2026/07/07 - AWS SecurityHub - 7 new 31 updated api methods
Changes release SecurityHub MultiCloud integration with Azure
Disables an opt-in feature for the calling account in the current Amazon Web Services Region. The operation is idempotent. If the feature is already disabled, no changes are made. You cannot disable a feature that is managed by an organization policy.
See also: AWS API Documentation
Request Syntax
client.disable_security_hub_feature_v2(
FeatureName='NETWORK_SCANNING'
)
string
[REQUIRED]
The name of the feature to disable.
dict
Response Syntax
{}
Response Structure
(dict) --
Updates a CSPM connector's configuration, such as the scope or regions for the connected cloud provider.
See also: AWS API Documentation
Request Syntax
client.update_connector(
ConnectorId='string',
Description='string',
Provider={
'Azure': {
'ScopeConfiguration': {
'ScopeType': 'TENANT'|'SUBSCRIPTION',
'ScopeValues': [
'string',
]
},
'AzureRegions': [
'string',
]
}
}
)
string
[REQUIRED]
The unique identifier of the connector to update.
string
The updated description of the connector.
dict
The updated cloud provider configuration for the connector.
Azure (dict) --
The Azure update configuration.
ScopeConfiguration (dict) -- [REQUIRED]
The updated scope configuration.
ScopeType (string) -- [REQUIRED]
The type of scope. Valid values are tenant and subscription.
ScopeValues (list) --
The list of scope values, such as subscription IDs, when the scope type is subscription.
(string) --
AzureRegions (list) -- [REQUIRED]
The updated list of Azure regions to monitor.
(string) --
dict
Response Syntax
{
'ConnectorStatus': 'CONNECTED'|'DEGRADED'|'FAILED_TO_CONNECT'|'UNKNOWN',
'EnablementStatus': 'ENABLED'|'PENDING_ENABLEMENT'|'PENDING_UPDATE'|'PENDING_DELETION'
}
Response Structure
(dict) --
ConnectorStatus (string) --
The connectivity status of the connector after the update.
EnablementStatus (string) --
The enablement status of the connector after the update.
Creates a cloud service provider management (CSPM) connector in Security Hub CSPM. A connector establishes a connection between Security Hub CSPM and a third-party cloud provider, enabling Security Hub CSPM to ingest security findings and resource data from the connected environment.
See also: AWS API Documentation
Request Syntax
client.create_connector(
Name='string',
Description='string',
Provider={
'Azure': {
'AWSConfigConnectorArn': 'string',
'ScopeConfiguration': {
'ScopeType': 'TENANT'|'SUBSCRIPTION',
'ScopeValues': [
'string',
]
},
'AzureRegions': [
'string',
]
}
},
Tags={
'string': 'string'
},
ClientToken='string'
)
string
[REQUIRED]
The name of the connector. Must be unique within the account.
string
The description of the connector.
dict
[REQUIRED]
The configuration for the cloud provider to connect to. Currently supports Azure.
Azure (dict) --
The Azure provider configuration.
AWSConfigConnectorArn (string) -- [REQUIRED]
The ARN of the AWS Config connector used to establish the connection to Azure.
ScopeConfiguration (dict) -- [REQUIRED]
The scope configuration that defines which Azure resources are monitored.
ScopeType (string) -- [REQUIRED]
The type of scope. Valid values are tenant and subscription.
ScopeValues (list) --
The list of scope values, such as subscription IDs, when the scope type is subscription.
(string) --
AzureRegions (list) -- [REQUIRED]
The list of Azure regions to monitor.
(string) --
dict
The tags to add to the connector resource.
(string) --
(string) --
string
A unique identifier used to ensure idempotency of the request.
This field is autopopulated if not provided.
dict
Response Syntax
{
'ConnectorArn': 'string',
'ConnectorId': 'string',
'ConnectorStatus': 'CONNECTED'|'DEGRADED'|'FAILED_TO_CONNECT'|'UNKNOWN',
'EnablementStatus': 'ENABLED'|'PENDING_ENABLEMENT'|'PENDING_UPDATE'|'PENDING_DELETION'
}
Response Structure
(dict) --
ConnectorArn (string) --
The Amazon Resource Name (ARN) of the connector.
ConnectorId (string) --
The unique identifier of the connector.
ConnectorStatus (string) --
The connectivity status of the connector.
EnablementStatus (string) --
The enablement status of the connector.
Lists the CSPM connectors and their metadata for the calling account.
See also: AWS API Documentation
Request Syntax
client.list_connectors(
NextToken='string',
MaxResults=123,
ProviderName='AZURE',
ConnectorStatus='CONNECTED'|'DEGRADED'|'FAILED_TO_CONNECT'|'UNKNOWN',
EnablementStatus='ENABLED'|'PENDING_ENABLEMENT'|'PENDING_UPDATE'|'PENDING_DELETION'
)
string
The pagination token to request the next page of results.
integer
The maximum number of results to return.
string
The name of the cloud provider to filter connectors by.
string
The connectivity status to filter connectors by.
string
The enablement status to filter connectors by.
dict
Response Syntax
{
'NextToken': 'string',
'Connectors': [
{
'ConnectorArn': 'string',
'ConnectorId': 'string',
'Name': 'string',
'Description': 'string',
'ProviderSummary': {
'ProviderName': 'AZURE',
'ConnectorStatus': 'CONNECTED'|'DEGRADED'|'FAILED_TO_CONNECT'|'UNKNOWN',
'ProviderConfiguration': {
'Azure': {
'AWSConfigConnectorArn': 'string',
'ScopeConfiguration': {
'ScopeType': 'TENANT'|'SUBSCRIPTION',
'ScopeValues': [
'string',
]
},
'AzureRegions': [
'string',
]
}
}
},
'CreatedAt': datetime(2015, 1, 1),
'CreatedBy': 'string',
'EnablementStatus': 'ENABLED'|'PENDING_ENABLEMENT'|'PENDING_UPDATE'|'PENDING_DELETION'
},
]
}
Response Structure
(dict) --
NextToken (string) --
The pagination token to use to request the next page of results. If there are no additional results, this value is null.
Connectors (list) --
An array of connector summaries.
(dict) --
A summary of a CSPM connector.
ConnectorArn (string) --
The Amazon Resource Name (ARN) of the connector.
ConnectorId (string) --
The unique identifier of the connector.
Name (string) --
The name of the connector.
Description (string) --
The description of the connector.
ProviderSummary (dict) --
A summary of the cloud provider configuration for the connector.
ProviderName (string) --
The name of the cloud provider.
ConnectorStatus (string) --
The connectivity status of the connector.
ProviderConfiguration (dict) --
The provider configuration details.
Azure (dict) --
The Azure provider detail.
AWSConfigConnectorArn (string) --
The ARN of the AWS Config connector used to establish the connection to Azure.
ScopeConfiguration (dict) --
The scope configuration that defines which Azure resources are monitored.
ScopeType (string) --
The type of scope. Valid values are tenant and subscription.
ScopeValues (list) --
The list of scope values, such as subscription IDs, when the scope type is subscription.
(string) --
AzureRegions (list) --
The list of Azure regions being monitored.
(string) --
CreatedAt (datetime) --
The ISO 8601 UTC timestamp indicating when the connector was created.
CreatedBy (string) --
The service principal that created the connector.
EnablementStatus (string) --
The enablement status of the connector.
Retrieves details for a CSPM connector based on the connector ID.
See also: AWS API Documentation
Request Syntax
client.get_connector(
ConnectorId='string'
)
string
[REQUIRED]
The unique identifier of the connector to retrieve.
dict
Response Syntax
{
'ConnectorArn': 'string',
'ConnectorId': 'string',
'Name': 'string',
'Description': 'string',
'CreatedAt': datetime(2015, 1, 1),
'LastUpdatedAt': datetime(2015, 1, 1),
'Health': {
'ConnectorStatus': 'CONNECTED'|'DEGRADED'|'FAILED_TO_CONNECT'|'UNKNOWN',
'Message': 'string',
'LastCheckedAt': datetime(2015, 1, 1),
'Issues': [
{
'Code': 'AUTHENTICATION_FAILURE'|'STREAM_AUTHORIZATION_FAILURE'|'DISCOVERY_FAILURE'|'STREAM_LIMIT_EXCEEDED'|'STREAM_DISCONNECTED'|'RECORDING_FAILURE'|'NO_HEALTH_DATA',
'Message': 'string'
},
]
},
'ProviderDetail': {
'Azure': {
'AWSConfigConnectorArn': 'string',
'ScopeConfiguration': {
'ScopeType': 'TENANT'|'SUBSCRIPTION',
'ScopeValues': [
'string',
]
},
'AzureRegions': [
'string',
]
}
},
'CreatedBy': 'string',
'EnablementStatus': 'ENABLED'|'PENDING_ENABLEMENT'|'PENDING_UPDATE'|'PENDING_DELETION'
}
Response Structure
(dict) --
ConnectorArn (string) --
The Amazon Resource Name (ARN) of the connector.
ConnectorId (string) --
The unique identifier of the connector.
Name (string) --
The name of the connector.
Description (string) --
The description of the connector.
CreatedAt (datetime) --
The ISO 8601 UTC timestamp indicating when the connector was created.
LastUpdatedAt (datetime) --
The ISO 8601 UTC timestamp indicating when the connector was last updated.
Health (dict) --
The health status of the connector, including connectivity status and last check time.
ConnectorStatus (string) --
The connectivity status of the connector.
Message (string) --
A message describing the reason for the current connector status.
LastCheckedAt (datetime) --
The ISO 8601 UTC timestamp indicating when the health status was last checked.
Issues (list) --
A list of health issues associated with the connector.
(dict) --
Represents a specific health issue detected for a connector.
Code (string) --
The error code that identifies the type of health issue.
Message (string) --
A human-readable message that describes the health issue.
ProviderDetail (dict) --
The cloud provider configuration details for the connector.
Azure (dict) --
The Azure provider detail.
AWSConfigConnectorArn (string) --
The ARN of the AWS Config connector used to establish the connection to Azure.
ScopeConfiguration (dict) --
The scope configuration that defines which Azure resources are monitored.
ScopeType (string) --
The type of scope. Valid values are tenant and subscription.
ScopeValues (list) --
The list of scope values, such as subscription IDs, when the scope type is subscription.
(string) --
AzureRegions (list) --
The list of Azure regions being monitored.
(string) --
CreatedBy (string) --
The service principal that created the connector.
EnablementStatus (string) --
The enablement status of the connector.
Enables an opt-in feature for the calling account in the current Amazon Web Services Region. The service must be enabled before you can enable a feature. The operation is idempotent. If the feature is already enabled, no changes are made. You cannot enable a feature that is managed by an organization policy.
See also: AWS API Documentation
Request Syntax
client.enable_security_hub_feature_v2(
FeatureName='NETWORK_SCANNING'
)
string
[REQUIRED]
The name of the feature to enable.
dict
Response Syntax
{}
Response Structure
(dict) --
Deletes a CSPM connector. When you delete a connector, Security Hub CSPM stops ingesting findings and resource data from the connected cloud provider environment.
See also: AWS API Documentation
Request Syntax
client.delete_connector(
ConnectorId='string'
)
string
[REQUIRED]
The unique identifier of the connector to delete.
dict
Response Syntax
{
'EnablementStatus': 'ENABLED'|'PENDING_ENABLEMENT'|'PENDING_UPDATE'|'PENDING_DELETION'
}
Response Structure
(dict) --
EnablementStatus (string) --
The enablement status of the connector after the delete request.
{'StandardsSubscriptions': {'Provider': 'AWS | Azure',
'StandardsStatusReason': {'StatusReasonCode': {'NO_AVAILABLE_MULTICLOUD_CONNECTOR'}}}}
Disables the standards specified by the provided StandardsSubscriptionArns.
For more information, see Security Standards section of the Security Hub CSPM User Guide.
See also: AWS API Documentation
Request Syntax
client.batch_disable_standards(
StandardsSubscriptionArns=[
'string',
]
)
list
[REQUIRED]
The ARNs of the standards subscriptions to disable.
(string) --
dict
Response Syntax
{
'StandardsSubscriptions': [
{
'StandardsSubscriptionArn': 'string',
'StandardsArn': 'string',
'StandardsInput': {
'string': 'string'
},
'StandardsStatus': 'PENDING'|'READY'|'FAILED'|'DELETING'|'INCOMPLETE',
'StandardsControlsUpdatable': 'READY_FOR_UPDATES'|'NOT_READY_FOR_UPDATES',
'StandardsStatusReason': {
'StatusReasonCode': 'NO_AVAILABLE_CONFIGURATION_RECORDER'|'MAXIMUM_NUMBER_OF_CONFIG_RULES_EXCEEDED'|'NO_AVAILABLE_MULTICLOUD_CONNECTOR'|'INTERNAL_ERROR'
},
'Provider': 'AWS'|'Azure'
},
]
}
Response Structure
(dict) --
StandardsSubscriptions (list) --
The details of the standards subscriptions that were disabled.
(dict) --
A resource that represents your subscription to a supported standard.
StandardsSubscriptionArn (string) --
The ARN of the resource that represents your subscription to the standard.
StandardsArn (string) --
The ARN of the standard.
StandardsInput (dict) --
A key-value pair of input for the standard.
(string) --
(string) --
StandardsStatus (string) --
The status of your subscription to the standard. Possible values are:
PENDING - The standard is in the process of being enabled. Or the standard is already enabled and Security Hub CSPM is adding new controls to the standard.
READY - The standard is enabled.
INCOMPLETE - The standard could not be enabled completely. One or more errors ( StandardsStatusReason) occurred when Security Hub CSPM attempted to enable the standard.
DELETING - The standard is in the process of being disabled.
FAILED - The standard could not be disabled. One or more errors ( StandardsStatusReason) occurred when Security Hub CSPM attempted to disable the standard.
StandardsControlsUpdatable (string) --
Specifies whether you can retrieve information about and configure individual controls that apply to the standard. Possible values are:
READY_FOR_UPDATES - Controls in the standard can be retrieved and configured.
NOT_READY_FOR_UPDATES - Controls in the standard cannot be retrieved or configured.
StandardsStatusReason (dict) --
The reason for the current status.
StatusReasonCode (string) --
The reason code that represents the reason for the current status of a standard subscription.
Provider (string) --
The cloud provider whose resources the standard evaluates. For example, AWS or Azure.
{'StandardsSubscriptions': {'Provider': 'AWS | Azure',
'StandardsStatusReason': {'StatusReasonCode': {'NO_AVAILABLE_MULTICLOUD_CONNECTOR'}}}}
Enables the standards specified by the provided StandardsArn. To obtain the ARN for a standard, use the DescribeStandards operation.
For more information, see the Security Standards section of the Security Hub CSPM User Guide.
See also: AWS API Documentation
Request Syntax
client.batch_enable_standards(
StandardsSubscriptionRequests=[
{
'StandardsArn': 'string',
'StandardsInput': {
'string': 'string'
}
},
]
)
list
[REQUIRED]
The list of standards checks to enable.
(dict) --
The standard that you want to enable.
StandardsArn (string) -- [REQUIRED]
The ARN of the standard that you want to enable. To view the list of available standards and their ARNs, use the DescribeStandards operation.
StandardsInput (dict) --
A key-value pair of input for the standard.
(string) --
(string) --
dict
Response Syntax
{
'StandardsSubscriptions': [
{
'StandardsSubscriptionArn': 'string',
'StandardsArn': 'string',
'StandardsInput': {
'string': 'string'
},
'StandardsStatus': 'PENDING'|'READY'|'FAILED'|'DELETING'|'INCOMPLETE',
'StandardsControlsUpdatable': 'READY_FOR_UPDATES'|'NOT_READY_FOR_UPDATES',
'StandardsStatusReason': {
'StatusReasonCode': 'NO_AVAILABLE_CONFIGURATION_RECORDER'|'MAXIMUM_NUMBER_OF_CONFIG_RULES_EXCEEDED'|'NO_AVAILABLE_MULTICLOUD_CONNECTOR'|'INTERNAL_ERROR'
},
'Provider': 'AWS'|'Azure'
},
]
}
Response Structure
(dict) --
StandardsSubscriptions (list) --
The details of the standards subscriptions that were enabled.
(dict) --
A resource that represents your subscription to a supported standard.
StandardsSubscriptionArn (string) --
The ARN of the resource that represents your subscription to the standard.
StandardsArn (string) --
The ARN of the standard.
StandardsInput (dict) --
A key-value pair of input for the standard.
(string) --
(string) --
StandardsStatus (string) --
The status of your subscription to the standard. Possible values are:
PENDING - The standard is in the process of being enabled. Or the standard is already enabled and Security Hub CSPM is adding new controls to the standard.
READY - The standard is enabled.
INCOMPLETE - The standard could not be enabled completely. One or more errors ( StandardsStatusReason) occurred when Security Hub CSPM attempted to enable the standard.
DELETING - The standard is in the process of being disabled.
FAILED - The standard could not be disabled. One or more errors ( StandardsStatusReason) occurred when Security Hub CSPM attempted to disable the standard.
StandardsControlsUpdatable (string) --
Specifies whether you can retrieve information about and configure individual controls that apply to the standard. Possible values are:
READY_FOR_UPDATES - Controls in the standard can be retrieved and configured.
NOT_READY_FOR_UPDATES - Controls in the standard cannot be retrieved or configured.
StandardsStatusReason (dict) --
The reason for the current status.
StatusReasonCode (string) --
The reason code that represents the reason for the current status of a standard subscription.
Provider (string) --
The cloud provider whose resources the standard evaluates. For example, AWS or Azure.
{'Rules': {'Criteria': {'ResourceOwnerAccountId': [{'Comparison': 'EQUALS | '
'PREFIX | '
'NOT_EQUALS '
'| '
'PREFIX_NOT_EQUALS '
'| CONTAINS '
'| '
'NOT_CONTAINS '
'| '
'CONTAINS_WORD',
'Value': 'string'}],
'ResourceOwnerOrgId': [{'Comparison': 'EQUALS | PREFIX '
'| NOT_EQUALS | '
'PREFIX_NOT_EQUALS '
'| CONTAINS | '
'NOT_CONTAINS | '
'CONTAINS_WORD',
'Value': 'string'}],
'ResourceProvider': [{'Comparison': 'EQUALS | PREFIX | '
'NOT_EQUALS | '
'PREFIX_NOT_EQUALS '
'| CONTAINS | '
'NOT_CONTAINS | '
'CONTAINS_WORD',
'Value': 'string'}]}}}
Retrieves a list of details for automation rules based on rule Amazon Resource Names (ARNs).
See also: AWS API Documentation
Request Syntax
client.batch_get_automation_rules(
AutomationRulesArns=[
'string',
]
)
list
[REQUIRED]
A list of rule ARNs to get details for.
(string) --
dict
Response Syntax
{
'Rules': [
{
'RuleArn': 'string',
'RuleStatus': 'ENABLED'|'DISABLED',
'RuleOrder': 123,
'RuleName': 'string',
'Description': 'string',
'IsTerminal': True|False,
'Criteria': {
'ProductArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'AwsAccountId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'Id': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'GeneratorId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'Type': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'FirstObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
},
],
'LastObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
},
],
'CreatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
},
],
'UpdatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
},
],
'Confidence': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'Criticality': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'Title': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'Description': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'SourceUrl': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ProductName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'CompanyName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'SeverityLabel': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourcePartition': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceRegion': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceTags': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceDetailsOther': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ComplianceStatus': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ComplianceSecurityControlId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ComplianceAssociatedStandardsId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'VerificationState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'WorkflowStatus': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'RecordState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'RelatedFindingsProductArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'RelatedFindingsId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'NoteText': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'NoteUpdatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
},
],
'NoteUpdatedBy': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'UserDefinedFields': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceApplicationArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceApplicationName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'AwsAccountName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceProvider': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceOwnerAccountId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceOwnerOrgId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
]
},
'Actions': [
{
'Type': 'FINDING_FIELDS_UPDATE',
'FindingFieldsUpdate': {
'Note': {
'Text': 'string',
'UpdatedBy': 'string'
},
'Severity': {
'Normalized': 123,
'Product': 123.0,
'Label': 'INFORMATIONAL'|'LOW'|'MEDIUM'|'HIGH'|'CRITICAL'
},
'VerificationState': 'UNKNOWN'|'TRUE_POSITIVE'|'FALSE_POSITIVE'|'BENIGN_POSITIVE',
'Confidence': 123,
'Criticality': 123,
'Types': [
'string',
],
'UserDefinedFields': {
'string': 'string'
},
'Workflow': {
'Status': 'NEW'|'NOTIFIED'|'RESOLVED'|'SUPPRESSED'
},
'RelatedFindings': [
{
'ProductArn': 'string',
'Id': 'string'
},
]
}
},
],
'CreatedAt': datetime(2015, 1, 1),
'UpdatedAt': datetime(2015, 1, 1),
'CreatedBy': 'string'
},
],
'UnprocessedAutomationRules': [
{
'RuleArn': 'string',
'ErrorCode': 123,
'ErrorMessage': 'string'
},
]
}
Response Structure
(dict) --
Rules (list) --
A list of rule details for the provided rule ARNs.
(dict) --
Defines the configuration of an automation rule.
RuleArn (string) --
The Amazon Resource Name (ARN) of a rule.
RuleStatus (string) --
Whether the rule is active after it is created. If this parameter is equal to ENABLED, Security Hub CSPM starts applying the rule to findings and finding updates after the rule is created.
RuleOrder (integer) --
An integer ranging from 1 to 1000 that represents the order in which the rule action is applied to findings. Security Hub CSPM applies rules with lower values for this parameter first.
RuleName (string) --
The name of the rule.
Description (string) --
A description of the rule.
IsTerminal (boolean) --
Specifies whether a rule is the last to be applied with respect to a finding that matches the rule criteria. This is useful when a finding matches the criteria for multiple rules, and each rule has different actions. If a rule is terminal, Security Hub CSPM applies the rule action to a finding that matches the rule criteria and doesn't evaluate other rules for the finding. By default, a rule isn't terminal.
Criteria (dict) --
A set of Amazon Web Services Security Finding Format finding field attributes and corresponding expected values that Security Hub CSPM uses to filter findings. If a rule is enabled and a finding matches the conditions specified in this parameter, Security Hub CSPM applies the rule action to the finding.
ProductArn (list) --
The Amazon Resource Name (ARN) for a third-party product that generated a finding in Security Hub CSPM.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
AwsAccountId (list) --
The Amazon Web Services account ID in which a finding was generated.
Array Members: Minimum number of 1 item. Maximum number of 100 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
Id (list) --
The product-specific identifier for a finding.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
GeneratorId (list) --
The identifier for the solution-specific component that generated a finding.
Array Members: Minimum number of 1 item. Maximum number of 100 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
Type (list) --
One or more finding types in the format of namespace/category/classifier that classify a finding. For a list of namespaces, classifiers, and categories, see Types taxonomy for ASFF in the Security Hub CSPM User Guide.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
FirstObservedAt (list) --
A timestamp that indicates when the potential security issue captured by a finding was first observed by the security findings product.
For more information about the validation and formatting of timestamp fields in Security Hub CSPM, see Timestamps.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A date filter for querying findings.
Start (string) --
A timestamp that provides the start date for the date filter.
For more information about the validation and formatting of timestamp fields in Security Hub CSPM, see Timestamps.
End (string) --
A timestamp that provides the end date for the date filter.
For more information about the validation and formatting of timestamp fields in Security Hub CSPM, see Timestamps.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
Comparison (string) --
The condition to apply to a date range filter. If you specify WITHIN, Security Hub filters for dates within the specified date range. If you specify OLDER_THAN, Security Hub filters for dates before the specified date range. If you don't specify a value, the default is WITHIN.
LastObservedAt (list) --
A timestamp that indicates when the security findings provider most recently observed a change in the resource that is involved in the finding.
For more information about the validation and formatting of timestamp fields in Security Hub CSPM, see Timestamps.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A date filter for querying findings.
Start (string) --
A timestamp that provides the start date for the date filter.
For more information about the validation and formatting of timestamp fields in Security Hub CSPM, see Timestamps.
End (string) --
A timestamp that provides the end date for the date filter.
For more information about the validation and formatting of timestamp fields in Security Hub CSPM, see Timestamps.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
Comparison (string) --
The condition to apply to a date range filter. If you specify WITHIN, Security Hub filters for dates within the specified date range. If you specify OLDER_THAN, Security Hub filters for dates before the specified date range. If you don't specify a value, the default is WITHIN.
CreatedAt (list) --
A timestamp that indicates when this finding record was created.
For more information about the validation and formatting of timestamp fields in Security Hub CSPM, see Timestamps.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A date filter for querying findings.
Start (string) --
A timestamp that provides the start date for the date filter.
For more information about the validation and formatting of timestamp fields in Security Hub CSPM, see Timestamps.
End (string) --
A timestamp that provides the end date for the date filter.
For more information about the validation and formatting of timestamp fields in Security Hub CSPM, see Timestamps.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
Comparison (string) --
The condition to apply to a date range filter. If you specify WITHIN, Security Hub filters for dates within the specified date range. If you specify OLDER_THAN, Security Hub filters for dates before the specified date range. If you don't specify a value, the default is WITHIN.
UpdatedAt (list) --
A timestamp that indicates when the finding record was most recently updated.
For more information about the validation and formatting of timestamp fields in Security Hub CSPM, see Timestamps.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A date filter for querying findings.
Start (string) --
A timestamp that provides the start date for the date filter.
For more information about the validation and formatting of timestamp fields in Security Hub CSPM, see Timestamps.
End (string) --
A timestamp that provides the end date for the date filter.
For more information about the validation and formatting of timestamp fields in Security Hub CSPM, see Timestamps.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
Comparison (string) --
The condition to apply to a date range filter. If you specify WITHIN, Security Hub filters for dates within the specified date range. If you specify OLDER_THAN, Security Hub filters for dates before the specified date range. If you don't specify a value, the default is WITHIN.
Confidence (list) --
The likelihood that a finding accurately identifies the behavior or issue that it was intended to identify. Confidence is scored on a 0–100 basis using a ratio scale. A value of 0 means 0 percent confidence, and a value of 100 means 100 percent confidence. For example, a data exfiltration detection based on a statistical deviation of network traffic has low confidence because an actual exfiltration hasn't been verified. For more information, see Confidence in the Security Hub CSPM User Guide.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A number filter for querying findings.
Gte (float) --
The greater-than-equal condition to be applied to a single field when querying for findings.
Lte (float) --
The less-than-equal condition to be applied to a single field when querying for findings.
Eq (float) --
The equal-to condition to be applied to a single field when querying for findings.
Gt (float) --
The greater-than condition to be applied to a single field when querying for findings.
Lt (float) --
The less-than condition to be applied to a single field when querying for findings.
Criticality (list) --
The level of importance that is assigned to the resources that are associated with a finding. Criticality is scored on a 0–100 basis, using a ratio scale that supports only full integers. A score of 0 means that the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources. For more information, see Criticality in the Security Hub CSPM User Guide.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A number filter for querying findings.
Gte (float) --
The greater-than-equal condition to be applied to a single field when querying for findings.
Lte (float) --
The less-than-equal condition to be applied to a single field when querying for findings.
Eq (float) --
The equal-to condition to be applied to a single field when querying for findings.
Gt (float) --
The greater-than condition to be applied to a single field when querying for findings.
Lt (float) --
The less-than condition to be applied to a single field when querying for findings.
Title (list) --
A finding's title.
Array Members: Minimum number of 1 item. Maximum number of 100 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
Description (list) --
A finding's description.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
SourceUrl (list) --
Provides a URL that links to a page about the current finding in the finding product.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
ProductName (list) --
Provides the name of the product that generated the finding. For control-based findings, the product name is Security Hub CSPM.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
CompanyName (list) --
The name of the company for the product that generated the finding. For control-based findings, the company is Amazon Web Services.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
SeverityLabel (list) --
The severity value of the finding.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
ResourceType (list) --
The type of resource that the finding pertains to.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
ResourceId (list) --
The identifier for the given resource type. For Amazon Web Services resources that are identified by Amazon Resource Names (ARNs), this is the ARN. For Amazon Web Services resources that lack ARNs, this is the identifier as defined by the Amazon Web Services service that created the resource. For non-Amazon Web Services resources, this is a unique identifier that is associated with the resource.
Array Members: Minimum number of 1 item. Maximum number of 100 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
ResourcePartition (list) --
The partition in which the resource that the finding pertains to is located. A partition is a group of Amazon Web Services Regions. Each Amazon Web Services account is scoped to one partition.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
ResourceRegion (list) --
The Amazon Web Services Region where the resource that a finding pertains to is located.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
ResourceTags (list) --
A list of Amazon Web Services tags associated with a resource at the time the finding was processed.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A map filter for filtering Security Hub CSPM findings. Each map filter provides the field to check for, the value to check for, and the comparison operator.
Key (string) --
The key of the map filter. For example, for ResourceTags, Key identifies the name of the tag. For UserDefinedFields, Key is the name of the field.
Value (string) --
The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called Department might be Security. If you provide security as the filter value, then there's no match.
Comparison (string) --
The condition to apply to the key value when filtering Security Hub CSPM findings with a map filter.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, for the ResourceTags field, the filter Department CONTAINS Security matches findings that include the value Security for the Department tag. In the same example, a finding with a value of Security team for the Department tag is a match.
To search for values that exactly match the filter value, use EQUALS. For example, for the ResourceTags field, the filter Department EQUALS Security matches findings that have the value Security for the Department tag.
CONTAINS and EQUALS filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Department CONTAINS Security OR Department CONTAINS Finance match a finding that includes either Security, Finance, or both values.
To search for values that don't have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, for the ResourceTags field, the filter Department NOT_CONTAINS Finance matches findings that exclude the value Finance for the Department tag.
To search for values other than the filter value, use NOT_EQUALS. For example, for the ResourceTags field, the filter Department NOT_EQUALS Finance matches findings that don’t have the value Finance for the Department tag.
NOT_CONTAINS and NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Department NOT_CONTAINS Security AND Department NOT_CONTAINS Finance match a finding that excludes both the Security and Finance values.
CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can’t have both an EQUALS filter and a NOT_EQUALS filter on the same field. Combining filters in this way returns an error.
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub CSPM User Guide.
ResourceDetailsOther (list) --
Custom fields and values about the resource that a finding pertains to.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A map filter for filtering Security Hub CSPM findings. Each map filter provides the field to check for, the value to check for, and the comparison operator.
Key (string) --
The key of the map filter. For example, for ResourceTags, Key identifies the name of the tag. For UserDefinedFields, Key is the name of the field.
Value (string) --
The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called Department might be Security. If you provide security as the filter value, then there's no match.
Comparison (string) --
The condition to apply to the key value when filtering Security Hub CSPM findings with a map filter.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, for the ResourceTags field, the filter Department CONTAINS Security matches findings that include the value Security for the Department tag. In the same example, a finding with a value of Security team for the Department tag is a match.
To search for values that exactly match the filter value, use EQUALS. For example, for the ResourceTags field, the filter Department EQUALS Security matches findings that have the value Security for the Department tag.
CONTAINS and EQUALS filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Department CONTAINS Security OR Department CONTAINS Finance match a finding that includes either Security, Finance, or both values.
To search for values that don't have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, for the ResourceTags field, the filter Department NOT_CONTAINS Finance matches findings that exclude the value Finance for the Department tag.
To search for values other than the filter value, use NOT_EQUALS. For example, for the ResourceTags field, the filter Department NOT_EQUALS Finance matches findings that don’t have the value Finance for the Department tag.
NOT_CONTAINS and NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Department NOT_CONTAINS Security AND Department NOT_CONTAINS Finance match a finding that excludes both the Security and Finance values.
CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can’t have both an EQUALS filter and a NOT_EQUALS filter on the same field. Combining filters in this way returns an error.
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub CSPM User Guide.
ComplianceStatus (list) --
The result of a security check. This field is only used for findings generated from controls.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
ComplianceSecurityControlId (list) --
The security control ID for which a finding was generated. Security control IDs are the same across standards.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
ComplianceAssociatedStandardsId (list) --
The unique identifier of a standard in which a control is enabled. This field consists of the resource portion of the Amazon Resource Name (ARN) returned for a standard in the DescribeStandards API response.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
VerificationState (list) --
Provides the veracity of a finding.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
WorkflowStatus (list) --
Provides information about the status of the investigation into a finding.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
RecordState (list) --
Provides the current state of a finding.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
RelatedFindingsProductArn (list) --
The ARN for the product that generated a related finding.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
RelatedFindingsId (list) --
The product-generated identifier for a related finding.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
NoteText (list) --
The text of a user-defined note that's added to a finding.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
NoteUpdatedAt (list) --
The timestamp of when the note was updated.
For more information about the validation and formatting of timestamp fields in Security Hub CSPM, see Timestamps.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A date filter for querying findings.
Start (string) --
A timestamp that provides the start date for the date filter.
For more information about the validation and formatting of timestamp fields in Security Hub CSPM, see Timestamps.
End (string) --
A timestamp that provides the end date for the date filter.
For more information about the validation and formatting of timestamp fields in Security Hub CSPM, see Timestamps.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
Comparison (string) --
The condition to apply to a date range filter. If you specify WITHIN, Security Hub filters for dates within the specified date range. If you specify OLDER_THAN, Security Hub filters for dates before the specified date range. If you don't specify a value, the default is WITHIN.
NoteUpdatedBy (list) --
The principal that created a note.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
UserDefinedFields (list) --
A list of user-defined name and value string pairs added to a finding.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A map filter for filtering Security Hub CSPM findings. Each map filter provides the field to check for, the value to check for, and the comparison operator.
Key (string) --
The key of the map filter. For example, for ResourceTags, Key identifies the name of the tag. For UserDefinedFields, Key is the name of the field.
Value (string) --
The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called Department might be Security. If you provide security as the filter value, then there's no match.
Comparison (string) --
The condition to apply to the key value when filtering Security Hub CSPM findings with a map filter.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, for the ResourceTags field, the filter Department CONTAINS Security matches findings that include the value Security for the Department tag. In the same example, a finding with a value of Security team for the Department tag is a match.
To search for values that exactly match the filter value, use EQUALS. For example, for the ResourceTags field, the filter Department EQUALS Security matches findings that have the value Security for the Department tag.
CONTAINS and EQUALS filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Department CONTAINS Security OR Department CONTAINS Finance match a finding that includes either Security, Finance, or both values.
To search for values that don't have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, for the ResourceTags field, the filter Department NOT_CONTAINS Finance matches findings that exclude the value Finance for the Department tag.
To search for values other than the filter value, use NOT_EQUALS. For example, for the ResourceTags field, the filter Department NOT_EQUALS Finance matches findings that don’t have the value Finance for the Department tag.
NOT_CONTAINS and NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Department NOT_CONTAINS Security AND Department NOT_CONTAINS Finance match a finding that excludes both the Security and Finance values.
CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can’t have both an EQUALS filter and a NOT_EQUALS filter on the same field. Combining filters in this way returns an error.
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub CSPM User Guide.
ResourceApplicationArn (list) --
The Amazon Resource Name (ARN) of the application that is related to a finding.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
ResourceApplicationName (list) --
The name of the application that is related to a finding.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
AwsAccountName (list) --
The name of the Amazon Web Services account in which a finding was generated.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
ResourceProvider (list) --
The cloud provider that the resource belongs to. Valid values are AWS and Azure.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
ResourceOwnerAccountId (list) --
The unique identifier of the account that owns the resource that the finding applies to, for example, Azure Subscription Id or Amazon Web Services Account Id
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
ResourceOwnerOrgId (list) --
The unique identifier of the organization that owns the resource that the finding applies to, for example, Azure Tenant Id
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
Actions (list) --
One or more actions to update finding fields if a finding matches the defined criteria of the rule.
(dict) --
One or more actions that Security Hub CSPM takes when a finding matches the defined criteria of a rule.
Type (string) --
Specifies the type of action that Security Hub CSPM takes when a finding matches the defined criteria of a rule.
FindingFieldsUpdate (dict) --
Specifies that the automation rule action is an update to a finding field.
Note (dict) --
The updated note.
Text (string) --
The updated note text.
UpdatedBy (string) --
The principal that updated the note.
Severity (dict) --
Updates to the severity information for a finding.
Normalized (integer) --
The normalized severity for the finding. This attribute is to be deprecated in favor of Label.
If you provide Normalized and don't provide Label, Label is set automatically as follows.
0 - INFORMATIONAL
1–39 - LOW
40–69 - MEDIUM
70–89 - HIGH
90–100 - CRITICAL
Product (float) --
The native severity as defined by the Amazon Web Services service or integrated partner product that generated the finding.
Label (string) --
The severity value of the finding. The allowed values are the following.
INFORMATIONAL - No issue was found.
LOW - The issue does not require action on its own.
MEDIUM - The issue must be addressed but not urgently.
HIGH - The issue must be addressed as a priority.
CRITICAL - The issue must be remediated immediately to avoid it escalating.
VerificationState (string) --
The rule action updates the VerificationState field of a finding.
Confidence (integer) --
The rule action updates the Confidence field of a finding.
Criticality (integer) --
The rule action updates the Criticality field of a finding.
Types (list) --
The rule action updates the Types field of a finding.
(string) --
UserDefinedFields (dict) --
The rule action updates the UserDefinedFields field of a finding.
(string) --
(string) --
Workflow (dict) --
Used to update information about the investigation into the finding.
Status (string) --
The status of the investigation into the finding. The workflow status is specific to an individual finding. It does not affect the generation of new findings. For example, setting the workflow status to SUPPRESSED or RESOLVED does not prevent a new finding for the same issue.
The allowed values are the following.
NEW - The initial state of a finding, before it is reviewed. Security Hub CSPM also resets WorkFlowStatus from NOTIFIED or RESOLVED to NEW in the following cases:
The record state changes from ARCHIVED to ACTIVE.
The compliance status changes from PASSED to either WARNING, FAILED, or NOT_AVAILABLE.
NOTIFIED - Indicates that you notified the resource owner about the security issue. Used when the initial reviewer is not the resource owner, and needs intervention from the resource owner.
RESOLVED - The finding was reviewed and remediated and is now considered resolved.
SUPPRESSED - Indicates that you reviewed the finding and don't believe that any action is needed. The finding is no longer updated.
RelatedFindings (list) --
The rule action updates the RelatedFindings field of a finding.
(dict) --
Details about a related finding.
ProductArn (string) --
The ARN of the product that generated a related finding.
Id (string) --
The product-generated identifier for a related finding.
CreatedAt (datetime) --
A timestamp that indicates when the rule was created.
For more information about the validation and formatting of timestamp fields in Security Hub CSPM, see Timestamps.
UpdatedAt (datetime) --
A timestamp that indicates when the rule was most recently updated.
For more information about the validation and formatting of timestamp fields in Security Hub CSPM, see Timestamps.
CreatedBy (string) --
The principal that created a rule.
UnprocessedAutomationRules (list) --
A list of objects containing RuleArn, ErrorCode, and ErrorMessage. This parameter tells you which automation rules the request didn't retrieve and why.
(dict) --
A list of objects containing RuleArn, ErrorCode, and ErrorMessage. This parameter tells you which automation rules the request didn't process and why.
RuleArn (string) --
The Amazon Resource Name (ARN) for the unprocessed automation rule.
ErrorCode (integer) --
The error code associated with the unprocessed automation rule.
ErrorMessage (string) --
An error message describing why a request didn't process a specific rule.
{'SecurityControls': {'Provider': 'AWS | Azure'}}
Provides details about a batch of security controls for the current Amazon Web Services account and Amazon Web Services Region.
See also: AWS API Documentation
Request Syntax
client.batch_get_security_controls(
SecurityControlIds=[
'string',
]
)
list
[REQUIRED]
A list of security controls (identified with SecurityControlId, SecurityControlArn, or a mix of both parameters). The security control ID or Amazon Resource Name (ARN) is the same across standards.
(string) --
dict
Response Syntax
{
'SecurityControls': [
{
'SecurityControlId': 'string',
'SecurityControlArn': 'string',
'Title': 'string',
'Description': 'string',
'RemediationUrl': 'string',
'SeverityRating': 'LOW'|'MEDIUM'|'HIGH'|'CRITICAL',
'SecurityControlStatus': 'ENABLED'|'DISABLED',
'UpdateStatus': 'READY'|'UPDATING',
'Parameters': {
'string': {
'ValueType': 'DEFAULT'|'CUSTOM',
'Value': {
'Integer': 123,
'IntegerList': [
123,
],
'Double': 123.0,
'String': 'string',
'StringList': [
'string',
],
'Boolean': True|False,
'Enum': 'string',
'EnumList': [
'string',
]
}
}
},
'LastUpdateReason': 'string',
'Provider': 'AWS'|'Azure'
},
],
'UnprocessedIds': [
{
'SecurityControlId': 'string',
'ErrorCode': 'INVALID_INPUT'|'ACCESS_DENIED'|'NOT_FOUND'|'RESOURCE_NOT_FOUND'|'LIMIT_EXCEEDED',
'ErrorReason': 'string'
},
]
}
Response Structure
(dict) --
SecurityControls (list) --
An array that returns the identifier, Amazon Resource Name (ARN), and other details about a security control. The same information is returned whether the request includes SecurityControlId or SecurityControlArn.
(dict) --
A security control in Security Hub CSPM describes a security best practice related to a specific resource.
SecurityControlId (string) --
The unique identifier of a security control across standards. Values for this field typically consist of an Amazon Web Services service name and a number, such as APIGateway.3.
SecurityControlArn (string) --
The Amazon Resource Name (ARN) for a security control across standards, such as arn:aws:securityhub:eu-central-1:123456789012:security-control/S3.1. This parameter doesn't mention a specific standard.
Title (string) --
The title of a security control.
Description (string) --
The description of a security control across standards. This typically summarizes how Security Hub CSPM evaluates the control and the conditions under which it produces a failed finding. This parameter doesn't reference a specific standard.
RemediationUrl (string) --
A link to Security Hub CSPM documentation that explains how to remediate a failed finding for a security control.
SeverityRating (string) --
The severity of a security control. For more information about how Security Hub CSPM determines control severity, see Assigning severity to control findings in the Security Hub CSPM User Guide.
SecurityControlStatus (string) --
The enablement status of a security control in a specific standard.
UpdateStatus (string) --
Identifies whether customizable properties of a security control are reflected in Security Hub CSPM findings. A status of READY indicates that Security Hub CSPM uses the current control parameter values when running security checks of the control. A status of UPDATING indicates that all security checks might not use the current parameter values.
Parameters (dict) --
An object that identifies the name of a control parameter, its current value, and whether it has been customized.
(string) --
(dict) --
An object that provides the current value of a security control parameter and identifies whether it has been customized.
ValueType (string) --
Identifies whether a control parameter uses a custom user-defined value or subscribes to the default Security Hub CSPM behavior.
When ValueType is set equal to DEFAULT, the default behavior can be a specific Security Hub CSPM default value, or the default behavior can be to ignore a specific parameter. When ValueType is set equal to DEFAULT, Security Hub CSPM ignores user-provided input for the Value field.
When ValueType is set equal to CUSTOM, the Value field can't be empty.
Value (dict) --
The current value of a control parameter.
Integer (integer) --
A control parameter that is an integer.
IntegerList (list) --
A control parameter that is a list of integers.
(integer) --
Double (float) --
A control parameter that is a double.
String (string) --
A control parameter that is a string.
StringList (list) --
A control parameter that is a list of strings.
(string) --
Boolean (boolean) --
A control parameter that is a boolean.
Enum (string) --
A control parameter that is an enum.
EnumList (list) --
A control parameter that is a list of enums.
(string) --
LastUpdateReason (string) --
The most recent reason for updating the customizable properties of a security control. This differs from the UpdateReason field of the BatchUpdateStandardsControlAssociations API, which tracks the reason for updating the enablement status of a control. This field accepts alphanumeric characters in addition to white spaces, dashes, and underscores.
Provider (string) --
The cloud provider whose resources the security control evaluates. For example, AWS or Azure.
UnprocessedIds (list) --
A security control (identified with SecurityControlId, SecurityControlArn, or a mix of both parameters) for which details cannot be returned.
(dict) --
Provides details about a security control for which a response couldn't be returned.
SecurityControlId (string) --
The control (identified with SecurityControlId, SecurityControlArn, or a mix of both parameters) for which a response couldn't be returned.
ErrorCode (string) --
The error code for the unprocessed security control. The NOT_FOUND value has been deprecated and replaced by the RESOURCE_NOT_FOUND value.
ErrorReason (string) --
The reason why the security control was unprocessed.
{'Findings': {'Resources': {'Details': {'AzureResource': {}},
'Owner': {'Account': {'Id': 'string'},
'Org': {'Id': 'string'}},
'Partition': {'AzureCloud',
'aws-us-iso',
'aws-us-iso-b'},
'Provider': 'Azure | AWS'}}}
Imports security findings generated by a finding provider into Security Hub CSPM. This action is requested by the finding provider to import its findings into Security Hub CSPM.
BatchImportFindings must be called by one of the following:
The Amazon Web Services account that is associated with a finding if you are using the default product ARN or are a partner sending findings from within a customer's Amazon Web Services account. In these cases, the identifier of the account that you are calling BatchImportFindings from needs to be the same as the AwsAccountId attribute for the finding.
An Amazon Web Services account that Security Hub CSPM has allow-listed for an official partner integration. In this case, you can call BatchImportFindings from the allow-listed account and send findings from different customer accounts in the same batch.
The maximum allowed size for a finding is 240 Kb. An error is returned for any finding larger than 240 Kb.
After a finding is created, BatchImportFindings cannot be used to update the following finding fields and objects, which Security Hub CSPM customers use to manage their investigation workflow.
Note
UserDefinedFields
VerificationState
Workflow
Finding providers also should not use BatchImportFindings to update the following attributes.
Confidence
Criticality
RelatedFindings
Severity
Types
Instead, finding providers use FindingProviderFields to provide values for these attributes.
See also: AWS API Documentation
Request Syntax
# This section is too large to render. # Please see the AWS API Documentation linked below.Parameters
# This section is too large to render. # Please see the AWS API Documentation linked below.
dict
Response Syntax
{
'FailedCount': 123,
'SuccessCount': 123,
'FailedFindings': [
{
'Id': 'string',
'ErrorCode': 'string',
'ErrorMessage': 'string'
},
]
}
Response Structure
(dict) --
FailedCount (integer) --
The number of findings that failed to import.
SuccessCount (integer) --
The number of findings that were successfully imported.
FailedFindings (list) --
The list of findings that failed to import.
(dict) --
The list of the findings that cannot be imported. For each finding, the list provides the error.
Id (string) --
The identifier of the finding that could not be updated.
ErrorCode (string) --
The code of the error returned by the BatchImportFindings operation.
ErrorMessage (string) --
The message of the error returned by the BatchImportFindings operation.
{'UpdateAutomationRulesRequestItems': {'Criteria': {'ResourceOwnerAccountId': [{'Comparison': 'EQUALS '
'| '
'PREFIX '
'| '
'NOT_EQUALS '
'| '
'PREFIX_NOT_EQUALS '
'| '
'CONTAINS '
'| '
'NOT_CONTAINS '
'| '
'CONTAINS_WORD',
'Value': 'string'}],
'ResourceOwnerOrgId': [{'Comparison': 'EQUALS '
'| '
'PREFIX '
'| '
'NOT_EQUALS '
'| '
'PREFIX_NOT_EQUALS '
'| '
'CONTAINS '
'| '
'NOT_CONTAINS '
'| '
'CONTAINS_WORD',
'Value': 'string'}],
'ResourceProvider': [{'Comparison': 'EQUALS '
'| '
'PREFIX '
'| '
'NOT_EQUALS '
'| '
'PREFIX_NOT_EQUALS '
'| '
'CONTAINS '
'| '
'NOT_CONTAINS '
'| '
'CONTAINS_WORD',
'Value': 'string'}]}}}
Updates one or more automation rules based on rule Amazon Resource Names (ARNs) and input parameters.
See also: AWS API Documentation
Request Syntax
client.batch_update_automation_rules(
UpdateAutomationRulesRequestItems=[
{
'RuleArn': 'string',
'RuleStatus': 'ENABLED'|'DISABLED',
'RuleOrder': 123,
'Description': 'string',
'RuleName': 'string',
'IsTerminal': True|False,
'Criteria': {
'ProductArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'AwsAccountId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'Id': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'GeneratorId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'Type': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'FirstObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
},
],
'LastObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
},
],
'CreatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
},
],
'UpdatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
},
],
'Confidence': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'Criticality': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'Title': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'Description': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'SourceUrl': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ProductName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'CompanyName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'SeverityLabel': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourcePartition': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceRegion': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceTags': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceDetailsOther': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ComplianceStatus': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ComplianceSecurityControlId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ComplianceAssociatedStandardsId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'VerificationState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'WorkflowStatus': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'RecordState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'RelatedFindingsProductArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'RelatedFindingsId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'NoteText': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'NoteUpdatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
},
],
'NoteUpdatedBy': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'UserDefinedFields': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceApplicationArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceApplicationName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'AwsAccountName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceProvider': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceOwnerAccountId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceOwnerOrgId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
]
},
'Actions': [
{
'Type': 'FINDING_FIELDS_UPDATE',
'FindingFieldsUpdate': {
'Note': {
'Text': 'string',
'UpdatedBy': 'string'
},
'Severity': {
'Normalized': 123,
'Product': 123.0,
'Label': 'INFORMATIONAL'|'LOW'|'MEDIUM'|'HIGH'|'CRITICAL'
},
'VerificationState': 'UNKNOWN'|'TRUE_POSITIVE'|'FALSE_POSITIVE'|'BENIGN_POSITIVE',
'Confidence': 123,
'Criticality': 123,
'Types': [
'string',
],
'UserDefinedFields': {
'string': 'string'
},
'Workflow': {
'Status': 'NEW'|'NOTIFIED'|'RESOLVED'|'SUPPRESSED'
},
'RelatedFindings': [
{
'ProductArn': 'string',
'Id': 'string'
},
]
}
},
]
},
]
)
list
[REQUIRED]
An array of ARNs for the rules that are to be updated. Optionally, you can also include RuleStatus and RuleOrder.
(dict) --
Specifies the parameters to update in an existing automation rule.
RuleArn (string) -- [REQUIRED]
The Amazon Resource Name (ARN) for the rule.
RuleStatus (string) --
Whether the rule is active after it is created. If this parameter is equal to ENABLED, Security Hub CSPM starts applying the rule to findings and finding updates after the rule is created. To change the value of this parameter after creating a rule, use BatchUpdateAutomationRules.
RuleOrder (integer) --
An integer ranging from 1 to 1000 that represents the order in which the rule action is applied to findings. Security Hub CSPM applies rules with lower values for this parameter first.
Description (string) --
A description of the rule.
RuleName (string) --
The name of the rule.
IsTerminal (boolean) --
Specifies whether a rule is the last to be applied with respect to a finding that matches the rule criteria. This is useful when a finding matches the criteria for multiple rules, and each rule has different actions. If a rule is terminal, Security Hub CSPM applies the rule action to a finding that matches the rule criteria and doesn't evaluate other rules for the finding. By default, a rule isn't terminal.
Criteria (dict) --
A set of ASFF finding field attributes and corresponding expected values that Security Hub CSPM uses to filter findings. If a rule is enabled and a finding matches the conditions specified in this parameter, Security Hub CSPM applies the rule action to the finding.
ProductArn (list) --
The Amazon Resource Name (ARN) for a third-party product that generated a finding in Security Hub CSPM.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
AwsAccountId (list) --
The Amazon Web Services account ID in which a finding was generated.
Array Members: Minimum number of 1 item. Maximum number of 100 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
Id (list) --
The product-specific identifier for a finding.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
GeneratorId (list) --
The identifier for the solution-specific component that generated a finding.
Array Members: Minimum number of 1 item. Maximum number of 100 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
Type (list) --
One or more finding types in the format of namespace/category/classifier that classify a finding. For a list of namespaces, classifiers, and categories, see Types taxonomy for ASFF in the Security Hub CSPM User Guide.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
FirstObservedAt (list) --
A timestamp that indicates when the potential security issue captured by a finding was first observed by the security findings product.
For more information about the validation and formatting of timestamp fields in Security Hub CSPM, see Timestamps.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A date filter for querying findings.
Start (string) --
A timestamp that provides the start date for the date filter.
For more information about the validation and formatting of timestamp fields in Security Hub CSPM, see Timestamps.
End (string) --
A timestamp that provides the end date for the date filter.
For more information about the validation and formatting of timestamp fields in Security Hub CSPM, see Timestamps.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
Comparison (string) --
The condition to apply to a date range filter. If you specify WITHIN, Security Hub filters for dates within the specified date range. If you specify OLDER_THAN, Security Hub filters for dates before the specified date range. If you don't specify a value, the default is WITHIN.
LastObservedAt (list) --
A timestamp that indicates when the security findings provider most recently observed a change in the resource that is involved in the finding.
For more information about the validation and formatting of timestamp fields in Security Hub CSPM, see Timestamps.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A date filter for querying findings.
Start (string) --
A timestamp that provides the start date for the date filter.
For more information about the validation and formatting of timestamp fields in Security Hub CSPM, see Timestamps.
End (string) --
A timestamp that provides the end date for the date filter.
For more information about the validation and formatting of timestamp fields in Security Hub CSPM, see Timestamps.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
Comparison (string) --
The condition to apply to a date range filter. If you specify WITHIN, Security Hub filters for dates within the specified date range. If you specify OLDER_THAN, Security Hub filters for dates before the specified date range. If you don't specify a value, the default is WITHIN.
CreatedAt (list) --
A timestamp that indicates when this finding record was created.
For more information about the validation and formatting of timestamp fields in Security Hub CSPM, see Timestamps.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A date filter for querying findings.
Start (string) --
A timestamp that provides the start date for the date filter.
For more information about the validation and formatting of timestamp fields in Security Hub CSPM, see Timestamps.
End (string) --
A timestamp that provides the end date for the date filter.
For more information about the validation and formatting of timestamp fields in Security Hub CSPM, see Timestamps.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
Comparison (string) --
The condition to apply to a date range filter. If you specify WITHIN, Security Hub filters for dates within the specified date range. If you specify OLDER_THAN, Security Hub filters for dates before the specified date range. If you don't specify a value, the default is WITHIN.
UpdatedAt (list) --
A timestamp that indicates when the finding record was most recently updated.
For more information about the validation and formatting of timestamp fields in Security Hub CSPM, see Timestamps.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A date filter for querying findings.
Start (string) --
A timestamp that provides the start date for the date filter.
For more information about the validation and formatting of timestamp fields in Security Hub CSPM, see Timestamps.
End (string) --
A timestamp that provides the end date for the date filter.
For more information about the validation and formatting of timestamp fields in Security Hub CSPM, see Timestamps.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
Comparison (string) --
The condition to apply to a date range filter. If you specify WITHIN, Security Hub filters for dates within the specified date range. If you specify OLDER_THAN, Security Hub filters for dates before the specified date range. If you don't specify a value, the default is WITHIN.
Confidence (list) --
The likelihood that a finding accurately identifies the behavior or issue that it was intended to identify. Confidence is scored on a 0–100 basis using a ratio scale. A value of 0 means 0 percent confidence, and a value of 100 means 100 percent confidence. For example, a data exfiltration detection based on a statistical deviation of network traffic has low confidence because an actual exfiltration hasn't been verified. For more information, see Confidence in the Security Hub CSPM User Guide.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A number filter for querying findings.
Gte (float) --
The greater-than-equal condition to be applied to a single field when querying for findings.
Lte (float) --
The less-than-equal condition to be applied to a single field when querying for findings.
Eq (float) --
The equal-to condition to be applied to a single field when querying for findings.
Gt (float) --
The greater-than condition to be applied to a single field when querying for findings.
Lt (float) --
The less-than condition to be applied to a single field when querying for findings.
Criticality (list) --
The level of importance that is assigned to the resources that are associated with a finding. Criticality is scored on a 0–100 basis, using a ratio scale that supports only full integers. A score of 0 means that the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources. For more information, see Criticality in the Security Hub CSPM User Guide.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A number filter for querying findings.
Gte (float) --
The greater-than-equal condition to be applied to a single field when querying for findings.
Lte (float) --
The less-than-equal condition to be applied to a single field when querying for findings.
Eq (float) --
The equal-to condition to be applied to a single field when querying for findings.
Gt (float) --
The greater-than condition to be applied to a single field when querying for findings.
Lt (float) --
The less-than condition to be applied to a single field when querying for findings.
Title (list) --
A finding's title.
Array Members: Minimum number of 1 item. Maximum number of 100 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
Description (list) --
A finding's description.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
SourceUrl (list) --
Provides a URL that links to a page about the current finding in the finding product.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
ProductName (list) --
Provides the name of the product that generated the finding. For control-based findings, the product name is Security Hub CSPM.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
CompanyName (list) --
The name of the company for the product that generated the finding. For control-based findings, the company is Amazon Web Services.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
SeverityLabel (list) --
The severity value of the finding.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
ResourceType (list) --
The type of resource that the finding pertains to.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
ResourceId (list) --
The identifier for the given resource type. For Amazon Web Services resources that are identified by Amazon Resource Names (ARNs), this is the ARN. For Amazon Web Services resources that lack ARNs, this is the identifier as defined by the Amazon Web Services service that created the resource. For non-Amazon Web Services resources, this is a unique identifier that is associated with the resource.
Array Members: Minimum number of 1 item. Maximum number of 100 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
ResourcePartition (list) --
The partition in which the resource that the finding pertains to is located. A partition is a group of Amazon Web Services Regions. Each Amazon Web Services account is scoped to one partition.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
ResourceRegion (list) --
The Amazon Web Services Region where the resource that a finding pertains to is located.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
ResourceTags (list) --
A list of Amazon Web Services tags associated with a resource at the time the finding was processed.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A map filter for filtering Security Hub CSPM findings. Each map filter provides the field to check for, the value to check for, and the comparison operator.
Key (string) --
The key of the map filter. For example, for ResourceTags, Key identifies the name of the tag. For UserDefinedFields, Key is the name of the field.
Value (string) --
The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called Department might be Security. If you provide security as the filter value, then there's no match.
Comparison (string) --
The condition to apply to the key value when filtering Security Hub CSPM findings with a map filter.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, for the ResourceTags field, the filter Department CONTAINS Security matches findings that include the value Security for the Department tag. In the same example, a finding with a value of Security team for the Department tag is a match.
To search for values that exactly match the filter value, use EQUALS. For example, for the ResourceTags field, the filter Department EQUALS Security matches findings that have the value Security for the Department tag.
CONTAINS and EQUALS filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Department CONTAINS Security OR Department CONTAINS Finance match a finding that includes either Security, Finance, or both values.
To search for values that don't have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, for the ResourceTags field, the filter Department NOT_CONTAINS Finance matches findings that exclude the value Finance for the Department tag.
To search for values other than the filter value, use NOT_EQUALS. For example, for the ResourceTags field, the filter Department NOT_EQUALS Finance matches findings that don’t have the value Finance for the Department tag.
NOT_CONTAINS and NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Department NOT_CONTAINS Security AND Department NOT_CONTAINS Finance match a finding that excludes both the Security and Finance values.
CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can’t have both an EQUALS filter and a NOT_EQUALS filter on the same field. Combining filters in this way returns an error.
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub CSPM User Guide.
ResourceDetailsOther (list) --
Custom fields and values about the resource that a finding pertains to.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A map filter for filtering Security Hub CSPM findings. Each map filter provides the field to check for, the value to check for, and the comparison operator.
Key (string) --
The key of the map filter. For example, for ResourceTags, Key identifies the name of the tag. For UserDefinedFields, Key is the name of the field.
Value (string) --
The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called Department might be Security. If you provide security as the filter value, then there's no match.
Comparison (string) --
The condition to apply to the key value when filtering Security Hub CSPM findings with a map filter.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, for the ResourceTags field, the filter Department CONTAINS Security matches findings that include the value Security for the Department tag. In the same example, a finding with a value of Security team for the Department tag is a match.
To search for values that exactly match the filter value, use EQUALS. For example, for the ResourceTags field, the filter Department EQUALS Security matches findings that have the value Security for the Department tag.
CONTAINS and EQUALS filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Department CONTAINS Security OR Department CONTAINS Finance match a finding that includes either Security, Finance, or both values.
To search for values that don't have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, for the ResourceTags field, the filter Department NOT_CONTAINS Finance matches findings that exclude the value Finance for the Department tag.
To search for values other than the filter value, use NOT_EQUALS. For example, for the ResourceTags field, the filter Department NOT_EQUALS Finance matches findings that don’t have the value Finance for the Department tag.
NOT_CONTAINS and NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Department NOT_CONTAINS Security AND Department NOT_CONTAINS Finance match a finding that excludes both the Security and Finance values.
CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can’t have both an EQUALS filter and a NOT_EQUALS filter on the same field. Combining filters in this way returns an error.
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub CSPM User Guide.
ComplianceStatus (list) --
The result of a security check. This field is only used for findings generated from controls.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
ComplianceSecurityControlId (list) --
The security control ID for which a finding was generated. Security control IDs are the same across standards.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
ComplianceAssociatedStandardsId (list) --
The unique identifier of a standard in which a control is enabled. This field consists of the resource portion of the Amazon Resource Name (ARN) returned for a standard in the DescribeStandards API response.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
VerificationState (list) --
Provides the veracity of a finding.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
WorkflowStatus (list) --
Provides information about the status of the investigation into a finding.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
RecordState (list) --
Provides the current state of a finding.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
RelatedFindingsProductArn (list) --
The ARN for the product that generated a related finding.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
RelatedFindingsId (list) --
The product-generated identifier for a related finding.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
NoteText (list) --
The text of a user-defined note that's added to a finding.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
NoteUpdatedAt (list) --
The timestamp of when the note was updated.
For more information about the validation and formatting of timestamp fields in Security Hub CSPM, see Timestamps.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A date filter for querying findings.
Start (string) --
A timestamp that provides the start date for the date filter.
For more information about the validation and formatting of timestamp fields in Security Hub CSPM, see Timestamps.
End (string) --
A timestamp that provides the end date for the date filter.
For more information about the validation and formatting of timestamp fields in Security Hub CSPM, see Timestamps.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
Comparison (string) --
The condition to apply to a date range filter. If you specify WITHIN, Security Hub filters for dates within the specified date range. If you specify OLDER_THAN, Security Hub filters for dates before the specified date range. If you don't specify a value, the default is WITHIN.
NoteUpdatedBy (list) --
The principal that created a note.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
UserDefinedFields (list) --
A list of user-defined name and value string pairs added to a finding.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A map filter for filtering Security Hub CSPM findings. Each map filter provides the field to check for, the value to check for, and the comparison operator.
Key (string) --
The key of the map filter. For example, for ResourceTags, Key identifies the name of the tag. For UserDefinedFields, Key is the name of the field.
Value (string) --
The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called Department might be Security. If you provide security as the filter value, then there's no match.
Comparison (string) --
The condition to apply to the key value when filtering Security Hub CSPM findings with a map filter.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, for the ResourceTags field, the filter Department CONTAINS Security matches findings that include the value Security for the Department tag. In the same example, a finding with a value of Security team for the Department tag is a match.
To search for values that exactly match the filter value, use EQUALS. For example, for the ResourceTags field, the filter Department EQUALS Security matches findings that have the value Security for the Department tag.
CONTAINS and EQUALS filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Department CONTAINS Security OR Department CONTAINS Finance match a finding that includes either Security, Finance, or both values.
To search for values that don't have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, for the ResourceTags field, the filter Department NOT_CONTAINS Finance matches findings that exclude the value Finance for the Department tag.
To search for values other than the filter value, use NOT_EQUALS. For example, for the ResourceTags field, the filter Department NOT_EQUALS Finance matches findings that don’t have the value Finance for the Department tag.
NOT_CONTAINS and NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Department NOT_CONTAINS Security AND Department NOT_CONTAINS Finance match a finding that excludes both the Security and Finance values.
CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can’t have both an EQUALS filter and a NOT_EQUALS filter on the same field. Combining filters in this way returns an error.
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub CSPM User Guide.
ResourceApplicationArn (list) --
The Amazon Resource Name (ARN) of the application that is related to a finding.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
ResourceApplicationName (list) --
The name of the application that is related to a finding.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
AwsAccountName (list) --
The name of the Amazon Web Services account in which a finding was generated.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
ResourceProvider (list) --
The cloud provider that the resource belongs to. Valid values are AWS and Azure.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
ResourceOwnerAccountId (list) --
The unique identifier of the account that owns the resource that the finding applies to, for example, Azure Subscription Id or Amazon Web Services Account Id
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
ResourceOwnerOrgId (list) --
The unique identifier of the organization that owns the resource that the finding applies to, for example, Azure Tenant Id
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
Actions (list) --
One or more actions to update finding fields if a finding matches the conditions specified in Criteria.
(dict) --
One or more actions that Security Hub CSPM takes when a finding matches the defined criteria of a rule.
Type (string) --
Specifies the type of action that Security Hub CSPM takes when a finding matches the defined criteria of a rule.
FindingFieldsUpdate (dict) --
Specifies that the automation rule action is an update to a finding field.
Note (dict) --
The updated note.
Text (string) -- [REQUIRED]
The updated note text.
UpdatedBy (string) -- [REQUIRED]
The principal that updated the note.
Severity (dict) --
Updates to the severity information for a finding.
Normalized (integer) --
The normalized severity for the finding. This attribute is to be deprecated in favor of Label.
If you provide Normalized and don't provide Label, Label is set automatically as follows.
0 - INFORMATIONAL
1–39 - LOW
40–69 - MEDIUM
70–89 - HIGH
90–100 - CRITICAL
Product (float) --
The native severity as defined by the Amazon Web Services service or integrated partner product that generated the finding.
Label (string) --
The severity value of the finding. The allowed values are the following.
INFORMATIONAL - No issue was found.
LOW - The issue does not require action on its own.
MEDIUM - The issue must be addressed but not urgently.
HIGH - The issue must be addressed as a priority.
CRITICAL - The issue must be remediated immediately to avoid it escalating.
VerificationState (string) --
The rule action updates the VerificationState field of a finding.
Confidence (integer) --
The rule action updates the Confidence field of a finding.
Criticality (integer) --
The rule action updates the Criticality field of a finding.
Types (list) --
The rule action updates the Types field of a finding.
(string) --
UserDefinedFields (dict) --
The rule action updates the UserDefinedFields field of a finding.
(string) --
(string) --
Workflow (dict) --
Used to update information about the investigation into the finding.
Status (string) --
The status of the investigation into the finding. The workflow status is specific to an individual finding. It does not affect the generation of new findings. For example, setting the workflow status to SUPPRESSED or RESOLVED does not prevent a new finding for the same issue.
The allowed values are the following.
NEW - The initial state of a finding, before it is reviewed. Security Hub CSPM also resets WorkFlowStatus from NOTIFIED or RESOLVED to NEW in the following cases:
The record state changes from ARCHIVED to ACTIVE.
The compliance status changes from PASSED to either WARNING, FAILED, or NOT_AVAILABLE.
NOTIFIED - Indicates that you notified the resource owner about the security issue. Used when the initial reviewer is not the resource owner, and needs intervention from the resource owner.
RESOLVED - The finding was reviewed and remediated and is now considered resolved.
SUPPRESSED - Indicates that you reviewed the finding and don't believe that any action is needed. The finding is no longer updated.
RelatedFindings (list) --
The rule action updates the RelatedFindings field of a finding.
(dict) --
Details about a related finding.
ProductArn (string) -- [REQUIRED]
The ARN of the product that generated a related finding.
Id (string) -- [REQUIRED]
The product-generated identifier for a related finding.
dict
Response Syntax
{
'ProcessedAutomationRules': [
'string',
],
'UnprocessedAutomationRules': [
{
'RuleArn': 'string',
'ErrorCode': 123,
'ErrorMessage': 'string'
},
]
}
Response Structure
(dict) --
ProcessedAutomationRules (list) --
A list of properly processed rule ARNs.
(string) --
UnprocessedAutomationRules (list) --
A list of objects containing RuleArn, ErrorCode, and ErrorMessage. This parameter tells you which automation rules the request didn't update and why.
(dict) --
A list of objects containing RuleArn, ErrorCode, and ErrorMessage. This parameter tells you which automation rules the request didn't process and why.
RuleArn (string) --
The Amazon Resource Name (ARN) for the unprocessed automation rule.
ErrorCode (integer) --
The error code associated with the unprocessed automation rule.
ErrorMessage (string) --
An error message describing why a request didn't process a specific rule.
{'Criteria': {'ResourceOwnerAccountId': [{'Comparison': 'EQUALS | PREFIX | '
'NOT_EQUALS | '
'PREFIX_NOT_EQUALS | '
'CONTAINS | '
'NOT_CONTAINS | '
'CONTAINS_WORD',
'Value': 'string'}],
'ResourceOwnerOrgId': [{'Comparison': 'EQUALS | PREFIX | '
'NOT_EQUALS | '
'PREFIX_NOT_EQUALS | '
'CONTAINS | NOT_CONTAINS | '
'CONTAINS_WORD',
'Value': 'string'}],
'ResourceProvider': [{'Comparison': 'EQUALS | PREFIX | '
'NOT_EQUALS | '
'PREFIX_NOT_EQUALS | '
'CONTAINS | NOT_CONTAINS | '
'CONTAINS_WORD',
'Value': 'string'}]}}
Creates an automation rule based on input parameters.
See also: AWS API Documentation
Request Syntax
client.create_automation_rule(
Tags={
'string': 'string'
},
RuleStatus='ENABLED'|'DISABLED',
RuleOrder=123,
RuleName='string',
Description='string',
IsTerminal=True|False,
Criteria={
'ProductArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'AwsAccountId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'Id': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'GeneratorId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'Type': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'FirstObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
},
],
'LastObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
},
],
'CreatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
},
],
'UpdatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
},
],
'Confidence': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'Criticality': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'Title': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'Description': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'SourceUrl': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ProductName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'CompanyName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'SeverityLabel': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourcePartition': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceRegion': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceTags': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceDetailsOther': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ComplianceStatus': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ComplianceSecurityControlId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ComplianceAssociatedStandardsId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'VerificationState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'WorkflowStatus': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'RecordState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'RelatedFindingsProductArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'RelatedFindingsId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'NoteText': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'NoteUpdatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
},
],
'NoteUpdatedBy': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'UserDefinedFields': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceApplicationArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceApplicationName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'AwsAccountName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceProvider': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceOwnerAccountId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceOwnerOrgId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
]
},
Actions=[
{
'Type': 'FINDING_FIELDS_UPDATE',
'FindingFieldsUpdate': {
'Note': {
'Text': 'string',
'UpdatedBy': 'string'
},
'Severity': {
'Normalized': 123,
'Product': 123.0,
'Label': 'INFORMATIONAL'|'LOW'|'MEDIUM'|'HIGH'|'CRITICAL'
},
'VerificationState': 'UNKNOWN'|'TRUE_POSITIVE'|'FALSE_POSITIVE'|'BENIGN_POSITIVE',
'Confidence': 123,
'Criticality': 123,
'Types': [
'string',
],
'UserDefinedFields': {
'string': 'string'
},
'Workflow': {
'Status': 'NEW'|'NOTIFIED'|'RESOLVED'|'SUPPRESSED'
},
'RelatedFindings': [
{
'ProductArn': 'string',
'Id': 'string'
},
]
}
},
]
)
dict
User-defined tags associated with an automation rule.
(string) --
(string) --
string
Whether the rule is active after it is created. If this parameter is equal to ENABLED, Security Hub CSPM starts applying the rule to findings and finding updates after the rule is created. To change the value of this parameter after creating a rule, use BatchUpdateAutomationRules.
integer
[REQUIRED]
An integer ranging from 1 to 1000 that represents the order in which the rule action is applied to findings. Security Hub CSPM applies rules with lower values for this parameter first.
string
[REQUIRED]
The name of the rule.
string
[REQUIRED]
A description of the rule.
boolean
Specifies whether a rule is the last to be applied with respect to a finding that matches the rule criteria. This is useful when a finding matches the criteria for multiple rules, and each rule has different actions. If a rule is terminal, Security Hub CSPM applies the rule action to a finding that matches the rule criteria and doesn't evaluate other rules for the finding. By default, a rule isn't terminal.
dict
[REQUIRED]
A set of ASFF finding field attributes and corresponding expected values that Security Hub CSPM uses to filter findings. If a rule is enabled and a finding matches the conditions specified in this parameter, Security Hub CSPM applies the rule action to the finding.
ProductArn (list) --
The Amazon Resource Name (ARN) for a third-party product that generated a finding in Security Hub CSPM.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
AwsAccountId (list) --
The Amazon Web Services account ID in which a finding was generated.
Array Members: Minimum number of 1 item. Maximum number of 100 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
Id (list) --
The product-specific identifier for a finding.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
GeneratorId (list) --
The identifier for the solution-specific component that generated a finding.
Array Members: Minimum number of 1 item. Maximum number of 100 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
Type (list) --
One or more finding types in the format of namespace/category/classifier that classify a finding. For a list of namespaces, classifiers, and categories, see Types taxonomy for ASFF in the Security Hub CSPM User Guide.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
FirstObservedAt (list) --
A timestamp that indicates when the potential security issue captured by a finding was first observed by the security findings product.
For more information about the validation and formatting of timestamp fields in Security Hub CSPM, see Timestamps.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A date filter for querying findings.
Start (string) --
A timestamp that provides the start date for the date filter.
For more information about the validation and formatting of timestamp fields in Security Hub CSPM, see Timestamps.
End (string) --
A timestamp that provides the end date for the date filter.
For more information about the validation and formatting of timestamp fields in Security Hub CSPM, see Timestamps.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
Comparison (string) --
The condition to apply to a date range filter. If you specify WITHIN, Security Hub filters for dates within the specified date range. If you specify OLDER_THAN, Security Hub filters for dates before the specified date range. If you don't specify a value, the default is WITHIN.
LastObservedAt (list) --
A timestamp that indicates when the security findings provider most recently observed a change in the resource that is involved in the finding.
For more information about the validation and formatting of timestamp fields in Security Hub CSPM, see Timestamps.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A date filter for querying findings.
Start (string) --
A timestamp that provides the start date for the date filter.
For more information about the validation and formatting of timestamp fields in Security Hub CSPM, see Timestamps.
End (string) --
A timestamp that provides the end date for the date filter.
For more information about the validation and formatting of timestamp fields in Security Hub CSPM, see Timestamps.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
Comparison (string) --
The condition to apply to a date range filter. If you specify WITHIN, Security Hub filters for dates within the specified date range. If you specify OLDER_THAN, Security Hub filters for dates before the specified date range. If you don't specify a value, the default is WITHIN.
CreatedAt (list) --
A timestamp that indicates when this finding record was created.
For more information about the validation and formatting of timestamp fields in Security Hub CSPM, see Timestamps.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A date filter for querying findings.
Start (string) --
A timestamp that provides the start date for the date filter.
For more information about the validation and formatting of timestamp fields in Security Hub CSPM, see Timestamps.
End (string) --
A timestamp that provides the end date for the date filter.
For more information about the validation and formatting of timestamp fields in Security Hub CSPM, see Timestamps.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
Comparison (string) --
The condition to apply to a date range filter. If you specify WITHIN, Security Hub filters for dates within the specified date range. If you specify OLDER_THAN, Security Hub filters for dates before the specified date range. If you don't specify a value, the default is WITHIN.
UpdatedAt (list) --
A timestamp that indicates when the finding record was most recently updated.
For more information about the validation and formatting of timestamp fields in Security Hub CSPM, see Timestamps.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A date filter for querying findings.
Start (string) --
A timestamp that provides the start date for the date filter.
For more information about the validation and formatting of timestamp fields in Security Hub CSPM, see Timestamps.
End (string) --
A timestamp that provides the end date for the date filter.
For more information about the validation and formatting of timestamp fields in Security Hub CSPM, see Timestamps.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
Comparison (string) --
The condition to apply to a date range filter. If you specify WITHIN, Security Hub filters for dates within the specified date range. If you specify OLDER_THAN, Security Hub filters for dates before the specified date range. If you don't specify a value, the default is WITHIN.
Confidence (list) --
The likelihood that a finding accurately identifies the behavior or issue that it was intended to identify. Confidence is scored on a 0–100 basis using a ratio scale. A value of 0 means 0 percent confidence, and a value of 100 means 100 percent confidence. For example, a data exfiltration detection based on a statistical deviation of network traffic has low confidence because an actual exfiltration hasn't been verified. For more information, see Confidence in the Security Hub CSPM User Guide.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A number filter for querying findings.
Gte (float) --
The greater-than-equal condition to be applied to a single field when querying for findings.
Lte (float) --
The less-than-equal condition to be applied to a single field when querying for findings.
Eq (float) --
The equal-to condition to be applied to a single field when querying for findings.
Gt (float) --
The greater-than condition to be applied to a single field when querying for findings.
Lt (float) --
The less-than condition to be applied to a single field when querying for findings.
Criticality (list) --
The level of importance that is assigned to the resources that are associated with a finding. Criticality is scored on a 0–100 basis, using a ratio scale that supports only full integers. A score of 0 means that the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources. For more information, see Criticality in the Security Hub CSPM User Guide.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A number filter for querying findings.
Gte (float) --
The greater-than-equal condition to be applied to a single field when querying for findings.
Lte (float) --
The less-than-equal condition to be applied to a single field when querying for findings.
Eq (float) --
The equal-to condition to be applied to a single field when querying for findings.
Gt (float) --
The greater-than condition to be applied to a single field when querying for findings.
Lt (float) --
The less-than condition to be applied to a single field when querying for findings.
Title (list) --
A finding's title.
Array Members: Minimum number of 1 item. Maximum number of 100 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
Description (list) --
A finding's description.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
SourceUrl (list) --
Provides a URL that links to a page about the current finding in the finding product.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
ProductName (list) --
Provides the name of the product that generated the finding. For control-based findings, the product name is Security Hub CSPM.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
CompanyName (list) --
The name of the company for the product that generated the finding. For control-based findings, the company is Amazon Web Services.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
SeverityLabel (list) --
The severity value of the finding.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
ResourceType (list) --
The type of resource that the finding pertains to.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
ResourceId (list) --
The identifier for the given resource type. For Amazon Web Services resources that are identified by Amazon Resource Names (ARNs), this is the ARN. For Amazon Web Services resources that lack ARNs, this is the identifier as defined by the Amazon Web Services service that created the resource. For non-Amazon Web Services resources, this is a unique identifier that is associated with the resource.
Array Members: Minimum number of 1 item. Maximum number of 100 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
ResourcePartition (list) --
The partition in which the resource that the finding pertains to is located. A partition is a group of Amazon Web Services Regions. Each Amazon Web Services account is scoped to one partition.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
ResourceRegion (list) --
The Amazon Web Services Region where the resource that a finding pertains to is located.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
ResourceTags (list) --
A list of Amazon Web Services tags associated with a resource at the time the finding was processed.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A map filter for filtering Security Hub CSPM findings. Each map filter provides the field to check for, the value to check for, and the comparison operator.
Key (string) --
The key of the map filter. For example, for ResourceTags, Key identifies the name of the tag. For UserDefinedFields, Key is the name of the field.
Value (string) --
The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called Department might be Security. If you provide security as the filter value, then there's no match.
Comparison (string) --
The condition to apply to the key value when filtering Security Hub CSPM findings with a map filter.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, for the ResourceTags field, the filter Department CONTAINS Security matches findings that include the value Security for the Department tag. In the same example, a finding with a value of Security team for the Department tag is a match.
To search for values that exactly match the filter value, use EQUALS. For example, for the ResourceTags field, the filter Department EQUALS Security matches findings that have the value Security for the Department tag.
CONTAINS and EQUALS filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Department CONTAINS Security OR Department CONTAINS Finance match a finding that includes either Security, Finance, or both values.
To search for values that don't have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, for the ResourceTags field, the filter Department NOT_CONTAINS Finance matches findings that exclude the value Finance for the Department tag.
To search for values other than the filter value, use NOT_EQUALS. For example, for the ResourceTags field, the filter Department NOT_EQUALS Finance matches findings that don’t have the value Finance for the Department tag.
NOT_CONTAINS and NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Department NOT_CONTAINS Security AND Department NOT_CONTAINS Finance match a finding that excludes both the Security and Finance values.
CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can’t have both an EQUALS filter and a NOT_EQUALS filter on the same field. Combining filters in this way returns an error.
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub CSPM User Guide.
ResourceDetailsOther (list) --
Custom fields and values about the resource that a finding pertains to.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A map filter for filtering Security Hub CSPM findings. Each map filter provides the field to check for, the value to check for, and the comparison operator.
Key (string) --
The key of the map filter. For example, for ResourceTags, Key identifies the name of the tag. For UserDefinedFields, Key is the name of the field.
Value (string) --
The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called Department might be Security. If you provide security as the filter value, then there's no match.
Comparison (string) --
The condition to apply to the key value when filtering Security Hub CSPM findings with a map filter.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, for the ResourceTags field, the filter Department CONTAINS Security matches findings that include the value Security for the Department tag. In the same example, a finding with a value of Security team for the Department tag is a match.
To search for values that exactly match the filter value, use EQUALS. For example, for the ResourceTags field, the filter Department EQUALS Security matches findings that have the value Security for the Department tag.
CONTAINS and EQUALS filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Department CONTAINS Security OR Department CONTAINS Finance match a finding that includes either Security, Finance, or both values.
To search for values that don't have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, for the ResourceTags field, the filter Department NOT_CONTAINS Finance matches findings that exclude the value Finance for the Department tag.
To search for values other than the filter value, use NOT_EQUALS. For example, for the ResourceTags field, the filter Department NOT_EQUALS Finance matches findings that don’t have the value Finance for the Department tag.
NOT_CONTAINS and NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Department NOT_CONTAINS Security AND Department NOT_CONTAINS Finance match a finding that excludes both the Security and Finance values.
CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can’t have both an EQUALS filter and a NOT_EQUALS filter on the same field. Combining filters in this way returns an error.
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub CSPM User Guide.
ComplianceStatus (list) --
The result of a security check. This field is only used for findings generated from controls.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
ComplianceSecurityControlId (list) --
The security control ID for which a finding was generated. Security control IDs are the same across standards.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
ComplianceAssociatedStandardsId (list) --
The unique identifier of a standard in which a control is enabled. This field consists of the resource portion of the Amazon Resource Name (ARN) returned for a standard in the DescribeStandards API response.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
VerificationState (list) --
Provides the veracity of a finding.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
WorkflowStatus (list) --
Provides information about the status of the investigation into a finding.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
RecordState (list) --
Provides the current state of a finding.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
RelatedFindingsProductArn (list) --
The ARN for the product that generated a related finding.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
RelatedFindingsId (list) --
The product-generated identifier for a related finding.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
NoteText (list) --
The text of a user-defined note that's added to a finding.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
NoteUpdatedAt (list) --
The timestamp of when the note was updated.
For more information about the validation and formatting of timestamp fields in Security Hub CSPM, see Timestamps.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A date filter for querying findings.
Start (string) --
A timestamp that provides the start date for the date filter.
For more information about the validation and formatting of timestamp fields in Security Hub CSPM, see Timestamps.
End (string) --
A timestamp that provides the end date for the date filter.
For more information about the validation and formatting of timestamp fields in Security Hub CSPM, see Timestamps.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
Comparison (string) --
The condition to apply to a date range filter. If you specify WITHIN, Security Hub filters for dates within the specified date range. If you specify OLDER_THAN, Security Hub filters for dates before the specified date range. If you don't specify a value, the default is WITHIN.
NoteUpdatedBy (list) --
The principal that created a note.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
UserDefinedFields (list) --
A list of user-defined name and value string pairs added to a finding.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A map filter for filtering Security Hub CSPM findings. Each map filter provides the field to check for, the value to check for, and the comparison operator.
Key (string) --
The key of the map filter. For example, for ResourceTags, Key identifies the name of the tag. For UserDefinedFields, Key is the name of the field.
Value (string) --
The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called Department might be Security. If you provide security as the filter value, then there's no match.
Comparison (string) --
The condition to apply to the key value when filtering Security Hub CSPM findings with a map filter.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, for the ResourceTags field, the filter Department CONTAINS Security matches findings that include the value Security for the Department tag. In the same example, a finding with a value of Security team for the Department tag is a match.
To search for values that exactly match the filter value, use EQUALS. For example, for the ResourceTags field, the filter Department EQUALS Security matches findings that have the value Security for the Department tag.
CONTAINS and EQUALS filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Department CONTAINS Security OR Department CONTAINS Finance match a finding that includes either Security, Finance, or both values.
To search for values that don't have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, for the ResourceTags field, the filter Department NOT_CONTAINS Finance matches findings that exclude the value Finance for the Department tag.
To search for values other than the filter value, use NOT_EQUALS. For example, for the ResourceTags field, the filter Department NOT_EQUALS Finance matches findings that don’t have the value Finance for the Department tag.
NOT_CONTAINS and NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Department NOT_CONTAINS Security AND Department NOT_CONTAINS Finance match a finding that excludes both the Security and Finance values.
CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can’t have both an EQUALS filter and a NOT_EQUALS filter on the same field. Combining filters in this way returns an error.
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub CSPM User Guide.
ResourceApplicationArn (list) --
The Amazon Resource Name (ARN) of the application that is related to a finding.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
ResourceApplicationName (list) --
The name of the application that is related to a finding.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
AwsAccountName (list) --
The name of the Amazon Web Services account in which a finding was generated.
Array Members: Minimum number of 1 item. Maximum number of 20 items.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
ResourceProvider (list) --
The cloud provider that the resource belongs to. Valid values are AWS and Azure.
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
ResourceOwnerAccountId (list) --
The unique identifier of the account that owns the resource that the finding applies to, for example, Azure Subscription Id or Amazon Web Services Account Id
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
ResourceOwnerOrgId (list) --
The unique identifier of the organization that owns the resource that the finding applies to, for example, Azure Tenant Id
(dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
list
[REQUIRED]
One or more actions to update finding fields if a finding matches the conditions specified in Criteria.
(dict) --
One or more actions that Security Hub CSPM takes when a finding matches the defined criteria of a rule.
Type (string) --
Specifies the type of action that Security Hub CSPM takes when a finding matches the defined criteria of a rule.
FindingFieldsUpdate (dict) --
Specifies that the automation rule action is an update to a finding field.
Note (dict) --
The updated note.
Text (string) -- [REQUIRED]
The updated note text.
UpdatedBy (string) -- [REQUIRED]
The principal that updated the note.
Severity (dict) --
Updates to the severity information for a finding.
Normalized (integer) --
The normalized severity for the finding. This attribute is to be deprecated in favor of Label.
If you provide Normalized and don't provide Label, Label is set automatically as follows.
0 - INFORMATIONAL
1–39 - LOW
40–69 - MEDIUM
70–89 - HIGH
90–100 - CRITICAL
Product (float) --
The native severity as defined by the Amazon Web Services service or integrated partner product that generated the finding.
Label (string) --
The severity value of the finding. The allowed values are the following.
INFORMATIONAL - No issue was found.
LOW - The issue does not require action on its own.
MEDIUM - The issue must be addressed but not urgently.
HIGH - The issue must be addressed as a priority.
CRITICAL - The issue must be remediated immediately to avoid it escalating.
VerificationState (string) --
The rule action updates the VerificationState field of a finding.
Confidence (integer) --
The rule action updates the Confidence field of a finding.
Criticality (integer) --
The rule action updates the Criticality field of a finding.
Types (list) --
The rule action updates the Types field of a finding.
(string) --
UserDefinedFields (dict) --
The rule action updates the UserDefinedFields field of a finding.
(string) --
(string) --
Workflow (dict) --
Used to update information about the investigation into the finding.
Status (string) --
The status of the investigation into the finding. The workflow status is specific to an individual finding. It does not affect the generation of new findings. For example, setting the workflow status to SUPPRESSED or RESOLVED does not prevent a new finding for the same issue.
The allowed values are the following.
NEW - The initial state of a finding, before it is reviewed. Security Hub CSPM also resets WorkFlowStatus from NOTIFIED or RESOLVED to NEW in the following cases:
The record state changes from ARCHIVED to ACTIVE.
The compliance status changes from PASSED to either WARNING, FAILED, or NOT_AVAILABLE.
NOTIFIED - Indicates that you notified the resource owner about the security issue. Used when the initial reviewer is not the resource owner, and needs intervention from the resource owner.
RESOLVED - The finding was reviewed and remediated and is now considered resolved.
SUPPRESSED - Indicates that you reviewed the finding and don't believe that any action is needed. The finding is no longer updated.
RelatedFindings (list) --
The rule action updates the RelatedFindings field of a finding.
(dict) --
Details about a related finding.
ProductArn (string) -- [REQUIRED]
The ARN of the product that generated a related finding.
Id (string) -- [REQUIRED]
The product-generated identifier for a related finding.
dict
Response Syntax
{
'RuleArn': 'string'
}
Response Structure
(dict) --
RuleArn (string) --
The Amazon Resource Name (ARN) of the automation rule that you created.
{'Criteria': {'OcsfFindingCriteria': {'CompositeFilters': {'StringFilters': {'FieldName': {'resources.name',
'resources.owner.account.name',
'resources.owner.account.uid',
'resources.owner.org.uid',
'resources.provider'}}}}}}
Creates a V2 automation rule.
See also: AWS API Documentation
Request Syntax
client.create_automation_rule_v2(
RuleName='string',
RuleStatus='ENABLED'|'DISABLED',
Description='string',
RuleOrder=...,
Criteria={
'OcsfFindingCriteria': {
'CompositeFilters': [
{
'StringFilters': [
{
'FieldName': 'metadata.uid'|'activity_name'|'cloud.account.uid'|'cloud.provider'|'cloud.region'|'compliance.assessments.category'|'compliance.assessments.name'|'compliance.control'|'compliance.status'|'compliance.standards'|'finding_info.desc'|'finding_info.src_url'|'finding_info.title'|'finding_info.types'|'finding_info.uid'|'finding_info.related_events.traits.category'|'finding_info.related_events.uid'|'finding_info.related_events.product.uid'|'finding_info.related_events.title'|'metadata.product.name'|'metadata.product.uid'|'metadata.product.vendor_name'|'remediation.desc'|'remediation.references'|'resources.cloud_partition'|'resources.name'|'resources.owner.account.uid'|'resources.owner.org.uid'|'resources.owner.account.name'|'resources.provider'|'resources.region'|'resources.type'|'resources.uid'|'severity'|'status'|'comment'|'vulnerabilities.fix_coverage'|'class_name'|'databucket.encryption_details.algorithm'|'databucket.encryption_details.key_uid'|'databucket.file.data_classifications.classifier_details.type'|'evidences.actor.user.account.uid'|'evidences.api.operation'|'evidences.api.response.error_message'|'evidences.api.service.name'|'evidences.connection_info.direction'|'evidences.connection_info.protocol_name'|'evidences.dst_endpoint.autonomous_system.name'|'evidences.dst_endpoint.location.city'|'evidences.dst_endpoint.location.country'|'evidences.src_endpoint.autonomous_system.name'|'evidences.src_endpoint.hostname'|'evidences.src_endpoint.location.city'|'evidences.src_endpoint.location.country'|'finding_info.analytic.name'|'malware.name'|'malware_scan_info.uid'|'malware.severity'|'resources.cloud_function.layers.uid_alt'|'resources.cloud_function.runtime'|'resources.cloud_function.user.uid'|'resources.device.encryption_details.key_uid'|'resources.device.image.uid'|'resources.image.architecture'|'resources.image.registry_uid'|'resources.image.repository_name'|'resources.image.uid'|'resources.subnet_info.uid'|'resources.vpc_uid'|'vulnerabilities.affected_code.file.path'|'vulnerabilities.affected_packages.name'|'vulnerabilities.cve.epss.score'|'vulnerabilities.cve.uid'|'vulnerabilities.related_vulnerabilities'|'cloud.account.name'|'vendor_attributes.severity',
'Filter': {
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
}
},
],
'DateFilters': [
{
'FieldName': 'finding_info.created_time_dt'|'finding_info.first_seen_time_dt'|'finding_info.last_seen_time_dt'|'finding_info.modified_time_dt'|'resources.image.created_time_dt'|'resources.image.last_used_time_dt'|'resources.modified_time_dt',
'Filter': {
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
}
},
],
'BooleanFilters': [
{
'FieldName': 'compliance.assessments.meets_criteria'|'vulnerabilities.is_exploit_available'|'vulnerabilities.is_fix_available',
'Filter': {
'Value': True|False
}
},
],
'NumberFilters': [
{
'FieldName': 'activity_id'|'compliance.status_id'|'confidence_score'|'severity_id'|'status_id'|'finding_info.related_events_count'|'evidences.api.response.code'|'evidences.dst_endpoint.autonomous_system.number'|'evidences.dst_endpoint.port'|'evidences.src_endpoint.autonomous_system.number'|'evidences.src_endpoint.port'|'resources.image.in_use_count'|'vulnerabilities.cve.cvss.base_score'|'vendor_attributes.severity_id',
'Filter': {
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
}
},
],
'MapFilters': [
{
'FieldName': 'resources.tags'|'compliance.control_parameters'|'databucket.tags'|'finding_info.tags',
'Filter': {
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
}
},
],
'IpFilters': [
{
'FieldName': 'evidences.dst_endpoint.ip'|'evidences.src_endpoint.ip',
'Filter': {
'Cidr': 'string'
}
},
],
'NestedCompositeFilters': {'... recursive ...'},
'Operator': 'AND'|'OR'
},
],
'CompositeOperator': 'AND'|'OR'
}
},
Actions=[
{
'Type': 'FINDING_FIELDS_UPDATE'|'EXTERNAL_INTEGRATION',
'FindingFieldsUpdate': {
'SeverityId': 123,
'Comment': 'string',
'StatusId': 123
},
'ExternalIntegrationConfiguration': {
'ConnectorArn': 'string'
}
},
],
Tags={
'string': 'string'
},
ClientToken='string'
)
string
[REQUIRED]
The name of the V2 automation rule.
string
The status of the V2 automation rule.
string
[REQUIRED]
A description of the V2 automation rule.
float
[REQUIRED]
The value for the rule priority.
dict
[REQUIRED]
The filtering type and configuration of the automation rule.
OcsfFindingCriteria (dict) --
The filtering conditions that align with OCSF standards.
CompositeFilters (list) --
Enables the creation of complex filtering conditions by combining filter criteria.
(dict) --
Enables the creation of filtering criteria for security findings.
StringFilters (list) --
Enables filtering based on string field values.
(dict) --
Enables filtering of security findings based on string field values in OCSF.
FieldName (string) --
The name of the field.
Filter (dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
DateFilters (list) --
Enables filtering based on date and timestamp fields.
(dict) --
Enables filtering of security findings based on date and timestamp fields in OCSF.
FieldName (string) --
The name of the field.
Filter (dict) --
A date filter for querying findings.
Start (string) --
A timestamp that provides the start date for the date filter.
For more information about the validation and formatting of timestamp fields in Security Hub CSPM, see Timestamps.
End (string) --
A timestamp that provides the end date for the date filter.
For more information about the validation and formatting of timestamp fields in Security Hub CSPM, see Timestamps.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
Comparison (string) --
The condition to apply to a date range filter. If you specify WITHIN, Security Hub filters for dates within the specified date range. If you specify OLDER_THAN, Security Hub filters for dates before the specified date range. If you don't specify a value, the default is WITHIN.
BooleanFilters (list) --
Enables filtering based on boolean field values.
(dict) --
Enables filtering of security findings based on boolean field values in OCSF.
FieldName (string) --
The name of the field.
Filter (dict) --
Boolean filter for querying findings.
Value (boolean) --
The value of the boolean.
NumberFilters (list) --
Enables filtering based on numerical field values.
(dict) --
Enables filtering of security findings based on numerical field values in OCSF.
FieldName (string) --
The name of the field.
Filter (dict) --
A number filter for querying findings.
Gte (float) --
The greater-than-equal condition to be applied to a single field when querying for findings.
Lte (float) --
The less-than-equal condition to be applied to a single field when querying for findings.
Eq (float) --
The equal-to condition to be applied to a single field when querying for findings.
Gt (float) --
The greater-than condition to be applied to a single field when querying for findings.
Lt (float) --
The less-than condition to be applied to a single field when querying for findings.
MapFilters (list) --
Enables filtering based on map field values.
(dict) --
Enables filtering of security findings based on map field values in OCSF.
FieldName (string) --
The name of the field.
Filter (dict) --
A map filter for filtering Security Hub CSPM findings. Each map filter provides the field to check for, the value to check for, and the comparison operator.
Key (string) --
The key of the map filter. For example, for ResourceTags, Key identifies the name of the tag. For UserDefinedFields, Key is the name of the field.
Value (string) --
The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called Department might be Security. If you provide security as the filter value, then there's no match.
Comparison (string) --
The condition to apply to the key value when filtering Security Hub CSPM findings with a map filter.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, for the ResourceTags field, the filter Department CONTAINS Security matches findings that include the value Security for the Department tag. In the same example, a finding with a value of Security team for the Department tag is a match.
To search for values that exactly match the filter value, use EQUALS. For example, for the ResourceTags field, the filter Department EQUALS Security matches findings that have the value Security for the Department tag.
CONTAINS and EQUALS filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Department CONTAINS Security OR Department CONTAINS Finance match a finding that includes either Security, Finance, or both values.
To search for values that don't have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, for the ResourceTags field, the filter Department NOT_CONTAINS Finance matches findings that exclude the value Finance for the Department tag.
To search for values other than the filter value, use NOT_EQUALS. For example, for the ResourceTags field, the filter Department NOT_EQUALS Finance matches findings that don’t have the value Finance for the Department tag.
NOT_CONTAINS and NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Department NOT_CONTAINS Security AND Department NOT_CONTAINS Finance match a finding that excludes both the Security and Finance values.
CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can’t have both an EQUALS filter and a NOT_EQUALS filter on the same field. Combining filters in this way returns an error.
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub CSPM User Guide.
IpFilters (list) --
A list of IP address filters that allowing you to filter findings based on IP address properties.
(dict) --
The structure for filtering findings based on IP address attributes.
FieldName (string) --
The name of the IP address field to filter on.
Filter (dict) --
The IP filter for querying findings.
Cidr (string) --
A finding's CIDR value.
NestedCompositeFilters (list) --
Provides an additional level of filtering, creating a three-layer nested structure. The first layer is a CompositeFilters array with a CompositeOperator ( AND/ OR). The second layer is a CompositeFilter object that contains direct filters and NestedCompositeFilters. The third layer is NestedCompositeFilters, which contains additional filter conditions.
Operator (string) --
The logical operator used to combine multiple filter conditions.
CompositeOperator (string) --
The logical operators used to combine the filtering on multiple CompositeFilters.
list
[REQUIRED]
A list of actions to be performed when the rule criteria is met.
(dict) --
Allows you to configure automated responses.
Type (string) -- [REQUIRED]
The category of action to be executed by the automation rule.
FindingFieldsUpdate (dict) --
The changes to be applied to fields in a security finding when an automation rule is triggered.
SeverityId (integer) --
The severity level to be assigned to findings that match the automation rule criteria.
Comment (string) --
Notes or contextual information for findings that are modified by the automation rule.
StatusId (integer) --
The status to be applied to findings that match automation rule criteria.
ExternalIntegrationConfiguration (dict) --
The settings for integrating automation rule actions with external systems or service.
ConnectorArn (string) --
The ARN of the connector that establishes the integration.
dict
A list of key-value pairs associated with the V2 automation rule.
(string) --
(string) --
string
A unique identifier used to ensure idempotency.
This field is autopopulated if not provided.
dict
Response Syntax
{
'RuleArn': 'string',
'RuleId': 'string'
}
Response Structure
(dict) --
RuleArn (string) --
The ARN of the V2 automation rule.
RuleId (string) --
The ID of the V2 automation rule.
{'Provider': {'Azure': {'AWSConfigConnectorArn': 'string',
'AzureRegions': ['string'],
'ScopeConfiguration': {'ScopeType': 'TENANT | '
'SUBSCRIPTION',
'ScopeValues': ['string']}}}}
Response {'ConnectorStatus': {'DEGRADED', 'UNKNOWN'},
'EnablementStatus': 'ENABLED | PENDING_ENABLEMENT | FAILED_TO_ENABLE | '
'PENDING_UPDATE | FAILED_TO_UPDATE | PENDING_DELETION | '
'FAILED_TO_DELETE'}
Grants permission to create a connectorV2 based on input parameters.
See also: AWS API Documentation
Request Syntax
client.create_connector_v2(
Name='string',
Description='string',
Provider={
'JiraCloud': {
'ProjectKey': 'string'
},
'ServiceNow': {
'InstanceName': 'string',
'SecretArn': 'string'
},
'Azure': {
'AWSConfigConnectorArn': 'string',
'ScopeConfiguration': {
'ScopeType': 'TENANT'|'SUBSCRIPTION',
'ScopeValues': [
'string',
]
},
'AzureRegions': [
'string',
]
}
},
KmsKeyArn='string',
Tags={
'string': 'string'
},
ClientToken='string'
)
string
[REQUIRED]
The unique name of the connectorV2.
string
The description of the connectorV2.
dict
[REQUIRED]
The third-party provider’s service configuration.
JiraCloud (dict) --
The configuration settings required to establish an integration with Jira Cloud.
ProjectKey (string) --
The project key for a JiraCloud instance.
ServiceNow (dict) --
The configuration settings required to establish an integration with ServiceNow ITSM.
InstanceName (string) -- [REQUIRED]
The instance name of ServiceNow ITSM.
SecretArn (string) -- [REQUIRED]
The Amazon Resource Name (ARN) of the Amazon Web Services Secrets Manager secret that contains the ServiceNow credentials.
Azure (dict) --
The configuration settings required to establish a CSPM integration with Microsoft Azure.
AWSConfigConnectorArn (string) -- [REQUIRED]
The ARN of the AWS Config connector used to establish the connection to Azure.
ScopeConfiguration (dict) -- [REQUIRED]
The scope configuration that defines which Azure resources are monitored.
ScopeType (string) -- [REQUIRED]
The type of scope. Valid values are tenant and subscription.
ScopeValues (list) --
The list of scope values, such as subscription IDs, when the scope type is subscription.
(string) --
AzureRegions (list) -- [REQUIRED]
The list of Azure regions to monitor.
(string) --
string
The Amazon Resource Name (ARN) of KMS key used to encrypt secrets for the connectorV2.
dict
The tags to add to the connectorV2 when you create.
(string) --
(string) --
string
A unique identifier used to ensure idempotency.
This field is autopopulated if not provided.
dict
Response Syntax
{
'ConnectorArn': 'string',
'ConnectorId': 'string',
'AuthUrl': 'string',
'ConnectorStatus': 'CONNECTED'|'DEGRADED'|'FAILED_TO_CONNECT'|'PENDING_AUTHORIZATION'|'PENDING_CONFIGURATION'|'UNKNOWN',
'EnablementStatus': 'ENABLED'|'PENDING_ENABLEMENT'|'FAILED_TO_ENABLE'|'PENDING_UPDATE'|'FAILED_TO_UPDATE'|'PENDING_DELETION'|'FAILED_TO_DELETE'
}
Response Structure
(dict) --
ConnectorArn (string) --
The Amazon Resource Name (ARN) of the connectorV2.
ConnectorId (string) --
The UUID of the connectorV2 to identify connectorV2 resource.
AuthUrl (string) --
The Url provide to customers for OAuth auth code flow.
ConnectorStatus (string) --
The current status of the connectorV2.
EnablementStatus (string) --
The enablement status of the connector after creation.
{'Filters': {'ResourceOwnerAccountId': [{'Comparison': 'EQUALS | PREFIX | '
'NOT_EQUALS | '
'PREFIX_NOT_EQUALS | '
'CONTAINS | '
'NOT_CONTAINS | '
'CONTAINS_WORD',
'Value': 'string'}],
'ResourceOwnerOrgId': [{'Comparison': 'EQUALS | PREFIX | '
'NOT_EQUALS | '
'PREFIX_NOT_EQUALS | '
'CONTAINS | NOT_CONTAINS | '
'CONTAINS_WORD',
'Value': 'string'}],
'ResourceProvider': [{'Comparison': 'EQUALS | PREFIX | NOT_EQUALS '
'| PREFIX_NOT_EQUALS | '
'CONTAINS | NOT_CONTAINS | '
'CONTAINS_WORD',
'Value': 'string'}]}}
Creates a custom insight in Security Hub CSPM. An insight is a consolidation of findings that relate to a security issue that requires attention or remediation.
To group the related findings in the insight, use the GroupByAttribute.
See also: AWS API Documentation
Request Syntax
client.create_insight(
Name='string',
Filters={
'ProductArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'AwsAccountId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'Id': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'GeneratorId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'Region': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'Type': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'FirstObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
},
],
'LastObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
},
],
'CreatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
},
],
'UpdatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
},
],
'SeverityProduct': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'SeverityNormalized': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'SeverityLabel': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'Confidence': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'Criticality': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'Title': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'Description': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'RecommendationText': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'SourceUrl': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ProductFields': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ProductName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'CompanyName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'UserDefinedFields': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'MalwareName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'MalwareType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'MalwarePath': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'MalwareState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'NetworkDirection': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'NetworkProtocol': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'NetworkSourceIpV4': [
{
'Cidr': 'string'
},
],
'NetworkSourceIpV6': [
{
'Cidr': 'string'
},
],
'NetworkSourcePort': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'NetworkSourceDomain': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'NetworkSourceMac': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'NetworkDestinationIpV4': [
{
'Cidr': 'string'
},
],
'NetworkDestinationIpV6': [
{
'Cidr': 'string'
},
],
'NetworkDestinationPort': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'NetworkDestinationDomain': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ProcessName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ProcessPath': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ProcessPid': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'ProcessParentPid': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'ProcessLaunchedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
},
],
'ProcessTerminatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
},
],
'ThreatIntelIndicatorType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ThreatIntelIndicatorValue': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ThreatIntelIndicatorCategory': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ThreatIntelIndicatorLastObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
},
],
'ThreatIntelIndicatorSource': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ThreatIntelIndicatorSourceUrl': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourcePartition': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceRegion': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceTags': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceAwsEc2InstanceType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceAwsEc2InstanceImageId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceAwsEc2InstanceIpV4Addresses': [
{
'Cidr': 'string'
},
],
'ResourceAwsEc2InstanceIpV6Addresses': [
{
'Cidr': 'string'
},
],
'ResourceAwsEc2InstanceKeyName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceAwsEc2InstanceIamInstanceProfileArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceAwsEc2InstanceVpcId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceAwsEc2InstanceSubnetId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceAwsEc2InstanceLaunchedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
},
],
'ResourceAwsS3BucketOwnerId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceAwsS3BucketOwnerName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceAwsIamAccessKeyUserName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceAwsIamAccessKeyPrincipalName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceAwsIamAccessKeyStatus': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceAwsIamAccessKeyCreatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
},
],
'ResourceAwsIamUserUserName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceContainerName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceContainerImageId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceContainerImageName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceContainerLaunchedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
},
],
'ResourceDetailsOther': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ComplianceStatus': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'VerificationState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'WorkflowState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'WorkflowStatus': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'RecordState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'RelatedFindingsProductArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'RelatedFindingsId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'NoteText': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'NoteUpdatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
},
],
'NoteUpdatedBy': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'Keyword': [
{
'Value': 'string'
},
],
'FindingProviderFieldsConfidence': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'FindingProviderFieldsCriticality': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'FindingProviderFieldsRelatedFindingsId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'FindingProviderFieldsRelatedFindingsProductArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'FindingProviderFieldsSeverityLabel': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'FindingProviderFieldsSeverityOriginal': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'FindingProviderFieldsTypes': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'Sample': [
{
'Value': True|False
},
],
'ComplianceSecurityControlId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ComplianceAssociatedStandardsId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'VulnerabilitiesExploitAvailable': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'VulnerabilitiesFixAvailable': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ComplianceSecurityControlParametersName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ComplianceSecurityControlParametersValue': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'AwsAccountName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceApplicationName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceApplicationArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceOwnerAccountId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceOwnerOrgId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceProvider': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
]
},
GroupByAttribute='string'
)
**Parameters**
::
# This section is too large to render.
# Please see the AWS API Documentation linked below.
`AWS API Documentation <https://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/CreateInsight>`_
dict
Response Syntax
{
'InsightArn': 'string'
}
Response Structure
(dict) --
InsightArn (string) --
The ARN of the insight created.
{'EnablementStatus': 'ENABLED | PENDING_ENABLEMENT | FAILED_TO_ENABLE | '
'PENDING_UPDATE | FAILED_TO_UPDATE | PENDING_DELETION | '
'FAILED_TO_DELETE'}
Grants permission to delete a connectorV2.
See also: AWS API Documentation
Request Syntax
client.delete_connector_v2(
ConnectorId='string'
)
string
[REQUIRED]
The UUID of the connectorV2 to identify connectorV2 resource.
dict
Response Syntax
{
'EnablementStatus': 'ENABLED'|'PENDING_ENABLEMENT'|'FAILED_TO_ENABLE'|'PENDING_UPDATE'|'FAILED_TO_UPDATE'|'PENDING_DELETION'|'FAILED_TO_DELETE'
}
Response Structure
(dict) --
EnablementStatus (string) --
The enablement status of the connector after deletion.
{'Features': {'string': {'FeatureStatus': 'ENABLED | DISABLED',
'UpdatedAt': 'timestamp'}}}
Returns details about the service resource in your account.
See also: AWS API Documentation
Request Syntax
client.describe_security_hub_v2()
dict
Response Syntax
{
'HubV2Arn': 'string',
'SubscribedAt': 'string',
'Features': {
'string': {
'FeatureStatus': 'ENABLED'|'DISABLED',
'UpdatedAt': datetime(2015, 1, 1)
}
}
}
Response Structure
(dict) --
HubV2Arn (string) --
The ARN of the service resource.
SubscribedAt (string) --
The date and time when the service was enabled in the account.
Features (dict) --
A map of opt-in features and their current status and metadata for the account in the current Region.
(string) --
The name of a feature, used as a key in the features map.
(dict) --
Contains the status and metadata for an opt-in feature.
FeatureStatus (string) --
The current enablement status of the feature. Valid values: ENABLED | DISABLED.
UpdatedAt (datetime) --
The date and time when the feature status was last updated.
{'Providers': ['AWS | Azure']}
Response {'Standards': {'Provider': 'AWS | Azure'}}
Returns a list of the available standards in Security Hub CSPM.
For each standard, the results include the standard ARN, the name, and a description.
See also: AWS API Documentation
Request Syntax
client.describe_standards(
NextToken='string',
MaxResults=123,
Providers=[
'AWS'|'Azure',
]
)
string
The token that is required for pagination. On your first call to the DescribeStandards operation, set the value of this parameter to NULL.
For subsequent calls to the operation, to continue listing data, set the value of this parameter to the value returned from the previous response.
integer
The maximum number of standards to return.
list
A list of cloud providers to filter the standards by. For example, specify Azure to return only standards that evaluate Azure resources.
(string) --
dict
Response Syntax
{
'Standards': [
{
'StandardsArn': 'string',
'Name': 'string',
'Description': 'string',
'EnabledByDefault': True|False,
'Provider': 'AWS'|'Azure',
'StandardsManagedBy': {
'Company': 'string',
'Product': 'string'
}
},
],
'NextToken': 'string'
}
Response Structure
(dict) --
Standards (list) --
A list of available standards.
(dict) --
Provides information about a specific security standard.
StandardsArn (string) --
The ARN of the standard.
Name (string) --
The name of the standard.
Description (string) --
A description of the standard.
EnabledByDefault (boolean) --
Whether the standard is enabled by default. When Security Hub CSPM is enabled from the console, if a standard is enabled by default, the check box for that standard is selected by default.
When Security Hub CSPM is enabled using the EnableSecurityHub API operation, the standard is enabled by default unless EnableDefaultStandards is set to false.
Provider (string) --
The cloud provider whose resources the standard evaluates. For example, AWS or Azure.
StandardsManagedBy (dict) --
Provides details about the management of a standard.
Company (string) --
An identifier for the company that manages a specific security standard. For existing standards, the value is equal to Amazon Web Services.
Product (string) --
An identifier for the product that manages a specific security standard. For existing standards, the value is equal to the Amazon Web Services service that manages the standard.
NextToken (string) --
The pagination token to use to request the next page of results.
{'Criteria': {'OcsfFindingCriteria': {'CompositeFilters': {'StringFilters': {'FieldName': {'resources.name',
'resources.owner.account.name',
'resources.owner.account.uid',
'resources.owner.org.uid',
'resources.provider'}}}}}}
Returns an automation rule for the V2 service.
See also: AWS API Documentation
Request Syntax
client.get_automation_rule_v2(
Identifier='string'
)
string
[REQUIRED]
The ARN of the V2 automation rule.
dict
Response Syntax
{
'RuleArn': 'string',
'RuleId': 'string',
'RuleOrder': ...,
'RuleName': 'string',
'RuleStatus': 'ENABLED'|'DISABLED',
'Description': 'string',
'Criteria': {
'OcsfFindingCriteria': {
'CompositeFilters': [
{
'StringFilters': [
{
'FieldName': 'metadata.uid'|'activity_name'|'cloud.account.uid'|'cloud.provider'|'cloud.region'|'compliance.assessments.category'|'compliance.assessments.name'|'compliance.control'|'compliance.status'|'compliance.standards'|'finding_info.desc'|'finding_info.src_url'|'finding_info.title'|'finding_info.types'|'finding_info.uid'|'finding_info.related_events.traits.category'|'finding_info.related_events.uid'|'finding_info.related_events.product.uid'|'finding_info.related_events.title'|'metadata.product.name'|'metadata.product.uid'|'metadata.product.vendor_name'|'remediation.desc'|'remediation.references'|'resources.cloud_partition'|'resources.name'|'resources.owner.account.uid'|'resources.owner.org.uid'|'resources.owner.account.name'|'resources.provider'|'resources.region'|'resources.type'|'resources.uid'|'severity'|'status'|'comment'|'vulnerabilities.fix_coverage'|'class_name'|'databucket.encryption_details.algorithm'|'databucket.encryption_details.key_uid'|'databucket.file.data_classifications.classifier_details.type'|'evidences.actor.user.account.uid'|'evidences.api.operation'|'evidences.api.response.error_message'|'evidences.api.service.name'|'evidences.connection_info.direction'|'evidences.connection_info.protocol_name'|'evidences.dst_endpoint.autonomous_system.name'|'evidences.dst_endpoint.location.city'|'evidences.dst_endpoint.location.country'|'evidences.src_endpoint.autonomous_system.name'|'evidences.src_endpoint.hostname'|'evidences.src_endpoint.location.city'|'evidences.src_endpoint.location.country'|'finding_info.analytic.name'|'malware.name'|'malware_scan_info.uid'|'malware.severity'|'resources.cloud_function.layers.uid_alt'|'resources.cloud_function.runtime'|'resources.cloud_function.user.uid'|'resources.device.encryption_details.key_uid'|'resources.device.image.uid'|'resources.image.architecture'|'resources.image.registry_uid'|'resources.image.repository_name'|'resources.image.uid'|'resources.subnet_info.uid'|'resources.vpc_uid'|'vulnerabilities.affected_code.file.path'|'vulnerabilities.affected_packages.name'|'vulnerabilities.cve.epss.score'|'vulnerabilities.cve.uid'|'vulnerabilities.related_vulnerabilities'|'cloud.account.name'|'vendor_attributes.severity',
'Filter': {
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
}
},
],
'DateFilters': [
{
'FieldName': 'finding_info.created_time_dt'|'finding_info.first_seen_time_dt'|'finding_info.last_seen_time_dt'|'finding_info.modified_time_dt'|'resources.image.created_time_dt'|'resources.image.last_used_time_dt'|'resources.modified_time_dt',
'Filter': {
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
}
},
],
'BooleanFilters': [
{
'FieldName': 'compliance.assessments.meets_criteria'|'vulnerabilities.is_exploit_available'|'vulnerabilities.is_fix_available',
'Filter': {
'Value': True|False
}
},
],
'NumberFilters': [
{
'FieldName': 'activity_id'|'compliance.status_id'|'confidence_score'|'severity_id'|'status_id'|'finding_info.related_events_count'|'evidences.api.response.code'|'evidences.dst_endpoint.autonomous_system.number'|'evidences.dst_endpoint.port'|'evidences.src_endpoint.autonomous_system.number'|'evidences.src_endpoint.port'|'resources.image.in_use_count'|'vulnerabilities.cve.cvss.base_score'|'vendor_attributes.severity_id',
'Filter': {
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
}
},
],
'MapFilters': [
{
'FieldName': 'resources.tags'|'compliance.control_parameters'|'databucket.tags'|'finding_info.tags',
'Filter': {
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
}
},
],
'IpFilters': [
{
'FieldName': 'evidences.dst_endpoint.ip'|'evidences.src_endpoint.ip',
'Filter': {
'Cidr': 'string'
}
},
],
'NestedCompositeFilters': {'... recursive ...'},
'Operator': 'AND'|'OR'
},
],
'CompositeOperator': 'AND'|'OR'
}
},
'Actions': [
{
'Type': 'FINDING_FIELDS_UPDATE'|'EXTERNAL_INTEGRATION',
'FindingFieldsUpdate': {
'SeverityId': 123,
'Comment': 'string',
'StatusId': 123
},
'ExternalIntegrationConfiguration': {
'ConnectorArn': 'string'
}
},
],
'CreatedAt': datetime(2015, 1, 1),
'UpdatedAt': datetime(2015, 1, 1)
}
Response Structure
(dict) --
RuleArn (string) --
The ARN of the V2 automation rule.
RuleId (string) --
The ID of the V2 automation rule.
RuleOrder (float) --
The value for the rule priority.
RuleName (string) --
The name of the V2 automation rule.
RuleStatus (string) --
The status of the V2 automation automation rule.
Description (string) --
A description of the automation rule.
Criteria (dict) --
The filtering type and configuration of the V2 automation rule.
OcsfFindingCriteria (dict) --
The filtering conditions that align with OCSF standards.
CompositeFilters (list) --
Enables the creation of complex filtering conditions by combining filter criteria.
(dict) --
Enables the creation of filtering criteria for security findings.
StringFilters (list) --
Enables filtering based on string field values.
(dict) --
Enables filtering of security findings based on string field values in OCSF.
FieldName (string) --
The name of the field.
Filter (dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
DateFilters (list) --
Enables filtering based on date and timestamp fields.
(dict) --
Enables filtering of security findings based on date and timestamp fields in OCSF.
FieldName (string) --
The name of the field.
Filter (dict) --
A date filter for querying findings.
Start (string) --
A timestamp that provides the start date for the date filter.
For more information about the validation and formatting of timestamp fields in Security Hub CSPM, see Timestamps.
End (string) --
A timestamp that provides the end date for the date filter.
For more information about the validation and formatting of timestamp fields in Security Hub CSPM, see Timestamps.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
Comparison (string) --
The condition to apply to a date range filter. If you specify WITHIN, Security Hub filters for dates within the specified date range. If you specify OLDER_THAN, Security Hub filters for dates before the specified date range. If you don't specify a value, the default is WITHIN.
BooleanFilters (list) --
Enables filtering based on boolean field values.
(dict) --
Enables filtering of security findings based on boolean field values in OCSF.
FieldName (string) --
The name of the field.
Filter (dict) --
Boolean filter for querying findings.
Value (boolean) --
The value of the boolean.
NumberFilters (list) --
Enables filtering based on numerical field values.
(dict) --
Enables filtering of security findings based on numerical field values in OCSF.
FieldName (string) --
The name of the field.
Filter (dict) --
A number filter for querying findings.
Gte (float) --
The greater-than-equal condition to be applied to a single field when querying for findings.
Lte (float) --
The less-than-equal condition to be applied to a single field when querying for findings.
Eq (float) --
The equal-to condition to be applied to a single field when querying for findings.
Gt (float) --
The greater-than condition to be applied to a single field when querying for findings.
Lt (float) --
The less-than condition to be applied to a single field when querying for findings.
MapFilters (list) --
Enables filtering based on map field values.
(dict) --
Enables filtering of security findings based on map field values in OCSF.
FieldName (string) --
The name of the field.
Filter (dict) --
A map filter for filtering Security Hub CSPM findings. Each map filter provides the field to check for, the value to check for, and the comparison operator.
Key (string) --
The key of the map filter. For example, for ResourceTags, Key identifies the name of the tag. For UserDefinedFields, Key is the name of the field.
Value (string) --
The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called Department might be Security. If you provide security as the filter value, then there's no match.
Comparison (string) --
The condition to apply to the key value when filtering Security Hub CSPM findings with a map filter.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, for the ResourceTags field, the filter Department CONTAINS Security matches findings that include the value Security for the Department tag. In the same example, a finding with a value of Security team for the Department tag is a match.
To search for values that exactly match the filter value, use EQUALS. For example, for the ResourceTags field, the filter Department EQUALS Security matches findings that have the value Security for the Department tag.
CONTAINS and EQUALS filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Department CONTAINS Security OR Department CONTAINS Finance match a finding that includes either Security, Finance, or both values.
To search for values that don't have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, for the ResourceTags field, the filter Department NOT_CONTAINS Finance matches findings that exclude the value Finance for the Department tag.
To search for values other than the filter value, use NOT_EQUALS. For example, for the ResourceTags field, the filter Department NOT_EQUALS Finance matches findings that don’t have the value Finance for the Department tag.
NOT_CONTAINS and NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Department NOT_CONTAINS Security AND Department NOT_CONTAINS Finance match a finding that excludes both the Security and Finance values.
CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can’t have both an EQUALS filter and a NOT_EQUALS filter on the same field. Combining filters in this way returns an error.
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub CSPM User Guide.
IpFilters (list) --
A list of IP address filters that allowing you to filter findings based on IP address properties.
(dict) --
The structure for filtering findings based on IP address attributes.
FieldName (string) --
The name of the IP address field to filter on.
Filter (dict) --
The IP filter for querying findings.
Cidr (string) --
A finding's CIDR value.
NestedCompositeFilters (list) --
Provides an additional level of filtering, creating a three-layer nested structure. The first layer is a CompositeFilters array with a CompositeOperator ( AND/ OR). The second layer is a CompositeFilter object that contains direct filters and NestedCompositeFilters. The third layer is NestedCompositeFilters, which contains additional filter conditions.
Operator (string) --
The logical operator used to combine multiple filter conditions.
CompositeOperator (string) --
The logical operators used to combine the filtering on multiple CompositeFilters.
Actions (list) --
A list of actions performed when the rule criteria is met.
(dict) --
Allows you to configure automated responses.
Type (string) --
The category of action to be executed by the automation rule.
FindingFieldsUpdate (dict) --
The changes to be applied to fields in a security finding when an automation rule is triggered.
SeverityId (integer) --
The severity level to be assigned to findings that match the automation rule criteria.
Comment (string) --
Notes or contextual information for findings that are modified by the automation rule.
StatusId (integer) --
The status to be applied to findings that match automation rule criteria.
ExternalIntegrationConfiguration (dict) --
The settings for integrating automation rule actions with external systems or service.
ConnectorArn (string) --
The ARN of the connector that establishes the integration.
CreatedAt (datetime) --
The timestamp when the V2 automation rule was created.
UpdatedAt (datetime) --
The timestamp when the V2 automation rule was updated.
{'EnablementStatus': 'ENABLED | PENDING_ENABLEMENT | FAILED_TO_ENABLE | '
'PENDING_UPDATE | FAILED_TO_UPDATE | PENDING_DELETION | '
'FAILED_TO_DELETE',
'EnablementStatusReason': 'string',
'Health': {'ConnectorStatus': {'DEGRADED', 'UNKNOWN'},
'Issues': [{'Code': 'AUTHENTICATION_FAILURE | '
'STREAM_AUTHORIZATION_FAILURE | '
'DISCOVERY_FAILURE | STREAM_LIMIT_EXCEEDED | '
'STREAM_DISCONNECTED | RECORDING_FAILURE | '
'NO_HEALTH_DATA',
'Message': 'string'}]},
'ProviderDetail': {'Azure': {'AWSConfigConnectorArn': 'string',
'AzureRegions': ['string'],
'ScopeConfiguration': {'ScopeType': 'TENANT | '
'SUBSCRIPTION',
'ScopeValues': ['string']}}}}
Grants permission to retrieve details for a connectorV2 based on connector id.
See also: AWS API Documentation
Request Syntax
client.get_connector_v2(
ConnectorId='string'
)
string
[REQUIRED]
The UUID of the connectorV2 to identify connectorV2 resource.
dict
Response Syntax
{
'ConnectorArn': 'string',
'ConnectorId': 'string',
'Name': 'string',
'Description': 'string',
'KmsKeyArn': 'string',
'CreatedAt': datetime(2015, 1, 1),
'LastUpdatedAt': datetime(2015, 1, 1),
'Health': {
'ConnectorStatus': 'CONNECTED'|'DEGRADED'|'FAILED_TO_CONNECT'|'PENDING_AUTHORIZATION'|'PENDING_CONFIGURATION'|'UNKNOWN',
'Message': 'string',
'LastCheckedAt': datetime(2015, 1, 1),
'Issues': [
{
'Code': 'AUTHENTICATION_FAILURE'|'STREAM_AUTHORIZATION_FAILURE'|'DISCOVERY_FAILURE'|'STREAM_LIMIT_EXCEEDED'|'STREAM_DISCONNECTED'|'RECORDING_FAILURE'|'NO_HEALTH_DATA',
'Message': 'string'
},
]
},
'ProviderDetail': {
'JiraCloud': {
'CloudId': 'string',
'ProjectKey': 'string',
'Domain': 'string',
'AuthUrl': 'string',
'AuthStatus': 'ACTIVE'|'FAILED'
},
'ServiceNow': {
'InstanceName': 'string',
'SecretArn': 'string',
'AuthStatus': 'ACTIVE'|'FAILED'
},
'Azure': {
'AWSConfigConnectorArn': 'string',
'ScopeConfiguration': {
'ScopeType': 'TENANT'|'SUBSCRIPTION',
'ScopeValues': [
'string',
]
},
'AzureRegions': [
'string',
]
}
},
'EnablementStatus': 'ENABLED'|'PENDING_ENABLEMENT'|'FAILED_TO_ENABLE'|'PENDING_UPDATE'|'FAILED_TO_UPDATE'|'PENDING_DELETION'|'FAILED_TO_DELETE',
'EnablementStatusReason': 'string'
}
Response Structure
(dict) --
ConnectorArn (string) --
The Amazon Resource Name (ARN) of the connectorV2.
ConnectorId (string) --
The UUID of the connectorV2 to identify connectorV2 resource.
Name (string) --
The name of the connectorV2.
Description (string) --
The description of the connectorV2.
KmsKeyArn (string) --
The Amazon Resource Name (ARN) of KMS key used for the connectorV2.
CreatedAt (datetime) --
ISO 8601 UTC timestamp for the time create the connectorV2.
LastUpdatedAt (datetime) --
ISO 8601 UTC timestamp for the time update the connectorV2 connectorStatus.
Health (dict) --
The current health status for connectorV2
ConnectorStatus (string) --
The status of the connectorV2.
Message (string) --
The message for the reason of connectorStatus change.
LastCheckedAt (datetime) --
ISO 8601 UTC timestamp for the time check the health status of the connectorV2.
Issues (list) --
A list of health issues associated with the connector, including error codes and messages.
(dict) --
Represents a specific health issue detected for a connector.
Code (string) --
The error code that identifies the type of health issue.
Message (string) --
A human-readable message that describes the health issue.
ProviderDetail (dict) --
The third-party provider detail for a service configuration.
JiraCloud (dict) --
Details about a Jira Cloud integration.
CloudId (string) --
The cloud id of the Jira Cloud.
ProjectKey (string) --
The projectKey of Jira Cloud.
Domain (string) --
The URL domain of your Jira Cloud instance.
AuthUrl (string) --
The URL to provide to customers for OAuth auth code flow.
AuthStatus (string) --
The status of the authorization between Jira Cloud and the service.
ServiceNow (dict) --
Details about a ServiceNow ITSM integration.
InstanceName (string) --
The instanceName of ServiceNow ITSM.
SecretArn (string) --
The Amazon Resource Name (ARN) of the Amazon Web Services Secrets Manager secret that contains the ServiceNow credentials.
AuthStatus (string) --
The status of the authorization between ServiceNow and the service.
Azure (dict) --
Details about a Microsoft Azure CSPM integration.
AWSConfigConnectorArn (string) --
The ARN of the AWS Config connector used to establish the connection to Azure.
ScopeConfiguration (dict) --
The scope configuration that defines which Azure resources are monitored.
ScopeType (string) --
The type of scope. Valid values are tenant and subscription.
ScopeValues (list) --
The list of scope values, such as subscription IDs, when the scope type is subscription.
(string) --
AzureRegions (list) --
The list of Azure regions being monitored.
(string) --
EnablementStatus (string) --
The enablement status of the connector.
EnablementStatusReason (string) --
The reason for the current enablement status. Provides additional context when the connector is in a failed state.
{'Providers': ['AWS | Azure']}
Response {'StandardsSubscriptions': {'Provider': 'AWS | Azure',
'StandardsStatusReason': {'StatusReasonCode': {'NO_AVAILABLE_MULTICLOUD_CONNECTOR'}}}}
Returns a list of the standards that are currently enabled.
See also: AWS API Documentation
Request Syntax
client.get_enabled_standards(
StandardsSubscriptionArns=[
'string',
],
NextToken='string',
MaxResults=123,
Providers=[
'AWS'|'Azure',
]
)
list
The list of the standards subscription ARNs for the standards to retrieve.
(string) --
string
The token that is required for pagination. On your first call to the GetEnabledStandards operation, set the value of this parameter to NULL.
For subsequent calls to the operation, to continue listing data, set the value of this parameter to the value returned from the previous response.
integer
The maximum number of results to return in the response.
list
A list of cloud providers to filter the enabled standards by. For example, specify Azure to return only enabled standards that evaluate Azure resources.
(string) --
dict
Response Syntax
{
'StandardsSubscriptions': [
{
'StandardsSubscriptionArn': 'string',
'StandardsArn': 'string',
'StandardsInput': {
'string': 'string'
},
'StandardsStatus': 'PENDING'|'READY'|'FAILED'|'DELETING'|'INCOMPLETE',
'StandardsControlsUpdatable': 'READY_FOR_UPDATES'|'NOT_READY_FOR_UPDATES',
'StandardsStatusReason': {
'StatusReasonCode': 'NO_AVAILABLE_CONFIGURATION_RECORDER'|'MAXIMUM_NUMBER_OF_CONFIG_RULES_EXCEEDED'|'NO_AVAILABLE_MULTICLOUD_CONNECTOR'|'INTERNAL_ERROR'
},
'Provider': 'AWS'|'Azure'
},
],
'NextToken': 'string'
}
Response Structure
(dict) --
StandardsSubscriptions (list) --
The list of StandardsSubscriptions objects that include information about the enabled standards.
(dict) --
A resource that represents your subscription to a supported standard.
StandardsSubscriptionArn (string) --
The ARN of the resource that represents your subscription to the standard.
StandardsArn (string) --
The ARN of the standard.
StandardsInput (dict) --
A key-value pair of input for the standard.
(string) --
(string) --
StandardsStatus (string) --
The status of your subscription to the standard. Possible values are:
PENDING - The standard is in the process of being enabled. Or the standard is already enabled and Security Hub CSPM is adding new controls to the standard.
READY - The standard is enabled.
INCOMPLETE - The standard could not be enabled completely. One or more errors ( StandardsStatusReason) occurred when Security Hub CSPM attempted to enable the standard.
DELETING - The standard is in the process of being disabled.
FAILED - The standard could not be disabled. One or more errors ( StandardsStatusReason) occurred when Security Hub CSPM attempted to disable the standard.
StandardsControlsUpdatable (string) --
Specifies whether you can retrieve information about and configure individual controls that apply to the standard. Possible values are:
READY_FOR_UPDATES - Controls in the standard can be retrieved and configured.
NOT_READY_FOR_UPDATES - Controls in the standard cannot be retrieved or configured.
StandardsStatusReason (dict) --
The reason for the current status.
StatusReasonCode (string) --
The reason code that represents the reason for the current status of a standard subscription.
Provider (string) --
The cloud provider whose resources the standard evaluates. For example, AWS or Azure.
NextToken (string) --
The pagination token to use to request the next page of results.
{'GroupByRules': {'Filters': {'CompositeFilters': {'StringFilters': {'FieldName': {'resources.name',
'resources.owner.account.name',
'resources.owner.account.uid',
'resources.owner.org.uid',
'resources.provider'}}}},
'GroupByField': {'resources.cloud_partition',
'resources.name',
'resources.owner.account.name',
'resources.owner.account.uid',
'resources.owner.org.uid',
'resources.provider',
'resources.region'}}}
Returns aggregated statistical data about findings.
You can use the Scopes parameter to define the data boundary for the query. Currently, Scopes supports AwsOrganizations, which lets you aggregate findings from your entire organization or from specific organizational units. Only the delegated administrator account can use Scopes.
GetFindingStatisticsV2 uses securityhub:GetAdhocInsightResults in the Action element of an IAM policy statement. You must have permission to perform the securityhub:GetAdhocInsightResults action.
See also: AWS API Documentation
Request Syntax
client.get_finding_statistics_v2(
GroupByRules=[
{
'Filters': {
'CompositeFilters': [
{
'StringFilters': [
{
'FieldName': 'metadata.uid'|'activity_name'|'cloud.account.uid'|'cloud.provider'|'cloud.region'|'compliance.assessments.category'|'compliance.assessments.name'|'compliance.control'|'compliance.status'|'compliance.standards'|'finding_info.desc'|'finding_info.src_url'|'finding_info.title'|'finding_info.types'|'finding_info.uid'|'finding_info.related_events.traits.category'|'finding_info.related_events.uid'|'finding_info.related_events.product.uid'|'finding_info.related_events.title'|'metadata.product.name'|'metadata.product.uid'|'metadata.product.vendor_name'|'remediation.desc'|'remediation.references'|'resources.cloud_partition'|'resources.name'|'resources.owner.account.uid'|'resources.owner.org.uid'|'resources.owner.account.name'|'resources.provider'|'resources.region'|'resources.type'|'resources.uid'|'severity'|'status'|'comment'|'vulnerabilities.fix_coverage'|'class_name'|'databucket.encryption_details.algorithm'|'databucket.encryption_details.key_uid'|'databucket.file.data_classifications.classifier_details.type'|'evidences.actor.user.account.uid'|'evidences.api.operation'|'evidences.api.response.error_message'|'evidences.api.service.name'|'evidences.connection_info.direction'|'evidences.connection_info.protocol_name'|'evidences.dst_endpoint.autonomous_system.name'|'evidences.dst_endpoint.location.city'|'evidences.dst_endpoint.location.country'|'evidences.src_endpoint.autonomous_system.name'|'evidences.src_endpoint.hostname'|'evidences.src_endpoint.location.city'|'evidences.src_endpoint.location.country'|'finding_info.analytic.name'|'malware.name'|'malware_scan_info.uid'|'malware.severity'|'resources.cloud_function.layers.uid_alt'|'resources.cloud_function.runtime'|'resources.cloud_function.user.uid'|'resources.device.encryption_details.key_uid'|'resources.device.image.uid'|'resources.image.architecture'|'resources.image.registry_uid'|'resources.image.repository_name'|'resources.image.uid'|'resources.subnet_info.uid'|'resources.vpc_uid'|'vulnerabilities.affected_code.file.path'|'vulnerabilities.affected_packages.name'|'vulnerabilities.cve.epss.score'|'vulnerabilities.cve.uid'|'vulnerabilities.related_vulnerabilities'|'cloud.account.name'|'vendor_attributes.severity',
'Filter': {
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
}
},
],
'DateFilters': [
{
'FieldName': 'finding_info.created_time_dt'|'finding_info.first_seen_time_dt'|'finding_info.last_seen_time_dt'|'finding_info.modified_time_dt'|'resources.image.created_time_dt'|'resources.image.last_used_time_dt'|'resources.modified_time_dt',
'Filter': {
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
}
},
],
'BooleanFilters': [
{
'FieldName': 'compliance.assessments.meets_criteria'|'vulnerabilities.is_exploit_available'|'vulnerabilities.is_fix_available',
'Filter': {
'Value': True|False
}
},
],
'NumberFilters': [
{
'FieldName': 'activity_id'|'compliance.status_id'|'confidence_score'|'severity_id'|'status_id'|'finding_info.related_events_count'|'evidences.api.response.code'|'evidences.dst_endpoint.autonomous_system.number'|'evidences.dst_endpoint.port'|'evidences.src_endpoint.autonomous_system.number'|'evidences.src_endpoint.port'|'resources.image.in_use_count'|'vulnerabilities.cve.cvss.base_score'|'vendor_attributes.severity_id',
'Filter': {
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
}
},
],
'MapFilters': [
{
'FieldName': 'resources.tags'|'compliance.control_parameters'|'databucket.tags'|'finding_info.tags',
'Filter': {
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
}
},
],
'IpFilters': [
{
'FieldName': 'evidences.dst_endpoint.ip'|'evidences.src_endpoint.ip',
'Filter': {
'Cidr': 'string'
}
},
],
'NestedCompositeFilters': {'... recursive ...'},
'Operator': 'AND'|'OR'
},
],
'CompositeOperator': 'AND'|'OR'
},
'GroupByField': 'activity_name'|'cloud.account.uid'|'cloud.provider'|'cloud.region'|'compliance.assessments.name'|'compliance.status'|'compliance.control'|'finding_info.title'|'finding_info.related_events.traits.category'|'finding_info.types'|'metadata.product.name'|'metadata.product.uid'|'resources.type'|'resources.cloud_partition'|'resources.name'|'resources.owner.account.uid'|'resources.owner.org.uid'|'resources.owner.account.name'|'resources.provider'|'resources.region'|'resources.uid'|'severity'|'status'|'vulnerabilities.fix_coverage'|'class_name'|'vulnerabilities.affected_packages.name'|'finding_info.analytic.name'|'compliance.standards'|'cloud.account.name'|'vendor_attributes.severity'|'metadata.product.vendor_name'
},
],
Scopes={
'AwsOrganizations': [
{
'OrganizationId': 'string',
'OrganizationalUnitId': 'string'
},
]
},
SortOrder='asc'|'desc',
MaxStatisticResults=123
)
list
[REQUIRED]
Specifies how security findings should be aggregated and organized in the statistical analysis. It can accept up to 5 groupBy fields in a single call.
(dict) --
Defines the how the finding attribute should be grouped.
Filters (dict) --
The criteria used to select which security findings should be included in the grouping operation.
CompositeFilters (list) --
Enables the creation of complex filtering conditions by combining filter criteria.
(dict) --
Enables the creation of filtering criteria for security findings.
StringFilters (list) --
Enables filtering based on string field values.
(dict) --
Enables filtering of security findings based on string field values in OCSF.
FieldName (string) --
The name of the field.
Filter (dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
DateFilters (list) --
Enables filtering based on date and timestamp fields.
(dict) --
Enables filtering of security findings based on date and timestamp fields in OCSF.
FieldName (string) --
The name of the field.
Filter (dict) --
A date filter for querying findings.
Start (string) --
A timestamp that provides the start date for the date filter.
For more information about the validation and formatting of timestamp fields in Security Hub CSPM, see Timestamps.
End (string) --
A timestamp that provides the end date for the date filter.
For more information about the validation and formatting of timestamp fields in Security Hub CSPM, see Timestamps.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
Comparison (string) --
The condition to apply to a date range filter. If you specify WITHIN, Security Hub filters for dates within the specified date range. If you specify OLDER_THAN, Security Hub filters for dates before the specified date range. If you don't specify a value, the default is WITHIN.
BooleanFilters (list) --
Enables filtering based on boolean field values.
(dict) --
Enables filtering of security findings based on boolean field values in OCSF.
FieldName (string) --
The name of the field.
Filter (dict) --
Boolean filter for querying findings.
Value (boolean) --
The value of the boolean.
NumberFilters (list) --
Enables filtering based on numerical field values.
(dict) --
Enables filtering of security findings based on numerical field values in OCSF.
FieldName (string) --
The name of the field.
Filter (dict) --
A number filter for querying findings.
Gte (float) --
The greater-than-equal condition to be applied to a single field when querying for findings.
Lte (float) --
The less-than-equal condition to be applied to a single field when querying for findings.
Eq (float) --
The equal-to condition to be applied to a single field when querying for findings.
Gt (float) --
The greater-than condition to be applied to a single field when querying for findings.
Lt (float) --
The less-than condition to be applied to a single field when querying for findings.
MapFilters (list) --
Enables filtering based on map field values.
(dict) --
Enables filtering of security findings based on map field values in OCSF.
FieldName (string) --
The name of the field.
Filter (dict) --
A map filter for filtering Security Hub CSPM findings. Each map filter provides the field to check for, the value to check for, and the comparison operator.
Key (string) --
The key of the map filter. For example, for ResourceTags, Key identifies the name of the tag. For UserDefinedFields, Key is the name of the field.
Value (string) --
The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called Department might be Security. If you provide security as the filter value, then there's no match.
Comparison (string) --
The condition to apply to the key value when filtering Security Hub CSPM findings with a map filter.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, for the ResourceTags field, the filter Department CONTAINS Security matches findings that include the value Security for the Department tag. In the same example, a finding with a value of Security team for the Department tag is a match.
To search for values that exactly match the filter value, use EQUALS. For example, for the ResourceTags field, the filter Department EQUALS Security matches findings that have the value Security for the Department tag.
CONTAINS and EQUALS filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Department CONTAINS Security OR Department CONTAINS Finance match a finding that includes either Security, Finance, or both values.
To search for values that don't have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, for the ResourceTags field, the filter Department NOT_CONTAINS Finance matches findings that exclude the value Finance for the Department tag.
To search for values other than the filter value, use NOT_EQUALS. For example, for the ResourceTags field, the filter Department NOT_EQUALS Finance matches findings that don’t have the value Finance for the Department tag.
NOT_CONTAINS and NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Department NOT_CONTAINS Security AND Department NOT_CONTAINS Finance match a finding that excludes both the Security and Finance values.
CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can’t have both an EQUALS filter and a NOT_EQUALS filter on the same field. Combining filters in this way returns an error.
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub CSPM User Guide.
IpFilters (list) --
A list of IP address filters that allowing you to filter findings based on IP address properties.
(dict) --
The structure for filtering findings based on IP address attributes.
FieldName (string) --
The name of the IP address field to filter on.
Filter (dict) --
The IP filter for querying findings.
Cidr (string) --
A finding's CIDR value.
NestedCompositeFilters (list) --
Provides an additional level of filtering, creating a three-layer nested structure. The first layer is a CompositeFilters array with a CompositeOperator ( AND/ OR). The second layer is a CompositeFilter object that contains direct filters and NestedCompositeFilters. The third layer is NestedCompositeFilters, which contains additional filter conditions.
Operator (string) --
The logical operator used to combine multiple filter conditions.
CompositeOperator (string) --
The logical operators used to combine the filtering on multiple CompositeFilters.
GroupByField (string) -- [REQUIRED]
The attribute by which filtered findings should be grouped.
dict
Limits the results to findings from specific organizational units or from the delegated administrator's organization. Only the delegated administrator account can use this parameter. Other accounts receive an AccessDeniedException.
This parameter is optional. If you omit it, the delegated administrator sees statistics from all accounts across the entire organization. Other accounts see only statistics for their own findings.
You can specify up to 10 entries in Scopes.AwsOrganizations. If multiple entries are specified, the entries are combined using OR logic.
AwsOrganizations (list) --
A list of Organizations scopes to include in the query results. Each entry in the list specifies an organization or organizational unit to include for the delegated administrator's account. If the list specifies multiple entries, the entries are combined using OR logic.
(dict) --
Specifies an Organizations scope. Data from the specified organization or organizational unit is included in the response.
To scope to a specific organizational unit, provide OrganizationalUnitId. You can optionally include OrganizationId. If you omit OrganizationId, Security Hub uses the caller's organization ID. To scope to the delegated administrator's entire organization, provide only OrganizationId.
The organization ID and organizational unit must belong to the delegated administrator's own organization. Each request must use one scoping approach: either scope to the entire organization by providing an AwsOrganizationScope entry with only OrganizationId, or scope to specific organizational units by providing AwsOrganizationScope entries with OrganizationalUnitId. You can't combine both approaches in the same request.
OrganizationId (string) --
The unique identifier (ID) of the organization (for example, o-abcd1234567890). The organization must be the delegated administrator's own organization. If you omit this value and provide OrganizationalUnitId, Security Hub uses the caller's organization ID.
OrganizationalUnitId (string) --
The unique identifier (ID) of the organizational unit (OU) (for example, ou-ab12-cd345678). The OU must exist within the delegated administrator's own organization. When specified, the results include only data from accounts in this OU.
string
Orders the aggregation count in descending or ascending order. Descending order is the default.
integer
The maximum number of results to be returned.
dict
Response Syntax
{
'GroupByResults': [
{
'GroupByField': 'string',
'GroupByValues': [
{
'FieldValue': 'string',
'Count': 123
},
]
},
]
}
Response Structure
(dict) --
GroupByResults (list) --
Aggregated statistics about security findings based on specified grouping criteria.
(dict) --
Represents finding statistics grouped by GroupedByField.
GroupByField (string) --
The attribute by which filtered security findings should be grouped.
GroupByValues (list) --
An array of grouped values and their respective counts for each GroupByField.
(dict) --
Represents individual aggregated results when grouping security findings for each GroupByField.
FieldValue (string) --
The value of the field by which findings are grouped.
Count (integer) --
The number of findings for a specific FieldValue and GroupByField.
{'Filters': {'ResourceOwnerAccountId': [{'Comparison': 'EQUALS | PREFIX | '
'NOT_EQUALS | '
'PREFIX_NOT_EQUALS | '
'CONTAINS | '
'NOT_CONTAINS | '
'CONTAINS_WORD',
'Value': 'string'}],
'ResourceOwnerOrgId': [{'Comparison': 'EQUALS | PREFIX | '
'NOT_EQUALS | '
'PREFIX_NOT_EQUALS | '
'CONTAINS | NOT_CONTAINS | '
'CONTAINS_WORD',
'Value': 'string'}],
'ResourceProvider': [{'Comparison': 'EQUALS | PREFIX | NOT_EQUALS '
'| PREFIX_NOT_EQUALS | '
'CONTAINS | NOT_CONTAINS | '
'CONTAINS_WORD',
'Value': 'string'}]}}
Response {'Findings': {'Resources': {'Details': {'AzureResource': {}},
'Owner': {'Account': {'Id': 'string'},
'Org': {'Id': 'string'}},
'Partition': {'AzureCloud',
'aws-us-iso',
'aws-us-iso-b'},
'Provider': 'Azure | AWS'}}}
Returns a list of findings that match the specified criteria.
If cross-Region aggregation is enabled, then when you call GetFindings from the home Region, the results include all of the matching findings from both the home Region and linked Regions.
See also: AWS API Documentation
Request Syntax
client.get_findings(
Filters={
'ProductArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'AwsAccountId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'Id': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'GeneratorId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'Region': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'Type': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'FirstObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
},
],
'LastObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
},
],
'CreatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
},
],
'UpdatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
},
],
'SeverityProduct': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'SeverityNormalized': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'SeverityLabel': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'Confidence': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'Criticality': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'Title': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'Description': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'RecommendationText': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'SourceUrl': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ProductFields': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ProductName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'CompanyName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'UserDefinedFields': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'MalwareName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'MalwareType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'MalwarePath': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'MalwareState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'NetworkDirection': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'NetworkProtocol': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'NetworkSourceIpV4': [
{
'Cidr': 'string'
},
],
'NetworkSourceIpV6': [
{
'Cidr': 'string'
},
],
'NetworkSourcePort': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'NetworkSourceDomain': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'NetworkSourceMac': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'NetworkDestinationIpV4': [
{
'Cidr': 'string'
},
],
'NetworkDestinationIpV6': [
{
'Cidr': 'string'
},
],
'NetworkDestinationPort': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'NetworkDestinationDomain': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ProcessName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ProcessPath': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ProcessPid': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'ProcessParentPid': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'ProcessLaunchedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
},
],
'ProcessTerminatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
},
],
'ThreatIntelIndicatorType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ThreatIntelIndicatorValue': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ThreatIntelIndicatorCategory': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ThreatIntelIndicatorLastObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
},
],
'ThreatIntelIndicatorSource': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ThreatIntelIndicatorSourceUrl': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourcePartition': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceRegion': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceTags': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceAwsEc2InstanceType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceAwsEc2InstanceImageId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceAwsEc2InstanceIpV4Addresses': [
{
'Cidr': 'string'
},
],
'ResourceAwsEc2InstanceIpV6Addresses': [
{
'Cidr': 'string'
},
],
'ResourceAwsEc2InstanceKeyName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceAwsEc2InstanceIamInstanceProfileArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceAwsEc2InstanceVpcId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceAwsEc2InstanceSubnetId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceAwsEc2InstanceLaunchedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
},
],
'ResourceAwsS3BucketOwnerId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceAwsS3BucketOwnerName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceAwsIamAccessKeyUserName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceAwsIamAccessKeyPrincipalName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceAwsIamAccessKeyStatus': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceAwsIamAccessKeyCreatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
},
],
'ResourceAwsIamUserUserName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceContainerName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceContainerImageId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceContainerImageName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceContainerLaunchedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
},
],
'ResourceDetailsOther': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ComplianceStatus': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'VerificationState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'WorkflowState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'WorkflowStatus': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'RecordState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'RelatedFindingsProductArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'RelatedFindingsId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'NoteText': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'NoteUpdatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
},
],
'NoteUpdatedBy': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'Keyword': [
{
'Value': 'string'
},
],
'FindingProviderFieldsConfidence': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'FindingProviderFieldsCriticality': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'FindingProviderFieldsRelatedFindingsId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'FindingProviderFieldsRelatedFindingsProductArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'FindingProviderFieldsSeverityLabel': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'FindingProviderFieldsSeverityOriginal': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'FindingProviderFieldsTypes': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'Sample': [
{
'Value': True|False
},
],
'ComplianceSecurityControlId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ComplianceAssociatedStandardsId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'VulnerabilitiesExploitAvailable': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'VulnerabilitiesFixAvailable': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ComplianceSecurityControlParametersName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ComplianceSecurityControlParametersValue': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'AwsAccountName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceApplicationName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceApplicationArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceOwnerAccountId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceOwnerOrgId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceProvider': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
]
},
SortCriteria=[
{
'Field': 'string',
'SortOrder': 'asc'|'desc'
},
],
NextToken='string',
MaxResults=123
)
**Parameters**
::
# This section is too large to render.
# Please see the AWS API Documentation linked below.
`AWS API Documentation <https://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/GetFindings>`_
dict
Response Syntax
# This section is too large to render. # Please see the AWS API Documentation linked below.
Response Structure
# This section is too large to render. # Please see the AWS API Documentation linked below.
{'Filters': {'CompositeFilters': {'StringFilters': {'FieldName': {'resource_cloud_providers',
'resource_owner_ids',
'resource_owner_organization_ids',
'resource_regions'}}}}}
Returns findings trend data based on the specified criteria. This operation helps you analyze patterns and changes in findings over time.
See also: AWS API Documentation
Request Syntax
client.get_findings_trends_v2(
Filters={
'CompositeFilters': [
{
'StringFilters': [
{
'FieldName': 'account_id'|'region'|'finding_types'|'finding_status'|'finding_cve_ids'|'finding_compliance_status'|'finding_control_id'|'finding_class_name'|'finding_provider'|'finding_activity_name'|'resource_cloud_providers'|'resource_regions'|'resource_owner_ids'|'resource_owner_organization_ids',
'Filter': {
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
}
},
],
'NestedCompositeFilters': {'... recursive ...'},
'Operator': 'AND'|'OR'
},
],
'CompositeOperator': 'AND'|'OR'
},
StartTime=datetime(2015, 1, 1),
EndTime=datetime(2015, 1, 1),
NextToken='string',
MaxResults=123
)
dict
The filters to apply to the findings trend data.
CompositeFilters (list) --
A list of composite filters to apply to the findings trend data.
(dict) --
A filter structure that contains a logical combination of string filters and nested composite filters for findings trend data.
StringFilters (list) --
A list of string filters that apply to findings trend data fields.
(dict) --
A filter for string-based fields in findings trend data.
FieldName (string) --
The name of the findings field to filter on. You can specify one of the following fields.
account_id – The Amazon Web Services account ID associated with the finding.
region – The Amazon Web Services Region associated with the finding.
finding_types – The finding types associated with the finding.
finding_status – The status of the finding.
finding_cve_ids – The Common Vulnerabilities and Exposures (CVE) identifiers associated with the finding.
finding_compliance_status – The compliance status of the finding.
finding_control_id – The identifier of the security control associated with the finding.
finding_class_name – The finding class, such as Compliance Finding.
finding_provider – The name of the product that generated the finding.
finding_activity_name – The activity name associated with the finding.
resource_cloud_providers – The cloud providers of the resources that the finding is associated with. Valid values are AWS and Azure.
resource_regions – The Regions of the associated resources. For an Amazon Web Services resource, this is the Amazon Web Services Region. For an Azure resource, this is the Azure Region, such as eastus.
resource_owner_ids – The identifiers of the accounts that own the associated resources. For an Amazon Web Services resource, this is the Amazon Web Services account ID. For an Azure resource, this is the Azure subscription ID.
resource_owner_organization_ids – The identifiers of the organizations that own the associated resources. For an Amazon Web Services resource, this is the Amazon Web Services organization ID. For an Azure resource, this is the Azure tenant ID.
Filter (dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
NestedCompositeFilters (list) --
A list of nested composite filters that you can use to create complex filter conditions for findings trend data.
Operator (string) --
The logical operator (AND, OR) to apply between the string filters and nested composite filters.
CompositeOperator (string) --
The logical operator (AND, OR) to apply between multiple composite filters.
datetime
[REQUIRED]
The starting timestamp for the time period to analyze findings trends, in ISO 8601 format.
datetime
[REQUIRED]
The ending timestamp for the time period to analyze findings trends, in ISO 8601 format.
string
The token to use for paginating results. This value is returned in the response if more results are available.
integer
The maximum number of trend data points to return in a single response.
dict
Response Syntax
{
'Granularity': 'Daily'|'Weekly'|'Monthly',
'TrendsMetrics': [
{
'Timestamp': datetime(2015, 1, 1),
'TrendsValues': {
'SeverityTrends': {
'Unknown': 123,
'Informational': 123,
'Low': 123,
'Medium': 123,
'High': 123,
'Critical': 123,
'Fatal': 123,
'Other': 123
}
}
},
],
'NextToken': 'string'
}
Response Structure
(dict) --
Granularity (string) --
The time interval granularity for the returned trend data.
TrendsMetrics (list) --
The collection of time-series trend metrics, including counts of findings by severity across the specified time period.
(dict) --
Contains the findings trend metrics data for a specific time point in the requested time period.
Timestamp (datetime) --
The timestamp for this data point in the findings trend metrics.
TrendsValues (dict) --
The finding trend metric values associated with this timestamp, including severity counts.
SeverityTrends (dict) --
The count of findings organized by severity level for this data point in the trend timeline.
Unknown (integer) --
The count of findings with Unknown severity level at this point in the trend timeline.
Informational (integer) --
The count of findings with Informational severity level at this point in the trend timeline.
Low (integer) --
The count of findings with Low severity level at this point in the trend timeline.
Medium (integer) --
The count of findings with Medium severity level at this point in the trend timeline.
High (integer) --
The count of findings with High severity level at this point in the trend timeline.
Critical (integer) --
The count of findings with Critical severity level at this point in the trend timeline.
Fatal (integer) --
The count of findings with Fatal severity level at this point in the trend timeline.
Other (integer) --
The count of findings with severity levels not fitting into the standard categories at this point in the trend timeline.
NextToken (string) --
The token to use for retrieving the next page of results, if more trend data is available.
{'Filters': {'CompositeFilters': {'StringFilters': {'FieldName': {'resources.name',
'resources.owner.account.name',
'resources.owner.account.uid',
'resources.owner.org.uid',
'resources.provider'}}}}}
Returns a list of findings that match the specified criteria.
You can use the Scopes parameter to define the data boundary for the query. Currently, Scopes supports AwsOrganizations, which lets you retrieve findings from your entire organization or from specific organizational units. Only the delegated administrator account can use Scopes.
You can use the Filters parameter to refine results based on finding attributes. You can use Scopes and Filters independently or together. When both are provided, Scopes narrows the data set first, and then Filters refines results within that scoped data set.
GetFindings and GetFindingsV2 both use securityhub:GetFindings in the Action element of an IAM policy statement. You must have permission to perform the securityhub:GetFindings action.
See also: AWS API Documentation
Request Syntax
client.get_findings_v2(
Filters={
'CompositeFilters': [
{
'StringFilters': [
{
'FieldName': 'metadata.uid'|'activity_name'|'cloud.account.uid'|'cloud.provider'|'cloud.region'|'compliance.assessments.category'|'compliance.assessments.name'|'compliance.control'|'compliance.status'|'compliance.standards'|'finding_info.desc'|'finding_info.src_url'|'finding_info.title'|'finding_info.types'|'finding_info.uid'|'finding_info.related_events.traits.category'|'finding_info.related_events.uid'|'finding_info.related_events.product.uid'|'finding_info.related_events.title'|'metadata.product.name'|'metadata.product.uid'|'metadata.product.vendor_name'|'remediation.desc'|'remediation.references'|'resources.cloud_partition'|'resources.name'|'resources.owner.account.uid'|'resources.owner.org.uid'|'resources.owner.account.name'|'resources.provider'|'resources.region'|'resources.type'|'resources.uid'|'severity'|'status'|'comment'|'vulnerabilities.fix_coverage'|'class_name'|'databucket.encryption_details.algorithm'|'databucket.encryption_details.key_uid'|'databucket.file.data_classifications.classifier_details.type'|'evidences.actor.user.account.uid'|'evidences.api.operation'|'evidences.api.response.error_message'|'evidences.api.service.name'|'evidences.connection_info.direction'|'evidences.connection_info.protocol_name'|'evidences.dst_endpoint.autonomous_system.name'|'evidences.dst_endpoint.location.city'|'evidences.dst_endpoint.location.country'|'evidences.src_endpoint.autonomous_system.name'|'evidences.src_endpoint.hostname'|'evidences.src_endpoint.location.city'|'evidences.src_endpoint.location.country'|'finding_info.analytic.name'|'malware.name'|'malware_scan_info.uid'|'malware.severity'|'resources.cloud_function.layers.uid_alt'|'resources.cloud_function.runtime'|'resources.cloud_function.user.uid'|'resources.device.encryption_details.key_uid'|'resources.device.image.uid'|'resources.image.architecture'|'resources.image.registry_uid'|'resources.image.repository_name'|'resources.image.uid'|'resources.subnet_info.uid'|'resources.vpc_uid'|'vulnerabilities.affected_code.file.path'|'vulnerabilities.affected_packages.name'|'vulnerabilities.cve.epss.score'|'vulnerabilities.cve.uid'|'vulnerabilities.related_vulnerabilities'|'cloud.account.name'|'vendor_attributes.severity',
'Filter': {
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
}
},
],
'DateFilters': [
{
'FieldName': 'finding_info.created_time_dt'|'finding_info.first_seen_time_dt'|'finding_info.last_seen_time_dt'|'finding_info.modified_time_dt'|'resources.image.created_time_dt'|'resources.image.last_used_time_dt'|'resources.modified_time_dt',
'Filter': {
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
}
},
],
'BooleanFilters': [
{
'FieldName': 'compliance.assessments.meets_criteria'|'vulnerabilities.is_exploit_available'|'vulnerabilities.is_fix_available',
'Filter': {
'Value': True|False
}
},
],
'NumberFilters': [
{
'FieldName': 'activity_id'|'compliance.status_id'|'confidence_score'|'severity_id'|'status_id'|'finding_info.related_events_count'|'evidences.api.response.code'|'evidences.dst_endpoint.autonomous_system.number'|'evidences.dst_endpoint.port'|'evidences.src_endpoint.autonomous_system.number'|'evidences.src_endpoint.port'|'resources.image.in_use_count'|'vulnerabilities.cve.cvss.base_score'|'vendor_attributes.severity_id',
'Filter': {
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
}
},
],
'MapFilters': [
{
'FieldName': 'resources.tags'|'compliance.control_parameters'|'databucket.tags'|'finding_info.tags',
'Filter': {
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
}
},
],
'IpFilters': [
{
'FieldName': 'evidences.dst_endpoint.ip'|'evidences.src_endpoint.ip',
'Filter': {
'Cidr': 'string'
}
},
],
'NestedCompositeFilters': {'... recursive ...'},
'Operator': 'AND'|'OR'
},
],
'CompositeOperator': 'AND'|'OR'
},
Scopes={
'AwsOrganizations': [
{
'OrganizationId': 'string',
'OrganizationalUnitId': 'string'
},
]
},
SortCriteria=[
{
'Field': 'string',
'SortOrder': 'asc'|'desc'
},
],
NextToken='string',
MaxResults=123
)
dict
The finding attributes used to define a condition to filter the returned OCSF findings. You can filter up to 10 composite filters. For each filter type inside of a composite filter, you can provide up to 20 filters.
CompositeFilters (list) --
Enables the creation of complex filtering conditions by combining filter criteria.
(dict) --
Enables the creation of filtering criteria for security findings.
StringFilters (list) --
Enables filtering based on string field values.
(dict) --
Enables filtering of security findings based on string field values in OCSF.
FieldName (string) --
The name of the field.
Filter (dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
DateFilters (list) --
Enables filtering based on date and timestamp fields.
(dict) --
Enables filtering of security findings based on date and timestamp fields in OCSF.
FieldName (string) --
The name of the field.
Filter (dict) --
A date filter for querying findings.
Start (string) --
A timestamp that provides the start date for the date filter.
For more information about the validation and formatting of timestamp fields in Security Hub CSPM, see Timestamps.
End (string) --
A timestamp that provides the end date for the date filter.
For more information about the validation and formatting of timestamp fields in Security Hub CSPM, see Timestamps.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
Comparison (string) --
The condition to apply to a date range filter. If you specify WITHIN, Security Hub filters for dates within the specified date range. If you specify OLDER_THAN, Security Hub filters for dates before the specified date range. If you don't specify a value, the default is WITHIN.
BooleanFilters (list) --
Enables filtering based on boolean field values.
(dict) --
Enables filtering of security findings based on boolean field values in OCSF.
FieldName (string) --
The name of the field.
Filter (dict) --
Boolean filter for querying findings.
Value (boolean) --
The value of the boolean.
NumberFilters (list) --
Enables filtering based on numerical field values.
(dict) --
Enables filtering of security findings based on numerical field values in OCSF.
FieldName (string) --
The name of the field.
Filter (dict) --
A number filter for querying findings.
Gte (float) --
The greater-than-equal condition to be applied to a single field when querying for findings.
Lte (float) --
The less-than-equal condition to be applied to a single field when querying for findings.
Eq (float) --
The equal-to condition to be applied to a single field when querying for findings.
Gt (float) --
The greater-than condition to be applied to a single field when querying for findings.
Lt (float) --
The less-than condition to be applied to a single field when querying for findings.
MapFilters (list) --
Enables filtering based on map field values.
(dict) --
Enables filtering of security findings based on map field values in OCSF.
FieldName (string) --
The name of the field.
Filter (dict) --
A map filter for filtering Security Hub CSPM findings. Each map filter provides the field to check for, the value to check for, and the comparison operator.
Key (string) --
The key of the map filter. For example, for ResourceTags, Key identifies the name of the tag. For UserDefinedFields, Key is the name of the field.
Value (string) --
The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called Department might be Security. If you provide security as the filter value, then there's no match.
Comparison (string) --
The condition to apply to the key value when filtering Security Hub CSPM findings with a map filter.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, for the ResourceTags field, the filter Department CONTAINS Security matches findings that include the value Security for the Department tag. In the same example, a finding with a value of Security team for the Department tag is a match.
To search for values that exactly match the filter value, use EQUALS. For example, for the ResourceTags field, the filter Department EQUALS Security matches findings that have the value Security for the Department tag.
CONTAINS and EQUALS filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Department CONTAINS Security OR Department CONTAINS Finance match a finding that includes either Security, Finance, or both values.
To search for values that don't have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, for the ResourceTags field, the filter Department NOT_CONTAINS Finance matches findings that exclude the value Finance for the Department tag.
To search for values other than the filter value, use NOT_EQUALS. For example, for the ResourceTags field, the filter Department NOT_EQUALS Finance matches findings that don’t have the value Finance for the Department tag.
NOT_CONTAINS and NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Department NOT_CONTAINS Security AND Department NOT_CONTAINS Finance match a finding that excludes both the Security and Finance values.
CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can’t have both an EQUALS filter and a NOT_EQUALS filter on the same field. Combining filters in this way returns an error.
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub CSPM User Guide.
IpFilters (list) --
A list of IP address filters that allowing you to filter findings based on IP address properties.
(dict) --
The structure for filtering findings based on IP address attributes.
FieldName (string) --
The name of the IP address field to filter on.
Filter (dict) --
The IP filter for querying findings.
Cidr (string) --
A finding's CIDR value.
NestedCompositeFilters (list) --
Provides an additional level of filtering, creating a three-layer nested structure. The first layer is a CompositeFilters array with a CompositeOperator ( AND/ OR). The second layer is a CompositeFilter object that contains direct filters and NestedCompositeFilters. The third layer is NestedCompositeFilters, which contains additional filter conditions.
Operator (string) --
The logical operator used to combine multiple filter conditions.
CompositeOperator (string) --
The logical operators used to combine the filtering on multiple CompositeFilters.
dict
Limits the results to findings from specific organizational units or from the delegated administrator's organization. Only the delegated administrator account can use this parameter. Other accounts receive an AccessDeniedException.
This parameter is optional. If you omit it, the delegated administrator sees findings from all accounts across the entire organization. Other accounts see only their own findings.
You can specify up to 10 entries in Scopes.AwsOrganizations. If multiple entries are specified, the entries are combined using OR logic.
AwsOrganizations (list) --
A list of Organizations scopes to include in the query results. Each entry in the list specifies an organization or organizational unit to include for the delegated administrator's account. If the list specifies multiple entries, the entries are combined using OR logic.
(dict) --
Specifies an Organizations scope. Data from the specified organization or organizational unit is included in the response.
To scope to a specific organizational unit, provide OrganizationalUnitId. You can optionally include OrganizationId. If you omit OrganizationId, Security Hub uses the caller's organization ID. To scope to the delegated administrator's entire organization, provide only OrganizationId.
The organization ID and organizational unit must belong to the delegated administrator's own organization. Each request must use one scoping approach: either scope to the entire organization by providing an AwsOrganizationScope entry with only OrganizationId, or scope to specific organizational units by providing AwsOrganizationScope entries with OrganizationalUnitId. You can't combine both approaches in the same request.
OrganizationId (string) --
The unique identifier (ID) of the organization (for example, o-abcd1234567890). The organization must be the delegated administrator's own organization. If you omit this value and provide OrganizationalUnitId, Security Hub uses the caller's organization ID.
OrganizationalUnitId (string) --
The unique identifier (ID) of the organizational unit (OU) (for example, ou-ab12-cd345678). The OU must exist within the delegated administrator's own organization. When specified, the results include only data from accounts in this OU.
list
The finding attributes used to sort the list of returned findings.
(dict) --
A collection of finding attributes used to sort findings.
Field (string) --
The finding attribute used to sort findings.
SortOrder (string) --
The order used to sort findings.
string
The token required for pagination. On your first call, set the value of this parameter to NULL. For subsequent calls, to continue listing data, set the value of this parameter to the value returned in the previous response.
integer
The maximum number of results to return.
dict
Response Syntax
{
'Findings': [
{...}|[...]|123|123.4|'string'|True|None,
],
'NextToken': 'string'
}
Response Structure
(dict) --
Findings (list) --
An array of security findings returned by the operation.
(:ref:`document<document>`) --
NextToken (string) --
The pagination token to use to request the next page of results. Otherwise, this parameter is null.
{'Insights': {'Filters': {'ResourceOwnerAccountId': [{'Comparison': 'EQUALS | '
'PREFIX | '
'NOT_EQUALS '
'| '
'PREFIX_NOT_EQUALS '
'| '
'CONTAINS '
'| '
'NOT_CONTAINS '
'| '
'CONTAINS_WORD',
'Value': 'string'}],
'ResourceOwnerOrgId': [{'Comparison': 'EQUALS | '
'PREFIX | '
'NOT_EQUALS | '
'PREFIX_NOT_EQUALS '
'| CONTAINS | '
'NOT_CONTAINS '
'| '
'CONTAINS_WORD',
'Value': 'string'}],
'ResourceProvider': [{'Comparison': 'EQUALS | PREFIX '
'| NOT_EQUALS | '
'PREFIX_NOT_EQUALS '
'| CONTAINS | '
'NOT_CONTAINS | '
'CONTAINS_WORD',
'Value': 'string'}]}}}
Lists and describes insights for the specified insight ARNs.
See also: AWS API Documentation
Request Syntax
client.get_insights(
InsightArns=[
'string',
],
NextToken='string',
MaxResults=123
)
list
The ARNs of the insights to describe. If you don't provide any insight ARNs, then GetInsights returns all of your custom insights. It does not return any managed insights.
(string) --
string
The token that is required for pagination. On your first call to the GetInsights operation, set the value of this parameter to NULL.
For subsequent calls to the operation, to continue listing data, set the value of this parameter to the value returned from the previous response.
integer
The maximum number of items to return in the response.
dict
Response Syntax
{
'Insights': [
{
'InsightArn': 'string',
'Name': 'string',
'Filters': {
'ProductArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'AwsAccountId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'Id': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'GeneratorId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'Region': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'Type': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'FirstObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
},
],
'LastObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
},
],
'CreatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
},
],
'UpdatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
},
],
'SeverityProduct': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'SeverityNormalized': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'SeverityLabel': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'Confidence': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'Criticality': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'Title': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'Description': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'RecommendationText': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'SourceUrl': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ProductFields': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ProductName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'CompanyName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'UserDefinedFields': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'MalwareName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'MalwareType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'MalwarePath': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'MalwareState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'NetworkDirection': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'NetworkProtocol': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'NetworkSourceIpV4': [
{
'Cidr': 'string'
},
],
'NetworkSourceIpV6': [
{
'Cidr': 'string'
},
],
'NetworkSourcePort': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'NetworkSourceDomain': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'NetworkSourceMac': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'NetworkDestinationIpV4': [
{
'Cidr': 'string'
},
],
'NetworkDestinationIpV6': [
{
'Cidr': 'string'
},
],
'NetworkDestinationPort': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'NetworkDestinationDomain': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ProcessName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ProcessPath': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ProcessPid': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'ProcessParentPid': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'ProcessLaunchedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
},
],
'ProcessTerminatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
},
],
'ThreatIntelIndicatorType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ThreatIntelIndicatorValue': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ThreatIntelIndicatorCategory': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ThreatIntelIndicatorLastObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
},
],
'ThreatIntelIndicatorSource': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ThreatIntelIndicatorSourceUrl': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourcePartition': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceRegion': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceTags': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceAwsEc2InstanceType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceAwsEc2InstanceImageId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceAwsEc2InstanceIpV4Addresses': [
{
'Cidr': 'string'
},
],
'ResourceAwsEc2InstanceIpV6Addresses': [
{
'Cidr': 'string'
},
],
'ResourceAwsEc2InstanceKeyName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceAwsEc2InstanceIamInstanceProfileArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceAwsEc2InstanceVpcId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceAwsEc2InstanceSubnetId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceAwsEc2InstanceLaunchedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
},
],
'ResourceAwsS3BucketOwnerId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceAwsS3BucketOwnerName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceAwsIamAccessKeyUserName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceAwsIamAccessKeyPrincipalName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceAwsIamAccessKeyStatus': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceAwsIamAccessKeyCreatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
},
],
'ResourceAwsIamUserUserName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceContainerName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceContainerImageId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceContainerImageName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceContainerLaunchedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
},
],
'ResourceDetailsOther': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ComplianceStatus': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'VerificationState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'WorkflowState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'WorkflowStatus': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'RecordState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'RelatedFindingsProductArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'RelatedFindingsId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'NoteText': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'NoteUpdatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
},
],
'NoteUpdatedBy': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'Keyword': [
{
'Value': 'string'
},
],
'FindingProviderFieldsConfidence': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'FindingProviderFieldsCriticality': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'FindingProviderFieldsRelatedFindingsId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'FindingProviderFieldsRelatedFindingsProductArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'FindingProviderFieldsSeverityLabel': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'FindingProviderFieldsSeverityOriginal': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'FindingProviderFieldsTypes': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'Sample': [
{
'Value': True|False
},
],
'ComplianceSecurityControlId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ComplianceAssociatedStandardsId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'VulnerabilitiesExploitAvailable': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'VulnerabilitiesFixAvailable': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ComplianceSecurityControlParametersName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ComplianceSecurityControlParametersValue': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'AwsAccountName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceApplicationName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceApplicationArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceOwnerAccountId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceOwnerOrgId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceProvider': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
]
},
'GroupByAttribute': 'string'
},
],
'NextToken': 'string'
}
**Response Structure**
::
# This section is too large to render.
# Please see the AWS API Documentation linked below.
`AWS API Documentation <https://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/GetInsights>`_
{'GroupByRules': {'Filters': {'CompositeFilters': {'StringFilters': {'FieldName': {'AccountName',
'ResourceCloudPartition',
'ResourceOwnerAccountId',
'ResourceOwnerOrgId',
'ResourceProvider',
'ResourceRegion'}}}},
'GroupByField': {'AccountName',
'ResourceCloudPartition',
'ResourceOwnerAccountId',
'ResourceOwnerOrgId',
'ResourceProvider',
'ResourceRegion'}}}
Retrieves statistical information about Amazon Web Services resources and their associated security findings.
You can use the Scopes parameter to define the data boundary for the query. Currently, Scopes supports AwsOrganizations, which lets you aggregate resources from your entire organization or from specific organizational units. Only the delegated administrator account can use Scopes.
See also: AWS API Documentation
Request Syntax
client.get_resources_statistics_v2(
GroupByRules=[
{
'GroupByField': 'AccountId'|'AccountName'|'Region'|'ResourceProvider'|'ResourceOwnerAccountId'|'ResourceOwnerOrgId'|'ResourceCloudPartition'|'ResourceRegion'|'ResourceCategory'|'ResourceType'|'ResourceName'|'FindingsSummary.FindingType',
'Filters': {
'CompositeFilters': [
{
'StringFilters': [
{
'FieldName': 'ResourceGuid'|'ResourceId'|'AccountId'|'AccountName'|'Region'|'ResourceProvider'|'ResourceOwnerAccountId'|'ResourceOwnerOrgId'|'ResourceCloudPartition'|'ResourceRegion'|'ResourceCategory'|'ResourceType'|'ResourceName'|'FindingsSummary.FindingType'|'FindingsSummary.ProductName',
'Filter': {
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
}
},
],
'DateFilters': [
{
'FieldName': 'ResourceDetailCaptureTime'|'ResourceCreationTime',
'Filter': {
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
}
},
],
'NumberFilters': [
{
'FieldName': 'FindingsSummary.TotalFindings'|'FindingsSummary.Severities.Other'|'FindingsSummary.Severities.Fatal'|'FindingsSummary.Severities.Critical'|'FindingsSummary.Severities.High'|'FindingsSummary.Severities.Medium'|'FindingsSummary.Severities.Low'|'FindingsSummary.Severities.Informational'|'FindingsSummary.Severities.Unknown',
'Filter': {
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
}
},
],
'MapFilters': [
{
'FieldName': 'ResourceTags',
'Filter': {
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
}
},
],
'NestedCompositeFilters': {'... recursive ...'},
'Operator': 'AND'|'OR'
},
],
'CompositeOperator': 'AND'|'OR'
}
},
],
Scopes={
'AwsOrganizations': [
{
'OrganizationId': 'string',
'OrganizationalUnitId': 'string'
},
]
},
SortOrder='asc'|'desc',
MaxStatisticResults=123
)
list
[REQUIRED]
How resource statistics should be aggregated and organized in the response.
(dict) --
Defines the configuration for organizing and categorizing Amazon Web Services resources based on associated security findings.
GroupByField (string) -- [REQUIRED]
Specifies the attribute that resources should be grouped by.
Filters (dict) --
The criteria used to select resources and associated security findings.
CompositeFilters (list) --
A collection of complex filtering conditions that can be applied to Amazon Web Services resources.
(dict) --
Enables the creation of criteria for Amazon Web Services resources in Security Hub CSPM.
StringFilters (list) --
Enables filtering based on string field values.
(dict) --
Enables filtering of Amazon Web Services resources based on string field values.
FieldName (string) --
The name of the field.
Filter (dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
DateFilters (list) --
Enables filtering based on date and timestamp field values.
(dict) --
Enables the filtering of Amazon Web Services resources based on date and timestamp attributes.
FieldName (string) --
The name of the field.
Filter (dict) --
A date filter for querying findings.
Start (string) --
A timestamp that provides the start date for the date filter.
For more information about the validation and formatting of timestamp fields in Security Hub CSPM, see Timestamps.
End (string) --
A timestamp that provides the end date for the date filter.
For more information about the validation and formatting of timestamp fields in Security Hub CSPM, see Timestamps.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
Comparison (string) --
The condition to apply to a date range filter. If you specify WITHIN, Security Hub filters for dates within the specified date range. If you specify OLDER_THAN, Security Hub filters for dates before the specified date range. If you don't specify a value, the default is WITHIN.
NumberFilters (list) --
Enables filtering based on numerical field values.
(dict) --
Enables filtering of Amazon Web Services resources based on numerical values.
FieldName (string) --
The name of the field.
Filter (dict) --
A number filter for querying findings.
Gte (float) --
The greater-than-equal condition to be applied to a single field when querying for findings.
Lte (float) --
The less-than-equal condition to be applied to a single field when querying for findings.
Eq (float) --
The equal-to condition to be applied to a single field when querying for findings.
Gt (float) --
The greater-than condition to be applied to a single field when querying for findings.
Lt (float) --
The less-than condition to be applied to a single field when querying for findings.
MapFilters (list) --
Enables filtering based on map-based field values.
(dict) --
Enables filtering of Amazon Web Services resources based on key-value map attributes.
FieldName (string) --
The name of the field.
Filter (dict) --
A map filter for filtering Security Hub CSPM findings. Each map filter provides the field to check for, the value to check for, and the comparison operator.
Key (string) --
The key of the map filter. For example, for ResourceTags, Key identifies the name of the tag. For UserDefinedFields, Key is the name of the field.
Value (string) --
The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called Department might be Security. If you provide security as the filter value, then there's no match.
Comparison (string) --
The condition to apply to the key value when filtering Security Hub CSPM findings with a map filter.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, for the ResourceTags field, the filter Department CONTAINS Security matches findings that include the value Security for the Department tag. In the same example, a finding with a value of Security team for the Department tag is a match.
To search for values that exactly match the filter value, use EQUALS. For example, for the ResourceTags field, the filter Department EQUALS Security matches findings that have the value Security for the Department tag.
CONTAINS and EQUALS filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Department CONTAINS Security OR Department CONTAINS Finance match a finding that includes either Security, Finance, or both values.
To search for values that don't have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, for the ResourceTags field, the filter Department NOT_CONTAINS Finance matches findings that exclude the value Finance for the Department tag.
To search for values other than the filter value, use NOT_EQUALS. For example, for the ResourceTags field, the filter Department NOT_EQUALS Finance matches findings that don’t have the value Finance for the Department tag.
NOT_CONTAINS and NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Department NOT_CONTAINS Security AND Department NOT_CONTAINS Finance match a finding that excludes both the Security and Finance values.
CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can’t have both an EQUALS filter and a NOT_EQUALS filter on the same field. Combining filters in this way returns an error.
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub CSPM User Guide.
NestedCompositeFilters (list) --
Provides an additional level of filtering, creating a three-layer nested structure. The first layer is a CompositeFilters array with a CompositeOperator ( AND/ OR). The second layer is a CompositeFilter object that contains direct filters and NestedCompositeFilters. The third layer is NestedCompositeFilters, which contains additional filter conditions.
Operator (string) --
The logical operator used to combine multiple filter conditions.
CompositeOperator (string) --
The logical operator used to combine multiple filter conditions in the structure.
dict
Limits the results to resources from specific organizational units or from the delegated administrator's organization. Only the delegated administrator account can use this parameter. Other accounts receive an AccessDeniedException.
This parameter is optional. If you omit it, the delegated administrator sees statistics from all accounts across the entire organization. Other accounts see only statistics for their own resources.
You can specify up to 10 entries in Scopes.AwsOrganizations. If multiple entries are specified, the entries are combined using OR logic.
AwsOrganizations (list) --
A list of Organizations scopes to include in the query results. Each entry in the list specifies an organization or organizational unit to include for the delegated administrator's account. If the list specifies multiple entries, the entries are combined using OR logic.
(dict) --
Specifies an Organizations scope. Data from the specified organization or organizational unit is included in the response.
To scope to a specific organizational unit, provide OrganizationalUnitId. You can optionally include OrganizationId. If you omit OrganizationId, Security Hub uses the caller's organization ID. To scope to the delegated administrator's entire organization, provide only OrganizationId.
The organization ID and organizational unit must belong to the delegated administrator's own organization. Each request must use one scoping approach: either scope to the entire organization by providing an AwsOrganizationScope entry with only OrganizationId, or scope to specific organizational units by providing AwsOrganizationScope entries with OrganizationalUnitId. You can't combine both approaches in the same request.
OrganizationId (string) --
The unique identifier (ID) of the organization (for example, o-abcd1234567890). The organization must be the delegated administrator's own organization. If you omit this value and provide OrganizationalUnitId, Security Hub uses the caller's organization ID.
OrganizationalUnitId (string) --
The unique identifier (ID) of the organizational unit (OU) (for example, ou-ab12-cd345678). The OU must exist within the delegated administrator's own organization. When specified, the results include only data from accounts in this OU.
string
Sorts aggregated statistics.
integer
The maximum number of results to be returned.
dict
Response Syntax
{
'GroupByResults': [
{
'GroupByField': 'string',
'GroupByValues': [
{
'FieldValue': 'string',
'Count': 123
},
]
},
]
}
Response Structure
(dict) --
GroupByResults (list) --
The aggregated statistics about resources based on the specified grouping rule.
(dict) --
Represents finding statistics grouped by GroupedByField.
GroupByField (string) --
The attribute by which filtered security findings should be grouped.
GroupByValues (list) --
An array of grouped values and their respective counts for each GroupByField.
(dict) --
Represents individual aggregated results when grouping security findings for each GroupByField.
FieldValue (string) --
The value of the field by which findings are grouped.
Count (integer) --
The number of findings for a specific FieldValue and GroupByField.
{'Filters': {'CompositeFilters': {'StringFilters': {'FieldName': {'resource_cloud_provider',
'resource_owner_id',
'resource_owner_organization_id',
'resource_region'}}}}}
Returns resource trend data based on the specified criteria. This operation helps you analyze patterns and changes in resource compliance over time.
See also: AWS API Documentation
Request Syntax
client.get_resources_trends_v2(
Filters={
'CompositeFilters': [
{
'StringFilters': [
{
'FieldName': 'account_id'|'region'|'resource_type'|'resource_category'|'resource_cloud_provider'|'resource_region'|'resource_owner_id'|'resource_owner_organization_id',
'Filter': {
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
}
},
],
'NestedCompositeFilters': {'... recursive ...'},
'Operator': 'AND'|'OR'
},
],
'CompositeOperator': 'AND'|'OR'
},
StartTime=datetime(2015, 1, 1),
EndTime=datetime(2015, 1, 1),
NextToken='string',
MaxResults=123
)
dict
The filters to apply to the resources trend data.
CompositeFilters (list) --
A list of composite filters to apply to the resources trend data.
(dict) --
A filter structure that contains a logical combination of string filters and nested composite filters for resources trend data.
StringFilters (list) --
A list of string filters that apply to resources trend data fields.
(dict) --
A filter for string-based fields in resources trend data, such as resource type or account ID.
FieldName (string) --
The name of the resources field to filter on. You can specify one of the following fields.
account_id – The Amazon Web Services account ID that owns the resource.
region – The Amazon Web Services Region of the resource.
resource_type – The type of the resource.
resource_category – The category of the resource.
resource_cloud_provider – The cloud provider of the resource. Valid values are AWS and Azure.
resource_region – The Region of the resource. For an Amazon Web Services resource, this is the Amazon Web Services Region. For an Azure resource, this is the Azure Region, such as eastus.
resource_owner_id – The identifier of the account that owns the resource. For an Amazon Web Services resource, this is the Amazon Web Services account ID. For an Azure resource, this is the Azure subscription ID.
resource_owner_organization_id – The identifier of the organization that owns the resource. For an Amazon Web Services resource, this is the Amazon Web Services organization ID. For an Azure resource, this is the Azure tenant ID.
Filter (dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
NestedCompositeFilters (list) --
A list of nested composite filters that you can use to create complex filter conditions for resources trend data.
Operator (string) --
The logical operator (AND, OR) to apply between the string filters and nested composite filters.
CompositeOperator (string) --
The logical operator (AND, OR) to apply between multiple composite filters.
datetime
[REQUIRED]
The starting timestamp for the time period to analyze resources trends, in ISO 8601 format.
datetime
[REQUIRED]
The ending timestamp for the time period to analyze resources trends, in ISO 8601 format.
string
The token to use for paginating results. This value is returned in the response if more results are available.
integer
The maximum number of trend data points to return in a single response.
dict
Response Syntax
{
'Granularity': 'Daily'|'Weekly'|'Monthly',
'TrendsMetrics': [
{
'Timestamp': datetime(2015, 1, 1),
'TrendsValues': {
'ResourcesCount': {
'AllResources': 123
}
}
},
],
'NextToken': 'string'
}
Response Structure
(dict) --
Granularity (string) --
The time interval granularity for the returned trend data (such as DAILY or WEEKLY).
TrendsMetrics (list) --
The collection of time-series trend metrics, including counts of resources across the specified time period.
(dict) --
Contains the resource trend metrics data for a specific time point in the requested time period.
Timestamp (datetime) --
The timestamp for this data point in the resources trend metrics.
TrendsValues (dict) --
The resource trend metric values associated with this timestamp, including resource counts.
ResourcesCount (dict) --
The resource count statistics for this data point in the trend timeline.
AllResources (integer) --
The total count of all resources for the given time interval.
NextToken (string) --
The token to use for retrieving the next page of results, if more trend data is available.
{'Filters': {'CompositeFilters': {'StringFilters': {'FieldName': {'AccountName',
'ResourceCloudPartition',
'ResourceOwnerAccountId',
'ResourceOwnerOrgId',
'ResourceProvider',
'ResourceRegion'}}}}}
Response {'Resources': {'AccountName': 'string',
'ResourceCategory': {'Messaging'},
'ResourceCloudPartition': 'string',
'ResourceOwnerAccountId': 'string',
'ResourceOwnerOrgId': 'string',
'ResourceProvider': 'string',
'ResourceRegion': 'string'}}
Returns a list of resources.
You can use the Scopes parameter to define the data boundary for the query. Currently, Scopes supports AwsOrganizations, which lets you retrieve resources from your entire organization or from specific organizational units. Only the delegated administrator account can use Scopes.
You can use the Filters parameter to refine results based on resource attributes. You can use Scopes and Filters independently or together. When both are provided, Scopes narrows the data set first, and then Filters refines results within that scoped data set.
See also: AWS API Documentation
Request Syntax
client.get_resources_v2(
Filters={
'CompositeFilters': [
{
'StringFilters': [
{
'FieldName': 'ResourceGuid'|'ResourceId'|'AccountId'|'AccountName'|'Region'|'ResourceProvider'|'ResourceOwnerAccountId'|'ResourceOwnerOrgId'|'ResourceCloudPartition'|'ResourceRegion'|'ResourceCategory'|'ResourceType'|'ResourceName'|'FindingsSummary.FindingType'|'FindingsSummary.ProductName',
'Filter': {
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
}
},
],
'DateFilters': [
{
'FieldName': 'ResourceDetailCaptureTime'|'ResourceCreationTime',
'Filter': {
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
}
},
],
'NumberFilters': [
{
'FieldName': 'FindingsSummary.TotalFindings'|'FindingsSummary.Severities.Other'|'FindingsSummary.Severities.Fatal'|'FindingsSummary.Severities.Critical'|'FindingsSummary.Severities.High'|'FindingsSummary.Severities.Medium'|'FindingsSummary.Severities.Low'|'FindingsSummary.Severities.Informational'|'FindingsSummary.Severities.Unknown',
'Filter': {
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
}
},
],
'MapFilters': [
{
'FieldName': 'ResourceTags',
'Filter': {
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
}
},
],
'NestedCompositeFilters': {'... recursive ...'},
'Operator': 'AND'|'OR'
},
],
'CompositeOperator': 'AND'|'OR'
},
Scopes={
'AwsOrganizations': [
{
'OrganizationId': 'string',
'OrganizationalUnitId': 'string'
},
]
},
SortCriteria=[
{
'Field': 'string',
'SortOrder': 'asc'|'desc'
},
],
NextToken='string',
MaxResults=123
)
dict
Filters resources based on a set of criteria.
CompositeFilters (list) --
A collection of complex filtering conditions that can be applied to Amazon Web Services resources.
(dict) --
Enables the creation of criteria for Amazon Web Services resources in Security Hub CSPM.
StringFilters (list) --
Enables filtering based on string field values.
(dict) --
Enables filtering of Amazon Web Services resources based on string field values.
FieldName (string) --
The name of the field.
Filter (dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
DateFilters (list) --
Enables filtering based on date and timestamp field values.
(dict) --
Enables the filtering of Amazon Web Services resources based on date and timestamp attributes.
FieldName (string) --
The name of the field.
Filter (dict) --
A date filter for querying findings.
Start (string) --
A timestamp that provides the start date for the date filter.
For more information about the validation and formatting of timestamp fields in Security Hub CSPM, see Timestamps.
End (string) --
A timestamp that provides the end date for the date filter.
For more information about the validation and formatting of timestamp fields in Security Hub CSPM, see Timestamps.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
Comparison (string) --
The condition to apply to a date range filter. If you specify WITHIN, Security Hub filters for dates within the specified date range. If you specify OLDER_THAN, Security Hub filters for dates before the specified date range. If you don't specify a value, the default is WITHIN.
NumberFilters (list) --
Enables filtering based on numerical field values.
(dict) --
Enables filtering of Amazon Web Services resources based on numerical values.
FieldName (string) --
The name of the field.
Filter (dict) --
A number filter for querying findings.
Gte (float) --
The greater-than-equal condition to be applied to a single field when querying for findings.
Lte (float) --
The less-than-equal condition to be applied to a single field when querying for findings.
Eq (float) --
The equal-to condition to be applied to a single field when querying for findings.
Gt (float) --
The greater-than condition to be applied to a single field when querying for findings.
Lt (float) --
The less-than condition to be applied to a single field when querying for findings.
MapFilters (list) --
Enables filtering based on map-based field values.
(dict) --
Enables filtering of Amazon Web Services resources based on key-value map attributes.
FieldName (string) --
The name of the field.
Filter (dict) --
A map filter for filtering Security Hub CSPM findings. Each map filter provides the field to check for, the value to check for, and the comparison operator.
Key (string) --
The key of the map filter. For example, for ResourceTags, Key identifies the name of the tag. For UserDefinedFields, Key is the name of the field.
Value (string) --
The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called Department might be Security. If you provide security as the filter value, then there's no match.
Comparison (string) --
The condition to apply to the key value when filtering Security Hub CSPM findings with a map filter.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, for the ResourceTags field, the filter Department CONTAINS Security matches findings that include the value Security for the Department tag. In the same example, a finding with a value of Security team for the Department tag is a match.
To search for values that exactly match the filter value, use EQUALS. For example, for the ResourceTags field, the filter Department EQUALS Security matches findings that have the value Security for the Department tag.
CONTAINS and EQUALS filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Department CONTAINS Security OR Department CONTAINS Finance match a finding that includes either Security, Finance, or both values.
To search for values that don't have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, for the ResourceTags field, the filter Department NOT_CONTAINS Finance matches findings that exclude the value Finance for the Department tag.
To search for values other than the filter value, use NOT_EQUALS. For example, for the ResourceTags field, the filter Department NOT_EQUALS Finance matches findings that don’t have the value Finance for the Department tag.
NOT_CONTAINS and NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Department NOT_CONTAINS Security AND Department NOT_CONTAINS Finance match a finding that excludes both the Security and Finance values.
CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can’t have both an EQUALS filter and a NOT_EQUALS filter on the same field. Combining filters in this way returns an error.
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub CSPM User Guide.
NestedCompositeFilters (list) --
Provides an additional level of filtering, creating a three-layer nested structure. The first layer is a CompositeFilters array with a CompositeOperator ( AND/ OR). The second layer is a CompositeFilter object that contains direct filters and NestedCompositeFilters. The third layer is NestedCompositeFilters, which contains additional filter conditions.
Operator (string) --
The logical operator used to combine multiple filter conditions.
CompositeOperator (string) --
The logical operator used to combine multiple filter conditions in the structure.
dict
Limits the results to resources from specific organizational units or from the delegated administrator's organization. Only the delegated administrator account can use this parameter. Other accounts receive an AccessDeniedException.
This parameter is optional. If you omit it, the delegated administrator sees resources from all accounts across the entire organization. Other accounts see only their own resources.
You can specify up to 10 entries in Scopes.AwsOrganizations. If multiple entries are specified, the entries are combined using OR logic.
AwsOrganizations (list) --
A list of Organizations scopes to include in the query results. Each entry in the list specifies an organization or organizational unit to include for the delegated administrator's account. If the list specifies multiple entries, the entries are combined using OR logic.
(dict) --
Specifies an Organizations scope. Data from the specified organization or organizational unit is included in the response.
To scope to a specific organizational unit, provide OrganizationalUnitId. You can optionally include OrganizationId. If you omit OrganizationId, Security Hub uses the caller's organization ID. To scope to the delegated administrator's entire organization, provide only OrganizationId.
The organization ID and organizational unit must belong to the delegated administrator's own organization. Each request must use one scoping approach: either scope to the entire organization by providing an AwsOrganizationScope entry with only OrganizationId, or scope to specific organizational units by providing AwsOrganizationScope entries with OrganizationalUnitId. You can't combine both approaches in the same request.
OrganizationId (string) --
The unique identifier (ID) of the organization (for example, o-abcd1234567890). The organization must be the delegated administrator's own organization. If you omit this value and provide OrganizationalUnitId, Security Hub uses the caller's organization ID.
OrganizationalUnitId (string) --
The unique identifier (ID) of the organizational unit (OU) (for example, ou-ab12-cd345678). The OU must exist within the delegated administrator's own organization. When specified, the results include only data from accounts in this OU.
list
The resource attributes used to sort the list of returned resources.
(dict) --
A collection of finding attributes used to sort findings.
Field (string) --
The finding attribute used to sort findings.
SortOrder (string) --
The order used to sort findings.
string
The token required for pagination. On your first call, set the value of this parameter to NULL. For subsequent calls, to continue listing data, set the value of this parameter to the value returned in the previous response.
integer
The maximum number of results to return.
dict
Response Syntax
{
'Resources': [
{
'ResourceGuid': 'string',
'ResourceId': 'string',
'AccountId': 'string',
'AccountName': 'string',
'Region': 'string',
'ResourceProvider': 'string',
'ResourceOwnerAccountId': 'string',
'ResourceOwnerOrgId': 'string',
'ResourceCloudPartition': 'string',
'ResourceRegion': 'string',
'ResourceCategory': 'Compute'|'Database'|'Storage'|'Code'|'AI/ML'|'Identity'|'Network'|'Messaging'|'Other',
'ResourceType': 'string',
'ResourceName': 'string',
'ResourceCreationTimeDt': 'string',
'ResourceDetailCaptureTimeDt': 'string',
'FindingsSummary': [
{
'FindingType': 'string',
'ProductName': 'string',
'TotalFindings': 123,
'Severities': {
'Other': 123,
'Fatal': 123,
'Critical': 123,
'High': 123,
'Medium': 123,
'Low': 123,
'Informational': 123,
'Unknown': 123
}
},
],
'ResourceTags': [
{
'Key': 'string',
'Value': 'string'
},
],
'ResourceConfig': {...}|[...]|123|123.4|'string'|True|None
},
],
'NextToken': 'string'
}
Response Structure
(dict) --
Resources (list) --
An array of resources returned by the operation.
(dict) --
Provides comprehensive details about an Amazon Web Services resource and its associated security findings.
ResourceGuid (string) --
The global identifier used to identify a resource.
ResourceId (string) --
The unique identifier for a resource.
AccountId (string) --
The Amazon Web Services account that recorded the resource data in Security Hub.
AccountName (string) --
The name of the Amazon Web Services account that's associated with the resource.
Region (string) --
The Amazon Web Services Region that recorded the resource data in Security Hub.
ResourceProvider (string) --
The cloud provider where the resource exists. Valid values are AWS and Azure. This field is always included.
ResourceOwnerAccountId (string) --
The identifier of the cloud account that owns the resource. For Amazon Web Services resources, this is the Amazon Web Services account ID. For Azure resources, this is the Azure subscription ID.
ResourceOwnerOrgId (string) --
The identifier of the cloud organization that owns the resource. For Amazon Web Services resources, this is the Organizations ID. For Azure resources, this is the Azure tenant ID.
ResourceCloudPartition (string) --
The cloud partition where the resource exists. For Amazon Web Services, valid values include aws, aws-cn, and aws-us-gov. This field isn't returned for cloud providers that don't use partitions.
ResourceRegion (string) --
The native cloud region where the resource is located. For Amazon Web Services, this is an Amazon Web Services Region (for example, us-east-1). For Azure resources, this is the Azure region (for example, westus2). This field is always included.
ResourceCategory (string) --
The grouping where the resource belongs.
ResourceType (string) --
The type of resource.
ResourceName (string) --
The name of the resource.
ResourceCreationTimeDt (string) --
The time when the resource was created.
ResourceDetailCaptureTimeDt (string) --
The timestamp when information about the resource was captured.
FindingsSummary (list) --
An aggregated view of security findings associated with a resource.
(dict) --
A list of summaries for all finding types on a resource.
FindingType (string) --
The category or classification of the security finding.
ProductName (string) --
The name of the product associated with the security finding.
TotalFindings (integer) --
The total count of security findings.
Severities (dict) --
A breakdown of security findings by their severity levels.
Other (integer) --
The number of findings not in any of the severity categories.
Fatal (integer) --
The number of findings with a severity level of fatal.
Critical (integer) --
The number of findings with a severity level of critical.
High (integer) --
The number of findings with a severity level of high.
Medium (integer) --
The number of findings with a severity level of medium.
Low (integer) --
The number of findings with a severity level of low.
Informational (integer) --
The number of findings that provide security-related information.
Unknown (integer) --
The number of findings with a severity level cannot be determined.
ResourceTags (list) --
The key-value pairs associated with a resource.
(dict) --
Represents tag information associated with Amazon Web Services resources.
Key (string) --
The identifier or name of the tag.
Value (string) --
The data associated with the tag key.
ResourceConfig (:ref:`document<document>`) --
The configuration details of a resource.
NextToken (string) --
The pagination token to use to request the next page of results. Otherwise, this parameter is null.
{'SecurityControlDefinition': {'Provider': 'AWS | Azure'}}
Retrieves the definition of a security control. The definition includes the control title, description, Region availability, parameter definitions, and other details.
See also: AWS API Documentation
Request Syntax
client.get_security_control_definition(
SecurityControlId='string'
)
string
[REQUIRED]
The ID of the security control to retrieve the definition for. This field doesn’t accept an Amazon Resource Name (ARN).
dict
Response Syntax
{
'SecurityControlDefinition': {
'SecurityControlId': 'string',
'Title': 'string',
'Description': 'string',
'RemediationUrl': 'string',
'SeverityRating': 'LOW'|'MEDIUM'|'HIGH'|'CRITICAL',
'CurrentRegionAvailability': 'AVAILABLE'|'UNAVAILABLE',
'CustomizableProperties': [
'Parameters',
],
'ParameterDefinitions': {
'string': {
'Description': 'string',
'ConfigurationOptions': {
'Integer': {
'DefaultValue': 123,
'Min': 123,
'Max': 123
},
'IntegerList': {
'DefaultValue': [
123,
],
'Min': 123,
'Max': 123,
'MaxItems': 123
},
'Double': {
'DefaultValue': 123.0,
'Min': 123.0,
'Max': 123.0
},
'String': {
'DefaultValue': 'string',
'Re2Expression': 'string',
'ExpressionDescription': 'string'
},
'StringList': {
'DefaultValue': [
'string',
],
'Re2Expression': 'string',
'MaxItems': 123,
'ExpressionDescription': 'string'
},
'Boolean': {
'DefaultValue': True|False
},
'Enum': {
'DefaultValue': 'string',
'AllowedValues': [
'string',
]
},
'EnumList': {
'DefaultValue': [
'string',
],
'MaxItems': 123,
'AllowedValues': [
'string',
]
}
}
}
},
'Provider': 'AWS'|'Azure'
}
}
Response Structure
(dict) --
SecurityControlDefinition (dict) --
Provides metadata for a security control, including its unique standard-agnostic identifier, title, description, severity, availability in Amazon Web Services Regions, and a link to remediation steps.
SecurityControlId (string) --
The unique identifier of a security control across standards. Values for this field typically consist of an Amazon Web Services service name and a number (for example, APIGateway.3). This parameter differs from SecurityControlArn, which is a unique Amazon Resource Name (ARN) assigned to a control. The ARN references the security control ID (for example, arn:aws:securityhub:eu-central-1:123456789012:security-control/APIGateway.3).
Title (string) --
The title of a security control.
Description (string) --
The description of a security control across standards. This typically summarizes how Security Hub CSPM evaluates the control and the conditions under which it produces a failed finding. This parameter doesn't reference a specific standard.
RemediationUrl (string) --
A link to Security Hub CSPM documentation that explains how to remediate a failed finding for a security control.
SeverityRating (string) --
The severity of a security control. For more information about how Security Hub CSPM determines control severity, see Assigning severity to control findings in the Security Hub CSPM User Guide.
CurrentRegionAvailability (string) --
Specifies whether a security control is available in the current Amazon Web Services Region.
CustomizableProperties (list) --
Security control properties that you can customize. Currently, only parameter customization is supported for select controls. An empty array is returned for controls that don’t support custom properties.
(string) --
ParameterDefinitions (dict) --
An object that provides a security control parameter name, description, and the options for customizing it. This object is excluded for a control that doesn't support custom parameters.
(string) --
(dict) --
An object that describes a security control parameter and the options for customizing it.
Description (string) --
Description of a control parameter.
ConfigurationOptions (dict) --
The options for customizing a control parameter. Customization options vary based on the data type of the parameter.
Integer (dict) --
The options for customizing a security control parameter that is an integer.
DefaultValue (integer) --
The Security Hub CSPM default value for a control parameter that is an integer.
Min (integer) --
The minimum valid value for a control parameter that is an integer.
Max (integer) --
The maximum valid value for a control parameter that is an integer.
IntegerList (dict) --
The options for customizing a security control parameter that is a list of integers.
DefaultValue (list) --
The Security Hub CSPM default value for a control parameter that is a list of integers.
(integer) --
Min (integer) --
The minimum valid value for a control parameter that is a list of integers.
Max (integer) --
The maximum valid value for a control parameter that is a list of integers.
MaxItems (integer) --
The maximum number of list items that an interger list control parameter can accept.
Double (dict) --
The options for customizing a security control parameter that is a double.
DefaultValue (float) --
The Security Hub CSPM default value for a control parameter that is a double.
Min (float) --
The minimum valid value for a control parameter that is a double.
Max (float) --
The maximum valid value for a control parameter that is a double.
String (dict) --
The options for customizing a security control parameter that is a string data type.
DefaultValue (string) --
The Security Hub CSPM default value for a control parameter that is a string.
Re2Expression (string) --
An RE2 regular expression that Security Hub CSPM uses to validate a user-provided control parameter string.
ExpressionDescription (string) --
The description of the RE2 regular expression.
StringList (dict) --
The options for customizing a security control parameter that is a list of strings.
DefaultValue (list) --
The Security Hub CSPM default value for a control parameter that is a list of strings.
(string) --
Re2Expression (string) --
An RE2 regular expression that Security Hub CSPM uses to validate a user-provided list of strings for a control parameter.
MaxItems (integer) --
The maximum number of list items that a string list control parameter can accept.
ExpressionDescription (string) --
The description of the RE2 regular expression.
Boolean (dict) --
The options for customizing a security control parameter that is a boolean. For a boolean parameter, the options are true and false.
DefaultValue (boolean) --
The Security Hub CSPM default value for a boolean parameter.
Enum (dict) --
The options for customizing a security control parameter that is an enum.
DefaultValue (string) --
The Security Hub CSPM default value for a control parameter that is an enum.
AllowedValues (list) --
The valid values for a control parameter that is an enum.
(string) --
EnumList (dict) --
The options for customizing a security control parameter that is a list of enums.
DefaultValue (list) --
The Security Hub CSPM default value for a control parameter that is a list of enums.
(string) --
MaxItems (integer) --
The maximum number of list items that an enum list control parameter can accept.
AllowedValues (list) --
The valid values for a control parameter that is a list of enums.
(string) --
Provider (string) --
The cloud provider whose resources the security control evaluates. For example, AWS or Azure.
{'ConnectorStatus': {'DEGRADED', 'UNKNOWN'},
'EnablementStatus': 'ENABLED | PENDING_ENABLEMENT | FAILED_TO_ENABLE | '
'PENDING_UPDATE | FAILED_TO_UPDATE | PENDING_DELETION | '
'FAILED_TO_DELETE',
'ProviderName': {'AZURE'}}
Response {'Connectors': {'EnablementStatus': 'ENABLED | PENDING_ENABLEMENT | '
'FAILED_TO_ENABLE | PENDING_UPDATE | '
'FAILED_TO_UPDATE | PENDING_DELETION | '
'FAILED_TO_DELETE',
'EnablementStatusReason': 'string',
'ProviderSummary': {'ConnectorStatus': {'DEGRADED', 'UNKNOWN'},
'ProviderConfiguration': {'Azure': {'AWSConfigConnectorArn': 'string',
'AzureRegions': ['string'],
'ScopeConfiguration': {'ScopeType': 'TENANT '
'| '
'SUBSCRIPTION',
'ScopeValues': ['string']}},
'JiraCloud': {'AuthStatus': 'ACTIVE '
'| '
'FAILED',
'AuthUrl': 'string',
'CloudId': 'string',
'Domain': 'string',
'ProjectKey': 'string'},
'ServiceNow': {'AuthStatus': 'ACTIVE '
'| '
'FAILED',
'InstanceName': 'string',
'SecretArn': 'string'}},
'ProviderName': {'AZURE'}}}}
Grants permission to retrieve a list of connectorsV2 and their metadata for the calling account.
See also: AWS API Documentation
Request Syntax
client.list_connectors_v2(
NextToken='string',
MaxResults=123,
ProviderName='JIRA_CLOUD'|'SERVICENOW'|'AZURE',
ConnectorStatus='CONNECTED'|'DEGRADED'|'FAILED_TO_CONNECT'|'PENDING_AUTHORIZATION'|'PENDING_CONFIGURATION'|'UNKNOWN',
EnablementStatus='ENABLED'|'PENDING_ENABLEMENT'|'FAILED_TO_ENABLE'|'PENDING_UPDATE'|'FAILED_TO_UPDATE'|'PENDING_DELETION'|'FAILED_TO_DELETE'
)
string
The pagination token per the Amazon Web Services Pagination standard
integer
The maximum number of results to be returned.
string
The name of the third-party provider.
string
The status for the connectorV2.
string
The enablement status to filter connectors by.
dict
Response Syntax
{
'NextToken': 'string',
'Connectors': [
{
'ConnectorArn': 'string',
'ConnectorId': 'string',
'Name': 'string',
'Description': 'string',
'ProviderSummary': {
'ProviderName': 'JIRA_CLOUD'|'SERVICENOW'|'AZURE',
'ConnectorStatus': 'CONNECTED'|'DEGRADED'|'FAILED_TO_CONNECT'|'PENDING_AUTHORIZATION'|'PENDING_CONFIGURATION'|'UNKNOWN',
'ProviderConfiguration': {
'JiraCloud': {
'CloudId': 'string',
'ProjectKey': 'string',
'Domain': 'string',
'AuthUrl': 'string',
'AuthStatus': 'ACTIVE'|'FAILED'
},
'ServiceNow': {
'InstanceName': 'string',
'SecretArn': 'string',
'AuthStatus': 'ACTIVE'|'FAILED'
},
'Azure': {
'AWSConfigConnectorArn': 'string',
'ScopeConfiguration': {
'ScopeType': 'TENANT'|'SUBSCRIPTION',
'ScopeValues': [
'string',
]
},
'AzureRegions': [
'string',
]
}
}
},
'CreatedAt': datetime(2015, 1, 1),
'EnablementStatus': 'ENABLED'|'PENDING_ENABLEMENT'|'FAILED_TO_ENABLE'|'PENDING_UPDATE'|'FAILED_TO_UPDATE'|'PENDING_DELETION'|'FAILED_TO_DELETE',
'EnablementStatusReason': 'string'
},
]
}
Response Structure
(dict) --
NextToken (string) --
The pagination token to use to request the next page of results. Otherwise, this parameter is null.
Connectors (list) --
An array of connectorV2 summaries.
(dict) --
A condensed overview of the connectorV2..
ConnectorArn (string) --
The Amazon Resource Name (ARN) of the connectorV2.
ConnectorId (string) --
The UUID of the connectorV2 to identify connectorV2 resource.
Name (string) --
The Name field contains the user-defined name assigned to the integration connector. This helps identify and manage multiple connectors within Security Hub.
Description (string) --
The description of the connectorV2.
ProviderSummary (dict) --
The connectorV2 third party provider configuration summary.
ProviderName (string) --
The name of the provider.
ConnectorStatus (string) --
The status for the connectorV2.
ProviderConfiguration (dict) --
The third-party provider detail for a service configuration.
JiraCloud (dict) --
Details about a Jira Cloud integration.
CloudId (string) --
The cloud id of the Jira Cloud.
ProjectKey (string) --
The projectKey of Jira Cloud.
Domain (string) --
The URL domain of your Jira Cloud instance.
AuthUrl (string) --
The URL to provide to customers for OAuth auth code flow.
AuthStatus (string) --
The status of the authorization between Jira Cloud and the service.
ServiceNow (dict) --
Details about a ServiceNow ITSM integration.
InstanceName (string) --
The instanceName of ServiceNow ITSM.
SecretArn (string) --
The Amazon Resource Name (ARN) of the Amazon Web Services Secrets Manager secret that contains the ServiceNow credentials.
AuthStatus (string) --
The status of the authorization between ServiceNow and the service.
Azure (dict) --
Details about a Microsoft Azure CSPM integration.
AWSConfigConnectorArn (string) --
The ARN of the AWS Config connector used to establish the connection to Azure.
ScopeConfiguration (dict) --
The scope configuration that defines which Azure resources are monitored.
ScopeType (string) --
The type of scope. Valid values are tenant and subscription.
ScopeValues (list) --
The list of scope values, such as subscription IDs, when the scope type is subscription.
(string) --
AzureRegions (list) --
The list of Azure regions being monitored.
(string) --
CreatedAt (datetime) --
ISO 8601 UTC timestamp for the time create the connectorV2.
EnablementStatus (string) --
The enablement status of the connector.
EnablementStatusReason (string) --
The reason for the current enablement status. Provides additional context when the connector is in a failed state.
{'Providers': ['AWS | Azure']}
Response {'SecurityControlDefinitions': {'Provider': 'AWS | Azure'}}
Lists all of the security controls that apply to a specified standard.
See also: AWS API Documentation
Request Syntax
client.list_security_control_definitions(
StandardsArn='string',
NextToken='string',
MaxResults=123,
Providers=[
'AWS'|'Azure',
]
)
string
The Amazon Resource Name (ARN) of the standard that you want to view controls for.
string
Optional pagination parameter.
integer
An optional parameter that limits the total results of the API response to the specified number. If this parameter isn't provided in the request, the results include the first 25 security controls that apply to the specified standard. The results also include a NextToken parameter that you can use in a subsequent API call to get the next 25 controls. This repeats until all controls for the standard are returned.
list
A list of cloud providers to filter the security control definitions by. For example, specify Azure to return only controls that evaluate Azure resources.
(string) --
dict
Response Syntax
{
'SecurityControlDefinitions': [
{
'SecurityControlId': 'string',
'Title': 'string',
'Description': 'string',
'RemediationUrl': 'string',
'SeverityRating': 'LOW'|'MEDIUM'|'HIGH'|'CRITICAL',
'CurrentRegionAvailability': 'AVAILABLE'|'UNAVAILABLE',
'CustomizableProperties': [
'Parameters',
],
'ParameterDefinitions': {
'string': {
'Description': 'string',
'ConfigurationOptions': {
'Integer': {
'DefaultValue': 123,
'Min': 123,
'Max': 123
},
'IntegerList': {
'DefaultValue': [
123,
],
'Min': 123,
'Max': 123,
'MaxItems': 123
},
'Double': {
'DefaultValue': 123.0,
'Min': 123.0,
'Max': 123.0
},
'String': {
'DefaultValue': 'string',
'Re2Expression': 'string',
'ExpressionDescription': 'string'
},
'StringList': {
'DefaultValue': [
'string',
],
'Re2Expression': 'string',
'MaxItems': 123,
'ExpressionDescription': 'string'
},
'Boolean': {
'DefaultValue': True|False
},
'Enum': {
'DefaultValue': 'string',
'AllowedValues': [
'string',
]
},
'EnumList': {
'DefaultValue': [
'string',
],
'MaxItems': 123,
'AllowedValues': [
'string',
]
}
}
}
},
'Provider': 'AWS'|'Azure'
},
],
'NextToken': 'string'
}
Response Structure
(dict) --
SecurityControlDefinitions (list) --
An array of controls that apply to the specified standard.
(dict) --
Provides metadata for a security control, including its unique standard-agnostic identifier, title, description, severity, availability in Amazon Web Services Regions, and a link to remediation steps.
SecurityControlId (string) --
The unique identifier of a security control across standards. Values for this field typically consist of an Amazon Web Services service name and a number (for example, APIGateway.3). This parameter differs from SecurityControlArn, which is a unique Amazon Resource Name (ARN) assigned to a control. The ARN references the security control ID (for example, arn:aws:securityhub:eu-central-1:123456789012:security-control/APIGateway.3).
Title (string) --
The title of a security control.
Description (string) --
The description of a security control across standards. This typically summarizes how Security Hub CSPM evaluates the control and the conditions under which it produces a failed finding. This parameter doesn't reference a specific standard.
RemediationUrl (string) --
A link to Security Hub CSPM documentation that explains how to remediate a failed finding for a security control.
SeverityRating (string) --
The severity of a security control. For more information about how Security Hub CSPM determines control severity, see Assigning severity to control findings in the Security Hub CSPM User Guide.
CurrentRegionAvailability (string) --
Specifies whether a security control is available in the current Amazon Web Services Region.
CustomizableProperties (list) --
Security control properties that you can customize. Currently, only parameter customization is supported for select controls. An empty array is returned for controls that don’t support custom properties.
(string) --
ParameterDefinitions (dict) --
An object that provides a security control parameter name, description, and the options for customizing it. This object is excluded for a control that doesn't support custom parameters.
(string) --
(dict) --
An object that describes a security control parameter and the options for customizing it.
Description (string) --
Description of a control parameter.
ConfigurationOptions (dict) --
The options for customizing a control parameter. Customization options vary based on the data type of the parameter.
Integer (dict) --
The options for customizing a security control parameter that is an integer.
DefaultValue (integer) --
The Security Hub CSPM default value for a control parameter that is an integer.
Min (integer) --
The minimum valid value for a control parameter that is an integer.
Max (integer) --
The maximum valid value for a control parameter that is an integer.
IntegerList (dict) --
The options for customizing a security control parameter that is a list of integers.
DefaultValue (list) --
The Security Hub CSPM default value for a control parameter that is a list of integers.
(integer) --
Min (integer) --
The minimum valid value for a control parameter that is a list of integers.
Max (integer) --
The maximum valid value for a control parameter that is a list of integers.
MaxItems (integer) --
The maximum number of list items that an interger list control parameter can accept.
Double (dict) --
The options for customizing a security control parameter that is a double.
DefaultValue (float) --
The Security Hub CSPM default value for a control parameter that is a double.
Min (float) --
The minimum valid value for a control parameter that is a double.
Max (float) --
The maximum valid value for a control parameter that is a double.
String (dict) --
The options for customizing a security control parameter that is a string data type.
DefaultValue (string) --
The Security Hub CSPM default value for a control parameter that is a string.
Re2Expression (string) --
An RE2 regular expression that Security Hub CSPM uses to validate a user-provided control parameter string.
ExpressionDescription (string) --
The description of the RE2 regular expression.
StringList (dict) --
The options for customizing a security control parameter that is a list of strings.
DefaultValue (list) --
The Security Hub CSPM default value for a control parameter that is a list of strings.
(string) --
Re2Expression (string) --
An RE2 regular expression that Security Hub CSPM uses to validate a user-provided list of strings for a control parameter.
MaxItems (integer) --
The maximum number of list items that a string list control parameter can accept.
ExpressionDescription (string) --
The description of the RE2 regular expression.
Boolean (dict) --
The options for customizing a security control parameter that is a boolean. For a boolean parameter, the options are true and false.
DefaultValue (boolean) --
The Security Hub CSPM default value for a boolean parameter.
Enum (dict) --
The options for customizing a security control parameter that is an enum.
DefaultValue (string) --
The Security Hub CSPM default value for a control parameter that is an enum.
AllowedValues (list) --
The valid values for a control parameter that is an enum.
(string) --
EnumList (dict) --
The options for customizing a security control parameter that is a list of enums.
DefaultValue (list) --
The Security Hub CSPM default value for a control parameter that is a list of enums.
(string) --
MaxItems (integer) --
The maximum number of list items that an enum list control parameter can accept.
AllowedValues (list) --
The valid values for a control parameter that is a list of enums.
(string) --
Provider (string) --
The cloud provider whose resources the security control evaluates. For example, AWS or Azure.
NextToken (string) --
A pagination parameter that's included in the response only if it was included in the request.
{'Criteria': {'OcsfFindingCriteria': {'CompositeFilters': {'StringFilters': {'FieldName': {'resources.name',
'resources.owner.account.name',
'resources.owner.account.uid',
'resources.owner.org.uid',
'resources.provider'}}}}}}
Updates a V2 automation rule.
See also: AWS API Documentation
Request Syntax
client.update_automation_rule_v2(
Identifier='string',
RuleStatus='ENABLED'|'DISABLED',
RuleOrder=...,
Description='string',
RuleName='string',
Criteria={
'OcsfFindingCriteria': {
'CompositeFilters': [
{
'StringFilters': [
{
'FieldName': 'metadata.uid'|'activity_name'|'cloud.account.uid'|'cloud.provider'|'cloud.region'|'compliance.assessments.category'|'compliance.assessments.name'|'compliance.control'|'compliance.status'|'compliance.standards'|'finding_info.desc'|'finding_info.src_url'|'finding_info.title'|'finding_info.types'|'finding_info.uid'|'finding_info.related_events.traits.category'|'finding_info.related_events.uid'|'finding_info.related_events.product.uid'|'finding_info.related_events.title'|'metadata.product.name'|'metadata.product.uid'|'metadata.product.vendor_name'|'remediation.desc'|'remediation.references'|'resources.cloud_partition'|'resources.name'|'resources.owner.account.uid'|'resources.owner.org.uid'|'resources.owner.account.name'|'resources.provider'|'resources.region'|'resources.type'|'resources.uid'|'severity'|'status'|'comment'|'vulnerabilities.fix_coverage'|'class_name'|'databucket.encryption_details.algorithm'|'databucket.encryption_details.key_uid'|'databucket.file.data_classifications.classifier_details.type'|'evidences.actor.user.account.uid'|'evidences.api.operation'|'evidences.api.response.error_message'|'evidences.api.service.name'|'evidences.connection_info.direction'|'evidences.connection_info.protocol_name'|'evidences.dst_endpoint.autonomous_system.name'|'evidences.dst_endpoint.location.city'|'evidences.dst_endpoint.location.country'|'evidences.src_endpoint.autonomous_system.name'|'evidences.src_endpoint.hostname'|'evidences.src_endpoint.location.city'|'evidences.src_endpoint.location.country'|'finding_info.analytic.name'|'malware.name'|'malware_scan_info.uid'|'malware.severity'|'resources.cloud_function.layers.uid_alt'|'resources.cloud_function.runtime'|'resources.cloud_function.user.uid'|'resources.device.encryption_details.key_uid'|'resources.device.image.uid'|'resources.image.architecture'|'resources.image.registry_uid'|'resources.image.repository_name'|'resources.image.uid'|'resources.subnet_info.uid'|'resources.vpc_uid'|'vulnerabilities.affected_code.file.path'|'vulnerabilities.affected_packages.name'|'vulnerabilities.cve.epss.score'|'vulnerabilities.cve.uid'|'vulnerabilities.related_vulnerabilities'|'cloud.account.name'|'vendor_attributes.severity',
'Filter': {
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
}
},
],
'DateFilters': [
{
'FieldName': 'finding_info.created_time_dt'|'finding_info.first_seen_time_dt'|'finding_info.last_seen_time_dt'|'finding_info.modified_time_dt'|'resources.image.created_time_dt'|'resources.image.last_used_time_dt'|'resources.modified_time_dt',
'Filter': {
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
}
},
],
'BooleanFilters': [
{
'FieldName': 'compliance.assessments.meets_criteria'|'vulnerabilities.is_exploit_available'|'vulnerabilities.is_fix_available',
'Filter': {
'Value': True|False
}
},
],
'NumberFilters': [
{
'FieldName': 'activity_id'|'compliance.status_id'|'confidence_score'|'severity_id'|'status_id'|'finding_info.related_events_count'|'evidences.api.response.code'|'evidences.dst_endpoint.autonomous_system.number'|'evidences.dst_endpoint.port'|'evidences.src_endpoint.autonomous_system.number'|'evidences.src_endpoint.port'|'resources.image.in_use_count'|'vulnerabilities.cve.cvss.base_score'|'vendor_attributes.severity_id',
'Filter': {
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
}
},
],
'MapFilters': [
{
'FieldName': 'resources.tags'|'compliance.control_parameters'|'databucket.tags'|'finding_info.tags',
'Filter': {
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
}
},
],
'IpFilters': [
{
'FieldName': 'evidences.dst_endpoint.ip'|'evidences.src_endpoint.ip',
'Filter': {
'Cidr': 'string'
}
},
],
'NestedCompositeFilters': {'... recursive ...'},
'Operator': 'AND'|'OR'
},
],
'CompositeOperator': 'AND'|'OR'
}
},
Actions=[
{
'Type': 'FINDING_FIELDS_UPDATE'|'EXTERNAL_INTEGRATION',
'FindingFieldsUpdate': {
'SeverityId': 123,
'Comment': 'string',
'StatusId': 123
},
'ExternalIntegrationConfiguration': {
'ConnectorArn': 'string'
}
},
]
)
string
[REQUIRED]
The ARN of the automation rule.
string
The status of the automation rule.
float
Represents a value for the rule priority.
string
A description of the automation rule.
string
The name of the automation rule.
dict
The filtering type and configuration of the automation rule.
OcsfFindingCriteria (dict) --
The filtering conditions that align with OCSF standards.
CompositeFilters (list) --
Enables the creation of complex filtering conditions by combining filter criteria.
(dict) --
Enables the creation of filtering criteria for security findings.
StringFilters (list) --
Enables filtering based on string field values.
(dict) --
Enables filtering of security findings based on string field values in OCSF.
FieldName (string) --
The name of the field.
Filter (dict) --
A string filter for filtering Security Hub CSPM findings.
Value (string) --
The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there's no match.
Comparison (string) --
The condition to apply to a string value when filtering Security Hub CSPM findings.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.
To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.
To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn't match.
CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.
To search for values that don’t have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.
To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.
To search for values that don't start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.
NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can't provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.
For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.
ResourceType PREFIX AwsIam
ResourceType PREFIX AwsEc2
ResourceType NOT_EQUALS AwsIamPolicy
ResourceType NOT_EQUALS AwsEc2NetworkInterface
The CONTAINS operator works with automation rules V1 and V2. The NOT_CONTAINS operator works only with automation rules V1. The CONTAINS_WORD operator works only in the GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.
DateFilters (list) --
Enables filtering based on date and timestamp fields.
(dict) --
Enables filtering of security findings based on date and timestamp fields in OCSF.
FieldName (string) --
The name of the field.
Filter (dict) --
A date filter for querying findings.
Start (string) --
A timestamp that provides the start date for the date filter.
For more information about the validation and formatting of timestamp fields in Security Hub CSPM, see Timestamps.
End (string) --
A timestamp that provides the end date for the date filter.
For more information about the validation and formatting of timestamp fields in Security Hub CSPM, see Timestamps.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
Comparison (string) --
The condition to apply to a date range filter. If you specify WITHIN, Security Hub filters for dates within the specified date range. If you specify OLDER_THAN, Security Hub filters for dates before the specified date range. If you don't specify a value, the default is WITHIN.
BooleanFilters (list) --
Enables filtering based on boolean field values.
(dict) --
Enables filtering of security findings based on boolean field values in OCSF.
FieldName (string) --
The name of the field.
Filter (dict) --
Boolean filter for querying findings.
Value (boolean) --
The value of the boolean.
NumberFilters (list) --
Enables filtering based on numerical field values.
(dict) --
Enables filtering of security findings based on numerical field values in OCSF.
FieldName (string) --
The name of the field.
Filter (dict) --
A number filter for querying findings.
Gte (float) --
The greater-than-equal condition to be applied to a single field when querying for findings.
Lte (float) --
The less-than-equal condition to be applied to a single field when querying for findings.
Eq (float) --
The equal-to condition to be applied to a single field when querying for findings.
Gt (float) --
The greater-than condition to be applied to a single field when querying for findings.
Lt (float) --
The less-than condition to be applied to a single field when querying for findings.
MapFilters (list) --
Enables filtering based on map field values.
(dict) --
Enables filtering of security findings based on map field values in OCSF.
FieldName (string) --
The name of the field.
Filter (dict) --
A map filter for filtering Security Hub CSPM findings. Each map filter provides the field to check for, the value to check for, and the comparison operator.
Key (string) --
The key of the map filter. For example, for ResourceTags, Key identifies the name of the tag. For UserDefinedFields, Key is the name of the field.
Value (string) --
The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called Department might be Security. If you provide security as the filter value, then there's no match.
Comparison (string) --
The condition to apply to the key value when filtering Security Hub CSPM findings with a map filter.
To search for values that have the filter value, use one of the following comparison operators:
To search for values that include the filter value, use CONTAINS. For example, for the ResourceTags field, the filter Department CONTAINS Security matches findings that include the value Security for the Department tag. In the same example, a finding with a value of Security team for the Department tag is a match.
To search for values that exactly match the filter value, use EQUALS. For example, for the ResourceTags field, the filter Department EQUALS Security matches findings that have the value Security for the Department tag.
CONTAINS and EQUALS filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Department CONTAINS Security OR Department CONTAINS Finance match a finding that includes either Security, Finance, or both values.
To search for values that don't have the filter value, use one of the following comparison operators:
To search for values that exclude the filter value, use NOT_CONTAINS. For example, for the ResourceTags field, the filter Department NOT_CONTAINS Finance matches findings that exclude the value Finance for the Department tag.
To search for values other than the filter value, use NOT_EQUALS. For example, for the ResourceTags field, the filter Department NOT_EQUALS Finance matches findings that don’t have the value Finance for the Department tag.
NOT_CONTAINS and NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Department NOT_CONTAINS Security AND Department NOT_CONTAINS Finance match a finding that excludes both the Security and Finance values.
CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.
You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can’t have both an EQUALS filter and a NOT_EQUALS filter on the same field. Combining filters in this way returns an error.
CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub CSPM User Guide.
IpFilters (list) --
A list of IP address filters that allowing you to filter findings based on IP address properties.
(dict) --
The structure for filtering findings based on IP address attributes.
FieldName (string) --
The name of the IP address field to filter on.
Filter (dict) --
The IP filter for querying findings.
Cidr (string) --
A finding's CIDR value.
NestedCompositeFilters (list) --
Provides an additional level of filtering, creating a three-layer nested structure. The first layer is a CompositeFilters array with a CompositeOperator ( AND/ OR). The second layer is a CompositeFilter object that contains direct filters and NestedCompositeFilters. The third layer is NestedCompositeFilters, which contains additional filter conditions.
Operator (string) --
The logical operator used to combine multiple filter conditions.
CompositeOperator (string) --
The logical operators used to combine the filtering on multiple CompositeFilters.
list
A list of actions to be performed when the rule criteria is met.
(dict) --
Allows you to configure automated responses.
Type (string) -- [REQUIRED]
The category of action to be executed by the automation rule.
FindingFieldsUpdate (dict) --
The changes to be applied to fields in a security finding when an automation rule is triggered.
SeverityId (integer) --
The severity level to be assigned to findings that match the automation rule criteria.
Comment (string) --
Notes or contextual information for findings that are modified by the automation rule.
StatusId (integer) --
The status to be applied to findings that match automation rule criteria.
ExternalIntegrationConfiguration (dict) --
The settings for integrating automation rule actions with external systems or service.
ConnectorArn (string) --
The ARN of the connector that establishes the integration.
dict
Response Syntax
{}
Response Structure
(dict) --
{'Provider': {'Azure': {'AzureRegions': ['string'],
'ScopeConfiguration': {'ScopeType': 'TENANT | '
'SUBSCRIPTION',
'ScopeValues': ['string']}}}}
Response {'ConnectorStatus': 'CONNECTED | DEGRADED | FAILED_TO_CONNECT | '
'PENDING_AUTHORIZATION | PENDING_CONFIGURATION | UNKNOWN',
'EnablementStatus': 'ENABLED | PENDING_ENABLEMENT | FAILED_TO_ENABLE | '
'PENDING_UPDATE | FAILED_TO_UPDATE | PENDING_DELETION | '
'FAILED_TO_DELETE'}
Grants permission to update a connectorV2 based on its id and input parameters.
See also: AWS API Documentation
Request Syntax
client.update_connector_v2(
ConnectorId='string',
Description='string',
Provider={
'JiraCloud': {
'ProjectKey': 'string'
},
'ServiceNow': {
'SecretArn': 'string'
},
'Azure': {
'ScopeConfiguration': {
'ScopeType': 'TENANT'|'SUBSCRIPTION',
'ScopeValues': [
'string',
]
},
'AzureRegions': [
'string',
]
}
}
)
string
[REQUIRED]
The UUID of the connectorV2 to identify connectorV2 resource.
string
The description of the connectorV2.
dict
The third-party provider’s service configuration.
JiraCloud (dict) --
The parameters required to update the configuration for a Jira Cloud integration.
ProjectKey (string) --
The project key for a JiraCloud instance.
ServiceNow (dict) --
The parameters required to update the configuration for a ServiceNow integration.
SecretArn (string) --
The Amazon Resource Name (ARN) of the Amazon Web Services Secrets Manager secret that contains the ServiceNow credentials.
Azure (dict) --
The parameters required to update the configuration for a Microsoft Azure CSPM integration.
ScopeConfiguration (dict) -- [REQUIRED]
The updated scope configuration.
ScopeType (string) -- [REQUIRED]
The type of scope. Valid values are tenant and subscription.
ScopeValues (list) --
The list of scope values, such as subscription IDs, when the scope type is subscription.
(string) --
AzureRegions (list) -- [REQUIRED]
The updated list of Azure regions to monitor.
(string) --
dict
Response Syntax
{
'ConnectorStatus': 'CONNECTED'|'DEGRADED'|'FAILED_TO_CONNECT'|'PENDING_AUTHORIZATION'|'PENDING_CONFIGURATION'|'UNKNOWN',
'EnablementStatus': 'ENABLED'|'PENDING_ENABLEMENT'|'FAILED_TO_ENABLE'|'PENDING_UPDATE'|'FAILED_TO_UPDATE'|'PENDING_DELETION'|'FAILED_TO_DELETE'
}
Response Structure
(dict) --
ConnectorStatus (string) --
The status of the connector after the update.
EnablementStatus (string) --
The enablement status of the connector after the update.
{'Filters': {'ResourceOwnerAccountId': [{'Comparison': 'EQUALS | PREFIX | '
'NOT_EQUALS | '
'PREFIX_NOT_EQUALS | '
'CONTAINS | '
'NOT_CONTAINS | '
'CONTAINS_WORD',
'Value': 'string'}],
'ResourceOwnerOrgId': [{'Comparison': 'EQUALS | PREFIX | '
'NOT_EQUALS | '
'PREFIX_NOT_EQUALS | '
'CONTAINS | NOT_CONTAINS | '
'CONTAINS_WORD',
'Value': 'string'}],
'ResourceProvider': [{'Comparison': 'EQUALS | PREFIX | NOT_EQUALS '
'| PREFIX_NOT_EQUALS | '
'CONTAINS | NOT_CONTAINS | '
'CONTAINS_WORD',
'Value': 'string'}]}}
UpdateFindings is a deprecated operation. Instead of UpdateFindings, use the BatchUpdateFindings operation.
The UpdateFindings operation updates the Note and RecordState of the Security Hub CSPM aggregated findings that the filter attributes specify. Any member account that can view the finding can also see the update to the finding.
Finding updates made with UpdateFindings aren't persisted if the same finding is later updated by the finding provider through the BatchImportFindings operation. In addition, Security Hub CSPM doesn't record updates made with UpdateFindings in the finding history.
See also: AWS API Documentation
Request Syntax
client.update_findings(
Filters={
'ProductArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'AwsAccountId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'Id': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'GeneratorId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'Region': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'Type': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'FirstObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
},
],
'LastObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
},
],
'CreatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
},
],
'UpdatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
},
],
'SeverityProduct': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'SeverityNormalized': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'SeverityLabel': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'Confidence': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'Criticality': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'Title': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'Description': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'RecommendationText': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'SourceUrl': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ProductFields': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ProductName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'CompanyName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'UserDefinedFields': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'MalwareName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'MalwareType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'MalwarePath': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'MalwareState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'NetworkDirection': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'NetworkProtocol': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'NetworkSourceIpV4': [
{
'Cidr': 'string'
},
],
'NetworkSourceIpV6': [
{
'Cidr': 'string'
},
],
'NetworkSourcePort': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'NetworkSourceDomain': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'NetworkSourceMac': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'NetworkDestinationIpV4': [
{
'Cidr': 'string'
},
],
'NetworkDestinationIpV6': [
{
'Cidr': 'string'
},
],
'NetworkDestinationPort': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'NetworkDestinationDomain': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ProcessName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ProcessPath': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ProcessPid': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'ProcessParentPid': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'ProcessLaunchedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
},
],
'ProcessTerminatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
},
],
'ThreatIntelIndicatorType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ThreatIntelIndicatorValue': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ThreatIntelIndicatorCategory': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ThreatIntelIndicatorLastObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
},
],
'ThreatIntelIndicatorSource': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ThreatIntelIndicatorSourceUrl': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourcePartition': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceRegion': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceTags': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceAwsEc2InstanceType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceAwsEc2InstanceImageId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceAwsEc2InstanceIpV4Addresses': [
{
'Cidr': 'string'
},
],
'ResourceAwsEc2InstanceIpV6Addresses': [
{
'Cidr': 'string'
},
],
'ResourceAwsEc2InstanceKeyName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceAwsEc2InstanceIamInstanceProfileArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceAwsEc2InstanceVpcId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceAwsEc2InstanceSubnetId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceAwsEc2InstanceLaunchedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
},
],
'ResourceAwsS3BucketOwnerId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceAwsS3BucketOwnerName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceAwsIamAccessKeyUserName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceAwsIamAccessKeyPrincipalName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceAwsIamAccessKeyStatus': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceAwsIamAccessKeyCreatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
},
],
'ResourceAwsIamUserUserName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceContainerName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceContainerImageId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceContainerImageName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceContainerLaunchedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
},
],
'ResourceDetailsOther': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ComplianceStatus': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'VerificationState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'WorkflowState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'WorkflowStatus': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'RecordState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'RelatedFindingsProductArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'RelatedFindingsId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'NoteText': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'NoteUpdatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
},
],
'NoteUpdatedBy': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'Keyword': [
{
'Value': 'string'
},
],
'FindingProviderFieldsConfidence': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'FindingProviderFieldsCriticality': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'FindingProviderFieldsRelatedFindingsId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'FindingProviderFieldsRelatedFindingsProductArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'FindingProviderFieldsSeverityLabel': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'FindingProviderFieldsSeverityOriginal': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'FindingProviderFieldsTypes': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'Sample': [
{
'Value': True|False
},
],
'ComplianceSecurityControlId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ComplianceAssociatedStandardsId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'VulnerabilitiesExploitAvailable': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'VulnerabilitiesFixAvailable': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ComplianceSecurityControlParametersName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ComplianceSecurityControlParametersValue': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'AwsAccountName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceApplicationName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceApplicationArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceOwnerAccountId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceOwnerOrgId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceProvider': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
]
},
Note={
'Text': 'string',
'UpdatedBy': 'string'
},
RecordState='ACTIVE'|'ARCHIVED'
)
**Parameters**
::
# This section is too large to render.
# Please see the AWS API Documentation linked below.
`AWS API Documentation <https://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/UpdateFindings>`_
dict
Response Syntax
{}
Response Structure
(dict) --
{'Filters': {'ResourceOwnerAccountId': [{'Comparison': 'EQUALS | PREFIX | '
'NOT_EQUALS | '
'PREFIX_NOT_EQUALS | '
'CONTAINS | '
'NOT_CONTAINS | '
'CONTAINS_WORD',
'Value': 'string'}],
'ResourceOwnerOrgId': [{'Comparison': 'EQUALS | PREFIX | '
'NOT_EQUALS | '
'PREFIX_NOT_EQUALS | '
'CONTAINS | NOT_CONTAINS | '
'CONTAINS_WORD',
'Value': 'string'}],
'ResourceProvider': [{'Comparison': 'EQUALS | PREFIX | NOT_EQUALS '
'| PREFIX_NOT_EQUALS | '
'CONTAINS | NOT_CONTAINS | '
'CONTAINS_WORD',
'Value': 'string'}]}}
Updates the Security Hub CSPM insight identified by the specified insight ARN.
See also: AWS API Documentation
Request Syntax
client.update_insight(
InsightArn='string',
Name='string',
Filters={
'ProductArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'AwsAccountId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'Id': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'GeneratorId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'Region': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'Type': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'FirstObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
},
],
'LastObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
},
],
'CreatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
},
],
'UpdatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
},
],
'SeverityProduct': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'SeverityNormalized': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'SeverityLabel': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'Confidence': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'Criticality': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'Title': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'Description': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'RecommendationText': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'SourceUrl': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ProductFields': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ProductName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'CompanyName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'UserDefinedFields': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'MalwareName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'MalwareType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'MalwarePath': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'MalwareState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'NetworkDirection': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'NetworkProtocol': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'NetworkSourceIpV4': [
{
'Cidr': 'string'
},
],
'NetworkSourceIpV6': [
{
'Cidr': 'string'
},
],
'NetworkSourcePort': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'NetworkSourceDomain': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'NetworkSourceMac': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'NetworkDestinationIpV4': [
{
'Cidr': 'string'
},
],
'NetworkDestinationIpV6': [
{
'Cidr': 'string'
},
],
'NetworkDestinationPort': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'NetworkDestinationDomain': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ProcessName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ProcessPath': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ProcessPid': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'ProcessParentPid': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'ProcessLaunchedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
},
],
'ProcessTerminatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
},
],
'ThreatIntelIndicatorType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ThreatIntelIndicatorValue': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ThreatIntelIndicatorCategory': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ThreatIntelIndicatorLastObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
},
],
'ThreatIntelIndicatorSource': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ThreatIntelIndicatorSourceUrl': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourcePartition': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceRegion': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceTags': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ResourceAwsEc2InstanceType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceAwsEc2InstanceImageId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceAwsEc2InstanceIpV4Addresses': [
{
'Cidr': 'string'
},
],
'ResourceAwsEc2InstanceIpV6Addresses': [
{
'Cidr': 'string'
},
],
'ResourceAwsEc2InstanceKeyName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceAwsEc2InstanceIamInstanceProfileArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceAwsEc2InstanceVpcId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceAwsEc2InstanceSubnetId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceAwsEc2InstanceLaunchedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
},
],
'ResourceAwsS3BucketOwnerId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceAwsS3BucketOwnerName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceAwsIamAccessKeyUserName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceAwsIamAccessKeyPrincipalName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceAwsIamAccessKeyStatus': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceAwsIamAccessKeyCreatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
},
],
'ResourceAwsIamUserUserName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceContainerName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceContainerImageId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceContainerImageName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceContainerLaunchedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
},
],
'ResourceDetailsOther': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
},
],
'ComplianceStatus': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'VerificationState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'WorkflowState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'WorkflowStatus': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'RecordState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'RelatedFindingsProductArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'RelatedFindingsId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'NoteText': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'NoteUpdatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS',
'Comparison': 'WITHIN'|'OLDER_THAN'
}
},
],
'NoteUpdatedBy': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'Keyword': [
{
'Value': 'string'
},
],
'FindingProviderFieldsConfidence': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'FindingProviderFieldsCriticality': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0,
'Gt': 123.0,
'Lt': 123.0
},
],
'FindingProviderFieldsRelatedFindingsId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'FindingProviderFieldsRelatedFindingsProductArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'FindingProviderFieldsSeverityLabel': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'FindingProviderFieldsSeverityOriginal': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'FindingProviderFieldsTypes': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'Sample': [
{
'Value': True|False
},
],
'ComplianceSecurityControlId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ComplianceAssociatedStandardsId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'VulnerabilitiesExploitAvailable': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'VulnerabilitiesFixAvailable': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ComplianceSecurityControlParametersName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ComplianceSecurityControlParametersValue': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'AwsAccountName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceApplicationName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceApplicationArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceOwnerAccountId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceOwnerOrgId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
],
'ResourceProvider': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
},
]
},
GroupByAttribute='string'
)
**Parameters**
::
# This section is too large to render.
# Please see the AWS API Documentation linked below.
`AWS API Documentation <https://docs.aws.amazon.com/goto/WebAPI/securityhub-2018-10-26/UpdateInsight>`_
dict
Response Syntax
{}
Response Structure
(dict) --