interface AwsSecurityFindingFiltersProperty
Language | Type name |
---|---|
.NET | Amazon.CDK.AWS.SecurityHub.CfnInsight.AwsSecurityFindingFiltersProperty |
Go | github.com/aws/aws-cdk-go/awscdk/v2/awssecurityhub#CfnInsight_AwsSecurityFindingFiltersProperty |
Java | software.amazon.awscdk.services.securityhub.CfnInsight.AwsSecurityFindingFiltersProperty |
Python | aws_cdk.aws_securityhub.CfnInsight.AwsSecurityFindingFiltersProperty |
TypeScript | aws-cdk-lib » aws_securityhub » CfnInsight » AwsSecurityFindingFiltersProperty |
A collection of filters that are applied to all active findings aggregated by AWS Security Hub .
You can filter by up to ten finding attributes. For each attribute, you can provide up to 20 filter values.
Example
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import { aws_securityhub as securityhub } from 'aws-cdk-lib';
const awsSecurityFindingFiltersProperty: securityhub.CfnInsight.AwsSecurityFindingFiltersProperty = {
awsAccountId: [{
comparison: 'comparison',
value: 'value',
}],
awsAccountName: [{
comparison: 'comparison',
value: 'value',
}],
companyName: [{
comparison: 'comparison',
value: 'value',
}],
complianceAssociatedStandardsId: [{
comparison: 'comparison',
value: 'value',
}],
complianceSecurityControlId: [{
comparison: 'comparison',
value: 'value',
}],
complianceSecurityControlParametersName: [{
comparison: 'comparison',
value: 'value',
}],
complianceSecurityControlParametersValue: [{
comparison: 'comparison',
value: 'value',
}],
complianceStatus: [{
comparison: 'comparison',
value: 'value',
}],
confidence: [{
eq: 123,
gte: 123,
lte: 123,
}],
createdAt: [{
dateRange: {
unit: 'unit',
value: 123,
},
end: 'end',
start: 'start',
}],
criticality: [{
eq: 123,
gte: 123,
lte: 123,
}],
description: [{
comparison: 'comparison',
value: 'value',
}],
findingProviderFieldsConfidence: [{
eq: 123,
gte: 123,
lte: 123,
}],
findingProviderFieldsCriticality: [{
eq: 123,
gte: 123,
lte: 123,
}],
findingProviderFieldsRelatedFindingsId: [{
comparison: 'comparison',
value: 'value',
}],
findingProviderFieldsRelatedFindingsProductArn: [{
comparison: 'comparison',
value: 'value',
}],
findingProviderFieldsSeverityLabel: [{
comparison: 'comparison',
value: 'value',
}],
findingProviderFieldsSeverityOriginal: [{
comparison: 'comparison',
value: 'value',
}],
findingProviderFieldsTypes: [{
comparison: 'comparison',
value: 'value',
}],
firstObservedAt: [{
dateRange: {
unit: 'unit',
value: 123,
},
end: 'end',
start: 'start',
}],
generatorId: [{
comparison: 'comparison',
value: 'value',
}],
id: [{
comparison: 'comparison',
value: 'value',
}],
keyword: [{
value: 'value',
}],
lastObservedAt: [{
dateRange: {
unit: 'unit',
value: 123,
},
end: 'end',
start: 'start',
}],
malwareName: [{
comparison: 'comparison',
value: 'value',
}],
malwarePath: [{
comparison: 'comparison',
value: 'value',
}],
malwareState: [{
comparison: 'comparison',
value: 'value',
}],
malwareType: [{
comparison: 'comparison',
value: 'value',
}],
networkDestinationDomain: [{
comparison: 'comparison',
value: 'value',
}],
networkDestinationIpV4: [{
cidr: 'cidr',
}],
networkDestinationIpV6: [{
cidr: 'cidr',
}],
networkDestinationPort: [{
eq: 123,
gte: 123,
lte: 123,
}],
networkDirection: [{
comparison: 'comparison',
value: 'value',
}],
networkProtocol: [{
comparison: 'comparison',
value: 'value',
}],
networkSourceDomain: [{
comparison: 'comparison',
value: 'value',
}],
networkSourceIpV4: [{
cidr: 'cidr',
}],
networkSourceIpV6: [{
cidr: 'cidr',
}],
networkSourceMac: [{
comparison: 'comparison',
value: 'value',
}],
networkSourcePort: [{
eq: 123,
gte: 123,
lte: 123,
}],
noteText: [{
comparison: 'comparison',
value: 'value',
}],
noteUpdatedAt: [{
dateRange: {
unit: 'unit',
value: 123,
},
end: 'end',
start: 'start',
}],
noteUpdatedBy: [{
comparison: 'comparison',
value: 'value',
}],
processLaunchedAt: [{
dateRange: {
unit: 'unit',
value: 123,
},
end: 'end',
start: 'start',
}],
processName: [{
comparison: 'comparison',
value: 'value',
}],
processParentPid: [{
eq: 123,
gte: 123,
lte: 123,
}],
processPath: [{
comparison: 'comparison',
value: 'value',
}],
processPid: [{
eq: 123,
gte: 123,
lte: 123,
}],
processTerminatedAt: [{
dateRange: {
unit: 'unit',
value: 123,
},
end: 'end',
start: 'start',
}],
productArn: [{
comparison: 'comparison',
value: 'value',
}],
productFields: [{
comparison: 'comparison',
key: 'key',
value: 'value',
}],
productName: [{
comparison: 'comparison',
value: 'value',
}],
recommendationText: [{
comparison: 'comparison',
value: 'value',
}],
recordState: [{
comparison: 'comparison',
value: 'value',
}],
region: [{
comparison: 'comparison',
value: 'value',
}],
relatedFindingsId: [{
comparison: 'comparison',
value: 'value',
}],
relatedFindingsProductArn: [{
comparison: 'comparison',
value: 'value',
}],
resourceApplicationArn: [{
comparison: 'comparison',
value: 'value',
}],
resourceApplicationName: [{
comparison: 'comparison',
value: 'value',
}],
resourceAwsEc2InstanceIamInstanceProfileArn: [{
comparison: 'comparison',
value: 'value',
}],
resourceAwsEc2InstanceImageId: [{
comparison: 'comparison',
value: 'value',
}],
resourceAwsEc2InstanceIpV4Addresses: [{
cidr: 'cidr',
}],
resourceAwsEc2InstanceIpV6Addresses: [{
cidr: 'cidr',
}],
resourceAwsEc2InstanceKeyName: [{
comparison: 'comparison',
value: 'value',
}],
resourceAwsEc2InstanceLaunchedAt: [{
dateRange: {
unit: 'unit',
value: 123,
},
end: 'end',
start: 'start',
}],
resourceAwsEc2InstanceSubnetId: [{
comparison: 'comparison',
value: 'value',
}],
resourceAwsEc2InstanceType: [{
comparison: 'comparison',
value: 'value',
}],
resourceAwsEc2InstanceVpcId: [{
comparison: 'comparison',
value: 'value',
}],
resourceAwsIamAccessKeyCreatedAt: [{
dateRange: {
unit: 'unit',
value: 123,
},
end: 'end',
start: 'start',
}],
resourceAwsIamAccessKeyPrincipalName: [{
comparison: 'comparison',
value: 'value',
}],
resourceAwsIamAccessKeyStatus: [{
comparison: 'comparison',
value: 'value',
}],
resourceAwsIamAccessKeyUserName: [{
comparison: 'comparison',
value: 'value',
}],
resourceAwsIamUserUserName: [{
comparison: 'comparison',
value: 'value',
}],
resourceAwsS3BucketOwnerId: [{
comparison: 'comparison',
value: 'value',
}],
resourceAwsS3BucketOwnerName: [{
comparison: 'comparison',
value: 'value',
}],
resourceContainerImageId: [{
comparison: 'comparison',
value: 'value',
}],
resourceContainerImageName: [{
comparison: 'comparison',
value: 'value',
}],
resourceContainerLaunchedAt: [{
dateRange: {
unit: 'unit',
value: 123,
},
end: 'end',
start: 'start',
}],
resourceContainerName: [{
comparison: 'comparison',
value: 'value',
}],
resourceDetailsOther: [{
comparison: 'comparison',
key: 'key',
value: 'value',
}],
resourceId: [{
comparison: 'comparison',
value: 'value',
}],
resourcePartition: [{
comparison: 'comparison',
value: 'value',
}],
resourceRegion: [{
comparison: 'comparison',
value: 'value',
}],
resourceTags: [{
comparison: 'comparison',
key: 'key',
value: 'value',
}],
resourceType: [{
comparison: 'comparison',
value: 'value',
}],
sample: [{
value: false,
}],
severityLabel: [{
comparison: 'comparison',
value: 'value',
}],
severityNormalized: [{
eq: 123,
gte: 123,
lte: 123,
}],
severityProduct: [{
eq: 123,
gte: 123,
lte: 123,
}],
sourceUrl: [{
comparison: 'comparison',
value: 'value',
}],
threatIntelIndicatorCategory: [{
comparison: 'comparison',
value: 'value',
}],
threatIntelIndicatorLastObservedAt: [{
dateRange: {
unit: 'unit',
value: 123,
},
end: 'end',
start: 'start',
}],
threatIntelIndicatorSource: [{
comparison: 'comparison',
value: 'value',
}],
threatIntelIndicatorSourceUrl: [{
comparison: 'comparison',
value: 'value',
}],
threatIntelIndicatorType: [{
comparison: 'comparison',
value: 'value',
}],
threatIntelIndicatorValue: [{
comparison: 'comparison',
value: 'value',
}],
title: [{
comparison: 'comparison',
value: 'value',
}],
type: [{
comparison: 'comparison',
value: 'value',
}],
updatedAt: [{
dateRange: {
unit: 'unit',
value: 123,
},
end: 'end',
start: 'start',
}],
userDefinedFields: [{
comparison: 'comparison',
key: 'key',
value: 'value',
}],
verificationState: [{
comparison: 'comparison',
value: 'value',
}],
vulnerabilitiesExploitAvailable: [{
comparison: 'comparison',
value: 'value',
}],
vulnerabilitiesFixAvailable: [{
comparison: 'comparison',
value: 'value',
}],
workflowState: [{
comparison: 'comparison',
value: 'value',
}],
workflowStatus: [{
comparison: 'comparison',
value: 'value',
}],
};
Properties
Name | Type | Description |
---|---|---|
aws | IResolvable | IResolvable | String [] | The AWS account ID in which a finding is generated. |
aws | IResolvable | IResolvable | String [] | The name of the AWS account in which a finding is generated. |
company | IResolvable | IResolvable | String [] | The name of the findings provider (company) that owns the solution (product) that generates findings. |
compliance | IResolvable | IResolvable | String [] | The unique identifier of a standard in which a control is enabled. |
compliance | IResolvable | IResolvable | String [] | The unique identifier of a control across standards. |
compliance | IResolvable | IResolvable | String [] | The name of a security control parameter. |
compliance | IResolvable | IResolvable | String [] | The current value of a security control parameter. |
compliance | IResolvable | IResolvable | String [] | Exclusive to findings that are generated as the result of a check run against a specific rule in a supported standard, such as CIS AWS Foundations. |
confidence? | IResolvable | IResolvable | Number [] | A finding's confidence. |
created | IResolvable | IResolvable | Date [] | A timestamp that indicates when the security findings provider created the potential security issue that a finding reflects. |
criticality? | IResolvable | IResolvable | Number [] | The level of importance assigned to the resources associated with the finding. |
description? | IResolvable | IResolvable | String [] | A finding's description. |
finding | IResolvable | IResolvable | Number [] | The finding provider value for the finding confidence. |
finding | IResolvable | IResolvable | Number [] | The finding provider value for the level of importance assigned to the resources associated with the findings. |
finding | IResolvable | IResolvable | String [] | The finding identifier of a related finding that is identified by the finding provider. |
finding | IResolvable | IResolvable | String [] | The ARN of the solution that generated a related finding that is identified by the finding provider. |
finding | IResolvable | IResolvable | String [] | The finding provider value for the severity label. |
finding | IResolvable | IResolvable | String [] | The finding provider's original value for the severity. |
finding | IResolvable | IResolvable | String [] | One or more finding types that the finding provider assigned to the finding. |
first | IResolvable | IResolvable | Date [] | A timestamp that indicates when the security findings provider first observed the potential security issue that a finding captured. |
generator | IResolvable | IResolvable | String [] | The identifier for the solution-specific component (a discrete unit of logic) that generated a finding. |
id? | IResolvable | IResolvable | String [] | The security findings provider-specific identifier for a finding. |
keyword? | IResolvable | IResolvable | Keyword [] | This field is deprecated. |
last | IResolvable | IResolvable | Date [] | A timestamp that indicates when the security findings provider most recently observed the potential security issue that a finding captured. |
malware | IResolvable | IResolvable | String [] | The name of the malware that was observed. |
malware | IResolvable | IResolvable | String [] | The filesystem path of the malware that was observed. |
malware | IResolvable | IResolvable | String [] | The state of the malware that was observed. |
malware | IResolvable | IResolvable | String [] | The type of the malware that was observed. |
network | IResolvable | IResolvable | String [] | The destination domain of network-related information about a finding. |
network | IResolvable | IResolvable | Ip [] | The destination IPv4 address of network-related information about a finding. |
network | IResolvable | IResolvable | Ip [] | The destination IPv6 address of network-related information about a finding. |
network | IResolvable | IResolvable | Number [] | The destination port of network-related information about a finding. |
network | IResolvable | IResolvable | String [] | Indicates the direction of network traffic associated with a finding. |
network | IResolvable | IResolvable | String [] | The protocol of network-related information about a finding. |
network | IResolvable | IResolvable | String [] | The source domain of network-related information about a finding. |
network | IResolvable | IResolvable | Ip [] | The source IPv4 address of network-related information about a finding. |
network | IResolvable | IResolvable | Ip [] | The source IPv6 address of network-related information about a finding. |
network | IResolvable | IResolvable | String [] | The source media access control (MAC) address of network-related information about a finding. |
network | IResolvable | IResolvable | Number [] | The source port of network-related information about a finding. |
note | IResolvable | IResolvable | String [] | The text of a note. |
note | IResolvable | IResolvable | Date [] | The timestamp of when the note was updated. |
note | IResolvable | IResolvable | String [] | The principal that created a note. |
process | IResolvable | IResolvable | Date [] | A timestamp that identifies when the process was launched. |
process | IResolvable | IResolvable | String [] | The name of the process. |
process | IResolvable | IResolvable | Number [] | The parent process ID. |
process | IResolvable | IResolvable | String [] | The path to the process executable. |
process | IResolvable | IResolvable | Number [] | The process ID. |
process | IResolvable | IResolvable | Date [] | A timestamp that identifies when the process was terminated. |
product | IResolvable | IResolvable | String [] | The ARN generated by Security Hub that uniquely identifies a third-party company (security findings provider) after this provider's product (solution that generates findings) is registered with Security Hub. |
product | IResolvable | IResolvable | Map [] | A data type where security findings providers can include additional solution-specific details that aren't part of the defined AwsSecurityFinding format. |
product | IResolvable | IResolvable | String [] | The name of the solution (product) that generates findings. |
recommendation | IResolvable | IResolvable | String [] | The recommendation of what to do about the issue described in a finding. |
record | IResolvable | IResolvable | String [] | The updated record state for the finding. |
region? | IResolvable | IResolvable | String [] | The Region from which the finding was generated. |
related | IResolvable | IResolvable | String [] | The solution-generated identifier for a related finding. |
related | IResolvable | IResolvable | String [] | The ARN of the solution that generated a related finding. |
resource | IResolvable | IResolvable | String [] | The ARN of the application that is related to a finding. |
resource | IResolvable | IResolvable | String [] | The name of the application that is related to a finding. |
resource | IResolvable | IResolvable | String [] | The IAM profile ARN of the instance. |
resource | IResolvable | IResolvable | String [] | The Amazon Machine Image (AMI) ID of the instance. |
resource | IResolvable | IResolvable | Ip [] | The IPv4 addresses associated with the instance. |
resource | IResolvable | IResolvable | Ip [] | The IPv6 addresses associated with the instance. |
resource | IResolvable | IResolvable | String [] | The key name associated with the instance. |
resource | IResolvable | IResolvable | Date [] | The date and time the instance was launched. |
resource | IResolvable | IResolvable | String [] | The identifier of the subnet that the instance was launched in. |
resource | IResolvable | IResolvable | String [] | The instance type of the instance. |
resource | IResolvable | IResolvable | String [] | The identifier of the VPC that the instance was launched in. |
resource | IResolvable | IResolvable | Date [] | The creation date/time of the IAM access key related to a finding. |
resource | IResolvable | IResolvable | String [] | The name of the principal that is associated with an IAM access key. |
resource | IResolvable | IResolvable | String [] | The status of the IAM access key related to a finding. |
resource | IResolvable | IResolvable | String [] | This field is deprecated. |
resource | IResolvable | IResolvable | String [] | The name of an IAM user. |
resource | IResolvable | IResolvable | String [] | The canonical user ID of the owner of the S3 bucket. |
resource | IResolvable | IResolvable | String [] | The display name of the owner of the S3 bucket. |
resource | IResolvable | IResolvable | String [] | The identifier of the image related to a finding. |
resource | IResolvable | IResolvable | String [] | The name of the image related to a finding. |
resource | IResolvable | IResolvable | Date [] | A timestamp that identifies when the container was started. |
resource | IResolvable | IResolvable | String [] | The name of the container related to a finding. |
resource | IResolvable | IResolvable | Map [] | The details of a resource that doesn't have a specific subfield for the resource type defined. |
resource | IResolvable | IResolvable | String [] | The canonical identifier for the given resource type. |
resource | IResolvable | IResolvable | String [] | The canonical AWS partition name that the Region is assigned to. |
resource | IResolvable | IResolvable | String [] | The canonical AWS external Region name where this resource is located. |
resource | IResolvable | IResolvable | Map [] | A list of AWS tags associated with a resource at the time the finding was processed. |
resource | IResolvable | IResolvable | String [] | Specifies the type of the resource that details are provided for. |
sample? | IResolvable | IResolvable | Boolean [] | Indicates whether or not sample findings are included in the filter results. |
severity | IResolvable | IResolvable | String [] | The label of a finding's severity. |
severity | IResolvable | IResolvable | Number [] | Deprecated. The normalized severity of a finding. Instead of providing Normalized , provide Label . |
severity | IResolvable | IResolvable | Number [] | Deprecated. This attribute isn't included in findings. Instead of providing Product , provide Original . |
source | IResolvable | IResolvable | String [] | A URL that links to a page about the current finding in the security findings provider's solution. |
threat | IResolvable | IResolvable | String [] | The category of a threat intelligence indicator. |
threat | IResolvable | IResolvable | Date [] | A timestamp that identifies the last observation of a threat intelligence indicator. |
threat | IResolvable | IResolvable | String [] | The source of the threat intelligence. |
threat | IResolvable | IResolvable | String [] | The URL for more details from the source of the threat intelligence. |
threat | IResolvable | IResolvable | String [] | The type of a threat intelligence indicator. |
threat | IResolvable | IResolvable | String [] | The value of a threat intelligence indicator. |
title? | IResolvable | IResolvable | String [] | A finding's title. |
type? | IResolvable | IResolvable | String [] | A finding type in the format of namespace/category/classifier that classifies a finding. |
updated | IResolvable | IResolvable | Date [] | A timestamp that indicates when the security findings provider last updated the finding record. |
user | IResolvable | IResolvable | Map [] | A list of name/value string pairs associated with the finding. |
verification | IResolvable | IResolvable | String [] | The veracity of a finding. |
vulnerabilities | IResolvable | IResolvable | String [] | Indicates whether a software vulnerability in your environment has a known exploit. |
vulnerabilities | IResolvable | IResolvable | String [] | Indicates whether a vulnerability is fixed in a newer version of the affected software packages. |
workflow | IResolvable | IResolvable | String [] | The workflow state of a finding. |
workflow | IResolvable | IResolvable | String [] | The status of the investigation into a finding. Allowed values are the following. |
awsAccountId?
Type:
IResolvable
|
IResolvable
|
String
[]
(optional)
The AWS account ID in which a finding is generated.
awsAccountName?
Type:
IResolvable
|
IResolvable
|
String
[]
(optional)
The name of the AWS account in which a finding is generated.
companyName?
Type:
IResolvable
|
IResolvable
|
String
[]
(optional)
The name of the findings provider (company) that owns the solution (product) that generates findings.
complianceAssociatedStandardsId?
Type:
IResolvable
|
IResolvable
|
String
[]
(optional)
The unique identifier of a standard in which a control is enabled.
This field consists of the resource portion of the Amazon Resource Name (ARN) returned for a standard in the DescribeStandards API response.
complianceSecurityControlId?
Type:
IResolvable
|
IResolvable
|
String
[]
(optional)
The unique identifier of a control across standards.
Values for this field typically consist of an AWS service and a number, such as APIGateway.5.
complianceSecurityControlParametersName?
Type:
IResolvable
|
IResolvable
|
String
[]
(optional)
The name of a security control parameter.
complianceSecurityControlParametersValue?
Type:
IResolvable
|
IResolvable
|
String
[]
(optional)
The current value of a security control parameter.
complianceStatus?
Type:
IResolvable
|
IResolvable
|
String
[]
(optional)
Exclusive to findings that are generated as the result of a check run against a specific rule in a supported standard, such as CIS AWS Foundations.
Contains security standard-related finding details.
confidence?
Type:
IResolvable
|
IResolvable
|
Number
[]
(optional)
A finding's confidence.
Confidence is defined as the likelihood that a finding accurately identifies the behavior or issue that it was intended to identify.
Confidence is scored on a 0-100 basis using a ratio scale, where 0 means zero percent confidence and 100 means 100 percent confidence.
createdAt?
Type:
IResolvable
|
IResolvable
|
Date
[]
(optional)
A timestamp that indicates when the security findings provider created the potential security issue that a finding reflects.
This field accepts only the specified formats. Timestamps can end with Z
or ("+" / "-") time-hour [":" time-minute]
. The time-secfrac after seconds is limited to a maximum of 9 digits. The offset is bounded by +/-18:00. Here are valid timestamp formats with examples:
YYYY-MM-DDTHH:MM:SSZ
(for example,2019-01-31T23:00:00Z
)YYYY-MM-DDTHH:MM:SS.mmmmmmmmmZ
(for example,2019-01-31T23:00:00.123456789Z
)YYYY-MM-DDTHH:MM:SS+HH:MM
(for example,2024-01-04T15:25:10+17:59
)YYYY-MM-DDTHH:MM:SS-HHMM
(for example,2024-01-04T15:25:10-1759
)YYYY-MM-DDTHH:MM:SS.mmmmmmmmm+HH:MM
(for example,2024-01-04T15:25:10.123456789+17:59
)
criticality?
Type:
IResolvable
|
IResolvable
|
Number
[]
(optional)
The level of importance assigned to the resources associated with the finding.
A score of 0 means that the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources.
description?
Type:
IResolvable
|
IResolvable
|
String
[]
(optional)
A finding's description.
findingProviderFieldsConfidence?
Type:
IResolvable
|
IResolvable
|
Number
[]
(optional)
The finding provider value for the finding confidence.
Confidence is defined as the likelihood that a finding accurately identifies the behavior or issue that it was intended to identify.
Confidence is scored on a 0-100 basis using a ratio scale, where 0 means zero percent confidence and 100 means 100 percent confidence.
findingProviderFieldsCriticality?
Type:
IResolvable
|
IResolvable
|
Number
[]
(optional)
The finding provider value for the level of importance assigned to the resources associated with the findings.
A score of 0 means that the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources.
findingProviderFieldsRelatedFindingsId?
Type:
IResolvable
|
IResolvable
|
String
[]
(optional)
The finding identifier of a related finding that is identified by the finding provider.
findingProviderFieldsRelatedFindingsProductArn?
Type:
IResolvable
|
IResolvable
|
String
[]
(optional)
The ARN of the solution that generated a related finding that is identified by the finding provider.
findingProviderFieldsSeverityLabel?
Type:
IResolvable
|
IResolvable
|
String
[]
(optional)
The finding provider value for the severity label.
findingProviderFieldsSeverityOriginal?
Type:
IResolvable
|
IResolvable
|
String
[]
(optional)
The finding provider's original value for the severity.
findingProviderFieldsTypes?
Type:
IResolvable
|
IResolvable
|
String
[]
(optional)
One or more finding types that the finding provider assigned to the finding.
Uses the format of namespace/category/classifier
that classify a finding.
Valid namespace values are: Software and Configuration Checks | TTPs | Effects | Unusual Behaviors | Sensitive Data Identifications
firstObservedAt?
Type:
IResolvable
|
IResolvable
|
Date
[]
(optional)
A timestamp that indicates when the security findings provider first observed the potential security issue that a finding captured.
This field accepts only the specified formats. Timestamps can end with Z
or ("+" / "-") time-hour [":" time-minute]
. The time-secfrac after seconds is limited to a maximum of 9 digits. The offset is bounded by +/-18:00. Here are valid timestamp formats with examples:
YYYY-MM-DDTHH:MM:SSZ
(for example,2019-01-31T23:00:00Z
)YYYY-MM-DDTHH:MM:SS.mmmmmmmmmZ
(for example,2019-01-31T23:00:00.123456789Z
)YYYY-MM-DDTHH:MM:SS+HH:MM
(for example,2024-01-04T15:25:10+17:59
)YYYY-MM-DDTHH:MM:SS-HHMM
(for example,2024-01-04T15:25:10-1759
)YYYY-MM-DDTHH:MM:SS.mmmmmmmmm+HH:MM
(for example,2024-01-04T15:25:10.123456789+17:59
)
generatorId?
Type:
IResolvable
|
IResolvable
|
String
[]
(optional)
The identifier for the solution-specific component (a discrete unit of logic) that generated a finding.
In various security findings providers' solutions, this generator can be called a rule, a check, a detector, a plugin, etc.
id?
Type:
IResolvable
|
IResolvable
|
String
[]
(optional)
The security findings provider-specific identifier for a finding.
keyword?
Type:
IResolvable
|
IResolvable
|
Keyword
[]
(optional)
This field is deprecated.
A keyword for a finding.
lastObservedAt?
Type:
IResolvable
|
IResolvable
|
Date
[]
(optional)
A timestamp that indicates when the security findings provider most recently observed the potential security issue that a finding captured.
This field accepts only the specified formats. Timestamps can end with Z
or ("+" / "-") time-hour [":" time-minute]
. The time-secfrac after seconds is limited to a maximum of 9 digits. The offset is bounded by +/-18:00. Here are valid timestamp formats with examples:
YYYY-MM-DDTHH:MM:SSZ
(for example,2019-01-31T23:00:00Z
)YYYY-MM-DDTHH:MM:SS.mmmmmmmmmZ
(for example,2019-01-31T23:00:00.123456789Z
)YYYY-MM-DDTHH:MM:SS+HH:MM
(for example,2024-01-04T15:25:10+17:59
)YYYY-MM-DDTHH:MM:SS-HHMM
(for example,2024-01-04T15:25:10-1759
)YYYY-MM-DDTHH:MM:SS.mmmmmmmmm+HH:MM
(for example,2024-01-04T15:25:10.123456789+17:59
)
malwareName?
Type:
IResolvable
|
IResolvable
|
String
[]
(optional)
The name of the malware that was observed.
malwarePath?
Type:
IResolvable
|
IResolvable
|
String
[]
(optional)
The filesystem path of the malware that was observed.
malwareState?
Type:
IResolvable
|
IResolvable
|
String
[]
(optional)
The state of the malware that was observed.
malwareType?
Type:
IResolvable
|
IResolvable
|
String
[]
(optional)
The type of the malware that was observed.
networkDestinationDomain?
Type:
IResolvable
|
IResolvable
|
String
[]
(optional)
The destination domain of network-related information about a finding.
networkDestinationIpV4?
Type:
IResolvable
|
IResolvable
|
Ip
[]
(optional)
The destination IPv4 address of network-related information about a finding.
networkDestinationIpV6?
Type:
IResolvable
|
IResolvable
|
Ip
[]
(optional)
The destination IPv6 address of network-related information about a finding.
networkDestinationPort?
Type:
IResolvable
|
IResolvable
|
Number
[]
(optional)
The destination port of network-related information about a finding.
networkDirection?
Type:
IResolvable
|
IResolvable
|
String
[]
(optional)
Indicates the direction of network traffic associated with a finding.
networkProtocol?
Type:
IResolvable
|
IResolvable
|
String
[]
(optional)
The protocol of network-related information about a finding.
networkSourceDomain?
Type:
IResolvable
|
IResolvable
|
String
[]
(optional)
The source domain of network-related information about a finding.
networkSourceIpV4?
Type:
IResolvable
|
IResolvable
|
Ip
[]
(optional)
The source IPv4 address of network-related information about a finding.
networkSourceIpV6?
Type:
IResolvable
|
IResolvable
|
Ip
[]
(optional)
The source IPv6 address of network-related information about a finding.
networkSourceMac?
Type:
IResolvable
|
IResolvable
|
String
[]
(optional)
The source media access control (MAC) address of network-related information about a finding.
networkSourcePort?
Type:
IResolvable
|
IResolvable
|
Number
[]
(optional)
The source port of network-related information about a finding.
noteText?
Type:
IResolvable
|
IResolvable
|
String
[]
(optional)
The text of a note.
noteUpdatedAt?
Type:
IResolvable
|
IResolvable
|
Date
[]
(optional)
The timestamp of when the note was updated.
noteUpdatedBy?
Type:
IResolvable
|
IResolvable
|
String
[]
(optional)
The principal that created a note.
processLaunchedAt?
Type:
IResolvable
|
IResolvable
|
Date
[]
(optional)
A timestamp that identifies when the process was launched.
This field accepts only the specified formats. Timestamps can end with Z
or ("+" / "-") time-hour [":" time-minute]
. The time-secfrac after seconds is limited to a maximum of 9 digits. The offset is bounded by +/-18:00. Here are valid timestamp formats with examples:
YYYY-MM-DDTHH:MM:SSZ
(for example,2019-01-31T23:00:00Z
)YYYY-MM-DDTHH:MM:SS.mmmmmmmmmZ
(for example,2019-01-31T23:00:00.123456789Z
)YYYY-MM-DDTHH:MM:SS+HH:MM
(for example,2024-01-04T15:25:10+17:59
)YYYY-MM-DDTHH:MM:SS-HHMM
(for example,2024-01-04T15:25:10-1759
)YYYY-MM-DDTHH:MM:SS.mmmmmmmmm+HH:MM
(for example,2024-01-04T15:25:10.123456789+17:59
)
processName?
Type:
IResolvable
|
IResolvable
|
String
[]
(optional)
The name of the process.
processParentPid?
Type:
IResolvable
|
IResolvable
|
Number
[]
(optional)
The parent process ID.
This field accepts positive integers between O
and 2147483647
.
processPath?
Type:
IResolvable
|
IResolvable
|
String
[]
(optional)
The path to the process executable.
processPid?
Type:
IResolvable
|
IResolvable
|
Number
[]
(optional)
The process ID.
processTerminatedAt?
Type:
IResolvable
|
IResolvable
|
Date
[]
(optional)
A timestamp that identifies when the process was terminated.
This field accepts only the specified formats. Timestamps can end with Z
or ("+" / "-") time-hour [":" time-minute]
. The time-secfrac after seconds is limited to a maximum of 9 digits. The offset is bounded by +/-18:00. Here are valid timestamp formats with examples:
YYYY-MM-DDTHH:MM:SSZ
(for example,2019-01-31T23:00:00Z
)YYYY-MM-DDTHH:MM:SS.mmmmmmmmmZ
(for example,2019-01-31T23:00:00.123456789Z
)YYYY-MM-DDTHH:MM:SS+HH:MM
(for example,2024-01-04T15:25:10+17:59
)YYYY-MM-DDTHH:MM:SS-HHMM
(for example,2024-01-04T15:25:10-1759
)YYYY-MM-DDTHH:MM:SS.mmmmmmmmm+HH:MM
(for example,2024-01-04T15:25:10.123456789+17:59
)
productArn?
Type:
IResolvable
|
IResolvable
|
String
[]
(optional)
The ARN generated by Security Hub that uniquely identifies a third-party company (security findings provider) after this provider's product (solution that generates findings) is registered with Security Hub.
productFields?
Type:
IResolvable
|
IResolvable
|
Map
[]
(optional)
A data type where security findings providers can include additional solution-specific details that aren't part of the defined AwsSecurityFinding
format.
productName?
Type:
IResolvable
|
IResolvable
|
String
[]
(optional)
The name of the solution (product) that generates findings.
recommendationText?
Type:
IResolvable
|
IResolvable
|
String
[]
(optional)
The recommendation of what to do about the issue described in a finding.
recordState?
Type:
IResolvable
|
IResolvable
|
String
[]
(optional)
The updated record state for the finding.
region?
Type:
IResolvable
|
IResolvable
|
String
[]
(optional)
The Region from which the finding was generated.
relatedFindingsId?
Type:
IResolvable
|
IResolvable
|
String
[]
(optional)
The solution-generated identifier for a related finding.
relatedFindingsProductArn?
Type:
IResolvable
|
IResolvable
|
String
[]
(optional)
The ARN of the solution that generated a related finding.
resourceApplicationArn?
Type:
IResolvable
|
IResolvable
|
String
[]
(optional)
The ARN of the application that is related to a finding.
resourceApplicationName?
Type:
IResolvable
|
IResolvable
|
String
[]
(optional)
The name of the application that is related to a finding.
resourceAwsEc2InstanceIamInstanceProfileArn?
Type:
IResolvable
|
IResolvable
|
String
[]
(optional)
The IAM profile ARN of the instance.
resourceAwsEc2InstanceImageId?
Type:
IResolvable
|
IResolvable
|
String
[]
(optional)
The Amazon Machine Image (AMI) ID of the instance.
resourceAwsEc2InstanceIpV4Addresses?
Type:
IResolvable
|
IResolvable
|
Ip
[]
(optional)
The IPv4 addresses associated with the instance.
resourceAwsEc2InstanceIpV6Addresses?
Type:
IResolvable
|
IResolvable
|
Ip
[]
(optional)
The IPv6 addresses associated with the instance.
resourceAwsEc2InstanceKeyName?
Type:
IResolvable
|
IResolvable
|
String
[]
(optional)
The key name associated with the instance.
resourceAwsEc2InstanceLaunchedAt?
Type:
IResolvable
|
IResolvable
|
Date
[]
(optional)
The date and time the instance was launched.
resourceAwsEc2InstanceSubnetId?
Type:
IResolvable
|
IResolvable
|
String
[]
(optional)
The identifier of the subnet that the instance was launched in.
resourceAwsEc2InstanceType?
Type:
IResolvable
|
IResolvable
|
String
[]
(optional)
The instance type of the instance.
resourceAwsEc2InstanceVpcId?
Type:
IResolvable
|
IResolvable
|
String
[]
(optional)
The identifier of the VPC that the instance was launched in.
resourceAwsIamAccessKeyCreatedAt?
Type:
IResolvable
|
IResolvable
|
Date
[]
(optional)
The creation date/time of the IAM access key related to a finding.
resourceAwsIamAccessKeyPrincipalName?
Type:
IResolvable
|
IResolvable
|
String
[]
(optional)
The name of the principal that is associated with an IAM access key.
resourceAwsIamAccessKeyStatus?
Type:
IResolvable
|
IResolvable
|
String
[]
(optional)
The status of the IAM access key related to a finding.
resourceAwsIamAccessKeyUserName?
Type:
IResolvable
|
IResolvable
|
String
[]
(optional)
This field is deprecated.
The username associated with the IAM access key related to a finding.
resourceAwsIamUserUserName?
Type:
IResolvable
|
IResolvable
|
String
[]
(optional)
The name of an IAM user.
resourceAwsS3BucketOwnerId?
Type:
IResolvable
|
IResolvable
|
String
[]
(optional)
The canonical user ID of the owner of the S3 bucket.
resourceAwsS3BucketOwnerName?
Type:
IResolvable
|
IResolvable
|
String
[]
(optional)
The display name of the owner of the S3 bucket.
resourceContainerImageId?
Type:
IResolvable
|
IResolvable
|
String
[]
(optional)
The identifier of the image related to a finding.
resourceContainerImageName?
Type:
IResolvable
|
IResolvable
|
String
[]
(optional)
The name of the image related to a finding.
resourceContainerLaunchedAt?
Type:
IResolvable
|
IResolvable
|
Date
[]
(optional)
A timestamp that identifies when the container was started.
This field accepts only the specified formats. Timestamps can end with Z
or ("+" / "-") time-hour [":" time-minute]
. The time-secfrac after seconds is limited to a maximum of 9 digits. The offset is bounded by +/-18:00. Here are valid timestamp formats with examples:
YYYY-MM-DDTHH:MM:SSZ
(for example,2019-01-31T23:00:00Z
)YYYY-MM-DDTHH:MM:SS.mmmmmmmmmZ
(for example,2019-01-31T23:00:00.123456789Z
)YYYY-MM-DDTHH:MM:SS+HH:MM
(for example,2024-01-04T15:25:10+17:59
)YYYY-MM-DDTHH:MM:SS-HHMM
(for example,2024-01-04T15:25:10-1759
)YYYY-MM-DDTHH:MM:SS.mmmmmmmmm+HH:MM
(for example,2024-01-04T15:25:10.123456789+17:59
)
resourceContainerName?
Type:
IResolvable
|
IResolvable
|
String
[]
(optional)
The name of the container related to a finding.
resourceDetailsOther?
Type:
IResolvable
|
IResolvable
|
Map
[]
(optional)
The details of a resource that doesn't have a specific subfield for the resource type defined.
resourceId?
Type:
IResolvable
|
IResolvable
|
String
[]
(optional)
The canonical identifier for the given resource type.
resourcePartition?
Type:
IResolvable
|
IResolvable
|
String
[]
(optional)
The canonical AWS partition name that the Region is assigned to.
resourceRegion?
Type:
IResolvable
|
IResolvable
|
String
[]
(optional)
The canonical AWS external Region name where this resource is located.
resourceTags?
Type:
IResolvable
|
IResolvable
|
Map
[]
(optional)
A list of AWS tags associated with a resource at the time the finding was processed.
resourceType?
Type:
IResolvable
|
IResolvable
|
String
[]
(optional)
Specifies the type of the resource that details are provided for.
sample?
Type:
IResolvable
|
IResolvable
|
Boolean
[]
(optional)
Indicates whether or not sample findings are included in the filter results.
severityLabel?
Type:
IResolvable
|
IResolvable
|
String
[]
(optional)
The label of a finding's severity.
severityNormalized?
Type:
IResolvable
|
IResolvable
|
Number
[]
(optional)
Deprecated. The normalized severity of a finding. Instead of providing Normalized
, provide Label
.
If you provide Label
and do not provide Normalized
, then Normalized
is set automatically as follows.
INFORMATIONAL
- 0LOW
- 1MEDIUM
- 40HIGH
- 70CRITICAL
- 90
severityProduct?
Type:
IResolvable
|
IResolvable
|
Number
[]
(optional)
Deprecated. This attribute isn't included in findings. Instead of providing Product
, provide Original
.
The native severity as defined by the AWS service or integrated partner product that generated the finding.
sourceUrl?
Type:
IResolvable
|
IResolvable
|
String
[]
(optional)
A URL that links to a page about the current finding in the security findings provider's solution.
threatIntelIndicatorCategory?
Type:
IResolvable
|
IResolvable
|
String
[]
(optional)
The category of a threat intelligence indicator.
threatIntelIndicatorLastObservedAt?
Type:
IResolvable
|
IResolvable
|
Date
[]
(optional)
A timestamp that identifies the last observation of a threat intelligence indicator.
threatIntelIndicatorSource?
Type:
IResolvable
|
IResolvable
|
String
[]
(optional)
The source of the threat intelligence.
threatIntelIndicatorSourceUrl?
Type:
IResolvable
|
IResolvable
|
String
[]
(optional)
The URL for more details from the source of the threat intelligence.
threatIntelIndicatorType?
Type:
IResolvable
|
IResolvable
|
String
[]
(optional)
The type of a threat intelligence indicator.
threatIntelIndicatorValue?
Type:
IResolvable
|
IResolvable
|
String
[]
(optional)
The value of a threat intelligence indicator.
title?
Type:
IResolvable
|
IResolvable
|
String
[]
(optional)
A finding's title.
type?
Type:
IResolvable
|
IResolvable
|
String
[]
(optional)
A finding type in the format of namespace/category/classifier
that classifies a finding.
updatedAt?
Type:
IResolvable
|
IResolvable
|
Date
[]
(optional)
A timestamp that indicates when the security findings provider last updated the finding record.
This field accepts only the specified formats. Timestamps can end with Z
or ("+" / "-") time-hour [":" time-minute]
. The time-secfrac after seconds is limited to a maximum of 9 digits. The offset is bounded by +/-18:00. Here are valid timestamp formats with examples:
YYYY-MM-DDTHH:MM:SSZ
(for example,2019-01-31T23:00:00Z
)YYYY-MM-DDTHH:MM:SS.mmmmmmmmmZ
(for example,2019-01-31T23:00:00.123456789Z
)YYYY-MM-DDTHH:MM:SS+HH:MM
(for example,2024-01-04T15:25:10+17:59
)YYYY-MM-DDTHH:MM:SS-HHMM
(for example,2024-01-04T15:25:10-1759
)YYYY-MM-DDTHH:MM:SS.mmmmmmmmm+HH:MM
(for example,2024-01-04T15:25:10.123456789+17:59
)
userDefinedFields?
Type:
IResolvable
|
IResolvable
|
Map
[]
(optional)
A list of name/value string pairs associated with the finding.
These are custom, user-defined fields added to a finding.
verificationState?
Type:
IResolvable
|
IResolvable
|
String
[]
(optional)
The veracity of a finding.
vulnerabilitiesExploitAvailable?
Type:
IResolvable
|
IResolvable
|
String
[]
(optional)
Indicates whether a software vulnerability in your environment has a known exploit.
You can filter findings by this field only if you use Security Hub and Amazon Inspector.
vulnerabilitiesFixAvailable?
Type:
IResolvable
|
IResolvable
|
String
[]
(optional)
Indicates whether a vulnerability is fixed in a newer version of the affected software packages.
You can filter findings by this field only if you use Security Hub and Amazon Inspector.
workflowState?
Type:
IResolvable
|
IResolvable
|
String
[]
(optional)
The workflow state of a finding.
Note that this field is deprecated. To search for a finding based on its workflow status, use WorkflowStatus
.
workflowStatus?
Type:
IResolvable
|
IResolvable
|
String
[]
(optional)
The status of the investigation into a finding. Allowed values are the following.
NEW
- The initial state of a finding, before it is reviewed.
Security Hub also resets the workflow status from NOTIFIED
or RESOLVED
to NEW
in the following cases:
RecordState
changes fromARCHIVED
toACTIVE
.Compliance.Status
changes fromPASSED
to eitherWARNING
,FAILED
, orNOT_AVAILABLE
.NOTIFIED
- Indicates that the resource owner has been notified about the security issue. Used when the initial reviewer is not the resource owner, and needs intervention from the resource owner.
If one of the following occurs, the workflow status is changed automatically from NOTIFIED
to NEW
:
RecordState
changes fromARCHIVED
toACTIVE
.Compliance.Status
changes fromPASSED
toFAILED
,WARNING
, orNOT_AVAILABLE
.SUPPRESSED
- Indicates that you reviewed the finding and do not believe that any action is needed.
The workflow status of a SUPPRESSED
finding does not change if RecordState
changes from ARCHIVED
to ACTIVE
.
RESOLVED
- The finding was reviewed and remediated and is now considered resolved.
The finding remains RESOLVED
unless one of the following occurs:
RecordState
changes fromARCHIVED
toACTIVE
.Compliance.Status
changes fromPASSED
toFAILED
,WARNING
, orNOT_AVAILABLE
.
In those cases, the workflow status is automatically reset to NEW
.
For findings from controls, if Compliance.Status
is PASSED
, then Security Hub automatically sets the workflow status to RESOLVED
.