1,
          compatible_runtimes: ["NonEmptyString"],
          created_date: "NonEmptyString",
        },
        aws_rds_db_instance: {
          associated_roles: [
            {
              role_arn: "NonEmptyString",
              feature_name: "NonEmptyString",
              status: "NonEmptyString",
            },
          ],
          ca_certificate_identifier: "NonEmptyString",
          db_cluster_identifier: "NonEmptyString",
          db_instance_identifier: "NonEmptyString",
          db_instance_class: "NonEmptyString",
          db_instance_port: 1,
          dbi_resource_id: "NonEmptyString",
          db_name: "NonEmptyString",
          deletion_protection: false,
          endpoint: {
            address: "NonEmptyString",
            port: 1,
            hosted_zone_id: "NonEmptyString",
          },
          engine: "NonEmptyString",
          engine_version: "NonEmptyString",
          iam_database_authentication_enabled: false,
          instance_create_time: "NonEmptyString",
          kms_key_id: "NonEmptyString",
          publicly_accessible: false,
          storage_encrypted: false,
          tde_credential_arn: "NonEmptyString",
          vpc_security_groups: [
            {
              vpc_security_group_id: "NonEmptyString",
              status: "NonEmptyString",
            },
          ],
        },
        aws_sns_topic: {
          kms_master_key_id: "NonEmptyString",
          subscription: [
            {
              endpoint: "NonEmptyString",
              protocol: "NonEmptyString",
            },
          ],
          topic_name: "NonEmptyString",
          owner: "NonEmptyString",
        },
        aws_sqs_queue: {
          kms_data_key_reuse_period_seconds: 1,
          kms_master_key_id: "NonEmptyString",
          queue_name: "NonEmptyString",
          dead_letter_target_arn: "NonEmptyString",
        },
        aws_waf_web_acl: {
          name: "NonEmptyString",
          default_action: "NonEmptyString",
          rules: [
            {
              action: {
                type: "NonEmptyString",
              },
              excluded_rules: [
                {
                  rule_id: "NonEmptyString",
                },
              ],
              override_action: {
                type: "NonEmptyString",
              },
              priority: 1,
              rule_id: "NonEmptyString",
              type: "NonEmptyString",
            },
          ],
          web_acl_id: "NonEmptyString",
        },
        container: {
          name: "NonEmptyString",
          image_id: "NonEmptyString",
          image_name: "NonEmptyString",
          launched_at: "NonEmptyString",
        },
        other: {
          "NonEmptyString" => "NonEmptyString",
        },
      },
    },
  ],
  compliance: {
    status: "PASSED", # accepts PASSED, WARNING, FAILED, NOT_AVAILABLE
    related_requirements: ["NonEmptyString"],
  },
  verification_state: "UNKNOWN", # accepts UNKNOWN, TRUE_POSITIVE, FALSE_POSITIVE, BENIGN_POSITIVE
  workflow_state: "NEW", # accepts NEW, ASSIGNED, IN_PROGRESS, DEFERRED, RESOLVED
  workflow: {
    status: "NEW", # accepts NEW, NOTIFIED, RESOLVED, SUPPRESSED
  },
  record_state: "ACTIVE", # accepts ACTIVE, ARCHIVED
  related_findings: [
    {
      product_arn: "NonEmptyString", # required
      id: "NonEmptyString", # required
    },
  ],
  note: {
    text: "NonEmptyString", # required
    updated_by: "NonEmptyString", # required
    updated_at: "NonEmptyString", # required
  },
}

Provides a consistent format for the contents of Security Hub-aggregated findings. The AwsSecurityFinding format enables you to share findings between AWS security services, third-party solutions, and security standards checks.

A finding is a potential security issue generated either by AWS services (Amazon GuardDuty, Amazon Inspector, and Amazon Macie) or by the integrated third-party solutions and standards checks.
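Added example, not code from the SDK or its documentation: a Ruby validator that checks a finding hash against the shape above before it is submitted, covering the required keys, the enumerations listed in the hash comments, the ISO8601-formatted *_at attributes, the 0-100 confidence and criticality scores, and the namespace/category/classifier form described under #types. The sample finding, its ARNs, account ID, bucket name and the AwsS3Bucket resource type are constructed placeholders; the validator is a local pre-check and does not call the Security Hub API.

```ruby
require "time"
# Enumerations and required keys, taken from the AwsSecurityFinding hash shape above.
SEVERITY_LABELS   = %w[INFORMATIONAL LOW MEDIUM HIGH CRITICAL].freeze
RECORD_STATES     = %w[ACTIVE ARCHIVED].freeze
WORKFLOW_STATUSES = %w[NEW NOTIFIED RESOLVED SUPPRESSED].freeze
TYPE_NAMESPACES   = ["Software and Configuration Checks", "TTPs", "Effects",
                     "Unusual Behaviors", "Sensitive Data Identifications"].freeze
REQUIRED_KEYS     = %i[schema_version id product_arn generator_id aws_account_id types
                       created_at updated_at severity title description resources].freeze

def blank?(v)
  v.nil? || (v.respond_to?(:empty?) && v.empty?)
end

# Checks a finding hash against the documented shape before it is submitted.
# Returns an array of error strings; an empty array means every check passed.
def validate_finding(f)
  errors = []
  score_ok = ->(v) { v.is_a?(Integer) && v.between?(0, 100) }
  REQUIRED_KEYS.each { |k| errors << "missing required #{k}" if blank?(f[k]) }

  # The *_at attributes are documented as ISO8601-formatted timestamps.
  %i[created_at updated_at first_observed_at last_observed_at].each do |k|
    next if f[k].nil?
    begin
      Time.iso8601(f[k].to_s)
    rescue ArgumentError
      errors << "#{k} is not ISO8601: #{f[k].inspect}"
    end
  end

  # Finding types use the namespace/category/classifier form described under #types.
  Array(f[:types]).each do |t|
    ns, cat, cls = t.to_s.split("/", 3)
    errors << "type #{t.inspect} is not namespace/category/classifier" if [ns, cat, cls].any? { |p| blank?(p) }
    errors << "type #{t.inspect} has an unknown namespace" unless TYPE_NAMESPACES.include?(ns)
  end
  sev = f[:severity].is_a?(Hash) ? f[:severity] : {}
  errors << "severity.label #{sev[:label].inspect} is not valid" if sev.key?(:label) && !SEVERITY_LABELS.include?(sev[:label])
  errors << "severity.normalized must be 0-100" if sev.key?(:normalized) && !score_ok.call(sev[:normalized])
  %i[confidence criticality].each { |k| errors << "#{k} must be 0-100" if f.key?(k) && !score_ok.call(f[k]) }
  Array(f[:resources]).each_with_index do |r, i|
    errors << "resources[#{i}] needs type and id" unless r.is_a?(Hash) && !blank?(r[:type]) && !blank?(r[:id])
  end
  errors << "record_state must be ACTIVE or ARCHIVED" if f.key?(:record_state) && !RECORD_STATES.include?(f[:record_state])
  errors << "workflow.status is not valid" if f[:workflow].is_a?(Hash) && !WORKFLOW_STATUSES.include?(f[:workflow][:status])
  errors
end

# Constructed sample finding: the ARNs, account ID and bucket name are placeholders.
SAMPLE_FINDING = {
  schema_version: "2018-10-08",
  id: "example-finding-0001",
  product_arn: "arn:aws:securityhub:us-east-1:123456789012:product/123456789012/default",
  generator_id: "example-check/s3-bucket-public-read",
  aws_account_id: "123456789012",
  types: ["Software and Configuration Checks/AWS Security Best Practices/S3 Bucket Public Access"],
  created_at: "2020-05-01T12:00:00Z",
  updated_at: "2020-05-01T12:00:00Z",
  severity: { label: "HIGH", normalized: 70 },
  criticality: 60,
  title: "S3 bucket allows public read",
  description: "Bucket example-bucket grants s3:GetObject to AllUsers.",
  resources: [{ type: "AwsS3Bucket", id: "arn:aws:s3:::example-bucket", partition: "aws", region: "us-east-1" }],
  record_state: "ACTIVE",
  workflow: { status: "NEW" },
}.freeze
# A deliberately broken copy: invalid severity label, malformed type, non-ISO8601 timestamp.
BROKEN_FINDING = SAMPLE_FINDING.merge(severity: { label: "SEVERE" }, types: ["Effects"], updated_at: "yesterday").freeze
```

Run `validate_finding` on a hash before handing it to the client; a non-empty result is the list of fields the service would be expected to reject.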

Instance Attribute Summary

Instance Attribute Details

#aws_account_id ⇒ String

The AWS account ID that a finding is generated in.

Returns:

  • (String)

    The AWS account ID that a finding is generated in.

#compliance ⇒ Types::Compliance

This data type is exclusive to findings that are generated as the result of a check run against a specific rule in a supported security standard, such as CIS AWS Foundations. Contains security standard-related finding details.

Returns:

  • (Types::Compliance)

    This data type is exclusive to findings that are generated as the result of a check run against a specific rule in a supported security standard, such as CIS AWS Foundations.

#confidence ⇒ Integer

A finding's confidence. Confidence is defined as the likelihood that a finding accurately identifies the behavior or issue that it was intended to identify.

Confidence is scored on a 0-100 basis using a ratio scale, where 0 means zero percent confidence and 100 means 100 percent confidence.

Returns:

  • (Integer)

    A finding's confidence.

#created_at ⇒ String

An ISO8601-formatted timestamp that indicates when the security-findings provider created the potential security issue that a finding captured.

Returns:

  • (String)

    An ISO8601-formatted timestamp that indicates when the security-findings provider created the potential security issue that a finding captured.

#criticality ⇒ Integer

The level of importance assigned to the resources associated with the finding.

A score of 0 means that the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources.

Returns:

  • (Integer)

    The level of importance assigned to the resources associated with the finding.

#description ⇒ String

A finding's description.

In this release, Description is a required property.

Returns:

  • (String)

    A finding's description.

#first_observed_at ⇒ String

An ISO8601-formatted timestamp that indicates when the security-findings provider first observed the potential security issue that a finding captured.

Returns:

  • (String)

    An ISO8601-formatted timestamp that indicates when the security-findings provider first observed the potential security issue that a finding captured.

#generator_id ⇒ String

The identifier for the solution-specific component (a discrete unit of logic) that generated a finding. In various security-findings providers' solutions, this generator can be called a rule, a check, a detector, a plug-in, etc.

Returns:

  • (String)

    The identifier for the solution-specific component (a discrete unit of logic) that generated a finding.

#id ⇒ String

The security findings provider-specific identifier for a finding.

Returns:

  • (String)

    The security findings provider-specific identifier for a finding.

#last_observed_at ⇒ String

An ISO8601-formatted timestamp that indicates when the security-findings provider most recently observed the potential security issue that a finding captured.

Returns:

  • (String)

    An ISO8601-formatted timestamp that indicates when the security-findings provider most recently observed the potential security issue that a finding captured.

#malware ⇒ Array<Types::Malware>

A list of malware related to a finding.

Returns:

  • (Array<Types::Malware>)

    A list of malware related to a finding.

#network ⇒ Types::Network

The details of network-related information about a finding.

Returns:

  • (Types::Network)

    The details of network-related information about a finding.

#note ⇒ Types::Note

A user-defined note added to a finding.

Returns:

  • (Types::Note)

    A user-defined note added to a finding.

#process ⇒ Types::ProcessDetails

The details of process-related information about a finding.

Returns:

  • (Types::ProcessDetails)

    The details of process-related information about a finding.

#product_arn ⇒ String

The ARN generated by Security Hub that uniquely identifies a product that generates findings. This can be the ARN for a third-party product that is integrated with Security Hub, or the ARN for a custom integration.

Returns:

  • (String)

    The ARN generated by Security Hub that uniquely identifies a product that generates findings.

#product_fields ⇒ Hash<String,String>

A data type where security-findings providers can include additional solution-specific details that aren't part of the defined AwsSecurityFinding format.

Returns:

  • (Hash<String,String>)

    A data type where security-findings providers can include additional solution-specific details that aren't part of the defined AwsSecurityFinding format.

#record_state ⇒ String

The record state of a finding.

Possible values:

  • ACTIVE
  • ARCHIVED

Returns:

  • (String)

    The record state of a finding.

#related_findings ⇒ Array<Types::RelatedFinding>

A list of related findings.

Returns:

  • (Array<Types::RelatedFinding>)

    A list of related findings.

#remediation ⇒ Types::Remediation

A data type that describes the remediation options for a finding.

Returns:

  • (Types::Remediation)

    A data type that describes the remediation options for a finding.

#resources ⇒ Array<Types::Resource>

A set of resource data types that describe the resources that the finding refers to.

Returns:

  • (Array<Types::Resource>)

    A set of resource data types that describe the resources that the finding refers to.

#schema_version ⇒ String

The schema version that a finding is formatted for.

Returns:

  • (String)

    The schema version that a finding is formatted for.

#severity ⇒ Types::Severity

A finding's severity.

Returns:

  • (Types::Severity)

    A finding's severity.

#source_url ⇒ String

A URL that links to a page about the current finding in the security-findings provider's solution.

Returns:

  • (String)

    A URL that links to a page about the current finding in the security-findings provider's solution.

#threat_intel_indicators ⇒ Array<Types::ThreatIntelIndicator>

Threat intelligence details related to a finding.

Returns:

  • (Array<Types::ThreatIntelIndicator>)

    Threat intelligence details related to a finding.

#title ⇒ String

A finding's title.

In this release, Title is a required property.

Returns:

  • (String)

    A finding's title.

#types ⇒ Array<String>

One or more finding types in the format of namespace/category/classifier that classify a finding.

Valid namespace values are: Software and Configuration Checks | TTPs | Effects | Unusual Behaviors | Sensitive Data Identifications

Returns:

  • (Array<String>)

    One or more finding types in the format of namespace/category/classifier that classify a finding.

#updated_at ⇒ String

An ISO8601-formatted timestamp that indicates when the security-findings provider last updated the finding record.

Returns:

  • (String)

    An ISO8601-formatted timestamp that indicates when the security-findings provider last updated the finding record.

#user_defined_fields ⇒ Hash<String,String>

A list of name/value string pairs associated with the finding. These are custom, user-defined fields added to a finding.

Returns:

  • (Hash<String,String>)

    A list of name/value string pairs associated with the finding.

#verification_state ⇒ String

Indicates the veracity of a finding.

Possible values:

  • UNKNOWN
  • TRUE_POSITIVE
  • FALSE_POSITIVE
  • BENIGN_POSITIVE

Returns:

  • (String)

    Indicates the veracity of a finding.

#workflow ⇒ Types::Workflow

Provides information about the status of the investigation into a finding.

Returns:

  • (Types::Workflow)

    Provides information about the status of the investigation into a finding.

#workflow_state ⇒ String

The workflow state of a finding.

Possible values:

  • NEW
  • ASSIGNED
  • IN_PROGRESS
  • DEFERRED
  • RESOLVED

Returns:

  • (String)

    The workflow state of a finding.