Table of Contents
A low-level client representing AWS SecurityHub:
import boto3
client = boto3.client('securityhub')
These are the available methods:
Accepts the invitation to be a member account and be monitored by the Security Hub master account that the invitation was sent from. When the member account accepts the invitation, permission is granted to the master account to view findings generated in the member account.
See also: AWS API Documentation
Request Syntax
response = client.accept_invitation(
MasterId='string',
InvitationId='string'
)
dict
Response Syntax
{}
Response Structure
Disables the standards specified by the provided StandardsSubscriptionArns . For more information, see Standards Supported in AWS Security Hub .
See also: AWS API Documentation
Request Syntax
response = client.batch_disable_standards(
StandardsSubscriptionArns=[
'string',
]
)
[REQUIRED]
The ARNs of the standards subscriptions to disable.
{
'StandardsSubscriptions': [
{
'StandardsSubscriptionArn': 'string',
'StandardsArn': 'string',
'StandardsInput': {
'string': 'string'
},
'StandardsStatus': 'PENDING'|'READY'|'FAILED'|'DELETING'|'INCOMPLETE'
},
]
}
Response Structure
The details of the standards subscriptions that were disabled.
A resource that represents your subscription to a supported standard.
The ARN of a resource that represents your subscription to a supported standard.
The ARN of a standard.
In this release, Security Hub supports only the CIS AWS Foundations standard, which uses the following ARN: arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0.
A key-value pair of input for the standard.
The status of the standards subscription.
Enables the standards specified by the provided standardsArn . In this release, only CIS AWS Foundations standards are supported. For more information, see Standards Supported in AWS Security Hub .
See also: AWS API Documentation
Request Syntax
response = client.batch_enable_standards(
StandardsSubscriptionRequests=[
{
'StandardsArn': 'string',
'StandardsInput': {
'string': 'string'
}
},
]
)
[REQUIRED]
The list of standards compliance checks to enable.
Warning
In this release, Security Hub supports only the CIS AWS Foundations standard.
The ARN for the standard is arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0 .
The standard that you want to enable.
The ARN of the standard that you want to enable.
Warning
In this release, Security Hub only supports the CIS AWS Foundations standard.
Its ARN is arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0 .
A key-value pair of input for the standard.
{
'StandardsSubscriptions': [
{
'StandardsSubscriptionArn': 'string',
'StandardsArn': 'string',
'StandardsInput': {
'string': 'string'
},
'StandardsStatus': 'PENDING'|'READY'|'FAILED'|'DELETING'|'INCOMPLETE'
},
]
}
Response Structure
The details of the standards subscriptions that were enabled.
A resource that represents your subscription to a supported standard.
The ARN of a resource that represents your subscription to a supported standard.
The ARN of a standard.
In this release, Security Hub supports only the CIS AWS Foundations standard, which uses the following ARN: arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0.
A key-value pair of input for the standard.
The status of the standards subscription.
Imports security findings generated from an integrated third-party product into Security Hub. This action is requested by the integrated product to import its findings into Security Hub. The maximum allowed size for a finding is 240 Kb. An error is returned for any finding larger than 240 Kb.
See also: AWS API Documentation
Request Syntax
response = client.batch_import_findings(
Findings=[
{
'SchemaVersion': 'string',
'Id': 'string',
'ProductArn': 'string',
'GeneratorId': 'string',
'AwsAccountId': 'string',
'Types': [
'string',
],
'FirstObservedAt': 'string',
'LastObservedAt': 'string',
'CreatedAt': 'string',
'UpdatedAt': 'string',
'Severity': {
'Product': 123.0,
'Normalized': 123
},
'Confidence': 123,
'Criticality': 123,
'Title': 'string',
'Description': 'string',
'Remediation': {
'Recommendation': {
'Text': 'string',
'Url': 'string'
}
},
'SourceUrl': 'string',
'ProductFields': {
'string': 'string'
},
'UserDefinedFields': {
'string': 'string'
},
'Malware': [
{
'Name': 'string',
'Type': 'ADWARE'|'BLENDED_THREAT'|'BOTNET_AGENT'|'COIN_MINER'|'EXPLOIT_KIT'|'KEYLOGGER'|'MACRO'|'POTENTIALLY_UNWANTED'|'SPYWARE'|'RANSOMWARE'|'REMOTE_ACCESS'|'ROOTKIT'|'TROJAN'|'VIRUS'|'WORM',
'Path': 'string',
'State': 'OBSERVED'|'REMOVAL_FAILED'|'REMOVED'
},
],
'Network': {
'Direction': 'IN'|'OUT',
'Protocol': 'string',
'SourceIpV4': 'string',
'SourceIpV6': 'string',
'SourcePort': 123,
'SourceDomain': 'string',
'SourceMac': 'string',
'DestinationIpV4': 'string',
'DestinationIpV6': 'string',
'DestinationPort': 123,
'DestinationDomain': 'string'
},
'Process': {
'Name': 'string',
'Path': 'string',
'Pid': 123,
'ParentPid': 123,
'LaunchedAt': 'string',
'TerminatedAt': 'string'
},
'ThreatIntelIndicators': [
{
'Type': 'DOMAIN'|'EMAIL_ADDRESS'|'HASH_MD5'|'HASH_SHA1'|'HASH_SHA256'|'HASH_SHA512'|'IPV4_ADDRESS'|'IPV6_ADDRESS'|'MUTEX'|'PROCESS'|'URL',
'Value': 'string',
'Category': 'BACKDOOR'|'CARD_STEALER'|'COMMAND_AND_CONTROL'|'DROP_SITE'|'EXPLOIT_SITE'|'KEYLOGGER',
'LastObservedAt': 'string',
'Source': 'string',
'SourceUrl': 'string'
},
],
'Resources': [
{
'Type': 'string',
'Id': 'string',
'Partition': 'aws'|'aws-cn'|'aws-us-gov',
'Region': 'string',
'Tags': {
'string': 'string'
},
'Details': {
'AwsEc2Instance': {
'Type': 'string',
'ImageId': 'string',
'IpV4Addresses': [
'string',
],
'IpV6Addresses': [
'string',
],
'KeyName': 'string',
'IamInstanceProfileArn': 'string',
'VpcId': 'string',
'SubnetId': 'string',
'LaunchedAt': 'string'
},
'AwsS3Bucket': {
'OwnerId': 'string',
'OwnerName': 'string'
},
'AwsIamAccessKey': {
'UserName': 'string',
'Status': 'Active'|'Inactive',
'CreatedAt': 'string'
},
'Container': {
'Name': 'string',
'ImageId': 'string',
'ImageName': 'string',
'LaunchedAt': 'string'
},
'Other': {
'string': 'string'
}
}
},
],
'Compliance': {
'Status': 'PASSED'|'WARNING'|'FAILED'|'NOT_AVAILABLE'
},
'VerificationState': 'UNKNOWN'|'TRUE_POSITIVE'|'FALSE_POSITIVE'|'BENIGN_POSITIVE',
'WorkflowState': 'NEW'|'ASSIGNED'|'IN_PROGRESS'|'DEFERRED'|'RESOLVED',
'RecordState': 'ACTIVE'|'ARCHIVED',
'RelatedFindings': [
{
'ProductArn': 'string',
'Id': 'string'
},
],
'Note': {
'Text': 'string',
'UpdatedBy': 'string',
'UpdatedAt': 'string'
}
},
]
)
[REQUIRED]
A list of findings to import. To successfully import a finding, it must follow the AWS Security Finding Format .
Provides consistent format for the contents of the Security Hub-aggregated findings. AwsSecurityFinding format enables you to share findings between AWS security services and third-party solutions, and compliance checks.
Note
A finding is a potential security issue generated either by AWS services (Amazon GuardDuty, Amazon Inspector, and Amazon Macie) or by the integrated third-party solutions and compliance checks.
The schema version that a finding is formatted for.
The security findings provider-specific identifier for a finding.
The ARN generated by Security Hub that uniquely identifies a third-party company (security-findings provider) after this provider's product (solution that generates findings) is registered with Security Hub.
The identifier for the solution-specific component (a discrete unit of logic) that generated a finding. In various security-findings providers' solutions, this generator can be called a rule, a check, a detector, a plug-in, etc.
The AWS account ID that a finding is generated in.
One or more finding types in the format of namespace/category/classifier that classify a finding.
Valid namespace values are: Software and Configuration Checks | TTPs | Effects | Unusual Behaviors | Sensitive Data Identifications
An ISO8601-formatted timestamp that indicates when the security-findings provider first observed the potential security issue that a finding captured.
An ISO8601-formatted timestamp that indicates when the security-findings provider most recently observed the potential security issue that a finding captured.
An ISO8601-formatted timestamp that indicates when the security-findings provider created the potential security issue that a finding captured.
An ISO8601-formatted timestamp that indicates when the security-findings provider last updated the finding record.
A finding's severity.
The native severity as defined by the AWS service or integrated partner product that generated the finding.
The normalized severity of a finding.
A finding's confidence. Confidence is defined as the likelihood that a finding accurately identifies the behavior or issue that it was intended to identify. Confidence is scored on a 0-100 basis using a ratio scale, where 0 means zero percent confidence and 100 means 100 percent confidence.
The level of importance assigned to the resources associated with the finding. A score of 0 means that the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources.
A finding's title.
Note
In this release, Title is a required property.
A finding's description.
Note
In this release, Description is a required property.
A data type that describes the remediation options for a finding.
A recommendation on the steps to take to remediate the issue identified by a finding.
Describes the recommended steps to take to remediate an issue identified in a finding.
A URL to a page or site that contains information about how to remediate a finding.
A URL that links to a page about the current finding in the security-findings provider's solution.
A data type where security-findings providers can include additional solution-specific details that aren't part of the defined AwsSecurityFinding format.
A list of name/value string pairs associated with the finding. These are custom, user-defined fields added to a finding.
A list of malware related to a finding.
A list of malware related to a finding.
The name of the malware that was observed.
The type of the malware that was observed.
The file system path of the malware that was observed.
The state of the malware that was observed.
The details of network-related information about a finding.
The direction of network traffic associated with a finding.
The protocol of network-related information about a finding.
The source IPv4 address of network-related information about a finding.
The source IPv6 address of network-related information about a finding.
The source port of network-related information about a finding.
The source domain of network-related information about a finding.
The source media access control (MAC) address of network-related information about a finding.
The destination IPv4 address of network-related information about a finding.
The destination IPv6 address of network-related information about a finding.
The destination port of network-related information about a finding.
The destination domain of network-related information about a finding.
The details of process-related information about a finding.
The name of the process.
The path to the process executable.
The process ID.
The parent process ID.
The date/time that the process was launched.
The date and time when the process was terminated.
Threat intel details related to a finding.
Details about the threat intel related to a finding.
The type of a threat intel indicator.
The value of a threat intel indicator.
The category of a threat intel indicator.
The date and time when the most recent instance of a threat intel indicator was observed.
The source of the threat intel indicator.
The URL to the page or site where you can get more information about the threat intel indicator.
A set of resource data types that describe the resources that the finding refers to.
A resource related to a finding.
The type of the resource that details are provided for.
The canonical identifier for the given resource type.
The canonical AWS partition name that the Region is assigned to.
The canonical AWS external Region name where this resource is located.
A list of AWS tags associated with a resource at the time the finding was processed.
Additional details about the resource related to a finding.
Details about an Amazon EC2 instance related to a finding.
The instance type of the instance.
The Amazon Machine Image (AMI) ID of the instance.
The IPv4 addresses associated with the instance.
The IPv6 addresses associated with the instance.
The key name associated with the instance.
The IAM profile ARN of the instance.
The identifier of the VPC that the instance was launched in.
The identifier of the subnet that the instance was launched in.
The date/time the instance was launched.
Details about an Amazon S3 Bucket related to a finding.
The canonical user ID of the owner of the S3 bucket.
The display name of the owner of the S3 bucket.
Details about an IAM access key related to a finding.
The user associated with the IAM access key related to a finding.
The status of the IAM access key related to a finding.
The creation date/time of the IAM access key related to a finding.
Details about a container resource related to a finding.
The name of the container related to a finding.
The identifier of the image related to a finding.
The name of the image related to a finding.
The date and time when the container started.
Details about a resource that doesn't have a specific type defined.
This data type is exclusive to findings that are generated as the result of a check run against a specific rule in a supported standard (for example, CIS AWS Foundations). Contains compliance-related finding details.
The result of a compliance check.
Indicates the veracity of a finding.
The workflow state of a finding.
The record state of a finding.
A list of related findings.
Details about a related finding.
The ARN of the product that generated a related finding.
The product-generated identifier for a related finding.
A user-defined note added to a finding.
The text of a note.
The principal that created a note.
The timestamp of when the note was updated.
{
'FailedCount': 123,
'SuccessCount': 123,
'FailedFindings': [
{
'Id': 'string',
'ErrorCode': 'string',
'ErrorMessage': 'string'
},
]
}
Response Structure
The number of findings that failed to import.
The number of findings that were successfully imported.
The list of the findings that failed to import.
Includes details of the list of the findings that can't be imported.
The ID of the error made during the BatchImportFindings operation.
The code of the error made during the BatchImportFindings operation.
The message of the error made during the BatchImportFindings operation.
Check if an operation can be paginated.
Creates a custom action target in Security Hub. You can use custom actions on findings and insights in Security Hub to trigger target actions in Amazon CloudWatch Events.
See also: AWS API Documentation
Request Syntax
response = client.create_action_target(
Name='string',
Description='string',
Id='string'
)
[REQUIRED]
The name of the custom action target.
[REQUIRED]
The description for the custom action target.
[REQUIRED]
The ID for the custom action target.
dict
Response Syntax
{
'ActionTargetArn': 'string'
}
Response Structure
(dict) --
ActionTargetArn (string) --
The ARN for the custom action target.
Creates a custom insight in Security Hub. An insight is a consolidation of findings that relate to a security issue that requires attention or remediation. Use the GroupByAttribute to group the related findings in the insight.
See also: AWS API Documentation
Request Syntax
response = client.create_insight(
Name='string',
Filters={
'ProductArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'AwsAccountId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'Id': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'GeneratorId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'Type': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'FirstObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'LastObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'CreatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'UpdatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'SeverityProduct': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'SeverityNormalized': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'SeverityLabel': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'Confidence': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'Criticality': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'Title': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'Description': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'RecommendationText': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'SourceUrl': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ProductFields': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'
},
],
'ProductName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'CompanyName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'UserDefinedFields': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'
},
],
'MalwareName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'MalwareType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'MalwarePath': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'MalwareState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'NetworkDirection': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'NetworkProtocol': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'NetworkSourceIpV4': [
{
'Cidr': 'string'
},
],
'NetworkSourceIpV6': [
{
'Cidr': 'string'
},
],
'NetworkSourcePort': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'NetworkSourceDomain': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'NetworkSourceMac': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'NetworkDestinationIpV4': [
{
'Cidr': 'string'
},
],
'NetworkDestinationIpV6': [
{
'Cidr': 'string'
},
],
'NetworkDestinationPort': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'NetworkDestinationDomain': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ProcessName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ProcessPath': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ProcessPid': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'ProcessParentPid': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'ProcessLaunchedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ProcessTerminatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ThreatIntelIndicatorType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ThreatIntelIndicatorValue': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ThreatIntelIndicatorCategory': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ThreatIntelIndicatorLastObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ThreatIntelIndicatorSource': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ThreatIntelIndicatorSourceUrl': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourcePartition': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceRegion': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceTags': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'
},
],
'ResourceAwsEc2InstanceType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceImageId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceIpV4Addresses': [
{
'Cidr': 'string'
},
],
'ResourceAwsEc2InstanceIpV6Addresses': [
{
'Cidr': 'string'
},
],
'ResourceAwsEc2InstanceKeyName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceIamInstanceProfileArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceVpcId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceSubnetId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceLaunchedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ResourceAwsS3BucketOwnerId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceAwsS3BucketOwnerName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceAwsIamAccessKeyUserName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceAwsIamAccessKeyStatus': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceAwsIamAccessKeyCreatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ResourceContainerName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceContainerImageId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceContainerImageName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceContainerLaunchedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ResourceDetailsOther': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'
},
],
'ComplianceStatus': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'VerificationState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'WorkflowState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'RecordState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'RelatedFindingsProductArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'RelatedFindingsId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'NoteText': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'NoteUpdatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'NoteUpdatedBy': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'Keyword': [
{
'Value': 'string'
},
]
},
GroupByAttribute='string'
)
[REQUIRED]
The name of the custom insight to create.
[REQUIRED]
One or more attributes used to filter the findings included in the insight. Only findings that match the criteria defined in the filters are included in the insight.
The ARN generated by Security Hub that uniquely identifies a third-party company (security findings provider) after this provider's product (solution that generates findings) is registered with Security Hub.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The AWS account ID that a finding is generated in.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The security findings provider-specific identifier for a finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The identifier for the solution-specific component (a discrete unit of logic) that generated a finding. In various security-findings providers' solutions, this generator can be called a rule, a check, a detector, a plug-in, etc.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
A finding type in the format of namespace/category/classifier that classifies a finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
An ISO8601-formatted timestamp that indicates when the security-findings provider first observed the potential security issue that a finding captured.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
An ISO8601-formatted timestamp that indicates when the security-findings provider most recently observed the potential security issue that a finding captured.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
An ISO8601-formatted timestamp that indicates when the security-findings provider captured the potential security issue that a finding captured.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
An ISO8601-formatted timestamp that indicates when the security-findings provider last updated the finding record.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The native severity as defined by the security-findings provider's solution that generated the finding.
A number filter for querying findings.
The greater-than-equal condition to be applied to a single field when querying for findings.
The less-than-equal condition to be applied to a single field when querying for findings.
The equal-to condition to be applied to a single field when querying for findings.
The normalized severity of a finding.
A number filter for querying findings.
The greater-than-equal condition to be applied to a single field when querying for findings.
The less-than-equal condition to be applied to a single field when querying for findings.
The equal-to condition to be applied to a single field when querying for findings.
The label of a finding's severity.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
A finding's confidence. Confidence is defined as the likelihood that a finding accurately identifies the behavior or issue that it was intended to identify. Confidence is scored on a 0-100 basis using a ratio scale, where 0 means zero percent confidence and 100 means 100 percent confidence.
A number filter for querying findings.
The greater-than-equal condition to be applied to a single field when querying for findings.
The less-than-equal condition to be applied to a single field when querying for findings.
The equal-to condition to be applied to a single field when querying for findings.
The level of importance assigned to the resources associated with the finding. A score of 0 means that the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources.
A number filter for querying findings.
The greater-than-equal condition to be applied to a single field when querying for findings.
The less-than-equal condition to be applied to a single field when querying for findings.
The equal-to condition to be applied to a single field when querying for findings.
A finding's title.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
A finding's description.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The recommendation of what to do about the issue described in a finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
A URL that links to a page about the current finding in the security-findings provider's solution.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
A data type where security-findings providers can include additional solution-specific details that aren't part of the defined AwsSecurityFinding format.
The map filter for querying findings.
The key of the map filter.
The value for the key in the map filter.
The condition to apply to a key value when querying for findings with a map filter.
The name of the solution (product) that generates findings.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The name of the findings provider (company) that owns the solution (product) that generates findings.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
A list of name/value string pairs associated with the finding. These are custom, user-defined fields added to a finding.
The map filter for querying findings.
The key of the map filter.
The value for the key in the map filter.
The condition to apply to a key value when querying for findings with a map filter.
The name of the malware that was observed.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The type of the malware that was observed.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The filesystem path of the malware that was observed.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The state of the malware that was observed.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
Indicates the direction of network traffic associated with a finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The protocol of network-related information about a finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The source IPv4 address of network-related information about a finding.
The IP filter for querying findings.
A finding's CIDR value.
The source IPv6 address of network-related information about a finding.
The IP filter for querying findings.
A finding's CIDR value.
The source port of network-related information about a finding.
A number filter for querying findings.
The greater-than-equal condition to be applied to a single field when querying for findings.
The less-than-equal condition to be applied to a single field when querying for findings.
The equal-to condition to be applied to a single field when querying for findings.
The source domain of network-related information about a finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The source media access control (MAC) address of network-related information about a finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The destination IPv4 address of network-related information about a finding.
The IP filter for querying findings.
A finding's CIDR value.
The destination IPv6 address of network-related information about a finding.
The IP filter for querying findings.
A finding's CIDR value.
The destination port of network-related information about a finding.
A number filter for querying findings.
The greater-than-equal condition to be applied to a single field when querying for findings.
The less-than-equal condition to be applied to a single field when querying for findings.
The equal-to condition to be applied to a single field when querying for findings.
The destination domain of network-related information about a finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The name of the process.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The path to the process executable.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The process ID.
A number filter for querying findings.
The greater-than-equal condition to be applied to a single field when querying for findings.
The less-than-equal condition to be applied to a single field when querying for findings.
The equal-to condition to be applied to a single field when querying for findings.
The parent process ID.
A number filter for querying findings.
The greater-than-equal condition to be applied to a single field when querying for findings.
The less-than-equal condition to be applied to a single field when querying for findings.
The equal-to condition to be applied to a single field when querying for findings.
The date/time that the process was launched.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The date/time that the process was terminated.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The type of a threat intel indicator.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The value of a threat intel indicator.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The category of a threat intel indicator.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The date/time of the last observation of a threat intel indicator.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The source of the threat intel.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The URL for more details from the source of the threat intel.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
Specifies the type of the resource that details are provided for.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The canonical identifier for the given resource type.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The canonical AWS partition name that the Region is assigned to.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The canonical AWS external Region name where this resource is located.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
A list of AWS tags associated with a resource at the time the finding was processed.
The map filter for querying findings.
The key of the map filter.
The value for the key in the map filter.
The condition to apply to a key value when querying for findings with a map filter.
The instance type of the instance.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The Amazon Machine Image (AMI) ID of the instance.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The IPv4 addresses associated with the instance.
The IP filter for querying findings.
A finding's CIDR value.
The IPv6 addresses associated with the instance.
The IP filter for querying findings.
A finding's CIDR value.
The key name associated with the instance.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The IAM profile ARN of the instance.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The identifier of the VPC that the instance was launched in.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The identifier of the subnet that the instance was launched in.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The date/time the instance was launched.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The canonical user ID of the owner of the S3 bucket.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The display name of the owner of the S3 bucket.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The user associated with the IAM access key related to a finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The status of the IAM access key related to a finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The creation date/time of the IAM access key related to a finding.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The name of the container related to a finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The identifier of the image related to a finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The name of the image related to a finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The date/time that the container was started.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The details of a resource that doesn't have a specific subfield for the resource type defined.
The map filter for querying findings.
The key of the map filter.
The value for the key in the map filter.
The condition to apply to a key value when querying for findings with a map filter.
Exclusive to findings that are generated as the result of a check run against a specific rule in a supported standard (for example, CIS AWS Foundations). Contains compliance-related finding details.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The veracity of a finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The workflow state of a finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The updated record state for the finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The ARN of the solution that generated a related finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The solution-generated identifier for a related finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The text of a note.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The timestamp of when the note was updated.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The principal that created a note.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
A keyword for a finding.
A keyword filter for querying findings.
A value for the keyword.
[REQUIRED]
The attribute used as the aggregator to group related findings for the insight.
dict
Response Syntax
{
'InsightArn': 'string'
}
Response Structure
(dict) --
InsightArn (string) --
The ARN of the insight created.
Creates a member association in Security Hub between the specified accounts and the account used to make the request, which is the master account. To successfully create a member, you must use this action from an account that already has Security Hub enabled. You can use the EnableSecurityHub to enable Security Hub.
After you use CreateMembers to create member account associations in Security Hub, you need to use the InviteMembers action, which invites the accounts to enable Security Hub and become member accounts in Security Hub. If the invitation is accepted by the account owner, the account becomes a member account in Security Hub, and a permission policy is added that permits the master account to view the findings generated in the member account. When Security Hub is enabled in the invited account, findings start being sent to both the member and master accounts.
You can remove the association between the master and member accounts by using the DisassociateFromMasterAccount or DisassociateMembers operation.
See also: AWS API Documentation
Request Syntax
response = client.create_members(
AccountDetails=[
{
'AccountId': 'string',
'Email': 'string'
},
]
)
A list of account ID and email address pairs of the accounts to associate with the Security Hub master account.
The details of an AWS account.
The ID of an AWS account.
The email of an AWS account.
{
'UnprocessedAccounts': [
{
'AccountId': 'string',
'ProcessingResult': 'string'
},
]
}
Response Structure
A list of account ID and email address pairs of the AWS accounts that weren't processed.
Details about the account that wasn't processed.
An AWS account ID of the account that wasn't be processed.
The reason that the account wasn't be processed.
Declines invitations to become a member account.
See also: AWS API Documentation
Request Syntax
response = client.decline_invitations(
AccountIds=[
'string',
]
)
A list of account IDs that specify the accounts that invitations to Security Hub are declined from.
{
'UnprocessedAccounts': [
{
'AccountId': 'string',
'ProcessingResult': 'string'
},
]
}
Response Structure
A list of account ID and email address pairs of the AWS accounts that weren't processed.
Details about the account that wasn't processed.
An AWS account ID of the account that wasn't be processed.
The reason that the account wasn't be processed.
Deletes a custom action target from Security Hub. Deleting a custom action target doesn't affect any findings or insights that were already sent to Amazon CloudWatch Events using the custom action.
See also: AWS API Documentation
Request Syntax
response = client.delete_action_target(
ActionTargetArn='string'
)
[REQUIRED]
The ARN of the custom action target to delete.
{
'ActionTargetArn': 'string'
}
Response Structure
The ARN of the custom action target that was deleted.
Deletes the insight specified by the InsightArn .
See also: AWS API Documentation
Request Syntax
response = client.delete_insight(
InsightArn='string'
)
[REQUIRED]
The ARN of the insight to delete.
{
'InsightArn': 'string'
}
Response Structure
The ARN of the insight that was deleted.
Deletes invitations received by the AWS account to become a member account.
See also: AWS API Documentation
Request Syntax
response = client.delete_invitations(
AccountIds=[
'string',
]
)
A list of the account IDs that sent the invitations to delete.
{
'UnprocessedAccounts': [
{
'AccountId': 'string',
'ProcessingResult': 'string'
},
]
}
Response Structure
A list of account ID and email address pairs of the AWS accounts that invitations weren't deleted for.
Details about the account that wasn't processed.
An AWS account ID of the account that wasn't be processed.
The reason that the account wasn't be processed.
Deletes the specified member accounts from Security Hub.
See also: AWS API Documentation
Request Syntax
response = client.delete_members(
AccountIds=[
'string',
]
)
A list of account IDs of the member accounts to delete.
{
'UnprocessedAccounts': [
{
'AccountId': 'string',
'ProcessingResult': 'string'
},
]
}
Response Structure
A list of account ID and email address pairs of the AWS accounts that weren't deleted.
Details about the account that wasn't processed.
An AWS account ID of the account that wasn't be processed.
The reason that the account wasn't be processed.
Returns a list of the custom action targets in Security Hub in your account.
See also: AWS API Documentation
Request Syntax
response = client.describe_action_targets(
ActionTargetArns=[
'string',
],
NextToken='string',
MaxResults=123
)
A list of custom action target ARNs for the custom action targets to retrieve.
dict
Response Syntax
{
'ActionTargets': [
{
'ActionTargetArn': 'string',
'Name': 'string',
'Description': 'string'
},
],
'NextToken': 'string'
}
Response Structure
(dict) --
ActionTargets (list) --
A list of ActionTarget objects. Each object includes the ActionTargetArn , Description , and Name of a custom action target available in Security Hub.
(dict) --
An ActionTarget object.
ActionTargetArn (string) --
The ARN for the target action.
Name (string) --
The name of the action target.
Description (string) --
The description of the target action.
NextToken (string) --
The token that is required for pagination.
Returns details about the Hub resource in your account, including the HubArn and the time when you enabled Security Hub.
See also: AWS API Documentation
Request Syntax
response = client.describe_hub(
HubArn='string'
)
{
'HubArn': 'string',
'SubscribedAt': 'string'
}
Response Structure
The ARN of the Hub resource retrieved.
The date and time when Security Hub was enabled in the account.
Returns information about the products available that you can subscribe to and integrate with Security Hub to consolidate findings.
See also: AWS API Documentation
Request Syntax
response = client.describe_products(
NextToken='string',
MaxResults=123
)
dict
Response Syntax
{
'Products': [
{
'ProductArn': 'string',
'ProductName': 'string',
'CompanyName': 'string',
'Description': 'string',
'Categories': [
'string',
],
'MarketplaceUrl': 'string',
'ActivationUrl': 'string',
'ProductSubscriptionResourcePolicy': 'string'
},
],
'NextToken': 'string'
}
Response Structure
(dict) --
Products (list) --
A list of products, including details for each product.
(dict) --
Contains details about a product.
ProductArn (string) --
The ARN assigned to the product.
ProductName (string) --
The name of the product.
CompanyName (string) --
The name of the company that provides the product.
Description (string) --
A description of the product.
Categories (list) --
The categories assigned to the product.
MarketplaceUrl (string) --
The URL for the page that contains more information about the product.
ActivationUrl (string) --
The URL used to activate the product.
ProductSubscriptionResourcePolicy (string) --
The resource policy associated with the product.
NextToken (string) --
The token that is required for pagination.
Disables the integration of the specified product with Security Hub. Findings from that product are no longer sent to Security Hub after the integration is disabled.
See also: AWS API Documentation
Request Syntax
response = client.disable_import_findings_for_product(
ProductSubscriptionArn='string'
)
[REQUIRED]
The ARN of the integrated product to disable the integration for.
{}
Response Structure
Disables Security Hub in your account only in the current Region. To disable Security Hub in all Regions, you must submit one request per Region where you have enabled Security Hub. When you disable Security Hub for a master account, it doesn't disable Security Hub for any associated member accounts.
When you disable Security Hub, your existing findings and insights and any Security Hub configuration settings are deleted after 90 days and can't be recovered. Any standards that were enabled are disabled, and your master and member account associations are removed. If you want to save your existing findings, you must export them before you disable Security Hub.
See also: AWS API Documentation
Request Syntax
response = client.disable_security_hub()
{}
Response Structure
Disassociates the current Security Hub member account from the associated master account.
See also: AWS API Documentation
Request Syntax
response = client.disassociate_from_master_account()
{}
Response Structure
Disassociates the specified member accounts from the associated master account.
See also: AWS API Documentation
Request Syntax
response = client.disassociate_members(
AccountIds=[
'string',
]
)
The account IDs of the member accounts to disassociate from the master account.
{}
Response Structure
Enables the integration of a partner product with Security Hub. Integrated products send findings to Security Hub. When you enable a product integration, a permission policy that grants permission for the product to send findings to Security Hub is applied.
See also: AWS API Documentation
Request Syntax
response = client.enable_import_findings_for_product(
ProductArn='string'
)
[REQUIRED]
The ARN of the product to enable the integration for.
{
'ProductSubscriptionArn': 'string'
}
Response Structure
The ARN of your subscription to the product to enable integrations for.
Enables Security Hub for your account in the current Region or the Region you specify in the request. When you enable Security Hub, you grant to Security Hub the permissions necessary to gather findings from AWS Config, Amazon GuardDuty, Amazon Inspector, and Amazon Macie. To learn more, see Setting Up AWS Security Hub .
See also: AWS API Documentation
Request Syntax
response = client.enable_security_hub(
Tags={
'string': 'string'
}
)
The tags to add to the Hub resource when you enable Security Hub.
{}
Response Structure
Generate a presigned url given a client, its method, and arguments
The presigned url
Returns a list of the standards that are currently enabled.
See also: AWS API Documentation
Request Syntax
response = client.get_enabled_standards(
StandardsSubscriptionArns=[
'string',
],
NextToken='string',
MaxResults=123
)
A list of the standards subscription ARNs for the standards to retrieve.
dict
Response Syntax
{
'StandardsSubscriptions': [
{
'StandardsSubscriptionArn': 'string',
'StandardsArn': 'string',
'StandardsInput': {
'string': 'string'
},
'StandardsStatus': 'PENDING'|'READY'|'FAILED'|'DELETING'|'INCOMPLETE'
},
],
'NextToken': 'string'
}
Response Structure
(dict) --
StandardsSubscriptions (list) --
A list of StandardsSubscriptions objects that include information about the enabled standards.
(dict) --
A resource that represents your subscription to a supported standard.
StandardsSubscriptionArn (string) --
The ARN of a resource that represents your subscription to a supported standard.
StandardsArn (string) --
The ARN of a standard.
In this release, Security Hub supports only the CIS AWS Foundations standard, which uses the following ARN: arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0.
StandardsInput (dict) --
A key-value pair of input for the standard.
StandardsStatus (string) --
The status of the standards subscription.
NextToken (string) --
The token that is required for pagination.
Returns a list of findings that match the specified criteria.
See also: AWS API Documentation
Request Syntax
response = client.get_findings(
Filters={
'ProductArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'AwsAccountId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'Id': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'GeneratorId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'Type': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'FirstObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'LastObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'CreatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'UpdatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'SeverityProduct': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'SeverityNormalized': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'SeverityLabel': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'Confidence': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'Criticality': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'Title': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'Description': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'RecommendationText': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'SourceUrl': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ProductFields': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'
},
],
'ProductName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'CompanyName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'UserDefinedFields': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'
},
],
'MalwareName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'MalwareType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'MalwarePath': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'MalwareState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'NetworkDirection': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'NetworkProtocol': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'NetworkSourceIpV4': [
{
'Cidr': 'string'
},
],
'NetworkSourceIpV6': [
{
'Cidr': 'string'
},
],
'NetworkSourcePort': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'NetworkSourceDomain': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'NetworkSourceMac': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'NetworkDestinationIpV4': [
{
'Cidr': 'string'
},
],
'NetworkDestinationIpV6': [
{
'Cidr': 'string'
},
],
'NetworkDestinationPort': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'NetworkDestinationDomain': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ProcessName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ProcessPath': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ProcessPid': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'ProcessParentPid': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'ProcessLaunchedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ProcessTerminatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ThreatIntelIndicatorType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ThreatIntelIndicatorValue': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ThreatIntelIndicatorCategory': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ThreatIntelIndicatorLastObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ThreatIntelIndicatorSource': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ThreatIntelIndicatorSourceUrl': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourcePartition': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceRegion': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceTags': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'
},
],
'ResourceAwsEc2InstanceType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceImageId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceIpV4Addresses': [
{
'Cidr': 'string'
},
],
'ResourceAwsEc2InstanceIpV6Addresses': [
{
'Cidr': 'string'
},
],
'ResourceAwsEc2InstanceKeyName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceIamInstanceProfileArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceVpcId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceSubnetId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceLaunchedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ResourceAwsS3BucketOwnerId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceAwsS3BucketOwnerName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceAwsIamAccessKeyUserName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceAwsIamAccessKeyStatus': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceAwsIamAccessKeyCreatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ResourceContainerName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceContainerImageId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceContainerImageName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceContainerLaunchedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ResourceDetailsOther': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'
},
],
'ComplianceStatus': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'VerificationState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'WorkflowState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'RecordState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'RelatedFindingsProductArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'RelatedFindingsId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'NoteText': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'NoteUpdatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'NoteUpdatedBy': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'Keyword': [
{
'Value': 'string'
},
]
},
SortCriteria=[
{
'Field': 'string',
'SortOrder': 'asc'|'desc'
},
],
NextToken='string',
MaxResults=123
)
The findings attributes used to define a condition to filter the findings returned.
The ARN generated by Security Hub that uniquely identifies a third-party company (security findings provider) after this provider's product (solution that generates findings) is registered with Security Hub.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The AWS account ID that a finding is generated in.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The security findings provider-specific identifier for a finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The identifier for the solution-specific component (a discrete unit of logic) that generated a finding. In various security-findings providers' solutions, this generator can be called a rule, a check, a detector, a plug-in, etc.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
A finding type in the format of namespace/category/classifier that classifies a finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
An ISO8601-formatted timestamp that indicates when the security-findings provider first observed the potential security issue that a finding captured.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
An ISO8601-formatted timestamp that indicates when the security-findings provider most recently observed the potential security issue that a finding captured.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
An ISO8601-formatted timestamp that indicates when the security-findings provider captured the potential security issue that a finding captured.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
An ISO8601-formatted timestamp that indicates when the security-findings provider last updated the finding record.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The native severity as defined by the security-findings provider's solution that generated the finding.
A number filter for querying findings.
The greater-than-equal condition to be applied to a single field when querying for findings.
The less-than-equal condition to be applied to a single field when querying for findings.
The equal-to condition to be applied to a single field when querying for findings.
The normalized severity of a finding.
A number filter for querying findings.
The greater-than-equal condition to be applied to a single field when querying for findings.
The less-than-equal condition to be applied to a single field when querying for findings.
The equal-to condition to be applied to a single field when querying for findings.
The label of a finding's severity.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
A finding's confidence. Confidence is defined as the likelihood that a finding accurately identifies the behavior or issue that it was intended to identify. Confidence is scored on a 0-100 basis using a ratio scale, where 0 means zero percent confidence and 100 means 100 percent confidence.
A number filter for querying findings.
The greater-than-equal condition to be applied to a single field when querying for findings.
The less-than-equal condition to be applied to a single field when querying for findings.
The equal-to condition to be applied to a single field when querying for findings.
The level of importance assigned to the resources associated with the finding. A score of 0 means that the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources.
A number filter for querying findings.
The greater-than-equal condition to be applied to a single field when querying for findings.
The less-than-equal condition to be applied to a single field when querying for findings.
The equal-to condition to be applied to a single field when querying for findings.
A finding's title.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
A finding's description.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The recommendation of what to do about the issue described in a finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
A URL that links to a page about the current finding in the security-findings provider's solution.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
A data type where security-findings providers can include additional solution-specific details that aren't part of the defined AwsSecurityFinding format.
The map filter for querying findings.
The key of the map filter.
The value for the key in the map filter.
The condition to apply to a key value when querying for findings with a map filter.
The name of the solution (product) that generates findings.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The name of the findings provider (company) that owns the solution (product) that generates findings.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
A list of name/value string pairs associated with the finding. These are custom, user-defined fields added to a finding.
The map filter for querying findings.
The key of the map filter.
The value for the key in the map filter.
The condition to apply to a key value when querying for findings with a map filter.
The name of the malware that was observed.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The type of the malware that was observed.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The filesystem path of the malware that was observed.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The state of the malware that was observed.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
Indicates the direction of network traffic associated with a finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The protocol of network-related information about a finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The source IPv4 address of network-related information about a finding.
The IP filter for querying findings.
A finding's CIDR value.
The source IPv6 address of network-related information about a finding.
The IP filter for querying findings.
A finding's CIDR value.
The source port of network-related information about a finding.
A number filter for querying findings.
The greater-than-equal condition to be applied to a single field when querying for findings.
The less-than-equal condition to be applied to a single field when querying for findings.
The equal-to condition to be applied to a single field when querying for findings.
The source domain of network-related information about a finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The source media access control (MAC) address of network-related information about a finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The destination IPv4 address of network-related information about a finding.
The IP filter for querying findings.
A finding's CIDR value.
The destination IPv6 address of network-related information about a finding.
The IP filter for querying findings.
A finding's CIDR value.
The destination port of network-related information about a finding.
A number filter for querying findings.
The greater-than-equal condition to be applied to a single field when querying for findings.
The less-than-equal condition to be applied to a single field when querying for findings.
The equal-to condition to be applied to a single field when querying for findings.
The destination domain of network-related information about a finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The name of the process.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The path to the process executable.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The process ID.
A number filter for querying findings.
The greater-than-equal condition to be applied to a single field when querying for findings.
The less-than-equal condition to be applied to a single field when querying for findings.
The equal-to condition to be applied to a single field when querying for findings.
The parent process ID.
A number filter for querying findings.
The greater-than-equal condition to be applied to a single field when querying for findings.
The less-than-equal condition to be applied to a single field when querying for findings.
The equal-to condition to be applied to a single field when querying for findings.
The date/time that the process was launched.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The date/time that the process was terminated.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The type of a threat intel indicator.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The value of a threat intel indicator.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The category of a threat intel indicator.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The date/time of the last observation of a threat intel indicator.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The source of the threat intel.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The URL for more details from the source of the threat intel.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
Specifies the type of the resource that details are provided for.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The canonical identifier for the given resource type.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The canonical AWS partition name that the Region is assigned to.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The canonical AWS external Region name where this resource is located.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
A list of AWS tags associated with a resource at the time the finding was processed.
The map filter for querying findings.
The key of the map filter.
The value for the key in the map filter.
The condition to apply to a key value when querying for findings with a map filter.
The instance type of the instance.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The Amazon Machine Image (AMI) ID of the instance.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The IPv4 addresses associated with the instance.
The IP filter for querying findings.
A finding's CIDR value.
The IPv6 addresses associated with the instance.
The IP filter for querying findings.
A finding's CIDR value.
The key name associated with the instance.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The IAM profile ARN of the instance.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The identifier of the VPC that the instance was launched in.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The identifier of the subnet that the instance was launched in.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The date/time the instance was launched.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The canonical user ID of the owner of the S3 bucket.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The display name of the owner of the S3 bucket.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The user associated with the IAM access key related to a finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The status of the IAM access key related to a finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The creation date/time of the IAM access key related to a finding.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The name of the container related to a finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The identifier of the image related to a finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The name of the image related to a finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The date/time that the container was started.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The details of a resource that doesn't have a specific subfield for the resource type defined.
The map filter for querying findings.
The key of the map filter.
The value for the key in the map filter.
The condition to apply to a key value when querying for findings with a map filter.
Exclusive to findings that are generated as the result of a check run against a specific rule in a supported standard (for example, CIS AWS Foundations). Contains compliance-related finding details.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The veracity of a finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The workflow state of a finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The updated record state for the finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The ARN of the solution that generated a related finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The solution-generated identifier for a related finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The text of a note.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The timestamp of when the note was updated.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The principal that created a note.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
A keyword for a finding.
A keyword filter for querying findings.
A value for the keyword.
Findings attributes used to sort the list of findings returned.
A collection of finding attributes used to sort findings.
The finding attribute used to sort findings.
The order used to sort findings.
dict
Response Syntax
{
'Findings': [
{
'SchemaVersion': 'string',
'Id': 'string',
'ProductArn': 'string',
'GeneratorId': 'string',
'AwsAccountId': 'string',
'Types': [
'string',
],
'FirstObservedAt': 'string',
'LastObservedAt': 'string',
'CreatedAt': 'string',
'UpdatedAt': 'string',
'Severity': {
'Product': 123.0,
'Normalized': 123
},
'Confidence': 123,
'Criticality': 123,
'Title': 'string',
'Description': 'string',
'Remediation': {
'Recommendation': {
'Text': 'string',
'Url': 'string'
}
},
'SourceUrl': 'string',
'ProductFields': {
'string': 'string'
},
'UserDefinedFields': {
'string': 'string'
},
'Malware': [
{
'Name': 'string',
'Type': 'ADWARE'|'BLENDED_THREAT'|'BOTNET_AGENT'|'COIN_MINER'|'EXPLOIT_KIT'|'KEYLOGGER'|'MACRO'|'POTENTIALLY_UNWANTED'|'SPYWARE'|'RANSOMWARE'|'REMOTE_ACCESS'|'ROOTKIT'|'TROJAN'|'VIRUS'|'WORM',
'Path': 'string',
'State': 'OBSERVED'|'REMOVAL_FAILED'|'REMOVED'
},
],
'Network': {
'Direction': 'IN'|'OUT',
'Protocol': 'string',
'SourceIpV4': 'string',
'SourceIpV6': 'string',
'SourcePort': 123,
'SourceDomain': 'string',
'SourceMac': 'string',
'DestinationIpV4': 'string',
'DestinationIpV6': 'string',
'DestinationPort': 123,
'DestinationDomain': 'string'
},
'Process': {
'Name': 'string',
'Path': 'string',
'Pid': 123,
'ParentPid': 123,
'LaunchedAt': 'string',
'TerminatedAt': 'string'
},
'ThreatIntelIndicators': [
{
'Type': 'DOMAIN'|'EMAIL_ADDRESS'|'HASH_MD5'|'HASH_SHA1'|'HASH_SHA256'|'HASH_SHA512'|'IPV4_ADDRESS'|'IPV6_ADDRESS'|'MUTEX'|'PROCESS'|'URL',
'Value': 'string',
'Category': 'BACKDOOR'|'CARD_STEALER'|'COMMAND_AND_CONTROL'|'DROP_SITE'|'EXPLOIT_SITE'|'KEYLOGGER',
'LastObservedAt': 'string',
'Source': 'string',
'SourceUrl': 'string'
},
],
'Resources': [
{
'Type': 'string',
'Id': 'string',
'Partition': 'aws'|'aws-cn'|'aws-us-gov',
'Region': 'string',
'Tags': {
'string': 'string'
},
'Details': {
'AwsEc2Instance': {
'Type': 'string',
'ImageId': 'string',
'IpV4Addresses': [
'string',
],
'IpV6Addresses': [
'string',
],
'KeyName': 'string',
'IamInstanceProfileArn': 'string',
'VpcId': 'string',
'SubnetId': 'string',
'LaunchedAt': 'string'
},
'AwsS3Bucket': {
'OwnerId': 'string',
'OwnerName': 'string'
},
'AwsIamAccessKey': {
'UserName': 'string',
'Status': 'Active'|'Inactive',
'CreatedAt': 'string'
},
'Container': {
'Name': 'string',
'ImageId': 'string',
'ImageName': 'string',
'LaunchedAt': 'string'
},
'Other': {
'string': 'string'
}
}
},
],
'Compliance': {
'Status': 'PASSED'|'WARNING'|'FAILED'|'NOT_AVAILABLE'
},
'VerificationState': 'UNKNOWN'|'TRUE_POSITIVE'|'FALSE_POSITIVE'|'BENIGN_POSITIVE',
'WorkflowState': 'NEW'|'ASSIGNED'|'IN_PROGRESS'|'DEFERRED'|'RESOLVED',
'RecordState': 'ACTIVE'|'ARCHIVED',
'RelatedFindings': [
{
'ProductArn': 'string',
'Id': 'string'
},
],
'Note': {
'Text': 'string',
'UpdatedBy': 'string',
'UpdatedAt': 'string'
}
},
],
'NextToken': 'string'
}
Response Structure
(dict) --
Findings (list) --
The findings that matched the filters specified in the request.
(dict) --
Provides consistent format for the contents of the Security Hub-aggregated findings. AwsSecurityFinding format enables you to share findings between AWS security services and third-party solutions, and compliance checks.
Note
A finding is a potential security issue generated either by AWS services (Amazon GuardDuty, Amazon Inspector, and Amazon Macie) or by the integrated third-party solutions and compliance checks.
SchemaVersion (string) --
The schema version that a finding is formatted for.
Id (string) --
The security findings provider-specific identifier for a finding.
ProductArn (string) --
The ARN generated by Security Hub that uniquely identifies a third-party company (security-findings provider) after this provider's product (solution that generates findings) is registered with Security Hub.
GeneratorId (string) --
The identifier for the solution-specific component (a discrete unit of logic) that generated a finding. In various security-findings providers' solutions, this generator can be called a rule, a check, a detector, a plug-in, etc.
AwsAccountId (string) --
The AWS account ID that a finding is generated in.
Types (list) --
One or more finding types in the format of namespace/category/classifier that classify a finding.
Valid namespace values are: Software and Configuration Checks | TTPs | Effects | Unusual Behaviors | Sensitive Data Identifications
FirstObservedAt (string) --
An ISO8601-formatted timestamp that indicates when the security-findings provider first observed the potential security issue that a finding captured.
LastObservedAt (string) --
An ISO8601-formatted timestamp that indicates when the security-findings provider most recently observed the potential security issue that a finding captured.
CreatedAt (string) --
An ISO8601-formatted timestamp that indicates when the security-findings provider created the potential security issue that a finding captured.
UpdatedAt (string) --
An ISO8601-formatted timestamp that indicates when the security-findings provider last updated the finding record.
Severity (dict) --
A finding's severity.
Product (float) --
The native severity as defined by the AWS service or integrated partner product that generated the finding.
Normalized (integer) --
The normalized severity of a finding.
Confidence (integer) --
A finding's confidence. Confidence is defined as the likelihood that a finding accurately identifies the behavior or issue that it was intended to identify. Confidence is scored on a 0-100 basis using a ratio scale, where 0 means zero percent confidence and 100 means 100 percent confidence.
Criticality (integer) --
The level of importance assigned to the resources associated with the finding. A score of 0 means that the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources.
Title (string) --
A finding's title.
Note
In this release, Title is a required property.
Description (string) --
A finding's description.
Note
In this release, Description is a required property.
Remediation (dict) --
A data type that describes the remediation options for a finding.
Recommendation (dict) --
A recommendation on the steps to take to remediate the issue identified by a finding.
Text (string) --
Describes the recommended steps to take to remediate an issue identified in a finding.
Url (string) --
A URL to a page or site that contains information about how to remediate a finding.
SourceUrl (string) --
A URL that links to a page about the current finding in the security-findings provider's solution.
ProductFields (dict) --
A data type where security-findings providers can include additional solution-specific details that aren't part of the defined AwsSecurityFinding format.
UserDefinedFields (dict) --
A list of name/value string pairs associated with the finding. These are custom, user-defined fields added to a finding.
Malware (list) --
A list of malware related to a finding.
(dict) --
A list of malware related to a finding.
Name (string) --
The name of the malware that was observed.
Type (string) --
The type of the malware that was observed.
Path (string) --
The file system path of the malware that was observed.
State (string) --
The state of the malware that was observed.
Network (dict) --
The details of network-related information about a finding.
Direction (string) --
The direction of network traffic associated with a finding.
Protocol (string) --
The protocol of network-related information about a finding.
SourceIpV4 (string) --
The source IPv4 address of network-related information about a finding.
SourceIpV6 (string) --
The source IPv6 address of network-related information about a finding.
SourcePort (integer) --
The source port of network-related information about a finding.
SourceDomain (string) --
The source domain of network-related information about a finding.
SourceMac (string) --
The source media access control (MAC) address of network-related information about a finding.
DestinationIpV4 (string) --
The destination IPv4 address of network-related information about a finding.
DestinationIpV6 (string) --
The destination IPv6 address of network-related information about a finding.
DestinationPort (integer) --
The destination port of network-related information about a finding.
DestinationDomain (string) --
The destination domain of network-related information about a finding.
Process (dict) --
The details of process-related information about a finding.
Name (string) --
The name of the process.
Path (string) --
The path to the process executable.
Pid (integer) --
The process ID.
ParentPid (integer) --
The parent process ID.
LaunchedAt (string) --
The date/time that the process was launched.
TerminatedAt (string) --
The date and time when the process was terminated.
ThreatIntelIndicators (list) --
Threat intel details related to a finding.
(dict) --
Details about the threat intel related to a finding.
Type (string) --
The type of a threat intel indicator.
Value (string) --
The value of a threat intel indicator.
Category (string) --
The category of a threat intel indicator.
LastObservedAt (string) --
The date and time when the most recent instance of a threat intel indicator was observed.
Source (string) --
The source of the threat intel indicator.
SourceUrl (string) --
The URL to the page or site where you can get more information about the threat intel indicator.
Resources (list) --
A set of resource data types that describe the resources that the finding refers to.
(dict) --
A resource related to a finding.
Type (string) --
The type of the resource that details are provided for.
Id (string) --
The canonical identifier for the given resource type.
Partition (string) --
The canonical AWS partition name that the Region is assigned to.
Region (string) --
The canonical AWS external Region name where this resource is located.
Tags (dict) --
A list of AWS tags associated with a resource at the time the finding was processed.
Details (dict) --
Additional details about the resource related to a finding.
AwsEc2Instance (dict) --
Details about an Amazon EC2 instance related to a finding.
Type (string) --
The instance type of the instance.
ImageId (string) --
The Amazon Machine Image (AMI) ID of the instance.
IpV4Addresses (list) --
The IPv4 addresses associated with the instance.
IpV6Addresses (list) --
The IPv6 addresses associated with the instance.
KeyName (string) --
The key name associated with the instance.
IamInstanceProfileArn (string) --
The IAM profile ARN of the instance.
VpcId (string) --
The identifier of the VPC that the instance was launched in.
SubnetId (string) --
The identifier of the subnet that the instance was launched in.
LaunchedAt (string) --
The date/time the instance was launched.
AwsS3Bucket (dict) --
Details about an Amazon S3 Bucket related to a finding.
OwnerId (string) --
The canonical user ID of the owner of the S3 bucket.
OwnerName (string) --
The display name of the owner of the S3 bucket.
AwsIamAccessKey (dict) --
Details about an IAM access key related to a finding.
UserName (string) --
The user associated with the IAM access key related to a finding.
Status (string) --
The status of the IAM access key related to a finding.
CreatedAt (string) --
The creation date/time of the IAM access key related to a finding.
Container (dict) --
Details about a container resource related to a finding.
Name (string) --
The name of the container related to a finding.
ImageId (string) --
The identifier of the image related to a finding.
ImageName (string) --
The name of the image related to a finding.
LaunchedAt (string) --
The date and time when the container started.
Other (dict) --
Details about a resource that doesn't have a specific type defined.
Compliance (dict) --
This data type is exclusive to findings that are generated as the result of a check run against a specific rule in a supported standard (for example, CIS AWS Foundations). Contains compliance-related finding details.
Status (string) --
The result of a compliance check.
VerificationState (string) --
Indicates the veracity of a finding.
WorkflowState (string) --
The workflow state of a finding.
RecordState (string) --
The record state of a finding.
RelatedFindings (list) --
A list of related findings.
(dict) --
Details about a related finding.
ProductArn (string) --
The ARN of the product that generated a related finding.
Id (string) --
The product-generated identifier for a related finding.
Note (dict) --
A user-defined note added to a finding.
Text (string) --
The text of a note.
UpdatedBy (string) --
The principal that created a note.
UpdatedAt (string) --
The timestamp of when the note was updated.
NextToken (string) --
The token that is required for pagination.
Lists the results of the Security Hub insight that the insight ARN specifies.
See also: AWS API Documentation
Request Syntax
response = client.get_insight_results(
InsightArn='string'
)
[REQUIRED]
The ARN of the insight whose results you want to see.
{
'InsightResults': {
'InsightArn': 'string',
'GroupByAttribute': 'string',
'ResultValues': [
{
'GroupByAttributeValue': 'string',
'Count': 123
},
]
}
}
Response Structure
The insight results returned by the operation.
The ARN of the insight whose results are returned by the GetInsightResults operation.
The attribute that the findings are grouped by for the insight whose results are returned by the GetInsightResults operation.
The list of insight result values returned by the GetInsightResults operation.
The insight result values returned by the GetInsightResults operation.
The value of the attribute that the findings are grouped by for the insight whose results are returned by the GetInsightResults operation.
The number of findings returned for each GroupByAttributeValue .
Lists and describes insights that insight ARNs specify.
See also: AWS API Documentation
Request Syntax
response = client.get_insights(
InsightArns=[
'string',
],
NextToken='string',
MaxResults=123
)
The ARNs of the insights that you want to describe.
dict
Response Syntax
{
'Insights': [
{
'InsightArn': 'string',
'Name': 'string',
'Filters': {
'ProductArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'AwsAccountId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'Id': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'GeneratorId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'Type': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'FirstObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'LastObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'CreatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'UpdatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'SeverityProduct': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'SeverityNormalized': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'SeverityLabel': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'Confidence': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'Criticality': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'Title': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'Description': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'RecommendationText': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'SourceUrl': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ProductFields': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'
},
],
'ProductName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'CompanyName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'UserDefinedFields': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'
},
],
'MalwareName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'MalwareType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'MalwarePath': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'MalwareState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'NetworkDirection': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'NetworkProtocol': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'NetworkSourceIpV4': [
{
'Cidr': 'string'
},
],
'NetworkSourceIpV6': [
{
'Cidr': 'string'
},
],
'NetworkSourcePort': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'NetworkSourceDomain': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'NetworkSourceMac': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'NetworkDestinationIpV4': [
{
'Cidr': 'string'
},
],
'NetworkDestinationIpV6': [
{
'Cidr': 'string'
},
],
'NetworkDestinationPort': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'NetworkDestinationDomain': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ProcessName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ProcessPath': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ProcessPid': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'ProcessParentPid': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'ProcessLaunchedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ProcessTerminatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ThreatIntelIndicatorType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ThreatIntelIndicatorValue': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ThreatIntelIndicatorCategory': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ThreatIntelIndicatorLastObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ThreatIntelIndicatorSource': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ThreatIntelIndicatorSourceUrl': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourcePartition': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceRegion': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceTags': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'
},
],
'ResourceAwsEc2InstanceType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceImageId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceIpV4Addresses': [
{
'Cidr': 'string'
},
],
'ResourceAwsEc2InstanceIpV6Addresses': [
{
'Cidr': 'string'
},
],
'ResourceAwsEc2InstanceKeyName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceIamInstanceProfileArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceVpcId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceSubnetId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceLaunchedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ResourceAwsS3BucketOwnerId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceAwsS3BucketOwnerName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceAwsIamAccessKeyUserName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceAwsIamAccessKeyStatus': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceAwsIamAccessKeyCreatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ResourceContainerName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceContainerImageId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceContainerImageName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceContainerLaunchedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ResourceDetailsOther': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'
},
],
'ComplianceStatus': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'VerificationState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'WorkflowState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'RecordState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'RelatedFindingsProductArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'RelatedFindingsId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'NoteText': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'NoteUpdatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'NoteUpdatedBy': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'Keyword': [
{
'Value': 'string'
},
]
},
'GroupByAttribute': 'string'
},
],
'NextToken': 'string'
}
Response Structure
(dict) --
Insights (list) --
The insights returned by the operation.
(dict) --
Contains information about a Security Hub insight.
InsightArn (string) --
The ARN of a Security Hub insight.
Name (string) --
The name of a Security Hub insight.
Filters (dict) --
One or more attributes used to filter the findings included in the insight. Only findings that match the criteria defined in the filters are included in the insight.
ProductArn (list) --
The ARN generated by Security Hub that uniquely identifies a third-party company (security findings provider) after this provider's product (solution that generates findings) is registered with Security Hub.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
AwsAccountId (list) --
The AWS account ID that a finding is generated in.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
Id (list) --
The security findings provider-specific identifier for a finding.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
GeneratorId (list) --
The identifier for the solution-specific component (a discrete unit of logic) that generated a finding. In various security-findings providers' solutions, this generator can be called a rule, a check, a detector, a plug-in, etc.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
Type (list) --
A finding type in the format of namespace/category/classifier that classifies a finding.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
FirstObservedAt (list) --
An ISO8601-formatted timestamp that indicates when the security-findings provider first observed the potential security issue that a finding captured.
(dict) --
A date filter for querying findings.
Start (string) --
A start date for the date filter.
End (string) --
An end date for the date filter.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
LastObservedAt (list) --
An ISO8601-formatted timestamp that indicates when the security-findings provider most recently observed the potential security issue that a finding captured.
(dict) --
A date filter for querying findings.
Start (string) --
A start date for the date filter.
End (string) --
An end date for the date filter.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
CreatedAt (list) --
An ISO8601-formatted timestamp that indicates when the security-findings provider captured the potential security issue that a finding captured.
(dict) --
A date filter for querying findings.
Start (string) --
A start date for the date filter.
End (string) --
An end date for the date filter.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
UpdatedAt (list) --
An ISO8601-formatted timestamp that indicates when the security-findings provider last updated the finding record.
(dict) --
A date filter for querying findings.
Start (string) --
A start date for the date filter.
End (string) --
An end date for the date filter.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
SeverityProduct (list) --
The native severity as defined by the security-findings provider's solution that generated the finding.
(dict) --
A number filter for querying findings.
Gte (float) --
The greater-than-equal condition to be applied to a single field when querying for findings.
Lte (float) --
The less-than-equal condition to be applied to a single field when querying for findings.
Eq (float) --
The equal-to condition to be applied to a single field when querying for findings.
SeverityNormalized (list) --
The normalized severity of a finding.
(dict) --
A number filter for querying findings.
Gte (float) --
The greater-than-equal condition to be applied to a single field when querying for findings.
Lte (float) --
The less-than-equal condition to be applied to a single field when querying for findings.
Eq (float) --
The equal-to condition to be applied to a single field when querying for findings.
SeverityLabel (list) --
The label of a finding's severity.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
Confidence (list) --
A finding's confidence. Confidence is defined as the likelihood that a finding accurately identifies the behavior or issue that it was intended to identify. Confidence is scored on a 0-100 basis using a ratio scale, where 0 means zero percent confidence and 100 means 100 percent confidence.
(dict) --
A number filter for querying findings.
Gte (float) --
The greater-than-equal condition to be applied to a single field when querying for findings.
Lte (float) --
The less-than-equal condition to be applied to a single field when querying for findings.
Eq (float) --
The equal-to condition to be applied to a single field when querying for findings.
Criticality (list) --
The level of importance assigned to the resources associated with the finding. A score of 0 means that the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources.
(dict) --
A number filter for querying findings.
Gte (float) --
The greater-than-equal condition to be applied to a single field when querying for findings.
Lte (float) --
The less-than-equal condition to be applied to a single field when querying for findings.
Eq (float) --
The equal-to condition to be applied to a single field when querying for findings.
Title (list) --
A finding's title.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
Description (list) --
A finding's description.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
RecommendationText (list) --
The recommendation of what to do about the issue described in a finding.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
SourceUrl (list) --
A URL that links to a page about the current finding in the security-findings provider's solution.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
ProductFields (list) --
A data type where security-findings providers can include additional solution-specific details that aren't part of the defined AwsSecurityFinding format.
(dict) --
The map filter for querying findings.
Key (string) --
The key of the map filter.
Value (string) --
The value for the key in the map filter.
Comparison (string) --
The condition to apply to a key value when querying for findings with a map filter.
ProductName (list) --
The name of the solution (product) that generates findings.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
CompanyName (list) --
The name of the findings provider (company) that owns the solution (product) that generates findings.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
UserDefinedFields (list) --
A list of name/value string pairs associated with the finding. These are custom, user-defined fields added to a finding.
(dict) --
The map filter for querying findings.
Key (string) --
The key of the map filter.
Value (string) --
The value for the key in the map filter.
Comparison (string) --
The condition to apply to a key value when querying for findings with a map filter.
MalwareName (list) --
The name of the malware that was observed.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
MalwareType (list) --
The type of the malware that was observed.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
MalwarePath (list) --
The filesystem path of the malware that was observed.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
MalwareState (list) --
The state of the malware that was observed.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
NetworkDirection (list) --
Indicates the direction of network traffic associated with a finding.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
NetworkProtocol (list) --
The protocol of network-related information about a finding.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
NetworkSourceIpV4 (list) --
The source IPv4 address of network-related information about a finding.
(dict) --
The IP filter for querying findings.
Cidr (string) --
A finding's CIDR value.
NetworkSourceIpV6 (list) --
The source IPv6 address of network-related information about a finding.
(dict) --
The IP filter for querying findings.
Cidr (string) --
A finding's CIDR value.
NetworkSourcePort (list) --
The source port of network-related information about a finding.
(dict) --
A number filter for querying findings.
Gte (float) --
The greater-than-equal condition to be applied to a single field when querying for findings.
Lte (float) --
The less-than-equal condition to be applied to a single field when querying for findings.
Eq (float) --
The equal-to condition to be applied to a single field when querying for findings.
NetworkSourceDomain (list) --
The source domain of network-related information about a finding.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
NetworkSourceMac (list) --
The source media access control (MAC) address of network-related information about a finding.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
NetworkDestinationIpV4 (list) --
The destination IPv4 address of network-related information about a finding.
(dict) --
The IP filter for querying findings.
Cidr (string) --
A finding's CIDR value.
NetworkDestinationIpV6 (list) --
The destination IPv6 address of network-related information about a finding.
(dict) --
The IP filter for querying findings.
Cidr (string) --
A finding's CIDR value.
NetworkDestinationPort (list) --
The destination port of network-related information about a finding.
(dict) --
A number filter for querying findings.
Gte (float) --
The greater-than-equal condition to be applied to a single field when querying for findings.
Lte (float) --
The less-than-equal condition to be applied to a single field when querying for findings.
Eq (float) --
The equal-to condition to be applied to a single field when querying for findings.
NetworkDestinationDomain (list) --
The destination domain of network-related information about a finding.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
ProcessName (list) --
The name of the process.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
ProcessPath (list) --
The path to the process executable.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
ProcessPid (list) --
The process ID.
(dict) --
A number filter for querying findings.
Gte (float) --
The greater-than-equal condition to be applied to a single field when querying for findings.
Lte (float) --
The less-than-equal condition to be applied to a single field when querying for findings.
Eq (float) --
The equal-to condition to be applied to a single field when querying for findings.
ProcessParentPid (list) --
The parent process ID.
(dict) --
A number filter for querying findings.
Gte (float) --
The greater-than-equal condition to be applied to a single field when querying for findings.
Lte (float) --
The less-than-equal condition to be applied to a single field when querying for findings.
Eq (float) --
The equal-to condition to be applied to a single field when querying for findings.
ProcessLaunchedAt (list) --
The date/time that the process was launched.
(dict) --
A date filter for querying findings.
Start (string) --
A start date for the date filter.
End (string) --
An end date for the date filter.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
ProcessTerminatedAt (list) --
The date/time that the process was terminated.
(dict) --
A date filter for querying findings.
Start (string) --
A start date for the date filter.
End (string) --
An end date for the date filter.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
ThreatIntelIndicatorType (list) --
The type of a threat intel indicator.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
ThreatIntelIndicatorValue (list) --
The value of a threat intel indicator.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
ThreatIntelIndicatorCategory (list) --
The category of a threat intel indicator.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
ThreatIntelIndicatorLastObservedAt (list) --
The date/time of the last observation of a threat intel indicator.
(dict) --
A date filter for querying findings.
Start (string) --
A start date for the date filter.
End (string) --
An end date for the date filter.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
ThreatIntelIndicatorSource (list) --
The source of the threat intel.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
ThreatIntelIndicatorSourceUrl (list) --
The URL for more details from the source of the threat intel.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
ResourceType (list) --
Specifies the type of the resource that details are provided for.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
ResourceId (list) --
The canonical identifier for the given resource type.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
ResourcePartition (list) --
The canonical AWS partition name that the Region is assigned to.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
ResourceRegion (list) --
The canonical AWS external Region name where this resource is located.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
ResourceTags (list) --
A list of AWS tags associated with a resource at the time the finding was processed.
(dict) --
The map filter for querying findings.
Key (string) --
The key of the map filter.
Value (string) --
The value for the key in the map filter.
Comparison (string) --
The condition to apply to a key value when querying for findings with a map filter.
ResourceAwsEc2InstanceType (list) --
The instance type of the instance.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
ResourceAwsEc2InstanceImageId (list) --
The Amazon Machine Image (AMI) ID of the instance.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
ResourceAwsEc2InstanceIpV4Addresses (list) --
The IPv4 addresses associated with the instance.
(dict) --
The IP filter for querying findings.
Cidr (string) --
A finding's CIDR value.
ResourceAwsEc2InstanceIpV6Addresses (list) --
The IPv6 addresses associated with the instance.
(dict) --
The IP filter for querying findings.
Cidr (string) --
A finding's CIDR value.
ResourceAwsEc2InstanceKeyName (list) --
The key name associated with the instance.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
ResourceAwsEc2InstanceIamInstanceProfileArn (list) --
The IAM profile ARN of the instance.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
ResourceAwsEc2InstanceVpcId (list) --
The identifier of the VPC that the instance was launched in.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
ResourceAwsEc2InstanceSubnetId (list) --
The identifier of the subnet that the instance was launched in.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
ResourceAwsEc2InstanceLaunchedAt (list) --
The date/time the instance was launched.
(dict) --
A date filter for querying findings.
Start (string) --
A start date for the date filter.
End (string) --
An end date for the date filter.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
ResourceAwsS3BucketOwnerId (list) --
The canonical user ID of the owner of the S3 bucket.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
ResourceAwsS3BucketOwnerName (list) --
The display name of the owner of the S3 bucket.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
ResourceAwsIamAccessKeyUserName (list) --
The user associated with the IAM access key related to a finding.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
ResourceAwsIamAccessKeyStatus (list) --
The status of the IAM access key related to a finding.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
ResourceAwsIamAccessKeyCreatedAt (list) --
The creation date/time of the IAM access key related to a finding.
(dict) --
A date filter for querying findings.
Start (string) --
A start date for the date filter.
End (string) --
An end date for the date filter.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
ResourceContainerName (list) --
The name of the container related to a finding.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
ResourceContainerImageId (list) --
The identifier of the image related to a finding.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
ResourceContainerImageName (list) --
The name of the image related to a finding.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
ResourceContainerLaunchedAt (list) --
The date/time that the container was started.
(dict) --
A date filter for querying findings.
Start (string) --
A start date for the date filter.
End (string) --
An end date for the date filter.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
ResourceDetailsOther (list) --
The details of a resource that doesn't have a specific subfield for the resource type defined.
(dict) --
The map filter for querying findings.
Key (string) --
The key of the map filter.
Value (string) --
The value for the key in the map filter.
Comparison (string) --
The condition to apply to a key value when querying for findings with a map filter.
ComplianceStatus (list) --
Exclusive to findings that are generated as the result of a check run against a specific rule in a supported standard (for example, CIS AWS Foundations). Contains compliance-related finding details.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
VerificationState (list) --
The veracity of a finding.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
WorkflowState (list) --
The workflow state of a finding.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
RecordState (list) --
The updated record state for the finding.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
RelatedFindingsProductArn (list) --
The ARN of the solution that generated a related finding.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
RelatedFindingsId (list) --
The solution-generated identifier for a related finding.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
NoteText (list) --
The text of a note.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
NoteUpdatedAt (list) --
The timestamp of when the note was updated.
(dict) --
A date filter for querying findings.
Start (string) --
A start date for the date filter.
End (string) --
An end date for the date filter.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
NoteUpdatedBy (list) --
The principal that created a note.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
Keyword (list) --
A keyword for a finding.
(dict) --
A keyword filter for querying findings.
Value (string) --
A value for the keyword.
GroupByAttribute (string) --
The attribute that the insight's findings are grouped by. This attribute is used as a findings aggregator for the purposes of viewing and managing multiple related findings under a single operand.
NextToken (string) --
The token that is required for pagination.
Returns the count of all Security Hub membership invitations that were sent to the current member account, not including the currently accepted invitation.
See also: AWS API Documentation
Request Syntax
response = client.get_invitations_count()
{
'InvitationsCount': 123
}
Response Structure
The number of all membership invitations sent to this Security Hub member account, not including the currently accepted invitation.
Provides the details for the Security Hub master account to the current member account.
See also: AWS API Documentation
Request Syntax
response = client.get_master_account()
{
'Master': {
'AccountId': 'string',
'InvitationId': 'string',
'InvitedAt': datetime(2015, 1, 1),
'MemberStatus': 'string'
}
}
Response Structure
A list of details about the Security Hub master account for the current member account.
The account ID of the Security Hub master account that the invitation was sent from.
The ID of the invitation sent to the member account.
The timestamp of when the invitation was sent.
The current status of the association between member and master accounts.
Returns the details on the Security Hub member accounts that the account IDs specify.
See also: AWS API Documentation
Request Syntax
response = client.get_members(
AccountIds=[
'string',
]
)
[REQUIRED]
A list of account IDs for the Security Hub member accounts that you want to return the details for.
{
'Members': [
{
'AccountId': 'string',
'Email': 'string',
'MasterId': 'string',
'MemberStatus': 'string',
'InvitedAt': datetime(2015, 1, 1),
'UpdatedAt': datetime(2015, 1, 1)
},
],
'UnprocessedAccounts': [
{
'AccountId': 'string',
'ProcessingResult': 'string'
},
]
}
Response Structure
A list of details about the Security Hub member accounts.
The details about a member account.
The AWS account ID of the member account.
The email address of the member account.
The AWS account ID of the Security Hub master account associated with this member account.
The status of the relationship between the member account and its master account.
A timestamp for the date and time when the invitation was sent to the member account.
The timestamp for the date and time when the member account was updated.
A list of account ID and email address pairs of the AWS accounts that couldn't be processed.
Details about the account that wasn't processed.
An AWS account ID of the account that wasn't be processed.
The reason that the account wasn't be processed.
Create a paginator for an operation.
Returns an object that can wait for some condition.
Invites other AWS accounts to become member accounts for the Security Hub master account that the invitation is sent from. Before you can use this action to invite a member, you must first create the member account in Security Hub by using the CreateMembers action. When the account owner accepts the invitation to become a member account and enables Security Hub, the master account can view the findings generated from member account.
See also: AWS API Documentation
Request Syntax
response = client.invite_members(
AccountIds=[
'string',
]
)
A list of IDs of the AWS accounts that you want to invite to Security Hub as members.
{
'UnprocessedAccounts': [
{
'AccountId': 'string',
'ProcessingResult': 'string'
},
]
}
Response Structure
A list of account ID and email address pairs of the AWS accounts that couldn't be processed.
Details about the account that wasn't processed.
An AWS account ID of the account that wasn't be processed.
The reason that the account wasn't be processed.
Lists all findings-generating solutions (products) whose findings you have subscribed to receive in Security Hub.
See also: AWS API Documentation
Request Syntax
response = client.list_enabled_products_for_import(
NextToken='string',
MaxResults=123
)
dict
Response Syntax
{
'ProductSubscriptions': [
'string',
],
'NextToken': 'string'
}
Response Structure
(dict) --
ProductSubscriptions (list) --
A list of ARNs for the resources that represent your subscriptions to products.
NextToken (string) --
The token that is required for pagination.
Lists all Security Hub membership invitations that were sent to the current AWS account.
See also: AWS API Documentation
Request Syntax
response = client.list_invitations(
MaxResults=123,
NextToken='string'
)
dict
Response Syntax
{
'Invitations': [
{
'AccountId': 'string',
'InvitationId': 'string',
'InvitedAt': datetime(2015, 1, 1),
'MemberStatus': 'string'
},
],
'NextToken': 'string'
}
Response Structure
(dict) --
Invitations (list) --
The details of the invitations returned by the operation.
(dict) --
Details about an invitation.
AccountId (string) --
The account ID of the Security Hub master account that the invitation was sent from.
InvitationId (string) --
The ID of the invitation sent to the member account.
InvitedAt (datetime) --
The timestamp of when the invitation was sent.
MemberStatus (string) --
The current status of the association between member and master accounts.
NextToken (string) --
The token that is required for pagination.
Lists details about all member accounts for the current Security Hub master account.
See also: AWS API Documentation
Request Syntax
response = client.list_members(
OnlyAssociated=True|False,
MaxResults=123,
NextToken='string'
)
dict
Response Syntax
{
'Members': [
{
'AccountId': 'string',
'Email': 'string',
'MasterId': 'string',
'MemberStatus': 'string',
'InvitedAt': datetime(2015, 1, 1),
'UpdatedAt': datetime(2015, 1, 1)
},
],
'NextToken': 'string'
}
Response Structure
(dict) --
Members (list) --
Member details returned by the operation.
(dict) --
The details about a member account.
AccountId (string) --
The AWS account ID of the member account.
Email (string) --
The email address of the member account.
MasterId (string) --
The AWS account ID of the Security Hub master account associated with this member account.
MemberStatus (string) --
The status of the relationship between the member account and its master account.
InvitedAt (datetime) --
A timestamp for the date and time when the invitation was sent to the member account.
UpdatedAt (datetime) --
The timestamp for the date and time when the member account was updated.
NextToken (string) --
The token that is required for pagination.
Returns a list of tags associated with a resource.
See also: AWS API Documentation
Request Syntax
response = client.list_tags_for_resource(
ResourceArn='string'
)
[REQUIRED]
The ARN of the resource to retrieve tags for.
{
'Tags': {
'string': 'string'
}
}
Response Structure
The tags associated with a resource.
Adds one or more tags to a resource.
See also: AWS API Documentation
Request Syntax
response = client.tag_resource(
ResourceArn='string',
Tags={
'string': 'string'
}
)
[REQUIRED]
The ARN of the resource to apply the tags to.
[REQUIRED]
The tags to add to the resource.
dict
Response Syntax
{}
Response Structure
Removes one or more tags from a resource.
See also: AWS API Documentation
Request Syntax
response = client.untag_resource(
ResourceArn='string',
TagKeys=[
'string',
]
)
[REQUIRED]
The ARN of the resource to remove the tags from.
[REQUIRED]
The tag keys associated with the tags to remove from the resource.
dict
Response Syntax
{}
Response Structure
Updates the name and description of a custom action target in Security Hub.
See also: AWS API Documentation
Request Syntax
response = client.update_action_target(
ActionTargetArn='string',
Name='string',
Description='string'
)
[REQUIRED]
The ARN of the custom action target to update.
dict
Response Syntax
{}
Response Structure
Updates the Note and RecordState of the Security Hub-aggregated findings that the filter attributes specify. Any member account that can view the finding also sees the update to the finding.
See also: AWS API Documentation
Request Syntax
response = client.update_findings(
Filters={
'ProductArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'AwsAccountId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'Id': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'GeneratorId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'Type': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'FirstObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'LastObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'CreatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'UpdatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'SeverityProduct': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'SeverityNormalized': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'SeverityLabel': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'Confidence': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'Criticality': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'Title': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'Description': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'RecommendationText': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'SourceUrl': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ProductFields': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'
},
],
'ProductName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'CompanyName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'UserDefinedFields': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'
},
],
'MalwareName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'MalwareType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'MalwarePath': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'MalwareState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'NetworkDirection': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'NetworkProtocol': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'NetworkSourceIpV4': [
{
'Cidr': 'string'
},
],
'NetworkSourceIpV6': [
{
'Cidr': 'string'
},
],
'NetworkSourcePort': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'NetworkSourceDomain': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'NetworkSourceMac': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'NetworkDestinationIpV4': [
{
'Cidr': 'string'
},
],
'NetworkDestinationIpV6': [
{
'Cidr': 'string'
},
],
'NetworkDestinationPort': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'NetworkDestinationDomain': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ProcessName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ProcessPath': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ProcessPid': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'ProcessParentPid': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'ProcessLaunchedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ProcessTerminatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ThreatIntelIndicatorType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ThreatIntelIndicatorValue': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ThreatIntelIndicatorCategory': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ThreatIntelIndicatorLastObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ThreatIntelIndicatorSource': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ThreatIntelIndicatorSourceUrl': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourcePartition': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceRegion': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceTags': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'
},
],
'ResourceAwsEc2InstanceType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceImageId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceIpV4Addresses': [
{
'Cidr': 'string'
},
],
'ResourceAwsEc2InstanceIpV6Addresses': [
{
'Cidr': 'string'
},
],
'ResourceAwsEc2InstanceKeyName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceIamInstanceProfileArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceVpcId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceSubnetId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceLaunchedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ResourceAwsS3BucketOwnerId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceAwsS3BucketOwnerName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceAwsIamAccessKeyUserName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceAwsIamAccessKeyStatus': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceAwsIamAccessKeyCreatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ResourceContainerName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceContainerImageId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceContainerImageName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceContainerLaunchedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ResourceDetailsOther': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'
},
],
'ComplianceStatus': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'VerificationState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'WorkflowState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'RecordState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'RelatedFindingsProductArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'RelatedFindingsId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'NoteText': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'NoteUpdatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'NoteUpdatedBy': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'Keyword': [
{
'Value': 'string'
},
]
},
Note={
'Text': 'string',
'UpdatedBy': 'string'
},
RecordState='ACTIVE'|'ARCHIVED'
)
[REQUIRED]
A collection of attributes that specify which findings you want to update.
The ARN generated by Security Hub that uniquely identifies a third-party company (security findings provider) after this provider's product (solution that generates findings) is registered with Security Hub.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The AWS account ID that a finding is generated in.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The security findings provider-specific identifier for a finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The identifier for the solution-specific component (a discrete unit of logic) that generated a finding. In various security-findings providers' solutions, this generator can be called a rule, a check, a detector, a plug-in, etc.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
A finding type in the format of namespace/category/classifier that classifies a finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
An ISO8601-formatted timestamp that indicates when the security-findings provider first observed the potential security issue that a finding captured.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
An ISO8601-formatted timestamp that indicates when the security-findings provider most recently observed the potential security issue that a finding captured.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
An ISO8601-formatted timestamp that indicates when the security-findings provider captured the potential security issue that a finding captured.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
An ISO8601-formatted timestamp that indicates when the security-findings provider last updated the finding record.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The native severity as defined by the security-findings provider's solution that generated the finding.
A number filter for querying findings.
The greater-than-equal condition to be applied to a single field when querying for findings.
The less-than-equal condition to be applied to a single field when querying for findings.
The equal-to condition to be applied to a single field when querying for findings.
The normalized severity of a finding.
A number filter for querying findings.
The greater-than-equal condition to be applied to a single field when querying for findings.
The less-than-equal condition to be applied to a single field when querying for findings.
The equal-to condition to be applied to a single field when querying for findings.
The label of a finding's severity.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
A finding's confidence. Confidence is defined as the likelihood that a finding accurately identifies the behavior or issue that it was intended to identify. Confidence is scored on a 0-100 basis using a ratio scale, where 0 means zero percent confidence and 100 means 100 percent confidence.
A number filter for querying findings.
The greater-than-equal condition to be applied to a single field when querying for findings.
The less-than-equal condition to be applied to a single field when querying for findings.
The equal-to condition to be applied to a single field when querying for findings.
The level of importance assigned to the resources associated with the finding. A score of 0 means that the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources.
A number filter for querying findings.
The greater-than-equal condition to be applied to a single field when querying for findings.
The less-than-equal condition to be applied to a single field when querying for findings.
The equal-to condition to be applied to a single field when querying for findings.
A finding's title.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
A finding's description.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The recommendation of what to do about the issue described in a finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
A URL that links to a page about the current finding in the security-findings provider's solution.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
A data type where security-findings providers can include additional solution-specific details that aren't part of the defined AwsSecurityFinding format.
The map filter for querying findings.
The key of the map filter.
The value for the key in the map filter.
The condition to apply to a key value when querying for findings with a map filter.
The name of the solution (product) that generates findings.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The name of the findings provider (company) that owns the solution (product) that generates findings.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
A list of name/value string pairs associated with the finding. These are custom, user-defined fields added to a finding.
The map filter for querying findings.
The key of the map filter.
The value for the key in the map filter.
The condition to apply to a key value when querying for findings with a map filter.
The name of the malware that was observed.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The type of the malware that was observed.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The filesystem path of the malware that was observed.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The state of the malware that was observed.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
Indicates the direction of network traffic associated with a finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The protocol of network-related information about a finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The source IPv4 address of network-related information about a finding.
The IP filter for querying findings.
A finding's CIDR value.
The source IPv6 address of network-related information about a finding.
The IP filter for querying findings.
A finding's CIDR value.
The source port of network-related information about a finding.
A number filter for querying findings.
The greater-than-equal condition to be applied to a single field when querying for findings.
The less-than-equal condition to be applied to a single field when querying for findings.
The equal-to condition to be applied to a single field when querying for findings.
The source domain of network-related information about a finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The source media access control (MAC) address of network-related information about a finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The destination IPv4 address of network-related information about a finding.
The IP filter for querying findings.
A finding's CIDR value.
The destination IPv6 address of network-related information about a finding.
The IP filter for querying findings.
A finding's CIDR value.
The destination port of network-related information about a finding.
A number filter for querying findings.
The greater-than-equal condition to be applied to a single field when querying for findings.
The less-than-equal condition to be applied to a single field when querying for findings.
The equal-to condition to be applied to a single field when querying for findings.
The destination domain of network-related information about a finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The name of the process.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The path to the process executable.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The process ID.
A number filter for querying findings.
The greater-than-equal condition to be applied to a single field when querying for findings.
The less-than-equal condition to be applied to a single field when querying for findings.
The equal-to condition to be applied to a single field when querying for findings.
The parent process ID.
A number filter for querying findings.
The greater-than-equal condition to be applied to a single field when querying for findings.
The less-than-equal condition to be applied to a single field when querying for findings.
The equal-to condition to be applied to a single field when querying for findings.
The date/time that the process was launched.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The date/time that the process was terminated.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The type of a threat intel indicator.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The value of a threat intel indicator.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The category of a threat intel indicator.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The date/time of the last observation of a threat intel indicator.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The source of the threat intel.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The URL for more details from the source of the threat intel.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
Specifies the type of the resource that details are provided for.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The canonical identifier for the given resource type.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The canonical AWS partition name that the Region is assigned to.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The canonical AWS external Region name where this resource is located.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
A list of AWS tags associated with a resource at the time the finding was processed.
The map filter for querying findings.
The key of the map filter.
The value for the key in the map filter.
The condition to apply to a key value when querying for findings with a map filter.
The instance type of the instance.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The Amazon Machine Image (AMI) ID of the instance.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The IPv4 addresses associated with the instance.
The IP filter for querying findings.
A finding's CIDR value.
The IPv6 addresses associated with the instance.
The IP filter for querying findings.
A finding's CIDR value.
The key name associated with the instance.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The IAM profile ARN of the instance.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The identifier of the VPC that the instance was launched in.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The identifier of the subnet that the instance was launched in.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The date/time the instance was launched.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The canonical user ID of the owner of the S3 bucket.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The display name of the owner of the S3 bucket.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The user associated with the IAM access key related to a finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The status of the IAM access key related to a finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The creation date/time of the IAM access key related to a finding.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The name of the container related to a finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The identifier of the image related to a finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The name of the image related to a finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The date/time that the container was started.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The details of a resource that doesn't have a specific subfield for the resource type defined.
The map filter for querying findings.
The key of the map filter.
The value for the key in the map filter.
The condition to apply to a key value when querying for findings with a map filter.
Exclusive to findings that are generated as the result of a check run against a specific rule in a supported standard (for example, CIS AWS Foundations). Contains compliance-related finding details.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The veracity of a finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The workflow state of a finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The updated record state for the finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The ARN of the solution that generated a related finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The solution-generated identifier for a related finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The text of a note.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The timestamp of when the note was updated.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The principal that created a note.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
A keyword for a finding.
A keyword filter for querying findings.
A value for the keyword.
The updated note for the finding.
The updated note text.
The principal that updated the note.
dict
Response Syntax
{}
Response Structure
Updates the Security Hub insight that the insight ARN specifies.
See also: AWS API Documentation
Request Syntax
response = client.update_insight(
InsightArn='string',
Name='string',
Filters={
'ProductArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'AwsAccountId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'Id': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'GeneratorId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'Type': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'FirstObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'LastObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'CreatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'UpdatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'SeverityProduct': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'SeverityNormalized': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'SeverityLabel': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'Confidence': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'Criticality': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'Title': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'Description': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'RecommendationText': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'SourceUrl': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ProductFields': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'
},
],
'ProductName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'CompanyName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'UserDefinedFields': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'
},
],
'MalwareName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'MalwareType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'MalwarePath': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'MalwareState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'NetworkDirection': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'NetworkProtocol': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'NetworkSourceIpV4': [
{
'Cidr': 'string'
},
],
'NetworkSourceIpV6': [
{
'Cidr': 'string'
},
],
'NetworkSourcePort': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'NetworkSourceDomain': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'NetworkSourceMac': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'NetworkDestinationIpV4': [
{
'Cidr': 'string'
},
],
'NetworkDestinationIpV6': [
{
'Cidr': 'string'
},
],
'NetworkDestinationPort': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'NetworkDestinationDomain': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ProcessName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ProcessPath': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ProcessPid': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'ProcessParentPid': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'ProcessLaunchedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ProcessTerminatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ThreatIntelIndicatorType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ThreatIntelIndicatorValue': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ThreatIntelIndicatorCategory': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ThreatIntelIndicatorLastObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ThreatIntelIndicatorSource': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ThreatIntelIndicatorSourceUrl': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourcePartition': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceRegion': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceTags': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'
},
],
'ResourceAwsEc2InstanceType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceImageId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceIpV4Addresses': [
{
'Cidr': 'string'
},
],
'ResourceAwsEc2InstanceIpV6Addresses': [
{
'Cidr': 'string'
},
],
'ResourceAwsEc2InstanceKeyName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceIamInstanceProfileArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceVpcId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceSubnetId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceLaunchedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ResourceAwsS3BucketOwnerId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceAwsS3BucketOwnerName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceAwsIamAccessKeyUserName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceAwsIamAccessKeyStatus': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceAwsIamAccessKeyCreatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ResourceContainerName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceContainerImageId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceContainerImageName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceContainerLaunchedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ResourceDetailsOther': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'
},
],
'ComplianceStatus': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'VerificationState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'WorkflowState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'RecordState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'RelatedFindingsProductArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'RelatedFindingsId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'NoteText': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'NoteUpdatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'NoteUpdatedBy': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'Keyword': [
{
'Value': 'string'
},
]
},
GroupByAttribute='string'
)
[REQUIRED]
The ARN of the insight that you want to update.
The updated filters that define this insight.
The ARN generated by Security Hub that uniquely identifies a third-party company (security findings provider) after this provider's product (solution that generates findings) is registered with Security Hub.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The AWS account ID that a finding is generated in.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The security findings provider-specific identifier for a finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The identifier for the solution-specific component (a discrete unit of logic) that generated a finding. In various security-findings providers' solutions, this generator can be called a rule, a check, a detector, a plug-in, etc.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
A finding type in the format of namespace/category/classifier that classifies a finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
An ISO8601-formatted timestamp that indicates when the security-findings provider first observed the potential security issue that a finding captured.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
An ISO8601-formatted timestamp that indicates when the security-findings provider most recently observed the potential security issue that a finding captured.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
An ISO8601-formatted timestamp that indicates when the security-findings provider captured the potential security issue that a finding captured.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
An ISO8601-formatted timestamp that indicates when the security-findings provider last updated the finding record.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The native severity as defined by the security-findings provider's solution that generated the finding.
A number filter for querying findings.
The greater-than-equal condition to be applied to a single field when querying for findings.
The less-than-equal condition to be applied to a single field when querying for findings.
The equal-to condition to be applied to a single field when querying for findings.
The normalized severity of a finding.
A number filter for querying findings.
The greater-than-equal condition to be applied to a single field when querying for findings.
The less-than-equal condition to be applied to a single field when querying for findings.
The equal-to condition to be applied to a single field when querying for findings.
The label of a finding's severity.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
A finding's confidence. Confidence is defined as the likelihood that a finding accurately identifies the behavior or issue that it was intended to identify. Confidence is scored on a 0-100 basis using a ratio scale, where 0 means zero percent confidence and 100 means 100 percent confidence.
A number filter for querying findings.
The greater-than-equal condition to be applied to a single field when querying for findings.
The less-than-equal condition to be applied to a single field when querying for findings.
The equal-to condition to be applied to a single field when querying for findings.
The level of importance assigned to the resources associated with the finding. A score of 0 means that the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources.
A number filter for querying findings.
The greater-than-equal condition to be applied to a single field when querying for findings.
The less-than-equal condition to be applied to a single field when querying for findings.
The equal-to condition to be applied to a single field when querying for findings.
A finding's title.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
A finding's description.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The recommendation of what to do about the issue described in a finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
A URL that links to a page about the current finding in the security-findings provider's solution.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
A data type where security-findings providers can include additional solution-specific details that aren't part of the defined AwsSecurityFinding format.
The map filter for querying findings.
The key of the map filter.
The value for the key in the map filter.
The condition to apply to a key value when querying for findings with a map filter.
The name of the solution (product) that generates findings.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The name of the findings provider (company) that owns the solution (product) that generates findings.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
A list of name/value string pairs associated with the finding. These are custom, user-defined fields added to a finding.
The map filter for querying findings.
The key of the map filter.
The value for the key in the map filter.
The condition to apply to a key value when querying for findings with a map filter.
The name of the malware that was observed.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The type of the malware that was observed.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The filesystem path of the malware that was observed.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The state of the malware that was observed.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
Indicates the direction of network traffic associated with a finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The protocol of network-related information about a finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The source IPv4 address of network-related information about a finding.
The IP filter for querying findings.
A finding's CIDR value.
The source IPv6 address of network-related information about a finding.
The IP filter for querying findings.
A finding's CIDR value.
The source port of network-related information about a finding.
A number filter for querying findings.
The greater-than-equal condition to be applied to a single field when querying for findings.
The less-than-equal condition to be applied to a single field when querying for findings.
The equal-to condition to be applied to a single field when querying for findings.
The source domain of network-related information about a finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The source media access control (MAC) address of network-related information about a finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The destination IPv4 address of network-related information about a finding.
The IP filter for querying findings.
A finding's CIDR value.
The destination IPv6 address of network-related information about a finding.
The IP filter for querying findings.
A finding's CIDR value.
The destination port of network-related information about a finding.
A number filter for querying findings.
The greater-than-equal condition to be applied to a single field when querying for findings.
The less-than-equal condition to be applied to a single field when querying for findings.
The equal-to condition to be applied to a single field when querying for findings.
The destination domain of network-related information about a finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The name of the process.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The path to the process executable.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The process ID.
A number filter for querying findings.
The greater-than-equal condition to be applied to a single field when querying for findings.
The less-than-equal condition to be applied to a single field when querying for findings.
The equal-to condition to be applied to a single field when querying for findings.
The parent process ID.
A number filter for querying findings.
The greater-than-equal condition to be applied to a single field when querying for findings.
The less-than-equal condition to be applied to a single field when querying for findings.
The equal-to condition to be applied to a single field when querying for findings.
The date/time that the process was launched.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The date/time that the process was terminated.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The type of a threat intel indicator.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The value of a threat intel indicator.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The category of a threat intel indicator.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The date/time of the last observation of a threat intel indicator.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The source of the threat intel.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The URL for more details from the source of the threat intel.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
Specifies the type of the resource that details are provided for.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The canonical identifier for the given resource type.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The canonical AWS partition name that the Region is assigned to.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The canonical AWS external Region name where this resource is located.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
A list of AWS tags associated with a resource at the time the finding was processed.
The map filter for querying findings.
The key of the map filter.
The value for the key in the map filter.
The condition to apply to a key value when querying for findings with a map filter.
The instance type of the instance.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The Amazon Machine Image (AMI) ID of the instance.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The IPv4 addresses associated with the instance.
The IP filter for querying findings.
A finding's CIDR value.
The IPv6 addresses associated with the instance.
The IP filter for querying findings.
A finding's CIDR value.
The key name associated with the instance.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The IAM profile ARN of the instance.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The identifier of the VPC that the instance was launched in.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The identifier of the subnet that the instance was launched in.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The date/time the instance was launched.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The canonical user ID of the owner of the S3 bucket.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The display name of the owner of the S3 bucket.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The user associated with the IAM access key related to a finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The status of the IAM access key related to a finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The creation date/time of the IAM access key related to a finding.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The name of the container related to a finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The identifier of the image related to a finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The name of the image related to a finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The date/time that the container was started.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The details of a resource that doesn't have a specific subfield for the resource type defined.
The map filter for querying findings.
The key of the map filter.
The value for the key in the map filter.
The condition to apply to a key value when querying for findings with a map filter.
Exclusive to findings that are generated as the result of a check run against a specific rule in a supported standard (for example, CIS AWS Foundations). Contains compliance-related finding details.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The veracity of a finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The workflow state of a finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The updated record state for the finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The ARN of the solution that generated a related finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The solution-generated identifier for a related finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The text of a note.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The timestamp of when the note was updated.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The principal that created a note.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
A keyword for a finding.
A keyword filter for querying findings.
A value for the keyword.
dict
Response Syntax
{}
Response Structure
The available paginators are:
paginator = client.get_paginator('get_enabled_standards')
Creates an iterator that will paginate through responses from SecurityHub.Client.get_enabled_standards().
See also: AWS API Documentation
Request Syntax
response_iterator = paginator.paginate(
StandardsSubscriptionArns=[
'string',
],
PaginationConfig={
'MaxItems': 123,
'PageSize': 123,
'StartingToken': 'string'
}
)
A list of the standards subscription ARNs for the standards to retrieve.
A dictionary that provides parameters to control pagination.
The total number of items to return. If the total number of items available is more than the value specified in max-items then a NextToken will be provided in the output that you can use to resume pagination.
The size of each page.
A token to specify where to start paginating. This is the NextToken from a previous response.
dict
Response Syntax
{
'StandardsSubscriptions': [
{
'StandardsSubscriptionArn': 'string',
'StandardsArn': 'string',
'StandardsInput': {
'string': 'string'
},
'StandardsStatus': 'PENDING'|'READY'|'FAILED'|'DELETING'|'INCOMPLETE'
},
],
}
Response Structure
(dict) --
StandardsSubscriptions (list) --
A list of StandardsSubscriptions objects that include information about the enabled standards.
(dict) --
A resource that represents your subscription to a supported standard.
StandardsSubscriptionArn (string) --
The ARN of a resource that represents your subscription to a supported standard.
StandardsArn (string) --
The ARN of a standard.
In this release, Security Hub supports only the CIS AWS Foundations standard, which uses the following ARN: arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0.
StandardsInput (dict) --
A key-value pair of input for the standard.
StandardsStatus (string) --
The status of the standards subscription.
paginator = client.get_paginator('get_findings')
Creates an iterator that will paginate through responses from SecurityHub.Client.get_findings().
See also: AWS API Documentation
Request Syntax
response_iterator = paginator.paginate(
Filters={
'ProductArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'AwsAccountId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'Id': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'GeneratorId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'Type': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'FirstObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'LastObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'CreatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'UpdatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'SeverityProduct': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'SeverityNormalized': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'SeverityLabel': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'Confidence': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'Criticality': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'Title': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'Description': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'RecommendationText': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'SourceUrl': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ProductFields': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'
},
],
'ProductName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'CompanyName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'UserDefinedFields': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'
},
],
'MalwareName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'MalwareType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'MalwarePath': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'MalwareState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'NetworkDirection': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'NetworkProtocol': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'NetworkSourceIpV4': [
{
'Cidr': 'string'
},
],
'NetworkSourceIpV6': [
{
'Cidr': 'string'
},
],
'NetworkSourcePort': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'NetworkSourceDomain': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'NetworkSourceMac': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'NetworkDestinationIpV4': [
{
'Cidr': 'string'
},
],
'NetworkDestinationIpV6': [
{
'Cidr': 'string'
},
],
'NetworkDestinationPort': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'NetworkDestinationDomain': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ProcessName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ProcessPath': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ProcessPid': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'ProcessParentPid': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'ProcessLaunchedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ProcessTerminatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ThreatIntelIndicatorType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ThreatIntelIndicatorValue': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ThreatIntelIndicatorCategory': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ThreatIntelIndicatorLastObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ThreatIntelIndicatorSource': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ThreatIntelIndicatorSourceUrl': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourcePartition': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceRegion': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceTags': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'
},
],
'ResourceAwsEc2InstanceType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceImageId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceIpV4Addresses': [
{
'Cidr': 'string'
},
],
'ResourceAwsEc2InstanceIpV6Addresses': [
{
'Cidr': 'string'
},
],
'ResourceAwsEc2InstanceKeyName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceIamInstanceProfileArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceVpcId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceSubnetId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceLaunchedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ResourceAwsS3BucketOwnerId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceAwsS3BucketOwnerName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceAwsIamAccessKeyUserName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceAwsIamAccessKeyStatus': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceAwsIamAccessKeyCreatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ResourceContainerName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceContainerImageId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceContainerImageName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceContainerLaunchedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ResourceDetailsOther': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'
},
],
'ComplianceStatus': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'VerificationState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'WorkflowState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'RecordState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'RelatedFindingsProductArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'RelatedFindingsId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'NoteText': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'NoteUpdatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'NoteUpdatedBy': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'Keyword': [
{
'Value': 'string'
},
]
},
SortCriteria=[
{
'Field': 'string',
'SortOrder': 'asc'|'desc'
},
],
PaginationConfig={
'MaxItems': 123,
'PageSize': 123,
'StartingToken': 'string'
}
)
The findings attributes used to define a condition to filter the findings returned.
The ARN generated by Security Hub that uniquely identifies a third-party company (security findings provider) after this provider's product (solution that generates findings) is registered with Security Hub.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The AWS account ID that a finding is generated in.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The security findings provider-specific identifier for a finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The identifier for the solution-specific component (a discrete unit of logic) that generated a finding. In various security-findings providers' solutions, this generator can be called a rule, a check, a detector, a plug-in, etc.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
A finding type in the format of namespace/category/classifier that classifies a finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
An ISO8601-formatted timestamp that indicates when the security-findings provider first observed the potential security issue that a finding captured.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
An ISO8601-formatted timestamp that indicates when the security-findings provider most recently observed the potential security issue that a finding captured.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
An ISO8601-formatted timestamp that indicates when the security-findings provider captured the potential security issue that a finding captured.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
An ISO8601-formatted timestamp that indicates when the security-findings provider last updated the finding record.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The native severity as defined by the security-findings provider's solution that generated the finding.
A number filter for querying findings.
The greater-than-equal condition to be applied to a single field when querying for findings.
The less-than-equal condition to be applied to a single field when querying for findings.
The equal-to condition to be applied to a single field when querying for findings.
The normalized severity of a finding.
A number filter for querying findings.
The greater-than-equal condition to be applied to a single field when querying for findings.
The less-than-equal condition to be applied to a single field when querying for findings.
The equal-to condition to be applied to a single field when querying for findings.
The label of a finding's severity.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
A finding's confidence. Confidence is defined as the likelihood that a finding accurately identifies the behavior or issue that it was intended to identify. Confidence is scored on a 0-100 basis using a ratio scale, where 0 means zero percent confidence and 100 means 100 percent confidence.
A number filter for querying findings.
The greater-than-equal condition to be applied to a single field when querying for findings.
The less-than-equal condition to be applied to a single field when querying for findings.
The equal-to condition to be applied to a single field when querying for findings.
The level of importance assigned to the resources associated with the finding. A score of 0 means that the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources.
A number filter for querying findings.
The greater-than-equal condition to be applied to a single field when querying for findings.
The less-than-equal condition to be applied to a single field when querying for findings.
The equal-to condition to be applied to a single field when querying for findings.
A finding's title.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
A finding's description.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The recommendation of what to do about the issue described in a finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
A URL that links to a page about the current finding in the security-findings provider's solution.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
A data type where security-findings providers can include additional solution-specific details that aren't part of the defined AwsSecurityFinding format.
The map filter for querying findings.
The key of the map filter.
The value for the key in the map filter.
The condition to apply to a key value when querying for findings with a map filter.
The name of the solution (product) that generates findings.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The name of the findings provider (company) that owns the solution (product) that generates findings.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
A list of name/value string pairs associated with the finding. These are custom, user-defined fields added to a finding.
The map filter for querying findings.
The key of the map filter.
The value for the key in the map filter.
The condition to apply to a key value when querying for findings with a map filter.
The name of the malware that was observed.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The type of the malware that was observed.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The filesystem path of the malware that was observed.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The state of the malware that was observed.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
Indicates the direction of network traffic associated with a finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The protocol of network-related information about a finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The source IPv4 address of network-related information about a finding.
The IP filter for querying findings.
A finding's CIDR value.
The source IPv6 address of network-related information about a finding.
The IP filter for querying findings.
A finding's CIDR value.
The source port of network-related information about a finding.
A number filter for querying findings.
The greater-than-equal condition to be applied to a single field when querying for findings.
The less-than-equal condition to be applied to a single field when querying for findings.
The equal-to condition to be applied to a single field when querying for findings.
The source domain of network-related information about a finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The source media access control (MAC) address of network-related information about a finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The destination IPv4 address of network-related information about a finding.
The IP filter for querying findings.
A finding's CIDR value.
The destination IPv6 address of network-related information about a finding.
The IP filter for querying findings.
A finding's CIDR value.
The destination port of network-related information about a finding.
A number filter for querying findings.
The greater-than-equal condition to be applied to a single field when querying for findings.
The less-than-equal condition to be applied to a single field when querying for findings.
The equal-to condition to be applied to a single field when querying for findings.
The destination domain of network-related information about a finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The name of the process.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The path to the process executable.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The process ID.
A number filter for querying findings.
The greater-than-equal condition to be applied to a single field when querying for findings.
The less-than-equal condition to be applied to a single field when querying for findings.
The equal-to condition to be applied to a single field when querying for findings.
The parent process ID.
A number filter for querying findings.
The greater-than-equal condition to be applied to a single field when querying for findings.
The less-than-equal condition to be applied to a single field when querying for findings.
The equal-to condition to be applied to a single field when querying for findings.
The date/time that the process was launched.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The date/time that the process was terminated.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The type of a threat intel indicator.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The value of a threat intel indicator.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The category of a threat intel indicator.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The date/time of the last observation of a threat intel indicator.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The source of the threat intel.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The URL for more details from the source of the threat intel.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
Specifies the type of the resource that details are provided for.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The canonical identifier for the given resource type.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The canonical AWS partition name that the Region is assigned to.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The canonical AWS external Region name where this resource is located.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
A list of AWS tags associated with a resource at the time the finding was processed.
The map filter for querying findings.
The key of the map filter.
The value for the key in the map filter.
The condition to apply to a key value when querying for findings with a map filter.
The instance type of the instance.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The Amazon Machine Image (AMI) ID of the instance.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The IPv4 addresses associated with the instance.
The IP filter for querying findings.
A finding's CIDR value.
The IPv6 addresses associated with the instance.
The IP filter for querying findings.
A finding's CIDR value.
The key name associated with the instance.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The IAM profile ARN of the instance.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The identifier of the VPC that the instance was launched in.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The identifier of the subnet that the instance was launched in.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The date/time the instance was launched.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The canonical user ID of the owner of the S3 bucket.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The display name of the owner of the S3 bucket.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The user associated with the IAM access key related to a finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The status of the IAM access key related to a finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The creation date/time of the IAM access key related to a finding.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The name of the container related to a finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The identifier of the image related to a finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The name of the image related to a finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The date/time that the container was started.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The details of a resource that doesn't have a specific subfield for the resource type defined.
The map filter for querying findings.
The key of the map filter.
The value for the key in the map filter.
The condition to apply to a key value when querying for findings with a map filter.
Exclusive to findings that are generated as the result of a check run against a specific rule in a supported standard (for example, CIS AWS Foundations). Contains compliance-related finding details.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The veracity of a finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The workflow state of a finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The updated record state for the finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The ARN of the solution that generated a related finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The solution-generated identifier for a related finding.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The text of a note.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
The timestamp of when the note was updated.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The principal that created a note.
A string filter for querying findings.
The string filter value.
The condition to be applied to a string value when querying for findings.
A keyword for a finding.
A keyword filter for querying findings.
A value for the keyword.
Findings attributes used to sort the list of findings returned.
A collection of finding attributes used to sort findings.
The finding attribute used to sort findings.
The order used to sort findings.
A dictionary that provides parameters to control pagination.
The total number of items to return. If the total number of items available is more than the value specified in max-items then a NextToken will be provided in the output that you can use to resume pagination.
The size of each page.
A token to specify where to start paginating. This is the NextToken from a previous response.
dict
Response Syntax
{
'Findings': [
{
'SchemaVersion': 'string',
'Id': 'string',
'ProductArn': 'string',
'GeneratorId': 'string',
'AwsAccountId': 'string',
'Types': [
'string',
],
'FirstObservedAt': 'string',
'LastObservedAt': 'string',
'CreatedAt': 'string',
'UpdatedAt': 'string',
'Severity': {
'Product': 123.0,
'Normalized': 123
},
'Confidence': 123,
'Criticality': 123,
'Title': 'string',
'Description': 'string',
'Remediation': {
'Recommendation': {
'Text': 'string',
'Url': 'string'
}
},
'SourceUrl': 'string',
'ProductFields': {
'string': 'string'
},
'UserDefinedFields': {
'string': 'string'
},
'Malware': [
{
'Name': 'string',
'Type': 'ADWARE'|'BLENDED_THREAT'|'BOTNET_AGENT'|'COIN_MINER'|'EXPLOIT_KIT'|'KEYLOGGER'|'MACRO'|'POTENTIALLY_UNWANTED'|'SPYWARE'|'RANSOMWARE'|'REMOTE_ACCESS'|'ROOTKIT'|'TROJAN'|'VIRUS'|'WORM',
'Path': 'string',
'State': 'OBSERVED'|'REMOVAL_FAILED'|'REMOVED'
},
],
'Network': {
'Direction': 'IN'|'OUT',
'Protocol': 'string',
'SourceIpV4': 'string',
'SourceIpV6': 'string',
'SourcePort': 123,
'SourceDomain': 'string',
'SourceMac': 'string',
'DestinationIpV4': 'string',
'DestinationIpV6': 'string',
'DestinationPort': 123,
'DestinationDomain': 'string'
},
'Process': {
'Name': 'string',
'Path': 'string',
'Pid': 123,
'ParentPid': 123,
'LaunchedAt': 'string',
'TerminatedAt': 'string'
},
'ThreatIntelIndicators': [
{
'Type': 'DOMAIN'|'EMAIL_ADDRESS'|'HASH_MD5'|'HASH_SHA1'|'HASH_SHA256'|'HASH_SHA512'|'IPV4_ADDRESS'|'IPV6_ADDRESS'|'MUTEX'|'PROCESS'|'URL',
'Value': 'string',
'Category': 'BACKDOOR'|'CARD_STEALER'|'COMMAND_AND_CONTROL'|'DROP_SITE'|'EXPLOIT_SITE'|'KEYLOGGER',
'LastObservedAt': 'string',
'Source': 'string',
'SourceUrl': 'string'
},
],
'Resources': [
{
'Type': 'string',
'Id': 'string',
'Partition': 'aws'|'aws-cn'|'aws-us-gov',
'Region': 'string',
'Tags': {
'string': 'string'
},
'Details': {
'AwsEc2Instance': {
'Type': 'string',
'ImageId': 'string',
'IpV4Addresses': [
'string',
],
'IpV6Addresses': [
'string',
],
'KeyName': 'string',
'IamInstanceProfileArn': 'string',
'VpcId': 'string',
'SubnetId': 'string',
'LaunchedAt': 'string'
},
'AwsS3Bucket': {
'OwnerId': 'string',
'OwnerName': 'string'
},
'AwsIamAccessKey': {
'UserName': 'string',
'Status': 'Active'|'Inactive',
'CreatedAt': 'string'
},
'Container': {
'Name': 'string',
'ImageId': 'string',
'ImageName': 'string',
'LaunchedAt': 'string'
},
'Other': {
'string': 'string'
}
}
},
],
'Compliance': {
'Status': 'PASSED'|'WARNING'|'FAILED'|'NOT_AVAILABLE'
},
'VerificationState': 'UNKNOWN'|'TRUE_POSITIVE'|'FALSE_POSITIVE'|'BENIGN_POSITIVE',
'WorkflowState': 'NEW'|'ASSIGNED'|'IN_PROGRESS'|'DEFERRED'|'RESOLVED',
'RecordState': 'ACTIVE'|'ARCHIVED',
'RelatedFindings': [
{
'ProductArn': 'string',
'Id': 'string'
},
],
'Note': {
'Text': 'string',
'UpdatedBy': 'string',
'UpdatedAt': 'string'
}
},
],
}
Response Structure
(dict) --
Findings (list) --
The findings that matched the filters specified in the request.
(dict) --
Provides consistent format for the contents of the Security Hub-aggregated findings. AwsSecurityFinding format enables you to share findings between AWS security services and third-party solutions, and compliance checks.
Note
A finding is a potential security issue generated either by AWS services (Amazon GuardDuty, Amazon Inspector, and Amazon Macie) or by the integrated third-party solutions and compliance checks.
SchemaVersion (string) --
The schema version that a finding is formatted for.
Id (string) --
The security findings provider-specific identifier for a finding.
ProductArn (string) --
The ARN generated by Security Hub that uniquely identifies a third-party company (security-findings provider) after this provider's product (solution that generates findings) is registered with Security Hub.
GeneratorId (string) --
The identifier for the solution-specific component (a discrete unit of logic) that generated a finding. In various security-findings providers' solutions, this generator can be called a rule, a check, a detector, a plug-in, etc.
AwsAccountId (string) --
The AWS account ID that a finding is generated in.
Types (list) --
One or more finding types in the format of namespace/category/classifier that classify a finding.
Valid namespace values are: Software and Configuration Checks | TTPs | Effects | Unusual Behaviors | Sensitive Data Identifications
FirstObservedAt (string) --
An ISO8601-formatted timestamp that indicates when the security-findings provider first observed the potential security issue that a finding captured.
LastObservedAt (string) --
An ISO8601-formatted timestamp that indicates when the security-findings provider most recently observed the potential security issue that a finding captured.
CreatedAt (string) --
An ISO8601-formatted timestamp that indicates when the security-findings provider created the potential security issue that a finding captured.
UpdatedAt (string) --
An ISO8601-formatted timestamp that indicates when the security-findings provider last updated the finding record.
Severity (dict) --
A finding's severity.
Product (float) --
The native severity as defined by the AWS service or integrated partner product that generated the finding.
Normalized (integer) --
The normalized severity of a finding.
Confidence (integer) --
A finding's confidence. Confidence is defined as the likelihood that a finding accurately identifies the behavior or issue that it was intended to identify. Confidence is scored on a 0-100 basis using a ratio scale, where 0 means zero percent confidence and 100 means 100 percent confidence.
Criticality (integer) --
The level of importance assigned to the resources associated with the finding. A score of 0 means that the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources.
Title (string) --
A finding's title.
Note
In this release, Title is a required property.
Description (string) --
A finding's description.
Note
In this release, Description is a required property.
Remediation (dict) --
A data type that describes the remediation options for a finding.
Recommendation (dict) --
A recommendation on the steps to take to remediate the issue identified by a finding.
Text (string) --
Describes the recommended steps to take to remediate an issue identified in a finding.
Url (string) --
A URL to a page or site that contains information about how to remediate a finding.
SourceUrl (string) --
A URL that links to a page about the current finding in the security-findings provider's solution.
ProductFields (dict) --
A data type where security-findings providers can include additional solution-specific details that aren't part of the defined AwsSecurityFinding format.
UserDefinedFields (dict) --
A list of name/value string pairs associated with the finding. These are custom, user-defined fields added to a finding.
Malware (list) --
A list of malware related to a finding.
(dict) --
A list of malware related to a finding.
Name (string) --
The name of the malware that was observed.
Type (string) --
The type of the malware that was observed.
Path (string) --
The file system path of the malware that was observed.
State (string) --
The state of the malware that was observed.
Network (dict) --
The details of network-related information about a finding.
Direction (string) --
The direction of network traffic associated with a finding.
Protocol (string) --
The protocol of network-related information about a finding.
SourceIpV4 (string) --
The source IPv4 address of network-related information about a finding.
SourceIpV6 (string) --
The source IPv6 address of network-related information about a finding.
SourcePort (integer) --
The source port of network-related information about a finding.
SourceDomain (string) --
The source domain of network-related information about a finding.
SourceMac (string) --
The source media access control (MAC) address of network-related information about a finding.
DestinationIpV4 (string) --
The destination IPv4 address of network-related information about a finding.
DestinationIpV6 (string) --
The destination IPv6 address of network-related information about a finding.
DestinationPort (integer) --
The destination port of network-related information about a finding.
DestinationDomain (string) --
The destination domain of network-related information about a finding.
Process (dict) --
The details of process-related information about a finding.
Name (string) --
The name of the process.
Path (string) --
The path to the process executable.
Pid (integer) --
The process ID.
ParentPid (integer) --
The parent process ID.
LaunchedAt (string) --
The date/time that the process was launched.
TerminatedAt (string) --
The date and time when the process was terminated.
ThreatIntelIndicators (list) --
Threat intel details related to a finding.
(dict) --
Details about the threat intel related to a finding.
Type (string) --
The type of a threat intel indicator.
Value (string) --
The value of a threat intel indicator.
Category (string) --
The category of a threat intel indicator.
LastObservedAt (string) --
The date and time when the most recent instance of a threat intel indicator was observed.
Source (string) --
The source of the threat intel indicator.
SourceUrl (string) --
The URL to the page or site where you can get more information about the threat intel indicator.
Resources (list) --
A set of resource data types that describe the resources that the finding refers to.
(dict) --
A resource related to a finding.
Type (string) --
The type of the resource that details are provided for.
Id (string) --
The canonical identifier for the given resource type.
Partition (string) --
The canonical AWS partition name that the Region is assigned to.
Region (string) --
The canonical AWS external Region name where this resource is located.
Tags (dict) --
A list of AWS tags associated with a resource at the time the finding was processed.
Details (dict) --
Additional details about the resource related to a finding.
AwsEc2Instance (dict) --
Details about an Amazon EC2 instance related to a finding.
Type (string) --
The instance type of the instance.
ImageId (string) --
The Amazon Machine Image (AMI) ID of the instance.
IpV4Addresses (list) --
The IPv4 addresses associated with the instance.
IpV6Addresses (list) --
The IPv6 addresses associated with the instance.
KeyName (string) --
The key name associated with the instance.
IamInstanceProfileArn (string) --
The IAM profile ARN of the instance.
VpcId (string) --
The identifier of the VPC that the instance was launched in.
SubnetId (string) --
The identifier of the subnet that the instance was launched in.
LaunchedAt (string) --
The date/time the instance was launched.
AwsS3Bucket (dict) --
Details about an Amazon S3 Bucket related to a finding.
OwnerId (string) --
The canonical user ID of the owner of the S3 bucket.
OwnerName (string) --
The display name of the owner of the S3 bucket.
AwsIamAccessKey (dict) --
Details about an IAM access key related to a finding.
UserName (string) --
The user associated with the IAM access key related to a finding.
Status (string) --
The status of the IAM access key related to a finding.
CreatedAt (string) --
The creation date/time of the IAM access key related to a finding.
Container (dict) --
Details about a container resource related to a finding.
Name (string) --
The name of the container related to a finding.
ImageId (string) --
The identifier of the image related to a finding.
ImageName (string) --
The name of the image related to a finding.
LaunchedAt (string) --
The date and time when the container started.
Other (dict) --
Details about a resource that doesn't have a specific type defined.
Compliance (dict) --
This data type is exclusive to findings that are generated as the result of a check run against a specific rule in a supported standard (for example, CIS AWS Foundations). Contains compliance-related finding details.
Status (string) --
The result of a compliance check.
VerificationState (string) --
Indicates the veracity of a finding.
WorkflowState (string) --
The workflow state of a finding.
RecordState (string) --
The record state of a finding.
RelatedFindings (list) --
A list of related findings.
(dict) --
Details about a related finding.
ProductArn (string) --
The ARN of the product that generated a related finding.
Id (string) --
The product-generated identifier for a related finding.
Note (dict) --
A user-defined note added to a finding.
Text (string) --
The text of a note.
UpdatedBy (string) --
The principal that created a note.
UpdatedAt (string) --
The timestamp of when the note was updated.
paginator = client.get_paginator('get_insights')
Creates an iterator that will paginate through responses from SecurityHub.Client.get_insights().
See also: AWS API Documentation
Request Syntax
response_iterator = paginator.paginate(
InsightArns=[
'string',
],
PaginationConfig={
'MaxItems': 123,
'PageSize': 123,
'StartingToken': 'string'
}
)
The ARNs of the insights that you want to describe.
A dictionary that provides parameters to control pagination.
The total number of items to return. If the total number of items available is more than the value specified in max-items then a NextToken will be provided in the output that you can use to resume pagination.
The size of each page.
A token to specify where to start paginating. This is the NextToken from a previous response.
dict
Response Syntax
{
'Insights': [
{
'InsightArn': 'string',
'Name': 'string',
'Filters': {
'ProductArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'AwsAccountId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'Id': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'GeneratorId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'Type': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'FirstObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'LastObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'CreatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'UpdatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'SeverityProduct': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'SeverityNormalized': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'SeverityLabel': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'Confidence': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'Criticality': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'Title': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'Description': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'RecommendationText': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'SourceUrl': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ProductFields': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'
},
],
'ProductName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'CompanyName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'UserDefinedFields': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'
},
],
'MalwareName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'MalwareType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'MalwarePath': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'MalwareState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'NetworkDirection': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'NetworkProtocol': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'NetworkSourceIpV4': [
{
'Cidr': 'string'
},
],
'NetworkSourceIpV6': [
{
'Cidr': 'string'
},
],
'NetworkSourcePort': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'NetworkSourceDomain': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'NetworkSourceMac': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'NetworkDestinationIpV4': [
{
'Cidr': 'string'
},
],
'NetworkDestinationIpV6': [
{
'Cidr': 'string'
},
],
'NetworkDestinationPort': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'NetworkDestinationDomain': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ProcessName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ProcessPath': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ProcessPid': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'ProcessParentPid': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'ProcessLaunchedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ProcessTerminatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ThreatIntelIndicatorType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ThreatIntelIndicatorValue': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ThreatIntelIndicatorCategory': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ThreatIntelIndicatorLastObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ThreatIntelIndicatorSource': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ThreatIntelIndicatorSourceUrl': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourcePartition': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceRegion': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceTags': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'
},
],
'ResourceAwsEc2InstanceType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceImageId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceIpV4Addresses': [
{
'Cidr': 'string'
},
],
'ResourceAwsEc2InstanceIpV6Addresses': [
{
'Cidr': 'string'
},
],
'ResourceAwsEc2InstanceKeyName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceIamInstanceProfileArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceVpcId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceSubnetId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceLaunchedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ResourceAwsS3BucketOwnerId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceAwsS3BucketOwnerName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceAwsIamAccessKeyUserName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceAwsIamAccessKeyStatus': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceAwsIamAccessKeyCreatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ResourceContainerName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceContainerImageId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceContainerImageName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'ResourceContainerLaunchedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ResourceDetailsOther': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'EQUALS'
},
],
'ComplianceStatus': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'VerificationState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'WorkflowState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'RecordState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'RelatedFindingsProductArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'RelatedFindingsId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'NoteText': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'NoteUpdatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'NoteUpdatedBy': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'PREFIX'
},
],
'Keyword': [
{
'Value': 'string'
},
]
},
'GroupByAttribute': 'string'
},
],
}
Response Structure
(dict) --
Insights (list) --
The insights returned by the operation.
(dict) --
Contains information about a Security Hub insight.
InsightArn (string) --
The ARN of a Security Hub insight.
Name (string) --
The name of a Security Hub insight.
Filters (dict) --
One or more attributes used to filter the findings included in the insight. Only findings that match the criteria defined in the filters are included in the insight.
ProductArn (list) --
The ARN generated by Security Hub that uniquely identifies a third-party company (security findings provider) after this provider's product (solution that generates findings) is registered with Security Hub.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
AwsAccountId (list) --
The AWS account ID that a finding is generated in.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
Id (list) --
The security findings provider-specific identifier for a finding.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
GeneratorId (list) --
The identifier for the solution-specific component (a discrete unit of logic) that generated a finding. In various security-findings providers' solutions, this generator can be called a rule, a check, a detector, a plug-in, etc.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
Type (list) --
A finding type in the format of namespace/category/classifier that classifies a finding.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
FirstObservedAt (list) --
An ISO8601-formatted timestamp that indicates when the security-findings provider first observed the potential security issue that a finding captured.
(dict) --
A date filter for querying findings.
Start (string) --
A start date for the date filter.
End (string) --
An end date for the date filter.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
LastObservedAt (list) --
An ISO8601-formatted timestamp that indicates when the security-findings provider most recently observed the potential security issue that a finding captured.
(dict) --
A date filter for querying findings.
Start (string) --
A start date for the date filter.
End (string) --
An end date for the date filter.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
CreatedAt (list) --
An ISO8601-formatted timestamp that indicates when the security-findings provider captured the potential security issue that a finding captured.
(dict) --
A date filter for querying findings.
Start (string) --
A start date for the date filter.
End (string) --
An end date for the date filter.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
UpdatedAt (list) --
An ISO8601-formatted timestamp that indicates when the security-findings provider last updated the finding record.
(dict) --
A date filter for querying findings.
Start (string) --
A start date for the date filter.
End (string) --
An end date for the date filter.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
SeverityProduct (list) --
The native severity as defined by the security-findings provider's solution that generated the finding.
(dict) --
A number filter for querying findings.
Gte (float) --
The greater-than-equal condition to be applied to a single field when querying for findings.
Lte (float) --
The less-than-equal condition to be applied to a single field when querying for findings.
Eq (float) --
The equal-to condition to be applied to a single field when querying for findings.
SeverityNormalized (list) --
The normalized severity of a finding.
(dict) --
A number filter for querying findings.
Gte (float) --
The greater-than-equal condition to be applied to a single field when querying for findings.
Lte (float) --
The less-than-equal condition to be applied to a single field when querying for findings.
Eq (float) --
The equal-to condition to be applied to a single field when querying for findings.
SeverityLabel (list) --
The label of a finding's severity.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
Confidence (list) --
A finding's confidence. Confidence is defined as the likelihood that a finding accurately identifies the behavior or issue that it was intended to identify. Confidence is scored on a 0-100 basis using a ratio scale, where 0 means zero percent confidence and 100 means 100 percent confidence.
(dict) --
A number filter for querying findings.
Gte (float) --
The greater-than-equal condition to be applied to a single field when querying for findings.
Lte (float) --
The less-than-equal condition to be applied to a single field when querying for findings.
Eq (float) --
The equal-to condition to be applied to a single field when querying for findings.
Criticality (list) --
The level of importance assigned to the resources associated with the finding. A score of 0 means that the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources.
(dict) --
A number filter for querying findings.
Gte (float) --
The greater-than-equal condition to be applied to a single field when querying for findings.
Lte (float) --
The less-than-equal condition to be applied to a single field when querying for findings.
Eq (float) --
The equal-to condition to be applied to a single field when querying for findings.
Title (list) --
A finding's title.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
Description (list) --
A finding's description.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
RecommendationText (list) --
The recommendation of what to do about the issue described in a finding.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
SourceUrl (list) --
A URL that links to a page about the current finding in the security-findings provider's solution.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
ProductFields (list) --
A data type where security-findings providers can include additional solution-specific details that aren't part of the defined AwsSecurityFinding format.
(dict) --
The map filter for querying findings.
Key (string) --
The key of the map filter.
Value (string) --
The value for the key in the map filter.
Comparison (string) --
The condition to apply to a key value when querying for findings with a map filter.
ProductName (list) --
The name of the solution (product) that generates findings.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
CompanyName (list) --
The name of the findings provider (company) that owns the solution (product) that generates findings.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
UserDefinedFields (list) --
A list of name/value string pairs associated with the finding. These are custom, user-defined fields added to a finding.
(dict) --
The map filter for querying findings.
Key (string) --
The key of the map filter.
Value (string) --
The value for the key in the map filter.
Comparison (string) --
The condition to apply to a key value when querying for findings with a map filter.
MalwareName (list) --
The name of the malware that was observed.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
MalwareType (list) --
The type of the malware that was observed.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
MalwarePath (list) --
The filesystem path of the malware that was observed.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
MalwareState (list) --
The state of the malware that was observed.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
NetworkDirection (list) --
Indicates the direction of network traffic associated with a finding.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
NetworkProtocol (list) --
The protocol of network-related information about a finding.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
NetworkSourceIpV4 (list) --
The source IPv4 address of network-related information about a finding.
(dict) --
The IP filter for querying findings.
Cidr (string) --
A finding's CIDR value.
NetworkSourceIpV6 (list) --
The source IPv6 address of network-related information about a finding.
(dict) --
The IP filter for querying findings.
Cidr (string) --
A finding's CIDR value.
NetworkSourcePort (list) --
The source port of network-related information about a finding.
(dict) --
A number filter for querying findings.
Gte (float) --
The greater-than-equal condition to be applied to a single field when querying for findings.
Lte (float) --
The less-than-equal condition to be applied to a single field when querying for findings.
Eq (float) --
The equal-to condition to be applied to a single field when querying for findings.
NetworkSourceDomain (list) --
The source domain of network-related information about a finding.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
NetworkSourceMac (list) --
The source media access control (MAC) address of network-related information about a finding.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
NetworkDestinationIpV4 (list) --
The destination IPv4 address of network-related information about a finding.
(dict) --
The IP filter for querying findings.
Cidr (string) --
A finding's CIDR value.
NetworkDestinationIpV6 (list) --
The destination IPv6 address of network-related information about a finding.
(dict) --
The IP filter for querying findings.
Cidr (string) --
A finding's CIDR value.
NetworkDestinationPort (list) --
The destination port of network-related information about a finding.
(dict) --
A number filter for querying findings.
Gte (float) --
The greater-than-equal condition to be applied to a single field when querying for findings.
Lte (float) --
The less-than-equal condition to be applied to a single field when querying for findings.
Eq (float) --
The equal-to condition to be applied to a single field when querying for findings.
NetworkDestinationDomain (list) --
The destination domain of network-related information about a finding.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
ProcessName (list) --
The name of the process.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
ProcessPath (list) --
The path to the process executable.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
ProcessPid (list) --
The process ID.
(dict) --
A number filter for querying findings.
Gte (float) --
The greater-than-equal condition to be applied to a single field when querying for findings.
Lte (float) --
The less-than-equal condition to be applied to a single field when querying for findings.
Eq (float) --
The equal-to condition to be applied to a single field when querying for findings.
ProcessParentPid (list) --
The parent process ID.
(dict) --
A number filter for querying findings.
Gte (float) --
The greater-than-equal condition to be applied to a single field when querying for findings.
Lte (float) --
The less-than-equal condition to be applied to a single field when querying for findings.
Eq (float) --
The equal-to condition to be applied to a single field when querying for findings.
ProcessLaunchedAt (list) --
The date/time that the process was launched.
(dict) --
A date filter for querying findings.
Start (string) --
A start date for the date filter.
End (string) --
An end date for the date filter.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
ProcessTerminatedAt (list) --
The date/time that the process was terminated.
(dict) --
A date filter for querying findings.
Start (string) --
A start date for the date filter.
End (string) --
An end date for the date filter.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
ThreatIntelIndicatorType (list) --
The type of a threat intel indicator.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
ThreatIntelIndicatorValue (list) --
The value of a threat intel indicator.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
ThreatIntelIndicatorCategory (list) --
The category of a threat intel indicator.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
ThreatIntelIndicatorLastObservedAt (list) --
The date/time of the last observation of a threat intel indicator.
(dict) --
A date filter for querying findings.
Start (string) --
A start date for the date filter.
End (string) --
An end date for the date filter.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
ThreatIntelIndicatorSource (list) --
The source of the threat intel.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
ThreatIntelIndicatorSourceUrl (list) --
The URL for more details from the source of the threat intel.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
ResourceType (list) --
Specifies the type of the resource that details are provided for.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
ResourceId (list) --
The canonical identifier for the given resource type.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
ResourcePartition (list) --
The canonical AWS partition name that the Region is assigned to.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
ResourceRegion (list) --
The canonical AWS external Region name where this resource is located.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
ResourceTags (list) --
A list of AWS tags associated with a resource at the time the finding was processed.
(dict) --
The map filter for querying findings.
Key (string) --
The key of the map filter.
Value (string) --
The value for the key in the map filter.
Comparison (string) --
The condition to apply to a key value when querying for findings with a map filter.
ResourceAwsEc2InstanceType (list) --
The instance type of the instance.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
ResourceAwsEc2InstanceImageId (list) --
The Amazon Machine Image (AMI) ID of the instance.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
ResourceAwsEc2InstanceIpV4Addresses (list) --
The IPv4 addresses associated with the instance.
(dict) --
The IP filter for querying findings.
Cidr (string) --
A finding's CIDR value.
ResourceAwsEc2InstanceIpV6Addresses (list) --
The IPv6 addresses associated with the instance.
(dict) --
The IP filter for querying findings.
Cidr (string) --
A finding's CIDR value.
ResourceAwsEc2InstanceKeyName (list) --
The key name associated with the instance.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
ResourceAwsEc2InstanceIamInstanceProfileArn (list) --
The IAM profile ARN of the instance.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
ResourceAwsEc2InstanceVpcId (list) --
The identifier of the VPC that the instance was launched in.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
ResourceAwsEc2InstanceSubnetId (list) --
The identifier of the subnet that the instance was launched in.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
ResourceAwsEc2InstanceLaunchedAt (list) --
The date/time the instance was launched.
(dict) --
A date filter for querying findings.
Start (string) --
A start date for the date filter.
End (string) --
An end date for the date filter.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
ResourceAwsS3BucketOwnerId (list) --
The canonical user ID of the owner of the S3 bucket.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
ResourceAwsS3BucketOwnerName (list) --
The display name of the owner of the S3 bucket.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
ResourceAwsIamAccessKeyUserName (list) --
The user associated with the IAM access key related to a finding.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
ResourceAwsIamAccessKeyStatus (list) --
The status of the IAM access key related to a finding.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
ResourceAwsIamAccessKeyCreatedAt (list) --
The creation date/time of the IAM access key related to a finding.
(dict) --
A date filter for querying findings.
Start (string) --
A start date for the date filter.
End (string) --
An end date for the date filter.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
ResourceContainerName (list) --
The name of the container related to a finding.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
ResourceContainerImageId (list) --
The identifier of the image related to a finding.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
ResourceContainerImageName (list) --
The name of the image related to a finding.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
ResourceContainerLaunchedAt (list) --
The date/time that the container was started.
(dict) --
A date filter for querying findings.
Start (string) --
A start date for the date filter.
End (string) --
An end date for the date filter.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
ResourceDetailsOther (list) --
The details of a resource that doesn't have a specific subfield for the resource type defined.
(dict) --
The map filter for querying findings.
Key (string) --
The key of the map filter.
Value (string) --
The value for the key in the map filter.
Comparison (string) --
The condition to apply to a key value when querying for findings with a map filter.
ComplianceStatus (list) --
Exclusive to findings that are generated as the result of a check run against a specific rule in a supported standard (for example, CIS AWS Foundations). Contains compliance-related finding details.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
VerificationState (list) --
The veracity of a finding.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
WorkflowState (list) --
The workflow state of a finding.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
RecordState (list) --
The updated record state for the finding.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
RelatedFindingsProductArn (list) --
The ARN of the solution that generated a related finding.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
RelatedFindingsId (list) --
The solution-generated identifier for a related finding.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
NoteText (list) --
The text of a note.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
NoteUpdatedAt (list) --
The timestamp of when the note was updated.
(dict) --
A date filter for querying findings.
Start (string) --
A start date for the date filter.
End (string) --
An end date for the date filter.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
NoteUpdatedBy (list) --
The principal that created a note.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
The condition to be applied to a string value when querying for findings.
Keyword (list) --
A keyword for a finding.
(dict) --
A keyword filter for querying findings.
Value (string) --
A value for the keyword.
GroupByAttribute (string) --
The attribute that the insight's findings are grouped by. This attribute is used as a findings aggregator for the purposes of viewing and managing multiple related findings under a single operand.
paginator = client.get_paginator('list_enabled_products_for_import')
Creates an iterator that will paginate through responses from SecurityHub.Client.list_enabled_products_for_import().
See also: AWS API Documentation
Request Syntax
response_iterator = paginator.paginate(
PaginationConfig={
'MaxItems': 123,
'PageSize': 123,
'StartingToken': 'string'
}
)
A dictionary that provides parameters to control pagination.
The total number of items to return. If the total number of items available is more than the value specified in max-items then a NextToken will be provided in the output that you can use to resume pagination.
The size of each page.
A token to specify where to start paginating. This is the NextToken from a previous response.
{
'ProductSubscriptions': [
'string',
],
}
Response Structure
A list of ARNs for the resources that represent your subscriptions to products.
paginator = client.get_paginator('list_invitations')
Creates an iterator that will paginate through responses from SecurityHub.Client.list_invitations().
See also: AWS API Documentation
Request Syntax
response_iterator = paginator.paginate(
PaginationConfig={
'MaxItems': 123,
'PageSize': 123,
'StartingToken': 'string'
}
)
A dictionary that provides parameters to control pagination.
The total number of items to return. If the total number of items available is more than the value specified in max-items then a NextToken will be provided in the output that you can use to resume pagination.
The size of each page.
A token to specify where to start paginating. This is the NextToken from a previous response.
{
'Invitations': [
{
'AccountId': 'string',
'InvitationId': 'string',
'InvitedAt': datetime(2015, 1, 1),
'MemberStatus': 'string'
},
],
}
Response Structure
The details of the invitations returned by the operation.
Details about an invitation.
The account ID of the Security Hub master account that the invitation was sent from.
The ID of the invitation sent to the member account.
The timestamp of when the invitation was sent.
The current status of the association between member and master accounts.
paginator = client.get_paginator('list_members')
Creates an iterator that will paginate through responses from SecurityHub.Client.list_members().
See also: AWS API Documentation
Request Syntax
response_iterator = paginator.paginate(
OnlyAssociated=True|False,
PaginationConfig={
'MaxItems': 123,
'PageSize': 123,
'StartingToken': 'string'
}
)
A dictionary that provides parameters to control pagination.
The total number of items to return. If the total number of items available is more than the value specified in max-items then a NextToken will be provided in the output that you can use to resume pagination.
The size of each page.
A token to specify where to start paginating. This is the NextToken from a previous response.
dict
Response Syntax
{
'Members': [
{
'AccountId': 'string',
'Email': 'string',
'MasterId': 'string',
'MemberStatus': 'string',
'InvitedAt': datetime(2015, 1, 1),
'UpdatedAt': datetime(2015, 1, 1)
},
],
}
Response Structure
(dict) --
Members (list) --
Member details returned by the operation.
(dict) --
The details about a member account.
AccountId (string) --
The AWS account ID of the member account.
Email (string) --
The email address of the member account.
MasterId (string) --
The AWS account ID of the Security Hub master account associated with this member account.
MemberStatus (string) --
The status of the relationship between the member account and its master account.
InvitedAt (datetime) --
A timestamp for the date and time when the invitation was sent to the member account.
UpdatedAt (datetime) --
The timestamp for the date and time when the member account was updated.