You are viewing documentation for version 2 of the AWS SDK for Ruby. Version 3 documentation is published separately.

Class: Aws::SecurityHub::Types::AwsSecurityFinding

Inherits:
Struct
  • Object
Defined in:
(unknown)

Overview

Note:

When passing AwsSecurityFinding as input to an Aws::Client method, you can use a vanilla Hash:

{
  schema_version: "NonEmptyString", # required
  id: "NonEmptyString", # required
  product_arn: "NonEmptyString", # required
  generator_id: "NonEmptyString", # required
  aws_account_id: "NonEmptyString", # required
  types: ["NonEmptyString"], # required
  first_observed_at: "NonEmptyString",
  last_observed_at: "NonEmptyString",
  created_at: "NonEmptyString", # required
  updated_at: "NonEmptyString", # required
  severity: { # required
    product: 1.0,
    normalized: 1, # required
  },
  confidence: 1,
  criticality: 1,
  title: "NonEmptyString", # required
  description: "NonEmptyString", # required
  remediation: {
    recommendation: {
      text: "NonEmptyString",
      url: "NonEmptyString",
    },
  },
  source_url: "NonEmptyString",
  product_fields: {
    "NonEmptyString" => "NonEmptyString",
  },
  user_defined_fields: {
    "NonEmptyString" => "NonEmptyString",
  },
  malware: [
    {
      name: "NonEmptyString", # required
      type: "ADWARE", # accepts ADWARE, BLENDED_THREAT, BOTNET_AGENT, COIN_MINER, EXPLOIT_KIT, KEYLOGGER, MACRO, POTENTIALLY_UNWANTED, SPYWARE, RANSOMWARE, REMOTE_ACCESS, ROOTKIT, TROJAN, VIRUS, WORM
      path: "NonEmptyString",
      state: "OBSERVED", # accepts OBSERVED, REMOVAL_FAILED, REMOVED
    },
  ],
  network: {
    direction: "IN", # accepts IN, OUT
    protocol: "NonEmptyString",
    source_ip_v4: "NonEmptyString",
    source_ip_v6: "NonEmptyString",
    source_port: 1,
    source_domain: "NonEmptyString",
    source_mac: "NonEmptyString",
    destination_ip_v4: "NonEmptyString",
    destination_ip_v6: "NonEmptyString",
    destination_port: 1,
    destination_domain: "NonEmptyString",
  },
  process: {
    name: "NonEmptyString",
    path: "NonEmptyString",
    pid: 1,
    parent_pid: 1,
    launched_at: "NonEmptyString",
    terminated_at: "NonEmptyString",
  },
  threat_intel_indicators: [
    {
      type: "DOMAIN", # accepts DOMAIN, EMAIL_ADDRESS, HASH_MD5, HASH_SHA1, HASH_SHA256, HASH_SHA512, IPV4_ADDRESS, IPV6_ADDRESS, MUTEX, PROCESS, URL
      value: "NonEmptyString",
      category: "BACKDOOR", # accepts BACKDOOR, CARD_STEALER, COMMAND_AND_CONTROL, DROP_SITE, EXPLOIT_SITE, KEYLOGGER
      last_observed_at: "NonEmptyString",
      source: "NonEmptyString",
      source_url: "NonEmptyString",
    },
  ],
  resources: [ # required
    {
      type: "NonEmptyString", # required
      id: "NonEmptyString", # required
      partition: "aws", # accepts aws, aws-cn, aws-us-gov
      region: "NonEmptyString",
      tags: {
        "NonEmptyString" => "NonEmptyString",
      },
      details: {
        aws_ec2_instance: {
          type: "NonEmptyString",
          image_id: "NonEmptyString",
          ip_v4_addresses: ["NonEmptyString"],
          ip_v6_addresses: ["NonEmptyString"],
          key_name: "NonEmptyString",
          iam_instance_profile_arn: "NonEmptyString",
          vpc_id: "NonEmptyString",
          subnet_id: "NonEmptyString",
          launched_at: "NonEmptyString",
        },
        aws_s3_bucket: {
          owner_id: "NonEmptyString",
          owner_name: "NonEmptyString",
        },
        aws_iam_access_key: {
          user_name: "NonEmptyString",
          status: "Active", # accepts Active, Inactive
          created_at: "NonEmptyString",
        },
        container: {
          name: "NonEmptyString",
          image_id: "NonEmptyString",
          image_name: "NonEmptyString",
          launched_at: "NonEmptyString",
        },
        other: {
          "NonEmptyString" => "NonEmptyString",
        },
      },
    },
  ],
  compliance: {
    status: "PASSED", # accepts PASSED, WARNING, FAILED, NOT_AVAILABLE
  },
  verification_state: "UNKNOWN", # accepts UNKNOWN, TRUE_POSITIVE, FALSE_POSITIVE, BENIGN_POSITIVE
  workflow_state: "NEW", # accepts NEW, ASSIGNED, IN_PROGRESS, DEFERRED, RESOLVED
  record_state: "ACTIVE", # accepts ACTIVE, ARCHIVED
  related_findings: [
    {
      product_arn: "NonEmptyString", # required
      id: "NonEmptyString", # required
    },
  ],
  note: {
    text: "NonEmptyString", # required
    updated_by: "NonEmptyString", # required
    updated_at: "NonEmptyString", # required
  },
}

Provides a consistent format for the contents of Security Hub-aggregated findings. The AwsSecurityFinding format lets AWS security services, integrated third-party solutions, and compliance checks share findings in one schema.

A finding is a potential security issue generated either by AWS services (Amazon GuardDuty, Amazon Inspector, and Amazon Macie) or by the integrated third-party solutions and compliance checks.
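The hash above is the type's template with placeholder strings. The following is an added example, not code from the SDK documentation, that fills in a concrete finding of that shape and checks it against the rules this page states (required keys, ISO8601 timestamps, 0-100 integer scales for severity.normalized, confidence and criticality, and a type and id on every resource) before it would be handed to the client. The ARNs, account ID and generator name are constructed placeholders.

```ruby
require 'time'

# Keys the page marks "# required" in the input hash.
REQUIRED_KEYS = %i[schema_version id product_arn generator_id aws_account_id
                   types created_at updated_at severity title description
                   resources].freeze
TIMESTAMP_KEYS = %i[created_at updated_at first_observed_at last_observed_at].freeze
PERCENT_KEYS   = %i[confidence criticality].freeze

# Collects every defect instead of failing on the first, so a producer can
# report all problems of a finding at once. Returns an array of strings;
# an empty array means the finding passes these checks.
def finding_problems(finding)
  problems = []

  REQUIRED_KEYS.each do |key|
    value = finding[key]
    missing = value.nil? || (value.respond_to?(:empty?) && value.empty?)
    problems << "#{key} is required" if missing
  end

  # Timestamps must be ISO8601; Time.iso8601 raises ArgumentError otherwise.
  TIMESTAMP_KEYS.each do |key|
    next unless finding.key?(key)
    begin
      Time.iso8601(finding[key].to_s)
    rescue ArgumentError
      problems << "#{key} is not ISO8601"
    end
  end

  # severity.normalized, confidence and criticality are integers on a 0-100 scale.
  normalized = finding.dig(:severity, :normalized)
  unless normalized.is_a?(Integer) && (0..100).cover?(normalized)
    problems << 'severity.normalized must be an integer 0-100'
  end
  PERCENT_KEYS.each do |key|
    next unless finding.key?(key)
    value = finding[key]
    next if value.is_a?(Integer) && (0..100).cover?(value)
    problems << "#{key} must be an integer 0-100"
  end

  # Every resource entry needs at least a type and an id.
  Array(finding[:resources]).each_with_index do |resource, i|
    next if resource.is_a?(Hash) && resource[:type] && resource[:id]
    problems << "resources[#{i}] needs type and id"
  end

  problems
end

NOW = Time.now.utc.iso8601

# Constructed finding: a world-reachable SSH rule on one EC2 instance.
# The ARNs, account ID and generator_id are placeholders, not real values.
EXAMPLE_FINDING = {
  schema_version: '2018-10-08',
  id: 'arn:aws:securityhub:us-east-1:111122223333:subscription/example/finding/0001',
  product_arn: 'arn:aws:securityhub:us-east-1:111122223333:product/111122223333/default',
  generator_id: 'example-scanner/ssh-open-to-world',
  aws_account_id: '111122223333',
  types: ['Software and Configuration Checks/AWS Security Best Practices/Network Reachability'],
  first_observed_at: NOW,
  created_at: NOW,
  updated_at: NOW,
  severity: { product: 7.5, normalized: 75 },
  confidence: 90,
  criticality: 60,
  title: 'Security group allows SSH from 0.0.0.0/0',
  description: 'Inbound rule permits TCP/22 from any IPv4 address.',
  remediation: { recommendation: { text: 'Restrict port 22 to trusted CIDR ranges.' } },
  resources: [{
    type: 'AwsEc2Instance',
    id: 'arn:aws:ec2:us-east-1:111122223333:instance/i-0123456789abcdef0',
    partition: 'aws',
    region: 'us-east-1'
  }],
  record_state: 'ACTIVE',
  workflow_state: 'NEW'
}.freeze

# With the SDK loaded the hash is passed as-is to
#   Aws::SecurityHub::Client.new(region: 'us-east-1')
#     .batch_import_findings(findings: [EXAMPLE_FINDING])
# The network call is left out so this example runs offline.
```

Running the checks locally matters because the service rejects a whole batch entry on a missing required field, and a wrong `severity.normalized` (for example a product score above 100 copied in unchanged) silently skews every downstream severity filter.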

Instance Attribute Details

#aws_account_idString

The AWS account ID that a finding is generated in.

Returns:

  • (String)

    The AWS account ID that a finding is generated in.

#complianceTypes::Compliance

This data type is exclusive to findings that are generated as the result of a check run against a specific rule in a supported standard (for example, CIS AWS Foundations). Contains compliance-related finding details.

Returns:

  • (Types::Compliance)

    This data type is exclusive to findings that are generated as the result of a check run against a specific rule in a supported standard (for example, CIS AWS Foundations).

#confidenceInteger

A finding's confidence. Confidence is defined as the likelihood that a finding accurately identifies the behavior or issue that it was intended to identify. Confidence is scored on a 0-100 basis using a ratio scale, where 0 means zero percent confidence and 100 means 100 percent confidence.

Returns:

  • (Integer)

    A finding's confidence.

#created_atString

An ISO8601-formatted timestamp that indicates when the security-findings provider created the potential security issue that a finding captured.

Returns:

  • (String)

    An ISO8601-formatted timestamp that indicates when the security-findings provider created the potential security issue that a finding captured.

#criticalityInteger

The level of importance assigned to the resources associated with the finding. A score of 0 means that the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources.

Returns:

  • (Integer)

    The level of importance assigned to the resources associated with the finding.

#descriptionString

A finding's description.

In this release, Description is a required property.

Returns:

  • (String)

    A finding's description.

#first_observed_atString

An ISO8601-formatted timestamp that indicates when the security-findings provider first observed the potential security issue that a finding captured.

Returns:

  • (String)

    An ISO8601-formatted timestamp that indicates when the security-findings provider first observed the potential security issue that a finding captured.

#generator_idString

The identifier for the solution-specific component (a discrete unit of logic) that generated a finding. In various security-findings providers' solutions, this generator can be called a rule, a check, a detector, a plug-in, etc.

Returns:

  • (String)

    The identifier for the solution-specific component (a discrete unit of logic) that generated a finding.

#idString

The security findings provider-specific identifier for a finding.

Returns:

  • (String)

    The security findings provider-specific identifier for a finding.

#last_observed_atString

An ISO8601-formatted timestamp that indicates when the security-findings provider most recently observed the potential security issue that a finding captured.

Returns:

  • (String)

    An ISO8601-formatted timestamp that indicates when the security-findings provider most recently observed the potential security issue that a finding captured.

#malwareArray<Types::Malware>

A list of malware related to a finding.

Returns:

  • (Array<Types::Malware>)

    A list of malware related to a finding.

#networkTypes::Network

The details of network-related information about a finding.

Returns:

  • (Types::Network)

    The details of network-related information about a finding.

#noteTypes::Note

A user-defined note added to a finding.

Returns:

  • (Types::Note)

    A user-defined note added to a finding.

#processTypes::ProcessDetails

The details of process-related information about a finding.

Returns:

  • (Types::ProcessDetails)

    The details of process-related information about a finding.

#product_arnString

The ARN generated by Security Hub that uniquely identifies a third-party company (security-findings provider) after this provider's product (solution that generates findings) is registered with Security Hub.

Returns:

  • (String)

    The ARN generated by Security Hub that uniquely identifies a third-party company (security-findings provider) after this provider's product (solution that generates findings) is registered with Security Hub.

#product_fieldsHash<String,String>

A data type where security-findings providers can include additional solution-specific details that aren't part of the defined AwsSecurityFinding format.

Returns:

  • (Hash<String,String>)

    A data type where security-findings providers can include additional solution-specific details that aren't part of the defined AwsSecurityFinding format.

#record_stateString

The record state of a finding.

Possible values:

  • ACTIVE
  • ARCHIVED

Returns:

  • (String)

    The record state of a finding.

#related_findingsArray<Types::RelatedFinding>

A list of related findings.

Returns:

  • (Array<Types::RelatedFinding>)

    A list of related findings.

#remediationTypes::Remediation

A data type that describes the remediation options for a finding.

Returns:

  • (Types::Remediation)

    A data type that describes the remediation options for a finding.

#resourcesArray<Types::Resource>

A set of resource data types that describe the resources that the finding refers to.

Returns:

  • (Array<Types::Resource>)

    A set of resource data types that describe the resources that the finding refers to.

#schema_versionString

The schema version that a finding is formatted for.

Returns:

  • (String)

    The schema version that a finding is formatted for.

#severityTypes::Severity

A finding's severity.

Returns:

  • (Types::Severity)

    A finding's severity.

#source_urlString

A URL that links to a page about the current finding in the security-findings provider's solution.

Returns:

  • (String)

    A URL that links to a page about the current finding in the security-findings provider's solution.

#threat_intel_indicatorsArray<Types::ThreatIntelIndicator>

Threat intel details related to a finding.

Returns:

  • (Array<Types::ThreatIntelIndicator>)

    Threat intel details related to a finding.

#titleString

A finding's title.

In this release, Title is a required property.

Returns:

  • (String)

    A finding's title.

#typesArray<String>

One or more finding types in the format of namespace/category/classifier that classify a finding.

Valid namespace values:

  • Software and Configuration Checks
  • TTPs
  • Effects
  • Unusual Behaviors
  • Sensitive Data Identifications

Returns:

  • (Array<String>)

    One or more finding types in the format of namespace/category/classifier that classify a finding.
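The namespace/category/classifier format is easy to get subtly wrong when a producer assembles type strings from its own taxonomy. The block below is an added example, not part of the SDK or its documentation: it parses a type string into its three parts, accepts only the five namespaces listed on this page, and partitions or groups a finding's `types` so malformed entries can be dropped before import. The sample type strings are constructed, and treating the classifier as optional (and allowing it to contain further `/` characters) is an assumption of this example.

```ruby
# The five namespaces this page lists as valid.
VALID_NAMESPACES = [
  'Software and Configuration Checks',
  'TTPs',
  'Effects',
  'Unusual Behaviors',
  'Sensitive Data Identifications'
].freeze

FindingType = Struct.new(:namespace, :category, :classifier)

# Returns a FindingType, or nil when the string does not match the format.
# Assumption: namespace and category are required, the classifier is optional
# and may itself contain '/', so the split is limited to three parts.
def parse_finding_type(type_string)
  namespace, category, classifier = type_string.to_s.split('/', 3)
  return nil unless VALID_NAMESPACES.include?(namespace)
  return nil if category.nil? || category.strip.empty?

  FindingType.new(namespace, category, classifier)
end

# Splits a finding's `types` array into entries that parse and entries that
# do not, so a producer can fix or drop the malformed ones before import.
def partition_types(type_strings)
  valid, invalid = Array(type_strings).partition { |t| parse_finding_type(t) }
  { valid: valid, invalid: invalid }
end

# Groups parsed types by namespace; a consumer can route on this, for
# example sending every 'TTPs' finding to the incident-response queue.
def types_by_namespace(type_strings)
  Array(type_strings).each_with_object(Hash.new { |h, k| h[k] = [] }) do |t, acc|
    parsed = parse_finding_type(t)
    acc[parsed.namespace] << parsed if parsed
  end
end

# Constructed sample input: three well-formed types, one with an unknown
# namespace, and one with no category at all.
SAMPLE_TYPES = [
  'TTPs/Initial Access/EC2-BruteForce',
  'Software and Configuration Checks/AWS Security Best Practices/Network Reachability',
  'Effects/Data Exposure',
  'Bogus Namespace/Category/Classifier',
  'TTPs'
].freeze
```

Because `VALID_NAMESPACES` is compared exactly, a producer that emits `ttps/...` or `Software And Configuration Checks/...` lands in the invalid set, which is the intended behaviour: the namespace is what consumers filter on, so a near-miss spelling would make the finding invisible to those filters.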

#updated_atString

An ISO8601-formatted timestamp that indicates when the security-findings provider last updated the finding record.

Returns:

  • (String)

    An ISO8601-formatted timestamp that indicates when the security-findings provider last updated the finding record.

#user_defined_fieldsHash<String,String>

A set of name/value string pairs associated with the finding. These are custom, user-defined fields added to a finding.

Returns:

  • (Hash<String,String>)

    A set of name/value string pairs associated with the finding.

#verification_stateString

Indicates the veracity of a finding.

Possible values:

  • UNKNOWN
  • TRUE_POSITIVE
  • FALSE_POSITIVE
  • BENIGN_POSITIVE

Returns:

  • (String)

    Indicates the veracity of a finding.

#workflow_stateString

The workflow state of a finding.

Possible values:

  • NEW
  • ASSIGNED
  • IN_PROGRESS
  • DEFERRED
  • RESOLVED

Returns:

  • (String)

    The workflow state of a finding.
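The three state fields (record_state, verification_state and workflow_state) are meant to be read together: an ARCHIVED record is history, a FALSE_POSITIVE or BENIGN_POSITIVE verification has already dismissed the finding, and DEFERRED or RESOLVED means nobody should be working it. The block below is an added example, not code from the SDK documentation, that turns those values plus severity.normalized into an analyst triage queue. The triage policy (which workflow states count as open, which verification states dismiss, the default severity threshold) and the sample findings are assumptions constructed for this example.

```ruby
# Policy assumptions for this example, not Security Hub rules.
OPEN_WORKFLOW_STATES     = %w[NEW ASSIGNED IN_PROGRESS].freeze
DISMISSING_VERIFICATIONS = %w[FALSE_POSITIVE BENIGN_POSITIVE].freeze

# Returns the findings an analyst should look at next, most severe first,
# with NEW ahead of ASSIGNED/IN_PROGRESS at equal severity.
#   - only ACTIVE records are considered; ARCHIVED ones are historical
#   - DEFERRED and RESOLVED workflow states are excluded
#   - findings already verified FALSE_POSITIVE or BENIGN_POSITIVE are excluded
#   - severity.normalized must reach min_severity (0-100 scale)
def triage_queue(findings, min_severity: 70)
  findings
    .select { |f| f[:record_state] == 'ACTIVE' }
    .select { |f| OPEN_WORKFLOW_STATES.include?(f[:workflow_state]) }
    .reject { |f| DISMISSING_VERIFICATIONS.include?(f[:verification_state]) }
    .select { |f| f.dig(:severity, :normalized).to_i >= min_severity }
    .sort_by { |f| [-f.dig(:severity, :normalized).to_i, f[:workflow_state] == 'NEW' ? 0 : 1] }
end

# Counts findings per [workflow_state, verification_state] pair, which
# exposes a backlog of NEW findings nobody has verified yet.
def state_summary(findings)
  findings.each_with_object(Hash.new(0)) do |f, counts|
    counts[[f[:workflow_state], f[:verification_state]]] += 1
  end
end

# Constructed sample findings; only the fields used here are filled in.
SAMPLE_FINDINGS = [
  { id: 'f-1', severity: { normalized: 90 }, record_state: 'ACTIVE',   workflow_state: 'NEW',         verification_state: 'UNKNOWN' },
  { id: 'f-2', severity: { normalized: 95 }, record_state: 'ARCHIVED', workflow_state: 'NEW',         verification_state: 'UNKNOWN' },
  { id: 'f-3', severity: { normalized: 70 }, record_state: 'ACTIVE',   workflow_state: 'RESOLVED',    verification_state: 'TRUE_POSITIVE' },
  { id: 'f-4', severity: { normalized: 80 }, record_state: 'ACTIVE',   workflow_state: 'NEW',         verification_state: 'FALSE_POSITIVE' },
  { id: 'f-5', severity: { normalized: 40 }, record_state: 'ACTIVE',   workflow_state: 'IN_PROGRESS', verification_state: 'UNKNOWN' },
  { id: 'f-6', severity: { normalized: 85 }, record_state: 'ACTIVE',   workflow_state: 'DEFERRED',    verification_state: 'BENIGN_POSITIVE' }
].freeze
```

Note that f-2, the most severe sample, never reaches the queue because it is ARCHIVED, and f-4 is dropped despite being NEW because its verification_state already says FALSE_POSITIVE; filtering on severity alone would surface both and waste analyst time.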