AwsSecurityFinding - AWS Security Hub

AwsSecurityFinding

Provides a consistent format for the contents of Security Hub-aggregated findings. The AwsSecurityFinding format enables findings to be shared between AWS security services, third-party solutions, and security standards checks.

Note

A finding is a potential security issue generated either by AWS services (Amazon GuardDuty, Amazon Inspector, and Amazon Macie) or by the integrated third-party solutions and standards checks.

Contents

AwsAccountId

The AWS account ID that a finding is generated in.

Type: String

Pattern: .*\S.*

Required: Yes

Compliance

This data type is exclusive to findings that are generated as the result of a check run against a specific rule in a supported security standard, such as CIS AWS Foundations. Contains security standard-related finding details.

Type: Compliance object

Required: No

Confidence

A finding's confidence. Confidence is defined as the likelihood that a finding accurately identifies the behavior or issue that it was intended to identify.

Confidence is scored on a 0-100 basis using a ratio scale, where 0 means zero percent confidence and 100 means 100 percent confidence.

Type: Integer

Required: No

CreatedAt

Indicates when the security-findings provider created the potential security issue that a finding captured.

Uses the date-time format specified in RFC 3339 section 5.6, Internet Date/Time Format. The value cannot contain spaces. For example, 2020-03-22T13:22:13.933Z.

Type: String

Pattern: .*\S.*

Required: Yes

Criticality

The level of importance assigned to the resources associated with the finding.

A score of 0 means that the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources.

Type: Integer

Required: No

Description

A finding's description.

Note

In this release, Description is a required property.

Type: String

Pattern: .*\S.*

Required: Yes

FirstObservedAt

Indicates when the security-findings provider first observed the potential security issue that a finding captured.

Uses the date-time format specified in RFC 3339 section 5.6, Internet Date/Time Format. The value cannot contain spaces. For example, 2020-03-22T13:22:13.933Z.

Type: String

Pattern: .*\S.*

Required: No

GeneratorId

The identifier for the solution-specific component (a discrete unit of logic) that generated a finding. In various security-findings providers' solutions, this generator can be called a rule, a check, a detector, a plugin, etc.

Type: String

Pattern: .*\S.*

Required: Yes

Id

The security-findings provider-specific identifier for a finding.

Type: String

Pattern: .*\S.*

Required: Yes

LastObservedAt

Indicates when the security-findings provider most recently observed the potential security issue that a finding captured.

Uses the date-time format specified in RFC 3339 section 5.6, Internet Date/Time Format. The value cannot contain spaces. For example, 2020-03-22T13:22:13.933Z.

Type: String

Pattern: .*\S.*

Required: No

Malware

A list of malware related to a finding.

Type: Array of Malware objects

Required: No

Network

The details of network-related information about a finding.

Type: Network object

Required: No

NetworkPath

Provides information about a network path that is relevant to a finding. Each entry under NetworkPath represents a component of that path.

Type: Array of NetworkPathComponent objects

Required: No

Note

A user-defined note added to a finding.

Type: Note object

Required: No

Process

The details of process-related information about a finding.

Type: ProcessDetails object

Required: No

ProductArn

The ARN generated by Security Hub that uniquely identifies a product that generates findings. This can be the ARN for a third-party product that is integrated with Security Hub, or the ARN for a custom integration.

Type: String

Pattern: .*\S.*

Required: Yes

ProductFields

A data type where security-findings providers can include additional solution-specific details that aren't part of the defined AwsSecurityFinding format.

Type: String to string map

Key Pattern: .*\S.*

Value Pattern: .*\S.*

Required: No

RecordState

The record state of a finding.

Type: String

Valid Values: ACTIVE | ARCHIVED

Required: No

RelatedFindings

A list of related findings.

Type: Array of RelatedFinding objects

Required: No

Remediation

A data type that describes the remediation options for a finding.

Type: Remediation object

Required: No

Resources

A set of resource data types that describe the resources that the finding refers to.

Type: Array of Resource objects

Required: Yes

SchemaVersion

The schema version that a finding is formatted for.

Type: String

Pattern: .*\S.*

Required: Yes

Severity

A finding's severity.

Type: Severity object

Required: Yes

SourceUrl

A URL that links to a page about the current finding in the security-findings provider's solution.

Type: String

Pattern: .*\S.*

Required: No

ThreatIntelIndicators

Threat intelligence details related to a finding.

Type: Array of ThreatIntelIndicator objects

Required: No

Title

A finding's title.

Note

In this release, Title is a required property.

Type: String

Pattern: .*\S.*

Required: Yes

Types

One or more finding types in the format of namespace/category/classifier that classify a finding.

Valid namespace values are: Software and Configuration Checks | TTPs | Effects | Unusual Behaviors | Sensitive Data Identifications

Type: Array of strings

Pattern: .*\S.*

Required: Yes

UpdatedAt

Indicates when the security-findings provider last updated the finding record.

Uses the date-time format specified in RFC 3339 section 5.6, Internet Date/Time Format. The value cannot contain spaces. For example, 2020-03-22T13:22:13.933Z.

Type: String

Pattern: .*\S.*

Required: Yes

UserDefinedFields

A list of name/value string pairs associated with the finding. These are custom, user-defined fields added to a finding.

Type: String to string map

Key Pattern: .*\S.*

Value Pattern: .*\S.*

Required: No

VerificationState

Indicates the veracity of a finding.

Type: String

Valid Values: UNKNOWN | TRUE_POSITIVE | FALSE_POSITIVE | BENIGN_POSITIVE

Required: No

Vulnerabilities

Provides a list of vulnerabilities associated with the findings.

Type: Array of Vulnerability objects

Required: No

Workflow

Provides information about the status of the investigation into a finding.

Type: Workflow object

Required: No

WorkflowState

This member has been deprecated.

The workflow state of a finding.

Type: String

Valid Values: NEW | ASSIGNED | IN_PROGRESS | DEFERRED | RESOLVED

Required: No
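As an added example (not code from the Security Hub documentation or the AWS SDKs), the following Python validator checks a finding dictionary against the rules this reference states: the required members, the .*\S.* pattern, RFC 3339 timestamps without spaces, the 0-100 range for Confidence and Criticality, the Types namespaces, and the enumerated values of RecordState, VerificationState and WorkflowState. The sample finding at the end is constructed; its account ID, ARN and identifiers are placeholders.

```python
import re
from datetime import datetime
# Field rules taken from the AwsSecurityFinding reference above.
REQUIRED = ("AwsAccountId", "CreatedAt", "Description", "GeneratorId", "Id", "ProductArn",
            "Resources", "SchemaVersion", "Severity", "Title", "Types", "UpdatedAt")
NON_BLANK = re.compile(r".*\S.*")  # the ".*\S.*" pattern: at least one non-whitespace character
TIMESTAMPS = ("CreatedAt", "FirstObservedAt", "LastObservedAt", "UpdatedAt")
NAMESPACES = {"Software and Configuration Checks", "TTPs", "Effects",
              "Unusual Behaviors", "Sensitive Data Identifications"}
ENUMS = {"RecordState": {"ACTIVE", "ARCHIVED"},
         "VerificationState": {"UNKNOWN", "TRUE_POSITIVE", "FALSE_POSITIVE", "BENIGN_POSITIVE"},
         "WorkflowState": {"NEW", "ASSIGNED", "IN_PROGRESS", "DEFERRED", "RESOLVED"}}

def is_rfc3339(value) -> bool:
    """RFC 3339 section 5.6 date-time with no spaces, e.g. 2020-03-22T13:22:13.933Z."""
    if not isinstance(value, str) or " " in value:
        return False
    try:
        datetime.fromisoformat(value.replace("Z", "+00:00"))  # 'Z' suffix for Python < 3.11
        return True
    except ValueError:
        return False

def validate_finding(finding: dict) -> list:
    """Return a list of problems; an empty list means the finding passes these checks."""
    errors = [f"{n}: required field missing" for n in REQUIRED if n not in finding]
    for name, value in finding.items():
        if isinstance(value, str) and not NON_BLANK.match(value):
            errors.append(f"{name}: must match .*\\S.*")
    for name in TIMESTAMPS:
        if name in finding and not is_rfc3339(finding[name]):
            errors.append(f"{name}: not an RFC 3339 date-time without spaces")
    for name in ("Confidence", "Criticality"):
        if name in finding and not (isinstance(finding[name], int) and 0 <= finding[name] <= 100):
            errors.append(f"{name}: must be an integer from 0 to 100")
    for t in finding.get("Types", []):  # only the namespace is enumerated by the reference
        if "/" not in t or t.split("/")[0] not in NAMESPACES:
            errors.append(f"Types: {t!r} does not use a valid namespace/category/classifier")
    for name, allowed in ENUMS.items():
        if name in finding and finding[name] not in allowed:
            errors.append(f"{name}: {finding[name]!r} not in {sorted(allowed)}")
    return errors

# Constructed sample finding; account ID, ARN and IDs are placeholders, not real values.
SAMPLE = {"SchemaVersion": "2018-10-08", "Id": "example-finding-0001", "AwsAccountId": "111122223333",
          "ProductArn": "arn:aws:securityhub:us-east-1:111122223333:product/111122223333/default",
          "GeneratorId": "example-check-1", "Title": "Example finding", "Description": "Example",
          "CreatedAt": "2020-03-22T13:22:13.933Z", "UpdatedAt": "2020-03-22T13:22:13.933Z",
          "Severity": {"Label": "LOW"}, "Resources": [{"Type": "Other", "Id": "example-resource"}],
          "Types": ["Software and Configuration Checks/Vulnerabilities/CVE"], "Confidence": 90}
```

Running validate_finding on a finding before calling BatchImportFindings catches the rejections this reference describes (blank strings, timestamps with spaces, unknown enum values) locally rather than in the API response.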

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: