Creating and updating findings in AWS Security Hub
In AWS Security Hub, a finding can originate from one of the following types of finding providers.
- An enabled security control in Security Hub
- An enabled integration with another AWS service
- An enabled integration with a third-party product
After a finding is created, it can be updated by the finding provider or by the customer.
- The finding provider uses the BatchImportFindings API operation to update the general information about a finding. An update is an import of the same finding (same Id and ProductArn) with a newer UpdatedAt value. Finding providers can only update findings that they created.
- The customer uses the BatchUpdateFindings API operation to update the status of the investigation into a finding. BatchUpdateFindings can also be used by a ticketing, incident management, orchestration, remediation, or SIEM tool on behalf of the customer. From the Security Hub console, customers can manage the workflow status of findings and send findings to custom actions. See Taking action on findings in AWS Security Hub.
Security Hub also automatically updates and deletes findings. All findings are automatically deleted if they were not updated in the past 90 days.
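The two update paths described above, and the 90-day retention rule, as an added worked example (not AWS code or sample code from this page). It builds a minimal ASFF finding for a custom integration, shows the provider-side update (re-importing the same Id and ProductArn with a newer UpdatedAt), the customer-side BatchUpdateFindings request that a SOAR or SIEM tool would send, and a check for findings about to age out. The scanner name, account ID, resource ARN and the use of the account's default custom-integration product ARN are assumptions made for the example; the boto3 calls are only reached from import_findings, so everything else runs offline.

```python
"""Hypothetical helpers for the Security Hub finding lifecycle (added example, not AWS code)."""
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterator, List, Optional

# ASFF top-level fields BatchImportFindings requires on every finding.
ASFF_REQUIRED = ("SchemaVersion", "Id", "ProductArn", "GeneratorId", "AwsAccountId",
                 "Types", "CreatedAt", "UpdatedAt", "Severity", "Title", "Description",
                 "Resources")
SEVERITY_LABELS = ("INFORMATIONAL", "LOW", "MEDIUM", "HIGH", "CRITICAL")
WORKFLOW_STATUSES = ("NEW", "NOTIFIED", "RESOLVED", "SUPPRESSED")
MAX_BATCH = 100                  # both Batch* operations accept at most 100 findings per call
RETENTION = timedelta(days=90)   # findings not updated within this window are deleted
ISO = "%Y-%m-%dT%H:%M:%S.%fZ"


def iso_now() -> str:
    """Current UTC time in the millisecond ISO 8601 form ASFF uses."""
    dt = datetime.now(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def build_asff_finding(account_id: str, region: str, generator_id: str, resource_arn: str,
                       title: str, description: str, severity: str,
                       created_at: Optional[str] = None) -> Dict:
    """Finding a custom (provider-side) integration sends via BatchImportFindings.

    The Id is derived from generator and resource so that a later import of the same
    problem carries the same Id + ProductArn and updates the existing finding.
    """
    assert severity in SEVERITY_LABELS, severity
    ts = created_at or iso_now()
    return {
        "SchemaVersion": "2018-10-08",
        "Id": f"{region}/{account_id}/{generator_id}/{resource_arn}",
        # Default product ARN Security Hub assigns to an account's custom integration (assumed here).
        "ProductArn": f"arn:aws:securityhub:{region}:{account_id}:product/{account_id}/default",
        "GeneratorId": generator_id,
        "AwsAccountId": account_id,
        "Types": ["Software and Configuration Checks/Vulnerabilities"],
        "CreatedAt": ts,
        "UpdatedAt": ts,
        "Severity": {"Label": severity},
        "Title": title,
        "Description": description,
        "Resources": [{"Type": "Other", "Id": resource_arn, "Region": region, "Partition": "aws"}],
    }


def validate_asff(finding: Dict) -> List[str]:
    """Return the names of required ASFF fields that are missing or empty."""
    return [k for k in ASFF_REQUIRED if not finding.get(k)]


def refresh_finding(finding: Dict, updated_at: Optional[str] = None) -> Dict:
    """Provider-side update: same Id/ProductArn, newer UpdatedAt, re-sent via BatchImportFindings."""
    return {**finding, "UpdatedAt": updated_at or iso_now()}


def is_expired(finding: Dict, now: datetime) -> bool:
    """True if the finding is past the 90-day retention window and will be deleted."""
    last = datetime.strptime(finding["UpdatedAt"], ISO).replace(tzinfo=timezone.utc)
    return now - last > RETENTION


def build_workflow_update(findings: List[Dict], status: str, note: str, updated_by: str) -> Dict:
    """Customer-side update: the BatchUpdateFindings request a SOAR/SIEM tool would send."""
    assert status in WORKFLOW_STATUSES, status
    return {
        "FindingIdentifiers": [{"Id": f["Id"], "ProductArn": f["ProductArn"]} for f in findings],
        "Workflow": {"Status": status},
        "Note": {"Text": note, "UpdatedBy": updated_by},
    }


def chunked(items: List, size: int = MAX_BATCH) -> Iterator[List]:
    """Split a list into batches no larger than the API limit."""
    for i in range(0, len(items), size):
        yield items[i:i + size]


def import_findings(findings: List[Dict], region: str) -> int:
    """Send findings with boto3, 100 at a time; returns the count Security Hub accepted."""
    import boto3  # imported lazily so the helpers above work without AWS credentials
    client = boto3.client("securityhub", region_name=region)
    accepted = 0
    for batch in chunked(findings):
        bad = [f["Id"] for f in batch if validate_asff(f)]
        if bad:
            raise ValueError(f"findings missing required ASFF fields: {bad}")
        resp = client.batch_import_findings(Findings=batch)
        accepted += resp["SuccessCount"]
        for fail in resp.get("FailedFindings", []):
            print("rejected", fail["Id"], fail["ErrorCode"], fail["ErrorMessage"])
    return accepted


if __name__ == "__main__":
    # Constructed sample: a hypothetical scanner reporting weak TLS on a load balancer.
    f = build_asff_finding("123456789012", "us-east-1", "acme-scanner/weak-tls",
                           "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/web/1",
                           "TLS 1.0 enabled on ALB listener", "Listener allows TLS 1.0.", "MEDIUM")
    print(validate_asff(f))
    print(build_workflow_update([f], "NOTIFIED", "Ticket SEC-42 opened", "soc-bot"))
```

Note the separation of concerns: the provider only ever touches the finding body through BatchImportFindings (and must keep the Id stable for that to be an update rather than a new finding), while the investigation state (Workflow.Status, Note) is set through BatchUpdateFindings, which identifies findings by Id plus ProductArn. A scanner that stops re-importing a still-open problem will see it silently disappear after 90 days, which is why is_expired is worth checking before assuming a finding is gone because it was fixed.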
If you enable cross-Region aggregation, then Security Hub automatically aggregates new findings from the linked Regions to the aggregation Region. Security Hub also replicates updates to findings in both directions: updates that occur in a linked Region are replicated to the aggregation Region, and updates that occur in the aggregation Region are replicated back to the linked Region the finding came from. For more information about cross-Region aggregation, see Cross-Region aggregation.