
Creating and updating findings in Security Hub

In AWS Security Hub, a finding is an observable record of a security check or security-related detection.

A finding can originate from one of the following sources in Security Hub:

  • Security check of an enabled control in Security Hub

  • An enabled integration with another AWS service

  • An enabled integration with a third-party product

  • A custom integration

After a finding is created, the finding provider or a Security Hub user can update it as follows:

  • The finding provider can use the BatchImportFindings operation of the Security Hub API to update the general information about a finding. Finding providers can only update findings that they created.

  • The customer can use the BatchUpdateFindings operation of the Security Hub API to update the status of the investigation into a finding. BatchUpdateFindings can also be used by a ticketing, incident management, orchestration, remediation, or SIEM tool on behalf of the customer.

    Customers can also update findings on the Security Hub console.

Security Hub normalizes findings from all sources into a standard syntax and format called the AWS Security Finding Format (ASFF). For more information about ASFF, see AWS Security Finding Format (ASFF).

Security Hub automatically deletes findings that weren't updated in the past 90 days. Specifically, Security Hub retains an existing finding in an account for 90 days after the most recent value of the UpdatedAt ASFF field. The finding is retained for 90 days after this date even if Security Hub is disabled. At the end of this 90-day period, Security Hub permanently deletes the finding from the account. Finding providers can change the value of the UpdatedAt field by using the BatchImportFindings operation of the Security Hub API to update a finding.
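The two update paths described above (the provider's BatchImportFindings and the customer's BatchUpdateFindings) and the 90-day retention rule, shown as an added example that is not AWS's own code: it builds a minimal ASFF finding, computes when Security Hub would delete it based on UpdatedAt, and builds the workflow update a SIEM or ticketing tool would send on the customer's behalf. The account ID, Region, and resource ID are constructed sample values; the dicts are shaped for boto3's `securityhub` client (`batch_import_findings(Findings=[...])` and `batch_update_findings(**payload)`), which is assumed rather than called here so the code runs offline.

```python
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 90            # Security Hub keeps a finding 90 days past its UpdatedAt
ASFF_SCHEMA = "2018-10-08"     # current ASFF schema version string
ASFF_TIME_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"


def iso8601(ts: datetime) -> str:
    """Render a UTC timestamp with millisecond precision, as ASFF timestamps use."""
    ts = ts.astimezone(timezone.utc)
    return ts.strftime("%Y-%m-%dT%H:%M:%S.") + f"{ts.microsecond // 1000:03d}Z"


def build_finding(account_id, region, generator_id, resource_id, updated_at, created_at=None):
    """Minimal ASFF finding for a BatchImportFindings request (provider-side update).

    Id + ProductArn identify the finding; importing the same pair again with a newer
    UpdatedAt updates the existing record and restarts its 90-day retention clock.
    ProductArn uses the per-account 'default' product ARN for custom integrations.
    """
    created_at = created_at or updated_at
    return {
        "SchemaVersion": ASFF_SCHEMA,
        "Id": f"{generator_id}/{resource_id}",
        "ProductArn": f"arn:aws:securityhub:{region}:{account_id}:product/{account_id}/default",
        "GeneratorId": generator_id,
        "AwsAccountId": account_id,
        "Types": ["Software and Configuration Checks/Vulnerabilities/CVE"],
        "CreatedAt": iso8601(created_at),
        "UpdatedAt": iso8601(updated_at),
        "Severity": {"Label": "HIGH"},
        "Title": "Constructed example finding",
        "Description": "Sample finding built locally for illustration only.",
        "Resources": [{"Type": "AwsEc2Instance", "Id": resource_id, "Region": region}],
    }


def retention_expiry(finding) -> datetime:
    """Date on which Security Hub would delete the finding if UpdatedAt never changes."""
    updated = datetime.strptime(finding["UpdatedAt"], ASFF_TIME_FMT).replace(tzinfo=timezone.utc)
    return updated + timedelta(days=RETENTION_DAYS)


def build_workflow_update(findings, status, note_text, updated_by):
    """BatchUpdateFindings request body: the customer-side update of investigation status.

    Only Id and ProductArn are needed to address each finding; Workflow.Status is one
    of NEW, NOTIFIED, RESOLVED or SUPPRESSED, and does not touch the finding's UpdatedAt.
    """
    return {
        "FindingIdentifiers": [{"Id": f["Id"], "ProductArn": f["ProductArn"]} for f in findings],
        "Workflow": {"Status": status},
        "Note": {"Text": note_text, "UpdatedBy": updated_by},
    }
```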

If you enable cross-Region aggregation, then Security Hub automatically aggregates new and updated findings from the linked Regions to the aggregation Region. For more information, see Understanding cross-Region aggregation in Security Hub.