Creating and updating findings in AWS Security Hub - AWS Security Hub

Creating and updating findings in AWS Security Hub

In AWS Security Hub, a finding can originate from one of the following types of finding providers.

  • An enabled security control in Security Hub

  • An enabled integration with another AWS service

  • An enabled integration with a third-party product

After a finding is created, it can be updated by the finding provider or by the customer.

  • The finding provider uses the BatchImportFindings API operation to update the general information about a finding. Finding providers can only update findings that they created.

  • The customer uses the BatchUpdateFindings API operation to update the status of the investigation into a finding. BatchUpdateFindings can also be used by a ticketing, incident management, orchestration, remediation, or SIEM tool on behalf of the customer.

    From the Security Hub console, customers can manage the workflow status of findings and send findings to custom actions. See Taking action on findings in AWS Security Hub.
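The two write paths described above, as an added example that is not part of the AWS documentation and not AWS sample code: one helper builds an AWS Security Finding Format (ASFF) record for a provider to send with BatchImportFindings, and another builds the BatchUpdateFindings request a customer (or a SIEM or ticketing tool acting for the customer) uses to change the investigation state. The set of fields BatchUpdateFindings accepts and the required ASFF fields are taken from the Security Hub API reference, not from this page; the account ID, Region, product ARN, resource ARN and generator ID are constructed placeholders. The builders run offline; actually sending the payloads needs boto3 and AWS credentials.

```python
"""Build Security Hub request bodies for the provider path (BatchImportFindings)
and the customer path (BatchUpdateFindings).  Added example, not AWS code."""
from datetime import datetime, timezone

# Fields a customer may change through BatchUpdateFindings (from the API reference).
BATCH_UPDATE_ALLOWED = {
    "Confidence", "Criticality", "Note", "RelatedFindings", "Severity",
    "Types", "UserDefinedFields", "VerificationState", "Workflow",
}
WORKFLOW_STATUSES = {"NEW", "NOTIFIED", "RESOLVED", "SUPPRESSED"}

# Fields every ASFF finding must carry for BatchImportFindings to accept it.
ASFF_REQUIRED = (
    "SchemaVersion", "Id", "ProductArn", "GeneratorId", "AwsAccountId", "Types",
    "CreatedAt", "UpdatedAt", "Severity", "Title", "Description", "Resources",
)


def _now_iso() -> str:
    # ASFF timestamps are ISO 8601 in UTC with millisecond precision and a Z suffix.
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def build_asff_finding(account_id, region, product_arn, finding_id,
                       resource_arn, severity_label, title, description):
    """Minimal ASFF finding a provider would send via BatchImportFindings."""
    ts = _now_iso()
    return {
        "SchemaVersion": "2018-10-08",
        "Id": finding_id,
        "ProductArn": product_arn,
        "GeneratorId": "example-scanner/rule-001",  # constructed placeholder
        "AwsAccountId": account_id,
        "Types": ["Software and Configuration Checks/Vulnerabilities/CVE"],
        "CreatedAt": ts,
        "UpdatedAt": ts,
        "Severity": {"Label": severity_label},
        "Title": title,
        "Description": description,
        "Resources": [{"Type": "AwsEc2Instance", "Id": resource_arn, "Region": region}],
        "Workflow": {"Status": "NEW"},
        "RecordState": "ACTIVE",
    }


def missing_asff_fields(finding):
    """Return the required ASFF fields a finding lacks (empty list means it is complete)."""
    return [name for name in ASFF_REQUIRED if name not in finding]


def build_batch_update(finding_ids, product_arn, workflow_status,
                       note_text, updated_by, **extra):
    """BatchUpdateFindings body: findings are addressed by (Id, ProductArn) and
    only the customer-owned fields may be set; anything else is rejected here
    rather than at the API."""
    if workflow_status not in WORKFLOW_STATUSES:
        raise ValueError(f"invalid workflow status {workflow_status!r}")
    bad = set(extra) - BATCH_UPDATE_ALLOWED
    if bad:
        raise ValueError(f"fields not updatable via BatchUpdateFindings: {sorted(bad)}")
    body = {
        "FindingIdentifiers": [{"Id": fid, "ProductArn": product_arn} for fid in finding_ids],
        "Workflow": {"Status": workflow_status},
        # Note requires both Text and UpdatedBy; it records who changed the status and why.
        "Note": {"Text": note_text, "UpdatedBy": updated_by},
    }
    body.update(extra)
    return body


def send(region, import_findings=None, update_body=None):
    """Send the bodies with boto3.  Requires credentials, so it is not run offline."""
    import boto3  # imported here so the builders above work without boto3 installed
    client = boto3.client("securityhub", region_name=region)
    results = {}
    if import_findings:
        results["import"] = client.batch_import_findings(Findings=import_findings)
    if update_body:
        results["update"] = client.batch_update_findings(**update_body)
    return results


if __name__ == "__main__":
    # Constructed placeholder identifiers; replace with your own before calling send().
    acct, region = "123456789012", "us-east-1"
    product = f"arn:aws:securityhub:{region}:{acct}:product/{acct}/default"
    instance = f"arn:aws:ec2:{region}:{acct}:instance/i-0123456789abcdef0"
    finding = build_asff_finding(acct, region, product, "example-finding-1", instance,
                                 "HIGH", "Unpatched package", "Example description")
    print("missing fields:", missing_asff_fields(finding))
    print(build_batch_update(["example-finding-1"], product, "RESOLVED",
                             "Patched by change CHG-0001", "analyst@example.com"))
```

The distinction the helpers enforce mirrors the two operations above: a provider's import carries the whole ASFF record, while a customer's update names findings by `Id` and `ProductArn` and is limited to workflow, note, severity and similar investigation fields. Rejecting an unsupported field locally, before the call, gives a clearer error than the API's validation response.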

Security Hub also automatically updates and deletes findings. All findings are automatically deleted if they were not updated in the past 90 days.

If you enable cross-Region aggregation, Security Hub automatically aggregates new findings from the linked Regions into the aggregation Region and replicates updates to findings in both directions: updates made in a linked Region are replicated to the aggregation Region, and updates made in the aggregation Region are replicated back to the linked Regions. For more information about cross-Region aggregation, see Cross-Region aggregation.