AWS::SecurityHub::Insight AwsSecurityFindingFilters - Amazon CloudFormation
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

AWS::SecurityHub::Insight AwsSecurityFindingFilters

A collection of filters that are applied to all active findings aggregated by Amazon Security Hub.

You can filter by up to ten finding attributes. For each attribute, you can provide up to 20 filter values.

Syntax

To declare this entity in your Amazon CloudFormation template, use the following syntax:

JSON

{ "AwsAccountId" : [ StringFilter, ... ], "AwsAccountName" : [ StringFilter, ... ], "CompanyName" : [ StringFilter, ... ], "ComplianceAssociatedStandardsId" : [ StringFilter, ... ], "ComplianceSecurityControlId" : [ StringFilter, ... ], "ComplianceSecurityControlParametersName" : [ StringFilter, ... ], "ComplianceSecurityControlParametersValue" : [ StringFilter, ... ], "ComplianceStatus" : [ StringFilter, ... ], "Confidence" : [ NumberFilter, ... ], "CreatedAt" : [ DateFilter, ... ], "Criticality" : [ NumberFilter, ... ], "Description" : [ StringFilter, ... ], "FindingProviderFieldsConfidence" : [ NumberFilter, ... ], "FindingProviderFieldsCriticality" : [ NumberFilter, ... ], "FindingProviderFieldsRelatedFindingsId" : [ StringFilter, ... ], "FindingProviderFieldsRelatedFindingsProductArn" : [ StringFilter, ... ], "FindingProviderFieldsSeverityLabel" : [ StringFilter, ... ], "FindingProviderFieldsSeverityOriginal" : [ StringFilter, ... ], "FindingProviderFieldsTypes" : [ StringFilter, ... ], "FirstObservedAt" : [ DateFilter, ... ], "GeneratorId" : [ StringFilter, ... ], "Id" : [ StringFilter, ... ], "Keyword" : [ KeywordFilter, ... ], "LastObservedAt" : [ DateFilter, ... ], "MalwareName" : [ StringFilter, ... ], "MalwarePath" : [ StringFilter, ... ], "MalwareState" : [ StringFilter, ... ], "MalwareType" : [ StringFilter, ... ], "NetworkDestinationDomain" : [ StringFilter, ... ], "NetworkDestinationIpV4" : [ IpFilter, ... ], "NetworkDestinationIpV6" : [ IpFilter, ... ], "NetworkDestinationPort" : [ NumberFilter, ... ], "NetworkDirection" : [ StringFilter, ... ], "NetworkProtocol" : [ StringFilter, ... ], "NetworkSourceDomain" : [ StringFilter, ... ], "NetworkSourceIpV4" : [ IpFilter, ... ], "NetworkSourceIpV6" : [ IpFilter, ... ], "NetworkSourceMac" : [ StringFilter, ... ], "NetworkSourcePort" : [ NumberFilter, ... ], "NoteText" : [ StringFilter, ... ], "NoteUpdatedAt" : [ DateFilter, ... ], "NoteUpdatedBy" : [ StringFilter, ... ], "ProcessLaunchedAt" : [ DateFilter, ... ], "ProcessName" : [ StringFilter, ... ], "ProcessParentPid" : [ NumberFilter, ... ], "ProcessPath" : [ StringFilter, ... ], "ProcessPid" : [ NumberFilter, ... ], "ProcessTerminatedAt" : [ DateFilter, ... ], "ProductArn" : [ StringFilter, ... ], "ProductFields" : [ MapFilter, ... ], "ProductName" : [ StringFilter, ... ], "RecommendationText" : [ StringFilter, ... ], "RecordState" : [ StringFilter, ... ], "Region" : [ StringFilter, ... ], "RelatedFindingsId" : [ StringFilter, ... ], "RelatedFindingsProductArn" : [ StringFilter, ... ], "ResourceApplicationArn" : [ StringFilter, ... ], "ResourceApplicationName" : [ StringFilter, ... ], "ResourceAwsEc2InstanceIamInstanceProfileArn" : [ StringFilter, ... ], "ResourceAwsEc2InstanceImageId" : [ StringFilter, ... ], "ResourceAwsEc2InstanceIpV4Addresses" : [ IpFilter, ... ], "ResourceAwsEc2InstanceIpV6Addresses" : [ IpFilter, ... ], "ResourceAwsEc2InstanceKeyName" : [ StringFilter, ... ], "ResourceAwsEc2InstanceLaunchedAt" : [ DateFilter, ... ], "ResourceAwsEc2InstanceSubnetId" : [ StringFilter, ... ], "ResourceAwsEc2InstanceType" : [ StringFilter, ... ], "ResourceAwsEc2InstanceVpcId" : [ StringFilter, ... ], "ResourceAwsIamAccessKeyCreatedAt" : [ DateFilter, ... ], "ResourceAwsIamAccessKeyPrincipalName" : [ StringFilter, ... ], "ResourceAwsIamAccessKeyStatus" : [ StringFilter, ... ], "ResourceAwsIamAccessKeyUserName" : [ StringFilter, ... ], "ResourceAwsIamUserUserName" : [ StringFilter, ... ], "ResourceAwsS3BucketOwnerId" : [ StringFilter, ... ], "ResourceAwsS3BucketOwnerName" : [ StringFilter, ... ], "ResourceContainerImageId" : [ StringFilter, ... ], "ResourceContainerImageName" : [ StringFilter, ... ], "ResourceContainerLaunchedAt" : [ DateFilter, ... ], "ResourceContainerName" : [ StringFilter, ... ], "ResourceDetailsOther" : [ MapFilter, ... ], "ResourceId" : [ StringFilter, ... ], "ResourcePartition" : [ StringFilter, ... ], "ResourceRegion" : [ StringFilter, ... ], "ResourceTags" : [ MapFilter, ... ], "ResourceType" : [ StringFilter, ... ], "Sample" : [ BooleanFilter, ... ], "SeverityLabel" : [ StringFilter, ... ], "SeverityNormalized" : [ NumberFilter, ... ], "SeverityProduct" : [ NumberFilter, ... ], "SourceUrl" : [ StringFilter, ... ], "ThreatIntelIndicatorCategory" : [ StringFilter, ... ], "ThreatIntelIndicatorLastObservedAt" : [ DateFilter, ... ], "ThreatIntelIndicatorSource" : [ StringFilter, ... ], "ThreatIntelIndicatorSourceUrl" : [ StringFilter, ... ], "ThreatIntelIndicatorType" : [ StringFilter, ... ], "ThreatIntelIndicatorValue" : [ StringFilter, ... ], "Title" : [ StringFilter, ... ], "Type" : [ StringFilter, ... ], "UpdatedAt" : [ DateFilter, ... ], "UserDefinedFields" : [ MapFilter, ... ], "VerificationState" : [ StringFilter, ... ], "VulnerabilitiesExploitAvailable" : [ StringFilter, ... ], "VulnerabilitiesFixAvailable" : [ StringFilter, ... ], "WorkflowState" : [ StringFilter, ... ], "WorkflowStatus" : [ StringFilter, ... ] }

YAML

AwsAccountId: - StringFilter AwsAccountName: - StringFilter CompanyName: - StringFilter ComplianceAssociatedStandardsId: - StringFilter ComplianceSecurityControlId: - StringFilter ComplianceSecurityControlParametersName: - StringFilter ComplianceSecurityControlParametersValue: - StringFilter ComplianceStatus: - StringFilter Confidence: - NumberFilter CreatedAt: - DateFilter Criticality: - NumberFilter Description: - StringFilter FindingProviderFieldsConfidence: - NumberFilter FindingProviderFieldsCriticality: - NumberFilter FindingProviderFieldsRelatedFindingsId: - StringFilter FindingProviderFieldsRelatedFindingsProductArn: - StringFilter FindingProviderFieldsSeverityLabel: - StringFilter FindingProviderFieldsSeverityOriginal: - StringFilter FindingProviderFieldsTypes: - StringFilter FirstObservedAt: - DateFilter GeneratorId: - StringFilter Id: - StringFilter Keyword: - KeywordFilter LastObservedAt: - DateFilter MalwareName: - StringFilter MalwarePath: - StringFilter MalwareState: - StringFilter MalwareType: - StringFilter NetworkDestinationDomain: - StringFilter NetworkDestinationIpV4: - IpFilter NetworkDestinationIpV6: - IpFilter NetworkDestinationPort: - NumberFilter NetworkDirection: - StringFilter NetworkProtocol: - StringFilter NetworkSourceDomain: - StringFilter NetworkSourceIpV4: - IpFilter NetworkSourceIpV6: - IpFilter NetworkSourceMac: - StringFilter NetworkSourcePort: - NumberFilter NoteText: - StringFilter NoteUpdatedAt: - DateFilter NoteUpdatedBy: - StringFilter ProcessLaunchedAt: - DateFilter ProcessName: - StringFilter ProcessParentPid: - NumberFilter ProcessPath: - StringFilter ProcessPid: - NumberFilter ProcessTerminatedAt: - DateFilter ProductArn: - StringFilter ProductFields: - MapFilter ProductName: - StringFilter RecommendationText: - StringFilter RecordState: - StringFilter Region: - StringFilter RelatedFindingsId: - StringFilter RelatedFindingsProductArn: - StringFilter ResourceApplicationArn: - StringFilter ResourceApplicationName: - StringFilter ResourceAwsEc2InstanceIamInstanceProfileArn: - StringFilter ResourceAwsEc2InstanceImageId: - StringFilter ResourceAwsEc2InstanceIpV4Addresses: - IpFilter ResourceAwsEc2InstanceIpV6Addresses: - IpFilter ResourceAwsEc2InstanceKeyName: - StringFilter ResourceAwsEc2InstanceLaunchedAt: - DateFilter ResourceAwsEc2InstanceSubnetId: - StringFilter ResourceAwsEc2InstanceType: - StringFilter ResourceAwsEc2InstanceVpcId: - StringFilter ResourceAwsIamAccessKeyCreatedAt: - DateFilter ResourceAwsIamAccessKeyPrincipalName: - StringFilter ResourceAwsIamAccessKeyStatus: - StringFilter ResourceAwsIamAccessKeyUserName: - StringFilter ResourceAwsIamUserUserName: - StringFilter ResourceAwsS3BucketOwnerId: - StringFilter ResourceAwsS3BucketOwnerName: - StringFilter ResourceContainerImageId: - StringFilter ResourceContainerImageName: - StringFilter ResourceContainerLaunchedAt: - DateFilter ResourceContainerName: - StringFilter ResourceDetailsOther: - MapFilter ResourceId: - StringFilter ResourcePartition: - StringFilter ResourceRegion: - StringFilter ResourceTags: - MapFilter ResourceType: - StringFilter Sample: - BooleanFilter SeverityLabel: - StringFilter SeverityNormalized: - NumberFilter SeverityProduct: - NumberFilter SourceUrl: - StringFilter ThreatIntelIndicatorCategory: - StringFilter ThreatIntelIndicatorLastObservedAt: - DateFilter ThreatIntelIndicatorSource: - StringFilter ThreatIntelIndicatorSourceUrl: - StringFilter ThreatIntelIndicatorType: - StringFilter ThreatIntelIndicatorValue: - StringFilter Title: - StringFilter Type: - StringFilter UpdatedAt: - DateFilter UserDefinedFields: - MapFilter VerificationState: - StringFilter VulnerabilitiesExploitAvailable: - StringFilter VulnerabilitiesFixAvailable: - StringFilter WorkflowState: - StringFilter WorkflowStatus: - StringFilter

Properties

AwsAccountId

The Amazon Web Services account ID in which a finding is generated.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

AwsAccountName

The name of the Amazon Web Services account in which a finding is generated.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

CompanyName

The name of the findings provider (company) that owns the solution (product) that generates findings.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

ComplianceAssociatedStandardsId

The unique identifier of a standard in which a control is enabled. This field consists of the resource portion of the Amazon Resource Name (ARN) returned for a standard in the DescribeStandards API response.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

ComplianceSecurityControlId

The unique identifier of a control across standards. Values for this field typically consist of an Amazon Web Service and a number, such as APIGateway.5.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

ComplianceSecurityControlParametersName

The name of a security control parameter.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

ComplianceSecurityControlParametersValue

The current value of a security control parameter.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

ComplianceStatus

Exclusive to findings that are generated as the result of a check run against a specific rule in a supported standard, such as CIS Amazon Foundations. Contains security standard-related finding details.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

Confidence

A finding's confidence. Confidence is defined as the likelihood that a finding accurately identifies the behavior or issue that it was intended to identify.

Confidence is scored on a 0-100 basis using a ratio scale, where 0 means zero percent confidence and 100 means 100 percent confidence.

Required: No

Type: Array of NumberFilter

Maximum: 20

Update requires: No interruption

CreatedAt

A timestamp that indicates when the security findings provider created the potential security issue that a finding reflects.

This field accepts only the specified formats. Timestamps can end with Z or ("+" / "-") time-hour [":" time-minute]. The time-secfrac after seconds is limited to a maximum of 9 digits. The offset is bounded by +/-18:00. Here are valid timestamp formats with examples:

  • YYYY-MM-DDTHH:MM:SSZ (for example, 2019-01-31T23:00:00Z)

  • YYYY-MM-DDTHH:MM:SS.mmmmmmmmmZ (for example, 2019-01-31T23:00:00.123456789Z)

  • YYYY-MM-DDTHH:MM:SS+HH:MM (for example, 2024-01-04T15:25:10+17:59)

  • YYYY-MM-DDTHH:MM:SS-HHMM (for example, 2024-01-04T15:25:10-1759)

  • YYYY-MM-DDTHH:MM:SS.mmmmmmmmm+HH:MM (for example, 2024-01-04T15:25:10.123456789+17:59)

Required: No

Type: Array of DateFilter

Maximum: 20

Update requires: No interruption

Criticality

The level of importance assigned to the resources associated with the finding.

A score of 0 means that the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources.

Required: No

Type: Array of NumberFilter

Maximum: 20

Update requires: No interruption

Description

A finding's description.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

FindingProviderFieldsConfidence

The finding provider value for the finding confidence. Confidence is defined as the likelihood that a finding accurately identifies the behavior or issue that it was intended to identify.

Confidence is scored on a 0-100 basis using a ratio scale, where 0 means zero percent confidence and 100 means 100 percent confidence.

Required: No

Type: Array of NumberFilter

Maximum: 20

Update requires: No interruption

FindingProviderFieldsCriticality

The finding provider value for the level of importance assigned to the resources associated with the findings.

A score of 0 means that the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources.

Required: No

Type: Array of NumberFilter

Maximum: 20

Update requires: No interruption

FindingProviderFieldsRelatedFindingsId

The finding identifier of a related finding that is identified by the finding provider.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

FindingProviderFieldsRelatedFindingsProductArn

The ARN of the solution that generated a related finding that is identified by the finding provider.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

FindingProviderFieldsSeverityLabel

The finding provider value for the severity label.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

FindingProviderFieldsSeverityOriginal

The finding provider's original value for the severity.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

FindingProviderFieldsTypes

One or more finding types that the finding provider assigned to the finding. Uses the format of namespace/category/classifier that classify a finding.

Valid namespace values are: Software and Configuration Checks | TTPs | Effects | Unusual Behaviors | Sensitive Data Identifications

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

FirstObservedAt

A timestamp that indicates when the security findings provider first observed the potential security issue that a finding captured.

This field accepts only the specified formats. Timestamps can end with Z or ("+" / "-") time-hour [":" time-minute]. The time-secfrac after seconds is limited to a maximum of 9 digits. The offset is bounded by +/-18:00. Here are valid timestamp formats with examples:

  • YYYY-MM-DDTHH:MM:SSZ (for example, 2019-01-31T23:00:00Z)

  • YYYY-MM-DDTHH:MM:SS.mmmmmmmmmZ (for example, 2019-01-31T23:00:00.123456789Z)

  • YYYY-MM-DDTHH:MM:SS+HH:MM (for example, 2024-01-04T15:25:10+17:59)

  • YYYY-MM-DDTHH:MM:SS-HHMM (for example, 2024-01-04T15:25:10-1759)

  • YYYY-MM-DDTHH:MM:SS.mmmmmmmmm+HH:MM (for example, 2024-01-04T15:25:10.123456789+17:59)

Required: No

Type: Array of DateFilter

Maximum: 20

Update requires: No interruption

GeneratorId

The identifier for the solution-specific component (a discrete unit of logic) that generated a finding. In various security findings providers' solutions, this generator can be called a rule, a check, a detector, a plugin, etc.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

Id

The security findings provider-specific identifier for a finding.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

Keyword

This field is deprecated. A keyword for a finding.

Required: No

Type: Array of KeywordFilter

Maximum: 20

Update requires: No interruption

LastObservedAt

A timestamp that indicates when the security findings provider most recently observed the potential security issue that a finding captured.

This field accepts only the specified formats. Timestamps can end with Z or ("+" / "-") time-hour [":" time-minute]. The time-secfrac after seconds is limited to a maximum of 9 digits. The offset is bounded by +/-18:00. Here are valid timestamp formats with examples:

  • YYYY-MM-DDTHH:MM:SSZ (for example, 2019-01-31T23:00:00Z)

  • YYYY-MM-DDTHH:MM:SS.mmmmmmmmmZ (for example, 2019-01-31T23:00:00.123456789Z)

  • YYYY-MM-DDTHH:MM:SS+HH:MM (for example, 2024-01-04T15:25:10+17:59)

  • YYYY-MM-DDTHH:MM:SS-HHMM (for example, 2024-01-04T15:25:10-1759)

  • YYYY-MM-DDTHH:MM:SS.mmmmmmmmm+HH:MM (for example, 2024-01-04T15:25:10.123456789+17:59)

Required: No

Type: Array of DateFilter

Maximum: 20

Update requires: No interruption

MalwareName

The name of the malware that was observed.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

MalwarePath

The filesystem path of the malware that was observed.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

MalwareState

The state of the malware that was observed.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

MalwareType

The type of the malware that was observed.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

NetworkDestinationDomain

The destination domain of network-related information about a finding.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

NetworkDestinationIpV4

The destination IPv4 address of network-related information about a finding.

Required: No

Type: Array of IpFilter

Maximum: 20

Update requires: No interruption

NetworkDestinationIpV6

The destination IPv6 address of network-related information about a finding.

Required: No

Type: Array of IpFilter

Maximum: 20

Update requires: No interruption

NetworkDestinationPort

The destination port of network-related information about a finding.

Required: No

Type: Array of NumberFilter

Maximum: 20

Update requires: No interruption

NetworkDirection

Indicates the direction of network traffic associated with a finding.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

NetworkProtocol

The protocol of network-related information about a finding.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

NetworkSourceDomain

The source domain of network-related information about a finding.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

NetworkSourceIpV4

The source IPv4 address of network-related information about a finding.

Required: No

Type: Array of IpFilter

Maximum: 20

Update requires: No interruption

NetworkSourceIpV6

The source IPv6 address of network-related information about a finding.

Required: No

Type: Array of IpFilter

Maximum: 20

Update requires: No interruption

NetworkSourceMac

The source media access control (MAC) address of network-related information about a finding.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

NetworkSourcePort

The source port of network-related information about a finding.

Required: No

Type: Array of NumberFilter

Maximum: 20

Update requires: No interruption

NoteText

The text of a note.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

NoteUpdatedAt

The timestamp of when the note was updated.

Required: No

Type: Array of DateFilter

Maximum: 20

Update requires: No interruption

NoteUpdatedBy

The principal that created a note.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

ProcessLaunchedAt

A timestamp that identifies when the process was launched.

This field accepts only the specified formats. Timestamps can end with Z or ("+" / "-") time-hour [":" time-minute]. The time-secfrac after seconds is limited to a maximum of 9 digits. The offset is bounded by +/-18:00. Here are valid timestamp formats with examples:

  • YYYY-MM-DDTHH:MM:SSZ (for example, 2019-01-31T23:00:00Z)

  • YYYY-MM-DDTHH:MM:SS.mmmmmmmmmZ (for example, 2019-01-31T23:00:00.123456789Z)

  • YYYY-MM-DDTHH:MM:SS+HH:MM (for example, 2024-01-04T15:25:10+17:59)

  • YYYY-MM-DDTHH:MM:SS-HHMM (for example, 2024-01-04T15:25:10-1759)

  • YYYY-MM-DDTHH:MM:SS.mmmmmmmmm+HH:MM (for example, 2024-01-04T15:25:10.123456789+17:59)

Required: No

Type: Array of DateFilter

Maximum: 20

Update requires: No interruption

ProcessName

The name of the process.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

ProcessParentPid

The parent process ID. This field accepts positive integers between O and 2147483647.

Required: No

Type: Array of NumberFilter

Maximum: 20

Update requires: No interruption

ProcessPath

The path to the process executable.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

ProcessPid

The process ID.

Required: No

Type: Array of NumberFilter

Maximum: 20

Update requires: No interruption

ProcessTerminatedAt

A timestamp that identifies when the process was terminated.

This field accepts only the specified formats. Timestamps can end with Z or ("+" / "-") time-hour [":" time-minute]. The time-secfrac after seconds is limited to a maximum of 9 digits. The offset is bounded by +/-18:00. Here are valid timestamp formats with examples:

  • YYYY-MM-DDTHH:MM:SSZ (for example, 2019-01-31T23:00:00Z)

  • YYYY-MM-DDTHH:MM:SS.mmmmmmmmmZ (for example, 2019-01-31T23:00:00.123456789Z)

  • YYYY-MM-DDTHH:MM:SS+HH:MM (for example, 2024-01-04T15:25:10+17:59)

  • YYYY-MM-DDTHH:MM:SS-HHMM (for example, 2024-01-04T15:25:10-1759)

  • YYYY-MM-DDTHH:MM:SS.mmmmmmmmm+HH:MM (for example, 2024-01-04T15:25:10.123456789+17:59)

Required: No

Type: Array of DateFilter

Maximum: 20

Update requires: No interruption

ProductArn

The ARN generated by Security Hub that uniquely identifies a third-party company (security findings provider) after this provider's product (solution that generates findings) is registered with Security Hub.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

ProductFields

A data type where security findings providers can include additional solution-specific details that aren't part of the defined AwsSecurityFinding format.

Required: No

Type: Array of MapFilter

Maximum: 20

Update requires: No interruption

ProductName

The name of the solution (product) that generates findings.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

RecommendationText

The recommendation of what to do about the issue described in a finding.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

RecordState

The updated record state for the finding.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

Region

The Region from which the finding was generated.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

RelatedFindingsId

The solution-generated identifier for a related finding.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

RelatedFindingsProductArn

The ARN of the solution that generated a related finding.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

ResourceApplicationArn

The ARN of the application that is related to a finding.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

ResourceApplicationName

The name of the application that is related to a finding.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

ResourceAwsEc2InstanceIamInstanceProfileArn

The IAM profile ARN of the instance.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

ResourceAwsEc2InstanceImageId

The Amazon Machine Image (AMI) ID of the instance.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

ResourceAwsEc2InstanceIpV4Addresses

The IPv4 addresses associated with the instance.

Required: No

Type: Array of IpFilter

Maximum: 20

Update requires: No interruption

ResourceAwsEc2InstanceIpV6Addresses

The IPv6 addresses associated with the instance.

Required: No

Type: Array of IpFilter

Maximum: 20

Update requires: No interruption

ResourceAwsEc2InstanceKeyName

The key name associated with the instance.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

ResourceAwsEc2InstanceLaunchedAt

The date and time the instance was launched.

Required: No

Type: Array of DateFilter

Maximum: 20

Update requires: No interruption

ResourceAwsEc2InstanceSubnetId

The identifier of the subnet that the instance was launched in.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

ResourceAwsEc2InstanceType

The instance type of the instance.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

ResourceAwsEc2InstanceVpcId

The identifier of the VPC that the instance was launched in.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

ResourceAwsIamAccessKeyCreatedAt

The creation date/time of the IAM access key related to a finding.

Required: No

Type: Array of DateFilter

Maximum: 20

Update requires: No interruption

ResourceAwsIamAccessKeyPrincipalName

The name of the principal that is associated with an IAM access key.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

ResourceAwsIamAccessKeyStatus

The status of the IAM access key related to a finding.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

ResourceAwsIamAccessKeyUserName

This field is deprecated. The username associated with the IAM access key related to a finding.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

ResourceAwsIamUserUserName

The name of an IAM user.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

ResourceAwsS3BucketOwnerId

The canonical user ID of the owner of the S3 bucket.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

ResourceAwsS3BucketOwnerName

The display name of the owner of the S3 bucket.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

ResourceContainerImageId

The identifier of the image related to a finding.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

ResourceContainerImageName

The name of the image related to a finding.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

ResourceContainerLaunchedAt

A timestamp that identifies when the container was started.

This field accepts only the specified formats. Timestamps can end with Z or ("+" / "-") time-hour [":" time-minute]. The time-secfrac after seconds is limited to a maximum of 9 digits. The offset is bounded by +/-18:00. Here are valid timestamp formats with examples:

  • YYYY-MM-DDTHH:MM:SSZ (for example, 2019-01-31T23:00:00Z)

  • YYYY-MM-DDTHH:MM:SS.mmmmmmmmmZ (for example, 2019-01-31T23:00:00.123456789Z)

  • YYYY-MM-DDTHH:MM:SS+HH:MM (for example, 2024-01-04T15:25:10+17:59)

  • YYYY-MM-DDTHH:MM:SS-HHMM (for example, 2024-01-04T15:25:10-1759)

  • YYYY-MM-DDTHH:MM:SS.mmmmmmmmm+HH:MM (for example, 2024-01-04T15:25:10.123456789+17:59)

Required: No

Type: Array of DateFilter

Maximum: 20

Update requires: No interruption

ResourceContainerName

The name of the container related to a finding.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

ResourceDetailsOther

The details of a resource that doesn't have a specific subfield for the resource type defined.

Required: No

Type: Array of MapFilter

Maximum: 20

Update requires: No interruption

ResourceId

The canonical identifier for the given resource type.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

ResourcePartition

The canonical Amazon partition name that the Region is assigned to.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

ResourceRegion

The canonical Amazon external Region name where this resource is located.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

ResourceTags

A list of Amazon tags associated with a resource at the time the finding was processed.

Required: No

Type: Array of MapFilter

Maximum: 20

Update requires: No interruption

ResourceType

Specifies the type of the resource that details are provided for.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

Sample

Indicates whether or not sample findings are included in the filter results.

Required: No

Type: Array of BooleanFilter

Maximum: 20

Update requires: No interruption

SeverityLabel

The label of a finding's severity.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

SeverityNormalized

Deprecated. The normalized severity of a finding. Instead of providing Normalized, provide Label.

If you provide Label and do not provide Normalized, then Normalized is set automatically as follows.

  • INFORMATIONAL - 0

  • LOW - 1

  • MEDIUM - 40

  • HIGH - 70

  • CRITICAL - 90

Required: No

Type: Array of NumberFilter

Maximum: 20

Update requires: No interruption

SeverityProduct

Deprecated. This attribute isn't included in findings. Instead of providing Product, provide Original.

The native severity as defined by the Amazon service or integrated partner product that generated the finding.

Required: No

Type: Array of NumberFilter

Maximum: 20

Update requires: No interruption

SourceUrl

A URL that links to a page about the current finding in the security findings provider's solution.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

ThreatIntelIndicatorCategory

The category of a threat intelligence indicator.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

ThreatIntelIndicatorLastObservedAt

A timestamp that identifies the last observation of a threat intelligence indicator.

Required: No

Type: Array of DateFilter

Maximum: 20

Update requires: No interruption

ThreatIntelIndicatorSource

The source of the threat intelligence.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

ThreatIntelIndicatorSourceUrl

The URL for more details from the source of the threat intelligence.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

ThreatIntelIndicatorType

The type of a threat intelligence indicator.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

ThreatIntelIndicatorValue

The value of a threat intelligence indicator.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

Title

A finding's title.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

Type

A finding type in the format of namespace/category/classifier that classifies a finding.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

UpdatedAt

A timestamp that indicates when the security findings provider last updated the finding record.

This field accepts only the specified formats. Timestamps can end with Z or ("+" / "-") time-hour [":" time-minute]. The time-secfrac after seconds is limited to a maximum of 9 digits. The offset is bounded by +/-18:00. Here are valid timestamp formats with examples:

  • YYYY-MM-DDTHH:MM:SSZ (for example, 2019-01-31T23:00:00Z)

  • YYYY-MM-DDTHH:MM:SS.mmmmmmmmmZ (for example, 2019-01-31T23:00:00.123456789Z)

  • YYYY-MM-DDTHH:MM:SS+HH:MM (for example, 2024-01-04T15:25:10+17:59)

  • YYYY-MM-DDTHH:MM:SS-HHMM (for example, 2024-01-04T15:25:10-1759)

  • YYYY-MM-DDTHH:MM:SS.mmmmmmmmm+HH:MM (for example, 2024-01-04T15:25:10.123456789+17:59)

Required: No

Type: Array of DateFilter

Maximum: 20

Update requires: No interruption

UserDefinedFields

A list of name/value string pairs associated with the finding. These are custom, user-defined fields added to a finding.

Required: No

Type: Array of MapFilter

Maximum: 20

Update requires: No interruption

VerificationState

The veracity of a finding.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

VulnerabilitiesExploitAvailable

Indicates whether a software vulnerability in your environment has a known exploit. You can filter findings by this field only if you use Security Hub and Amazon Inspector.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

VulnerabilitiesFixAvailable

Indicates whether a vulnerability is fixed in a newer version of the affected software packages. You can filter findings by this field only if you use Security Hub and Amazon Inspector.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

WorkflowState

The workflow state of a finding.

Note that this field is deprecated. To search for a finding based on its workflow status, use WorkflowStatus.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption

WorkflowStatus

The status of the investigation into a finding. Allowed values are the following.

  • NEW - The initial state of a finding, before it is reviewed.

    Security Hub also resets the workflow status from NOTIFIED or RESOLVED to NEW in the following cases:

    • RecordState changes from ARCHIVED to ACTIVE.

    • Compliance.Status changes from PASSED to either WARNING, FAILED, or NOT_AVAILABLE.

  • NOTIFIED - Indicates that the resource owner has been notified about the security issue. Used when the initial reviewer is not the resource owner, and needs intervention from the resource owner.

    If one of the following occurs, the workflow status is changed automatically from NOTIFIED to NEW:

    • RecordState changes from ARCHIVED to ACTIVE.

    • Compliance.Status changes from PASSED to FAILED, WARNING, or NOT_AVAILABLE.

  • SUPPRESSED - Indicates that you reviewed the finding and do not believe that any action is needed.

    The workflow status of a SUPPRESSED finding does not change if RecordState changes from ARCHIVED to ACTIVE.

  • RESOLVED - The finding was reviewed and remediated and is now considered resolved.

    The finding remains RESOLVED unless one of the following occurs:

    • RecordState changes from ARCHIVED to ACTIVE.

    • Compliance.Status changes from PASSED to FAILED, WARNING, or NOT_AVAILABLE.

    In those cases, the workflow status is automatically reset to NEW.

    For findings from controls, if Compliance.Status is PASSED, then Security Hub automatically sets the workflow status to RESOLVED.

Required: No

Type: Array of StringFilter

Maximum: 20

Update requires: No interruption