AwsSecurityFindingFilters - Amazon Security Hub
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

AwsSecurityFindingFilters

A collection of attributes that are applied to all active Security Hub-aggregated findings and that result in a subset of findings that are included in this insight.

You can filter by up to 10 finding attributes. For each attribute, you can provide up to 20 filter values.

Contents

AwsAccountId

The Amazon account ID that a finding is generated in.

Type: Array of StringFilter objects

Required: No

CompanyName

The name of the findings provider (company) that owns the solution (product) that generates findings.

Note that this is a filter against the aws/securityhub/CompanyName field in ProductFields. It is not a filter for the top-level CompanyName field.

Type: Array of StringFilter objects

Required: No

ComplianceStatus

Exclusive to findings that are generated as the result of a check run against a specific rule in a supported standard, such as CIS Amazon Foundations. Contains security standard-related finding details.

Type: Array of StringFilter objects

Required: No

Confidence

A finding's confidence. Confidence is defined as the likelihood that a finding accurately identifies the behavior or issue that it was intended to identify.

Confidence is scored on a 0-100 basis using a ratio scale, where 0 means zero percent confidence and 100 means 100 percent confidence.

Type: Array of NumberFilter objects

Required: No

CreatedAt

An ISO8601-formatted timestamp that indicates when the security-findings provider captured the potential security issue that a finding captured.

Type: Array of DateFilter objects

Required: No

Criticality

The level of importance assigned to the resources associated with the finding.

A score of 0 means that the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources.

Type: Array of NumberFilter objects

Required: No

Description

A finding's description.

Type: Array of StringFilter objects

Required: No

FindingProviderFieldsConfidence

The finding provider value for the finding confidence. Confidence is defined as the likelihood that a finding accurately identifies the behavior or issue that it was intended to identify.

Confidence is scored on a 0-100 basis using a ratio scale, where 0 means zero percent confidence and 100 means 100 percent confidence.

Type: Array of NumberFilter objects

Required: No

FindingProviderFieldsCriticality

The finding provider value for the level of importance assigned to the resources associated with the findings.

A score of 0 means that the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources.

Type: Array of NumberFilter objects

Required: No

FindingProviderFieldsRelatedFindingsId

The finding identifier of a related finding that is identified by the finding provider.

Type: Array of StringFilter objects

Required: No

FindingProviderFieldsRelatedFindingsProductArn

The ARN of the solution that generated a related finding that is identified by the finding provider.

Type: Array of StringFilter objects

Required: No

FindingProviderFieldsSeverityLabel

The finding provider value for the severity label.

Type: Array of StringFilter objects

Required: No

FindingProviderFieldsSeverityOriginal

The finding provider's original value for the severity.

Type: Array of StringFilter objects

Required: No

FindingProviderFieldsTypes

One or more finding types that the finding provider assigned to the finding. Uses the format of namespace/category/classifier that classify a finding.

Valid namespace values are: Software and Configuration Checks | TTPs | Effects | Unusual Behaviors | Sensitive Data Identifications

Type: Array of StringFilter objects

Required: No

FirstObservedAt

An ISO8601-formatted timestamp that indicates when the security-findings provider first observed the potential security issue that a finding captured.

Type: Array of DateFilter objects

Required: No

GeneratorId

The identifier for the solution-specific component (a discrete unit of logic) that generated a finding. In various security-findings providers' solutions, this generator can be called a rule, a check, a detector, a plugin, etc.

Type: Array of StringFilter objects

Required: No

Id

The security findings provider-specific identifier for a finding.

Type: Array of StringFilter objects

Required: No

Keyword

This member has been deprecated.

A keyword for a finding.

Type: Array of KeywordFilter objects

Required: No

LastObservedAt

An ISO8601-formatted timestamp that indicates when the security-findings provider most recently observed the potential security issue that a finding captured.

Type: Array of DateFilter objects

Required: No

MalwareName

The name of the malware that was observed.

Type: Array of StringFilter objects

Required: No

MalwarePath

The filesystem path of the malware that was observed.

Type: Array of StringFilter objects

Required: No

MalwareState

The state of the malware that was observed.

Type: Array of StringFilter objects

Required: No

MalwareType

The type of the malware that was observed.

Type: Array of StringFilter objects

Required: No

NetworkDestinationDomain

The destination domain of network-related information about a finding.

Type: Array of StringFilter objects

Required: No

NetworkDestinationIpV4

The destination IPv4 address of network-related information about a finding.

Type: Array of IpFilter objects

Required: No

NetworkDestinationIpV6

The destination IPv6 address of network-related information about a finding.

Type: Array of IpFilter objects

Required: No

NetworkDestinationPort

The destination port of network-related information about a finding.

Type: Array of NumberFilter objects

Required: No

NetworkDirection

Indicates the direction of network traffic associated with a finding.

Type: Array of StringFilter objects

Required: No

NetworkProtocol

The protocol of network-related information about a finding.

Type: Array of StringFilter objects

Required: No

NetworkSourceDomain

The source domain of network-related information about a finding.

Type: Array of StringFilter objects

Required: No

NetworkSourceIpV4

The source IPv4 address of network-related information about a finding.

Type: Array of IpFilter objects

Required: No

NetworkSourceIpV6

The source IPv6 address of network-related information about a finding.

Type: Array of IpFilter objects

Required: No

NetworkSourceMac

The source media access control (MAC) address of network-related information about a finding.

Type: Array of StringFilter objects

Required: No

NetworkSourcePort

The source port of network-related information about a finding.

Type: Array of NumberFilter objects

Required: No

NoteText

The text of a note.

Type: Array of StringFilter objects

Required: No

NoteUpdatedAt

The timestamp of when the note was updated.

Type: Array of DateFilter objects

Required: No

NoteUpdatedBy

The principal that created a note.

Type: Array of StringFilter objects

Required: No

ProcessLaunchedAt

The date/time that the process was launched.

Type: Array of DateFilter objects

Required: No

ProcessName

The name of the process.

Type: Array of StringFilter objects

Required: No

ProcessParentPid

The parent process ID.

Type: Array of NumberFilter objects

Required: No

ProcessPath

The path to the process executable.

Type: Array of StringFilter objects

Required: No

ProcessPid

The process ID.

Type: Array of NumberFilter objects

Required: No

ProcessTerminatedAt

The date/time that the process was terminated.

Type: Array of DateFilter objects

Required: No

ProductArn

The ARN generated by Security Hub that uniquely identifies a third-party company (security findings provider) after this provider's product (solution that generates findings) is registered with Security Hub.

Type: Array of StringFilter objects

Required: No

ProductFields

A data type where security-findings providers can include additional solution-specific details that aren't part of the defined AwsSecurityFinding format.

Type: Array of MapFilter objects

Required: No

ProductName

The name of the solution (product) that generates findings.

Note that this is a filter against the aws/securityhub/ProductName field in ProductFields. It is not a filter for the top-level ProductName field.

Type: Array of StringFilter objects

Required: No

RecommendationText

The recommendation of what to do about the issue described in a finding.

Type: Array of StringFilter objects

Required: No

RecordState

The updated record state for the finding.

Type: Array of StringFilter objects

Required: No

Region

The Region from which the finding was generated.

Type: Array of StringFilter objects

Required: No

RelatedFindingsId

The solution-generated identifier for a related finding.

Type: Array of StringFilter objects

Required: No

RelatedFindingsProductArn

The ARN of the solution that generated a related finding.

Type: Array of StringFilter objects

Required: No

ResourceAwsEc2InstanceIamInstanceProfileArn

The IAM profile ARN of the instance.

Type: Array of StringFilter objects

Required: No

ResourceAwsEc2InstanceImageId

The Amazon Machine Image (AMI) ID of the instance.

Type: Array of StringFilter objects

Required: No

ResourceAwsEc2InstanceIpV4Addresses

The IPv4 addresses associated with the instance.

Type: Array of IpFilter objects

Required: No

ResourceAwsEc2InstanceIpV6Addresses

The IPv6 addresses associated with the instance.

Type: Array of IpFilter objects

Required: No

ResourceAwsEc2InstanceKeyName

The key name associated with the instance.

Type: Array of StringFilter objects

Required: No

ResourceAwsEc2InstanceLaunchedAt

The date and time the instance was launched.

Type: Array of DateFilter objects

Required: No

ResourceAwsEc2InstanceSubnetId

The identifier of the subnet that the instance was launched in.

Type: Array of StringFilter objects

Required: No

ResourceAwsEc2InstanceType

The instance type of the instance.

Type: Array of StringFilter objects

Required: No

ResourceAwsEc2InstanceVpcId

The identifier of the VPC that the instance was launched in.

Type: Array of StringFilter objects

Required: No

ResourceAwsIamAccessKeyCreatedAt

The creation date/time of the IAM access key related to a finding.

Type: Array of DateFilter objects

Required: No

ResourceAwsIamAccessKeyPrincipalName

The name of the principal that is associated with an IAM access key.

Type: Array of StringFilter objects

Required: No

ResourceAwsIamAccessKeyStatus

The status of the IAM access key related to a finding.

Type: Array of StringFilter objects

Required: No

ResourceAwsIamAccessKeyUserName

This member has been deprecated.

The user associated with the IAM access key related to a finding.

Type: Array of StringFilter objects

Required: No

ResourceAwsIamUserUserName

The name of an IAM user.

Type: Array of StringFilter objects

Required: No

ResourceAwsS3BucketOwnerId

The canonical user ID of the owner of the S3 bucket.

Type: Array of StringFilter objects

Required: No

ResourceAwsS3BucketOwnerName

The display name of the owner of the S3 bucket.

Type: Array of StringFilter objects

Required: No

ResourceContainerImageId

The identifier of the image related to a finding.

Type: Array of StringFilter objects

Required: No

ResourceContainerImageName

The name of the image related to a finding.

Type: Array of StringFilter objects

Required: No

ResourceContainerLaunchedAt

The date/time that the container was started.

Type: Array of DateFilter objects

Required: No

ResourceContainerName

The name of the container related to a finding.

Type: Array of StringFilter objects

Required: No

ResourceDetailsOther

The details of a resource that doesn't have a specific subfield for the resource type defined.

Type: Array of MapFilter objects

Required: No

ResourceId

The canonical identifier for the given resource type.

Type: Array of StringFilter objects

Required: No

ResourcePartition

The canonical Amazon partition name that the Region is assigned to.

Type: Array of StringFilter objects

Required: No

ResourceRegion

The canonical Amazon external Region name where this resource is located.

Type: Array of StringFilter objects

Required: No

ResourceTags

A list of Amazon tags associated with a resource at the time the finding was processed.

Type: Array of MapFilter objects

Required: No

ResourceType

Specifies the type of the resource that details are provided for.

Type: Array of StringFilter objects

Required: No

SeverityLabel

The label of a finding's severity.

Type: Array of StringFilter objects

Required: No

SeverityNormalized

This member has been deprecated.

The normalized severity of a finding.

Type: Array of NumberFilter objects

Required: No

SeverityProduct

This member has been deprecated.

The native severity as defined by the security-findings provider's solution that generated the finding.

Type: Array of NumberFilter objects

Required: No

SourceUrl

A URL that links to a page about the current finding in the security-findings provider's solution.

Type: Array of StringFilter objects

Required: No

ThreatIntelIndicatorCategory

The category of a threat intelligence indicator.

Type: Array of StringFilter objects

Required: No

ThreatIntelIndicatorLastObservedAt

The date/time of the last observation of a threat intelligence indicator.

Type: Array of DateFilter objects

Required: No

ThreatIntelIndicatorSource

The source of the threat intelligence.

Type: Array of StringFilter objects

Required: No

ThreatIntelIndicatorSourceUrl

The URL for more details from the source of the threat intelligence.

Type: Array of StringFilter objects

Required: No

ThreatIntelIndicatorType

The type of a threat intelligence indicator.

Type: Array of StringFilter objects

Required: No

ThreatIntelIndicatorValue

The value of a threat intelligence indicator.

Type: Array of StringFilter objects

Required: No

Title

A finding's title.

Type: Array of StringFilter objects

Required: No

Type

A finding type in the format of namespace/category/classifier that classifies a finding.

Type: Array of StringFilter objects

Required: No

UpdatedAt

An ISO8601-formatted timestamp that indicates when the security-findings provider last updated the finding record.

Type: Array of DateFilter objects

Required: No

UserDefinedFields

A list of name/value string pairs associated with the finding. These are custom, user-defined fields added to a finding.

Type: Array of MapFilter objects

Required: No

VerificationState

The veracity of a finding.

Type: Array of StringFilter objects

Required: No

WorkflowState

The workflow state of a finding.

Note that this field is deprecated. To search for a finding based on its workflow status, use WorkflowStatus.

Type: Array of StringFilter objects

Required: No

WorkflowStatus

The status of the investigation into a finding. Allowed values are the following.

  • NEW - The initial state of a finding, before it is reviewed.

    Security Hub also resets the workflow status from NOTIFIED or RESOLVED to NEW in the following cases:

    • The record state changes from ARCHIVED to ACTIVE.

    • The compliance status changes from PASSED to either WARNING, FAILED, or NOT_AVAILABLE.

  • NOTIFIED - Indicates that the resource owner has been notified about the security issue. Used when the initial reviewer is not the resource owner, and needs intervention from the resource owner.

  • SUPPRESSED - The finding will not be reviewed again and will not be acted upon.

  • RESOLVED - The finding was reviewed and remediated and is now considered resolved.

Type: Array of StringFilter objects

Required: No

See Also

For more information about using this API in one of the language-specific Amazon SDKs, see the following: