BatchUpdateFindings for customers - AWS Security Hub

Security Hub customers, and entities acting on their behalf, can use the BatchUpdateFindings operation to update information related to a customer's processing of Security Hub findings from finding providers. A customer or a SIEM, ticketing, incident management, or SOAR tool that works on behalf of a customer can use this operation.

You can't use BatchUpdateFindings to create new findings. You can use it to update up to 100 findings at a time. In your request, you specify which AWS Security Finding Format (ASFF) fields you want to update.

When Security Hub receives a BatchUpdateFindings request to update a finding, it automatically generates a Security Hub Findings - Imported event in Amazon EventBridge. You can take automated action on that event. For information, see Using EventBridge for automated response and remediation.

BatchUpdateFindings doesn't change the UpdatedAt field for the finding. UpdatedAt reflects the most recent update from the finding provider.
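The following is an added example, not code from the AWS documentation, of how a SOAR tool or script acting on a customer's behalf might call BatchUpdateFindings while respecting the 100-finding limit stated above. It assumes `client` is any object exposing boto3's SecurityHub `batch_update_findings` method; the `FakeSecurityHubClient`, the finding ids and the product ARN are constructed placeholders so that the example runs offline.

```python
"""Added example: batching BatchUpdateFindings requests at the documented
100-finding limit. Not AWS documentation code. `client` is assumed to be any
object exposing boto3's SecurityHub batch_update_findings method; the
FakeSecurityHubClient below is a constructed stand-in so the example runs
offline."""

MAX_FINDINGS_PER_REQUEST = 100  # limit stated for BatchUpdateFindings


def chunk(items, size=MAX_FINDINGS_PER_REQUEST):
    """Split a list into consecutive slices of at most `size` elements."""
    return [items[i:i + size] for i in range(0, len(items), size)]


def finding_identifiers(finding_ids, product_arn):
    """Each FindingIdentifier needs the finding Id and its ProductArn."""
    return [{"Id": fid, "ProductArn": product_arn} for fid in finding_ids]


def update_workflow(client, finding_ids, product_arn, status, note_text, updated_by):
    """Set Workflow.Status and attach a Note to every finding, sending at most
    100 identifiers per call. Returns the processed count and the
    UnprocessedFindings entries so the caller can retry or alert on them."""
    processed, unprocessed = 0, []
    for batch in chunk(finding_identifiers(finding_ids, product_arn)):
        response = client.batch_update_findings(
            FindingIdentifiers=batch,
            Workflow={"Status": status},
            Note={"Text": note_text, "UpdatedBy": updated_by},
        )
        processed += len(response.get("ProcessedFindings", []))
        unprocessed.extend(response.get("UnprocessedFindings", []))
    return {"processed": processed, "unprocessed": unprocessed}


class FakeSecurityHubClient:
    """Constructed stand-in for the boto3 client: records each request and
    rejects over-sized batches the way the service's limit would."""

    def __init__(self):
        self.requests = []

    def batch_update_findings(self, **kwargs):
        identifiers = kwargs["FindingIdentifiers"]
        if len(identifiers) > MAX_FINDINGS_PER_REQUEST:
            raise ValueError("BatchUpdateFindings accepts at most 100 findings")
        self.requests.append(kwargs)
        return {"ProcessedFindings": identifiers, "UnprocessedFindings": []}


if __name__ == "__main__":
    # Against a real account you would use client = boto3.client("securityhub")
    # and take Id/ProductArn pairs from GetFindings. Values below are placeholders.
    client = FakeSecurityHubClient()
    ids = [f"placeholder-finding-{i}" for i in range(250)]
    result = update_workflow(client, ids, "arn:aws:securityhub:PLACEHOLDER::product/PLACEHOLDER",
                             "NOTIFIED", "Ticket opened by SOAR playbook", "soar-playbook")
    print(result["processed"], "findings updated in", len(client.requests), "requests")
```

Because the service reports partial failures in UnprocessedFindings rather than raising, the function collects those entries and returns them; a caller that only checks for exceptions would silently miss findings whose workflow state was never changed.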

Available fields for BatchUpdateFindings

If you are signed in to a Security Hub administrator account, you can use BatchUpdateFindings to update findings that were generated by the administrator account or member accounts. Member accounts can use BatchUpdateFindings to update findings for their account only.

Customers can use BatchUpdateFindings to update the following fields and objects:

  • Confidence

  • Criticality

  • Note

  • RelatedFindings

  • Severity

  • Types

  • UserDefinedFields

  • VerificationState

  • Workflow

Configuring access to BatchUpdateFindings

You can configure AWS Identity and Access Management (IAM) policies to restrict the use of BatchUpdateFindings for updating specific finding fields and field values.

In a statement to restrict access to BatchUpdateFindings, use the following values:

  • Action is securityhub:BatchUpdateFindings

  • Effect is Deny

  • For Condition, you can deny a BatchUpdateFindings request based on the following:

    • The request updates a specific field.

    • The request sets a field to a specific value.

Condition keys

These are the condition keys for restricting access to BatchUpdateFindings.

ASFF field

The condition key for an ASFF field is as follows:

securityhub:ASFFSyntaxPath/<fieldName>

Replace <fieldName> with the ASFF field. When configuring access to BatchUpdateFindings, include one or more specific ASFF fields in your IAM policy rather than a parent-level field. For example, to restrict access to the Workflow.Status field, you must include securityhub:ASFFSyntaxPath/Workflow.Status in your policy instead of the Workflow parent-level field.

Disallowing all updates to a field

To prevent a user from making any update to a specific field, use a condition like this:

"Condition": { "Null": { "securityhub:ASFFSyntaxPath/<fieldName>": "false" } }

For example, the following statement indicates that BatchUpdateFindings can't be used to update the Workflow.Status field of findings.

{
    "Sid": "VisualEditor0",
    "Effect": "Deny",
    "Action": "securityhub:BatchUpdateFindings",
    "Resource": "*",
    "Condition": {
        "Null": {
            "securityhub:ASFFSyntaxPath/Workflow.Status": "false"
        }
    }
}

Disallowing specific field values

To prevent a user from setting a field to a specific value, use a condition like this:

"Condition": { "StringEquals": { "securityhub:ASFFSyntaxPath/<fieldName>": "<fieldValue>" } }

For example, the following statement indicates that BatchUpdateFindings can't be used to set Workflow.Status to SUPPRESSED.

{
    "Sid": "VisualEditor0",
    "Effect": "Deny",
    "Action": "securityhub:BatchUpdateFindings",
    "Resource": "*",
    "Condition": {
        "StringEquals": {
            "securityhub:ASFFSyntaxPath/Workflow.Status": "SUPPRESSED"
        }
    }
}

You can also provide a list of values that are not permitted.

"Condition": { "StringEquals": { "securityhub:ASFFSyntaxPath/<fieldName>": [ "<fieldValue1>", "<fieldValue2>", "<fieldValuen>" ] } }

For example, the following statement indicates that BatchUpdateFindings can't be used to set Workflow.Status to either RESOLVED or SUPPRESSED.

{
    "Sid": "VisualEditor0",
    "Effect": "Deny",
    "Action": "securityhub:BatchUpdateFindings",
    "Resource": "*",
    "Condition": {
        "StringEquals": {
            "securityhub:ASFFSyntaxPath/Workflow.Status": [ "RESOLVED", "SUPPRESSED" ]
        }
    }
}
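To make the behaviour of the condition keys above concrete, here is an added example (not AWS code and not IAM's real policy evaluator) that models how the three Deny patterns on this page, the Null check for any update to a field and the StringEquals check for one or several values, match a BatchUpdateFindings request. It assumes that the fields a request updates are flattened into `securityhub:ASFFSyntaxPath/<leaf path>` keys, that "Null": "false" holds when the key is present, and that "StringEquals" matches one string or any member of a list. The statement Sids, the request builder and the placeholder identifiers are constructed for the example; the fourth statement uses the parent-level Workflow key to show why the documentation says to use Workflow.Status instead.

```python
"""Added example: simplified model of how Deny statements with the
securityhub:ASFFSyntaxPath condition keys match a BatchUpdateFindings request.
Not AWS code and not IAM's evaluator. Assumptions: updated fields are
flattened to ASFFSyntaxPath/<leaf path> keys, "Null" tests key absence, and
"StringEquals" tests the value against one string or any of a list.
Statement Sids and placeholder identifiers are constructed."""

ASFF_PREFIX = "securityhub:ASFFSyntaxPath/"
ACTION = "securityhub:BatchUpdateFindings"


def request_context(request):
    """Flatten the fields a request updates into condition keys, e.g.
    {"Workflow": {"Status": "NEW"}} -> {ASFF_PREFIX + "Workflow.Status": ["NEW"]}.
    Every value is a list of strings so multi-valued fields (Types) fit too."""
    ctx = {}

    def walk(value, path):
        if isinstance(value, dict):
            for key, sub in value.items():
                walk(sub, f"{path}.{key}" if path else key)
        elif isinstance(value, list):
            for item in value:
                walk(item, path)
        else:
            ctx.setdefault(ASFF_PREFIX + path, []).append(str(value))

    for field, value in request.items():
        if field != "FindingIdentifiers":  # identifies findings, not an update
            walk(value, field)
    return ctx


def condition_matches(condition, ctx):
    """True when every operator/key pair in the Condition block holds."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected = [str(e) for e in (expected if isinstance(expected, list) else [expected])]
            if operator == "Null":
                # "false" holds when the key IS present in the request
                if str(key not in ctx).lower() not in [e.lower() for e in expected]:
                    return False
            elif operator == "StringEquals":
                if not any(v in expected for v in ctx.get(key, [])):
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled")
    return True


def denied_by(statements, request, action=ACTION):
    """Return the Sids of Deny statements whose Action and Condition match."""
    ctx = request_context(request)
    hits = []
    for stmt in statements:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if (stmt.get("Effect") == "Deny" and action in actions
                and condition_matches(stmt.get("Condition", {}), ctx)):
            hits.append(stmt["Sid"])
    return hits


def deny_statement(sid, condition):
    """Build a Deny statement in the shape used on this page."""
    return {"Sid": sid, "Effect": "Deny", "Action": ACTION, "Resource": "*", "Condition": condition}


# The three patterns from the page, plus a mis-written parent-level key
DENY_ANY_STATUS_UPDATE = deny_statement(
    "DenyWorkflowStatusUpdates", {"Null": {ASFF_PREFIX + "Workflow.Status": "false"}})
DENY_SUPPRESS = deny_statement(
    "DenySuppress", {"StringEquals": {ASFF_PREFIX + "Workflow.Status": "SUPPRESSED"}})
DENY_RESOLVE_OR_SUPPRESS = deny_statement(
    "DenyResolveOrSuppress",
    {"StringEquals": {ASFF_PREFIX + "Workflow.Status": ["RESOLVED", "SUPPRESSED"]}})
DENY_PARENT_FIELD = deny_statement(  # never matches: the key must name a leaf field
    "DenyWorkflowParent", {"Null": {ASFF_PREFIX + "Workflow": "false"}})


def make_request(**fields):
    """Constructed BatchUpdateFindings request with a placeholder identifier."""
    return {"FindingIdentifiers": [{"Id": "placeholder-id", "ProductArn": "arn:placeholder"}], **fields}


if __name__ == "__main__":
    policy = [DENY_ANY_STATUS_UPDATE, DENY_SUPPRESS, DENY_RESOLVE_OR_SUPPRESS, DENY_PARENT_FIELD]
    for status in ("NEW", "NOTIFIED", "RESOLVED", "SUPPRESSED"):
        print(status, "->", denied_by(policy, make_request(Workflow={"Status": status})))
    print("Note only ->", denied_by(policy, make_request(Note={"Text": "triaged", "UpdatedBy": "x"})))
```

Run against one statement at a time, the model shows the distinction the page draws: the Null condition denies every request that touches Workflow.Status regardless of value, the StringEquals conditions deny only the listed values and let a transition to NEW or NOTIFIED through, and a condition written on the parent Workflow key denies nothing.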