AWS SecurityHub

2023/06/13 - AWS SecurityHub - 5 new api methods

Changes  Add support for Security Hub Automation Rules

ListAutomationRules (new) Link ¶

A list of automation rules and their metadata for the calling account.

See also: AWS API Documentation

Request Syntax

client.list_automation_rules(
    NextToken='string',
    MaxResults=123
)
type NextToken

string

param NextToken

A token to specify where to start paginating the response. This is the NextToken from a previously truncated response. On your first call to the ListAutomationRules API, set the value of this parameter to NULL .

type MaxResults

integer

param MaxResults

The maximum number of rules to return in the response. This currently ranges from 1 to 100.

rtype

dict

returns

Response Syntax

{
    'AutomationRulesMetadata': [
        {
            'RuleArn': 'string',
            'RuleStatus': 'ENABLED'|'DISABLED',
            'RuleOrder': 123,
            'RuleName': 'string',
            'Description': 'string',
            'IsTerminal': True|False,
            'CreatedAt': datetime(2015, 1, 1),
            'UpdatedAt': datetime(2015, 1, 1),
            'CreatedBy': 'string'
        },
    ],
    'NextToken': 'string'
}

Response Structure

  • (dict) --

    • AutomationRulesMetadata (list) --

      Metadata for rules in the calling account. The response includes rules with a RuleStatus of ENABLED and DISABLED .

      • (dict) --

        Metadata for automation rules in the calling account. The response includes rules with a RuleStatus of ENABLED and DISABLED .

        • RuleArn (string) --

          The Amazon Resource Name (ARN) for the rule.

        • RuleStatus (string) --

          Whether the rule is active after it is created. If this parameter is equal to ENABLED , Security Hub will apply the rule to findings and finding updates after the rule is created. To change the value of this parameter after creating a rule, use BatchUpdateAutomationRules .

        • RuleOrder (integer) --

          An integer ranging from 1 to 1000 that represents the order in which the rule action is applied to findings. Security Hub applies rules with lower values for this parameter first.

        • RuleName (string) --

          The name of the rule.

        • Description (string) --

          A description of the rule.

        • IsTerminal (boolean) --

          Specifies whether a rule is the last to be applied with respect to a finding that matches the rule criteria. This is useful when a finding matches the criteria for multiple rules, and each rule has different actions. If the value of this field is set to true for a rule, Security Hub applies the rule action to a finding that matches the rule criteria and won't evaluate other rules for the finding. The default value of this field is false .

        • CreatedAt (datetime) --

          A timestamp that indicates when the rule was created.

          Uses the date-time format specified in RFC 3339 section 5.6, Internet Date/Time Format . The value cannot contain spaces. For example, 2020-03-22T13:22:13.933Z .

        • UpdatedAt (datetime) --

          A timestamp that indicates when the rule was most recently updated.

          Uses the date-time format specified in RFC 3339 section 5.6, Internet Date/Time Format . The value cannot contain spaces. For example, 2020-03-22T13:22:13.933Z .

        • CreatedBy (string) --

          The principal that created a rule.

    • NextToken (string) --

      A pagination token for the response.

BatchGetAutomationRules (new) Link ¶

Retrieves a list of details for automation rules based on rule Amazon Resource Names (ARNs).

See also: AWS API Documentation

Request Syntax

client.batch_get_automation_rules(
    AutomationRulesArns=[
        'string',
    ]
)
type AutomationRulesArns

list

param AutomationRulesArns

[REQUIRED]

A list of rule ARNs to get details for.

  • (string) --

rtype

dict

returns

Response Syntax

{
    'Rules': [
        {
            'RuleArn': 'string',
            'RuleStatus': 'ENABLED'|'DISABLED',
            'RuleOrder': 123,
            'RuleName': 'string',
            'Description': 'string',
            'IsTerminal': True|False,
            'Criteria': {
                'ProductArn': [
                    {
                        'Value': 'string',
                        'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'
                    },
                ],
                'AwsAccountId': [
                    {
                        'Value': 'string',
                        'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'
                    },
                ],
                'Id': [
                    {
                        'Value': 'string',
                        'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'
                    },
                ],
                'GeneratorId': [
                    {
                        'Value': 'string',
                        'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'
                    },
                ],
                'Type': [
                    {
                        'Value': 'string',
                        'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'
                    },
                ],
                'FirstObservedAt': [
                    {
                        'Start': 'string',
                        'End': 'string',
                        'DateRange': {
                            'Value': 123,
                            'Unit': 'DAYS'
                        }
                    },
                ],
                'LastObservedAt': [
                    {
                        'Start': 'string',
                        'End': 'string',
                        'DateRange': {
                            'Value': 123,
                            'Unit': 'DAYS'
                        }
                    },
                ],
                'CreatedAt': [
                    {
                        'Start': 'string',
                        'End': 'string',
                        'DateRange': {
                            'Value': 123,
                            'Unit': 'DAYS'
                        }
                    },
                ],
                'UpdatedAt': [
                    {
                        'Start': 'string',
                        'End': 'string',
                        'DateRange': {
                            'Value': 123,
                            'Unit': 'DAYS'
                        }
                    },
                ],
                'Confidence': [
                    {
                        'Gte': 123.0,
                        'Lte': 123.0,
                        'Eq': 123.0
                    },
                ],
                'Criticality': [
                    {
                        'Gte': 123.0,
                        'Lte': 123.0,
                        'Eq': 123.0
                    },
                ],
                'Title': [
                    {
                        'Value': 'string',
                        'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'
                    },
                ],
                'Description': [
                    {
                        'Value': 'string',
                        'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'
                    },
                ],
                'SourceUrl': [
                    {
                        'Value': 'string',
                        'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'
                    },
                ],
                'ProductName': [
                    {
                        'Value': 'string',
                        'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'
                    },
                ],
                'CompanyName': [
                    {
                        'Value': 'string',
                        'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'
                    },
                ],
                'SeverityLabel': [
                    {
                        'Value': 'string',
                        'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'
                    },
                ],
                'ResourceType': [
                    {
                        'Value': 'string',
                        'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'
                    },
                ],
                'ResourceId': [
                    {
                        'Value': 'string',
                        'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'
                    },
                ],
                'ResourcePartition': [
                    {
                        'Value': 'string',
                        'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'
                    },
                ],
                'ResourceRegion': [
                    {
                        'Value': 'string',
                        'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'
                    },
                ],
                'ResourceTags': [
                    {
                        'Key': 'string',
                        'Value': 'string',
                        'Comparison': 'EQUALS'|'NOT_EQUALS'
                    },
                ],
                'ResourceDetailsOther': [
                    {
                        'Key': 'string',
                        'Value': 'string',
                        'Comparison': 'EQUALS'|'NOT_EQUALS'
                    },
                ],
                'ComplianceStatus': [
                    {
                        'Value': 'string',
                        'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'
                    },
                ],
                'ComplianceSecurityControlId': [
                    {
                        'Value': 'string',
                        'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'
                    },
                ],
                'ComplianceAssociatedStandardsId': [
                    {
                        'Value': 'string',
                        'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'
                    },
                ],
                'VerificationState': [
                    {
                        'Value': 'string',
                        'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'
                    },
                ],
                'WorkflowStatus': [
                    {
                        'Value': 'string',
                        'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'
                    },
                ],
                'RecordState': [
                    {
                        'Value': 'string',
                        'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'
                    },
                ],
                'RelatedFindingsProductArn': [
                    {
                        'Value': 'string',
                        'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'
                    },
                ],
                'RelatedFindingsId': [
                    {
                        'Value': 'string',
                        'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'
                    },
                ],
                'NoteText': [
                    {
                        'Value': 'string',
                        'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'
                    },
                ],
                'NoteUpdatedAt': [
                    {
                        'Start': 'string',
                        'End': 'string',
                        'DateRange': {
                            'Value': 123,
                            'Unit': 'DAYS'
                        }
                    },
                ],
                'NoteUpdatedBy': [
                    {
                        'Value': 'string',
                        'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'
                    },
                ],
                'UserDefinedFields': [
                    {
                        'Key': 'string',
                        'Value': 'string',
                        'Comparison': 'EQUALS'|'NOT_EQUALS'
                    },
                ]
            },
            'Actions': [
                {
                    'Type': 'FINDING_FIELDS_UPDATE',
                    'FindingFieldsUpdate': {
                        'Note': {
                            'Text': 'string',
                            'UpdatedBy': 'string'
                        },
                        'Severity': {
                            'Normalized': 123,
                            'Product': 123.0,
                            'Label': 'INFORMATIONAL'|'LOW'|'MEDIUM'|'HIGH'|'CRITICAL'
                        },
                        'VerificationState': 'UNKNOWN'|'TRUE_POSITIVE'|'FALSE_POSITIVE'|'BENIGN_POSITIVE',
                        'Confidence': 123,
                        'Criticality': 123,
                        'Types': [
                            'string',
                        ],
                        'UserDefinedFields': {
                            'string': 'string'
                        },
                        'Workflow': {
                            'Status': 'NEW'|'NOTIFIED'|'RESOLVED'|'SUPPRESSED'
                        },
                        'RelatedFindings': [
                            {
                                'ProductArn': 'string',
                                'Id': 'string'
                            },
                        ]
                    }
                },
            ],
            'CreatedAt': datetime(2015, 1, 1),
            'UpdatedAt': datetime(2015, 1, 1),
            'CreatedBy': 'string'
        },
    ],
    'UnprocessedAutomationRules': [
        {
            'RuleArn': 'string',
            'ErrorCode': 123,
            'ErrorMessage': 'string'
        },
    ]
}

Response Structure

  • (dict) --

    • Rules (list) --

      A list of rule details for the provided rule ARNs.

      • (dict) --

        Defines the configuration of an automation rule.

        • RuleArn (string) --

          The Amazon Resource Name (ARN) of a rule.

        • RuleStatus (string) --

          Whether the rule is active after it is created. If this parameter is equal to >ENABLED , Security Hub will apply the rule to findings and finding updates after the rule is created.

        • RuleOrder (integer) --

          An integer ranging from 1 to 1000 that represents the order in which the rule action is applied to findings. Security Hub applies rules with lower values for this parameter first.

        • RuleName (string) --

          The name of the rule.

        • Description (string) --

          A description of the rule.

        • IsTerminal (boolean) --

          Specifies whether a rule is the last to be applied with respect to a finding that matches the rule criteria. This is useful when a finding matches the criteria for multiple rules, and each rule has different actions. If the value of this field is set to true for a rule, Security Hub applies the rule action to a finding that matches the rule criteria and won't evaluate other rules for the finding. The default value of this field is false .

        • Criteria (dict) --

          A set of Amazon Web Services Security Finding Format finding field attributes and corresponding expected values that Security Hub uses to filter findings. If a finding matches the conditions specified in this parameter, Security Hub applies the rule action to the finding.

          • ProductArn (list) --

            The Amazon Resource Name (ARN) for a third-party product that generated a finding in Security Hub.

            • (dict) --

              A string filter for querying findings.

              • Value (string) --

                The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

              • Comparison (string) --

                The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

                • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .

                • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.

                EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

                To search for values that do not contain the filter criteria value, use one of the following comparison operators:

                • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .

                • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.

                NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

                For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

                You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

                For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

                • ResourceType PREFIX AwsIam

                • ResourceType PREFIX AwsEc2

                • ResourceType NOT_EQUALS AwsIamPolicy

                • ResourceType NOT_EQUALS AwsEc2NetworkInterface

          • AwsAccountId (list) --

            The Amazon Web Services account ID in which a finding was generated.

            • (dict) --

              A string filter for querying findings.

              • Value (string) --

                The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

              • Comparison (string) --

                The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

                • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .

                • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.

                EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

                To search for values that do not contain the filter criteria value, use one of the following comparison operators:

                • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .

                • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.

                NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

                For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

                You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

                For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

                • ResourceType PREFIX AwsIam

                • ResourceType PREFIX AwsEc2

                • ResourceType NOT_EQUALS AwsIamPolicy

                • ResourceType NOT_EQUALS AwsEc2NetworkInterface

          • Id (list) --

            The product-specific identifier for a finding.

            • (dict) --

              A string filter for querying findings.

              • Value (string) --

                The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

              • Comparison (string) --

                The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

                • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .

                • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.

                EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

                To search for values that do not contain the filter criteria value, use one of the following comparison operators:

                • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .

                • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.

                NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

                For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

                You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

                For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

                • ResourceType PREFIX AwsIam

                • ResourceType PREFIX AwsEc2

                • ResourceType NOT_EQUALS AwsIamPolicy

                • ResourceType NOT_EQUALS AwsEc2NetworkInterface

          • GeneratorId (list) --

            The identifier for the solution-specific component that generated a finding.

            • (dict) --

              A string filter for querying findings.

              • Value (string) --

                The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

              • Comparison (string) --

                The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

                • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .

                • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.

                EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

                To search for values that do not contain the filter criteria value, use one of the following comparison operators:

                • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .

                • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.

                NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

                For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

                You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

                For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

                • ResourceType PREFIX AwsIam

                • ResourceType PREFIX AwsEc2

                • ResourceType NOT_EQUALS AwsIamPolicy

                • ResourceType NOT_EQUALS AwsEc2NetworkInterface

          • Type (list) --

            One or more finding types in the format of namespace/category/classifier that classify a finding. For a list of namespaces, classifiers, and categories, see Types taxonomy for ASFF in the Security Hub User Guide .

            • (dict) --

              A string filter for querying findings.

              • Value (string) --

                The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

              • Comparison (string) --

                The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

                • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .

                • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.

                EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

                To search for values that do not contain the filter criteria value, use one of the following comparison operators:

                • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .

                • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.

                NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

                For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

                You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

                For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

                • ResourceType PREFIX AwsIam

                • ResourceType PREFIX AwsEc2

                • ResourceType NOT_EQUALS AwsIamPolicy

                • ResourceType NOT_EQUALS AwsEc2NetworkInterface

          • FirstObservedAt (list) --

            A timestamp that indicates when the potential security issue captured by a finding was first observed by the security findings product.

            Uses the date-time format specified in RFC 3339 section 5.6, Internet Date/Time Format . The value cannot contain spaces. For example, 2020-03-22T13:22:13.933Z .

            • (dict) --

              A date filter for querying findings.

              • Start (string) --

                A timestamp that provides the start date for the date filter.

                A correctly formatted example is 2020-05-21T20:16:34.724Z . The value cannot contain spaces, and date and time should be separated by T . For more information, see RFC 3339 section 5.6, Internet Date/Time Format .

              • End (string) --

                A timestamp that provides the end date for the date filter.

                A correctly formatted example is 2020-05-21T20:16:34.724Z . The value cannot contain spaces, and date and time should be separated by T . For more information, see RFC 3339 section 5.6, Internet Date/Time Format .

              • DateRange (dict) --

                A date range for the date filter.

                • Value (integer) --

                  A date range value for the date filter.

                • Unit (string) --

                  A date range unit for the date filter.

          • LastObservedAt (list) --

            A timestamp that indicates when the potential security issue captured by a finding was most recently observed by the security findings product.

            Uses the date-time format specified in RFC 3339 section 5.6, Internet Date/Time Format . The value cannot contain spaces. For example, 2020-03-22T13:22:13.933Z .

            • (dict) --

              A date filter for querying findings.

              • Start (string) --

                A timestamp that provides the start date for the date filter.

                A correctly formatted example is 2020-05-21T20:16:34.724Z . The value cannot contain spaces, and date and time should be separated by T . For more information, see RFC 3339 section 5.6, Internet Date/Time Format .

              • End (string) --

                A timestamp that provides the end date for the date filter.

                A correctly formatted example is 2020-05-21T20:16:34.724Z . The value cannot contain spaces, and date and time should be separated by T . For more information, see RFC 3339 section 5.6, Internet Date/Time Format .

              • DateRange (dict) --

                A date range for the date filter.

                • Value (integer) --

                  A date range value for the date filter.

                • Unit (string) --

                  A date range unit for the date filter.

          • CreatedAt (list) --

            A timestamp that indicates when this finding record was created.

            Uses the date-time format specified in RFC 3339 section 5.6, Internet Date/Time Format . The value cannot contain spaces. For example, 2020-03-22T13:22:13.933Z .

            • (dict) --

              A date filter for querying findings.

              • Start (string) --

                A timestamp that provides the start date for the date filter.

                A correctly formatted example is 2020-05-21T20:16:34.724Z . The value cannot contain spaces, and date and time should be separated by T . For more information, see RFC 3339 section 5.6, Internet Date/Time Format .

              • End (string) --

                A timestamp that provides the end date for the date filter.

                A correctly formatted example is 2020-05-21T20:16:34.724Z . The value cannot contain spaces, and date and time should be separated by T . For more information, see RFC 3339 section 5.6, Internet Date/Time Format .

              • DateRange (dict) --

                A date range for the date filter.

                • Value (integer) --

                  A date range value for the date filter.

                • Unit (string) --

                  A date range unit for the date filter.

          • UpdatedAt (list) --

            A timestamp that indicates when the finding record was most recently updated.

            Uses the date-time format specified in RFC 3339 section 5.6, Internet Date/Time Format . The value cannot contain spaces. For example, 2020-03-22T13:22:13.933Z .

            • (dict) --

              A date filter for querying findings.

              • Start (string) --

                A timestamp that provides the start date for the date filter.

                A correctly formatted example is 2020-05-21T20:16:34.724Z . The value cannot contain spaces, and date and time should be separated by T . For more information, see RFC 3339 section 5.6, Internet Date/Time Format .

              • End (string) --

                A timestamp that provides the end date for the date filter.

                A correctly formatted example is 2020-05-21T20:16:34.724Z . The value cannot contain spaces, and date and time should be separated by T . For more information, see RFC 3339 section 5.6, Internet Date/Time Format .

              • DateRange (dict) --

                A date range for the date filter.

                • Value (integer) --

                  A date range value for the date filter.

                • Unit (string) --

                  A date range unit for the date filter.

          • Confidence (list) --

            The likelihood that a finding accurately identifies the behavior or issue that it was intended to identify. Confidence is scored on a 0–100 basis using a ratio scale. A value of 0 means 0 percent confidence, and a value of 100 means 100 percent confidence. For example, a data exfiltration detection based on a statistical deviation of network traffic has low confidence because an actual exfiltration hasn't been verified. For more information, see Confidence in the Security Hub User Guide .

            • (dict) --

              A number filter for querying findings.

              • Gte (float) --

                The greater-than-equal condition to be applied to a single field when querying for findings.

              • Lte (float) --

                The less-than-equal condition to be applied to a single field when querying for findings.

              • Eq (float) --

                The equal-to condition to be applied to a single field when querying for findings.

          • Criticality (list) --

            The level of importance that is assigned to the resources that are associated with a finding. Criticality is scored on a 0–100 basis, using a ratio scale that supports only full integers. A score of 0 means that the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources. For more information, see Criticality in the Security Hub User Guide .

            • (dict) --

              A number filter for querying findings.

              • Gte (float) --

                The greater-than-equal condition to be applied to a single field when querying for findings.

              • Lte (float) --

                The less-than-equal condition to be applied to a single field when querying for findings.

              • Eq (float) --

                The equal-to condition to be applied to a single field when querying for findings.

          • Title (list) --

            A finding's title.

            • (dict) --

              A string filter for querying findings.

              • Value (string) --

                The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

              • Comparison (string) --

                The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

                • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .

                • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.

                EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

                To search for values that do not contain the filter criteria value, use one of the following comparison operators:

                • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .

                • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.

                NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

                For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

                You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

                For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

                • ResourceType PREFIX AwsIam

                • ResourceType PREFIX AwsEc2

                • ResourceType NOT_EQUALS AwsIamPolicy

                • ResourceType NOT_EQUALS AwsEc2NetworkInterface

          • Description (list) --

            A finding's description.

            • (dict) --

              A string filter for querying findings.

              • Value (string) --

                The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

              • Comparison (string) --

                The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

                • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .

                • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.

                EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

                To search for values that do not contain the filter criteria value, use one of the following comparison operators:

                • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .

                • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.

                NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

                For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

                You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

                For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

                • ResourceType PREFIX AwsIam

                • ResourceType PREFIX AwsEc2

                • ResourceType NOT_EQUALS AwsIamPolicy

                • ResourceType NOT_EQUALS AwsEc2NetworkInterface

          • SourceUrl (list) --

            Provides a URL that links to a page about the current finding in the finding product.

            • (dict) --

              A string filter for querying findings.

              • Value (string) --

                The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

              • Comparison (string) --

                The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

                • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .

                • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.

                EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

                To search for values that do not contain the filter criteria value, use one of the following comparison operators:

                • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .

                • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.

                NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

                For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

                You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

                For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

                • ResourceType PREFIX AwsIam

                • ResourceType PREFIX AwsEc2

                • ResourceType NOT_EQUALS AwsIamPolicy

                • ResourceType NOT_EQUALS AwsEc2NetworkInterface

          • ProductName (list) --

            Provides the name of the product that generated the finding. For control-based findings, the product name is Security Hub.

            • (dict) --

              A string filter for querying findings.

              • Value (string) --

                The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

              • Comparison (string) --

                The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

                • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .

                • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.

                EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

                To search for values that do not contain the filter criteria value, use one of the following comparison operators:

                • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .

                • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.

                NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

                For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

                You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

                For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

                • ResourceType PREFIX AwsIam

                • ResourceType PREFIX AwsEc2

                • ResourceType NOT_EQUALS AwsIamPolicy

                • ResourceType NOT_EQUALS AwsEc2NetworkInterface

          • CompanyName (list) --

            The name of the company for the product that generated the finding. For control-based findings, the company is Amazon Web Services.

            • (dict) --

              A string filter for querying findings.

              • Value (string) --

                The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

              • Comparison (string) --

                The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

                • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .

                • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.

                EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

                To search for values that do not contain the filter criteria value, use one of the following comparison operators:

                • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .

                • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.

                NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

                For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

                You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

                For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

                • ResourceType PREFIX AwsIam

                • ResourceType PREFIX AwsEc2

                • ResourceType NOT_EQUALS AwsIamPolicy

                • ResourceType NOT_EQUALS AwsEc2NetworkInterface

          • SeverityLabel (list) --

            The severity value of the finding.

            • (dict) --

              A string filter for querying findings.

              • Value (string) --

                The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

              • Comparison (string) --

                The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

                • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .

                • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.

                EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

                To search for values that do not contain the filter criteria value, use one of the following comparison operators:

                • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .

                • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.

                NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

                For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

                You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

                For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

                • ResourceType PREFIX AwsIam

                • ResourceType PREFIX AwsEc2

                • ResourceType NOT_EQUALS AwsIamPolicy

                • ResourceType NOT_EQUALS AwsEc2NetworkInterface

          • ResourceType (list) --

            The type of resource that the finding pertains to.

            • (dict) --

              A string filter for querying findings.

              • Value (string) --

                The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

              • Comparison (string) --

                The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

                • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .

                • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.

                EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

                To search for values that do not contain the filter criteria value, use one of the following comparison operators:

                • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .

                • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.

                NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

                For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

                You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

                For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

                • ResourceType PREFIX AwsIam

                • ResourceType PREFIX AwsEc2

                • ResourceType NOT_EQUALS AwsIamPolicy

                • ResourceType NOT_EQUALS AwsEc2NetworkInterface

          • ResourceId (list) --

            The identifier for the given resource type. For Amazon Web Services resources that are identified by Amazon Resource Names (ARNs), this is the ARN. For Amazon Web Services resources that lack ARNs, this is the identifier as defined by the Amazon Web Service that created the resource. For non-Amazon Web Services resources, this is a unique identifier that is associated with the resource.

            • (dict) --

              A string filter for querying findings.

              • Value (string) --

                The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

              • Comparison (string) --

                The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

                • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .

                • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.

                EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

                To search for values that do not contain the filter criteria value, use one of the following comparison operators:

                • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .

                • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.

                NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

                For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

                You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

                For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

                • ResourceType PREFIX AwsIam

                • ResourceType PREFIX AwsEc2

                • ResourceType NOT_EQUALS AwsIamPolicy

                • ResourceType NOT_EQUALS AwsEc2NetworkInterface

          • ResourcePartition (list) --

            The partition in which the resource that the finding pertains to is located. A partition is a group of Amazon Web Services Regions. Each Amazon Web Services account is scoped to one partition.

            • (dict) --

              A string filter for querying findings.

              • Value (string) --

                The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

              • Comparison (string) --

                The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

                • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .

                • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.

                EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

                To search for values that do not contain the filter criteria value, use one of the following comparison operators:

                • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .

                • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.

                NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

                For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

                You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

                For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

                • ResourceType PREFIX AwsIam

                • ResourceType PREFIX AwsEc2

                • ResourceType NOT_EQUALS AwsIamPolicy

                • ResourceType NOT_EQUALS AwsEc2NetworkInterface

          • ResourceRegion (list) --

            The Amazon Web Services Region where the resource that a finding pertains to is located.

            • (dict) --

              A string filter for querying findings.

              • Value (string) --

                The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

              • Comparison (string) --

                The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

                • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .

                • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.

                EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

                To search for values that do not contain the filter criteria value, use one of the following comparison operators:

                • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .

                • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.

                NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

                For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

                You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

                For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

                • ResourceType PREFIX AwsIam

                • ResourceType PREFIX AwsEc2

                • ResourceType NOT_EQUALS AwsIamPolicy

                • ResourceType NOT_EQUALS AwsEc2NetworkInterface

          • ResourceTags (list) --

            A list of Amazon Web Services tags associated with a resource at the time the finding was processed.

            • (dict) --

              A map filter for querying findings. Each map filter provides the field to check, the value to look for, and the comparison operator.

              • Key (string) --

                The key of the map filter. For example, for ResourceTags , Key identifies the name of the tag. For UserDefinedFields , Key is the name of the field.

              • Value (string) --

                The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called Department might be Security . If you provide security as the filter value, then there is no match.

              • Comparison (string) --

                The condition to apply to the key value when querying for findings with a map filter.

                To search for values that exactly match the filter value, use EQUALS . For example, for the ResourceTags field, the filter Department EQUALS Security matches findings that have the value Security for the tag Department .

                To search for values other than the filter value, use NOT_EQUALS . For example, for the ResourceTags field, the filter Department NOT_EQUALS Finance matches findings that do not have the value Finance for the tag Department .

                EQUALS filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

                NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

                You cannot have both an EQUALS filter and a NOT_EQUALS filter on the same field.

          • ResourceDetailsOther (list) --

            Custom fields and values about the resource that a finding pertains to.

            • (dict) --

              A map filter for querying findings. Each map filter provides the field to check, the value to look for, and the comparison operator.

              • Key (string) --

                The key of the map filter. For example, for ResourceTags , Key identifies the name of the tag. For UserDefinedFields , Key is the name of the field.

              • Value (string) --

                The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called Department might be Security . If you provide security as the filter value, then there is no match.

              • Comparison (string) --

                The condition to apply to the key value when querying for findings with a map filter.

                To search for values that exactly match the filter value, use EQUALS . For example, for the ResourceTags field, the filter Department EQUALS Security matches findings that have the value Security for the tag Department .

                To search for values other than the filter value, use NOT_EQUALS . For example, for the ResourceTags field, the filter Department NOT_EQUALS Finance matches findings that do not have the value Finance for the tag Department .

                EQUALS filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

                NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

                You cannot have both an EQUALS filter and a NOT_EQUALS filter on the same field.

          • ComplianceStatus (list) --

            The result of a security check. This field is only used for findings generated from controls.

            • (dict) --

              A string filter for querying findings.

              • Value (string) --

                The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

              • Comparison (string) --

                The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

                • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .

                • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.

                EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

                To search for values that do not contain the filter criteria value, use one of the following comparison operators:

                • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .

                • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.

                NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

                For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

                You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

                For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

                • ResourceType PREFIX AwsIam

                • ResourceType PREFIX AwsEc2

                • ResourceType NOT_EQUALS AwsIamPolicy

                • ResourceType NOT_EQUALS AwsEc2NetworkInterface

          • ComplianceSecurityControlId (list) --

            The security control ID for which a finding was generated. Security control IDs are the same across standards.

            • (dict) --

              A string filter for querying findings.

              • Value (string) --

                The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

              • Comparison (string) --

                The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

                • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .

                • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.

                EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

                To search for values that do not contain the filter criteria value, use one of the following comparison operators:

                • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .

                • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.

                NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

                For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

                You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

                For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

                • ResourceType PREFIX AwsIam

                • ResourceType PREFIX AwsEc2

                • ResourceType NOT_EQUALS AwsIamPolicy

                • ResourceType NOT_EQUALS AwsEc2NetworkInterface

          • ComplianceAssociatedStandardsId (list) --

            The unique identifier of a standard in which a control is enabled. This field consists of the resource portion of the Amazon Resource Name (ARN) returned for a standard in the DescribeStandards API response.

            • (dict) --

              A string filter for querying findings.

              • Value (string) --

                The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

              • Comparison (string) --

                The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

                • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .

                • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.

                EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

                To search for values that do not contain the filter criteria value, use one of the following comparison operators:

                • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .

                • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.

                NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

                For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

                You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

                For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

                • ResourceType PREFIX AwsIam

                • ResourceType PREFIX AwsEc2

                • ResourceType NOT_EQUALS AwsIamPolicy

                • ResourceType NOT_EQUALS AwsEc2NetworkInterface

          • VerificationState (list) --

            Provides the veracity of a finding.

            • (dict) --

              A string filter for querying findings.

              • Value (string) --

                The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

              • Comparison (string) --

                The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

                • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .

                • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.

                EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

                To search for values that do not contain the filter criteria value, use one of the following comparison operators:

                • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .

                • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.

                NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

                For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

                You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

                For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

                • ResourceType PREFIX AwsIam

                • ResourceType PREFIX AwsEc2

                • ResourceType NOT_EQUALS AwsIamPolicy

                • ResourceType NOT_EQUALS AwsEc2NetworkInterface

          • WorkflowStatus (list) --

            Provides information about the status of the investigation into a finding.

            • (dict) --

              A string filter for querying findings.

              • Value (string) --

                The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

              • Comparison (string) --

                The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

                • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .

                • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.

                EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

                To search for values that do not contain the filter criteria value, use one of the following comparison operators:

                • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .

                • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.

                NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

                For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

                You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

                For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

                • ResourceType PREFIX AwsIam

                • ResourceType PREFIX AwsEc2

                • ResourceType NOT_EQUALS AwsIamPolicy

                • ResourceType NOT_EQUALS AwsEc2NetworkInterface

          • RecordState (list) --

            Provides the current state of a finding.

            • (dict) --

              A string filter for querying findings.

              • Value (string) --

                The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

              • Comparison (string) --

                The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

                • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .

                • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.

                EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

                To search for values that do not contain the filter criteria value, use one of the following comparison operators:

                • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .

                • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.

                NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

                For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

                You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

                For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

                • ResourceType PREFIX AwsIam

                • ResourceType PREFIX AwsEc2

                • ResourceType NOT_EQUALS AwsIamPolicy

                • ResourceType NOT_EQUALS AwsEc2NetworkInterface

          • RelatedFindingsProductArn (list) --

            The ARN for the product that generated a related finding.

            • (dict) --

              A string filter for querying findings.

              • Value (string) --

                The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

              • Comparison (string) --

                The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

                • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .

                • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.

                EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

                To search for values that do not contain the filter criteria value, use one of the following comparison operators:

                • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .

                • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.

                NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

                For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

                You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

                For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

                • ResourceType PREFIX AwsIam

                • ResourceType PREFIX AwsEc2

                • ResourceType NOT_EQUALS AwsIamPolicy

                • ResourceType NOT_EQUALS AwsEc2NetworkInterface

          • RelatedFindingsId (list) --

            The product-generated identifier for a related finding.

            • (dict) --

              A string filter for querying findings.

              • Value (string) --

                The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

              • Comparison (string) --

                The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

                • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .

                • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.

                EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

                To search for values that do not contain the filter criteria value, use one of the following comparison operators:

                • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .

                • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.

                NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

                For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

                You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

                For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

                • ResourceType PREFIX AwsIam

                • ResourceType PREFIX AwsEc2

                • ResourceType NOT_EQUALS AwsIamPolicy

                • ResourceType NOT_EQUALS AwsEc2NetworkInterface

          • NoteText (list) --

            The text of a user-defined note that's added to a finding.

            • (dict) --

              A string filter for querying findings.

              • Value (string) --

                The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

              • Comparison (string) --

                The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

                • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .

                • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.

                EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

                To search for values that do not contain the filter criteria value, use one of the following comparison operators:

                • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .

                • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.

                NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

                For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

                You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

                For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

                • ResourceType PREFIX AwsIam

                • ResourceType PREFIX AwsEc2

                • ResourceType NOT_EQUALS AwsIamPolicy

                • ResourceType NOT_EQUALS AwsEc2NetworkInterface

          • NoteUpdatedAt (list) --

            The timestamp of when the note was updated. Uses the date-time format specified in RFC 3339 section 5.6, Internet Date/Time Format . The value cannot contain spaces. For example, 2020-03-22T13:22:13.933Z .

            • (dict) --

              A date filter for querying findings.

              • Start (string) --

                A timestamp that provides the start date for the date filter.

                A correctly formatted example is 2020-05-21T20:16:34.724Z . The value cannot contain spaces, and date and time should be separated by T . For more information, see RFC 3339 section 5.6, Internet Date/Time Format .

              • End (string) --

                A timestamp that provides the end date for the date filter.

                A correctly formatted example is 2020-05-21T20:16:34.724Z . The value cannot contain spaces, and date and time should be separated by T . For more information, see RFC 3339 section 5.6, Internet Date/Time Format .

              • DateRange (dict) --

                A date range for the date filter.

                • Value (integer) --

                  A date range value for the date filter.

                • Unit (string) --

                  A date range unit for the date filter.

          • NoteUpdatedBy (list) --

            The principal that created a note.

            • (dict) --

              A string filter for querying findings.

              • Value (string) --

                The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

              • Comparison (string) --

                The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

                • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .

                • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.

                EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

                To search for values that do not contain the filter criteria value, use one of the following comparison operators:

                • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .

                • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.

                NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

                For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

                You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

                For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

                • ResourceType PREFIX AwsIam

                • ResourceType PREFIX AwsEc2

                • ResourceType NOT_EQUALS AwsIamPolicy

                • ResourceType NOT_EQUALS AwsEc2NetworkInterface

          • UserDefinedFields (list) --

            A list of user-defined name and value string pairs added to a finding.

            • (dict) --

              A map filter for querying findings. Each map filter provides the field to check, the value to look for, and the comparison operator.

              • Key (string) --

                The key of the map filter. For example, for ResourceTags , Key identifies the name of the tag. For UserDefinedFields , Key is the name of the field.

              • Value (string) --

                The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called Department might be Security . If you provide security as the filter value, then there is no match.

              • Comparison (string) --

                The condition to apply to the key value when querying for findings with a map filter.

                To search for values that exactly match the filter value, use EQUALS . For example, for the ResourceTags field, the filter Department EQUALS Security matches findings that have the value Security for the tag Department .

                To search for values other than the filter value, use NOT_EQUALS . For example, for the ResourceTags field, the filter Department NOT_EQUALS Finance matches findings that do not have the value Finance for the tag Department .

                EQUALS filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

                NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

                You cannot have both an EQUALS filter and a NOT_EQUALS filter on the same field.

        • Actions (list) --

          One or more actions to update finding fields if a finding matches the defined criteria of the rule.

          • (dict) --

            One or more actions to update finding fields if a finding matches the defined criteria of the rule.

            • Type (string) --

              Specifies that the rule action should update the Types finding field. The Types finding field provides one or more finding types in the format of namespace/category/classifier that classify a finding. For more information, see Types taxonomy for ASFF in the Security Hub User Guide .

            • FindingFieldsUpdate (dict) --

              Specifies that the automation rule action is an update to a finding field.

              • Note (dict) --

                The updated note.

                • Text (string) --

                  The updated note text.

                • UpdatedBy (string) --

                  The principal that updated the note.

              • Severity (dict) --

                Updates to the severity information for a finding.

                • Normalized (integer) --

                  The normalized severity for the finding. This attribute is to be deprecated in favor of Label .

                  If you provide Normalized and do not provide Label , Label is set automatically as follows.

                  • 0 - INFORMATIONAL

                  • 1–39 - LOW

                  • 40–69 - MEDIUM

                  • 70–89 - HIGH

                  • 90–100 - CRITICAL

                • Product (float) --

                  The native severity as defined by the Amazon Web Services service or integrated partner product that generated the finding.

                • Label (string) --

                  The severity value of the finding. The allowed values are the following.

                  • INFORMATIONAL - No issue was found.

                  • LOW - The issue does not require action on its own.

                  • MEDIUM - The issue must be addressed but not urgently.

                  • HIGH - The issue must be addressed as a priority.

                  • CRITICAL - The issue must be remediated immediately to avoid it escalating.

              • VerificationState (string) --

                The rule action will update the VerificationState field of a finding.

              • Confidence (integer) --

                The rule action will update the Confidence field of a finding.

              • Criticality (integer) --

                The rule action will update the Criticality field of a finding.

              • Types (list) --

                The rule action will update the Types field of a finding.

                • (string) --

              • UserDefinedFields (dict) --

                The rule action will update the UserDefinedFields field of a finding.

                • (string) --

                  • (string) --

              • Workflow (dict) --

                Used to update information about the investigation into the finding.

                • Status (string) --

                  The status of the investigation into the finding. The workflow status is specific to an individual finding. It does not affect the generation of new findings. For example, setting the workflow status to SUPPRESSED or RESOLVED does not prevent a new finding for the same issue.

                  The allowed values are the following.

                  • NEW - The initial state of a finding, before it is reviewed. Security Hub also resets WorkFlowStatus from NOTIFIED or RESOLVED to NEW in the following cases:

                    • The record state changes from ARCHIVED to ACTIVE .

                    • The compliance status changes from PASSED to either WARNING , FAILED , or NOT_AVAILABLE .

                  • NOTIFIED - Indicates that you notified the resource owner about the security issue. Used when the initial reviewer is not the resource owner, and needs intervention from the resource owner.

                  • RESOLVED - The finding was reviewed and remediated and is now considered resolved.

                  • SUPPRESSED - Indicates that you reviewed the finding and do not believe that any action is needed. The finding is no longer updated.

              • RelatedFindings (list) --

                A list of findings that are related to a finding.

                • (dict) --

                  Details about a related finding.

                  • ProductArn (string) --

                    The ARN of the product that generated a related finding.

                  • Id (string) --

                    The product-generated identifier for a related finding.

        • CreatedAt (datetime) --

          A timestamp that indicates when the rule was created.

          Uses the date-time format specified in RFC 3339 section 5.6, Internet Date/Time Format . The value cannot contain spaces. For example, 2020-03-22T13:22:13.933Z .

        • UpdatedAt (datetime) --

          A timestamp that indicates when the rule was most recently updated.

          Uses the date-time format specified in RFC 3339 section 5.6, Internet Date/Time Format . The value cannot contain spaces. For example, 2020-03-22T13:22:13.933Z .

        • CreatedBy (string) --

          The principal that created a rule.

    • UnprocessedAutomationRules (list) --

      A list of objects containing RuleArn , ErrorCode , and ErrorMessage . This parameter tells you which automation rules the request didn't retrieve and why.

      • (dict) --

        A list of objects containing RuleArn , ErrorCode , and ErrorMessage . This parameter tells you which automation rules the request didn't process and why.

        • RuleArn (string) --

          The Amazon Resource Name (ARN) for the unprocessed automation rule.

        • ErrorCode (integer) --

          The error code associated with the unprocessed automation rule.

        • ErrorMessage (string) --

          An error message describing why a request didn't process a specific rule.

BatchDeleteAutomationRules (new) Link ¶

Deletes one or more automation rules.

See also: AWS API Documentation

Request Syntax

client.batch_delete_automation_rules(
    AutomationRulesArns=[
        'string',
    ]
)
type AutomationRulesArns

list

param AutomationRulesArns

[REQUIRED]

A list of Amazon Resource Names (ARNs) for the rules that are to be deleted.

  • (string) --

rtype

dict

returns

Response Syntax

{
    'ProcessedAutomationRules': [
        'string',
    ],
    'UnprocessedAutomationRules': [
        {
            'RuleArn': 'string',
            'ErrorCode': 123,
            'ErrorMessage': 'string'
        },
    ]
}

Response Structure

  • (dict) --

    • ProcessedAutomationRules (list) --

      A list of properly processed rule ARNs.

      • (string) --

    • UnprocessedAutomationRules (list) --

      A list of objects containing RuleArn , ErrorCode , and ErrorMessage . This parameter tells you which automation rules the request didn't delete and why.

      • (dict) --

        A list of objects containing RuleArn , ErrorCode , and ErrorMessage . This parameter tells you which automation rules the request didn't process and why.

        • RuleArn (string) --

          The Amazon Resource Name (ARN) for the unprocessed automation rule.

        • ErrorCode (integer) --

          The error code associated with the unprocessed automation rule.

        • ErrorMessage (string) --

          An error message describing why a request didn't process a specific rule.

CreateAutomationRule (new) Link ¶

Creates an automation rule based on input parameters.

See also: AWS API Documentation

Request Syntax

client.create_automation_rule(
    Tags={
        'string': 'string'
    },
    RuleStatus='ENABLED'|'DISABLED',
    RuleOrder=123,
    RuleName='string',
    Description='string',
    IsTerminal=True|False,
    Criteria={
        'ProductArn': [
            {
                'Value': 'string',
                'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'
            },
        ],
        'AwsAccountId': [
            {
                'Value': 'string',
                'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'
            },
        ],
        'Id': [
            {
                'Value': 'string',
                'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'
            },
        ],
        'GeneratorId': [
            {
                'Value': 'string',
                'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'
            },
        ],
        'Type': [
            {
                'Value': 'string',
                'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'
            },
        ],
        'FirstObservedAt': [
            {
                'Start': 'string',
                'End': 'string',
                'DateRange': {
                    'Value': 123,
                    'Unit': 'DAYS'
                }
            },
        ],
        'LastObservedAt': [
            {
                'Start': 'string',
                'End': 'string',
                'DateRange': {
                    'Value': 123,
                    'Unit': 'DAYS'
                }
            },
        ],
        'CreatedAt': [
            {
                'Start': 'string',
                'End': 'string',
                'DateRange': {
                    'Value': 123,
                    'Unit': 'DAYS'
                }
            },
        ],
        'UpdatedAt': [
            {
                'Start': 'string',
                'End': 'string',
                'DateRange': {
                    'Value': 123,
                    'Unit': 'DAYS'
                }
            },
        ],
        'Confidence': [
            {
                'Gte': 123.0,
                'Lte': 123.0,
                'Eq': 123.0
            },
        ],
        'Criticality': [
            {
                'Gte': 123.0,
                'Lte': 123.0,
                'Eq': 123.0
            },
        ],
        'Title': [
            {
                'Value': 'string',
                'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'
            },
        ],
        'Description': [
            {
                'Value': 'string',
                'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'
            },
        ],
        'SourceUrl': [
            {
                'Value': 'string',
                'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'
            },
        ],
        'ProductName': [
            {
                'Value': 'string',
                'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'
            },
        ],
        'CompanyName': [
            {
                'Value': 'string',
                'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'
            },
        ],
        'SeverityLabel': [
            {
                'Value': 'string',
                'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'
            },
        ],
        'ResourceType': [
            {
                'Value': 'string',
                'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'
            },
        ],
        'ResourceId': [
            {
                'Value': 'string',
                'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'
            },
        ],
        'ResourcePartition': [
            {
                'Value': 'string',
                'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'
            },
        ],
        'ResourceRegion': [
            {
                'Value': 'string',
                'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'
            },
        ],
        'ResourceTags': [
            {
                'Key': 'string',
                'Value': 'string',
                'Comparison': 'EQUALS'|'NOT_EQUALS'
            },
        ],
        'ResourceDetailsOther': [
            {
                'Key': 'string',
                'Value': 'string',
                'Comparison': 'EQUALS'|'NOT_EQUALS'
            },
        ],
        'ComplianceStatus': [
            {
                'Value': 'string',
                'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'
            },
        ],
        'ComplianceSecurityControlId': [
            {
                'Value': 'string',
                'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'
            },
        ],
        'ComplianceAssociatedStandardsId': [
            {
                'Value': 'string',
                'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'
            },
        ],
        'VerificationState': [
            {
                'Value': 'string',
                'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'
            },
        ],
        'WorkflowStatus': [
            {
                'Value': 'string',
                'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'
            },
        ],
        'RecordState': [
            {
                'Value': 'string',
                'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'
            },
        ],
        'RelatedFindingsProductArn': [
            {
                'Value': 'string',
                'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'
            },
        ],
        'RelatedFindingsId': [
            {
                'Value': 'string',
                'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'
            },
        ],
        'NoteText': [
            {
                'Value': 'string',
                'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'
            },
        ],
        'NoteUpdatedAt': [
            {
                'Start': 'string',
                'End': 'string',
                'DateRange': {
                    'Value': 123,
                    'Unit': 'DAYS'
                }
            },
        ],
        'NoteUpdatedBy': [
            {
                'Value': 'string',
                'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'
            },
        ],
        'UserDefinedFields': [
            {
                'Key': 'string',
                'Value': 'string',
                'Comparison': 'EQUALS'|'NOT_EQUALS'
            },
        ]
    },
    Actions=[
        {
            'Type': 'FINDING_FIELDS_UPDATE',
            'FindingFieldsUpdate': {
                'Note': {
                    'Text': 'string',
                    'UpdatedBy': 'string'
                },
                'Severity': {
                    'Normalized': 123,
                    'Product': 123.0,
                    'Label': 'INFORMATIONAL'|'LOW'|'MEDIUM'|'HIGH'|'CRITICAL'
                },
                'VerificationState': 'UNKNOWN'|'TRUE_POSITIVE'|'FALSE_POSITIVE'|'BENIGN_POSITIVE',
                'Confidence': 123,
                'Criticality': 123,
                'Types': [
                    'string',
                ],
                'UserDefinedFields': {
                    'string': 'string'
                },
                'Workflow': {
                    'Status': 'NEW'|'NOTIFIED'|'RESOLVED'|'SUPPRESSED'
                },
                'RelatedFindings': [
                    {
                        'ProductArn': 'string',
                        'Id': 'string'
                    },
                ]
            }
        },
    ]
)
type Tags

dict

param Tags

User-defined tags that help you label the purpose of a rule.

  • (string) --

    • (string) --

type RuleStatus

string

param RuleStatus

Whether the rule is active after it is created. If this parameter is equal to Enabled , Security Hub will apply the rule to findings and finding updates after the rule is created. To change the value of this parameter after creating a rule, use BatchUpdateAutomationRules .

type RuleOrder

integer

param RuleOrder

[REQUIRED]

An integer ranging from 1 to 1000 that represents the order in which the rule action is applied to findings. Security Hub applies rules with lower values for this parameter first.

type RuleName

string

param RuleName

[REQUIRED]

The name of the rule.

type Description

string

param Description

[REQUIRED]

A description of the rule.

type IsTerminal

boolean

param IsTerminal

Specifies whether a rule is the last to be applied with respect to a finding that matches the rule criteria. This is useful when a finding matches the criteria for multiple rules, and each rule has different actions. If the value of this field is set to true for a rule, Security Hub applies the rule action to a finding that matches the rule criteria and won't evaluate other rules for the finding. The default value of this field is false .

type Criteria

dict

param Criteria

[REQUIRED]

A set of ASFF finding field attributes and corresponding expected values that Security Hub uses to filter findings. If a finding matches the conditions specified in this parameter, Security Hub applies the rule action to the finding.

  • ProductArn (list) --

    The Amazon Resource Name (ARN) for a third-party product that generated a finding in Security Hub.

    • (dict) --

      A string filter for querying findings.

      • Value (string) --

        The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

      • Comparison (string) --

        The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

        • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .

        • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.

        EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

        To search for values that do not contain the filter criteria value, use one of the following comparison operators:

        • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .

        • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.

        NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

        For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

        You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

        For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

        • ResourceType PREFIX AwsIam

        • ResourceType PREFIX AwsEc2

        • ResourceType NOT_EQUALS AwsIamPolicy

        • ResourceType NOT_EQUALS AwsEc2NetworkInterface

  • AwsAccountId (list) --

    The Amazon Web Services account ID in which a finding was generated.

    • (dict) --

      A string filter for querying findings.

      • Value (string) --

        The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

      • Comparison (string) --

        The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

        • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .

        • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.

        EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

        To search for values that do not contain the filter criteria value, use one of the following comparison operators:

        • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .

        • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.

        NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

        For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

        You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

        For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

        • ResourceType PREFIX AwsIam

        • ResourceType PREFIX AwsEc2

        • ResourceType NOT_EQUALS AwsIamPolicy

        • ResourceType NOT_EQUALS AwsEc2NetworkInterface

  • Id (list) --

    The product-specific identifier for a finding.

    • (dict) --

      A string filter for querying findings.

      • Value (string) --

        The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

      • Comparison (string) --

        The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

        • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .

        • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.

        EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

        To search for values that do not contain the filter criteria value, use one of the following comparison operators:

        • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .

        • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.

        NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

        For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

        You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

        For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

        • ResourceType PREFIX AwsIam

        • ResourceType PREFIX AwsEc2

        • ResourceType NOT_EQUALS AwsIamPolicy

        • ResourceType NOT_EQUALS AwsEc2NetworkInterface

  • GeneratorId (list) --

    The identifier for the solution-specific component that generated a finding.

    • (dict) --

      A string filter for querying findings.

      • Value (string) --

        The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

      • Comparison (string) --

        The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

        • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .

        • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.

        EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

        To search for values that do not contain the filter criteria value, use one of the following comparison operators:

        • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .

        • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.

        NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

        For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

        You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

        For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

        • ResourceType PREFIX AwsIam

        • ResourceType PREFIX AwsEc2

        • ResourceType NOT_EQUALS AwsIamPolicy

        • ResourceType NOT_EQUALS AwsEc2NetworkInterface

  • Type (list) --

    One or more finding types in the format of namespace/category/classifier that classify a finding. For a list of namespaces, classifiers, and categories, see Types taxonomy for ASFF in the Security Hub User Guide .

    • (dict) --

      A string filter for querying findings.

      • Value (string) --

        The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

      • Comparison (string) --

        The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

        • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .

        • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.

        EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

        To search for values that do not contain the filter criteria value, use one of the following comparison operators:

        • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .

        • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.

        NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

        For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

        You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

        For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

        • ResourceType PREFIX AwsIam

        • ResourceType PREFIX AwsEc2

        • ResourceType NOT_EQUALS AwsIamPolicy

        • ResourceType NOT_EQUALS AwsEc2NetworkInterface

  • FirstObservedAt (list) --

    A timestamp that indicates when the potential security issue captured by a finding was first observed by the security findings product.

    Uses the date-time format specified in RFC 3339 section 5.6, Internet Date/Time Format . The value cannot contain spaces. For example, 2020-03-22T13:22:13.933Z .

    • (dict) --

      A date filter for querying findings.

      • Start (string) --

        A timestamp that provides the start date for the date filter.

        A correctly formatted example is 2020-05-21T20:16:34.724Z . The value cannot contain spaces, and date and time should be separated by T . For more information, see RFC 3339 section 5.6, Internet Date/Time Format .

      • End (string) --

        A timestamp that provides the end date for the date filter.

        A correctly formatted example is 2020-05-21T20:16:34.724Z . The value cannot contain spaces, and date and time should be separated by T . For more information, see RFC 3339 section 5.6, Internet Date/Time Format .

      • DateRange (dict) --

        A date range for the date filter.

        • Value (integer) --

          A date range value for the date filter.

        • Unit (string) --

          A date range unit for the date filter.

  • LastObservedAt (list) --

    A timestamp that indicates when the potential security issue captured by a finding was most recently observed by the security findings product.

    Uses the date-time format specified in RFC 3339 section 5.6, Internet Date/Time Format . The value cannot contain spaces. For example, 2020-03-22T13:22:13.933Z .

    • (dict) --

      A date filter for querying findings.

      • Start (string) --

        A timestamp that provides the start date for the date filter.

        A correctly formatted example is 2020-05-21T20:16:34.724Z . The value cannot contain spaces, and date and time should be separated by T . For more information, see RFC 3339 section 5.6, Internet Date/Time Format .

      • End (string) --

        A timestamp that provides the end date for the date filter.

        A correctly formatted example is 2020-05-21T20:16:34.724Z . The value cannot contain spaces, and date and time should be separated by T . For more information, see RFC 3339 section 5.6, Internet Date/Time Format .

      • DateRange (dict) --

        A date range for the date filter.

        • Value (integer) --

          A date range value for the date filter.

        • Unit (string) --

          A date range unit for the date filter.

  • CreatedAt (list) --

    A timestamp that indicates when this finding record was created.

    Uses the date-time format specified in RFC 3339 section 5.6, Internet Date/Time Format . The value cannot contain spaces. For example, 2020-03-22T13:22:13.933Z .

    • (dict) --

      A date filter for querying findings.

      • Start (string) --

        A timestamp that provides the start date for the date filter.

        A correctly formatted example is 2020-05-21T20:16:34.724Z . The value cannot contain spaces, and date and time should be separated by T . For more information, see RFC 3339 section 5.6, Internet Date/Time Format .

      • End (string) --

        A timestamp that provides the end date for the date filter.

        A correctly formatted example is 2020-05-21T20:16:34.724Z . The value cannot contain spaces, and date and time should be separated by T . For more information, see RFC 3339 section 5.6, Internet Date/Time Format .

      • DateRange (dict) --

        A date range for the date filter.

        • Value (integer) --

          A date range value for the date filter.

        • Unit (string) --

          A date range unit for the date filter.

  • UpdatedAt (list) --

    A timestamp that indicates when the finding record was most recently updated.

    Uses the date-time format specified in RFC 3339 section 5.6, Internet Date/Time Format . The value cannot contain spaces. For example, 2020-03-22T13:22:13.933Z .

    • (dict) --

      A date filter for querying findings.

      • Start (string) --

        A timestamp that provides the start date for the date filter.

        A correctly formatted example is 2020-05-21T20:16:34.724Z . The value cannot contain spaces, and date and time should be separated by T . For more information, see RFC 3339 section 5.6, Internet Date/Time Format .

      • End (string) --

        A timestamp that provides the end date for the date filter.

        A correctly formatted example is 2020-05-21T20:16:34.724Z . The value cannot contain spaces, and date and time should be separated by T . For more information, see RFC 3339 section 5.6, Internet Date/Time Format .

      • DateRange (dict) --

        A date range for the date filter.

        • Value (integer) --

          A date range value for the date filter.

        • Unit (string) --

          A date range unit for the date filter.

  • Confidence (list) --

    The likelihood that a finding accurately identifies the behavior or issue that it was intended to identify. Confidence is scored on a 0–100 basis using a ratio scale. A value of 0 means 0 percent confidence, and a value of 100 means 100 percent confidence. For example, a data exfiltration detection based on a statistical deviation of network traffic has low confidence because an actual exfiltration hasn't been verified. For more information, see Confidence in the Security Hub User Guide .

    • (dict) --

      A number filter for querying findings.

      • Gte (float) --

        The greater-than-equal condition to be applied to a single field when querying for findings.

      • Lte (float) --

        The less-than-equal condition to be applied to a single field when querying for findings.

      • Eq (float) --

        The equal-to condition to be applied to a single field when querying for findings.

  • Criticality (list) --

    The level of importance that is assigned to the resources that are associated with a finding. Criticality is scored on a 0–100 basis, using a ratio scale that supports only full integers. A score of 0 means that the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources. For more information, see Criticality in the Security Hub User Guide .

    • (dict) --

      A number filter for querying findings.

      • Gte (float) --

        The greater-than-equal condition to be applied to a single field when querying for findings.

      • Lte (float) --

        The less-than-equal condition to be applied to a single field when querying for findings.

      • Eq (float) --

        The equal-to condition to be applied to a single field when querying for findings.

  • Title (list) --

    A finding's title.

    • (dict) --

      A string filter for querying findings.

      • Value (string) --

        The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

      • Comparison (string) --

        The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

        • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .

        • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.

        EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

        To search for values that do not contain the filter criteria value, use one of the following comparison operators:

        • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .

        • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.

        NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

        For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

        You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

        For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

        • ResourceType PREFIX AwsIam

        • ResourceType PREFIX AwsEc2

        • ResourceType NOT_EQUALS AwsIamPolicy

        • ResourceType NOT_EQUALS AwsEc2NetworkInterface

  • Description (list) --

    A finding's description.

    • (dict) --

      A string filter for querying findings.

      • Value (string) --

        The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

      • Comparison (string) --

        The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

        • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .

        • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.

        EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

        To search for values that do not contain the filter criteria value, use one of the following comparison operators:

        • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .

        • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.

        NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

        For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

        You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

        For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

        • ResourceType PREFIX AwsIam

        • ResourceType PREFIX AwsEc2

        • ResourceType NOT_EQUALS AwsIamPolicy

        • ResourceType NOT_EQUALS AwsEc2NetworkInterface

  • SourceUrl (list) --

    Provides a URL that links to a page about the current finding in the finding product.

    • (dict) --

      A string filter for querying findings.

      • Value (string) --

        The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

      • Comparison (string) --

        The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

        • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .

        • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.

        EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

        To search for values that do not contain the filter criteria value, use one of the following comparison operators:

        • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .

        • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.

        NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

        For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

        You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

        For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

        • ResourceType PREFIX AwsIam

        • ResourceType PREFIX AwsEc2

        • ResourceType NOT_EQUALS AwsIamPolicy

        • ResourceType NOT_EQUALS AwsEc2NetworkInterface

  • ProductName (list) --

    Provides the name of the product that generated the finding. For control-based findings, the product name is Security Hub.

    • (dict) --

      A string filter for querying findings.

      • Value (string) --

        The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

      • Comparison (string) --

        The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

        • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .

        • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.

        EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

        To search for values that do not contain the filter criteria value, use one of the following comparison operators:

        • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .

        • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.

        NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

        For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

        You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

        For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

        • ResourceType PREFIX AwsIam

        • ResourceType PREFIX AwsEc2

        • ResourceType NOT_EQUALS AwsIamPolicy

        • ResourceType NOT_EQUALS AwsEc2NetworkInterface

  • CompanyName (list) --

    The name of the company for the product that generated the finding. For control-based findings, the company is Amazon Web Services.

    • (dict) --

      A string filter for querying findings.

      • Value (string) --

        The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

      • Comparison (string) --

        The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

        • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .

        • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.

        EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

        To search for values that do not contain the filter criteria value, use one of the following comparison operators:

        • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .

        • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.

        NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

        For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

        You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

        For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

        • ResourceType PREFIX AwsIam

        • ResourceType PREFIX AwsEc2

        • ResourceType NOT_EQUALS AwsIamPolicy

        • ResourceType NOT_EQUALS AwsEc2NetworkInterface

  • SeverityLabel (list) --

    The severity value of the finding.

    • (dict) --

      A string filter for querying findings.

      • Value (string) --

        The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

      • Comparison (string) --

        The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

        • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .

        • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.

        EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

        To search for values that do not contain the filter criteria value, use one of the following comparison operators:

        • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .

        • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.

        NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

        For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

        You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

        For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

        • ResourceType PREFIX AwsIam

        • ResourceType PREFIX AwsEc2

        • ResourceType NOT_EQUALS AwsIamPolicy

        • ResourceType NOT_EQUALS AwsEc2NetworkInterface

  • ResourceType (list) --

    The type of resource that the finding pertains to.

    • (dict) --

      A string filter for querying findings.

      • Value (string) --

        The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

      • Comparison (string) --

        The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

        • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .

        • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.

        EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

        To search for values that do not contain the filter criteria value, use one of the following comparison operators:

        • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .

        • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.

        NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

        For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

        You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

        For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

        • ResourceType PREFIX AwsIam

        • ResourceType PREFIX AwsEc2

        • ResourceType NOT_EQUALS AwsIamPolicy

        • ResourceType NOT_EQUALS AwsEc2NetworkInterface

  • ResourceId (list) --

    The identifier for the given resource type. For Amazon Web Services resources that are identified by Amazon Resource Names (ARNs), this is the ARN. For Amazon Web Services resources that lack ARNs, this is the identifier as defined by the Amazon Web Service that created the resource. For non-Amazon Web Services resources, this is a unique identifier that is associated with the resource.

    • (dict) --

      A string filter for querying findings.

      • Value (string) --

        The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

      • Comparison (string) --

        The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

        • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .

        • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.

        EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

        To search for values that do not contain the filter criteria value, use one of the following comparison operators:

        • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .

        • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.

        NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

        For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

        You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

        For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

        • ResourceType PREFIX AwsIam

        • ResourceType PREFIX AwsEc2

        • ResourceType NOT_EQUALS AwsIamPolicy

        • ResourceType NOT_EQUALS AwsEc2NetworkInterface

  • ResourcePartition (list) --

    The partition in which the resource that the finding pertains to is located. A partition is a group of Amazon Web Services Regions. Each Amazon Web Services account is scoped to one partition.

    • (dict) --

      A string filter for querying findings.

      • Value (string) --

        The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

      • Comparison (string) --

        The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

        • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .

        • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.

        EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

        To search for values that do not contain the filter criteria value, use one of the following comparison operators:

        • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .

        • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.

        NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

        For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

        You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

        For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

        • ResourceType PREFIX AwsIam

        • ResourceType PREFIX AwsEc2

        • ResourceType NOT_EQUALS AwsIamPolicy

        • ResourceType NOT_EQUALS AwsEc2NetworkInterface

  • ResourceRegion (list) --

    The Amazon Web Services Region where the resource that a finding pertains to is located.

    • (dict) --

      A string filter for querying findings.

      • Value (string) --

        The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

      • Comparison (string) --

        The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

        • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .

        • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.

        EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

        To search for values that do not contain the filter criteria value, use one of the following comparison operators:

        • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .

        • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.

        NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

        For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

        You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

        For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

        • ResourceType PREFIX AwsIam

        • ResourceType PREFIX AwsEc2

        • ResourceType NOT_EQUALS AwsIamPolicy

        • ResourceType NOT_EQUALS AwsEc2NetworkInterface

  • ResourceTags (list) --

    A list of Amazon Web Services tags associated with a resource at the time the finding was processed.

    • (dict) --

      A map filter for querying findings. Each map filter provides the field to check, the value to look for, and the comparison operator.

      • Key (string) --

        The key of the map filter. For example, for ResourceTags , Key identifies the name of the tag. For UserDefinedFields , Key is the name of the field.

      • Value (string) --

        The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called Department might be Security . If you provide security as the filter value, then there is no match.

      • Comparison (string) --

        The condition to apply to the key value when querying for findings with a map filter.

        To search for values that exactly match the filter value, use EQUALS . For example, for the ResourceTags field, the filter Department EQUALS Security matches findings that have the value Security for the tag Department .

        To search for values other than the filter value, use NOT_EQUALS . For example, for the ResourceTags field, the filter Department NOT_EQUALS Finance matches findings that do not have the value Finance for the tag Department .

        EQUALS filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

        NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

        You cannot have both an EQUALS filter and a NOT_EQUALS filter on the same field.

  • ResourceDetailsOther (list) --

    Custom fields and values about the resource that a finding pertains to.

    • (dict) --

      A map filter for querying findings. Each map filter provides the field to check, the value to look for, and the comparison operator.

      • Key (string) --

        The key of the map filter. For example, for ResourceTags , Key identifies the name of the tag. For UserDefinedFields , Key is the name of the field.

      • Value (string) --

        The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called Department might be Security . If you provide security as the filter value, then there is no match.

      • Comparison (string) --

        The condition to apply to the key value when querying for findings with a map filter.

        To search for values that exactly match the filter value, use EQUALS . For example, for the ResourceTags field, the filter Department EQUALS Security matches findings that have the value Security for the tag Department .

        To search for values other than the filter value, use NOT_EQUALS . For example, for the ResourceTags field, the filter Department NOT_EQUALS Finance matches findings that do not have the value Finance for the tag Department .

        EQUALS filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

        NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

        You cannot have both an EQUALS filter and a NOT_EQUALS filter on the same field.

  • ComplianceStatus (list) --

    The result of a security check. This field is only used for findings generated from controls.

    • (dict) --

      A string filter for querying findings.

      • Value (string) --

        The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

      • Comparison (string) --

        The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

        • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .

        • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.

        EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

        To search for values that do not contain the filter criteria value, use one of the following comparison operators:

        • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .

        • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.

        NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

        For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

        You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

        For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

        • ResourceType PREFIX AwsIam

        • ResourceType PREFIX AwsEc2

        • ResourceType NOT_EQUALS AwsIamPolicy

        • ResourceType NOT_EQUALS AwsEc2NetworkInterface

  • ComplianceSecurityControlId (list) --

    The security control ID for which a finding was generated. Security control IDs are the same across standards.

    • (dict) --

      A string filter for querying findings.

      • Value (string) --

        The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

      • Comparison (string) --

        The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

        • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .

        • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.

        EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

        To search for values that do not contain the filter criteria value, use one of the following comparison operators:

        • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .

        • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.

        NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

        For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

        You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

        For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

        • ResourceType PREFIX AwsIam

        • ResourceType PREFIX AwsEc2

        • ResourceType NOT_EQUALS AwsIamPolicy

        • ResourceType NOT_EQUALS AwsEc2NetworkInterface

  • ComplianceAssociatedStandardsId (list) --

    The unique identifier of a standard in which a control is enabled. This field consists of the resource portion of the Amazon Resource Name (ARN) returned for a standard in the DescribeStandards API response.

    • (dict) --

      A string filter for querying findings.

      • Value (string) --

        The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

      • Comparison (string) --

        The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

        • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .

        • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.

        EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

        To search for values that do not contain the filter criteria value, use one of the following comparison operators:

        • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .

        • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.

        NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

        For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

        You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

        For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

        • ResourceType PREFIX AwsIam

        • ResourceType PREFIX AwsEc2

        • ResourceType NOT_EQUALS AwsIamPolicy

        • ResourceType NOT_EQUALS AwsEc2NetworkInterface

  • VerificationState (list) --

    Provides the veracity of a finding.

    • (dict) --

      A string filter for querying findings.

      • Value (string) --

        The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

      • Comparison (string) --

        The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

        • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .

        • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.

        EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

        To search for values that do not contain the filter criteria value, use one of the following comparison operators:

        • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .

        • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.

        NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

        For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

        You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

        For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

        • ResourceType PREFIX AwsIam

        • ResourceType PREFIX AwsEc2

        • ResourceType NOT_EQUALS AwsIamPolicy

        • ResourceType NOT_EQUALS AwsEc2NetworkInterface

  • WorkflowStatus (list) --

    Provides information about the status of the investigation into a finding.

    • (dict) --

      A string filter for querying findings.

      • Value (string) --

        The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

      • Comparison (string) --

        The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

        • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .

        • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.

        EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

        To search for values that do not contain the filter criteria value, use one of the following comparison operators:

        • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .

        • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.

        NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

        For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

        You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

        For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

        • ResourceType PREFIX AwsIam

        • ResourceType PREFIX AwsEc2

        • ResourceType NOT_EQUALS AwsIamPolicy

        • ResourceType NOT_EQUALS AwsEc2NetworkInterface

  • RecordState (list) --

    Provides the current state of a finding.

    • (dict) --

      A string filter for querying findings.

      • Value (string) --

        The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

      • Comparison (string) --

        The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

        • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .

        • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.

        EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

        To search for values that do not contain the filter criteria value, use one of the following comparison operators:

        • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .

        • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.

        NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

        For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

        You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

        For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

        • ResourceType PREFIX AwsIam

        • ResourceType PREFIX AwsEc2

        • ResourceType NOT_EQUALS AwsIamPolicy

        • ResourceType NOT_EQUALS AwsEc2NetworkInterface

  • RelatedFindingsProductArn (list) --

    The ARN for the product that generated a related finding.

    • (dict) --

      A string filter for querying findings.

      • Value (string) --

        The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

      • Comparison (string) --

        The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

        • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .

        • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.

        EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

        To search for values that do not contain the filter criteria value, use one of the following comparison operators:

        • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .

        • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.

        NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

        For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

        You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

        For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

        • ResourceType PREFIX AwsIam

        • ResourceType PREFIX AwsEc2

        • ResourceType NOT_EQUALS AwsIamPolicy

        • ResourceType NOT_EQUALS AwsEc2NetworkInterface

  • RelatedFindingsId (list) --

    The product-generated identifier for a related finding.

    • (dict) --

      A string filter for querying findings.

      • Value (string) --

        The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

      • Comparison (string) --

        The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

        • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .

        • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.

        EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

        To search for values that do not contain the filter criteria value, use one of the following comparison operators:

        • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .

        • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.

        NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

        For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

        You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

        For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

        • ResourceType PREFIX AwsIam

        • ResourceType PREFIX AwsEc2

        • ResourceType NOT_EQUALS AwsIamPolicy

        • ResourceType NOT_EQUALS AwsEc2NetworkInterface

  • NoteText (list) --

    The text of a user-defined note that's added to a finding.

    • (dict) --

      A string filter for querying findings.

      • Value (string) --

        The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

      • Comparison (string) --

        The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

        • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .

        • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.

        EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

        To search for values that do not contain the filter criteria value, use one of the following comparison operators:

        • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .

        • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.

        NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

        For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

        You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

        For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

        • ResourceType PREFIX AwsIam

        • ResourceType PREFIX AwsEc2

        • ResourceType NOT_EQUALS AwsIamPolicy

        • ResourceType NOT_EQUALS AwsEc2NetworkInterface

  • NoteUpdatedAt (list) --

    The timestamp of when the note was updated. Uses the date-time format specified in RFC 3339 section 5.6, Internet Date/Time Format . The value cannot contain spaces. For example, 2020-03-22T13:22:13.933Z .

    • (dict) --

      A date filter for querying findings.

      • Start (string) --

        A timestamp that provides the start date for the date filter.

        A correctly formatted example is 2020-05-21T20:16:34.724Z . The value cannot contain spaces, and date and time should be separated by T . For more information, see RFC 3339 section 5.6, Internet Date/Time Format .

      • End (string) --

        A timestamp that provides the end date for the date filter.

        A correctly formatted example is 2020-05-21T20:16:34.724Z . The value cannot contain spaces, and date and time should be separated by T . For more information, see RFC 3339 section 5.6, Internet Date/Time Format .

      • DateRange (dict) --

        A date range for the date filter.

        • Value (integer) --

          A date range value for the date filter.

        • Unit (string) --

          A date range unit for the date filter.

  • NoteUpdatedBy (list) --

    The principal that created a note.

    • (dict) --

      A string filter for querying findings.

      • Value (string) --

        The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

      • Comparison (string) --

        The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

        • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .

        • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.

        EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

        To search for values that do not contain the filter criteria value, use one of the following comparison operators:

        • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .

        • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.

        NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

        For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

        You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

        For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

        • ResourceType PREFIX AwsIam

        • ResourceType PREFIX AwsEc2

        • ResourceType NOT_EQUALS AwsIamPolicy

        • ResourceType NOT_EQUALS AwsEc2NetworkInterface

  • UserDefinedFields (list) --

    A list of user-defined name and value string pairs added to a finding.

    • (dict) --

      A map filter for querying findings. Each map filter provides the field to check, the value to look for, and the comparison operator.

      • Key (string) --

        The key of the map filter. For example, for ResourceTags , Key identifies the name of the tag. For UserDefinedFields , Key is the name of the field.

      • Value (string) --

        The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called Department might be Security . If you provide security as the filter value, then there is no match.

      • Comparison (string) --

        The condition to apply to the key value when querying for findings with a map filter.

        To search for values that exactly match the filter value, use EQUALS . For example, for the ResourceTags field, the filter Department EQUALS Security matches findings that have the value Security for the tag Department .

        To search for values other than the filter value, use NOT_EQUALS . For example, for the ResourceTags field, the filter Department NOT_EQUALS Finance matches findings that do not have the value Finance for the tag Department .

        EQUALS filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

        NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

        You cannot have both an EQUALS filter and a NOT_EQUALS filter on the same field.

type Actions

list

param Actions

[REQUIRED]

One or more actions to update finding fields if a finding matches the conditions specified in Criteria .

  • (dict) --

    One or more actions to update finding fields if a finding matches the defined criteria of the rule.

    • Type (string) --

      Specifies that the rule action should update the Types finding field. The Types finding field provides one or more finding types in the format of namespace/category/classifier that classify a finding. For more information, see Types taxonomy for ASFF in the Security Hub User Guide .

    • FindingFieldsUpdate (dict) --

      Specifies that the automation rule action is an update to a finding field.

      • Note (dict) --

        The updated note.

        • Text (string) -- [REQUIRED]

          The updated note text.

        • UpdatedBy (string) -- [REQUIRED]

          The principal that updated the note.

      • Severity (dict) --

        Updates to the severity information for a finding.

        • Normalized (integer) --

          The normalized severity for the finding. This attribute is to be deprecated in favor of Label .

          If you provide Normalized and do not provide Label , Label is set automatically as follows.

          • 0 - INFORMATIONAL

          • 1–39 - LOW

          • 40–69 - MEDIUM

          • 70–89 - HIGH

          • 90–100 - CRITICAL

        • Product (float) --

          The native severity as defined by the Amazon Web Services service or integrated partner product that generated the finding.

        • Label (string) --

          The severity value of the finding. The allowed values are the following.

          • INFORMATIONAL - No issue was found.

          • LOW - The issue does not require action on its own.

          • MEDIUM - The issue must be addressed but not urgently.

          • HIGH - The issue must be addressed as a priority.

          • CRITICAL - The issue must be remediated immediately to avoid it escalating.

      • VerificationState (string) --

        The rule action will update the VerificationState field of a finding.

      • Confidence (integer) --

        The rule action will update the Confidence field of a finding.

      • Criticality (integer) --

        The rule action will update the Criticality field of a finding.

      • Types (list) --

        The rule action will update the Types field of a finding.

        • (string) --

      • UserDefinedFields (dict) --

        The rule action will update the UserDefinedFields field of a finding.

        • (string) --

          • (string) --

      • Workflow (dict) --

        Used to update information about the investigation into the finding.

        • Status (string) --

          The status of the investigation into the finding. The workflow status is specific to an individual finding. It does not affect the generation of new findings. For example, setting the workflow status to SUPPRESSED or RESOLVED does not prevent a new finding for the same issue.

          The allowed values are the following.

          • NEW - The initial state of a finding, before it is reviewed. Security Hub also resets WorkFlowStatus from NOTIFIED or RESOLVED to NEW in the following cases:

            • The record state changes from ARCHIVED to ACTIVE .

            • The compliance status changes from PASSED to either WARNING , FAILED , or NOT_AVAILABLE .

          • NOTIFIED - Indicates that you notified the resource owner about the security issue. Used when the initial reviewer is not the resource owner, and needs intervention from the resource owner.

          • RESOLVED - The finding was reviewed and remediated and is now considered resolved.

          • SUPPRESSED - Indicates that you reviewed the finding and do not believe that any action is needed. The finding is no longer updated.

      • RelatedFindings (list) --

        A list of findings that are related to a finding.

        • (dict) --

          Details about a related finding.

          • ProductArn (string) -- [REQUIRED]

            The ARN of the product that generated a related finding.

          • Id (string) -- [REQUIRED]

            The product-generated identifier for a related finding.

rtype

dict

returns

Response Syntax

{
    'RuleArn': 'string'
}

Response Structure

  • (dict) --

    • RuleArn (string) --

      The Amazon Resource Name (ARN) of the automation rule that you created.

BatchUpdateAutomationRules (new) Link ¶

Updates one or more automation rules based on rule Amazon Resource Names (ARNs) and input parameters.

See also: AWS API Documentation

Request Syntax

client.batch_update_automation_rules(
    UpdateAutomationRulesRequestItems=[
        {
            'RuleArn': 'string',
            'RuleStatus': 'ENABLED'|'DISABLED',
            'RuleOrder': 123,
            'Description': 'string',
            'RuleName': 'string',
            'IsTerminal': True|False,
            'Criteria': {
                'ProductArn': [
                    {
                        'Value': 'string',
                        'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'
                    },
                ],
                'AwsAccountId': [
                    {
                        'Value': 'string',
                        'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'
                    },
                ],
                'Id': [
                    {
                        'Value': 'string',
                        'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'
                    },
                ],
                'GeneratorId': [
                    {
                        'Value': 'string',
                        'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'
                    },
                ],
                'Type': [
                    {
                        'Value': 'string',
                        'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'
                    },
                ],
                'FirstObservedAt': [
                    {
                        'Start': 'string',
                        'End': 'string',
                        'DateRange': {
                            'Value': 123,
                            'Unit': 'DAYS'
                        }
                    },
                ],
                'LastObservedAt': [
                    {
                        'Start': 'string',
                        'End': 'string',
                        'DateRange': {
                            'Value': 123,
                            'Unit': 'DAYS'
                        }
                    },
                ],
                'CreatedAt': [
                    {
                        'Start': 'string',
                        'End': 'string',
                        'DateRange': {
                            'Value': 123,
                            'Unit': 'DAYS'
                        }
                    },
                ],
                'UpdatedAt': [
                    {
                        'Start': 'string',
                        'End': 'string',
                        'DateRange': {
                            'Value': 123,
                            'Unit': 'DAYS'
                        }
                    },
                ],
                'Confidence': [
                    {
                        'Gte': 123.0,
                        'Lte': 123.0,
                        'Eq': 123.0
                    },
                ],
                'Criticality': [
                    {
                        'Gte': 123.0,
                        'Lte': 123.0,
                        'Eq': 123.0
                    },
                ],
                'Title': [
                    {
                        'Value': 'string',
                        'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'
                    },
                ],
                'Description': [
                    {
                        'Value': 'string',
                        'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'
                    },
                ],
                'SourceUrl': [
                    {
                        'Value': 'string',
                        'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'
                    },
                ],
                'ProductName': [
                    {
                        'Value': 'string',
                        'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'
                    },
                ],
                'CompanyName': [
                    {
                        'Value': 'string',
                        'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'
                    },
                ],
                'SeverityLabel': [
                    {
                        'Value': 'string',
                        'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'
                    },
                ],
                'ResourceType': [
                    {
                        'Value': 'string',
                        'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'
                    },
                ],
                'ResourceId': [
                    {
                        'Value': 'string',
                        'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'
                    },
                ],
                'ResourcePartition': [
                    {
                        'Value': 'string',
                        'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'
                    },
                ],
                'ResourceRegion': [
                    {
                        'Value': 'string',
                        'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'
                    },
                ],
                'ResourceTags': [
                    {
                        'Key': 'string',
                        'Value': 'string',
                        'Comparison': 'EQUALS'|'NOT_EQUALS'
                    },
                ],
                'ResourceDetailsOther': [
                    {
                        'Key': 'string',
                        'Value': 'string',
                        'Comparison': 'EQUALS'|'NOT_EQUALS'
                    },
                ],
                'ComplianceStatus': [
                    {
                        'Value': 'string',
                        'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'
                    },
                ],
                'ComplianceSecurityControlId': [
                    {
                        'Value': 'string',
                        'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'
                    },
                ],
                'ComplianceAssociatedStandardsId': [
                    {
                        'Value': 'string',
                        'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'
                    },
                ],
                'VerificationState': [
                    {
                        'Value': 'string',
                        'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'
                    },
                ],
                'WorkflowStatus': [
                    {
                        'Value': 'string',
                        'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'
                    },
                ],
                'RecordState': [
                    {
                        'Value': 'string',
                        'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'
                    },
                ],
                'RelatedFindingsProductArn': [
                    {
                        'Value': 'string',
                        'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'
                    },
                ],
                'RelatedFindingsId': [
                    {
                        'Value': 'string',
                        'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'
                    },
                ],
                'NoteText': [
                    {
                        'Value': 'string',
                        'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'
                    },
                ],
                'NoteUpdatedAt': [
                    {
                        'Start': 'string',
                        'End': 'string',
                        'DateRange': {
                            'Value': 123,
                            'Unit': 'DAYS'
                        }
                    },
                ],
                'NoteUpdatedBy': [
                    {
                        'Value': 'string',
                        'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'
                    },
                ],
                'UserDefinedFields': [
                    {
                        'Key': 'string',
                        'Value': 'string',
                        'Comparison': 'EQUALS'|'NOT_EQUALS'
                    },
                ]
            },
            'Actions': [
                {
                    'Type': 'FINDING_FIELDS_UPDATE',
                    'FindingFieldsUpdate': {
                        'Note': {
                            'Text': 'string',
                            'UpdatedBy': 'string'
                        },
                        'Severity': {
                            'Normalized': 123,
                            'Product': 123.0,
                            'Label': 'INFORMATIONAL'|'LOW'|'MEDIUM'|'HIGH'|'CRITICAL'
                        },
                        'VerificationState': 'UNKNOWN'|'TRUE_POSITIVE'|'FALSE_POSITIVE'|'BENIGN_POSITIVE',
                        'Confidence': 123,
                        'Criticality': 123,
                        'Types': [
                            'string',
                        ],
                        'UserDefinedFields': {
                            'string': 'string'
                        },
                        'Workflow': {
                            'Status': 'NEW'|'NOTIFIED'|'RESOLVED'|'SUPPRESSED'
                        },
                        'RelatedFindings': [
                            {
                                'ProductArn': 'string',
                                'Id': 'string'
                            },
                        ]
                    }
                },
            ]
        },
    ]
)
type UpdateAutomationRulesRequestItems

list

param UpdateAutomationRulesRequestItems

[REQUIRED]

An array of ARNs for the rules that are to be updated. Optionally, you can also include RuleStatus and RuleOrder .

  • (dict) --

    Specifies the parameters to update in an existing automation rule.

    • RuleArn (string) -- [REQUIRED]

      The Amazon Resource Name (ARN) for the rule.

    • RuleStatus (string) --

      Whether the rule is active after it is created. If this parameter is equal to ENABLED , Security Hub will apply the rule to findings and finding updates after the rule is created. To change the value of this parameter after creating a rule, use BatchUpdateAutomationRules .

    • RuleOrder (integer) --

      An integer ranging from 1 to 1000 that represents the order in which the rule action is applied to findings. Security Hub applies rules with lower values for this parameter first.

    • Description (string) --

      A description of the rule.

    • RuleName (string) --

      The name of the rule.

    • IsTerminal (boolean) --

      Specifies whether a rule is the last to be applied with respect to a finding that matches the rule criteria. This is useful when a finding matches the criteria for multiple rules, and each rule has different actions. If the value of this field is set to true for a rule, Security Hub applies the rule action to a finding that matches the rule criteria and won't evaluate other rules for the finding. The default value of this field is false .

    • Criteria (dict) --

      A set of ASFF finding field attributes and corresponding expected values that Security Hub uses to filter findings. If a finding matches the conditions specified in this parameter, Security Hub applies the rule action to the finding.

      • ProductArn (list) --

        The Amazon Resource Name (ARN) for a third-party product that generated a finding in Security Hub.

        • (dict) --

          A string filter for querying findings.

          • Value (string) --

            The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

          • Comparison (string) --

            The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

            • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .

            • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.

            EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

            To search for values that do not contain the filter criteria value, use one of the following comparison operators:

            • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .

            • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.

            NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

            For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

            You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

            For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

            • ResourceType PREFIX AwsIam

            • ResourceType PREFIX AwsEc2

            • ResourceType NOT_EQUALS AwsIamPolicy

            • ResourceType NOT_EQUALS AwsEc2NetworkInterface

      • AwsAccountId (list) --

        The Amazon Web Services account ID in which a finding was generated.

        • (dict) --

          A string filter for querying findings.

          • Value (string) --

            The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

          • Comparison (string) --

            The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

            • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .

            • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.

            EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

            To search for values that do not contain the filter criteria value, use one of the following comparison operators:

            • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .

            • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.

            NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

            For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

            You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

            For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

            • ResourceType PREFIX AwsIam

            • ResourceType PREFIX AwsEc2

            • ResourceType NOT_EQUALS AwsIamPolicy

            • ResourceType NOT_EQUALS AwsEc2NetworkInterface

      • Id (list) --

        The product-specific identifier for a finding.

        • (dict) --

          A string filter for querying findings.

          • Value (string) --

            The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

          • Comparison (string) --

            The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

            • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .

            • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.

            EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

            To search for values that do not contain the filter criteria value, use one of the following comparison operators:

            • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .

            • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.

            NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

            For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

            You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

            For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

            • ResourceType PREFIX AwsIam

            • ResourceType PREFIX AwsEc2

            • ResourceType NOT_EQUALS AwsIamPolicy

            • ResourceType NOT_EQUALS AwsEc2NetworkInterface

      • GeneratorId (list) --

        The identifier for the solution-specific component that generated a finding.

        • (dict) --

          A string filter for querying findings.

          • Value (string) --

            The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

          • Comparison (string) --

            The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

            • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .

            • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.

            EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

            To search for values that do not contain the filter criteria value, use one of the following comparison operators:

            • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .

            • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.

            NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

            For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

            You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

            For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

            • ResourceType PREFIX AwsIam

            • ResourceType PREFIX AwsEc2

            • ResourceType NOT_EQUALS AwsIamPolicy

            • ResourceType NOT_EQUALS AwsEc2NetworkInterface

      • Type (list) --

        One or more finding types in the format of namespace/category/classifier that classify a finding. For a list of namespaces, classifiers, and categories, see Types taxonomy for ASFF in the Security Hub User Guide .

        • (dict) --

          A string filter for querying findings.

          • Value (string) --

            The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

          • Comparison (string) --

            The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

            • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .

            • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.

            EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

            To search for values that do not contain the filter criteria value, use one of the following comparison operators:

            • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .

            • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.

            NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

            For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

            You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

            For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

            • ResourceType PREFIX AwsIam

            • ResourceType PREFIX AwsEc2

            • ResourceType NOT_EQUALS AwsIamPolicy

            • ResourceType NOT_EQUALS AwsEc2NetworkInterface

      • FirstObservedAt (list) --

        A timestamp that indicates when the potential security issue captured by a finding was first observed by the security findings product.

        Uses the date-time format specified in RFC 3339 section 5.6, Internet Date/Time Format . The value cannot contain spaces. For example, 2020-03-22T13:22:13.933Z .

        • (dict) --

          A date filter for querying findings.

          • Start (string) --

            A timestamp that provides the start date for the date filter.

            A correctly formatted example is 2020-05-21T20:16:34.724Z . The value cannot contain spaces, and date and time should be separated by T . For more information, see RFC 3339 section 5.6, Internet Date/Time Format .

          • End (string) --

            A timestamp that provides the end date for the date filter.

            A correctly formatted example is 2020-05-21T20:16:34.724Z . The value cannot contain spaces, and date and time should be separated by T . For more information, see RFC 3339 section 5.6, Internet Date/Time Format .

          • DateRange (dict) --

            A date range for the date filter.

            • Value (integer) --

              A date range value for the date filter.

            • Unit (string) --

              A date range unit for the date filter.

      • LastObservedAt (list) --

        A timestamp that indicates when the potential security issue captured by a finding was most recently observed by the security findings product.

        Uses the date-time format specified in RFC 3339 section 5.6, Internet Date/Time Format . The value cannot contain spaces. For example, 2020-03-22T13:22:13.933Z .

        • (dict) --

          A date filter for querying findings.

          • Start (string) --

            A timestamp that provides the start date for the date filter.

            A correctly formatted example is 2020-05-21T20:16:34.724Z . The value cannot contain spaces, and date and time should be separated by T . For more information, see RFC 3339 section 5.6, Internet Date/Time Format .

          • End (string) --

            A timestamp that provides the end date for the date filter.

            A correctly formatted example is 2020-05-21T20:16:34.724Z . The value cannot contain spaces, and date and time should be separated by T . For more information, see RFC 3339 section 5.6, Internet Date/Time Format .

          • DateRange (dict) --

            A date range for the date filter.

            • Value (integer) --

              A date range value for the date filter.

            • Unit (string) --

              A date range unit for the date filter.

      • CreatedAt (list) --

        A timestamp that indicates when this finding record was created.

        Uses the date-time format specified in RFC 3339 section 5.6, Internet Date/Time Format . The value cannot contain spaces. For example, 2020-03-22T13:22:13.933Z .

        • (dict) --

          A date filter for querying findings.

          • Start (string) --

            A timestamp that provides the start date for the date filter.

            A correctly formatted example is 2020-05-21T20:16:34.724Z . The value cannot contain spaces, and date and time should be separated by T . For more information, see RFC 3339 section 5.6, Internet Date/Time Format .

          • End (string) --

            A timestamp that provides the end date for the date filter.

            A correctly formatted example is 2020-05-21T20:16:34.724Z . The value cannot contain spaces, and date and time should be separated by T . For more information, see RFC 3339 section 5.6, Internet Date/Time Format .

          • DateRange (dict) --

            A date range for the date filter.

            • Value (integer) --

              A date range value for the date filter.

            • Unit (string) --

              A date range unit for the date filter.

      • UpdatedAt (list) --

        A timestamp that indicates when the finding record was most recently updated.

        Uses the date-time format specified in RFC 3339 section 5.6, Internet Date/Time Format . The value cannot contain spaces. For example, 2020-03-22T13:22:13.933Z .

        • (dict) --

          A date filter for querying findings.

          • Start (string) --

            A timestamp that provides the start date for the date filter.

            A correctly formatted example is 2020-05-21T20:16:34.724Z . The value cannot contain spaces, and date and time should be separated by T . For more information, see RFC 3339 section 5.6, Internet Date/Time Format .

          • End (string) --

            A timestamp that provides the end date for the date filter.

            A correctly formatted example is 2020-05-21T20:16:34.724Z . The value cannot contain spaces, and date and time should be separated by T . For more information, see RFC 3339 section 5.6, Internet Date/Time Format .

          • DateRange (dict) --

            A date range for the date filter.

            • Value (integer) --

              A date range value for the date filter.

            • Unit (string) --

              A date range unit for the date filter.

      • Confidence (list) --

        The likelihood that a finding accurately identifies the behavior or issue that it was intended to identify. Confidence is scored on a 0–100 basis using a ratio scale. A value of 0 means 0 percent confidence, and a value of 100 means 100 percent confidence. For example, a data exfiltration detection based on a statistical deviation of network traffic has low confidence because an actual exfiltration hasn't been verified. For more information, see Confidence in the Security Hub User Guide .

        • (dict) --

          A number filter for querying findings.

          • Gte (float) --

            The greater-than-equal condition to be applied to a single field when querying for findings.

          • Lte (float) --

            The less-than-equal condition to be applied to a single field when querying for findings.

          • Eq (float) --

            The equal-to condition to be applied to a single field when querying for findings.

      • Criticality (list) --

        The level of importance that is assigned to the resources that are associated with a finding. Criticality is scored on a 0–100 basis, using a ratio scale that supports only full integers. A score of 0 means that the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources. For more information, see Criticality in the Security Hub User Guide .

        • (dict) --

          A number filter for querying findings.

          • Gte (float) --

            The greater-than-equal condition to be applied to a single field when querying for findings.

          • Lte (float) --

            The less-than-equal condition to be applied to a single field when querying for findings.

          • Eq (float) --

            The equal-to condition to be applied to a single field when querying for findings.

      • Title (list) --

        A finding's title.

        • (dict) --

          A string filter for querying findings.

          • Value (string) --

            The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

          • Comparison (string) --

            The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

            • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .

            • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.

            EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

            To search for values that do not contain the filter criteria value, use one of the following comparison operators:

            • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .

            • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.

            NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

            For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

            You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

            For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

            • ResourceType PREFIX AwsIam

            • ResourceType PREFIX AwsEc2

            • ResourceType NOT_EQUALS AwsIamPolicy

            • ResourceType NOT_EQUALS AwsEc2NetworkInterface

      • Description (list) --

        A finding's description.

        • (dict) --

          A string filter for querying findings.

          • Value (string) --

            The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

          • Comparison (string) --

            The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

            • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .

            • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.

            EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

            To search for values that do not contain the filter criteria value, use one of the following comparison operators:

            • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .

            • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.

            NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

            For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

            You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

            For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

            • ResourceType PREFIX AwsIam

            • ResourceType PREFIX AwsEc2

            • ResourceType NOT_EQUALS AwsIamPolicy

            • ResourceType NOT_EQUALS AwsEc2NetworkInterface

      • SourceUrl (list) --

        Provides a URL that links to a page about the current finding in the finding product.

        • (dict) --

          A string filter for querying findings.

          • Value (string) --

            The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

          • Comparison (string) --

            The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

            • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .

            • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.

            EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

            To search for values that do not contain the filter criteria value, use one of the following comparison operators:

            • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .

            • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.

            NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

            For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

            You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

            For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

            • ResourceType PREFIX AwsIam

            • ResourceType PREFIX AwsEc2

            • ResourceType NOT_EQUALS AwsIamPolicy

            • ResourceType NOT_EQUALS AwsEc2NetworkInterface

      • ProductName (list) --

        Provides the name of the product that generated the finding. For control-based findings, the product name is Security Hub.

        • (dict) --

          A string filter for querying findings.

          • Value (string) --

            The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

          • Comparison (string) --

            The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

            • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .

            • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.

            EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

            To search for values that do not contain the filter criteria value, use one of the following comparison operators:

            • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .

            • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.

            NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

            For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

            You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

            For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

            • ResourceType PREFIX AwsIam

            • ResourceType PREFIX AwsEc2

            • ResourceType NOT_EQUALS AwsIamPolicy

            • ResourceType NOT_EQUALS AwsEc2NetworkInterface

      • CompanyName (list) --

        The name of the company for the product that generated the finding. For control-based findings, the company is Amazon Web Services.

        • (dict) --

          A string filter for querying findings.

          • Value (string) --

            The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

          • Comparison (string) --

            The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

            • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .

            • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.

            EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

            To search for values that do not contain the filter criteria value, use one of the following comparison operators:

            • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .

            • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.

            NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

            For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

            You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

            For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

            • ResourceType PREFIX AwsIam

            • ResourceType PREFIX AwsEc2

            • ResourceType NOT_EQUALS AwsIamPolicy

            • ResourceType NOT_EQUALS AwsEc2NetworkInterface

      • SeverityLabel (list) --

        The severity value of the finding.

        • (dict) --

          A string filter for querying findings.

          • Value (string) --

            The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

          • Comparison (string) --

            The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

            • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .

            • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.

            EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

            To search for values that do not contain the filter criteria value, use one of the following comparison operators:

            • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .

            • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.

            NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

            For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

            You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

            For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

            • ResourceType PREFIX AwsIam

            • ResourceType PREFIX AwsEc2

            • ResourceType NOT_EQUALS AwsIamPolicy

            • ResourceType NOT_EQUALS AwsEc2NetworkInterface

      • ResourceType (list) --

        The type of resource that the finding pertains to.

        • (dict) --

          A string filter for querying findings.

          • Value (string) --

            The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

          • Comparison (string) --

            The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

            • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .

            • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.

            EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

            To search for values that do not contain the filter criteria value, use one of the following comparison operators:

            • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .

            • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.

            NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

            For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

            You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

            For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

            • ResourceType PREFIX AwsIam

            • ResourceType PREFIX AwsEc2

            • ResourceType NOT_EQUALS AwsIamPolicy

            • ResourceType NOT_EQUALS AwsEc2NetworkInterface

      • ResourceId (list) --

        The identifier for the given resource type. For Amazon Web Services resources that are identified by Amazon Resource Names (ARNs), this is the ARN. For Amazon Web Services resources that lack ARNs, this is the identifier as defined by the Amazon Web Service that created the resource. For non-Amazon Web Services resources, this is a unique identifier that is associated with the resource.

        • (dict) --

          A string filter for querying findings.

          • Value (string) --

            The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

          • Comparison (string) --

            The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

            • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .

            • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.

            EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

            To search for values that do not contain the filter criteria value, use one of the following comparison operators:

            • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .

            • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.

            NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

            For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

            You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

            For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

            • ResourceType PREFIX AwsIam

            • ResourceType PREFIX AwsEc2

            • ResourceType NOT_EQUALS AwsIamPolicy

            • ResourceType NOT_EQUALS AwsEc2NetworkInterface

      • ResourcePartition (list) --

        The partition in which the resource that the finding pertains to is located. A partition is a group of Amazon Web Services Regions. Each Amazon Web Services account is scoped to one partition.

        • (dict) --

          A string filter for querying findings.

          • Value (string) --

            The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

          • Comparison (string) --

            The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

            • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .

            • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.

            EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

            To search for values that do not contain the filter criteria value, use one of the following comparison operators:

            • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .

            • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.

            NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

            For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

            You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

            For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

            • ResourceType PREFIX AwsIam

            • ResourceType PREFIX AwsEc2

            • ResourceType NOT_EQUALS AwsIamPolicy

            • ResourceType NOT_EQUALS AwsEc2NetworkInterface

      • ResourceRegion (list) --

        The Amazon Web Services Region where the resource that a finding pertains to is located.

        • (dict) --

          A string filter for querying findings.

          • Value (string) --

            The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

          • Comparison (string) --

            The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

            • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .

            • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.

            EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

            To search for values that do not contain the filter criteria value, use one of the following comparison operators:

            • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .

            • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.

            NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

            For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

            You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

            For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

            • ResourceType PREFIX AwsIam

            • ResourceType PREFIX AwsEc2

            • ResourceType NOT_EQUALS AwsIamPolicy

            • ResourceType NOT_EQUALS AwsEc2NetworkInterface

      • ResourceTags (list) --

        A list of Amazon Web Services tags associated with a resource at the time the finding was processed.

        • (dict) --

          A map filter for querying findings. Each map filter provides the field to check, the value to look for, and the comparison operator.

          • Key (string) --

            The key of the map filter. For example, for ResourceTags , Key identifies the name of the tag. For UserDefinedFields , Key is the name of the field.

          • Value (string) --

            The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called Department might be Security . If you provide security as the filter value, then there is no match.

          • Comparison (string) --

            The condition to apply to the key value when querying for findings with a map filter.

            To search for values that exactly match the filter value, use EQUALS . For example, for the ResourceTags field, the filter Department EQUALS Security matches findings that have the value Security for the tag Department .

            To search for values other than the filter value, use NOT_EQUALS . For example, for the ResourceTags field, the filter Department NOT_EQUALS Finance matches findings that do not have the value Finance for the tag Department .

            EQUALS filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

            NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

            You cannot have both an EQUALS filter and a NOT_EQUALS filter on the same field.

      • ResourceDetailsOther (list) --

        Custom fields and values about the resource that a finding pertains to.

        • (dict) --

          A map filter for querying findings. Each map filter provides the field to check, the value to look for, and the comparison operator.

          • Key (string) --

            The key of the map filter. For example, for ResourceTags , Key identifies the name of the tag. For UserDefinedFields , Key is the name of the field.

          • Value (string) --

            The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called Department might be Security . If you provide security as the filter value, then there is no match.

          • Comparison (string) --

            The condition to apply to the key value when querying for findings with a map filter.

            To search for values that exactly match the filter value, use EQUALS . For example, for the ResourceTags field, the filter Department EQUALS Security matches findings that have the value Security for the tag Department .

            To search for values other than the filter value, use NOT_EQUALS . For example, for the ResourceTags field, the filter Department NOT_EQUALS Finance matches findings that do not have the value Finance for the tag Department .

            EQUALS filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

            NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

            You cannot have both an EQUALS filter and a NOT_EQUALS filter on the same field.

      • ComplianceStatus (list) --

        The result of a security check. This field is only used for findings generated from controls.

        • (dict) --

          A string filter for querying findings.

          • Value (string) --

            The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

          • Comparison (string) --

            The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

            • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .

            • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.

            EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

            To search for values that do not contain the filter criteria value, use one of the following comparison operators:

            • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .

            • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.

            NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

            For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

            You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

            For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

            • ResourceType PREFIX AwsIam

            • ResourceType PREFIX AwsEc2

            • ResourceType NOT_EQUALS AwsIamPolicy

            • ResourceType NOT_EQUALS AwsEc2NetworkInterface

      • ComplianceSecurityControlId (list) --

        The security control ID for which a finding was generated. Security control IDs are the same across standards.

        • (dict) --

          A string filter for querying findings.

          • Value (string) --

            The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

          • Comparison (string) --

            The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

            • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .

            • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.

            EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

            To search for values that do not contain the filter criteria value, use one of the following comparison operators:

            • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .

            • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.

            NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

            For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

            You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

            For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

            • ResourceType PREFIX AwsIam

            • ResourceType PREFIX AwsEc2

            • ResourceType NOT_EQUALS AwsIamPolicy

            • ResourceType NOT_EQUALS AwsEc2NetworkInterface

      • ComplianceAssociatedStandardsId (list) --

        The unique identifier of a standard in which a control is enabled. This field consists of the resource portion of the Amazon Resource Name (ARN) returned for a standard in the DescribeStandards API response.

        • (dict) --

          A string filter for querying findings.

          • Value (string) --

            The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

          • Comparison (string) --

            The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

            • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .

            • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.

            EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

            To search for values that do not contain the filter criteria value, use one of the following comparison operators:

            • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .

            • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.

            NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

            For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

            You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

            For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

            • ResourceType PREFIX AwsIam

            • ResourceType PREFIX AwsEc2

            • ResourceType NOT_EQUALS AwsIamPolicy

            • ResourceType NOT_EQUALS AwsEc2NetworkInterface

      • VerificationState (list) --

        Provides the veracity of a finding.

        • (dict) --

          A string filter for querying findings.

          • Value (string) --

            The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

          • Comparison (string) --

            The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

            • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .

            • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.

            EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

            To search for values that do not contain the filter criteria value, use one of the following comparison operators:

            • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .

            • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.

            NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

            For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

            You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

            For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

            • ResourceType PREFIX AwsIam

            • ResourceType PREFIX AwsEc2

            • ResourceType NOT_EQUALS AwsIamPolicy

            • ResourceType NOT_EQUALS AwsEc2NetworkInterface

      • WorkflowStatus (list) --

        Provides information about the status of the investigation into a finding.

        • (dict) --

          A string filter for querying findings.

          • Value (string) --

            The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

          • Comparison (string) --

            The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

            • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .

            • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.

            EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

            To search for values that do not contain the filter criteria value, use one of the following comparison operators:

            • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .

            • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.

            NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

            For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

            You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

            For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

            • ResourceType PREFIX AwsIam

            • ResourceType PREFIX AwsEc2

            • ResourceType NOT_EQUALS AwsIamPolicy

            • ResourceType NOT_EQUALS AwsEc2NetworkInterface

      • RecordState (list) --

        Provides the current state of a finding.

        • (dict) --

          A string filter for querying findings.

          • Value (string) --

            The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

          • Comparison (string) --

            The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

            • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .

            • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.

            EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

            To search for values that do not contain the filter criteria value, use one of the following comparison operators:

            • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .

            • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.

            NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

            For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

            You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

            For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

            • ResourceType PREFIX AwsIam

            • ResourceType PREFIX AwsEc2

            • ResourceType NOT_EQUALS AwsIamPolicy

            • ResourceType NOT_EQUALS AwsEc2NetworkInterface

      • RelatedFindingsProductArn (list) --

        The ARN for the product that generated a related finding.

        • (dict) --

          A string filter for querying findings.

          • Value (string) --

            The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

          • Comparison (string) --

            The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

            • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .

            • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.

            EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

            To search for values that do not contain the filter criteria value, use one of the following comparison operators:

            • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .

            • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.

            NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

            For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

            You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

            For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

            • ResourceType PREFIX AwsIam

            • ResourceType PREFIX AwsEc2

            • ResourceType NOT_EQUALS AwsIamPolicy

            • ResourceType NOT_EQUALS AwsEc2NetworkInterface

      • RelatedFindingsId (list) --

        The product-generated identifier for a related finding.

        • (dict) --

          A string filter for querying findings.

          • Value (string) --

            The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

          • Comparison (string) --

            The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

            • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .

            • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.

            EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

            To search for values that do not contain the filter criteria value, use one of the following comparison operators:

            • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .

            • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.

            NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

            For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

            You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

            For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

            • ResourceType PREFIX AwsIam

            • ResourceType PREFIX AwsEc2

            • ResourceType NOT_EQUALS AwsIamPolicy

            • ResourceType NOT_EQUALS AwsEc2NetworkInterface

      • NoteText (list) --

        The text of a user-defined note that's added to a finding.

        • (dict) --

          A string filter for querying findings.

          • Value (string) --

            The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

          • Comparison (string) --

            The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

            • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .

            • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.

            EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

            To search for values that do not contain the filter criteria value, use one of the following comparison operators:

            • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .

            • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.

            NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

            For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

            You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

            For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

            • ResourceType PREFIX AwsIam

            • ResourceType PREFIX AwsEc2

            • ResourceType NOT_EQUALS AwsIamPolicy

            • ResourceType NOT_EQUALS AwsEc2NetworkInterface

      • NoteUpdatedAt (list) --

        The timestamp of when the note was updated. Uses the date-time format specified in RFC 3339 section 5.6, Internet Date/Time Format . The value cannot contain spaces. For example, 2020-03-22T13:22:13.933Z .

        • (dict) --

          A date filter for querying findings.

          • Start (string) --

            A timestamp that provides the start date for the date filter.

            A correctly formatted example is 2020-05-21T20:16:34.724Z . The value cannot contain spaces, and date and time should be separated by T . For more information, see RFC 3339 section 5.6, Internet Date/Time Format .

          • End (string) --

            A timestamp that provides the end date for the date filter.

            A correctly formatted example is 2020-05-21T20:16:34.724Z . The value cannot contain spaces, and date and time should be separated by T . For more information, see RFC 3339 section 5.6, Internet Date/Time Format .

          • DateRange (dict) --

            A date range for the date filter.

            • Value (integer) --

              A date range value for the date filter.

            • Unit (string) --

              A date range unit for the date filter.

      • NoteUpdatedBy (list) --

        The principal that created a note.

        • (dict) --

          A string filter for querying findings.

          • Value (string) --

            The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub . If you provide security hub as the filter text, then there is no match.

          • Comparison (string) --

            The condition to apply to a string value when querying for findings. To search for values that contain the filter criteria value, use one of the following comparison operators:

            • To search for values that exactly match the filter value, use EQUALS . For example, the filter ResourceType EQUALS AwsEc2SecurityGroup only matches findings that have a resource type of AwsEc2SecurityGroup .

            • To search for values that start with the filter value, use PREFIX . For example, the filter ResourceType PREFIX AwsIam matches findings that have a resource type that starts with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all match.

            EQUALS and PREFIX filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

            To search for values that do not contain the filter criteria value, use one of the following comparison operators:

            • To search for values that do not exactly match the filter value, use NOT_EQUALS . For example, the filter ResourceType NOT_EQUALS AwsIamPolicy matches findings that have a resource type other than AwsIamPolicy .

            • To search for values that do not start with the filter value, use PREFIX_NOT_EQUALS . For example, the filter ResourceType PREFIX_NOT_EQUALS AwsIam matches findings that have a resource type that does not start with AwsIam . Findings with a resource type of AwsIamPolicy , AwsIamRole , or AwsIamUser would all be excluded from the results.

            NOT_EQUALS and PREFIX_NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

            For filters on the same field, you cannot provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter. Combining filters in this way always returns an error, even if the provided filter values would return valid results.

            You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub first processes the PREFIX filters, then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

            For example, for the following filter, Security Hub first identifies findings that have resource types that start with either AwsIAM or AwsEc2 . It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface .

            • ResourceType PREFIX AwsIam

            • ResourceType PREFIX AwsEc2

            • ResourceType NOT_EQUALS AwsIamPolicy

            • ResourceType NOT_EQUALS AwsEc2NetworkInterface

      • UserDefinedFields (list) --

        A list of user-defined name and value string pairs added to a finding.

        • (dict) --

          A map filter for querying findings. Each map filter provides the field to check, the value to look for, and the comparison operator.

          • Key (string) --

            The key of the map filter. For example, for ResourceTags , Key identifies the name of the tag. For UserDefinedFields , Key is the name of the field.

          • Value (string) --

            The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called Department might be Security . If you provide security as the filter value, then there is no match.

          • Comparison (string) --

            The condition to apply to the key value when querying for findings with a map filter.

            To search for values that exactly match the filter value, use EQUALS . For example, for the ResourceTags field, the filter Department EQUALS Security matches findings that have the value Security for the tag Department .

            To search for values other than the filter value, use NOT_EQUALS . For example, for the ResourceTags field, the filter Department NOT_EQUALS Finance matches findings that do not have the value Finance for the tag Department .

            EQUALS filters on the same field are joined by OR . A finding matches if it matches any one of those filters.

            NOT_EQUALS filters on the same field are joined by AND . A finding matches only if it matches all of those filters.

            You cannot have both an EQUALS filter and a NOT_EQUALS filter on the same field.

    • Actions (list) --

      One or more actions to update finding fields if a finding matches the conditions specified in Criteria .

      • (dict) --

        One or more actions to update finding fields if a finding matches the defined criteria of the rule.

        • Type (string) --

          Specifies that the rule action should update the Types finding field. The Types finding field provides one or more finding types in the format of namespace/category/classifier that classify a finding. For more information, see Types taxonomy for ASFF in the Security Hub User Guide .

        • FindingFieldsUpdate (dict) --

          Specifies that the automation rule action is an update to a finding field.

          • Note (dict) --

            The updated note.

            • Text (string) -- [REQUIRED]

              The updated note text.

            • UpdatedBy (string) -- [REQUIRED]

              The principal that updated the note.

          • Severity (dict) --

            Updates to the severity information for a finding.

            • Normalized (integer) --

              The normalized severity for the finding. This attribute is to be deprecated in favor of Label .

              If you provide Normalized and do not provide Label , Label is set automatically as follows.

              • 0 - INFORMATIONAL

              • 1–39 - LOW

              • 40–69 - MEDIUM

              • 70–89 - HIGH

              • 90–100 - CRITICAL

            • Product (float) --

              The native severity as defined by the Amazon Web Services service or integrated partner product that generated the finding.

            • Label (string) --

              The severity value of the finding. The allowed values are the following.

              • INFORMATIONAL - No issue was found.

              • LOW - The issue does not require action on its own.

              • MEDIUM - The issue must be addressed but not urgently.

              • HIGH - The issue must be addressed as a priority.

              • CRITICAL - The issue must be remediated immediately to avoid it escalating.

          • VerificationState (string) --

            The rule action will update the VerificationState field of a finding.

          • Confidence (integer) --

            The rule action will update the Confidence field of a finding.

          • Criticality (integer) --

            The rule action will update the Criticality field of a finding.

          • Types (list) --

            The rule action will update the Types field of a finding.

            • (string) --

          • UserDefinedFields (dict) --

            The rule action will update the UserDefinedFields field of a finding.

            • (string) --

              • (string) --

          • Workflow (dict) --

            Used to update information about the investigation into the finding.

            • Status (string) --

              The status of the investigation into the finding. The workflow status is specific to an individual finding. It does not affect the generation of new findings. For example, setting the workflow status to SUPPRESSED or RESOLVED does not prevent a new finding for the same issue.

              The allowed values are the following.

              • NEW - The initial state of a finding, before it is reviewed. Security Hub also resets WorkFlowStatus from NOTIFIED or RESOLVED to NEW in the following cases:

                • The record state changes from ARCHIVED to ACTIVE .

                • The compliance status changes from PASSED to either WARNING , FAILED , or NOT_AVAILABLE .

              • NOTIFIED - Indicates that you notified the resource owner about the security issue. Used when the initial reviewer is not the resource owner, and needs intervention from the resource owner.

              • RESOLVED - The finding was reviewed and remediated and is now considered resolved.

              • SUPPRESSED - Indicates that you reviewed the finding and do not believe that any action is needed. The finding is no longer updated.

          • RelatedFindings (list) --

            A list of findings that are related to a finding.

            • (dict) --

              Details about a related finding.

              • ProductArn (string) -- [REQUIRED]

                The ARN of the product that generated a related finding.

              • Id (string) -- [REQUIRED]

                The product-generated identifier for a related finding.

rtype

dict

returns

Response Syntax

{
    'ProcessedAutomationRules': [
        'string',
    ],
    'UnprocessedAutomationRules': [
        {
            'RuleArn': 'string',
            'ErrorCode': 123,
            'ErrorMessage': 'string'
        },
    ]
}

Response Structure

  • (dict) --

    • ProcessedAutomationRules (list) --

      A list of properly processed rule ARNs.

      • (string) --

    • UnprocessedAutomationRules (list) --

      A list of objects containing RuleArn , ErrorCode , and ErrorMessage . This parameter tells you which automation rules the request didn't update and why.

      • (dict) --

        A list of objects containing RuleArn , ErrorCode , and ErrorMessage . This parameter tells you which automation rules the request didn't process and why.

        • RuleArn (string) --

          The Amazon Resource Name (ARN) for the unprocessed automation rule.

        • ErrorCode (integer) --

          The error code associated with the unprocessed automation rule.

        • ErrorMessage (string) --

          An error message describing why a request didn't process a specific rule.