This is the new *CloudFormation Template Reference Guide*. Please update your bookmarks and links. For help getting started with CloudFormation, see the [AWS CloudFormation User Guide](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html). # AWS::SecurityHub::AutomationRuleV2 Creates a V2 automation rule. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "Type" : "AWS::SecurityHub::AutomationRuleV2", "Properties" : { "[Actions](#cfn-securityhub-automationrulev2-actions)" : [ AutomationRulesActionV2, ... ], "[Criteria](#cfn-securityhub-automationrulev2-criteria)" : Criteria, "[Description](#cfn-securityhub-automationrulev2-description)" : String, "[RuleName](#cfn-securityhub-automationrulev2-rulename)" : String, "[RuleOrder](#cfn-securityhub-automationrulev2-ruleorder)" : Number, "[RuleStatus](#cfn-securityhub-automationrulev2-rulestatus)" : String, "[Tags](#cfn-securityhub-automationrulev2-tags)" : {Key: Value, ...} } } ``` ### YAML ``` Type: AWS::SecurityHub::AutomationRuleV2 Properties: [Actions](#cfn-securityhub-automationrulev2-actions): - AutomationRulesActionV2 [Criteria](#cfn-securityhub-automationrulev2-criteria): Criteria [Description](#cfn-securityhub-automationrulev2-description): String [RuleName](#cfn-securityhub-automationrulev2-rulename): String [RuleOrder](#cfn-securityhub-automationrulev2-ruleorder): Number [RuleStatus](#cfn-securityhub-automationrulev2-rulestatus): String [Tags](#cfn-securityhub-automationrulev2-tags): Key: Value ``` ## Properties `Actions` A list of actions to be performed when the rule criteria is met. *Required*: Yes *Type*: Array of [AutomationRulesActionV2](aws-properties-securityhub-automationrulev2-automationrulesactionv2.md) *Minimum*: `1` *Maximum*: `1` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Criteria` The filtering type and configuration of the automation rule. *Required*: Yes *Type*: [Criteria](aws-properties-securityhub-automationrulev2-criteria.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Description` A description of the V2 automation rule. *Required*: Yes *Type*: String *Pattern*: `.*\S.*` *Minimum*: `1` *Maximum*: `256` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `RuleName` The name of the V2 automation rule. *Required*: Yes *Type*: String *Pattern*: `.*\S.*` *Minimum*: `1` *Maximum*: `256` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `RuleOrder` The value for the rule priority. *Required*: Yes *Type*: Number *Minimum*: `1` *Maximum*: `1000` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `RuleStatus` The status of the V2 automation rule. *Required*: No *Type*: String *Allowed values*: `ENABLED | DISABLED` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Tags` A list of key-value pairs associated with the V2 automation rule. *Required*: No *Type*: Object of String *Pattern*: `^(?!aws:)[a-zA-Z+-=._:/]{1,128}$` *Minimum*: `0` *Maximum*: `256` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) ## Return values ### Ref When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the `AutomationRuleV2Arn` for the `AutomationRuleV2Arn` resource created: `arn:aws:securityhub:region:123456789012:automationrulev2/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111`. For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html). ### Fn::GetAtt The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values. For more information about using the `Fn::GetAtt` intrinsic function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html). #### `CreatedAt` The timestamp when the V2 automation rule was created. `RuleArn` The ARN of the V2 automation rule. `RuleId` The ID of the V2 automation rule. `UpdatedAt` The timestamp when the V2 automation rule was updated. # AWS::SecurityHub::AutomationRuleV2 AutomationRulesActionV2 Allows you to configure automated responses. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[ExternalIntegrationConfiguration](#cfn-securityhub-automationrulev2-automationrulesactionv2-externalintegrationconfiguration)" : ExternalIntegrationConfiguration, "[FindingFieldsUpdate](#cfn-securityhub-automationrulev2-automationrulesactionv2-findingfieldsupdate)" : AutomationRulesFindingFieldsUpdateV2, "[Type](#cfn-securityhub-automationrulev2-automationrulesactionv2-type)" : String } ``` ### YAML ``` [ExternalIntegrationConfiguration](#cfn-securityhub-automationrulev2-automationrulesactionv2-externalintegrationconfiguration): ExternalIntegrationConfiguration [FindingFieldsUpdate](#cfn-securityhub-automationrulev2-automationrulesactionv2-findingfieldsupdate): AutomationRulesFindingFieldsUpdateV2 [Type](#cfn-securityhub-automationrulev2-automationrulesactionv2-type): String ``` ## Properties `ExternalIntegrationConfiguration` The settings for integrating automation rule actions with external systems or service. *Required*: No *Type*: [ExternalIntegrationConfiguration](aws-properties-securityhub-automationrulev2-externalintegrationconfiguration.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `FindingFieldsUpdate` Specifies that the automation rule action is an update to a finding field. *Required*: No *Type*: [AutomationRulesFindingFieldsUpdateV2](aws-properties-securityhub-automationrulev2-automationrulesfindingfieldsupdatev2.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Type` Specifies the type of action that Security Hub CSPM takes when a finding matches the defined criteria of a rule. *Required*: Yes *Type*: String *Allowed values*: `FINDING_FIELDS_UPDATE | EXTERNAL_INTEGRATION` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::SecurityHub::AutomationRuleV2 AutomationRulesFindingFieldsUpdateV2 Allows you to define the structure for modifying specific fields in security findings. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Comment](#cfn-securityhub-automationrulev2-automationrulesfindingfieldsupdatev2-comment)" : String, "[SeverityId](#cfn-securityhub-automationrulev2-automationrulesfindingfieldsupdatev2-severityid)" : Integer, "[StatusId](#cfn-securityhub-automationrulev2-automationrulesfindingfieldsupdatev2-statusid)" : Integer } ``` ### YAML ``` [Comment](#cfn-securityhub-automationrulev2-automationrulesfindingfieldsupdatev2-comment): String [SeverityId](#cfn-securityhub-automationrulev2-automationrulesfindingfieldsupdatev2-severityid): Integer [StatusId](#cfn-securityhub-automationrulev2-automationrulesfindingfieldsupdatev2-statusid): Integer ``` ## Properties `Comment` Notes or contextual information for findings that are modified by the automation rule. *Required*: No *Type*: String *Pattern*: `.*\S.*` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `SeverityId` The severity level to be assigned to findings that match the automation rule criteria. *Required*: No *Type*: Integer *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `StatusId` The status to be applied to findings that match automation rule criteria. *Required*: No *Type*: Integer *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::SecurityHub::AutomationRuleV2 BooleanFilter Boolean filter for querying findings. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Value](#cfn-securityhub-automationrulev2-booleanfilter-value)" : Boolean } ``` ### YAML ``` [Value](#cfn-securityhub-automationrulev2-booleanfilter-value): Boolean ``` ## Properties `Value` The value of the boolean. *Required*: Yes *Type*: Boolean *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::SecurityHub::AutomationRuleV2 CompositeFilter Enables the creation of filtering criteria for security findings. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[BooleanFilters](#cfn-securityhub-automationrulev2-compositefilter-booleanfilters)" : [ OcsfBooleanFilter, ... ], "[DateFilters](#cfn-securityhub-automationrulev2-compositefilter-datefilters)" : [ OcsfDateFilter, ... ], "[MapFilters](#cfn-securityhub-automationrulev2-compositefilter-mapfilters)" : [ OcsfMapFilter, ... ], "[NumberFilters](#cfn-securityhub-automationrulev2-compositefilter-numberfilters)" : [ OcsfNumberFilter, ... ], "[Operator](#cfn-securityhub-automationrulev2-compositefilter-operator)" : String, "[StringFilters](#cfn-securityhub-automationrulev2-compositefilter-stringfilters)" : [ OcsfStringFilter, ... ] } ``` ### YAML ``` [BooleanFilters](#cfn-securityhub-automationrulev2-compositefilter-booleanfilters): - OcsfBooleanFilter [DateFilters](#cfn-securityhub-automationrulev2-compositefilter-datefilters): - OcsfDateFilter [MapFilters](#cfn-securityhub-automationrulev2-compositefilter-mapfilters): - OcsfMapFilter [NumberFilters](#cfn-securityhub-automationrulev2-compositefilter-numberfilters): - OcsfNumberFilter [Operator](#cfn-securityhub-automationrulev2-compositefilter-operator): String [StringFilters](#cfn-securityhub-automationrulev2-compositefilter-stringfilters): - OcsfStringFilter ``` ## Properties `BooleanFilters` Enables filtering based on boolean field values. *Required*: No *Type*: Array of [OcsfBooleanFilter](aws-properties-securityhub-automationrulev2-ocsfbooleanfilter.md) *Minimum*: `1` *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `DateFilters` Enables filtering based on date and timestamp fields. *Required*: No *Type*: Array of [OcsfDateFilter](aws-properties-securityhub-automationrulev2-ocsfdatefilter.md) *Minimum*: `1` *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `MapFilters` Enables the creation of filtering criteria for security findings. *Required*: No *Type*: Array of [OcsfMapFilter](aws-properties-securityhub-automationrulev2-ocsfmapfilter.md) *Minimum*: `1` *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `NumberFilters` Enables filtering based on numerical field values. *Required*: No *Type*: Array of [OcsfNumberFilter](aws-properties-securityhub-automationrulev2-ocsfnumberfilter.md) *Minimum*: `1` *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Operator` The logical operator used to combine multiple filter conditions. *Required*: No *Type*: String *Allowed values*: `AND | OR` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `StringFilters` Enables filtering based on string field values. *Required*: No *Type*: Array of [OcsfStringFilter](aws-properties-securityhub-automationrulev2-ocsfstringfilter.md) *Minimum*: `1` *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::SecurityHub::AutomationRuleV2 Criteria The filtering type and configuration of the automation rule. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[OcsfFindingCriteria](#cfn-securityhub-automationrulev2-criteria-ocsffindingcriteria)" : OcsfFindingFilters } ``` ### YAML ``` [OcsfFindingCriteria](#cfn-securityhub-automationrulev2-criteria-ocsffindingcriteria): OcsfFindingFilters ``` ## Properties `OcsfFindingCriteria` The filtering conditions that align with OCSF standards. *Required*: No *Type*: [OcsfFindingFilters](aws-properties-securityhub-automationrulev2-ocsffindingfilters.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::SecurityHub::AutomationRuleV2 DateFilter A date filter for querying findings. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[DateRange](#cfn-securityhub-automationrulev2-datefilter-daterange)" : DateRange, "[End](#cfn-securityhub-automationrulev2-datefilter-end)" : String, "[Start](#cfn-securityhub-automationrulev2-datefilter-start)" : String } ``` ### YAML ``` [DateRange](#cfn-securityhub-automationrulev2-datefilter-daterange): DateRange [End](#cfn-securityhub-automationrulev2-datefilter-end): String [Start](#cfn-securityhub-automationrulev2-datefilter-start): String ``` ## Properties `DateRange` A date range for the date filter. *Required*: No *Type*: [DateRange](aws-properties-securityhub-automationrulev2-daterange.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `End` A timestamp that provides the end date for the date filter. For more information about the validation and formatting of timestamp fields in AWS Security Hub CSPM, see [Timestamps](https://docs.aws.amazon.com/securityhub/1.0/APIReference/Welcome.html#timestamps). *Required*: No *Type*: String *Pattern*: `^(\d\d\d\d)-([0][1-9]|[1][0-2])-([0][1-9]|[1-2](\d)|[3][0-1])[T](?:([0-1](\d)|[2][0-3]):[0-5](\d):[0-5](\d)|23:59:60)(?:\.(\d)+)?([Z]|[+-](\d\d)(:?(\d\d))?)$` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Start` A timestamp that provides the start date for the date filter. For more information about the validation and formatting of timestamp fields in AWS Security Hub CSPM, see [Timestamps](https://docs.aws.amazon.com/securityhub/1.0/APIReference/Welcome.html#timestamps). *Required*: No *Type*: String *Pattern*: `^(\d\d\d\d)-([0][1-9]|[1][0-2])-([0][1-9]|[1-2](\d)|[3][0-1])[T](?:([0-1](\d)|[2][0-3]):[0-5](\d):[0-5](\d)|23:59:60)(?:\.(\d)+)?([Z]|[+-](\d\d)(:?(\d\d))?)$` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::SecurityHub::AutomationRuleV2 DateRange A date range for the date filter. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Unit](#cfn-securityhub-automationrulev2-daterange-unit)" : String, "[Value](#cfn-securityhub-automationrulev2-daterange-value)" : Number } ``` ### YAML ``` [Unit](#cfn-securityhub-automationrulev2-daterange-unit): String [Value](#cfn-securityhub-automationrulev2-daterange-value): Number ``` ## Properties `Unit` A date range unit for the date filter. *Required*: Yes *Type*: String *Allowed values*: `DAYS` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Value` A date range value for the date filter. *Required*: Yes *Type*: Number *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::SecurityHub::AutomationRuleV2 ExternalIntegrationConfiguration The settings for integrating automation rule actions with external systems or service. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[ConnectorArn](#cfn-securityhub-automationrulev2-externalintegrationconfiguration-connectorarn)" : String } ``` ### YAML ``` [ConnectorArn](#cfn-securityhub-automationrulev2-externalintegrationconfiguration-connectorarn): String ``` ## Properties `ConnectorArn` The ARN of the connector that establishes the integration. *Required*: No *Type*: String *Pattern*: `.*\S.*` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::SecurityHub::AutomationRuleV2 MapFilter A map filter for filtering AWS Security Hub CSPM findings. Each map filter provides the field to check for, the value to check for, and the comparison operator. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Comparison](#cfn-securityhub-automationrulev2-mapfilter-comparison)" : String, "[Key](#cfn-securityhub-automationrulev2-mapfilter-key)" : String, "[Value](#cfn-securityhub-automationrulev2-mapfilter-value)" : String } ``` ### YAML ``` [Comparison](#cfn-securityhub-automationrulev2-mapfilter-comparison): String [Key](#cfn-securityhub-automationrulev2-mapfilter-key): String [Value](#cfn-securityhub-automationrulev2-mapfilter-value): String ``` ## Properties `Comparison` The condition to apply to the key value when filtering Security Hub CSPM findings with a map filter. To search for values that have the filter value, use one of the following comparison operators: + To search for values that include the filter value, use `CONTAINS`. For example, for the `ResourceTags` field, the filter `Department CONTAINS Security` matches findings that include the value `Security` for the `Department` tag. In the same example, a finding with a value of `Security team` for the `Department` tag is a match. + To search for values that exactly match the filter value, use `EQUALS`. For example, for the `ResourceTags` field, the filter `Department EQUALS Security` matches findings that have the value `Security` for the `Department` tag. `CONTAINS` and `EQUALS` filters on the same field are joined by `OR`. A finding matches if it matches any one of those filters. For example, the filters `Department CONTAINS Security OR Department CONTAINS Finance` match a finding that includes either `Security`, `Finance`, or both values. To search for values that don't have the filter value, use one of the following comparison operators: + To search for values that exclude the filter value, use `NOT_CONTAINS`. For example, for the `ResourceTags` field, the filter `Department NOT_CONTAINS Finance` matches findings that exclude the value `Finance` for the `Department` tag. + To search for values other than the filter value, use `NOT_EQUALS`. For example, for the `ResourceTags` field, the filter `Department NOT_EQUALS Finance` matches findings that don’t have the value `Finance` for the `Department` tag. `NOT_CONTAINS` and `NOT_EQUALS` filters on the same field are joined by `AND`. A finding matches only if it matches all of those filters. For example, the filters `Department NOT_CONTAINS Security AND Department NOT_CONTAINS Finance` match a finding that excludes both the `Security` and `Finance` values. `CONTAINS` filters can only be used with other `CONTAINS` filters. `NOT_CONTAINS` filters can only be used with other `NOT_CONTAINS` filters. You can’t have both a `CONTAINS` filter and a `NOT_CONTAINS` filter on the same field. Similarly, you can’t have both an `EQUALS` filter and a `NOT_EQUALS` filter on the same field. Combining filters in this way returns an error. `CONTAINS` and `NOT_CONTAINS` operators can be used only with automation rules. For more information, see [Automation rules](https://docs.aws.amazon.com/securityhub/latest/userguide/automation-rules.html) in the *AWS Security Hub CSPM User Guide*. *Required*: Yes *Type*: String *Allowed values*: `EQUALS | NOT_EQUALS` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Key` The key of the map filter. For example, for `ResourceTags`, `Key` identifies the name of the tag. For `UserDefinedFields`, `Key` is the name of the field. *Required*: Yes *Type*: String *Minimum*: `1` *Maximum*: `4096` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Value` The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called `Department` might be `Security`. If you provide `security` as the filter value, then there's no match. *Required*: Yes *Type*: String *Minimum*: `1` *Maximum*: `4096` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::SecurityHub::AutomationRuleV2 NumberFilter A number filter for querying findings. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Eq](#cfn-securityhub-automationrulev2-numberfilter-eq)" : Number, "[Gte](#cfn-securityhub-automationrulev2-numberfilter-gte)" : Number, "[Lte](#cfn-securityhub-automationrulev2-numberfilter-lte)" : Number } ``` ### YAML ``` [Eq](#cfn-securityhub-automationrulev2-numberfilter-eq): Number [Gte](#cfn-securityhub-automationrulev2-numberfilter-gte): Number [Lte](#cfn-securityhub-automationrulev2-numberfilter-lte): Number ``` ## Properties `Eq` The equal-to condition to be applied to a single field when querying for findings. *Required*: No *Type*: Number *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Gte` The greater-than-equal condition to be applied to a single field when querying for findings. *Required*: No *Type*: Number *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Lte` The less-than-equal condition to be applied to a single field when querying for findings. *Required*: No *Type*: Number *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::SecurityHub::AutomationRuleV2 OcsfBooleanFilter Enables filtering of security findings based on boolean field values in OCSF. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[FieldName](#cfn-securityhub-automationrulev2-ocsfbooleanfilter-fieldname)" : String, "[Filter](#cfn-securityhub-automationrulev2-ocsfbooleanfilter-filter)" : BooleanFilter } ``` ### YAML ``` [FieldName](#cfn-securityhub-automationrulev2-ocsfbooleanfilter-fieldname): String [Filter](#cfn-securityhub-automationrulev2-ocsfbooleanfilter-filter): BooleanFilter ``` ## Properties `FieldName` The name of the field. *Required*: Yes *Type*: String *Allowed values*: `compliance.assessments.meets_criteria | vulnerabilities.is_exploit_available | vulnerabilities.is_fix_available` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Filter` Enables filtering of security findings based on boolean field values in OCSF. *Required*: Yes *Type*: [BooleanFilter](aws-properties-securityhub-automationrulev2-booleanfilter.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::SecurityHub::AutomationRuleV2 OcsfDateFilter Enables filtering of security findings based on date and timestamp fields in OCSF. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[FieldName](#cfn-securityhub-automationrulev2-ocsfdatefilter-fieldname)" : String, "[Filter](#cfn-securityhub-automationrulev2-ocsfdatefilter-filter)" : DateFilter } ``` ### YAML ``` [FieldName](#cfn-securityhub-automationrulev2-ocsfdatefilter-fieldname): String [Filter](#cfn-securityhub-automationrulev2-ocsfdatefilter-filter): DateFilter ``` ## Properties `FieldName` The name of the field. *Required*: Yes *Type*: String *Allowed values*: `finding_info.created_time_dt | finding_info.first_seen_time_dt | finding_info.last_seen_time_dt | finding_info.modified_time_dt` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Filter` Enables filtering of security findings based on date and timestamp fields in OCSF. *Required*: Yes *Type*: [DateFilter](aws-properties-securityhub-automationrulev2-datefilter.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::SecurityHub::AutomationRuleV2 OcsfFindingFilters Specifies the filtering criteria for security findings using OCSF. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[CompositeFilters](#cfn-securityhub-automationrulev2-ocsffindingfilters-compositefilters)" : [ CompositeFilter, ... ], "[CompositeOperator](#cfn-securityhub-automationrulev2-ocsffindingfilters-compositeoperator)" : String } ``` ### YAML ``` [CompositeFilters](#cfn-securityhub-automationrulev2-ocsffindingfilters-compositefilters): - CompositeFilter [CompositeOperator](#cfn-securityhub-automationrulev2-ocsffindingfilters-compositeoperator): String ``` ## Properties `CompositeFilters` Enables the creation of complex filtering conditions by combining filter criteria. *Required*: No *Type*: Array of [CompositeFilter](aws-properties-securityhub-automationrulev2-compositefilter.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `CompositeOperator` The logical operators used to combine the filtering on multiple `CompositeFilters`. *Required*: No *Type*: String *Allowed values*: `AND | OR` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::SecurityHub::AutomationRuleV2 OcsfMapFilter Enables filtering of security findings based on map field values in OCSF. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[FieldName](#cfn-securityhub-automationrulev2-ocsfmapfilter-fieldname)" : String, "[Filter](#cfn-securityhub-automationrulev2-ocsfmapfilter-filter)" : MapFilter } ``` ### YAML ``` [FieldName](#cfn-securityhub-automationrulev2-ocsfmapfilter-fieldname): String [Filter](#cfn-securityhub-automationrulev2-ocsfmapfilter-filter): MapFilter ``` ## Properties `FieldName` The name of the field. *Required*: Yes *Type*: String *Allowed values*: `resources.tags` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Filter` Enables filtering of security findings based on map field values in OCSF. *Required*: Yes *Type*: [MapFilter](aws-properties-securityhub-automationrulev2-mapfilter.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::SecurityHub::AutomationRuleV2 OcsfNumberFilter Enables filtering of security findings based on numerical field values in OCSF. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[FieldName](#cfn-securityhub-automationrulev2-ocsfnumberfilter-fieldname)" : String, "[Filter](#cfn-securityhub-automationrulev2-ocsfnumberfilter-filter)" : NumberFilter } ``` ### YAML ``` [FieldName](#cfn-securityhub-automationrulev2-ocsfnumberfilter-fieldname): String [Filter](#cfn-securityhub-automationrulev2-ocsfnumberfilter-filter): NumberFilter ``` ## Properties `FieldName` The name of the field. *Required*: Yes *Type*: String *Allowed values*: `activity_id | compliance.status_id | confidence_score | finding_info.related_events_count | vendor_attributes.severity_id` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Filter` Enables filtering of security findings based on numerical field values in OCSF. *Required*: Yes *Type*: [NumberFilter](aws-properties-securityhub-automationrulev2-numberfilter.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::SecurityHub::AutomationRuleV2 OcsfStringFilter Enables filtering of security findings based on string field values in OCSF. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[FieldName](#cfn-securityhub-automationrulev2-ocsfstringfilter-fieldname)" : String, "[Filter](#cfn-securityhub-automationrulev2-ocsfstringfilter-filter)" : StringFilter } ``` ### YAML ``` [FieldName](#cfn-securityhub-automationrulev2-ocsfstringfilter-fieldname): String [Filter](#cfn-securityhub-automationrulev2-ocsfstringfilter-filter): StringFilter ``` ## Properties `FieldName` The name of the field. *Required*: Yes *Type*: String *Allowed values*: `activity_name | cloud.account.name | cloud.account.uid | cloud.provider | cloud.region | compliance.assessments.category | compliance.assessments.name | compliance.control | compliance.status | compliance.standards | finding_info.desc | finding_info.src_url | finding_info.title | finding_info.types | finding_info.uid | finding_info.related_events.uid | finding_info.related_events.product.uid | finding_info.related_events.title | metadata.product.feature.uid | metadata.product.name | metadata.product.uid | metadata.product.vendor_name | remediation.desc | remediation.references | resources.cloud_partition | resources.name | resources.region | resources.type | resources.uid | vulnerabilities.fix_coverage | class_name | vendor_attributes.severity` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Filter` Enables filtering of security findings based on string field values in OCSF. *Required*: Yes *Type*: [StringFilter](aws-properties-securityhub-automationrulev2-stringfilter.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::SecurityHub::AutomationRuleV2 StringFilter A string filter for filtering AWS Security Hub CSPM findings. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Comparison](#cfn-securityhub-automationrulev2-stringfilter-comparison)" : String, "[Value](#cfn-securityhub-automationrulev2-stringfilter-value)" : String } ``` ### YAML ``` [Comparison](#cfn-securityhub-automationrulev2-stringfilter-comparison): String [Value](#cfn-securityhub-automationrulev2-stringfilter-value): String ``` ## Properties `Comparison` The condition to apply to a string value when filtering Security Hub CSPM findings. To search for values that have the filter value, use one of the following comparison operators: + To search for values that include the filter value, use `CONTAINS`. For example, the filter `Title CONTAINS CloudFront` matches findings that have a `Title` that includes the string CloudFront. + To search for values that exactly match the filter value, use `EQUALS`. For example, the filter `AwsAccountId EQUALS 123456789012` only matches findings that have an account ID of `123456789012`. + To search for values that start with the filter value, use `PREFIX`. For example, the filter `ResourceRegion PREFIX us` matches findings that have a `ResourceRegion` that starts with `us`. A `ResourceRegion` that starts with a different value, such as `af`, `ap`, or `ca`, doesn't match. `CONTAINS`, `EQUALS`, and `PREFIX` filters on the same field are joined by `OR`. A finding matches if it matches any one of those filters. For example, the filters `Title CONTAINS CloudFront OR Title CONTAINS CloudWatch` match a finding that includes either `CloudFront`, `CloudWatch`, or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: + To search for values that exclude the filter value, use `NOT_CONTAINS`. For example, the filter `Title NOT_CONTAINS CloudFront` matches findings that have a `Title` that excludes the string CloudFront. + To search for values other than the filter value, use `NOT_EQUALS`. For example, the filter `AwsAccountId NOT_EQUALS 123456789012` only matches findings that have an account ID other than `123456789012`. + To search for values that don't start with the filter value, use `PREFIX_NOT_EQUALS`. For example, the filter `ResourceRegion PREFIX_NOT_EQUALS us` matches findings with a `ResourceRegion` that starts with a value other than `us`. `NOT_CONTAINS`, `NOT_EQUALS`, and `PREFIX_NOT_EQUALS` filters on the same field are joined by `AND`. A finding matches only if it matches all of those filters. For example, the filters `Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch` match a finding that excludes both `CloudFront` and `CloudWatch` in the title. You can’t have both a `CONTAINS` filter and a `NOT_CONTAINS` filter on the same field. Similarly, you can't provide both an `EQUALS` filter and a `NOT_EQUALS` or `PREFIX_NOT_EQUALS` filter on the same field. Combining filters in this way returns an error. `CONTAINS` filters can only be used with other `CONTAINS` filters. `NOT_CONTAINS` filters can only be used with other `NOT_CONTAINS` filters. You can combine `PREFIX` filters with `NOT_EQUALS` or `PREFIX_NOT_EQUALS` filters for the same field. Security Hub CSPM first processes the `PREFIX` filters, and then the `NOT_EQUALS` or `PREFIX_NOT_EQUALS` filters. For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either `AwsIam` or `AwsEc2`. It then excludes findings that have a resource type of `AwsIamPolicy` and findings that have a resource type of `AwsEc2NetworkInterface`. + `ResourceType PREFIX AwsIam` + `ResourceType PREFIX AwsEc2` + `ResourceType NOT_EQUALS AwsIamPolicy` + `ResourceType NOT_EQUALS AwsEc2NetworkInterface` `CONTAINS` and `NOT_CONTAINS` operators can be used only with automation rules V1. `CONTAINS_WORD` operator is only supported in `GetFindingsV2`, `GetFindingStatisticsV2`, `GetResourcesV2`, and `GetResourcesStatisticsV2` APIs. For more information, see [Automation rules](https://docs.aws.amazon.com/securityhub/latest/userguide/automation-rules.html) in the *AWS Security Hub CSPM User Guide*. *Required*: Yes *Type*: String *Allowed values*: `EQUALS | PREFIX | NOT_EQUALS | PREFIX_NOT_EQUALS | CONTAINS` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Value` The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is `Security Hub CSPM`. If you provide `security hub` as the filter value, there's no match. *Required*: Yes *Type*: String *Minimum*: `1` *Maximum*: `4096` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)