SecurityHub
***********

Client
======

class SecurityHub.Client

   A low-level client representing AWS SecurityHub

   Security Hub provides you with a comprehensive view of your security state in Amazon Web Services and helps you assess your Amazon Web Services environment against security industry standards and best practices.

   Security Hub collects security data across Amazon Web Services accounts, Amazon Web Services services, and supported third-party products and helps you analyze your security trends and identify the highest priority security issues.

   To help you manage the security state of your organization, Security Hub supports multiple security standards. These include the Amazon Web Services Foundational Security Best Practices (FSBP) standard developed by Amazon Web Services, and external compliance frameworks such as the Center for Internet Security (CIS), the Payment Card Industry Data Security Standard (PCI DSS), and the National Institute of Standards and Technology (NIST). Each standard includes several security controls, each of which represents a security best practice. Security Hub runs checks against security controls and generates control findings to help you assess your compliance against security best practices.

   In addition to generating control findings, Security Hub also receives findings from other Amazon Web Services services, such as Amazon GuardDuty and Amazon Inspector, and supported third-party products. This gives you a single pane of glass into a variety of security-related issues. You can also send Security Hub findings to other Amazon Web Services services and supported third-party products.

   Security Hub offers automation features that help you triage and remediate security issues. For example, you can use automation rules to automatically update critical findings when a security check fails. You can also leverage the integration with Amazon EventBridge to trigger automatic responses to specific findings.

   This guide, the *Security Hub API Reference*, provides information about the Security Hub API. This includes supported resources, HTTP methods, parameters, and schemas.

   If you're new to Security Hub, you might find it helpful to also review the Security Hub User Guide. The user guide explains key concepts and provides procedures that demonstrate how to use Security Hub features. It also provides information about topics such as integrating Security Hub with other Amazon Web Services services.

   In addition to interacting with Security Hub by making calls to the Security Hub API, you can use a current version of an Amazon Web Services command line tool or SDK. Amazon Web Services provides tools and SDKs that consist of libraries and sample code for various languages and platforms, such as PowerShell, Java, Go, Python, C++, and .NET. These tools and SDKs provide convenient, programmatic access to Security Hub and other Amazon Web Services services. They also handle tasks such as signing requests, managing errors, and retrying requests automatically. For information about installing and using the Amazon Web Services tools and SDKs, see Tools to Build on Amazon Web Services.

   With the exception of operations that are related to central configuration, Security Hub API requests are executed only in the Amazon Web Services Region that is currently active or in the specific Amazon Web Services Region that you specify in your request. Any configuration or settings change that results from the operation is applied only to that Region. To make the same change in other Regions, call the same API operation in each Region in which you want to apply the change. When you use central configuration, API requests for enabling Security Hub, standards, and controls are executed in the home Region and all linked Regions. For a list of central configuration operations, see the Central configuration terms and concepts section of the *Security Hub User Guide*.

   The following throttling limits apply to Security Hub API operations.

   * "BatchEnableStandards" - "RateLimit" of 1 request per second. "BurstLimit" of 1 request per second.

   * "GetFindings" - "RateLimit" of 3 requests per second. "BurstLimit" of 6 requests per second.

   * "BatchImportFindings" - "RateLimit" of 10 requests per second. "BurstLimit" of 30 requests per second.

   * "BatchUpdateFindings" - "RateLimit" of 10 requests per second. "BurstLimit" of 30 requests per second.

   * "UpdateStandardsControl" - "RateLimit" of 1 request per second. "BurstLimit" of 5 requests per second.

   * All other operations - "RateLimit" of 10 requests per second. "BurstLimit" of 30 requests per second.

      import boto3

      client = boto3.client('securityhub')

These are the available methods:

* accept_administrator_invitation
* accept_invitation
* batch_delete_automation_rules
* batch_disable_standards
* batch_enable_standards
* batch_get_automation_rules
* batch_get_configuration_policy_associations
* batch_get_security_controls
* batch_get_standards_control_associations
* batch_import_findings
* batch_update_automation_rules
* batch_update_findings
* batch_update_findings_v2
* batch_update_standards_control_associations
* can_paginate
* close
* connector_registrations_v2
* create_action_target
* create_aggregator_v2
* create_automation_rule
* create_automation_rule_v2
* create_configuration_policy
* create_connector_v2
* create_finding_aggregator
* create_insight
* create_members
* create_ticket_v2
* decline_invitations
* delete_action_target
* delete_aggregator_v2
* delete_automation_rule_v2
* delete_configuration_policy
* delete_connector_v2
* delete_finding_aggregator
* delete_insight
* delete_invitations
* delete_members
* describe_action_targets
* describe_hub
* describe_organization_configuration
* describe_products
* describe_products_v2
* describe_security_hub_v2
* describe_standards
* describe_standards_controls
* disable_import_findings_for_product
* disable_organization_admin_account
* disable_security_hub
* disable_security_hub_v2
* disassociate_from_administrator_account
* disassociate_from_master_account
* disassociate_members
* enable_import_findings_for_product
* enable_organization_admin_account
* enable_security_hub
* enable_security_hub_v2
* get_administrator_account
* get_aggregator_v2
* get_automation_rule_v2
* get_configuration_policy
* get_configuration_policy_association
* get_connector_v2
* get_enabled_standards
* get_finding_aggregator
* get_finding_history
* get_finding_statistics_v2
* get_findings
* get_findings_v2
* get_insight_results
* get_insights
* get_invitations_count
* get_master_account
* get_members
* get_paginator
* get_resources_statistics_v2
* get_resources_v2
* get_security_control_definition
* get_waiter
* invite_members
* list_aggregators_v2
* list_automation_rules
* list_automation_rules_v2
* list_configuration_policies
* list_configuration_policy_associations
* list_connectors_v2
* list_enabled_products_for_import
* list_finding_aggregators
* list_invitations
* list_members
* list_organization_admin_accounts
* list_security_control_definitions
* list_standards_control_associations
* list_tags_for_resource
* start_configuration_policy_association
* start_configuration_policy_disassociation
* tag_resource
* untag_resource
* update_action_target
* update_aggregator_v2
* update_automation_rule_v2
* update_configuration_policy
* update_connector_v2
* update_finding_aggregator
* update_findings
* update_insight
* update_organization_configuration
* update_security_control
* update_security_hub_configuration
* update_standards_control

Paginators
==========

Paginators are available on a client instance via the "get_paginator" method. For more detailed instructions and examples on the usage of paginators, see the paginators user guide.
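
A paginator sends one API request per page, so the throttling limits listed earlier apply to every page it fetches. The following is an added example, not part of the boto3 documentation: a client-side token bucket that paces page fetches using the limits from this page. It assumes that "BurstLimit" is the bucket capacity and "RateLimit" the refill rate; `TokenBucket`, `bucket_for`, `planned_start_times` and `paced` are hypothetical helper names.

```python
import time

# (RateLimit per second, BurstLimit) copied from the throttling list on this page.
THROTTLE_LIMITS = {
    "BatchEnableStandards": (1, 1),
    "GetFindings": (3, 6),
    "BatchImportFindings": (10, 30),
    "BatchUpdateFindings": (10, 30),
    "UpdateStandardsControl": (1, 5),
}
DEFAULT_LIMIT = (10, 30)  # "All other operations"


class TokenBucket:
    """Client-side pacing. Assumption: BurstLimit is the bucket capacity and
    RateLimit is the refill rate in tokens per second."""

    def __init__(self, rate, burst, clock=time.monotonic):
        self.rate = float(rate)
        self.capacity = float(burst)
        self.tokens = float(burst)
        self.clock = clock
        self.last = clock()

    def reserve(self):
        """Reserve one request slot; return the seconds to wait before sending."""
        now = self.clock()
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        self.tokens -= 1.0
        # A negative balance is a debt that the caller repays by waiting.
        return 0.0 if self.tokens >= 0 else -self.tokens / self.rate


def bucket_for(operation, clock=time.monotonic):
    """Build a bucket for an API operation name such as "GetFindings"."""
    rate, burst = THROTTLE_LIMITS.get(operation, DEFAULT_LIMIT)
    return TokenBucket(rate, burst, clock)


def planned_start_times(operation, calls):
    """Start times (seconds) of back-to-back requests, computed on a virtual clock."""
    now = [0.0]
    bucket = bucket_for(operation, clock=lambda: now[0])
    starts = []
    for _ in range(calls):
        now[0] += bucket.reserve()
        starts.append(round(now[0], 3))
    return starts


def paced(pages, bucket, sleep=time.sleep):
    """Yield pages from a lazy page iterator, waiting for a token before each fetch."""
    iterator = iter(pages)
    done = object()
    while True:
        wait = bucket.reserve()
        if wait > 0:
            sleep(wait)
        page = next(iterator, done)  # this is where the API request is sent
        if page is done:
            return
        yield page


if __name__ == "__main__":
    print(planned_start_times("GetFindings", 8))

    import boto3  # needs AWS credentials and a Region

    client = boto3.client("securityhub")
    pages = client.get_paginator("get_findings").paginate(
        PaginationConfig={"PageSize": 100}
    )
    for page in paced(pages, bucket_for("GetFindings")):
        print(len(page["Findings"]))
```
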

The available paginators are:

* DescribeActionTargets
* DescribeProducts
* DescribeProductsV2
* DescribeStandards
* DescribeStandardsControls
* GetEnabledStandards
* GetFindingHistory
* GetFindings
* GetFindingsV2
* GetInsights
* GetResourcesV2
* ListAggregatorsV2
* ListConfigurationPolicies
* ListConfigurationPolicyAssociations
* ListEnabledProductsForImport
* ListFindingAggregators
* ListInvitations
* ListMembers
* ListOrganizationAdminAccounts
* ListSecurityControlDefinitions
* ListStandardsControlAssociations

DescribeProducts
****************

class SecurityHub.Paginator.DescribeProducts

      paginator = client.get_paginator('describe_products')

   paginate(**kwargs)

      Creates an iterator that will paginate through responses from "SecurityHub.Client.describe_products()".

      See also: AWS API Documentation

      **Request Syntax**

         response_iterator = paginator.paginate(
             ProductArn='string',
             PaginationConfig={
                 'MaxItems': 123,
                 'PageSize': 123,
                 'StartingToken': 'string'
             }
         )

      Parameters:
         * **ProductArn** (*string*) -- The ARN of the integration to return.

         * **PaginationConfig** (*dict*) -- A dictionary that provides parameters to control pagination.

           * **MaxItems** *(integer) --* The total number of items to return. If the total number of items available is more than the value specified in max-items then a "NextToken" will be provided in the output that you can use to resume pagination.

           * **PageSize** *(integer) --* The size of each page.

           * **StartingToken** *(string) --* A token to specify where to start paginating. This is the "NextToken" from a previous response.

      Return type:
         dict

      Returns:
         **Response Syntax**

            {
                'Products': [
                    {
                        'ProductArn': 'string',
                        'ProductName': 'string',
                        'CompanyName': 'string',
                        'Description': 'string',
                        'Categories': [
                            'string',
                        ],
                        'IntegrationTypes': [
                            'SEND_FINDINGS_TO_SECURITY_HUB'|'RECEIVE_FINDINGS_FROM_SECURITY_HUB'|'UPDATE_FINDINGS_IN_SECURITY_HUB',
                        ],
                        'MarketplaceUrl': 'string',
                        'ActivationUrl': 'string',
                        'ProductSubscriptionResourcePolicy': 'string'
                    },
                ],
            }

         **Response Structure**

         * *(dict) --*

           * **Products** *(list) --* A list of products, including details for each product.

             * *(dict) --* Contains details about a product.

               * **ProductArn** *(string) --* The ARN assigned to the product.

               * **ProductName** *(string) --* The name of the product.

               * **CompanyName** *(string) --* The name of the company that provides the product.

               * **Description** *(string) --* A description of the product.

               * **Categories** *(list) --* The categories assigned to the product.

                 * *(string) --*

               * **IntegrationTypes** *(list) --* The types of integration that the product supports. Available values are the following.

                 * "SEND_FINDINGS_TO_SECURITY_HUB" - The integration sends findings to Security Hub.

                 * "RECEIVE_FINDINGS_FROM_SECURITY_HUB" - The integration receives findings from Security Hub.

                 * "UPDATE_FINDINGS_IN_SECURITY_HUB" - The integration does not send new findings to Security Hub, but does make updates to the findings that it receives from Security Hub.

                 * *(string) --*

               * **MarketplaceUrl** *(string) --* For integrations with Amazon Web Services services, the Amazon Web Services Console URL from which to activate the service. For integrations with third-party products, the Amazon Web Services Marketplace URL from which to subscribe to or purchase the product.

               * **ActivationUrl** *(string) --* The URL to the service or product documentation about the integration with Security Hub, including how to activate the integration.

               * **ProductSubscriptionResourcePolicy** *(string) --* The resource policy associated with the product.

GetResourcesV2
**************

class SecurityHub.Paginator.GetResourcesV2

      paginator = client.get_paginator('get_resources_v2')

   paginate(**kwargs)

      Creates an iterator that will paginate through responses from "SecurityHub.Client.get_resources_v2()".

      See also: AWS API Documentation

      **Request Syntax**

         response_iterator = paginator.paginate(
             Filters={
                 'CompositeFilters': [
                     {
                         'StringFilters': [
                             {
                                 'FieldName': 'resource_arn'|'resource_id'|'account_id'|'region'|'resource_category'|'resource_type'|'resource_name'|'findings_summary.finding_type'|'findings_summary.product_name',
                                 'Filter': {
                                     'Value': 'string',
                                     'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
                                 }
                             },
                         ],
                         'DateFilters': [
                             {
                                 'FieldName': 'resource_detail_capture_time_dt'|'resource_creation_time_dt',
                                 'Filter': {
                                     'Start': 'string',
                                     'End': 'string',
                                     'DateRange': {
                                         'Value': 123,
                                         'Unit': 'DAYS'
                                     }
                                 }
                             },
                         ],
                         'NumberFilters': [
                             {
                                 'FieldName': 'findings_summary.total_findings'|'findings_summary.severities.other'|'findings_summary.severities.fatal'|'findings_summary.severities.critical'|'findings_summary.severities.high'|'findings_summary.severities.medium'|'findings_summary.severities.low'|'findings_summary.severities.informational'|'findings_summary.severities.unknown',
                                 'Filter': {
                                     'Gte': 123.0,
                                     'Lte': 123.0,
                                     'Eq': 123.0,
                                     'Gt': 123.0,
                                     'Lt': 123.0
                                 }
                             },
                         ],
                         'MapFilters': [
                             {
                                 'FieldName': 'tags',
                                 'Filter': {
                                     'Key': 'string',
                                     'Value': 'string',
                                     'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
                                 }
                             },
                         ],
                         'Operator': 'AND'|'OR'
                     },
                 ],
                 'CompositeOperator': 'AND'|'OR'
             },
             SortCriteria=[
                 {
                     'Field': 'string',
                     'SortOrder': 'asc'|'desc'
                 },
             ],
             PaginationConfig={
                 'MaxItems': 123,
                 'PageSize': 123,
                 'StartingToken': 'string'
             }
         )

      Parameters:
         * **Filters** (*dict*) -- Filters resources based on a set of criteria.

           * **CompositeFilters** *(list) --* A collection of complex filtering conditions that can be applied to Amazon Web Services resources.

             * *(dict) --* Enables the creation of criteria for Amazon Web Services resources in Security Hub.

               * **StringFilters** *(list) --* Enables filtering based on string field values.

                 * *(dict) --* Enables filtering of Amazon Web Services resources based on string field values.

                   * **FieldName** *(string) --* The name of the field.

                   * **Filter** *(dict) --* A string filter for filtering Security Hub findings.

                     * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match.

                     * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings.

                       To search for values that have the filter value, use one of the following comparison operators:

                       * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront.

                       * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012".

                       * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match.

                       "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title.

                       To search for values that don’t have the filter value, use one of the following comparison operators:

                       * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront.

                       * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012".

                       * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us".

                       "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title.

                       You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters.

                       You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters.

                       For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface".

                       * "ResourceType PREFIX AwsIam"

                       * "ResourceType PREFIX AwsEc2"

                       * "ResourceType NOT_EQUALS AwsIamPolicy"

                       * "ResourceType NOT_EQUALS AwsEc2NetworkInterface"

                       "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*.

               * **DateFilters** *(list) --* Enables filtering based on date and timestamp field values.

                 * *(dict) --* Enables the filtering of Amazon Web Services resources based on date and timestamp attributes.

                   * **FieldName** *(string) --* The name of the field.

                   * **Filter** *(dict) --* A date filter for querying findings.

                     * **Start** *(string) --* A timestamp that provides the start date for the date filter. For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps.

                     * **End** *(string) --* A timestamp that provides the end date for the date filter. For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps.

                     * **DateRange** *(dict) --* A date range for the date filter.

                       * **Value** *(integer) --* A date range value for the date filter.

                       * **Unit** *(string) --* A date range unit for the date filter.

               * **NumberFilters** *(list) --* Enables filtering based on numerical field values.

                 * *(dict) --* Enables filtering of Amazon Web Services resources based on numerical values.

                   * **FieldName** *(string) --* The name of the field.

                   * **Filter** *(dict) --* A number filter for querying findings.

                     * **Gte** *(float) --* The greater-than-equal condition to be applied to a single field when querying for findings.

                     * **Lte** *(float) --* The less-than-equal condition to be applied to a single field when querying for findings.

                     * **Eq** *(float) --* The equal-to condition to be applied to a single field when querying for findings.

                     * **Gt** *(float) --* The greater-than condition to be applied to a single field when querying for findings.

                     * **Lt** *(float) --* The less-than condition to be applied to a single field when querying for findings.

               * **MapFilters** *(list) --* Enables filtering based on map-based field values.

                 * *(dict) --* Enables filtering of Amazon Web Services resources based on key-value map attributes.

                   * **FieldName** *(string) --* The name of the field.

                   * **Filter** *(dict) --* A map filter for filtering Security Hub findings. Each map filter provides the field to check for, the value to check for, and the comparison operator.

                     * **Key** *(string) --* The key of the map filter. For example, for "ResourceTags", "Key" identifies the name of the tag. For "UserDefinedFields", "Key" is the name of the field.

                     * **Value** *(string) --* The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called "Department" might be "Security". If you provide "security" as the filter value, then there's no match.

                     * **Comparison** *(string) --* The condition to apply to the key value when filtering Security Hub findings with a map filter.

                       To search for values that have the filter value, use one of the following comparison operators:

                       * To search for values that include the filter value, use "CONTAINS". For example, for the "ResourceTags" field, the filter "Department CONTAINS Security" matches findings that include the value "Security" for the "Department" tag. In the same example, a finding with a value of "Security team" for the "Department" tag is a match.

                       * To search for values that exactly match the filter value, use "EQUALS". For example, for the "ResourceTags" field, the filter "Department EQUALS Security" matches findings that have the value "Security" for the "Department" tag.

                       "CONTAINS" and "EQUALS" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Department CONTAINS Security OR Department CONTAINS Finance" match a finding that includes either "Security", "Finance", or both values.

                       To search for values that don't have the filter value, use one of the following comparison operators:

                       * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, for the "ResourceTags" field, the filter "Department NOT_CONTAINS Finance" matches findings that exclude the value "Finance" for the "Department" tag.

                       * To search for values other than the filter value, use "NOT_EQUALS". For example, for the "ResourceTags" field, the filter "Department NOT_EQUALS Finance" matches findings that don’t have the value "Finance" for the "Department" tag.

                       "NOT_CONTAINS" and "NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Department NOT_CONTAINS Security AND Department NOT_CONTAINS Finance" match a finding that excludes both the "Security" and "Finance" values.

                       "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters.

                       You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can’t have both an "EQUALS" filter and a "NOT_EQUALS" filter on the same field. Combining filters in this way returns an error.

                       "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules. For more information, see Automation rules in the *Security Hub User Guide*.

               * **Operator** *(string) --* The logical operator used to combine multiple filter conditions.

           * **CompositeOperator** *(string) --* The logical operator used to combine multiple filter conditions in the structure.

         * **SortCriteria** (*list*) -- The finding attributes used to sort the list of returned findings.

           * *(dict) --* A collection of finding attributes used to sort findings.

             * **Field** *(string) --* The finding attribute used to sort findings.

             * **SortOrder** *(string) --* The order used to sort findings.

         * **PaginationConfig** (*dict*) -- A dictionary that provides parameters to control pagination.

           * **MaxItems** *(integer) --* The total number of items to return. If the total number of items available is more than the value specified in max-items then a "NextToken" will be provided in the output that you can use to resume pagination.

           * **PageSize** *(integer) --* The size of each page.

           * **StartingToken** *(string) --* A token to specify where to start paginating. This is the "NextToken" from a previous response.

      Return type:
         dict

      Returns:
         **Response Syntax**

            {
                'Resources': [
                    {
                        'ResourceArn': 'string',
                        'ResourceId': 'string',
                        'AccountId': 'string',
                        'Region': 'string',
                        'ResourceCategory': 'Compute'|'Database'|'Storage'|'Code'|'AI/ML'|'Identity'|'Network'|'Other',
                        'ResourceType': 'string',
                        'ResourceName': 'string',
                        'ResourceCreationTimeDt': 'string',
                        'ResourceDetailCaptureTimeDt': 'string',
                        'FindingsSummary': [
                            {
                                'FindingType': 'string',
                                'ProductName': 'string',
                                'TotalFindings': 123,
                                'Severities': {
                                    'Other': 123,
                                    'Fatal': 123,
                                    'Critical': 123,
                                    'High': 123,
                                    'Medium': 123,
                                    'Low': 123,
                                    'Informational': 123,
                                    'Unknown': 123
                                }
                            },
                        ],
                        'ResourceTags': [
                            {
                                'Key': 'string',
                                'Value': 'string'
                            },
                        ],
                        'ResourceConfig': {...}|[...]|123|123.4|'string'|True|None
                    },
                ],
            }

         **Response Structure**

         * *(dict) --*

           * **Resources** *(list) --* Filters resources based on a set of criteria.

             * *(dict) --* Provides comprehensive details about an Amazon Web Services resource and its associated security findings.

               * **ResourceArn** *(string) --* Specifies the ARN that uniquely identifies a resource.

               * **ResourceId** *(string) --* The unique identifier for a resource.

               * **AccountId** *(string) --* The Amazon Web Services account that owns the resource.

               * **Region** *(string) --* The Amazon Web Services Region where the resource is located.

               * **ResourceCategory** *(string) --* The grouping where the resource belongs.

               * **ResourceType** *(string) --* The type of resource.

               * **ResourceName** *(string) --* The name of the resource.

               * **ResourceCreationTimeDt** *(string) --* The time when the resource was created.

               * **ResourceDetailCaptureTimeDt** *(string) --* The timestamp when information about the resource was captured.

               * **FindingsSummary** *(list) --* An aggregated view of security findings associated with a resource.

                 * *(dict) --* A list of summaries for all finding types on a resource.

                   * **FindingType** *(string) --* The category or classification of the security finding.

                   * **ProductName** *(string) --* The name of the product associated with the security finding.

                   * **TotalFindings** *(integer) --* The total count of security findings.

                   * **Severities** *(dict) --* A breakdown of security findings by their severity levels.

                     * **Other** *(integer) --* The number of findings not in any of the severity categories.

                     * **Fatal** *(integer) --* The number of findings with a severity level of fatal.

                     * **Critical** *(integer) --* The number of findings with a severity level of critical.

                     * **High** *(integer) --* The number of findings with a severity level of high.

                     * **Medium** *(integer) --* The number of findings with a severity level of medium.

                     * **Low** *(integer) --* The number of findings with a severity level of low.

                     * **Informational** *(integer) --* The number of findings that provide security-related information.

                     * **Unknown** *(integer) --* The number of findings with a severity level that cannot be determined.

               * **ResourceTags** *(list) --* The key-value pairs associated with a resource.

                 * *(dict) --* Represents tag information associated with Amazon Web Services resources.

                   * **Key** *(string) --* The identifier or name of the tag.

                   * **Value** *(string) --* The data associated with the tag key.

               * **ResourceConfig** (*document*) -- The configuration details of a resource.
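
The string-filter rules described under "Comparison" above can be checked before a request is sent, since a forbidden combination returns an error. The following is an added example, not part of the boto3 documentation: it validates the same-field combination rules, models the documented matching order locally (inclusive filters joined by "OR", then exclusions joined by "AND"), and builds a "Filters" argument for the "get_resources_v2" paginator. The helper names and the sample resource-type values are assumptions made for illustration, and "CONTAINS_WORD" is not modelled because the page does not describe its matching.

```python
POSITIVE = ("EQUALS", "PREFIX", "CONTAINS")
NEGATIVE = ("NOT_EQUALS", "PREFIX_NOT_EQUALS", "NOT_CONTAINS")
# StringFilters field names for get_resources_v2, from the Request Syntax above.
STRING_FIELDS = {
    "resource_arn", "resource_id", "account_id", "region", "resource_category",
    "resource_type", "resource_name", "findings_summary.finding_type",
    "findings_summary.product_name",
}


def string_filter(field, comparison, value):
    return {"FieldName": field, "Filter": {"Value": value, "Comparison": comparison}}


# The page's PREFIX / NOT_EQUALS example, moved onto the resource_type field.
# The values are constructed sample data, not a list of real resource types.
PAGE_EXAMPLE = [
    string_filter("resource_type", "PREFIX", "AwsIam"),
    string_filter("resource_type", "PREFIX", "AwsEc2"),
    string_filter("resource_type", "NOT_EQUALS", "AwsIamPolicy"),
    string_filter("resource_type", "NOT_EQUALS", "AwsEc2NetworkInterface"),
]


def rule_violations(string_filters):
    """Return the documented same-field combination rules that the filters break."""
    ops_by_field = {}
    for item in string_filters:
        ops_by_field.setdefault(item["FieldName"], set()).add(item["Filter"]["Comparison"])
    problems = []
    for field, ops in sorted(ops_by_field.items()):
        if field not in STRING_FIELDS:
            problems.append(f"{field}: not a StringFilters field of get_resources_v2")
        if {"CONTAINS", "NOT_CONTAINS"} <= ops:
            problems.append(f"{field}: CONTAINS and NOT_CONTAINS on the same field")
        else:
            for op in ("CONTAINS", "NOT_CONTAINS"):
                if op in ops and len(ops) > 1:
                    problems.append(f"{field}: {op} only combines with other {op} filters")
        if "EQUALS" in ops and ops & {"NOT_EQUALS", "PREFIX_NOT_EQUALS"}:
            problems.append(f"{field}: EQUALS with NOT_EQUALS or PREFIX_NOT_EQUALS")
    return problems


def compare(value, comparison, needle):
    """Case-sensitive comparison, as the page states for filter values."""
    if comparison in ("EQUALS", "NOT_EQUALS"):
        hit = value == needle
    elif comparison in ("PREFIX", "PREFIX_NOT_EQUALS"):
        hit = value.startswith(needle)
    else:
        hit = needle in value
    return hit if comparison in POSITIVE else not hit


def field_matches(value, string_filters, field):
    """Local model: inclusive filters are OR-ed first, then exclusions are AND-ed."""
    mine = [f["Filter"] for f in string_filters if f["FieldName"] == field]
    pos = [f for f in mine if f["Comparison"] in POSITIVE]
    neg = [f for f in mine if f["Comparison"] in NEGATIVE]
    included = not pos or any(compare(value, f["Comparison"], f["Value"]) for f in pos)
    return included and all(compare(value, f["Comparison"], f["Value"]) for f in neg)


def build_filters(string_filters, min_critical=None):
    """Build the Filters argument; refuse combinations the page says return an error.

    How 'Operator' interacts with same-field OR/AND joining is not stated on the
    page, so callers should pass one inclusive filter per field to stay independent of it.
    """
    problems = rule_violations(string_filters)
    if problems:
        raise ValueError("; ".join(problems))
    composite = {"StringFilters": list(string_filters), "Operator": "AND"}
    if min_critical is not None:
        composite["NumberFilters"] = [{
            "FieldName": "findings_summary.severities.critical",
            "Filter": {"Gte": float(min_critical)},
        }]
    return {"CompositeFilters": [composite], "CompositeOperator": "AND"}


def iter_resources(client, filters, page_size=50):
    """Yield every resource across all pages of get_resources_v2."""
    paginator = client.get_paginator("get_resources_v2")
    pages = paginator.paginate(Filters=filters, PaginationConfig={"PageSize": page_size})
    for page in pages:
        yield from page.get("Resources", [])
```
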

ListInvitations
***************

class SecurityHub.Paginator.ListInvitations

      paginator = client.get_paginator('list_invitations')

   paginate(**kwargs)

      Creates an iterator that will paginate through responses from "SecurityHub.Client.list_invitations()".

      See also: AWS API Documentation

      **Request Syntax**

         response_iterator = paginator.paginate(
             PaginationConfig={
                 'MaxItems': 123,
                 'PageSize': 123,
                 'StartingToken': 'string'
             }
         )

      Parameters:
         **PaginationConfig** (*dict*) -- A dictionary that provides parameters to control pagination.

         * **MaxItems** *(integer) --* The total number of items to return. If the total number of items available is more than the value specified in max-items then a "NextToken" will be provided in the output that you can use to resume pagination.

         * **PageSize** *(integer) --* The size of each page.

         * **StartingToken** *(string) --* A token to specify where to start paginating. This is the "NextToken" from a previous response.

      Return type:
         dict

      Returns:
         **Response Syntax**

            {
                'Invitations': [
                    {
                        'AccountId': 'string',
                        'InvitationId': 'string',
                        'InvitedAt': datetime(2015, 1, 1),
                        'MemberStatus': 'string'
                    },
                ],
            }

         **Response Structure**

         * *(dict) --*

           * **Invitations** *(list) --* The details of the invitations returned by the operation.

             * *(dict) --* Details about an invitation.

               * **AccountId** *(string) --* The account ID of the Security Hub administrator account that the invitation was sent from.

               * **InvitationId** *(string) --* The ID of the invitation sent to the member account.

               * **InvitedAt** *(datetime) --* The timestamp of when the invitation was sent.

               * **MemberStatus** *(string) --* The current status of the association between the member and administrator accounts.
SecurityHub / Paginator / ListOrganizationAdminAccounts ListOrganizationAdminAccounts ***************************** class SecurityHub.Paginator.ListOrganizationAdminAccounts paginator = client.get_paginator('list_organization_admin_accounts') paginate(**kwargs) Creates an iterator that will paginate through responses from "SecurityHub.Client.list_organization_admin_accounts()". See also: AWS API Documentation **Request Syntax** response_iterator = paginator.paginate( Feature='SecurityHub'|'SecurityHubV2', PaginationConfig={ 'MaxItems': 123, 'PageSize': 123, 'StartingToken': 'string' } ) Parameters: * **Feature** (*string*) -- The feature where the delegated administrator account is listed. Defaults to Security Hub if not specified. * **PaginationConfig** (*dict*) -- A dictionary that provides parameters to control pagination. * **MaxItems** *(integer) --* The total number of items to return. If the total number of items available is more than the value specified in max-items then a "NextToken" will be provided in the output that you can use to resume pagination. * **PageSize** *(integer) --* The size of each page. * **StartingToken** *(string) --* A token to specify where to start paginating. This is the "NextToken" from a previous response. Return type: dict Returns: **Response Syntax** { 'AdminAccounts': [ { 'AccountId': 'string', 'Status': 'ENABLED'|'DISABLE_IN_PROGRESS' }, ], 'Feature': 'SecurityHub'|'SecurityHubV2' } **Response Structure** * *(dict) --* * **AdminAccounts** *(list) --* The list of Security Hub administrator accounts. * *(dict) --* Represents a Security Hub administrator account designated by an organization management account. * **AccountId** *(string) --* The Amazon Web Services account identifier of the Security Hub administrator account. * **Status** *(string) --* The current status of the Security Hub administrator account. Indicates whether the account is currently enabled as a Security Hub administrator. 
* **Feature** *(string) --* The feature where the delegated administrator account is listed. Defaults to Security Hub CSPM if not specified. SecurityHub / Paginator / ListMembers ListMembers *********** class SecurityHub.Paginator.ListMembers paginator = client.get_paginator('list_members') paginate(**kwargs) Creates an iterator that will paginate through responses from "SecurityHub.Client.list_members()". See also: AWS API Documentation **Request Syntax** response_iterator = paginator.paginate( OnlyAssociated=True|False, PaginationConfig={ 'MaxItems': 123, 'PageSize': 123, 'StartingToken': 'string' } ) Parameters: * **OnlyAssociated** (*boolean*) -- Specifies which member accounts to include in the response based on their relationship status with the administrator account. The default value is "TRUE". If "OnlyAssociated" is set to "TRUE", the response includes member accounts whose relationship status with the administrator account is set to "ENABLED". If "OnlyAssociated" is set to "FALSE", the response includes all existing member accounts. * **PaginationConfig** (*dict*) -- A dictionary that provides parameters to control pagination. * **MaxItems** *(integer) --* The total number of items to return. If the total number of items available is more than the value specified in max-items then a "NextToken" will be provided in the output that you can use to resume pagination. * **PageSize** *(integer) --* The size of each page. * **StartingToken** *(string) --* A token to specify where to start paginating. This is the "NextToken" from a previous response. Return type: dict Returns: **Response Syntax** { 'Members': [ { 'AccountId': 'string', 'Email': 'string', 'MasterId': 'string', 'AdministratorId': 'string', 'MemberStatus': 'string', 'InvitedAt': datetime(2015, 1, 1), 'UpdatedAt': datetime(2015, 1, 1) }, ], } **Response Structure** * *(dict) --* * **Members** *(list) --* Member details returned by the operation. * *(dict) --* The details about a member account. 
* **AccountId** *(string) --* The Amazon Web Services account ID of the member account. * **Email** *(string) --* The email address of the member account. * **MasterId** *(string) --* This is replaced by "AdministratorID". The Amazon Web Services account ID of the Security Hub administrator account associated with this member account. * **AdministratorId** *(string) --* The Amazon Web Services account ID of the Security Hub administrator account associated with this member account. * **MemberStatus** *(string) --* The status of the relationship between the member account and its administrator account. The status can have one of the following values: * "Created" - Indicates that the administrator account added the member account, but has not yet invited the member account. * "Invited" - Indicates that the administrator account invited the member account. The member account has not yet responded to the invitation. * "Enabled" - Indicates that the member account is currently active. For manually invited member accounts, indicates that the member account accepted the invitation. * "Removed" - Indicates that the administrator account disassociated the member account. * "Resigned" - Indicates that the member account disassociated themselves from the administrator account. * "Deleted" - Indicates that the administrator account deleted the member account. * "AccountSuspended" - Indicates that an organization account was suspended from Amazon Web Services at the same time that the administrator account tried to enable the organization account as a member account. * **InvitedAt** *(datetime) --* A timestamp for the date and time when the invitation was sent to the member account. * **UpdatedAt** *(datetime) --* The timestamp for the date and time when the member account was updated. 
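The following is an added example, not part of the boto3 documentation, showing how the "MemberStatus", "AdministratorId" and "OnlyAssociated" fields described above can be used to audit which organization accounts are actually covered by the Security Hub administrator. The function names, account IDs and sample pages are constructed for illustration; the audit function accepts any iterable of ListMembers pages so it can be run offline.

```python
from collections import defaultdict

# MemberStatus values listed in the ListMembers response structure,
# compared case-insensitively.
PENDING = {"created", "invited"}
DETACHED = {"removed", "resigned", "deleted", "accountsuspended"}


def fetch_member_pages(client, page_size=50):
    """Return the ListMembers page iterator for a boto3 SecurityHub client."""
    paginator = client.get_paginator("list_members")
    # OnlyAssociated defaults to TRUE, which returns only Enabled members and
    # hides exactly the accounts a coverage audit needs to see.
    return paginator.paginate(
        OnlyAssociated=False,
        PaginationConfig={"PageSize": page_size},
    )


def audit_members(pages, expected_accounts, expected_admin_id):
    """Classify member accounts and list expected accounts without coverage."""
    report = defaultdict(list)
    seen = set()
    for page in pages:
        for member in page.get("Members", []):
            account = member["AccountId"]
            seen.add(account)
            status = member.get("MemberStatus", "").casefold()
            if status == "enabled":
                bucket = "enabled"
            elif status in PENDING:
                bucket = "pending"
            elif status in DETACHED:
                bucket = "detached"
            else:
                bucket = "unknown_status"
            report[bucket].append(account)
            # AdministratorId replaces MasterId; fall back for older records.
            admin = member.get("AdministratorId") or member.get("MasterId")
            if status == "enabled" and admin != expected_admin_id:
                report["wrong_admin"].append(account)
    # Covered = Enabled and reporting to the administrator we expect.
    covered = set(report["enabled"]) - set(report["wrong_admin"])
    report["missing"] = sorted(set(expected_accounts) - seen)
    report["uncovered"] = sorted(set(expected_accounts) - covered)
    return dict(report)


# Constructed sample pages in the documented ListMembers response shape.
SAMPLE_PAGES = [
    {"Members": [
        {"AccountId": "111111111111", "AdministratorId": "999999999999",
         "MemberStatus": "Enabled"},
        {"AccountId": "222222222222", "AdministratorId": "999999999999",
         "MemberStatus": "Invited"},
    ]},
    {"Members": [
        {"AccountId": "333333333333", "AdministratorId": "999999999999",
         "MemberStatus": "Resigned"},
        {"AccountId": "444444444444", "MasterId": "888888888888",
         "MemberStatus": "Enabled"},
    ]},
]
# Constructed inventory of accounts that should be members.
EXPECTED_ACCOUNTS = ["111111111111", "222222222222", "333333333333",
                     "444444444444", "555555555555"]

if __name__ == "__main__":
    result = audit_members(SAMPLE_PAGES, EXPECTED_ACCOUNTS, "999999999999")
    for key in sorted(result):
        print(key, result[key])
```

Against a live account, pass `fetch_member_pages(boto3.client("securityhub"))` as `pages`; the call is Region-scoped, so repeat it in each Region you aggregate.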
SecurityHub / Paginator / DescribeStandardsControls DescribeStandardsControls ************************* class SecurityHub.Paginator.DescribeStandardsControls paginator = client.get_paginator('describe_standards_controls') paginate(**kwargs) Creates an iterator that will paginate through responses from "SecurityHub.Client.describe_standards_controls()". See also: AWS API Documentation **Request Syntax** response_iterator = paginator.paginate( StandardsSubscriptionArn='string', PaginationConfig={ 'MaxItems': 123, 'PageSize': 123, 'StartingToken': 'string' } ) Parameters: * **StandardsSubscriptionArn** (*string*) -- **[REQUIRED]** The ARN of a resource that represents your subscription to a supported standard. To get the subscription ARNs of the standards you have enabled, use the "GetEnabledStandards" operation. * **PaginationConfig** (*dict*) -- A dictionary that provides parameters to control pagination. * **MaxItems** *(integer) --* The total number of items to return. If the total number of items available is more than the value specified in max-items then a "NextToken" will be provided in the output that you can use to resume pagination. * **PageSize** *(integer) --* The size of each page. * **StartingToken** *(string) --* A token to specify where to start paginating. This is the "NextToken" from a previous response. Return type: dict Returns: **Response Syntax** { 'Controls': [ { 'StandardsControlArn': 'string', 'ControlStatus': 'ENABLED'|'DISABLED', 'DisabledReason': 'string', 'ControlStatusUpdatedAt': datetime(2015, 1, 1), 'ControlId': 'string', 'Title': 'string', 'Description': 'string', 'RemediationUrl': 'string', 'SeverityRating': 'LOW'|'MEDIUM'|'HIGH'|'CRITICAL', 'RelatedRequirements': [ 'string', ] }, ], } **Response Structure** * *(dict) --* * **Controls** *(list) --* A list of security standards controls. * *(dict) --* Details for an individual security standard control. * **StandardsControlArn** *(string) --* The ARN of the security standard control. 
* **ControlStatus** *(string) --* The current status of the security standard control. Indicates whether the control is enabled or disabled. Security Hub does not check against disabled controls. * **DisabledReason** *(string) --* The reason provided for the most recent change in status for the control. * **ControlStatusUpdatedAt** *(datetime) --* The date and time that the status of the security standard control was most recently updated. * **ControlId** *(string) --* The identifier of the security standard control. * **Title** *(string) --* The title of the security standard control. * **Description** *(string) --* The longer description of the security standard control. Provides information about what the control is checking for. * **RemediationUrl** *(string) --* A link to remediation information for the control in the Security Hub user documentation. * **SeverityRating** *(string) --* The severity of findings generated from this security standard control. The finding severity is based on an assessment of how easy it would be to compromise Amazon Web Services resources if the issue is detected. * **RelatedRequirements** *(list) --* The list of requirements that are related to this control. * *(string) --* SecurityHub / Paginator / DescribeProductsV2 DescribeProductsV2 ****************** class SecurityHub.Paginator.DescribeProductsV2 paginator = client.get_paginator('describe_products_v2') paginate(**kwargs) Creates an iterator that will paginate through responses from "SecurityHub.Client.describe_products_v2()". See also: AWS API Documentation **Request Syntax** response_iterator = paginator.paginate( PaginationConfig={ 'MaxItems': 123, 'PageSize': 123, 'StartingToken': 'string' } ) Parameters: **PaginationConfig** (*dict*) -- A dictionary that provides parameters to control pagination. * **MaxItems** *(integer) --* The total number of items to return. 
If the total number of items available is more than the value specified in max-items then a "NextToken" will be provided in the output that you can use to resume pagination. * **PageSize** *(integer) --* The size of each page. * **StartingToken** *(string) --* A token to specify where to start paginating. This is the "NextToken" from a previous response. Return type: dict Returns: **Response Syntax** { 'ProductsV2': [ { 'ProductV2Name': 'string', 'CompanyName': 'string', 'Description': 'string', 'Categories': [ 'string', ], 'IntegrationV2Types': [ 'SEND_FINDINGS_TO_SECURITY_HUB'|'RECEIVE_FINDINGS_FROM_SECURITY_HUB'|'UPDATE_FINDINGS_IN_SECURITY_HUB', ], 'MarketplaceUrl': 'string', 'ActivationUrl': 'string' }, ], } **Response Structure** * *(dict) --* * **ProductsV2** *(list) --* Gets information about the product integration. * *(dict) --* Defines the structure for the productV2. * **ProductV2Name** *(string) --* The name of the productV2. * **CompanyName** *(string) --* The name of the organization or vendor that provides the productV2. * **Description** *(string) --* Detailed information about the productV2. * **Categories** *(list) --* The domains or functional areas the productV2 addresses. * *(string) --* * **IntegrationV2Types** *(list) --* The type of integration. * *(string) --* * **MarketplaceUrl** *(string) --* The console URL where you can purchase or subscribe to products. * **ActivationUrl** *(string) --* The URL to the serviceV2 or productV2 documentation about the integration, which includes how to activate the integration. SecurityHub / Paginator / GetFindings GetFindings *********** class SecurityHub.Paginator.GetFindings paginator = client.get_paginator('get_findings') paginate(**kwargs) Creates an iterator that will paginate through responses from "SecurityHub.Client.get_findings()". 
See also: AWS API Documentation **Request Syntax** response_iterator = paginator.paginate( Filters={ 'ProductArn': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'AwsAccountId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'Id': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'GeneratorId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'Region': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'Type': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'FirstObservedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'LastObservedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'CreatedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'UpdatedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'SeverityProduct': [ { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 }, ], 'SeverityNormalized': [ { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 }, ], 'SeverityLabel': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'Confidence': [ { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 }, ], 'Criticality': [ { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 }, ], 'Title': [ { 'Value': 'string', 'Comparison': 
'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'Description': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'RecommendationText': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'SourceUrl': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ProductFields': [ { 'Key': 'string', 'Value': 'string', 'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS' }, ], 'ProductName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'CompanyName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'UserDefinedFields': [ { 'Key': 'string', 'Value': 'string', 'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS' }, ], 'MalwareName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'MalwareType': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'MalwarePath': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'MalwareState': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'NetworkDirection': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'NetworkProtocol': [ { 'Value': 'string', 'Comparison': 
'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'NetworkSourceIpV4': [ { 'Cidr': 'string' }, ], 'NetworkSourceIpV6': [ { 'Cidr': 'string' }, ], 'NetworkSourcePort': [ { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 }, ], 'NetworkSourceDomain': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'NetworkSourceMac': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'NetworkDestinationIpV4': [ { 'Cidr': 'string' }, ], 'NetworkDestinationIpV6': [ { 'Cidr': 'string' }, ], 'NetworkDestinationPort': [ { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 }, ], 'NetworkDestinationDomain': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ProcessName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ProcessPath': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ProcessPid': [ { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 }, ], 'ProcessParentPid': [ { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 }, ], 'ProcessLaunchedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'ProcessTerminatedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'ThreatIntelIndicatorType': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ThreatIntelIndicatorValue': [ { 'Value': 'string', 'Comparison': 
'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ThreatIntelIndicatorCategory': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ThreatIntelIndicatorLastObservedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'ThreatIntelIndicatorSource': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ThreatIntelIndicatorSourceUrl': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceType': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourcePartition': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceRegion': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceTags': [ { 'Key': 'string', 'Value': 'string', 'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS' }, ], 'ResourceAwsEc2InstanceType': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceAwsEc2InstanceImageId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceAwsEc2InstanceIpV4Addresses': [ { 'Cidr': 'string' }, ], 'ResourceAwsEc2InstanceIpV6Addresses': [ { 'Cidr': 'string' }, ], 'ResourceAwsEc2InstanceKeyName': [ { 'Value': 'string', 
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceAwsEc2InstanceIamInstanceProfileArn': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceAwsEc2InstanceVpcId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceAwsEc2InstanceSubnetId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceAwsEc2InstanceLaunchedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'ResourceAwsS3BucketOwnerId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceAwsS3BucketOwnerName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceAwsIamAccessKeyUserName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceAwsIamAccessKeyPrincipalName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceAwsIamAccessKeyStatus': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceAwsIamAccessKeyCreatedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'ResourceAwsIamUserUserName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceContainerName': [ { 'Value': 'string', 'Comparison': 
'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceContainerImageId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceContainerImageName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceContainerLaunchedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'ResourceDetailsOther': [ { 'Key': 'string', 'Value': 'string', 'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS' }, ], 'ComplianceStatus': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'VerificationState': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'WorkflowState': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'WorkflowStatus': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'RecordState': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'RelatedFindingsProductArn': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'RelatedFindingsId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'NoteText': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'NoteUpdatedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 
'Value': 123, 'Unit': 'DAYS' } }, ], 'NoteUpdatedBy': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'Keyword': [ { 'Value': 'string' }, ], 'FindingProviderFieldsConfidence': [ { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 }, ], 'FindingProviderFieldsCriticality': [ { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 }, ], 'FindingProviderFieldsRelatedFindingsId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'FindingProviderFieldsRelatedFindingsProductArn': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'FindingProviderFieldsSeverityLabel': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'FindingProviderFieldsSeverityOriginal': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'FindingProviderFieldsTypes': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'Sample': [ { 'Value': True|False }, ], 'ComplianceSecurityControlId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ComplianceAssociatedStandardsId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'VulnerabilitiesExploitAvailable': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'VulnerabilitiesFixAvailable': [ { 'Value': 'string', 'Comparison': 
'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ComplianceSecurityControlParametersName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ComplianceSecurityControlParametersValue': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'AwsAccountName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceApplicationName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceApplicationArn': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ] }, SortCriteria=[ { 'Field': 'string', 'SortOrder': 'asc'|'desc' }, ], PaginationConfig={ 'MaxItems': 123, 'PageSize': 123, 'StartingToken': 'string' } ) **Parameters** # This section is too large to render. # Please see the AWS API Documentation linked below. AWS API Documentation Return type: dict Returns: **Response Syntax** # This section is too large to render. # Please see the AWS API Documentation linked below. AWS API Documentation **Response Structure** # This section is too large to render. # Please see the AWS API Documentation linked below. AWS API Documentation SecurityHub / Paginator / ListStandardsControlAssociations ListStandardsControlAssociations ******************************** class SecurityHub.Paginator.ListStandardsControlAssociations paginator = client.get_paginator('list_standards_control_associations') paginate(**kwargs) Creates an iterator that will paginate through responses from "SecurityHub.Client.list_standards_control_associations()". 
See also: AWS API Documentation **Request Syntax** response_iterator = paginator.paginate( SecurityControlId='string', PaginationConfig={ 'MaxItems': 123, 'PageSize': 123, 'StartingToken': 'string' } ) Parameters: * **SecurityControlId** (*string*) -- **[REQUIRED]** The identifier of the control (identified with "SecurityControlId", "SecurityControlArn", or a mix of both parameters) that you want to determine the enablement status of in each enabled standard. * **PaginationConfig** (*dict*) -- A dictionary that provides parameters to control pagination. * **MaxItems** *(integer) --* The total number of items to return. If the total number of items available is more than the value specified in max-items then a "NextToken" will be provided in the output that you can use to resume pagination. * **PageSize** *(integer) --* The size of each page. * **StartingToken** *(string) --* A token to specify where to start paginating. This is the "NextToken" from a previous response. Return type: dict Returns: **Response Syntax** { 'StandardsControlAssociationSummaries': [ { 'StandardsArn': 'string', 'SecurityControlId': 'string', 'SecurityControlArn': 'string', 'AssociationStatus': 'ENABLED'|'DISABLED', 'RelatedRequirements': [ 'string', ], 'UpdatedAt': datetime(2015, 1, 1), 'UpdatedReason': 'string', 'StandardsControlTitle': 'string', 'StandardsControlDescription': 'string' }, ], } **Response Structure** * *(dict) --* * **StandardsControlAssociationSummaries** *(list) --* An array that provides the enablement status and other details for each security control that applies to each enabled standard. * *(dict) --* An array that provides the enablement status and other details for each control that applies to each enabled standard. * **StandardsArn** *(string) --* The Amazon Resource Name (ARN) of a standard. * **SecurityControlId** *(string) --* A unique standard-agnostic identifier for a control. 
Values for this field typically consist of an Amazon Web Services service and a number, such as APIGateway.5. This field doesn't reference a specific standard. * **SecurityControlArn** *(string) --* The ARN of a control, such as "arn:aws:securityhub:eu-central-1:123456789012:security-control/S3.1". This parameter doesn't mention a specific standard. * **AssociationStatus** *(string) --* The enablement status of a control in a specific standard. * **RelatedRequirements** *(list) --* The requirement that underlies this control in the compliance framework related to the standard. * *(string) --* * **UpdatedAt** *(datetime) --* The last time that a control's enablement status in a specified standard was updated. * **UpdatedReason** *(string) --* The reason for updating a control's enablement status in a specified standard. * **StandardsControlTitle** *(string) --* The title of a control. * **StandardsControlDescription** *(string) --* The description of a control. This typically summarizes how Security Hub evaluates the control and the conditions under which it produces a failed finding. The parameter may reference a specific standard. SecurityHub / Paginator / GetEnabledStandards GetEnabledStandards ******************* class SecurityHub.Paginator.GetEnabledStandards paginator = client.get_paginator('get_enabled_standards') paginate(**kwargs) Creates an iterator that will paginate through responses from "SecurityHub.Client.get_enabled_standards()". See also: AWS API Documentation **Request Syntax** response_iterator = paginator.paginate( StandardsSubscriptionArns=[ 'string', ], PaginationConfig={ 'MaxItems': 123, 'PageSize': 123, 'StartingToken': 'string' } ) Parameters: * **StandardsSubscriptionArns** (*list*) -- The list of the standards subscription ARNs for the standards to retrieve. * *(string) --* * **PaginationConfig** (*dict*) -- A dictionary that provides parameters to control pagination. * **MaxItems** *(integer) --* The total number of items to return. 
If the total number of items available is more than the value specified in max-items then a "NextToken" will be provided in the output that you can use to resume pagination. * **PageSize** *(integer) --* The size of each page. * **StartingToken** *(string) --* A token to specify where to start paginating. This is the "NextToken" from a previous response. Return type: dict Returns: **Response Syntax** { 'StandardsSubscriptions': [ { 'StandardsSubscriptionArn': 'string', 'StandardsArn': 'string', 'StandardsInput': { 'string': 'string' }, 'StandardsStatus': 'PENDING'|'READY'|'FAILED'|'DELETING'|'INCOMPLETE', 'StandardsControlsUpdatable': 'READY_FOR_UPDATES'|'NOT_READY_FOR_UPDATES', 'StandardsStatusReason': { 'StatusReasonCode': 'NO_AVAILABLE_CONFIGURATION_RECORDER'|'MAXIMUM_NUMBER_OF_CONFIG_RULES_EXCEEDED'|'INTERNAL_ERROR' } }, ], } **Response Structure** * *(dict) --* * **StandardsSubscriptions** *(list) --* The list of "StandardsSubscriptions" objects that include information about the enabled standards. * *(dict) --* A resource that represents your subscription to a supported standard. * **StandardsSubscriptionArn** *(string) --* The ARN of the resource that represents your subscription to the standard. * **StandardsArn** *(string) --* The ARN of the standard. * **StandardsInput** *(dict) --* A key-value pair of input for the standard. * *(string) --* * *(string) --* * **StandardsStatus** *(string) --* The status of your subscription to the standard. Possible values are: * "PENDING" - The standard is in the process of being enabled. Or the standard is already enabled and Security Hub is adding new controls to the standard. * "READY" - The standard is enabled. * "INCOMPLETE" - The standard could not be enabled completely. One or more errors ( "StandardsStatusReason") occurred when Security Hub attempted to enable the standard. * "DELETING" - The standard is in the process of being disabled. * "FAILED" - The standard could not be disabled. 
One or more errors ( "StandardsStatusReason") occurred when Security Hub attempted to disable the standard. * **StandardsControlsUpdatable** *(string) --* Specifies whether you can retrieve information about and configure individual controls that apply to the standard. Possible values are: * "READY_FOR_UPDATES" - Controls in the standard can be retrieved and configured. * "NOT_READY_FOR_UPDATES" - Controls in the standard cannot be retrieved or configured. * **StandardsStatusReason** *(dict) --* The reason for the current status. * **StatusReasonCode** *(string) --* The reason code that represents the reason for the current status of a standard subscription. SecurityHub / Paginator / ListSecurityControlDefinitions ListSecurityControlDefinitions ****************************** class SecurityHub.Paginator.ListSecurityControlDefinitions paginator = client.get_paginator('list_security_control_definitions') paginate(**kwargs) Creates an iterator that will paginate through responses from "SecurityHub.Client.list_security_control_definitions()". See also: AWS API Documentation **Request Syntax** response_iterator = paginator.paginate( StandardsArn='string', PaginationConfig={ 'MaxItems': 123, 'PageSize': 123, 'StartingToken': 'string' } ) Parameters: * **StandardsArn** (*string*) -- The Amazon Resource Name (ARN) of the standard that you want to view controls for. * **PaginationConfig** (*dict*) -- A dictionary that provides parameters to control pagination. * **MaxItems** *(integer) --* The total number of items to return. If the total number of items available is more than the value specified in max-items then a "NextToken" will be provided in the output that you can use to resume pagination. * **PageSize** *(integer) --* The size of each page. * **StartingToken** *(string) --* A token to specify where to start paginating. This is the "NextToken" from a previous response. 
Return type: dict Returns: **Response Syntax** { 'SecurityControlDefinitions': [ { 'SecurityControlId': 'string', 'Title': 'string', 'Description': 'string', 'RemediationUrl': 'string', 'SeverityRating': 'LOW'|'MEDIUM'|'HIGH'|'CRITICAL', 'CurrentRegionAvailability': 'AVAILABLE'|'UNAVAILABLE', 'CustomizableProperties': [ 'Parameters', ], 'ParameterDefinitions': { 'string': { 'Description': 'string', 'ConfigurationOptions': { 'Integer': { 'DefaultValue': 123, 'Min': 123, 'Max': 123 }, 'IntegerList': { 'DefaultValue': [ 123, ], 'Min': 123, 'Max': 123, 'MaxItems': 123 }, 'Double': { 'DefaultValue': 123.0, 'Min': 123.0, 'Max': 123.0 }, 'String': { 'DefaultValue': 'string', 'Re2Expression': 'string', 'ExpressionDescription': 'string' }, 'StringList': { 'DefaultValue': [ 'string', ], 'Re2Expression': 'string', 'MaxItems': 123, 'ExpressionDescription': 'string' }, 'Boolean': { 'DefaultValue': True|False }, 'Enum': { 'DefaultValue': 'string', 'AllowedValues': [ 'string', ] }, 'EnumList': { 'DefaultValue': [ 'string', ], 'MaxItems': 123, 'AllowedValues': [ 'string', ] } } } } }, ], } **Response Structure** * *(dict) --* * **SecurityControlDefinitions** *(list) --* An array of controls that apply to the specified standard. * *(dict) --* Provides metadata for a security control, including its unique standard-agnostic identifier, title, description, severity, availability in Amazon Web Services Regions, and a link to remediation steps. * **SecurityControlId** *(string) --* The unique identifier of a security control across standards. Values for this field typically consist of an Amazon Web Services service name and a number (for example, APIGateway.3). This parameter differs from "SecurityControlArn", which is a unique Amazon Resource Name (ARN) assigned to a control. The ARN references the security control ID (for example, arn:aws:securityhub:eu-central-1:123456789012:security-control/APIGateway.3). * **Title** *(string) --* The title of a security control. 
* **Description** *(string) --* The description of a security control across standards. This typically summarizes how Security Hub evaluates the control and the conditions under which it produces a failed finding. This parameter doesn't reference a specific standard. * **RemediationUrl** *(string) --* A link to Security Hub documentation that explains how to remediate a failed finding for a security control. * **SeverityRating** *(string) --* The severity of a security control. For more information about how Security Hub determines control severity, see Assigning severity to control findings in the *Security Hub User Guide*. * **CurrentRegionAvailability** *(string) --* Specifies whether a security control is available in the current Amazon Web Services Region. * **CustomizableProperties** *(list) --* Security control properties that you can customize. Currently, only parameter customization is supported for select controls. An empty array is returned for controls that don’t support custom properties. * *(string) --* * **ParameterDefinitions** *(dict) --* An object that provides a security control parameter name, description, and the options for customizing it. This object is excluded for a control that doesn't support custom parameters. * *(string) --* * *(dict) --* An object that describes a security control parameter and the options for customizing it. * **Description** *(string) --* Description of a control parameter. * **ConfigurationOptions** *(dict) --* The options for customizing a control parameter. Customization options vary based on the data type of the parameter. Note: This is a Tagged Union structure. Only one of the following top level keys will be set: "Integer", "IntegerList", "Double", "String", "StringList", "Boolean", "Enum", "EnumList". If a client receives an unknown member it will set "SDK_UNKNOWN_MEMBER" as the top level key, which maps to the name or tag of the unknown member. 
The structure of "SDK_UNKNOWN_MEMBER" is as follows:

    'SDK_UNKNOWN_MEMBER': {'name': 'UnknownMemberName'}

* **Integer** *(dict) --* The options for customizing a security control parameter that is an integer.
  * **DefaultValue** *(integer) --* The Security Hub default value for a control parameter that is an integer.
  * **Min** *(integer) --* The minimum valid value for a control parameter that is an integer.
  * **Max** *(integer) --* The maximum valid value for a control parameter that is an integer.
* **IntegerList** *(dict) --* The options for customizing a security control parameter that is a list of integers.
  * **DefaultValue** *(list) --* The Security Hub default value for a control parameter that is a list of integers.
    * *(integer) --*
  * **Min** *(integer) --* The minimum valid value for a control parameter that is a list of integers.
  * **Max** *(integer) --* The maximum valid value for a control parameter that is a list of integers.
  * **MaxItems** *(integer) --* The maximum number of list items that an integer list control parameter can accept.
* **Double** *(dict) --* The options for customizing a security control parameter that is a double.
  * **DefaultValue** *(float) --* The Security Hub default value for a control parameter that is a double.
  * **Min** *(float) --* The minimum valid value for a control parameter that is a double.
  * **Max** *(float) --* The maximum valid value for a control parameter that is a double.
* **String** *(dict) --* The options for customizing a security control parameter that is a string data type.
  * **DefaultValue** *(string) --* The Security Hub default value for a control parameter that is a string.
  * **Re2Expression** *(string) --* An RE2 regular expression that Security Hub uses to validate a user-provided control parameter string.
  * **ExpressionDescription** *(string) --* The description of the RE2 regular expression.
* **StringList** *(dict) --* The options for customizing a security control parameter that is a list of strings. * **DefaultValue** *(list) --* The Security Hub default value for a control parameter that is a list of strings. * *(string) --* * **Re2Expression** *(string) --* An RE2 regular expression that Security Hub uses to validate a user-provided list of strings for a control parameter. * **MaxItems** *(integer) --* The maximum number of list items that a string list control parameter can accept. * **ExpressionDescription** *(string) --* The description of the RE2 regular expression. * **Boolean** *(dict) --* The options for customizing a security control parameter that is a boolean. For a boolean parameter, the options are "true" and "false". * **DefaultValue** *(boolean) --* The Security Hub default value for a boolean parameter. * **Enum** *(dict) --* The options for customizing a security control parameter that is an enum. * **DefaultValue** *(string) --* The Security Hub default value for a control parameter that is an enum. * **AllowedValues** *(list) --* The valid values for a control parameter that is an enum. * *(string) --* * **EnumList** *(dict) --* The options for customizing a security control parameter that is a list of enums. * **DefaultValue** *(list) --* The Security Hub default value for a control parameter that is a list of enums. * *(string) --* * **MaxItems** *(integer) --* The maximum number of list items that an enum list control parameter can accept. * **AllowedValues** *(list) --* The valid values for a control parameter that is a list of enums. 
* *(string) --* SecurityHub / Paginator / ListConfigurationPolicyAssociations ListConfigurationPolicyAssociations *********************************** class SecurityHub.Paginator.ListConfigurationPolicyAssociations paginator = client.get_paginator('list_configuration_policy_associations') paginate(**kwargs) Creates an iterator that will paginate through responses from "SecurityHub.Client.list_configuration_policy_associations()". See also: AWS API Documentation **Request Syntax** response_iterator = paginator.paginate( Filters={ 'ConfigurationPolicyId': 'string', 'AssociationType': 'INHERITED'|'APPLIED', 'AssociationStatus': 'PENDING'|'SUCCESS'|'FAILED' }, PaginationConfig={ 'MaxItems': 123, 'PageSize': 123, 'StartingToken': 'string' } ) Parameters: * **Filters** (*dict*) -- Options for filtering the "ListConfigurationPolicyAssociations" response. You can filter by the Amazon Resource Name (ARN) or universally unique identifier (UUID) of a configuration, "AssociationType", or "AssociationStatus". * **ConfigurationPolicyId** *(string) --* The ARN or UUID of the configuration policy. * **AssociationType** *(string) --* Indicates whether the association between a target and a configuration was directly applied by the Security Hub delegated administrator or inherited from a parent. * **AssociationStatus** *(string) --* The current status of the association between a target and a configuration policy. * **PaginationConfig** (*dict*) -- A dictionary that provides parameters to control pagination. * **MaxItems** *(integer) --* The total number of items to return. If the total number of items available is more than the value specified in max-items then a "NextToken" will be provided in the output that you can use to resume pagination. * **PageSize** *(integer) --* The size of each page. * **StartingToken** *(string) --* A token to specify where to start paginating. This is the "NextToken" from a previous response. 
Return type: dict Returns: **Response Syntax** { 'ConfigurationPolicyAssociationSummaries': [ { 'ConfigurationPolicyId': 'string', 'TargetId': 'string', 'TargetType': 'ACCOUNT'|'ORGANIZATIONAL_UNIT'|'ROOT', 'AssociationType': 'INHERITED'|'APPLIED', 'UpdatedAt': datetime(2015, 1, 1), 'AssociationStatus': 'PENDING'|'SUCCESS'|'FAILED', 'AssociationStatusMessage': 'string' }, ], } **Response Structure** * *(dict) --* * **ConfigurationPolicyAssociationSummaries** *(list) --* An object that contains the details of each configuration policy association that’s returned in a "ListConfigurationPolicyAssociations" request. * *(dict) --* An object that contains the details of a configuration policy association that’s returned in a "ListConfigurationPolicyAssociations" request. * **ConfigurationPolicyId** *(string) --* The universally unique identifier (UUID) of the configuration policy. * **TargetId** *(string) --* The identifier of the target account, organizational unit, or the root. * **TargetType** *(string) --* Specifies whether the target is an Amazon Web Services account, organizational unit, or the root. * **AssociationType** *(string) --* Indicates whether the association between the specified target and the configuration was directly applied by the Security Hub delegated administrator or inherited from a parent. * **UpdatedAt** *(datetime) --* The date and time, in UTC and ISO 8601 format, that the configuration policy association was last updated. * **AssociationStatus** *(string) --* The current status of the association between the specified target and the configuration. * **AssociationStatusMessage** *(string) --* The explanation for a "FAILED" value for "AssociationStatus". 
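For the "ConfigurationOptions" tagged union that "ListSecurityControlDefinitions" returns (documented earlier on this page), the following added example, which is not part of the SDK or of this reference, checks a planned set of custom parameter values against the returned definitions before they are applied. The control IDs, parameter names, limits and function names are constructed for illustration; whole-string matching of "Re2Expression" and the use of Python's `re` in place of RE2 are assumptions.

```python
import re

LIST_MEMBERS = {"IntegerList": "Integer", "StringList": "String", "EnumList": "Enum"}


def _scalar_errors(kind, opts, value):
    """Validate one value against the options of a scalar union member."""
    if kind in ("Integer", "Double"):
        wanted = int if kind == "Integer" else (int, float)
        # bool is a subclass of int in Python, so reject it explicitly.
        if isinstance(value, bool) or not isinstance(value, wanted):
            return [f"{value!r} is not a valid {kind}"]
        errors = []
        if "Min" in opts and value < opts["Min"]:
            errors.append(f"{value} is below Min {opts['Min']}")
        if "Max" in opts and value > opts["Max"]:
            errors.append(f"{value} is above Max {opts['Max']}")
        return errors
    if kind == "String":
        if not isinstance(value, str):
            return [f"{value!r} is not a string"]
        pattern = opts.get("Re2Expression")
        # Assumption: the whole value must match, and the pattern stays within
        # the syntax that Python's re shares with RE2.
        if pattern and re.fullmatch(pattern, value) is None:
            return [f"{value!r} does not match {pattern}"]
        return []
    if kind == "Boolean":
        return [] if isinstance(value, bool) else [f"{value!r} is not a boolean"]
    if kind == "Enum":
        allowed = opts.get("AllowedValues", [])
        return [] if value in allowed else [f"{value!r} is not one of {allowed}"]
    return [f"unhandled member {kind!r}"]


def validate_parameter(options, value):
    """Return a list of problems; an empty list means the value is acceptable."""
    if len(options) != 1:
        return ["ConfigurationOptions must carry exactly one member"]
    (kind, opts), = options.items()
    if kind == "SDK_UNKNOWN_MEMBER":
        # Fail closed: this SDK version cannot describe the parameter type.
        return [f"unknown parameter type {opts.get('name')!r}, not validated"]
    if kind not in LIST_MEMBERS:
        return _scalar_errors(kind, opts, value)
    if not isinstance(value, list):
        return [f"{value!r} is not a list"]
    errors = []
    if "MaxItems" in opts and len(value) > opts["MaxItems"]:
        errors.append(f"{len(value)} items exceed MaxItems {opts['MaxItems']}")
    for item in value:
        errors += _scalar_errors(LIST_MEMBERS[kind], opts, item)
    return errors


def audit_custom_parameters(definitions, desired):
    """Map control ID -> problems for a {control: {parameter: value}} plan."""
    by_id = {d["SecurityControlId"]: d for d in definitions}
    report = {}
    for control_id, params in desired.items():
        definition = by_id.get(control_id)
        if definition is None:
            report[control_id] = ["control is not in the definitions"]
        elif "Parameters" not in definition.get("CustomizableProperties", []):
            report[control_id] = ["control does not support custom parameters"]
        else:
            # The object is excluded for controls without custom parameters.
            known = definition.get("ParameterDefinitions", {})
            problems = []
            for name, value in params.items():
                if name in known:
                    errors = validate_parameter(known[name]["ConfigurationOptions"], value)
                else:
                    errors = ["not a parameter of this control"]
                problems += [f"{name}: {e}" for e in errors]
            if problems:
                report[control_id] = problems
    return report


def _param(member, **options):
    """Build one constructed ParameterDefinitions entry."""
    return {"Description": "constructed", "ConfigurationOptions": {member: options}}


# Constructed sample shaped like SecurityControlDefinitions entries.
SAMPLE_DEFINITIONS = [
    {"SecurityControlId": "Example.1", "CustomizableProperties": ["Parameters"],
     "ParameterDefinitions": {
         "maxKeyAgeDays": _param("Integer", DefaultValue=90, Min=1, Max=365),
         "allowedPorts": _param("IntegerList", Min=1, Max=65535, MaxItems=3),
         "bucketPrefix": _param("String", Re2Expression="^[a-z0-9-]{1,20}$"),
         "mode": _param("Enum", AllowedValues=["STRICT", "RELAXED"]),
         "futureType": _param("SDK_UNKNOWN_MEMBER", name="Duration"),
     }},
    # A control without custom properties: empty list, no ParameterDefinitions.
    {"SecurityControlId": "Example.2", "CustomizableProperties": []},
]
```

In real use, `definitions` is the concatenation of "SecurityControlDefinitions" from every page the paginator yields.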
ListEnabledProductsForImport
****************************

class SecurityHub.Paginator.ListEnabledProductsForImport

    paginator = client.get_paginator('list_enabled_products_for_import')

paginate(**kwargs)

Creates an iterator that will paginate through responses from "SecurityHub.Client.list_enabled_products_for_import()".

See also: AWS API Documentation

**Request Syntax**

    response_iterator = paginator.paginate(
        PaginationConfig={
            'MaxItems': 123,
            'PageSize': 123,
            'StartingToken': 'string'
        }
    )

Parameters:

**PaginationConfig** (*dict*) -- A dictionary that provides parameters to control pagination.

* **MaxItems** *(integer) --* The total number of items to return. If the total number of items available is more than the value specified in max-items then a "NextToken" will be provided in the output that you can use to resume pagination.
* **PageSize** *(integer) --* The size of each page.
* **StartingToken** *(string) --* A token to specify where to start paginating. This is the "NextToken" from a previous response.

Return type: dict

Returns:

**Response Syntax**

    {
        'ProductSubscriptions': [
            'string',
        ],
    }

**Response Structure**

* *(dict) --*
  * **ProductSubscriptions** *(list) --* The list of ARNs for the resources that represent your subscriptions to products.
    * *(string) --*

GetInsights
***********

class SecurityHub.Paginator.GetInsights

    paginator = client.get_paginator('get_insights')

paginate(**kwargs)

Creates an iterator that will paginate through responses from "SecurityHub.Client.get_insights()".

See also: AWS API Documentation

**Request Syntax**

    response_iterator = paginator.paginate(
        InsightArns=[
            'string',
        ],
        PaginationConfig={
            'MaxItems': 123,
            'PageSize': 123,
            'StartingToken': 'string'
        }
    )

Parameters:

* **InsightArns** (*list*) -- The ARNs of the insights to describe. If you don't provide any insight ARNs, then "GetInsights" returns all of your custom insights.
It does not return any managed insights. * *(string) --* * **PaginationConfig** (*dict*) -- A dictionary that provides parameters to control pagination. * **MaxItems** *(integer) --* The total number of items to return. If the total number of items available is more than the value specified in max-items then a "NextToken" will be provided in the output that you can use to resume pagination. * **PageSize** *(integer) --* The size of each page. * **StartingToken** *(string) --* A token to specify where to start paginating. This is the "NextToken" from a previous response. Return type: dict Returns: **Response Syntax** { 'Insights': [ { 'InsightArn': 'string', 'Name': 'string', 'Filters': { 'ProductArn': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'AwsAccountId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'Id': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'GeneratorId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'Region': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'Type': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'FirstObservedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'LastObservedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'CreatedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'UpdatedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 
'DAYS' } }, ], 'SeverityProduct': [ { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 }, ], 'SeverityNormalized': [ { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 }, ], 'SeverityLabel': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'Confidence': [ { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 }, ], 'Criticality': [ { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 }, ], 'Title': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'Description': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'RecommendationText': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'SourceUrl': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ProductFields': [ { 'Key': 'string', 'Value': 'string', 'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS' }, ], 'ProductName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'CompanyName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'UserDefinedFields': [ { 'Key': 'string', 'Value': 'string', 'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS' }, ], 'MalwareName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'MalwareType': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, 
], 'MalwarePath': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'MalwareState': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'NetworkDirection': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'NetworkProtocol': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'NetworkSourceIpV4': [ { 'Cidr': 'string' }, ], 'NetworkSourceIpV6': [ { 'Cidr': 'string' }, ], 'NetworkSourcePort': [ { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 }, ], 'NetworkSourceDomain': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'NetworkSourceMac': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'NetworkDestinationIpV4': [ { 'Cidr': 'string' }, ], 'NetworkDestinationIpV6': [ { 'Cidr': 'string' }, ], 'NetworkDestinationPort': [ { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 }, ], 'NetworkDestinationDomain': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ProcessName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ProcessPath': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ProcessPid': [ { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 }, ], 'ProcessParentPid': [ { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 }, ], 
'ProcessLaunchedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'ProcessTerminatedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'ThreatIntelIndicatorType': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ThreatIntelIndicatorValue': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ThreatIntelIndicatorCategory': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ThreatIntelIndicatorLastObservedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'ThreatIntelIndicatorSource': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ThreatIntelIndicatorSourceUrl': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceType': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourcePartition': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceRegion': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceTags': [ { 'Key': 'string', 'Value': 'string', 'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS' }, ], 'ResourceAwsEc2InstanceType': [ { 'Value': 'string', 'Comparison': 
'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceAwsEc2InstanceImageId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceAwsEc2InstanceIpV4Addresses': [ { 'Cidr': 'string' }, ], 'ResourceAwsEc2InstanceIpV6Addresses': [ { 'Cidr': 'string' }, ], 'ResourceAwsEc2InstanceKeyName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceAwsEc2InstanceIamInstanceProfileArn': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceAwsEc2InstanceVpcId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceAwsEc2InstanceSubnetId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceAwsEc2InstanceLaunchedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'ResourceAwsS3BucketOwnerId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceAwsS3BucketOwnerName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceAwsIamAccessKeyUserName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceAwsIamAccessKeyPrincipalName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceAwsIamAccessKeyStatus': [ { 'Value': 'string', 'Comparison': 
'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceAwsIamAccessKeyCreatedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'ResourceAwsIamUserUserName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceContainerName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceContainerImageId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceContainerImageName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceContainerLaunchedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'ResourceDetailsOther': [ { 'Key': 'string', 'Value': 'string', 'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS' }, ], 'ComplianceStatus': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'VerificationState': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'WorkflowState': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'WorkflowStatus': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'RecordState': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'RelatedFindingsProductArn': [ { 'Value': 'string', 'Comparison': 
'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'RelatedFindingsId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'NoteText': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'NoteUpdatedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'NoteUpdatedBy': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'Keyword': [ { 'Value': 'string' }, ], 'FindingProviderFieldsConfidence': [ { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 }, ], 'FindingProviderFieldsCriticality': [ { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 }, ], 'FindingProviderFieldsRelatedFindingsId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'FindingProviderFieldsRelatedFindingsProductArn': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'FindingProviderFieldsSeverityLabel': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'FindingProviderFieldsSeverityOriginal': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'FindingProviderFieldsTypes': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'Sample': [ { 'Value': True|False }, ], 'ComplianceSecurityControlId': [ { 'Value': 'string', 'Comparison': 
'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ComplianceAssociatedStandardsId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'VulnerabilitiesExploitAvailable': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'VulnerabilitiesFixAvailable': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ComplianceSecurityControlParametersName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ComplianceSecurityControlParametersValue': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'AwsAccountName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceApplicationName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceApplicationArn': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ] }, 'GroupByAttribute': 'string' }, ], } **Response Structure** # This section is too large to render. # Please see the AWS API Documentation linked below. AWS API Documentation SecurityHub / Paginator / ListConfigurationPolicies ListConfigurationPolicies ************************* class SecurityHub.Paginator.ListConfigurationPolicies paginator = client.get_paginator('list_configuration_policies') paginate(**kwargs) Creates an iterator that will paginate through responses from "SecurityHub.Client.list_configuration_policies()". 
See also: AWS API Documentation

**Request Syntax**

    response_iterator = paginator.paginate(
        PaginationConfig={
            'MaxItems': 123,
            'PageSize': 123,
            'StartingToken': 'string'
        }
    )

Parameters:

**PaginationConfig** (*dict*) -- A dictionary that provides parameters to control pagination.

* **MaxItems** *(integer) --* The total number of items to return. If the total number of items available is more than the value specified in max-items then a "NextToken" will be provided in the output that you can use to resume pagination.
* **PageSize** *(integer) --* The size of each page.
* **StartingToken** *(string) --* A token to specify where to start paginating. This is the "NextToken" from a previous response.

Return type: dict

Returns:

**Response Syntax**

    {
        'ConfigurationPolicySummaries': [
            {
                'Arn': 'string',
                'Id': 'string',
                'Name': 'string',
                'Description': 'string',
                'UpdatedAt': datetime(2015, 1, 1),
                'ServiceEnabled': True|False
            },
        ],
    }

**Response Structure**

* *(dict) --*
  * **ConfigurationPolicySummaries** *(list) --* Provides metadata for each of your configuration policies.
    * *(dict) --* An object that contains the details of a Security Hub configuration policy that’s returned in a "ListConfigurationPolicies" request.
      * **Arn** *(string) --* The Amazon Resource Name (ARN) of the configuration policy.
      * **Id** *(string) --* The universally unique identifier (UUID) of the configuration policy.
      * **Name** *(string) --* The name of the configuration policy. Alphanumeric characters and the following ASCII characters are permitted: "-, ., !, *, /".
      * **Description** *(string) --* The description of the configuration policy.
      * **UpdatedAt** *(datetime) --* The date and time, in UTC and ISO 8601 format, that the configuration policy was last updated.
      * **ServiceEnabled** *(boolean) --* Indicates whether the service that the configuration policy applies to is enabled in the policy.
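The following added example, which is not part of the SDK or of this reference, joins the pages returned by the "ListConfigurationPolicies" and "ListConfigurationPolicyAssociations" paginators to report targets whose association failed, has stayed pending, or points at a policy with "ServiceEnabled" set to false. The function name, the 24-hour grace period for "PENDING" and all sample identifiers are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone


def audit_policy_coverage(policy_pages, association_pages, now,
                          pending_grace=timedelta(hours=24)):
    """Join both paginators' pages and bucket the associations that need review."""
    policies = {
        policy["Id"]: policy
        for page in policy_pages
        for policy in page.get("ConfigurationPolicySummaries", [])
    }
    report = {"failed": [], "stale_pending": [],
              "service_disabled": [], "unknown_policy": []}
    for page in association_pages:
        for assoc in page.get("ConfigurationPolicyAssociationSummaries", []):
            target = (assoc["TargetType"], assoc["TargetId"])
            status = assoc["AssociationStatus"]
            if status == "FAILED":
                message = assoc.get("AssociationStatusMessage", "")
                report["failed"].append((*target, message))
            elif status == "PENDING" and now - assoc["UpdatedAt"] > pending_grace:
                report["stale_pending"].append(target)
            policy = policies.get(assoc["ConfigurationPolicyId"])
            if policy is None:
                # The association names an ID that the policy listing lacks.
                report["unknown_policy"].append((*target, assoc["ConfigurationPolicyId"]))
            elif status == "SUCCESS" and not policy["ServiceEnabled"]:
                report["service_disabled"].append((*target, policy["Name"]))
    return report


# Constructed sample pages; every identifier below is made up.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
P_BASE = "11111111-1111-4111-8111-111111111111"
P_OFF = "22222222-2222-4222-8222-222222222222"
P_GONE = "33333333-3333-4333-8333-333333333333"


def _assoc(policy_id, target_type, target_id, status, age_days, message=None):
    """Build one constructed association summary."""
    summary = {"ConfigurationPolicyId": policy_id, "TargetType": target_type,
               "TargetId": target_id, "AssociationType": "APPLIED",
               "AssociationStatus": status,
               "UpdatedAt": NOW - timedelta(days=age_days)}
    if message:
        summary["AssociationStatusMessage"] = message
    return summary


POLICY_PAGES = [{"ConfigurationPolicySummaries": [
    {"Id": P_BASE, "Name": "baseline", "ServiceEnabled": True},
    {"Id": P_OFF, "Name": "sandbox-off", "ServiceEnabled": False},
]}]
ASSOCIATION_PAGES = [
    {"ConfigurationPolicyAssociationSummaries": [
        _assoc(P_BASE, "ROOT", "r-example", "SUCCESS", 30),
        _assoc(P_OFF, "ORGANIZATIONAL_UNIT", "ou-example-sandbox", "SUCCESS", 30),
    ]},
    {"ConfigurationPolicyAssociationSummaries": [
        _assoc(P_BASE, "ACCOUNT", "111122223333", "FAILED", 1, "constructed failure"),
        _assoc(P_BASE, "ACCOUNT", "444455556666", "PENDING", 3),
        _assoc(P_GONE, "ACCOUNT", "777788889999", "SUCCESS", 2),
    ]},
]
```

Both page arguments accept the iterator that `paginate()` returns, so the same function runs unchanged against a live client.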
SecurityHub / Paginator / GetFindingsV2 GetFindingsV2 ************* class SecurityHub.Paginator.GetFindingsV2 paginator = client.get_paginator('get_findings_v2') paginate(**kwargs) Creates an iterator that will paginate through responses from "SecurityHub.Client.get_findings_v2()". See also: AWS API Documentation **Request Syntax** response_iterator = paginator.paginate( Filters={ 'CompositeFilters': [ { 'StringFilters': [ { 'FieldName': 'metadata.uid'|'activity_name'|'cloud.account.uid'|'cloud.provider'|'cloud.region'|'compliance.assessments.category'|'compliance.assessments.name'|'compliance.control'|'compliance.status'|'compliance.standards'|'finding_info.desc'|'finding_info.src_url'|'finding_info.title'|'finding_info.types'|'finding_info.uid'|'finding_info.related_events.uid'|'finding_info.related_events.product.uid'|'finding_info.related_events.title'|'metadata.product.name'|'metadata.product.uid'|'metadata.product.vendor_name'|'remediation.desc'|'remediation.references'|'resources.cloud_partition'|'resources.region'|'resources.type'|'resources.uid'|'severity'|'status'|'comment'|'vulnerabilities.fix_coverage'|'class_name', 'Filter': { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' } }, ], 'DateFilters': [ { 'FieldName': 'finding_info.created_time_dt'|'finding_info.first_seen_time_dt'|'finding_info.last_seen_time_dt'|'finding_info.modified_time_dt', 'Filter': { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } } }, ], 'BooleanFilters': [ { 'FieldName': 'compliance.assessments.meets_criteria'|'vulnerabilities.is_exploit_available'|'vulnerabilities.is_fix_available', 'Filter': { 'Value': True|False } }, ], 'NumberFilters': [ { 'FieldName': 'activity_id'|'compliance.status_id'|'confidence_score'|'severity_id'|'status_id'|'finding_info.related_events_count', 'Filter': { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 } }, ], 'MapFilters': 
[ { 'FieldName': 'resources.tags', 'Filter': { 'Key': 'string', 'Value': 'string', 'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS' } }, ], 'Operator': 'AND'|'OR' }, ], 'CompositeOperator': 'AND'|'OR' }, SortCriteria=[ { 'Field': 'string', 'SortOrder': 'asc'|'desc' }, ], PaginationConfig={ 'MaxItems': 123, 'PageSize': 123, 'StartingToken': 'string' } ) Parameters: * **Filters** (*dict*) -- The finding attributes used to define a condition to filter the returned OCSF findings. You can filter up to 10 composite filters. For each filter type inside of a composite filter, you can provide up to 20 filters. * **CompositeFilters** *(list) --* Enables the creation of complex filtering conditions by combining filter criteria. * *(dict) --* Enables the creation of filtering criteria for security findings. * **StringFilters** *(list) --* Enables filtering based on string field values. * *(dict) --* Enables filtering of security findings based on string field values in OCSF. * **FieldName** *(string) --* The name of the field. * **Filter** *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". 
* To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. 
"CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". * "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. * **DateFilters** *(list) --* Enables filtering based on date and timestamp fields. * *(dict) --* Enables filtering of security findings based on date and timestamp fields in OCSF. * **FieldName** *(string) --* The name of the field. * **Filter** *(dict) --* A date filter for querying findings. * **Start** *(string) --* A timestamp that provides the start date for the date filter. For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps. * **End** *(string) --* A timestamp that provides the end date for the date filter. For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps. * **DateRange** *(dict) --* A date range for the date filter. * **Value** *(integer) --* A date range value for the date filter. * **Unit** *(string) --* A date range unit for the date filter. 
* **BooleanFilters** *(list) --* Enables filtering based on boolean field values. * *(dict) --* Enables filtering of security findings based on boolean field values in OCSF. * **FieldName** *(string) --* The name of the field. * **Filter** *(dict) --* Boolean filter for querying findings. * **Value** *(boolean) --* The value of the boolean. * **NumberFilters** *(list) --* Enables filtering based on numerical field values. * *(dict) --* Enables filtering of security findings based on numerical field values in OCSF. * **FieldName** *(string) --* The name of the field. * **Filter** *(dict) --* A number filter for querying findings. * **Gte** *(float) --* The greater-than-equal condition to be applied to a single field when querying for findings. * **Lte** *(float) --* The less-than-equal condition to be applied to a single field when querying for findings. * **Eq** *(float) --* The equal-to condition to be applied to a single field when querying for findings. * **Gt** *(float) --* The greater-than condition to be applied to a single field when querying for findings. * **Lt** *(float) --* The less-than condition to be applied to a single field when querying for findings. * **MapFilters** *(list) --* Enables filtering based on map field values. * *(dict) --* Enables filtering of security findings based on map field values in OCSF. * **FieldName** *(string) --* The name of the field. * **Filter** *(dict) --* A map filter for filtering Security Hub findings. Each map filter provides the field to check for, the value to check for, and the comparison operator. * **Key** *(string) --* The key of the map filter. For example, for "ResourceTags", "Key" identifies the name of the tag. For "UserDefinedFields", "Key" is the name of the field. * **Value** *(string) --* The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called "Department" might be "Security". 
If you provide "security" as the filter value, then there's no match. * **Comparison** *(string) --* The condition to apply to the key value when filtering Security Hub findings with a map filter. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, for the "ResourceTags" field, the filter "Department CONTAINS Security" matches findings that include the value "Security" for the "Department" tag. In the same example, a finding with a value of "Security team" for the "Department" tag is a match. * To search for values that exactly match the filter value, use "EQUALS". For example, for the "ResourceTags" field, the filter "Department EQUALS Security" matches findings that have the value "Security" for the "Department" tag. "CONTAINS" and "EQUALS" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Department CONTAINS Security OR Department CONTAINS Finance" match a finding that includes either "Security", "Finance", or both values. To search for values that don't have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, for the "ResourceTags" field, the filter "Department NOT_CONTAINS Finance" matches findings that exclude the value "Finance" for the "Department" tag. * To search for values other than the filter value, use "NOT_EQUALS". For example, for the "ResourceTags" field, the filter "Department NOT_EQUALS Finance" matches findings that don’t have the value "Finance" for the "Department" tag. "NOT_CONTAINS" and "NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. 
For example, the filters "Department NOT_CONTAINS Security AND Department NOT_CONTAINS Finance" match a finding that excludes both the "Security" and "Finance" values. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can’t have both an "EQUALS" filter and a "NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules. For more information, see Automation rules in the *Security Hub User Guide*. * **Operator** *(string) --* The logical operator used to combine multiple filter conditions. * **CompositeOperator** *(string) --* The logical operators used to combine the filtering on multiple "CompositeFilters". * **SortCriteria** (*list*) -- The finding attributes used to sort the list of returned findings. * *(dict) --* A collection of finding attributes used to sort findings. * **Field** *(string) --* The finding attribute used to sort findings. * **SortOrder** *(string) --* The order used to sort findings. * **PaginationConfig** (*dict*) -- A dictionary that provides parameters to control pagination. * **MaxItems** *(integer) --* The total number of items to return. If the total number of items available is more than the value specified in max-items then a "NextToken" will be provided in the output that you can use to resume pagination. * **PageSize** *(integer) --* The size of each page. * **StartingToken** *(string) --* A token to specify where to start paginating. This is the "NextToken" from a previous response. Return type: dict Returns: **Response Syntax** { 'Findings': [ {...}|[...]|123|123.4|'string'|True|None, ], } **Response Structure** * *(dict) --* * **Findings** *(list) --* An array of security findings returned by the operation. 
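The string-filter rules documented above for "GetFindingsV2" can be checked on the client before a request is sent. The following is an added example, not part of the boto3 or Security Hub documentation: the function names are hypothetical, the "only with other CONTAINS filters" rule is applied per field as an assumption, and the sample filter is the page's "ResourceType" example expressed on the "resources.type" field. It is a local model of the documented same-field semantics only and does not model "Operator" or "CompositeOperator".

```python
"""Client-side checks for a GetFindingsV2 ``Filters`` argument (added example)."""
from collections import defaultdict

POSITIVE = {"EQUALS", "PREFIX", "CONTAINS"}                     # same field: joined by OR
NEGATIVE = {"NOT_EQUALS", "PREFIX_NOT_EQUALS", "NOT_CONTAINS"}  # same field: joined by AND
MAX_COMPOSITE_FILTERS = 10   # "You can filter up to 10 composite filters"
MAX_FILTERS_PER_TYPE = 20    # "up to 20 filters" per filter type in a composite
FILTER_TYPES = ("StringFilters", "DateFilters", "BooleanFilters",
                "NumberFilters", "MapFilters")


def comparison_conflicts(ops):
    """Return documented rule violations for the comparisons used on one field."""
    problems = []
    if {"CONTAINS", "NOT_CONTAINS"} <= ops:
        problems.append("CONTAINS and NOT_CONTAINS on the same field")
    if "EQUALS" in ops and ops & {"NOT_EQUALS", "PREFIX_NOT_EQUALS"}:
        problems.append("EQUALS with NOT_EQUALS or PREFIX_NOT_EQUALS on the same field")
    # CONTAINS / NOT_CONTAINS may only accompany filters of their own kind;
    # scoping this rule to a single field is an assumption of this example.
    others = ops - {"CONTAINS", "NOT_CONTAINS"}
    for op in ("CONTAINS", "NOT_CONTAINS"):
        if op in ops and others:
            problems.append(f"{op} mixed with {', '.join(sorted(others))}")
    return problems


def validate_filters(filters):
    """Return a list of problems found in a GetFindingsV2 Filters dict."""
    problems = []
    composites = filters.get("CompositeFilters", [])
    if len(composites) > MAX_COMPOSITE_FILTERS:
        problems.append(
            f"{len(composites)} composite filters (limit {MAX_COMPOSITE_FILTERS})")
    for i, comp in enumerate(composites):
        for ftype in FILTER_TYPES:
            count = len(comp.get(ftype, []))
            if count > MAX_FILTERS_PER_TYPE:
                problems.append(
                    f"CompositeFilters[{i}].{ftype}: {count} filters "
                    f"(limit {MAX_FILTERS_PER_TYPE})")
        ops_by_field = defaultdict(set)
        for sf in comp.get("StringFilters", []):
            ops_by_field[sf["FieldName"]].add(sf["Filter"]["Comparison"])
        for field, ops in sorted(ops_by_field.items()):
            problems += [f"CompositeFilters[{i}] {field}: {p}"
                         for p in comparison_conflicts(ops)]
    return problems


def _hit(comparison, actual, wanted):
    """Case-sensitive test of one string filter against one field value."""
    if comparison not in POSITIVE | NEGATIVE:
        raise ValueError(f"semantics of {comparison} are not described on this page")
    if comparison in ("EQUALS", "NOT_EQUALS"):
        hit = actual == wanted
    elif comparison in ("PREFIX", "PREFIX_NOT_EQUALS"):
        hit = actual.startswith(wanted)
    else:  # CONTAINS / NOT_CONTAINS
        hit = wanted in actual
    return hit if comparison in POSITIVE else not hit


def field_matches(actual, field_filters):
    """Apply all string filters for ONE field: positives OR-ed, negatives AND-ed."""
    positive = [_hit(f["Comparison"], actual, f["Value"])
                for f in field_filters if f["Comparison"] in POSITIVE]
    negative = [_hit(f["Comparison"], actual, f["Value"])
                for f in field_filters if f["Comparison"] not in POSITIVE]
    return (any(positive) if positive else True) and all(negative)


def _sf(value, comparison, field="resources.type"):
    """Build one StringFilters entry (helper for the constructed sample below)."""
    return {"FieldName": field, "Filter": {"Value": value, "Comparison": comparison}}


# Constructed sample: the page's ResourceType example as a Filters argument.
PAGE_EXAMPLE = {
    "CompositeFilters": [{
        "StringFilters": [
            _sf("AwsIam", "PREFIX"),
            _sf("AwsEc2", "PREFIX"),
            _sf("AwsIamPolicy", "NOT_EQUALS"),
            _sf("AwsEc2NetworkInterface", "NOT_EQUALS"),
        ],
        "Operator": "AND",
    }],
    "CompositeOperator": "AND",
}

if __name__ == "__main__":
    print("problems:", validate_filters(PAGE_EXAMPLE))
    rules = [sf["Filter"] for sf in PAGE_EXAMPLE["CompositeFilters"][0]["StringFilters"]]
    for rtype in ("AwsIamRole", "AwsIamPolicy", "AwsEc2Instance", "awsiamrole"):
        print(rtype, field_matches(rtype, rules))
```

A filter value with the wrong case fails silently rather than raising an error, so an empty result from a triage query is worth re-checking against the exact casing the product emits.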
             * (*document*) --

ListFindingAggregators
**********************

class SecurityHub.Paginator.ListFindingAggregators

   paginator = client.get_paginator('list_finding_aggregators')

   paginate(**kwargs)

      Creates an iterator that will paginate through responses from "SecurityHub.Client.list_finding_aggregators()".

      See also: AWS API Documentation

      **Request Syntax**

         response_iterator = paginator.paginate(
             PaginationConfig={
                 'MaxItems': 123,
                 'PageSize': 123,
                 'StartingToken': 'string'
             }
         )

      Parameters:
         **PaginationConfig** (*dict*) -- A dictionary that provides parameters to control pagination.

         * **MaxItems** *(integer) --* The total number of items to return. If the total number of items available is more than the value specified in max-items then a "NextToken" will be provided in the output that you can use to resume pagination.

         * **PageSize** *(integer) --* The size of each page.

         * **StartingToken** *(string) --* A token to specify where to start paginating. This is the "NextToken" from a previous response.

      Return type:
         dict

      Returns:
         **Response Syntax**

            {
                'FindingAggregators': [
                    {
                        'FindingAggregatorArn': 'string'
                    },
                ],
            }

         **Response Structure**

         * *(dict) --*

           * **FindingAggregators** *(list) --* The list of finding aggregators. This operation currently only returns a single result.

             * *(dict) --* A finding aggregator is a Security Hub resource that specifies cross-Region aggregation settings, including the home Region and any linked Regions.

               * **FindingAggregatorArn** *(string) --* The ARN of the finding aggregator. You use the finding aggregator ARN to retrieve details for, update, and delete the finding aggregator.

GetFindingHistory
*****************

class SecurityHub.Paginator.GetFindingHistory

   paginator = client.get_paginator('get_finding_history')

   paginate(**kwargs)

      Creates an iterator that will paginate through responses from "SecurityHub.Client.get_finding_history()".

      See also: AWS API Documentation

      **Request Syntax**

         response_iterator = paginator.paginate(
             FindingIdentifier={
                 'Id': 'string',
                 'ProductArn': 'string'
             },
             StartTime=datetime(2015, 1, 1),
             EndTime=datetime(2015, 1, 1),
             PaginationConfig={
                 'MaxItems': 123,
                 'PageSize': 123,
                 'StartingToken': 'string'
             }
         )

      Parameters:
         * **FindingIdentifier** (*dict*) -- **[REQUIRED]** Identifies which finding to get the finding history for.

           * **Id** *(string) --* **[REQUIRED]** The identifier of the finding that was specified by the finding provider.

           * **ProductArn** *(string) --* **[REQUIRED]** The ARN generated by Security Hub that uniquely identifies a product that generates findings. This can be the ARN for a third-party product that is integrated with Security Hub, or the ARN for a custom integration.

         * **StartTime** (*datetime*) -- A timestamp that indicates the start time of the requested finding history.

           If you provide values for both "StartTime" and "EndTime", Security Hub returns finding history for the specified time period. If you provide a value for "StartTime" but not for "EndTime", Security Hub returns finding history from the "StartTime" to the time at which the API is called. If you provide a value for "EndTime" but not for "StartTime", Security Hub returns finding history from the "CreatedAt" timestamp of the finding to the "EndTime". If you provide neither "StartTime" nor "EndTime", Security Hub returns finding history from the "CreatedAt" timestamp of the finding to the time at which the API is called. In all of these scenarios, the response is limited to 100 results.

           For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps.

         * **EndTime** (*datetime*) -- An ISO 8601-formatted timestamp that indicates the end time of the requested finding history.

           If you provide values for both "StartTime" and "EndTime", Security Hub returns finding history for the specified time period.
           If you provide a value for "StartTime" but not for "EndTime", Security Hub returns finding history from the "StartTime" to the time at which the API is called. If you provide a value for "EndTime" but not for "StartTime", Security Hub returns finding history from the "CreatedAt" timestamp of the finding to the "EndTime". If you provide neither "StartTime" nor "EndTime", Security Hub returns finding history from the "CreatedAt" timestamp of the finding to the time at which the API is called. In all of these scenarios, the response is limited to 100 results.

           For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps.

         * **PaginationConfig** (*dict*) -- A dictionary that provides parameters to control pagination.

           * **MaxItems** *(integer) --* The total number of items to return. If the total number of items available is more than the value specified in max-items then a "NextToken" will be provided in the output that you can use to resume pagination.

           * **PageSize** *(integer) --* The size of each page.

           * **StartingToken** *(string) --* A token to specify where to start paginating. This is the "NextToken" from a previous response.

      Return type:
         dict

      Returns:
         **Response Syntax**

            {
                'Records': [
                    {
                        'FindingIdentifier': {
                            'Id': 'string',
                            'ProductArn': 'string'
                        },
                        'UpdateTime': datetime(2015, 1, 1),
                        'FindingCreated': True|False,
                        'UpdateSource': {
                            'Type': 'BATCH_UPDATE_FINDINGS'|'BATCH_IMPORT_FINDINGS',
                            'Identity': 'string'
                        },
                        'Updates': [
                            {
                                'UpdatedField': 'string',
                                'OldValue': 'string',
                                'NewValue': 'string'
                            },
                        ],
                        'NextToken': 'string'
                    },
                ],
            }

         **Response Structure**

         * *(dict) --*

           * **Records** *(list) --* A list of events that altered the specified finding during the specified time period.

             * *(dict) --* A list of events that changed the specified finding during the specified time period. Each record represents a single finding change event.

               * **FindingIdentifier** *(dict) --* Identifies which finding to get the finding history for.

                 * **Id** *(string) --* The identifier of the finding that was specified by the finding provider.

                 * **ProductArn** *(string) --* The ARN generated by Security Hub that uniquely identifies a product that generates findings. This can be the ARN for a third-party product that is integrated with Security Hub, or the ARN for a custom integration.

               * **UpdateTime** *(datetime) --* A timestamp that indicates when Security Hub processed the updated finding record.

                 For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps.

               * **FindingCreated** *(boolean) --* Identifies whether the event marks the creation of a new finding. A value of "True" means that the finding is newly created. A value of "False" means that the finding isn’t newly created.

               * **UpdateSource** *(dict) --* Identifies the source of the event that changed the finding. For example, an integrated Amazon Web Services service or third-party partner integration may call BatchImportFindings, or a Security Hub customer may call BatchUpdateFindings.

                 * **Type** *(string) --* Describes the type of finding change event, such as a call to BatchImportFindings (by an integrated Amazon Web Services service or third-party partner integration) or BatchUpdateFindings (by a Security Hub customer).

                 * **Identity** *(string) --* The identity of the source that initiated the finding change event. For example, the Amazon Resource Name (ARN) of a partner that calls BatchImportFindings or of a customer that calls BatchUpdateFindings.

               * **Updates** *(list) --* An array of objects that provides details about the finding change event, including the Amazon Web Services Security Finding Format (ASFF) field that changed, the value of the field before the change, and the value of the field after the change.

                 * *(dict) --* An array of objects that provides details about a change to a finding, including the Amazon Web Services Security Finding Format (ASFF) field that changed, the value of the field before the change, and the value of the field after the change.

                   * **UpdatedField** *(string) --* The ASFF field that changed during the finding change event.

                   * **OldValue** *(string) --* The value of the ASFF field before the finding change event.

                   * **NewValue** *(string) --* The value of the ASFF field after the finding change event. To preserve storage and readability, Security Hub omits this value if FindingHistoryRecord exceeds database limits.

               * **NextToken** *(string) --* A token for pagination purposes. Provide this token in the subsequent request to GetFindingHistory to get up to an additional 100 results of history for the same finding that you specified in your initial request.

DescribeActionTargets
*********************

class SecurityHub.Paginator.DescribeActionTargets

   paginator = client.get_paginator('describe_action_targets')

   paginate(**kwargs)

      Creates an iterator that will paginate through responses from "SecurityHub.Client.describe_action_targets()".

      See also: AWS API Documentation

      **Request Syntax**

         response_iterator = paginator.paginate(
             ActionTargetArns=[
                 'string',
             ],
             PaginationConfig={
                 'MaxItems': 123,
                 'PageSize': 123,
                 'StartingToken': 'string'
             }
         )

      Parameters:
         * **ActionTargetArns** (*list*) -- A list of custom action target ARNs for the custom action targets to retrieve.

           * *(string) --*

         * **PaginationConfig** (*dict*) -- A dictionary that provides parameters to control pagination.

           * **MaxItems** *(integer) --* The total number of items to return. If the total number of items available is more than the value specified in max-items then a "NextToken" will be provided in the output that you can use to resume pagination.

           * **PageSize** *(integer) --* The size of each page.

           * **StartingToken** *(string) --* A token to specify where to start paginating. This is the "NextToken" from a previous response.

      Return type:
         dict

      Returns:
         **Response Syntax**

            {
                'ActionTargets': [
                    {
                        'ActionTargetArn': 'string',
                        'Name': 'string',
                        'Description': 'string'
                    },
                ],
            }

         **Response Structure**

         * *(dict) --*

           * **ActionTargets** *(list) --* A list of "ActionTarget" objects. Each object includes the "ActionTargetArn", "Description", and "Name" of a custom action target available in Security Hub.

             * *(dict) --* An "ActionTarget" object.

               * **ActionTargetArn** *(string) --* The ARN for the target action.

               * **Name** *(string) --* The name of the action target.

               * **Description** *(string) --* The description of the target action.

DescribeStandards
*****************

class SecurityHub.Paginator.DescribeStandards

   paginator = client.get_paginator('describe_standards')

   paginate(**kwargs)

      Creates an iterator that will paginate through responses from "SecurityHub.Client.describe_standards()".

      See also: AWS API Documentation

      **Request Syntax**

         response_iterator = paginator.paginate(
             PaginationConfig={
                 'MaxItems': 123,
                 'PageSize': 123,
                 'StartingToken': 'string'
             }
         )

      Parameters:
         **PaginationConfig** (*dict*) -- A dictionary that provides parameters to control pagination.

         * **MaxItems** *(integer) --* The total number of items to return. If the total number of items available is more than the value specified in max-items then a "NextToken" will be provided in the output that you can use to resume pagination.

         * **PageSize** *(integer) --* The size of each page.

         * **StartingToken** *(string) --* A token to specify where to start paginating. This is the "NextToken" from a previous response.

      Return type:
         dict

      Returns:
         **Response Syntax**

            {
                'Standards': [
                    {
                        'StandardsArn': 'string',
                        'Name': 'string',
                        'Description': 'string',
                        'EnabledByDefault': True|False,
                        'StandardsManagedBy': {
                            'Company': 'string',
                            'Product': 'string'
                        }
                    },
                ],
            }

         **Response Structure**

         * *(dict) --*

           * **Standards** *(list) --* A list of available standards.

             * *(dict) --* Provides information about a specific security standard.

               * **StandardsArn** *(string) --* The ARN of the standard.

               * **Name** *(string) --* The name of the standard.

               * **Description** *(string) --* A description of the standard.

               * **EnabledByDefault** *(boolean) --* Whether the standard is enabled by default. When Security Hub is enabled from the console, if a standard is enabled by default, the check box for that standard is selected by default.

                 When Security Hub is enabled using the "EnableSecurityHub" API operation, the standard is enabled by default unless "EnableDefaultStandards" is set to "false".

               * **StandardsManagedBy** *(dict) --* Provides details about the management of a standard.

                 * **Company** *(string) --* An identifier for the company that manages a specific security standard. For existing standards, the value is equal to "Amazon Web Services".

                 * **Product** *(string) --* An identifier for the product that manages a specific security standard. For existing standards, the value is equal to the Amazon Web Services service that manages the standard.

ListAggregatorsV2
*****************

class SecurityHub.Paginator.ListAggregatorsV2

   paginator = client.get_paginator('list_aggregators_v2')

   paginate(**kwargs)

      Creates an iterator that will paginate through responses from "SecurityHub.Client.list_aggregators_v2()".

      See also: AWS API Documentation

      **Request Syntax**

         response_iterator = paginator.paginate(
             PaginationConfig={
                 'MaxItems': 123,
                 'PageSize': 123,
                 'StartingToken': 'string'
             }
         )

      Parameters:
         **PaginationConfig** (*dict*) -- A dictionary that provides parameters to control pagination.

         * **MaxItems** *(integer) --* The total number of items to return. If the total number of items available is more than the value specified in max-items then a "NextToken" will be provided in the output that you can use to resume pagination.

         * **PageSize** *(integer) --* The size of each page.

         * **StartingToken** *(string) --* A token to specify where to start paginating. This is the "NextToken" from a previous response.

      Return type:
         dict

      Returns:
         **Response Syntax**

            {
                'AggregatorsV2': [
                    {
                        'AggregatorV2Arn': 'string'
                    },
                ],
            }

         **Response Structure**

         * *(dict) --*

           * **AggregatorsV2** *(list) --* An array of aggregators.

             * *(dict) --* Specifies a cross-Region data aggregation configuration, including the aggregation Region and any linked Regions.

               * **AggregatorV2Arn** *(string) --* The ARN of the aggregatorV2.

connector_registrations_v2
**************************

SecurityHub.Client.connector_registrations_v2(**kwargs)

   Grants permission to complete the authorization based on input parameters. This API is in preview release and subject to change.

   See also: AWS API Documentation

   **Request Syntax**

      response = client.connector_registrations_v2(
          AuthCode='string',
          AuthState='string'
      )

   Parameters:
      * **AuthCode** (*string*) -- **[REQUIRED]** The authCode retrieved from authUrl to complete the OAuth 2.0 authorization code flow.

      * **AuthState** (*string*) -- **[REQUIRED]** The authState retrieved from authUrl to complete the OAuth 2.0 authorization code flow.

   Return type:
      dict

   Returns:
      **Response Syntax**

         {
             'ConnectorArn': 'string',
             'ConnectorId': 'string'
         }

      **Response Structure**

      * *(dict) --*

        * **ConnectorArn** *(string) --* The Amazon Resource Name (ARN) of the connectorV2.

        * **ConnectorId** *(string) --* The UUID of the connectorV2 to identify connectorV2 resource.

   **Exceptions**

   * "SecurityHub.Client.exceptions.AccessDeniedException"

   * "SecurityHub.Client.exceptions.InternalServerException"

   * "SecurityHub.Client.exceptions.ValidationException"

   * "SecurityHub.Client.exceptions.ThrottlingException"

   * "SecurityHub.Client.exceptions.ConflictException"

   * "SecurityHub.Client.exceptions.ResourceNotFoundException"

get_findings
************

SecurityHub.Client.get_findings(**kwargs)

   Returns a list of findings that match the specified criteria.

   If cross-Region aggregation is enabled, then when you call "GetFindings" from the home Region, the results include all of the matching findings from both the home Region and linked Regions.
See also: AWS API Documentation **Request Syntax** response = client.get_findings( Filters={ 'ProductArn': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'AwsAccountId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'Id': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'GeneratorId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'Region': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'Type': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'FirstObservedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'LastObservedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'CreatedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'UpdatedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'SeverityProduct': [ { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 }, ], 'SeverityNormalized': [ { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 }, ], 'SeverityLabel': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'Confidence': [ { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 }, ], 'Criticality': [ { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 }, ], 'Title': [ { 'Value': 'string', 'Comparison': 
'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'Description': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'RecommendationText': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'SourceUrl': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ProductFields': [ { 'Key': 'string', 'Value': 'string', 'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS' }, ], 'ProductName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'CompanyName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'UserDefinedFields': [ { 'Key': 'string', 'Value': 'string', 'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS' }, ], 'MalwareName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'MalwareType': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'MalwarePath': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'MalwareState': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'NetworkDirection': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'NetworkProtocol': [ { 'Value': 'string', 'Comparison': 
'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'NetworkSourceIpV4': [ { 'Cidr': 'string' }, ], 'NetworkSourceIpV6': [ { 'Cidr': 'string' }, ], 'NetworkSourcePort': [ { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 }, ], 'NetworkSourceDomain': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'NetworkSourceMac': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'NetworkDestinationIpV4': [ { 'Cidr': 'string' }, ], 'NetworkDestinationIpV6': [ { 'Cidr': 'string' }, ], 'NetworkDestinationPort': [ { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 }, ], 'NetworkDestinationDomain': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ProcessName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ProcessPath': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ProcessPid': [ { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 }, ], 'ProcessParentPid': [ { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 }, ], 'ProcessLaunchedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'ProcessTerminatedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'ThreatIntelIndicatorType': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ThreatIntelIndicatorValue': [ { 'Value': 'string', 'Comparison': 
'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ThreatIntelIndicatorCategory': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ThreatIntelIndicatorLastObservedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'ThreatIntelIndicatorSource': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ThreatIntelIndicatorSourceUrl': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceType': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourcePartition': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceRegion': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceTags': [ { 'Key': 'string', 'Value': 'string', 'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS' }, ], 'ResourceAwsEc2InstanceType': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceAwsEc2InstanceImageId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceAwsEc2InstanceIpV4Addresses': [ { 'Cidr': 'string' }, ], 'ResourceAwsEc2InstanceIpV6Addresses': [ { 'Cidr': 'string' }, ], 'ResourceAwsEc2InstanceKeyName': [ { 'Value': 'string', 
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceAwsEc2InstanceIamInstanceProfileArn': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceAwsEc2InstanceVpcId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceAwsEc2InstanceSubnetId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceAwsEc2InstanceLaunchedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'ResourceAwsS3BucketOwnerId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceAwsS3BucketOwnerName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceAwsIamAccessKeyUserName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceAwsIamAccessKeyPrincipalName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceAwsIamAccessKeyStatus': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceAwsIamAccessKeyCreatedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'ResourceAwsIamUserUserName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceContainerName': [ { 'Value': 'string', 'Comparison': 
'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceContainerImageId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceContainerImageName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceContainerLaunchedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'ResourceDetailsOther': [ { 'Key': 'string', 'Value': 'string', 'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS' }, ], 'ComplianceStatus': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'VerificationState': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'WorkflowState': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'WorkflowStatus': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'RecordState': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'RelatedFindingsProductArn': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'RelatedFindingsId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'NoteText': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'NoteUpdatedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 
'Value': 123, 'Unit': 'DAYS' } }, ], 'NoteUpdatedBy': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'Keyword': [ { 'Value': 'string' }, ], 'FindingProviderFieldsConfidence': [ { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 }, ], 'FindingProviderFieldsCriticality': [ { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 }, ], 'FindingProviderFieldsRelatedFindingsId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'FindingProviderFieldsRelatedFindingsProductArn': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'FindingProviderFieldsSeverityLabel': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'FindingProviderFieldsSeverityOriginal': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'FindingProviderFieldsTypes': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'Sample': [ { 'Value': True|False }, ], 'ComplianceSecurityControlId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ComplianceAssociatedStandardsId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'VulnerabilitiesExploitAvailable': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'VulnerabilitiesFixAvailable': [ { 'Value': 'string', 'Comparison': 
'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ComplianceSecurityControlParametersName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ComplianceSecurityControlParametersValue': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'AwsAccountName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceApplicationName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceApplicationArn': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ] }, SortCriteria=[ { 'Field': 'string', 'SortOrder': 'asc'|'desc' }, ], NextToken='string', MaxResults=123 )

   **Parameters**

      # This section is too large to render.
      # Please see the AWS API Documentation linked below.

      AWS API Documentation

   Return type:
      dict

   Returns:
      **Response Syntax**

         # This section is too large to render.
         # Please see the AWS API Documentation linked below.

         AWS API Documentation

      **Response Structure**

         # This section is too large to render.
         # Please see the AWS API Documentation linked below.

         AWS API Documentation

   **Exceptions**

   * "SecurityHub.Client.exceptions.InternalException"

   * "SecurityHub.Client.exceptions.InvalidInputException"

   * "SecurityHub.Client.exceptions.InvalidAccessException"

   * "SecurityHub.Client.exceptions.LimitExceededException"

disable_security_hub_v2
***********************

SecurityHub.Client.disable_security_hub_v2()

   Disable the service for the current Amazon Web Services Region or specified Amazon Web Services Region.
   This API is in private preview and subject to change.

   See also: AWS API Documentation

   **Request Syntax**

      response = client.disable_security_hub_v2()

   Return type:
      dict

   Returns:
      **Response Syntax**

         {}

      **Response Structure**

      * *(dict) --*

   **Exceptions**

   * "SecurityHub.Client.exceptions.AccessDeniedException"

   * "SecurityHub.Client.exceptions.InternalServerException"

   * "SecurityHub.Client.exceptions.ThrottlingException"

   * "SecurityHub.Client.exceptions.ValidationException"

create_automation_rule
**********************

SecurityHub.Client.create_automation_rule(**kwargs)

   Creates an automation rule based on input parameters.

   See also: AWS API Documentation

   **Request Syntax**

      response = client.create_automation_rule( Tags={ 'string': 'string' }, RuleStatus='ENABLED'|'DISABLED', RuleOrder=123, RuleName='string', Description='string', IsTerminal=True|False, Criteria={ 'ProductArn': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'AwsAccountId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'Id': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'GeneratorId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'Type': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'FirstObservedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'LastObservedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'CreatedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'UpdatedAt': [ {
'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'Confidence': [ { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 }, ], 'Criticality': [ { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 }, ], 'Title': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'Description': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'SourceUrl': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ProductName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'CompanyName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'SeverityLabel': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceType': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourcePartition': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceRegion': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceTags': [ { 'Key': 'string', 'Value': 'string', 'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS' }, ], 'ResourceDetailsOther': [ { 'Key': 'string', 'Value': 'string', 'Comparison': 
'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS' }, ], 'ComplianceStatus': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ComplianceSecurityControlId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ComplianceAssociatedStandardsId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'VerificationState': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'WorkflowStatus': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'RecordState': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'RelatedFindingsProductArn': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'RelatedFindingsId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'NoteText': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'NoteUpdatedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'NoteUpdatedBy': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'UserDefinedFields': [ { 'Key': 'string', 'Value': 'string', 'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS' }, ], 'ResourceApplicationArn': [ { 'Value': 'string', 'Comparison': 
'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceApplicationName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'AwsAccountName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ] }, Actions=[ { 'Type': 'FINDING_FIELDS_UPDATE', 'FindingFieldsUpdate': { 'Note': { 'Text': 'string', 'UpdatedBy': 'string' }, 'Severity': { 'Normalized': 123, 'Product': 123.0, 'Label': 'INFORMATIONAL'|'LOW'|'MEDIUM'|'HIGH'|'CRITICAL' }, 'VerificationState': 'UNKNOWN'|'TRUE_POSITIVE'|'FALSE_POSITIVE'|'BENIGN_POSITIVE', 'Confidence': 123, 'Criticality': 123, 'Types': [ 'string', ], 'UserDefinedFields': { 'string': 'string' }, 'Workflow': { 'Status': 'NEW'|'NOTIFIED'|'RESOLVED'|'SUPPRESSED' }, 'RelatedFindings': [ { 'ProductArn': 'string', 'Id': 'string' }, ] } }, ] )

   Parameters:

      * **Tags** (*dict*) -- User-defined tags associated with an automation rule.

        * *(string) --*

          * *(string) --*

      * **RuleStatus** (*string*) -- Whether the rule is active after it is created. If this parameter is equal to "ENABLED", Security Hub starts applying the rule to findings and finding updates after the rule is created. To change the value of this parameter after creating a rule, use BatchUpdateAutomationRules.

      * **RuleOrder** (*integer*) -- **[REQUIRED]** An integer ranging from 1 to 1000 that represents the order in which the rule action is applied to findings. Security Hub applies rules with lower values for this parameter first.

      * **RuleName** (*string*) -- **[REQUIRED]** The name of the rule.

      * **Description** (*string*) -- **[REQUIRED]** A description of the rule.

      * **IsTerminal** (*boolean*) -- Specifies whether a rule is the last to be applied with respect to a finding that matches the rule criteria. This is useful when a finding matches the criteria for multiple rules, and each rule has different actions. If a rule is terminal, Security Hub applies the rule action to a finding that matches the rule criteria and doesn't evaluate other rules for the finding. By default, a rule isn't terminal.

      * **Criteria** (*dict*) -- **[REQUIRED]** A set of ASFF finding field attributes and corresponding expected values that Security Hub uses to filter findings. If a rule is enabled and a finding matches the conditions specified in this parameter, Security Hub applies the rule action to the finding.

        * **ProductArn** *(list) --* The Amazon Resource Name (ARN) for a third-party product that generated a finding in Security Hub.

          Array Members: Minimum number of 1 item. Maximum number of 20 items.

          * *(dict) --* A string filter for filtering Security Hub findings.

            * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match.

            * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings.

              To search for values that have the filter value, use one of the following comparison operators:

              * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront.

              * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012".

              * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match.

              "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title.

              To search for values that don’t have the filter value, use one of the following comparison operators:

              * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront.

              * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012".

              * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us".

              "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title.

              You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters.

              You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters.

              For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface".

              * "ResourceType PREFIX AwsIam"

              * "ResourceType PREFIX AwsEc2"

              * "ResourceType NOT_EQUALS AwsIamPolicy"

              * "ResourceType NOT_EQUALS AwsEc2NetworkInterface"

              "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*.

        * **AwsAccountId** *(list) --* The Amazon Web Services account ID in which a finding was generated.

          Array Members: Minimum number of 1 item. Maximum number of 100 items.

          * *(dict) --* A string filter for filtering Security Hub findings.

            * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match.

            * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings.

              To search for values that have the filter value, use one of the following comparison operators:

              * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront.

              * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012".

              * To search for values that start with the filter value, use "PREFIX".
                For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match.

              "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title.

              To search for values that don’t have the filter value, use one of the following comparison operators:

              * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront.

              * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012".

              * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us".

              "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title.

              You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters.

              You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters.

              For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface".

              * "ResourceType PREFIX AwsIam"

              * "ResourceType PREFIX AwsEc2"

              * "ResourceType NOT_EQUALS AwsIamPolicy"

              * "ResourceType NOT_EQUALS AwsEc2NetworkInterface"

              "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*.

        * **Id** *(list) --* The product-specific identifier for a finding.

          Array Members: Minimum number of 1 item. Maximum number of 20 items.

          * *(dict) --* A string filter for filtering Security Hub findings.

            * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match.

            * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings.

              To search for values that have the filter value, use one of the following comparison operators:

              * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront.

              * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012".

              * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match.

              "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title.

              To search for values that don’t have the filter value, use one of the following comparison operators:

              * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront.

              * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012".

              * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us".

              "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title.

              You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters.

              You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters.

              For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface".

              * "ResourceType PREFIX AwsIam"

              * "ResourceType PREFIX AwsEc2"

              * "ResourceType NOT_EQUALS AwsIamPolicy"

              * "ResourceType NOT_EQUALS AwsEc2NetworkInterface"

              "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*.

        * **GeneratorId** *(list) --* The identifier for the solution-specific component that generated a finding.

          Array Members: Minimum number of 1 item. Maximum number of 100 items.

          * *(dict) --* A string filter for filtering Security Hub findings.

            * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match.

            * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings.
              To search for values that have the filter value, use one of the following comparison operators:

              * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront.

              * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012".

              * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match.

              "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title.

              To search for values that don’t have the filter value, use one of the following comparison operators:

              * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront.

              * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012".

              * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us".

              "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title.

              You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters.

              You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters.

              For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface".

              * "ResourceType PREFIX AwsIam"

              * "ResourceType PREFIX AwsEc2"

              * "ResourceType NOT_EQUALS AwsIamPolicy"

              * "ResourceType NOT_EQUALS AwsEc2NetworkInterface"

              "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*.

        * **Type** *(list) --* One or more finding types in the format of namespace/category/classifier that classify a finding. For a list of namespaces, classifiers, and categories, see Types taxonomy for ASFF in the *Security Hub User Guide*.

          Array Members: Minimum number of 1 item. Maximum number of 20 items.

          * *(dict) --* A string filter for filtering Security Hub findings.
* **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". 
* To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". * "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. 
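The combination rules described above (positive operators joined by OR, negative operators joined by AND, "PREFIX" processed before "NOT_EQUALS", and the rejected pairings) modelled locally as an added example that is not part of the boto3 documentation. The names `validate`, `is_valid` and `evaluate` are hypothetical, the sample filter list is constructed from the page's own "ResourceType" example, and no AWS call is made.

```python
# Added example: a local model of the documented string-filter rules.
# Nothing here talks to AWS; it only mirrors the prose of this reference.

POSITIVE = {"CONTAINS", "EQUALS", "PREFIX"}                     # joined by OR
NEGATIVE = {"NOT_CONTAINS", "NOT_EQUALS", "PREFIX_NOT_EQUALS"}  # joined by AND
MAX_ITEMS = {"Title": 100}   # the other string fields in this section allow 20
DEFAULT_MAX_ITEMS = 20


class FilterError(ValueError):
    """A filter list that the documentation says is rejected."""


def validate(field, filters):
    """Check one field's filter list against the documented combination rules."""
    limit = MAX_ITEMS.get(field, DEFAULT_MAX_ITEMS)
    if not 1 <= len(filters) <= limit:
        raise FilterError(f"{field}: expected 1..{limit} filters, got {len(filters)}")
    ops = {f["Comparison"] for f in filters}
    unknown = ops - POSITIVE - NEGATIVE
    if unknown:
        # CONTAINS_WORD belongs to the V2 APIs and is not modelled here.
        raise FilterError(f"{field}: unsupported comparison {sorted(unknown)}")
    for op in ("CONTAINS", "NOT_CONTAINS"):
        if op in ops and ops != {op}:
            raise FilterError(f"{field}: {op} only combines with other {op} filters")
    if "EQUALS" in ops and ops & {"NOT_EQUALS", "PREFIX_NOT_EQUALS"}:
        raise FilterError(f"{field}: EQUALS cannot be mixed with NOT_EQUALS "
                          "or PREFIX_NOT_EQUALS")


def is_valid(field, filters):
    """True when validate() accepts the list, False when it raises."""
    try:
        validate(field, filters)
    except FilterError:
        return False
    return True


def _hit(op, actual, value):
    """Does `actual` contain / start with / equal `value`? Case sensitive."""
    if op.endswith("CONTAINS"):
        return value in actual
    if op.startswith("PREFIX"):
        return actual.startswith(value)
    return actual == value          # EQUALS and NOT_EQUALS


def evaluate(field, filters, actual):
    """Would a finding whose `field` equals `actual` match this filter list?"""
    validate(field, filters)
    include = [f for f in filters if f["Comparison"] in POSITIVE]
    exclude = [f for f in filters if f["Comparison"] in NEGATIVE]
    # Step 1: positive filters select candidates (any one is enough).
    selected = not include or any(
        _hit(f["Comparison"], actual, f["Value"]) for f in include)
    # Step 2: negative filters must all hold, so a single hit excludes.
    excluded = any(_hit(f["Comparison"], actual, f["Value"]) for f in exclude)
    return selected and not excluded


# Constructed sample: the ResourceType example from the text above.
RESOURCE_TYPE_FILTERS = [
    {"Value": "AwsIam", "Comparison": "PREFIX"},
    {"Value": "AwsEc2", "Comparison": "PREFIX"},
    {"Value": "AwsIamPolicy", "Comparison": "NOT_EQUALS"},
    {"Value": "AwsEc2NetworkInterface", "Comparison": "NOT_EQUALS"},
]

if __name__ == "__main__":
    for value in ("AwsIamRole", "AwsIamPolicy", "AwsEc2Instance",
                  "AwsEc2NetworkInterface", "AwsS3Bucket"):
        verdict = evaluate("ResourceType", RESOURCE_TYPE_FILTERS, value)
        print(f"{value:24} {'match' if verdict else 'no match'}")
```

Running a criteria list through `is_valid` before it goes into a rule catches the pairings that the service rejects, and `evaluate` shows which values a mixed "PREFIX" and "NOT_EQUALS" list actually keeps.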
* **FirstObservedAt** *(list) --* A timestamp that indicates when the potential security issue captured by a finding was first observed by the security findings product. For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A date filter for querying findings. * **Start** *(string) --* A timestamp that provides the start date for the date filter. For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps. * **End** *(string) --* A timestamp that provides the end date for the date filter. For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps. * **DateRange** *(dict) --* A date range for the date filter. * **Value** *(integer) --* A date range value for the date filter. * **Unit** *(string) --* A date range unit for the date filter. * **LastObservedAt** *(list) --* A timestamp that indicates when the security findings provider most recently observed a change in the resource that is involved in the finding. For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A date filter for querying findings. * **Start** *(string) --* A timestamp that provides the start date for the date filter. For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps. * **End** *(string) --* A timestamp that provides the end date for the date filter. For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps. * **DateRange** *(dict) --* A date range for the date filter. * **Value** *(integer) --* A date range value for the date filter. * **Unit** *(string) --* A date range unit for the date filter. 
* **CreatedAt** *(list) --* A timestamp that indicates when this finding record was created. For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A date filter for querying findings. * **Start** *(string) --* A timestamp that provides the start date for the date filter. For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps. * **End** *(string) --* A timestamp that provides the end date for the date filter. For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps. * **DateRange** *(dict) --* A date range for the date filter. * **Value** *(integer) --* A date range value for the date filter. * **Unit** *(string) --* A date range unit for the date filter. * **UpdatedAt** *(list) --* A timestamp that indicates when the finding record was most recently updated. For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A date filter for querying findings. * **Start** *(string) --* A timestamp that provides the start date for the date filter. For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps. * **End** *(string) --* A timestamp that provides the end date for the date filter. For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps. * **DateRange** *(dict) --* A date range for the date filter. * **Value** *(integer) --* A date range value for the date filter. * **Unit** *(string) --* A date range unit for the date filter. * **Confidence** *(list) --* The likelihood that a finding accurately identifies the behavior or issue that it was intended to identify. 
"Confidence" is scored on a 0–100 basis using a ratio scale. A value of "0" means 0 percent confidence, and a value of "100" means 100 percent confidence. For example, a data exfiltration detection based on a statistical deviation of network traffic has low confidence because an actual exfiltration hasn't been verified. For more information, see Confidence in the *Security Hub User Guide*. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A number filter for querying findings. * **Gte** *(float) --* The greater-than-equal condition to be applied to a single field when querying for findings. * **Lte** *(float) --* The less-than-equal condition to be applied to a single field when querying for findings. * **Eq** *(float) --* The equal-to condition to be applied to a single field when querying for findings. * **Gt** *(float) --* The greater-than condition to be applied to a single field when querying for findings. * **Lt** *(float) --* The less-than condition to be applied to a single field when querying for findings. * **Criticality** *(list) --* The level of importance that is assigned to the resources that are associated with a finding. "Criticality" is scored on a 0–100 basis, using a ratio scale that supports only full integers. A score of "0" means that the underlying resources have no criticality, and a score of "100" is reserved for the most critical resources. For more information, see Criticality in the *Security Hub User Guide*. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A number filter for querying findings. * **Gte** *(float) --* The greater-than-equal condition to be applied to a single field when querying for findings. * **Lte** *(float) --* The less-than-equal condition to be applied to a single field when querying for findings. * **Eq** *(float) --* The equal-to condition to be applied to a single field when querying for findings. 
* **Gt** *(float) --* The greater-than condition to be applied to a single field when querying for findings. * **Lt** *(float) --* The less-than condition to be applied to a single field when querying for findings. * **Title** *(list) --* A finding's title. Array Members: Minimum number of 1 item. Maximum number of 100 items. * *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. 
To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". 
* "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. * **Description** *(list) --* A finding's description. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. 
For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. 
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". * "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. * **SourceUrl** *(list) --* Provides a URL that links to a page about the current finding in the finding product. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". 
For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. 
"NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". * "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. * **ProductName** *(list) --* Provides the name of the product that generated the finding. For control-based findings, the product name is Security Hub. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. 
* To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. 
Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". * "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. * **CompanyName** *(list) --* The name of the company for the product that generated the finding. For control-based findings, the company is Amazon Web Services. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. 
To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". 
A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". * "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. * **SeverityLabel** *(list) --* The severity value of the finding. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". 
If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". 
For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". * "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. * **ResourceType** *(list) --* The type of resource that the finding pertains to. Array Members: Minimum number of 1 item. Maximum number of 20 items. 
* *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". 
For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". * "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. 
For more information, see Automation rules in the *Security Hub User Guide*. * **ResourceId** *(list) --* The identifier for the given resource type. For Amazon Web Services resources that are identified by Amazon Resource Names (ARNs), this is the ARN. For Amazon Web Services resources that lack ARNs, this is the identifier as defined by the Amazon Web Services service that created the resource. For non-Amazon Web Services resources, this is a unique identifier that is associated with the resource. Array Members: Minimum number of 1 item. Maximum number of 100 items. * *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. 
For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. 
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". * "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. * **ResourcePartition** *(list) --* The partition in which the resource that the finding pertains to is located. A partition is a group of Amazon Web Services Regions. Each Amazon Web Services account is scoped to one partition. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". 
* To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. 
"CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". * "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. * **ResourceRegion** *(list) --* The Amazon Web Services Region where the resource that a finding pertains to is located. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. 
* To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. 
Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". * "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. * **ResourceTags** *(list) --* A list of Amazon Web Services tags associated with a resource at the time the finding was processed. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A map filter for filtering Security Hub findings. Each map filter provides the field to check for, the value to check for, and the comparison operator. * **Key** *(string) --* The key of the map filter. For example, for "ResourceTags", "Key" identifies the name of the tag. For "UserDefinedFields", "Key" is the name of the field. * **Value** *(string) --* The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called "Department" might be "Security". 
If you provide "security" as the filter value, then there's no match. * **Comparison** *(string) --* The condition to apply to the key value when filtering Security Hub findings with a map filter. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, for the "ResourceTags" field, the filter "Department CONTAINS Security" matches findings that include the value "Security" for the "Department" tag. In the same example, a finding with a value of "Security team" for the "Department" tag is a match. * To search for values that exactly match the filter value, use "EQUALS". For example, for the "ResourceTags" field, the filter "Department EQUALS Security" matches findings that have the value "Security" for the "Department" tag. "CONTAINS" and "EQUALS" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Department CONTAINS Security OR Department CONTAINS Finance" match a finding that includes either "Security", "Finance", or both values. To search for values that don't have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, for the "ResourceTags" field, the filter "Department NOT_CONTAINS Finance" matches findings that exclude the value "Finance" for the "Department" tag. * To search for values other than the filter value, use "NOT_EQUALS". For example, for the "ResourceTags" field, the filter "Department NOT_EQUALS Finance" matches findings that don’t have the value "Finance" for the "Department" tag. "NOT_CONTAINS" and "NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. 
For example, the filters "Department NOT_CONTAINS Security AND Department NOT_CONTAINS Finance" match a finding that excludes both the "Security" and "Finance" values. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can’t have both an "EQUALS" filter and a "NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules. For more information, see Automation rules in the *Security Hub User Guide*. * **ResourceDetailsOther** *(list) --* Custom fields and values about the resource that a finding pertains to. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A map filter for filtering Security Hub findings. Each map filter provides the field to check for, the value to check for, and the comparison operator. * **Key** *(string) --* The key of the map filter. For example, for "ResourceTags", "Key" identifies the name of the tag. For "UserDefinedFields", "Key" is the name of the field. * **Value** *(string) --* The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called "Department" might be "Security". If you provide "security" as the filter value, then there's no match. * **Comparison** *(string) --* The condition to apply to the key value when filtering Security Hub findings with a map filter. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, for the "ResourceTags" field, the filter "Department CONTAINS Security" matches findings that include the value "Security" for the "Department" tag. 
In the same example, a finding with a value of "Security team" for the "Department" tag is a match. * To search for values that exactly match the filter value, use "EQUALS". For example, for the "ResourceTags" field, the filter "Department EQUALS Security" matches findings that have the value "Security" for the "Department" tag. "CONTAINS" and "EQUALS" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Department CONTAINS Security OR Department CONTAINS Finance" match a finding that includes either "Security", "Finance", or both values. To search for values that don't have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, for the "ResourceTags" field, the filter "Department NOT_CONTAINS Finance" matches findings that exclude the value "Finance" for the "Department" tag. * To search for values other than the filter value, use "NOT_EQUALS". For example, for the "ResourceTags" field, the filter "Department NOT_EQUALS Finance" matches findings that don’t have the value "Finance" for the "Department" tag. "NOT_CONTAINS" and "NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Department NOT_CONTAINS Security AND Department NOT_CONTAINS Finance" match a finding that excludes both the "Security" and "Finance" values. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can’t have both an "EQUALS" filter and a "NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules. 
For more information, see Automation rules in the *Security Hub User Guide*. * **ComplianceStatus** *(list) --* The result of a security check. This field is only used for findings generated from controls. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". 
For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". 
* "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. * **ComplianceSecurityControlId** *(list) --* The security control ID for which a finding was generated. Security control IDs are the same across standards. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". 
A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. 
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". * "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. * **ComplianceAssociatedStandardsId** *(list) --* The unique identifier of a standard in which a control is enabled. This field consists of the resource portion of the Amazon Resource Name (ARN) returned for a standard in the DescribeStandards API response. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". 
* To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. 
"CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". * "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. * **VerificationState** *(list) --* Provides the veracity of a finding. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. 
* To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. 
Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". * "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. * **WorkflowStatus** *(list) --* Provides information about the status of the investigation into a finding. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. 
To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". 
A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". * "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. * **RecordState** *(list) --* Provides the current state of a finding. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". 
If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". 
For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". * "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. * **RelatedFindingsProductArn** *(list) --* The ARN for the product that generated a related finding. Array Members: Minimum number of 1 item. Maximum number of 20 items. 
* *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". 
For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". * "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. 
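The combination rules above can be checked locally before a filter list is sent to the API. The following is an added example, not part of the Security Hub reference or of boto3: `validate_string_filters`, `field_matches` and the sample values are hypothetical names, and the evaluator models only the rules stated on this page ("CONTAINS_WORD" is left out).

```python
"""Local model of the string-filter rules documented on this page (added example)."""

POSITIVE = {"EQUALS", "PREFIX", "CONTAINS"}                      # joined by OR
NEGATIVE = {"NOT_EQUALS", "PREFIX_NOT_EQUALS", "NOT_CONTAINS"}   # joined by AND
MAX_FILTERS_PER_FIELD = 20                                       # "Maximum number of 20 items"


def validate_string_filters(filters):
    """Return the list of documented rules that one field's filter list breaks."""
    problems = []
    if not 1 <= len(filters) <= MAX_FILTERS_PER_FIELD:
        problems.append("a field takes between 1 and 20 filters")
    ops = set()
    for flt in filters:
        op = flt.get("Comparison")
        if op not in POSITIVE | NEGATIVE:
            problems.append(f"comparison not covered by this model: {op!r}")
        elif not isinstance(flt.get("Value"), str):
            problems.append(f"{op} filter needs a string Value")
        ops.add(op)
    # CONTAINS and NOT_CONTAINS may only be combined with filters of their own kind.
    if "CONTAINS" in ops and ops != {"CONTAINS"}:
        problems.append("CONTAINS can only be used with other CONTAINS filters")
    if "NOT_CONTAINS" in ops and ops != {"NOT_CONTAINS"}:
        problems.append("NOT_CONTAINS can only be used with other NOT_CONTAINS filters")
    # EQUALS cannot share a field with NOT_EQUALS or PREFIX_NOT_EQUALS.
    if "EQUALS" in ops and ops & {"NOT_EQUALS", "PREFIX_NOT_EQUALS"}:
        problems.append("EQUALS cannot be combined with NOT_EQUALS or PREFIX_NOT_EQUALS")
    return problems


def _holds(op, actual, wanted):
    """Evaluate one comparison; every comparison is case sensitive."""
    if op in ("EQUALS", "NOT_EQUALS"):
        hit = actual == wanted
    elif op in ("PREFIX", "PREFIX_NOT_EQUALS"):
        hit = actual.startswith(wanted)
    else:  # CONTAINS / NOT_CONTAINS
        hit = wanted in actual
    return hit if op in POSITIVE else not hit


def field_matches(actual, filters):
    """True if a field value passes the filters: positives OR'd first, then negatives AND'd."""
    problems = validate_string_filters(filters)
    if problems:
        raise ValueError("; ".join(problems))
    positive = [f for f in filters if f["Comparison"] in POSITIVE]
    negative = [f for f in filters if f["Comparison"] in NEGATIVE]
    included = any(_holds(f["Comparison"], actual, f["Value"]) for f in positive) if positive else True
    return included and all(_holds(f["Comparison"], actual, f["Value"]) for f in negative)


# The ResourceType example from the text, in the list-of-dicts shape described above.
RESOURCE_TYPE_FILTERS = [
    {"Value": "AwsIam", "Comparison": "PREFIX"},
    {"Value": "AwsEc2", "Comparison": "PREFIX"},
    {"Value": "AwsIamPolicy", "Comparison": "NOT_EQUALS"},
    {"Value": "AwsEc2NetworkInterface", "Comparison": "NOT_EQUALS"},
]

if __name__ == "__main__":
    # Constructed sample resource types, not output from a real account.
    for rtype in ["AwsIamRole", "AwsIamPolicy", "AwsEc2Instance",
                  "AwsEc2NetworkInterface", "AwsS3Bucket"]:
        print(f"{rtype:24} {field_matches(rtype, RESOURCE_TYPE_FILTERS)}")
    # Case sensitivity: the lowercase value does not match "Security Hub".
    print(field_matches("Security Hub", [{"Value": "security hub", "Comparison": "EQUALS"}]))
    # A combination the page says returns an error.
    print(validate_string_filters([{"Value": "123456789012", "Comparison": "EQUALS"},
                                   {"Value": "210987654321", "Comparison": "NOT_EQUALS"}]))
```

Running the validator in CI over stored insight or automation-rule filter definitions catches rejected combinations before deployment; the service's own response remains the authority on what is accepted.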
For more information, see Automation rules in the *Security Hub User Guide*. * **RelatedFindingsId** *(list) --* The product-generated identifier for a related finding. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". 
For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". 
* "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. * **NoteText** *(list) --* The text of a user-defined note that's added to a finding. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. 
For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. 
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". * "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. * **NoteUpdatedAt** *(list) --* The timestamp of when the note was updated. For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A date filter for querying findings. * **Start** *(string) --* A timestamp that provides the start date for the date filter. For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps. * **End** *(string) --* A timestamp that provides the end date for the date filter. For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps. * **DateRange** *(dict) --* A date range for the date filter. * **Value** *(integer) --* A date range value for the date filter. * **Unit** *(string) --* A date range unit for the date filter. * **NoteUpdatedBy** *(list) --* The principal that created a note. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". 
If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". 
For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". * "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. * **UserDefinedFields** *(list) --* A list of user-defined name and value string pairs added to a finding. Array Members: Minimum number of 1 item. 
Maximum number of 20 items. * *(dict) --* A map filter for filtering Security Hub findings. Each map filter provides the field to check for, the value to check for, and the comparison operator. * **Key** *(string) --* The key of the map filter. For example, for "ResourceTags", "Key" identifies the name of the tag. For "UserDefinedFields", "Key" is the name of the field. * **Value** *(string) --* The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called "Department" might be "Security". If you provide "security" as the filter value, then there's no match. * **Comparison** *(string) --* The condition to apply to the key value when filtering Security Hub findings with a map filter. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, for the "ResourceTags" field, the filter "Department CONTAINS Security" matches findings that include the value "Security" for the "Department" tag. In the same example, a finding with a value of "Security team" for the "Department" tag is a match. * To search for values that exactly match the filter value, use "EQUALS". For example, for the "ResourceTags" field, the filter "Department EQUALS Security" matches findings that have the value "Security" for the "Department" tag. "CONTAINS" and "EQUALS" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Department CONTAINS Security OR Department CONTAINS Finance" match a finding that includes either "Security", "Finance", or both values. To search for values that don't have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". 
For example, for the "ResourceTags" field, the filter "Department NOT_CONTAINS Finance" matches findings that exclude the value "Finance" for the "Department" tag. * To search for values other than the filter value, use "NOT_EQUALS". For example, for the "ResourceTags" field, the filter "Department NOT_EQUALS Finance" matches findings that don’t have the value "Finance" for the "Department" tag. "NOT_CONTAINS" and "NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Department NOT_CONTAINS Security AND Department NOT_CONTAINS Finance" match a finding that excludes both the "Security" and "Finance" values. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can’t have both an "EQUALS" filter and a "NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules. For more information, see Automation rules in the *Security Hub User Guide*. * **ResourceApplicationArn** *(list) --* The Amazon Resource Name (ARN) of the application that is related to a finding. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". 
For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. 
For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". * "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. * **ResourceApplicationName** *(list) --* The name of the application that is related to a finding. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match. 
* **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". 
"NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". * "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. * **AwsAccountName** *(list) --* The name of the Amazon Web Services account in which a finding was generated. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. 
Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". 
For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". * "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. * **Actions** (*list*) -- **[REQUIRED]** One or more actions to update finding fields if a finding matches the conditions specified in "Criteria". 
  * *(dict) --* One or more actions that Security Hub takes when a finding matches the defined criteria of a rule.

    * **Type** *(string) --* Specifies the type of action that Security Hub takes when a finding matches the defined criteria of a rule.

    * **FindingFieldsUpdate** *(dict) --* Specifies that the automation rule action is an update to a finding field.

      * **Note** *(dict) --* The updated note.

        * **Text** *(string) --* **[REQUIRED]** The updated note text.

        * **UpdatedBy** *(string) --* **[REQUIRED]** The principal that updated the note.

      * **Severity** *(dict) --* Updates to the severity information for a finding.

        * **Normalized** *(integer) --* The normalized severity for the finding. This attribute is to be deprecated in favor of "Label". If you provide "Normalized" and don't provide "Label", "Label" is set automatically as follows.

          * 0 - "INFORMATIONAL"
          * 1–39 - "LOW"
          * 40–69 - "MEDIUM"
          * 70–89 - "HIGH"
          * 90–100 - "CRITICAL"

        * **Product** *(float) --* The native severity as defined by the Amazon Web Services service or integrated partner product that generated the finding.

        * **Label** *(string) --* The severity value of the finding. The allowed values are the following.

          * "INFORMATIONAL" - No issue was found.
          * "LOW" - The issue does not require action on its own.
          * "MEDIUM" - The issue must be addressed but not urgently.
          * "HIGH" - The issue must be addressed as a priority.
          * "CRITICAL" - The issue must be remediated immediately to avoid it escalating.

      * **VerificationState** *(string) --* The rule action updates the "VerificationState" field of a finding.

      * **Confidence** *(integer) --* The rule action updates the "Confidence" field of a finding.

      * **Criticality** *(integer) --* The rule action updates the "Criticality" field of a finding.

      * **Types** *(list) --* The rule action updates the "Types" field of a finding.

        * *(string) --*

      * **UserDefinedFields** *(dict) --* The rule action updates the "UserDefinedFields" field of a finding.

        * *(string) --*

          * *(string) --*

      * **Workflow** *(dict) --* Used to update information about the investigation into the finding.

        * **Status** *(string) --* The status of the investigation into the finding. The workflow status is specific to an individual finding. It does not affect the generation of new findings. For example, setting the workflow status to "SUPPRESSED" or "RESOLVED" does not prevent a new finding for the same issue. The allowed values are the following.

          * "NEW" - The initial state of a finding, before it is reviewed. Security Hub also resets "WorkFlowStatus" from "NOTIFIED" or "RESOLVED" to "NEW" in the following cases:

            * The record state changes from "ARCHIVED" to "ACTIVE".
            * The compliance status changes from "PASSED" to either "WARNING", "FAILED", or "NOT_AVAILABLE".

          * "NOTIFIED" - Indicates that you notified the resource owner about the security issue. Used when the initial reviewer is not the resource owner, and needs intervention from the resource owner.

          * "RESOLVED" - The finding was reviewed and remediated and is now considered resolved.

          * "SUPPRESSED" - Indicates that you reviewed the finding and don't believe that any action is needed. The finding is no longer updated.

      * **RelatedFindings** *(list) --* The rule action updates the "RelatedFindings" field of a finding.

        * *(dict) --* Details about a related finding.

          * **ProductArn** *(string) --* **[REQUIRED]** The ARN of the product that generated a related finding.

          * **Id** *(string) --* **[REQUIRED]** The product-generated identifier for a related finding.

Return type:
  dict

Returns:
  **Response Syntax**

     {
         'RuleArn': 'string'
     }

  **Response Structure**

  * *(dict) --*

    * **RuleArn** *(string) --* The Amazon Resource Name (ARN) of the automation rule that you created.
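The string-filter rules documented above for rule criteria (positive comparisons joined by "OR", negative ones by "AND", "PREFIX" processed before "NOT_EQUALS", case-sensitive values) can be dry-run locally before a rule is created. This is an added example, not code from the boto3 documentation: the function names, the error strings and the flattened "ResourceType" sample records are assumptions made for the example, and "CONTAINS_WORD" is not modelled.

```python
# Added example: local dry-run of the documented string-filter rules.
# Function names are hypothetical (not boto3 APIs); sample records are constructed.

POSITIVE = {"CONTAINS", "EQUALS", "PREFIX"}
NEGATIVE = {"NOT_CONTAINS", "NOT_EQUALS", "PREFIX_NOT_EQUALS"}


def validate_string_filters(filters):
    """Return the documented combination rules that `filters` breaks.

    `filters` is the list supplied for ONE field, for example the list
    given under a "ResourceType" criteria key.
    """
    errors = []
    if not 1 <= len(filters) <= 20:
        errors.append("a filter list takes 1 to 20 items")
    ops = {f["Comparison"] for f in filters}
    unknown = ops - POSITIVE - NEGATIVE
    if unknown:
        errors.append("comparison not modelled here: " + ", ".join(sorted(unknown)))
    if "CONTAINS" in ops and ops != {"CONTAINS"}:
        errors.append("CONTAINS combines only with other CONTAINS filters")
    if "NOT_CONTAINS" in ops and ops != {"NOT_CONTAINS"}:
        errors.append("NOT_CONTAINS combines only with other NOT_CONTAINS filters")
    if "EQUALS" in ops and ops & {"NOT_EQUALS", "PREFIX_NOT_EQUALS"}:
        errors.append("EQUALS cannot share a field with NOT_EQUALS or PREFIX_NOT_EQUALS")
    return errors


def _hit(comparison, field_value, filter_value):
    """Case-sensitive test of one filter against one field value."""
    if comparison in ("CONTAINS", "NOT_CONTAINS"):
        found = filter_value in field_value
    elif comparison in ("EQUALS", "NOT_EQUALS"):
        found = field_value == filter_value
    else:  # PREFIX, PREFIX_NOT_EQUALS
        found = field_value.startswith(filter_value)
    return found if comparison in POSITIVE else not found


def field_matches(field_value, filters):
    """Apply all filters for one field to one value, as the reference describes."""
    errors = validate_string_filters(filters)
    if errors:
        raise ValueError("; ".join(errors))
    positive = [f for f in filters if f["Comparison"] in POSITIVE]
    negative = [f for f in filters if f["Comparison"] in NEGATIVE]
    # Positive filters are joined by OR; with none present, nothing is narrowed.
    included = not positive or any(
        _hit(f["Comparison"], field_value, f["Value"]) for f in positive
    )
    # Negative filters are joined by AND and applied after the positive ones.
    return included and all(
        _hit(f["Comparison"], field_value, f["Value"]) for f in negative
    )


def dry_run(findings, field, filters):
    """Return the Ids of the sample findings that the filters would select."""
    return [f["Id"] for f in findings if field_matches(f[field], filters)]


# Constructed sample findings, flattened to the single field under test.
SAMPLE_FINDINGS = [
    {"Id": "f-1", "ResourceType": "AwsIamRole"},
    {"Id": "f-2", "ResourceType": "AwsIamPolicy"},
    {"Id": "f-3", "ResourceType": "AwsEc2Instance"},
    {"Id": "f-4", "ResourceType": "AwsEc2NetworkInterface"},
    {"Id": "f-5", "ResourceType": "AwsS3Bucket"},
    {"Id": "f-6", "ResourceType": "awsiamuser"},  # wrong case: no PREFIX match
]

# The four-filter example from the reference text.
RESOURCE_TYPE_FILTERS = [
    {"Value": "AwsIam", "Comparison": "PREFIX"},
    {"Value": "AwsEc2", "Comparison": "PREFIX"},
    {"Value": "AwsIamPolicy", "Comparison": "NOT_EQUALS"},
    {"Value": "AwsEc2NetworkInterface", "Comparison": "NOT_EQUALS"},
]

if __name__ == "__main__":
    print(dry_run(SAMPLE_FINDINGS, "ResourceType", RESOURCE_TYPE_FILTERS))
```

Running the same check over an export of real findings shows how broadly a criteria block selects before its actions, such as a workflow status change, are applied automatically.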
**Exceptions**

* "SecurityHub.Client.exceptions.AccessDeniedException"
* "SecurityHub.Client.exceptions.InternalException"
* "SecurityHub.Client.exceptions.InvalidAccessException"
* "SecurityHub.Client.exceptions.InvalidInputException"
* "SecurityHub.Client.exceptions.LimitExceededException"

create_ticket_v2
****************

SecurityHub.Client.create_ticket_v2(**kwargs)

   Grants permission to create a ticket in the chosen ITSM based on finding information for the provided finding metadata UID.

   This API is in preview release and subject to change.

   See also: AWS API Documentation

   **Request Syntax**

      response = client.create_ticket_v2(
          ConnectorId='string',
          FindingMetadataUid='string',
          ClientToken='string'
      )

   Parameters:
      * **ConnectorId** (*string*) -- **[REQUIRED]** The UUID of the connectorV2 that identifies the connectorV2 resource.

      * **FindingMetadataUid** (*string*) -- **[REQUIRED]** The unique ID for the finding.

      * **ClientToken** (*string*) -- The client idempotency token. This field is autopopulated if not provided.

   Return type:
      dict

   Returns:
      **Response Syntax**

         {
             'TicketId': 'string',
             'TicketSrcUrl': 'string'
         }

      **Response Structure**

      * *(dict) --*

        * **TicketId** *(string) --* The ID for the ticketv2.

        * **TicketSrcUrl** *(string) --* The URL of the created ticket.

   **Exceptions**

   * "SecurityHub.Client.exceptions.AccessDeniedException"
   * "SecurityHub.Client.exceptions.InternalServerException"
   * "SecurityHub.Client.exceptions.ValidationException"
   * "SecurityHub.Client.exceptions.ThrottlingException"
   * "SecurityHub.Client.exceptions.ConflictException"
   * "SecurityHub.Client.exceptions.ResourceNotFoundException"

get_paginator
*************

SecurityHub.Client.get_paginator(operation_name)

   Create a paginator for an operation.

   Parameters:
      **operation_name** (*string*) -- The operation name. This is the same name as the method name on the client.
      For example, if the method name is "create_foo", and you'd normally invoke the operation as "client.create_foo(**kwargs)", if the "create_foo" operation can be paginated, you can use the call "client.get_paginator("create_foo")".

   Raises:
      **OperationNotPageableError** -- Raised if the operation is not pageable. You can use the "client.can_paginate" method to check if an operation is pageable.

   Return type:
      "botocore.paginate.Paginator"

   Returns:
      A paginator object.

get_findings_v2
***************

SecurityHub.Client.get_findings_v2(**kwargs)

   Return a list of findings that match the specified criteria. "GetFindings" and "GetFindingsV2" both use "securityhub:GetFindings" in the "Action" element of an IAM policy statement. You must have permission to perform the "securityhub:GetFindings" action.

   This API is in private preview and subject to change.

   See also: AWS API Documentation

   **Request Syntax**

      response = client.get_findings_v2(
          Filters={
              'CompositeFilters': [
                  {
                      'StringFilters': [
                          {
                              'FieldName': 'metadata.uid'|'activity_name'|'cloud.account.uid'|'cloud.provider'|'cloud.region'|'compliance.assessments.category'|'compliance.assessments.name'|'compliance.control'|'compliance.status'|'compliance.standards'|'finding_info.desc'|'finding_info.src_url'|'finding_info.title'|'finding_info.types'|'finding_info.uid'|'finding_info.related_events.uid'|'finding_info.related_events.product.uid'|'finding_info.related_events.title'|'metadata.product.name'|'metadata.product.uid'|'metadata.product.vendor_name'|'remediation.desc'|'remediation.references'|'resources.cloud_partition'|'resources.region'|'resources.type'|'resources.uid'|'severity'|'status'|'comment'|'vulnerabilities.fix_coverage'|'class_name',
                              'Filter': {
                                  'Value': 'string',
                                  'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
                              }
                          },
                      ],
                      'DateFilters': [
                          {
                              'FieldName': 'finding_info.created_time_dt'|'finding_info.first_seen_time_dt'|'finding_info.last_seen_time_dt'|'finding_info.modified_time_dt',
                              'Filter': {
                                  'Start': 'string',
                                  'End': 'string',
                                  'DateRange': {
                                      'Value': 123,
                                      'Unit': 'DAYS'
                                  }
                              }
                          },
                      ],
                      'BooleanFilters': [
                          {
                              'FieldName': 'compliance.assessments.meets_criteria'|'vulnerabilities.is_exploit_available'|'vulnerabilities.is_fix_available',
                              'Filter': {
                                  'Value': True|False
                              }
                          },
                      ],
                      'NumberFilters': [
                          {
                              'FieldName': 'activity_id'|'compliance.status_id'|'confidence_score'|'severity_id'|'status_id'|'finding_info.related_events_count',
                              'Filter': {
                                  'Gte': 123.0,
                                  'Lte': 123.0,
                                  'Eq': 123.0,
                                  'Gt': 123.0,
                                  'Lt': 123.0
                              }
                          },
                      ],
                      'MapFilters': [
                          {
                              'FieldName': 'resources.tags',
                              'Filter': {
                                  'Key': 'string',
                                  'Value': 'string',
                                  'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
                              }
                          },
                      ],
                      'Operator': 'AND'|'OR'
                  },
              ],
              'CompositeOperator': 'AND'|'OR'
          },
          SortCriteria=[
              {
                  'Field': 'string',
                  'SortOrder': 'asc'|'desc'
              },
          ],
          NextToken='string',
          MaxResults=123
      )

   Parameters:
      * **Filters** (*dict*) -- The finding attributes used to define a condition to filter the returned OCSF findings. You can filter up to 10 composite filters. For each filter type inside of a composite filter, you can provide up to 20 filters.

        * **CompositeFilters** *(list) --* Enables the creation of complex filtering conditions by combining filter criteria.

          * *(dict) --* Enables the creation of filtering criteria for security findings.

            * **StringFilters** *(list) --* Enables filtering based on string field values.

              * *(dict) --* Enables filtering of security findings based on string field values in OCSF.

                * **FieldName** *(string) --* The name of the field.

                * **Filter** *(dict) --* A string filter for filtering Security Hub findings.

                  * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match.
* **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". 
"NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". * "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. * **DateFilters** *(list) --* Enables filtering based on date and timestamp fields. * *(dict) --* Enables filtering of security findings based on date and timestamp fields in OCSF. * **FieldName** *(string) --* The name of the field. * **Filter** *(dict) --* A date filter for querying findings. 
* **Start** *(string) --* A timestamp that provides the start date for the date filter. For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps. * **End** *(string) --* A timestamp that provides the end date for the date filter. For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps. * **DateRange** *(dict) --* A date range for the date filter. * **Value** *(integer) --* A date range value for the date filter. * **Unit** *(string) --* A date range unit for the date filter. * **BooleanFilters** *(list) --* Enables filtering based on boolean field values. * *(dict) --* Enables filtering of security findings based on boolean field values in OCSF. * **FieldName** *(string) --* The name of the field. * **Filter** *(dict) --* Boolean filter for querying findings. * **Value** *(boolean) --* The value of the boolean. * **NumberFilters** *(list) --* Enables filtering based on numerical field values. * *(dict) --* Enables filtering of security findings based on numerical field values in OCSF. * **FieldName** *(string) --* The name of the field. * **Filter** *(dict) --* A number filter for querying findings. * **Gte** *(float) --* The greater-than-equal condition to be applied to a single field when querying for findings. * **Lte** *(float) --* The less-than-equal condition to be applied to a single field when querying for findings. * **Eq** *(float) --* The equal-to condition to be applied to a single field when querying for findings. * **Gt** *(float) --* The greater-than condition to be applied to a single field when querying for findings. * **Lt** *(float) --* The less-than condition to be applied to a single field when querying for findings. * **MapFilters** *(list) --* Enables filtering based on map field values. * *(dict) --* Enables filtering of security findings based on map field values in OCSF. * **FieldName** *(string) --* The name of the field. 
* **Filter** *(dict) --* A map filter for filtering Security Hub findings. Each map filter provides the field to check for, the value to check for, and the comparison operator. * **Key** *(string) --* The key of the map filter. For example, for "ResourceTags", "Key" identifies the name of the tag. For "UserDefinedFields", "Key" is the name of the field. * **Value** *(string) --* The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called "Department" might be "Security". If you provide "security" as the filter value, then there's no match. * **Comparison** *(string) --* The condition to apply to the key value when filtering Security Hub findings with a map filter. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, for the "ResourceTags" field, the filter "Department CONTAINS Security" matches findings that include the value "Security" for the "Department" tag. In the same example, a finding with a value of "Security team" for the "Department" tag is a match. * To search for values that exactly match the filter value, use "EQUALS". For example, for the "ResourceTags" field, the filter "Department EQUALS Security" matches findings that have the value "Security" for the "Department" tag. "CONTAINS" and "EQUALS" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Department CONTAINS Security OR Department CONTAINS Finance" match a finding that includes either "Security", "Finance", or both values. To search for values that don't have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". 
For example, for the "ResourceTags" field, the filter "Department NOT_CONTAINS Finance" matches findings that exclude the value "Finance" for the "Department" tag. * To search for values other than the filter value, use "NOT_EQUALS". For example, for the "ResourceTags" field, the filter "Department NOT_EQUALS Finance" matches findings that don’t have the value "Finance" for the "Department" tag. "NOT_CONTAINS" and "NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Department NOT_CONTAINS Security AND Department NOT_CONTAINS Finance" match a finding that excludes both the "Security" and "Finance" values. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can’t have both an "EQUALS" filter and a "NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules. For more information, see Automation rules in the *Security Hub User Guide*. * **Operator** *(string) --* The logical operator used to combine multiple filter conditions. * **CompositeOperator** *(string) --* The logical operators used to combine the filtering on multiple "CompositeFilters". * **SortCriteria** (*list*) -- The finding attributes used to sort the list of returned findings. * *(dict) --* A collection of finding attributes used to sort findings. * **Field** *(string) --* The finding attribute used to sort findings. * **SortOrder** *(string) --* The order used to sort findings. * **NextToken** (*string*) -- The token required for pagination. On your first call, set the value of this parameter to "NULL". 
For subsequent calls, to continue listing data, set the value of this parameter to the value returned in the previous response. * **MaxResults** (*integer*) -- The maximum number of results to return. Return type: dict Returns: **Response Syntax** { 'Findings': [ {...}|[...]|123|123.4|'string'|True|None, ], 'NextToken': 'string' } **Response Structure** * *(dict) --* * **Findings** *(list) --* An array of security findings returned by the operation. * (*document*) -- * **NextToken** *(string) --* The pagination token to use to request the next page of results. Otherwise, this parameter is null. **Exceptions** * "SecurityHub.Client.exceptions.InternalServerException" * "SecurityHub.Client.exceptions.ValidationException" * "SecurityHub.Client.exceptions.AccessDeniedException" * "SecurityHub.Client.exceptions.ConflictException" * "SecurityHub.Client.exceptions.ThrottlingException" SecurityHub / Client / create_automation_rule_v2 create_automation_rule_v2 ************************* SecurityHub.Client.create_automation_rule_v2(**kwargs) Creates a V2 automation rule. This API is in private preview and subject to change. 
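Added example (not part of the AWS reference or the SDK): a local, offline model of the same-field "StringFilters" rules documented for these V2 criteria, useful for checking a rule's filters before they go into "Criteria". The function names and sample finding values are assumptions of this example; "CONTAINS_WORD" is rejected because its matching behaviour is not described in this reference.

```python
# Local model of the same-field StringFilters rules; it never calls AWS.
from collections import defaultdict

POSITIVE = {"EQUALS", "PREFIX", "CONTAINS"}                      # joined by OR
NEGATIVE = {"NOT_EQUALS", "PREFIX_NOT_EQUALS", "NOT_CONTAINS"}   # joined by AND


class FilterCombinationError(ValueError):
    """Raised for combinations the reference says return an error."""


def validate_same_field(comparisons):
    """Check the comparison operators used together on one field."""
    ops = set(comparisons)
    unsupported = ops - POSITIVE - NEGATIVE
    if unsupported:
        raise FilterCombinationError(f"not modelled here: {sorted(unsupported)}")
    if "CONTAINS" in ops and ops != {"CONTAINS"}:
        raise FilterCombinationError("CONTAINS only combines with CONTAINS")
    if "NOT_CONTAINS" in ops and ops != {"NOT_CONTAINS"}:
        raise FilterCombinationError("NOT_CONTAINS only combines with NOT_CONTAINS")
    if "EQUALS" in ops and ops & {"NOT_EQUALS", "PREFIX_NOT_EQUALS"}:
        raise FilterCombinationError("EQUALS cannot be mixed with NOT_EQUALS/PREFIX_NOT_EQUALS")


def holds(value, comparison, needle):
    """Evaluate one comparison; all comparisons are case sensitive."""
    if comparison == "EQUALS":
        return value == needle
    if comparison == "PREFIX":
        return value.startswith(needle)
    if comparison == "CONTAINS":
        return needle in value
    if comparison == "NOT_EQUALS":
        return value != needle
    if comparison == "PREFIX_NOT_EQUALS":
        return not value.startswith(needle)
    return needle not in value  # NOT_CONTAINS


def match_field(value, filters):
    """filters: list of {'Value': str, 'Comparison': str} for ONE field."""
    validate_same_field(f["Comparison"] for f in filters)
    positive = [f for f in filters if f["Comparison"] in POSITIVE]
    negative = [f for f in filters if f["Comparison"] in NEGATIVE]
    # Positive filters are processed first and joined by OR.
    if positive and not any(holds(value, f["Comparison"], f["Value"]) for f in positive):
        return False
    # Negative filters then exclude, joined by AND.
    return all(holds(value, f["Comparison"], f["Value"]) for f in negative)


def evaluate_by_field(finding, string_filters):
    """Group request-shaped StringFilters by FieldName and evaluate each group.

    Assumptions of this example: `finding` is a flat dict of field name to a
    single string, and a finding that lacks a field is reported as not matching.
    """
    grouped = defaultdict(list)
    for entry in string_filters:
        grouped[entry["FieldName"]].append(entry["Filter"])
    return {
        field: field in finding and match_field(finding[field], filters)
        for field, filters in grouped.items()
    }


# The PREFIX / NOT_EQUALS combination walked through in this reference.
RESOURCE_TYPE_FILTERS = [
    {"Value": "AwsIam", "Comparison": "PREFIX"},
    {"Value": "AwsEc2", "Comparison": "PREFIX"},
    {"Value": "AwsIamPolicy", "Comparison": "NOT_EQUALS"},
    {"Value": "AwsEc2NetworkInterface", "Comparison": "NOT_EQUALS"},
]

if __name__ == "__main__":
    # Constructed sample values, not real findings.
    for sample in ("AwsIamRole", "AwsIamPolicy", "AwsEc2Instance", "AwsS3Bucket", "awsiamrole"):
        print(sample, match_field(sample, RESOURCE_TYPE_FILTERS))
```
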
See also: AWS API Documentation **Request Syntax** response = client.create_automation_rule_v2( RuleName='string', RuleStatus='ENABLED'|'DISABLED', Description='string', RuleOrder=..., Criteria={ 'OcsfFindingCriteria': { 'CompositeFilters': [ { 'StringFilters': [ { 'FieldName': 'metadata.uid'|'activity_name'|'cloud.account.uid'|'cloud.provider'|'cloud.region'|'compliance.assessments.category'|'compliance.assessments.name'|'compliance.control'|'compliance.status'|'compliance.standards'|'finding_info.desc'|'finding_info.src_url'|'finding_info.title'|'finding_info.types'|'finding_info.uid'|'finding_info.related_events.uid'|'finding_info.related_events.product.uid'|'finding_info.related_events.title'|'metadata.product.name'|'metadata.product.uid'|'metadata.product.vendor_name'|'remediation.desc'|'remediation.references'|'resources.cloud_partition'|'resources.region'|'resources.type'|'resources.uid'|'severity'|'status'|'comment'|'vulnerabilities.fix_coverage'|'class_name', 'Filter': { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' } }, ], 'DateFilters': [ { 'FieldName': 'finding_info.created_time_dt'|'finding_info.first_seen_time_dt'|'finding_info.last_seen_time_dt'|'finding_info.modified_time_dt', 'Filter': { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } } }, ], 'BooleanFilters': [ { 'FieldName': 'compliance.assessments.meets_criteria'|'vulnerabilities.is_exploit_available'|'vulnerabilities.is_fix_available', 'Filter': { 'Value': True|False } }, ], 'NumberFilters': [ { 'FieldName': 'activity_id'|'compliance.status_id'|'confidence_score'|'severity_id'|'status_id'|'finding_info.related_events_count', 'Filter': { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 } }, ], 'MapFilters': [ { 'FieldName': 'resources.tags', 'Filter': { 'Key': 'string', 'Value': 'string', 'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS' } }, ], 
'Operator': 'AND'|'OR' }, ], 'CompositeOperator': 'AND'|'OR' } }, Actions=[ { 'Type': 'FINDING_FIELDS_UPDATE'|'EXTERNAL_INTEGRATION', 'FindingFieldsUpdate': { 'SeverityId': 123, 'Comment': 'string', 'StatusId': 123 }, 'ExternalIntegrationConfiguration': { 'ConnectorArn': 'string' } }, ], Tags={ 'string': 'string' }, ClientToken='string' ) Parameters: * **RuleName** (*string*) -- **[REQUIRED]** The name of the V2 automation rule. * **RuleStatus** (*string*) -- The status of the V2 automation rule. * **Description** (*string*) -- **[REQUIRED]** A description of the V2 automation rule. * **RuleOrder** (*float*) -- **[REQUIRED]** The value for the rule priority. * **Criteria** (*dict*) -- **[REQUIRED]** The filtering type and configuration of the automation rule. Note: This is a Tagged Union structure. Only one of the following top level keys can be set: "OcsfFindingCriteria". * **OcsfFindingCriteria** *(dict) --* The filtering conditions that align with OCSF standards. * **CompositeFilters** *(list) --* Enables the creation of complex filtering conditions by combining filter criteria. * *(dict) --* Enables the creation of filtering criteria for security findings. * **StringFilters** *(list) --* Enables filtering based on string field values. * *(dict) --* Enables filtering of security findings based on string field values in OCSF. * **FieldName** *(string) --* The name of the field. * **Filter** *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". 
For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. 
For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". * "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. * **DateFilters** *(list) --* Enables filtering based on date and timestamp fields. * *(dict) --* Enables filtering of security findings based on date and timestamp fields in OCSF. * **FieldName** *(string) --* The name of the field. * **Filter** *(dict) --* A date filter for querying findings. * **Start** *(string) --* A timestamp that provides the start date for the date filter. 
For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps. * **End** *(string) --* A timestamp that provides the end date for the date filter. For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps. * **DateRange** *(dict) --* A date range for the date filter. * **Value** *(integer) --* A date range value for the date filter. * **Unit** *(string) --* A date range unit for the date filter. * **BooleanFilters** *(list) --* Enables filtering based on boolean field values. * *(dict) --* Enables filtering of security findings based on boolean field values in OCSF. * **FieldName** *(string) --* The name of the field. * **Filter** *(dict) --* Boolean filter for querying findings. * **Value** *(boolean) --* The value of the boolean. * **NumberFilters** *(list) --* Enables filtering based on numerical field values. * *(dict) --* Enables filtering of security findings based on numerical field values in OCSF. * **FieldName** *(string) --* The name of the field. * **Filter** *(dict) --* A number filter for querying findings. * **Gte** *(float) --* The greater-than-equal condition to be applied to a single field when querying for findings. * **Lte** *(float) --* The less-than-equal condition to be applied to a single field when querying for findings. * **Eq** *(float) --* The equal-to condition to be applied to a single field when querying for findings. * **Gt** *(float) --* The greater-than condition to be applied to a single field when querying for findings. * **Lt** *(float) --* The less-than condition to be applied to a single field when querying for findings. * **MapFilters** *(list) --* Enables filtering based on map field values. * *(dict) --* Enables filtering of security findings based on map field values in OCSF. * **FieldName** *(string) --* The name of the field. * **Filter** *(dict) --* A map filter for filtering Security Hub findings. 
Each map filter provides the field to check for, the value to check for, and the comparison operator. * **Key** *(string) --* The key of the map filter. For example, for "ResourceTags", "Key" identifies the name of the tag. For "UserDefinedFields", "Key" is the name of the field. * **Value** *(string) --* The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called "Department" might be "Security". If you provide "security" as the filter value, then there's no match. * **Comparison** *(string) --* The condition to apply to the key value when filtering Security Hub findings with a map filter. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, for the "ResourceTags" field, the filter "Department CONTAINS Security" matches findings that include the value "Security" for the "Department" tag. In the same example, a finding with a value of "Security team" for the "Department" tag is a match. * To search for values that exactly match the filter value, use "EQUALS". For example, for the "ResourceTags" field, the filter "Department EQUALS Security" matches findings that have the value "Security" for the "Department" tag. "CONTAINS" and "EQUALS" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Department CONTAINS Security OR Department CONTAINS Finance" match a finding that includes either "Security", "Finance", or both values. To search for values that don't have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, for the "ResourceTags" field, the filter "Department NOT_CONTAINS Finance" matches findings that exclude the value "Finance" for the "Department" tag. 
* To search for values other than the filter value, use "NOT_EQUALS". For example, for the "ResourceTags" field, the filter "Department NOT_EQUALS Finance" matches findings that don’t have the value "Finance" for the "Department" tag. "NOT_CONTAINS" and "NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Department NOT_CONTAINS Security AND Department NOT_CONTAINS Finance" match a finding that excludes both the "Security" and "Finance" values. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can’t have both an "EQUALS" filter and a "NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules. For more information, see Automation rules in the *Security Hub User Guide*. * **Operator** *(string) --* The logical operator used to combine multiple filter conditions. * **CompositeOperator** *(string) --* The logical operators used to combine the filtering on multiple "CompositeFilters". * **Actions** (*list*) -- **[REQUIRED]** A list of actions to be performed when the rule criteria is met. * *(dict) --* Allows you to configure automated responses. * **Type** *(string) --* **[REQUIRED]** The category of action to be executed by the automation rule. * **FindingFieldsUpdate** *(dict) --* The changes to be applied to fields in a security finding when an automation rule is triggered. * **SeverityId** *(integer) --* The severity level to be assigned to findings that match the automation rule criteria. * **Comment** *(string) --* Notes or contextual information for findings that are modified by the automation rule. 
* **StatusId** *(integer) --* The status to be applied to findings that match automation rule criteria. * **ExternalIntegrationConfiguration** *(dict) --* The settings for integrating automation rule actions with external systems or service. * **ConnectorArn** *(string) --* The ARN of the connector that establishes the integration. * **Tags** (*dict*) -- A list of key-value pairs associated with the V2 automation rule. * *(string) --* * *(string) --* * **ClientToken** (*string*) -- A unique identifier used to ensure idempotency. This field is autopopulated if not provided. Return type: dict Returns: **Response Syntax** { 'RuleArn': 'string', 'RuleId': 'string' } **Response Structure** * *(dict) --* * **RuleArn** *(string) --* The ARN of the V2 automation rule. * **RuleId** *(string) --* The ID of the V2 automation rule. **Exceptions** * "SecurityHub.Client.exceptions.AccessDeniedException" * "SecurityHub.Client.exceptions.InternalServerException" * "SecurityHub.Client.exceptions.ValidationException" * "SecurityHub.Client.exceptions.ThrottlingException" * "SecurityHub.Client.exceptions.ConflictException" SecurityHub / Client / describe_products_v2 describe_products_v2 ******************** SecurityHub.Client.describe_products_v2(**kwargs) Gets information about the product integration. This API is in private preview and subject to change. See also: AWS API Documentation **Request Syntax** response = client.describe_products_v2( NextToken='string', MaxResults=123 ) Parameters: * **NextToken** (*string*) -- The token required for pagination. On your first call, set the value of this parameter to "NULL". For subsequent calls, to continue listing data, set the value of this parameter to the value returned in the previous response. * **MaxResults** (*integer*) -- The maximum number of results to return. 
Return type: dict Returns: **Response Syntax** { 'ProductsV2': [ { 'ProductV2Name': 'string', 'CompanyName': 'string', 'Description': 'string', 'Categories': [ 'string', ], 'IntegrationV2Types': [ 'SEND_FINDINGS_TO_SECURITY_HUB'|'RECEIVE_FINDINGS_FROM_SECURITY_HUB'|'UPDATE_FINDINGS_IN_SECURITY_HUB', ], 'MarketplaceUrl': 'string', 'ActivationUrl': 'string' }, ], 'NextToken': 'string' } **Response Structure** * *(dict) --* * **ProductsV2** *(list) --* Gets information about the product integration. * *(dict) --* Defines the structure for the productV2. * **ProductV2Name** *(string) --* The name of the productV2. * **CompanyName** *(string) --* The name of the organization or vendor that provides the productV2. * **Description** *(string) --* Detailed information about the productV2. * **Categories** *(list) --* The domains or functional areas the productV2 addresses. * *(string) --* * **IntegrationV2Types** *(list) --* The type of integration. * *(string) --* * **MarketplaceUrl** *(string) --* The console URL where you can purchase or subscribe to products. * **ActivationUrl** *(string) --* The URL to the serviceV2 or productV2 documentation about the integration, which includes how to activate the integration. * **NextToken** *(string) --* The pagination token to use to request the next page of results. Otherwise, this parameter is null. **Exceptions** * "SecurityHub.Client.exceptions.InternalServerException" * "SecurityHub.Client.exceptions.ThrottlingException" * "SecurityHub.Client.exceptions.AccessDeniedException" * "SecurityHub.Client.exceptions.ValidationException" * "SecurityHub.Client.exceptions.ConflictException" SecurityHub / Client / invite_members invite_members ************** SecurityHub.Client.invite_members(**kwargs) Note: We recommend using Organizations instead of Security Hub invitations to manage your member accounts. For information, see Managing Security Hub administrator and member accounts with Organizations in the *Security Hub User Guide*. 
Invites other Amazon Web Services accounts to become member accounts for the Security Hub administrator account that the invitation is sent from. This operation is only used to invite accounts that don't belong to an Amazon Web Services organization. Organization accounts don't receive invitations. Before you can use this action to invite a member, you must first use the "CreateMembers" action to create the member account in Security Hub. When the account owner enables Security Hub and accepts the invitation to become a member account, the administrator account can view the findings generated in the member account. See also: AWS API Documentation **Request Syntax** response = client.invite_members( AccountIds=[ 'string', ] ) Parameters: **AccountIds** (*list*) -- **[REQUIRED]** The list of account IDs of the Amazon Web Services accounts to invite to Security Hub as members. * *(string) --* Return type: dict Returns: **Response Syntax** { 'UnprocessedAccounts': [ { 'AccountId': 'string', 'ProcessingResult': 'string' }, ] } **Response Structure** * *(dict) --* * **UnprocessedAccounts** *(list) --* The list of Amazon Web Services accounts that could not be processed. For each account, the list includes the account ID and the email address. * *(dict) --* Details about the account that was not processed. * **AccountId** *(string) --* An Amazon Web Services account ID of the account that was not processed. * **ProcessingResult** *(string) --* The reason that the account was not processed. 
**Exceptions** * "SecurityHub.Client.exceptions.InternalException" * "SecurityHub.Client.exceptions.InvalidInputException" * "SecurityHub.Client.exceptions.InvalidAccessException" * "SecurityHub.Client.exceptions.LimitExceededException" * "SecurityHub.Client.exceptions.ResourceNotFoundException" SecurityHub / Client / get_configuration_policy get_configuration_policy ************************ SecurityHub.Client.get_configuration_policy(**kwargs) Provides information about a configuration policy. Only the Security Hub delegated administrator can invoke this operation from the home Region. See also: AWS API Documentation **Request Syntax** response = client.get_configuration_policy( Identifier='string' ) Parameters: **Identifier** (*string*) -- **[REQUIRED]** The Amazon Resource Name (ARN) or universally unique identifier (UUID) of the configuration policy. Return type: dict Returns: **Response Syntax** { 'Arn': 'string', 'Id': 'string', 'Name': 'string', 'Description': 'string', 'UpdatedAt': datetime(2015, 1, 1), 'CreatedAt': datetime(2015, 1, 1), 'ConfigurationPolicy': { 'SecurityHub': { 'ServiceEnabled': True|False, 'EnabledStandardIdentifiers': [ 'string', ], 'SecurityControlsConfiguration': { 'EnabledSecurityControlIdentifiers': [ 'string', ], 'DisabledSecurityControlIdentifiers': [ 'string', ], 'SecurityControlCustomParameters': [ { 'SecurityControlId': 'string', 'Parameters': { 'string': { 'ValueType': 'DEFAULT'|'CUSTOM', 'Value': { 'Integer': 123, 'IntegerList': [ 123, ], 'Double': 123.0, 'String': 'string', 'StringList': [ 'string', ], 'Boolean': True|False, 'Enum': 'string', 'EnumList': [ 'string', ] } } } }, ] } } } } **Response Structure** * *(dict) --* * **Arn** *(string) --* The ARN of the configuration policy. * **Id** *(string) --* The UUID of the configuration policy. * **Name** *(string) --* The name of the configuration policy. * **Description** *(string) --* The description of the configuration policy. 
* **UpdatedAt** *(datetime) --* The date and time, in UTC and ISO 8601 format, that the configuration policy was last updated. * **CreatedAt** *(datetime) --* The date and time, in UTC and ISO 8601 format, that the configuration policy was created. * **ConfigurationPolicy** *(dict) --* An object that defines how Security Hub is configured. It includes whether Security Hub is enabled or disabled, a list of enabled security standards, a list of enabled or disabled security controls, and a list of custom parameter values for specified controls. If the policy includes a list of security controls that are enabled, Security Hub disables all other controls (including newly released controls). If the policy includes a list of security controls that are disabled, Security Hub enables all other controls (including newly released controls). Note: This is a Tagged Union structure. Only one of the following top level keys will be set: "SecurityHub". If a client receives an unknown member it will set "SDK_UNKNOWN_MEMBER" as the top level key, which maps to the name or tag of the unknown member. The structure of "SDK_UNKNOWN_MEMBER" is as follows: 'SDK_UNKNOWN_MEMBER': {'name': 'UnknownMemberName'} * **SecurityHub** *(dict) --* The Amazon Web Services service that the configuration policy applies to. * **ServiceEnabled** *(boolean) --* Indicates whether Security Hub is enabled in the policy. * **EnabledStandardIdentifiers** *(list) --* A list that defines which security standards are enabled in the configuration policy. * *(string) --* * **SecurityControlsConfiguration** *(dict) --* An object that defines which security controls are enabled in the configuration policy. The enablement status of a control is aligned across all of the enabled standards in an account. * **EnabledSecurityControlIdentifiers** *(list) --* A list of security controls that are enabled in the configuration policy. 
Security Hub disables all other controls (including newly released controls) other than the listed controls. * *(string) --* * **DisabledSecurityControlIdentifiers** *(list) --* A list of security controls that are disabled in the configuration policy. Security Hub enables all other controls (including newly released controls) other than the listed controls. * *(string) --* * **SecurityControlCustomParameters** *(list) --* A list of security controls and control parameter values that are included in a configuration policy. * *(dict) --* A list of security controls and control parameter values that are included in a configuration policy. * **SecurityControlId** *(string) --* The ID of the security control. * **Parameters** *(dict) --* An object that specifies parameter values for a control in a configuration policy. * *(string) --* * *(dict) --* An object that provides the current value of a security control parameter and identifies whether it has been customized. * **ValueType** *(string) --* Identifies whether a control parameter uses a custom user-defined value or subscribes to the default Security Hub behavior. When "ValueType" is set equal to "DEFAULT", the default behavior can be a specific Security Hub default value, or the default behavior can be to ignore a specific parameter. When "ValueType" is set equal to "DEFAULT", Security Hub ignores user-provided input for the "Value" field. When "ValueType" is set equal to "CUSTOM", the "Value" field can't be empty. * **Value** *(dict) --* The current value of a control parameter. Note: This is a Tagged Union structure. Only one of the following top level keys will be set: "Integer", "IntegerList", "Double", "String", "StringList", "Boolean", "Enum", "EnumList". If a client receives an unknown member it will set "SDK_UNKNOWN_MEMBER" as the top level key, which maps to the name or tag of the unknown member. 
The structure of "SDK_UNKNOWN_MEMBER" is as follows: 'SDK_UNKNOWN_MEMBER': {'name': 'UnknownMemberName'} * **Integer** *(integer) --* A control parameter that is an integer. * **IntegerList** *(list) --* A control parameter that is a list of integers. * *(integer) --* * **Double** *(float) --* A control parameter that is a double. * **String** *(string) --* A control parameter that is a string. * **StringList** *(list) --* A control parameter that is a list of strings. * *(string) --* * **Boolean** *(boolean) --* A control parameter that is a boolean. * **Enum** *(string) --* A control parameter that is an enum. * **EnumList** *(list) --* A control parameter that is a list of enums. * *(string) --* **Exceptions** * "SecurityHub.Client.exceptions.InternalException" * "SecurityHub.Client.exceptions.InvalidAccessException" * "SecurityHub.Client.exceptions.InvalidInputException" * "SecurityHub.Client.exceptions.LimitExceededException" * "SecurityHub.Client.exceptions.ResourceNotFoundException" * "SecurityHub.Client.exceptions.AccessDeniedException" SecurityHub / Client / can_paginate can_paginate ************ SecurityHub.Client.can_paginate(operation_name) Check if an operation can be paginated. Parameters: **operation_name** (*string*) -- The operation name. This is the same name as the method name on the client. For example, if the method name is "create_foo", and you'd normally invoke the operation as "client.create_foo(**kwargs)", if the "create_foo" operation can be paginated, you can use the call "client.get_paginator("create_foo")". Returns: "True" if the operation can be paginated, "False" otherwise. SecurityHub / Client / describe_action_targets describe_action_targets *********************** SecurityHub.Client.describe_action_targets(**kwargs) Returns a list of the custom action targets in Security Hub in your account. 
See also: AWS API Documentation **Request Syntax** response = client.describe_action_targets( ActionTargetArns=[ 'string', ], NextToken='string', MaxResults=123 ) Parameters: * **ActionTargetArns** (*list*) -- A list of custom action target ARNs for the custom action targets to retrieve. * *(string) --* * **NextToken** (*string*) -- The token that is required for pagination. On your first call to the "DescribeActionTargets" operation, set the value of this parameter to "NULL". For subsequent calls to the operation, to continue listing data, set the value of this parameter to the value returned from the previous response. * **MaxResults** (*integer*) -- The maximum number of results to return. Return type: dict Returns: **Response Syntax** { 'ActionTargets': [ { 'ActionTargetArn': 'string', 'Name': 'string', 'Description': 'string' }, ], 'NextToken': 'string' } **Response Structure** * *(dict) --* * **ActionTargets** *(list) --* A list of "ActionTarget" objects. Each object includes the "ActionTargetArn", "Description", and "Name" of a custom action target available in Security Hub. * *(dict) --* An "ActionTarget" object. * **ActionTargetArn** *(string) --* The ARN for the target action. * **Name** *(string) --* The name of the action target. * **Description** *(string) --* The description of the target action. * **NextToken** *(string) --* The pagination token to use to request the next page of results. **Exceptions** * "SecurityHub.Client.exceptions.InternalException" * "SecurityHub.Client.exceptions.InvalidInputException" * "SecurityHub.Client.exceptions.InvalidAccessException" * "SecurityHub.Client.exceptions.ResourceNotFoundException" SecurityHub / Client / batch_get_automation_rules batch_get_automation_rules ************************** SecurityHub.Client.batch_get_automation_rules(**kwargs) Retrieves a list of details for automation rules based on rule Amazon Resource Names (ARNs). 
See also: AWS API Documentation **Request Syntax** response = client.batch_get_automation_rules( AutomationRulesArns=[ 'string', ] ) Parameters: **AutomationRulesArns** (*list*) -- **[REQUIRED]** A list of rule ARNs to get details for. * *(string) --* Return type: dict Returns: **Response Syntax** { 'Rules': [ { 'RuleArn': 'string', 'RuleStatus': 'ENABLED'|'DISABLED', 'RuleOrder': 123, 'RuleName': 'string', 'Description': 'string', 'IsTerminal': True|False, 'Criteria': { 'ProductArn': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'AwsAccountId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'Id': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'GeneratorId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'Type': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'FirstObservedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'LastObservedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'CreatedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'UpdatedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'Confidence': [ { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 }, ], 'Criticality': [ { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 }, ], 'Title': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'Description': [ { 'Value': 
'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'SourceUrl': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ProductName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'CompanyName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'SeverityLabel': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceType': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourcePartition': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceRegion': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceTags': [ { 'Key': 'string', 'Value': 'string', 'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS' }, ], 'ResourceDetailsOther': [ { 'Key': 'string', 'Value': 'string', 'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS' }, ], 'ComplianceStatus': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ComplianceSecurityControlId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ComplianceAssociatedStandardsId': [ { 'Value': 'string', 'Comparison': 
'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'VerificationState': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'WorkflowStatus': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'RecordState': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'RelatedFindingsProductArn': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'RelatedFindingsId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'NoteText': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'NoteUpdatedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'NoteUpdatedBy': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'UserDefinedFields': [ { 'Key': 'string', 'Value': 'string', 'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS' }, ], 'ResourceApplicationArn': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceApplicationName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'AwsAccountName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ] }, 'Actions': [ { 'Type': 'FINDING_FIELDS_UPDATE', 'FindingFieldsUpdate': { 'Note': { 'Text': 
'string', 'UpdatedBy': 'string' }, 'Severity': { 'Normalized': 123, 'Product': 123.0, 'Label': 'INFORMATIONAL'|'LOW'|'MEDIUM'|'HIGH'|'CRITICAL' }, 'VerificationState': 'UNKNOWN'|'TRUE_POSITIVE'|'FALSE_POSITIVE'|'BENIGN_POSITIVE', 'Confidence': 123, 'Criticality': 123, 'Types': [ 'string', ], 'UserDefinedFields': { 'string': 'string' }, 'Workflow': { 'Status': 'NEW'|'NOTIFIED'|'RESOLVED'|'SUPPRESSED' }, 'RelatedFindings': [ { 'ProductArn': 'string', 'Id': 'string' }, ] } }, ], 'CreatedAt': datetime(2015, 1, 1), 'UpdatedAt': datetime(2015, 1, 1), 'CreatedBy': 'string' }, ], 'UnprocessedAutomationRules': [ { 'RuleArn': 'string', 'ErrorCode': 123, 'ErrorMessage': 'string' }, ] }

**Response Structure**

* *(dict) --*

  * **Rules** *(list) --* A list of rule details for the provided rule ARNs.

    * *(dict) --* Defines the configuration of an automation rule.

      * **RuleArn** *(string) --* The Amazon Resource Name (ARN) of a rule.

      * **RuleStatus** *(string) --* Whether the rule is active after it is created. If this parameter is equal to "ENABLED", Security Hub starts applying the rule to findings and finding updates after the rule is created.

      * **RuleOrder** *(integer) --* An integer ranging from 1 to 1000 that represents the order in which the rule action is applied to findings. Security Hub applies rules with lower values for this parameter first.

      * **RuleName** *(string) --* The name of the rule.

      * **Description** *(string) --* A description of the rule.

      * **IsTerminal** *(boolean) --* Specifies whether a rule is the last to be applied with respect to a finding that matches the rule criteria. This is useful when a finding matches the criteria for multiple rules, and each rule has different actions. If a rule is terminal, Security Hub applies the rule action to a finding that matches the rule criteria and doesn't evaluate other rules for the finding. By default, a rule isn't terminal.
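The interaction of "RuleStatus", "RuleOrder" and "IsTerminal" described above decides which rules ever touch a finding, which matters when reviewing why an automation rule did not fire or whether a terminal suppression rule hides findings from later rules. The following is an added example, not part of the boto3 documentation: the function names, the placeholder ARNs and the sample rules are assumptions, the set of matching rules is taken as an input, and ties on "RuleOrder" keep input order because tie-breaking is not described here.

```python
"""Model of automation-rule ordering and terminal behaviour for one finding.

Added example. Rule dicts use the field names of the 'Rules' entries in the
batch_get_automation_rules response; everything else is hypothetical.
"""


def plan_rule_application(rules, matching_arns):
    """Return (applied, skipped) for a single finding.

    rules         -- list of rule dicts (RuleArn, RuleStatus, RuleOrder, IsTerminal)
    matching_arns -- set of RuleArn values whose Criteria match the finding
                     (assumed to be computed elsewhere)
    applied       -- RuleArn values in the order their actions are applied
    skipped       -- (RuleArn, reason) tuples for rules that do not act
    """
    applied, skipped = [], []
    terminal_arn = None
    # Lower RuleOrder is applied first. sorted() is stable, so equal values
    # keep input order (assumption: tie-breaking is not documented here).
    for rule in sorted(rules, key=lambda r: r["RuleOrder"]):
        arn = rule["RuleArn"]
        if rule.get("RuleStatus") != "ENABLED":
            skipped.append((arn, "rule is not ENABLED"))
        elif terminal_arn is not None:
            skipped.append((arn, "not evaluated, terminal rule %s already applied" % terminal_arn))
        elif arn not in matching_arns:
            skipped.append((arn, "criteria do not match"))
        else:
            applied.append(arn)
            # IsTerminal defaults to False when absent.
            if rule.get("IsTerminal", False):
                terminal_arn = arn
    return applied, skipped


def suppressing_terminal_rules(rules):
    """Return ARNs of enabled terminal rules that set Workflow Status to SUPPRESSED.

    Findings matched by such a rule are suppressed and no later rule is
    evaluated for them, so these rules deserve a review of their Criteria.
    """
    flagged = []
    for rule in rules:
        if rule.get("RuleStatus") != "ENABLED" or not rule.get("IsTerminal", False):
            continue
        for action in rule.get("Actions", []):
            update = action.get("FindingFieldsUpdate", {})
            if update.get("Workflow", {}).get("Status") == "SUPPRESSED":
                flagged.append(rule["RuleArn"])
                break
    return flagged


# Constructed sample rules; the ARNs are placeholders, not real resources.
SAMPLE_RULES = [
    {"RuleArn": "arn:example:rule/notify", "RuleStatus": "ENABLED", "RuleOrder": 30,
     "IsTerminal": False,
     "Actions": [{"Type": "FINDING_FIELDS_UPDATE",
                  "FindingFieldsUpdate": {"Workflow": {"Status": "NOTIFIED"}}}]},
    {"RuleArn": "arn:example:rule/suppress-dev", "RuleStatus": "ENABLED", "RuleOrder": 10,
     "IsTerminal": True,
     "Actions": [{"Type": "FINDING_FIELDS_UPDATE",
                  "FindingFieldsUpdate": {"Workflow": {"Status": "SUPPRESSED"}}}]},
    {"RuleArn": "arn:example:rule/raise-severity", "RuleStatus": "ENABLED", "RuleOrder": 20,
     "IsTerminal": False,
     "Actions": [{"Type": "FINDING_FIELDS_UPDATE",
                  "FindingFieldsUpdate": {"Severity": {"Label": "CRITICAL"}}}]},
    {"RuleArn": "arn:example:rule/old", "RuleStatus": "DISABLED", "RuleOrder": 5,
     "IsTerminal": True,
     "Actions": [{"Type": "FINDING_FIELDS_UPDATE",
                  "FindingFieldsUpdate": {"Workflow": {"Status": "SUPPRESSED"}}}]},
]

if __name__ == "__main__":
    every_rule = {r["RuleArn"] for r in SAMPLE_RULES}
    applied, skipped = plan_rule_application(SAMPLE_RULES, every_rule)
    print("applied:", applied)
    for arn, reason in skipped:
        print("skipped:", arn, "-", reason)
    print("review:", suppressing_terminal_rules(SAMPLE_RULES))
```
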
* **Criteria** *(dict) --* A set of Amazon Web Services Security Finding Format finding field attributes and corresponding expected values that Security Hub uses to filter findings. If a rule is enabled and a finding matches the conditions specified in this parameter, Security Hub applies the rule action to the finding. * **ProductArn** *(list) --* The Amazon Resource Name (ARN) for a third-party product that generated a finding in Security Hub. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. 
For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. 
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". * "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. * **AwsAccountId** *(list) --* The Amazon Web Services account ID in which a finding was generated. Array Members: Minimum number of 1 item. Maximum number of 100 items. * *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". 
For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. 
"NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". * "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. * **Id** *(list) --* The product-specific identifier for a finding. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". 
For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. 
Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". * "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. * **GeneratorId** *(list) --* The identifier for the solution-specific component that generated a finding. Array Members: Minimum number of 1 item. Maximum number of 100 items. * *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. 
To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". 
A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". * "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. * **Type** *(list) --* One or more finding types in the format of namespace/category/classifier that classify a finding. For a list of namespaces, classifiers, and categories, see Types taxonomy for ASFF in the *Security Hub User Guide*. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A string filter for filtering Security Hub findings. 
* **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". 
* To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". * "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. 
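The operator rules in the "Comparison" description above (positive operators joined by "OR", negative operators joined by "AND", "PREFIX" processed before "NOT_EQUALS", case-sensitive values, and the operator mixes that return an error) can be modelled locally to check a rule's criteria on one field before deploying it. This is an added example, not part of the boto3 documentation or of Security Hub itself: the function names and sample filter lists are assumptions, it evaluates a single field at a time, and it treats "CONTAINS_WORD" as out of scope because the text above limits that operator to the V2 APIs.

```python
"""Local model of the string-filter semantics for one finding field.

Added example. Filter dicts use the 'Value'/'Comparison' keys of the
string filters documented above; all names here are hypothetical.
"""

POSITIVE = {"EQUALS", "PREFIX", "CONTAINS"}
NEGATIVE = {"NOT_EQUALS", "PREFIX_NOT_EQUALS", "NOT_CONTAINS"}

# Python string comparison is case sensitive, like the documented filters.
OPERATORS = {
    "EQUALS": lambda value, needle: value == needle,
    "PREFIX": lambda value, needle: value.startswith(needle),
    "CONTAINS": lambda value, needle: needle in value,
    "NOT_EQUALS": lambda value, needle: value != needle,
    "PREFIX_NOT_EQUALS": lambda value, needle: not value.startswith(needle),
    "NOT_CONTAINS": lambda value, needle: needle not in value,
}


def validate_filters(filters):
    """Return a list of problems with the operator mix on a single field."""
    ops = {f["Comparison"] for f in filters}
    problems = []
    unknown = ops - POSITIVE - NEGATIVE
    if unknown:
        problems.append("operator(s) not modelled for automation rules: %s" % sorted(unknown))
    if "CONTAINS" in ops and ops != {"CONTAINS"}:
        problems.append("CONTAINS can only be used with other CONTAINS filters")
    if "NOT_CONTAINS" in ops and ops != {"NOT_CONTAINS"}:
        problems.append("NOT_CONTAINS can only be used with other NOT_CONTAINS filters")
    if "EQUALS" in ops and ops & {"NOT_EQUALS", "PREFIX_NOT_EQUALS"}:
        problems.append("EQUALS cannot be combined with NOT_EQUALS or PREFIX_NOT_EQUALS")
    return problems


def field_matches(value, filters):
    """Evaluate all filters on one field against a finding's value.

    Raises ValueError for a combination that the service would reject.
    """
    problems = validate_filters(filters)
    if problems:
        raise ValueError("; ".join(problems))
    positive = [f for f in filters if f["Comparison"] in POSITIVE]
    negative = [f for f in filters if f["Comparison"] in NEGATIVE]
    # Step 1: positive filters are joined by OR (no positive filter = no constraint).
    included = not positive or any(
        OPERATORS[f["Comparison"]](value, f["Value"]) for f in positive
    )
    # Step 2: negative filters are joined by AND and remove from that set.
    return included and all(
        OPERATORS[f["Comparison"]](value, f["Value"]) for f in negative
    )


# The ResourceType example from the text above.
RESOURCE_TYPE_FILTERS = [
    {"Value": "AwsIam", "Comparison": "PREFIX"},
    {"Value": "AwsEc2", "Comparison": "PREFIX"},
    {"Value": "AwsIamPolicy", "Comparison": "NOT_EQUALS"},
    {"Value": "AwsEc2NetworkInterface", "Comparison": "NOT_EQUALS"},
]

# Constructed filter lists for the OR case and for a rejected mix.
TITLE_OR_FILTERS = [
    {"Value": "CloudFront", "Comparison": "CONTAINS"},
    {"Value": "CloudWatch", "Comparison": "CONTAINS"},
]
TITLE_MIXED_FILTERS = [
    {"Value": "CloudFront", "Comparison": "CONTAINS"},
    {"Value": "CloudWatch", "Comparison": "NOT_CONTAINS"},
]

if __name__ == "__main__":
    for resource_type in ("AwsIamRole", "AwsIamPolicy", "AwsEc2Instance",
                          "AwsEc2NetworkInterface", "AwsS3Bucket", "awsiamrole"):
        print(resource_type, field_matches(resource_type, RESOURCE_TYPE_FILTERS))
    print(validate_filters(TITLE_MIXED_FILTERS))
```
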
        * **FirstObservedAt** *(list) --* A timestamp that indicates when the potential security issue captured by a finding was first observed by the security findings product. For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps. Array Members: Minimum number of 1 item. Maximum number of 20 items.

          * *(dict) --* A date filter for querying findings.

            * **Start** *(string) --* A timestamp that provides the start date for the date filter. For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps.

            * **End** *(string) --* A timestamp that provides the end date for the date filter. For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps.

            * **DateRange** *(dict) --* A date range for the date filter.

              * **Value** *(integer) --* A date range value for the date filter.

              * **Unit** *(string) --* A date range unit for the date filter.

        * **LastObservedAt** *(list) --* A timestamp that indicates when the security findings provider most recently observed a change in the resource that is involved in the finding. For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps. Array Members: Minimum number of 1 item. Maximum number of 20 items.

          * *(dict) --* A date filter for querying findings.

            * **Start** *(string) --* A timestamp that provides the start date for the date filter. For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps.

            * **End** *(string) --* A timestamp that provides the end date for the date filter. For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps.

            * **DateRange** *(dict) --* A date range for the date filter.

              * **Value** *(integer) --* A date range value for the date filter.

              * **Unit** *(string) --* A date range unit for the date filter.
* **CreatedAt** *(list) --* A timestamp that indicates when this finding record was created. For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A date filter for querying findings. * **Start** *(string) --* A timestamp that provides the start date for the date filter. For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps. * **End** *(string) --* A timestamp that provides the end date for the date filter. For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps. * **DateRange** *(dict) --* A date range for the date filter. * **Value** *(integer) --* A date range value for the date filter. * **Unit** *(string) --* A date range unit for the date filter. * **UpdatedAt** *(list) --* A timestamp that indicates when the finding record was most recently updated. For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A date filter for querying findings. * **Start** *(string) --* A timestamp that provides the start date for the date filter. For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps. * **End** *(string) --* A timestamp that provides the end date for the date filter. For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps. * **DateRange** *(dict) --* A date range for the date filter. * **Value** *(integer) --* A date range value for the date filter. * **Unit** *(string) --* A date range unit for the date filter. * **Confidence** *(list) --* The likelihood that a finding accurately identifies the behavior or issue that it was intended to identify. 
"Confidence" is scored on a 0–100 basis using a ratio scale. A value of "0" means 0 percent confidence, and a value of "100" means 100 percent confidence. For example, a data exfiltration detection based on a statistical deviation of network traffic has low confidence because an actual exfiltration hasn't been verified. For more information, see Confidence in the *Security Hub User Guide*. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A number filter for querying findings. * **Gte** *(float) --* The greater-than-equal condition to be applied to a single field when querying for findings. * **Lte** *(float) --* The less-than-equal condition to be applied to a single field when querying for findings. * **Eq** *(float) --* The equal-to condition to be applied to a single field when querying for findings. * **Gt** *(float) --* The greater-than condition to be applied to a single field when querying for findings. * **Lt** *(float) --* The less-than condition to be applied to a single field when querying for findings. * **Criticality** *(list) --* The level of importance that is assigned to the resources that are associated with a finding. "Criticality" is scored on a 0–100 basis, using a ratio scale that supports only full integers. A score of "0" means that the underlying resources have no criticality, and a score of "100" is reserved for the most critical resources. For more information, see Criticality in the *Security Hub User Guide*. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A number filter for querying findings. * **Gte** *(float) --* The greater-than-equal condition to be applied to a single field when querying for findings. * **Lte** *(float) --* The less-than-equal condition to be applied to a single field when querying for findings. * **Eq** *(float) --* The equal-to condition to be applied to a single field when querying for findings. 
* **Gt** *(float) --* The greater-than condition to be applied to a single field when querying for findings. * **Lt** *(float) --* The less-than condition to be applied to a single field when querying for findings. * **Title** *(list) --* A finding's title. Array Members: Minimum number of 1 item. Maximum number of 100 items. * *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. 
To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". 
* "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. * **Description** *(list) --* A finding's description. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. 
For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. 
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". * "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. * **SourceUrl** *(list) --* Provides a URL that links to a page about the current finding in the finding product. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". 
For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. 
"NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". * "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. * **ProductName** *(list) --* Provides the name of the product that generated the finding. For control-based findings, the product name is Security Hub. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. 
* To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. 
Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". * "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. * **CompanyName** *(list) --* The name of the company for the product that generated the finding. For control-based findings, the company is Amazon Web Services. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. 
To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". 
A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". * "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. * **SeverityLabel** *(list) --* The severity value of the finding. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". 
If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". 
For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". * "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. * **ResourceType** *(list) --* The type of resource that the finding pertains to. Array Members: Minimum number of 1 item. Maximum number of 20 items. 
* *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". 
For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". * "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. 
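The combination rules described above, as a local model in Python. This is an added example, not code from the Security Hub reference or boto3, and it makes no API calls. The function names and sample resource-type values are constructed for illustration, and "CONTAINS_WORD" is rejected because the page lists it only for the V2 Get* APIs.

```python
"""Local model of the documented string-filter rules (added example)."""

POSITIVE = {"EQUALS", "PREFIX", "CONTAINS"}                      # joined by OR
NEGATIVE = {"NOT_EQUALS", "PREFIX_NOT_EQUALS", "NOT_CONTAINS"}   # joined by AND

# Array-size limits quoted on this page: 100 for Title and ResourceId, 20 otherwise.
MAX_ITEMS = {"Title": 100, "ResourceId": 100}


def validate_string_filters(field, filters):
    """Return a list of rule violations for one criteria field (empty list = OK)."""
    problems = []
    limit = MAX_ITEMS.get(field, 20)
    if not 1 <= len(filters) <= limit:
        problems.append(f"{field}: expected 1 to {limit} filters, got {len(filters)}")
    if not all(isinstance(f.get("Value"), str) for f in filters):
        problems.append(f"{field}: every filter needs a string Value")

    ops = {f.get("Comparison") for f in filters}
    unknown = ops - POSITIVE - NEGATIVE
    if unknown:
        problems.append(f"{field}: unsupported comparison(s) {sorted(map(str, unknown))}")
    # CONTAINS and NOT_CONTAINS may only appear with filters of their own kind.
    if "CONTAINS" in ops and ops - {"CONTAINS"}:
        problems.append(f"{field}: CONTAINS can only be used with other CONTAINS filters")
    if "NOT_CONTAINS" in ops and ops - {"NOT_CONTAINS"}:
        problems.append(f"{field}: NOT_CONTAINS can only be used with other NOT_CONTAINS filters")
    # EQUALS cannot share a field with NOT_EQUALS or PREFIX_NOT_EQUALS.
    if "EQUALS" in ops and ops & {"NOT_EQUALS", "PREFIX_NOT_EQUALS"}:
        problems.append(f"{field}: EQUALS cannot be combined with NOT_EQUALS or PREFIX_NOT_EQUALS")
    return problems


def _test(value, comparison, needle):
    """Evaluate one filter; comparisons are case sensitive, as documented."""
    if comparison in ("EQUALS", "NOT_EQUALS"):
        hit = value == needle
    elif comparison in ("PREFIX", "PREFIX_NOT_EQUALS"):
        hit = value.startswith(needle)
    else:  # CONTAINS / NOT_CONTAINS
        hit = needle in value
    return hit if comparison in POSITIVE else not hit


def matches(value, filters):
    """Positive filters are processed first (any may match), then negatives (all must hold).

    Run validate_string_filters() first; unknown comparisons are ignored here.
    """
    positives = [f for f in filters if f["Comparison"] in POSITIVE]
    negatives = [f for f in filters if f["Comparison"] in NEGATIVE]
    if positives and not any(_test(value, f["Comparison"], f["Value"]) for f in positives):
        return False
    return all(_test(value, f["Comparison"], f["Value"]) for f in negatives)


def select_matching(values, filters):
    """Return the values that satisfy the filter list, in input order."""
    return [v for v in values if matches(v, filters)]


# The ResourceType example from the text, in the dict shape the criteria use.
RESOURCE_TYPE_FILTERS = [
    {"Value": "AwsIam", "Comparison": "PREFIX"},
    {"Value": "AwsEc2", "Comparison": "PREFIX"},
    {"Value": "AwsIamPolicy", "Comparison": "NOT_EQUALS"},
    {"Value": "AwsEc2NetworkInterface", "Comparison": "NOT_EQUALS"},
]

# Constructed sample values, including one with the wrong case.
SAMPLE_RESOURCE_TYPES = [
    "AwsIamRole", "AwsIamPolicy", "AwsEc2Instance",
    "AwsEc2NetworkInterface", "AwsS3Bucket", "awsiamrole",
]

if __name__ == "__main__":
    print(validate_string_filters("ResourceType", RESOURCE_TYPE_FILTERS))
    print(select_matching(SAMPLE_RESOURCE_TYPES, RESOURCE_TYPE_FILTERS))
```

Running the validator over a criteria dict before submitting it catches the combinations that the text says return an error, and the evaluator shows which findings a rule would actually select.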
For more information, see Automation rules in the *Security Hub User Guide*. * **ResourceId** *(list) --* The identifier for the given resource type. For Amazon Web Services resources that are identified by Amazon Resource Names (ARNs), this is the ARN. For Amazon Web Services resources that lack ARNs, this is the identifier as defined by the Amazon Web Services service that created the resource. For non-Amazon Web Services resources, this is a unique identifier that is associated with the resource. Array Members: Minimum number of 1 item. Maximum number of 100 items. * *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. 
For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. 
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". * "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. * **ResourcePartition** *(list) --* The partition in which the resource that the finding pertains to is located. A partition is a group of Amazon Web Services Regions. Each Amazon Web Services account is scoped to one partition. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". 
* To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. 
"CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". * "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. * **ResourceRegion** *(list) --* The Amazon Web Services Region where the resource that a finding pertains to is located. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. 
* To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. 
Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". * "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. * **ResourceTags** *(list) --* A list of Amazon Web Services tags associated with a resource at the time the finding was processed. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A map filter for filtering Security Hub findings. Each map filter provides the field to check for, the value to check for, and the comparison operator. * **Key** *(string) --* The key of the map filter. For example, for "ResourceTags", "Key" identifies the name of the tag. For "UserDefinedFields", "Key" is the name of the field. * **Value** *(string) --* The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called "Department" might be "Security". 
If you provide "security" as the filter value, then there's no match. * **Comparison** *(string) --* The condition to apply to the key value when filtering Security Hub findings with a map filter. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, for the "ResourceTags" field, the filter "Department CONTAINS Security" matches findings that include the value "Security" for the "Department" tag. In the same example, a finding with a value of "Security team" for the "Department" tag is a match. * To search for values that exactly match the filter value, use "EQUALS". For example, for the "ResourceTags" field, the filter "Department EQUALS Security" matches findings that have the value "Security" for the "Department" tag. "CONTAINS" and "EQUALS" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Department CONTAINS Security OR Department CONTAINS Finance" match a finding that includes either "Security", "Finance", or both values. To search for values that don't have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, for the "ResourceTags" field, the filter "Department NOT_CONTAINS Finance" matches findings that exclude the value "Finance" for the "Department" tag. * To search for values other than the filter value, use "NOT_EQUALS". For example, for the "ResourceTags" field, the filter "Department NOT_EQUALS Finance" matches findings that don’t have the value "Finance" for the "Department" tag. "NOT_CONTAINS" and "NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. 
For example, the filters "Department NOT_CONTAINS Security AND Department NOT_CONTAINS Finance" match a finding that excludes both the "Security" and "Finance" values. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can’t have both an "EQUALS" filter and a "NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules. For more information, see Automation rules in the *Security Hub User Guide*. * **ResourceDetailsOther** *(list) --* Custom fields and values about the resource that a finding pertains to. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A map filter for filtering Security Hub findings. Each map filter provides the field to check for, the value to check for, and the comparison operator. * **Key** *(string) --* The key of the map filter. For example, for "ResourceTags", "Key" identifies the name of the tag. For "UserDefinedFields", "Key" is the name of the field. * **Value** *(string) --* The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called "Department" might be "Security". If you provide "security" as the filter value, then there's no match. * **Comparison** *(string) --* The condition to apply to the key value when filtering Security Hub findings with a map filter. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, for the "ResourceTags" field, the filter "Department CONTAINS Security" matches findings that include the value "Security" for the "Department" tag. 
In the same example, a finding with a value of "Security team" for the "Department" tag is a match. * To search for values that exactly match the filter value, use "EQUALS". For example, for the "ResourceTags" field, the filter "Department EQUALS Security" matches findings that have the value "Security" for the "Department" tag. "CONTAINS" and "EQUALS" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Department CONTAINS Security OR Department CONTAINS Finance" match a finding that includes either "Security", "Finance", or both values. To search for values that don't have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, for the "ResourceTags" field, the filter "Department NOT_CONTAINS Finance" matches findings that exclude the value "Finance" for the "Department" tag. * To search for values other than the filter value, use "NOT_EQUALS". For example, for the "ResourceTags" field, the filter "Department NOT_EQUALS Finance" matches findings that don’t have the value "Finance" for the "Department" tag. "NOT_CONTAINS" and "NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Department NOT_CONTAINS Security AND Department NOT_CONTAINS Finance" match a finding that excludes both the "Security" and "Finance" values. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can’t have both an "EQUALS" filter and a "NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules. 
For more information, see Automation rules in the *Security Hub User Guide*. * **ComplianceStatus** *(list) --* The result of a security check. This field is only used for findings generated from controls. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". 
For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". 
* "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. * **ComplianceSecurityControlId** *(list) --* The security control ID for which a finding was generated. Security control IDs are the same across standards. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". 
A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. 
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". * "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. * **ComplianceAssociatedStandardsId** *(list) --* The unique identifier of a standard in which a control is enabled. This field consists of the resource portion of the Amazon Resource Name (ARN) returned for a standard in the DescribeStandards API response. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". 
* To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. 
"CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". * "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. * **VerificationState** *(list) --* Provides the veracity of a finding. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. 
* To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. 
Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". * "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. * **WorkflowStatus** *(list) --* Provides information about the status of the investigation into a finding. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. 
To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". 
A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". * "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. * **RecordState** *(list) --* Provides the current state of a finding. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". 
If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". 
For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". * "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. * **RelatedFindingsProductArn** *(list) --* The ARN for the product that generated a related finding. Array Members: Minimum number of 1 item. Maximum number of 20 items. 
* *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". 
For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". * "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. 
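The same-field combination rules above, as an added Python example that is not part of the SDK or of this reference: a local model for checking a filter list before it is sent, so that a rejected or unintentionally narrow filter does not hide findings from triage. The helper names (`validate`, `is_valid`, `matches`, `select`) and the sample resource types are assumptions made for illustration, and nothing here calls the Security Hub API.

```python
# Added example: local model of the documented string-filter rules for ONE field.
# All helper names are hypothetical; no AWS call is made.

POSITIVE = {"EQUALS", "PREFIX", "CONTAINS"}                     # joined by OR
NEGATIVE = {"NOT_EQUALS", "PREFIX_NOT_EQUALS", "NOT_CONTAINS"}  # joined by AND
MAX_FILTERS = 20  # "Minimum number of 1 item. Maximum number of 20 items."

# Every comparison is case sensitive, as the Value description states.
COMPARE = {
    "EQUALS": lambda want, got: got == want,
    "PREFIX": lambda want, got: got.startswith(want),
    "CONTAINS": lambda want, got: want in got,
    "NOT_EQUALS": lambda want, got: got != want,
    "PREFIX_NOT_EQUALS": lambda want, got: not got.startswith(want),
    "NOT_CONTAINS": lambda want, got: want not in got,
}


class FilterError(ValueError):
    """A filter list that the documented rules reject."""


def validate(filters):
    """Raise FilterError if the filters for one field break a documented rule."""
    if not 1 <= len(filters) <= MAX_FILTERS:
        raise FilterError(f"expected 1-{MAX_FILTERS} filters, got {len(filters)}")
    ops = {f["Comparison"] for f in filters}
    unknown = ops - POSITIVE - NEGATIVE
    if unknown:
        # CONTAINS_WORD (V2 APIs only) is deliberately not modelled here.
        raise FilterError(f"operators not modelled: {sorted(unknown)}")
    # CONTAINS only mixes with CONTAINS, NOT_CONTAINS only with NOT_CONTAINS.
    for exclusive in ("CONTAINS", "NOT_CONTAINS"):
        if exclusive in ops and len(ops) > 1:
            raise FilterError(f"{exclusive} can only be used with other {exclusive} filters")
    if "EQUALS" in ops and ops & {"NOT_EQUALS", "PREFIX_NOT_EQUALS"}:
        raise FilterError("EQUALS cannot share a field with NOT_EQUALS or PREFIX_NOT_EQUALS")


def is_valid(filters):
    """Return True when validate() accepts the list, False otherwise."""
    try:
        validate(filters)
    except FilterError:
        return False
    return True


def matches(filters, actual):
    """Evaluate one field value: positive filters OR-ed, then negative filters AND-ed."""
    validate(filters)
    positive = [f for f in filters if f["Comparison"] in POSITIVE]
    negative = [f for f in filters if f["Comparison"] in NEGATIVE]
    included = not positive or any(
        COMPARE[f["Comparison"]](f["Value"], actual) for f in positive
    )
    kept = all(COMPARE[f["Comparison"]](f["Value"], actual) for f in negative)
    return included and kept


def select(filters, values):
    """Return the values that the filter list would keep, in input order."""
    return [v for v in values if matches(filters, v)]


# The four ResourceType filters listed in the text above.
PAGE_EXAMPLE = [
    {"Value": "AwsIam", "Comparison": "PREFIX"},
    {"Value": "AwsEc2", "Comparison": "PREFIX"},
    {"Value": "AwsIamPolicy", "Comparison": "NOT_EQUALS"},
    {"Value": "AwsEc2NetworkInterface", "Comparison": "NOT_EQUALS"},
]

# Constructed sample values; the last one differs only in letter case.
SAMPLE_RESOURCE_TYPES = [
    "AwsIamRole", "AwsIamPolicy", "AwsEc2Instance",
    "AwsEc2NetworkInterface", "AwsS3Bucket", "awsiamuser",
]

if __name__ == "__main__":
    print(select(PAGE_EXAMPLE, SAMPLE_RESOURCE_TYPES))
    bad = [{"Value": "CloudFront", "Comparison": "CONTAINS"},
           {"Value": "CloudWatch", "Comparison": "NOT_CONTAINS"}]
    print(is_valid(bad))
```
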
For more information, see Automation rules in the *Security Hub User Guide*. * **RelatedFindingsId** *(list) --* The product-generated identifier for a related finding. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". 
For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". 
* "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. * **NoteText** *(list) --* The text of a user-defined note that's added to a finding. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. 
For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. 
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". * "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. * **NoteUpdatedAt** *(list) --* The timestamp of when the note was updated. For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A date filter for querying findings. * **Start** *(string) --* A timestamp that provides the start date for the date filter. For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps. * **End** *(string) --* A timestamp that provides the end date for the date filter. For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps. * **DateRange** *(dict) --* A date range for the date filter. * **Value** *(integer) --* A date range value for the date filter. * **Unit** *(string) --* A date range unit for the date filter. * **NoteUpdatedBy** *(list) --* The principal that created a note. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". 
If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". 
For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". * "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. * **UserDefinedFields** *(list) --* A list of user-defined name and value string pairs added to a finding. Array Members: Minimum number of 1 item. 
Maximum number of 20 items. * *(dict) --* A map filter for filtering Security Hub findings. Each map filter provides the field to check for, the value to check for, and the comparison operator. * **Key** *(string) --* The key of the map filter. For example, for "ResourceTags", "Key" identifies the name of the tag. For "UserDefinedFields", "Key" is the name of the field. * **Value** *(string) --* The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called "Department" might be "Security". If you provide "security" as the filter value, then there's no match. * **Comparison** *(string) --* The condition to apply to the key value when filtering Security Hub findings with a map filter. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, for the "ResourceTags" field, the filter "Department CONTAINS Security" matches findings that include the value "Security" for the "Department" tag. In the same example, a finding with a value of "Security team" for the "Department" tag is a match. * To search for values that exactly match the filter value, use "EQUALS". For example, for the "ResourceTags" field, the filter "Department EQUALS Security" matches findings that have the value "Security" for the "Department" tag. "CONTAINS" and "EQUALS" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Department CONTAINS Security OR Department CONTAINS Finance" match a finding that includes either "Security", "Finance", or both values. To search for values that don't have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". 
For example, for the "ResourceTags" field, the filter "Department NOT_CONTAINS Finance" matches findings that exclude the value "Finance" for the "Department" tag. * To search for values other than the filter value, use "NOT_EQUALS". For example, for the "ResourceTags" field, the filter "Department NOT_EQUALS Finance" matches findings that don’t have the value "Finance" for the "Department" tag. "NOT_CONTAINS" and "NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Department NOT_CONTAINS Security AND Department NOT_CONTAINS Finance" match a finding that excludes both the "Security" and "Finance" values. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can’t have both an "EQUALS" filter and a "NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules. For more information, see Automation rules in the *Security Hub User Guide*. * **ResourceApplicationArn** *(list) --* The Amazon Resource Name (ARN) of the application that is related to a finding. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". 
For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. 
For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". * "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. * **ResourceApplicationName** *(list) --* The name of the application that is related to a finding. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match. 
* **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". 
"NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". * "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. * **AwsAccountName** *(list) --* The name of the Amazon Web Services account in which a finding was generated. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. 
Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". 
For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". * "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. * **Actions** *(list) --* One or more actions to update finding fields if a finding matches the defined criteria of the rule. 
* *(dict) --* One or more actions that Security Hub takes when a finding matches the defined criteria of a rule. * **Type** *(string) --* Specifies the type of action that Security Hub takes when a finding matches the defined criteria of a rule. * **FindingFieldsUpdate** *(dict) --* Specifies that the automation rule action is an update to a finding field. * **Note** *(dict) --* The updated note. * **Text** *(string) --* The updated note text. * **UpdatedBy** *(string) --* The principal that updated the note. * **Severity** *(dict) --* Updates to the severity information for a finding. * **Normalized** *(integer) --* The normalized severity for the finding. This attribute is to be deprecated in favor of "Label". If you provide "Normalized" and don't provide "Label", "Label" is set automatically as follows. * 0 - "INFORMATIONAL" * 1–39 - "LOW" * 40–69 - "MEDIUM" * 70–89 - "HIGH" * 90–100 - "CRITICAL" * **Product** *(float) --* The native severity as defined by the Amazon Web Services service or integrated partner product that generated the finding. * **Label** *(string) --* The severity value of the finding. The allowed values are the following. * "INFORMATIONAL" - No issue was found. * "LOW" - The issue does not require action on its own. * "MEDIUM" - The issue must be addressed but not urgently. * "HIGH" - The issue must be addressed as a priority. * "CRITICAL" - The issue must be remediated immediately to avoid it escalating. * **VerificationState** *(string) --* The rule action updates the "VerificationState" field of a finding. * **Confidence** *(integer) --* The rule action updates the "Confidence" field of a finding. * **Criticality** *(integer) --* The rule action updates the "Criticality" field of a finding. * **Types** *(list) --* The rule action updates the "Types" field of a finding. * *(string) --* * **UserDefinedFields** *(dict) --* The rule action updates the "UserDefinedFields" field of a finding. 
* *(string) --* * *(string) --* * **Workflow** *(dict) --* Used to update information about the investigation into the finding. * **Status** *(string) --* The status of the investigation into the finding. The workflow status is specific to an individual finding. It does not affect the generation of new findings. For example, setting the workflow status to "SUPPRESSED" or "RESOLVED" does not prevent a new finding for the same issue. The allowed values are the following. * "NEW" - The initial state of a finding, before it is reviewed. Security Hub also resets "WorkFlowStatus" from "NOTIFIED" or "RESOLVED" to "NEW" in the following cases: * The record state changes from "ARCHIVED" to "ACTIVE". * The compliance status changes from "PASSED" to either "WARNING", "FAILED", or "NOT_AVAILABLE". * "NOTIFIED" - Indicates that you notified the resource owner about the security issue. Used when the initial reviewer is not the resource owner, and needs intervention from the resource owner. * "RESOLVED" - The finding was reviewed and remediated and is now considered resolved. * "SUPPRESSED" - Indicates that you reviewed the finding and don't believe that any action is needed. The finding is no longer updated. * **RelatedFindings** *(list) --* The rule action updates the "RelatedFindings" field of a finding. * *(dict) --* Details about a related finding. * **ProductArn** *(string) --* The ARN of the product that generated a related finding. * **Id** *(string) --* The product-generated identifier for a related finding. * **CreatedAt** *(datetime) --* A timestamp that indicates when the rule was created. For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps. * **UpdatedAt** *(datetime) --* A timestamp that indicates when the rule was most recently updated. For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps. * **CreatedBy** *(string) --* The principal that created a rule. 
* **UnprocessedAutomationRules** *(list) --* A list of objects containing "RuleArn", "ErrorCode", and "ErrorMessage". This parameter tells you which automation rules the request didn't retrieve and why.

  * *(dict) --* A list of objects containing "RuleArn", "ErrorCode", and "ErrorMessage". This parameter tells you which automation rules the request didn't process and why.

    * **RuleArn** *(string) --* The Amazon Resource Name (ARN) for the unprocessed automation rule.
    * **ErrorCode** *(integer) --* The error code associated with the unprocessed automation rule.
    * **ErrorMessage** *(string) --* An error message describing why a request didn't process a specific rule.

**Exceptions**

* "SecurityHub.Client.exceptions.AccessDeniedException"
* "SecurityHub.Client.exceptions.InternalException"
* "SecurityHub.Client.exceptions.InvalidAccessException"
* "SecurityHub.Client.exceptions.InvalidInputException"
* "SecurityHub.Client.exceptions.LimitExceededException"
* "SecurityHub.Client.exceptions.ResourceNotFoundException"

batch_import_findings
*********************

SecurityHub.Client.batch_import_findings(**kwargs)

Imports security findings generated by a finding provider into Security Hub. This action is requested by the finding provider to import its findings into Security Hub.

"BatchImportFindings" must be called by one of the following:

* The Amazon Web Services account that is associated with a finding if you are using the default product ARN or are a partner sending findings from within a customer's Amazon Web Services account. In these cases, the identifier of the account that you are calling "BatchImportFindings" from needs to be the same as the "AwsAccountId" attribute for the finding.
* An Amazon Web Services account that Security Hub has allow-listed for an official partner integration.
  In this case, you can call "BatchImportFindings" from the allow-listed account and send findings from different customer accounts in the same batch.

The maximum allowed size for a finding is 240 Kb. An error is returned for any finding larger than 240 Kb.

After a finding is created, "BatchImportFindings" cannot be used to update the following finding fields and objects, which Security Hub customers use to manage their investigation workflow.

* "Note"
* "UserDefinedFields"
* "VerificationState"
* "Workflow"

Finding providers also should not use "BatchImportFindings" to update the following attributes.

* "Confidence"
* "Criticality"
* "RelatedFindings"
* "Severity"
* "Types"

Instead, finding providers use "FindingProviderFields" to provide values for these attributes.

See also: AWS API Documentation

**Request Syntax**

   # This section is too large to render.
   # Please see the AWS API Documentation linked below.

AWS API Documentation

**Parameters**

   # This section is too large to render.
   # Please see the AWS API Documentation linked below.

AWS API Documentation

Return type:
   dict

Returns:
   **Response Syntax**

      {
          'FailedCount': 123,
          'SuccessCount': 123,
          'FailedFindings': [
              {
                  'Id': 'string',
                  'ErrorCode': 'string',
                  'ErrorMessage': 'string'
              },
          ]
      }

   **Response Structure**

   * *(dict) --*

     * **FailedCount** *(integer) --* The number of findings that failed to import.
     * **SuccessCount** *(integer) --* The number of findings that were successfully imported.
     * **FailedFindings** *(list) --* The list of findings that failed to import.

       * *(dict) --* The list of the findings that cannot be imported. For each finding, the list provides the error.

         * **Id** *(string) --* The identifier of the finding that could not be updated.
         * **ErrorCode** *(string) --* The code of the error returned by the "BatchImportFindings" operation.
         * **ErrorMessage** *(string) --* The message of the error returned by the "BatchImportFindings" operation.
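The constraints above (240 Kb size limit, matching "AwsAccountId", customer-managed fields, "FindingProviderFields") can be checked before a batch is sent, and "FailedFindings" can be folded back into a per-finding report. The following is an added example, not boto3 or AWS code: the function names, the stub client, its error code and the sample findings are constructed, 240 Kb is assumed to mean 240 * 1024 bytes of serialized JSON, and the 100-findings-per-call limit comes from the API's "Findings" parameter rather than from this page.

```python
import json

MAX_FINDING_BYTES = 240 * 1024  # page: "240 Kb"; assumed to mean 240 * 1024 bytes
MAX_BATCH = 100                 # per-call limit of the Findings parameter (not shown on this page)

# Fields that BatchImportFindings cannot update once the finding exists.
CUSTOMER_FIELDS = ("Note", "UserDefinedFields", "VerificationState", "Workflow")
# Attributes that providers are told to supply through FindingProviderFields.
PROVIDER_ATTRS = ("Confidence", "Criticality", "RelatedFindings", "Severity", "Types")


def lint_finding(finding, caller_account_id=None):
    """Return (errors, warnings) for one finding dict before it is imported."""
    errors, warnings = [], []
    # Local estimate of the serialized size; the service measures its own encoding.
    size = len(json.dumps(finding, separators=(",", ":")).encode("utf-8"))
    if size > MAX_FINDING_BYTES:
        errors.append(f"finding is {size} bytes, over the {MAX_FINDING_BYTES} byte limit")
    # Pass caller_account_id=None for an allow-listed partner account, which may
    # send findings for other accounts.
    if caller_account_id is not None and finding.get("AwsAccountId") != caller_account_id:
        errors.append("AwsAccountId differs from the calling account")
    for name in CUSTOMER_FIELDS:
        if name in finding:
            warnings.append(f"{name} is customer-managed; BatchImportFindings does not update it")
    provider_fields = finding.get("FindingProviderFields", {})
    for name in PROVIDER_ATTRS:
        if name in finding and name not in provider_fields:
            warnings.append(f"{name} is set at top level only; supply it in FindingProviderFields")
    return errors, warnings


def import_findings(client, findings, caller_account_id=None):
    """Lint, send in batches, and return a report keyed by finding Id."""
    report, sendable = {}, []
    for finding in findings:
        errors, warnings = lint_finding(finding, caller_account_id)
        status = "rejected_locally" if errors else "pending"
        report[finding["Id"]] = {"status": status, "errors": errors, "warnings": warnings}
        if not errors:
            sendable.append(finding)
    for start in range(0, len(sendable), MAX_BATCH):
        batch = sendable[start:start + MAX_BATCH]
        response = client.batch_import_findings(Findings=batch)
        failed = {item["Id"]: item for item in response.get("FailedFindings", [])}
        for finding in batch:
            entry = report[finding["Id"]]
            if finding["Id"] in failed:
                item = failed[finding["Id"]]
                entry["status"] = "failed"
                entry["errors"].append(f'{item["ErrorCode"]}: {item["ErrorMessage"]}')
            else:
                entry["status"] = "imported"
    return report


class StubClient:
    """Constructed stand-in for a Security Hub client; fails findings without a Title."""

    def __init__(self):
        self.calls = []  # batch sizes seen, for inspection

    def batch_import_findings(self, Findings):
        self.calls.append(len(Findings))
        failed = [
            {"Id": f["Id"], "ErrorCode": "ConstructedError", "ErrorMessage": "Title is missing"}
            for f in Findings if "Title" not in f
        ]
        return {"FailedCount": len(failed),
                "SuccessCount": len(Findings) - len(failed),
                "FailedFindings": failed}


def sample_finding(finding_id, **overrides):
    """Build a constructed finding; every value here is sample data."""
    finding = {
        "SchemaVersion": "2018-10-08",
        "Id": finding_id,
        "ProductArn": "arn:aws:securityhub:us-east-1:123456789012:product/123456789012/default",
        "GeneratorId": "constructed-scanner",
        "AwsAccountId": "123456789012",
        "CreatedAt": "2024-01-01T00:00:00Z",
        "UpdatedAt": "2024-01-01T00:00:00Z",
        "Title": "Constructed finding",
        "Description": "Sample data for the added example",
        "Resources": [{"Type": "Other", "Id": "constructed-resource"}],
        "FindingProviderFields": {"Severity": {"Label": "LOW"}},
    }
    finding.update(overrides)
    return finding


if __name__ == "__main__":
    demo = [sample_finding("f-1"), sample_finding("f-2", AwsAccountId="999999999999")]
    for fid, entry in import_findings(StubClient(), demo, "123456789012").items():
        print(fid, entry["status"], entry["errors"], entry["warnings"])
```

With a real client, pass `boto3.client("securityhub")` in place of the stub; the local size figure is an estimate, so a finding close to the limit can still be rejected by the service.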
**Exceptions**

* "SecurityHub.Client.exceptions.InternalException"
* "SecurityHub.Client.exceptions.InvalidInputException"
* "SecurityHub.Client.exceptions.LimitExceededException"
* "SecurityHub.Client.exceptions.InvalidAccessException"

get_insights
************

SecurityHub.Client.get_insights(**kwargs)

Lists and describes insights for the specified insight ARNs.

See also: AWS API Documentation

**Request Syntax**

   response = client.get_insights(
       InsightArns=[
           'string',
       ],
       NextToken='string',
       MaxResults=123
   )

Parameters:

* **InsightArns** (*list*) -- The ARNs of the insights to describe. If you don't provide any insight ARNs, then "GetInsights" returns all of your custom insights. It does not return any managed insights.

  * *(string) --*

* **NextToken** (*string*) -- The token that is required for pagination. On your first call to the "GetInsights" operation, set the value of this parameter to "NULL". For subsequent calls to the operation, to continue listing data, set the value of this parameter to the value returned from the previous response.
* **MaxResults** (*integer*) -- The maximum number of items to return in the response.
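Each insight returned by this operation carries a "Filters" map of string filters, and the combination rules this page gives for the "Comparison" operators decide which findings such a filter list selects. The following added example (not boto3 or AWS code) models those per-field rules as the page states them, so a filter list can be checked and evaluated locally; the function names and sample values are constructed, and "CONTAINS_WORD" is rejected because the page does not define how it matches.

```python
# Positive operators: filters on the same field are joined by OR.
POSITIVE = {
    "EQUALS": lambda value, needle: value == needle,
    "PREFIX": lambda value, needle: value.startswith(needle),
    "CONTAINS": lambda value, needle: needle in value,
}
# Negative operators: joined by AND; each is the negation of a positive one.
NEGATED = {
    "NOT_EQUALS": "EQUALS",
    "PREFIX_NOT_EQUALS": "PREFIX",
    "NOT_CONTAINS": "CONTAINS",
}


class FilterError(ValueError):
    """Raised for a filter combination the page says returns an error."""


def sf(value, comparison):
    """Build one string filter in the request/response shape."""
    return {"Value": value, "Comparison": comparison}


def validate(filters):
    """Check the filters given for ONE field against the documented rules."""
    if not 1 <= len(filters) <= 20:
        raise FilterError("a field takes between 1 and 20 filters")
    ops = {f["Comparison"] for f in filters}
    unsupported = ops - set(POSITIVE) - set(NEGATED)
    if unsupported:
        raise FilterError(f"operator not modelled here: {sorted(unsupported)}")
    for exclusive in ("CONTAINS", "NOT_CONTAINS"):
        if exclusive in ops and ops != {exclusive}:
            raise FilterError(f"{exclusive} can only be used with other {exclusive} filters")
    if "EQUALS" in ops and ops & {"NOT_EQUALS", "PREFIX_NOT_EQUALS"}:
        raise FilterError("EQUALS cannot be combined with NOT_EQUALS or PREFIX_NOT_EQUALS")


def matches(value, filters):
    """True if a field value passes the filters. Comparison is case sensitive."""
    validate(filters)
    positive = [f for f in filters if f["Comparison"] in POSITIVE]
    negative = [f for f in filters if f["Comparison"] in NEGATED]
    # Positive filters first (any one may match), then every exclusion must hold.
    included = not positive or any(
        POSITIVE[f["Comparison"]](value, f["Value"]) for f in positive)
    excluded = any(
        POSITIVE[NEGATED[f["Comparison"]]](value, f["Value"]) for f in negative)
    return included and not excluded


def select(values, filters):
    """Return the values that pass, preserving input order."""
    return [v for v in values if matches(v, filters)]


def audit_criteria(criteria):
    """Map field name -> error text for every field whose filter list is invalid."""
    problems = {}
    for field, filters in criteria.items():
        try:
            validate(filters)
        except FilterError as exc:
            problems[field] = str(exc)
    return problems


# The ResourceType example from this page.
PAGE_EXAMPLE = [
    sf("AwsIam", "PREFIX"),
    sf("AwsEc2", "PREFIX"),
    sf("AwsIamPolicy", "NOT_EQUALS"),
    sf("AwsEc2NetworkInterface", "NOT_EQUALS"),
]
# Constructed resource types to run the filters against.
RESOURCE_TYPES = ["AwsIamRole", "AwsIamPolicy", "AwsEc2Instance",
                  "AwsEc2NetworkInterface", "AwsS3Bucket"]

if __name__ == "__main__":
    print(select(RESOURCE_TYPES, PAGE_EXAMPLE))
    print(audit_criteria({
        "Title": [sf("CloudFront", "CONTAINS"), sf("CloudWatch", "NOT_CONTAINS")],
        "ResourceType": PAGE_EXAMPLE,
    }))
```

The service's own validation is authoritative; this model is useful for reviewing a rule or insight definition before it is submitted and for explaining why a finding was or was not selected.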
Return type: dict Returns: **Response Syntax** { 'Insights': [ { 'InsightArn': 'string', 'Name': 'string', 'Filters': { 'ProductArn': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'AwsAccountId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'Id': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'GeneratorId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'Region': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'Type': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'FirstObservedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'LastObservedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'CreatedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'UpdatedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'SeverityProduct': [ { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 }, ], 'SeverityNormalized': [ { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 }, ], 'SeverityLabel': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'Confidence': [ { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 }, ], 'Criticality': [ { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 }, ], 'Title': [ { 'Value': 'string', 
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'Description': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'RecommendationText': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'SourceUrl': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ProductFields': [ { 'Key': 'string', 'Value': 'string', 'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS' }, ], 'ProductName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'CompanyName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'UserDefinedFields': [ { 'Key': 'string', 'Value': 'string', 'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS' }, ], 'MalwareName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'MalwareType': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'MalwarePath': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'MalwareState': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'NetworkDirection': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'NetworkProtocol': [ { 'Value': 'string', 'Comparison': 
'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'NetworkSourceIpV4': [ { 'Cidr': 'string' }, ], 'NetworkSourceIpV6': [ { 'Cidr': 'string' }, ], 'NetworkSourcePort': [ { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 }, ], 'NetworkSourceDomain': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'NetworkSourceMac': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'NetworkDestinationIpV4': [ { 'Cidr': 'string' }, ], 'NetworkDestinationIpV6': [ { 'Cidr': 'string' }, ], 'NetworkDestinationPort': [ { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 }, ], 'NetworkDestinationDomain': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ProcessName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ProcessPath': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ProcessPid': [ { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 }, ], 'ProcessParentPid': [ { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 }, ], 'ProcessLaunchedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'ProcessTerminatedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'ThreatIntelIndicatorType': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ThreatIntelIndicatorValue': [ { 'Value': 'string', 'Comparison': 
'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ThreatIntelIndicatorCategory': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ThreatIntelIndicatorLastObservedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'ThreatIntelIndicatorSource': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ThreatIntelIndicatorSourceUrl': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceType': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourcePartition': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceRegion': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceTags': [ { 'Key': 'string', 'Value': 'string', 'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS' }, ], 'ResourceAwsEc2InstanceType': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceAwsEc2InstanceImageId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceAwsEc2InstanceIpV4Addresses': [ { 'Cidr': 'string' }, ], 'ResourceAwsEc2InstanceIpV6Addresses': [ { 'Cidr': 'string' }, ], 'ResourceAwsEc2InstanceKeyName': [ { 'Value': 'string', 
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceAwsEc2InstanceIamInstanceProfileArn': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceAwsEc2InstanceVpcId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceAwsEc2InstanceSubnetId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceAwsEc2InstanceLaunchedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'ResourceAwsS3BucketOwnerId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceAwsS3BucketOwnerName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceAwsIamAccessKeyUserName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceAwsIamAccessKeyPrincipalName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceAwsIamAccessKeyStatus': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceAwsIamAccessKeyCreatedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'ResourceAwsIamUserUserName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceContainerName': [ { 'Value': 'string', 'Comparison': 
'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceContainerImageId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceContainerImageName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceContainerLaunchedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'ResourceDetailsOther': [ { 'Key': 'string', 'Value': 'string', 'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS' }, ], 'ComplianceStatus': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'VerificationState': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'WorkflowState': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'WorkflowStatus': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'RecordState': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'RelatedFindingsProductArn': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'RelatedFindingsId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'NoteText': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'NoteUpdatedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 
'Value': 123, 'Unit': 'DAYS' } }, ], 'NoteUpdatedBy': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'Keyword': [ { 'Value': 'string' }, ], 'FindingProviderFieldsConfidence': [ { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 }, ], 'FindingProviderFieldsCriticality': [ { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 }, ], 'FindingProviderFieldsRelatedFindingsId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'FindingProviderFieldsRelatedFindingsProductArn': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'FindingProviderFieldsSeverityLabel': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'FindingProviderFieldsSeverityOriginal': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'FindingProviderFieldsTypes': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'Sample': [ { 'Value': True|False }, ], 'ComplianceSecurityControlId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ComplianceAssociatedStandardsId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'VulnerabilitiesExploitAvailable': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'VulnerabilitiesFixAvailable': [ { 'Value': 'string', 'Comparison': 
'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ComplianceSecurityControlParametersName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ComplianceSecurityControlParametersValue': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'AwsAccountName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceApplicationName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceApplicationArn': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ] }, 'GroupByAttribute': 'string' }, ], 'NextToken': 'string' } **Response Structure** # This section is too large to render. # Please see the AWS API Documentation linked below. AWS API Documentation **Exceptions** * "SecurityHub.Client.exceptions.InternalException" * "SecurityHub.Client.exceptions.InvalidInputException" * "SecurityHub.Client.exceptions.InvalidAccessException" * "SecurityHub.Client.exceptions.LimitExceededException" * "SecurityHub.Client.exceptions.ResourceNotFoundException"

batch_disable_standards
***********************

SecurityHub.Client.batch_disable_standards(**kwargs) Disables the standards specified by the provided "StandardsSubscriptionArns". For more information, see the Security Standards section of the *Security Hub User Guide*.
See also: AWS API Documentation **Request Syntax** response = client.batch_disable_standards( StandardsSubscriptionArns=[ 'string', ] ) Parameters: **StandardsSubscriptionArns** (*list*) -- **[REQUIRED]** The ARNs of the standards subscriptions to disable. * *(string) --* Return type: dict Returns: **Response Syntax** { 'StandardsSubscriptions': [ { 'StandardsSubscriptionArn': 'string', 'StandardsArn': 'string', 'StandardsInput': { 'string': 'string' }, 'StandardsStatus': 'PENDING'|'READY'|'FAILED'|'DELETING'|'INCOMPLETE', 'StandardsControlsUpdatable': 'READY_FOR_UPDATES'|'NOT_READY_FOR_UPDATES', 'StandardsStatusReason': { 'StatusReasonCode': 'NO_AVAILABLE_CONFIGURATION_RECORDER'|'MAXIMUM_NUMBER_OF_CONFIG_RULES_EXCEEDED'|'INTERNAL_ERROR' } }, ] } **Response Structure** * *(dict) --* * **StandardsSubscriptions** *(list) --* The details of the standards subscriptions that were disabled. * *(dict) --* A resource that represents your subscription to a supported standard. * **StandardsSubscriptionArn** *(string) --* The ARN of the resource that represents your subscription to the standard. * **StandardsArn** *(string) --* The ARN of the standard. * **StandardsInput** *(dict) --* A key-value pair of input for the standard. * *(string) --* * *(string) --* * **StandardsStatus** *(string) --* The status of your subscription to the standard. Possible values are: * "PENDING" - The standard is in the process of being enabled. Or the standard is already enabled and Security Hub is adding new controls to the standard. * "READY" - The standard is enabled. * "INCOMPLETE" - The standard could not be enabled completely. One or more errors ( "StandardsStatusReason") occurred when Security Hub attempted to enable the standard. * "DELETING" - The standard is in the process of being disabled. * "FAILED" - The standard could not be disabled. One or more errors ( "StandardsStatusReason") occurred when Security Hub attempted to disable the standard. 
* **StandardsControlsUpdatable** *(string) --* Specifies whether you can retrieve information about and configure individual controls that apply to the standard. Possible values are: * "READY_FOR_UPDATES" - Controls in the standard can be retrieved and configured. * "NOT_READY_FOR_UPDATES" - Controls in the standard cannot be retrieved or configured. * **StandardsStatusReason** *(dict) --* The reason for the current status. * **StatusReasonCode** *(string) --* The reason code that represents the reason for the current status of a standard subscription. **Exceptions** * "SecurityHub.Client.exceptions.InternalException" * "SecurityHub.Client.exceptions.InvalidInputException" * "SecurityHub.Client.exceptions.InvalidAccessException" * "SecurityHub.Client.exceptions.LimitExceededException" * "SecurityHub.Client.exceptions.AccessDeniedException"

get_finding_statistics_v2
*************************

SecurityHub.Client.get_finding_statistics_v2(**kwargs) Returns aggregated statistical data about findings. "GetFindingStatisticsV2" uses "securityhub:GetAdhocInsightResults" in the "Action" element of an IAM policy statement. You must have permission to perform this action. This API is in private preview and subject to change.
See also: AWS API Documentation **Request Syntax** response = client.get_finding_statistics_v2( GroupByRules=[ { 'Filters': { 'CompositeFilters': [ { 'StringFilters': [ { 'FieldName': 'metadata.uid'|'activity_name'|'cloud.account.uid'|'cloud.provider'|'cloud.region'|'compliance.assessments.category'|'compliance.assessments.name'|'compliance.control'|'compliance.status'|'compliance.standards'|'finding_info.desc'|'finding_info.src_url'|'finding_info.title'|'finding_info.types'|'finding_info.uid'|'finding_info.related_events.uid'|'finding_info.related_events.product.uid'|'finding_info.related_events.title'|'metadata.product.name'|'metadata.product.uid'|'metadata.product.vendor_name'|'remediation.desc'|'remediation.references'|'resources.cloud_partition'|'resources.region'|'resources.type'|'resources.uid'|'severity'|'status'|'comment'|'vulnerabilities.fix_coverage'|'class_name', 'Filter': { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' } }, ], 'DateFilters': [ { 'FieldName': 'finding_info.created_time_dt'|'finding_info.first_seen_time_dt'|'finding_info.last_seen_time_dt'|'finding_info.modified_time_dt', 'Filter': { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } } }, ], 'BooleanFilters': [ { 'FieldName': 'compliance.assessments.meets_criteria'|'vulnerabilities.is_exploit_available'|'vulnerabilities.is_fix_available', 'Filter': { 'Value': True|False } }, ], 'NumberFilters': [ { 'FieldName': 'activity_id'|'compliance.status_id'|'confidence_score'|'severity_id'|'status_id'|'finding_info.related_events_count', 'Filter': { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 } }, ], 'MapFilters': [ { 'FieldName': 'resources.tags', 'Filter': { 'Key': 'string', 'Value': 'string', 'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS' } }, ], 'Operator': 'AND'|'OR' }, ], 'CompositeOperator': 'AND'|'OR' }, 'GroupByField': 
'activity_name'|'cloud.account.uid'|'cloud.provider'|'cloud.region'|'compliance.assessments.name'|'compliance.status'|'compliance.control'|'finding_info.title'|'finding_info.types'|'metadata.product.name'|'metadata.product.uid'|'resources.type'|'resources.uid'|'severity'|'status'|'vulnerabilities.fix_coverage'|'class_name' }, ], SortOrder='asc'|'desc', MaxStatisticResults=123 ) Parameters: * **GroupByRules** (*list*) -- **[REQUIRED]** Specifies how security findings should be aggregated and organized in the statistical analysis. It can accept up to 5 "groupBy" fields in a single call. * *(dict) --* Defines how the finding attribute should be grouped. * **Filters** *(dict) --* The criteria used to select which security findings should be included in the grouping operation. * **CompositeFilters** *(list) --* Enables the creation of complex filtering conditions by combining filter criteria. * *(dict) --* Enables the creation of filtering criteria for security findings. * **StringFilters** *(list) --* Enables filtering based on string field values. * *(dict) --* Enables filtering of security findings based on string field values in OCSF. * **FieldName** *(string) --* The name of the field. * **Filter** *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS".
For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. 
Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". * "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. * **DateFilters** *(list) --* Enables filtering based on date and timestamp fields. * *(dict) --* Enables filtering of security findings based on date and timestamp fields in OCSF. * **FieldName** *(string) --* The name of the field. * **Filter** *(dict) --* A date filter for querying findings. * **Start** *(string) --* A timestamp that provides the start date for the date filter. For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps. * **End** *(string) --* A timestamp that provides the end date for the date filter. For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps. 
* **DateRange** *(dict) --* A date range for the date filter. * **Value** *(integer) --* A date range value for the date filter. * **Unit** *(string) --* A date range unit for the date filter. * **BooleanFilters** *(list) --* Enables filtering based on boolean field values. * *(dict) --* Enables filtering of security findings based on boolean field values in OCSF. * **FieldName** *(string) --* The name of the field. * **Filter** *(dict) --* Boolean filter for querying findings. * **Value** *(boolean) --* The value of the boolean. * **NumberFilters** *(list) --* Enables filtering based on numerical field values. * *(dict) --* Enables filtering of security findings based on numerical field values in OCSF. * **FieldName** *(string) --* The name of the field. * **Filter** *(dict) --* A number filter for querying findings. * **Gte** *(float) --* The greater-than-equal condition to be applied to a single field when querying for findings. * **Lte** *(float) --* The less-than-equal condition to be applied to a single field when querying for findings. * **Eq** *(float) --* The equal-to condition to be applied to a single field when querying for findings. * **Gt** *(float) --* The greater-than condition to be applied to a single field when querying for findings. * **Lt** *(float) --* The less-than condition to be applied to a single field when querying for findings. * **MapFilters** *(list) --* Enables filtering based on map field values. * *(dict) --* Enables filtering of security findings based on map field values in OCSF. * **FieldName** *(string) --* The name of the field. * **Filter** *(dict) --* A map filter for filtering Security Hub findings. Each map filter provides the field to check for, the value to check for, and the comparison operator. * **Key** *(string) --* The key of the map filter. For example, for "ResourceTags", "Key" identifies the name of the tag. For "UserDefinedFields", "Key" is the name of the field. 
* **Value** *(string) --* The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called "Department" might be "Security". If you provide "security" as the filter value, then there's no match. * **Comparison** *(string) --* The condition to apply to the key value when filtering Security Hub findings with a map filter. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, for the "ResourceTags" field, the filter "Department CONTAINS Security" matches findings that include the value "Security" for the "Department" tag. In the same example, a finding with a value of "Security team" for the "Department" tag is a match. * To search for values that exactly match the filter value, use "EQUALS". For example, for the "ResourceTags" field, the filter "Department EQUALS Security" matches findings that have the value "Security" for the "Department" tag. "CONTAINS" and "EQUALS" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Department CONTAINS Security OR Department CONTAINS Finance" match a finding that includes either "Security", "Finance", or both values. To search for values that don't have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, for the "ResourceTags" field, the filter "Department NOT_CONTAINS Finance" matches findings that exclude the value "Finance" for the "Department" tag. * To search for values other than the filter value, use "NOT_EQUALS". For example, for the "ResourceTags" field, the filter "Department NOT_EQUALS Finance" matches findings that don’t have the value "Finance" for the "Department" tag. "NOT_CONTAINS" and "NOT_EQUALS" filters on the same field are joined by "AND". 
A finding matches only if it matches all of those filters. For example, the filters "Department NOT_CONTAINS Security AND Department NOT_CONTAINS Finance" match a finding that excludes both the "Security" and "Finance" values. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can’t have both an "EQUALS" filter and a "NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules. For more information, see Automation rules in the *Security Hub User Guide*. * **Operator** *(string) --* The logical operator used to combine multiple filter conditions. * **CompositeOperator** *(string) --* The logical operators used to combine the filtering on multiple "CompositeFilters". * **GroupByField** *(string) --* **[REQUIRED]** The attribute by which filtered findings should be grouped. * **SortOrder** (*string*) -- Orders the aggregation count in descending or ascending order. Descending order is the default. * **MaxStatisticResults** (*integer*) -- The maximum number of results to be returned. Return type: dict Returns: **Response Syntax** { 'GroupByResults': [ { 'GroupByField': 'string', 'GroupByValues': [ { 'FieldValue': 'string', 'Count': 123 }, ] }, ] } **Response Structure** * *(dict) --* * **GroupByResults** *(list) --* Aggregated statistics about security findings based on specified grouping criteria. * *(dict) --* Represents finding statistics grouped by "GroupedByField". * **GroupByField** *(string) --* The attribute by which filtered security findings should be grouped. * **GroupByValues** *(list) --* An array of grouped values and their respective counts for each "GroupByField". 
* *(dict) --* Represents individual aggregated results when grouping security findings for each "GroupByField". * **FieldValue** *(string) --* The value of the field by which findings are grouped. * **Count** *(integer) --* The number of findings for a specific "FieldValue" and "GroupByField". **Exceptions** * "SecurityHub.Client.exceptions.InternalServerException" * "SecurityHub.Client.exceptions.ValidationException" * "SecurityHub.Client.exceptions.AccessDeniedException" * "SecurityHub.Client.exceptions.ConflictException" * "SecurityHub.Client.exceptions.ThrottlingException"

disassociate_members
********************

SecurityHub.Client.disassociate_members(**kwargs) Disassociates the specified member accounts from the associated administrator account. Can be used to disassociate both accounts that are managed using Organizations and accounts that were invited manually. See also: AWS API Documentation **Request Syntax** response = client.disassociate_members( AccountIds=[ 'string', ] ) Parameters: **AccountIds** (*list*) -- **[REQUIRED]** The account IDs of the member accounts to disassociate from the administrator account. * *(string) --* Return type: dict Returns: **Response Syntax** {} **Response Structure** * *(dict) --* **Exceptions** * "SecurityHub.Client.exceptions.InternalException" * "SecurityHub.Client.exceptions.InvalidInputException" * "SecurityHub.Client.exceptions.InvalidAccessException" * "SecurityHub.Client.exceptions.LimitExceededException" * "SecurityHub.Client.exceptions.ResourceNotFoundException" * "SecurityHub.Client.exceptions.AccessDeniedException"

start_configuration_policy_disassociation
*****************************************

SecurityHub.Client.start_configuration_policy_disassociation(**kwargs) Disassociates a target account, organizational unit, or the root from a specified configuration.
When you disassociate a configuration from its target, the target inherits the configuration of the closest parent. If there’s no configuration to inherit, the target retains its settings but becomes a self-managed account. A target can be disassociated from a configuration policy or self-managed behavior. Only the Security Hub delegated administrator can invoke this operation from the home Region. See also: AWS API Documentation **Request Syntax** response = client.start_configuration_policy_disassociation( Target={ 'AccountId': 'string', 'OrganizationalUnitId': 'string', 'RootId': 'string' }, ConfigurationPolicyIdentifier='string' ) Parameters: * **Target** (*dict*) -- The identifier of the target account, organizational unit, or the root to disassociate from the specified configuration. Note: This is a Tagged Union structure. Only one of the following top level keys can be set: "AccountId", "OrganizationalUnitId", "RootId". * **AccountId** *(string) --* The Amazon Web Services account ID of the target account. * **OrganizationalUnitId** *(string) --* The organizational unit ID of the target organizational unit. * **RootId** *(string) --* The ID of the organization root. * **ConfigurationPolicyIdentifier** (*string*) -- **[REQUIRED]** The Amazon Resource Name (ARN) of a configuration policy, the universally unique identifier (UUID) of a configuration policy, or a value of "SELF_MANAGED_SECURITY_HUB" for a self-managed configuration.
Return type: dict Returns: **Response Syntax** {} **Response Structure** * *(dict) --* **Exceptions** * "SecurityHub.Client.exceptions.InternalException" * "SecurityHub.Client.exceptions.InvalidAccessException" * "SecurityHub.Client.exceptions.InvalidInputException" * "SecurityHub.Client.exceptions.LimitExceededException" * "SecurityHub.Client.exceptions.ResourceNotFoundException" * "SecurityHub.Client.exceptions.AccessDeniedException"

get_administrator_account
*************************

SecurityHub.Client.get_administrator_account() Provides the details for the Security Hub administrator account for the current member account. Can be used by both member accounts that are managed using Organizations and accounts that were invited manually. See also: AWS API Documentation **Request Syntax** response = client.get_administrator_account() Return type: dict Returns: **Response Syntax** { 'Administrator': { 'AccountId': 'string', 'InvitationId': 'string', 'InvitedAt': datetime(2015, 1, 1), 'MemberStatus': 'string' } } **Response Structure** * *(dict) --* * **Administrator** *(dict) --* Details about an invitation. * **AccountId** *(string) --* The account ID of the Security Hub administrator account that the invitation was sent from. * **InvitationId** *(string) --* The ID of the invitation sent to the member account. * **InvitedAt** *(datetime) --* The timestamp of when the invitation was sent. * **MemberStatus** *(string) --* The current status of the association between the member and administrator accounts.
**Exceptions** * "SecurityHub.Client.exceptions.InternalException" * "SecurityHub.Client.exceptions.InvalidInputException" * "SecurityHub.Client.exceptions.InvalidAccessException" * "SecurityHub.Client.exceptions.LimitExceededException" * "SecurityHub.Client.exceptions.ResourceNotFoundException"

get_aggregator_v2
*****************

SecurityHub.Client.get_aggregator_v2(**kwargs) Returns the configuration of the specified Aggregator V2. This API is in private preview and subject to change. See also: AWS API Documentation **Request Syntax** response = client.get_aggregator_v2( AggregatorV2Arn='string' ) Parameters: **AggregatorV2Arn** (*string*) -- **[REQUIRED]** The ARN of the Aggregator V2. Return type: dict Returns: **Response Syntax** { 'AggregatorV2Arn': 'string', 'AggregationRegion': 'string', 'RegionLinkingMode': 'string', 'LinkedRegions': [ 'string', ] } **Response Structure** * *(dict) --* * **AggregatorV2Arn** *(string) --* The ARN of the Aggregator V2. * **AggregationRegion** *(string) --* The Amazon Web Services Region where data is aggregated. * **RegionLinkingMode** *(string) --* Determines how Regions are linked to an Aggregator V2. * **LinkedRegions** *(list) --* The list of Regions that are linked to the aggregation Region. * *(string) --* **Exceptions** * "SecurityHub.Client.exceptions.InternalServerException" * "SecurityHub.Client.exceptions.ThrottlingException" * "SecurityHub.Client.exceptions.AccessDeniedException" * "SecurityHub.Client.exceptions.ValidationException" * "SecurityHub.Client.exceptions.ResourceNotFoundException" * "SecurityHub.Client.exceptions.ConflictException"

get_resources_statistics_v2
***************************

SecurityHub.Client.get_resources_statistics_v2(**kwargs) Retrieves statistical information about Amazon Web Services resources and their associated security findings. This API is in private preview and subject to change.
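The "StringFilters" rules that this operation and "get_finding_statistics_v2" document under "Comparison" (which operators may share a field, OR between the positive operators, AND between the negative ones, case-sensitive values) can be checked and previewed locally before a request is sent. The Python below is an added example, not part of the SDK documentation: the helper names, the mapping of the page's "ResourceType" illustration onto the "resource_type" field, and the sample records are assumptions, and joining different fields with AND is a choice of this example rather than a statement about the "Operator" key.

```python
from collections import defaultdict

# Operator groups as described in the "Comparison" documentation on this page.
POSITIVE = {"EQUALS", "PREFIX", "CONTAINS"}                     # joined by OR
NEGATIVE = {"NOT_EQUALS", "PREFIX_NOT_EQUALS", "NOT_CONTAINS"}  # joined by AND
UNMODELLED = {"CONTAINS_WORD"}  # in the request syntax; semantics not given on the page

_TESTS = {
    "EQUALS": lambda actual, want: actual == want,
    "PREFIX": lambda actual, want: actual.startswith(want),
    "CONTAINS": lambda actual, want: want in actual,
    "NOT_EQUALS": lambda actual, want: actual != want,
    "PREFIX_NOT_EQUALS": lambda actual, want: not actual.startswith(want),
    "NOT_CONTAINS": lambda actual, want: want not in actual,
}


def string_filter(field, comparison, value):
    """Build one StringFilters entry in the shape shown in the request syntax."""
    return {"FieldName": field, "Filter": {"Value": value, "Comparison": comparison}}


def group_by_field(string_filters):
    """Map FieldName -> list of (Comparison, Value) pairs."""
    grouped = defaultdict(list)
    for entry in string_filters:
        flt = entry["Filter"]
        grouped[entry["FieldName"]].append((flt["Comparison"], flt["Value"]))
    return dict(grouped)


def validate_string_filters(string_filters):
    """Return the same-field combination violations (empty list means none)."""
    problems = []
    for field, pairs in sorted(group_by_field(string_filters).items()):
        ops = {op for op, _ in pairs}
        for op in sorted(ops - POSITIVE - NEGATIVE - UNMODELLED):
            problems.append(f"{field}: unknown comparison {op}")
        if "CONTAINS" in ops and ops != {"CONTAINS"}:
            problems.append(f"{field}: CONTAINS can only be used with other CONTAINS filters")
        if "NOT_CONTAINS" in ops and ops != {"NOT_CONTAINS"}:
            problems.append(f"{field}: NOT_CONTAINS can only be used with other NOT_CONTAINS filters")
        if "EQUALS" in ops and ops & {"NOT_EQUALS", "PREFIX_NOT_EQUALS"}:
            problems.append(f"{field}: EQUALS cannot be combined with NOT_EQUALS or PREFIX_NOT_EQUALS")
    return problems


def field_matches(actual, pairs):
    """Apply every filter on ONE field to one value; comparisons are case sensitive."""
    positive = [(op, v) for op, v in pairs if op in POSITIVE]
    negative = [(op, v) for op, v in pairs if op in NEGATIVE]
    if len(positive) + len(negative) != len(pairs):
        raise ValueError("comparison operator whose semantics are not modelled here")
    # Positive filters select first (any one may match) ...
    selected = any(_TESTS[op](actual, v) for op, v in positive) if positive else True
    # ... then every negative filter must also hold.
    return selected and all(_TESTS[op](actual, v) for op, v in negative)


def select(records, string_filters):
    """Return the records that pass the filters; refuses invalid combinations."""
    problems = validate_string_filters(string_filters)
    if problems:
        raise ValueError("; ".join(problems))
    grouped = group_by_field(string_filters)
    return [
        rec for rec in records
        # Assumption of this example: different fields are combined with AND.
        if all(field_matches(rec.get(field, ""), pairs) for field, pairs in grouped.items())
    ]


# The page's PREFIX / NOT_EQUALS illustration, written as StringFilters entries.
PAGE_EXAMPLE = [
    string_filter("resource_type", "PREFIX", "AwsIam"),
    string_filter("resource_type", "PREFIX", "AwsEc2"),
    string_filter("resource_type", "NOT_EQUALS", "AwsIamPolicy"),
    string_filter("resource_type", "NOT_EQUALS", "AwsEc2NetworkInterface"),
]

# Constructed sample records (illustrative values, not API output).
SAMPLE_RESOURCES = [
    {"resource_type": "AwsIamRole"},
    {"resource_type": "AwsIamPolicy"},
    {"resource_type": "AwsEc2Instance"},
    {"resource_type": "AwsEc2NetworkInterface"},
    {"resource_type": "AwsS3Bucket"},
    {"resource_type": "awsiamuser"},  # wrong case: PREFIX AwsIam does not match
]

if __name__ == "__main__":
    for rec in select(SAMPLE_RESOURCES, PAGE_EXAMPLE):
        print(rec["resource_type"])
```

Running "validate_string_filters" over a filter list before calling the API surfaces combination mistakes locally instead of as a request error.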
See also: AWS API Documentation **Request Syntax** response = client.get_resources_statistics_v2( GroupByRules=[ { 'GroupByField': 'account_id'|'region'|'resource_category'|'resource_type'|'resource_name'|'findings_summary.finding_type', 'Filters': { 'CompositeFilters': [ { 'StringFilters': [ { 'FieldName': 'resource_arn'|'resource_id'|'account_id'|'region'|'resource_category'|'resource_type'|'resource_name'|'findings_summary.finding_type'|'findings_summary.product_name', 'Filter': { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' } }, ], 'DateFilters': [ { 'FieldName': 'resource_detail_capture_time_dt'|'resource_creation_time_dt', 'Filter': { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } } }, ], 'NumberFilters': [ { 'FieldName': 'findings_summary.total_findings'|'findings_summary.severities.other'|'findings_summary.severities.fatal'|'findings_summary.severities.critical'|'findings_summary.severities.high'|'findings_summary.severities.medium'|'findings_summary.severities.low'|'findings_summary.severities.informational'|'findings_summary.severities.unknown', 'Filter': { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 } }, ], 'MapFilters': [ { 'FieldName': 'tags', 'Filter': { 'Key': 'string', 'Value': 'string', 'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS' } }, ], 'Operator': 'AND'|'OR' }, ], 'CompositeOperator': 'AND'|'OR' } }, ], SortOrder='asc'|'desc', MaxStatisticResults=123 ) Parameters: * **GroupByRules** (*list*) -- **[REQUIRED]** How resource statistics should be aggregated and organized in the response. * *(dict) --* Defines the configuration for organizing and categorizing Amazon Web Services resources based on associated security findings. * **GroupByField** *(string) --* **[REQUIRED]** Specifies the attribute that resources should be grouped by. 
* **Filters** *(dict) --* The criteria used to select resources and associated security findings. * **CompositeFilters** *(list) --* A collection of complex filtering conditions that can be applied to Amazon Web Services resources. * *(dict) --* Enables the creation of criteria for Amazon Web Services resources in Security Hub. * **StringFilters** *(list) --* Enables filtering based on string field values. * *(dict) --* Enables filtering of Amazon Web Services resources based on string field values. * **FieldName** *(string) --* The name of the field. * **Filter** *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. 
For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. 
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". * "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. * **DateFilters** *(list) --* Enables filtering based on date and timestamp field values. * *(dict) --* Enables the filtering of Amazon Web Services resources based on date and timestamp attributes. * **FieldName** *(string) --* The name of the field. * **Filter** *(dict) --* A date filter for querying findings. * **Start** *(string) --* A timestamp that provides the start date for the date filter. For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps. * **End** *(string) --* A timestamp that provides the end date for the date filter. For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps. * **DateRange** *(dict) --* A date range for the date filter. * **Value** *(integer) --* A date range value for the date filter. * **Unit** *(string) --* A date range unit for the date filter. * **NumberFilters** *(list) --* Enables filtering based on numerical field values. * *(dict) --* Enables filtering of Amazon Web Services resources based on numerical values. * **FieldName** *(string) --* The name of the field. * **Filter** *(dict) --* A number filter for querying findings. 
* **Gte** *(float) --* The greater-than-equal condition to be applied to a single field when querying for findings. * **Lte** *(float) --* The less-than-equal condition to be applied to a single field when querying for findings. * **Eq** *(float) --* The equal-to condition to be applied to a single field when querying for findings. * **Gt** *(float) --* The greater-than condition to be applied to a single field when querying for findings. * **Lt** *(float) --* The less-than condition to be applied to a single field when querying for findings. * **MapFilters** *(list) --* Enables filtering based on map-based field values. * *(dict) --* Enables filtering of Amazon Web Services resources based on key-value map attributes. * **FieldName** *(string) --* The name of the field. * **Filter** *(dict) --* A map filter for filtering Security Hub findings. Each map filter provides the field to check for, the value to check for, and the comparison operator. * **Key** *(string) --* The key of the map filter. For example, for "ResourceTags", "Key" identifies the name of the tag. For "UserDefinedFields", "Key" is the name of the field. * **Value** *(string) --* The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called "Department" might be "Security". If you provide "security" as the filter value, then there's no match. * **Comparison** *(string) --* The condition to apply to the key value when filtering Security Hub findings with a map filter. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, for the "ResourceTags" field, the filter "Department CONTAINS Security" matches findings that include the value "Security" for the "Department" tag. In the same example, a finding with a value of "Security team" for the "Department" tag is a match. 
* To search for values that exactly match the filter value, use "EQUALS". For example, for the "ResourceTags" field, the filter "Department EQUALS Security" matches findings that have the value "Security" for the "Department" tag. "CONTAINS" and "EQUALS" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Department CONTAINS Security OR Department CONTAINS Finance" match a finding that includes either "Security", "Finance", or both values. To search for values that don't have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, for the "ResourceTags" field, the filter "Department NOT_CONTAINS Finance" matches findings that exclude the value "Finance" for the "Department" tag. * To search for values other than the filter value, use "NOT_EQUALS". For example, for the "ResourceTags" field, the filter "Department NOT_EQUALS Finance" matches findings that don’t have the value "Finance" for the "Department" tag. "NOT_CONTAINS" and "NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Department NOT_CONTAINS Security AND Department NOT_CONTAINS Finance" match a finding that excludes both the "Security" and "Finance" values. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can’t have both an "EQUALS" filter and a "NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules. For more information, see Automation rules in the *Security Hub User Guide*. 
* **Operator** *(string) --* The logical operator used to combine multiple filter conditions. * **CompositeOperator** *(string) --* The logical operator used to combine multiple filter conditions in the structure. * **SortOrder** (*string*) -- Sorts aggregated statistics. * **MaxStatisticResults** (*integer*) -- The maximum number of results to be returned. Return type: dict Returns: **Response Syntax** { 'GroupByResults': [ { 'GroupByField': 'string', 'GroupByValues': [ { 'FieldValue': 'string', 'Count': 123 }, ] }, ] } **Response Structure** * *(dict) --* * **GroupByResults** *(list) --* The aggregated statistics about resources based on the specified grouping rule. * *(dict) --* Represents finding statistics grouped by "GroupByField". * **GroupByField** *(string) --* The attribute by which filtered security findings should be grouped. * **GroupByValues** *(list) --* An array of grouped values and their respective counts for each "GroupByField". * *(dict) --* Represents individual aggregated results when grouping security findings for each "GroupByField". * **FieldValue** *(string) --* The value of the field by which findings are grouped. * **Count** *(integer) --* The number of findings for a specific "FieldValue" and "GroupByField". **Exceptions** * "SecurityHub.Client.exceptions.InternalServerException" * "SecurityHub.Client.exceptions.AccessDeniedException" * "SecurityHub.Client.exceptions.ThrottlingException" * "SecurityHub.Client.exceptions.ConflictException" * "SecurityHub.Client.exceptions.ValidationException" * "SecurityHub.Client.exceptions.ResourceNotFoundException"

create_finding_aggregator
*************************

SecurityHub.Client.create_finding_aggregator(**kwargs) Note: The *aggregation Region* is now called the *home Region*. Used to enable cross-Region aggregation. This operation can be invoked from the home Region only.
For information about how cross-Region aggregation works, see Understanding cross-Region aggregation in Security Hub in the *Security Hub User Guide*. See also: AWS API Documentation **Request Syntax** response = client.create_finding_aggregator( RegionLinkingMode='string', Regions=[ 'string', ] ) Parameters: * **RegionLinkingMode** (*string*) -- **[REQUIRED]** Indicates whether to aggregate findings from all of the available Regions in the current partition. Also determines whether to automatically aggregate findings from new Regions as Security Hub supports them and you opt into them. The selected option also determines how to use the Regions provided in the Regions list. The options are as follows: * "ALL_REGIONS" - Aggregates findings from all of the Regions where Security Hub is enabled. When you choose this option, Security Hub also automatically aggregates findings from new Regions as Security Hub supports them and you opt into them. * "ALL_REGIONS_EXCEPT_SPECIFIED" - Aggregates findings from all of the Regions where Security Hub is enabled, except for the Regions listed in the "Regions" parameter. When you choose this option, Security Hub also automatically aggregates findings from new Regions as Security Hub supports them and you opt into them. * "SPECIFIED_REGIONS" - Aggregates findings only from the Regions listed in the "Regions" parameter. Security Hub does not automatically aggregate findings from new Regions. * "NO_REGIONS" - Aggregates no data because no Regions are selected as linked Regions. * **Regions** (*list*) -- If "RegionLinkingMode" is "ALL_REGIONS_EXCEPT_SPECIFIED", then this is a space-separated list of Regions that don't replicate and send findings to the home Region. If "RegionLinkingMode" is "SPECIFIED_REGIONS", then this is a space-separated list of Regions that do replicate and send findings to the home Region. An "InvalidInputException" error results if you populate this field while "RegionLinkingMode" is "NO_REGIONS". 
* *(string) --* Return type: dict Returns: **Response Syntax** { 'FindingAggregatorArn': 'string', 'FindingAggregationRegion': 'string', 'RegionLinkingMode': 'string', 'Regions': [ 'string', ] } **Response Structure** * *(dict) --* * **FindingAggregatorArn** *(string) --* The ARN of the finding aggregator. You use the finding aggregator ARN to retrieve details for, update, and stop cross-Region aggregation. * **FindingAggregationRegion** *(string) --* The home Region. Findings generated in linked Regions are replicated and sent to the home Region. * **RegionLinkingMode** *(string) --* Indicates whether to link all Regions, all Regions except for a list of excluded Regions, or a list of included Regions. * **Regions** *(list) --* The list of excluded Regions or included Regions. * *(string) --* **Exceptions** * "SecurityHub.Client.exceptions.InternalException" * "SecurityHub.Client.exceptions.LimitExceededException" * "SecurityHub.Client.exceptions.InvalidAccessException" * "SecurityHub.Client.exceptions.AccessDeniedException" * "SecurityHub.Client.exceptions.InvalidInputException"

get_resources_v2
****************

SecurityHub.Client.get_resources_v2(**kwargs) Returns a list of resources. This API is in private preview and subject to change.
See also: AWS API Documentation **Request Syntax** response = client.get_resources_v2( Filters={ 'CompositeFilters': [ { 'StringFilters': [ { 'FieldName': 'resource_arn'|'resource_id'|'account_id'|'region'|'resource_category'|'resource_type'|'resource_name'|'findings_summary.finding_type'|'findings_summary.product_name', 'Filter': { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' } }, ], 'DateFilters': [ { 'FieldName': 'resource_detail_capture_time_dt'|'resource_creation_time_dt', 'Filter': { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } } }, ], 'NumberFilters': [ { 'FieldName': 'findings_summary.total_findings'|'findings_summary.severities.other'|'findings_summary.severities.fatal'|'findings_summary.severities.critical'|'findings_summary.severities.high'|'findings_summary.severities.medium'|'findings_summary.severities.low'|'findings_summary.severities.informational'|'findings_summary.severities.unknown', 'Filter': { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 } }, ], 'MapFilters': [ { 'FieldName': 'tags', 'Filter': { 'Key': 'string', 'Value': 'string', 'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS' } }, ], 'Operator': 'AND'|'OR' }, ], 'CompositeOperator': 'AND'|'OR' }, SortCriteria=[ { 'Field': 'string', 'SortOrder': 'asc'|'desc' }, ], NextToken='string', MaxResults=123 ) Parameters: * **Filters** (*dict*) -- Filters resources based on a set of criteria. * **CompositeFilters** *(list) --* A collection of complex filtering conditions that can be applied to Amazon Web Services resources. * *(dict) --* Enables the creation of criteria for Amazon Web Services resources in Security Hub. * **StringFilters** *(list) --* Enables filtering based on string field values. * *(dict) --* Enables filtering of Amazon Web Services resources based on string field values. * **FieldName** *(string) --* The name of the field. 
* **Filter** *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". 
For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". * "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. 
For more information, see Automation rules in the *Security Hub User Guide*. * **DateFilters** *(list) --* Enables filtering based on date and timestamp field values. * *(dict) --* Enables the filtering of Amazon Web Services resources based on date and timestamp attributes. * **FieldName** *(string) --* The name of the field. * **Filter** *(dict) --* A date filter for querying findings. * **Start** *(string) --* A timestamp that provides the start date for the date filter. For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps. * **End** *(string) --* A timestamp that provides the end date for the date filter. For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps. * **DateRange** *(dict) --* A date range for the date filter. * **Value** *(integer) --* A date range value for the date filter. * **Unit** *(string) --* A date range unit for the date filter. * **NumberFilters** *(list) --* Enables filtering based on numerical field values. * *(dict) --* Enables filtering of Amazon Web Services resources based on numerical values. * **FieldName** *(string) --* The name of the field. * **Filter** *(dict) --* A number filter for querying findings. * **Gte** *(float) --* The greater-than-equal condition to be applied to a single field when querying for findings. * **Lte** *(float) --* The less-than-equal condition to be applied to a single field when querying for findings. * **Eq** *(float) --* The equal-to condition to be applied to a single field when querying for findings. * **Gt** *(float) --* The greater-than condition to be applied to a single field when querying for findings. * **Lt** *(float) --* The less-than condition to be applied to a single field when querying for findings. * **MapFilters** *(list) --* Enables filtering based on map-based field values. * *(dict) --* Enables filtering of Amazon Web Services resources based on key-value map attributes. 
* **FieldName** *(string) --* The name of the field. * **Filter** *(dict) --* A map filter for filtering Security Hub findings. Each map filter provides the field to check for, the value to check for, and the comparison operator. * **Key** *(string) --* The key of the map filter. For example, for "ResourceTags", "Key" identifies the name of the tag. For "UserDefinedFields", "Key" is the name of the field. * **Value** *(string) --* The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called "Department" might be "Security". If you provide "security" as the filter value, then there's no match. * **Comparison** *(string) --* The condition to apply to the key value when filtering Security Hub findings with a map filter. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, for the "ResourceTags" field, the filter "Department CONTAINS Security" matches findings that include the value "Security" for the "Department" tag. In the same example, a finding with a value of "Security team" for the "Department" tag is a match. * To search for values that exactly match the filter value, use "EQUALS". For example, for the "ResourceTags" field, the filter "Department EQUALS Security" matches findings that have the value "Security" for the "Department" tag. "CONTAINS" and "EQUALS" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Department CONTAINS Security OR Department CONTAINS Finance" match a finding that includes either "Security", "Finance", or both values. To search for values that don't have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". 
For example, for the "ResourceTags" field, the filter "Department NOT_CONTAINS Finance" matches findings that exclude the value "Finance" for the "Department" tag. * To search for values other than the filter value, use "NOT_EQUALS". For example, for the "ResourceTags" field, the filter "Department NOT_EQUALS Finance" matches findings that don’t have the value "Finance" for the "Department" tag. "NOT_CONTAINS" and "NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Department NOT_CONTAINS Security AND Department NOT_CONTAINS Finance" match a finding that excludes both the "Security" and "Finance" values. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can’t have both an "EQUALS" filter and a "NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules. For more information, see Automation rules in the *Security Hub User Guide*. * **Operator** *(string) --* The logical operator used to combine multiple filter conditions. * **CompositeOperator** *(string) --* The logical operator used to combine multiple filter conditions in the structure. * **SortCriteria** (*list*) -- The finding attributes used to sort the list of returned findings. * *(dict) --* A collection of finding attributes used to sort findings. * **Field** *(string) --* The finding attribute used to sort findings. * **SortOrder** *(string) --* The order used to sort findings. * **NextToken** (*string*) -- The token required for pagination. On your first call, set the value of this parameter to "NULL". 
For subsequent calls, to continue listing data, set the value of this parameter to the value returned in the previous response. * **MaxResults** (*integer*) -- The maximum number of results to return. Return type: dict Returns: **Response Syntax** { 'Resources': [ { 'ResourceArn': 'string', 'ResourceId': 'string', 'AccountId': 'string', 'Region': 'string', 'ResourceCategory': 'Compute'|'Database'|'Storage'|'Code'|'AI/ML'|'Identity'|'Network'|'Other', 'ResourceType': 'string', 'ResourceName': 'string', 'ResourceCreationTimeDt': 'string', 'ResourceDetailCaptureTimeDt': 'string', 'FindingsSummary': [ { 'FindingType': 'string', 'ProductName': 'string', 'TotalFindings': 123, 'Severities': { 'Other': 123, 'Fatal': 123, 'Critical': 123, 'High': 123, 'Medium': 123, 'Low': 123, 'Informational': 123, 'Unknown': 123 } }, ], 'ResourceTags': [ { 'Key': 'string', 'Value': 'string' }, ], 'ResourceConfig': {...}|[...]|123|123.4|'string'|True|None }, ], 'NextToken': 'string' } **Response Structure** * *(dict) --* * **Resources** *(list) --* Filters resources based on a set of criteria. * *(dict) --* Provides comprehensive details about an Amazon Web Services resource and its associated security findings. * **ResourceArn** *(string) --* Specifies the ARN that uniquely identifies a resource. * **ResourceId** *(string) --* The unique identifier for a resource. * **AccountId** *(string) --* The Amazon Web Services account that owns the resource. * **Region** *(string) --* The Amazon Web Services Region where the resource is located. * **ResourceCategory** *(string) --* The grouping where the resource belongs. * **ResourceType** *(string) --* The type of resource. * **ResourceName** *(string) --* The name of the resource. * **ResourceCreationTimeDt** *(string) --* The time when the resource was created. * **ResourceDetailCaptureTimeDt** *(string) --* The timestamp when information about the resource was captured. 
* **FindingsSummary** *(list) --* An aggregated view of security findings associated with a resource. * *(dict) --* A list of summaries for all finding types on a resource. * **FindingType** *(string) --* The category or classification of the security finding. * **ProductName** *(string) --* The name of the product associated with the security finding. * **TotalFindings** *(integer) --* The total count of security findings. * **Severities** *(dict) --* A breakdown of security findings by their severity levels. * **Other** *(integer) --* The number of findings not in any of the severity categories. * **Fatal** *(integer) --* The number of findings with a severity level of fatal. * **Critical** *(integer) --* The number of findings with a severity level of critical. * **High** *(integer) --* The number of findings with a severity level of high. * **Medium** *(integer) --* The number of findings with a severity level of medium. * **Low** *(integer) --* The number of findings with a severity level of low. * **Informational** *(integer) --* The number of findings that provide security-related information. * **Unknown** *(integer) --* The number of findings whose severity level cannot be determined. * **ResourceTags** *(list) --* The key-value pairs associated with a resource. * *(dict) --* Represents tag information associated with Amazon Web Services resources. * **Key** *(string) --* The identifier or name of the tag. * **Value** *(string) --* The data associated with the tag key. * **ResourceConfig** (*document*) -- The configuration details of a resource. * **NextToken** *(string) --* The pagination token to use to request the next page of results. Otherwise, this parameter is null.
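The same-field rules for string filters described above (positive comparisons joined by "OR", negative ones by "AND", "PREFIX" processed before "NOT_EQUALS", and the combinations that return an error), modelled locally as an added example that is not part of the AWS reference or SDK. The helper names are hypothetical, the sample resource types are constructed, and "CONTAINS_WORD" is not modelled because the page does not describe its matching behaviour.

```python
from collections import defaultdict

POSITIVE = {"EQUALS", "PREFIX", "CONTAINS"}                     # joined by OR
NEGATIVE = {"NOT_EQUALS", "PREFIX_NOT_EQUALS", "NOT_CONTAINS"}  # joined by AND


class FilterConflict(ValueError):
    """A same-field combination that the reference says returns an error."""


def string_filter(field_name, comparison, value):
    """Build one StringFilters entry in the request shape shown on this page."""
    if comparison not in POSITIVE | NEGATIVE:
        raise ValueError(f"comparison not modelled in this example: {comparison}")
    return {"FieldName": field_name,
            "Filter": {"Value": value, "Comparison": comparison}}


def validate(string_filters):
    """Reject the same-field combinations the reference documents as errors."""
    ops_by_field = defaultdict(set)
    for entry in string_filters:
        ops_by_field[entry["FieldName"]].add(entry["Filter"]["Comparison"])
    for field, ops in ops_by_field.items():
        # CONTAINS and NOT_CONTAINS may only be combined with their own kind.
        for exclusive in ("CONTAINS", "NOT_CONTAINS"):
            if exclusive in ops and ops != {exclusive}:
                others = sorted(ops - {exclusive})
                raise FilterConflict(f"{field}: {exclusive} mixed with {others}")
        # EQUALS cannot share a field with NOT_EQUALS or PREFIX_NOT_EQUALS.
        clash = ops & {"NOT_EQUALS", "PREFIX_NOT_EQUALS"}
        if "EQUALS" in ops and clash:
            raise FilterConflict(f"{field}: EQUALS mixed with {sorted(clash)}")
    return string_filters


def _holds(comparison, actual, wanted):
    """Evaluate one condition; filter values are case sensitive."""
    if comparison in ("EQUALS", "NOT_EQUALS"):
        hit = actual == wanted
    elif comparison in ("PREFIX", "PREFIX_NOT_EQUALS"):
        hit = actual.startswith(wanted)
    else:  # CONTAINS / NOT_CONTAINS
        hit = wanted in actual
    return hit if comparison in POSITIVE else not hit


def field_matches(actual, string_filters, field_name):
    """True if `actual` passes every filter given for `field_name`."""
    conds = [(e["Filter"]["Comparison"], e["Filter"]["Value"])
             for e in validate(string_filters) if e["FieldName"] == field_name]
    included = [_holds(op, actual, v) for op, v in conds if op in POSITIVE]
    excluded = [_holds(op, actual, v) for op, v in conds if op in NEGATIVE]
    # Inclusion filters select first; exclusion filters then remove matches.
    return (any(included) if included else True) and all(excluded)


def selected(values, string_filters, field_name="resource_type"):
    """Return the values that the filters on `field_name` would keep."""
    return [v for v in values if field_matches(v, string_filters, field_name)]


# The ResourceType example from the text, expressed against 'resource_type'.
RESOURCE_TYPE_FILTERS = [
    string_filter("resource_type", "PREFIX", "AwsIam"),
    string_filter("resource_type", "PREFIX", "AwsEc2"),
    string_filter("resource_type", "NOT_EQUALS", "AwsIamPolicy"),
    string_filter("resource_type", "NOT_EQUALS", "AwsEc2NetworkInterface"),
]

# Constructed sample values; the last one differs only in case.
SAMPLE_RESOURCE_TYPES = [
    "AwsIamRole", "AwsIamPolicy", "AwsEc2Instance",
    "AwsEc2NetworkInterface", "AwsS3Bucket", "awsiamrole",
]

if __name__ == "__main__":
    print(selected(SAMPLE_RESOURCE_TYPES, RESOURCE_TYPE_FILTERS))
```

Running `validate` on a filter list before sending it surfaces the conflicting combinations locally, and `selected` shows which values an inventory or triage query would keep or drop.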
**Exceptions** * "SecurityHub.Client.exceptions.InternalServerException" * "SecurityHub.Client.exceptions.AccessDeniedException" * "SecurityHub.Client.exceptions.ThrottlingException" * "SecurityHub.Client.exceptions.ConflictException" * "SecurityHub.Client.exceptions.ValidationException" * "SecurityHub.Client.exceptions.ResourceNotFoundException"

list_invitations
****************

SecurityHub.Client.list_invitations(**kwargs) Note: We recommend using Organizations instead of Security Hub invitations to manage your member accounts. For information, see Managing Security Hub administrator and member accounts with Organizations in the *Security Hub User Guide*. Lists all Security Hub membership invitations that were sent to the calling account. Only accounts that are managed by invitation can use this operation. Accounts that are managed using the integration with Organizations don't receive invitations. See also: AWS API Documentation **Request Syntax** response = client.list_invitations( MaxResults=123, NextToken='string' ) Parameters: * **MaxResults** (*integer*) -- The maximum number of items to return in the response. * **NextToken** (*string*) -- The token that is required for pagination. On your first call to the "ListInvitations" operation, set the value of this parameter to "NULL". For subsequent calls to the operation, to continue listing data, set the value of this parameter to the value returned from the previous response. Return type: dict Returns: **Response Syntax** { 'Invitations': [ { 'AccountId': 'string', 'InvitationId': 'string', 'InvitedAt': datetime(2015, 1, 1), 'MemberStatus': 'string' }, ], 'NextToken': 'string' } **Response Structure** * *(dict) --* * **Invitations** *(list) --* The details of the invitations returned by the operation. * *(dict) --* Details about an invitation. * **AccountId** *(string) --* The account ID of the Security Hub administrator account that the invitation was sent from.
* **InvitationId** *(string) --* The ID of the invitation sent to the member account. * **InvitedAt** *(datetime) --* The timestamp of when the invitation was sent. * **MemberStatus** *(string) --* The current status of the association between the member and administrator accounts. * **NextToken** *(string) --* The pagination token to use to request the next page of results. **Exceptions** * "SecurityHub.Client.exceptions.InternalException" * "SecurityHub.Client.exceptions.InvalidInputException" * "SecurityHub.Client.exceptions.InvalidAccessException" * "SecurityHub.Client.exceptions.LimitExceededException"

get_insight_results
*******************

SecurityHub.Client.get_insight_results(**kwargs) Lists the results of the Security Hub insight specified by the insight ARN. See also: AWS API Documentation **Request Syntax** response = client.get_insight_results( InsightArn='string' ) Parameters: **InsightArn** (*string*) -- **[REQUIRED]** The ARN of the insight for which to return results. Return type: dict Returns: **Response Syntax** { 'InsightResults': { 'InsightArn': 'string', 'GroupByAttribute': 'string', 'ResultValues': [ { 'GroupByAttributeValue': 'string', 'Count': 123 }, ] } } **Response Structure** * *(dict) --* * **InsightResults** *(dict) --* The insight results returned by the operation. * **InsightArn** *(string) --* The ARN of the insight whose results are returned by the "GetInsightResults" operation. * **GroupByAttribute** *(string) --* The attribute that the findings are grouped by for the insight whose results are returned by the "GetInsightResults" operation. * **ResultValues** *(list) --* The list of insight result values returned by the "GetInsightResults" operation. * *(dict) --* The insight result values returned by the "GetInsightResults" operation.
* **GroupByAttributeValue** *(string) --* The value of the attribute that the findings are grouped by for the insight whose results are returned by the "GetInsightResults" operation. * **Count** *(integer) --* The number of findings returned for each "GroupByAttributeValue". **Exceptions** * "SecurityHub.Client.exceptions.InternalException" * "SecurityHub.Client.exceptions.InvalidInputException" * "SecurityHub.Client.exceptions.InvalidAccessException" * "SecurityHub.Client.exceptions.LimitExceededException" * "SecurityHub.Client.exceptions.ResourceNotFoundException"

create_action_target
********************

SecurityHub.Client.create_action_target(**kwargs) Creates a custom action target in Security Hub. You can use custom actions on findings and insights in Security Hub to trigger target actions in Amazon CloudWatch Events. See also: AWS API Documentation **Request Syntax** response = client.create_action_target( Name='string', Description='string', Id='string' ) Parameters: * **Name** (*string*) -- **[REQUIRED]** The name of the custom action target. Can contain up to 20 characters. * **Description** (*string*) -- **[REQUIRED]** The description for the custom action target. * **Id** (*string*) -- **[REQUIRED]** The ID for the custom action target. Can contain up to 20 alphanumeric characters. Return type: dict Returns: **Response Syntax** { 'ActionTargetArn': 'string' } **Response Structure** * *(dict) --* * **ActionTargetArn** *(string) --* The Amazon Resource Name (ARN) for the custom action target.
**Exceptions** * "SecurityHub.Client.exceptions.InternalException" * "SecurityHub.Client.exceptions.InvalidInputException" * "SecurityHub.Client.exceptions.InvalidAccessException" * "SecurityHub.Client.exceptions.LimitExceededException" * "SecurityHub.Client.exceptions.ResourceConflictException"

enable_security_hub_v2
**********************

SecurityHub.Client.enable_security_hub_v2(**kwargs) Enables the service in the account for the current Amazon Web Services Region or the specified Amazon Web Services Region. This API is in private preview and subject to change. See also: AWS API Documentation **Request Syntax** response = client.enable_security_hub_v2( Tags={ 'string': 'string' } ) Parameters: **Tags** (*dict*) -- The tags to add to the hub V2 resource when you enable Security Hub. * *(string) --* * *(string) --* Return type: dict Returns: **Response Syntax** { 'HubV2Arn': 'string' } **Response Structure** * *(dict) --* * **HubV2Arn** *(string) --* The ARN of the V2 resource that was created. **Exceptions** * "SecurityHub.Client.exceptions.AccessDeniedException" * "SecurityHub.Client.exceptions.InternalServerException" * "SecurityHub.Client.exceptions.ThrottlingException" * "SecurityHub.Client.exceptions.ValidationException"

get_invitations_count
*********************

SecurityHub.Client.get_invitations_count() Note: We recommend using Organizations instead of Security Hub invitations to manage your member accounts. For information, see Managing Security Hub administrator and member accounts with Organizations in the *Security Hub User Guide*. Returns the count of all Security Hub membership invitations that were sent to the calling member account, not including the currently accepted invitation.
See also: AWS API Documentation **Request Syntax** response = client.get_invitations_count() Return type: dict Returns: **Response Syntax** { 'InvitationsCount': 123 } **Response Structure** * *(dict) --* * **InvitationsCount** *(integer) --* The number of all membership invitations sent to this Security Hub member account, not including the currently accepted invitation. **Exceptions** * "SecurityHub.Client.exceptions.InternalException" * "SecurityHub.Client.exceptions.InvalidInputException" * "SecurityHub.Client.exceptions.InvalidAccessException" * "SecurityHub.Client.exceptions.LimitExceededException"

batch_delete_automation_rules
*****************************

SecurityHub.Client.batch_delete_automation_rules(**kwargs) Deletes one or more automation rules. See also: AWS API Documentation **Request Syntax** response = client.batch_delete_automation_rules( AutomationRulesArns=[ 'string', ] ) Parameters: **AutomationRulesArns** (*list*) -- **[REQUIRED]** A list of Amazon Resource Names (ARNs) for the rules that are to be deleted. * *(string) --* Return type: dict Returns: **Response Syntax** { 'ProcessedAutomationRules': [ 'string', ], 'UnprocessedAutomationRules': [ { 'RuleArn': 'string', 'ErrorCode': 123, 'ErrorMessage': 'string' }, ] } **Response Structure** * *(dict) --* * **ProcessedAutomationRules** *(list) --* A list of properly processed rule ARNs. * *(string) --* * **UnprocessedAutomationRules** *(list) --* A list of objects containing "RuleArn", "ErrorCode", and "ErrorMessage". This parameter tells you which automation rules the request didn't delete and why. * *(dict) --* A list of objects containing "RuleArn", "ErrorCode", and "ErrorMessage". This parameter tells you which automation rules the request didn't process and why. * **RuleArn** *(string) --* The Amazon Resource Name (ARN) for the unprocessed automation rule.
* **ErrorCode** *(integer) --* The error code associated with the unprocessed automation rule. * **ErrorMessage** *(string) --* An error message describing why a request didn't process a specific rule. **Exceptions** * "SecurityHub.Client.exceptions.InternalException" * "SecurityHub.Client.exceptions.InvalidAccessException" * "SecurityHub.Client.exceptions.InvalidInputException" * "SecurityHub.Client.exceptions.LimitExceededException" * "SecurityHub.Client.exceptions.ResourceNotFoundException" SecurityHub / Client / batch_enable_standards batch_enable_standards ********************** SecurityHub.Client.batch_enable_standards(**kwargs) Enables the standards specified by the provided "StandardsArn". To obtain the ARN for a standard, use the "DescribeStandards" operation. For more information, see the Security Standards section of the *Security Hub User Guide*. See also: AWS API Documentation **Request Syntax** response = client.batch_enable_standards( StandardsSubscriptionRequests=[ { 'StandardsArn': 'string', 'StandardsInput': { 'string': 'string' } }, ] ) Parameters: **StandardsSubscriptionRequests** (*list*) -- **[REQUIRED]** The list of standards checks to enable. * *(dict) --* The standard that you want to enable. * **StandardsArn** *(string) --* **[REQUIRED]** The ARN of the standard that you want to enable. To view the list of available standards and their ARNs, use the "DescribeStandards" operation. * **StandardsInput** *(dict) --* A key-value pair of input for the standard. 
* *(string) --* * *(string) --* Return type: dict Returns: **Response Syntax** { 'StandardsSubscriptions': [ { 'StandardsSubscriptionArn': 'string', 'StandardsArn': 'string', 'StandardsInput': { 'string': 'string' }, 'StandardsStatus': 'PENDING'|'READY'|'FAILED'|'DELETING'|'INCOMPLETE', 'StandardsControlsUpdatable': 'READY_FOR_UPDATES'|'NOT_READY_FOR_UPDATES', 'StandardsStatusReason': { 'StatusReasonCode': 'NO_AVAILABLE_CONFIGURATION_RECORDER'|'MAXIMUM_NUMBER_OF_CONFIG_RULES_EXCEEDED'|'INTERNAL_ERROR' } }, ] } **Response Structure** * *(dict) --* * **StandardsSubscriptions** *(list) --* The details of the standards subscriptions that were enabled. * *(dict) --* A resource that represents your subscription to a supported standard. * **StandardsSubscriptionArn** *(string) --* The ARN of the resource that represents your subscription to the standard. * **StandardsArn** *(string) --* The ARN of the standard. * **StandardsInput** *(dict) --* A key-value pair of input for the standard. * *(string) --* * *(string) --* * **StandardsStatus** *(string) --* The status of your subscription to the standard. Possible values are: * "PENDING" - The standard is in the process of being enabled. Or the standard is already enabled and Security Hub is adding new controls to the standard. * "READY" - The standard is enabled. * "INCOMPLETE" - The standard could not be enabled completely. One or more errors ( "StandardsStatusReason") occurred when Security Hub attempted to enable the standard. * "DELETING" - The standard is in the process of being disabled. * "FAILED" - The standard could not be disabled. One or more errors ( "StandardsStatusReason") occurred when Security Hub attempted to disable the standard. * **StandardsControlsUpdatable** *(string) --* Specifies whether you can retrieve information about and configure individual controls that apply to the standard. Possible values are: * "READY_FOR_UPDATES" - Controls in the standard can be retrieved and configured. 
              * "NOT_READY_FOR_UPDATES" - Controls in the standard cannot be retrieved or configured.

            * **StandardsStatusReason** *(dict) --* The reason for the current status.

              * **StatusReasonCode** *(string) --* The reason code that represents the reason for the current status of a standard subscription.

   **Exceptions**

   * "SecurityHub.Client.exceptions.InternalException"
   * "SecurityHub.Client.exceptions.InvalidInputException"
   * "SecurityHub.Client.exceptions.InvalidAccessException"
   * "SecurityHub.Client.exceptions.LimitExceededException"
   * "SecurityHub.Client.exceptions.AccessDeniedException"

start_configuration_policy_association
**************************************

SecurityHub.Client.start_configuration_policy_association(**kwargs)

   Associates a target account, organizational unit, or the root with a specified configuration. The target can be associated with a configuration policy or self-managed behavior. Only the Security Hub delegated administrator can invoke this operation from the home Region.

   See also: AWS API Documentation

   **Request Syntax**

      response = client.start_configuration_policy_association(
          ConfigurationPolicyIdentifier='string',
          Target={
              'AccountId': 'string',
              'OrganizationalUnitId': 'string',
              'RootId': 'string'
          }
      )

   Parameters:
      * **ConfigurationPolicyIdentifier** (*string*) -- **[REQUIRED]** The Amazon Resource Name (ARN) of a configuration policy, the universally unique identifier (UUID) of a configuration policy, or a value of "SELF_MANAGED_SECURITY_HUB" for a self-managed configuration.

      * **Target** (*dict*) -- **[REQUIRED]** The identifier of the target account, organizational unit, or the root to associate with the specified configuration.

        Note:
          This is a Tagged Union structure. Only one of the following top level keys can be set: "AccountId", "OrganizationalUnitId", "RootId".

        * **AccountId** *(string) --* The Amazon Web Services account ID of the target account.
        * **OrganizationalUnitId** *(string) --* The organizational unit ID of the target organizational unit.
        * **RootId** *(string) --* The ID of the organization root.

   Return type:
      dict

   Returns:
      **Response Syntax**

         {
             'ConfigurationPolicyId': 'string',
             'TargetId': 'string',
             'TargetType': 'ACCOUNT'|'ORGANIZATIONAL_UNIT'|'ROOT',
             'AssociationType': 'INHERITED'|'APPLIED',
             'UpdatedAt': datetime(2015, 1, 1),
             'AssociationStatus': 'PENDING'|'SUCCESS'|'FAILED',
             'AssociationStatusMessage': 'string'
         }

      **Response Structure**

      * *(dict) --*

        * **ConfigurationPolicyId** *(string) --* The UUID of the configuration policy.
        * **TargetId** *(string) --* The identifier of the target account, organizational unit, or the organization root with which the configuration is associated.
        * **TargetType** *(string) --* Indicates whether the target is an Amazon Web Services account, organizational unit, or the organization root.
        * **AssociationType** *(string) --* Indicates whether the association between the specified target and the configuration was directly applied by the Security Hub delegated administrator or inherited from a parent.
        * **UpdatedAt** *(datetime) --* The date and time, in UTC and ISO 8601 format, that the configuration policy association was last updated.
        * **AssociationStatus** *(string) --* The current status of the association between the specified target and the configuration.
        * **AssociationStatusMessage** *(string) --* An explanation for a "FAILED" value for "AssociationStatus".

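A pre-flight check for the "start_configuration_policy_association" request described above, as an added example that is not part of the AWS SDK or its documentation: it enforces the tagged-union rule on "Target" and the three accepted forms of "ConfigurationPolicyIdentifier", then reduces the response to an outcome. The helper names, the ID patterns (assumed from AWS Organizations conventions), the loose ARN check, the stub client and the sample response are all assumptions made for illustration.

```python
import re
import uuid

SELF_MANAGED = "SELF_MANAGED_SECURITY_HUB"

# Assumed ID shapes, following AWS Organizations conventions (not stated on this page).
TARGET_PATTERNS = {
    "AccountId": re.compile(r"\d{12}"),
    "OrganizationalUnitId": re.compile(r"ou-[0-9a-z]{4,32}-[0-9a-z]{8,32}"),
    "RootId": re.compile(r"r-[0-9a-z]{4,32}"),
}


def is_policy_identifier(value):
    """True for SELF_MANAGED_SECURITY_HUB, a canonical UUID, or a securityhub ARN."""
    if not isinstance(value, str):
        return False
    if value == SELF_MANAGED:
        return True
    try:
        if str(uuid.UUID(value)) == value.lower():
            return True
    except ValueError:
        pass
    # Loose structural check only: arn:partition:securityhub:region:account:resource
    parts = value.split(":", 5)
    return len(parts) == 6 and parts[0] == "arn" and parts[2] == "securityhub" and bool(parts[5])


def build_association_request(policy_identifier, target):
    """Validate the inputs and return kwargs for start_configuration_policy_association."""
    if not is_policy_identifier(policy_identifier):
        raise ValueError("ConfigurationPolicyIdentifier must be a policy ARN, a UUID, "
                         f"or {SELF_MANAGED!r}")
    unknown = sorted(set(target) - set(TARGET_PATTERNS))
    if unknown:
        raise ValueError(f"unknown Target keys: {unknown}")
    populated = {k: v for k, v in target.items() if v}
    if len(populated) != 1:
        raise ValueError("Target is a tagged union: set exactly one of "
                         + ", ".join(TARGET_PATTERNS))
    (key, value), = populated.items()
    if not isinstance(value, str) or not TARGET_PATTERNS[key].fullmatch(value):
        raise ValueError(f"{key} has an unexpected format: {value!r}")
    return {"ConfigurationPolicyIdentifier": policy_identifier, "Target": {key: value}}


def association_outcome(response):
    """Reduce the response to (state, detail); FAILED carries AssociationStatusMessage."""
    status = response["AssociationStatus"]
    where = f"{response['TargetType']} {response['TargetId']}"
    if status == "FAILED":
        return "failed", f"{where}: {response.get('AssociationStatusMessage', 'no message')}"
    if status == "PENDING":
        return "pending", f"{where}: association not yet effective"
    return "ok", f"{where}: {response['AssociationType']}"


class StubClient:
    """Offline stand-in for boto3.client('securityhub'); returns a constructed response."""

    def __init__(self, response):
        self.response = response
        self.calls = []

    def start_configuration_policy_association(self, **kwargs):
        self.calls.append(kwargs)
        return self.response


def associate(client, policy_identifier, target):
    """Validate, call the API once, and return the reduced outcome."""
    request = build_association_request(policy_identifier, target)
    return association_outcome(client.start_configuration_policy_association(**request))


# Constructed sample response (values are made up for the example).
SAMPLE_FAILED = {
    "ConfigurationPolicyId": "11111111-2222-3333-4444-555555555555",
    "TargetId": "123456789012",
    "TargetType": "ACCOUNT",
    "AssociationType": "APPLIED",
    "AssociationStatus": "FAILED",
    "AssociationStatusMessage": "constructed failure reason",
}

if __name__ == "__main__":
    print(associate(StubClient(SAMPLE_FAILED), SELF_MANAGED, {"AccountId": "123456789012"}))
```

A "PENDING" outcome means the association has been accepted but is not yet in effect, so a caller that needs certainty should check the status again later rather than treat the first response as final.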
   **Exceptions**

   * "SecurityHub.Client.exceptions.InternalException"
   * "SecurityHub.Client.exceptions.InvalidAccessException"
   * "SecurityHub.Client.exceptions.InvalidInputException"
   * "SecurityHub.Client.exceptions.LimitExceededException"
   * "SecurityHub.Client.exceptions.ResourceNotFoundException"
   * "SecurityHub.Client.exceptions.AccessDeniedException"

list_finding_aggregators
************************

SecurityHub.Client.list_finding_aggregators(**kwargs)

   If cross-Region aggregation is enabled, then "ListFindingAggregators" returns the Amazon Resource Name (ARN) of the finding aggregator. You can run this operation from any Amazon Web Services Region.

   See also: AWS API Documentation

   **Request Syntax**

      response = client.list_finding_aggregators(
          NextToken='string',
          MaxResults=123
      )

   Parameters:
      * **NextToken** (*string*) -- The token returned with the previous set of results. Identifies the next set of results to return.
      * **MaxResults** (*integer*) -- The maximum number of results to return. This operation currently only returns a single result.

   Return type:
      dict

   Returns:
      **Response Syntax**

         {
             'FindingAggregators': [
                 {
                     'FindingAggregatorArn': 'string'
                 },
             ],
             'NextToken': 'string'
         }

      **Response Structure**

      * *(dict) --*

        * **FindingAggregators** *(list) --* The list of finding aggregators. This operation currently only returns a single result.

          * *(dict) --* A finding aggregator is a Security Hub resource that specifies cross-Region aggregation settings, including the home Region and any linked Regions.

            * **FindingAggregatorArn** *(string) --* The ARN of the finding aggregator. You use the finding aggregator ARN to retrieve details for, update, and delete the finding aggregator.

        * **NextToken** *(string) --* If there are more results, this is the token to provide in the next call to "ListFindingAggregators". This operation currently only returns a single result.

   **Exceptions**

   * "SecurityHub.Client.exceptions.InternalException"
   * "SecurityHub.Client.exceptions.LimitExceededException"
   * "SecurityHub.Client.exceptions.InvalidAccessException"
   * "SecurityHub.Client.exceptions.AccessDeniedException"
   * "SecurityHub.Client.exceptions.InvalidInputException"

delete_invitations
******************

SecurityHub.Client.delete_invitations(**kwargs)

   Note:
     We recommend using Organizations instead of Security Hub invitations to manage your member accounts. For information, see Managing Security Hub administrator and member accounts with Organizations in the *Security Hub User Guide*.

   Deletes invitations to become a Security Hub member account.

   A Security Hub administrator account can use this operation to delete invitations sent to one or more prospective member accounts.

   This operation is only used to delete invitations that are sent to prospective member accounts that aren't part of an Amazon Web Services organization. Organization accounts don't receive invitations.

   See also: AWS API Documentation

   **Request Syntax**

      response = client.delete_invitations(
          AccountIds=[
              'string',
          ]
      )

   Parameters:
      **AccountIds** (*list*) -- **[REQUIRED]** The list of member account IDs that received the invitations you want to delete.

      * *(string) --*

   Return type:
      dict

   Returns:
      **Response Syntax**

         {
             'UnprocessedAccounts': [
                 {
                     'AccountId': 'string',
                     'ProcessingResult': 'string'
                 },
             ]
         }

      **Response Structure**

      * *(dict) --*

        * **UnprocessedAccounts** *(list) --* The list of Amazon Web Services accounts for which the invitations were not deleted. For each account, the list includes the account ID and the email address.

          * *(dict) --* Details about the account that was not processed.

            * **AccountId** *(string) --* An Amazon Web Services account ID of the account that was not processed.
            * **ProcessingResult** *(string) --* The reason that the account was not processed.

   **Exceptions**

   * "SecurityHub.Client.exceptions.InternalException"
   * "SecurityHub.Client.exceptions.InvalidInputException"
   * "SecurityHub.Client.exceptions.LimitExceededException"
   * "SecurityHub.Client.exceptions.ResourceNotFoundException"
   * "SecurityHub.Client.exceptions.InvalidAccessException"

create_members
**************

SecurityHub.Client.create_members(**kwargs)

   Creates a member association in Security Hub between the specified accounts and the account used to make the request, which is the administrator account. If you are integrated with Organizations, then the administrator account is designated by the organization management account.

   "CreateMembers" is always used to add accounts that are not organization members.

   For accounts that are managed using Organizations, "CreateMembers" is only used in the following cases:

   * Security Hub is not configured to automatically add new organization accounts.
   * The account was disassociated or deleted in Security Hub.

   This action can only be used by an account that has Security Hub enabled. To enable Security Hub, you can use the "EnableSecurityHub" operation.

   For accounts that are not organization members, you create the account association and then send an invitation to the member account. To send the invitation, you use the "InviteMembers" operation. If the account owner accepts the invitation, the account becomes a member account in Security Hub.

   Accounts that are managed using Organizations don't receive an invitation. They automatically become a member account in Security Hub.

   * If the organization account does not have Security Hub enabled, then Security Hub and the default standards are automatically enabled. Note that Security Hub cannot be enabled automatically for the organization management account. The organization management account must enable Security Hub before the administrator account enables it as a member account.
   * For organization accounts that already have Security Hub enabled, Security Hub does not make any other changes to those accounts. It does not change their enabled standards or controls.

   A permissions policy is added that permits the administrator account to view the findings generated in the member account.

   To remove the association between the administrator and member accounts, use the "DisassociateFromMasterAccount" or "DisassociateMembers" operation.

   See also: AWS API Documentation

   **Request Syntax**

      response = client.create_members(
          AccountDetails=[
              {
                  'AccountId': 'string',
                  'Email': 'string'
              },
          ]
      )

   Parameters:
      **AccountDetails** (*list*) -- **[REQUIRED]** The list of accounts to associate with the Security Hub administrator account. For each account, the list includes the account ID and optionally the email address.

      * *(dict) --* The details of an Amazon Web Services account.

        * **AccountId** *(string) --* **[REQUIRED]** The ID of an Amazon Web Services account.
        * **Email** *(string) --* The email of an Amazon Web Services account.

   Return type:
      dict

   Returns:
      **Response Syntax**

         {
             'UnprocessedAccounts': [
                 {
                     'AccountId': 'string',
                     'ProcessingResult': 'string'
                 },
             ]
         }

      **Response Structure**

      * *(dict) --*

        * **UnprocessedAccounts** *(list) --* The list of Amazon Web Services accounts that were not processed. For each account, the list includes the account ID and the email address.

          * *(dict) --* Details about the account that was not processed.

            * **AccountId** *(string) --* An Amazon Web Services account ID of the account that was not processed.
            * **ProcessingResult** *(string) --* The reason that the account was not processed.

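Both "create_members" and "delete_invitations" return normally even when some accounts were skipped, reporting them only in "UnprocessedAccounts". The wrapper below is an added example (not AWS or boto3 code) that validates the account IDs, sends them in chunks, and separates processed accounts from rejected ones for either call. The helper names, the "chunk_size" default (an assumed batch size, not a limit documented on this page) and the stub client with its rejection reasons are assumptions.

```python
import re

ACCOUNT_ID = re.compile(r"\d{12}")


def normalize_account_ids(raw_ids):
    """Validate and de-duplicate account IDs, preserving order.

    IDs must be 12-digit strings; an int loses any leading zeros, so ints are rejected.
    """
    seen, ordered = set(), []
    for raw in raw_ids:
        if not isinstance(raw, str) or not ACCOUNT_ID.fullmatch(raw):
            raise ValueError(f"not a 12-digit account ID string: {raw!r}")
        if raw not in seen:
            seen.add(raw)
            ordered.append(raw)
    return ordered


def split_unprocessed(requested_ids, response):
    """Return (processed_ids, {account_id: ProcessingResult}) for one response."""
    failed = {item["AccountId"]: item.get("ProcessingResult", "")
              for item in response.get("UnprocessedAccounts", [])}
    return [a for a in requested_ids if a not in failed], failed


def run_in_chunks(account_ids, call, chunk_size):
    """Invoke call(chunk) for each chunk and merge the per-chunk results."""
    processed, unprocessed = [], {}
    for start in range(0, len(account_ids), chunk_size):
        chunk = account_ids[start:start + chunk_size]
        ok, failed = split_unprocessed(chunk, call(chunk))
        processed.extend(ok)
        unprocessed.update(failed)
    return processed, unprocessed


def create_members_checked(client, account_details, chunk_size=50):
    """create_members with ID validation; chunk_size is an assumed batch size."""
    ids = normalize_account_ids([d["AccountId"] for d in account_details])
    email_by_id = {}
    for detail in account_details:
        if detail.get("Email"):
            email_by_id.setdefault(detail["AccountId"], detail["Email"])

    def call(chunk):
        details = [{"AccountId": a, **({"Email": email_by_id[a]} if a in email_by_id else {})}
                   for a in chunk]
        return client.create_members(AccountDetails=details)

    return run_in_chunks(ids, call, chunk_size)


def delete_invitations_checked(client, account_ids, chunk_size=50):
    """delete_invitations with the same validation and result handling."""
    ids = normalize_account_ids(account_ids)
    return run_in_chunks(ids, lambda chunk: client.delete_invitations(AccountIds=chunk),
                         chunk_size)


class StubClient:
    """Offline stand-in for boto3.client('securityhub'); rejects the IDs in `reject`."""

    def __init__(self, reject):
        self.reject = reject  # {account_id: constructed ProcessingResult}
        self.calls = []

    def respond(self, ids):
        return {"UnprocessedAccounts": [
            {"AccountId": a, "ProcessingResult": self.reject[a]}
            for a in ids if a in self.reject]}

    def create_members(self, AccountDetails):
        self.calls.append(("create_members", AccountDetails))
        return self.respond([d["AccountId"] for d in AccountDetails])

    def delete_invitations(self, AccountIds):
        self.calls.append(("delete_invitations", list(AccountIds)))
        return self.respond(AccountIds)


if __name__ == "__main__":
    stub = StubClient({"000000000002": "constructed reason"})
    print(create_members_checked(stub, [{"AccountId": "000000000001"},
                                        {"AccountId": "000000000002"}]))
```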
   **Exceptions**

   * "SecurityHub.Client.exceptions.InternalException"
   * "SecurityHub.Client.exceptions.InvalidInputException"
   * "SecurityHub.Client.exceptions.LimitExceededException"
   * "SecurityHub.Client.exceptions.InvalidAccessException"
   * "SecurityHub.Client.exceptions.ResourceConflictException"
   * "SecurityHub.Client.exceptions.AccessDeniedException"

update_finding_aggregator
*************************

SecurityHub.Client.update_finding_aggregator(**kwargs)

   Note:
     The *aggregation Region* is now called the *home Region*.

   Updates cross-Region aggregation settings. You can use this operation to update the Region linking mode and the list of included or excluded Amazon Web Services Regions. However, you can't use this operation to change the home Region.

   You can invoke this operation from the current home Region only.

   See also: AWS API Documentation

   **Request Syntax**

      response = client.update_finding_aggregator(
          FindingAggregatorArn='string',
          RegionLinkingMode='string',
          Regions=[
              'string',
          ]
      )

   Parameters:
      * **FindingAggregatorArn** (*string*) -- **[REQUIRED]** The ARN of the finding aggregator. To obtain the ARN, use "ListFindingAggregators".

      * **RegionLinkingMode** (*string*) -- **[REQUIRED]** Indicates whether to aggregate findings from all of the available Regions in the current partition. Also determines whether to automatically aggregate findings from new Regions as Security Hub supports them and you opt into them.

        The selected option also determines how to use the Regions provided in the Regions list.

        The options are as follows:

        * "ALL_REGIONS" - Aggregates findings from all of the Regions where Security Hub is enabled. When you choose this option, Security Hub also automatically aggregates findings from new Regions as Security Hub supports them and you opt into them.
        * "ALL_REGIONS_EXCEPT_SPECIFIED" - Aggregates findings from all of the Regions where Security Hub is enabled, except for the Regions listed in the "Regions" parameter. When you choose this option, Security Hub also automatically aggregates findings from new Regions as Security Hub supports them and you opt into them.
        * "SPECIFIED_REGIONS" - Aggregates findings only from the Regions listed in the "Regions" parameter. Security Hub does not automatically aggregate findings from new Regions.
        * "NO_REGIONS" - Aggregates no data because no Regions are selected as linked Regions.

      * **Regions** (*list*) -- If "RegionLinkingMode" is "ALL_REGIONS_EXCEPT_SPECIFIED", then this is a space-separated list of Regions that don't replicate and send findings to the home Region.

        If "RegionLinkingMode" is "SPECIFIED_REGIONS", then this is a space-separated list of Regions that do replicate and send findings to the home Region.

        An "InvalidInputException" error results if you populate this field while "RegionLinkingMode" is "NO_REGIONS".

        * *(string) --*

   Return type:
      dict

   Returns:
      **Response Syntax**

         {
             'FindingAggregatorArn': 'string',
             'FindingAggregationRegion': 'string',
             'RegionLinkingMode': 'string',
             'Regions': [
                 'string',
             ]
         }

      **Response Structure**

      * *(dict) --*

        * **FindingAggregatorArn** *(string) --* The ARN of the finding aggregator.
        * **FindingAggregationRegion** *(string) --* The home Region. Findings generated in linked Regions are replicated and sent to the home Region.
        * **RegionLinkingMode** *(string) --* Indicates whether to link all Regions, all Regions except for a list of excluded Regions, or a list of included Regions.
        * **Regions** *(list) --* The list of excluded Regions or included Regions.

          * *(string) --*

   **Exceptions**

   * "SecurityHub.Client.exceptions.InternalException"
   * "SecurityHub.Client.exceptions.LimitExceededException"
   * "SecurityHub.Client.exceptions.InvalidAccessException"
   * "SecurityHub.Client.exceptions.AccessDeniedException"
   * "SecurityHub.Client.exceptions.InvalidInputException"
   * "SecurityHub.Client.exceptions.ResourceNotFoundException"

delete_connector_v2
*******************

SecurityHub.Client.delete_connector_v2(**kwargs)

   Grants permission to delete a connectorV2. This API is in preview release and subject to change.

   See also: AWS API Documentation

   **Request Syntax**

      response = client.delete_connector_v2(
          ConnectorId='string'
      )

   Parameters:
      **ConnectorId** (*string*) -- **[REQUIRED]** The UUID that identifies the connectorV2 resource.

   Return type:
      dict

   Returns:
      **Response Syntax**

         {}

      **Response Structure**

      * *(dict) --*

   **Exceptions**

   * "SecurityHub.Client.exceptions.AccessDeniedException"
   * "SecurityHub.Client.exceptions.InternalServerException"
   * "SecurityHub.Client.exceptions.ValidationException"
   * "SecurityHub.Client.exceptions.ThrottlingException"
   * "SecurityHub.Client.exceptions.ConflictException"
   * "SecurityHub.Client.exceptions.ResourceNotFoundException"

batch_get_security_controls
***************************

SecurityHub.Client.batch_get_security_controls(**kwargs)

   Provides details about a batch of security controls for the current Amazon Web Services account and Amazon Web Services Region.

   See also: AWS API Documentation

   **Request Syntax**

      response = client.batch_get_security_controls(
          SecurityControlIds=[
              'string',
          ]
      )

   Parameters:
      **SecurityControlIds** (*list*) -- **[REQUIRED]** A list of security controls (identified with "SecurityControlId", "SecurityControlArn", or a mix of both parameters). The security control ID or Amazon Resource Name (ARN) is the same across standards.

      * *(string) --*

   Return type:
      dict

   Returns:
      **Response Syntax**

         {
             'SecurityControls': [
                 {
                     'SecurityControlId': 'string',
                     'SecurityControlArn': 'string',
                     'Title': 'string',
                     'Description': 'string',
                     'RemediationUrl': 'string',
                     'SeverityRating': 'LOW'|'MEDIUM'|'HIGH'|'CRITICAL',
                     'SecurityControlStatus': 'ENABLED'|'DISABLED',
                     'UpdateStatus': 'READY'|'UPDATING',
                     'Parameters': {
                         'string': {
                             'ValueType': 'DEFAULT'|'CUSTOM',
                             'Value': {
                                 'Integer': 123,
                                 'IntegerList': [
                                     123,
                                 ],
                                 'Double': 123.0,
                                 'String': 'string',
                                 'StringList': [
                                     'string',
                                 ],
                                 'Boolean': True|False,
                                 'Enum': 'string',
                                 'EnumList': [
                                     'string',
                                 ]
                             }
                         }
                     },
                     'LastUpdateReason': 'string'
                 },
             ],
             'UnprocessedIds': [
                 {
                     'SecurityControlId': 'string',
                     'ErrorCode': 'INVALID_INPUT'|'ACCESS_DENIED'|'NOT_FOUND'|'LIMIT_EXCEEDED',
                     'ErrorReason': 'string'
                 },
             ]
         }

      **Response Structure**

      * *(dict) --*

        * **SecurityControls** *(list) --* An array that returns the identifier, Amazon Resource Name (ARN), and other details about a security control. The same information is returned whether the request includes "SecurityControlId" or "SecurityControlArn".

          * *(dict) --* A security control in Security Hub describes a security best practice related to a specific resource.

            * **SecurityControlId** *(string) --* The unique identifier of a security control across standards. Values for this field typically consist of an Amazon Web Services service name and a number, such as APIGateway.3.
            * **SecurityControlArn** *(string) --* The Amazon Resource Name (ARN) for a security control across standards, such as "arn:aws:securityhub:eu-central-1:123456789012:security-control/S3.1". This parameter doesn't mention a specific standard.
            * **Title** *(string) --* The title of a security control.
            * **Description** *(string) --* The description of a security control across standards. This typically summarizes how Security Hub evaluates the control and the conditions under which it produces a failed finding. This parameter doesn't reference a specific standard.
            * **RemediationUrl** *(string) --* A link to Security Hub documentation that explains how to remediate a failed finding for a security control.
            * **SeverityRating** *(string) --* The severity of a security control. For more information about how Security Hub determines control severity, see Assigning severity to control findings in the *Security Hub User Guide*.
            * **SecurityControlStatus** *(string) --* The enablement status of a security control in a specific standard.
            * **UpdateStatus** *(string) --* Identifies whether customizable properties of a security control are reflected in Security Hub findings. A status of "READY" indicates that Security Hub uses the current control parameter values when running security checks of the control. A status of "UPDATING" indicates that all security checks might not use the current parameter values.
            * **Parameters** *(dict) --* An object that identifies the name of a control parameter, its current value, and whether it has been customized.

              * *(string) --*

                * *(dict) --* An object that provides the current value of a security control parameter and identifies whether it has been customized.

                  * **ValueType** *(string) --* Identifies whether a control parameter uses a custom user-defined value or subscribes to the default Security Hub behavior.

                    When "ValueType" is set equal to "DEFAULT", the default behavior can be a specific Security Hub default value, or the default behavior can be to ignore a specific parameter. When "ValueType" is set equal to "DEFAULT", Security Hub ignores user-provided input for the "Value" field.

                    When "ValueType" is set equal to "CUSTOM", the "Value" field can't be empty.

                  * **Value** *(dict) --* The current value of a control parameter.

                    Note:
                      This is a Tagged Union structure. Only one of the following top level keys will be set: "Integer", "IntegerList", "Double", "String", "StringList", "Boolean", "Enum", "EnumList". If a client receives an unknown member it will set "SDK_UNKNOWN_MEMBER" as the top level key, which maps to the name or tag of the unknown member. The structure of "SDK_UNKNOWN_MEMBER" is as follows:

                         'SDK_UNKNOWN_MEMBER': {'name': 'UnknownMemberName'}

                    * **Integer** *(integer) --* A control parameter that is an integer.
                    * **IntegerList** *(list) --* A control parameter that is a list of integers.

                      * *(integer) --*

                    * **Double** *(float) --* A control parameter that is a double.
                    * **String** *(string) --* A control parameter that is a string.
                    * **StringList** *(list) --* A control parameter that is a list of strings.

                      * *(string) --*

                    * **Boolean** *(boolean) --* A control parameter that is a boolean.
                    * **Enum** *(string) --* A control parameter that is an enum.
                    * **EnumList** *(list) --* A control parameter that is a list of enums.

                      * *(string) --*

            * **LastUpdateReason** *(string) --* The most recent reason for updating the customizable properties of a security control. This differs from the "UpdateReason" field of the BatchUpdateStandardsControlAssociations API, which tracks the reason for updating the enablement status of a control. This field accepts alphanumeric characters in addition to white spaces, dashes, and underscores.

        * **UnprocessedIds** *(list) --* A security control (identified with "SecurityControlId", "SecurityControlArn", or a mix of both parameters) for which details cannot be returned.

          * *(dict) --* Provides details about a security control for which a response couldn't be returned.

            * **SecurityControlId** *(string) --* The control (identified with "SecurityControlId", "SecurityControlArn", or a mix of both parameters) for which a response couldn't be returned.
            * **ErrorCode** *(string) --* The error code for the unprocessed security control.
            * **ErrorReason** *(string) --* The reason why the security control was unprocessed.

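An audit pass over a "batch_get_security_controls" response, as an added example that is not AWS or boto3 code: it decodes the tagged-union "Value" (including "SDK_UNKNOWN_MEMBER"), then reports disabled controls by severity, parameters whose "ValueType" is "CUSTOM", controls still "UPDATING", and "UnprocessedIds" grouped by error code. The function names and the sample response (control "Example.1", "Example.404", parameter names, severities and statuses) are constructed for illustration.

```python
UNION_KEYS = ("Integer", "IntegerList", "Double", "String",
              "StringList", "Boolean", "Enum", "EnumList")
SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}


def parameter_value(param):
    """Return (customized, kind, value) for one entry of a control's Parameters map."""
    customized = param.get("ValueType") == "CUSTOM"
    value = param.get("Value") or {}
    if "SDK_UNKNOWN_MEMBER" in value:
        # The SDK met a union member it does not know; keep its name, not a value.
        return customized, "UNKNOWN:" + value["SDK_UNKNOWN_MEMBER"]["name"], None
    present = [k for k in UNION_KEYS if k in value]
    if len(present) > 1:
        raise ValueError(f"tagged union with several members set: {present}")
    if not present:
        if customized:
            raise ValueError("CUSTOM parameter without a Value")
        return False, None, None
    return customized, present[0], value[present[0]]


def audit_controls(response):
    """Summarize the parts of the response a reviewer should look at first."""
    report = {"disabled": [], "updating": [], "customized": {}, "unprocessed": {}}
    for control in response.get("SecurityControls", []):
        cid = control["SecurityControlId"]
        if control.get("SecurityControlStatus") == "DISABLED":
            report["disabled"].append((cid, control.get("SeverityRating")))
        if control.get("UpdateStatus") == "UPDATING":
            # Checks might not yet use the current parameter values.
            report["updating"].append(cid)
        for name, param in (control.get("Parameters") or {}).items():
            customized, kind, value = parameter_value(param)
            if customized:
                report["customized"].setdefault(cid, {})[name] = (kind, value)
    # Most severe disabled controls first; unknown ratings sort last.
    report["disabled"].sort(key=lambda item: SEVERITY_RANK.get(item[1], len(SEVERITY_RANK)))
    for item in response.get("UnprocessedIds", []):
        report["unprocessed"].setdefault(item["ErrorCode"], []).append(item["SecurityControlId"])
    return report


# Constructed sample response; every value below is made up for the example.
SAMPLE_RESPONSE = {
    "SecurityControls": [
        {"SecurityControlId": "APIGateway.3", "SeverityRating": "LOW",
         "SecurityControlStatus": "ENABLED", "UpdateStatus": "READY", "Parameters": {}},
        {"SecurityControlId": "S3.1", "SeverityRating": "MEDIUM",
         "SecurityControlStatus": "DISABLED", "UpdateStatus": "READY", "Parameters": {}},
        {"SecurityControlId": "Example.1", "SeverityRating": "HIGH",
         "SecurityControlStatus": "DISABLED", "UpdateStatus": "UPDATING",
         "LastUpdateReason": "constructed reason",
         "Parameters": {
             "exampleMaxAgeDays": {"ValueType": "CUSTOM", "Value": {"Integer": 365}},
             "exampleMode": {"ValueType": "DEFAULT", "Value": {"Enum": "STRICT"}},
             "exampleFuture": {"ValueType": "CUSTOM",
                               "Value": {"SDK_UNKNOWN_MEMBER": {"name": "Timestamp"}}},
         }},
    ],
    "UnprocessedIds": [
        {"SecurityControlId": "Example.404", "ErrorCode": "NOT_FOUND",
         "ErrorReason": "constructed"},
    ],
}

if __name__ == "__main__":
    for section, content in audit_controls(SAMPLE_RESPONSE).items():
        print(section, content)
```

An "UNKNOWN:..." kind in the report means the installed SDK predates a new union member, so the parameter's value cannot be reviewed until the SDK is updated.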
   **Exceptions**

   * "SecurityHub.Client.exceptions.InternalException"
   * "SecurityHub.Client.exceptions.LimitExceededException"
   * "SecurityHub.Client.exceptions.InvalidAccessException"
   * "SecurityHub.Client.exceptions.InvalidInputException"

describe_organization_configuration
***********************************

SecurityHub.Client.describe_organization_configuration()

   Returns information about the way your organization is configured in Security Hub. Only the Security Hub administrator account can invoke this operation.

   See also: AWS API Documentation

   **Request Syntax**

      response = client.describe_organization_configuration()

   Return type:
      dict

   Returns:
      **Response Syntax**

         {
             'AutoEnable': True|False,
             'MemberAccountLimitReached': True|False,
             'AutoEnableStandards': 'NONE'|'DEFAULT',
             'OrganizationConfiguration': {
                 'ConfigurationType': 'CENTRAL'|'LOCAL',
                 'Status': 'PENDING'|'ENABLED'|'FAILED',
                 'StatusMessage': 'string'
             }
         }

      **Response Structure**

      * *(dict) --*

        * **AutoEnable** *(boolean) --* Whether to automatically enable Security Hub in new member accounts when they join the organization.

          If set to "true", then Security Hub is automatically enabled in new accounts. If set to "false", then Security Hub isn't enabled in new accounts automatically. The default value is "false".

          If the "ConfigurationType" of your organization is set to "CENTRAL", then this field is set to "false" and can't be changed in the home Region and linked Regions. However, in that case, the delegated administrator can create a configuration policy in which Security Hub is enabled and associate the policy with new organization accounts.

        * **MemberAccountLimitReached** *(boolean) --* Whether the maximum number of allowed member accounts are already associated with the Security Hub administrator account.

        * **AutoEnableStandards** *(string) --* Whether to automatically enable Security Hub default standards in new member accounts when they join the organization.

          If equal to "DEFAULT", then Security Hub default standards are automatically enabled for new member accounts. If equal to "NONE", then default standards are not automatically enabled for new member accounts. The default value of this parameter is equal to "DEFAULT".

          If the "ConfigurationType" of your organization is set to "CENTRAL", then this field is set to "NONE" and can't be changed in the home Region and linked Regions. However, in that case, the delegated administrator can create a configuration policy in which specific security standards are enabled and associate the policy with new organization accounts.

        * **OrganizationConfiguration** *(dict) --* Provides information about the way an organization is configured in Security Hub.

          * **ConfigurationType** *(string) --* Indicates whether the organization uses local or central configuration.

            If you use local configuration, the Security Hub delegated administrator can set "AutoEnable" to "true" and "AutoEnableStandards" to "DEFAULT". This automatically enables Security Hub and default security standards in new organization accounts. These new account settings must be set separately in each Amazon Web Services Region, and settings may be different in each Region.

            If you use central configuration, the delegated administrator can create configuration policies. Configuration policies can be used to configure Security Hub, security standards, and security controls in multiple accounts and Regions. If you want new organization accounts to use a specific configuration, you can create a configuration policy and associate it with the root or specific organizational units (OUs). New accounts will inherit the policy from the root or their assigned OU.

* **Status** *(string) --* Describes whether central configuration could be enabled as the "ConfigurationType" for the organization. If your "ConfigurationType" is local configuration, then the value of "Status" is always "ENABLED". * **StatusMessage** *(string) --* Provides an explanation if the value of "Status" is equal to "FAILED" when "ConfigurationType" is equal to "CENTRAL". **Exceptions** * "SecurityHub.Client.exceptions.InternalException" * "SecurityHub.Client.exceptions.InvalidInputException" * "SecurityHub.Client.exceptions.InvalidAccessException" * "SecurityHub.Client.exceptions.LimitExceededException" SecurityHub / Client / batch_update_automation_rules batch_update_automation_rules ***************************** SecurityHub.Client.batch_update_automation_rules(**kwargs) Updates one or more automation rules based on rule Amazon Resource Names (ARNs) and input parameters. See also: AWS API Documentation **Request Syntax** response = client.batch_update_automation_rules( UpdateAutomationRulesRequestItems=[ { 'RuleArn': 'string', 'RuleStatus': 'ENABLED'|'DISABLED', 'RuleOrder': 123, 'Description': 'string', 'RuleName': 'string', 'IsTerminal': True|False, 'Criteria': { 'ProductArn': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'AwsAccountId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'Id': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'GeneratorId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'Type': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'FirstObservedAt': [ { 'Start': 'string', 'End': 'string', 
'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'LastObservedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'CreatedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'UpdatedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'Confidence': [ { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 }, ], 'Criticality': [ { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 }, ], 'Title': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'Description': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'SourceUrl': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ProductName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'CompanyName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'SeverityLabel': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceType': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourcePartition': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceRegion': [ { 'Value': 'string', 'Comparison': 
'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceTags': [ { 'Key': 'string', 'Value': 'string', 'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS' }, ], 'ResourceDetailsOther': [ { 'Key': 'string', 'Value': 'string', 'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS' }, ], 'ComplianceStatus': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ComplianceSecurityControlId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ComplianceAssociatedStandardsId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'VerificationState': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'WorkflowStatus': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'RecordState': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'RelatedFindingsProductArn': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'RelatedFindingsId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'NoteText': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'NoteUpdatedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'NoteUpdatedBy': [ { 'Value': 'string', 'Comparison': 
'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'UserDefinedFields': [ { 'Key': 'string', 'Value': 'string', 'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS' }, ], 'ResourceApplicationArn': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceApplicationName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'AwsAccountName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ] }, 'Actions': [ { 'Type': 'FINDING_FIELDS_UPDATE', 'FindingFieldsUpdate': { 'Note': { 'Text': 'string', 'UpdatedBy': 'string' }, 'Severity': { 'Normalized': 123, 'Product': 123.0, 'Label': 'INFORMATIONAL'|'LOW'|'MEDIUM'|'HIGH'|'CRITICAL' }, 'VerificationState': 'UNKNOWN'|'TRUE_POSITIVE'|'FALSE_POSITIVE'|'BENIGN_POSITIVE', 'Confidence': 123, 'Criticality': 123, 'Types': [ 'string', ], 'UserDefinedFields': { 'string': 'string' }, 'Workflow': { 'Status': 'NEW'|'NOTIFIED'|'RESOLVED'|'SUPPRESSED' }, 'RelatedFindings': [ { 'ProductArn': 'string', 'Id': 'string' }, ] } }, ] }, ] ) Parameters: **UpdateAutomationRulesRequestItems** (*list*) -- **[REQUIRED]** An array of ARNs for the rules that are to be updated. Optionally, you can also include "RuleStatus" and "RuleOrder". * *(dict) --* Specifies the parameters to update in an existing automation rule. * **RuleArn** *(string) --* **[REQUIRED]** The Amazon Resource Name (ARN) for the rule. * **RuleStatus** *(string) --* Whether the rule is active after it is created. If this parameter is equal to "ENABLED", Security Hub starts applying the rule to findings and finding updates after the rule is created. To change the value of this parameter after creating a rule, use BatchUpdateAutomationRules. 
* **RuleOrder** *(integer) --* An integer ranging from 1 to 1000 that represents the order in which the rule action is applied to findings. Security Hub applies rules with lower values for this parameter first. * **Description** *(string) --* A description of the rule. * **RuleName** *(string) --* The name of the rule. * **IsTerminal** *(boolean) --* Specifies whether a rule is the last to be applied with respect to a finding that matches the rule criteria. This is useful when a finding matches the criteria for multiple rules, and each rule has different actions. If a rule is terminal, Security Hub applies the rule action to a finding that matches the rule criteria and doesn't evaluate other rules for the finding. By default, a rule isn't terminal. * **Criteria** *(dict) --* A set of ASFF finding field attributes and corresponding expected values that Security Hub uses to filter findings. If a rule is enabled and a finding matches the conditions specified in this parameter, Security Hub applies the rule action to the finding. * **ProductArn** *(list) --* The Amazon Resource Name (ARN) for a third-party product that generated a finding in Security Hub. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. 
* To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. 
Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". * "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. * **AwsAccountId** *(list) --* The Amazon Web Services account ID in which a finding was generated. Array Members: Minimum number of 1 item. Maximum number of 100 items. * *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. 
To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". 
A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". * "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. * **Id** *(list) --* The product-specific identifier for a finding. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". 
If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". 
For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". * "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. * **GeneratorId** *(list) --* The identifier for the solution-specific component that generated a finding. Array Members: Minimum number of 1 item. 
Maximum number of 100 items. * *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". 
For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". * "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. 
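The combination rules described above for "Comparison", as an added example (not part of this reference or of AWS's own code): a local pre-flight check and matcher for one field's string filters, so that rule criteria can be tested against sample values before they are sent with "batch_update_automation_rules". The helper names, the sample filters and the placeholder rule ARN are constructed for illustration, and the matcher is a model of the documented behaviour, not Security Hub's implementation.

```python
"""Pre-flight check for one field's string filters in an automation rule's Criteria.

Models the combination rules documented for "Comparison"; it is an
illustration, not Security Hub's own implementation.
"""

POSITIVE = {"EQUALS", "PREFIX", "CONTAINS"}                      # joined by OR
NEGATIVE = {"NOT_EQUALS", "PREFIX_NOT_EQUALS", "NOT_CONTAINS"}   # joined by AND

# Array-member maxima listed in this reference for some Criteria fields.
MAX_ITEMS = {"ProductArn": 20, "AwsAccountId": 100, "Id": 20,
             "GeneratorId": 100, "Type": 20, "Title": 100, "Description": 20}


def validate_string_filters(field, filters):
    """Return a list of problems for one field's filters; an empty list means OK."""
    if not filters:
        return [f"{field}: at least 1 filter is required"]
    problems = []
    limit = MAX_ITEMS.get(field)
    if limit is not None and len(filters) > limit:
        problems.append(f"{field}: {len(filters)} filters, maximum is {limit}")
    ops = {f.get("Comparison") for f in filters}
    if "CONTAINS_WORD" in ops:
        problems.append(f"{field}: CONTAINS_WORD is only supported by the V2 Get* APIs")
    for op in sorted(ops - POSITIVE - NEGATIVE - {"CONTAINS_WORD"}, key=str):
        problems.append(f"{field}: unknown Comparison {op!r}")
    for exclusive in ("CONTAINS", "NOT_CONTAINS"):
        if exclusive in ops and len(ops) > 1:
            problems.append(f"{field}: {exclusive} can only be combined "
                            f"with other {exclusive} filters")
    if "EQUALS" in ops and ops & {"NOT_EQUALS", "PREFIX_NOT_EQUALS"}:
        problems.append(f"{field}: EQUALS cannot be combined with "
                        "NOT_EQUALS or PREFIX_NOT_EQUALS")
    return problems


def _hit(op, needle, value):
    """Evaluate one filter against one value; comparisons are case sensitive."""
    if op in ("EQUALS", "NOT_EQUALS"):
        base = value == needle
    elif op in ("PREFIX", "PREFIX_NOT_EQUALS"):
        base = value.startswith(needle)
    else:  # CONTAINS / NOT_CONTAINS
        base = needle in value
    return base if op in POSITIVE else not base


def matches(filters, value):
    """True if `value` passes one field's filters.

    Positive filters select first (any one may match), then every
    negative filter must also hold, mirroring "PREFIX first, then NOT_EQUALS".
    """
    positive = [f for f in filters if f["Comparison"] in POSITIVE]
    negative = [f for f in filters if f["Comparison"] in NEGATIVE]
    included = not positive or any(
        _hit(f["Comparison"], f["Value"], value) for f in positive)
    return included and all(
        _hit(f["Comparison"], f["Value"], value) for f in negative)


def build_update_item(rule_arn, criteria):
    """Validate every plain string-filter field, then return one request item."""
    problems = []
    for field, filters in criteria.items():
        # Map filters carry "Key"; date and number filters have no "Comparison".
        if all("Comparison" in f and "Key" not in f for f in filters):
            problems += validate_string_filters(field, filters)
    if problems:
        raise ValueError("; ".join(problems))
    return {"RuleArn": rule_arn, "Criteria": criteria}


# Constructed sample: the ResourceType filters from the example in the text.
RESOURCE_TYPE_FILTERS = [
    {"Value": "AwsIam", "Comparison": "PREFIX"},
    {"Value": "AwsEc2", "Comparison": "PREFIX"},
    {"Value": "AwsIamPolicy", "Comparison": "NOT_EQUALS"},
    {"Value": "AwsEc2NetworkInterface", "Comparison": "NOT_EQUALS"},
]
# Constructed placeholder ARN, not a real rule.
PLACEHOLDER_RULE_ARN = "arn:aws:securityhub:us-east-1:123456789012:automation-rule/EXAMPLE"

if __name__ == "__main__":
    item = build_update_item(PLACEHOLDER_RULE_ARN,
                             {"ResourceType": RESOURCE_TYPE_FILTERS})
    for value in ("AwsIamRole", "AwsIamPolicy", "AwsEc2Instance", "AwsS3Bucket"):
        print(value, matches(RESOURCE_TYPE_FILTERS, value))
    # The validated item would then be sent with:
    # client.batch_update_automation_rules(UpdateAutomationRulesRequestItems=[item])
```

Running sample finding values through "matches" before updating a rule shows whether the criteria select more findings than intended, which matters most for rules whose action suppresses or resolves findings.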
For more information, see Automation rules in the *Security Hub User Guide*. * **Type** *(list) --* One or more finding types in the format of namespace/category/classifier that classify a finding. For a list of namespaces, classifiers, and categories, see Types taxonomy for ASFF in the *Security Hub User Guide*. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. 
To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". 
* "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. * **FirstObservedAt** *(list) --* A timestamp that indicates when the potential security issue captured by a finding was first observed by the security findings product. For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A date filter for querying findings. * **Start** *(string) --* A timestamp that provides the start date for the date filter. For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps. * **End** *(string) --* A timestamp that provides the end date for the date filter. For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps. * **DateRange** *(dict) --* A date range for the date filter. * **Value** *(integer) --* A date range value for the date filter. * **Unit** *(string) --* A date range unit for the date filter. * **LastObservedAt** *(list) --* A timestamp that indicates when the security findings provider most recently observed a change in the resource that is involved in the finding. For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A date filter for querying findings. * **Start** *(string) --* A timestamp that provides the start date for the date filter. 
For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps. * **End** *(string) --* A timestamp that provides the end date for the date filter. For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps. * **DateRange** *(dict) --* A date range for the date filter. * **Value** *(integer) --* A date range value for the date filter. * **Unit** *(string) --* A date range unit for the date filter. * **CreatedAt** *(list) --* A timestamp that indicates when this finding record was created. For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A date filter for querying findings. * **Start** *(string) --* A timestamp that provides the start date for the date filter. For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps. * **End** *(string) --* A timestamp that provides the end date for the date filter. For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps. * **DateRange** *(dict) --* A date range for the date filter. * **Value** *(integer) --* A date range value for the date filter. * **Unit** *(string) --* A date range unit for the date filter. * **UpdatedAt** *(list) --* A timestamp that indicates when the finding record was most recently updated. For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A date filter for querying findings. * **Start** *(string) --* A timestamp that provides the start date for the date filter. For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps. 
* **End** *(string) --* A timestamp that provides the end date for the date filter. For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps. * **DateRange** *(dict) --* A date range for the date filter. * **Value** *(integer) --* A date range value for the date filter. * **Unit** *(string) --* A date range unit for the date filter. * **Confidence** *(list) --* The likelihood that a finding accurately identifies the behavior or issue that it was intended to identify. "Confidence" is scored on a 0–100 basis using a ratio scale. A value of "0" means 0 percent confidence, and a value of "100" means 100 percent confidence. For example, a data exfiltration detection based on a statistical deviation of network traffic has low confidence because an actual exfiltration hasn't been verified. For more information, see Confidence in the *Security Hub User Guide*. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A number filter for querying findings. * **Gte** *(float) --* The greater-than-equal condition to be applied to a single field when querying for findings. * **Lte** *(float) --* The less-than-equal condition to be applied to a single field when querying for findings. * **Eq** *(float) --* The equal-to condition to be applied to a single field when querying for findings. * **Gt** *(float) --* The greater-than condition to be applied to a single field when querying for findings. * **Lt** *(float) --* The less-than condition to be applied to a single field when querying for findings. * **Criticality** *(list) --* The level of importance that is assigned to the resources that are associated with a finding. "Criticality" is scored on a 0–100 basis, using a ratio scale that supports only full integers. A score of "0" means that the underlying resources have no criticality, and a score of "100" is reserved for the most critical resources. 
For more information, see Criticality in the *Security Hub User Guide*. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A number filter for querying findings. * **Gte** *(float) --* The greater-than-equal condition to be applied to a single field when querying for findings. * **Lte** *(float) --* The less-than-equal condition to be applied to a single field when querying for findings. * **Eq** *(float) --* The equal-to condition to be applied to a single field when querying for findings. * **Gt** *(float) --* The greater-than condition to be applied to a single field when querying for findings. * **Lt** *(float) --* The less-than condition to be applied to a single field when querying for findings. * **Title** *(list) --* A finding's title. Array Members: Minimum number of 1 item. Maximum number of 100 items. * *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". 
A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. 
Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". * "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. * **Description** *(list) --* A finding's description. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX".
For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters.
"NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". * "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. * **SourceUrl** *(list) --* Provides a URL that links to a page about the current finding in the finding product. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS".
For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. 
Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". * "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. * **ProductName** *(list) --* Provides the name of the product that generated the finding. For control-based findings, the product name is Security Hub. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings.
To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". 
A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". * "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. * **CompanyName** *(list) --* The name of the company for the product that generated the finding. For control-based findings, the company is Amazon Web Services. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. 
For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS".
For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". * "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. * **SeverityLabel** *(list) --* The severity value of the finding. Array Members: Minimum number of 1 item. Maximum number of 20 items. 
* *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS".
For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". * "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. 
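The combination rules above can be checked locally before a criteria dict is sent to Security Hub. The following Python sketch is an added example, not code from boto3 or AWS: it models the documented string-filter semantics (positive filters joined by OR, negative filters joined by AND, "PREFIX" processed before the exclusions, case-sensitive values) and the list-size limits stated on this page. The function names, the `MAX_ITEMS` table and the sample values are hypothetical and constructed for illustration.

```python
"""Local model of the string-filter rules described above (added example)."""

POSITIVE = {"EQUALS", "PREFIX", "CONTAINS"}                      # joined by OR
NEGATIVE = {"NOT_EQUALS", "PREFIX_NOT_EQUALS", "NOT_CONTAINS"}   # joined by AND

# Maximum list lengths as stated on this page for each criteria field.
MAX_ITEMS = {
    "Title": 100, "ResourceId": 100, "Description": 20, "SourceUrl": 20,
    "ProductName": 20, "CompanyName": 20, "SeverityLabel": 20,
    "ResourceType": 20, "ResourcePartition": 20, "ResourceRegion": 20,
}

# Case-sensitive comparisons: v is the finding's value, f is the filter value.
TESTS = {
    "EQUALS": lambda v, f: v == f,
    "PREFIX": lambda v, f: v.startswith(f),
    "CONTAINS": lambda v, f: f in v,
    "NOT_EQUALS": lambda v, f: v != f,
    "PREFIX_NOT_EQUALS": lambda v, f: not v.startswith(f),
    "NOT_CONTAINS": lambda v, f: f not in v,
}


def validate_field(field, filters):
    """Return a list of rule violations for one field's filter list."""
    problems = []
    limit = MAX_ITEMS.get(field)
    if not filters:
        problems.append(f"{field}: at least 1 filter is required")
    elif limit is not None and len(filters) > limit:
        problems.append(f"{field}: {len(filters)} filters exceeds maximum {limit}")
    ops = {f["Comparison"] for f in filters}
    for op in sorted(ops - POSITIVE - NEGATIVE):
        problems.append(f"{field}: operator {op} is not modelled here")
    if "CONTAINS" in ops and ops != {"CONTAINS"}:
        problems.append(f"{field}: CONTAINS only combines with CONTAINS")
    if "NOT_CONTAINS" in ops and ops != {"NOT_CONTAINS"}:
        problems.append(f"{field}: NOT_CONTAINS only combines with NOT_CONTAINS")
    if "EQUALS" in ops and ops & {"NOT_EQUALS", "PREFIX_NOT_EQUALS"}:
        problems.append(f"{field}: EQUALS cannot be mixed with NOT_EQUALS "
                        "or PREFIX_NOT_EQUALS")
    return problems


def field_matches(value, filters):
    """Evaluate one field value against its filters, as documented above."""
    positives = [f for f in filters if f["Comparison"] in POSITIVE]
    negatives = [f for f in filters if f["Comparison"] in NEGATIVE]
    # Step 1: inclusion. Any one positive filter is enough (OR).
    included = not positives or any(
        TESTS[f["Comparison"]](value, f["Value"]) for f in positives)
    # Step 2: exclusion. Every negative filter must hold (AND).
    return included and all(
        TESTS[f["Comparison"]](value, f["Value"]) for f in negatives)


# The ResourceType example from this page, in the list-of-dicts shape
# that the criteria fields take.
CRITERIA = {
    "ResourceType": [
        {"Value": "AwsIam", "Comparison": "PREFIX"},
        {"Value": "AwsEc2", "Comparison": "PREFIX"},
        {"Value": "AwsIamPolicy", "Comparison": "NOT_EQUALS"},
        {"Value": "AwsEc2NetworkInterface", "Comparison": "NOT_EQUALS"},
    ],
    "ProductName": [{"Value": "Security Hub", "Comparison": "EQUALS"}],
}

# Constructed sample values; the last one differs only in case.
SAMPLE_TYPES = ["AwsIamRole", "AwsIamPolicy", "AwsEc2Instance",
                "AwsEc2NetworkInterface", "AwsS3Bucket", "awsiamrole"]


def selected_types(types=SAMPLE_TYPES):
    """Resource types that the page's ResourceType example would select."""
    return [t for t in types if field_matches(t, CRITERIA["ResourceType"])]


if __name__ == "__main__":
    for name, flt in CRITERIA.items():
        print(name, validate_field(name, flt) or "ok")
    print(selected_types())
```

Running `validate_field` over every field of a rule before deployment catches the mixed-operator combinations that the API rejects, and `field_matches` shows which findings a rule would and would not touch, which is useful when a rule suppresses or re-prioritises findings.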
For more information, see Automation rules in the *Security Hub User Guide*. * **ResourceType** *(list) --* The type of resource that the finding pertains to. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS".
For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". 
* "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. * **ResourceId** *(list) --* The identifier for the given resource type. For Amazon Web Services resources that are identified by Amazon Resource Names (ARNs), this is the ARN. For Amazon Web Services resources that lack ARNs, this is the identifier as defined by the Amazon Web Services service that created the resource. For non-Amazon Web Services resources, this is a unique identifier that is associated with the resource. Array Members: Minimum number of 1 item. Maximum number of 100 items. * *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX".
For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters.
"NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". * "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. * **ResourcePartition** *(list) --* The partition in which the resource that the finding pertains to is located. A partition is a group of Amazon Web Services Regions. Each Amazon Web Services account is scoped to one partition. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS".
For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. 
For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". * "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. * **ResourceRegion** *(list) --* The Amazon Web Services Region where the resource that a finding pertains to is located. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub".
If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". 
For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". * "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. * **ResourceTags** *(list) --* A list of Amazon Web Services tags associated with a resource at the time the finding was processed. 
Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A map filter for filtering Security Hub findings. Each map filter provides the field to check for, the value to check for, and the comparison operator. * **Key** *(string) --* The key of the map filter. For example, for "ResourceTags", "Key" identifies the name of the tag. For "UserDefinedFields", "Key" is the name of the field. * **Value** *(string) --* The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called "Department" might be "Security". If you provide "security" as the filter value, then there's no match. * **Comparison** *(string) --* The condition to apply to the key value when filtering Security Hub findings with a map filter. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, for the "ResourceTags" field, the filter "Department CONTAINS Security" matches findings that include the value "Security" for the "Department" tag. In the same example, a finding with a value of "Security team" for the "Department" tag is a match. * To search for values that exactly match the filter value, use "EQUALS". For example, for the "ResourceTags" field, the filter "Department EQUALS Security" matches findings that have the value "Security" for the "Department" tag. "CONTAINS" and "EQUALS" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Department CONTAINS Security OR Department CONTAINS Finance" match a finding that includes either "Security", "Finance", or both values. To search for values that don't have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". 
For example, for the "ResourceTags" field, the filter "Department NOT_CONTAINS Finance" matches findings that exclude the value "Finance" for the "Department" tag. * To search for values other than the filter value, use "NOT_EQUALS". For example, for the "ResourceTags" field, the filter "Department NOT_EQUALS Finance" matches findings that don’t have the value "Finance" for the "Department" tag. "NOT_CONTAINS" and "NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Department NOT_CONTAINS Security AND Department NOT_CONTAINS Finance" match a finding that excludes both the "Security" and "Finance" values. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can’t have both an "EQUALS" filter and a "NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules. For more information, see Automation rules in the *Security Hub User Guide*. * **ResourceDetailsOther** *(list) --* Custom fields and values about the resource that a finding pertains to. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A map filter for filtering Security Hub findings. Each map filter provides the field to check for, the value to check for, and the comparison operator. * **Key** *(string) --* The key of the map filter. For example, for "ResourceTags", "Key" identifies the name of the tag. For "UserDefinedFields", "Key" is the name of the field. * **Value** *(string) --* The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called "Department" might be "Security". 
If you provide "security" as the filter value, then there's no match. * **Comparison** *(string) --* The condition to apply to the key value when filtering Security Hub findings with a map filter. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, for the "ResourceTags" field, the filter "Department CONTAINS Security" matches findings that include the value "Security" for the "Department" tag. In the same example, a finding with a value of "Security team" for the "Department" tag is a match. * To search for values that exactly match the filter value, use "EQUALS". For example, for the "ResourceTags" field, the filter "Department EQUALS Security" matches findings that have the value "Security" for the "Department" tag. "CONTAINS" and "EQUALS" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Department CONTAINS Security OR Department CONTAINS Finance" match a finding that includes either "Security", "Finance", or both values. To search for values that don't have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, for the "ResourceTags" field, the filter "Department NOT_CONTAINS Finance" matches findings that exclude the value "Finance" for the "Department" tag. * To search for values other than the filter value, use "NOT_EQUALS". For example, for the "ResourceTags" field, the filter "Department NOT_EQUALS Finance" matches findings that don’t have the value "Finance" for the "Department" tag. "NOT_CONTAINS" and "NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. 
For example, the filters "Department NOT_CONTAINS Security AND Department NOT_CONTAINS Finance" match a finding that excludes both the "Security" and "Finance" values. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can’t have both an "EQUALS" filter and a "NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules. For more information, see Automation rules in the *Security Hub User Guide*. * **ComplianceStatus** *(list) --* The result of a security check. This field is only used for findings generated from controls. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us".
A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. 
Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". * "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. * **ComplianceSecurityControlId** *(list) --* The security control ID for which a finding was generated. Security control IDs are the same across standards. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012".
* To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error.
"CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". * "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. * **ComplianceAssociatedStandardsId** *(list) --* The unique identifier of a standard in which a control is enabled. This field consists of the resource portion of the Amazon Resource Name (ARN) returned for a standard in the DescribeStandards API response. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS".
For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. 
For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". * "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. * **VerificationState** *(list) --* Provides the veracity of a finding. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match.
* **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". 
"NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". * "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. * **WorkflowStatus** *(list) --* Provides information about the status of the investigation into a finding. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. 
Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS".
For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". * "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. * **RecordState** *(list) --* Provides the current state of a finding. Array Members: Minimum number of 1 item. Maximum number of 20 items. 
* *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". 
For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". * "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. 
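The combination rules described above for string filters, modelled locally so a filter list can be checked before it is sent. This is an added example, not boto3 or Security Hub code: the names `validate_string_filters`, `matches`, `lint_filters`, `FilterCombinationError` and the `for_automation_rule` flag are hypothetical, and the resource types in the demo loop are constructed sample values.

```python
# Added example: a local model of the string-filter rules in this reference.
# It mirrors only what the text states; the service remains the authority.

POSITIVE = {"EQUALS", "PREFIX", "CONTAINS"}                     # joined by OR
NEGATIVE = {"NOT_EQUALS", "PREFIX_NOT_EQUALS", "NOT_CONTAINS"}  # joined by AND
AUTOMATION_ONLY = {"CONTAINS", "NOT_CONTAINS"}  # automation rules V1 only
MAX_ITEMS = 20                                  # 1 to 20 filters per field

# Comparisons are case sensitive, as the reference states for filter values.
PREDICATES = {
    "EQUALS": lambda value, needle: value == needle,
    "PREFIX": lambda value, needle: value.startswith(needle),
    "CONTAINS": lambda value, needle: needle in value,
    "NOT_EQUALS": lambda value, needle: value != needle,
    "PREFIX_NOT_EQUALS": lambda value, needle: not value.startswith(needle),
    "NOT_CONTAINS": lambda value, needle: needle not in value,
}


class FilterCombinationError(ValueError):
    """A filter list that the reference says is rejected (hypothetical name)."""


def validate_string_filters(filters, for_automation_rule=False):
    """Check one field's filter list against the documented combination rules."""
    if not 1 <= len(filters) <= MAX_ITEMS:
        raise FilterCombinationError("a field takes between 1 and 20 filters")
    ops = set()
    for item in filters:
        op, value = item.get("Comparison"), item.get("Value")
        if op not in PREDICATES:
            raise FilterCombinationError(f"unsupported Comparison: {op!r}")
        if not isinstance(value, str):
            raise FilterCombinationError("Value must be a string")
        ops.add(op)
    if ops & AUTOMATION_ONLY and not for_automation_rule:
        raise FilterCombinationError(
            "CONTAINS and NOT_CONTAINS are for automation rules only")
    for exclusive in AUTOMATION_ONLY:
        # CONTAINS only with CONTAINS, NOT_CONTAINS only with NOT_CONTAINS.
        if exclusive in ops and ops != {exclusive}:
            raise FilterCombinationError(
                f"{exclusive} cannot be mixed with other operators")
    if "EQUALS" in ops and ops & {"NOT_EQUALS", "PREFIX_NOT_EQUALS"}:
        raise FilterCombinationError(
            "EQUALS cannot be combined with NOT_EQUALS or PREFIX_NOT_EQUALS")
    return ops


def matches(value, filters, for_automation_rule=False):
    """Apply inclusion filters first (OR), then exclusion filters (AND)."""
    validate_string_filters(filters, for_automation_rule)
    positive = [f for f in filters if f["Comparison"] in POSITIVE]
    negative = [f for f in filters if f["Comparison"] in NEGATIVE]
    included = not positive or any(
        PREDICATES[f["Comparison"]](value, f["Value"]) for f in positive)
    return included and all(
        PREDICATES[f["Comparison"]](value, f["Value"]) for f in negative)


def lint_filters(filters_by_field, for_automation_rule=False):
    """Return {field: reason} for each field whose list would be rejected."""
    problems = {}
    for field, filters in filters_by_field.items():
        try:
            validate_string_filters(filters, for_automation_rule)
        except FilterCombinationError as exc:
            problems[field] = str(exc)
    return problems


# The ResourceType filter set used as the example in the text above.
RESOURCE_TYPE_FILTERS = [
    {"Value": "AwsIam", "Comparison": "PREFIX"},
    {"Value": "AwsEc2", "Comparison": "PREFIX"},
    {"Value": "AwsIamPolicy", "Comparison": "NOT_EQUALS"},
    {"Value": "AwsEc2NetworkInterface", "Comparison": "NOT_EQUALS"},
]

if __name__ == "__main__":
    # Constructed sample resource types, not output from a real account.
    for resource_type in ("AwsIamRole", "AwsIamPolicy", "AwsS3Bucket"):
        print(resource_type, matches(resource_type, RESOURCE_TYPE_FILTERS))
    print(lint_filters({
        "ResourceType": RESOURCE_TYPE_FILTERS,
        "AwsAccountId": [
            {"Value": "123456789012", "Comparison": "EQUALS"},
            {"Value": "123456789012", "Comparison": "NOT_EQUALS"},
        ],
    }))
```

Running `lint_filters` over a whole filter dictionary before a call surfaces every conflicting field at once instead of one API error at a time.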
For more information, see Automation rules in the *Security Hub User Guide*. * **RelatedFindingsProductArn** *(list) --* The ARN for the product that generated a related finding. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". 
For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". 
* "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. * **RelatedFindingsId** *(list) --* The product-generated identifier for a related finding. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. 
For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. 
For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". * "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. * **NoteText** *(list) --* The text of a user-defined note that's added to a finding. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". 
A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. 
Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". * "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. * **NoteUpdatedAt** *(list) --* The timestamp of when the note was updated. For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A date filter for querying findings. * **Start** *(string) --* A timestamp that provides the start date for the date filter. For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps. * **End** *(string) --* A timestamp that provides the end date for the date filter. For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps. * **DateRange** *(dict) --* A date range for the date filter. * **Value** *(integer) --* A date range value for the date filter. * **Unit** *(string) --* A date range unit for the date filter. * **NoteUpdatedBy** *(list) --* The principal that created a note. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. 
Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". 
For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". * "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. * **UserDefinedFields** *(list) --* A list of user-defined name and value string pairs added to a finding. Array Members: Minimum number of 1 item. 
Maximum number of 20 items. * *(dict) --* A map filter for filtering Security Hub findings. Each map filter provides the field to check for, the value to check for, and the comparison operator. * **Key** *(string) --* The key of the map filter. For example, for "ResourceTags", "Key" identifies the name of the tag. For "UserDefinedFields", "Key" is the name of the field. * **Value** *(string) --* The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called "Department" might be "Security". If you provide "security" as the filter value, then there's no match. * **Comparison** *(string) --* The condition to apply to the key value when filtering Security Hub findings with a map filter. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, for the "ResourceTags" field, the filter "Department CONTAINS Security" matches findings that include the value "Security" for the "Department" tag. In the same example, a finding with a value of "Security team" for the "Department" tag is a match. * To search for values that exactly match the filter value, use "EQUALS". For example, for the "ResourceTags" field, the filter "Department EQUALS Security" matches findings that have the value "Security" for the "Department" tag. "CONTAINS" and "EQUALS" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Department CONTAINS Security OR Department CONTAINS Finance" match a finding that includes either "Security", "Finance", or both values. To search for values that don't have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". 
For example, for the "ResourceTags" field, the filter "Department NOT_CONTAINS Finance" matches findings that exclude the value "Finance" for the "Department" tag. * To search for values other than the filter value, use "NOT_EQUALS". For example, for the "ResourceTags" field, the filter "Department NOT_EQUALS Finance" matches findings that don’t have the value "Finance" for the "Department" tag. "NOT_CONTAINS" and "NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Department NOT_CONTAINS Security AND Department NOT_CONTAINS Finance" match a finding that excludes both the "Security" and "Finance" values. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can’t have both an "EQUALS" filter and a "NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules. For more information, see Automation rules in the *Security Hub User Guide*. * **ResourceApplicationArn** *(list) --* The Amazon Resource Name (ARN) of the application that is related to a finding. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". 
For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. 
For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". * "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. * **ResourceApplicationName** *(list) --* The name of the application that is related to a finding. Array Members: Minimum number of 1 item. Maximum number of 20 items. * *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match. 
* **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". 
            "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title.

            You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters.

            You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters.

            For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface".

            * "ResourceType PREFIX AwsIam"
            * "ResourceType PREFIX AwsEc2"
            * "ResourceType NOT_EQUALS AwsIamPolicy"
            * "ResourceType NOT_EQUALS AwsEc2NetworkInterface"

            "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*.

      * **AwsAccountName** *(list) --* The name of the Amazon Web Services account in which a finding was generated.

        Array Members: Minimum number of 1 item. Maximum number of 20 items.

        * *(dict) --* A string filter for filtering Security Hub findings.

          * **Value** *(string) --* The string filter value.
            Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match.

          * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings.

            To search for values that have the filter value, use one of the following comparison operators:

            * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront.
            * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012".
            * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match.

            "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title.

            To search for values that don’t have the filter value, use one of the following comparison operators:

            * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront.
            * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012".
            * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS".
              For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us".

            "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title.

            You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters.

            You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters.

            For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface".

            * "ResourceType PREFIX AwsIam"
            * "ResourceType PREFIX AwsEc2"
            * "ResourceType NOT_EQUALS AwsIamPolicy"
            * "ResourceType NOT_EQUALS AwsEc2NetworkInterface"

            "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*.

    * **Actions** *(list) --* One or more actions to update finding fields if a finding matches the conditions specified in "Criteria".
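The string-filter rules described for the "Criteria" fields above (OR across "CONTAINS"/"EQUALS"/"PREFIX", AND across the negated operators, and the combinations that return an error), modelled locally as an added example; this is not Security Hub or boto3 code. `validate_field`, `check_criteria` and `field_matches` are hypothetical helper names, the sample criteria are constructed, and the input is assumed to contain only string-filter fields.

```python
"""Local model of the string-filter rules for automation rule criteria (added example)."""

# Operator -> predicate(field_value, filter_value). Comparisons are case sensitive.
POSITIVE = {
    "EQUALS": lambda value, want: value == want,
    "PREFIX": lambda value, want: value.startswith(want),
    "CONTAINS": lambda value, want: want in value,
}
NEGATIVE = {
    "NOT_EQUALS": lambda value, want: value != want,
    "PREFIX_NOT_EQUALS": lambda value, want: not value.startswith(want),
    "NOT_CONTAINS": lambda value, want: want not in value,
}
MAX_FILTERS_PER_FIELD = 20  # "Minimum number of 1 item. Maximum number of 20 items."


def validate_field(filters):
    """Return the rule violations for one field's filter list (empty list = allowed)."""
    problems = []
    if not 1 <= len(filters) <= MAX_FILTERS_PER_FIELD:
        problems.append(f"expected 1-{MAX_FILTERS_PER_FIELD} filters, got {len(filters)}")
    ops = {f.get("Comparison") for f in filters}
    unknown = sorted(str(op) for op in ops if op not in POSITIVE and op not in NEGATIVE)
    if unknown:
        problems.append("unsupported comparison: " + ", ".join(unknown))
    # CONTAINS and NOT_CONTAINS may only appear alongside filters of the same operator.
    for exclusive in ("CONTAINS", "NOT_CONTAINS"):
        if exclusive in ops and len(ops) > 1:
            problems.append(f"{exclusive} can only be combined with other {exclusive} filters")
    if "EQUALS" in ops and ops & {"NOT_EQUALS", "PREFIX_NOT_EQUALS"}:
        problems.append("EQUALS cannot be combined with NOT_EQUALS or PREFIX_NOT_EQUALS")
    return problems


def check_criteria(criteria):
    """Return {field: [problems]} for every field whose filters break a rule."""
    report = {}
    for field, filters in criteria.items():
        problems = validate_field(filters)
        if problems:
            report[field] = problems
    return report


def field_matches(value, filters):
    """Evaluate one field value: positive filters are ORed first, negated ones ANDed after."""
    positive = [f for f in filters if f["Comparison"] in POSITIVE]
    negative = [f for f in filters if f["Comparison"] in NEGATIVE]
    if positive and not any(POSITIVE[f["Comparison"]](value, f["Value"]) for f in positive):
        return False
    return all(NEGATIVE[f["Comparison"]](value, f["Value"]) for f in negative)


# Constructed sample criteria. "ResourceType" is the combination the text walks
# through; "Title" and "AwsAccountId" are combinations the text says return an error.
SAMPLE_CRITERIA = {
    "ResourceType": [
        {"Value": "AwsIam", "Comparison": "PREFIX"},
        {"Value": "AwsEc2", "Comparison": "PREFIX"},
        {"Value": "AwsIamPolicy", "Comparison": "NOT_EQUALS"},
        {"Value": "AwsEc2NetworkInterface", "Comparison": "NOT_EQUALS"},
    ],
    "Title": [
        {"Value": "CloudFront", "Comparison": "CONTAINS"},
        {"Value": "CloudWatch", "Comparison": "NOT_CONTAINS"},
    ],
    "AwsAccountId": [
        {"Value": "123456789012", "Comparison": "EQUALS"},
        {"Value": "111122223333", "Comparison": "NOT_EQUALS"},
    ],
}

if __name__ == "__main__":
    for field, problems in check_criteria(SAMPLE_CRITERIA).items():
        print(field, "->", problems)
    for resource_type in ("AwsIamRole", "AwsIamPolicy", "AwsS3Bucket"):
        print(resource_type, field_matches(resource_type, SAMPLE_CRITERIA["ResourceType"]))
```

Running the check before a rule is created or updated catches an invalid operator mix locally, and `field_matches` shows which resource types a rule's criteria would and would not touch.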
      * *(dict) --* One or more actions that Security Hub takes when a finding matches the defined criteria of a rule.
        * **Type** *(string) --* Specifies the type of action that Security Hub takes when a finding matches the defined criteria of a rule.
        * **FindingFieldsUpdate** *(dict) --* Specifies that the automation rule action is an update to a finding field.
          * **Note** *(dict) --* The updated note.
            * **Text** *(string) --* **[REQUIRED]** The updated note text.
            * **UpdatedBy** *(string) --* **[REQUIRED]** The principal that updated the note.
          * **Severity** *(dict) --* Updates to the severity information for a finding.
            * **Normalized** *(integer) --* The normalized severity for the finding. This attribute is to be deprecated in favor of "Label".

              If you provide "Normalized" and don't provide "Label", "Label" is set automatically as follows.

              * 0 - "INFORMATIONAL"
              * 1–39 - "LOW"
              * 40–69 - "MEDIUM"
              * 70–89 - "HIGH"
              * 90–100 - "CRITICAL"
            * **Product** *(float) --* The native severity as defined by the Amazon Web Services service or integrated partner product that generated the finding.
            * **Label** *(string) --* The severity value of the finding. The allowed values are the following.

              * "INFORMATIONAL" - No issue was found.
              * "LOW" - The issue does not require action on its own.
              * "MEDIUM" - The issue must be addressed but not urgently.
              * "HIGH" - The issue must be addressed as a priority.
              * "CRITICAL" - The issue must be remediated immediately to avoid it escalating.
          * **VerificationState** *(string) --* The rule action updates the "VerificationState" field of a finding.
          * **Confidence** *(integer) --* The rule action updates the "Confidence" field of a finding.
          * **Criticality** *(integer) --* The rule action updates the "Criticality" field of a finding.
          * **Types** *(list) --* The rule action updates the "Types" field of a finding.
            * *(string) --*
          * **UserDefinedFields** *(dict) --* The rule action updates the "UserDefinedFields" field of a finding.
            * *(string) --*
              * *(string) --*
          * **Workflow** *(dict) --* Used to update information about the investigation into the finding.
            * **Status** *(string) --* The status of the investigation into the finding. The workflow status is specific to an individual finding. It does not affect the generation of new findings. For example, setting the workflow status to "SUPPRESSED" or "RESOLVED" does not prevent a new finding for the same issue.

              The allowed values are the following.

              * "NEW" - The initial state of a finding, before it is reviewed. Security Hub also resets "WorkFlowStatus" from "NOTIFIED" or "RESOLVED" to "NEW" in the following cases:
                * The record state changes from "ARCHIVED" to "ACTIVE".
                * The compliance status changes from "PASSED" to either "WARNING", "FAILED", or "NOT_AVAILABLE".
              * "NOTIFIED" - Indicates that you notified the resource owner about the security issue. Used when the initial reviewer is not the resource owner, and needs intervention from the resource owner.
              * "RESOLVED" - The finding was reviewed and remediated and is now considered resolved.
              * "SUPPRESSED" - Indicates that you reviewed the finding and don't believe that any action is needed. The finding is no longer updated.
          * **RelatedFindings** *(list) --* The rule action updates the "RelatedFindings" field of a finding.
            * *(dict) --* Details about a related finding.
              * **ProductArn** *(string) --* **[REQUIRED]** The ARN of the product that generated a related finding.
              * **Id** *(string) --* **[REQUIRED]** The product-generated identifier for a related finding.

Return type: dict

Returns:

**Response Syntax**

    {
        'ProcessedAutomationRules': [
            'string',
        ],
        'UnprocessedAutomationRules': [
            {
                'RuleArn': 'string',
                'ErrorCode': 123,
                'ErrorMessage': 'string'
            },
        ]
    }

**Response Structure**

* *(dict) --*
  * **ProcessedAutomationRules** *(list) --* A list of properly processed rule ARNs.
    * *(string) --*
  * **UnprocessedAutomationRules** *(list) --* A list of objects containing "RuleArn", "ErrorCode", and "ErrorMessage". This parameter tells you which automation rules the request didn't update and why.
    * *(dict) --* A list of objects containing "RuleArn", "ErrorCode", and "ErrorMessage". This parameter tells you which automation rules the request didn't process and why.
      * **RuleArn** *(string) --* The Amazon Resource Name (ARN) for the unprocessed automation rule.
      * **ErrorCode** *(integer) --* The error code associated with the unprocessed automation rule.
      * **ErrorMessage** *(string) --* An error message describing why a request didn't process a specific rule.

**Exceptions**

* "SecurityHub.Client.exceptions.InternalException"
* "SecurityHub.Client.exceptions.InvalidAccessException"
* "SecurityHub.Client.exceptions.InvalidInputException"
* "SecurityHub.Client.exceptions.LimitExceededException"
* "SecurityHub.Client.exceptions.ResourceNotFoundException"

get_enabled_standards
*********************

SecurityHub.Client.get_enabled_standards(**kwargs)

Returns a list of the standards that are currently enabled.

See also: AWS API Documentation

**Request Syntax**

    response = client.get_enabled_standards(
        StandardsSubscriptionArns=[
            'string',
        ],
        NextToken='string',
        MaxResults=123
    )

Parameters:

* **StandardsSubscriptionArns** (*list*) -- The list of the standards subscription ARNs for the standards to retrieve.
  * *(string) --*
* **NextToken** (*string*) -- The token that is required for pagination. On your first call to the "GetEnabledStandards" operation, set the value of this parameter to "NULL". For subsequent calls to the operation, to continue listing data, set the value of this parameter to the value returned from the previous response.
* **MaxResults** (*integer*) -- The maximum number of results to return in the response.

Return type: dict

Returns:

**Response Syntax**

    {
        'StandardsSubscriptions': [
            {
                'StandardsSubscriptionArn': 'string',
                'StandardsArn': 'string',
                'StandardsInput': {
                    'string': 'string'
                },
                'StandardsStatus': 'PENDING'|'READY'|'FAILED'|'DELETING'|'INCOMPLETE',
                'StandardsControlsUpdatable': 'READY_FOR_UPDATES'|'NOT_READY_FOR_UPDATES',
                'StandardsStatusReason': {
                    'StatusReasonCode': 'NO_AVAILABLE_CONFIGURATION_RECORDER'|'MAXIMUM_NUMBER_OF_CONFIG_RULES_EXCEEDED'|'INTERNAL_ERROR'
                }
            },
        ],
        'NextToken': 'string'
    }

**Response Structure**

* *(dict) --*
  * **StandardsSubscriptions** *(list) --* The list of "StandardsSubscriptions" objects that include information about the enabled standards.
    * *(dict) --* A resource that represents your subscription to a supported standard.
      * **StandardsSubscriptionArn** *(string) --* The ARN of the resource that represents your subscription to the standard.
      * **StandardsArn** *(string) --* The ARN of the standard.
      * **StandardsInput** *(dict) --* A key-value pair of input for the standard.
        * *(string) --*
          * *(string) --*
      * **StandardsStatus** *(string) --* The status of your subscription to the standard. Possible values are:
        * "PENDING" - The standard is in the process of being enabled. Or the standard is already enabled and Security Hub is adding new controls to the standard.
        * "READY" - The standard is enabled.
        * "INCOMPLETE" - The standard could not be enabled completely. One or more errors ("StandardsStatusReason") occurred when Security Hub attempted to enable the standard.
        * "DELETING" - The standard is in the process of being disabled.
        * "FAILED" - The standard could not be disabled. One or more errors ("StandardsStatusReason") occurred when Security Hub attempted to disable the standard.
      * **StandardsControlsUpdatable** *(string) --* Specifies whether you can retrieve information about and configure individual controls that apply to the standard.
        Possible values are:
        * "READY_FOR_UPDATES" - Controls in the standard can be retrieved and configured.
        * "NOT_READY_FOR_UPDATES" - Controls in the standard cannot be retrieved or configured.
      * **StandardsStatusReason** *(dict) --* The reason for the current status.
        * **StatusReasonCode** *(string) --* The reason code that represents the reason for the current status of a standard subscription.
  * **NextToken** *(string) --* The pagination token to use to request the next page of results.

**Exceptions**

* "SecurityHub.Client.exceptions.InternalException"
* "SecurityHub.Client.exceptions.InvalidInputException"
* "SecurityHub.Client.exceptions.InvalidAccessException"
* "SecurityHub.Client.exceptions.LimitExceededException"

update_aggregator_v2
********************

SecurityHub.Client.update_aggregator_v2(**kwargs)

Updates the configuration for the Aggregator V2. This API is in private preview and subject to change.

See also: AWS API Documentation

**Request Syntax**

    response = client.update_aggregator_v2(
        AggregatorV2Arn='string',
        RegionLinkingMode='string',
        LinkedRegions=[
            'string',
        ]
    )

Parameters:

* **AggregatorV2Arn** (*string*) -- **[REQUIRED]** The ARN of the Aggregator V2.
* **RegionLinkingMode** (*string*) -- **[REQUIRED]** Determines how Amazon Web Services Regions should be linked to the Aggregator V2.
* **LinkedRegions** (*list*) -- A list of Amazon Web Services Regions linked to the aggregation Region.
  * *(string) --*

Return type: dict

Returns:

**Response Syntax**

    {
        'AggregatorV2Arn': 'string',
        'AggregationRegion': 'string',
        'RegionLinkingMode': 'string',
        'LinkedRegions': [
            'string',
        ]
    }

**Response Structure**

* *(dict) --*
  * **AggregatorV2Arn** *(string) --* The ARN of the Aggregator V2.
  * **AggregationRegion** *(string) --* The Amazon Web Services Region where data is aggregated.
  * **RegionLinkingMode** *(string) --* Determines how Amazon Web Services Regions should be linked to the Aggregator V2.
  * **LinkedRegions** *(list) --* A list of Amazon Web Services Regions linked to the aggregation Region.
    * *(string) --*

**Exceptions**

* "SecurityHub.Client.exceptions.InternalServerException"
* "SecurityHub.Client.exceptions.ThrottlingException"
* "SecurityHub.Client.exceptions.AccessDeniedException"
* "SecurityHub.Client.exceptions.ValidationException"
* "SecurityHub.Client.exceptions.ResourceNotFoundException"
* "SecurityHub.Client.exceptions.ConflictException"

list_members
************

SecurityHub.Client.list_members(**kwargs)

Lists details about all member accounts for the current Security Hub administrator account.

The results include both member accounts that belong to an organization and member accounts that were invited manually.

See also: AWS API Documentation

**Request Syntax**

    response = client.list_members(
        OnlyAssociated=True|False,
        MaxResults=123,
        NextToken='string'
    )

Parameters:

* **OnlyAssociated** (*boolean*) -- Specifies which member accounts to include in the response based on their relationship status with the administrator account. The default value is "TRUE".

  If "OnlyAssociated" is set to "TRUE", the response includes member accounts whose relationship status with the administrator account is set to "ENABLED".

  If "OnlyAssociated" is set to "FALSE", the response includes all existing member accounts.
* **MaxResults** (*integer*) -- The maximum number of items to return in the response.
* **NextToken** (*string*) -- The token that is required for pagination. On your first call to the "ListMembers" operation, set the value of this parameter to "NULL". For subsequent calls to the operation, to continue listing data, set the value of this parameter to the value returned from the previous response.

Return type: dict

Returns:

**Response Syntax**

    {
        'Members': [
            {
                'AccountId': 'string',
                'Email': 'string',
                'MasterId': 'string',
                'AdministratorId': 'string',
                'MemberStatus': 'string',
                'InvitedAt': datetime(2015, 1, 1),
                'UpdatedAt': datetime(2015, 1, 1)
            },
        ],
        'NextToken': 'string'
    }

**Response Structure**

* *(dict) --*
  * **Members** *(list) --* Member details returned by the operation.
    * *(dict) --* The details about a member account.
      * **AccountId** *(string) --* The Amazon Web Services account ID of the member account.
      * **Email** *(string) --* The email address of the member account.
      * **MasterId** *(string) --* This is replaced by "AdministratorID". The Amazon Web Services account ID of the Security Hub administrator account associated with this member account.
      * **AdministratorId** *(string) --* The Amazon Web Services account ID of the Security Hub administrator account associated with this member account.
      * **MemberStatus** *(string) --* The status of the relationship between the member account and its administrator account. The status can have one of the following values:
        * "Created" - Indicates that the administrator account added the member account, but has not yet invited the member account.
        * "Invited" - Indicates that the administrator account invited the member account. The member account has not yet responded to the invitation.
        * "Enabled" - Indicates that the member account is currently active. For manually invited member accounts, indicates that the member account accepted the invitation.
        * "Removed" - Indicates that the administrator account disassociated the member account.
        * "Resigned" - Indicates that the member account disassociated themselves from the administrator account.
        * "Deleted" - Indicates that the administrator account deleted the member account.
        * "AccountSuspended" - Indicates that an organization account was suspended from Amazon Web Services at the same time that the administrator account tried to enable the organization account as a member account.
      * **InvitedAt** *(datetime) --* A timestamp for the date and time when the invitation was sent to the member account.
      * **UpdatedAt** *(datetime) --* The timestamp for the date and time when the member account was updated.
  * **NextToken** *(string) --* The pagination token to use to request the next page of results.

**Exceptions**

* "SecurityHub.Client.exceptions.InternalException"
* "SecurityHub.Client.exceptions.InvalidInputException"
* "SecurityHub.Client.exceptions.InvalidAccessException"
* "SecurityHub.Client.exceptions.LimitExceededException"

delete_members
**************

SecurityHub.Client.delete_members(**kwargs)

Deletes the specified member accounts from Security Hub.

You can invoke this API only to delete accounts that became members through invitation. You can't invoke this API to delete accounts that belong to an Organizations organization.

See also: AWS API Documentation

**Request Syntax**

    response = client.delete_members(
        AccountIds=[
            'string',
        ]
    )

Parameters:

  **AccountIds** (*list*) -- **[REQUIRED]** The list of account IDs for the member accounts to delete.

  * *(string) --*

Return type: dict

Returns:

**Response Syntax**

    {
        'UnprocessedAccounts': [
            {
                'AccountId': 'string',
                'ProcessingResult': 'string'
            },
        ]
    }

**Response Structure**

* *(dict) --*
  * **UnprocessedAccounts** *(list) --* The list of Amazon Web Services accounts that were not deleted. For each account, the list includes the account ID and the email address.
    * *(dict) --* Details about the account that was not processed.
      * **AccountId** *(string) --* An Amazon Web Services account ID of the account that was not processed.
      * **ProcessingResult** *(string) --* The reason that the account was not processed.

**Exceptions**

* "SecurityHub.Client.exceptions.InternalException"
* "SecurityHub.Client.exceptions.InvalidInputException"
* "SecurityHub.Client.exceptions.InvalidAccessException"
* "SecurityHub.Client.exceptions.LimitExceededException"
* "SecurityHub.Client.exceptions.ResourceNotFoundException"

list_tags_for_resource
**********************

SecurityHub.Client.list_tags_for_resource(**kwargs)

Returns a list of tags associated with a resource.

See also: AWS API Documentation

**Request Syntax**

    response = client.list_tags_for_resource(
        ResourceArn='string'
    )

Parameters:

  **ResourceArn** (*string*) -- **[REQUIRED]** The ARN of the resource to retrieve tags for.

Return type: dict

Returns:

**Response Syntax**

    {
        'Tags': {
            'string': 'string'
        }
    }

**Response Structure**

* *(dict) --*
  * **Tags** *(dict) --* The tags associated with a resource.
    * *(string) --*
      * *(string) --*

**Exceptions**

* "SecurityHub.Client.exceptions.InternalException"
* "SecurityHub.Client.exceptions.InvalidInputException"
* "SecurityHub.Client.exceptions.ResourceNotFoundException"

list_configuration_policy_associations
**************************************

SecurityHub.Client.list_configuration_policy_associations(**kwargs)

Provides information about the associations for your configuration policies and self-managed behavior. Only the Security Hub delegated administrator can invoke this operation from the home Region.

See also: AWS API Documentation

**Request Syntax**

    response = client.list_configuration_policy_associations(
        NextToken='string',
        MaxResults=123,
        Filters={
            'ConfigurationPolicyId': 'string',
            'AssociationType': 'INHERITED'|'APPLIED',
            'AssociationStatus': 'PENDING'|'SUCCESS'|'FAILED'
        }
    )

Parameters:

* **NextToken** (*string*) -- The "NextToken" value that's returned from a previous paginated "ListConfigurationPolicyAssociations" request where "MaxResults" was used but the results exceeded the value of that parameter. Pagination continues from the end of the previous response that returned the "NextToken" value. This value is "null" when there are no more results to return.
* **MaxResults** (*integer*) -- The maximum number of results that's returned by "ListConfigurationPolicies" in each page of the response. When this parameter is used, "ListConfigurationPolicyAssociations" returns the specified number of results in a single page and a "NextToken" response element. You can see the remaining results of the initial request by sending another "ListConfigurationPolicyAssociations" request with the returned "NextToken" value. A valid range for "MaxResults" is between 1 and 100.
* **Filters** (*dict*) -- Options for filtering the "ListConfigurationPolicyAssociations" response. You can filter by the Amazon Resource Name (ARN) or universally unique identifier (UUID) of a configuration, "AssociationType", or "AssociationStatus".
  * **ConfigurationPolicyId** *(string) --* The ARN or UUID of the configuration policy.
  * **AssociationType** *(string) --* Indicates whether the association between a target and a configuration was directly applied by the Security Hub delegated administrator or inherited from a parent.
  * **AssociationStatus** *(string) --* The current status of the association between a target and a configuration policy.

Return type: dict

Returns:

**Response Syntax**

    {
        'ConfigurationPolicyAssociationSummaries': [
            {
                'ConfigurationPolicyId': 'string',
                'TargetId': 'string',
                'TargetType': 'ACCOUNT'|'ORGANIZATIONAL_UNIT'|'ROOT',
                'AssociationType': 'INHERITED'|'APPLIED',
                'UpdatedAt': datetime(2015, 1, 1),
                'AssociationStatus': 'PENDING'|'SUCCESS'|'FAILED',
                'AssociationStatusMessage': 'string'
            },
        ],
        'NextToken': 'string'
    }

**Response Structure**

* *(dict) --*
  * **ConfigurationPolicyAssociationSummaries** *(list) --* An object that contains the details of each configuration policy association that’s returned in a "ListConfigurationPolicyAssociations" request.
    * *(dict) --* An object that contains the details of a configuration policy association that’s returned in a "ListConfigurationPolicyAssociations" request.
      * **ConfigurationPolicyId** *(string) --* The universally unique identifier (UUID) of the configuration policy.
      * **TargetId** *(string) --* The identifier of the target account, organizational unit, or the root.
      * **TargetType** *(string) --* Specifies whether the target is an Amazon Web Services account, organizational unit, or the root.
      * **AssociationType** *(string) --* Indicates whether the association between the specified target and the configuration was directly applied by the Security Hub delegated administrator or inherited from a parent.
      * **UpdatedAt** *(datetime) --* The date and time, in UTC and ISO 8601 format, that the configuration policy association was last updated.
      * **AssociationStatus** *(string) --* The current status of the association between the specified target and the configuration.
      * **AssociationStatusMessage** *(string) --* The explanation for a "FAILED" value for "AssociationStatus".
  * **NextToken** *(string) --* The "NextToken" value to include in the next "ListConfigurationPolicyAssociations" request. When the results of a "ListConfigurationPolicyAssociations" request exceed "MaxResults", this value can be used to retrieve the next page of results.
    This value is "null" when there are no more results to return.

**Exceptions**

* "SecurityHub.Client.exceptions.InternalException"
* "SecurityHub.Client.exceptions.InvalidAccessException"
* "SecurityHub.Client.exceptions.InvalidInputException"
* "SecurityHub.Client.exceptions.LimitExceededException"
* "SecurityHub.Client.exceptions.AccessDeniedException"

batch_update_standards_control_associations
*******************************************

SecurityHub.Client.batch_update_standards_control_associations(**kwargs)

For a batch of security controls and standards, this operation updates the enablement status of a control in a standard.

See also: AWS API Documentation

**Request Syntax**

    response = client.batch_update_standards_control_associations(
        StandardsControlAssociationUpdates=[
            {
                'StandardsArn': 'string',
                'SecurityControlId': 'string',
                'AssociationStatus': 'ENABLED'|'DISABLED',
                'UpdatedReason': 'string'
            },
        ]
    )

Parameters:

  **StandardsControlAssociationUpdates** (*list*) -- **[REQUIRED]** Updates the enablement status of a security control in a specified standard.

  Calls to this operation return a "RESOURCE_NOT_FOUND_EXCEPTION" error when the standard subscription for the control has "StandardsControlsUpdatable" value "NOT_READY_FOR_UPDATES".

  * *(dict) --* An array of requested updates to the enablement status of controls in specified standards. The objects in the array include a security control ID, the Amazon Resource Name (ARN) of the standard, the requested enablement status, and the reason for updating the enablement status.
    * **StandardsArn** *(string) --* **[REQUIRED]** The Amazon Resource Name (ARN) of the standard in which you want to update the control's enablement status.
    * **SecurityControlId** *(string) --* **[REQUIRED]** The unique identifier for the security control whose enablement status you want to update.
    * **AssociationStatus** *(string) --* **[REQUIRED]** The desired enablement status of the control in the standard.
    * **UpdatedReason** *(string) --* The reason for updating the control's enablement status in the standard.

Return type: dict

Returns:

**Response Syntax**

    {
        'UnprocessedAssociationUpdates': [
            {
                'StandardsControlAssociationUpdate': {
                    'StandardsArn': 'string',
                    'SecurityControlId': 'string',
                    'AssociationStatus': 'ENABLED'|'DISABLED',
                    'UpdatedReason': 'string'
                },
                'ErrorCode': 'INVALID_INPUT'|'ACCESS_DENIED'|'NOT_FOUND'|'LIMIT_EXCEEDED',
                'ErrorReason': 'string'
            },
        ]
    }

**Response Structure**

* *(dict) --*
  * **UnprocessedAssociationUpdates** *(list) --* A security control (identified with "SecurityControlId", "SecurityControlArn", or a mix of both parameters) whose enablement status in a specified standard couldn't be updated.
    * *(dict) --* Provides details about which control's enablement status could not be updated in a specified standard when calling the BatchUpdateStandardsControlAssociations API. This parameter also provides details about why the request was unprocessed.
      * **StandardsControlAssociationUpdate** *(dict) --* An array of control and standard associations for which an update failed when calling BatchUpdateStandardsControlAssociations.
        * **StandardsArn** *(string) --* The Amazon Resource Name (ARN) of the standard in which you want to update the control's enablement status.
        * **SecurityControlId** *(string) --* The unique identifier for the security control whose enablement status you want to update.
        * **AssociationStatus** *(string) --* The desired enablement status of the control in the standard.
        * **UpdatedReason** *(string) --* The reason for updating the control's enablement status in the standard.
      * **ErrorCode** *(string) --* The error code for the unprocessed update of the control's enablement status in the specified standard.
      * **ErrorReason** *(string) --* The reason why a control's enablement status in the specified standard couldn't be updated.

**Exceptions**

* "SecurityHub.Client.exceptions.InternalException"
* "SecurityHub.Client.exceptions.LimitExceededException"
* "SecurityHub.Client.exceptions.InvalidAccessException"
* "SecurityHub.Client.exceptions.InvalidInputException"
* "SecurityHub.Client.exceptions.AccessDeniedException"

batch_get_configuration_policy_associations
*******************************************

SecurityHub.Client.batch_get_configuration_policy_associations(**kwargs)

Returns associations between a Security Hub configuration and a batch of target accounts, organizational units, or the root. Only the Security Hub delegated administrator can invoke this operation from the home Region. A configuration can refer to a configuration policy or to a self-managed configuration.

See also: AWS API Documentation

**Request Syntax**

    response = client.batch_get_configuration_policy_associations(
        ConfigurationPolicyAssociationIdentifiers=[
            {
                'Target': {
                    'AccountId': 'string',
                    'OrganizationalUnitId': 'string',
                    'RootId': 'string'
                }
            },
        ]
    )

Parameters:

  **ConfigurationPolicyAssociationIdentifiers** (*list*) -- **[REQUIRED]** Specifies one or more target account IDs, organizational unit (OU) IDs, or the root ID to retrieve associations for.

  * *(dict) --* Provides details about the association between a Security Hub configuration and a target account, organizational unit, or the root. An association can exist between a target and a configuration policy, or between a target and self-managed behavior.
    * **Target** *(dict) --* The target account, organizational unit, or the root.

      Note: This is a Tagged Union structure. Only one of the following top level keys can be set: "AccountId", "OrganizationalUnitId", "RootId".

      * **AccountId** *(string) --* The Amazon Web Services account ID of the target account.
* **OrganizationalUnitId** *(string) --* The organizational unit ID of the target organizational unit. * **RootId** *(string) --* The ID of the organization root. Return type: dict Returns: **Response Syntax** { 'ConfigurationPolicyAssociations': [ { 'ConfigurationPolicyId': 'string', 'TargetId': 'string', 'TargetType': 'ACCOUNT'|'ORGANIZATIONAL_UNIT'|'ROOT', 'AssociationType': 'INHERITED'|'APPLIED', 'UpdatedAt': datetime(2015, 1, 1), 'AssociationStatus': 'PENDING'|'SUCCESS'|'FAILED', 'AssociationStatusMessage': 'string' }, ], 'UnprocessedConfigurationPolicyAssociations': [ { 'ConfigurationPolicyAssociationIdentifiers': { 'Target': { 'AccountId': 'string', 'OrganizationalUnitId': 'string', 'RootId': 'string' } }, 'ErrorCode': 'string', 'ErrorReason': 'string' }, ] } **Response Structure** * *(dict) --* * **ConfigurationPolicyAssociations** *(list) --* Describes associations for the target accounts, OUs, or the root. * *(dict) --* An object that contains the details of a configuration policy association that’s returned in a "ListConfigurationPolicyAssociations" request. * **ConfigurationPolicyId** *(string) --* The universally unique identifier (UUID) of the configuration policy. * **TargetId** *(string) --* The identifier of the target account, organizational unit, or the root. * **TargetType** *(string) --* Specifies whether the target is an Amazon Web Services account, organizational unit, or the root. * **AssociationType** *(string) --* Indicates whether the association between the specified target and the configuration was directly applied by the Security Hub delegated administrator or inherited from a parent. * **UpdatedAt** *(datetime) --* The date and time, in UTC and ISO 8601 format, that the configuration policy association was last updated. * **AssociationStatus** *(string) --* The current status of the association between the specified target and the configuration. 
* **AssociationStatusMessage** *(string) --* The explanation for a "FAILED" value for "AssociationStatus". * **UnprocessedConfigurationPolicyAssociations** *(list) --* An array of configuration policy associations, one for each configuration policy association identifier, that was specified in the request but couldn’t be processed due to an error. * *(dict) --* An array of configuration policy associations, one for each configuration policy association identifier, that was specified in a "BatchGetConfigurationPolicyAssociations" request but couldn’t be processed due to an error. * **ConfigurationPolicyAssociationIdentifiers** *(dict) --* Configuration policy association identifiers that were specified in a "BatchGetConfigurationPolicyAssociations" request but couldn’t be processed due to an error. * **Target** *(dict) --* The target account, organizational unit, or the root. Note: This is a Tagged Union structure. Only one of the following top level keys will be set: "AccountId", "OrganizationalUnitId", "RootId". If a client receives an unknown member it will set "SDK_UNKNOWN_MEMBER" as the top level key, which maps to the name or tag of the unknown member. The structure of "SDK_UNKNOWN_MEMBER" is as follows: 'SDK_UNKNOWN_MEMBER': {'name': 'UnknownMemberName'} * **AccountId** *(string) --* The Amazon Web Services account ID of the target account. * **OrganizationalUnitId** *(string) --* The organizational unit ID of the target organizational unit. * **RootId** *(string) --* The ID of the organization root. * **ErrorCode** *(string) --* An HTTP status code that identifies why the configuration policy association failed. * **ErrorReason** *(string) --* A string that identifies why the configuration policy association failed. 
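An added example, not part of the boto3 documentation: one way to build the tagged-union "Target" entries for this call and to triage its response, including "UnprocessedConfigurationPolicyAssociations" and the "SDK_UNKNOWN_MEMBER" case. The ID-shape checks (12-digit account ID, "ou-" and "r-" prefixes), the helper names, the stub client and the sample response are assumptions constructed for illustration; "SELF_MANAGED_SECURITY_HUB" is the value this page gives under get_configuration_policy_association.

```python
import re


def to_target(target_id):
    """Build a tagged-union Target: exactly one of the three keys is set."""
    if re.fullmatch(r"\d{12}", target_id):
        return {"AccountId": target_id}
    if target_id.startswith("ou-"):
        return {"OrganizationalUnitId": target_id}
    if target_id.startswith("r-"):
        return {"RootId": target_id}
    raise ValueError(f"not an account, OU or root ID: {target_id!r}")


def target_label(target):
    """Read a Target from a response, tolerating a member the SDK does not know."""
    if "SDK_UNKNOWN_MEMBER" in target:
        return "unknown:" + target["SDK_UNKNOWN_MEMBER"]["name"]
    return next(iter(target.values()))


def audit_associations(client, target_ids):
    """Query the associations and sort the results into what needs attention."""
    response = client.batch_get_configuration_policy_associations(
        ConfigurationPolicyAssociationIdentifiers=[
            {"Target": to_target(t)} for t in target_ids
        ]
    )
    report = {"failed": [], "pending": [], "self_managed": [], "unprocessed": []}
    for assoc in response.get("ConfigurationPolicyAssociations", []):
        status = assoc["AssociationStatus"]
        if status == "FAILED":
            # AssociationStatusMessage explains a FAILED status.
            report["failed"].append(
                (assoc["TargetId"], assoc.get("AssociationStatusMessage", ""))
            )
        elif status == "PENDING":
            report["pending"].append(assoc["TargetId"])
        if assoc.get("ConfigurationPolicyId") == "SELF_MANAGED_SECURITY_HUB":
            # Target is outside central configuration (assumed to use the same
            # marker here as in get_configuration_policy_association).
            report["self_managed"].append(assoc["TargetId"])
    # Targets that were requested but not processed must not be dropped silently.
    for item in response.get("UnprocessedConfigurationPolicyAssociations", []):
        target = item["ConfigurationPolicyAssociationIdentifiers"]["Target"]
        report["unprocessed"].append(
            (target_label(target), item.get("ErrorCode"), item.get("ErrorReason"))
        )
    return report


# Constructed sample response (not real account data).
CONSTRUCTED_RESPONSE = {
    "ConfigurationPolicyAssociations": [
        {"ConfigurationPolicyId": "00000000-0000-0000-0000-000000000000",
         "TargetId": "111122223333", "TargetType": "ACCOUNT",
         "AssociationType": "INHERITED", "AssociationStatus": "SUCCESS"},
        {"ConfigurationPolicyId": "00000000-0000-0000-0000-000000000000",
         "TargetId": "ou-ab12-cdefgh34", "TargetType": "ORGANIZATIONAL_UNIT",
         "AssociationType": "APPLIED", "AssociationStatus": "FAILED",
         "AssociationStatusMessage": "constructed failure message"},
        {"ConfigurationPolicyId": "SELF_MANAGED_SECURITY_HUB",
         "TargetId": "444455556666", "TargetType": "ACCOUNT",
         "AssociationType": "APPLIED", "AssociationStatus": "SUCCESS"},
    ],
    "UnprocessedConfigurationPolicyAssociations": [
        {"ConfigurationPolicyAssociationIdentifiers": {"Target": {"RootId": "r-ab12"}},
         "ErrorCode": "404", "ErrorReason": "constructed reason"},
    ],
}


class StubClient:
    """Stands in for boto3.client('securityhub') so the example runs offline."""

    def __init__(self):
        self.last_request = None

    def batch_get_configuration_policy_associations(self, **kwargs):
        self.last_request = kwargs
        return CONSTRUCTED_RESPONSE


if __name__ == "__main__":
    ids = ["111122223333", "ou-ab12-cdefgh34", "444455556666", "r-ab12"]
    for bucket, entries in audit_associations(StubClient(), ids).items():
        print(bucket, entries)
```

With a real client, pass the delegated administrator's "securityhub" client for the home Region in place of "StubClient()".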
**Exceptions** * "SecurityHub.Client.exceptions.InternalException" * "SecurityHub.Client.exceptions.InvalidAccessException" * "SecurityHub.Client.exceptions.InvalidInputException" * "SecurityHub.Client.exceptions.LimitExceededException" * "SecurityHub.Client.exceptions.ResourceNotFoundException" * "SecurityHub.Client.exceptions.AccessDeniedException" SecurityHub / Client / delete_automation_rule_v2 delete_automation_rule_v2 ************************* SecurityHub.Client.delete_automation_rule_v2(**kwargs) Deletes a V2 automation rule. This API is in private preview and subject to change. See also: AWS API Documentation **Request Syntax** response = client.delete_automation_rule_v2( Identifier='string' ) Parameters: **Identifier** (*string*) -- **[REQUIRED]** The ARN of the V2 automation rule. Return type: dict Returns: **Response Syntax** {} **Response Structure** * *(dict) --* **Exceptions** * "SecurityHub.Client.exceptions.AccessDeniedException" * "SecurityHub.Client.exceptions.InternalServerException" * "SecurityHub.Client.exceptions.ValidationException" * "SecurityHub.Client.exceptions.ThrottlingException" * "SecurityHub.Client.exceptions.ResourceNotFoundException" * "SecurityHub.Client.exceptions.ConflictException" SecurityHub / Client / enable_security_hub enable_security_hub ******************* SecurityHub.Client.enable_security_hub(**kwargs) Enables Security Hub for your account in the current Region or the Region you specify in the request. When you enable Security Hub, you grant to Security Hub the permissions necessary to gather findings from other services that are integrated with Security Hub. When you use the "EnableSecurityHub" operation to enable Security Hub, you also automatically enable the following standards: * Center for Internet Security (CIS) Amazon Web Services Foundations Benchmark v1.2.0 * Amazon Web Services Foundational Security Best Practices Other standards are not automatically enabled. 
To opt out of automatically enabled standards, set "EnableDefaultStandards" to "false". After you enable Security Hub, to enable a standard, use the "BatchEnableStandards" operation. To disable a standard, use the "BatchDisableStandards" operation. To learn more, see the setup information in the *Security Hub User Guide*. See also: AWS API Documentation **Request Syntax** response = client.enable_security_hub( Tags={ 'string': 'string' }, EnableDefaultStandards=True|False, ControlFindingGenerator='STANDARD_CONTROL'|'SECURITY_CONTROL' ) Parameters: * **Tags** (*dict*) -- The tags to add to the hub resource when you enable Security Hub. * *(string) --* * *(string) --* * **EnableDefaultStandards** (*boolean*) -- Whether to enable the security standards that Security Hub has designated as automatically enabled. If you don't provide a value for "EnableDefaultStandards", it is set to "true". To not enable the automatically enabled standards, set "EnableDefaultStandards" to "false". * **ControlFindingGenerator** (*string*) -- This field, used when enabling Security Hub, specifies whether the calling account has consolidated control findings turned on. If the value for this field is set to "SECURITY_CONTROL", Security Hub generates a single finding for a control check even when the check applies to multiple enabled standards. If the value for this field is set to "STANDARD_CONTROL", Security Hub generates separate findings for a control check when the check applies to multiple enabled standards. The value for this field in a member account matches the value in the administrator account. For accounts that aren't part of an organization, the default value of this field is "SECURITY_CONTROL" if you enabled Security Hub on or after February 23, 2023. 
Return type: dict Returns: **Response Syntax** {} **Response Structure** * *(dict) --* **Exceptions** * "SecurityHub.Client.exceptions.InternalException" * "SecurityHub.Client.exceptions.LimitExceededException" * "SecurityHub.Client.exceptions.InvalidAccessException" * "SecurityHub.Client.exceptions.ResourceConflictException" * "SecurityHub.Client.exceptions.AccessDeniedException" SecurityHub / Client / untag_resource untag_resource ************** SecurityHub.Client.untag_resource(**kwargs) Removes one or more tags from a resource. See also: AWS API Documentation **Request Syntax** response = client.untag_resource( ResourceArn='string', TagKeys=[ 'string', ] ) Parameters: * **ResourceArn** (*string*) -- **[REQUIRED]** The ARN of the resource to remove the tags from. * **TagKeys** (*list*) -- **[REQUIRED]** The tag keys associated with the tags to remove from the resource. You can remove up to 50 tags at a time. * *(string) --* Return type: dict Returns: **Response Syntax** {} **Response Structure** * *(dict) --* **Exceptions** * "SecurityHub.Client.exceptions.InternalException" * "SecurityHub.Client.exceptions.InvalidInputException" * "SecurityHub.Client.exceptions.ResourceNotFoundException" SecurityHub / Client / delete_finding_aggregator delete_finding_aggregator ************************* SecurityHub.Client.delete_finding_aggregator(**kwargs) Note: The *aggregation Region* is now called the *home Region*. Deletes a finding aggregator. When you delete the finding aggregator, you stop cross-Region aggregation. Finding replication stops occurring from the linked Regions to the home Region. When you stop cross-Region aggregation, findings that were already replicated and sent to the home Region are still visible from the home Region. However, new findings and finding updates are no longer replicated and sent to the home Region. 
See also: AWS API Documentation **Request Syntax** response = client.delete_finding_aggregator( FindingAggregatorArn='string' ) Parameters: **FindingAggregatorArn** (*string*) -- **[REQUIRED]** The ARN of the finding aggregator to delete. To obtain the ARN, use "ListFindingAggregators". Return type: dict Returns: **Response Syntax** {} **Response Structure** * *(dict) --* **Exceptions** * "SecurityHub.Client.exceptions.InternalException" * "SecurityHub.Client.exceptions.LimitExceededException" * "SecurityHub.Client.exceptions.InvalidAccessException" * "SecurityHub.Client.exceptions.AccessDeniedException" * "SecurityHub.Client.exceptions.InvalidInputException" * "SecurityHub.Client.exceptions.ResourceNotFoundException" SecurityHub / Client / disable_security_hub disable_security_hub ******************** SecurityHub.Client.disable_security_hub() Disables Security Hub in your account only in the current Amazon Web Services Region. To disable Security Hub in all Regions, you must submit one request per Region where you have enabled Security Hub. You can't disable Security Hub in an account that is currently the Security Hub administrator. When you disable Security Hub, your existing findings and insights and any Security Hub configuration settings are deleted after 90 days and cannot be recovered. Any standards that were enabled are disabled, and your administrator and member account associations are removed. If you want to save your existing findings, you must export them before you disable Security Hub. 
See also: AWS API Documentation **Request Syntax** response = client.disable_security_hub() Return type: dict Returns: **Response Syntax** {} **Response Structure** * *(dict) --* **Exceptions** * "SecurityHub.Client.exceptions.InternalException" * "SecurityHub.Client.exceptions.LimitExceededException" * "SecurityHub.Client.exceptions.InvalidAccessException" * "SecurityHub.Client.exceptions.ResourceNotFoundException" * "SecurityHub.Client.exceptions.AccessDeniedException" SecurityHub / Client / disassociate_from_administrator_account disassociate_from_administrator_account *************************************** SecurityHub.Client.disassociate_from_administrator_account() Disassociates the current Security Hub member account from the associated administrator account. This operation is only used by accounts that are not part of an organization. For organization accounts, only the administrator account can disassociate a member account. See also: AWS API Documentation **Request Syntax** response = client.disassociate_from_administrator_account() Return type: dict Returns: **Response Syntax** {} **Response Structure** * *(dict) --* **Exceptions** * "SecurityHub.Client.exceptions.InternalException" * "SecurityHub.Client.exceptions.InvalidInputException" * "SecurityHub.Client.exceptions.InvalidAccessException" * "SecurityHub.Client.exceptions.LimitExceededException" * "SecurityHub.Client.exceptions.ResourceNotFoundException" SecurityHub / Client / get_waiter get_waiter ********** SecurityHub.Client.get_waiter(waiter_name) Returns an object that can wait for some condition. Parameters: **waiter_name** (*str*) -- The name of the waiter to get. See the waiters section of the service docs for a list of available waiters. Returns: The specified waiter object. 
Return type: "botocore.waiter.Waiter" SecurityHub / Client / disable_organization_admin_account disable_organization_admin_account ********************************** SecurityHub.Client.disable_organization_admin_account(**kwargs) Disables a Security Hub administrator account. Can only be called by the organization management account. See also: AWS API Documentation **Request Syntax** response = client.disable_organization_admin_account( AdminAccountId='string', Feature='SecurityHub'|'SecurityHubV2' ) Parameters: * **AdminAccountId** (*string*) -- **[REQUIRED]** The Amazon Web Services account identifier of the Security Hub administrator account. * **Feature** (*string*) -- The feature for which the delegated admin account is disabled. Defaults to Security Hub if not specified. Return type: dict Returns: **Response Syntax** {} **Response Structure** * *(dict) --* **Exceptions** * "SecurityHub.Client.exceptions.InternalException" * "SecurityHub.Client.exceptions.InvalidInputException" * "SecurityHub.Client.exceptions.InvalidAccessException" * "SecurityHub.Client.exceptions.LimitExceededException" * "SecurityHub.Client.exceptions.AccessDeniedException" SecurityHub / Client / update_standards_control update_standards_control ************************ SecurityHub.Client.update_standards_control(**kwargs) Used to control whether an individual security standard control is enabled or disabled. Calls to this operation return a "RESOURCE_NOT_FOUND_EXCEPTION" error when the standard subscription for the control has "StandardsControlsUpdatable" value "NOT_READY_FOR_UPDATES". See also: AWS API Documentation **Request Syntax** response = client.update_standards_control( StandardsControlArn='string', ControlStatus='ENABLED'|'DISABLED', DisabledReason='string' ) Parameters: * **StandardsControlArn** (*string*) -- **[REQUIRED]** The ARN of the security standard control to enable or disable. * **ControlStatus** (*string*) -- The updated status of the security standard control. 
      * **DisabledReason** (*string*) --

        A description of the reason why you are disabling a security standard control. If you are disabling a control, then this is required.

   Return type:
      dict

   Returns:
      **Response Syntax**

         {}

      **Response Structure**

      * *(dict) --*

   **Exceptions**

   * "SecurityHub.Client.exceptions.InternalException"

   * "SecurityHub.Client.exceptions.InvalidInputException"

   * "SecurityHub.Client.exceptions.InvalidAccessException"

   * "SecurityHub.Client.exceptions.ResourceNotFoundException"

   * "SecurityHub.Client.exceptions.AccessDeniedException"

get_master_account
******************

SecurityHub.Client.get_master_account()

   This method is deprecated. Instead, use "GetAdministratorAccount".

   The Security Hub console continues to use "GetMasterAccount". It will eventually change to use "GetAdministratorAccount". Any IAM policies that specifically control access to this function must continue to use "GetMasterAccount". You should also add "GetAdministratorAccount" to your policies to ensure that the correct permissions are in place after the console begins to use "GetAdministratorAccount".

   Provides the details for the Security Hub administrator account for the current member account.

   Can be used by both member accounts that are managed using Organizations and accounts that were invited manually.

   Danger: This operation is deprecated and may not function as expected. This operation should not be used going forward and is only kept for the purpose of backwards compatibility.

   See also: AWS API Documentation

   **Request Syntax**

      response = client.get_master_account()

   Return type:
      dict

   Returns:
      **Response Syntax**

         {
             'Master': {
                 'AccountId': 'string',
                 'InvitationId': 'string',
                 'InvitedAt': datetime(2015, 1, 1),
                 'MemberStatus': 'string'
             }
         }

      **Response Structure**

      * *(dict) --*

        * **Master** *(dict) --*

          A list of details about the Security Hub administrator account for the current member account.
* **AccountId** *(string) --* The account ID of the Security Hub administrator account that the invitation was sent from. * **InvitationId** *(string) --* The ID of the invitation sent to the member account. * **InvitedAt** *(datetime) --* The timestamp of when the invitation was sent. * **MemberStatus** *(string) --* The current status of the association between the member and administrator accounts. **Exceptions** * "SecurityHub.Client.exceptions.InternalException" * "SecurityHub.Client.exceptions.InvalidInputException" * "SecurityHub.Client.exceptions.InvalidAccessException" * "SecurityHub.Client.exceptions.LimitExceededException" * "SecurityHub.Client.exceptions.ResourceNotFoundException" SecurityHub / Client / get_configuration_policy_association get_configuration_policy_association ************************************ SecurityHub.Client.get_configuration_policy_association(**kwargs) Returns the association between a configuration and a target account, organizational unit, or the root. The configuration can be a configuration policy or self-managed behavior. Only the Security Hub delegated administrator can invoke this operation from the home Region. See also: AWS API Documentation **Request Syntax** response = client.get_configuration_policy_association( Target={ 'AccountId': 'string', 'OrganizationalUnitId': 'string', 'RootId': 'string' } ) Parameters: **Target** (*dict*) -- **[REQUIRED]** The target account ID, organizational unit ID, or the root ID to retrieve the association for. Note: This is a Tagged Union structure. Only one of the following top level keys can be set: "AccountId", "OrganizationalUnitId", "RootId". * **AccountId** *(string) --* The Amazon Web Services account ID of the target account. * **OrganizationalUnitId** *(string) --* The organizational unit ID of the target organizational unit. * **RootId** *(string) --* The ID of the organization root. 
Return type: dict Returns: **Response Syntax** { 'ConfigurationPolicyId': 'string', 'TargetId': 'string', 'TargetType': 'ACCOUNT'|'ORGANIZATIONAL_UNIT'|'ROOT', 'AssociationType': 'INHERITED'|'APPLIED', 'UpdatedAt': datetime(2015, 1, 1), 'AssociationStatus': 'PENDING'|'SUCCESS'|'FAILED', 'AssociationStatusMessage': 'string' } **Response Structure** * *(dict) --* * **ConfigurationPolicyId** *(string) --* The universally unique identifier (UUID) of a configuration policy. For self-managed behavior, the value is "SELF_MANAGED_SECURITY_HUB". * **TargetId** *(string) --* The target account ID, organizational unit ID, or the root ID for which the association is retrieved. * **TargetType** *(string) --* Specifies whether the target is an Amazon Web Services account, organizational unit, or the organization root. * **AssociationType** *(string) --* Indicates whether the association between the specified target and the configuration was directly applied by the Security Hub delegated administrator or inherited from a parent. * **UpdatedAt** *(datetime) --* The date and time, in UTC and ISO 8601 format, that the configuration policy association was last updated. * **AssociationStatus** *(string) --* The current status of the association between the specified target and the configuration. * **AssociationStatusMessage** *(string) --* The explanation for a "FAILED" value for "AssociationStatus". **Exceptions** * "SecurityHub.Client.exceptions.InternalException" * "SecurityHub.Client.exceptions.InvalidAccessException" * "SecurityHub.Client.exceptions.InvalidInputException" * "SecurityHub.Client.exceptions.LimitExceededException" * "SecurityHub.Client.exceptions.ResourceNotFoundException" * "SecurityHub.Client.exceptions.AccessDeniedException" SecurityHub / Client / update_automation_rule_v2 update_automation_rule_v2 ************************* SecurityHub.Client.update_automation_rule_v2(**kwargs) Updates a V2 automation rule. This API is in private preview and subject to change. 
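An added example, not part of the boto3 documentation or of Security Hub's implementation: a local pre-flight check that models the string-filter "Comparison" rules given in this operation's parameter documentation, so that a change to a rule's "StringFilters" can be reviewed before it is sent. The function names are hypothetical, the sample filters are constructed from the page's "ResourceType" example, and pairing them with the "resources.type" field name is an assumption.

```python
from collections import defaultdict

# Positive comparisons on one field are joined by OR, negative ones by AND.
POSITIVE = {"EQUALS", "PREFIX", "CONTAINS"}
NEGATIVE = {"NOT_EQUALS", "PREFIX_NOT_EQUALS", "NOT_CONTAINS"}

# Case-sensitive tests: value is the finding's field value, want is the filter value.
OPERATOR_TESTS = {
    "EQUALS": lambda value, want: value == want,
    "PREFIX": lambda value, want: value.startswith(want),
    "CONTAINS": lambda value, want: want in value,
    "NOT_EQUALS": lambda value, want: value != want,
    "PREFIX_NOT_EQUALS": lambda value, want: not value.startswith(want),
    "NOT_CONTAINS": lambda value, want: want not in value,
}


def group_by_field(string_filters):
    """Map FieldName -> [(Comparison, Value), ...] for a StringFilters list."""
    grouped = defaultdict(list)
    for entry in string_filters:
        flt = entry["Filter"]
        grouped[entry["FieldName"]].append((flt["Comparison"], flt["Value"]))
    return dict(grouped)


def lint_field(conditions, v2_rule=True):
    """Return the documented conflicts among one field's filters ([] means none)."""
    ops = {op for op, _ in conditions}
    problems = []
    for op in sorted(ops - POSITIVE - NEGATIVE):
        # Covers CONTAINS_WORD, which the page limits to the Get*V2 query APIs.
        problems.append(f"{op} is not documented for automation rules")
    if v2_rule and ops & {"CONTAINS", "NOT_CONTAINS"}:
        problems.append("CONTAINS/NOT_CONTAINS are for automation rules V1 only")
    if "EQUALS" in ops and ops & {"NOT_EQUALS", "PREFIX_NOT_EQUALS"}:
        problems.append("EQUALS mixed with NOT_EQUALS or PREFIX_NOT_EQUALS")
    for op in ("CONTAINS", "NOT_CONTAINS"):
        # Also covers CONTAINS together with NOT_CONTAINS on the same field.
        if op in ops and ops - {op}:
            problems.append(f"{op} mixed with other comparison types")
    return problems


def lint_string_filters(string_filters, v2_rule=True):
    """Return {FieldName: [problem, ...]} for fields whose filters conflict."""
    report = {}
    for field, conditions in group_by_field(string_filters).items():
        problems = lint_field(conditions, v2_rule)
        if problems:
            report[field] = problems
    return report


def field_matches(value, conditions):
    """Evaluate one field: any positive filter must hit, then every negative one.

    Comparisons outside the six modelled here are ignored, so lint first.
    """
    positives = [(op, want) for op, want in conditions if op in POSITIVE]
    negatives = [(op, want) for op, want in conditions if op in NEGATIVE]
    if positives and not any(OPERATOR_TESTS[op](value, want) for op, want in positives):
        return False
    return all(OPERATOR_TESTS[op](value, want) for op, want in negatives)


def string_filter(field, comparison, value):
    """Build one StringFilters entry in the request shape shown on this page."""
    return {"FieldName": field, "Filter": {"Value": value, "Comparison": comparison}}


# Constructed sample: the page's PREFIX-then-NOT_EQUALS example.
SAMPLE_FILTERS = [
    string_filter("resources.type", "PREFIX", "AwsIam"),
    string_filter("resources.type", "PREFIX", "AwsEc2"),
    string_filter("resources.type", "NOT_EQUALS", "AwsIamPolicy"),
    string_filter("resources.type", "NOT_EQUALS", "AwsEc2NetworkInterface"),
]

if __name__ == "__main__":
    print("conflicts:", lint_string_filters(SAMPLE_FILTERS))
    conditions = group_by_field(SAMPLE_FILTERS)["resources.type"]
    for candidate in ("AwsIamRole", "AwsIamPolicy", "AwsS3Bucket", "awsiamrole"):
        print(candidate, field_matches(candidate, conditions))
```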
   See also: AWS API Documentation

   **Request Syntax**

      response = client.update_automation_rule_v2(
          Identifier='string',
          RuleStatus='ENABLED'|'DISABLED',
          RuleOrder=...,
          Description='string',
          RuleName='string',
          Criteria={
              'OcsfFindingCriteria': {
                  'CompositeFilters': [
                      {
                          'StringFilters': [
                              {
                                  'FieldName': 'metadata.uid'|'activity_name'|'cloud.account.uid'|'cloud.provider'|'cloud.region'|'compliance.assessments.category'|'compliance.assessments.name'|'compliance.control'|'compliance.status'|'compliance.standards'|'finding_info.desc'|'finding_info.src_url'|'finding_info.title'|'finding_info.types'|'finding_info.uid'|'finding_info.related_events.uid'|'finding_info.related_events.product.uid'|'finding_info.related_events.title'|'metadata.product.name'|'metadata.product.uid'|'metadata.product.vendor_name'|'remediation.desc'|'remediation.references'|'resources.cloud_partition'|'resources.region'|'resources.type'|'resources.uid'|'severity'|'status'|'comment'|'vulnerabilities.fix_coverage'|'class_name',
                                  'Filter': {
                                      'Value': 'string',
                                      'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
                                  }
                              },
                          ],
                          'DateFilters': [
                              {
                                  'FieldName': 'finding_info.created_time_dt'|'finding_info.first_seen_time_dt'|'finding_info.last_seen_time_dt'|'finding_info.modified_time_dt',
                                  'Filter': {
                                      'Start': 'string',
                                      'End': 'string',
                                      'DateRange': {
                                          'Value': 123,
                                          'Unit': 'DAYS'
                                      }
                                  }
                              },
                          ],
                          'BooleanFilters': [
                              {
                                  'FieldName': 'compliance.assessments.meets_criteria'|'vulnerabilities.is_exploit_available'|'vulnerabilities.is_fix_available',
                                  'Filter': {
                                      'Value': True|False
                                  }
                              },
                          ],
                          'NumberFilters': [
                              {
                                  'FieldName': 'activity_id'|'compliance.status_id'|'confidence_score'|'severity_id'|'status_id'|'finding_info.related_events_count',
                                  'Filter': {
                                      'Gte': 123.0,
                                      'Lte': 123.0,
                                      'Eq': 123.0,
                                      'Gt': 123.0,
                                      'Lt': 123.0
                                  }
                              },
                          ],
                          'MapFilters': [
                              {
                                  'FieldName': 'resources.tags',
                                  'Filter': {
                                      'Key': 'string',
                                      'Value': 'string',
                                      'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
                                  }
                              },
                          ],
                          'Operator': 'AND'|'OR'
                      },
                  ],
                  'CompositeOperator': 'AND'|'OR'
              }
          },
          Actions=[
              {
                  'Type': 'FINDING_FIELDS_UPDATE'|'EXTERNAL_INTEGRATION',
                  'FindingFieldsUpdate': {
                      'SeverityId': 123,
                      'Comment': 'string',
                      'StatusId': 123
                  },
                  'ExternalIntegrationConfiguration': {
                      'ConnectorArn': 'string'
                  }
              },
          ]
      )

   Parameters:
      * **Identifier** (*string*) -- **[REQUIRED]**

        The ARN of the automation rule.

      * **RuleStatus** (*string*) --

        The status of the automation rule.

      * **RuleOrder** (*float*) --

        Represents a value for the rule priority.

      * **Description** (*string*) --

        A description of the automation rule.

      * **RuleName** (*string*) --

        The name of the automation rule.

      * **Criteria** (*dict*) --

        The filtering type and configuration of the automation rule.

        Note: This is a Tagged Union structure. Only one of the following top level keys can be set: "OcsfFindingCriteria".

        * **OcsfFindingCriteria** *(dict) --*

          The filtering conditions that align with OCSF standards.

          * **CompositeFilters** *(list) --*

            Enables the creation of complex filtering conditions by combining filter criteria.

            * *(dict) --*

              Enables the creation of filtering criteria for security findings.

              * **StringFilters** *(list) --*

                Enables filtering based on string field values.

                * *(dict) --*

                  Enables filtering of security findings based on string field values in OCSF.

                  * **FieldName** *(string) --*

                    The name of the field.

                  * **Filter** *(dict) --*

                    A string filter for filtering Security Hub findings.

                    * **Value** *(string) --*

                      The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match.

                    * **Comparison** *(string) --*

                      The condition to apply to a string value when filtering Security Hub findings.
                      To search for values that have the filter value, use one of the following comparison operators:

                      * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront.

                      * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012".

                      * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match.

                      "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title.

                      To search for values that don’t have the filter value, use one of the following comparison operators:

                      * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront.

                      * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012".

                      * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us".

                      "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title.

                      You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters.

                      You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters.

                      For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface".

                      * "ResourceType PREFIX AwsIam"

                      * "ResourceType PREFIX AwsEc2"

                      * "ResourceType NOT_EQUALS AwsIamPolicy"

                      * "ResourceType NOT_EQUALS AwsEc2NetworkInterface"

                      The "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. The "CONTAINS_WORD" operator is supported only in the "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*.

              * **DateFilters** *(list) --*

                Enables filtering based on date and timestamp fields.

                * *(dict) --*

                  Enables filtering of security findings based on date and timestamp fields in OCSF.

                  * **FieldName** *(string) --*

                    The name of the field.

                  * **Filter** *(dict) --*

                    A date filter for querying findings.

                    * **Start** *(string) --*

                      A timestamp that provides the start date for the date filter.
For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps. * **End** *(string) --* A timestamp that provides the end date for the date filter. For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps. * **DateRange** *(dict) --* A date range for the date filter. * **Value** *(integer) --* A date range value for the date filter. * **Unit** *(string) --* A date range unit for the date filter. * **BooleanFilters** *(list) --* Enables filtering based on boolean field values. * *(dict) --* Enables filtering of security findings based on boolean field values in OCSF. * **FieldName** *(string) --* The name of the field. * **Filter** *(dict) --* Boolean filter for querying findings. * **Value** *(boolean) --* The value of the boolean. * **NumberFilters** *(list) --* Enables filtering based on numerical field values. * *(dict) --* Enables filtering of security findings based on numerical field values in OCSF. * **FieldName** *(string) --* The name of the field. * **Filter** *(dict) --* A number filter for querying findings. * **Gte** *(float) --* The greater-than-equal condition to be applied to a single field when querying for findings. * **Lte** *(float) --* The less-than-equal condition to be applied to a single field when querying for findings. * **Eq** *(float) --* The equal-to condition to be applied to a single field when querying for findings. * **Gt** *(float) --* The greater-than condition to be applied to a single field when querying for findings. * **Lt** *(float) --* The less-than condition to be applied to a single field when querying for findings. * **MapFilters** *(list) --* Enables filtering based on map field values. * *(dict) --* Enables filtering of security findings based on map field values in OCSF. * **FieldName** *(string) --* The name of the field. * **Filter** *(dict) --* A map filter for filtering Security Hub findings. 
Each map filter provides the field to check for, the value to check for, and the comparison operator. * **Key** *(string) --* The key of the map filter. For example, for "ResourceTags", "Key" identifies the name of the tag. For "UserDefinedFields", "Key" is the name of the field. * **Value** *(string) --* The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called "Department" might be "Security". If you provide "security" as the filter value, then there's no match. * **Comparison** *(string) --* The condition to apply to the key value when filtering Security Hub findings with a map filter. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, for the "ResourceTags" field, the filter "Department CONTAINS Security" matches findings that include the value "Security" for the "Department" tag. In the same example, a finding with a value of "Security team" for the "Department" tag is a match. * To search for values that exactly match the filter value, use "EQUALS". For example, for the "ResourceTags" field, the filter "Department EQUALS Security" matches findings that have the value "Security" for the "Department" tag. "CONTAINS" and "EQUALS" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Department CONTAINS Security OR Department CONTAINS Finance" match a finding that includes either "Security", "Finance", or both values. To search for values that don't have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, for the "ResourceTags" field, the filter "Department NOT_CONTAINS Finance" matches findings that exclude the value "Finance" for the "Department" tag. 
* To search for values other than the filter value, use "NOT_EQUALS". For example, for the "ResourceTags" field, the filter "Department NOT_EQUALS Finance" matches findings that don’t have the value "Finance" for the "Department" tag. "NOT_CONTAINS" and "NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Department NOT_CONTAINS Security AND Department NOT_CONTAINS Finance" match a finding that excludes both the "Security" and "Finance" values. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can’t have both an "EQUALS" filter and a "NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules. For more information, see Automation rules in the *Security Hub User Guide*. * **Operator** *(string) --* The logical operator used to combine multiple filter conditions. * **CompositeOperator** *(string) --* The logical operators used to combine the filtering on multiple "CompositeFilters". * **Actions** (*list*) -- A list of actions to be performed when the rule criteria is met. * *(dict) --* Allows you to configure automated responses. * **Type** *(string) --* **[REQUIRED]** The category of action to be executed by the automation rule. * **FindingFieldsUpdate** *(dict) --* The changes to be applied to fields in a security finding when an automation rule is triggered. * **SeverityId** *(integer) --* The severity level to be assigned to findings that match the automation rule criteria. * **Comment** *(string) --* Notes or contextual information for findings that are modified by the automation rule. 
* **StatusId** *(integer) --* The status to be applied to findings that match automation rule criteria. * **ExternalIntegrationConfiguration** *(dict) --* The settings for integrating automation rule actions with external systems or services. * **ConnectorArn** *(string) --* The ARN of the connector that establishes the integration. Return type: dict Returns: **Response Syntax** {} **Response Structure** * *(dict) --* **Exceptions** * "SecurityHub.Client.exceptions.AccessDeniedException" * "SecurityHub.Client.exceptions.InternalServerException" * "SecurityHub.Client.exceptions.ValidationException" * "SecurityHub.Client.exceptions.ResourceNotFoundException" * "SecurityHub.Client.exceptions.ConflictException" * "SecurityHub.Client.exceptions.ThrottlingException" delete_aggregator_v2 ******************** SecurityHub.Client.delete_aggregator_v2(**kwargs) Deletes the Aggregator V2. This API is in private preview and subject to change. See also: AWS API Documentation **Request Syntax** response = client.delete_aggregator_v2( AggregatorV2Arn='string' ) Parameters: **AggregatorV2Arn** (*string*) -- **[REQUIRED]** The ARN of the Aggregator V2. Return type: dict Returns: **Response Syntax** {} **Response Structure** * *(dict) --* **Exceptions** * "SecurityHub.Client.exceptions.InternalServerException" * "SecurityHub.Client.exceptions.ThrottlingException" * "SecurityHub.Client.exceptions.AccessDeniedException" * "SecurityHub.Client.exceptions.ValidationException" * "SecurityHub.Client.exceptions.ResourceNotFoundException" * "SecurityHub.Client.exceptions.ConflictException" describe_standards_controls *************************** SecurityHub.Client.describe_standards_controls(**kwargs) Returns a list of security standards controls. For each control, the results include information about whether it is currently enabled, the severity, and a link to remediation information.
This operation returns an empty list for standard subscriptions where "StandardsControlsUpdatable" has value "NOT_READY_FOR_UPDATES". See also: AWS API Documentation **Request Syntax** response = client.describe_standards_controls( StandardsSubscriptionArn='string', NextToken='string', MaxResults=123 ) Parameters: * **StandardsSubscriptionArn** (*string*) -- **[REQUIRED]** The ARN of a resource that represents your subscription to a supported standard. To get the subscription ARNs of the standards you have enabled, use the "GetEnabledStandards" operation. * **NextToken** (*string*) -- The token that is required for pagination. On your first call to the "DescribeStandardsControls" operation, set the value of this parameter to "NULL". For subsequent calls to the operation, to continue listing data, set the value of this parameter to the value returned from the previous response. * **MaxResults** (*integer*) -- The maximum number of security standard controls to return. Return type: dict Returns: **Response Syntax** { 'Controls': [ { 'StandardsControlArn': 'string', 'ControlStatus': 'ENABLED'|'DISABLED', 'DisabledReason': 'string', 'ControlStatusUpdatedAt': datetime(2015, 1, 1), 'ControlId': 'string', 'Title': 'string', 'Description': 'string', 'RemediationUrl': 'string', 'SeverityRating': 'LOW'|'MEDIUM'|'HIGH'|'CRITICAL', 'RelatedRequirements': [ 'string', ] }, ], 'NextToken': 'string' } **Response Structure** * *(dict) --* * **Controls** *(list) --* A list of security standards controls. * *(dict) --* Details for an individual security standard control. * **StandardsControlArn** *(string) --* The ARN of the security standard control. * **ControlStatus** *(string) --* The current status of the security standard control. Indicates whether the control is enabled or disabled. Security Hub does not check against disabled controls. * **DisabledReason** *(string) --* The reason provided for the most recent change in status for the control. 
* **ControlStatusUpdatedAt** *(datetime) --* The date and time that the status of the security standard control was most recently updated. * **ControlId** *(string) --* The identifier of the security standard control. * **Title** *(string) --* The title of the security standard control. * **Description** *(string) --* The longer description of the security standard control. Provides information about what the control is checking for. * **RemediationUrl** *(string) --* A link to remediation information for the control in the Security Hub user documentation. * **SeverityRating** *(string) --* The severity of findings generated from this security standard control. The finding severity is based on an assessment of how easy it would be to compromise Amazon Web Services resources if the issue is detected. * **RelatedRequirements** *(list) --* The list of requirements that are related to this control. * *(string) --* * **NextToken** *(string) --* The pagination token to use to request the next page of results. **Exceptions** * "SecurityHub.Client.exceptions.InternalException" * "SecurityHub.Client.exceptions.InvalidInputException" * "SecurityHub.Client.exceptions.InvalidAccessException" * "SecurityHub.Client.exceptions.ResourceNotFoundException" create_connector_v2 ******************* SecurityHub.Client.create_connector_v2(**kwargs) Grants permission to create a connectorV2 based on input parameters. This API is in preview release and subject to change. See also: AWS API Documentation **Request Syntax** response = client.create_connector_v2( Name='string', Description='string', Provider={ 'JiraCloud': { 'ProjectKey': 'string' }, 'ServiceNow': { 'InstanceName': 'string', 'ClientId': 'string', 'ClientSecret': 'string' } }, KmsKeyArn='string', Tags={ 'string': 'string' }, ClientToken='string' ) Parameters: * **Name** (*string*) -- **[REQUIRED]** The unique name of the connectorV2.
* **Description** (*string*) -- The description of the connectorV2. * **Provider** (*dict*) -- **[REQUIRED]** The third-party provider’s service configuration. Note: This is a Tagged Union structure. Only one of the following top level keys can be set: "JiraCloud", "ServiceNow". * **JiraCloud** *(dict) --* The configuration settings required to establish an integration with Jira Cloud. * **ProjectKey** *(string) --* The project key for a JiraCloud instance. * **ServiceNow** *(dict) --* The configuration settings required to establish an integration with ServiceNow ITSM. * **InstanceName** *(string) --* **[REQUIRED]** The instance name of ServiceNow ITSM. * **ClientId** *(string) --* **[REQUIRED]** The client ID of ServiceNow ITSM. * **ClientSecret** *(string) --* **[REQUIRED]** The client secret of ServiceNow ITSM. * **KmsKeyArn** (*string*) -- The Amazon Resource Name (ARN) of the KMS key used to encrypt secrets for the connectorV2. * **Tags** (*dict*) -- The tags to add to the connectorV2 when you create it. * *(string) --* * *(string) --* * **ClientToken** (*string*) -- A unique identifier used to ensure idempotency. This field is autopopulated if not provided. Return type: dict Returns: **Response Syntax** { 'ConnectorArn': 'string', 'ConnectorId': 'string', 'AuthUrl': 'string' } **Response Structure** * *(dict) --* * **ConnectorArn** *(string) --* The Amazon Resource Name (ARN) of the connectorV2. * **ConnectorId** *(string) --* The UUID of the connectorV2 to identify the connectorV2 resource. * **AuthUrl** *(string) --* The URL to provide to customers for OAuth auth code flow.
**Exceptions** * "SecurityHub.Client.exceptions.AccessDeniedException" * "SecurityHub.Client.exceptions.InternalServerException" * "SecurityHub.Client.exceptions.ValidationException" * "SecurityHub.Client.exceptions.ThrottlingException" * "SecurityHub.Client.exceptions.ConflictException" * "SecurityHub.Client.exceptions.ResourceNotFoundException" get_connector_v2 **************** SecurityHub.Client.get_connector_v2(**kwargs) Grants permission to retrieve details for a connectorV2 based on connector id. This API is in preview release and subject to change. See also: AWS API Documentation **Request Syntax** response = client.get_connector_v2( ConnectorId='string' ) Parameters: **ConnectorId** (*string*) -- **[REQUIRED]** The UUID of the connectorV2 to identify the connectorV2 resource. Return type: dict Returns: **Response Syntax** { 'ConnectorArn': 'string', 'ConnectorId': 'string', 'Name': 'string', 'Description': 'string', 'KmsKeyArn': 'string', 'CreatedAt': datetime(2015, 1, 1), 'LastUpdatedAt': datetime(2015, 1, 1), 'Health': { 'ConnectorStatus': 'CONNECTED'|'FAILED_TO_CONNECT'|'PENDING_CONFIGURATION'|'PENDING_AUTHORIZATION', 'Message': 'string', 'LastCheckedAt': datetime(2015, 1, 1) }, 'ProviderDetail': { 'JiraCloud': { 'CloudId': 'string', 'ProjectKey': 'string', 'Domain': 'string', 'AuthUrl': 'string', 'AuthStatus': 'ACTIVE'|'FAILED' }, 'ServiceNow': { 'InstanceName': 'string', 'ClientId': 'string', 'AuthStatus': 'ACTIVE'|'FAILED' } } } **Response Structure** * *(dict) --* * **ConnectorArn** *(string) --* The Amazon Resource Name (ARN) of the connectorV2. * **ConnectorId** *(string) --* The UUID of the connectorV2 to identify the connectorV2 resource. * **Name** *(string) --* The name of the connectorV2. * **Description** *(string) --* The description of the connectorV2. * **KmsKeyArn** *(string) --* The Amazon Resource Name (ARN) of the KMS key used for the connectorV2.
* **CreatedAt** *(datetime) --* ISO 8601 UTC timestamp for the time the connectorV2 was created. * **LastUpdatedAt** *(datetime) --* ISO 8601 UTC timestamp for the time the connectorV2 connectorStatus was updated. * **Health** *(dict) --* The current health status for connectorV2. * **ConnectorStatus** *(string) --* The status of the connectorV2. * **Message** *(string) --* The message for the reason of connectorStatus change. * **LastCheckedAt** *(datetime) --* ISO 8601 UTC timestamp for the time the health status of the connectorV2 was checked. * **ProviderDetail** *(dict) --* The third-party provider detail for a service configuration. Note: This is a Tagged Union structure. Only one of the following top level keys will be set: "JiraCloud", "ServiceNow". If a client receives an unknown member it will set "SDK_UNKNOWN_MEMBER" as the top level key, which maps to the name or tag of the unknown member. The structure of "SDK_UNKNOWN_MEMBER" is as follows: 'SDK_UNKNOWN_MEMBER': {'name': 'UnknownMemberName'} * **JiraCloud** *(dict) --* Details about a Jira Cloud integration. * **CloudId** *(string) --* The cloud id of the Jira Cloud. * **ProjectKey** *(string) --* The projectKey of Jira Cloud. * **Domain** *(string) --* The URL domain of your Jira Cloud instance. * **AuthUrl** *(string) --* The URL to provide to customers for OAuth auth code flow. * **AuthStatus** *(string) --* The status of the authorization between Jira Cloud and the service. * **ServiceNow** *(dict) --* Details about a ServiceNow ITSM integration. * **InstanceName** *(string) --* The instanceName of ServiceNow ITSM. * **ClientId** *(string) --* The clientId of ServiceNow ITSM. * **AuthStatus** *(string) --* The status of the authorization between Jira Cloud and the service.
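A connector that is not "CONNECTED", or whose provider "AuthStatus" is not "ACTIVE", means findings are not reaching the ticketing system. The following is an added example, not part of the boto3 documentation, that turns one get_connector_v2 response into a list of problems, including the "SDK_UNKNOWN_MEMBER" case of the "ProviderDetail" tagged union. The function name, the 24-hour staleness threshold and the sample responses are assumptions of this example.

```python
from datetime import datetime, timedelta, timezone

KNOWN_PROVIDERS = ("JiraCloud", "ServiceNow")  # members of the ProviderDetail tagged union


def connector_problems(connector, now=None, max_age=timedelta(hours=24)):
    """Return a list of problems found in one get_connector_v2 response dict.

    max_age is this example's own threshold for a stale health check.
    Timestamps are expected to be timezone-aware datetimes.
    """
    now = now or datetime.now(timezone.utc)
    problems = []

    health = connector.get("Health", {})
    status = health.get("ConnectorStatus")
    if status != "CONNECTED":
        message = health.get("Message")
        problems.append(f"ConnectorStatus={status}" + (f" ({message})" if message else ""))
    checked = health.get("LastCheckedAt")
    if checked is None:
        problems.append("no LastCheckedAt in Health")
    elif now - checked > max_age:
        problems.append(f"health last checked {now - checked} ago")

    detail = connector.get("ProviderDetail", {})
    if "SDK_UNKNOWN_MEMBER" in detail:
        # The client could not map the provider member it received.
        name = detail["SDK_UNKNOWN_MEMBER"].get("name")
        problems.append(f"provider member {name!r} is not recognised by this client")
    present = [p for p in KNOWN_PROVIDERS if p in detail]
    if not present and "SDK_UNKNOWN_MEMBER" not in detail:
        problems.append("ProviderDetail has no provider member")
    for provider in present:
        auth = detail[provider].get("AuthStatus")
        if auth != "ACTIVE":
            has_url = bool(detail[provider].get("AuthUrl"))
            hint = " (AuthUrl present for the OAuth auth code flow)" if has_url else ""
            problems.append(f"{provider} AuthStatus={auth}{hint}")
    return problems


# Constructed sample responses (no real connector data).
NOW = datetime(2025, 1, 10, 12, 0, tzinfo=timezone.utc)
HEALTHY = {
    "Health": {"ConnectorStatus": "CONNECTED", "LastCheckedAt": NOW - timedelta(hours=1)},
    "ProviderDetail": {"ServiceNow": {"InstanceName": "example-instance",
                                      "ClientId": "example-client",
                                      "AuthStatus": "ACTIVE"}},
}
BROKEN = {
    "Health": {"ConnectorStatus": "PENDING_AUTHORIZATION",
               "Message": "constructed message",
               "LastCheckedAt": NOW - timedelta(days=3)},
    "ProviderDetail": {"JiraCloud": {"ProjectKey": "EX",
                                     "AuthUrl": "https://auth.example.invalid/",
                                     "AuthStatus": "FAILED"}},
}
UNKNOWN = {
    "Health": {"ConnectorStatus": "CONNECTED", "LastCheckedAt": NOW},
    "ProviderDetail": {"SDK_UNKNOWN_MEMBER": {"name": "ConstructedProvider"}},
}

if __name__ == "__main__":
    for label, sample in (("healthy", HEALTHY), ("broken", BROKEN), ("unknown", UNKNOWN)):
        print(label, connector_problems(sample, now=NOW))
```

With a real client, pass the dict returned by client.get_connector_v2(ConnectorId=...) as the first argument.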
**Exceptions** * "SecurityHub.Client.exceptions.AccessDeniedException" * "SecurityHub.Client.exceptions.InternalServerException" * "SecurityHub.Client.exceptions.ValidationException" * "SecurityHub.Client.exceptions.ThrottlingException" * "SecurityHub.Client.exceptions.ConflictException" * "SecurityHub.Client.exceptions.ResourceNotFoundException" get_members *********** SecurityHub.Client.get_members(**kwargs) Returns the details for the Security Hub member accounts for the specified account IDs. An administrator account can be either the delegated Security Hub administrator account for an organization or an administrator account that enabled Security Hub manually. The results include both member accounts that are managed using Organizations and accounts that were invited manually. See also: AWS API Documentation **Request Syntax** response = client.get_members( AccountIds=[ 'string', ] ) Parameters: **AccountIds** (*list*) -- **[REQUIRED]** The list of account IDs for the Security Hub member accounts to return the details for. * *(string) --* Return type: dict Returns: **Response Syntax** { 'Members': [ { 'AccountId': 'string', 'Email': 'string', 'MasterId': 'string', 'AdministratorId': 'string', 'MemberStatus': 'string', 'InvitedAt': datetime(2015, 1, 1), 'UpdatedAt': datetime(2015, 1, 1) }, ], 'UnprocessedAccounts': [ { 'AccountId': 'string', 'ProcessingResult': 'string' }, ] } **Response Structure** * *(dict) --* * **Members** *(list) --* The list of details about the Security Hub member accounts. * *(dict) --* The details about a member account. * **AccountId** *(string) --* The Amazon Web Services account ID of the member account. * **Email** *(string) --* The email address of the member account. * **MasterId** *(string) --* This is replaced by "AdministratorID". The Amazon Web Services account ID of the Security Hub administrator account associated with this member account.
* **AdministratorId** *(string) --* The Amazon Web Services account ID of the Security Hub administrator account associated with this member account. * **MemberStatus** *(string) --* The status of the relationship between the member account and its administrator account. The status can have one of the following values: * "Created" - Indicates that the administrator account added the member account, but has not yet invited the member account. * "Invited" - Indicates that the administrator account invited the member account. The member account has not yet responded to the invitation. * "Enabled" - Indicates that the member account is currently active. For manually invited member accounts, indicates that the member account accepted the invitation. * "Removed" - Indicates that the administrator account disassociated the member account. * "Resigned" - Indicates that the member account disassociated themselves from the administrator account. * "Deleted" - Indicates that the administrator account deleted the member account. * "AccountSuspended" - Indicates that an organization account was suspended from Amazon Web Services at the same time that the administrator account tried to enable the organization account as a member account. * **InvitedAt** *(datetime) --* A timestamp for the date and time when the invitation was sent to the member account. * **UpdatedAt** *(datetime) --* The timestamp for the date and time when the member account was updated. * **UnprocessedAccounts** *(list) --* The list of Amazon Web Services accounts that could not be processed. For each account, the list includes the account ID and the email address. * *(dict) --* Details about the account that was not processed. * **AccountId** *(string) --* An Amazon Web Services account ID of the account that was not processed. * **ProcessingResult** *(string) --* The reason that the account was not processed. 
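Only the "Enabled" status means a member account is currently active, so every other "MemberStatus", every entry in "UnprocessedAccounts", and every requested account that comes back in neither list is a gap in coverage. The following is an added example, not part of the boto3 documentation, that audits a list of expected accounts against get_members. The function name, the batch size (the page states no per-call limit) and the stand-in client with its account data are assumptions of this example.

```python
MONITORED_STATUS = "Enabled"  # per the MemberStatus list: the member account is currently active


def audit_member_coverage(client, account_ids, batch_size=50):
    """Return {"monitored": [...], "gaps": {account_id: reason}} for the given accounts.

    client is anything with a boto3-style get_members(AccountIds=[...]) method.
    batch_size is an assumption of this example, not a documented limit.
    """
    ids = list(dict.fromkeys(account_ids))  # de-duplicate, keep order
    monitored, gaps = [], {}
    for start in range(0, len(ids), batch_size):
        response = client.get_members(AccountIds=ids[start:start + batch_size])
        for member in response.get("Members", []):
            status = member.get("MemberStatus")
            if status == MONITORED_STATUS:
                monitored.append(member["AccountId"])
            else:
                gaps[member["AccountId"]] = f"MemberStatus={status}"
        for item in response.get("UnprocessedAccounts", []):
            gaps[item["AccountId"]] = f"unprocessed: {item.get('ProcessingResult', '')}"
    # Anything requested but absent from both lists is also unaccounted for.
    for account_id in ids:
        if account_id not in monitored and account_id not in gaps:
            gaps[account_id] = "not returned by get_members"
    return {"monitored": monitored, "gaps": gaps}


class ConstructedClient:
    """Offline stand-in for the boto3 client; all account data below is constructed."""

    MEMBERS = {
        "111111111111": "Enabled",
        "222222222222": "Invited",
        "333333333333": "Resigned",
        "444444444444": "Enabled",
    }
    UNPROCESSED = {"555555555555": "constructed reason text"}

    def __init__(self):
        self.calls = []  # records each batch, to show how requests were split

    def get_members(self, AccountIds):
        self.calls.append(list(AccountIds))
        return {
            "Members": [
                {"AccountId": a, "MemberStatus": self.MEMBERS[a]}
                for a in AccountIds if a in self.MEMBERS
            ],
            "UnprocessedAccounts": [
                {"AccountId": a, "ProcessingResult": self.UNPROCESSED[a]}
                for a in AccountIds if a in self.UNPROCESSED
            ],
        }


def demo():
    """Audit six constructed account IDs in batches of four."""
    expected = ["111111111111", "222222222222", "333333333333",
                "444444444444", "555555555555", "666666666666"]
    return audit_member_coverage(ConstructedClient(), expected, batch_size=4)


if __name__ == "__main__":
    report = demo()
    print("monitored:", report["monitored"])
    for account_id, reason in report["gaps"].items():
        print("gap:", account_id, reason)
```

With a real client, pass boto3.client("securityhub") from the administrator account in place of ConstructedClient().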
**Exceptions** * "SecurityHub.Client.exceptions.InternalException" * "SecurityHub.Client.exceptions.InvalidInputException" * "SecurityHub.Client.exceptions.InvalidAccessException" * "SecurityHub.Client.exceptions.LimitExceededException" * "SecurityHub.Client.exceptions.ResourceNotFoundException" delete_insight ************** SecurityHub.Client.delete_insight(**kwargs) Deletes the insight specified by the "InsightArn". See also: AWS API Documentation **Request Syntax** response = client.delete_insight( InsightArn='string' ) Parameters: **InsightArn** (*string*) -- **[REQUIRED]** The ARN of the insight to delete. Return type: dict Returns: **Response Syntax** { 'InsightArn': 'string' } **Response Structure** * *(dict) --* * **InsightArn** *(string) --* The ARN of the insight that was deleted. **Exceptions** * "SecurityHub.Client.exceptions.InternalException" * "SecurityHub.Client.exceptions.InvalidInputException" * "SecurityHub.Client.exceptions.InvalidAccessException" * "SecurityHub.Client.exceptions.LimitExceededException" * "SecurityHub.Client.exceptions.ResourceNotFoundException" update_organization_configuration ********************************* SecurityHub.Client.update_organization_configuration(**kwargs) Updates the configuration of your organization in Security Hub. Only the Security Hub administrator account can invoke this operation. See also: AWS API Documentation **Request Syntax** response = client.update_organization_configuration( AutoEnable=True|False, AutoEnableStandards='NONE'|'DEFAULT', OrganizationConfiguration={ 'ConfigurationType': 'CENTRAL'|'LOCAL', 'Status': 'PENDING'|'ENABLED'|'FAILED', 'StatusMessage': 'string' } ) Parameters: * **AutoEnable** (*boolean*) -- **[REQUIRED]** Whether to automatically enable Security Hub in new member accounts when they join the organization.
If set to "true", then Security Hub is automatically enabled in new accounts. If set to "false", then Security Hub isn't enabled in new accounts automatically. The default value is "false". If the "ConfigurationType" of your organization is set to "CENTRAL", then this field is set to "false" and can't be changed in the home Region and linked Regions. However, in that case, the delegated administrator can create a configuration policy in which Security Hub is enabled and associate the policy with new organization accounts. * **AutoEnableStandards** (*string*) -- Whether to automatically enable Security Hub default standards in new member accounts when they join the organization. The default value of this parameter is equal to "DEFAULT". If equal to "DEFAULT", then Security Hub default standards are automatically enabled for new member accounts. If equal to "NONE", then default standards are not automatically enabled for new member accounts. If the "ConfigurationType" of your organization is set to "CENTRAL", then this field is set to "NONE" and can't be changed in the home Region and linked Regions. However, in that case, the delegated administrator can create a configuration policy in which specific security standards are enabled and associate the policy with new organization accounts. * **OrganizationConfiguration** (*dict*) -- Provides information about the way an organization is configured in Security Hub. * **ConfigurationType** *(string) --* Indicates whether the organization uses local or central configuration. If you use local configuration, the Security Hub delegated administrator can set "AutoEnable" to "true" and "AutoEnableStandards" to "DEFAULT". This automatically enables Security Hub and default security standards in new organization accounts. These new account settings must be set separately in each Amazon Web Services Region, and settings may be different in each Region. 
If you use central configuration, the delegated administrator can create configuration policies. Configuration policies can be used to configure Security Hub, security standards, and security controls in multiple accounts and Regions. If you want new organization accounts to use a specific configuration, you can create a configuration policy and associate it with the root or specific organizational units (OUs). New accounts will inherit the policy from the root or their assigned OU. * **Status** *(string) --* Describes whether central configuration could be enabled as the "ConfigurationType" for the organization. If your "ConfigurationType" is local configuration, then the value of "Status" is always "ENABLED". * **StatusMessage** *(string) --* Provides an explanation if the value of "Status" is equal to "FAILED" when "ConfigurationType" is equal to "CENTRAL". Return type: dict Returns: **Response Syntax** {} **Response Structure** * *(dict) --* **Exceptions** * "SecurityHub.Client.exceptions.InternalException" * "SecurityHub.Client.exceptions.InvalidInputException" * "SecurityHub.Client.exceptions.InvalidAccessException" * "SecurityHub.Client.exceptions.LimitExceededException" * "SecurityHub.Client.exceptions.AccessDeniedException" * "SecurityHub.Client.exceptions.ResourceNotFoundException" * "SecurityHub.Client.exceptions.ResourceConflictException" create_configuration_policy *************************** SecurityHub.Client.create_configuration_policy(**kwargs) Creates a configuration policy with the defined configuration. Only the Security Hub delegated administrator can invoke this operation from the home Region.
See also: AWS API Documentation **Request Syntax** response = client.create_configuration_policy( Name='string', Description='string', ConfigurationPolicy={ 'SecurityHub': { 'ServiceEnabled': True|False, 'EnabledStandardIdentifiers': [ 'string', ], 'SecurityControlsConfiguration': { 'EnabledSecurityControlIdentifiers': [ 'string', ], 'DisabledSecurityControlIdentifiers': [ 'string', ], 'SecurityControlCustomParameters': [ { 'SecurityControlId': 'string', 'Parameters': { 'string': { 'ValueType': 'DEFAULT'|'CUSTOM', 'Value': { 'Integer': 123, 'IntegerList': [ 123, ], 'Double': 123.0, 'String': 'string', 'StringList': [ 'string', ], 'Boolean': True|False, 'Enum': 'string', 'EnumList': [ 'string', ] } } } }, ] } } }, Tags={ 'string': 'string' } ) Parameters: * **Name** (*string*) -- **[REQUIRED]** The name of the configuration policy. Alphanumeric characters and the following ASCII characters are permitted: "-, ., !, *, /". * **Description** (*string*) -- The description of the configuration policy. * **ConfigurationPolicy** (*dict*) -- **[REQUIRED]** An object that defines how Security Hub is configured. It includes whether Security Hub is enabled or disabled, a list of enabled security standards, a list of enabled or disabled security controls, and a list of custom parameter values for specified controls. If you provide a list of security controls that are enabled in the configuration policy, Security Hub disables all other controls (including newly released controls). If you provide a list of security controls that are disabled in the configuration policy, Security Hub enables all other controls (including newly released controls). Note: This is a Tagged Union structure. Only one of the following top level keys can be set: "SecurityHub". * **SecurityHub** *(dict) --* The Amazon Web Services service that the configuration policy applies to. * **ServiceEnabled** *(boolean) --* Indicates whether Security Hub is enabled in the policy. 
* **EnabledStandardIdentifiers** *(list) --* A list that defines which security standards are enabled in the configuration policy. * *(string) --* * **SecurityControlsConfiguration** *(dict) --* An object that defines which security controls are enabled in the configuration policy. The enablement status of a control is aligned across all of the enabled standards in an account. * **EnabledSecurityControlIdentifiers** *(list) --* A list of security controls that are enabled in the configuration policy. Security Hub disables all other controls (including newly released controls) other than the listed controls. * *(string) --* * **DisabledSecurityControlIdentifiers** *(list) --* A list of security controls that are disabled in the configuration policy. Security Hub enables all other controls (including newly released controls) other than the listed controls. * *(string) --* * **SecurityControlCustomParameters** *(list) --* A list of security controls and control parameter values that are included in a configuration policy. * *(dict) --* A list of security controls and control parameter values that are included in a configuration policy. * **SecurityControlId** *(string) --* The ID of the security control. * **Parameters** *(dict) --* An object that specifies parameter values for a control in a configuration policy. * *(string) --* * *(dict) --* An object that provides the current value of a security control parameter and identifies whether it has been customized. * **ValueType** *(string) --* **[REQUIRED]** Identifies whether a control parameter uses a custom user-defined value or subscribes to the default Security Hub behavior. When "ValueType" is set equal to "DEFAULT", the default behavior can be a specific Security Hub default value, or the default behavior can be to ignore a specific parameter. When "ValueType" is set equal to "DEFAULT", Security Hub ignores user-provided input for the "Value" field. 
When "ValueType" is set equal to "CUSTOM", the "Value" field can't be empty. * **Value** *(dict) --* The current value of a control parameter. Note: This is a Tagged Union structure. Only one of the following top level keys can be set: "Integer", "IntegerList", "Double", "String", "StringList", "Boolean", "Enum", "EnumList". * **Integer** *(integer) --* A control parameter that is an integer. * **IntegerList** *(list) --* A control parameter that is a list of integers. * *(integer) --* * **Double** *(float) --* A control parameter that is a double. * **String** *(string) --* A control parameter that is a string. * **StringList** *(list) --* A control parameter that is a list of strings. * *(string) --* * **Boolean** *(boolean) --* A control parameter that is a boolean. * **Enum** *(string) --* A control parameter that is an enum. * **EnumList** *(list) --* A control parameter that is a list of enums. * *(string) --* * **Tags** (*dict*) -- User-defined tags associated with a configuration policy. For more information, see Tagging Security Hub resources in the *Security Hub user guide*. 
* *(string) --* * *(string) --* Return type: dict Returns: **Response Syntax** { 'Arn': 'string', 'Id': 'string', 'Name': 'string', 'Description': 'string', 'UpdatedAt': datetime(2015, 1, 1), 'CreatedAt': datetime(2015, 1, 1), 'ConfigurationPolicy': { 'SecurityHub': { 'ServiceEnabled': True|False, 'EnabledStandardIdentifiers': [ 'string', ], 'SecurityControlsConfiguration': { 'EnabledSecurityControlIdentifiers': [ 'string', ], 'DisabledSecurityControlIdentifiers': [ 'string', ], 'SecurityControlCustomParameters': [ { 'SecurityControlId': 'string', 'Parameters': { 'string': { 'ValueType': 'DEFAULT'|'CUSTOM', 'Value': { 'Integer': 123, 'IntegerList': [ 123, ], 'Double': 123.0, 'String': 'string', 'StringList': [ 'string', ], 'Boolean': True|False, 'Enum': 'string', 'EnumList': [ 'string', ] } } } }, ] } } } } **Response Structure** * *(dict) --* * **Arn** *(string) --* The Amazon Resource Name (ARN) of the configuration policy. * **Id** *(string) --* The universally unique identifier (UUID) of the configuration policy. * **Name** *(string) --* The name of the configuration policy. * **Description** *(string) --* The description of the configuration policy. * **UpdatedAt** *(datetime) --* The date and time, in UTC and ISO 8601 format, that the configuration policy was last updated. * **CreatedAt** *(datetime) --* The date and time, in UTC and ISO 8601 format, that the configuration policy was created. * **ConfigurationPolicy** *(dict) --* An object that defines how Security Hub is configured. It includes whether Security Hub is enabled or disabled, a list of enabled security standards, a list of enabled or disabled security controls, and a list of custom parameter values for specified controls. If the request included a list of security controls that are enabled in the configuration policy, Security Hub disables all other controls (including newly released controls). 
If the request included a list of security controls that are disabled in the configuration policy, Security Hub enables all other controls (including newly released controls). Note: This is a Tagged Union structure. Only one of the following top level keys will be set: "SecurityHub". If a client receives an unknown member it will set "SDK_UNKNOWN_MEMBER" as the top level key, which maps to the name or tag of the unknown member. The structure of "SDK_UNKNOWN_MEMBER" is as follows: 'SDK_UNKNOWN_MEMBER': {'name': 'UnknownMemberName'} * **SecurityHub** *(dict) --* The Amazon Web Services service that the configuration policy applies to. * **ServiceEnabled** *(boolean) --* Indicates whether Security Hub is enabled in the policy. * **EnabledStandardIdentifiers** *(list) --* A list that defines which security standards are enabled in the configuration policy. * *(string) --* * **SecurityControlsConfiguration** *(dict) --* An object that defines which security controls are enabled in the configuration policy. The enablement status of a control is aligned across all of the enabled standards in an account. * **EnabledSecurityControlIdentifiers** *(list) --* A list of security controls that are enabled in the configuration policy. Security Hub disables all other controls (including newly released controls) other than the listed controls. * *(string) --* * **DisabledSecurityControlIdentifiers** *(list) --* A list of security controls that are disabled in the configuration policy. Security Hub enables all other controls (including newly released controls) other than the listed controls. * *(string) --* * **SecurityControlCustomParameters** *(list) --* A list of security controls and control parameter values that are included in a configuration policy. * *(dict) --* A list of security controls and control parameter values that are included in a configuration policy. * **SecurityControlId** *(string) --* The ID of the security control. 
* **Parameters** *(dict) --* An object that specifies parameter values for a control in a configuration policy. * *(string) --* * *(dict) --* An object that provides the current value of a security control parameter and identifies whether it has been customized. * **ValueType** *(string) --* Identifies whether a control parameter uses a custom user-defined value or subscribes to the default Security Hub behavior. When "ValueType" is set equal to "DEFAULT", the default behavior can be a specific Security Hub default value, or the default behavior can be to ignore a specific parameter. When "ValueType" is set equal to "DEFAULT", Security Hub ignores user-provided input for the "Value" field. When "ValueType" is set equal to "CUSTOM", the "Value" field can't be empty. * **Value** *(dict) --* The current value of a control parameter. Note: This is a Tagged Union structure. Only one of the following top level keys will be set: "Integer", "IntegerList", "Double", "String", "StringList", "Boolean", "Enum", "EnumList". If a client receives an unknown member it will set "SDK_UNKNOWN_MEMBER" as the top level key, which maps to the name or tag of the unknown member. The structure of "SDK_UNKNOWN_MEMBER" is as follows: 'SDK_UNKNOWN_MEMBER': {'name': 'UnknownMemberName'} * **Integer** *(integer) --* A control parameter that is an integer. * **IntegerList** *(list) --* A control parameter that is a list of integers. * *(integer) --* * **Double** *(float) --* A control parameter that is a double. * **String** *(string) --* A control parameter that is a string. * **StringList** *(list) --* A control parameter that is a list of strings. * *(string) --* * **Boolean** *(boolean) --* A control parameter that is a boolean. * **Enum** *(string) --* A control parameter that is an enum. * **EnumList** *(list) --* A control parameter that is a list of enums.
* *(string) --* **Exceptions** * "SecurityHub.Client.exceptions.InternalException" * "SecurityHub.Client.exceptions.InvalidAccessException" * "SecurityHub.Client.exceptions.InvalidInputException" * "SecurityHub.Client.exceptions.LimitExceededException" * "SecurityHub.Client.exceptions.AccessDeniedException" * "SecurityHub.Client.exceptions.ResourceConflictException" SecurityHub / Client / describe_security_hub_v2 describe_security_hub_v2 ************************ SecurityHub.Client.describe_security_hub_v2() Returns details about the service resource in your account. This API is in private preview and subject to change. See also: AWS API Documentation **Request Syntax** response = client.describe_security_hub_v2() Return type: dict Returns: **Response Syntax** { 'HubV2Arn': 'string', 'SubscribedAt': 'string' } **Response Structure** * *(dict) --* * **HubV2Arn** *(string) --* The ARN of the service resource. * **SubscribedAt** *(string) --* The date and time when the service was enabled in the account. **Exceptions** * "SecurityHub.Client.exceptions.InternalServerException" * "SecurityHub.Client.exceptions.ThrottlingException" * "SecurityHub.Client.exceptions.ResourceNotFoundException" * "SecurityHub.Client.exceptions.ValidationException" SecurityHub / Client / list_enabled_products_for_import list_enabled_products_for_import ******************************** SecurityHub.Client.list_enabled_products_for_import(**kwargs) Lists all findings-generating solutions (products) that you are subscribed to receive findings from in Security Hub. See also: AWS API Documentation **Request Syntax** response = client.list_enabled_products_for_import( NextToken='string', MaxResults=123 ) Parameters: * **NextToken** (*string*) -- The token that is required for pagination. On your first call to the "ListEnabledProductsForImport" operation, set the value of this parameter to "NULL". 
For subsequent calls to the operation, to continue listing data, set the value of this parameter to the value returned from the previous response. * **MaxResults** (*integer*) -- The maximum number of items to return in the response. Return type: dict Returns: **Response Syntax** { 'ProductSubscriptions': [ 'string', ], 'NextToken': 'string' } **Response Structure** * *(dict) --* * **ProductSubscriptions** *(list) --* The list of ARNs for the resources that represent your subscriptions to products. * *(string) --* * **NextToken** *(string) --* The pagination token to use to request the next page of results. **Exceptions** * "SecurityHub.Client.exceptions.InternalException" * "SecurityHub.Client.exceptions.LimitExceededException" * "SecurityHub.Client.exceptions.InvalidAccessException" SecurityHub / Client / list_organization_admin_accounts list_organization_admin_accounts ******************************** SecurityHub.Client.list_organization_admin_accounts(**kwargs) Lists the Security Hub administrator accounts. Can only be called by the organization management account. See also: AWS API Documentation **Request Syntax** response = client.list_organization_admin_accounts( MaxResults=123, NextToken='string', Feature='SecurityHub'|'SecurityHubV2' ) Parameters: * **MaxResults** (*integer*) -- The maximum number of items to return in the response. * **NextToken** (*string*) -- The token that is required for pagination. On your first call to the "ListOrganizationAdminAccounts" operation, set the value of this parameter to "NULL". For subsequent calls to the operation, to continue listing data, set the value of this parameter to the value returned from the previous response. * **Feature** (*string*) -- The feature where the delegated administrator account is listed. Defaults to Security Hub if not specified. 
Return type: dict Returns: **Response Syntax** { 'AdminAccounts': [ { 'AccountId': 'string', 'Status': 'ENABLED'|'DISABLE_IN_PROGRESS' }, ], 'NextToken': 'string', 'Feature': 'SecurityHub'|'SecurityHubV2' } **Response Structure** * *(dict) --* * **AdminAccounts** *(list) --* The list of Security Hub administrator accounts. * *(dict) --* Represents a Security Hub administrator account designated by an organization management account. * **AccountId** *(string) --* The Amazon Web Services account identifier of the Security Hub administrator account. * **Status** *(string) --* The current status of the Security Hub administrator account. Indicates whether the account is currently enabled as a Security Hub administrator. * **NextToken** *(string) --* The pagination token to use to request the next page of results. * **Feature** *(string) --* The feature where the delegated administrator account is listed. Defaults to Security Hub CSPM if not specified. **Exceptions** * "SecurityHub.Client.exceptions.InternalException" * "SecurityHub.Client.exceptions.InvalidInputException" * "SecurityHub.Client.exceptions.InvalidAccessException" * "SecurityHub.Client.exceptions.LimitExceededException" SecurityHub / Client / create_insight create_insight ************** SecurityHub.Client.create_insight(**kwargs) Creates a custom insight in Security Hub. An insight is a consolidation of findings that relate to a security issue that requires attention or remediation. To group the related findings in the insight, use the "GroupByAttribute". 
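As an added example (not part of the boto3 documentation), the following pre-flight check validates a `Filters` argument for `create_insight` against the entry shapes in this operation's request syntax: string filters accept seven `Comparison` operators, map filters such as `ResourceTags` accept only four, and IP filters take a `Cidr`. The function names, the IPv4/IPv6 family check and the sample filter values are assumptions made for illustration.

```python
import ipaddress

# Comparison operators exactly as listed in the create_insight request syntax.
STRING_OPS = {"EQUALS", "PREFIX", "NOT_EQUALS", "PREFIX_NOT_EQUALS",
              "CONTAINS", "NOT_CONTAINS", "CONTAINS_WORD"}
MAP_OPS = {"EQUALS", "NOT_EQUALS", "CONTAINS", "NOT_CONTAINS"}

# Filter names from the request syntax that are not plain string filters.
FIELD_KINDS = {
    "date": {"FirstObservedAt", "LastObservedAt", "CreatedAt", "UpdatedAt",
             "ProcessLaunchedAt", "ProcessTerminatedAt", "NoteUpdatedAt",
             "ThreatIntelIndicatorLastObservedAt",
             "ResourceAwsEc2InstanceLaunchedAt",
             "ResourceAwsIamAccessKeyCreatedAt", "ResourceContainerLaunchedAt"},
    "number": {"SeverityProduct", "SeverityNormalized", "Confidence",
               "Criticality", "NetworkSourcePort", "NetworkDestinationPort",
               "ProcessPid", "ProcessParentPid",
               "FindingProviderFieldsConfidence",
               "FindingProviderFieldsCriticality"},
    "ip": {"NetworkSourceIpV4", "NetworkSourceIpV6", "NetworkDestinationIpV4",
           "NetworkDestinationIpV6", "ResourceAwsEc2InstanceIpV4Addresses",
           "ResourceAwsEc2InstanceIpV6Addresses"},
    "map": {"ProductFields", "UserDefinedFields", "ResourceTags",
            "ResourceDetailsOther"},
    "keyword": {"Keyword"},
    "boolean": {"Sample"},
}
ALLOWED_KEYS = {
    "string": {"Value", "Comparison"},
    "map": {"Key", "Value", "Comparison"},
    "date": {"Start", "End", "DateRange"},
    "number": {"Gte", "Lte", "Eq", "Gt", "Lt"},
    "ip": {"Cidr"},
    "keyword": {"Value"},
    "boolean": {"Value"},
}


def filter_kind(field):
    """Map a filter name to the entry shape the request syntax gives it."""
    for kind, names in FIELD_KINDS.items():
        if field in names:
            return kind
    return "string"  # every other filter in the syntax is a string filter


def check_entry(field, entry):
    """Return the problems found in one filter entry (empty list if none)."""
    kind = filter_kind(field)
    if not isinstance(entry, dict) or not entry:
        return [f"{field}: entry must be a non-empty dict"]
    problems = [f"{field}: key {k!r} is not part of a {kind} filter"
                for k in sorted(set(entry) - ALLOWED_KEYS[kind])]
    if kind in ("string", "map") and "Comparison" in entry:
        ops = STRING_OPS if kind == "string" else MAP_OPS
        if entry["Comparison"] not in ops:
            problems.append(f"{field}: Comparison {entry['Comparison']!r} "
                            f"is not valid for a {kind} filter")
    elif kind == "number":
        for k in sorted(set(entry) & ALLOWED_KEYS["number"]):
            if isinstance(entry[k], bool) or not isinstance(entry[k], (int, float)):
                problems.append(f"{field}: {k} must be a number")
    elif kind == "date" and "DateRange" in entry:
        rng = entry["DateRange"]
        if (not isinstance(rng, dict) or rng.get("Unit") != "DAYS"
                or isinstance(rng.get("Value"), bool)
                or not isinstance(rng.get("Value"), int)):
            problems.append(f"{field}: DateRange needs an integer Value and Unit 'DAYS'")
    elif kind == "ip" and "Cidr" in entry:
        try:
            net = ipaddress.ip_network(entry["Cidr"], strict=False)
        except (ValueError, TypeError):
            problems.append(f"{field}: Cidr {entry['Cidr']!r} is not a valid CIDR")
        else:
            # Assumption: the address family should match the filter name.
            if net.version != (6 if "IpV6" in field else 4):
                problems.append(f"{field}: Cidr is IPv{net.version}")
    elif kind == "boolean" and not isinstance(entry.get("Value"), bool):
        problems.append(f"{field}: Value must be True or False")
    return problems


def validate_insight_filters(filters):
    """Check every entry of a Filters dict; return all problems found."""
    problems = []
    for field, entries in filters.items():
        if not isinstance(entries, list):
            problems.append(f"{field}: value must be a list of filter entries")
            continue
        for entry in entries:
            problems.extend(check_entry(field, entry))
    return problems


def build_create_insight_kwargs(name, filters, group_by):
    """Return kwargs for client.create_insight(**kwargs), or raise ValueError."""
    problems = validate_insight_filters(filters)
    if problems:
        raise ValueError("; ".join(problems))
    return {"Name": name, "Filters": filters, "GroupByAttribute": group_by}


# Constructed sample: active critical findings on tagged instances in 10.0.0.0/8.
SAMPLE_FILTERS = {
    "SeverityLabel": [{"Value": "CRITICAL", "Comparison": "EQUALS"}],
    "RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}],
    "ResourceAwsEc2InstanceIpV4Addresses": [{"Cidr": "10.0.0.0/8"}],
    "UpdatedAt": [{"DateRange": {"Value": 7, "Unit": "DAYS"}}],
    "ResourceTags": [{"Key": "env", "Value": "prod", "Comparison": "EQUALS"}],
}
```

Field names that are not in the request syntax are treated as string filters here; rejecting unknown names is left to the SDK's own parameter validation.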
See also: AWS API Documentation **Request Syntax** response = client.create_insight( Name='string', Filters={ 'ProductArn': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'AwsAccountId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'Id': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'GeneratorId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'Region': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'Type': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'FirstObservedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'LastObservedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'CreatedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'UpdatedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'SeverityProduct': [ { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 }, ], 'SeverityNormalized': [ { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 }, ], 'SeverityLabel': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'Confidence': [ { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 }, ], 'Criticality': [ { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 }, ], 'Title': [ { 'Value': 'string', 'Comparison': 
'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'Description': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'RecommendationText': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'SourceUrl': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ProductFields': [ { 'Key': 'string', 'Value': 'string', 'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS' }, ], 'ProductName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'CompanyName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'UserDefinedFields': [ { 'Key': 'string', 'Value': 'string', 'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS' }, ], 'MalwareName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'MalwareType': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'MalwarePath': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'MalwareState': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'NetworkDirection': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'NetworkProtocol': [ { 'Value': 'string', 'Comparison': 
'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'NetworkSourceIpV4': [ { 'Cidr': 'string' }, ], 'NetworkSourceIpV6': [ { 'Cidr': 'string' }, ], 'NetworkSourcePort': [ { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 }, ], 'NetworkSourceDomain': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'NetworkSourceMac': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'NetworkDestinationIpV4': [ { 'Cidr': 'string' }, ], 'NetworkDestinationIpV6': [ { 'Cidr': 'string' }, ], 'NetworkDestinationPort': [ { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 }, ], 'NetworkDestinationDomain': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ProcessName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ProcessPath': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ProcessPid': [ { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 }, ], 'ProcessParentPid': [ { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 }, ], 'ProcessLaunchedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'ProcessTerminatedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'ThreatIntelIndicatorType': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ThreatIntelIndicatorValue': [ { 'Value': 'string', 'Comparison': 
'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ThreatIntelIndicatorCategory': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ThreatIntelIndicatorLastObservedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'ThreatIntelIndicatorSource': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ThreatIntelIndicatorSourceUrl': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceType': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourcePartition': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceRegion': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceTags': [ { 'Key': 'string', 'Value': 'string', 'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS' }, ], 'ResourceAwsEc2InstanceType': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceAwsEc2InstanceImageId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceAwsEc2InstanceIpV4Addresses': [ { 'Cidr': 'string' }, ], 'ResourceAwsEc2InstanceIpV6Addresses': [ { 'Cidr': 'string' }, ], 'ResourceAwsEc2InstanceKeyName': [ { 'Value': 'string', 
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceAwsEc2InstanceIamInstanceProfileArn': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceAwsEc2InstanceVpcId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceAwsEc2InstanceSubnetId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceAwsEc2InstanceLaunchedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'ResourceAwsS3BucketOwnerId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceAwsS3BucketOwnerName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceAwsIamAccessKeyUserName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceAwsIamAccessKeyPrincipalName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceAwsIamAccessKeyStatus': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceAwsIamAccessKeyCreatedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'ResourceAwsIamUserUserName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceContainerName': [ { 'Value': 'string', 'Comparison': 
'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceContainerImageId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceContainerImageName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceContainerLaunchedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'ResourceDetailsOther': [ { 'Key': 'string', 'Value': 'string', 'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS' }, ], 'ComplianceStatus': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'VerificationState': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'WorkflowState': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'WorkflowStatus': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'RecordState': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'RelatedFindingsProductArn': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'RelatedFindingsId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'NoteText': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'NoteUpdatedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 
'Value': 123, 'Unit': 'DAYS' } }, ], 'NoteUpdatedBy': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'Keyword': [ { 'Value': 'string' }, ], 'FindingProviderFieldsConfidence': [ { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 }, ], 'FindingProviderFieldsCriticality': [ { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 }, ], 'FindingProviderFieldsRelatedFindingsId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'FindingProviderFieldsRelatedFindingsProductArn': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'FindingProviderFieldsSeverityLabel': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'FindingProviderFieldsSeverityOriginal': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'FindingProviderFieldsTypes': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'Sample': [ { 'Value': True|False }, ], 'ComplianceSecurityControlId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ComplianceAssociatedStandardsId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'VulnerabilitiesExploitAvailable': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'VulnerabilitiesFixAvailable': [ { 'Value': 'string', 'Comparison': 
'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ComplianceSecurityControlParametersName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ComplianceSecurityControlParametersValue': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'AwsAccountName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceApplicationName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceApplicationArn': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ] }, GroupByAttribute='string' ) **Parameters** This section is too large to render; see the AWS API Documentation. Return type: dict Returns: **Response Syntax** { 'InsightArn': 'string' } **Response Structure** * *(dict) --* * **InsightArn** *(string) --* The ARN of the insight created. **Exceptions** * "SecurityHub.Client.exceptions.InternalException" * "SecurityHub.Client.exceptions.InvalidInputException" * "SecurityHub.Client.exceptions.LimitExceededException" * "SecurityHub.Client.exceptions.InvalidAccessException" * "SecurityHub.Client.exceptions.ResourceConflictException" SecurityHub / Client / delete_action_target delete_action_target ******************** SecurityHub.Client.delete_action_target(**kwargs) Deletes a custom action target from Security Hub. Deleting a custom action target does not affect any findings or insights that were already sent to Amazon CloudWatch Events using the custom action. 
See also: AWS API Documentation **Request Syntax** response = client.delete_action_target( ActionTargetArn='string' ) Parameters: **ActionTargetArn** (*string*) -- **[REQUIRED]** The Amazon Resource Name (ARN) of the custom action target to delete. Return type: dict Returns: **Response Syntax** { 'ActionTargetArn': 'string' } **Response Structure** * *(dict) --* * **ActionTargetArn** *(string) --* The ARN of the custom action target that was deleted. **Exceptions** * "SecurityHub.Client.exceptions.InternalException" * "SecurityHub.Client.exceptions.InvalidInputException" * "SecurityHub.Client.exceptions.InvalidAccessException" * "SecurityHub.Client.exceptions.ResourceNotFoundException" SecurityHub / Client / describe_hub describe_hub ************ SecurityHub.Client.describe_hub(**kwargs) Returns details about the Hub resource in your account, including the "HubArn" and the time when you enabled Security Hub. See also: AWS API Documentation **Request Syntax** response = client.describe_hub( HubArn='string' ) Parameters: **HubArn** (*string*) -- The ARN of the Hub resource to retrieve. Return type: dict Returns: **Response Syntax** { 'HubArn': 'string', 'SubscribedAt': 'string', 'AutoEnableControls': True|False, 'ControlFindingGenerator': 'STANDARD_CONTROL'|'SECURITY_CONTROL' } **Response Structure** * *(dict) --* * **HubArn** *(string) --* The ARN of the Hub resource that was retrieved. * **SubscribedAt** *(string) --* The date and time when Security Hub was enabled in the account. * **AutoEnableControls** *(boolean) --* Whether to automatically enable new controls when they are added to standards that are enabled. If set to "true", then new controls for enabled standards are enabled automatically. If set to "false", then new controls are not enabled. When you automatically enable new controls, you can interact with the controls in the console and programmatically immediately after release. 
However, automatically enabled controls have a temporary default status of "DISABLED". It can take up to several days for Security Hub to process the control release and designate the control as "ENABLED" in your account. During the processing period, you can manually enable or disable a control, and Security Hub will maintain that designation regardless of whether you have "AutoEnableControls" set to "true". * **ControlFindingGenerator** *(string) --* Specifies whether the calling account has consolidated control findings turned on. If the value for this field is set to "SECURITY_CONTROL", Security Hub generates a single finding for a control check even when the check applies to multiple enabled standards. If the value for this field is set to "STANDARD_CONTROL", Security Hub generates separate findings for a control check when the check applies to multiple enabled standards. The value for this field in a member account matches the value in the administrator account. For accounts that aren't part of an organization, the default value of this field is "SECURITY_CONTROL" if you enabled Security Hub on or after February 23, 2023. **Exceptions** * "SecurityHub.Client.exceptions.InternalException" * "SecurityHub.Client.exceptions.LimitExceededException" * "SecurityHub.Client.exceptions.InvalidAccessException" * "SecurityHub.Client.exceptions.InvalidInputException" * "SecurityHub.Client.exceptions.ResourceNotFoundException" SecurityHub / Client / list_security_control_definitions list_security_control_definitions ********************************* SecurityHub.Client.list_security_control_definitions(**kwargs) Lists all of the security controls that apply to a specified standard. See also: AWS API Documentation **Request Syntax** response = client.list_security_control_definitions( StandardsArn='string', NextToken='string', MaxResults=123 ) Parameters: * **StandardsArn** (*string*) -- The Amazon Resource Name (ARN) of the standard that you want to view controls for. 
* **NextToken** (*string*) -- Optional pagination parameter. * **MaxResults** (*integer*) -- An optional parameter that limits the total results of the API response to the specified number. If this parameter isn't provided in the request, the results include the first 25 security controls that apply to the specified standard. The results also include a "NextToken" parameter that you can use in a subsequent API call to get the next 25 controls. This repeats until all controls for the standard are returned. Return type: dict Returns: **Response Syntax** { 'SecurityControlDefinitions': [ { 'SecurityControlId': 'string', 'Title': 'string', 'Description': 'string', 'RemediationUrl': 'string', 'SeverityRating': 'LOW'|'MEDIUM'|'HIGH'|'CRITICAL', 'CurrentRegionAvailability': 'AVAILABLE'|'UNAVAILABLE', 'CustomizableProperties': [ 'Parameters', ], 'ParameterDefinitions': { 'string': { 'Description': 'string', 'ConfigurationOptions': { 'Integer': { 'DefaultValue': 123, 'Min': 123, 'Max': 123 }, 'IntegerList': { 'DefaultValue': [ 123, ], 'Min': 123, 'Max': 123, 'MaxItems': 123 }, 'Double': { 'DefaultValue': 123.0, 'Min': 123.0, 'Max': 123.0 }, 'String': { 'DefaultValue': 'string', 'Re2Expression': 'string', 'ExpressionDescription': 'string' }, 'StringList': { 'DefaultValue': [ 'string', ], 'Re2Expression': 'string', 'MaxItems': 123, 'ExpressionDescription': 'string' }, 'Boolean': { 'DefaultValue': True|False }, 'Enum': { 'DefaultValue': 'string', 'AllowedValues': [ 'string', ] }, 'EnumList': { 'DefaultValue': [ 'string', ], 'MaxItems': 123, 'AllowedValues': [ 'string', ] } } } } }, ], 'NextToken': 'string' } **Response Structure** * *(dict) --* * **SecurityControlDefinitions** *(list) --* An array of controls that apply to the specified standard. * *(dict) --* Provides metadata for a security control, including its unique standard-agnostic identifier, title, description, severity, availability in Amazon Web Services Regions, and a link to remediation steps. 
* **SecurityControlId** *(string) --* The unique identifier of a security control across standards. Values for this field typically consist of an Amazon Web Services service name and a number (for example, APIGateway.3). This parameter differs from "SecurityControlArn", which is a unique Amazon Resource Name (ARN) assigned to a control. The ARN references the security control ID (for example, arn:aws:securityhub:eu-central-1:123456789012:security-control/APIGateway.3). * **Title** *(string) --* The title of a security control. * **Description** *(string) --* The description of a security control across standards. This typically summarizes how Security Hub evaluates the control and the conditions under which it produces a failed finding. This parameter doesn't reference a specific standard. * **RemediationUrl** *(string) --* A link to Security Hub documentation that explains how to remediate a failed finding for a security control. * **SeverityRating** *(string) --* The severity of a security control. For more information about how Security Hub determines control severity, see Assigning severity to control findings in the *Security Hub User Guide*. * **CurrentRegionAvailability** *(string) --* Specifies whether a security control is available in the current Amazon Web Services Region. * **CustomizableProperties** *(list) --* Security control properties that you can customize. Currently, only parameter customization is supported for select controls. An empty array is returned for controls that don’t support custom properties. * *(string) --* * **ParameterDefinitions** *(dict) --* An object that provides a security control parameter name, description, and the options for customizing it. This object is excluded for a control that doesn't support custom parameters. * *(string) --* * *(dict) --* An object that describes a security control parameter and the options for customizing it. * **Description** *(string) --* Description of a control parameter. 
* **ConfigurationOptions** *(dict) --* The options for customizing a control parameter. Customization options vary based on the data type of the parameter. Note: This is a Tagged Union structure. Only one of the following top level keys will be set: "Integer", "IntegerList", "Double", "String", "StringList", "Boolean", "Enum", "EnumList". If a client receives an unknown member it will set "SDK_UNKNOWN_MEMBER" as the top level key, which maps to the name or tag of the unknown member. The structure of "SDK_UNKNOWN_MEMBER" is as follows: 'SDK_UNKNOWN_MEMBER': {'name': 'UnknownMemberName'} * **Integer** *(dict) --* The options for customizing a security control parameter that is an integer. * **DefaultValue** *(integer) --* The Security Hub default value for a control parameter that is an integer. * **Min** *(integer) --* The minimum valid value for a control parameter that is an integer. * **Max** *(integer) --* The maximum valid value for a control parameter that is an integer. * **IntegerList** *(dict) --* The options for customizing a security control parameter that is a list of integers. * **DefaultValue** *(list) --* The Security Hub default value for a control parameter that is a list of integers. * *(integer) --* * **Min** *(integer) --* The minimum valid value for a control parameter that is a list of integers. * **Max** *(integer) --* The maximum valid value for a control parameter that is a list of integers. * **MaxItems** *(integer) --* The maximum number of list items that an integer list control parameter can accept. * **Double** *(dict) --* The options for customizing a security control parameter that is a double. * **DefaultValue** *(float) --* The Security Hub default value for a control parameter that is a double. * **Min** *(float) --* The minimum valid value for a control parameter that is a double. * **Max** *(float) --* The maximum valid value for a control parameter that is a double. 
* **String** *(dict) --* The options for customizing a security control parameter that is a string data type. * **DefaultValue** *(string) --* The Security Hub default value for a control parameter that is a string. * **Re2Expression** *(string) --* An RE2 regular expression that Security Hub uses to validate a user-provided control parameter string. * **ExpressionDescription** *(string) --* The description of the RE2 regular expression. * **StringList** *(dict) --* The options for customizing a security control parameter that is a list of strings. * **DefaultValue** *(list) --* The Security Hub default value for a control parameter that is a list of strings. * *(string) --* * **Re2Expression** *(string) --* An RE2 regular expression that Security Hub uses to validate a user-provided list of strings for a control parameter. * **MaxItems** *(integer) --* The maximum number of list items that a string list control parameter can accept. * **ExpressionDescription** *(string) --* The description of the RE2 regular expression. * **Boolean** *(dict) --* The options for customizing a security control parameter that is a boolean. For a boolean parameter, the options are "true" and "false". * **DefaultValue** *(boolean) --* The Security Hub default value for a boolean parameter. * **Enum** *(dict) --* The options for customizing a security control parameter that is an enum. * **DefaultValue** *(string) --* The Security Hub default value for a control parameter that is an enum. * **AllowedValues** *(list) --* The valid values for a control parameter that is an enum. * *(string) --* * **EnumList** *(dict) --* The options for customizing a security control parameter that is a list of enums. * **DefaultValue** *(list) --* The Security Hub default value for a control parameter that is a list of enums. * *(string) --* * **MaxItems** *(integer) --* The maximum number of list items that an enum list control parameter can accept. 
* **AllowedValues** *(list) --* The valid values for a control parameter that is a list of enums. * *(string) --* * **NextToken** *(string) --* A pagination parameter that's included in the response only if it was included in the request. **Exceptions** * "SecurityHub.Client.exceptions.InternalException" * "SecurityHub.Client.exceptions.InvalidInputException" * "SecurityHub.Client.exceptions.InvalidAccessException" * "SecurityHub.Client.exceptions.LimitExceededException" SecurityHub / Client / decline_invitations decline_invitations ******************* SecurityHub.Client.decline_invitations(**kwargs) Note: We recommend using Organizations instead of Security Hub invitations to manage your member accounts. For information, see Managing Security Hub administrator and member accounts with Organizations in the *Security Hub User Guide*. Declines invitations to become a Security Hub member account. A prospective member account uses this operation to decline an invitation to become a member. Only member accounts that aren't part of an Amazon Web Services organization should use this operation. Organization accounts don't receive invitations. See also: AWS API Documentation **Request Syntax** response = client.decline_invitations( AccountIds=[ 'string', ] ) Parameters: **AccountIds** (*list*) -- **[REQUIRED]** The list of prospective member account IDs for which to decline an invitation. * *(string) --* Return type: dict Returns: **Response Syntax** { 'UnprocessedAccounts': [ { 'AccountId': 'string', 'ProcessingResult': 'string' }, ] } **Response Structure** * *(dict) --* * **UnprocessedAccounts** *(list) --* The list of Amazon Web Services accounts that were not processed. For each account, the list includes the account ID and the email address. * *(dict) --* Details about the account that was not processed. * **AccountId** *(string) --* An Amazon Web Services account ID of the account that was not processed. 
* **ProcessingResult** *(string) --* The reason that the account was not processed. **Exceptions** * "SecurityHub.Client.exceptions.InternalException" * "SecurityHub.Client.exceptions.InvalidInputException" * "SecurityHub.Client.exceptions.InvalidAccessException" * "SecurityHub.Client.exceptions.ResourceNotFoundException" SecurityHub / Client / describe_products describe_products ***************** SecurityHub.Client.describe_products(**kwargs) Returns information about product integrations in Security Hub. You can optionally provide an integration ARN. If you provide an integration ARN, then the results only include that integration. If you don't provide an integration ARN, then the results include all of the available product integrations. See also: AWS API Documentation **Request Syntax** response = client.describe_products( NextToken='string', MaxResults=123, ProductArn='string' ) Parameters: * **NextToken** (*string*) -- The token that is required for pagination. On your first call to the "DescribeProducts" operation, set the value of this parameter to "NULL". For subsequent calls to the operation, to continue listing data, set the value of this parameter to the value returned from the previous response. * **MaxResults** (*integer*) -- The maximum number of results to return. * **ProductArn** (*string*) -- The ARN of the integration to return. Return type: dict Returns: **Response Syntax** { 'Products': [ { 'ProductArn': 'string', 'ProductName': 'string', 'CompanyName': 'string', 'Description': 'string', 'Categories': [ 'string', ], 'IntegrationTypes': [ 'SEND_FINDINGS_TO_SECURITY_HUB'|'RECEIVE_FINDINGS_FROM_SECURITY_HUB'|'UPDATE_FINDINGS_IN_SECURITY_HUB', ], 'MarketplaceUrl': 'string', 'ActivationUrl': 'string', 'ProductSubscriptionResourcePolicy': 'string' }, ], 'NextToken': 'string' } **Response Structure** * *(dict) --* * **Products** *(list) --* A list of products, including details for each product. * *(dict) --* Contains details about a product. 
* **ProductArn** *(string) --* The ARN assigned to the product. * **ProductName** *(string) --* The name of the product. * **CompanyName** *(string) --* The name of the company that provides the product. * **Description** *(string) --* A description of the product. * **Categories** *(list) --* The categories assigned to the product. * *(string) --* * **IntegrationTypes** *(list) --* The types of integration that the product supports. Available values are the following. * "SEND_FINDINGS_TO_SECURITY_HUB" - The integration sends findings to Security Hub. * "RECEIVE_FINDINGS_FROM_SECURITY_HUB" - The integration receives findings from Security Hub. * "UPDATE_FINDINGS_IN_SECURITY_HUB" - The integration does not send new findings to Security Hub, but does make updates to the findings that it receives from Security Hub. * *(string) --* * **MarketplaceUrl** *(string) --* For integrations with Amazon Web Services services, the Amazon Web Services Console URL from which to activate the service. For integrations with third-party products, the Amazon Web Services Marketplace URL from which to subscribe to or purchase the product. * **ActivationUrl** *(string) --* The URL to the service or product documentation about the integration with Security Hub, including how to activate the integration. * **ProductSubscriptionResourcePolicy** *(string) --* The resource policy associated with the product. * **NextToken** *(string) --* The pagination token to use to request the next page of results. **Exceptions** * "SecurityHub.Client.exceptions.InternalException" * "SecurityHub.Client.exceptions.LimitExceededException" * "SecurityHub.Client.exceptions.InvalidAccessException" * "SecurityHub.Client.exceptions.InvalidInputException" SecurityHub / Client / delete_configuration_policy delete_configuration_policy *************************** SecurityHub.Client.delete_configuration_policy(**kwargs) Deletes a configuration policy. 
Only the Security Hub delegated administrator can invoke this operation from the home Region. For the deletion to succeed, you must first disassociate a configuration policy from target accounts, organizational units, or the root by invoking the "StartConfigurationPolicyDisassociation" operation. See also: AWS API Documentation **Request Syntax** response = client.delete_configuration_policy( Identifier='string' ) Parameters: **Identifier** (*string*) -- **[REQUIRED]** The Amazon Resource Name (ARN) or universally unique identifier (UUID) of the configuration policy. Return type: dict Returns: **Response Syntax** {} **Response Structure** * *(dict) --* **Exceptions** * "SecurityHub.Client.exceptions.AccessDeniedException" * "SecurityHub.Client.exceptions.InternalException" * "SecurityHub.Client.exceptions.InvalidAccessException" * "SecurityHub.Client.exceptions.InvalidInputException" * "SecurityHub.Client.exceptions.LimitExceededException" * "SecurityHub.Client.exceptions.ResourceNotFoundException" * "SecurityHub.Client.exceptions.ResourceConflictException" SecurityHub / Client / list_connectors_v2 list_connectors_v2 ****************** SecurityHub.Client.list_connectors_v2(**kwargs) Grants permission to retrieve a list of connectorsV2 and their metadata for the calling account. This API is in preview release and subject to change. See also: AWS API Documentation **Request Syntax** response = client.list_connectors_v2( NextToken='string', MaxResults=123, ProviderName='JIRA_CLOUD'|'SERVICENOW', ConnectorStatus='CONNECTED'|'FAILED_TO_CONNECT'|'PENDING_CONFIGURATION'|'PENDING_AUTHORIZATION' ) Parameters: * **NextToken** (*string*) -- The pagination token per the Amazon Web Services Pagination standard * **MaxResults** (*integer*) -- The maximum number of results to be returned. * **ProviderName** (*string*) -- The name of the third-party provider. * **ConnectorStatus** (*string*) -- The status for the connectorV2. 
Return type: dict Returns: **Response Syntax** { 'NextToken': 'string', 'Connectors': [ { 'ConnectorArn': 'string', 'ConnectorId': 'string', 'Name': 'string', 'Description': 'string', 'ProviderSummary': { 'ProviderName': 'JIRA_CLOUD'|'SERVICENOW', 'ConnectorStatus': 'CONNECTED'|'FAILED_TO_CONNECT'|'PENDING_CONFIGURATION'|'PENDING_AUTHORIZATION' }, 'CreatedAt': datetime(2015, 1, 1) }, ] } **Response Structure** * *(dict) --* * **NextToken** *(string) --* The pagination token to use to request the next page of results. Otherwise, this parameter is null. * **Connectors** *(list) --* An array of connectorV2 summaries. * *(dict) --* A condensed overview of the connectorV2. * **ConnectorArn** *(string) --* The Amazon Resource Name (ARN) of the connectorV2. * **ConnectorId** *(string) --* The UUID that identifies the connectorV2 resource. * **Name** *(string) --* The Name field contains the user-defined name assigned to the integration connector. This helps identify and manage multiple connectors within Security Hub. * **Description** *(string) --* The description of the connectorV2. * **ProviderSummary** *(dict) --* The connectorV2 third party provider configuration summary. * **ProviderName** *(string) --* The name of the provider. * **ConnectorStatus** *(string) --* The status for the connectorV2. * **CreatedAt** *(datetime) --* The ISO 8601 UTC timestamp for when the connectorV2 was created. 
**Exceptions** * "SecurityHub.Client.exceptions.AccessDeniedException" * "SecurityHub.Client.exceptions.InternalServerException" * "SecurityHub.Client.exceptions.ValidationException" * "SecurityHub.Client.exceptions.ThrottlingException" * "SecurityHub.Client.exceptions.ConflictException" * "SecurityHub.Client.exceptions.ResourceNotFoundException" SecurityHub / Client / batch_get_standards_control_associations batch_get_standards_control_associations **************************************** SecurityHub.Client.batch_get_standards_control_associations(**kwargs) For a batch of security controls and standards, identifies whether each control is currently enabled or disabled in a standard. Calls to this operation return a "RESOURCE_NOT_FOUND_EXCEPTION" error when the standard subscription for the association has a "NOT_READY_FOR_UPDATES" value for "StandardsControlsUpdatable". See also: AWS API Documentation **Request Syntax** response = client.batch_get_standards_control_associations( StandardsControlAssociationIds=[ { 'SecurityControlId': 'string', 'StandardsArn': 'string' }, ] ) Parameters: **StandardsControlAssociationIds** (*list*) -- **[REQUIRED]** An array with one or more objects that includes a security control (identified with "SecurityControlId", "SecurityControlArn", or a mix of both parameters) and the Amazon Resource Name (ARN) of a standard. This field is used to query the enablement status of a control in a specified standard. The security control ID or ARN is the same across standards. * *(dict) --* An array with one or more objects that includes a security control (identified with "SecurityControlId", "SecurityControlArn", or a mix of both parameters) and the Amazon Resource Name (ARN) of a standard. The security control ID or ARN is the same across standards. 
* **SecurityControlId** *(string) --* **[REQUIRED]** The unique identifier (identified with "SecurityControlId", "SecurityControlArn", or a mix of both parameters) of a security control across standards. * **StandardsArn** *(string) --* **[REQUIRED]** The ARN of a standard. Return type: dict Returns: **Response Syntax** { 'StandardsControlAssociationDetails': [ { 'StandardsArn': 'string', 'SecurityControlId': 'string', 'SecurityControlArn': 'string', 'AssociationStatus': 'ENABLED'|'DISABLED', 'RelatedRequirements': [ 'string', ], 'UpdatedAt': datetime(2015, 1, 1), 'UpdatedReason': 'string', 'StandardsControlTitle': 'string', 'StandardsControlDescription': 'string', 'StandardsControlArns': [ 'string', ] }, ], 'UnprocessedAssociations': [ { 'StandardsControlAssociationId': { 'SecurityControlId': 'string', 'StandardsArn': 'string' }, 'ErrorCode': 'INVALID_INPUT'|'ACCESS_DENIED'|'NOT_FOUND'|'LIMIT_EXCEEDED', 'ErrorReason': 'string' }, ] } **Response Structure** * *(dict) --* * **StandardsControlAssociationDetails** *(list) --* Provides the enablement status of a security control in a specified standard and other details for the control in relation to the specified standard. * *(dict) --* Provides details about a control's enablement status in a specified standard. * **StandardsArn** *(string) --* The Amazon Resource Name (ARN) of a security standard. * **SecurityControlId** *(string) --* The unique identifier of a security control across standards. Values for this field typically consist of an Amazon Web Services service name and a number, such as APIGateway.3. * **SecurityControlArn** *(string) --* The ARN of a security control across standards, such as "arn:aws:securityhub:eu-central-1:123456789012:security-control/S3.1". This parameter doesn't mention a specific standard. * **AssociationStatus** *(string) --* Specifies whether a control is enabled or disabled in a specified standard. 
* **RelatedRequirements** *(list) --* The requirement that underlies a control in the compliance framework related to the standard. * *(string) --* * **UpdatedAt** *(datetime) --* The time at which the enablement status of the control in the specified standard was last updated. * **UpdatedReason** *(string) --* The reason for updating the enablement status of a control in a specified standard. * **StandardsControlTitle** *(string) --* The title of a control. This field may reference a specific standard. * **StandardsControlDescription** *(string) --* The description of a control. This typically summarizes how Security Hub evaluates the control and the conditions under which it produces a failed finding. This parameter may reference a specific standard. * **StandardsControlArns** *(list) --* Provides the input parameter that Security Hub uses to call the UpdateStandardsControl API. This API can be used to enable or disable a control in a specified standard. * *(string) --* * **UnprocessedAssociations** *(list) --* A security control (identified with "SecurityControlId", "SecurityControlArn", or a mix of both parameters) whose enablement status in a specified standard cannot be returned. * *(dict) --* Provides details about which control's enablement status couldn't be retrieved in a specified standard when calling BatchUpdateStandardsControlAssociations. This parameter also provides details about why the request was unprocessed. * **StandardsControlAssociationId** *(dict) --* An array with one or more objects that includes a security control (identified with "SecurityControlId", "SecurityControlArn", or a mix of both parameters) and the Amazon Resource Name (ARN) of a standard. This parameter shows the specific controls for which the enablement status couldn't be retrieved in specified standards when calling BatchUpdateStandardsControlAssociations. 
* **SecurityControlId** *(string) --* The unique identifier (identified with "SecurityControlId", "SecurityControlArn", or a mix of both parameters) of a security control across standards. * **StandardsArn** *(string) --* The ARN of a standard. * **ErrorCode** *(string) --* The error code for the unprocessed standard and control association. * **ErrorReason** *(string) --* The reason why the standard and control association was unprocessed. **Exceptions** * "SecurityHub.Client.exceptions.InternalException" * "SecurityHub.Client.exceptions.LimitExceededException" * "SecurityHub.Client.exceptions.InvalidAccessException" * "SecurityHub.Client.exceptions.InvalidInputException" SecurityHub / Client / describe_standards describe_standards ****************** SecurityHub.Client.describe_standards(**kwargs) Returns a list of the available standards in Security Hub. For each standard, the results include the standard ARN, the name, and a description. See also: AWS API Documentation **Request Syntax** response = client.describe_standards( NextToken='string', MaxResults=123 ) Parameters: * **NextToken** (*string*) -- The token that is required for pagination. On your first call to the "DescribeStandards" operation, set the value of this parameter to "NULL". For subsequent calls to the operation, to continue listing data, set the value of this parameter to the value returned from the previous response. * **MaxResults** (*integer*) -- The maximum number of standards to return. Return type: dict Returns: **Response Syntax** { 'Standards': [ { 'StandardsArn': 'string', 'Name': 'string', 'Description': 'string', 'EnabledByDefault': True|False, 'StandardsManagedBy': { 'Company': 'string', 'Product': 'string' } }, ], 'NextToken': 'string' } **Response Structure** * *(dict) --* * **Standards** *(list) --* A list of available standards. * *(dict) --* Provides information about a specific security standard. * **StandardsArn** *(string) --* The ARN of the standard. 
* **Name** *(string) --* The name of the standard. * **Description** *(string) --* A description of the standard. * **EnabledByDefault** *(boolean) --* Whether the standard is enabled by default. When Security Hub is enabled from the console, if a standard is enabled by default, the check box for that standard is selected by default. When Security Hub is enabled using the "EnableSecurityHub" API operation, the standard is enabled by default unless "EnableDefaultStandards" is set to "false". * **StandardsManagedBy** *(dict) --* Provides details about the management of a standard. * **Company** *(string) --* An identifier for the company that manages a specific security standard. For existing standards, the value is equal to "Amazon Web Services". * **Product** *(string) --* An identifier for the product that manages a specific security standard. For existing standards, the value is equal to the Amazon Web Services service that manages the standard. * **NextToken** *(string) --* The pagination token to use to request the next page of results. **Exceptions** * "SecurityHub.Client.exceptions.InternalException" * "SecurityHub.Client.exceptions.InvalidInputException" * "SecurityHub.Client.exceptions.InvalidAccessException" SecurityHub / Client / update_configuration_policy update_configuration_policy *************************** SecurityHub.Client.update_configuration_policy(**kwargs) Updates a configuration policy. Only the Security Hub delegated administrator can invoke this operation from the home Region. 
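Added example (not part of the AWS documentation or the SDK): because the request described in this section replaces the whole policy, the code below diffs a proposed "ConfigurationPolicy" against the current one and builds a merged request that changes only the intended control. The standard ARNs, the control ID "Example.1", the parameter name "exampleParam", the policy UUID used with it and all function names are constructed or hypothetical.

```python
import copy

# Constructed sample shaped like the 'ConfigurationPolicy' member documented in
# this section. The standard ARNs, "Example.1" and "exampleParam" are placeholders.
STD_A = "arn:aws:securityhub:us-east-1::standards/example-standard-a/v/1.0.0"
STD_B = "arn:aws:securityhub:us-east-1::standards/example-standard-b/v/1.0.0"
CURRENT = {"SecurityHub": {
    "ServiceEnabled": True,
    "EnabledStandardIdentifiers": [STD_A, STD_B],
    "SecurityControlsConfiguration": {
        "DisabledSecurityControlIdentifiers": ["APIGateway.3"],
        "SecurityControlCustomParameters": [{
            "SecurityControlId": "S3.1",
            "Parameters": {"exampleParam": {"ValueType": "CUSTOM",
                                            "Value": {"Integer": 30}}},
        }],
    },
}}
# A request written from scratch to disable one control. Everything it omits
# is replaced away, because an update overwrites the current configuration.
NAIVE = {"SecurityHub": {
    "ServiceEnabled": True,
    "EnabledStandardIdentifiers": [STD_A],
    "SecurityControlsConfiguration": {
        "DisabledSecurityControlIdentifiers": ["Example.1"]},
}}
VALUE_KINDS = {"Integer", "IntegerList", "Double", "String",
               "StringList", "Boolean", "Enum", "EnumList"}


def custom_params(policy):
    """Map (control ID, parameter name) -> Value for each CUSTOM parameter."""
    cfg = policy["SecurityHub"].get("SecurityControlsConfiguration", {})
    found = {}
    for entry in cfg.get("SecurityControlCustomParameters", []):
        for name, param in entry.get("Parameters", {}).items():
            if param.get("ValueType") == "CUSTOM":
                found[(entry["SecurityControlId"], name)] = param.get("Value") or {}
    return found


def malformed_values(policy):
    """CUSTOM parameters whose Value is empty or not a single known union key."""
    return sorted(f"{cid}.{name}"
                  for (cid, name), value in custom_params(policy).items()
                  if len(value) != 1 or not set(value) <= VALUE_KINDS)


def silent_changes(current, desired):
    """List what sending `desired` would switch off relative to `current`."""
    cur, new = current["SecurityHub"], desired["SecurityHub"]
    cur_c = cur.get("SecurityControlsConfiguration", {})
    new_c = new.get("SecurityControlsConfiguration", {})
    out = []
    if cur.get("ServiceEnabled") and not new.get("ServiceEnabled"):
        out.append("Security Hub disabled")
    dropped = (set(cur.get("EnabledStandardIdentifiers", []))
               - set(new.get("EnabledStandardIdentifiers", [])))
    out += [f"standard dropped: {arn}" for arn in sorted(dropped)]
    cur_allow = cur_c.get("EnabledSecurityControlIdentifiers")
    new_allow = new_c.get("EnabledSecurityControlIdentifiers")
    if new_allow is not None and cur_allow is None:
        # Moving to an enabled list turns off every control that is not named.
        out.append("enabled list introduced: unlisted and newly released controls disabled")
    elif new_allow is not None:
        off = set(cur_allow) - set(new_allow)
        out += [f"control disabled: {c}" for c in sorted(off)]
    else:
        off = set(new_c.get("DisabledSecurityControlIdentifiers", []))
        if cur_allow is None:
            off -= set(cur_c.get("DisabledSecurityControlIdentifiers", []))
        else:
            off &= set(cur_allow)
        out += [f"control disabled: {c}" for c in sorted(off)]
    lost = set(custom_params(current)) - set(custom_params(desired))
    out += [f"custom parameter dropped: {cid}.{name}" for cid, name in sorted(lost)]
    return out


def merged_update(identifier, current, disable, reason):
    """Build update_configuration_policy kwargs that change only `disable`."""
    desired = copy.deepcopy(current)
    cfg = desired["SecurityHub"].setdefault("SecurityControlsConfiguration", {})
    if "EnabledSecurityControlIdentifiers" in cfg:
        cfg["EnabledSecurityControlIdentifiers"] = [
            c for c in cfg["EnabledSecurityControlIdentifiers"] if c not in disable]
    else:
        listed = cfg.setdefault("DisabledSecurityControlIdentifiers", [])
        listed += [c for c in disable if c not in listed]
    return {"Identifier": identifier, "UpdatedReason": reason,
            "ConfigurationPolicy": desired}
```

Run "silent_changes" on the policy you are about to send and pass the result of "merged_update" to "client.update_configuration_policy(**kwargs)" only when the listed changes are the ones you intend.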
See also: AWS API Documentation **Request Syntax** response = client.update_configuration_policy( Identifier='string', Name='string', Description='string', UpdatedReason='string', ConfigurationPolicy={ 'SecurityHub': { 'ServiceEnabled': True|False, 'EnabledStandardIdentifiers': [ 'string', ], 'SecurityControlsConfiguration': { 'EnabledSecurityControlIdentifiers': [ 'string', ], 'DisabledSecurityControlIdentifiers': [ 'string', ], 'SecurityControlCustomParameters': [ { 'SecurityControlId': 'string', 'Parameters': { 'string': { 'ValueType': 'DEFAULT'|'CUSTOM', 'Value': { 'Integer': 123, 'IntegerList': [ 123, ], 'Double': 123.0, 'String': 'string', 'StringList': [ 'string', ], 'Boolean': True|False, 'Enum': 'string', 'EnumList': [ 'string', ] } } } }, ] } } } ) Parameters: * **Identifier** (*string*) -- **[REQUIRED]** The Amazon Resource Name (ARN) or universally unique identifier (UUID) of the configuration policy. * **Name** (*string*) -- The name of the configuration policy. Alphanumeric characters and the following ASCII characters are permitted: "-, ., !, *, /". * **Description** (*string*) -- The description of the configuration policy. * **UpdatedReason** (*string*) -- The reason for updating the configuration policy. * **ConfigurationPolicy** (*dict*) -- An object that defines how Security Hub is configured. It includes whether Security Hub is enabled or disabled, a list of enabled security standards, a list of enabled or disabled security controls, and a list of custom parameter values for specified controls. If you provide a list of security controls that are enabled in the configuration policy, Security Hub disables all other controls (including newly released controls). If you provide a list of security controls that are disabled in the configuration policy, Security Hub enables all other controls (including newly released controls). 
When updating a configuration policy, provide a complete list of standards that you want to enable and a complete list of controls that you want to enable or disable. The updated configuration replaces the current configuration. Note: This is a Tagged Union structure. Only one of the following top level keys can be set: "SecurityHub". * **SecurityHub** *(dict) --* The Amazon Web Services service that the configuration policy applies to. * **ServiceEnabled** *(boolean) --* Indicates whether Security Hub is enabled in the policy. * **EnabledStandardIdentifiers** *(list) --* A list that defines which security standards are enabled in the configuration policy. * *(string) --* * **SecurityControlsConfiguration** *(dict) --* An object that defines which security controls are enabled in the configuration policy. The enablement status of a control is aligned across all of the enabled standards in an account. * **EnabledSecurityControlIdentifiers** *(list) --* A list of security controls that are enabled in the configuration policy. Security Hub disables all other controls (including newly released controls) other than the listed controls. * *(string) --* * **DisabledSecurityControlIdentifiers** *(list) --* A list of security controls that are disabled in the configuration policy. Security Hub enables all other controls (including newly released controls) other than the listed controls. * *(string) --* * **SecurityControlCustomParameters** *(list) --* A list of security controls and control parameter values that are included in a configuration policy. * *(dict) --* A list of security controls and control parameter values that are included in a configuration policy. * **SecurityControlId** *(string) --* The ID of the security control. * **Parameters** *(dict) --* An object that specifies parameter values for a control in a configuration policy. 
* *(string) --* * *(dict) --* An object that provides the current value of a security control parameter and identifies whether it has been customized. * **ValueType** *(string) --* **[REQUIRED]** Identifies whether a control parameter uses a custom user-defined value or subscribes to the default Security Hub behavior. When "ValueType" is set equal to "DEFAULT", the default behavior can be a specific Security Hub default value, or the default behavior can be to ignore a specific parameter. When "ValueType" is set equal to "DEFAULT", Security Hub ignores user-provided input for the "Value" field. When "ValueType" is set equal to "CUSTOM", the "Value" field can't be empty. * **Value** *(dict) --* The current value of a control parameter. Note: This is a Tagged Union structure. Only one of the following top level keys can be set: "Integer", "IntegerList", "Double", "String", "StringList", "Boolean", "Enum", "EnumList". * **Integer** *(integer) --* A control parameter that is an integer. * **IntegerList** *(list) --* A control parameter that is a list of integers. * *(integer) --* * **Double** *(float) --* A control parameter that is a double. * **String** *(string) --* A control parameter that is a string. * **StringList** *(list) --* A control parameter that is a list of strings. * *(string) --* * **Boolean** *(boolean) --* A control parameter that is a boolean. * **Enum** *(string) --* A control parameter that is an enum. * **EnumList** *(list) --* A control parameter that is a list of enums. 
* *(string) --* Return type: dict Returns: **Response Syntax** { 'Arn': 'string', 'Id': 'string', 'Name': 'string', 'Description': 'string', 'UpdatedAt': datetime(2015, 1, 1), 'CreatedAt': datetime(2015, 1, 1), 'ConfigurationPolicy': { 'SecurityHub': { 'ServiceEnabled': True|False, 'EnabledStandardIdentifiers': [ 'string', ], 'SecurityControlsConfiguration': { 'EnabledSecurityControlIdentifiers': [ 'string', ], 'DisabledSecurityControlIdentifiers': [ 'string', ], 'SecurityControlCustomParameters': [ { 'SecurityControlId': 'string', 'Parameters': { 'string': { 'ValueType': 'DEFAULT'|'CUSTOM', 'Value': { 'Integer': 123, 'IntegerList': [ 123, ], 'Double': 123.0, 'String': 'string', 'StringList': [ 'string', ], 'Boolean': True|False, 'Enum': 'string', 'EnumList': [ 'string', ] } } } }, ] } } } } **Response Structure** * *(dict) --* * **Arn** *(string) --* The ARN of the configuration policy. * **Id** *(string) --* The UUID of the configuration policy. * **Name** *(string) --* The name of the configuration policy. * **Description** *(string) --* The description of the configuration policy. * **UpdatedAt** *(datetime) --* The date and time, in UTC and ISO 8601 format, that the configuration policy was last updated. * **CreatedAt** *(datetime) --* The date and time, in UTC and ISO 8601 format, that the configuration policy was created. * **ConfigurationPolicy** *(dict) --* An object that defines how Security Hub is configured. It includes whether Security Hub is enabled or disabled, a list of enabled security standards, a list of enabled or disabled security controls, and a list of custom parameter values for specified controls. If the request included a list of security controls that are enabled in the configuration policy, Security Hub disables all other controls (including newly released controls). 
If the request included a list of security controls that are disabled in the configuration policy, Security Hub enables all other controls (including newly released controls). Note: This is a Tagged Union structure. Only one of the following top level keys will be set: "SecurityHub". If a client receives an unknown member it will set "SDK_UNKNOWN_MEMBER" as the top level key, which maps to the name or tag of the unknown member. The structure of "SDK_UNKNOWN_MEMBER" is as follows: 'SDK_UNKNOWN_MEMBER': {'name': 'UnknownMemberName'} * **SecurityHub** *(dict) --* The Amazon Web Services service that the configuration policy applies to. * **ServiceEnabled** *(boolean) --* Indicates whether Security Hub is enabled in the policy. * **EnabledStandardIdentifiers** *(list) --* A list that defines which security standards are enabled in the configuration policy. * *(string) --* * **SecurityControlsConfiguration** *(dict) --* An object that defines which security controls are enabled in the configuration policy. The enablement status of a control is aligned across all of the enabled standards in an account. * **EnabledSecurityControlIdentifiers** *(list) --* A list of security controls that are enabled in the configuration policy. Security Hub disables all other controls (including newly released controls) other than the listed controls. * *(string) --* * **DisabledSecurityControlIdentifiers** *(list) --* A list of security controls that are disabled in the configuration policy. Security Hub enables all other controls (including newly released controls) other than the listed controls. * *(string) --* * **SecurityControlCustomParameters** *(list) --* A list of security controls and control parameter values that are included in a configuration policy. * *(dict) --* A list of security controls and control parameter values that are included in a configuration policy. * **SecurityControlId** *(string) --* The ID of the security control. 
* **Parameters** *(dict) --* An object that specifies parameter values for a control in a configuration policy. * *(string) --* * *(dict) --* An object that provides the current value of a security control parameter and identifies whether it has been customized. * **ValueType** *(string) --* Identifies whether a control parameter uses a custom user-defined value or subscribes to the default Security Hub behavior. When "ValueType" is set equal to "DEFAULT", the default behavior can be a specific Security Hub default value, or the default behavior can be to ignore a specific parameter. When "ValueType" is set equal to "DEFAULT", Security Hub ignores user-provided input for the "Value" field. When "ValueType" is set equal to "CUSTOM", the "Value" field can't be empty. * **Value** *(dict) --* The current value of a control parameter. Note: This is a Tagged Union structure. Only one of the following top level keys will be set: "Integer", "IntegerList", "Double", "String", "StringList", "Boolean", "Enum", "EnumList". If a client receives an unknown member it will set "SDK_UNKNOWN_MEMBER" as the top level key, which maps to the name or tag of the unknown member. The structure of "SDK_UNKNOWN_MEMBER" is as follows: 'SDK_UNKNOWN_MEMBER': {'name': 'UnknownMemberName'} * **Integer** *(integer) --* A control parameter that is an integer. * **IntegerList** *(list) --* A control parameter that is a list of integers. * *(integer) --* * **Double** *(float) --* A control parameter that is a double. * **String** *(string) --* A control parameter that is a string. * **StringList** *(list) --* A control parameter that is a list of strings. * *(string) --* * **Boolean** *(boolean) --* A control parameter that is a boolean. * **Enum** *(string) --* A control parameter that is an enum. * **EnumList** *(list) --* A control parameter that is a list of enums. 
* *(string) --* **Exceptions** * "SecurityHub.Client.exceptions.InternalException" * "SecurityHub.Client.exceptions.InvalidAccessException" * "SecurityHub.Client.exceptions.InvalidInputException" * "SecurityHub.Client.exceptions.LimitExceededException" * "SecurityHub.Client.exceptions.ResourceNotFoundException" * "SecurityHub.Client.exceptions.AccessDeniedException" * "SecurityHub.Client.exceptions.ResourceConflictException" SecurityHub / Client / list_aggregators_v2 list_aggregators_v2 ******************* SecurityHub.Client.list_aggregators_v2(**kwargs) Retrieves a list of V2 aggregators. This API is in private preview and subject to change. See also: AWS API Documentation **Request Syntax** response = client.list_aggregators_v2( NextToken='string', MaxResults=123 ) Parameters: * **NextToken** (*string*) -- The token required for pagination. On your first call, set the value of this parameter to "NULL". For subsequent calls, to continue listing data, set the value of this parameter to the value returned in the previous response. * **MaxResults** (*integer*) -- The maximum number of results to return. Return type: dict Returns: **Response Syntax** { 'AggregatorsV2': [ { 'AggregatorV2Arn': 'string' }, ], 'NextToken': 'string' } **Response Structure** * *(dict) --* * **AggregatorsV2** *(list) --* An array of aggregators. * *(dict) --* Specifies a cross-Region data aggregation configuration, including the aggregation Region and any linked Regions. * **AggregatorV2Arn** *(string) --* The ARN of the aggregatorV2. * **NextToken** *(string) --* The pagination token to use to request the next page of results. Otherwise, this parameter is null. 
**Exceptions** * "SecurityHub.Client.exceptions.InternalServerException" * "SecurityHub.Client.exceptions.ThrottlingException" * "SecurityHub.Client.exceptions.AccessDeniedException" * "SecurityHub.Client.exceptions.ValidationException" * "SecurityHub.Client.exceptions.ResourceNotFoundException" * "SecurityHub.Client.exceptions.ConflictException" SecurityHub / Client / update_action_target update_action_target ******************** SecurityHub.Client.update_action_target(**kwargs) Updates the name and description of a custom action target in Security Hub. See also: AWS API Documentation **Request Syntax** response = client.update_action_target( ActionTargetArn='string', Name='string', Description='string' ) Parameters: * **ActionTargetArn** (*string*) -- **[REQUIRED]** The ARN of the custom action target to update. * **Name** (*string*) -- The updated name of the custom action target. * **Description** (*string*) -- The updated description for the custom action target. Return type: dict Returns: **Response Syntax** {} **Response Structure** * *(dict) --* **Exceptions** * "SecurityHub.Client.exceptions.InternalException" * "SecurityHub.Client.exceptions.InvalidInputException" * "SecurityHub.Client.exceptions.ResourceNotFoundException" * "SecurityHub.Client.exceptions.InvalidAccessException" * "SecurityHub.Client.exceptions.ResourceNotFoundException" SecurityHub / Client / close close ***** SecurityHub.Client.close() Closes underlying endpoint connections. SecurityHub / Client / disable_import_findings_for_product disable_import_findings_for_product *********************************** SecurityHub.Client.disable_import_findings_for_product(**kwargs) Disables the integration of the specified product with Security Hub. After the integration is disabled, findings from that product are no longer sent to Security Hub. 

   See also: AWS API Documentation

   **Request Syntax**

      response = client.disable_import_findings_for_product(
          ProductSubscriptionArn='string'
      )

   Parameters:
      **ProductSubscriptionArn** (*string*) -- **[REQUIRED]** The ARN of the integrated product to disable the integration for.

   Return type:
      dict

   Returns:
      **Response Syntax**

         {}

      **Response Structure**

      * *(dict) --*

   **Exceptions**

   * "SecurityHub.Client.exceptions.InternalException"
   * "SecurityHub.Client.exceptions.InvalidInputException"
   * "SecurityHub.Client.exceptions.ResourceNotFoundException"
   * "SecurityHub.Client.exceptions.InvalidAccessException"
   * "SecurityHub.Client.exceptions.LimitExceededException"

update_connector_v2
*******************

SecurityHub.Client.update_connector_v2(**kwargs)

   Grants permission to update a connectorV2 based on its id and input parameters. This API is in preview release and subject to change.

   See also: AWS API Documentation

   **Request Syntax**

      response = client.update_connector_v2(
          ConnectorId='string',
          ClientSecret='string',
          Description='string',
          Provider={
              'JiraCloud': {
                  'ProjectKey': 'string'
              }
          }
      )

   Parameters:
      * **ConnectorId** (*string*) -- **[REQUIRED]** The UUID of the connectorV2 to identify connectorV2 resource.

      * **ClientSecret** (*string*) -- The clientSecret of ServiceNow.

      * **Description** (*string*) -- The description of the connectorV2.

      * **Provider** (*dict*) -- The third-party provider’s service configuration.

        Note: This is a Tagged Union structure. Only one of the following top level keys can be set: "JiraCloud".

        * **JiraCloud** *(dict) --* The parameters required to update the configuration for a Jira Cloud integration.

          * **ProjectKey** *(string) --* **[REQUIRED]** The project key for a JiraCloud instance.

   Return type:
      dict

   Returns:
      **Response Syntax**

         {}

      **Response Structure**

      * *(dict) --*

   **Exceptions**

   * "SecurityHub.Client.exceptions.AccessDeniedException"
   * "SecurityHub.Client.exceptions.InternalServerException"
   * "SecurityHub.Client.exceptions.ValidationException"
   * "SecurityHub.Client.exceptions.ThrottlingException"
   * "SecurityHub.Client.exceptions.ConflictException"
   * "SecurityHub.Client.exceptions.ResourceNotFoundException"

list_standards_control_associations
***********************************

SecurityHub.Client.list_standards_control_associations(**kwargs)

   Specifies whether a control is currently enabled or disabled in each enabled standard in the calling account.

   This operation omits standards control associations for standard subscriptions where "StandardsControlsUpdatable" has value "NOT_READY_FOR_UPDATES".

   See also: AWS API Documentation

   **Request Syntax**

      response = client.list_standards_control_associations(
          SecurityControlId='string',
          NextToken='string',
          MaxResults=123
      )

   Parameters:
      * **SecurityControlId** (*string*) -- **[REQUIRED]** The identifier of the control (identified with "SecurityControlId", "SecurityControlArn", or a mix of both parameters) that you want to determine the enablement status of in each enabled standard.

      * **NextToken** (*string*) -- Optional pagination parameter.

      * **MaxResults** (*integer*) -- An optional parameter that limits the total results of the API response to the specified number. If this parameter isn't provided in the request, the results include the first 25 standard and control associations. The results also include a "NextToken" parameter that you can use in a subsequent API call to get the next 25 associations. This repeats until all associations for the specified control are returned. The number of results is limited by the number of supported Security Hub standards that you've enabled in the calling account.

   Return type:
      dict

   Returns:
      **Response Syntax**

         {
             'StandardsControlAssociationSummaries': [
                 {
                     'StandardsArn': 'string',
                     'SecurityControlId': 'string',
                     'SecurityControlArn': 'string',
                     'AssociationStatus': 'ENABLED'|'DISABLED',
                     'RelatedRequirements': [
                         'string',
                     ],
                     'UpdatedAt': datetime(2015, 1, 1),
                     'UpdatedReason': 'string',
                     'StandardsControlTitle': 'string',
                     'StandardsControlDescription': 'string'
                 },
             ],
             'NextToken': 'string'
         }

      **Response Structure**

      * *(dict) --*

        * **StandardsControlAssociationSummaries** *(list) --* An array that provides the enablement status and other details for each security control that applies to each enabled standard.

          * *(dict) --* An array that provides the enablement status and other details for each control that applies to each enabled standard.

            * **StandardsArn** *(string) --* The Amazon Resource Name (ARN) of a standard.

            * **SecurityControlId** *(string) --* A unique standard-agnostic identifier for a control. Values for this field typically consist of an Amazon Web Services service and a number, such as APIGateway.5. This field doesn't reference a specific standard.

            * **SecurityControlArn** *(string) --* The ARN of a control, such as "arn:aws:securityhub:eu-central-1:123456789012:security-control/S3.1". This parameter doesn't mention a specific standard.

            * **AssociationStatus** *(string) --* The enablement status of a control in a specific standard.

            * **RelatedRequirements** *(list) --* The requirement that underlies this control in the compliance framework related to the standard.

              * *(string) --*

            * **UpdatedAt** *(datetime) --* The last time that a control's enablement status in a specified standard was updated.

            * **UpdatedReason** *(string) --* The reason for updating a control's enablement status in a specified standard.

            * **StandardsControlTitle** *(string) --* The title of a control.

            * **StandardsControlDescription** *(string) --* The description of a control.
              This typically summarizes how Security Hub evaluates the control and the conditions under which it produces a failed finding. The parameter may reference a specific standard.

        * **NextToken** *(string) --* A pagination parameter that's included in the response only if it was included in the request.

   **Exceptions**

   * "SecurityHub.Client.exceptions.InternalException"
   * "SecurityHub.Client.exceptions.LimitExceededException"
   * "SecurityHub.Client.exceptions.InvalidAccessException"
   * "SecurityHub.Client.exceptions.InvalidInputException"

update_findings
***************

SecurityHub.Client.update_findings(**kwargs)

   "UpdateFindings" is a deprecated operation. Instead of "UpdateFindings", use the "BatchUpdateFindings" operation.

   The "UpdateFindings" operation updates the "Note" and "RecordState" of the Security Hub aggregated findings that the filter attributes specify. Any member account that can view the finding can also see the update to the finding.

   Finding updates made with "UpdateFindings" aren't persisted if the same finding is later updated by the finding provider through the "BatchImportFindings" operation. In addition, Security Hub doesn't record updates made with "UpdateFindings" in the finding history.
See also: AWS API Documentation **Request Syntax** response = client.update_findings( Filters={ 'ProductArn': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'AwsAccountId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'Id': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'GeneratorId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'Region': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'Type': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'FirstObservedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'LastObservedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'CreatedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'UpdatedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'SeverityProduct': [ { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 }, ], 'SeverityNormalized': [ { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 }, ], 'SeverityLabel': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'Confidence': [ { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 }, ], 'Criticality': [ { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 }, ], 'Title': [ { 'Value': 'string', 'Comparison': 
'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'Description': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'RecommendationText': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'SourceUrl': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ProductFields': [ { 'Key': 'string', 'Value': 'string', 'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS' }, ], 'ProductName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'CompanyName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'UserDefinedFields': [ { 'Key': 'string', 'Value': 'string', 'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS' }, ], 'MalwareName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'MalwareType': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'MalwarePath': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'MalwareState': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'NetworkDirection': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'NetworkProtocol': [ { 'Value': 'string', 'Comparison': 
'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'NetworkSourceIpV4': [ { 'Cidr': 'string' }, ], 'NetworkSourceIpV6': [ { 'Cidr': 'string' }, ], 'NetworkSourcePort': [ { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 }, ], 'NetworkSourceDomain': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'NetworkSourceMac': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'NetworkDestinationIpV4': [ { 'Cidr': 'string' }, ], 'NetworkDestinationIpV6': [ { 'Cidr': 'string' }, ], 'NetworkDestinationPort': [ { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 }, ], 'NetworkDestinationDomain': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ProcessName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ProcessPath': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ProcessPid': [ { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 }, ], 'ProcessParentPid': [ { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 }, ], 'ProcessLaunchedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'ProcessTerminatedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'ThreatIntelIndicatorType': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ThreatIntelIndicatorValue': [ { 'Value': 'string', 'Comparison': 
'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ThreatIntelIndicatorCategory': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ThreatIntelIndicatorLastObservedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'ThreatIntelIndicatorSource': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ThreatIntelIndicatorSourceUrl': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceType': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourcePartition': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceRegion': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceTags': [ { 'Key': 'string', 'Value': 'string', 'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS' }, ], 'ResourceAwsEc2InstanceType': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceAwsEc2InstanceImageId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceAwsEc2InstanceIpV4Addresses': [ { 'Cidr': 'string' }, ], 'ResourceAwsEc2InstanceIpV6Addresses': [ { 'Cidr': 'string' }, ], 'ResourceAwsEc2InstanceKeyName': [ { 'Value': 'string', 
'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceAwsEc2InstanceIamInstanceProfileArn': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceAwsEc2InstanceVpcId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceAwsEc2InstanceSubnetId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceAwsEc2InstanceLaunchedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'ResourceAwsS3BucketOwnerId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceAwsS3BucketOwnerName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceAwsIamAccessKeyUserName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceAwsIamAccessKeyPrincipalName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceAwsIamAccessKeyStatus': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceAwsIamAccessKeyCreatedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'ResourceAwsIamUserUserName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceContainerName': [ { 'Value': 'string', 'Comparison': 
'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceContainerImageId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceContainerImageName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceContainerLaunchedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'ResourceDetailsOther': [ { 'Key': 'string', 'Value': 'string', 'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS' }, ], 'ComplianceStatus': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'VerificationState': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'WorkflowState': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'WorkflowStatus': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'RecordState': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'RelatedFindingsProductArn': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'RelatedFindingsId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'NoteText': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'NoteUpdatedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 
'Value': 123, 'Unit': 'DAYS' } }, ], 'NoteUpdatedBy': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'Keyword': [ { 'Value': 'string' }, ], 'FindingProviderFieldsConfidence': [ { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 }, ], 'FindingProviderFieldsCriticality': [ { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 }, ], 'FindingProviderFieldsRelatedFindingsId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'FindingProviderFieldsRelatedFindingsProductArn': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'FindingProviderFieldsSeverityLabel': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'FindingProviderFieldsSeverityOriginal': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'FindingProviderFieldsTypes': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'Sample': [ { 'Value': True|False }, ], 'ComplianceSecurityControlId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ComplianceAssociatedStandardsId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'VulnerabilitiesExploitAvailable': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'VulnerabilitiesFixAvailable': [ { 'Value': 'string', 'Comparison': 
'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ComplianceSecurityControlParametersName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ComplianceSecurityControlParametersValue': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'AwsAccountName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceApplicationName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceApplicationArn': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ] }, Note={ 'Text': 'string', 'UpdatedBy': 'string' }, RecordState='ACTIVE'|'ARCHIVED' )

   **Parameters**

      # This section is too large to render.
      # Please see the AWS API Documentation linked below.

   AWS API Documentation

   Return type:
      dict

   Returns:
      **Response Syntax**

         {}

      **Response Structure**

      * *(dict) --*

   **Exceptions**

   * "SecurityHub.Client.exceptions.InternalException"
   * "SecurityHub.Client.exceptions.InvalidInputException"
   * "SecurityHub.Client.exceptions.LimitExceededException"
   * "SecurityHub.Client.exceptions.InvalidAccessException"
   * "SecurityHub.Client.exceptions.ResourceNotFoundException"

enable_import_findings_for_product
**********************************

SecurityHub.Client.enable_import_findings_for_product(**kwargs)

   Enables the integration of a partner product with Security Hub. Integrated products send findings to Security Hub.

   When you enable a product integration, a permissions policy that grants permission for the product to send findings to Security Hub is applied.

   See also: AWS API Documentation

   **Request Syntax**

      response = client.enable_import_findings_for_product(
          ProductArn='string'
      )

   Parameters:
      **ProductArn** (*string*) -- **[REQUIRED]** The ARN of the product to enable the integration for.

   Return type:
      dict

   Returns:
      **Response Syntax**

         {
             'ProductSubscriptionArn': 'string'
         }

      **Response Structure**

      * *(dict) --*

        * **ProductSubscriptionArn** *(string) --* The ARN of your subscription to the product to enable integrations for.

   **Exceptions**

   * "SecurityHub.Client.exceptions.InternalException"
   * "SecurityHub.Client.exceptions.InvalidInputException"
   * "SecurityHub.Client.exceptions.InvalidAccessException"
   * "SecurityHub.Client.exceptions.ResourceConflictException"
   * "SecurityHub.Client.exceptions.LimitExceededException"

batch_update_findings
*********************

SecurityHub.Client.batch_update_findings(**kwargs)

   Used by Security Hub customers to update information about their investigation into one or more findings. Requested by administrator accounts or member accounts. Administrator accounts can update findings for their account and their member accounts. A member account can update findings only for their own account.

   Administrator and member accounts can use this operation to update the following fields and objects for one or more findings:

   * "Confidence"
   * "Criticality"
   * "Note"
   * "RelatedFindings"
   * "Severity"
   * "Types"
   * "UserDefinedFields"
   * "VerificationState"
   * "Workflow"

   If you use this operation to update a finding, your updates don’t affect the value for the "UpdatedAt" field of the finding. Also note that it can take several minutes for Security Hub to process your request and update each finding specified in the request.

   You can configure IAM policies to restrict access to fields and field values. For example, you might not want member accounts to be able to suppress findings or change the finding severity.
   For more information see Configuring access to BatchUpdateFindings in the *Security Hub User Guide*.

   See also: AWS API Documentation

   **Request Syntax**

      response = client.batch_update_findings(
          FindingIdentifiers=[
              {
                  'Id': 'string',
                  'ProductArn': 'string'
              },
          ],
          Note={
              'Text': 'string',
              'UpdatedBy': 'string'
          },
          Severity={
              'Normalized': 123,
              'Product': 123.0,
              'Label': 'INFORMATIONAL'|'LOW'|'MEDIUM'|'HIGH'|'CRITICAL'
          },
          VerificationState='UNKNOWN'|'TRUE_POSITIVE'|'FALSE_POSITIVE'|'BENIGN_POSITIVE',
          Confidence=123,
          Criticality=123,
          Types=[
              'string',
          ],
          UserDefinedFields={
              'string': 'string'
          },
          Workflow={
              'Status': 'NEW'|'NOTIFIED'|'RESOLVED'|'SUPPRESSED'
          },
          RelatedFindings=[
              {
                  'ProductArn': 'string',
                  'Id': 'string'
              },
          ]
      )

   Parameters:
      * **FindingIdentifiers** (*list*) -- **[REQUIRED]** The list of findings to update. "BatchUpdateFindings" can be used to update up to 100 findings at a time. For each finding, the list provides the finding identifier and the ARN of the finding provider.

        * *(dict) --* Identifies which finding to get the finding history for.

          * **Id** *(string) --* **[REQUIRED]** The identifier of the finding that was specified by the finding provider.

          * **ProductArn** *(string) --* **[REQUIRED]** The ARN generated by Security Hub that uniquely identifies a product that generates findings. This can be the ARN for a third-party product that is integrated with Security Hub, or the ARN for a custom integration.

      * **Note** (*dict*) -- The updated note.

        * **Text** *(string) --* **[REQUIRED]** The updated note text.

        * **UpdatedBy** *(string) --* **[REQUIRED]** The principal that updated the note.

      * **Severity** (*dict*) -- Used to update the finding severity.

        * **Normalized** *(integer) --* The normalized severity for the finding. This attribute is to be deprecated in favor of "Label". If you provide "Normalized" and don't provide "Label", "Label" is set automatically as follows.

          * 0 - "INFORMATIONAL"
          * 1–39 - "LOW"
          * 40–69 - "MEDIUM"
          * 70–89 - "HIGH"
          * 90–100 - "CRITICAL"

        * **Product** *(float) --* The native severity as defined by the Amazon Web Services service or integrated partner product that generated the finding.

        * **Label** *(string) --* The severity value of the finding. The allowed values are the following.

          * "INFORMATIONAL" - No issue was found.
          * "LOW" - The issue does not require action on its own.
          * "MEDIUM" - The issue must be addressed but not urgently.
          * "HIGH" - The issue must be addressed as a priority.
          * "CRITICAL" - The issue must be remediated immediately to avoid it escalating.

      * **VerificationState** (*string*) -- Indicates the veracity of a finding. The available values for "VerificationState" are as follows.

        * "UNKNOWN" – The default disposition of a security finding
        * "TRUE_POSITIVE" – The security finding is confirmed
        * "FALSE_POSITIVE" – The security finding was determined to be a false alarm
        * "BENIGN_POSITIVE" – A special case of "TRUE_POSITIVE" where the finding doesn't pose any threat, is expected, or both

      * **Confidence** (*integer*) -- The updated value for the finding confidence. Confidence is defined as the likelihood that a finding accurately identifies the behavior or issue that it was intended to identify.

        Confidence is scored on a 0-100 basis using a ratio scale, where 0 means zero percent confidence and 100 means 100 percent confidence.

      * **Criticality** (*integer*) -- The updated value for the level of importance assigned to the resources associated with the findings.

        A score of 0 means that the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources.

      * **Types** (*list*) -- One or more finding types in the format of namespace/category/classifier that classify a finding. Valid namespace values are as follows.

        * Software and Configuration Checks
        * TTPs
        * Effects
        * Unusual Behaviors
        * Sensitive Data Identifications

        * *(string) --*

      * **UserDefinedFields** (*dict*) -- A list of name/value string pairs associated with the finding. These are custom, user-defined fields added to a finding.

        * *(string) --*

          * *(string) --*

      * **Workflow** (*dict*) -- Used to update the workflow status of a finding. The workflow status indicates the progress of the investigation into the finding.

        * **Status** *(string) --* The status of the investigation into the finding. The workflow status is specific to an individual finding. It does not affect the generation of new findings. For example, setting the workflow status to "SUPPRESSED" or "RESOLVED" does not prevent a new finding for the same issue.

          The allowed values are the following.

          * "NEW" - The initial state of a finding, before it is reviewed. Security Hub also resets "WorkFlowStatus" from "NOTIFIED" or "RESOLVED" to "NEW" in the following cases:

            * The record state changes from "ARCHIVED" to "ACTIVE".
            * The compliance status changes from "PASSED" to either "WARNING", "FAILED", or "NOT_AVAILABLE".

          * "NOTIFIED" - Indicates that you notified the resource owner about the security issue. Used when the initial reviewer is not the resource owner, and needs intervention from the resource owner.

          * "RESOLVED" - The finding was reviewed and remediated and is now considered resolved.

          * "SUPPRESSED" - Indicates that you reviewed the finding and don't believe that any action is needed. The finding is no longer updated.

      * **RelatedFindings** (*list*) -- A list of findings that are related to the updated findings.

        * *(dict) --* Details about a related finding.

          * **ProductArn** *(string) --* **[REQUIRED]** The ARN of the product that generated a related finding.

          * **Id** *(string) --* **[REQUIRED]** The product-generated identifier for a related finding.
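
Added example (not part of the boto3 documentation): one way to apply the same update to more findings than the 100-per-call limit allows, and to act on the per-finding `UnprocessedFindings` entries that `batch_update_findings` returns instead of assuming a successful call updated everything. The names `update_in_batches`, `dedupe`, `StubClient` and `demo`, the choice of which error codes to retry, and all sample values are assumptions of this example; `client` is expected to be a boto3 SecurityHub client.

```python
import time

MAX_BATCH = 100  # per-call limit stated for FindingIdentifiers
# Error codes this example treats as transient (an assumption of the example).
RETRYABLE = {"ConcurrentUpdateError", "InternalFailure"}


def dedupe(identifiers):
    """Drop repeated (Id, ProductArn) pairs, which the API reports as
    DuplicatedFindingIdentifier, keeping first-seen order."""
    seen, unique = set(), []
    for ident in identifiers:
        key = (ident["Id"], ident["ProductArn"])
        if key not in seen:
            seen.add(key)
            unique.append({"Id": ident["Id"], "ProductArn": ident["ProductArn"]})
    return unique


def update_in_batches(client, identifiers, max_attempts=3, backoff=1.0,
                      sleep=time.sleep, **fields):
    """Apply the same field updates (Workflow=..., Note=..., ...) to many findings.

    Returns (processed, failed). `failed` holds the UnprocessedFindings entries
    that were not retryable or still failed on the last attempt.
    """
    if not fields:
        raise ValueError("no fields to update")
    pending = dedupe(identifiers)
    processed, failed = [], []
    for attempt in range(1, max_attempts + 1):
        retry = []
        for start in range(0, len(pending), MAX_BATCH):
            batch = pending[start:start + MAX_BATCH]
            resp = client.batch_update_findings(FindingIdentifiers=batch, **fields)
            processed.extend(resp.get("ProcessedFindings", []))
            for item in resp.get("UnprocessedFindings", []):
                if item["ErrorCode"] in RETRYABLE and attempt < max_attempts:
                    retry.append(item["FindingIdentifier"])
                else:
                    failed.append(item)
        if not retry:
            break
        sleep(backoff * 2 ** (attempt - 1))  # let concurrent writers finish
        pending = retry
    return processed, failed


class StubClient:
    """Constructed stand-in for a boto3 SecurityHub client (offline demo only)."""

    def __init__(self, conflict_once=(), missing=()):
        self.conflict_once = set(conflict_once)  # fail once, then succeed
        self.missing = set(missing)              # never found
        self.batch_sizes = []

    def batch_update_findings(self, FindingIdentifiers, **fields):
        self.batch_sizes.append(len(FindingIdentifiers))
        done, undone = [], []
        for ident in FindingIdentifiers:
            if ident["Id"] in self.conflict_once:
                self.conflict_once.discard(ident["Id"])
                undone.append({"FindingIdentifier": ident,
                               "ErrorCode": "ConcurrentUpdateError",
                               "ErrorMessage": "Concurrent finding updates detected"})
            elif ident["Id"] in self.missing:
                undone.append({"FindingIdentifier": ident,
                               "ErrorCode": "FindingNotFound",
                               "ErrorMessage": "Finding Not Found"})
            else:
                done.append(ident)
        return {"ProcessedFindings": done, "UnprocessedFindings": undone}


def demo():
    # Constructed identifiers: 250 findings, one duplicate, one unknown Id.
    arn = "arn:aws:securityhub:us-east-1:111122223333:product/example/example"
    ids = [{"Id": f"finding-{n}", "ProductArn": arn} for n in range(250)]
    ids.append(dict(ids[0]))
    ids.append({"Id": "gone", "ProductArn": arn})
    client = StubClient(conflict_once={"finding-7"}, missing={"gone"})
    processed, failed = update_in_batches(
        client, ids, sleep=lambda seconds: None,
        Workflow={"Status": "NOTIFIED"},
        Note={"Text": "Owner notified", "UpdatedBy": "triage-automation"},
    )
    return len(processed), [f["ErrorCode"] for f in failed], client.batch_sizes


if __name__ == "__main__":
    print(demo())
```

Entries left in `failed` (for example `FindingNotFound`) are worth logging with their `FindingIdentifier`, since the call itself raises no exception for them.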

   Return type:
      dict

   Returns:
      **Response Syntax**

         {
             'ProcessedFindings': [
                 {
                     'Id': 'string',
                     'ProductArn': 'string'
                 },
             ],
             'UnprocessedFindings': [
                 {
                     'FindingIdentifier': {
                         'Id': 'string',
                         'ProductArn': 'string'
                     },
                     'ErrorCode': 'string',
                     'ErrorMessage': 'string'
                 },
             ]
         }

      **Response Structure**

      * *(dict) --*

        * **ProcessedFindings** *(list) --* The list of findings that were updated successfully.

          * *(dict) --* Identifies which finding to get the finding history for.

            * **Id** *(string) --* The identifier of the finding that was specified by the finding provider.

            * **ProductArn** *(string) --* The ARN generated by Security Hub that uniquely identifies a product that generates findings. This can be the ARN for a third-party product that is integrated with Security Hub, or the ARN for a custom integration.

        * **UnprocessedFindings** *(list) --* The list of findings that were not updated.

          * *(dict) --* A finding from a "BatchUpdateFindings" request that Security Hub was unable to update.

            * **FindingIdentifier** *(dict) --* The identifier of the finding that was not updated.

              * **Id** *(string) --* The identifier of the finding that was specified by the finding provider.

              * **ProductArn** *(string) --* The ARN generated by Security Hub that uniquely identifies a product that generates findings. This can be the ARN for a third-party product that is integrated with Security Hub, or the ARN for a custom integration.

            * **ErrorCode** *(string) --* The code associated with the error. Possible values are:

              * "ConcurrentUpdateError" - Another request attempted to update the finding while this request was being processed. This error may also occur if you call BatchUpdateFindings and BatchImportFindings at the same time.

              * "DuplicatedFindingIdentifier" - The request included two or more findings with the same "FindingIdentifier".

              * "FindingNotFound" - The "FindingIdentifier" included in the request did not match an existing finding.
* "FindingSizeExceeded" - The finding size was greater than the permissible value of 240 KB. * "InternalFailure" - An internal service failure occurred when updating the finding. * "InvalidInput" - The finding update contained an invalid value that did not satisfy the Amazon Web Services Security Finding Format syntax. * **ErrorMessage** *(string) --* The message associated with the error. Possible values are: * "Concurrent finding updates detected" * "Finding Identifier is duplicated" * "Finding Not Found" * "Finding size exceeded 240 KB" * "Internal service failure" * "Invalid Input" **Exceptions** * "SecurityHub.Client.exceptions.InternalException" * "SecurityHub.Client.exceptions.InvalidInputException" * "SecurityHub.Client.exceptions.LimitExceededException" * "SecurityHub.Client.exceptions.InvalidAccessException"

get_finding_history
*******************

SecurityHub.Client.get_finding_history(**kwargs)

Returns the history of a Security Hub finding. The history includes changes made to any fields in the Amazon Web Services Security Finding Format (ASFF) except top-level timestamp fields, such as the "CreatedAt" and "UpdatedAt" fields.

This operation might return fewer results than the maximum number of results ("MaxResults") specified in a request, even when more results are available. If this occurs, the response includes a "NextToken" value, which you should use to retrieve the next set of results in the response. The presence of a "NextToken" value in a response doesn't necessarily indicate that the results are incomplete. However, you should continue to specify a "NextToken" value until you receive a response that doesn't include this value.
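The pagination rule above, combined with the record fields documented for this operation, can be used to audit who changed a finding. The following is an added example, not part of the boto3 documentation: the stub client, the sample records, the ARNs and the "Workflow.Status" field name are constructed assumptions so the code runs offline. With a real account, pass a client created with boto3.client("securityhub") instead of the stub.

```python
from datetime import datetime, timezone


def iter_finding_history(client, finding_id, product_arn,
                         start_time=None, end_time=None, max_pages=500):
    """Yield every history record for one finding, following NextToken.

    A page may be short or even empty and still carry a token, so the loop
    stops only when a response has no NextToken.
    """
    kwargs = {"FindingIdentifier": {"Id": finding_id, "ProductArn": product_arn}}
    if start_time is not None:
        kwargs["StartTime"] = start_time
    if end_time is not None:
        kwargs["EndTime"] = end_time
    seen_tokens = set()
    for _ in range(max_pages):
        page = client.get_finding_history(**kwargs)  # first call sends no NextToken
        yield from page.get("Records", [])
        token = page.get("NextToken")
        if not token:
            return
        if token in seen_tokens:
            raise RuntimeError("NextToken repeated; stopping to avoid a loop")
        seen_tokens.add(token)
        kwargs["NextToken"] = token
    raise RuntimeError("max_pages reached before the history was exhausted")


def field_changes(records, field, new_value, source_type="BATCH_UPDATE_FINDINGS"):
    """Return the events that set `field` to `new_value`, oldest first.

    NewValue can be missing (Security Hub omits it for oversized records).
    Those events are kept with matched=None so a reviewer checks them by hand.
    """
    earliest = datetime.min.replace(tzinfo=timezone.utc)
    hits = []
    for record in records:
        source = record.get("UpdateSource", {})
        if source_type and source.get("Type") != source_type:
            continue
        for update in record.get("Updates", []):
            if update.get("UpdatedField") != field:
                continue
            observed = update.get("NewValue")
            if observed is not None and observed != new_value:
                continue
            hits.append({
                "when": record.get("UpdateTime"),
                "identity": source.get("Identity"),
                "old": update.get("OldValue"),
                "matched": True if observed == new_value else None,
            })
    return sorted(hits, key=lambda hit: hit["when"] or earliest)


class StubSecurityHub:
    """Constructed stand-in for the boto3 client; tokens are page indexes."""

    def __init__(self, pages):
        self.pages = pages
        self.calls = []

    def get_finding_history(self, **kwargs):
        self.calls.append(dict(kwargs))
        return self.pages[int(kwargs.get("NextToken", "0"))]


def at(hour):
    return datetime(2024, 5, 1, hour, tzinfo=timezone.utc)


# Constructed sample data: three pages, the second one empty but with a token.
PRODUCT = "arn:aws:securityhub:us-east-1::product/example/example"
ROLE = "arn:aws:sts::111122223333:assumed-role/example-role/"
SAMPLE_PAGES = [
    {"Records": [{"UpdateTime": at(9), "FindingCreated": True,
                  "UpdateSource": {"Type": "BATCH_IMPORT_FINDINGS", "Identity": PRODUCT},
                  "Updates": []}],
     "NextToken": "1"},
    {"Records": [], "NextToken": "2"},
    {"Records": [
        {"UpdateTime": at(12), "FindingCreated": False,
         "UpdateSource": {"Type": "BATCH_UPDATE_FINDINGS", "Identity": ROLE + "bob"},
         # NewValue omitted, as the API may do for oversized records
         "Updates": [{"UpdatedField": "Workflow.Status", "OldValue": "NEW"}]},
        {"UpdateTime": at(11), "FindingCreated": False,
         "UpdateSource": {"Type": "BATCH_UPDATE_FINDINGS", "Identity": ROLE + "alice"},
         "Updates": [{"UpdatedField": "Workflow.Status", "OldValue": "NEW",
                      "NewValue": "SUPPRESSED"}]},
    ]},
]


def audit_sample():
    client = StubSecurityHub(SAMPLE_PAGES)
    records = list(iter_finding_history(client, "example-finding-id", PRODUCT))
    return client, records, field_changes(records, "Workflow.Status", "SUPPRESSED")


if __name__ == "__main__":
    for hit in audit_sample()[2]:
        print(hit["when"].isoformat(), hit["identity"], hit["old"], hit["matched"])
```
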
See also: AWS API Documentation **Request Syntax** response = client.get_finding_history( FindingIdentifier={ 'Id': 'string', 'ProductArn': 'string' }, StartTime=datetime(2015, 1, 1), EndTime=datetime(2015, 1, 1), NextToken='string', MaxResults=123 ) Parameters: * **FindingIdentifier** (*dict*) -- **[REQUIRED]** Identifies which finding to get the finding history for. * **Id** *(string) --* **[REQUIRED]** The identifier of the finding that was specified by the finding provider. * **ProductArn** *(string) --* **[REQUIRED]** The ARN generated by Security Hub that uniquely identifies a product that generates findings. This can be the ARN for a third-party product that is integrated with Security Hub, or the ARN for a custom integration. * **StartTime** (*datetime*) -- A timestamp that indicates the start time of the requested finding history. If you provide values for both "StartTime" and "EndTime", Security Hub returns finding history for the specified time period. If you provide a value for "StartTime" but not for "EndTime", Security Hub returns finding history from the "StartTime" to the time at which the API is called. If you provide a value for "EndTime" but not for "StartTime", Security Hub returns finding history from the CreatedAt timestamp of the finding to the "EndTime". If you provide neither "StartTime" nor "EndTime", Security Hub returns finding history from the "CreatedAt" timestamp of the finding to the time at which the API is called. In all of these scenarios, the response is limited to 100 results. For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps. * **EndTime** (*datetime*) -- An ISO 8601-formatted timestamp that indicates the end time of the requested finding history. If you provide values for both "StartTime" and "EndTime", Security Hub returns finding history for the specified time period. 
If you provide a value for "StartTime" but not for "EndTime", Security Hub returns finding history from the "StartTime" to the time at which the API is called. If you provide a value for "EndTime" but not for "StartTime", Security Hub returns finding history from the CreatedAt timestamp of the finding to the "EndTime". If you provide neither "StartTime" nor "EndTime", Security Hub returns finding history from the "CreatedAt" timestamp of the finding to the time at which the API is called. In all of these scenarios, the response is limited to 100 results. For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps. * **NextToken** (*string*) -- A token for pagination purposes. Provide "NULL" as the initial value. In subsequent requests, provide the token included in the response to get up to an additional 100 results of finding history. If you don’t provide "NextToken", Security Hub returns up to 100 results of finding history for each request. * **MaxResults** (*integer*) -- The maximum number of results to be returned. If you don’t provide it, Security Hub returns up to 100 results of finding history. Return type: dict Returns: **Response Syntax** { 'Records': [ { 'FindingIdentifier': { 'Id': 'string', 'ProductArn': 'string' }, 'UpdateTime': datetime(2015, 1, 1), 'FindingCreated': True|False, 'UpdateSource': { 'Type': 'BATCH_UPDATE_FINDINGS'|'BATCH_IMPORT_FINDINGS', 'Identity': 'string' }, 'Updates': [ { 'UpdatedField': 'string', 'OldValue': 'string', 'NewValue': 'string' }, ], 'NextToken': 'string' }, ], 'NextToken': 'string' } **Response Structure** * *(dict) --* * **Records** *(list) --* A list of events that altered the specified finding during the specified time period. * *(dict) --* A list of events that changed the specified finding during the specified time period. Each record represents a single finding change event. 
* **FindingIdentifier** *(dict) --* Identifies which finding to get the finding history for. * **Id** *(string) --* The identifier of the finding that was specified by the finding provider. * **ProductArn** *(string) --* The ARN generated by Security Hub that uniquely identifies a product that generates findings. This can be the ARN for a third-party product that is integrated with Security Hub, or the ARN for a custom integration. * **UpdateTime** *(datetime) --* A timestamp that indicates when Security Hub processed the updated finding record. For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps. * **FindingCreated** *(boolean) --* Identifies whether the event marks the creation of a new finding. A value of "True" means that the finding is newly created. A value of "False" means that the finding isn’t newly created. * **UpdateSource** *(dict) --* Identifies the source of the event that changed the finding. For example, an integrated Amazon Web Services service or third-party partner integration may call BatchImportFindings, or a Security Hub customer may call BatchUpdateFindings. * **Type** *(string) --* Describes the type of finding change event, such as a call to BatchImportFindings (by an integrated Amazon Web Services service or third-party partner integration) or BatchUpdateFindings (by a Security Hub customer). * **Identity** *(string) --* The identity of the source that initiated the finding change event. For example, the Amazon Resource Name (ARN) of a partner that calls BatchImportFindings or of a customer that calls BatchUpdateFindings. * **Updates** *(list) --* An array of objects that provides details about the finding change event, including the Amazon Web Services Security Finding Format (ASFF) field that changed, the value of the field before the change, and the value of the field after the change.
* *(dict) --* An array of objects that provides details about a change to a finding, including the Amazon Web Services Security Finding Format (ASFF) field that changed, the value of the field before the change, and the value of the field after the change. * **UpdatedField** *(string) --* The ASFF field that changed during the finding change event. * **OldValue** *(string) --* The value of the ASFF field before the finding change event. * **NewValue** *(string) --* The value of the ASFF field after the finding change event. To preserve storage and readability, Security Hub omits this value if FindingHistoryRecord exceeds database limits. * **NextToken** *(string) --* A token for pagination purposes. Provide this token in the subsequent request to GetFindingsHistory to get up to an additional 100 results of history for the same finding that you specified in your initial request. * **NextToken** *(string) --* A token for pagination purposes. Provide this token in the subsequent request to "GetFindingsHistory" to get up to an additional 100 results of history for the same finding that you specified in your initial request. **Exceptions** * "SecurityHub.Client.exceptions.InternalException" * "SecurityHub.Client.exceptions.InvalidInputException" * "SecurityHub.Client.exceptions.InvalidAccessException" * "SecurityHub.Client.exceptions.LimitExceededException"

get_automation_rule_v2
**********************

SecurityHub.Client.get_automation_rule_v2(**kwargs)

Returns an automation rule for the V2 service. This API is in private preview and subject to change. See also: AWS API Documentation **Request Syntax** response = client.get_automation_rule_v2( Identifier='string' ) Parameters: **Identifier** (*string*) -- **[REQUIRED]** The ARN of the V2 automation rule.
Return type: dict Returns: **Response Syntax** { 'RuleArn': 'string', 'RuleId': 'string', 'RuleOrder': ..., 'RuleName': 'string', 'RuleStatus': 'ENABLED'|'DISABLED', 'Description': 'string', 'Criteria': { 'OcsfFindingCriteria': { 'CompositeFilters': [ { 'StringFilters': [ { 'FieldName': 'metadata.uid'|'activity_name'|'cloud.account.uid'|'cloud.provider'|'cloud.region'|'compliance.assessments.category'|'compliance.assessments.name'|'compliance.control'|'compliance.status'|'compliance.standards'|'finding_info.desc'|'finding_info.src_url'|'finding_info.title'|'finding_info.types'|'finding_info.uid'|'finding_info.related_events.uid'|'finding_info.related_events.product.uid'|'finding_info.related_events.title'|'metadata.product.name'|'metadata.product.uid'|'metadata.product.vendor_name'|'remediation.desc'|'remediation.references'|'resources.cloud_partition'|'resources.region'|'resources.type'|'resources.uid'|'severity'|'status'|'comment'|'vulnerabilities.fix_coverage'|'class_name', 'Filter': { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' } }, ], 'DateFilters': [ { 'FieldName': 'finding_info.created_time_dt'|'finding_info.first_seen_time_dt'|'finding_info.last_seen_time_dt'|'finding_info.modified_time_dt', 'Filter': { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } } }, ], 'BooleanFilters': [ { 'FieldName': 'compliance.assessments.meets_criteria'|'vulnerabilities.is_exploit_available'|'vulnerabilities.is_fix_available', 'Filter': { 'Value': True|False } }, ], 'NumberFilters': [ { 'FieldName': 'activity_id'|'compliance.status_id'|'confidence_score'|'severity_id'|'status_id'|'finding_info.related_events_count', 'Filter': { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 } }, ], 'MapFilters': [ { 'FieldName': 'resources.tags', 'Filter': { 'Key': 'string', 'Value': 'string', 'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS' } }, ], 
'Operator': 'AND'|'OR' }, ], 'CompositeOperator': 'AND'|'OR' } }, 'Actions': [ { 'Type': 'FINDING_FIELDS_UPDATE'|'EXTERNAL_INTEGRATION', 'FindingFieldsUpdate': { 'SeverityId': 123, 'Comment': 'string', 'StatusId': 123 }, 'ExternalIntegrationConfiguration': { 'ConnectorArn': 'string' } }, ], 'CreatedAt': datetime(2015, 1, 1), 'UpdatedAt': datetime(2015, 1, 1) } **Response Structure** * *(dict) --* * **RuleArn** *(string) --* The ARN of the V2 automation rule. * **RuleId** *(string) --* The ID of the V2 automation rule. * **RuleOrder** *(float) --* The value for the rule priority. * **RuleName** *(string) --* The name of the V2 automation rule. * **RuleStatus** *(string) --* The status of the V2 automation rule. * **Description** *(string) --* A description of the automation rule. * **Criteria** *(dict) --* The filtering type and configuration of the V2 automation rule. Note: This is a Tagged Union structure. Only one of the following top level keys will be set: "OcsfFindingCriteria". If a client receives an unknown member it will set "SDK_UNKNOWN_MEMBER" as the top level key, which maps to the name or tag of the unknown member. The structure of "SDK_UNKNOWN_MEMBER" is as follows: 'SDK_UNKNOWN_MEMBER': {'name': 'UnknownMemberName'} * **OcsfFindingCriteria** *(dict) --* The filtering conditions that align with OCSF standards. * **CompositeFilters** *(list) --* Enables the creation of complex filtering conditions by combining filter criteria. * *(dict) --* Enables the creation of filtering criteria for security findings. * **StringFilters** *(list) --* Enables filtering based on string field values. * *(dict) --* Enables filtering of security findings based on string field values in OCSF. * **FieldName** *(string) --* The name of the field. * **Filter** *(dict) --* A string filter for filtering Security Hub findings. * **Value** *(string) --* The string filter value. Filter values are case sensitive.
For example, the product name for control-based findings is "Security Hub". If you provide "security hub" as the filter value, there's no match. * **Comparison** *(string) --* The condition to apply to a string value when filtering Security Hub findings. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, the filter "Title CONTAINS CloudFront" matches findings that have a "Title" that includes the string CloudFront. * To search for values that exactly match the filter value, use "EQUALS". For example, the filter "AwsAccountId EQUALS 123456789012" only matches findings that have an account ID of "123456789012". * To search for values that start with the filter value, use "PREFIX". For example, the filter "ResourceRegion PREFIX us" matches findings that have a "ResourceRegion" that starts with "us". A "ResourceRegion" that starts with a different value, such as "af", "ap", or "ca", doesn't match. "CONTAINS", "EQUALS", and "PREFIX" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Title CONTAINS CloudFront OR Title CONTAINS CloudWatch" match a finding that includes either "CloudFront", "CloudWatch", or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, the filter "Title NOT_CONTAINS CloudFront" matches findings that have a "Title" that excludes the string CloudFront. * To search for values other than the filter value, use "NOT_EQUALS". For example, the filter "AwsAccountId NOT_EQUALS 123456789012" only matches findings that have an account ID other than "123456789012". * To search for values that don't start with the filter value, use "PREFIX_NOT_EQUALS". 
For example, the filter "ResourceRegion PREFIX_NOT_EQUALS us" matches findings with a "ResourceRegion" that starts with a value other than "us". "NOT_CONTAINS", "NOT_EQUALS", and "PREFIX_NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch" match a finding that excludes both "CloudFront" and "CloudWatch" in the title. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can't provide both an "EQUALS" filter and a "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can combine "PREFIX" filters with "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters for the same field. Security Hub first processes the "PREFIX" filters, and then the "NOT_EQUALS" or "PREFIX_NOT_EQUALS" filters. For example, for the following filters, Security Hub first identifies findings that have resource types that start with either "AwsIam" or "AwsEc2". It then excludes findings that have a resource type of "AwsIamPolicy" and findings that have a resource type of "AwsEc2NetworkInterface". * "ResourceType PREFIX AwsIam" * "ResourceType PREFIX AwsEc2" * "ResourceType NOT_EQUALS AwsIamPolicy" * "ResourceType NOT_EQUALS AwsEc2NetworkInterface" "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules V1. "CONTAINS_WORD" operator is only supported in "GetFindingsV2", "GetFindingStatisticsV2", "GetResourcesV2", and "GetResourceStatisticsV2" APIs. For more information, see Automation rules in the *Security Hub User Guide*. * **DateFilters** *(list) --* Enables filtering based on date and timestamp fields. 
* *(dict) --* Enables filtering of security findings based on date and timestamp fields in OCSF. * **FieldName** *(string) --* The name of the field. * **Filter** *(dict) --* A date filter for querying findings. * **Start** *(string) --* A timestamp that provides the start date for the date filter. For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps. * **End** *(string) --* A timestamp that provides the end date for the date filter. For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps. * **DateRange** *(dict) --* A date range for the date filter. * **Value** *(integer) --* A date range value for the date filter. * **Unit** *(string) --* A date range unit for the date filter. * **BooleanFilters** *(list) --* Enables filtering based on boolean field values. * *(dict) --* Enables filtering of security findings based on boolean field values in OCSF. * **FieldName** *(string) --* The name of the field. * **Filter** *(dict) --* Boolean filter for querying findings. * **Value** *(boolean) --* The value of the boolean. * **NumberFilters** *(list) --* Enables filtering based on numerical field values. * *(dict) --* Enables filtering of security findings based on numerical field values in OCSF. * **FieldName** *(string) --* The name of the field. * **Filter** *(dict) --* A number filter for querying findings. * **Gte** *(float) --* The greater-than-equal condition to be applied to a single field when querying for findings. * **Lte** *(float) --* The less-than-equal condition to be applied to a single field when querying for findings. * **Eq** *(float) --* The equal-to condition to be applied to a single field when querying for findings. * **Gt** *(float) --* The greater-than condition to be applied to a single field when querying for findings. * **Lt** *(float) --* The less-than condition to be applied to a single field when querying for findings. 
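The string-filter "Comparison" rules described above (positive operators on one field joined by "OR", negative operators joined by "AND", "PREFIX" applied before the exclusions, and the combinations that return an error) can be checked locally before a rule is created. The following is an added example, not boto3 or Security Hub code: it is a local model of the documented semantics for filters on a single field, the finding is represented as a flat dict, and treating a missing field as "no match" is an assumption. How the "Operator" value combines different fields is not modelled.

```python
from collections import defaultdict

# Case-sensitive comparisons, as the Value description requires.
POSITIVE = {
    "EQUALS": lambda value, needle: value == needle,
    "PREFIX": lambda value, needle: value.startswith(needle),
    "CONTAINS": lambda value, needle: needle in value,
}
NEGATIVE = {
    "NOT_EQUALS": lambda value, needle: value != needle,
    "PREFIX_NOT_EQUALS": lambda value, needle: not value.startswith(needle),
    "NOT_CONTAINS": lambda value, needle: needle not in value,
}


class FilterError(ValueError):
    """Raised for operator combinations the reference says return an error."""


def string_filter(field, comparison, value):
    """Build one StringFilters entry in the shape shown in the response syntax."""
    return {"FieldName": field, "Filter": {"Value": value, "Comparison": comparison}}


def group_by_field(string_filters):
    groups = defaultdict(list)
    for entry in string_filters:
        comparison = entry["Filter"]["Comparison"]
        if comparison not in POSITIVE and comparison not in NEGATIVE:
            # e.g. CONTAINS_WORD, which is documented only for the query APIs
            raise FilterError(f"{comparison} is not modelled in this example")
        groups[entry["FieldName"]].append((comparison, entry["Filter"]["Value"]))
    return dict(groups)


def check_combination(field, pairs):
    """Reject the same-field combinations that the reference rules out."""
    operators = {comparison for comparison, _ in pairs}
    if "CONTAINS" in operators and operators != {"CONTAINS"}:
        raise FilterError(f"{field}: CONTAINS only combines with CONTAINS")
    if "NOT_CONTAINS" in operators and operators != {"NOT_CONTAINS"}:
        raise FilterError(f"{field}: NOT_CONTAINS only combines with NOT_CONTAINS")
    if "EQUALS" in operators and operators & {"NOT_EQUALS", "PREFIX_NOT_EQUALS"}:
        raise FilterError(f"{field}: EQUALS cannot be mixed with a negative filter")


def field_matches(value, pairs):
    positives = [(c, v) for c, v in pairs if c in POSITIVE]
    negatives = [(c, v) for c, v in pairs if c in NEGATIVE]
    # Positive filters first (any one is enough), then every exclusion must hold.
    if positives and not any(POSITIVE[c](value, v) for c, v in positives):
        return False
    return all(NEGATIVE[c](value, v) for c, v in negatives)


def evaluate(string_filters, finding):
    """Return {field name: True/False} for each filtered field of `finding`."""
    result = {}
    for field, pairs in group_by_field(string_filters).items():
        check_combination(field, pairs)
        value = finding.get(field)  # assumption: a missing field never matches
        result[field] = value is not None and field_matches(value, pairs)
    return result


# The worked example from the reference text, using its field name and values.
PAGE_EXAMPLE = [
    string_filter("ResourceType", "PREFIX", "AwsIam"),
    string_filter("ResourceType", "PREFIX", "AwsEc2"),
    string_filter("ResourceType", "NOT_EQUALS", "AwsIamPolicy"),
    string_filter("ResourceType", "NOT_EQUALS", "AwsEc2NetworkInterface"),
]

if __name__ == "__main__":
    for resource_type in ("AwsIamRole", "AwsIamPolicy", "AwsEc2Instance", "AwsS3Bucket"):
        print(resource_type, evaluate(PAGE_EXAMPLE, {"ResourceType": resource_type}))
```

Running a rule's filters through a model like this against a handful of representative findings shows which ones a suppression or severity-changing rule would touch before the rule is enabled.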
* **MapFilters** *(list) --* Enables filtering based on map field values. * *(dict) --* Enables filtering of security findings based on map field values in OCSF. * **FieldName** *(string) --* The name of the field. * **Filter** *(dict) --* A map filter for filtering Security Hub findings. Each map filter provides the field to check for, the value to check for, and the comparison operator. * **Key** *(string) --* The key of the map filter. For example, for "ResourceTags", "Key" identifies the name of the tag. For "UserDefinedFields", "Key" is the name of the field. * **Value** *(string) --* The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called "Department" might be "Security". If you provide "security" as the filter value, then there's no match. * **Comparison** *(string) --* The condition to apply to the key value when filtering Security Hub findings with a map filter. To search for values that have the filter value, use one of the following comparison operators: * To search for values that include the filter value, use "CONTAINS". For example, for the "ResourceTags" field, the filter "Department CONTAINS Security" matches findings that include the value "Security" for the "Department" tag. In the same example, a finding with a value of "Security team" for the "Department" tag is a match. * To search for values that exactly match the filter value, use "EQUALS". For example, for the "ResourceTags" field, the filter "Department EQUALS Security" matches findings that have the value "Security" for the "Department" tag. "CONTAINS" and "EQUALS" filters on the same field are joined by "OR". A finding matches if it matches any one of those filters. For example, the filters "Department CONTAINS Security OR Department CONTAINS Finance" match a finding that includes either "Security", "Finance", or both values. 
To search for values that don't have the filter value, use one of the following comparison operators: * To search for values that exclude the filter value, use "NOT_CONTAINS". For example, for the "ResourceTags" field, the filter "Department NOT_CONTAINS Finance" matches findings that exclude the value "Finance" for the "Department" tag. * To search for values other than the filter value, use "NOT_EQUALS". For example, for the "ResourceTags" field, the filter "Department NOT_EQUALS Finance" matches findings that don’t have the value "Finance" for the "Department" tag. "NOT_CONTAINS" and "NOT_EQUALS" filters on the same field are joined by "AND". A finding matches only if it matches all of those filters. For example, the filters "Department NOT_CONTAINS Security AND Department NOT_CONTAINS Finance" match a finding that excludes both the "Security" and "Finance" values. "CONTAINS" filters can only be used with other "CONTAINS" filters. "NOT_CONTAINS" filters can only be used with other "NOT_CONTAINS" filters. You can’t have both a "CONTAINS" filter and a "NOT_CONTAINS" filter on the same field. Similarly, you can’t have both an "EQUALS" filter and a "NOT_EQUALS" filter on the same field. Combining filters in this way returns an error. "CONTAINS" and "NOT_CONTAINS" operators can be used only with automation rules. For more information, see Automation rules in the *Security Hub User Guide*. * **Operator** *(string) --* The logical operator used to combine multiple filter conditions. * **CompositeOperator** *(string) --* The logical operators used to combine the filtering on multiple "CompositeFilters". * **Actions** *(list) --* A list of actions performed when the rule criteria is met. * *(dict) --* Allows you to configure automated responses. * **Type** *(string) --* The category of action to be executed by the automation rule. * **FindingFieldsUpdate** *(dict) --* The changes to be applied to fields in a security finding when an automation rule is triggered. 
* **SeverityId** *(integer) --* The severity level to be assigned to findings that match the automation rule criteria. * **Comment** *(string) --* Notes or contextual information for findings that are modified by the automation rule. * **StatusId** *(integer) --* The status to be applied to findings that match automation rule criteria. * **ExternalIntegrationConfiguration** *(dict) --* The settings for integrating automation rule actions with external systems or services. * **ConnectorArn** *(string) --* The ARN of the connector that establishes the integration. * **CreatedAt** *(datetime) --* The timestamp when the V2 automation rule was created. * **UpdatedAt** *(datetime) --* The timestamp when the V2 automation rule was updated. **Exceptions** * "SecurityHub.Client.exceptions.AccessDeniedException" * "SecurityHub.Client.exceptions.InternalServerException" * "SecurityHub.Client.exceptions.ValidationException" * "SecurityHub.Client.exceptions.ThrottlingException" * "SecurityHub.Client.exceptions.ResourceNotFoundException" * "SecurityHub.Client.exceptions.ConflictException"

create_aggregator_v2
********************

SecurityHub.Client.create_aggregator_v2(**kwargs)

Enables aggregation across Amazon Web Services Regions. This API is in private preview and subject to change. See also: AWS API Documentation **Request Syntax** response = client.create_aggregator_v2( RegionLinkingMode='string', LinkedRegions=[ 'string', ], Tags={ 'string': 'string' }, ClientToken='string' ) Parameters: * **RegionLinkingMode** (*string*) -- **[REQUIRED]** Determines how Regions are linked to an Aggregator V2. * **LinkedRegions** (*list*) -- The list of Regions that are linked to the aggregation Region. * *(string) --* * **Tags** (*dict*) -- A list of key-value pairs to be applied to the AggregatorV2. * *(string) --* * *(string) --* * **ClientToken** (*string*) -- A unique identifier used to ensure idempotency.
This field is autopopulated if not provided. Return type: dict Returns: **Response Syntax** { 'AggregatorV2Arn': 'string', 'AggregationRegion': 'string', 'RegionLinkingMode': 'string', 'LinkedRegions': [ 'string', ] } **Response Structure** * *(dict) --* * **AggregatorV2Arn** *(string) --* The ARN of the AggregatorV2. * **AggregationRegion** *(string) --* The Amazon Web Services Region where data is aggregated. * **RegionLinkingMode** *(string) --* Determines how Regions are linked to an Aggregator V2. * **LinkedRegions** *(list) --* The list of Regions that are linked to the aggregation Region. * *(string) --* **Exceptions** * "SecurityHub.Client.exceptions.InternalServerException" * "SecurityHub.Client.exceptions.ThrottlingException" * "SecurityHub.Client.exceptions.AccessDeniedException" * "SecurityHub.Client.exceptions.ValidationException" * "SecurityHub.Client.exceptions.ResourceNotFoundException" * "SecurityHub.Client.exceptions.ConflictException"

get_finding_aggregator
**********************

SecurityHub.Client.get_finding_aggregator(**kwargs)

Note: The *aggregation Region* is now called the *home Region*. Returns the current configuration in the calling account for cross-Region aggregation. A finding aggregator is a resource that establishes the home Region and any linked Regions. See also: AWS API Documentation **Request Syntax** response = client.get_finding_aggregator( FindingAggregatorArn='string' ) Parameters: **FindingAggregatorArn** (*string*) -- **[REQUIRED]** The ARN of the finding aggregator to return details for. To obtain the ARN, use "ListFindingAggregators". Return type: dict Returns: **Response Syntax** { 'FindingAggregatorArn': 'string', 'FindingAggregationRegion': 'string', 'RegionLinkingMode': 'string', 'Regions': [ 'string', ] } **Response Structure** * *(dict) --* * **FindingAggregatorArn** *(string) --* The ARN of the finding aggregator.
* **FindingAggregationRegion** *(string) --* The home Region. Findings generated in linked Regions are replicated and sent to the home Region. * **RegionLinkingMode** *(string) --* Indicates whether to link all Regions, all Regions except for a list of excluded Regions, or a list of included Regions. * **Regions** *(list) --* The list of excluded Regions or included Regions. * *(string) --* **Exceptions** * "SecurityHub.Client.exceptions.InternalException" * "SecurityHub.Client.exceptions.LimitExceededException" * "SecurityHub.Client.exceptions.InvalidAccessException" * "SecurityHub.Client.exceptions.AccessDeniedException" * "SecurityHub.Client.exceptions.InvalidInputException" * "SecurityHub.Client.exceptions.ResourceNotFoundException"

tag_resource
************

SecurityHub.Client.tag_resource(**kwargs)

Adds one or more tags to a resource. See also: AWS API Documentation **Request Syntax** response = client.tag_resource( ResourceArn='string', Tags={ 'string': 'string' } ) Parameters: * **ResourceArn** (*string*) -- **[REQUIRED]** The ARN of the resource to apply the tags to. * **Tags** (*dict*) -- **[REQUIRED]** The tags to add to the resource. You can add up to 50 tags at a time. The tag keys can be no longer than 128 characters. The tag values can be no longer than 256 characters. * *(string) --* * *(string) --* Return type: dict Returns: **Response Syntax** {} **Response Structure** * *(dict) --* **Exceptions** * "SecurityHub.Client.exceptions.InternalException" * "SecurityHub.Client.exceptions.InvalidInputException" * "SecurityHub.Client.exceptions.ResourceNotFoundException"

list_automation_rules
*********************

SecurityHub.Client.list_automation_rules(**kwargs)

A list of automation rules and their metadata for the calling account.
See also: AWS API Documentation **Request Syntax** response = client.list_automation_rules( NextToken='string', MaxResults=123 ) Parameters: * **NextToken** (*string*) -- A token to specify where to start paginating the response. This is the "NextToken" from a previously truncated response. On your first call to the "ListAutomationRules" API, set the value of this parameter to "NULL". * **MaxResults** (*integer*) -- The maximum number of rules to return in the response. This currently ranges from 1 to 100. Return type: dict Returns: **Response Syntax** { 'AutomationRulesMetadata': [ { 'RuleArn': 'string', 'RuleStatus': 'ENABLED'|'DISABLED', 'RuleOrder': 123, 'RuleName': 'string', 'Description': 'string', 'IsTerminal': True|False, 'CreatedAt': datetime(2015, 1, 1), 'UpdatedAt': datetime(2015, 1, 1), 'CreatedBy': 'string' }, ], 'NextToken': 'string' } **Response Structure** * *(dict) --* * **AutomationRulesMetadata** *(list) --* Metadata for rules in the calling account. The response includes rules with a "RuleStatus" of "ENABLED" and "DISABLED". * *(dict) --* Metadata for automation rules in the calling account. The response includes rules with a "RuleStatus" of "ENABLED" and "DISABLED". * **RuleArn** *(string) --* The Amazon Resource Name (ARN) for the rule. * **RuleStatus** *(string) --* Whether the rule is active after it is created. If this parameter is equal to "ENABLED", Security Hub starts applying the rule to findings and finding updates after the rule is created. To change the value of this parameter after creating a rule, use BatchUpdateAutomationRules. * **RuleOrder** *(integer) --* An integer ranging from 1 to 1000 that represents the order in which the rule action is applied to findings. Security Hub applies rules with lower values for this parameter first. * **RuleName** *(string) --* The name of the rule. * **Description** *(string) --* A description of the rule. 
* **IsTerminal** *(boolean) --* Specifies whether a rule is the last to be applied with respect to a finding that matches the rule criteria. This is useful when a finding matches the criteria for multiple rules, and each rule has different actions. If a rule is terminal, Security Hub applies the rule action to a finding that matches the rule criteria and doesn't evaluate other rules for the finding. By default, a rule isn't terminal. * **CreatedAt** *(datetime) --* A timestamp that indicates when the rule was created. For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps. * **UpdatedAt** *(datetime) --* A timestamp that indicates when the rule was most recently updated. For more information about the validation and formatting of timestamp fields in Security Hub, see Timestamps. * **CreatedBy** *(string) --* The principal that created a rule. * **NextToken** *(string) --* A pagination token for the response. **Exceptions** * "SecurityHub.Client.exceptions.AccessDeniedException" * "SecurityHub.Client.exceptions.InternalException" * "SecurityHub.Client.exceptions.InvalidAccessException" * "SecurityHub.Client.exceptions.InvalidInputException" * "SecurityHub.Client.exceptions.LimitExceededException"

accept_invitation
*****************

SecurityHub.Client.accept_invitation(**kwargs)

This method is deprecated. Instead, use "AcceptAdministratorInvitation". The Security Hub console continues to use "AcceptInvitation". It will eventually change to use "AcceptAdministratorInvitation". Any IAM policies that specifically control access to this function must continue to use "AcceptInvitation". You should also add "AcceptAdministratorInvitation" to your policies to ensure that the correct permissions are in place after the console begins to use "AcceptAdministratorInvitation".
Accepts the invitation to be a member account and be monitored by the Security Hub administrator account that the invitation was sent from. This operation is only used by member accounts that are not added through Organizations. When the member account accepts the invitation, permission is granted to the administrator account to view findings generated in the member account. Danger: This operation is deprecated and may not function as expected. This operation should not be used going forward and is only kept for the purpose of backwards compatibility. See also: AWS API Documentation **Request Syntax** response = client.accept_invitation( MasterId='string', InvitationId='string' ) Parameters: * **MasterId** (*string*) -- **[REQUIRED]** The account ID of the Security Hub administrator account that sent the invitation. * **InvitationId** (*string*) -- **[REQUIRED]** The identifier of the invitation sent from the Security Hub administrator account. Return type: dict Returns: **Response Syntax** {} **Response Structure** * *(dict) --* **Exceptions** * "SecurityHub.Client.exceptions.InternalException" * "SecurityHub.Client.exceptions.InvalidInputException" * "SecurityHub.Client.exceptions.LimitExceededException" * "SecurityHub.Client.exceptions.ResourceNotFoundException" * "SecurityHub.Client.exceptions.InvalidAccessException" SecurityHub / Client / disassociate_from_master_account disassociate_from_master_account ******************************** SecurityHub.Client.disassociate_from_master_account() This method is deprecated. Instead, use "DisassociateFromAdministratorAccount". The Security Hub console continues to use "DisassociateFromMasterAccount". It will eventually change to use "DisassociateFromAdministratorAccount". Any IAM policies that specifically control access to this function must continue to use "DisassociateFromMasterAccount". 
You should also add "DisassociateFromAdministratorAccount" to your policies to ensure that the correct permissions are in place after the console begins to use "DisassociateFromAdministratorAccount". Disassociates the current Security Hub member account from the associated administrator account. This operation is only used by accounts that are not part of an organization. For organization accounts, only the administrator account can disassociate a member account. Danger: This operation is deprecated and may not function as expected. This operation should not be used going forward and is only kept for the purpose of backwards compatibility. See also: AWS API Documentation **Request Syntax** response = client.disassociate_from_master_account() Return type: dict Returns: **Response Syntax** {} **Response Structure** * *(dict) --* **Exceptions** * "SecurityHub.Client.exceptions.InternalException" * "SecurityHub.Client.exceptions.InvalidInputException" * "SecurityHub.Client.exceptions.InvalidAccessException" * "SecurityHub.Client.exceptions.LimitExceededException" * "SecurityHub.Client.exceptions.ResourceNotFoundException" SecurityHub / Client / get_security_control_definition get_security_control_definition ******************************* SecurityHub.Client.get_security_control_definition(**kwargs) Retrieves the definition of a security control. The definition includes the control title, description, Region availability, parameter definitions, and other details. See also: AWS API Documentation **Request Syntax** response = client.get_security_control_definition( SecurityControlId='string' ) Parameters: **SecurityControlId** (*string*) -- **[REQUIRED]** The ID of the security control to retrieve the definition for. This field doesn’t accept an Amazon Resource Name (ARN). 
Return type: dict Returns: **Response Syntax** { 'SecurityControlDefinition': { 'SecurityControlId': 'string', 'Title': 'string', 'Description': 'string', 'RemediationUrl': 'string', 'SeverityRating': 'LOW'|'MEDIUM'|'HIGH'|'CRITICAL', 'CurrentRegionAvailability': 'AVAILABLE'|'UNAVAILABLE', 'CustomizableProperties': [ 'Parameters', ], 'ParameterDefinitions': { 'string': { 'Description': 'string', 'ConfigurationOptions': { 'Integer': { 'DefaultValue': 123, 'Min': 123, 'Max': 123 }, 'IntegerList': { 'DefaultValue': [ 123, ], 'Min': 123, 'Max': 123, 'MaxItems': 123 }, 'Double': { 'DefaultValue': 123.0, 'Min': 123.0, 'Max': 123.0 }, 'String': { 'DefaultValue': 'string', 'Re2Expression': 'string', 'ExpressionDescription': 'string' }, 'StringList': { 'DefaultValue': [ 'string', ], 'Re2Expression': 'string', 'MaxItems': 123, 'ExpressionDescription': 'string' }, 'Boolean': { 'DefaultValue': True|False }, 'Enum': { 'DefaultValue': 'string', 'AllowedValues': [ 'string', ] }, 'EnumList': { 'DefaultValue': [ 'string', ], 'MaxItems': 123, 'AllowedValues': [ 'string', ] } } } } } } **Response Structure** * *(dict) --* * **SecurityControlDefinition** *(dict) --* Provides metadata for a security control, including its unique standard-agnostic identifier, title, description, severity, availability in Amazon Web Services Regions, and a link to remediation steps. * **SecurityControlId** *(string) --* The unique identifier of a security control across standards. Values for this field typically consist of an Amazon Web Services service name and a number (for example, APIGateway.3). This parameter differs from "SecurityControlArn", which is a unique Amazon Resource Name (ARN) assigned to a control. The ARN references the security control ID (for example, arn:aws:securityhub:eu-central-1:123456789012:security-control/APIGateway.3). * **Title** *(string) --* The title of a security control. * **Description** *(string) --* The description of a security control across standards. 
This typically summarizes how Security Hub evaluates the control and the conditions under which it produces a failed finding. This parameter doesn't reference a specific standard. * **RemediationUrl** *(string) --* A link to Security Hub documentation that explains how to remediate a failed finding for a security control. * **SeverityRating** *(string) --* The severity of a security control. For more information about how Security Hub determines control severity, see Assigning severity to control findings in the *Security Hub User Guide*. * **CurrentRegionAvailability** *(string) --* Specifies whether a security control is available in the current Amazon Web Services Region. * **CustomizableProperties** *(list) --* Security control properties that you can customize. Currently, only parameter customization is supported for select controls. An empty array is returned for controls that don’t support custom properties. * *(string) --* * **ParameterDefinitions** *(dict) --* An object that provides a security control parameter name, description, and the options for customizing it. This object is excluded for a control that doesn't support custom parameters. * *(string) --* * *(dict) --* An object that describes a security control parameter and the options for customizing it. * **Description** *(string) --* Description of a control parameter. * **ConfigurationOptions** *(dict) --* The options for customizing a control parameter. Customization options vary based on the data type of the parameter. Note: This is a Tagged Union structure. Only one of the following top level keys will be set: "Integer", "IntegerList", "Double", "String", "StringList", "Boolean", "Enum", "EnumList". If a client receives an unknown member it will set "SDK_UNKNOWN_MEMBER" as the top level key, which maps to the name or tag of the unknown member. 
The structure of "SDK_UNKNOWN_MEMBER" is as follows: 'SDK_UNKNOWN_MEMBER': {'name': 'UnknownMemberName'} * **Integer** *(dict) --* The options for customizing a security control parameter that is an integer. * **DefaultValue** *(integer) --* The Security Hub default value for a control parameter that is an integer. * **Min** *(integer) --* The minimum valid value for a control parameter that is an integer. * **Max** *(integer) --* The maximum valid value for a control parameter that is an integer. * **IntegerList** *(dict) --* The options for customizing a security control parameter that is a list of integers. * **DefaultValue** *(list) --* The Security Hub default value for a control parameter that is a list of integers. * *(integer) --* * **Min** *(integer) --* The minimum valid value for a control parameter that is a list of integers. * **Max** *(integer) --* The maximum valid value for a control parameter that is a list of integers. * **MaxItems** *(integer) --* The maximum number of list items that an integer list control parameter can accept. * **Double** *(dict) --* The options for customizing a security control parameter that is a double. * **DefaultValue** *(float) --* The Security Hub default value for a control parameter that is a double. * **Min** *(float) --* The minimum valid value for a control parameter that is a double. * **Max** *(float) --* The maximum valid value for a control parameter that is a double. * **String** *(dict) --* The options for customizing a security control parameter that is a string data type. * **DefaultValue** *(string) --* The Security Hub default value for a control parameter that is a string. * **Re2Expression** *(string) --* An RE2 regular expression that Security Hub uses to validate a user-provided control parameter string. * **ExpressionDescription** *(string) --* The description of the RE2 regular expression. 
* **StringList** *(dict) --* The options for customizing a security control parameter that is a list of strings. * **DefaultValue** *(list) --* The Security Hub default value for a control parameter that is a list of strings. * *(string) --* * **Re2Expression** *(string) --* An RE2 regular expression that Security Hub uses to validate a user-provided list of strings for a control parameter. * **MaxItems** *(integer) --* The maximum number of list items that a string list control parameter can accept. * **ExpressionDescription** *(string) --* The description of the RE2 regular expression. * **Boolean** *(dict) --* The options for customizing a security control parameter that is a boolean. For a boolean parameter, the options are "true" and "false". * **DefaultValue** *(boolean) --* The Security Hub default value for a boolean parameter. * **Enum** *(dict) --* The options for customizing a security control parameter that is an enum. * **DefaultValue** *(string) --* The Security Hub default value for a control parameter that is an enum. * **AllowedValues** *(list) --* The valid values for a control parameter that is an enum. * *(string) --* * **EnumList** *(dict) --* The options for customizing a security control parameter that is a list of enums. * **DefaultValue** *(list) --* The Security Hub default value for a control parameter that is a list of enums. * *(string) --* * **MaxItems** *(integer) --* The maximum number of list items that an enum list control parameter can accept. * **AllowedValues** *(list) --* The valid values for a control parameter that is a list of enums. 
* *(string) --* **Exceptions** * "SecurityHub.Client.exceptions.InternalException" * "SecurityHub.Client.exceptions.InvalidInputException" * "SecurityHub.Client.exceptions.InvalidAccessException" * "SecurityHub.Client.exceptions.LimitExceededException" * "SecurityHub.Client.exceptions.ResourceNotFoundException" SecurityHub / Client / list_automation_rules_v2 list_automation_rules_v2 ************************ SecurityHub.Client.list_automation_rules_v2(**kwargs) Returns a list of automation rules and metadata for the calling account. This API is in private preview and subject to change. See also: AWS API Documentation **Request Syntax** response = client.list_automation_rules_v2( NextToken='string', MaxResults=123 ) Parameters: * **NextToken** (*string*) -- The token required for pagination. On your first call, set the value of this parameter to "NULL". For subsequent calls, to continue listing data, set the value of this parameter to the value returned in the previous response. * **MaxResults** (*integer*) -- The maximum number of results to return. Return type: dict Returns: **Response Syntax** { 'Rules': [ { 'RuleArn': 'string', 'RuleId': 'string', 'RuleOrder': ..., 'RuleName': 'string', 'RuleStatus': 'ENABLED'|'DISABLED', 'Description': 'string', 'Actions': [ { 'Type': 'FINDING_FIELDS_UPDATE'|'EXTERNAL_INTEGRATION' }, ], 'CreatedAt': datetime(2015, 1, 1), 'UpdatedAt': datetime(2015, 1, 1) }, ], 'NextToken': 'string' } **Response Structure** * *(dict) --* * **Rules** *(list) --* An array of automation rules. * *(dict) --* Includes essential metadata information about automation rules. * **RuleArn** *(string) --* The ARN of the automation rule. * **RuleId** *(string) --* The ID of the automation rule. * **RuleOrder** *(float) --* The value for the rule priority. * **RuleName** *(string) --* The name of the automation rule. * **RuleStatus** *(string) --* The status of the automation rule. 
* **Description** *(string) --* An explanation for the purpose and functionality of the automation rule. * **Actions** *(list) --* The list of actions to be performed when the rule criteria are met. * *(dict) --* Allows you to customize security response workflows. * **Type** *(string) --* The category of action to be executed by the automation rule. * **CreatedAt** *(datetime) --* The timestamp for when the automation rule was created. * **UpdatedAt** *(datetime) --* The timestamp for the most recent modification to the automation rule. * **NextToken** *(string) --* The pagination token to use to request the next page of results. Otherwise, this parameter is null. **Exceptions** * "SecurityHub.Client.exceptions.AccessDeniedException" * "SecurityHub.Client.exceptions.InternalServerException" * "SecurityHub.Client.exceptions.ValidationException" * "SecurityHub.Client.exceptions.ThrottlingException" * "SecurityHub.Client.exceptions.ConflictException" SecurityHub / Client / accept_administrator_invitation accept_administrator_invitation ******************************* SecurityHub.Client.accept_administrator_invitation(**kwargs) Note: We recommend using Organizations instead of Security Hub invitations to manage your member accounts. For information, see Managing Security Hub administrator and member accounts with Organizations in the *Security Hub User Guide*. Accepts the invitation to be a member account and be monitored by the Security Hub administrator account that the invitation was sent from. This operation is only used by member accounts that are not added through Organizations. When the member account accepts the invitation, permission is granted to the administrator account to view findings generated in the member account. 
See also: AWS API Documentation **Request Syntax** response = client.accept_administrator_invitation( AdministratorId='string', InvitationId='string' ) Parameters: * **AdministratorId** (*string*) -- **[REQUIRED]** The account ID of the Security Hub administrator account that sent the invitation. * **InvitationId** (*string*) -- **[REQUIRED]** The identifier of the invitation sent from the Security Hub administrator account. Return type: dict Returns: **Response Syntax** {} **Response Structure** * *(dict) --* **Exceptions** * "SecurityHub.Client.exceptions.InternalException" * "SecurityHub.Client.exceptions.InvalidInputException" * "SecurityHub.Client.exceptions.LimitExceededException" * "SecurityHub.Client.exceptions.ResourceNotFoundException" * "SecurityHub.Client.exceptions.InvalidAccessException" SecurityHub / Client / update_insight update_insight ************** SecurityHub.Client.update_insight(**kwargs) Updates the Security Hub insight identified by the specified insight ARN. See also: AWS API Documentation **Request Syntax** response = client.update_insight( InsightArn='string', Name='string', Filters={ 'ProductArn': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'AwsAccountId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'Id': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'GeneratorId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'Region': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'Type': [ { 'Value': 'string', 'Comparison': 
'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'FirstObservedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'LastObservedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'CreatedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'UpdatedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'SeverityProduct': [ { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 }, ], 'SeverityNormalized': [ { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 }, ], 'SeverityLabel': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'Confidence': [ { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 }, ], 'Criticality': [ { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 }, ], 'Title': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'Description': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'RecommendationText': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'SourceUrl': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ProductFields': [ { 'Key': 'string', 'Value': 'string', 'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS' }, ], 'ProductName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'CompanyName': [ { 'Value': 'string', 'Comparison': 
'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'UserDefinedFields': [ { 'Key': 'string', 'Value': 'string', 'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS' }, ], 'MalwareName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'MalwareType': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'MalwarePath': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'MalwareState': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'NetworkDirection': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'NetworkProtocol': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'NetworkSourceIpV4': [ { 'Cidr': 'string' }, ], 'NetworkSourceIpV6': [ { 'Cidr': 'string' }, ], 'NetworkSourcePort': [ { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 }, ], 'NetworkSourceDomain': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'NetworkSourceMac': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'NetworkDestinationIpV4': [ { 'Cidr': 'string' }, ], 'NetworkDestinationIpV6': [ { 'Cidr': 'string' }, ], 'NetworkDestinationPort': [ { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 }, ], 'NetworkDestinationDomain': [ { 'Value': 'string', 'Comparison': 
'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ProcessName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ProcessPath': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ProcessPid': [ { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 }, ], 'ProcessParentPid': [ { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 }, ], 'ProcessLaunchedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'ProcessTerminatedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'ThreatIntelIndicatorType': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ThreatIntelIndicatorValue': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ThreatIntelIndicatorCategory': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ThreatIntelIndicatorLastObservedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'ThreatIntelIndicatorSource': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ThreatIntelIndicatorSourceUrl': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceType': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceId': [ { 'Value': 'string', 'Comparison': 
'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourcePartition': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceRegion': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceTags': [ { 'Key': 'string', 'Value': 'string', 'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS' }, ], 'ResourceAwsEc2InstanceType': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceAwsEc2InstanceImageId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceAwsEc2InstanceIpV4Addresses': [ { 'Cidr': 'string' }, ], 'ResourceAwsEc2InstanceIpV6Addresses': [ { 'Cidr': 'string' }, ], 'ResourceAwsEc2InstanceKeyName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceAwsEc2InstanceIamInstanceProfileArn': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceAwsEc2InstanceVpcId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceAwsEc2InstanceSubnetId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceAwsEc2InstanceLaunchedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'ResourceAwsS3BucketOwnerId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 
'ResourceAwsS3BucketOwnerName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceAwsIamAccessKeyUserName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceAwsIamAccessKeyPrincipalName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceAwsIamAccessKeyStatus': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceAwsIamAccessKeyCreatedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'ResourceAwsIamUserUserName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceContainerName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceContainerImageId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceContainerImageName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceContainerLaunchedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'ResourceDetailsOther': [ { 'Key': 'string', 'Value': 'string', 'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS' }, ], 'ComplianceStatus': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'VerificationState': [ { 'Value': 'string', 'Comparison': 
'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'WorkflowState': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'WorkflowStatus': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'RecordState': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'RelatedFindingsProductArn': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'RelatedFindingsId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'NoteText': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'NoteUpdatedAt': [ { 'Start': 'string', 'End': 'string', 'DateRange': { 'Value': 123, 'Unit': 'DAYS' } }, ], 'NoteUpdatedBy': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'Keyword': [ { 'Value': 'string' }, ], 'FindingProviderFieldsConfidence': [ { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 }, ], 'FindingProviderFieldsCriticality': [ { 'Gte': 123.0, 'Lte': 123.0, 'Eq': 123.0, 'Gt': 123.0, 'Lt': 123.0 }, ], 'FindingProviderFieldsRelatedFindingsId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'FindingProviderFieldsRelatedFindingsProductArn': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'FindingProviderFieldsSeverityLabel': [ { 'Value': 'string', 'Comparison': 
'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'FindingProviderFieldsSeverityOriginal': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'FindingProviderFieldsTypes': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'Sample': [ { 'Value': True|False }, ], 'ComplianceSecurityControlId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ComplianceAssociatedStandardsId': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'VulnerabilitiesExploitAvailable': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'VulnerabilitiesFixAvailable': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ComplianceSecurityControlParametersName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ComplianceSecurityControlParametersValue': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'AwsAccountName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceApplicationName': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ], 'ResourceApplicationArn': [ { 'Value': 'string', 'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD' }, ] }, 
GroupByAttribute='string' ) **Parameters** :: # This section is too large to render. # Please see the AWS API Documentation linked below. AWS API Documentation Return type: dict Returns: **Response Syntax** {} **Response Structure** * *(dict) --* **Exceptions** * "SecurityHub.Client.exceptions.InternalException" * "SecurityHub.Client.exceptions.InvalidInputException" * "SecurityHub.Client.exceptions.InvalidAccessException" * "SecurityHub.Client.exceptions.LimitExceededException" * "SecurityHub.Client.exceptions.ResourceNotFoundException" SecurityHub / Client / batch_update_findings_v2 batch_update_findings_v2 ************************ SecurityHub.Client.batch_update_findings_v2(**kwargs) Used by customers to update information about their investigation into a finding. Requested by delegated administrator accounts or member accounts. Delegated administrator accounts can update findings for their account and their member accounts. Member accounts can update findings for their account. "BatchUpdateFindings" and "BatchUpdateFindingV2" both use "securityhub:BatchUpdateFindings" in the "Action" element of an IAM policy statement. You must have permission to perform the "securityhub:BatchUpdateFindings" action. Updates from "BatchUpdateFindingsV2" don't affect the value of "finding_info.modified_time", "finding_info.modified_time_dt", "time", "time_dt" for a finding. This API is in private preview and subject to change. See also: AWS API Documentation **Request Syntax** response = client.batch_update_findings_v2( MetadataUids=[ 'string', ], FindingIdentifiers=[ { 'CloudAccountUid': 'string', 'FindingInfoUid': 'string', 'MetadataProductUid': 'string' }, ], Comment='string', SeverityId=123, StatusId=123 ) Parameters: * **MetadataUids** (*list*) -- The list of finding "metadata.uid" to indicate findings to update. Finding "metadata.uid" is a globally unique identifier associated with the finding. Customers cannot use "MetadataUids" together with "FindingIdentifiers". 
        * *(string) --*

      * **FindingIdentifiers** (*list*) -- Provides information to identify a specific V2 finding.

        * *(dict) --* Provides a standard to identify security findings using OCSF.

          * **CloudAccountUid** *(string) --* **[REQUIRED]** Finding cloud.account.uid, which is a unique identifier in the Amazon Web Services account.

          * **FindingInfoUid** *(string) --* **[REQUIRED]** Finding finding_info.uid, which is a unique identifier for the finding from the finding provider.

          * **MetadataProductUid** *(string) --* **[REQUIRED]** Finding metadata.product.uid, which is a unique identifier for the product.

      * **Comment** (*string*) -- The updated value for a user-provided comment about the finding. Minimum character length 1. Maximum character length 512.

      * **SeverityId** (*integer*) -- The updated value for the normalized severity identifier. The severity ID is an integer with the allowed enum values [0, 1, 2, 3, 4, 5, 99]. When the customer provides the updated severity ID, the string sibling severity will automatically be updated in the finding.

      * **StatusId** (*integer*) -- The updated value for the normalized status identifier. The status ID is an integer with the allowed enum values [0, 1, 2, 3, 4, 5, 6, 99]. When the customer provides the updated status ID, the string sibling status will automatically be updated in the finding.

   Return type:
      dict

   Returns:
      **Response Syntax**

         {
             'ProcessedFindings': [
                 {
                     'FindingIdentifier': {
                         'CloudAccountUid': 'string',
                         'FindingInfoUid': 'string',
                         'MetadataProductUid': 'string'
                     },
                     'MetadataUid': 'string'
                 },
             ],
             'UnprocessedFindings': [
                 {
                     'FindingIdentifier': {
                         'CloudAccountUid': 'string',
                         'FindingInfoUid': 'string',
                         'MetadataProductUid': 'string'
                     },
                     'MetadataUid': 'string',
                     'ErrorCode': 'ResourceNotFoundException'|'ValidationException'|'InternalServerException'|'ConflictException',
                     'ErrorMessage': 'string'
                 },
             ]
         }

      **Response Structure**

      * *(dict) --*

        * **ProcessedFindings** *(list) --* The list of findings that were updated successfully.
          * *(dict) --* The list of findings that were updated.

            * **FindingIdentifier** *(dict) --* The finding identifier of a processed finding.

              * **CloudAccountUid** *(string) --* Finding cloud.account.uid, which is a unique identifier in the Amazon Web Services account.

              * **FindingInfoUid** *(string) --* Finding finding_info.uid, which is a unique identifier for the finding from the finding provider.

              * **MetadataProductUid** *(string) --* Finding metadata.product.uid, which is a unique identifier for the product.

            * **MetadataUid** *(string) --* The metadata.uid of a processed finding.

        * **UnprocessedFindings** *(list) --* The list of V2 findings that were not updated.

          * *(dict) --* The list of findings that were not updated.

            * **FindingIdentifier** *(dict) --* The finding identifier of an unprocessed finding.

              * **CloudAccountUid** *(string) --* Finding cloud.account.uid, which is a unique identifier in the Amazon Web Services account.

              * **FindingInfoUid** *(string) --* Finding finding_info.uid, which is a unique identifier for the finding from the finding provider.

              * **MetadataProductUid** *(string) --* Finding metadata.product.uid, which is a unique identifier for the product.

            * **MetadataUid** *(string) --* The metadata.uid of an unprocessed finding.

            * **ErrorCode** *(string) --* Indicates the specific type of error preventing successful processing of a finding during a batch update operation.

            * **ErrorMessage** *(string) --* A detailed description of why a finding could not be processed during a batch update operation.
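Added example (not part of the SDK reference): a pre-flight validator for the "batch_update_findings_v2" constraints described above, and a triage of the "ProcessedFindings" and "UnprocessedFindings" lists so partial failures are not silently dropped. The helper names, the rejection of an empty target, the choice of retryable error codes and the sample response are assumptions made for illustration.

```python
# Added example: validate a BatchUpdateFindingsV2 request, then triage the response.
SEVERITY_IDS = {0, 1, 2, 3, 4, 5, 99}     # allowed values listed for SeverityId
STATUS_IDS = {0, 1, 2, 3, 4, 5, 6, 99}    # allowed values listed for StatusId
IDENTIFIER_KEYS = {"CloudAccountUid", "FindingInfoUid", "MetadataProductUid"}
# Assumption: these per-finding error codes are treated as transient and retried.
RETRYABLE = {"InternalServerException", "ConflictException"}


def build_update(metadata_uids=None, finding_identifiers=None,
                 comment=None, severity_id=None, status_id=None):
    """Return keyword arguments for batch_update_findings_v2 or raise ValueError."""
    if metadata_uids and finding_identifiers:
        raise ValueError("MetadataUids cannot be combined with FindingIdentifiers")
    if not metadata_uids and not finding_identifiers:
        raise ValueError("no findings named")  # assumption: an empty target is a bug
    kwargs = {}
    if metadata_uids:
        kwargs["MetadataUids"] = list(metadata_uids)
    else:
        for ident in finding_identifiers:
            if set(ident) != IDENTIFIER_KEYS:  # all three keys are [REQUIRED]
                raise ValueError(f"identifier must have exactly {sorted(IDENTIFIER_KEYS)}")
        kwargs["FindingIdentifiers"] = [dict(i) for i in finding_identifiers]
    if comment is not None:
        if not 1 <= len(comment) <= 512:
            raise ValueError("Comment must be 1 to 512 characters")
        kwargs["Comment"] = comment
    for key, value, allowed in (("SeverityId", severity_id, SEVERITY_IDS),
                                ("StatusId", status_id, STATUS_IDS)):
        if value is not None:
            if value not in allowed:
                raise ValueError(f"{key}={value!r} is not in {sorted(allowed)}")
            kwargs[key] = value
    return kwargs


def triage(response):
    """Split a response into updated UIDs, retry candidates and hard failures."""
    updated = [f.get("MetadataUid") for f in response.get("ProcessedFindings", [])]
    retry, failed = [], []
    for f in response.get("UnprocessedFindings", []):
        bucket = retry if f.get("ErrorCode") in RETRYABLE else failed
        bucket.append((f.get("MetadataUid"), f.get("ErrorCode")))
    return updated, retry, failed


# Constructed sample response (not real service output).
SAMPLE_RESPONSE = {
    "ProcessedFindings": [{"MetadataUid": "uid-0001"}],
    "UnprocessedFindings": [
        {"MetadataUid": "uid-0002", "ErrorCode": "ConflictException", "ErrorMessage": "constructed"},
        {"MetadataUid": "uid-0003", "ErrorCode": "ResourceNotFoundException", "ErrorMessage": "constructed"},
    ],
}
```

Pass the result as "client.batch_update_findings_v2(**build_update(...))" and feed the returned dict to "triage"; the hard-failure list is what an analyst should see.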
   **Exceptions**

   * "SecurityHub.Client.exceptions.InternalServerException"
   * "SecurityHub.Client.exceptions.ValidationException"
   * "SecurityHub.Client.exceptions.AccessDeniedException"
   * "SecurityHub.Client.exceptions.ThrottlingException"
   * "SecurityHub.Client.exceptions.ConflictException"

list_configuration_policies
***************************

SecurityHub.Client.list_configuration_policies(**kwargs)

   Lists the configuration policies that the Security Hub delegated administrator has created for your organization. Only the delegated administrator can invoke this operation from the home Region.

   See also: AWS API Documentation

   **Request Syntax**

      response = client.list_configuration_policies(
          NextToken='string',
          MaxResults=123
      )

   Parameters:
      * **NextToken** (*string*) -- The NextToken value that's returned from a previous paginated "ListConfigurationPolicies" request where "MaxResults" was used but the results exceeded the value of that parameter. Pagination continues from the end of the previous response that returned the "NextToken" value. This value is "null" when there are no more results to return.

      * **MaxResults** (*integer*) -- The maximum number of results that's returned by "ListConfigurationPolicies" in each page of the response. When this parameter is used, "ListConfigurationPolicies" returns the specified number of results in a single page and a "NextToken" response element. You can see the remaining results of the initial request by sending another "ListConfigurationPolicies" request with the returned "NextToken" value. A valid range for "MaxResults" is between 1 and 100.
   Return type:
      dict

   Returns:
      **Response Syntax**

         {
             'ConfigurationPolicySummaries': [
                 {
                     'Arn': 'string',
                     'Id': 'string',
                     'Name': 'string',
                     'Description': 'string',
                     'UpdatedAt': datetime(2015, 1, 1),
                     'ServiceEnabled': True|False
                 },
             ],
             'NextToken': 'string'
         }

      **Response Structure**

      * *(dict) --*

        * **ConfigurationPolicySummaries** *(list) --* Provides metadata for each of your configuration policies.

          * *(dict) --* An object that contains the details of a Security Hub configuration policy that’s returned in a "ListConfigurationPolicies" request.

            * **Arn** *(string) --* The Amazon Resource Name (ARN) of the configuration policy.

            * **Id** *(string) --* The universally unique identifier (UUID) of the configuration policy.

            * **Name** *(string) --* The name of the configuration policy. Alphanumeric characters and the following ASCII characters are permitted: "-, ., !, *, /".

            * **Description** *(string) --* The description of the configuration policy.

            * **UpdatedAt** *(datetime) --* The date and time, in UTC and ISO 8601 format, that the configuration policy was last updated.

            * **ServiceEnabled** *(boolean) --* Indicates whether the service that the configuration policy applies to is enabled in the policy.

        * **NextToken** *(string) --* The "NextToken" value to include in the next "ListConfigurationPolicies" request. When the results of a "ListConfigurationPolicies" request exceed "MaxResults", this value can be used to retrieve the next page of results. This value is "null" when there are no more results to return.
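Added example (not part of the SDK reference): a policy inventory that follows "NextToken" to the last page, so an audit of "ServiceEnabled" does not stop at the first "MaxResults" entries. The helper names, the repeated-token guard and "StubClient", a constructed stand-in for the real client so the block runs offline, are assumptions made for illustration.

```python
def iter_configuration_policies(client, page_size=100):
    """Yield every ConfigurationPolicySummaries entry, following NextToken."""
    if not 1 <= page_size <= 100:  # documented valid range for MaxResults
        raise ValueError("MaxResults must be between 1 and 100")
    kwargs = {"MaxResults": page_size}
    seen_tokens = set()
    while True:
        page = client.list_configuration_policies(**kwargs)
        yield from page.get("ConfigurationPolicySummaries", [])
        token = page.get("NextToken")
        if not token:  # absent or null: no more results
            return
        if token in seen_tokens:  # defensive guard, an assumption of this example
            raise RuntimeError("NextToken repeated; stopping to avoid an endless loop")
        seen_tokens.add(token)
        kwargs["NextToken"] = token


def policies_with_service_disabled(client):
    """Names of policies whose ServiceEnabled flag is false, across all pages."""
    return [p["Name"] for p in iter_configuration_policies(client)
            if not p.get("ServiceEnabled")]


class StubClient:
    """Constructed stand-in for the Security Hub client; serves canned pages."""

    def __init__(self, pages):
        self.pages = pages
        self.calls = []

    def list_configuration_policies(self, **kwargs):
        self.calls.append(kwargs)
        index = int(kwargs.get("NextToken", "0"))
        page = {"ConfigurationPolicySummaries": self.pages[index]}
        if index + 1 < len(self.pages):
            page["NextToken"] = str(index + 1)
        return page


# Constructed sample pages (not real service output).
SAMPLE_PAGES = [
    [{"Name": "baseline", "ServiceEnabled": True},
     {"Name": "sandbox-off", "ServiceEnabled": False}],
    [{"Name": "legacy-off", "ServiceEnabled": False}],
]
```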
   **Exceptions**

   * "SecurityHub.Client.exceptions.InternalException"
   * "SecurityHub.Client.exceptions.InvalidAccessException"
   * "SecurityHub.Client.exceptions.InvalidInputException"
   * "SecurityHub.Client.exceptions.LimitExceededException"
   * "SecurityHub.Client.exceptions.AccessDeniedException"

enable_organization_admin_account
*********************************

SecurityHub.Client.enable_organization_admin_account(**kwargs)

   Designates the Security Hub administrator account for an organization. Can only be called by the organization management account.

   See also: AWS API Documentation

   **Request Syntax**

      response = client.enable_organization_admin_account(
          AdminAccountId='string',
          Feature='SecurityHub'|'SecurityHubV2'
      )

   Parameters:
      * **AdminAccountId** (*string*) -- **[REQUIRED]** The Amazon Web Services account identifier of the account to designate as the Security Hub administrator account.

      * **Feature** (*string*) -- The feature for which the delegated admin account is enabled. Defaults to Security Hub if not specified.

   Return type:
      dict

   Returns:
      **Response Syntax**

         {
             'AdminAccountId': 'string',
             'Feature': 'SecurityHub'|'SecurityHubV2'
         }

      **Response Structure**

      * *(dict) --*

        * **AdminAccountId** *(string) --* The Amazon Web Services account identifier of the account to designate as the Security Hub administrator account.

        * **Feature** *(string) --* The feature where the delegated administrator is enabled. The default is Security Hub CSPM if no delegated administrator is specified in the request.
   **Exceptions**

   * "SecurityHub.Client.exceptions.InternalException"
   * "SecurityHub.Client.exceptions.InvalidInputException"
   * "SecurityHub.Client.exceptions.InvalidAccessException"
   * "SecurityHub.Client.exceptions.LimitExceededException"
   * "SecurityHub.Client.exceptions.AccessDeniedException"

update_security_control
***********************

SecurityHub.Client.update_security_control(**kwargs)

   Updates the properties of a security control.

   See also: AWS API Documentation

   **Request Syntax**

      response = client.update_security_control(
          SecurityControlId='string',
          Parameters={
              'string': {
                  'ValueType': 'DEFAULT'|'CUSTOM',
                  'Value': {
                      'Integer': 123,
                      'IntegerList': [
                          123,
                      ],
                      'Double': 123.0,
                      'String': 'string',
                      'StringList': [
                          'string',
                      ],
                      'Boolean': True|False,
                      'Enum': 'string',
                      'EnumList': [
                          'string',
                      ]
                  }
              }
          },
          LastUpdateReason='string'
      )

   Parameters:
      * **SecurityControlId** (*string*) -- **[REQUIRED]** The Amazon Resource Name (ARN) or ID of the control to update.

      * **Parameters** (*dict*) -- **[REQUIRED]** An object that specifies which security control parameters to update.

        * *(string) --*

          * *(dict) --* An object that provides the current value of a security control parameter and identifies whether it has been customized.

            * **ValueType** *(string) --* **[REQUIRED]** Identifies whether a control parameter uses a custom user-defined value or subscribes to the default Security Hub behavior. When "ValueType" is set equal to "DEFAULT", the default behavior can be a specific Security Hub default value, or the default behavior can be to ignore a specific parameter. When "ValueType" is set equal to "DEFAULT", Security Hub ignores user-provided input for the "Value" field. When "ValueType" is set equal to "CUSTOM", the "Value" field can't be empty.

            * **Value** *(dict) --* The current value of a control parameter.

              Note: This is a Tagged Union structure.
              Only one of the following top level keys can be set: "Integer", "IntegerList", "Double", "String", "StringList", "Boolean", "Enum", "EnumList".

              * **Integer** *(integer) --* A control parameter that is an integer.

              * **IntegerList** *(list) --* A control parameter that is a list of integers.

                * *(integer) --*

              * **Double** *(float) --* A control parameter that is a double.

              * **String** *(string) --* A control parameter that is a string.

              * **StringList** *(list) --* A control parameter that is a list of strings.

                * *(string) --*

              * **Boolean** *(boolean) --* A control parameter that is a boolean.

              * **Enum** *(string) --* A control parameter that is an enum.

              * **EnumList** *(list) --* A control parameter that is a list of enums.

                * *(string) --*

      * **LastUpdateReason** (*string*) -- The most recent reason for updating the properties of the security control. This field accepts alphanumeric characters in addition to white spaces, dashes, and underscores.

   Return type:
      dict

   Returns:
      **Response Syntax**

         {}

      **Response Structure**

      * *(dict) --*

   **Exceptions**

   * "SecurityHub.Client.exceptions.InternalException"
   * "SecurityHub.Client.exceptions.InvalidInputException"
   * "SecurityHub.Client.exceptions.InvalidAccessException"
   * "SecurityHub.Client.exceptions.LimitExceededException"
   * "SecurityHub.Client.exceptions.ResourceNotFoundException"
   * "SecurityHub.Client.exceptions.ResourceInUseException"
   * "SecurityHub.Client.exceptions.AccessDeniedException"

update_security_hub_configuration
*********************************

SecurityHub.Client.update_security_hub_configuration(**kwargs)

   Updates configuration options for Security Hub.
   See also: AWS API Documentation

   **Request Syntax**

      response = client.update_security_hub_configuration(
          AutoEnableControls=True|False,
          ControlFindingGenerator='STANDARD_CONTROL'|'SECURITY_CONTROL'
      )

   Parameters:
      * **AutoEnableControls** (*boolean*) -- Whether to automatically enable new controls when they are added to standards that are enabled.

        By default, this is set to "true", and new controls are enabled automatically. To not automatically enable new controls, set this to "false".

        When you automatically enable new controls, you can interact with the controls in the console and programmatically immediately after release. However, automatically enabled controls have a temporary default status of "DISABLED". It can take up to several days for Security Hub to process the control release and designate the control as "ENABLED" in your account. During the processing period, you can manually enable or disable a control, and Security Hub will maintain that designation regardless of whether you have "AutoEnableControls" set to "true".

      * **ControlFindingGenerator** (*string*) -- Updates whether the calling account has consolidated control findings turned on. If the value for this field is set to "SECURITY_CONTROL", Security Hub generates a single finding for a control check even when the check applies to multiple enabled standards.

        If the value for this field is set to "STANDARD_CONTROL", Security Hub generates separate findings for a control check when the check applies to multiple enabled standards.

        For accounts that are part of an organization, this value can only be updated in the administrator account.
   Return type:
      dict

   Returns:
      **Response Syntax**

         {}

      **Response Structure**

      * *(dict) --*

   **Exceptions**

   * "SecurityHub.Client.exceptions.InternalException"
   * "SecurityHub.Client.exceptions.InvalidInputException"
   * "SecurityHub.Client.exceptions.InvalidAccessException"
   * "SecurityHub.Client.exceptions.LimitExceededException"
   * "SecurityHub.Client.exceptions.ResourceNotFoundException"
   * "SecurityHub.Client.exceptions.AccessDeniedException"
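Added example (not part of the SDK reference), returning to "update_security_control" documented above: a local check of the "Parameters" tagged union and the "LastUpdateReason" character set before a control's behaviour is changed. The helper names, the ASCII reading of "alphanumeric", the acceptance of integers for "Double", and the control ID and parameter names used to exercise it are assumptions made for illustration.

```python
import re

SCALARS = {"Integer": int, "Double": (int, float), "String": str,
           "Boolean": bool, "Enum": str}
LISTS = {"IntegerList": int, "StringList": str, "EnumList": str}
# Assumption: "alphanumeric" is read as ASCII letters and digits.
REASON_RE = re.compile(r"[A-Za-z0-9\s_-]+")


def _matches(member, expected):
    # bool is a subclass of int, so True must not pass as an Integer or Double.
    return isinstance(member, expected) and isinstance(member, bool) == (expected is bool)


def check_parameter(name, config):
    """Return a normalised parameter configuration or raise ValueError."""
    value_type = config.get("ValueType")
    if value_type == "DEFAULT":
        # Security Hub ignores Value for DEFAULT; drop it so the request shows intent.
        return {"ValueType": "DEFAULT"}
    if value_type != "CUSTOM":
        raise ValueError(f"{name}: ValueType must be DEFAULT or CUSTOM")
    value = config.get("Value") or {}
    if len(value) != 1:  # tagged union: exactly one top-level key
        raise ValueError(f"{name}: CUSTOM needs exactly one Value key, got {sorted(value)}")
    (key, member), = value.items()
    if key in SCALARS:
        ok = _matches(member, SCALARS[key])
    elif key in LISTS:
        ok = isinstance(member, list) and all(_matches(m, LISTS[key]) for m in member)
    else:
        raise ValueError(f"{name}: unknown Value key {key!r}")
    if not ok:
        raise ValueError(f"{name}: {member!r} is not a valid {key}")
    return {"ValueType": "CUSTOM", "Value": {key: member}}


def build_control_update(control_id, parameters, reason=None):
    """Return keyword arguments for update_security_control or raise ValueError."""
    if not parameters:
        raise ValueError("Parameters is required")
    kwargs = {"SecurityControlId": control_id,
              "Parameters": {n: check_parameter(n, c) for n, c in parameters.items()}}
    if reason is not None:
        if not REASON_RE.fullmatch(reason):
            raise ValueError("LastUpdateReason has characters outside the accepted set")
        kwargs["LastUpdateReason"] = reason
    return kwargs
```

Recording a ticket reference in "LastUpdateReason" gives reviewers a trail for every customised control parameter.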