AWS Security Hub
API Reference (API Version 2018-10-26)

AwsSecurityFindingFilters

A collection of filter attributes. Applied to all active findings that Security Hub has aggregated, they select the subset of findings that an insight includes (the same object is used to filter a GetFindings request). Every attribute is optional, and each is an array of filter objects whose type matches the attribute: StringFilter, NumberFilter, DateFilter, IpFilter, MapFilter or KeywordFilter.

Contents

AwsAccountId

The AWS account ID that a finding is generated in.

Type: Array of StringFilter objects

Required: No

CompanyName

The name of the findings provider (company) that owns the solution (product) that generates findings.

Type: Array of StringFilter objects

Required: No

ComplianceStatus

The compliance status of a finding (for example, PASSED or FAILED). Present only on findings generated by a check run against a specific rule in a supported standard (for example, CIS AWS Foundations), where it records the outcome of that check.

Type: Array of StringFilter objects

Required: No

Confidence

A finding's confidence. Confidence is defined as the likelihood that a finding accurately identifies the behavior or issue that it was intended to identify. Confidence is scored on a 0-100 basis using a ratio scale, where 0 means zero percent confidence and 100 means 100 percent confidence.

Type: Array of NumberFilter objects

Required: No

CreatedAt

An ISO 8601-formatted timestamp that indicates when the security-findings provider created the finding record for the potential security issue it describes. Compare FirstObservedAt and LastObservedAt, which record when the issue itself was observed.

Type: Array of DateFilter objects

Required: No

Criticality

The level of importance assigned to the resources associated with the finding. A score of 0 means that the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources.

Type: Array of NumberFilter objects

Required: No

Description

A finding's description.

Type: Array of StringFilter objects

Required: No

FirstObservedAt

An ISO 8601-formatted timestamp that indicates when the security-findings provider first observed the potential security issue that the finding describes.

Type: Array of DateFilter objects

Required: No

GeneratorId

The identifier for the solution-specific component (a discrete unit of logic) that generated a finding. In various security-findings providers' solutions, this generator can be called a rule, a check, a detector, a plug-in, etc.

Type: Array of StringFilter objects

Required: No

Id

The security findings provider-specific identifier for a finding.

Type: Array of StringFilter objects

Required: No

Keyword

A keyword for a finding.

Type: Array of KeywordFilter objects

Required: No

LastObservedAt

An ISO 8601-formatted timestamp that indicates when the security-findings provider most recently observed the potential security issue that the finding describes.

Type: Array of DateFilter objects

Required: No

MalwareName

The name of the malware that was observed.

Type: Array of StringFilter objects

Required: No

MalwarePath

The filesystem path of the malware that was observed.

Type: Array of StringFilter objects

Required: No

MalwareState

The state of the malware that was observed.

Type: Array of StringFilter objects

Required: No

MalwareType

The type of the malware that was observed.

Type: Array of StringFilter objects

Required: No

NetworkDestinationDomain

The destination domain of network-related information about a finding.

Type: Array of StringFilter objects

Required: No

NetworkDestinationIpV4

The destination IPv4 address of network-related information about a finding.

Type: Array of IpFilter objects

Required: No

NetworkDestinationIpV6

The destination IPv6 address of network-related information about a finding.

Type: Array of IpFilter objects

Required: No

NetworkDestinationPort

The destination port of network-related information about a finding.

Type: Array of NumberFilter objects

Required: No

NetworkDirection

Indicates the direction of network traffic associated with a finding.

Type: Array of StringFilter objects

Required: No

NetworkProtocol

The protocol of network-related information about a finding.

Type: Array of StringFilter objects

Required: No

NetworkSourceDomain

The source domain of network-related information about a finding.

Type: Array of StringFilter objects

Required: No

NetworkSourceIpV4

The source IPv4 address of network-related information about a finding.

Type: Array of IpFilter objects

Required: No

NetworkSourceIpV6

The source IPv6 address of network-related information about a finding.

Type: Array of IpFilter objects

Required: No

NetworkSourceMac

The source media access control (MAC) address of network-related information about a finding.

Type: Array of StringFilter objects

Required: No

NetworkSourcePort

The source port of network-related information about a finding.

Type: Array of NumberFilter objects

Required: No

NoteText

The text of a note.

Type: Array of StringFilter objects

Required: No

NoteUpdatedAt

The timestamp of when the note was last updated.

Type: Array of DateFilter objects

Required: No

NoteUpdatedBy

The principal that created or last updated the note.

Type: Array of StringFilter objects

Required: No

ProcessLaunchedAt

The date/time that the process was launched.

Type: Array of DateFilter objects

Required: No

ProcessName

The name of the process.

Type: Array of StringFilter objects

Required: No

ProcessParentPid

The parent process ID.

Type: Array of NumberFilter objects

Required: No

ProcessPath

The path to the process executable.

Type: Array of StringFilter objects

Required: No

ProcessPid

The process ID.

Type: Array of NumberFilter objects

Required: No

ProcessTerminatedAt

The date/time that the process was terminated.

Type: Array of DateFilter objects

Required: No

ProductArn

The ARN generated by Security Hub that uniquely identifies a third-party company (security findings provider) after this provider's product (solution that generates findings) is registered with Security Hub.

Type: Array of StringFilter objects

Required: No

ProductFields

A data type where security-findings providers can include additional solution-specific details that aren't part of the defined AwsSecurityFinding format.

Type: Array of MapFilter objects

Required: No

ProductName

The name of the solution (product) that generates findings.

Type: Array of StringFilter objects

Required: No

RecommendationText

The recommendation of what to do about the issue described in a finding.

Type: Array of StringFilter objects

Required: No

RecordState

The record state of the finding: ACTIVE, or ARCHIVED once the finding has been archived.

Type: Array of StringFilter objects

Required: No

RelatedFindingsId

The solution-generated identifier for a related finding.

Type: Array of StringFilter objects

Required: No

RelatedFindingsProductArn

The ARN of the solution that generated a related finding.

Type: Array of StringFilter objects

Required: No

ResourceAwsEc2InstanceIamInstanceProfileArn

The ARN of the IAM instance profile attached to the instance.

Type: Array of StringFilter objects

Required: No

ResourceAwsEc2InstanceImageId

The Amazon Machine Image (AMI) ID of the instance.

Type: Array of StringFilter objects

Required: No

ResourceAwsEc2InstanceIpV4Addresses

The IPv4 addresses associated with the instance.

Type: Array of IpFilter objects

Required: No

ResourceAwsEc2InstanceIpV6Addresses

The IPv6 addresses associated with the instance.

Type: Array of IpFilter objects

Required: No

ResourceAwsEc2InstanceKeyName

The name of the key pair associated with the instance.

Type: Array of StringFilter objects

Required: No

ResourceAwsEc2InstanceLaunchedAt

The date/time the instance was launched.

Type: Array of DateFilter objects

Required: No

ResourceAwsEc2InstanceSubnetId

The identifier of the subnet that the instance was launched in.

Type: Array of StringFilter objects

Required: No

ResourceAwsEc2InstanceType

The instance type of the instance.

Type: Array of StringFilter objects

Required: No

ResourceAwsEc2InstanceVpcId

The identifier of the VPC that the instance was launched in.

Type: Array of StringFilter objects

Required: No

ResourceAwsIamAccessKeyCreatedAt

The creation date/time of the IAM access key related to a finding.

Type: Array of DateFilter objects

Required: No

ResourceAwsIamAccessKeyStatus

The status of the IAM access key related to a finding.

Type: Array of StringFilter objects

Required: No

ResourceAwsIamAccessKeyUserName

The user associated with the IAM access key related to a finding.

Type: Array of StringFilter objects

Required: No

ResourceAwsS3BucketOwnerId

The canonical user ID of the owner of the S3 bucket.

Type: Array of StringFilter objects

Required: No

ResourceAwsS3BucketOwnerName

The display name of the owner of the S3 bucket.

Type: Array of StringFilter objects

Required: No

ResourceContainerImageId

The identifier of the image related to a finding.

Type: Array of StringFilter objects

Required: No

ResourceContainerImageName

The name of the image related to a finding.

Type: Array of StringFilter objects

Required: No

ResourceContainerLaunchedAt

The date/time that the container was started.

Type: Array of DateFilter objects

Required: No

ResourceContainerName

The name of the container related to a finding.

Type: Array of StringFilter objects

Required: No

ResourceDetailsOther

The details of a resource that doesn't have a specific subfield for the resource type defined.

Type: Array of MapFilter objects

Required: No

ResourceId

The canonical identifier for the given resource type (for AWS resources, typically the ARN).

Type: Array of StringFilter objects

Required: No

ResourcePartition

The canonical AWS partition name that the Region is assigned to (for example, aws, aws-cn or aws-us-gov).

Type: Array of StringFilter objects

Required: No

ResourceRegion

The canonical AWS external Region name where this resource is located.

Type: Array of StringFilter objects

Required: No

ResourceTags

A list of AWS tags associated with a resource at the time the finding was processed.

Type: Array of MapFilter objects

Required: No

ResourceType

Specifies the type of the resource that details are provided for.

Type: Array of StringFilter objects

Required: No

SeverityLabel

The label of a finding's severity: INFORMATIONAL, LOW, MEDIUM, HIGH or CRITICAL.

Type: Array of StringFilter objects

Required: No

SeverityNormalized

The normalized severity of a finding, on a 0-100 scale that Security Hub uses so that findings from different providers can be compared.

Type: Array of NumberFilter objects

Required: No

SeverityProduct

The native severity as defined by the security-findings provider's solution that generated the finding.

Type: Array of NumberFilter objects

Required: No

SourceUrl

A URL that links to a page about the current finding in the security-findings provider's solution.

Type: Array of StringFilter objects

Required: No

ThreatIntelIndicatorCategory

The category of a threat intel indicator.

Type: Array of StringFilter objects

Required: No

ThreatIntelIndicatorLastObservedAt

The date/time of the last observation of a threat intel indicator.

Type: Array of DateFilter objects

Required: No

ThreatIntelIndicatorSource

The source of the threat intel.

Type: Array of StringFilter objects

Required: No

ThreatIntelIndicatorSourceUrl

The URL for more details from the source of the threat intel.

Type: Array of StringFilter objects

Required: No

ThreatIntelIndicatorType

The type of a threat intel indicator.

Type: Array of StringFilter objects

Required: No

ThreatIntelIndicatorValue

The value of a threat intel indicator.

Type: Array of StringFilter objects

Required: No

Title

A finding's title.

Type: Array of StringFilter objects

Required: No

Type

A finding type in the format of namespace/category/classifier that classifies a finding.

Type: Array of StringFilter objects

Required: No

UpdatedAt

An ISO 8601-formatted timestamp that indicates when the security-findings provider last updated the finding record.

Type: Array of DateFilter objects

Required: No

UserDefinedFields

A list of name/value string pairs associated with the finding. These are custom, user-defined fields added to a finding.

Type: Array of MapFilter objects

Required: No

VerificationState

The veracity of a finding as assessed by an analyst: UNKNOWN, TRUE_POSITIVE, FALSE_POSITIVE or BENIGN_POSITIVE.

Type: Array of StringFilter objects

Required: No

WorkflowState

The workflow state of a finding: NEW, ASSIGNED, IN_PROGRESS, DEFERRED or RESOLVED.

Type: Array of StringFilter objects

Required: No
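Example

The following is an added example written for this page, not code from the Security Hub API reference or the AWS SDKs. It builds an AwsSecurityFindingFilters document with the sub-filter shapes this page lists (StringFilter with Value and Comparison, NumberFilter with Gte/Lte/Eq, DateFilter with a relative DateRange, IpFilter with Cidr), and then applies that document to a few constructed ASFF-style findings with a small local evaluator. The evaluator, its mapping from filter attribute to finding field, and the OR-within-an-attribute / AND-across-attributes semantics are assumptions made for the example; the filter document itself is the JSON you would pass as Filters to GetFindings or CreateInsight.

```python
"""Build an AwsSecurityFindingFilters document of the shape passed as Filters=
to the Security Hub GetFindings and CreateInsight calls, then apply it locally
to constructed ASFF-style findings. Example code for this page, not the API
reference's own; the evaluator and its field mapping are assumptions."""
from datetime import datetime, timedelta, timezone
import ipaddress

def string_filter(value, comparison="EQUALS"):
    """StringFilter: Comparison is EQUALS or PREFIX in API version 2018-10-26."""
    if comparison not in ("EQUALS", "PREFIX"):
        raise ValueError(f"unsupported StringFilter comparison: {comparison}")
    return {"Value": value, "Comparison": comparison}

def number_filter(gte=None, lte=None, eq=None):
    """NumberFilter: any combination of Gte, Lte and Eq."""
    return {k: v for k, v in (("Gte", gte), ("Lte", lte), ("Eq", eq)) if v is not None}

def date_filter(last_days):
    """DateFilter, relative form: a DateRange in DAYS back from now
    (the absolute form uses ISO 8601 Start/End keys instead)."""
    return {"DateRange": {"Value": last_days, "Unit": "DAYS"}}

def ip_filter(cidr):
    """IpFilter: a CIDR block; a bare address becomes a /32 (or /128) network."""
    return {"Cidr": str(ipaddress.ip_network(cidr))}

def triage_filters(account_id, trusted_cidr):
    """Hypothetical 'needs attention now' insight for one account: active,
    unresolved, high-severity EC2 findings updated in the last seven days
    whose source address lies inside trusted_cidr."""
    return {
        "AwsAccountId": [string_filter(account_id)],
        "RecordState": [string_filter("ACTIVE")],
        "WorkflowState": [string_filter("NEW"), string_filter("ASSIGNED")],
        "SeverityNormalized": [number_filter(gte=70)],
        "ResourceType": [string_filter("AwsEc2", comparison="PREFIX")],
        "UpdatedAt": [date_filter(last_days=7)],
        "NetworkSourceIpV4": [ip_filter(trusted_cidr)],
    }

# Assumed mapping from filter attribute to the ASFF path it inspects;
# "*" fans out over a list, since a finding may carry several Resources.
FIELD_PATHS = {
    "AwsAccountId": ("AwsAccountId",), "RecordState": ("RecordState",),
    "WorkflowState": ("WorkflowState",), "UpdatedAt": ("UpdatedAt",),
    "SeverityNormalized": ("Severity", "Normalized"),
    "ResourceType": ("Resources", "*", "Type"),
    "NetworkSourceIpV4": ("Network", "SourceIpV4"),
}

def _values(finding, path):
    nodes = [finding]
    for step in path:
        nodes = ([x for n in nodes if isinstance(n, list) for x in n] if step == "*"
                 else [n[step] for n in nodes if isinstance(n, dict) and step in n])
    return nodes

def _match_one(flt, value, now):
    """Evaluate one filter object of any sub-type against one finding value."""
    if "Comparison" in flt:  # StringFilter
        if flt["Comparison"] == "EQUALS":
            return value == flt["Value"]
        return str(value).startswith(flt["Value"])
    if "Cidr" in flt:  # IpFilter
        return ipaddress.ip_address(value) in ipaddress.ip_network(flt["Cidr"])
    if "DateRange" in flt:  # DateFilter (relative)
        ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
        return ts >= now - timedelta(days=flt["DateRange"]["Value"])
    return (("Gte" not in flt or value >= flt["Gte"])  # NumberFilter
            and ("Lte" not in flt or value <= flt["Lte"])
            and ("Eq" not in flt or value == flt["Eq"]))

def matches(finding, filters, now):
    """Assumed semantics: the entries under one attribute are alternatives (OR),
    every attribute present must match (AND), and a missing field never matches."""
    for key, entries in filters.items():
        values = _values(finding, FIELD_PATHS[key])
        if not any(_match_one(f, v, now) for f in entries for v in values):
            return False
    return True

NOW = datetime(2019, 3, 1, tzinfo=timezone.utc)  # fixed clock for a deterministic run

def sample_findings():
    """Constructed, minimal ASFF-style findings (not real data)."""
    base = {"AwsAccountId": "111122223333", "RecordState": "ACTIVE", "WorkflowState": "NEW",
            "Network": {"SourceIpV4": "10.0.1.25"},
            "Resources": [{"Type": "AwsEc2Instance", "Id": "i-0abc1234example"}]}
    recent, stale = "2019-02-27T10:00:00Z", "2019-01-01T00:00:00Z"
    return [
        {**base, "Id": "f-1", "Severity": {"Normalized": 90}, "UpdatedAt": recent},
        {**base, "Id": "f-2", "Severity": {"Normalized": 40}, "UpdatedAt": recent},  # below Gte 70
        {**base, "Id": "f-3", "Severity": {"Normalized": 95}, "UpdatedAt": stale},   # outside 7 days
        {**base, "Id": "f-4", "Severity": {"Normalized": 95}, "UpdatedAt": recent,
         "Resources": [{"Type": "AwsS3Bucket", "Id": "example-bucket"}]},           # not AwsEc2*
        {**base, "Id": "f-5", "Severity": {"Normalized": 95}, "UpdatedAt": recent,
         "Network": {"SourceIpV4": "203.0.113.9"}},                                  # outside CIDR
    ]

def select_ids(findings, filters, now=NOW):
    """IDs of the findings the filter document selects."""
    return [f["Id"] for f in findings if matches(f, filters, now)]
```

Only f-1 survives triage_filters("111122223333", "10.0.0.0/16"); each of the other constructed findings fails exactly one attribute, which is the property to check before saving a filter as an insight: a filter that is too narrow silently hides findings, and a missing field (for example, a finding with no Network block) never matches an attribute that inspects it. Whichever AWS SDK you use, serialise the returned dictionary unchanged as the Filters parameter; the sub-object key names (Value, Comparison, Gte, DateRange, Cidr) are what the API validates.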
