Table of Contents
A low-level client representing AWS SecurityHub:
import boto3
client = boto3.client('securityhub')
These are the available methods:
Accepts the invitation to be monitored by a master SecurityHub account.
See also: AWS API Documentation
Request Syntax
response = client.accept_invitation(
MasterId='string',
InvitationId='string'
)
dict
Response Syntax
{}
Response Structure
Disables the standards specified by the standards subscription ARNs. In the context of Security Hub, supported standards (for example, CIS AWS Foundations) are automated and continuous checks that help determine your compliance status against security industry (including AWS) best practices.
See also: AWS API Documentation
Request Syntax
response = client.batch_disable_standards(
StandardsSubscriptionArns=[
'string',
]
)
[REQUIRED]
The ARNS of the standards subscriptions that you want to disable.
{
'StandardsSubscriptions': [
{
'StandardsSubscriptionArn': 'string',
'StandardsArn': 'string',
'StandardsInput': {
'string': 'string'
},
'StandardsStatus': 'PENDING'|'READY'|'FAILED'|'DELETING'
},
]
}
Response Structure
The details of the standards subscriptions that were disabled.
A resource that represents your subscription to a supported standard.
The ARN of a resource that represents your subscription to a supported standard.
The ARN of a standard.
The standard's status.
Enables the standards specified by the standards ARNs. In the context of Security Hub, supported standards (for example, CIS AWS Foundations) are automated and continuous checks that help determine your compliance status against security industry (including AWS) best practices.
See also: AWS API Documentation
Request Syntax
response = client.batch_enable_standards(
StandardsSubscriptionRequests=[
{
'StandardsArn': 'string',
'StandardsInput': {
'string': 'string'
}
},
]
)
[REQUIRED]
The list of standards that you want to enable.
The standard that you want to enable.
The ARN of the standard that you want to enable.
{
'StandardsSubscriptions': [
{
'StandardsSubscriptionArn': 'string',
'StandardsArn': 'string',
'StandardsInput': {
'string': 'string'
},
'StandardsStatus': 'PENDING'|'READY'|'FAILED'|'DELETING'
},
]
}
Response Structure
The details of the standards subscriptions that were enabled.
A resource that represents your subscription to a supported standard.
The ARN of a resource that represents your subscription to a supported standard.
The ARN of a standard.
The standard's status.
Imports security findings that are generated by the integrated third-party products into Security Hub.
See also: AWS API Documentation
Request Syntax
response = client.batch_import_findings(
Findings=[
{
'SchemaVersion': 'string',
'Id': 'string',
'ProductArn': 'string',
'GeneratorId': 'string',
'AwsAccountId': 'string',
'Types': [
'string',
],
'FirstObservedAt': 'string',
'LastObservedAt': 'string',
'CreatedAt': 'string',
'UpdatedAt': 'string',
'Severity': {
'Product': 123.0,
'Normalized': 123
},
'Confidence': 123,
'Criticality': 123,
'Title': 'string',
'Description': 'string',
'Remediation': {
'Recommendation': {
'Text': 'string',
'Url': 'string'
}
},
'SourceUrl': 'string',
'ProductFields': {
'string': 'string'
},
'UserDefinedFields': {
'string': 'string'
},
'Malware': [
{
'Name': 'string',
'Type': 'ADWARE'|'BLENDED_THREAT'|'BOTNET_AGENT'|'COIN_MINER'|'EXPLOIT_KIT'|'KEYLOGGER'|'MACRO'|'POTENTIALLY_UNWANTED'|'SPYWARE'|'RANSOMWARE'|'REMOTE_ACCESS'|'ROOTKIT'|'TROJAN'|'VIRUS'|'WORM',
'Path': 'string',
'State': 'OBSERVED'|'REMOVAL_FAILED'|'REMOVED'
},
],
'Network': {
'Direction': 'IN'|'OUT',
'Protocol': 'string',
'SourceIpV4': 'string',
'SourceIpV6': 'string',
'SourcePort': 123,
'SourceDomain': 'string',
'SourceMac': 'string',
'DestinationIpV4': 'string',
'DestinationIpV6': 'string',
'DestinationPort': 123,
'DestinationDomain': 'string'
},
'Process': {
'Name': 'string',
'Path': 'string',
'Pid': 123,
'ParentPid': 123,
'LaunchedAt': 'string',
'TerminatedAt': 'string'
},
'ThreatIntelIndicators': [
{
'Type': 'DOMAIN'|'EMAIL_ADDRESS'|'HASH_MD5'|'HASH_SHA1'|'HASH_SHA256'|'HASH_SHA512'|'IPV4_ADDRESS'|'IPV6_ADDRESS'|'MUTEX'|'PROCESS'|'URL',
'Value': 'string',
'Category': 'BACKDOOR'|'CARD_STEALER'|'COMMAND_AND_CONTROL'|'DROP_SITE'|'EXPLOIT_SITE'|'KEYLOGGER',
'LastObservedAt': 'string',
'Source': 'string',
'SourceUrl': 'string'
},
],
'Resources': [
{
'Type': 'string',
'Id': 'string',
'Partition': 'aws'|'aws-cn'|'aws-us-gov',
'Region': 'string',
'Tags': {
'string': 'string'
},
'Details': {
'AwsEc2Instance': {
'Type': 'string',
'ImageId': 'string',
'IpV4Addresses': [
'string',
],
'IpV6Addresses': [
'string',
],
'KeyName': 'string',
'IamInstanceProfileArn': 'string',
'VpcId': 'string',
'SubnetId': 'string',
'LaunchedAt': 'string'
},
'AwsS3Bucket': {
'OwnerId': 'string',
'OwnerName': 'string'
},
'AwsIamAccessKey': {
'UserName': 'string',
'Status': 'Active'|'Inactive',
'CreatedAt': 'string'
},
'Container': {
'Name': 'string',
'ImageId': 'string',
'ImageName': 'string',
'LaunchedAt': 'string'
},
'Other': {
'string': 'string'
}
}
},
],
'Compliance': {
'Status': 'PASSED'|'WARNING'|'FAILED'|'NOT_AVAILABLE'
},
'VerificationState': 'UNKNOWN'|'TRUE_POSITIVE'|'FALSE_POSITIVE'|'BENIGN_POSITIVE',
'WorkflowState': 'NEW'|'ASSIGNED'|'IN_PROGRESS'|'DEFERRED'|'RESOLVED',
'RecordState': 'ACTIVE'|'ARCHIVED',
'RelatedFindings': [
{
'ProductArn': 'string',
'Id': 'string'
},
],
'Note': {
'Text': 'string',
'UpdatedBy': 'string',
'UpdatedAt': 'string'
}
},
]
)
[REQUIRED]
A list of findings that you want to import. Must be submitted in the AWSSecurityFinding format.
Provides consistent format for the contents of the Security Hub-aggregated findings. AwsSecurityFinding format enables you to share findings between AWS security services and third-party solutions, and compliance checks.
Note
A finding is a potential security issue generated either by AWS services (GuardDuty, Inspector, Macie) or by the integrated third-party solutions and compliance checks.
The schema version for which a finding is formatted.
The security findings provider-specific identifier for a finding.
The ARN generated by Security Hub that uniquely identifies a third-party company (security findings provider) once this provider's product (solution that generates findings) is registered with Security Hub.
This is the identifier for the solution-specific component (a discrete unit of logic) that generated a finding. In various security findings provider's solutions, this generator can be called a rule, a check, a detector, a plug-in, etc.
The AWS account ID in which a finding is generated.
One or more finding types in the format of 'namespace/category/classifier' that classify a finding.
Valid namespace values are: Software and Configuration Checks | TTPs | Effects | Unusual Behaviors | Sensitive Data Identifications
An ISO8601-formatted timestamp that indicates when the potential security issue captured by a finding was first observed by the security findings provider.
An ISO8601-formatted timestamp that indicates when the potential security issue captured by a finding was most recently observed by the security findings provider.
An ISO8601-formatted timestamp that indicates when the potential security issue captured by a finding was created by the security findings provider.
An ISO8601-formatted timestamp that indicates when the finding record was last updated by the security findings provider.
A finding's severity.
The native severity as defined by the security findings provider's solution that generated the finding.
The normalized severity of a finding.
A finding's confidence. Confidence is defined as the likelihood that a finding accurately identifies the behavior or issue that it was intended to identify. Confidence is scored on a 0-100 basis using a ratio scale. 0 equates zero percent confidence and 100 equates to 100 percent confidence.
The level of importance assigned to the resources associated with the finding. A score of 0 means the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources.
A finding's title.
A finding's description.
An data type that describes the remediation options for a finding.
Provides a recommendation on how to remediate the issue identified within a finding.
The recommendation of what to do about the issue described in a finding.
A URL to link to general remediation information for the finding type of a finding.
A URL that links to a page about the current finding in the security findings provider's solution.
A data type where security findings providers can include additional solution-specific details that are not part of the defined AwsSecurityFinding format.
A list of name/value string pairs associated with the finding. These are custom, user-defined fields added to a finding.
A list of malware related to a finding.
A list of malware related to a finding.
The name of the malware that was observed.
The type of the malware that was observed.
The filesystem path of the malware that was observed.
The state of the malware that was observed.
The details of network-related information about a finding.
Indicates the direction of network traffic associated with a finding.
The protocol of network-related information about a finding.
The source IPv4 address of network-related information about a finding.
The source IPv6 address of network-related information about a finding.
The source port of network-related information about a finding.
The source domain of network-related information about a finding.
The source media access control (MAC) address of network-related information about a finding.
The destination IPv4 address of network-related information about a finding.
The destination IPv6 address of network-related information about a finding.
The destination port of network-related information about a finding.
The destination domain of network-related information about a finding.
The details of process-related information about a finding.
The name of the process.
The path to the process executable.
The process ID.
The parent process ID.
The date/time that the process was launched.
The date/time that the process was terminated.
Threat intel details related to a finding.
Threat intel details related to a finding.
The type of a threat intel indicator.
The value of a threat intel indicator.
The category of a threat intel indicator.
The date/time of the last observation of a threat intel indicator.
The source of the threat intel.
The URL for more details from the source of the threat intel.
A set of resource data types that describe the resources to which the finding refers.
A resource data type that describes a resource to which the finding refers.
Specifies the type of the resource for which details are provided.
The canonical identifier for the given resource type.
The canonical AWS partition name to which the region is assigned.
The canonical AWS external region name where this resource is located.
A list of AWS tags associated with a resource at the time the finding was processed.
Provides additional details about the resource.
The details of an AWS EC2 instance.
The instance type of the instance.
The Amazon Machine Image (AMI) ID of the instance.
The IPv4 addresses associated with the instance.
The IPv6 addresses associated with the instance.
The key name associated with the instance.
The IAM profile ARN of the instance.
The identifier of the VPC in which the instance was launched.
The identifier of the subnet in which the instance was launched.
The date/time the instance was launched.
The details of an AWS S3 Bucket.
The canonical user ID of the owner of the S3 bucket.
The display name of the owner of the S3 bucket.
AWS IAM access key details related to a finding.
The user associated with the IAM access key related to a finding.
The status of the IAM access key related to a finding.
The creation date/time of the IAM access key related to a finding.
Container details related to a finding.
The name of the container related to a finding.
The identifier of the image related to a finding.
The name of the image related to a finding.
The date/time that the container was started.
The details of a resource that does not have a specific sub-field for the resource type defined.
This data type is exclusive to findings that are generated as the result of a check run against a specific rule in a supported standard (for example, AWS CIS Foundations). Contains compliance-related finding details.
Indicates the result of a compliance check.
Indicates the veracity of a finding.
The workflow state of a finding.
The record state of a finding.
A list of related findings.
Related finding's details.
The ARN of the solution that generated a related finding.
The solution-generated identifier for a related finding.
A user-defined note added to a finding.
The text of a note.
The principal that created a note.
The timestamp of when the note was updated.
{
'FailedCount': 123,
'SuccessCount': 123,
'FailedFindings': [
{
'Id': 'string',
'ErrorCode': 'string',
'ErrorMessage': 'string'
},
]
}
Response Structure
The number of findings that cannot be imported.
The number of findings that were successfully imported
The list of the findings that cannot be imported.
Includes details of the list of the findings that cannot be imported.
The id of the error made during the BatchImportFindings operation.
The code of the error made during the BatchImportFindings operation.
The message of the error made during the BatchImportFindings operation.
Check if an operation can be paginated.
Creates an insight, which is a consolidation of findings that identifies a security area that requires attention or intervention.
See also: AWS API Documentation
Request Syntax
response = client.create_insight(
Name='string',
Filters={
'ProductArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'AwsAccountId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'Id': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'GeneratorId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'Type': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'FirstObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'LastObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'CreatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'UpdatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'SeverityProduct': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'SeverityNormalized': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'SeverityLabel': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'Confidence': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'Criticality': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'Title': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'Description': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'RecommendationText': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'SourceUrl': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ProductFields': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'CONTAINS'
},
],
'ProductName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'CompanyName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'UserDefinedFields': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'CONTAINS'
},
],
'MalwareName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'MalwareType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'MalwarePath': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'MalwareState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'NetworkDirection': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'NetworkProtocol': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'NetworkSourceIpV4': [
{
'Cidr': 'string'
},
],
'NetworkSourceIpV6': [
{
'Cidr': 'string'
},
],
'NetworkSourcePort': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'NetworkSourceDomain': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'NetworkSourceMac': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'NetworkDestinationIpV4': [
{
'Cidr': 'string'
},
],
'NetworkDestinationIpV6': [
{
'Cidr': 'string'
},
],
'NetworkDestinationPort': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'NetworkDestinationDomain': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ProcessName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ProcessPath': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ProcessPid': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'ProcessParentPid': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'ProcessLaunchedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ProcessTerminatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ThreatIntelIndicatorType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ThreatIntelIndicatorValue': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ThreatIntelIndicatorCategory': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ThreatIntelIndicatorLastObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ThreatIntelIndicatorSource': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ThreatIntelIndicatorSourceUrl': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourcePartition': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceRegion': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceTags': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'CONTAINS'
},
],
'ResourceAwsEc2InstanceType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceImageId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceIpV4Addresses': [
{
'Cidr': 'string'
},
],
'ResourceAwsEc2InstanceIpV6Addresses': [
{
'Cidr': 'string'
},
],
'ResourceAwsEc2InstanceKeyName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceIamInstanceProfileArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceVpcId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceSubnetId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceLaunchedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ResourceAwsS3BucketOwnerId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceAwsS3BucketOwnerName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceAwsIamAccessKeyUserName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceAwsIamAccessKeyStatus': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceAwsIamAccessKeyCreatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ResourceContainerName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceContainerImageId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceContainerImageName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceContainerLaunchedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ResourceDetailsOther': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'CONTAINS'
},
],
'ComplianceStatus': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'VerificationState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'WorkflowState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'RecordState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'RelatedFindingsProductArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'RelatedFindingsId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'NoteText': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'NoteUpdatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'NoteUpdatedBy': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'Keyword': [
{
'Value': 'string'
},
]
},
GroupByAttribute='string'
)
[REQUIRED]
The user-defined name that identifies the insight that you want to create.
[REQUIRED]
A collection of attributes that are applied to all active Security Hub-aggregated findings and that result in a subset of findings that are included in this insight.
The ARN generated by Security Hub that uniquely identifies a third-party company (security findings provider) once this provider's product (solution that generates findings) is registered with Security Hub.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The AWS account ID in which a finding is generated.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The security findings provider-specific identifier for a finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
This is the identifier for the solution-specific component (a discrete unit of logic) that generated a finding. In various security findings provider's solutions, this generator can be called a rule, a check, a detector, a plug-in, etc.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
A finding type in the format of 'namespace/category/classifier' that classifies a finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
An ISO8601-formatted timestamp that indicates when the potential security issue captured by a finding was first observed by the security findings provider.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
An ISO8601-formatted timestamp that indicates when the potential security issue captured by a finding was most recently observed by the security findings provider.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
An ISO8601-formatted timestamp that indicates when the potential security issue captured by a finding was created by the security findings provider.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
An ISO8601-formatted timestamp that indicates when the finding record was last updated by the security findings provider.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The native severity as defined by the security findings provider's solution that generated the finding.
A number filter for querying findings.
Represents the "greater than equal" condition to be applied to a single field when querying for findings.
Represents the "less than equal" condition to be applied to a single field when querying for findings.
Represents the "equal to" condition to be applied to a single field when querying for findings.
The normalized severity of a finding.
A number filter for querying findings.
Represents the "greater than equal" condition to be applied to a single field when querying for findings.
Represents the "less than equal" condition to be applied to a single field when querying for findings.
Represents the "equal to" condition to be applied to a single field when querying for findings.
The label of a finding's severity.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
A finding's confidence. Confidence is defined as the likelihood that a finding accurately identifies the behavior or issue that it was intended to identify. Confidence is scored on a 0-100 basis using a ratio scale. 0 equates zero percent confidence and 100 equates to 100 percent confidence.
A number filter for querying findings.
Represents the "greater than equal" condition to be applied to a single field when querying for findings.
Represents the "less than equal" condition to be applied to a single field when querying for findings.
Represents the "equal to" condition to be applied to a single field when querying for findings.
The level of importance assigned to the resources associated with the finding. A score of 0 means the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources.
A number filter for querying findings.
Represents the "greater than equal" condition to be applied to a single field when querying for findings.
Represents the "less than equal" condition to be applied to a single field when querying for findings.
Represents the "equal to" condition to be applied to a single field when querying for findings.
A finding's title.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
A finding's description.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The recommendation of what to do about the issue described in a finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
A URL that links to a page about the current finding in the security findings provider's solution.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
A data type where security findings providers can include additional solution-specific details that are not part of the defined AwsSecurityFinding format.
The map filter for querying findings.
The key of the map filter.
The value for the key in the map filter.
Represents the condition to be applied to a key value when querying for findings with a map filter.
The name of the solution (product) that generates findings.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The name of the findings provider (company) that owns the solution (product) that generates findings.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
A list of name/value string pairs associated with the finding. These are custom, user-defined fields added to a finding.
The map filter for querying findings.
The key of the map filter.
The value for the key in the map filter.
Represents the condition to be applied to a key value when querying for findings with a map filter.
The name of the malware that was observed.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The type of the malware that was observed.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The filesystem path of the malware that was observed.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The state of the malware that was observed.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
Indicates the direction of network traffic associated with a finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The protocol of network-related information about a finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The source IPv4 address of network-related information about a finding.
The IP filter for querying findings.>
Finding's CIDR value.
The source IPv6 address of network-related information about a finding.
The IP filter for querying findings.>
Finding's CIDR value.
The source port of network-related information about a finding.
A number filter for querying findings.
Represents the "greater than equal" condition to be applied to a single field when querying for findings.
Represents the "less than equal" condition to be applied to a single field when querying for findings.
Represents the "equal to" condition to be applied to a single field when querying for findings.
The source domain of network-related information about a finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The source media access control (MAC) address of network-related information about a finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The destination IPv4 address of network-related information about a finding.
The IP filter for querying findings.>
Finding's CIDR value.
The destination IPv6 address of network-related information about a finding.
The IP filter for querying findings.>
Finding's CIDR value.
The destination port of network-related information about a finding.
A number filter for querying findings.
Represents the "greater than equal" condition to be applied to a single field when querying for findings.
Represents the "less than equal" condition to be applied to a single field when querying for findings.
Represents the "equal to" condition to be applied to a single field when querying for findings.
The destination domain of network-related information about a finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The name of the process.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The path to the process executable.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The process ID.
A number filter for querying findings.
Represents the "greater than equal" condition to be applied to a single field when querying for findings.
Represents the "less than equal" condition to be applied to a single field when querying for findings.
Represents the "equal to" condition to be applied to a single field when querying for findings.
The parent process ID.
A number filter for querying findings.
Represents the "greater than equal" condition to be applied to a single field when querying for findings.
Represents the "less than equal" condition to be applied to a single field when querying for findings.
Represents the "equal to" condition to be applied to a single field when querying for findings.
The date/time that the process was launched.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The date/time that the process was terminated.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The type of a threat intel indicator.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The value of a threat intel indicator.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The category of a threat intel indicator.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The date/time of the last observation of a threat intel indicator.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The source of the threat intel.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The URL for more details from the source of the threat intel.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
Specifies the type of the resource for which details are provided.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The canonical identifier for the given resource type.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The canonical AWS partition name to which the region is assigned.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The canonical AWS external region name where this resource is located.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
A list of AWS tags associated with a resource at the time the finding was processed.
The map filter for querying findings.
The key of the map filter.
The value for the key in the map filter.
Represents the condition to be applied to a key value when querying for findings with a map filter.
The instance type of the instance.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The Amazon Machine Image (AMI) ID of the instance.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The IPv4 addresses associated with the instance.
The IP filter for querying findings.>
Finding's CIDR value.
The IPv6 addresses associated with the instance.
The IP filter for querying findings.>
Finding's CIDR value.
The key name associated with the instance.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The IAM profile ARN of the instance.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The identifier of the VPC in which the instance was launched.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The identifier of the subnet in which the instance was launched.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The date/time the instance was launched.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The canonical user ID of the owner of the S3 bucket.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The display name of the owner of the S3 bucket.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The user associated with the IAM access key related to a finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The status of the IAM access key related to a finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The creation date/time of the IAM access key related to a finding.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The name of the container related to a finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The identifier of the image related to a finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The name of the image related to a finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The date/time that the container was started.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The details of a resource that does not have a specific sub-field for the resource type defined.
The map filter for querying findings.
The key of the map filter.
The value for the key in the map filter.
Represents the condition to be applied to a key value when querying for findings with a map filter.
Exclusive to findings that are generated as the result of a check run against a specific rule in a supported standard (for example, AWS CIS Foundations). Contains compliance-related finding details.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
Indicates the veracity of a finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The workflow state of a finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The updated record state for the finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The ARN of the solution that generated a related finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The solution-generated identifier for a related finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The text of a note.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The timestamp of when the note was updated.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The principal that created a note.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
A keyword for a finding.
A keyword filter for querying findings.
A value for the keyword.
[REQUIRED]
The attribute by which the insight's findings are grouped. This attribute is used as a findings aggregator for the purposes of viewing and managing multiple related findings under a single operand.
dict
Response Syntax
{
'InsightArn': 'string'
}
Response Structure
(dict) --
InsightArn (string) --
The ARN Of the created insight.
Creates member Security Hub accounts in the current AWS account (which becomes the master Security Hub account) that has Security Hub enabled.
See also: AWS API Documentation
Request Syntax
response = client.create_members(
AccountDetails=[
{
'AccountId': 'string',
'Email': 'string'
},
]
)
A list of account ID and email address pairs of the accounts that you want to associate with the master Security Hub account.
The details of an AWS account.
The ID of an AWS account.
The email of an AWS account.
{
'UnprocessedAccounts': [
{
'AccountId': 'string',
'ProcessingResult': 'string'
},
]
}
Response Structure
A list of account ID and email address pairs of the AWS accounts that could not be processed.
The account details that could not be processed.
An ID of the AWS account that could not be processed.
The reason for why an account could not be processed.
Declines invitations that are sent to this AWS account (invitee) by the AWS accounts (inviters) that are specified by the account IDs.
See also: AWS API Documentation
Request Syntax
response = client.decline_invitations(
AccountIds=[
'string',
]
)
A list of account IDs specifying accounts whose invitations to Security Hub you want to decline.
{
'UnprocessedAccounts': [
{
'AccountId': 'string',
'ProcessingResult': 'string'
},
]
}
Response Structure
A list of account ID and email address pairs of the AWS accounts that could not be processed.
The account details that could not be processed.
An ID of the AWS account that could not be processed.
The reason for why an account could not be processed.
Deletes an insight that is specified by the insight ARN.
See also: AWS API Documentation
Request Syntax
response = client.delete_insight(
InsightArn='string'
)
[REQUIRED]
The ARN of the insight that you want to delete.
{
'InsightArn': 'string'
}
Response Structure
The ARN of the insight that was deleted.
Deletes invitations that are sent to this AWS account (invitee) by the AWS accounts (inviters) that are specified by their account IDs.
See also: AWS API Documentation
Request Syntax
response = client.delete_invitations(
AccountIds=[
'string',
]
)
A list of account IDs specifying accounts whose invitations to Security Hub you want to delete.
{
'UnprocessedAccounts': [
{
'AccountId': 'string',
'ProcessingResult': 'string'
},
]
}
Response Structure
A list of account ID and email address pairs of the AWS accounts that could not be processed.
The account details that could not be processed.
An ID of the AWS account that could not be processed.
The reason for why an account could not be processed.
Deletes the Security Hub member accounts that are specified by the account IDs.
See also: AWS API Documentation
Request Syntax
response = client.delete_members(
AccountIds=[
'string',
]
)
A list of account IDs of the Security Hub member accounts that you want to delete.
{
'UnprocessedAccounts': [
{
'AccountId': 'string',
'ProcessingResult': 'string'
},
]
}
Response Structure
A list of account ID and email address pairs of the AWS accounts that could not be processed.
The account details that could not be processed.
An ID of the AWS account that could not be processed.
The reason for why an account could not be processed.
Stops you from being able to import findings generated by integrated third-party providers into Security Hub.
See also: AWS API Documentation
Request Syntax
response = client.disable_import_findings_for_product(
ProductSubscriptionArn='string'
)
[REQUIRED]
The ARN of a resource that represents your subscription to a supported product.
{}
Response Structure
Disables the AWS Security Hub Service.
See also: AWS API Documentation
Request Syntax
response = client.disable_security_hub()
{}
Response Structure
Disassociates the current Security Hub member account from its master account.
See also: AWS API Documentation
Request Syntax
response = client.disassociate_from_master_account()
{}
Response Structure
Disassociates the Security Hub member accounts that are specified by the account IDs from their master account.
See also: AWS API Documentation
Request Syntax
response = client.disassociate_members(
AccountIds=[
'string',
]
)
The account IDs of the member accounts that you want to disassociate from the master account.
{}
Response Structure
Enables you to import findings generated by integrated third-party providers into Security Hub.
See also: AWS API Documentation
Request Syntax
response = client.enable_import_findings_for_product(
ProductArn='string'
)
[REQUIRED]
The ARN of the product that generates findings that you want to import into Security Hub.
{
'ProductSubscriptionArn': 'string'
}
Response Structure
The ARN of a resource that represents your subscription to the product that generates the findings that you want to import into Security Hub.
Enables the AWS Security Hub service.
See also: AWS API Documentation
Request Syntax
response = client.enable_security_hub()
{}
Response Structure
Generate a presigned url given a client, its method, and arguments
The presigned url
Lists and describes enabled standards.
See also: AWS API Documentation
Request Syntax
response = client.get_enabled_standards(
StandardsSubscriptionArns=[
'string',
],
NextToken='string',
MaxResults=123
)
The list of standards subscription ARNS that you want to list and describe.
dict
Response Syntax
{
'StandardsSubscriptions': [
{
'StandardsSubscriptionArn': 'string',
'StandardsArn': 'string',
'StandardsInput': {
'string': 'string'
},
'StandardsStatus': 'PENDING'|'READY'|'FAILED'|'DELETING'
},
],
'NextToken': 'string'
}
Response Structure
(dict) --
StandardsSubscriptions (list) --
The standards subscription details returned by the operation.
(dict) --
A resource that represents your subscription to a supported standard.
StandardsSubscriptionArn (string) --
The ARN of a resource that represents your subscription to a supported standard.
StandardsArn (string) --
The ARN of a standard.
StandardsInput (dict) --
StandardsStatus (string) --
The standard's status.
NextToken (string) --
The token that is required for pagination.
Lists and describes Security Hub-aggregated findings that are specified by filter attributes.
See also: AWS API Documentation
Request Syntax
response = client.get_findings(
Filters={
'ProductArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'AwsAccountId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'Id': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'GeneratorId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'Type': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'FirstObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'LastObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'CreatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'UpdatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'SeverityProduct': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'SeverityNormalized': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'SeverityLabel': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'Confidence': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'Criticality': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'Title': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'Description': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'RecommendationText': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'SourceUrl': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ProductFields': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'CONTAINS'
},
],
'ProductName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'CompanyName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'UserDefinedFields': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'CONTAINS'
},
],
'MalwareName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'MalwareType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'MalwarePath': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'MalwareState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'NetworkDirection': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'NetworkProtocol': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'NetworkSourceIpV4': [
{
'Cidr': 'string'
},
],
'NetworkSourceIpV6': [
{
'Cidr': 'string'
},
],
'NetworkSourcePort': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'NetworkSourceDomain': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'NetworkSourceMac': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'NetworkDestinationIpV4': [
{
'Cidr': 'string'
},
],
'NetworkDestinationIpV6': [
{
'Cidr': 'string'
},
],
'NetworkDestinationPort': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'NetworkDestinationDomain': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ProcessName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ProcessPath': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ProcessPid': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'ProcessParentPid': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'ProcessLaunchedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ProcessTerminatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ThreatIntelIndicatorType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ThreatIntelIndicatorValue': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ThreatIntelIndicatorCategory': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ThreatIntelIndicatorLastObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ThreatIntelIndicatorSource': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ThreatIntelIndicatorSourceUrl': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourcePartition': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceRegion': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceTags': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'CONTAINS'
},
],
'ResourceAwsEc2InstanceType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceImageId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceIpV4Addresses': [
{
'Cidr': 'string'
},
],
'ResourceAwsEc2InstanceIpV6Addresses': [
{
'Cidr': 'string'
},
],
'ResourceAwsEc2InstanceKeyName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceIamInstanceProfileArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceVpcId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceSubnetId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceLaunchedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ResourceAwsS3BucketOwnerId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceAwsS3BucketOwnerName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceAwsIamAccessKeyUserName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceAwsIamAccessKeyStatus': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceAwsIamAccessKeyCreatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ResourceContainerName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceContainerImageId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceContainerImageName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceContainerLaunchedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ResourceDetailsOther': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'CONTAINS'
},
],
'ComplianceStatus': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'VerificationState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'WorkflowState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'RecordState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'RelatedFindingsProductArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'RelatedFindingsId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'NoteText': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'NoteUpdatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'NoteUpdatedBy': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'Keyword': [
{
'Value': 'string'
},
]
},
SortCriteria=[
{
'Field': 'string',
'SortOrder': 'asc'|'desc'
},
],
NextToken='string',
MaxResults=123
)
A collection of attributes that is use for querying findings.
The ARN generated by Security Hub that uniquely identifies a third-party company (security findings provider) once this provider's product (solution that generates findings) is registered with Security Hub.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The AWS account ID in which a finding is generated.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The security findings provider-specific identifier for a finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
This is the identifier for the solution-specific component (a discrete unit of logic) that generated a finding. In various security findings provider's solutions, this generator can be called a rule, a check, a detector, a plug-in, etc.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
A finding type in the format of 'namespace/category/classifier' that classifies a finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
An ISO8601-formatted timestamp that indicates when the potential security issue captured by a finding was first observed by the security findings provider.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
An ISO8601-formatted timestamp that indicates when the potential security issue captured by a finding was most recently observed by the security findings provider.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
An ISO8601-formatted timestamp that indicates when the potential security issue captured by a finding was created by the security findings provider.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
An ISO8601-formatted timestamp that indicates when the finding record was last updated by the security findings provider.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The native severity as defined by the security findings provider's solution that generated the finding.
A number filter for querying findings.
Represents the "greater than equal" condition to be applied to a single field when querying for findings.
Represents the "less than equal" condition to be applied to a single field when querying for findings.
Represents the "equal to" condition to be applied to a single field when querying for findings.
The normalized severity of a finding.
A number filter for querying findings.
Represents the "greater than equal" condition to be applied to a single field when querying for findings.
Represents the "less than equal" condition to be applied to a single field when querying for findings.
Represents the "equal to" condition to be applied to a single field when querying for findings.
The label of a finding's severity.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
A finding's confidence. Confidence is defined as the likelihood that a finding accurately identifies the behavior or issue that it was intended to identify. Confidence is scored on a 0-100 basis using a ratio scale. 0 equates zero percent confidence and 100 equates to 100 percent confidence.
A number filter for querying findings.
Represents the "greater than equal" condition to be applied to a single field when querying for findings.
Represents the "less than equal" condition to be applied to a single field when querying for findings.
Represents the "equal to" condition to be applied to a single field when querying for findings.
The level of importance assigned to the resources associated with the finding. A score of 0 means the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources.
A number filter for querying findings.
Represents the "greater than equal" condition to be applied to a single field when querying for findings.
Represents the "less than equal" condition to be applied to a single field when querying for findings.
Represents the "equal to" condition to be applied to a single field when querying for findings.
A finding's title.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
A finding's description.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The recommendation of what to do about the issue described in a finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
A URL that links to a page about the current finding in the security findings provider's solution.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
A data type where security findings providers can include additional solution-specific details that are not part of the defined AwsSecurityFinding format.
The map filter for querying findings.
The key of the map filter.
The value for the key in the map filter.
Represents the condition to be applied to a key value when querying for findings with a map filter.
The name of the solution (product) that generates findings.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The name of the findings provider (company) that owns the solution (product) that generates findings.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
A list of name/value string pairs associated with the finding. These are custom, user-defined fields added to a finding.
The map filter for querying findings.
The key of the map filter.
The value for the key in the map filter.
Represents the condition to be applied to a key value when querying for findings with a map filter.
The name of the malware that was observed.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The type of the malware that was observed.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The filesystem path of the malware that was observed.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The state of the malware that was observed.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
Indicates the direction of network traffic associated with a finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The protocol of network-related information about a finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The source IPv4 address of network-related information about a finding.
The IP filter for querying findings.>
Finding's CIDR value.
The source IPv6 address of network-related information about a finding.
The IP filter for querying findings.>
Finding's CIDR value.
The source port of network-related information about a finding.
A number filter for querying findings.
Represents the "greater than equal" condition to be applied to a single field when querying for findings.
Represents the "less than equal" condition to be applied to a single field when querying for findings.
Represents the "equal to" condition to be applied to a single field when querying for findings.
The source domain of network-related information about a finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The source media access control (MAC) address of network-related information about a finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The destination IPv4 address of network-related information about a finding.
The IP filter for querying findings.>
Finding's CIDR value.
The destination IPv6 address of network-related information about a finding.
The IP filter for querying findings.>
Finding's CIDR value.
The destination port of network-related information about a finding.
A number filter for querying findings.
Represents the "greater than equal" condition to be applied to a single field when querying for findings.
Represents the "less than equal" condition to be applied to a single field when querying for findings.
Represents the "equal to" condition to be applied to a single field when querying for findings.
The destination domain of network-related information about a finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The name of the process.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The path to the process executable.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The process ID.
A number filter for querying findings.
Represents the "greater than equal" condition to be applied to a single field when querying for findings.
Represents the "less than equal" condition to be applied to a single field when querying for findings.
Represents the "equal to" condition to be applied to a single field when querying for findings.
The parent process ID.
A number filter for querying findings.
Represents the "greater than equal" condition to be applied to a single field when querying for findings.
Represents the "less than equal" condition to be applied to a single field when querying for findings.
Represents the "equal to" condition to be applied to a single field when querying for findings.
The date/time that the process was launched.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The date/time that the process was terminated.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The type of a threat intel indicator.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The value of a threat intel indicator.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The category of a threat intel indicator.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The date/time of the last observation of a threat intel indicator.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The source of the threat intel.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The URL for more details from the source of the threat intel.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
Specifies the type of the resource for which details are provided.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The canonical identifier for the given resource type.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The canonical AWS partition name to which the region is assigned.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The canonical AWS external region name where this resource is located.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
A list of AWS tags associated with a resource at the time the finding was processed.
The map filter for querying findings.
The key of the map filter.
The value for the key in the map filter.
Represents the condition to be applied to a key value when querying for findings with a map filter.
The instance type of the instance.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The Amazon Machine Image (AMI) ID of the instance.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The IPv4 addresses associated with the instance.
The IP filter for querying findings.>
Finding's CIDR value.
The IPv6 addresses associated with the instance.
The IP filter for querying findings.>
Finding's CIDR value.
The key name associated with the instance.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The IAM profile ARN of the instance.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The identifier of the VPC in which the instance was launched.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The identifier of the subnet in which the instance was launched.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The date/time the instance was launched.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The canonical user ID of the owner of the S3 bucket.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The display name of the owner of the S3 bucket.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The user associated with the IAM access key related to a finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The status of the IAM access key related to a finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The creation date/time of the IAM access key related to a finding.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The name of the container related to a finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The identifier of the image related to a finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The name of the image related to a finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The date/time that the container was started.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The details of a resource that does not have a specific sub-field for the resource type defined.
The map filter for querying findings.
The key of the map filter.
The value for the key in the map filter.
Represents the condition to be applied to a key value when querying for findings with a map filter.
Exclusive to findings that are generated as the result of a check run against a specific rule in a supported standard (for example, AWS CIS Foundations). Contains compliance-related finding details.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
Indicates the veracity of a finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The workflow state of a finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The updated record state for the finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The ARN of the solution that generated a related finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The solution-generated identifier for a related finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The text of a note.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The timestamp of when the note was updated.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The principal that created a note.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
A keyword for a finding.
A keyword filter for querying findings.
A value for the keyword.
A collection of attributes used for sorting findings.
A collection of attributes used for sorting findings.
The finding attribute used for sorting findings.
The order used for sorting findings.
dict
Response Syntax
{
'Findings': [
{
'SchemaVersion': 'string',
'Id': 'string',
'ProductArn': 'string',
'GeneratorId': 'string',
'AwsAccountId': 'string',
'Types': [
'string',
],
'FirstObservedAt': 'string',
'LastObservedAt': 'string',
'CreatedAt': 'string',
'UpdatedAt': 'string',
'Severity': {
'Product': 123.0,
'Normalized': 123
},
'Confidence': 123,
'Criticality': 123,
'Title': 'string',
'Description': 'string',
'Remediation': {
'Recommendation': {
'Text': 'string',
'Url': 'string'
}
},
'SourceUrl': 'string',
'ProductFields': {
'string': 'string'
},
'UserDefinedFields': {
'string': 'string'
},
'Malware': [
{
'Name': 'string',
'Type': 'ADWARE'|'BLENDED_THREAT'|'BOTNET_AGENT'|'COIN_MINER'|'EXPLOIT_KIT'|'KEYLOGGER'|'MACRO'|'POTENTIALLY_UNWANTED'|'SPYWARE'|'RANSOMWARE'|'REMOTE_ACCESS'|'ROOTKIT'|'TROJAN'|'VIRUS'|'WORM',
'Path': 'string',
'State': 'OBSERVED'|'REMOVAL_FAILED'|'REMOVED'
},
],
'Network': {
'Direction': 'IN'|'OUT',
'Protocol': 'string',
'SourceIpV4': 'string',
'SourceIpV6': 'string',
'SourcePort': 123,
'SourceDomain': 'string',
'SourceMac': 'string',
'DestinationIpV4': 'string',
'DestinationIpV6': 'string',
'DestinationPort': 123,
'DestinationDomain': 'string'
},
'Process': {
'Name': 'string',
'Path': 'string',
'Pid': 123,
'ParentPid': 123,
'LaunchedAt': 'string',
'TerminatedAt': 'string'
},
'ThreatIntelIndicators': [
{
'Type': 'DOMAIN'|'EMAIL_ADDRESS'|'HASH_MD5'|'HASH_SHA1'|'HASH_SHA256'|'HASH_SHA512'|'IPV4_ADDRESS'|'IPV6_ADDRESS'|'MUTEX'|'PROCESS'|'URL',
'Value': 'string',
'Category': 'BACKDOOR'|'CARD_STEALER'|'COMMAND_AND_CONTROL'|'DROP_SITE'|'EXPLOIT_SITE'|'KEYLOGGER',
'LastObservedAt': 'string',
'Source': 'string',
'SourceUrl': 'string'
},
],
'Resources': [
{
'Type': 'string',
'Id': 'string',
'Partition': 'aws'|'aws-cn'|'aws-us-gov',
'Region': 'string',
'Tags': {
'string': 'string'
},
'Details': {
'AwsEc2Instance': {
'Type': 'string',
'ImageId': 'string',
'IpV4Addresses': [
'string',
],
'IpV6Addresses': [
'string',
],
'KeyName': 'string',
'IamInstanceProfileArn': 'string',
'VpcId': 'string',
'SubnetId': 'string',
'LaunchedAt': 'string'
},
'AwsS3Bucket': {
'OwnerId': 'string',
'OwnerName': 'string'
},
'AwsIamAccessKey': {
'UserName': 'string',
'Status': 'Active'|'Inactive',
'CreatedAt': 'string'
},
'Container': {
'Name': 'string',
'ImageId': 'string',
'ImageName': 'string',
'LaunchedAt': 'string'
},
'Other': {
'string': 'string'
}
}
},
],
'Compliance': {
'Status': 'PASSED'|'WARNING'|'FAILED'|'NOT_AVAILABLE'
},
'VerificationState': 'UNKNOWN'|'TRUE_POSITIVE'|'FALSE_POSITIVE'|'BENIGN_POSITIVE',
'WorkflowState': 'NEW'|'ASSIGNED'|'IN_PROGRESS'|'DEFERRED'|'RESOLVED',
'RecordState': 'ACTIVE'|'ARCHIVED',
'RelatedFindings': [
{
'ProductArn': 'string',
'Id': 'string'
},
],
'Note': {
'Text': 'string',
'UpdatedBy': 'string',
'UpdatedAt': 'string'
}
},
],
'NextToken': 'string'
}
Response Structure
(dict) --
Findings (list) --
Findings details returned by the operation.
(dict) --
Provides consistent format for the contents of the Security Hub-aggregated findings. AwsSecurityFinding format enables you to share findings between AWS security services and third-party solutions, and compliance checks.
Note
A finding is a potential security issue generated either by AWS services (GuardDuty, Inspector, Macie) or by the integrated third-party solutions and compliance checks.
SchemaVersion (string) --
The schema version for which a finding is formatted.
Id (string) --
The security findings provider-specific identifier for a finding.
ProductArn (string) --
The ARN generated by Security Hub that uniquely identifies a third-party company (security findings provider) once this provider's product (solution that generates findings) is registered with Security Hub.
GeneratorId (string) --
This is the identifier for the solution-specific component (a discrete unit of logic) that generated a finding. In various security findings provider's solutions, this generator can be called a rule, a check, a detector, a plug-in, etc.
AwsAccountId (string) --
The AWS account ID in which a finding is generated.
Types (list) --
One or more finding types in the format of 'namespace/category/classifier' that classify a finding.
Valid namespace values are: Software and Configuration Checks | TTPs | Effects | Unusual Behaviors | Sensitive Data Identifications
FirstObservedAt (string) --
An ISO8601-formatted timestamp that indicates when the potential security issue captured by a finding was first observed by the security findings provider.
LastObservedAt (string) --
An ISO8601-formatted timestamp that indicates when the potential security issue captured by a finding was most recently observed by the security findings provider.
CreatedAt (string) --
An ISO8601-formatted timestamp that indicates when the potential security issue captured by a finding was created by the security findings provider.
UpdatedAt (string) --
An ISO8601-formatted timestamp that indicates when the finding record was last updated by the security findings provider.
Severity (dict) --
A finding's severity.
Product (float) --
The native severity as defined by the security findings provider's solution that generated the finding.
Normalized (integer) --
The normalized severity of a finding.
Confidence (integer) --
A finding's confidence. Confidence is defined as the likelihood that a finding accurately identifies the behavior or issue that it was intended to identify. Confidence is scored on a 0-100 basis using a ratio scale. 0 equates zero percent confidence and 100 equates to 100 percent confidence.
Criticality (integer) --
The level of importance assigned to the resources associated with the finding. A score of 0 means the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources.
Title (string) --
A finding's title.
Description (string) --
A finding's description.
Remediation (dict) --
An data type that describes the remediation options for a finding.
Recommendation (dict) --
Provides a recommendation on how to remediate the issue identified within a finding.
Text (string) --
The recommendation of what to do about the issue described in a finding.
Url (string) --
A URL to link to general remediation information for the finding type of a finding.
SourceUrl (string) --
A URL that links to a page about the current finding in the security findings provider's solution.
ProductFields (dict) --
A data type where security findings providers can include additional solution-specific details that are not part of the defined AwsSecurityFinding format.
UserDefinedFields (dict) --
A list of name/value string pairs associated with the finding. These are custom, user-defined fields added to a finding.
Malware (list) --
A list of malware related to a finding.
(dict) --
A list of malware related to a finding.
Name (string) --
The name of the malware that was observed.
Type (string) --
The type of the malware that was observed.
Path (string) --
The filesystem path of the malware that was observed.
State (string) --
The state of the malware that was observed.
Network (dict) --
The details of network-related information about a finding.
Direction (string) --
Indicates the direction of network traffic associated with a finding.
Protocol (string) --
The protocol of network-related information about a finding.
SourceIpV4 (string) --
The source IPv4 address of network-related information about a finding.
SourceIpV6 (string) --
The source IPv6 address of network-related information about a finding.
SourcePort (integer) --
The source port of network-related information about a finding.
SourceDomain (string) --
The source domain of network-related information about a finding.
SourceMac (string) --
The source media access control (MAC) address of network-related information about a finding.
DestinationIpV4 (string) --
The destination IPv4 address of network-related information about a finding.
DestinationIpV6 (string) --
The destination IPv6 address of network-related information about a finding.
DestinationPort (integer) --
The destination port of network-related information about a finding.
DestinationDomain (string) --
The destination domain of network-related information about a finding.
Process (dict) --
The details of process-related information about a finding.
Name (string) --
The name of the process.
Path (string) --
The path to the process executable.
Pid (integer) --
The process ID.
ParentPid (integer) --
The parent process ID.
LaunchedAt (string) --
The date/time that the process was launched.
TerminatedAt (string) --
The date/time that the process was terminated.
ThreatIntelIndicators (list) --
Threat intel details related to a finding.
(dict) --
Threat intel details related to a finding.
Type (string) --
The type of a threat intel indicator.
Value (string) --
The value of a threat intel indicator.
Category (string) --
The category of a threat intel indicator.
LastObservedAt (string) --
The date/time of the last observation of a threat intel indicator.
Source (string) --
The source of the threat intel.
SourceUrl (string) --
The URL for more details from the source of the threat intel.
Resources (list) --
A set of resource data types that describe the resources to which the finding refers.
(dict) --
A resource data type that describes a resource to which the finding refers.
Type (string) --
Specifies the type of the resource for which details are provided.
Id (string) --
The canonical identifier for the given resource type.
Partition (string) --
The canonical AWS partition name to which the region is assigned.
Region (string) --
The canonical AWS external region name where this resource is located.
Tags (dict) --
A list of AWS tags associated with a resource at the time the finding was processed.
Details (dict) --
Provides additional details about the resource.
AwsEc2Instance (dict) --
The details of an AWS EC2 instance.
Type (string) --
The instance type of the instance.
ImageId (string) --
The Amazon Machine Image (AMI) ID of the instance.
IpV4Addresses (list) --
The IPv4 addresses associated with the instance.
IpV6Addresses (list) --
The IPv6 addresses associated with the instance.
KeyName (string) --
The key name associated with the instance.
IamInstanceProfileArn (string) --
The IAM profile ARN of the instance.
VpcId (string) --
The identifier of the VPC in which the instance was launched.
SubnetId (string) --
The identifier of the subnet in which the instance was launched.
LaunchedAt (string) --
The date/time the instance was launched.
AwsS3Bucket (dict) --
The details of an AWS S3 Bucket.
OwnerId (string) --
The canonical user ID of the owner of the S3 bucket.
OwnerName (string) --
The display name of the owner of the S3 bucket.
AwsIamAccessKey (dict) --
AWS IAM access key details related to a finding.
UserName (string) --
The user associated with the IAM access key related to a finding.
Status (string) --
The status of the IAM access key related to a finding.
CreatedAt (string) --
The creation date/time of the IAM access key related to a finding.
Container (dict) --
Container details related to a finding.
Name (string) --
The name of the container related to a finding.
ImageId (string) --
The identifier of the image related to a finding.
ImageName (string) --
The name of the image related to a finding.
LaunchedAt (string) --
The date/time that the container was started.
Other (dict) --
The details of a resource that does not have a specific sub-field for the resource type defined.
Compliance (dict) --
This data type is exclusive to findings that are generated as the result of a check run against a specific rule in a supported standard (for example, AWS CIS Foundations). Contains compliance-related finding details.
Status (string) --
Indicates the result of a compliance check.
VerificationState (string) --
Indicates the veracity of a finding.
WorkflowState (string) --
The workflow state of a finding.
RecordState (string) --
The record state of a finding.
RelatedFindings (list) --
A list of related findings.
(dict) --
Related finding's details.
ProductArn (string) --
The ARN of the solution that generated a related finding.
Id (string) --
The solution-generated identifier for a related finding.
Note (dict) --
A user-defined note added to a finding.
Text (string) --
The text of a note.
UpdatedBy (string) --
The principal that created a note.
UpdatedAt (string) --
The timestamp of when the note was updated.
NextToken (string) --
The token that is required for pagination.
Lists the results of the Security Hub insight specified by the insight ARN.
See also: AWS API Documentation
Request Syntax
response = client.get_insight_results(
InsightArn='string'
)
[REQUIRED]
The ARN of the insight whose results you want to see.
{
'InsightResults': {
'InsightArn': 'string',
'GroupByAttribute': 'string',
'ResultValues': [
{
'GroupByAttributeValue': 'string',
'Count': 123
},
]
}
}
Response Structure
The insight results returned by the operation.
The ARN of the insight whose results are returned by the GetInsightResults operation.
The attribute by which the findings are grouped for the insight's whose results are returned by the GetInsightResults operation.
The list of insight result values returned by the GetInsightResults operation.
The insight result values returned by the GetInsightResults operation.
The value of the attribute by which the findings are grouped for the insight's whose results are returned by the GetInsightResults operation.
The number of findings returned for each GroupByAttributeValue.
Lists and describes insights that are specified by insight ARNs.
See also: AWS API Documentation
Request Syntax
response = client.get_insights(
InsightArns=[
'string',
],
NextToken='string',
MaxResults=123
)
The ARNS of the insights that you want to describe.
dict
Response Syntax
{
'Insights': [
{
'InsightArn': 'string',
'Name': 'string',
'Filters': {
'ProductArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'AwsAccountId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'Id': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'GeneratorId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'Type': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'FirstObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'LastObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'CreatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'UpdatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'SeverityProduct': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'SeverityNormalized': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'SeverityLabel': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'Confidence': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'Criticality': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'Title': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'Description': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'RecommendationText': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'SourceUrl': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ProductFields': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'CONTAINS'
},
],
'ProductName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'CompanyName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'UserDefinedFields': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'CONTAINS'
},
],
'MalwareName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'MalwareType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'MalwarePath': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'MalwareState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'NetworkDirection': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'NetworkProtocol': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'NetworkSourceIpV4': [
{
'Cidr': 'string'
},
],
'NetworkSourceIpV6': [
{
'Cidr': 'string'
},
],
'NetworkSourcePort': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'NetworkSourceDomain': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'NetworkSourceMac': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'NetworkDestinationIpV4': [
{
'Cidr': 'string'
},
],
'NetworkDestinationIpV6': [
{
'Cidr': 'string'
},
],
'NetworkDestinationPort': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'NetworkDestinationDomain': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ProcessName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ProcessPath': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ProcessPid': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'ProcessParentPid': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'ProcessLaunchedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ProcessTerminatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ThreatIntelIndicatorType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ThreatIntelIndicatorValue': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ThreatIntelIndicatorCategory': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ThreatIntelIndicatorLastObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ThreatIntelIndicatorSource': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ThreatIntelIndicatorSourceUrl': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourcePartition': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceRegion': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceTags': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'CONTAINS'
},
],
'ResourceAwsEc2InstanceType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceImageId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceIpV4Addresses': [
{
'Cidr': 'string'
},
],
'ResourceAwsEc2InstanceIpV6Addresses': [
{
'Cidr': 'string'
},
],
'ResourceAwsEc2InstanceKeyName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceIamInstanceProfileArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceVpcId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceSubnetId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceLaunchedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ResourceAwsS3BucketOwnerId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceAwsS3BucketOwnerName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceAwsIamAccessKeyUserName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceAwsIamAccessKeyStatus': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceAwsIamAccessKeyCreatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ResourceContainerName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceContainerImageId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceContainerImageName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceContainerLaunchedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ResourceDetailsOther': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'CONTAINS'
},
],
'ComplianceStatus': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'VerificationState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'WorkflowState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'RecordState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'RelatedFindingsProductArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'RelatedFindingsId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'NoteText': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'NoteUpdatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'NoteUpdatedBy': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'Keyword': [
{
'Value': 'string'
},
]
},
'GroupByAttribute': 'string'
},
],
'NextToken': 'string'
}
Response Structure
(dict) --
Insights (list) --
The insights returned by the operation.
(dict) --
Contains information about a Security Hub insight.
InsightArn (string) --
The ARN of a Security Hub insight.
Name (string) --
The name of a Security Hub insight.
Filters (dict) --
A collection of attributes that are applied to all active Security Hub-aggregated findings and that result in a subset of findings that are included in this insight.
ProductArn (list) --
The ARN generated by Security Hub that uniquely identifies a third-party company (security findings provider) once this provider's product (solution that generates findings) is registered with Security Hub.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
AwsAccountId (list) --
The AWS account ID in which a finding is generated.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
Id (list) --
The security findings provider-specific identifier for a finding.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
GeneratorId (list) --
This is the identifier for the solution-specific component (a discrete unit of logic) that generated a finding. In various security findings provider's solutions, this generator can be called a rule, a check, a detector, a plug-in, etc.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
Type (list) --
A finding type in the format of 'namespace/category/classifier' that classifies a finding.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
FirstObservedAt (list) --
An ISO8601-formatted timestamp that indicates when the potential security issue captured by a finding was first observed by the security findings provider.
(dict) --
A date filter for querying findings.
Start (string) --
A start date for the date filter.
End (string) --
An end date for the date filter.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
LastObservedAt (list) --
An ISO8601-formatted timestamp that indicates when the potential security issue captured by a finding was most recently observed by the security findings provider.
(dict) --
A date filter for querying findings.
Start (string) --
A start date for the date filter.
End (string) --
An end date for the date filter.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
CreatedAt (list) --
An ISO8601-formatted timestamp that indicates when the potential security issue captured by a finding was created by the security findings provider.
(dict) --
A date filter for querying findings.
Start (string) --
A start date for the date filter.
End (string) --
An end date for the date filter.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
UpdatedAt (list) --
An ISO8601-formatted timestamp that indicates when the finding record was last updated by the security findings provider.
(dict) --
A date filter for querying findings.
Start (string) --
A start date for the date filter.
End (string) --
An end date for the date filter.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
SeverityProduct (list) --
The native severity as defined by the security findings provider's solution that generated the finding.
(dict) --
A number filter for querying findings.
Gte (float) --
Represents the "greater than equal" condition to be applied to a single field when querying for findings.
Lte (float) --
Represents the "less than equal" condition to be applied to a single field when querying for findings.
Eq (float) --
Represents the "equal to" condition to be applied to a single field when querying for findings.
SeverityNormalized (list) --
The normalized severity of a finding.
(dict) --
A number filter for querying findings.
Gte (float) --
Represents the "greater than equal" condition to be applied to a single field when querying for findings.
Lte (float) --
Represents the "less than equal" condition to be applied to a single field when querying for findings.
Eq (float) --
Represents the "equal to" condition to be applied to a single field when querying for findings.
SeverityLabel (list) --
The label of a finding's severity.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
Confidence (list) --
A finding's confidence. Confidence is defined as the likelihood that a finding accurately identifies the behavior or issue that it was intended to identify. Confidence is scored on a 0-100 basis using a ratio scale. 0 equates zero percent confidence and 100 equates to 100 percent confidence.
(dict) --
A number filter for querying findings.
Gte (float) --
Represents the "greater than equal" condition to be applied to a single field when querying for findings.
Lte (float) --
Represents the "less than equal" condition to be applied to a single field when querying for findings.
Eq (float) --
Represents the "equal to" condition to be applied to a single field when querying for findings.
Criticality (list) --
The level of importance assigned to the resources associated with the finding. A score of 0 means the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources.
(dict) --
A number filter for querying findings.
Gte (float) --
Represents the "greater than equal" condition to be applied to a single field when querying for findings.
Lte (float) --
Represents the "less than equal" condition to be applied to a single field when querying for findings.
Eq (float) --
Represents the "equal to" condition to be applied to a single field when querying for findings.
Title (list) --
A finding's title.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
Description (list) --
A finding's description.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
RecommendationText (list) --
The recommendation of what to do about the issue described in a finding.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
SourceUrl (list) --
A URL that links to a page about the current finding in the security findings provider's solution.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
ProductFields (list) --
A data type where security findings providers can include additional solution-specific details that are not part of the defined AwsSecurityFinding format.
(dict) --
The map filter for querying findings.
Key (string) --
The key of the map filter.
Value (string) --
The value for the key in the map filter.
Comparison (string) --
Represents the condition to be applied to a key value when querying for findings with a map filter.
ProductName (list) --
The name of the solution (product) that generates findings.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
CompanyName (list) --
The name of the findings provider (company) that owns the solution (product) that generates findings.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
UserDefinedFields (list) --
A list of name/value string pairs associated with the finding. These are custom, user-defined fields added to a finding.
(dict) --
The map filter for querying findings.
Key (string) --
The key of the map filter.
Value (string) --
The value for the key in the map filter.
Comparison (string) --
Represents the condition to be applied to a key value when querying for findings with a map filter.
MalwareName (list) --
The name of the malware that was observed.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
MalwareType (list) --
The type of the malware that was observed.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
MalwarePath (list) --
The filesystem path of the malware that was observed.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
MalwareState (list) --
The state of the malware that was observed.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
NetworkDirection (list) --
Indicates the direction of network traffic associated with a finding.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
NetworkProtocol (list) --
The protocol of network-related information about a finding.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
NetworkSourceIpV4 (list) --
The source IPv4 address of network-related information about a finding.
(dict) --
The IP filter for querying findings.>
Cidr (string) --
Finding's CIDR value.
NetworkSourceIpV6 (list) --
The source IPv6 address of network-related information about a finding.
(dict) --
The IP filter for querying findings.>
Cidr (string) --
Finding's CIDR value.
NetworkSourcePort (list) --
The source port of network-related information about a finding.
(dict) --
A number filter for querying findings.
Gte (float) --
Represents the "greater than equal" condition to be applied to a single field when querying for findings.
Lte (float) --
Represents the "less than equal" condition to be applied to a single field when querying for findings.
Eq (float) --
Represents the "equal to" condition to be applied to a single field when querying for findings.
NetworkSourceDomain (list) --
The source domain of network-related information about a finding.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
NetworkSourceMac (list) --
The source media access control (MAC) address of network-related information about a finding.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
NetworkDestinationIpV4 (list) --
The destination IPv4 address of network-related information about a finding.
(dict) --
The IP filter for querying findings.>
Cidr (string) --
Finding's CIDR value.
NetworkDestinationIpV6 (list) --
The destination IPv6 address of network-related information about a finding.
(dict) --
The IP filter for querying findings.>
Cidr (string) --
Finding's CIDR value.
NetworkDestinationPort (list) --
The destination port of network-related information about a finding.
(dict) --
A number filter for querying findings.
Gte (float) --
Represents the "greater than equal" condition to be applied to a single field when querying for findings.
Lte (float) --
Represents the "less than equal" condition to be applied to a single field when querying for findings.
Eq (float) --
Represents the "equal to" condition to be applied to a single field when querying for findings.
NetworkDestinationDomain (list) --
The destination domain of network-related information about a finding.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
ProcessName (list) --
The name of the process.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
ProcessPath (list) --
The path to the process executable.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
ProcessPid (list) --
The process ID.
(dict) --
A number filter for querying findings.
Gte (float) --
Represents the "greater than equal" condition to be applied to a single field when querying for findings.
Lte (float) --
Represents the "less than equal" condition to be applied to a single field when querying for findings.
Eq (float) --
Represents the "equal to" condition to be applied to a single field when querying for findings.
ProcessParentPid (list) --
The parent process ID.
(dict) --
A number filter for querying findings.
Gte (float) --
Represents the "greater than equal" condition to be applied to a single field when querying for findings.
Lte (float) --
Represents the "less than equal" condition to be applied to a single field when querying for findings.
Eq (float) --
Represents the "equal to" condition to be applied to a single field when querying for findings.
ProcessLaunchedAt (list) --
The date/time that the process was launched.
(dict) --
A date filter for querying findings.
Start (string) --
A start date for the date filter.
End (string) --
An end date for the date filter.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
ProcessTerminatedAt (list) --
The date/time that the process was terminated.
(dict) --
A date filter for querying findings.
Start (string) --
A start date for the date filter.
End (string) --
An end date for the date filter.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
ThreatIntelIndicatorType (list) --
The type of a threat intel indicator.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
ThreatIntelIndicatorValue (list) --
The value of a threat intel indicator.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
ThreatIntelIndicatorCategory (list) --
The category of a threat intel indicator.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
ThreatIntelIndicatorLastObservedAt (list) --
The date/time of the last observation of a threat intel indicator.
(dict) --
A date filter for querying findings.
Start (string) --
A start date for the date filter.
End (string) --
An end date for the date filter.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
ThreatIntelIndicatorSource (list) --
The source of the threat intel.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
ThreatIntelIndicatorSourceUrl (list) --
The URL for more details from the source of the threat intel.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
ResourceType (list) --
Specifies the type of the resource for which details are provided.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
ResourceId (list) --
The canonical identifier for the given resource type.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
ResourcePartition (list) --
The canonical AWS partition name to which the region is assigned.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
ResourceRegion (list) --
The canonical AWS external region name where this resource is located.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
ResourceTags (list) --
A list of AWS tags associated with a resource at the time the finding was processed.
(dict) --
The map filter for querying findings.
Key (string) --
The key of the map filter.
Value (string) --
The value for the key in the map filter.
Comparison (string) --
Represents the condition to be applied to a key value when querying for findings with a map filter.
ResourceAwsEc2InstanceType (list) --
The instance type of the instance.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
ResourceAwsEc2InstanceImageId (list) --
The Amazon Machine Image (AMI) ID of the instance.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
ResourceAwsEc2InstanceIpV4Addresses (list) --
The IPv4 addresses associated with the instance.
(dict) --
The IP filter for querying findings.>
Cidr (string) --
Finding's CIDR value.
ResourceAwsEc2InstanceIpV6Addresses (list) --
The IPv6 addresses associated with the instance.
(dict) --
The IP filter for querying findings.>
Cidr (string) --
Finding's CIDR value.
ResourceAwsEc2InstanceKeyName (list) --
The key name associated with the instance.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
ResourceAwsEc2InstanceIamInstanceProfileArn (list) --
The IAM profile ARN of the instance.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
ResourceAwsEc2InstanceVpcId (list) --
The identifier of the VPC in which the instance was launched.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
ResourceAwsEc2InstanceSubnetId (list) --
The identifier of the subnet in which the instance was launched.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
ResourceAwsEc2InstanceLaunchedAt (list) --
The date/time the instance was launched.
(dict) --
A date filter for querying findings.
Start (string) --
A start date for the date filter.
End (string) --
An end date for the date filter.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
ResourceAwsS3BucketOwnerId (list) --
The canonical user ID of the owner of the S3 bucket.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
ResourceAwsS3BucketOwnerName (list) --
The display name of the owner of the S3 bucket.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
ResourceAwsIamAccessKeyUserName (list) --
The user associated with the IAM access key related to a finding.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
ResourceAwsIamAccessKeyStatus (list) --
The status of the IAM access key related to a finding.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
ResourceAwsIamAccessKeyCreatedAt (list) --
The creation date/time of the IAM access key related to a finding.
(dict) --
A date filter for querying findings.
Start (string) --
A start date for the date filter.
End (string) --
An end date for the date filter.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
ResourceContainerName (list) --
The name of the container related to a finding.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
ResourceContainerImageId (list) --
The identifier of the image related to a finding.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
ResourceContainerImageName (list) --
The name of the image related to a finding.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
ResourceContainerLaunchedAt (list) --
The date/time that the container was started.
(dict) --
A date filter for querying findings.
Start (string) --
A start date for the date filter.
End (string) --
An end date for the date filter.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
ResourceDetailsOther (list) --
The details of a resource that does not have a specific sub-field for the resource type defined.
(dict) --
The map filter for querying findings.
Key (string) --
The key of the map filter.
Value (string) --
The value for the key in the map filter.
Comparison (string) --
Represents the condition to be applied to a key value when querying for findings with a map filter.
ComplianceStatus (list) --
Exclusive to findings that are generated as the result of a check run against a specific rule in a supported standard (for example, AWS CIS Foundations). Contains compliance-related finding details.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
VerificationState (list) --
Indicates the veracity of a finding.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
WorkflowState (list) --
The workflow state of a finding.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
RecordState (list) --
The updated record state for the finding.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
RelatedFindingsProductArn (list) --
The ARN of the solution that generated a related finding.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
RelatedFindingsId (list) --
The solution-generated identifier for a related finding.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
NoteText (list) --
The text of a note.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
NoteUpdatedAt (list) --
The timestamp of when the note was updated.
(dict) --
A date filter for querying findings.
Start (string) --
A start date for the date filter.
End (string) --
An end date for the date filter.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
NoteUpdatedBy (list) --
The principal that created a note.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
Keyword (list) --
A keyword for a finding.
(dict) --
A keyword filter for querying findings.
Value (string) --
A value for the keyword.
GroupByAttribute (string) --
The attribute by which the insight's findings are grouped. This attribute is used as a findings aggregator for the purposes of viewing and managing multiple related findings under a single operand.
NextToken (string) --
The token that is required for pagination.
Returns the count of all Security Hub membership invitations that were sent to the current member account, not including the currently accepted invitation.
See also: AWS API Documentation
Request Syntax
response = client.get_invitations_count()
{
'InvitationsCount': 123
}
Response Structure
The number of all membership invitations sent to this Security Hub member account, not including the currently accepted invitation.
Provides the details for the Security Hub master account to the current member account.
See also: AWS API Documentation
Request Syntax
response = client.get_master_account()
{
'Master': {
'AccountId': 'string',
'InvitationId': 'string',
'InvitedAt': datetime(2015, 1, 1),
'MemberStatus': 'string'
}
}
Response Structure
A list of details about the Security Hub master account for the current member account.
The account ID of the master Security Hub account who sent the invitation.
The ID of the invitation sent by the master Security Hub account.
The timestamp of when the invitation was sent.
The current relationship status between the inviter and invitee accounts.
Returns the details on the Security Hub member accounts that are specified by the account IDs.
See also: AWS API Documentation
Request Syntax
response = client.get_members(
AccountIds=[
'string',
]
)
[REQUIRED]
A list of account IDs for the Security Hub member accounts on which you want to return the details.
{
'Members': [
{
'AccountId': 'string',
'Email': 'string',
'MasterId': 'string',
'MemberStatus': 'string',
'InvitedAt': datetime(2015, 1, 1),
'UpdatedAt': datetime(2015, 1, 1)
},
],
'UnprocessedAccounts': [
{
'AccountId': 'string',
'ProcessingResult': 'string'
},
]
}
Response Structure
A list of details about the Security Hub member accounts.
The details for a Security Hub member account.
The AWS account ID of a Security Hub member account.
The email of a Security Hub member account.
The AWS account ID of the master Security Hub account to this member account.
The status of the relationship between the member account and its master account.
Time stamp at which the member account was invited to Security Hub.
Time stamp at which this member account was updated.
A list of account ID and email address pairs of the AWS accounts that could not be processed.
The account details that could not be processed.
An ID of the AWS account that could not be processed.
The reason for why an account could not be processed.
Create a paginator for an operation.
Returns an object that can wait for some condition.
Invites other AWS accounts to enable Security Hub and become Security Hub member accounts. When an account accepts the invitation and becomes a member account, the master account can view Security Hub findings of the member account.
See also: AWS API Documentation
Request Syntax
response = client.invite_members(
AccountIds=[
'string',
]
)
A list of IDs of the AWS accounts that you want to invite to Security Hub as members.
{
'UnprocessedAccounts': [
{
'AccountId': 'string',
'ProcessingResult': 'string'
},
]
}
Response Structure
A list of account ID and email address pairs of the AWS accounts that could not be processed.
The account details that could not be processed.
An ID of the AWS account that could not be processed.
The reason for why an account could not be processed.
Lists all Security Hub-integrated third-party findings providers.
See also: AWS API Documentation
Request Syntax
response = client.list_enabled_products_for_import(
NextToken='string',
MaxResults=123
)
dict
Response Syntax
{
'ProductSubscriptions': [
'string',
],
'NextToken': 'string'
}
Response Structure
(dict) --
ProductSubscriptions (list) --
A list of ARNs for the resources that represent your subscriptions to products.
NextToken (string) --
The token that is required for pagination.
Lists all Security Hub membership invitations that were sent to the current AWS account.
See also: AWS API Documentation
Request Syntax
response = client.list_invitations(
MaxResults=123,
NextToken='string'
)
dict
Response Syntax
{
'Invitations': [
{
'AccountId': 'string',
'InvitationId': 'string',
'InvitedAt': datetime(2015, 1, 1),
'MemberStatus': 'string'
},
],
'NextToken': 'string'
}
Response Structure
(dict) --
Invitations (list) --
The details of the invitations returned by the operation.
(dict) --
The details of an invitation sent to an AWS account by the Security Hub master account.
AccountId (string) --
The account ID of the master Security Hub account who sent the invitation.
InvitationId (string) --
The ID of the invitation sent by the master Security Hub account.
InvitedAt (datetime) --
The timestamp of when the invitation was sent.
MemberStatus (string) --
The current relationship status between the inviter and invitee accounts.
NextToken (string) --
The token that is required for pagination.
Lists details about all member accounts for the current Security Hub master account.
See also: AWS API Documentation
Request Syntax
response = client.list_members(
OnlyAssociated=True|False,
MaxResults=123,
NextToken='string'
)
dict
Response Syntax
{
'Members': [
{
'AccountId': 'string',
'Email': 'string',
'MasterId': 'string',
'MemberStatus': 'string',
'InvitedAt': datetime(2015, 1, 1),
'UpdatedAt': datetime(2015, 1, 1)
},
],
'NextToken': 'string'
}
Response Structure
(dict) --
Members (list) --
Member details returned by the operation.
(dict) --
The details for a Security Hub member account.
AccountId (string) --
The AWS account ID of a Security Hub member account.
Email (string) --
The email of a Security Hub member account.
MasterId (string) --
The AWS account ID of the master Security Hub account to this member account.
MemberStatus (string) --
The status of the relationship between the member account and its master account.
InvitedAt (datetime) --
Time stamp at which the member account was invited to Security Hub.
UpdatedAt (datetime) --
Time stamp at which this member account was updated.
NextToken (string) --
The token that is required for pagination.
Updates the AWS Security Hub-aggregated findings specified by the filter attributes.
See also: AWS API Documentation
Request Syntax
response = client.update_findings(
Filters={
'ProductArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'AwsAccountId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'Id': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'GeneratorId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'Type': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'FirstObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'LastObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'CreatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'UpdatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'SeverityProduct': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'SeverityNormalized': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'SeverityLabel': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'Confidence': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'Criticality': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'Title': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'Description': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'RecommendationText': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'SourceUrl': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ProductFields': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'CONTAINS'
},
],
'ProductName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'CompanyName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'UserDefinedFields': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'CONTAINS'
},
],
'MalwareName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'MalwareType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'MalwarePath': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'MalwareState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'NetworkDirection': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'NetworkProtocol': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'NetworkSourceIpV4': [
{
'Cidr': 'string'
},
],
'NetworkSourceIpV6': [
{
'Cidr': 'string'
},
],
'NetworkSourcePort': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'NetworkSourceDomain': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'NetworkSourceMac': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'NetworkDestinationIpV4': [
{
'Cidr': 'string'
},
],
'NetworkDestinationIpV6': [
{
'Cidr': 'string'
},
],
'NetworkDestinationPort': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'NetworkDestinationDomain': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ProcessName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ProcessPath': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ProcessPid': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'ProcessParentPid': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'ProcessLaunchedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ProcessTerminatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ThreatIntelIndicatorType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ThreatIntelIndicatorValue': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ThreatIntelIndicatorCategory': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ThreatIntelIndicatorLastObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ThreatIntelIndicatorSource': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ThreatIntelIndicatorSourceUrl': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourcePartition': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceRegion': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceTags': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'CONTAINS'
},
],
'ResourceAwsEc2InstanceType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceImageId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceIpV4Addresses': [
{
'Cidr': 'string'
},
],
'ResourceAwsEc2InstanceIpV6Addresses': [
{
'Cidr': 'string'
},
],
'ResourceAwsEc2InstanceKeyName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceIamInstanceProfileArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceVpcId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceSubnetId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceLaunchedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ResourceAwsS3BucketOwnerId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceAwsS3BucketOwnerName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceAwsIamAccessKeyUserName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceAwsIamAccessKeyStatus': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceAwsIamAccessKeyCreatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ResourceContainerName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceContainerImageId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceContainerImageName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceContainerLaunchedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ResourceDetailsOther': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'CONTAINS'
},
],
'ComplianceStatus': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'VerificationState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'WorkflowState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'RecordState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'RelatedFindingsProductArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'RelatedFindingsId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'NoteText': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'NoteUpdatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'NoteUpdatedBy': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'Keyword': [
{
'Value': 'string'
},
]
},
Note={
'Text': 'string',
'UpdatedBy': 'string'
},
RecordState='ACTIVE'|'ARCHIVED'
)
[REQUIRED]
A collection of attributes that specify what findings you want to update.
The ARN generated by Security Hub that uniquely identifies a third-party company (security findings provider) once this provider's product (solution that generates findings) is registered with Security Hub.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The AWS account ID in which a finding is generated.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The security findings provider-specific identifier for a finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
This is the identifier for the solution-specific component (a discrete unit of logic) that generated a finding. In various security findings provider's solutions, this generator can be called a rule, a check, a detector, a plug-in, etc.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
A finding type in the format of 'namespace/category/classifier' that classifies a finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
An ISO8601-formatted timestamp that indicates when the potential security issue captured by a finding was first observed by the security findings provider.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
An ISO8601-formatted timestamp that indicates when the potential security issue captured by a finding was most recently observed by the security findings provider.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
An ISO8601-formatted timestamp that indicates when the potential security issue captured by a finding was created by the security findings provider.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
An ISO8601-formatted timestamp that indicates when the finding record was last updated by the security findings provider.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The native severity as defined by the security findings provider's solution that generated the finding.
A number filter for querying findings.
Represents the "greater than equal" condition to be applied to a single field when querying for findings.
Represents the "less than equal" condition to be applied to a single field when querying for findings.
Represents the "equal to" condition to be applied to a single field when querying for findings.
The normalized severity of a finding.
A number filter for querying findings.
Represents the "greater than equal" condition to be applied to a single field when querying for findings.
Represents the "less than equal" condition to be applied to a single field when querying for findings.
Represents the "equal to" condition to be applied to a single field when querying for findings.
The label of a finding's severity.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
A finding's confidence. Confidence is defined as the likelihood that a finding accurately identifies the behavior or issue that it was intended to identify. Confidence is scored on a 0-100 basis using a ratio scale. 0 equates zero percent confidence and 100 equates to 100 percent confidence.
A number filter for querying findings.
Represents the "greater than equal" condition to be applied to a single field when querying for findings.
Represents the "less than equal" condition to be applied to a single field when querying for findings.
Represents the "equal to" condition to be applied to a single field when querying for findings.
The level of importance assigned to the resources associated with the finding. A score of 0 means the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources.
A number filter for querying findings.
Represents the "greater than equal" condition to be applied to a single field when querying for findings.
Represents the "less than equal" condition to be applied to a single field when querying for findings.
Represents the "equal to" condition to be applied to a single field when querying for findings.
A finding's title.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
A finding's description.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The recommendation of what to do about the issue described in a finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
A URL that links to a page about the current finding in the security findings provider's solution.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
A data type where security findings providers can include additional solution-specific details that are not part of the defined AwsSecurityFinding format.
The map filter for querying findings.
The key of the map filter.
The value for the key in the map filter.
Represents the condition to be applied to a key value when querying for findings with a map filter.
The name of the solution (product) that generates findings.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The name of the findings provider (company) that owns the solution (product) that generates findings.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
A list of name/value string pairs associated with the finding. These are custom, user-defined fields added to a finding.
The map filter for querying findings.
The key of the map filter.
The value for the key in the map filter.
Represents the condition to be applied to a key value when querying for findings with a map filter.
The name of the malware that was observed.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The type of the malware that was observed.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The filesystem path of the malware that was observed.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The state of the malware that was observed.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
Indicates the direction of network traffic associated with a finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The protocol of network-related information about a finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The source IPv4 address of network-related information about a finding.
The IP filter for querying findings.>
Finding's CIDR value.
The source IPv6 address of network-related information about a finding.
The IP filter for querying findings.>
Finding's CIDR value.
The source port of network-related information about a finding.
A number filter for querying findings.
Represents the "greater than equal" condition to be applied to a single field when querying for findings.
Represents the "less than equal" condition to be applied to a single field when querying for findings.
Represents the "equal to" condition to be applied to a single field when querying for findings.
The source domain of network-related information about a finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The source media access control (MAC) address of network-related information about a finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The destination IPv4 address of network-related information about a finding.
The IP filter for querying findings.>
Finding's CIDR value.
The destination IPv6 address of network-related information about a finding.
The IP filter for querying findings.>
Finding's CIDR value.
The destination port of network-related information about a finding.
A number filter for querying findings.
Represents the "greater than equal" condition to be applied to a single field when querying for findings.
Represents the "less than equal" condition to be applied to a single field when querying for findings.
Represents the "equal to" condition to be applied to a single field when querying for findings.
The destination domain of network-related information about a finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The name of the process.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The path to the process executable.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The process ID.
A number filter for querying findings.
Represents the "greater than equal" condition to be applied to a single field when querying for findings.
Represents the "less than equal" condition to be applied to a single field when querying for findings.
Represents the "equal to" condition to be applied to a single field when querying for findings.
The parent process ID.
A number filter for querying findings.
Represents the "greater than equal" condition to be applied to a single field when querying for findings.
Represents the "less than equal" condition to be applied to a single field when querying for findings.
Represents the "equal to" condition to be applied to a single field when querying for findings.
The date/time that the process was launched.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The date/time that the process was terminated.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The type of a threat intel indicator.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The value of a threat intel indicator.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The category of a threat intel indicator.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The date/time of the last observation of a threat intel indicator.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The source of the threat intel.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The URL for more details from the source of the threat intel.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
Specifies the type of the resource for which details are provided.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The canonical identifier for the given resource type.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The canonical AWS partition name to which the region is assigned.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The canonical AWS external region name where this resource is located.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
A list of AWS tags associated with a resource at the time the finding was processed.
The map filter for querying findings.
The key of the map filter.
The value for the key in the map filter.
Represents the condition to be applied to a key value when querying for findings with a map filter.
The instance type of the instance.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The Amazon Machine Image (AMI) ID of the instance.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The IPv4 addresses associated with the instance.
The IP filter for querying findings.>
Finding's CIDR value.
The IPv6 addresses associated with the instance.
The IP filter for querying findings.>
Finding's CIDR value.
The key name associated with the instance.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The IAM profile ARN of the instance.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The identifier of the VPC in which the instance was launched.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The identifier of the subnet in which the instance was launched.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The date/time the instance was launched.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The canonical user ID of the owner of the S3 bucket.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The display name of the owner of the S3 bucket.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The user associated with the IAM access key related to a finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The status of the IAM access key related to a finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The creation date/time of the IAM access key related to a finding.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The name of the container related to a finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The identifier of the image related to a finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The name of the image related to a finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The date/time that the container was started.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The details of a resource that does not have a specific sub-field for the resource type defined.
The map filter for querying findings.
The key of the map filter.
The value for the key in the map filter.
Represents the condition to be applied to a key value when querying for findings with a map filter.
Exclusive to findings that are generated as the result of a check run against a specific rule in a supported standard (for example, AWS CIS Foundations). Contains compliance-related finding details.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
Indicates the veracity of a finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The workflow state of a finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The updated record state for the finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The ARN of the solution that generated a related finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The solution-generated identifier for a related finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The text of a note.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The timestamp of when the note was updated.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The principal that created a note.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
A keyword for a finding.
A keyword filter for querying findings.
A value for the keyword.
The updated note for the finding.
The updated note text.
The principal that updated the note.
dict
Response Syntax
{}
Response Structure
Updates the AWS Security Hub insight specified by the insight ARN.
See also: AWS API Documentation
Request Syntax
response = client.update_insight(
InsightArn='string',
Name='string',
Filters={
'ProductArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'AwsAccountId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'Id': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'GeneratorId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'Type': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'FirstObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'LastObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'CreatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'UpdatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'SeverityProduct': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'SeverityNormalized': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'SeverityLabel': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'Confidence': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'Criticality': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'Title': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'Description': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'RecommendationText': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'SourceUrl': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ProductFields': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'CONTAINS'
},
],
'ProductName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'CompanyName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'UserDefinedFields': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'CONTAINS'
},
],
'MalwareName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'MalwareType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'MalwarePath': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'MalwareState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'NetworkDirection': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'NetworkProtocol': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'NetworkSourceIpV4': [
{
'Cidr': 'string'
},
],
'NetworkSourceIpV6': [
{
'Cidr': 'string'
},
],
'NetworkSourcePort': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'NetworkSourceDomain': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'NetworkSourceMac': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'NetworkDestinationIpV4': [
{
'Cidr': 'string'
},
],
'NetworkDestinationIpV6': [
{
'Cidr': 'string'
},
],
'NetworkDestinationPort': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'NetworkDestinationDomain': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ProcessName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ProcessPath': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ProcessPid': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'ProcessParentPid': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'ProcessLaunchedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ProcessTerminatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ThreatIntelIndicatorType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ThreatIntelIndicatorValue': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ThreatIntelIndicatorCategory': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ThreatIntelIndicatorLastObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ThreatIntelIndicatorSource': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ThreatIntelIndicatorSourceUrl': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourcePartition': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceRegion': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceTags': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'CONTAINS'
},
],
'ResourceAwsEc2InstanceType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceImageId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceIpV4Addresses': [
{
'Cidr': 'string'
},
],
'ResourceAwsEc2InstanceIpV6Addresses': [
{
'Cidr': 'string'
},
],
'ResourceAwsEc2InstanceKeyName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceIamInstanceProfileArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceVpcId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceSubnetId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceLaunchedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ResourceAwsS3BucketOwnerId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceAwsS3BucketOwnerName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceAwsIamAccessKeyUserName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceAwsIamAccessKeyStatus': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceAwsIamAccessKeyCreatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ResourceContainerName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceContainerImageId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceContainerImageName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceContainerLaunchedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ResourceDetailsOther': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'CONTAINS'
},
],
'ComplianceStatus': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'VerificationState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'WorkflowState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'RecordState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'RelatedFindingsProductArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'RelatedFindingsId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'NoteText': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'NoteUpdatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'NoteUpdatedBy': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'Keyword': [
{
'Value': 'string'
},
]
},
GroupByAttribute='string'
)
[REQUIRED]
The ARN of the insight that you want to update.
The updated filters that define this insight.
The ARN generated by Security Hub that uniquely identifies a third-party company (security findings provider) once this provider's product (solution that generates findings) is registered with Security Hub.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The AWS account ID in which a finding is generated.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The security findings provider-specific identifier for a finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
This is the identifier for the solution-specific component (a discrete unit of logic) that generated a finding. In various security findings provider's solutions, this generator can be called a rule, a check, a detector, a plug-in, etc.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
A finding type in the format of 'namespace/category/classifier' that classifies a finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
An ISO8601-formatted timestamp that indicates when the potential security issue captured by a finding was first observed by the security findings provider.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
An ISO8601-formatted timestamp that indicates when the potential security issue captured by a finding was most recently observed by the security findings provider.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
An ISO8601-formatted timestamp that indicates when the potential security issue captured by a finding was created by the security findings provider.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
An ISO8601-formatted timestamp that indicates when the finding record was last updated by the security findings provider.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The native severity as defined by the security findings provider's solution that generated the finding.
A number filter for querying findings.
Represents the "greater than equal" condition to be applied to a single field when querying for findings.
Represents the "less than equal" condition to be applied to a single field when querying for findings.
Represents the "equal to" condition to be applied to a single field when querying for findings.
The normalized severity of a finding.
A number filter for querying findings.
Represents the "greater than equal" condition to be applied to a single field when querying for findings.
Represents the "less than equal" condition to be applied to a single field when querying for findings.
Represents the "equal to" condition to be applied to a single field when querying for findings.
The label of a finding's severity.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
A finding's confidence. Confidence is defined as the likelihood that a finding accurately identifies the behavior or issue that it was intended to identify. Confidence is scored on a 0-100 basis using a ratio scale. 0 equates zero percent confidence and 100 equates to 100 percent confidence.
A number filter for querying findings.
Represents the "greater than equal" condition to be applied to a single field when querying for findings.
Represents the "less than equal" condition to be applied to a single field when querying for findings.
Represents the "equal to" condition to be applied to a single field when querying for findings.
The level of importance assigned to the resources associated with the finding. A score of 0 means the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources.
A number filter for querying findings.
Represents the "greater than equal" condition to be applied to a single field when querying for findings.
Represents the "less than equal" condition to be applied to a single field when querying for findings.
Represents the "equal to" condition to be applied to a single field when querying for findings.
A finding's title.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
A finding's description.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The recommendation of what to do about the issue described in a finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
A URL that links to a page about the current finding in the security findings provider's solution.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
A data type where security findings providers can include additional solution-specific details that are not part of the defined AwsSecurityFinding format.
The map filter for querying findings.
The key of the map filter.
The value for the key in the map filter.
Represents the condition to be applied to a key value when querying for findings with a map filter.
The name of the solution (product) that generates findings.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The name of the findings provider (company) that owns the solution (product) that generates findings.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
A list of name/value string pairs associated with the finding. These are custom, user-defined fields added to a finding.
The map filter for querying findings.
The key of the map filter.
The value for the key in the map filter.
Represents the condition to be applied to a key value when querying for findings with a map filter.
The name of the malware that was observed.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The type of the malware that was observed.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The filesystem path of the malware that was observed.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The state of the malware that was observed.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
Indicates the direction of network traffic associated with a finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The protocol of network-related information about a finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The source IPv4 address of network-related information about a finding.
The IP filter for querying findings.>
Finding's CIDR value.
The source IPv6 address of network-related information about a finding.
The IP filter for querying findings.>
Finding's CIDR value.
The source port of network-related information about a finding.
A number filter for querying findings.
Represents the "greater than equal" condition to be applied to a single field when querying for findings.
Represents the "less than equal" condition to be applied to a single field when querying for findings.
Represents the "equal to" condition to be applied to a single field when querying for findings.
The source domain of network-related information about a finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The source media access control (MAC) address of network-related information about a finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The destination IPv4 address of network-related information about a finding.
The IP filter for querying findings.>
Finding's CIDR value.
The destination IPv6 address of network-related information about a finding.
The IP filter for querying findings.>
Finding's CIDR value.
The destination port of network-related information about a finding.
A number filter for querying findings.
Represents the "greater than equal" condition to be applied to a single field when querying for findings.
Represents the "less than equal" condition to be applied to a single field when querying for findings.
Represents the "equal to" condition to be applied to a single field when querying for findings.
The destination domain of network-related information about a finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The name of the process.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The path to the process executable.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The process ID.
A number filter for querying findings.
Represents the "greater than equal" condition to be applied to a single field when querying for findings.
Represents the "less than equal" condition to be applied to a single field when querying for findings.
Represents the "equal to" condition to be applied to a single field when querying for findings.
The parent process ID.
A number filter for querying findings.
Represents the "greater than equal" condition to be applied to a single field when querying for findings.
Represents the "less than equal" condition to be applied to a single field when querying for findings.
Represents the "equal to" condition to be applied to a single field when querying for findings.
The date/time that the process was launched.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The date/time that the process was terminated.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The type of a threat intel indicator.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The value of a threat intel indicator.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The category of a threat intel indicator.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The date/time of the last observation of a threat intel indicator.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The source of the threat intel.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The URL for more details from the source of the threat intel.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
Specifies the type of the resource for which details are provided.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The canonical identifier for the given resource type.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The canonical AWS partition name to which the region is assigned.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The canonical AWS external region name where this resource is located.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
A list of AWS tags associated with a resource at the time the finding was processed.
The map filter for querying findings.
The key of the map filter.
The value for the key in the map filter.
Represents the condition to be applied to a key value when querying for findings with a map filter.
The instance type of the instance.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The Amazon Machine Image (AMI) ID of the instance.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The IPv4 addresses associated with the instance.
The IP filter for querying findings.>
Finding's CIDR value.
The IPv6 addresses associated with the instance.
The IP filter for querying findings.>
Finding's CIDR value.
The key name associated with the instance.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The IAM profile ARN of the instance.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The identifier of the VPC in which the instance was launched.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The identifier of the subnet in which the instance was launched.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The date/time the instance was launched.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The canonical user ID of the owner of the S3 bucket.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The display name of the owner of the S3 bucket.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The user associated with the IAM access key related to a finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The status of the IAM access key related to a finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The creation date/time of the IAM access key related to a finding.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The name of the container related to a finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The identifier of the image related to a finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The name of the image related to a finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The date/time that the container was started.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The details of a resource that does not have a specific sub-field for the resource type defined.
The map filter for querying findings.
The key of the map filter.
The value for the key in the map filter.
Represents the condition to be applied to a key value when querying for findings with a map filter.
Exclusive to findings that are generated as the result of a check run against a specific rule in a supported standard (for example, AWS CIS Foundations). Contains compliance-related finding details.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
Indicates the veracity of a finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The workflow state of a finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The updated record state for the finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The ARN of the solution that generated a related finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The solution-generated identifier for a related finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The text of a note.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The timestamp of when the note was updated.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The principal that created a note.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
A keyword for a finding.
A keyword filter for querying findings.
A value for the keyword.
dict
Response Syntax
{}
Response Structure
The available paginators are:
paginator = client.get_paginator('get_enabled_standards')
Creates an iterator that will paginate through responses from SecurityHub.Client.get_enabled_standards().
See also: AWS API Documentation
Request Syntax
response_iterator = paginator.paginate(
StandardsSubscriptionArns=[
'string',
],
PaginationConfig={
'MaxItems': 123,
'PageSize': 123,
'StartingToken': 'string'
}
)
The list of standards subscription ARNS that you want to list and describe.
A dictionary that provides parameters to control pagination.
The total number of items to return. If the total number of items available is more than the value specified in max-items then a NextToken will be provided in the output that you can use to resume pagination.
The size of each page.
A token to specify where to start paginating. This is the NextToken from a previous response.
dict
Response Syntax
{
'StandardsSubscriptions': [
{
'StandardsSubscriptionArn': 'string',
'StandardsArn': 'string',
'StandardsInput': {
'string': 'string'
},
'StandardsStatus': 'PENDING'|'READY'|'FAILED'|'DELETING'
},
],
}
Response Structure
(dict) --
StandardsSubscriptions (list) --
The standards subscription details returned by the operation.
(dict) --
A resource that represents your subscription to a supported standard.
StandardsSubscriptionArn (string) --
The ARN of a resource that represents your subscription to a supported standard.
StandardsArn (string) --
The ARN of a standard.
StandardsInput (dict) --
StandardsStatus (string) --
The standard's status.
paginator = client.get_paginator('get_findings')
Creates an iterator that will paginate through responses from SecurityHub.Client.get_findings().
See also: AWS API Documentation
Request Syntax
response_iterator = paginator.paginate(
Filters={
'ProductArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'AwsAccountId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'Id': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'GeneratorId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'Type': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'FirstObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'LastObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'CreatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'UpdatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'SeverityProduct': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'SeverityNormalized': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'SeverityLabel': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'Confidence': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'Criticality': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'Title': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'Description': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'RecommendationText': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'SourceUrl': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ProductFields': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'CONTAINS'
},
],
'ProductName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'CompanyName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'UserDefinedFields': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'CONTAINS'
},
],
'MalwareName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'MalwareType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'MalwarePath': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'MalwareState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'NetworkDirection': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'NetworkProtocol': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'NetworkSourceIpV4': [
{
'Cidr': 'string'
},
],
'NetworkSourceIpV6': [
{
'Cidr': 'string'
},
],
'NetworkSourcePort': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'NetworkSourceDomain': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'NetworkSourceMac': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'NetworkDestinationIpV4': [
{
'Cidr': 'string'
},
],
'NetworkDestinationIpV6': [
{
'Cidr': 'string'
},
],
'NetworkDestinationPort': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'NetworkDestinationDomain': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ProcessName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ProcessPath': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ProcessPid': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'ProcessParentPid': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'ProcessLaunchedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ProcessTerminatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ThreatIntelIndicatorType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ThreatIntelIndicatorValue': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ThreatIntelIndicatorCategory': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ThreatIntelIndicatorLastObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ThreatIntelIndicatorSource': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ThreatIntelIndicatorSourceUrl': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourcePartition': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceRegion': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceTags': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'CONTAINS'
},
],
'ResourceAwsEc2InstanceType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceImageId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceIpV4Addresses': [
{
'Cidr': 'string'
},
],
'ResourceAwsEc2InstanceIpV6Addresses': [
{
'Cidr': 'string'
},
],
'ResourceAwsEc2InstanceKeyName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceIamInstanceProfileArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceVpcId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceSubnetId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceLaunchedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ResourceAwsS3BucketOwnerId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceAwsS3BucketOwnerName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceAwsIamAccessKeyUserName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceAwsIamAccessKeyStatus': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceAwsIamAccessKeyCreatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ResourceContainerName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceContainerImageId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceContainerImageName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceContainerLaunchedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ResourceDetailsOther': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'CONTAINS'
},
],
'ComplianceStatus': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'VerificationState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'WorkflowState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'RecordState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'RelatedFindingsProductArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'RelatedFindingsId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'NoteText': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'NoteUpdatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'NoteUpdatedBy': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'Keyword': [
{
'Value': 'string'
},
]
},
SortCriteria=[
{
'Field': 'string',
'SortOrder': 'asc'|'desc'
},
],
PaginationConfig={
'MaxItems': 123,
'PageSize': 123,
'StartingToken': 'string'
}
)
A collection of attributes that is use for querying findings.
The ARN generated by Security Hub that uniquely identifies a third-party company (security findings provider) once this provider's product (solution that generates findings) is registered with Security Hub.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The AWS account ID in which a finding is generated.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The security findings provider-specific identifier for a finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
This is the identifier for the solution-specific component (a discrete unit of logic) that generated a finding. In various security findings provider's solutions, this generator can be called a rule, a check, a detector, a plug-in, etc.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
A finding type in the format of 'namespace/category/classifier' that classifies a finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
An ISO8601-formatted timestamp that indicates when the potential security issue captured by a finding was first observed by the security findings provider.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
An ISO8601-formatted timestamp that indicates when the potential security issue captured by a finding was most recently observed by the security findings provider.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
An ISO8601-formatted timestamp that indicates when the potential security issue captured by a finding was created by the security findings provider.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
An ISO8601-formatted timestamp that indicates when the finding record was last updated by the security findings provider.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The native severity as defined by the security findings provider's solution that generated the finding.
A number filter for querying findings.
Represents the "greater than equal" condition to be applied to a single field when querying for findings.
Represents the "less than equal" condition to be applied to a single field when querying for findings.
Represents the "equal to" condition to be applied to a single field when querying for findings.
The normalized severity of a finding.
A number filter for querying findings.
Represents the "greater than equal" condition to be applied to a single field when querying for findings.
Represents the "less than equal" condition to be applied to a single field when querying for findings.
Represents the "equal to" condition to be applied to a single field when querying for findings.
The label of a finding's severity.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
A finding's confidence. Confidence is defined as the likelihood that a finding accurately identifies the behavior or issue that it was intended to identify. Confidence is scored on a 0-100 basis using a ratio scale. 0 equates zero percent confidence and 100 equates to 100 percent confidence.
A number filter for querying findings.
Represents the "greater than equal" condition to be applied to a single field when querying for findings.
Represents the "less than equal" condition to be applied to a single field when querying for findings.
Represents the "equal to" condition to be applied to a single field when querying for findings.
The level of importance assigned to the resources associated with the finding. A score of 0 means the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources.
A number filter for querying findings.
Represents the "greater than equal" condition to be applied to a single field when querying for findings.
Represents the "less than equal" condition to be applied to a single field when querying for findings.
Represents the "equal to" condition to be applied to a single field when querying for findings.
A finding's title.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
A finding's description.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The recommendation of what to do about the issue described in a finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
A URL that links to a page about the current finding in the security findings provider's solution.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
A data type where security findings providers can include additional solution-specific details that are not part of the defined AwsSecurityFinding format.
The map filter for querying findings.
The key of the map filter.
The value for the key in the map filter.
Represents the condition to be applied to a key value when querying for findings with a map filter.
The name of the solution (product) that generates findings.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The name of the findings provider (company) that owns the solution (product) that generates findings.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
A list of name/value string pairs associated with the finding. These are custom, user-defined fields added to a finding.
The map filter for querying findings.
The key of the map filter.
The value for the key in the map filter.
Represents the condition to be applied to a key value when querying for findings with a map filter.
The name of the malware that was observed.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The type of the malware that was observed.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The filesystem path of the malware that was observed.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The state of the malware that was observed.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
Indicates the direction of network traffic associated with a finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The protocol of network-related information about a finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The source IPv4 address of network-related information about a finding.
The IP filter for querying findings.>
Finding's CIDR value.
The source IPv6 address of network-related information about a finding.
The IP filter for querying findings.>
Finding's CIDR value.
The source port of network-related information about a finding.
A number filter for querying findings.
Represents the "greater than equal" condition to be applied to a single field when querying for findings.
Represents the "less than equal" condition to be applied to a single field when querying for findings.
Represents the "equal to" condition to be applied to a single field when querying for findings.
The source domain of network-related information about a finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The source media access control (MAC) address of network-related information about a finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The destination IPv4 address of network-related information about a finding.
The IP filter for querying findings.>
Finding's CIDR value.
The destination IPv6 address of network-related information about a finding.
The IP filter for querying findings.>
Finding's CIDR value.
The destination port of network-related information about a finding.
A number filter for querying findings.
Represents the "greater than equal" condition to be applied to a single field when querying for findings.
Represents the "less than equal" condition to be applied to a single field when querying for findings.
Represents the "equal to" condition to be applied to a single field when querying for findings.
The destination domain of network-related information about a finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The name of the process.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The path to the process executable.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The process ID.
A number filter for querying findings.
Represents the "greater than equal" condition to be applied to a single field when querying for findings.
Represents the "less than equal" condition to be applied to a single field when querying for findings.
Represents the "equal to" condition to be applied to a single field when querying for findings.
The parent process ID.
A number filter for querying findings.
Represents the "greater than equal" condition to be applied to a single field when querying for findings.
Represents the "less than equal" condition to be applied to a single field when querying for findings.
Represents the "equal to" condition to be applied to a single field when querying for findings.
The date/time that the process was launched.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The date/time that the process was terminated.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The type of a threat intel indicator.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The value of a threat intel indicator.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The category of a threat intel indicator.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The date/time of the last observation of a threat intel indicator.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The source of the threat intel.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The URL for more details from the source of the threat intel.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
Specifies the type of the resource for which details are provided.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The canonical identifier for the given resource type.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The canonical AWS partition name to which the region is assigned.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The canonical AWS external region name where this resource is located.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
A list of AWS tags associated with a resource at the time the finding was processed.
The map filter for querying findings.
The key of the map filter.
The value for the key in the map filter.
Represents the condition to be applied to a key value when querying for findings with a map filter.
The instance type of the instance.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The Amazon Machine Image (AMI) ID of the instance.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The IPv4 addresses associated with the instance.
The IP filter for querying findings.>
Finding's CIDR value.
The IPv6 addresses associated with the instance.
The IP filter for querying findings.>
Finding's CIDR value.
The key name associated with the instance.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The IAM profile ARN of the instance.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The identifier of the VPC in which the instance was launched.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The identifier of the subnet in which the instance was launched.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The date/time the instance was launched.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The canonical user ID of the owner of the S3 bucket.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The display name of the owner of the S3 bucket.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The user associated with the IAM access key related to a finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The status of the IAM access key related to a finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The creation date/time of the IAM access key related to a finding.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The name of the container related to a finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The identifier of the image related to a finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The name of the image related to a finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The date/time that the container was started.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The details of a resource that does not have a specific sub-field for the resource type defined.
The map filter for querying findings.
The key of the map filter.
The value for the key in the map filter.
Represents the condition to be applied to a key value when querying for findings with a map filter.
Exclusive to findings that are generated as the result of a check run against a specific rule in a supported standard (for example, AWS CIS Foundations). Contains compliance-related finding details.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
Indicates the veracity of a finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The workflow state of a finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The updated record state for the finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The ARN of the solution that generated a related finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The solution-generated identifier for a related finding.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The text of a note.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
The timestamp of when the note was updated.
A date filter for querying findings.
A start date for the date filter.
An end date for the date filter.
A date range for the date filter.
A date range value for the date filter.
A date range unit for the date filter.
The principal that created a note.
A string filter for querying findings.
The string filter value.
Represents the condition to be applied to a string value when querying for findings.
A keyword for a finding.
A keyword filter for querying findings.
A value for the keyword.
A collection of attributes used for sorting findings.
A collection of attributes used for sorting findings.
The finding attribute used for sorting findings.
The order used for sorting findings.
A dictionary that provides parameters to control pagination.
The total number of items to return. If the total number of items available is more than the value specified in max-items then a NextToken will be provided in the output that you can use to resume pagination.
The size of each page.
A token to specify where to start paginating. This is the NextToken from a previous response.
dict
Response Syntax
{
'Findings': [
{
'SchemaVersion': 'string',
'Id': 'string',
'ProductArn': 'string',
'GeneratorId': 'string',
'AwsAccountId': 'string',
'Types': [
'string',
],
'FirstObservedAt': 'string',
'LastObservedAt': 'string',
'CreatedAt': 'string',
'UpdatedAt': 'string',
'Severity': {
'Product': 123.0,
'Normalized': 123
},
'Confidence': 123,
'Criticality': 123,
'Title': 'string',
'Description': 'string',
'Remediation': {
'Recommendation': {
'Text': 'string',
'Url': 'string'
}
},
'SourceUrl': 'string',
'ProductFields': {
'string': 'string'
},
'UserDefinedFields': {
'string': 'string'
},
'Malware': [
{
'Name': 'string',
'Type': 'ADWARE'|'BLENDED_THREAT'|'BOTNET_AGENT'|'COIN_MINER'|'EXPLOIT_KIT'|'KEYLOGGER'|'MACRO'|'POTENTIALLY_UNWANTED'|'SPYWARE'|'RANSOMWARE'|'REMOTE_ACCESS'|'ROOTKIT'|'TROJAN'|'VIRUS'|'WORM',
'Path': 'string',
'State': 'OBSERVED'|'REMOVAL_FAILED'|'REMOVED'
},
],
'Network': {
'Direction': 'IN'|'OUT',
'Protocol': 'string',
'SourceIpV4': 'string',
'SourceIpV6': 'string',
'SourcePort': 123,
'SourceDomain': 'string',
'SourceMac': 'string',
'DestinationIpV4': 'string',
'DestinationIpV6': 'string',
'DestinationPort': 123,
'DestinationDomain': 'string'
},
'Process': {
'Name': 'string',
'Path': 'string',
'Pid': 123,
'ParentPid': 123,
'LaunchedAt': 'string',
'TerminatedAt': 'string'
},
'ThreatIntelIndicators': [
{
'Type': 'DOMAIN'|'EMAIL_ADDRESS'|'HASH_MD5'|'HASH_SHA1'|'HASH_SHA256'|'HASH_SHA512'|'IPV4_ADDRESS'|'IPV6_ADDRESS'|'MUTEX'|'PROCESS'|'URL',
'Value': 'string',
'Category': 'BACKDOOR'|'CARD_STEALER'|'COMMAND_AND_CONTROL'|'DROP_SITE'|'EXPLOIT_SITE'|'KEYLOGGER',
'LastObservedAt': 'string',
'Source': 'string',
'SourceUrl': 'string'
},
],
'Resources': [
{
'Type': 'string',
'Id': 'string',
'Partition': 'aws'|'aws-cn'|'aws-us-gov',
'Region': 'string',
'Tags': {
'string': 'string'
},
'Details': {
'AwsEc2Instance': {
'Type': 'string',
'ImageId': 'string',
'IpV4Addresses': [
'string',
],
'IpV6Addresses': [
'string',
],
'KeyName': 'string',
'IamInstanceProfileArn': 'string',
'VpcId': 'string',
'SubnetId': 'string',
'LaunchedAt': 'string'
},
'AwsS3Bucket': {
'OwnerId': 'string',
'OwnerName': 'string'
},
'AwsIamAccessKey': {
'UserName': 'string',
'Status': 'Active'|'Inactive',
'CreatedAt': 'string'
},
'Container': {
'Name': 'string',
'ImageId': 'string',
'ImageName': 'string',
'LaunchedAt': 'string'
},
'Other': {
'string': 'string'
}
}
},
],
'Compliance': {
'Status': 'PASSED'|'WARNING'|'FAILED'|'NOT_AVAILABLE'
},
'VerificationState': 'UNKNOWN'|'TRUE_POSITIVE'|'FALSE_POSITIVE'|'BENIGN_POSITIVE',
'WorkflowState': 'NEW'|'ASSIGNED'|'IN_PROGRESS'|'DEFERRED'|'RESOLVED',
'RecordState': 'ACTIVE'|'ARCHIVED',
'RelatedFindings': [
{
'ProductArn': 'string',
'Id': 'string'
},
],
'Note': {
'Text': 'string',
'UpdatedBy': 'string',
'UpdatedAt': 'string'
}
},
],
}
Response Structure
(dict) --
Findings (list) --
Findings details returned by the operation.
(dict) --
Provides consistent format for the contents of the Security Hub-aggregated findings. AwsSecurityFinding format enables you to share findings between AWS security services and third-party solutions, and compliance checks.
Note
A finding is a potential security issue generated either by AWS services (GuardDuty, Inspector, Macie) or by the integrated third-party solutions and compliance checks.
SchemaVersion (string) --
The schema version for which a finding is formatted.
Id (string) --
The security findings provider-specific identifier for a finding.
ProductArn (string) --
The ARN generated by Security Hub that uniquely identifies a third-party company (security findings provider) once this provider's product (solution that generates findings) is registered with Security Hub.
GeneratorId (string) --
This is the identifier for the solution-specific component (a discrete unit of logic) that generated a finding. In various security findings provider's solutions, this generator can be called a rule, a check, a detector, a plug-in, etc.
AwsAccountId (string) --
The AWS account ID in which a finding is generated.
Types (list) --
One or more finding types in the format of 'namespace/category/classifier' that classify a finding.
Valid namespace values are: Software and Configuration Checks | TTPs | Effects | Unusual Behaviors | Sensitive Data Identifications
FirstObservedAt (string) --
An ISO8601-formatted timestamp that indicates when the potential security issue captured by a finding was first observed by the security findings provider.
LastObservedAt (string) --
An ISO8601-formatted timestamp that indicates when the potential security issue captured by a finding was most recently observed by the security findings provider.
CreatedAt (string) --
An ISO8601-formatted timestamp that indicates when the potential security issue captured by a finding was created by the security findings provider.
UpdatedAt (string) --
An ISO8601-formatted timestamp that indicates when the finding record was last updated by the security findings provider.
Severity (dict) --
A finding's severity.
Product (float) --
The native severity as defined by the security findings provider's solution that generated the finding.
Normalized (integer) --
The normalized severity of a finding.
Confidence (integer) --
A finding's confidence. Confidence is defined as the likelihood that a finding accurately identifies the behavior or issue that it was intended to identify. Confidence is scored on a 0-100 basis using a ratio scale. 0 equates zero percent confidence and 100 equates to 100 percent confidence.
Criticality (integer) --
The level of importance assigned to the resources associated with the finding. A score of 0 means the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources.
Title (string) --
A finding's title.
Description (string) --
A finding's description.
Remediation (dict) --
An data type that describes the remediation options for a finding.
Recommendation (dict) --
Provides a recommendation on how to remediate the issue identified within a finding.
Text (string) --
The recommendation of what to do about the issue described in a finding.
Url (string) --
A URL to link to general remediation information for the finding type of a finding.
SourceUrl (string) --
A URL that links to a page about the current finding in the security findings provider's solution.
ProductFields (dict) --
A data type where security findings providers can include additional solution-specific details that are not part of the defined AwsSecurityFinding format.
UserDefinedFields (dict) --
A list of name/value string pairs associated with the finding. These are custom, user-defined fields added to a finding.
Malware (list) --
A list of malware related to a finding.
(dict) --
A list of malware related to a finding.
Name (string) --
The name of the malware that was observed.
Type (string) --
The type of the malware that was observed.
Path (string) --
The filesystem path of the malware that was observed.
State (string) --
The state of the malware that was observed.
Network (dict) --
The details of network-related information about a finding.
Direction (string) --
Indicates the direction of network traffic associated with a finding.
Protocol (string) --
The protocol of network-related information about a finding.
SourceIpV4 (string) --
The source IPv4 address of network-related information about a finding.
SourceIpV6 (string) --
The source IPv6 address of network-related information about a finding.
SourcePort (integer) --
The source port of network-related information about a finding.
SourceDomain (string) --
The source domain of network-related information about a finding.
SourceMac (string) --
The source media access control (MAC) address of network-related information about a finding.
DestinationIpV4 (string) --
The destination IPv4 address of network-related information about a finding.
DestinationIpV6 (string) --
The destination IPv6 address of network-related information about a finding.
DestinationPort (integer) --
The destination port of network-related information about a finding.
DestinationDomain (string) --
The destination domain of network-related information about a finding.
Process (dict) --
The details of process-related information about a finding.
Name (string) --
The name of the process.
Path (string) --
The path to the process executable.
Pid (integer) --
The process ID.
ParentPid (integer) --
The parent process ID.
LaunchedAt (string) --
The date/time that the process was launched.
TerminatedAt (string) --
The date/time that the process was terminated.
ThreatIntelIndicators (list) --
Threat intel details related to a finding.
(dict) --
Threat intel details related to a finding.
Type (string) --
The type of a threat intel indicator.
Value (string) --
The value of a threat intel indicator.
Category (string) --
The category of a threat intel indicator.
LastObservedAt (string) --
The date/time of the last observation of a threat intel indicator.
Source (string) --
The source of the threat intel.
SourceUrl (string) --
The URL for more details from the source of the threat intel.
Resources (list) --
A set of resource data types that describe the resources to which the finding refers.
(dict) --
A resource data type that describes a resource to which the finding refers.
Type (string) --
Specifies the type of the resource for which details are provided.
Id (string) --
The canonical identifier for the given resource type.
Partition (string) --
The canonical AWS partition name to which the region is assigned.
Region (string) --
The canonical AWS external region name where this resource is located.
Tags (dict) --
A list of AWS tags associated with a resource at the time the finding was processed.
Details (dict) --
Provides additional details about the resource.
AwsEc2Instance (dict) --
The details of an AWS EC2 instance.
Type (string) --
The instance type of the instance.
ImageId (string) --
The Amazon Machine Image (AMI) ID of the instance.
IpV4Addresses (list) --
The IPv4 addresses associated with the instance.
IpV6Addresses (list) --
The IPv6 addresses associated with the instance.
KeyName (string) --
The key name associated with the instance.
IamInstanceProfileArn (string) --
The IAM profile ARN of the instance.
VpcId (string) --
The identifier of the VPC in which the instance was launched.
SubnetId (string) --
The identifier of the subnet in which the instance was launched.
LaunchedAt (string) --
The date/time the instance was launched.
AwsS3Bucket (dict) --
The details of an AWS S3 Bucket.
OwnerId (string) --
The canonical user ID of the owner of the S3 bucket.
OwnerName (string) --
The display name of the owner of the S3 bucket.
AwsIamAccessKey (dict) --
AWS IAM access key details related to a finding.
UserName (string) --
The user associated with the IAM access key related to a finding.
Status (string) --
The status of the IAM access key related to a finding.
CreatedAt (string) --
The creation date/time of the IAM access key related to a finding.
Container (dict) --
Container details related to a finding.
Name (string) --
The name of the container related to a finding.
ImageId (string) --
The identifier of the image related to a finding.
ImageName (string) --
The name of the image related to a finding.
LaunchedAt (string) --
The date/time that the container was started.
Other (dict) --
The details of a resource that does not have a specific sub-field for the resource type defined.
Compliance (dict) --
This data type is exclusive to findings that are generated as the result of a check run against a specific rule in a supported standard (for example, AWS CIS Foundations). Contains compliance-related finding details.
Status (string) --
Indicates the result of a compliance check.
VerificationState (string) --
Indicates the veracity of a finding.
WorkflowState (string) --
The workflow state of a finding.
RecordState (string) --
The record state of a finding.
RelatedFindings (list) --
A list of related findings.
(dict) --
Related finding's details.
ProductArn (string) --
The ARN of the solution that generated a related finding.
Id (string) --
The solution-generated identifier for a related finding.
Note (dict) --
A user-defined note added to a finding.
Text (string) --
The text of a note.
UpdatedBy (string) --
The principal that created a note.
UpdatedAt (string) --
The timestamp of when the note was updated.
paginator = client.get_paginator('get_insights')
Creates an iterator that will paginate through responses from SecurityHub.Client.get_insights().
See also: AWS API Documentation
Request Syntax
response_iterator = paginator.paginate(
InsightArns=[
'string',
],
PaginationConfig={
'MaxItems': 123,
'PageSize': 123,
'StartingToken': 'string'
}
)
The ARNS of the insights that you want to describe.
A dictionary that provides parameters to control pagination.
The total number of items to return. If the total number of items available is more than the value specified in max-items then a NextToken will be provided in the output that you can use to resume pagination.
The size of each page.
A token to specify where to start paginating. This is the NextToken from a previous response.
dict
Response Syntax
{
'Insights': [
{
'InsightArn': 'string',
'Name': 'string',
'Filters': {
'ProductArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'AwsAccountId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'Id': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'GeneratorId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'Type': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'FirstObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'LastObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'CreatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'UpdatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'SeverityProduct': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'SeverityNormalized': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'SeverityLabel': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'Confidence': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'Criticality': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'Title': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'Description': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'RecommendationText': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'SourceUrl': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ProductFields': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'CONTAINS'
},
],
'ProductName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'CompanyName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'UserDefinedFields': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'CONTAINS'
},
],
'MalwareName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'MalwareType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'MalwarePath': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'MalwareState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'NetworkDirection': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'NetworkProtocol': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'NetworkSourceIpV4': [
{
'Cidr': 'string'
},
],
'NetworkSourceIpV6': [
{
'Cidr': 'string'
},
],
'NetworkSourcePort': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'NetworkSourceDomain': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'NetworkSourceMac': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'NetworkDestinationIpV4': [
{
'Cidr': 'string'
},
],
'NetworkDestinationIpV6': [
{
'Cidr': 'string'
},
],
'NetworkDestinationPort': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'NetworkDestinationDomain': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ProcessName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ProcessPath': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ProcessPid': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'ProcessParentPid': [
{
'Gte': 123.0,
'Lte': 123.0,
'Eq': 123.0
},
],
'ProcessLaunchedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ProcessTerminatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ThreatIntelIndicatorType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ThreatIntelIndicatorValue': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ThreatIntelIndicatorCategory': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ThreatIntelIndicatorLastObservedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ThreatIntelIndicatorSource': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ThreatIntelIndicatorSourceUrl': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourcePartition': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceRegion': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceTags': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'CONTAINS'
},
],
'ResourceAwsEc2InstanceType': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceImageId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceIpV4Addresses': [
{
'Cidr': 'string'
},
],
'ResourceAwsEc2InstanceIpV6Addresses': [
{
'Cidr': 'string'
},
],
'ResourceAwsEc2InstanceKeyName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceIamInstanceProfileArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceVpcId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceSubnetId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceAwsEc2InstanceLaunchedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ResourceAwsS3BucketOwnerId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceAwsS3BucketOwnerName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceAwsIamAccessKeyUserName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceAwsIamAccessKeyStatus': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceAwsIamAccessKeyCreatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ResourceContainerName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceContainerImageId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceContainerImageName': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'ResourceContainerLaunchedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'ResourceDetailsOther': [
{
'Key': 'string',
'Value': 'string',
'Comparison': 'CONTAINS'
},
],
'ComplianceStatus': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'VerificationState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'WorkflowState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'RecordState': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'RelatedFindingsProductArn': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'RelatedFindingsId': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'NoteText': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'NoteUpdatedAt': [
{
'Start': 'string',
'End': 'string',
'DateRange': {
'Value': 123,
'Unit': 'DAYS'
}
},
],
'NoteUpdatedBy': [
{
'Value': 'string',
'Comparison': 'EQUALS'|'CONTAINS'|'PREFIX'
},
],
'Keyword': [
{
'Value': 'string'
},
]
},
'GroupByAttribute': 'string'
},
],
}
Response Structure
(dict) --
Insights (list) --
The insights returned by the operation.
(dict) --
Contains information about a Security Hub insight.
InsightArn (string) --
The ARN of a Security Hub insight.
Name (string) --
The name of a Security Hub insight.
Filters (dict) --
A collection of attributes that are applied to all active Security Hub-aggregated findings and that result in a subset of findings that are included in this insight.
ProductArn (list) --
The ARN generated by Security Hub that uniquely identifies a third-party company (security findings provider) once this provider's product (solution that generates findings) is registered with Security Hub.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
AwsAccountId (list) --
The AWS account ID in which a finding is generated.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
Id (list) --
The security findings provider-specific identifier for a finding.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
GeneratorId (list) --
This is the identifier for the solution-specific component (a discrete unit of logic) that generated a finding. In various security findings provider's solutions, this generator can be called a rule, a check, a detector, a plug-in, etc.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
Type (list) --
A finding type in the format of 'namespace/category/classifier' that classifies a finding.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
FirstObservedAt (list) --
An ISO8601-formatted timestamp that indicates when the potential security issue captured by a finding was first observed by the security findings provider.
(dict) --
A date filter for querying findings.
Start (string) --
A start date for the date filter.
End (string) --
An end date for the date filter.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
LastObservedAt (list) --
An ISO8601-formatted timestamp that indicates when the potential security issue captured by a finding was most recently observed by the security findings provider.
(dict) --
A date filter for querying findings.
Start (string) --
A start date for the date filter.
End (string) --
An end date for the date filter.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
CreatedAt (list) --
An ISO8601-formatted timestamp that indicates when the potential security issue captured by a finding was created by the security findings provider.
(dict) --
A date filter for querying findings.
Start (string) --
A start date for the date filter.
End (string) --
An end date for the date filter.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
UpdatedAt (list) --
An ISO8601-formatted timestamp that indicates when the finding record was last updated by the security findings provider.
(dict) --
A date filter for querying findings.
Start (string) --
A start date for the date filter.
End (string) --
An end date for the date filter.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
SeverityProduct (list) --
The native severity as defined by the security findings provider's solution that generated the finding.
(dict) --
A number filter for querying findings.
Gte (float) --
Represents the "greater than equal" condition to be applied to a single field when querying for findings.
Lte (float) --
Represents the "less than equal" condition to be applied to a single field when querying for findings.
Eq (float) --
Represents the "equal to" condition to be applied to a single field when querying for findings.
SeverityNormalized (list) --
The normalized severity of a finding.
(dict) --
A number filter for querying findings.
Gte (float) --
Represents the "greater than equal" condition to be applied to a single field when querying for findings.
Lte (float) --
Represents the "less than equal" condition to be applied to a single field when querying for findings.
Eq (float) --
Represents the "equal to" condition to be applied to a single field when querying for findings.
SeverityLabel (list) --
The label of a finding's severity.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
Confidence (list) --
A finding's confidence. Confidence is defined as the likelihood that a finding accurately identifies the behavior or issue that it was intended to identify. Confidence is scored on a 0-100 basis using a ratio scale. 0 equates zero percent confidence and 100 equates to 100 percent confidence.
(dict) --
A number filter for querying findings.
Gte (float) --
Represents the "greater than equal" condition to be applied to a single field when querying for findings.
Lte (float) --
Represents the "less than equal" condition to be applied to a single field when querying for findings.
Eq (float) --
Represents the "equal to" condition to be applied to a single field when querying for findings.
Criticality (list) --
The level of importance assigned to the resources associated with the finding. A score of 0 means the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources.
(dict) --
A number filter for querying findings.
Gte (float) --
Represents the "greater than equal" condition to be applied to a single field when querying for findings.
Lte (float) --
Represents the "less than equal" condition to be applied to a single field when querying for findings.
Eq (float) --
Represents the "equal to" condition to be applied to a single field when querying for findings.
Title (list) --
A finding's title.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
Description (list) --
A finding's description.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
RecommendationText (list) --
The recommendation of what to do about the issue described in a finding.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
SourceUrl (list) --
A URL that links to a page about the current finding in the security findings provider's solution.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
ProductFields (list) --
A data type where security findings providers can include additional solution-specific details that are not part of the defined AwsSecurityFinding format.
(dict) --
The map filter for querying findings.
Key (string) --
The key of the map filter.
Value (string) --
The value for the key in the map filter.
Comparison (string) --
Represents the condition to be applied to a key value when querying for findings with a map filter.
ProductName (list) --
The name of the solution (product) that generates findings.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
CompanyName (list) --
The name of the findings provider (company) that owns the solution (product) that generates findings.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
UserDefinedFields (list) --
A list of name/value string pairs associated with the finding. These are custom, user-defined fields added to a finding.
(dict) --
The map filter for querying findings.
Key (string) --
The key of the map filter.
Value (string) --
The value for the key in the map filter.
Comparison (string) --
Represents the condition to be applied to a key value when querying for findings with a map filter.
MalwareName (list) --
The name of the malware that was observed.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
MalwareType (list) --
The type of the malware that was observed.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
MalwarePath (list) --
The filesystem path of the malware that was observed.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
MalwareState (list) --
The state of the malware that was observed.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
NetworkDirection (list) --
Indicates the direction of network traffic associated with a finding.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
NetworkProtocol (list) --
The protocol of network-related information about a finding.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
NetworkSourceIpV4 (list) --
The source IPv4 address of network-related information about a finding.
(dict) --
The IP filter for querying findings.>
Cidr (string) --
Finding's CIDR value.
NetworkSourceIpV6 (list) --
The source IPv6 address of network-related information about a finding.
(dict) --
The IP filter for querying findings.>
Cidr (string) --
Finding's CIDR value.
NetworkSourcePort (list) --
The source port of network-related information about a finding.
(dict) --
A number filter for querying findings.
Gte (float) --
Represents the "greater than equal" condition to be applied to a single field when querying for findings.
Lte (float) --
Represents the "less than equal" condition to be applied to a single field when querying for findings.
Eq (float) --
Represents the "equal to" condition to be applied to a single field when querying for findings.
NetworkSourceDomain (list) --
The source domain of network-related information about a finding.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
NetworkSourceMac (list) --
The source media access control (MAC) address of network-related information about a finding.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
NetworkDestinationIpV4 (list) --
The destination IPv4 address of network-related information about a finding.
(dict) --
The IP filter for querying findings.>
Cidr (string) --
Finding's CIDR value.
NetworkDestinationIpV6 (list) --
The destination IPv6 address of network-related information about a finding.
(dict) --
The IP filter for querying findings.>
Cidr (string) --
Finding's CIDR value.
NetworkDestinationPort (list) --
The destination port of network-related information about a finding.
(dict) --
A number filter for querying findings.
Gte (float) --
Represents the "greater than equal" condition to be applied to a single field when querying for findings.
Lte (float) --
Represents the "less than equal" condition to be applied to a single field when querying for findings.
Eq (float) --
Represents the "equal to" condition to be applied to a single field when querying for findings.
NetworkDestinationDomain (list) --
The destination domain of network-related information about a finding.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
ProcessName (list) --
The name of the process.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
ProcessPath (list) --
The path to the process executable.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
ProcessPid (list) --
The process ID.
(dict) --
A number filter for querying findings.
Gte (float) --
Represents the "greater than equal" condition to be applied to a single field when querying for findings.
Lte (float) --
Represents the "less than equal" condition to be applied to a single field when querying for findings.
Eq (float) --
Represents the "equal to" condition to be applied to a single field when querying for findings.
ProcessParentPid (list) --
The parent process ID.
(dict) --
A number filter for querying findings.
Gte (float) --
Represents the "greater than equal" condition to be applied to a single field when querying for findings.
Lte (float) --
Represents the "less than equal" condition to be applied to a single field when querying for findings.
Eq (float) --
Represents the "equal to" condition to be applied to a single field when querying for findings.
ProcessLaunchedAt (list) --
The date/time that the process was launched.
(dict) --
A date filter for querying findings.
Start (string) --
A start date for the date filter.
End (string) --
An end date for the date filter.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
ProcessTerminatedAt (list) --
The date/time that the process was terminated.
(dict) --
A date filter for querying findings.
Start (string) --
A start date for the date filter.
End (string) --
An end date for the date filter.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
ThreatIntelIndicatorType (list) --
The type of a threat intel indicator.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
ThreatIntelIndicatorValue (list) --
The value of a threat intel indicator.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
ThreatIntelIndicatorCategory (list) --
The category of a threat intel indicator.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
ThreatIntelIndicatorLastObservedAt (list) --
The date/time of the last observation of a threat intel indicator.
(dict) --
A date filter for querying findings.
Start (string) --
A start date for the date filter.
End (string) --
An end date for the date filter.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
ThreatIntelIndicatorSource (list) --
The source of the threat intel.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
ThreatIntelIndicatorSourceUrl (list) --
The URL for more details from the source of the threat intel.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
ResourceType (list) --
Specifies the type of the resource for which details are provided.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
ResourceId (list) --
The canonical identifier for the given resource type.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
ResourcePartition (list) --
The canonical AWS partition name to which the region is assigned.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
ResourceRegion (list) --
The canonical AWS external region name where this resource is located.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
ResourceTags (list) --
A list of AWS tags associated with a resource at the time the finding was processed.
(dict) --
The map filter for querying findings.
Key (string) --
The key of the map filter.
Value (string) --
The value for the key in the map filter.
Comparison (string) --
Represents the condition to be applied to a key value when querying for findings with a map filter.
ResourceAwsEc2InstanceType (list) --
The instance type of the instance.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
ResourceAwsEc2InstanceImageId (list) --
The Amazon Machine Image (AMI) ID of the instance.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
ResourceAwsEc2InstanceIpV4Addresses (list) --
The IPv4 addresses associated with the instance.
(dict) --
The IP filter for querying findings.>
Cidr (string) --
Finding's CIDR value.
ResourceAwsEc2InstanceIpV6Addresses (list) --
The IPv6 addresses associated with the instance.
(dict) --
The IP filter for querying findings.>
Cidr (string) --
Finding's CIDR value.
ResourceAwsEc2InstanceKeyName (list) --
The key name associated with the instance.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
ResourceAwsEc2InstanceIamInstanceProfileArn (list) --
The IAM profile ARN of the instance.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
ResourceAwsEc2InstanceVpcId (list) --
The identifier of the VPC in which the instance was launched.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
ResourceAwsEc2InstanceSubnetId (list) --
The identifier of the subnet in which the instance was launched.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
ResourceAwsEc2InstanceLaunchedAt (list) --
The date/time the instance was launched.
(dict) --
A date filter for querying findings.
Start (string) --
A start date for the date filter.
End (string) --
An end date for the date filter.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
ResourceAwsS3BucketOwnerId (list) --
The canonical user ID of the owner of the S3 bucket.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
ResourceAwsS3BucketOwnerName (list) --
The display name of the owner of the S3 bucket.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
ResourceAwsIamAccessKeyUserName (list) --
The user associated with the IAM access key related to a finding.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
ResourceAwsIamAccessKeyStatus (list) --
The status of the IAM access key related to a finding.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
ResourceAwsIamAccessKeyCreatedAt (list) --
The creation date/time of the IAM access key related to a finding.
(dict) --
A date filter for querying findings.
Start (string) --
A start date for the date filter.
End (string) --
An end date for the date filter.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
ResourceContainerName (list) --
The name of the container related to a finding.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
ResourceContainerImageId (list) --
The identifier of the image related to a finding.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
ResourceContainerImageName (list) --
The name of the image related to a finding.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
ResourceContainerLaunchedAt (list) --
The date/time that the container was started.
(dict) --
A date filter for querying findings.
Start (string) --
A start date for the date filter.
End (string) --
An end date for the date filter.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
ResourceDetailsOther (list) --
The details of a resource that does not have a specific sub-field for the resource type defined.
(dict) --
The map filter for querying findings.
Key (string) --
The key of the map filter.
Value (string) --
The value for the key in the map filter.
Comparison (string) --
Represents the condition to be applied to a key value when querying for findings with a map filter.
ComplianceStatus (list) --
Exclusive to findings that are generated as the result of a check run against a specific rule in a supported standard (for example, AWS CIS Foundations). Contains compliance-related finding details.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
VerificationState (list) --
Indicates the veracity of a finding.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
WorkflowState (list) --
The workflow state of a finding.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
RecordState (list) --
The updated record state for the finding.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
RelatedFindingsProductArn (list) --
The ARN of the solution that generated a related finding.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
RelatedFindingsId (list) --
The solution-generated identifier for a related finding.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
NoteText (list) --
The text of a note.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
NoteUpdatedAt (list) --
The timestamp of when the note was updated.
(dict) --
A date filter for querying findings.
Start (string) --
A start date for the date filter.
End (string) --
An end date for the date filter.
DateRange (dict) --
A date range for the date filter.
Value (integer) --
A date range value for the date filter.
Unit (string) --
A date range unit for the date filter.
NoteUpdatedBy (list) --
The principal that created a note.
(dict) --
A string filter for querying findings.
Value (string) --
The string filter value.
Comparison (string) --
Represents the condition to be applied to a string value when querying for findings.
Keyword (list) --
A keyword for a finding.
(dict) --
A keyword filter for querying findings.
Value (string) --
A value for the keyword.
GroupByAttribute (string) --
The attribute by which the insight's findings are grouped. This attribute is used as a findings aggregator for the purposes of viewing and managing multiple related findings under a single operand.
paginator = client.get_paginator('list_enabled_products_for_import')
Creates an iterator that will paginate through responses from SecurityHub.Client.list_enabled_products_for_import().
See also: AWS API Documentation
Request Syntax
response_iterator = paginator.paginate(
PaginationConfig={
'MaxItems': 123,
'PageSize': 123,
'StartingToken': 'string'
}
)
A dictionary that provides parameters to control pagination.
The total number of items to return. If the total number of items available is more than the value specified in max-items then a NextToken will be provided in the output that you can use to resume pagination.
The size of each page.
A token to specify where to start paginating. This is the NextToken from a previous response.
{
'ProductSubscriptions': [
'string',
],
}
Response Structure
A list of ARNs for the resources that represent your subscriptions to products.
paginator = client.get_paginator('list_invitations')
Creates an iterator that will paginate through responses from SecurityHub.Client.list_invitations().
See also: AWS API Documentation
Request Syntax
response_iterator = paginator.paginate(
PaginationConfig={
'MaxItems': 123,
'PageSize': 123,
'StartingToken': 'string'
}
)
A dictionary that provides parameters to control pagination.
The total number of items to return. If the total number of items available is more than the value specified in max-items then a NextToken will be provided in the output that you can use to resume pagination.
The size of each page.
A token to specify where to start paginating. This is the NextToken from a previous response.
{
'Invitations': [
{
'AccountId': 'string',
'InvitationId': 'string',
'InvitedAt': datetime(2015, 1, 1),
'MemberStatus': 'string'
},
],
}
Response Structure
The details of the invitations returned by the operation.
The details of an invitation sent to an AWS account by the Security Hub master account.
The account ID of the master Security Hub account who sent the invitation.
The ID of the invitation sent by the master Security Hub account.
The timestamp of when the invitation was sent.
The current relationship status between the inviter and invitee accounts.
paginator = client.get_paginator('list_members')
Creates an iterator that will paginate through responses from SecurityHub.Client.list_members().
See also: AWS API Documentation
Request Syntax
response_iterator = paginator.paginate(
OnlyAssociated=True|False,
PaginationConfig={
'MaxItems': 123,
'PageSize': 123,
'StartingToken': 'string'
}
)
A dictionary that provides parameters to control pagination.
The total number of items to return. If the total number of items available is more than the value specified in max-items then a NextToken will be provided in the output that you can use to resume pagination.
The size of each page.
A token to specify where to start paginating. This is the NextToken from a previous response.
dict
Response Syntax
{
'Members': [
{
'AccountId': 'string',
'Email': 'string',
'MasterId': 'string',
'MemberStatus': 'string',
'InvitedAt': datetime(2015, 1, 1),
'UpdatedAt': datetime(2015, 1, 1)
},
],
}
Response Structure
(dict) --
Members (list) --
Member details returned by the operation.
(dict) --
The details for a Security Hub member account.
AccountId (string) --
The AWS account ID of a Security Hub member account.
Email (string) --
The email of a Security Hub member account.
MasterId (string) --
The AWS account ID of the master Security Hub account to this member account.
MemberStatus (string) --
The status of the relationship between the member account and its master account.
InvitedAt (datetime) --
Time stamp at which the member account was invited to Security Hub.
UpdatedAt (datetime) --
Time stamp at which this member account was updated.