This is the new *CloudFormation Template Reference Guide*. Please update your bookmarks and links. For help getting started with CloudFormation, see the [AWS CloudFormation User Guide](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html). # AWS::SecurityHub::Insight The `AWS::SecurityHub::Insight` resource creates a custom insight in AWS Security Hub CSPM. An insight is a collection of findings that relate to a security issue that requires attention or remediation. For more information, see [Insights in AWS Security Hub CSPM](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-insights.html) in the *AWS Security Hub CSPM User Guide*. Tags aren't supported for this resource. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "Type" : "AWS::SecurityHub::Insight", "Properties" : { "[Filters](#cfn-securityhub-insight-filters)" : AwsSecurityFindingFilters, "[GroupByAttribute](#cfn-securityhub-insight-groupbyattribute)" : String, "[Name](#cfn-securityhub-insight-name)" : String } } ``` ### YAML ``` Type: AWS::SecurityHub::Insight Properties: [Filters](#cfn-securityhub-insight-filters): AwsSecurityFindingFilters [GroupByAttribute](#cfn-securityhub-insight-groupbyattribute): String [Name](#cfn-securityhub-insight-name): String ``` ## Properties `Filters` One or more attributes used to filter the findings included in the insight. The insight only includes findings that match the criteria defined in the filters. You can filter by up to ten finding attributes. For each attribute, you can provide up to 20 filter values. *Required*: Yes *Type*: [AwsSecurityFindingFilters](aws-properties-securityhub-insight-awssecurityfindingfilters.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `GroupByAttribute` The grouping attribute for the insight's findings. Indicates how to group the matching findings, and identifies the type of item that the insight applies to. For example, if an insight is grouped by resource identifier, then the insight produces a list of resource identifiers. *Required*: Yes *Type*: String *Minimum*: `1` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Name` The name of a Security Hub CSPM insight. *Required*: Yes *Type*: String *Minimum*: `1` *Maximum*: `128` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) ## Return values ### Ref When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the Amazon Resource Name (ARN) of a Security Hub CSPM insight. For example, `arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111`. For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html). ### Fn::GetAtt The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values. For more information about using the `Fn::GetAtt` intrinsic function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html). #### `InsightArn` The ARN of a Security Hub CSPM insight. ## Examples ### Creating a Security Hub CSPM insight The following example creates a custom Security Hub CSPM insight. The insight includes findings that match the specified filters. #### JSON ``` { "Description": "Example template to create a Security Hub insight", "Resources": { "SecurityHubInsight": { "Type": "AWS::SecurityHub::Insight", "Properties": { "Name": "Example insight name", "GroupByAttribute": "ResourceId", "Filters": { "CompanyName": [ { "Comparison": "EQUALS", "Value": "AWS" } ], "CreatedAt": [ { "DateRange": { "Unit": "DAYS", "Value": 5 } } ], "Criticality": [ { "Gte": 50, "Lte": 95 } ], "Id": [ { "Comparison": "EQUALS", "Value": "example-id" } ], "RecordState": [ { "Comparison": "EQUALS", "Value": "ACTIVE" } ], "ResourceTags": [ { "Comparison": "EQUALS", "Key": "department", "Value": "security" }, { "Comparison": "EQUALS", "Key": "department", "Value": "operations" } ], "SeverityLabel": [ { "Comparison": "EQUALS", "Value": "LOW" }, { "Comparison": "EQUALS", "Value": "HIGH" } ], "UpdatedAt": [ { "Start": "2023-04-25T17:05:54.832Z", "End": "2023-05-25T17:05:54.832Z" } ] } } } } } ``` #### YAML ``` Description: Example template to create a Security Hub insight Resources: SecurityHubInsight: Type: "AWS::SecurityHub::Insight" Properties: Name: "Example insight name" GroupByAttribute: "ResourceId" Filters: CompanyName: - Comparison: EQUALS Value: AWS CreatedAt: - DateRange: Unit: DAYS Value: 5 Criticality: - Gte: 50 Lte: 95 Id: - Comparison: EQUALS Value: example-id RecordState: - Comparison: EQUALS Value: ACTIVE ResourceTags: - Comparison: EQUALS Key: department Value: security - Comparison: EQUALS Key: department Value: operations SeverityLabel: - Comparison: EQUALS Value: LOW - Comparison: EQUALS Value: HIGH UpdatedAt: - Start: "2023-04-25T17:05:54.832Z" End: "2023-05-25T17:05:54.832Z" ``` # AWS::SecurityHub::Insight AwsSecurityFindingFilters A collection of filters that are applied to all active findings aggregated by AWS Security Hub CSPM. You can filter by up to ten finding attributes. For each attribute, you can provide up to 20 filter values. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[AwsAccountId](#cfn-securityhub-insight-awssecurityfindingfilters-awsaccountid)" : [ StringFilter, ... ], "[AwsAccountName](#cfn-securityhub-insight-awssecurityfindingfilters-awsaccountname)" : [ StringFilter, ... ], "[CompanyName](#cfn-securityhub-insight-awssecurityfindingfilters-companyname)" : [ StringFilter, ... ], "[ComplianceAssociatedStandardsId](#cfn-securityhub-insight-awssecurityfindingfilters-complianceassociatedstandardsid)" : [ StringFilter, ... ], "[ComplianceSecurityControlId](#cfn-securityhub-insight-awssecurityfindingfilters-compliancesecuritycontrolid)" : [ StringFilter, ... ], "[ComplianceSecurityControlParametersName](#cfn-securityhub-insight-awssecurityfindingfilters-compliancesecuritycontrolparametersname)" : [ StringFilter, ... ], "[ComplianceSecurityControlParametersValue](#cfn-securityhub-insight-awssecurityfindingfilters-compliancesecuritycontrolparametersvalue)" : [ StringFilter, ... ], "[ComplianceStatus](#cfn-securityhub-insight-awssecurityfindingfilters-compliancestatus)" : [ StringFilter, ... ], "[Confidence](#cfn-securityhub-insight-awssecurityfindingfilters-confidence)" : [ NumberFilter, ... ], "[CreatedAt](#cfn-securityhub-insight-awssecurityfindingfilters-createdat)" : [ DateFilter, ... ], "[Criticality](#cfn-securityhub-insight-awssecurityfindingfilters-criticality)" : [ NumberFilter, ... ], "[Description](#cfn-securityhub-insight-awssecurityfindingfilters-description)" : [ StringFilter, ... ], "[FindingProviderFieldsConfidence](#cfn-securityhub-insight-awssecurityfindingfilters-findingproviderfieldsconfidence)" : [ NumberFilter, ... ], "[FindingProviderFieldsCriticality](#cfn-securityhub-insight-awssecurityfindingfilters-findingproviderfieldscriticality)" : [ NumberFilter, ... ], "[FindingProviderFieldsRelatedFindingsId](#cfn-securityhub-insight-awssecurityfindingfilters-findingproviderfieldsrelatedfindingsid)" : [ StringFilter, ... ], "[FindingProviderFieldsRelatedFindingsProductArn](#cfn-securityhub-insight-awssecurityfindingfilters-findingproviderfieldsrelatedfindingsproductarn)" : [ StringFilter, ... ], "[FindingProviderFieldsSeverityLabel](#cfn-securityhub-insight-awssecurityfindingfilters-findingproviderfieldsseveritylabel)" : [ StringFilter, ... ], "[FindingProviderFieldsSeverityOriginal](#cfn-securityhub-insight-awssecurityfindingfilters-findingproviderfieldsseverityoriginal)" : [ StringFilter, ... ], "[FindingProviderFieldsTypes](#cfn-securityhub-insight-awssecurityfindingfilters-findingproviderfieldstypes)" : [ StringFilter, ... ], "[FirstObservedAt](#cfn-securityhub-insight-awssecurityfindingfilters-firstobservedat)" : [ DateFilter, ... ], "[GeneratorId](#cfn-securityhub-insight-awssecurityfindingfilters-generatorid)" : [ StringFilter, ... ], "[Id](#cfn-securityhub-insight-awssecurityfindingfilters-id)" : [ StringFilter, ... ], "[Keyword](#cfn-securityhub-insight-awssecurityfindingfilters-keyword)" : [ KeywordFilter, ... ], "[LastObservedAt](#cfn-securityhub-insight-awssecurityfindingfilters-lastobservedat)" : [ DateFilter, ... ], "[MalwareName](#cfn-securityhub-insight-awssecurityfindingfilters-malwarename)" : [ StringFilter, ... ], "[MalwarePath](#cfn-securityhub-insight-awssecurityfindingfilters-malwarepath)" : [ StringFilter, ... ], "[MalwareState](#cfn-securityhub-insight-awssecurityfindingfilters-malwarestate)" : [ StringFilter, ... ], "[MalwareType](#cfn-securityhub-insight-awssecurityfindingfilters-malwaretype)" : [ StringFilter, ... ], "[NetworkDestinationDomain](#cfn-securityhub-insight-awssecurityfindingfilters-networkdestinationdomain)" : [ StringFilter, ... ], "[NetworkDestinationIpV4](#cfn-securityhub-insight-awssecurityfindingfilters-networkdestinationipv4)" : [ IpFilter, ... ], "[NetworkDestinationIpV6](#cfn-securityhub-insight-awssecurityfindingfilters-networkdestinationipv6)" : [ IpFilter, ... ], "[NetworkDestinationPort](#cfn-securityhub-insight-awssecurityfindingfilters-networkdestinationport)" : [ NumberFilter, ... ], "[NetworkDirection](#cfn-securityhub-insight-awssecurityfindingfilters-networkdirection)" : [ StringFilter, ... ], "[NetworkProtocol](#cfn-securityhub-insight-awssecurityfindingfilters-networkprotocol)" : [ StringFilter, ... ], "[NetworkSourceDomain](#cfn-securityhub-insight-awssecurityfindingfilters-networksourcedomain)" : [ StringFilter, ... ], "[NetworkSourceIpV4](#cfn-securityhub-insight-awssecurityfindingfilters-networksourceipv4)" : [ IpFilter, ... ], "[NetworkSourceIpV6](#cfn-securityhub-insight-awssecurityfindingfilters-networksourceipv6)" : [ IpFilter, ... ], "[NetworkSourceMac](#cfn-securityhub-insight-awssecurityfindingfilters-networksourcemac)" : [ StringFilter, ... ], "[NetworkSourcePort](#cfn-securityhub-insight-awssecurityfindingfilters-networksourceport)" : [ NumberFilter, ... ], "[NoteText](#cfn-securityhub-insight-awssecurityfindingfilters-notetext)" : [ StringFilter, ... ], "[NoteUpdatedAt](#cfn-securityhub-insight-awssecurityfindingfilters-noteupdatedat)" : [ DateFilter, ... ], "[NoteUpdatedBy](#cfn-securityhub-insight-awssecurityfindingfilters-noteupdatedby)" : [ StringFilter, ... ], "[ProcessLaunchedAt](#cfn-securityhub-insight-awssecurityfindingfilters-processlaunchedat)" : [ DateFilter, ... ], "[ProcessName](#cfn-securityhub-insight-awssecurityfindingfilters-processname)" : [ StringFilter, ... ], "[ProcessParentPid](#cfn-securityhub-insight-awssecurityfindingfilters-processparentpid)" : [ NumberFilter, ... ], "[ProcessPath](#cfn-securityhub-insight-awssecurityfindingfilters-processpath)" : [ StringFilter, ... ], "[ProcessPid](#cfn-securityhub-insight-awssecurityfindingfilters-processpid)" : [ NumberFilter, ... ], "[ProcessTerminatedAt](#cfn-securityhub-insight-awssecurityfindingfilters-processterminatedat)" : [ DateFilter, ... ], "[ProductArn](#cfn-securityhub-insight-awssecurityfindingfilters-productarn)" : [ StringFilter, ... ], "[ProductFields](#cfn-securityhub-insight-awssecurityfindingfilters-productfields)" : [ MapFilter, ... ], "[ProductName](#cfn-securityhub-insight-awssecurityfindingfilters-productname)" : [ StringFilter, ... ], "[RecommendationText](#cfn-securityhub-insight-awssecurityfindingfilters-recommendationtext)" : [ StringFilter, ... ], "[RecordState](#cfn-securityhub-insight-awssecurityfindingfilters-recordstate)" : [ StringFilter, ... ], "[Region](#cfn-securityhub-insight-awssecurityfindingfilters-region)" : [ StringFilter, ... ], "[RelatedFindingsId](#cfn-securityhub-insight-awssecurityfindingfilters-relatedfindingsid)" : [ StringFilter, ... ], "[RelatedFindingsProductArn](#cfn-securityhub-insight-awssecurityfindingfilters-relatedfindingsproductarn)" : [ StringFilter, ... ], "[ResourceApplicationArn](#cfn-securityhub-insight-awssecurityfindingfilters-resourceapplicationarn)" : [ StringFilter, ... ], "[ResourceApplicationName](#cfn-securityhub-insight-awssecurityfindingfilters-resourceapplicationname)" : [ StringFilter, ... ], "[ResourceAwsEc2InstanceIamInstanceProfileArn](#cfn-securityhub-insight-awssecurityfindingfilters-resourceawsec2instanceiaminstanceprofilearn)" : [ StringFilter, ... ], "[ResourceAwsEc2InstanceImageId](#cfn-securityhub-insight-awssecurityfindingfilters-resourceawsec2instanceimageid)" : [ StringFilter, ... ], "[ResourceAwsEc2InstanceIpV4Addresses](#cfn-securityhub-insight-awssecurityfindingfilters-resourceawsec2instanceipv4addresses)" : [ IpFilter, ... ], "[ResourceAwsEc2InstanceIpV6Addresses](#cfn-securityhub-insight-awssecurityfindingfilters-resourceawsec2instanceipv6addresses)" : [ IpFilter, ... ], "[ResourceAwsEc2InstanceKeyName](#cfn-securityhub-insight-awssecurityfindingfilters-resourceawsec2instancekeyname)" : [ StringFilter, ... ], "[ResourceAwsEc2InstanceLaunchedAt](#cfn-securityhub-insight-awssecurityfindingfilters-resourceawsec2instancelaunchedat)" : [ DateFilter, ... ], "[ResourceAwsEc2InstanceSubnetId](#cfn-securityhub-insight-awssecurityfindingfilters-resourceawsec2instancesubnetid)" : [ StringFilter, ... ], "[ResourceAwsEc2InstanceType](#cfn-securityhub-insight-awssecurityfindingfilters-resourceawsec2instancetype)" : [ StringFilter, ... ], "[ResourceAwsEc2InstanceVpcId](#cfn-securityhub-insight-awssecurityfindingfilters-resourceawsec2instancevpcid)" : [ StringFilter, ... ], "[ResourceAwsIamAccessKeyCreatedAt](#cfn-securityhub-insight-awssecurityfindingfilters-resourceawsiamaccesskeycreatedat)" : [ DateFilter, ... ], "[ResourceAwsIamAccessKeyPrincipalName](#cfn-securityhub-insight-awssecurityfindingfilters-resourceawsiamaccesskeyprincipalname)" : [ StringFilter, ... ], "[ResourceAwsIamAccessKeyStatus](#cfn-securityhub-insight-awssecurityfindingfilters-resourceawsiamaccesskeystatus)" : [ StringFilter, ... ], "[ResourceAwsIamAccessKeyUserName](#cfn-securityhub-insight-awssecurityfindingfilters-resourceawsiamaccesskeyusername)" : [ StringFilter, ... ], "[ResourceAwsIamUserUserName](#cfn-securityhub-insight-awssecurityfindingfilters-resourceawsiamuserusername)" : [ StringFilter, ... ], "[ResourceAwsS3BucketOwnerId](#cfn-securityhub-insight-awssecurityfindingfilters-resourceawss3bucketownerid)" : [ StringFilter, ... ], "[ResourceAwsS3BucketOwnerName](#cfn-securityhub-insight-awssecurityfindingfilters-resourceawss3bucketownername)" : [ StringFilter, ... ], "[ResourceContainerImageId](#cfn-securityhub-insight-awssecurityfindingfilters-resourcecontainerimageid)" : [ StringFilter, ... ], "[ResourceContainerImageName](#cfn-securityhub-insight-awssecurityfindingfilters-resourcecontainerimagename)" : [ StringFilter, ... ], "[ResourceContainerLaunchedAt](#cfn-securityhub-insight-awssecurityfindingfilters-resourcecontainerlaunchedat)" : [ DateFilter, ... ], "[ResourceContainerName](#cfn-securityhub-insight-awssecurityfindingfilters-resourcecontainername)" : [ StringFilter, ... ], "[ResourceDetailsOther](#cfn-securityhub-insight-awssecurityfindingfilters-resourcedetailsother)" : [ MapFilter, ... ], "[ResourceId](#cfn-securityhub-insight-awssecurityfindingfilters-resourceid)" : [ StringFilter, ... ], "[ResourcePartition](#cfn-securityhub-insight-awssecurityfindingfilters-resourcepartition)" : [ StringFilter, ... ], "[ResourceRegion](#cfn-securityhub-insight-awssecurityfindingfilters-resourceregion)" : [ StringFilter, ... ], "[ResourceTags](#cfn-securityhub-insight-awssecurityfindingfilters-resourcetags)" : [ MapFilter, ... ], "[ResourceType](#cfn-securityhub-insight-awssecurityfindingfilters-resourcetype)" : [ StringFilter, ... ], "[Sample](#cfn-securityhub-insight-awssecurityfindingfilters-sample)" : [ BooleanFilter, ... ], "[SeverityLabel](#cfn-securityhub-insight-awssecurityfindingfilters-severitylabel)" : [ StringFilter, ... ], "[SeverityNormalized](#cfn-securityhub-insight-awssecurityfindingfilters-severitynormalized)" : [ NumberFilter, ... ], "[SeverityProduct](#cfn-securityhub-insight-awssecurityfindingfilters-severityproduct)" : [ NumberFilter, ... ], "[SourceUrl](#cfn-securityhub-insight-awssecurityfindingfilters-sourceurl)" : [ StringFilter, ... ], "[ThreatIntelIndicatorCategory](#cfn-securityhub-insight-awssecurityfindingfilters-threatintelindicatorcategory)" : [ StringFilter, ... ], "[ThreatIntelIndicatorLastObservedAt](#cfn-securityhub-insight-awssecurityfindingfilters-threatintelindicatorlastobservedat)" : [ DateFilter, ... ], "[ThreatIntelIndicatorSource](#cfn-securityhub-insight-awssecurityfindingfilters-threatintelindicatorsource)" : [ StringFilter, ... ], "[ThreatIntelIndicatorSourceUrl](#cfn-securityhub-insight-awssecurityfindingfilters-threatintelindicatorsourceurl)" : [ StringFilter, ... ], "[ThreatIntelIndicatorType](#cfn-securityhub-insight-awssecurityfindingfilters-threatintelindicatortype)" : [ StringFilter, ... ], "[ThreatIntelIndicatorValue](#cfn-securityhub-insight-awssecurityfindingfilters-threatintelindicatorvalue)" : [ StringFilter, ... ], "[Title](#cfn-securityhub-insight-awssecurityfindingfilters-title)" : [ StringFilter, ... ], "[Type](#cfn-securityhub-insight-awssecurityfindingfilters-type)" : [ StringFilter, ... ], "[UpdatedAt](#cfn-securityhub-insight-awssecurityfindingfilters-updatedat)" : [ DateFilter, ... ], "[UserDefinedFields](#cfn-securityhub-insight-awssecurityfindingfilters-userdefinedfields)" : [ MapFilter, ... ], "[VerificationState](#cfn-securityhub-insight-awssecurityfindingfilters-verificationstate)" : [ StringFilter, ... ], "[VulnerabilitiesExploitAvailable](#cfn-securityhub-insight-awssecurityfindingfilters-vulnerabilitiesexploitavailable)" : [ StringFilter, ... ], "[VulnerabilitiesFixAvailable](#cfn-securityhub-insight-awssecurityfindingfilters-vulnerabilitiesfixavailable)" : [ StringFilter, ... ], "[WorkflowState](#cfn-securityhub-insight-awssecurityfindingfilters-workflowstate)" : [ StringFilter, ... ], "[WorkflowStatus](#cfn-securityhub-insight-awssecurityfindingfilters-workflowstatus)" : [ StringFilter, ... ] } ``` ### YAML ``` [AwsAccountId](#cfn-securityhub-insight-awssecurityfindingfilters-awsaccountid): - StringFilter [AwsAccountName](#cfn-securityhub-insight-awssecurityfindingfilters-awsaccountname): - StringFilter [CompanyName](#cfn-securityhub-insight-awssecurityfindingfilters-companyname): - StringFilter [ComplianceAssociatedStandardsId](#cfn-securityhub-insight-awssecurityfindingfilters-complianceassociatedstandardsid): - StringFilter [ComplianceSecurityControlId](#cfn-securityhub-insight-awssecurityfindingfilters-compliancesecuritycontrolid): - StringFilter [ComplianceSecurityControlParametersName](#cfn-securityhub-insight-awssecurityfindingfilters-compliancesecuritycontrolparametersname): - StringFilter [ComplianceSecurityControlParametersValue](#cfn-securityhub-insight-awssecurityfindingfilters-compliancesecuritycontrolparametersvalue): - StringFilter [ComplianceStatus](#cfn-securityhub-insight-awssecurityfindingfilters-compliancestatus): - StringFilter [Confidence](#cfn-securityhub-insight-awssecurityfindingfilters-confidence): - NumberFilter [CreatedAt](#cfn-securityhub-insight-awssecurityfindingfilters-createdat): - DateFilter [Criticality](#cfn-securityhub-insight-awssecurityfindingfilters-criticality): - NumberFilter [Description](#cfn-securityhub-insight-awssecurityfindingfilters-description): - StringFilter [FindingProviderFieldsConfidence](#cfn-securityhub-insight-awssecurityfindingfilters-findingproviderfieldsconfidence): - NumberFilter [FindingProviderFieldsCriticality](#cfn-securityhub-insight-awssecurityfindingfilters-findingproviderfieldscriticality): - NumberFilter [FindingProviderFieldsRelatedFindingsId](#cfn-securityhub-insight-awssecurityfindingfilters-findingproviderfieldsrelatedfindingsid): - StringFilter [FindingProviderFieldsRelatedFindingsProductArn](#cfn-securityhub-insight-awssecurityfindingfilters-findingproviderfieldsrelatedfindingsproductarn): - StringFilter [FindingProviderFieldsSeverityLabel](#cfn-securityhub-insight-awssecurityfindingfilters-findingproviderfieldsseveritylabel): - StringFilter [FindingProviderFieldsSeverityOriginal](#cfn-securityhub-insight-awssecurityfindingfilters-findingproviderfieldsseverityoriginal): - StringFilter [FindingProviderFieldsTypes](#cfn-securityhub-insight-awssecurityfindingfilters-findingproviderfieldstypes): - StringFilter [FirstObservedAt](#cfn-securityhub-insight-awssecurityfindingfilters-firstobservedat): - DateFilter [GeneratorId](#cfn-securityhub-insight-awssecurityfindingfilters-generatorid): - StringFilter [Id](#cfn-securityhub-insight-awssecurityfindingfilters-id): - StringFilter [Keyword](#cfn-securityhub-insight-awssecurityfindingfilters-keyword): - KeywordFilter [LastObservedAt](#cfn-securityhub-insight-awssecurityfindingfilters-lastobservedat): - DateFilter [MalwareName](#cfn-securityhub-insight-awssecurityfindingfilters-malwarename): - StringFilter [MalwarePath](#cfn-securityhub-insight-awssecurityfindingfilters-malwarepath): - StringFilter [MalwareState](#cfn-securityhub-insight-awssecurityfindingfilters-malwarestate): - StringFilter [MalwareType](#cfn-securityhub-insight-awssecurityfindingfilters-malwaretype): - StringFilter [NetworkDestinationDomain](#cfn-securityhub-insight-awssecurityfindingfilters-networkdestinationdomain): - StringFilter [NetworkDestinationIpV4](#cfn-securityhub-insight-awssecurityfindingfilters-networkdestinationipv4): - IpFilter [NetworkDestinationIpV6](#cfn-securityhub-insight-awssecurityfindingfilters-networkdestinationipv6): - IpFilter [NetworkDestinationPort](#cfn-securityhub-insight-awssecurityfindingfilters-networkdestinationport): - NumberFilter [NetworkDirection](#cfn-securityhub-insight-awssecurityfindingfilters-networkdirection): - StringFilter [NetworkProtocol](#cfn-securityhub-insight-awssecurityfindingfilters-networkprotocol): - StringFilter [NetworkSourceDomain](#cfn-securityhub-insight-awssecurityfindingfilters-networksourcedomain): - StringFilter [NetworkSourceIpV4](#cfn-securityhub-insight-awssecurityfindingfilters-networksourceipv4): - IpFilter [NetworkSourceIpV6](#cfn-securityhub-insight-awssecurityfindingfilters-networksourceipv6): - IpFilter [NetworkSourceMac](#cfn-securityhub-insight-awssecurityfindingfilters-networksourcemac): - StringFilter [NetworkSourcePort](#cfn-securityhub-insight-awssecurityfindingfilters-networksourceport): - NumberFilter [NoteText](#cfn-securityhub-insight-awssecurityfindingfilters-notetext): - StringFilter [NoteUpdatedAt](#cfn-securityhub-insight-awssecurityfindingfilters-noteupdatedat): - DateFilter [NoteUpdatedBy](#cfn-securityhub-insight-awssecurityfindingfilters-noteupdatedby): - StringFilter [ProcessLaunchedAt](#cfn-securityhub-insight-awssecurityfindingfilters-processlaunchedat): - DateFilter [ProcessName](#cfn-securityhub-insight-awssecurityfindingfilters-processname): - StringFilter [ProcessParentPid](#cfn-securityhub-insight-awssecurityfindingfilters-processparentpid): - NumberFilter [ProcessPath](#cfn-securityhub-insight-awssecurityfindingfilters-processpath): - StringFilter [ProcessPid](#cfn-securityhub-insight-awssecurityfindingfilters-processpid): - NumberFilter [ProcessTerminatedAt](#cfn-securityhub-insight-awssecurityfindingfilters-processterminatedat): - DateFilter [ProductArn](#cfn-securityhub-insight-awssecurityfindingfilters-productarn): - StringFilter [ProductFields](#cfn-securityhub-insight-awssecurityfindingfilters-productfields): - MapFilter [ProductName](#cfn-securityhub-insight-awssecurityfindingfilters-productname): - StringFilter [RecommendationText](#cfn-securityhub-insight-awssecurityfindingfilters-recommendationtext): - StringFilter [RecordState](#cfn-securityhub-insight-awssecurityfindingfilters-recordstate): - StringFilter [Region](#cfn-securityhub-insight-awssecurityfindingfilters-region): - StringFilter [RelatedFindingsId](#cfn-securityhub-insight-awssecurityfindingfilters-relatedfindingsid): - StringFilter [RelatedFindingsProductArn](#cfn-securityhub-insight-awssecurityfindingfilters-relatedfindingsproductarn): - StringFilter [ResourceApplicationArn](#cfn-securityhub-insight-awssecurityfindingfilters-resourceapplicationarn): - StringFilter [ResourceApplicationName](#cfn-securityhub-insight-awssecurityfindingfilters-resourceapplicationname): - StringFilter [ResourceAwsEc2InstanceIamInstanceProfileArn](#cfn-securityhub-insight-awssecurityfindingfilters-resourceawsec2instanceiaminstanceprofilearn): - StringFilter [ResourceAwsEc2InstanceImageId](#cfn-securityhub-insight-awssecurityfindingfilters-resourceawsec2instanceimageid): - StringFilter [ResourceAwsEc2InstanceIpV4Addresses](#cfn-securityhub-insight-awssecurityfindingfilters-resourceawsec2instanceipv4addresses): - IpFilter [ResourceAwsEc2InstanceIpV6Addresses](#cfn-securityhub-insight-awssecurityfindingfilters-resourceawsec2instanceipv6addresses): - IpFilter [ResourceAwsEc2InstanceKeyName](#cfn-securityhub-insight-awssecurityfindingfilters-resourceawsec2instancekeyname): - StringFilter [ResourceAwsEc2InstanceLaunchedAt](#cfn-securityhub-insight-awssecurityfindingfilters-resourceawsec2instancelaunchedat): - DateFilter [ResourceAwsEc2InstanceSubnetId](#cfn-securityhub-insight-awssecurityfindingfilters-resourceawsec2instancesubnetid): - StringFilter [ResourceAwsEc2InstanceType](#cfn-securityhub-insight-awssecurityfindingfilters-resourceawsec2instancetype): - StringFilter [ResourceAwsEc2InstanceVpcId](#cfn-securityhub-insight-awssecurityfindingfilters-resourceawsec2instancevpcid): - StringFilter [ResourceAwsIamAccessKeyCreatedAt](#cfn-securityhub-insight-awssecurityfindingfilters-resourceawsiamaccesskeycreatedat): - DateFilter [ResourceAwsIamAccessKeyPrincipalName](#cfn-securityhub-insight-awssecurityfindingfilters-resourceawsiamaccesskeyprincipalname): - StringFilter [ResourceAwsIamAccessKeyStatus](#cfn-securityhub-insight-awssecurityfindingfilters-resourceawsiamaccesskeystatus): - StringFilter [ResourceAwsIamAccessKeyUserName](#cfn-securityhub-insight-awssecurityfindingfilters-resourceawsiamaccesskeyusername): - StringFilter [ResourceAwsIamUserUserName](#cfn-securityhub-insight-awssecurityfindingfilters-resourceawsiamuserusername): - StringFilter [ResourceAwsS3BucketOwnerId](#cfn-securityhub-insight-awssecurityfindingfilters-resourceawss3bucketownerid): - StringFilter [ResourceAwsS3BucketOwnerName](#cfn-securityhub-insight-awssecurityfindingfilters-resourceawss3bucketownername): - StringFilter [ResourceContainerImageId](#cfn-securityhub-insight-awssecurityfindingfilters-resourcecontainerimageid): - StringFilter [ResourceContainerImageName](#cfn-securityhub-insight-awssecurityfindingfilters-resourcecontainerimagename): - StringFilter [ResourceContainerLaunchedAt](#cfn-securityhub-insight-awssecurityfindingfilters-resourcecontainerlaunchedat): - DateFilter [ResourceContainerName](#cfn-securityhub-insight-awssecurityfindingfilters-resourcecontainername): - StringFilter [ResourceDetailsOther](#cfn-securityhub-insight-awssecurityfindingfilters-resourcedetailsother): - MapFilter [ResourceId](#cfn-securityhub-insight-awssecurityfindingfilters-resourceid): - StringFilter [ResourcePartition](#cfn-securityhub-insight-awssecurityfindingfilters-resourcepartition): - StringFilter [ResourceRegion](#cfn-securityhub-insight-awssecurityfindingfilters-resourceregion): - StringFilter [ResourceTags](#cfn-securityhub-insight-awssecurityfindingfilters-resourcetags): - MapFilter [ResourceType](#cfn-securityhub-insight-awssecurityfindingfilters-resourcetype): - StringFilter [Sample](#cfn-securityhub-insight-awssecurityfindingfilters-sample): - BooleanFilter [SeverityLabel](#cfn-securityhub-insight-awssecurityfindingfilters-severitylabel): - StringFilter [SeverityNormalized](#cfn-securityhub-insight-awssecurityfindingfilters-severitynormalized): - NumberFilter [SeverityProduct](#cfn-securityhub-insight-awssecurityfindingfilters-severityproduct): - NumberFilter [SourceUrl](#cfn-securityhub-insight-awssecurityfindingfilters-sourceurl): - StringFilter [ThreatIntelIndicatorCategory](#cfn-securityhub-insight-awssecurityfindingfilters-threatintelindicatorcategory): - StringFilter [ThreatIntelIndicatorLastObservedAt](#cfn-securityhub-insight-awssecurityfindingfilters-threatintelindicatorlastobservedat): - DateFilter [ThreatIntelIndicatorSource](#cfn-securityhub-insight-awssecurityfindingfilters-threatintelindicatorsource): - StringFilter [ThreatIntelIndicatorSourceUrl](#cfn-securityhub-insight-awssecurityfindingfilters-threatintelindicatorsourceurl): - StringFilter [ThreatIntelIndicatorType](#cfn-securityhub-insight-awssecurityfindingfilters-threatintelindicatortype): - StringFilter [ThreatIntelIndicatorValue](#cfn-securityhub-insight-awssecurityfindingfilters-threatintelindicatorvalue): - StringFilter [Title](#cfn-securityhub-insight-awssecurityfindingfilters-title): - StringFilter [Type](#cfn-securityhub-insight-awssecurityfindingfilters-type): - StringFilter [UpdatedAt](#cfn-securityhub-insight-awssecurityfindingfilters-updatedat): - DateFilter [UserDefinedFields](#cfn-securityhub-insight-awssecurityfindingfilters-userdefinedfields): - MapFilter [VerificationState](#cfn-securityhub-insight-awssecurityfindingfilters-verificationstate): - StringFilter [VulnerabilitiesExploitAvailable](#cfn-securityhub-insight-awssecurityfindingfilters-vulnerabilitiesexploitavailable): - StringFilter [VulnerabilitiesFixAvailable](#cfn-securityhub-insight-awssecurityfindingfilters-vulnerabilitiesfixavailable): - StringFilter [WorkflowState](#cfn-securityhub-insight-awssecurityfindingfilters-workflowstate): - StringFilter [WorkflowStatus](#cfn-securityhub-insight-awssecurityfindingfilters-workflowstatus): - StringFilter ``` ## Properties `AwsAccountId` The AWS account ID in which a finding is generated. *Required*: No *Type*: Array of [StringFilter](aws-properties-securityhub-insight-stringfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `AwsAccountName` The name of the AWS account in which a finding is generated. *Required*: No *Type*: Array of [StringFilter](aws-properties-securityhub-insight-stringfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `CompanyName` The name of the findings provider (company) that owns the solution (product) that generates findings. *Required*: No *Type*: Array of [StringFilter](aws-properties-securityhub-insight-stringfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ComplianceAssociatedStandardsId` The unique identifier of a standard in which a control is enabled. This field consists of the resource portion of the Amazon Resource Name (ARN) returned for a standard in the [DescribeStandards](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_DescribeStandards.html) API response. *Required*: No *Type*: Array of [StringFilter](aws-properties-securityhub-insight-stringfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ComplianceSecurityControlId` The unique identifier of a control across standards. Values for this field typically consist of an AWS service and a number, such as APIGateway.5. *Required*: No *Type*: Array of [StringFilter](aws-properties-securityhub-insight-stringfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ComplianceSecurityControlParametersName` The name of a security control parameter. *Required*: No *Type*: Array of [StringFilter](aws-properties-securityhub-insight-stringfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ComplianceSecurityControlParametersValue` The current value of a security control parameter. *Required*: No *Type*: Array of [StringFilter](aws-properties-securityhub-insight-stringfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ComplianceStatus` Exclusive to findings that are generated as the result of a check run against a specific rule in a supported standard, such as CIS AWS Foundations. Contains security standard-related finding details. *Required*: No *Type*: Array of [StringFilter](aws-properties-securityhub-insight-stringfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Confidence` A finding's confidence. Confidence is defined as the likelihood that a finding accurately identifies the behavior or issue that it was intended to identify. Confidence is scored on a 0-100 basis using a ratio scale, where 0 means zero percent confidence and 100 means 100 percent confidence. *Required*: No *Type*: Array of [NumberFilter](aws-properties-securityhub-insight-numberfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `CreatedAt` A timestamp that indicates when the security findings provider created the potential security issue that a finding reflects. For more information about the validation and formatting of timestamp fields in AWS Security Hub CSPM, see [Timestamps](https://docs.aws.amazon.com/securityhub/1.0/APIReference/Welcome.html#timestamps). *Required*: No *Type*: Array of [DateFilter](aws-properties-securityhub-insight-datefilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Criticality` The level of importance assigned to the resources associated with the finding. A score of 0 means that the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources. *Required*: No *Type*: Array of [NumberFilter](aws-properties-securityhub-insight-numberfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Description` A finding's description. *Required*: No *Type*: Array of [StringFilter](aws-properties-securityhub-insight-stringfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `FindingProviderFieldsConfidence` The finding provider value for the finding confidence. Confidence is defined as the likelihood that a finding accurately identifies the behavior or issue that it was intended to identify. Confidence is scored on a 0-100 basis using a ratio scale, where 0 means zero percent confidence and 100 means 100 percent confidence. *Required*: No *Type*: Array of [NumberFilter](aws-properties-securityhub-insight-numberfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `FindingProviderFieldsCriticality` The finding provider value for the level of importance assigned to the resources associated with the findings. A score of 0 means that the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources. *Required*: No *Type*: Array of [NumberFilter](aws-properties-securityhub-insight-numberfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `FindingProviderFieldsRelatedFindingsId` The finding identifier of a related finding that is identified by the finding provider. *Required*: No *Type*: Array of [StringFilter](aws-properties-securityhub-insight-stringfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `FindingProviderFieldsRelatedFindingsProductArn` The ARN of the solution that generated a related finding that is identified by the finding provider. *Required*: No *Type*: Array of [StringFilter](aws-properties-securityhub-insight-stringfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `FindingProviderFieldsSeverityLabel` The finding provider value for the severity label. *Required*: No *Type*: Array of [StringFilter](aws-properties-securityhub-insight-stringfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `FindingProviderFieldsSeverityOriginal` The finding provider's original value for the severity. *Required*: No *Type*: Array of [StringFilter](aws-properties-securityhub-insight-stringfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `FindingProviderFieldsTypes` One or more finding types that the finding provider assigned to the finding. Uses the format of `namespace/category/classifier` that classify a finding. Valid namespace values are: Software and Configuration Checks \$1 TTPs \$1 Effects \$1 Unusual Behaviors \$1 Sensitive Data Identifications *Required*: No *Type*: Array of [StringFilter](aws-properties-securityhub-insight-stringfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `FirstObservedAt` A timestamp that indicates when the security findings provider first observed the potential security issue that a finding captured. For more information about the validation and formatting of timestamp fields in AWS Security Hub CSPM, see [Timestamps](https://docs.aws.amazon.com/securityhub/1.0/APIReference/Welcome.html#timestamps). *Required*: No *Type*: Array of [DateFilter](aws-properties-securityhub-insight-datefilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `GeneratorId` The identifier for the solution-specific component (a discrete unit of logic) that generated a finding. In various security findings providers' solutions, this generator can be called a rule, a check, a detector, a plugin, etc. *Required*: No *Type*: Array of [StringFilter](aws-properties-securityhub-insight-stringfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Id` The security findings provider-specific identifier for a finding. *Required*: No *Type*: Array of [StringFilter](aws-properties-securityhub-insight-stringfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Keyword` This field is deprecated. A keyword for a finding. *Required*: No *Type*: Array of [KeywordFilter](aws-properties-securityhub-insight-keywordfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `LastObservedAt` A timestamp that indicates when the security findings provider most recently observed a change in the resource that is involved in the finding. For more information about the validation and formatting of timestamp fields in AWS Security Hub CSPM, see [Timestamps](https://docs.aws.amazon.com/securityhub/1.0/APIReference/Welcome.html#timestamps). *Required*: No *Type*: Array of [DateFilter](aws-properties-securityhub-insight-datefilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `MalwareName` The name of the malware that was observed. *Required*: No *Type*: Array of [StringFilter](aws-properties-securityhub-insight-stringfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `MalwarePath` The filesystem path of the malware that was observed. *Required*: No *Type*: Array of [StringFilter](aws-properties-securityhub-insight-stringfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `MalwareState` The state of the malware that was observed. *Required*: No *Type*: Array of [StringFilter](aws-properties-securityhub-insight-stringfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `MalwareType` The type of the malware that was observed. *Required*: No *Type*: Array of [StringFilter](aws-properties-securityhub-insight-stringfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `NetworkDestinationDomain` The destination domain of network-related information about a finding. *Required*: No *Type*: Array of [StringFilter](aws-properties-securityhub-insight-stringfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `NetworkDestinationIpV4` The destination IPv4 address of network-related information about a finding. *Required*: No *Type*: Array of [IpFilter](aws-properties-securityhub-insight-ipfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `NetworkDestinationIpV6` The destination IPv6 address of network-related information about a finding. *Required*: No *Type*: Array of [IpFilter](aws-properties-securityhub-insight-ipfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `NetworkDestinationPort` The destination port of network-related information about a finding. *Required*: No *Type*: Array of [NumberFilter](aws-properties-securityhub-insight-numberfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `NetworkDirection` Indicates the direction of network traffic associated with a finding. *Required*: No *Type*: Array of [StringFilter](aws-properties-securityhub-insight-stringfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `NetworkProtocol` The protocol of network-related information about a finding. *Required*: No *Type*: Array of [StringFilter](aws-properties-securityhub-insight-stringfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `NetworkSourceDomain` The source domain of network-related information about a finding. *Required*: No *Type*: Array of [StringFilter](aws-properties-securityhub-insight-stringfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `NetworkSourceIpV4` The source IPv4 address of network-related information about a finding. *Required*: No *Type*: Array of [IpFilter](aws-properties-securityhub-insight-ipfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `NetworkSourceIpV6` The source IPv6 address of network-related information about a finding. *Required*: No *Type*: Array of [IpFilter](aws-properties-securityhub-insight-ipfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `NetworkSourceMac` The source media access control (MAC) address of network-related information about a finding. *Required*: No *Type*: Array of [StringFilter](aws-properties-securityhub-insight-stringfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `NetworkSourcePort` The source port of network-related information about a finding. *Required*: No *Type*: Array of [NumberFilter](aws-properties-securityhub-insight-numberfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `NoteText` The text of a note. *Required*: No *Type*: Array of [StringFilter](aws-properties-securityhub-insight-stringfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `NoteUpdatedAt` The timestamp of when the note was updated. *Required*: No *Type*: Array of [DateFilter](aws-properties-securityhub-insight-datefilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `NoteUpdatedBy` The principal that created a note. *Required*: No *Type*: Array of [StringFilter](aws-properties-securityhub-insight-stringfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ProcessLaunchedAt` A timestamp that identifies when the process was launched. For more information about the validation and formatting of timestamp fields in AWS Security Hub CSPM, see [Timestamps](https://docs.aws.amazon.com/securityhub/1.0/APIReference/Welcome.html#timestamps). *Required*: No *Type*: Array of [DateFilter](aws-properties-securityhub-insight-datefilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ProcessName` The name of the process. *Required*: No *Type*: Array of [StringFilter](aws-properties-securityhub-insight-stringfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ProcessParentPid` The parent process ID. This field accepts positive integers between `O` and `2147483647`. *Required*: No *Type*: Array of [NumberFilter](aws-properties-securityhub-insight-numberfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ProcessPath` The path to the process executable. *Required*: No *Type*: Array of [StringFilter](aws-properties-securityhub-insight-stringfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ProcessPid` The process ID. *Required*: No *Type*: Array of [NumberFilter](aws-properties-securityhub-insight-numberfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ProcessTerminatedAt` A timestamp that identifies when the process was terminated. For more information about the validation and formatting of timestamp fields in AWS Security Hub CSPM, see [Timestamps](https://docs.aws.amazon.com/securityhub/1.0/APIReference/Welcome.html#timestamps). *Required*: No *Type*: Array of [DateFilter](aws-properties-securityhub-insight-datefilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ProductArn` The ARN generated by Security Hub CSPM that uniquely identifies a third-party company (security findings provider) after this provider's product (solution that generates findings) is registered with Security Hub CSPM. *Required*: No *Type*: Array of [StringFilter](aws-properties-securityhub-insight-stringfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ProductFields` A data type where security findings providers can include additional solution-specific details that aren't part of the defined `AwsSecurityFinding` format. *Required*: No *Type*: Array of [MapFilter](aws-properties-securityhub-insight-mapfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ProductName` The name of the solution (product) that generates findings. *Required*: No *Type*: Array of [StringFilter](aws-properties-securityhub-insight-stringfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `RecommendationText` The recommendation of what to do about the issue described in a finding. *Required*: No *Type*: Array of [StringFilter](aws-properties-securityhub-insight-stringfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `RecordState` The updated record state for the finding. *Required*: No *Type*: Array of [StringFilter](aws-properties-securityhub-insight-stringfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Region` The Region from which the finding was generated. *Required*: No *Type*: Array of [StringFilter](aws-properties-securityhub-insight-stringfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `RelatedFindingsId` The solution-generated identifier for a related finding. *Required*: No *Type*: Array of [StringFilter](aws-properties-securityhub-insight-stringfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `RelatedFindingsProductArn` The ARN of the solution that generated a related finding. *Required*: No *Type*: Array of [StringFilter](aws-properties-securityhub-insight-stringfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ResourceApplicationArn` The ARN of the application that is related to a finding. *Required*: No *Type*: Array of [StringFilter](aws-properties-securityhub-insight-stringfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ResourceApplicationName` The name of the application that is related to a finding. *Required*: No *Type*: Array of [StringFilter](aws-properties-securityhub-insight-stringfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ResourceAwsEc2InstanceIamInstanceProfileArn` The IAM profile ARN of the instance. *Required*: No *Type*: Array of [StringFilter](aws-properties-securityhub-insight-stringfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ResourceAwsEc2InstanceImageId` The Amazon Machine Image (AMI) ID of the instance. *Required*: No *Type*: Array of [StringFilter](aws-properties-securityhub-insight-stringfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ResourceAwsEc2InstanceIpV4Addresses` The IPv4 addresses associated with the instance. *Required*: No *Type*: Array of [IpFilter](aws-properties-securityhub-insight-ipfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ResourceAwsEc2InstanceIpV6Addresses` The IPv6 addresses associated with the instance. *Required*: No *Type*: Array of [IpFilter](aws-properties-securityhub-insight-ipfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ResourceAwsEc2InstanceKeyName` The key name associated with the instance. *Required*: No *Type*: Array of [StringFilter](aws-properties-securityhub-insight-stringfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ResourceAwsEc2InstanceLaunchedAt` The date and time the instance was launched. *Required*: No *Type*: Array of [DateFilter](aws-properties-securityhub-insight-datefilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ResourceAwsEc2InstanceSubnetId` The identifier of the subnet that the instance was launched in. *Required*: No *Type*: Array of [StringFilter](aws-properties-securityhub-insight-stringfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ResourceAwsEc2InstanceType` The instance type of the instance. *Required*: No *Type*: Array of [StringFilter](aws-properties-securityhub-insight-stringfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ResourceAwsEc2InstanceVpcId` The identifier of the VPC that the instance was launched in. *Required*: No *Type*: Array of [StringFilter](aws-properties-securityhub-insight-stringfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ResourceAwsIamAccessKeyCreatedAt` The creation date/time of the IAM access key related to a finding. *Required*: No *Type*: Array of [DateFilter](aws-properties-securityhub-insight-datefilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ResourceAwsIamAccessKeyPrincipalName` The name of the principal that is associated with an IAM access key. *Required*: No *Type*: Array of [StringFilter](aws-properties-securityhub-insight-stringfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ResourceAwsIamAccessKeyStatus` The status of the IAM access key related to a finding. *Required*: No *Type*: Array of [StringFilter](aws-properties-securityhub-insight-stringfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ResourceAwsIamAccessKeyUserName` This field is deprecated. The username associated with the IAM access key related to a finding. *Required*: No *Type*: Array of [StringFilter](aws-properties-securityhub-insight-stringfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ResourceAwsIamUserUserName` The name of an IAM user. *Required*: No *Type*: Array of [StringFilter](aws-properties-securityhub-insight-stringfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ResourceAwsS3BucketOwnerId` The canonical user ID of the owner of the S3 bucket. *Required*: No *Type*: Array of [StringFilter](aws-properties-securityhub-insight-stringfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ResourceAwsS3BucketOwnerName` The display name of the owner of the S3 bucket. *Required*: No *Type*: Array of [StringFilter](aws-properties-securityhub-insight-stringfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ResourceContainerImageId` The identifier of the image related to a finding. *Required*: No *Type*: Array of [StringFilter](aws-properties-securityhub-insight-stringfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ResourceContainerImageName` The name of the image related to a finding. *Required*: No *Type*: Array of [StringFilter](aws-properties-securityhub-insight-stringfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ResourceContainerLaunchedAt` A timestamp that identifies when the container was started. For more information about the validation and formatting of timestamp fields in AWS Security Hub CSPM, see [Timestamps](https://docs.aws.amazon.com/securityhub/1.0/APIReference/Welcome.html#timestamps). *Required*: No *Type*: Array of [DateFilter](aws-properties-securityhub-insight-datefilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ResourceContainerName` The name of the container related to a finding. *Required*: No *Type*: Array of [StringFilter](aws-properties-securityhub-insight-stringfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ResourceDetailsOther` The details of a resource that doesn't have a specific subfield for the resource type defined. *Required*: No *Type*: Array of [MapFilter](aws-properties-securityhub-insight-mapfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ResourceId` The canonical identifier for the given resource type. *Required*: No *Type*: Array of [StringFilter](aws-properties-securityhub-insight-stringfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ResourcePartition` The canonical AWS partition name that the Region is assigned to. *Required*: No *Type*: Array of [StringFilter](aws-properties-securityhub-insight-stringfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ResourceRegion` The canonical AWS external Region name where this resource is located. *Required*: No *Type*: Array of [StringFilter](aws-properties-securityhub-insight-stringfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ResourceTags` A list of AWS tags associated with a resource at the time the finding was processed. *Required*: No *Type*: Array of [MapFilter](aws-properties-securityhub-insight-mapfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ResourceType` Specifies the type of the resource that details are provided for. *Required*: No *Type*: Array of [StringFilter](aws-properties-securityhub-insight-stringfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Sample` Indicates whether or not sample findings are included in the filter results. *Required*: No *Type*: Array of [BooleanFilter](aws-properties-securityhub-insight-booleanfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `SeverityLabel` The label of a finding's severity. *Required*: No *Type*: Array of [StringFilter](aws-properties-securityhub-insight-stringfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `SeverityNormalized` Deprecated. The normalized severity of a finding. Instead of providing `Normalized`, provide `Label`. The value of `Normalized` can be an integer between `0` and `100`. If you provide `Label` and don't provide `Normalized`, then `Normalized` is set automatically as follows. + `INFORMATIONAL` - 0 + `LOW` - 1 + `MEDIUM` - 40 + `HIGH` - 70 + `CRITICAL` - 90 *Required*: No *Type*: Array of [NumberFilter](aws-properties-securityhub-insight-numberfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `SeverityProduct` Deprecated. This attribute isn't included in findings. Instead of providing `Product`, provide `Original`. The native severity as defined by the AWS service or integrated partner product that generated the finding. *Required*: No *Type*: Array of [NumberFilter](aws-properties-securityhub-insight-numberfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `SourceUrl` A URL that links to a page about the current finding in the security findings provider's solution. *Required*: No *Type*: Array of [StringFilter](aws-properties-securityhub-insight-stringfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ThreatIntelIndicatorCategory` The category of a threat intelligence indicator. *Required*: No *Type*: Array of [StringFilter](aws-properties-securityhub-insight-stringfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ThreatIntelIndicatorLastObservedAt` A timestamp that identifies the last observation of a threat intelligence indicator. For more information about the validation and formatting of timestamp fields in AWS Security Hub CSPM, see [Timestamps](https://docs.aws.amazon.com/securityhub/1.0/APIReference/Welcome.html#timestamps). *Required*: No *Type*: Array of [DateFilter](aws-properties-securityhub-insight-datefilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ThreatIntelIndicatorSource` The source of the threat intelligence. *Required*: No *Type*: Array of [StringFilter](aws-properties-securityhub-insight-stringfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ThreatIntelIndicatorSourceUrl` The URL for more details from the source of the threat intelligence. *Required*: No *Type*: Array of [StringFilter](aws-properties-securityhub-insight-stringfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ThreatIntelIndicatorType` The type of a threat intelligence indicator. *Required*: No *Type*: Array of [StringFilter](aws-properties-securityhub-insight-stringfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ThreatIntelIndicatorValue` The value of a threat intelligence indicator. *Required*: No *Type*: Array of [StringFilter](aws-properties-securityhub-insight-stringfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Title` A finding's title. *Required*: No *Type*: Array of [StringFilter](aws-properties-securityhub-insight-stringfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Type` A finding type in the format of `namespace/category/classifier` that classifies a finding. *Required*: No *Type*: Array of [StringFilter](aws-properties-securityhub-insight-stringfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `UpdatedAt` A timestamp that indicates when the security findings provider last updated the finding record. For more information about the validation and formatting of timestamp fields in AWS Security Hub CSPM, see [Timestamps](https://docs.aws.amazon.com/securityhub/1.0/APIReference/Welcome.html#timestamps). *Required*: No *Type*: Array of [DateFilter](aws-properties-securityhub-insight-datefilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `UserDefinedFields` A list of name/value string pairs associated with the finding. These are custom, user-defined fields added to a finding. *Required*: No *Type*: Array of [MapFilter](aws-properties-securityhub-insight-mapfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `VerificationState` The veracity of a finding. *Required*: No *Type*: Array of [StringFilter](aws-properties-securityhub-insight-stringfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `VulnerabilitiesExploitAvailable` Indicates whether a software vulnerability in your environment has a known exploit. You can filter findings by this field only if you use Security Hub CSPM and Amazon Inspector. *Required*: No *Type*: Array of [StringFilter](aws-properties-securityhub-insight-stringfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `VulnerabilitiesFixAvailable` Indicates whether a vulnerability is fixed in a newer version of the affected software packages. You can filter findings by this field only if you use Security Hub CSPM and Amazon Inspector. *Required*: No *Type*: Array of [StringFilter](aws-properties-securityhub-insight-stringfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `WorkflowState` The workflow state of a finding. Note that this field is deprecated. To search for a finding based on its workflow status, use `WorkflowStatus`. *Required*: No *Type*: Array of [StringFilter](aws-properties-securityhub-insight-stringfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `WorkflowStatus` The status of the investigation into a finding. Allowed values are the following. + `NEW` - The initial state of a finding, before it is reviewed. Security Hub CSPM also resets the workflow status from `NOTIFIED` or `RESOLVED` to `NEW` in the following cases: + `RecordState` changes from `ARCHIVED` to `ACTIVE`. + `Compliance.Status` changes from `PASSED` to either `WARNING`, `FAILED`, or `NOT_AVAILABLE`. + `NOTIFIED` - Indicates that the resource owner has been notified about the security issue. Used when the initial reviewer is not the resource owner, and needs intervention from the resource owner. If one of the following occurs, the workflow status is changed automatically from `NOTIFIED` to `NEW`: + `RecordState` changes from `ARCHIVED` to `ACTIVE`. + `Compliance.Status` changes from `PASSED` to `FAILED`, `WARNING`, or `NOT_AVAILABLE`. + `SUPPRESSED` - Indicates that you reviewed the finding and don't believe that any action is needed. The workflow status of a `SUPPRESSED` finding does not change if `RecordState` changes from `ARCHIVED` to `ACTIVE`. + `RESOLVED` - The finding was reviewed and remediated and is now considered resolved. The finding remains `RESOLVED` unless one of the following occurs: + `RecordState` changes from `ARCHIVED` to `ACTIVE`. + `Compliance.Status` changes from `PASSED` to `FAILED`, `WARNING`, or `NOT_AVAILABLE`. In those cases, the workflow status is automatically reset to `NEW`. For findings from controls, if `Compliance.Status` is `PASSED`, then Security Hub CSPM automatically sets the workflow status to `RESOLVED`. *Required*: No *Type*: Array of [StringFilter](aws-properties-securityhub-insight-stringfilter.md) *Maximum*: `20` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::SecurityHub::Insight BooleanFilter Boolean filter for querying findings. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Value](#cfn-securityhub-insight-booleanfilter-value)" : Boolean } ``` ### YAML ``` [Value](#cfn-securityhub-insight-booleanfilter-value): Boolean ``` ## Properties `Value` The value of the boolean. *Required*: Yes *Type*: Boolean *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::SecurityHub::Insight DateFilter A date filter for querying findings. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[DateRange](#cfn-securityhub-insight-datefilter-daterange)" : DateRange, "[End](#cfn-securityhub-insight-datefilter-end)" : String, "[Start](#cfn-securityhub-insight-datefilter-start)" : String } ``` ### YAML ``` [DateRange](#cfn-securityhub-insight-datefilter-daterange): DateRange [End](#cfn-securityhub-insight-datefilter-end): String [Start](#cfn-securityhub-insight-datefilter-start): String ``` ## Properties `DateRange` A date range for the date filter. *Required*: No *Type*: [DateRange](aws-properties-securityhub-insight-daterange.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `End` A timestamp that provides the end date for the date filter. For more information about the validation and formatting of timestamp fields in AWS Security Hub CSPM, see [Timestamps](https://docs.aws.amazon.com/securityhub/1.0/APIReference/Welcome.html#timestamps). *Required*: No *Type*: String *Pattern*: `^([\+-]?\d{4}(?!\d{2}))((-?)((0[1-9]|1[0-2])(\3([12]\d|0[1-9]|3[01]))?|W([0-4]\d|5[0-2])(-?[1-7])?|(00[1-9]|0[1-9]\d|[12]\d{2}|3([0-5]\d|6[1-6])))([tT]((([01]\d|2[0-3])((:?)[0-5]\d)?|24\:?00)([\.,]\d+(?!:))?)?(\17[0-5]\d([\.,]\d+)?)?([zZ]|([\+-])([01]\d|2[0-3]):?([0-5]\d)?)?)?)?$` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Start` A timestamp that provides the start date for the date filter. For more information about the validation and formatting of timestamp fields in AWS Security Hub CSPM, see [Timestamps](https://docs.aws.amazon.com/securityhub/1.0/APIReference/Welcome.html#timestamps). *Required*: No *Type*: String *Pattern*: `^([\+-]?\d{4}(?!\d{2}))((-?)((0[1-9]|1[0-2])(\3([12]\d|0[1-9]|3[01]))?|W([0-4]\d|5[0-2])(-?[1-7])?|(00[1-9]|0[1-9]\d|[12]\d{2}|3([0-5]\d|6[1-6])))([tT]((([01]\d|2[0-3])((:?)[0-5]\d)?|24\:?00)([\.,]\d+(?!:))?)?(\17[0-5]\d([\.,]\d+)?)?([zZ]|([\+-])([01]\d|2[0-3]):?([0-5]\d)?)?)?)?$` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::SecurityHub::Insight DateRange A date range for the date filter. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Unit](#cfn-securityhub-insight-daterange-unit)" : String, "[Value](#cfn-securityhub-insight-daterange-value)" : Number } ``` ### YAML ``` [Unit](#cfn-securityhub-insight-daterange-unit): String [Value](#cfn-securityhub-insight-daterange-value): Number ``` ## Properties `Unit` A date range unit for the date filter. *Required*: Yes *Type*: String *Allowed values*: `DAYS` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Value` A date range value for the date filter. *Required*: Yes *Type*: Number *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::SecurityHub::Insight IpFilter The IP filter for querying findings. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Cidr](#cfn-securityhub-insight-ipfilter-cidr)" : String } ``` ### YAML ``` [Cidr](#cfn-securityhub-insight-ipfilter-cidr): String ``` ## Properties `Cidr` A finding's CIDR value. *Required*: Yes *Type*: String *Minimum*: `1` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::SecurityHub::Insight KeywordFilter A keyword filter for querying findings. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Value](#cfn-securityhub-insight-keywordfilter-value)" : String } ``` ### YAML ``` [Value](#cfn-securityhub-insight-keywordfilter-value): String ``` ## Properties `Value` A value for the keyword. *Required*: Yes *Type*: String *Minimum*: `1` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::SecurityHub::Insight MapFilter A map filter for filtering AWS Security Hub CSPM findings. Each map filter provides the field to check for, the value to check for, and the comparison operator. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Comparison](#cfn-securityhub-insight-mapfilter-comparison)" : String, "[Key](#cfn-securityhub-insight-mapfilter-key)" : String, "[Value](#cfn-securityhub-insight-mapfilter-value)" : String } ``` ### YAML ``` [Comparison](#cfn-securityhub-insight-mapfilter-comparison): String [Key](#cfn-securityhub-insight-mapfilter-key): String [Value](#cfn-securityhub-insight-mapfilter-value): String ``` ## Properties `Comparison` The condition to apply to the key value when filtering Security Hub CSPM findings with a map filter. To search for values that have the filter value, use one of the following comparison operators: + To search for values that include the filter value, use `CONTAINS`. For example, for the `ResourceTags` field, the filter `Department CONTAINS Security` matches findings that include the value `Security` for the `Department` tag. In the same example, a finding with a value of `Security team` for the `Department` tag is a match. + To search for values that exactly match the filter value, use `EQUALS`. For example, for the `ResourceTags` field, the filter `Department EQUALS Security` matches findings that have the value `Security` for the `Department` tag. `CONTAINS` and `EQUALS` filters on the same field are joined by `OR`. A finding matches if it matches any one of those filters. For example, the filters `Department CONTAINS Security OR Department CONTAINS Finance` match a finding that includes either `Security`, `Finance`, or both values. To search for values that don't have the filter value, use one of the following comparison operators: + To search for values that exclude the filter value, use `NOT_CONTAINS`. For example, for the `ResourceTags` field, the filter `Department NOT_CONTAINS Finance` matches findings that exclude the value `Finance` for the `Department` tag. + To search for values other than the filter value, use `NOT_EQUALS`. For example, for the `ResourceTags` field, the filter `Department NOT_EQUALS Finance` matches findings that don’t have the value `Finance` for the `Department` tag. `NOT_CONTAINS` and `NOT_EQUALS` filters on the same field are joined by `AND`. A finding matches only if it matches all of those filters. For example, the filters `Department NOT_CONTAINS Security AND Department NOT_CONTAINS Finance` match a finding that excludes both the `Security` and `Finance` values. `CONTAINS` filters can only be used with other `CONTAINS` filters. `NOT_CONTAINS` filters can only be used with other `NOT_CONTAINS` filters. You can’t have both a `CONTAINS` filter and a `NOT_CONTAINS` filter on the same field. Similarly, you can’t have both an `EQUALS` filter and a `NOT_EQUALS` filter on the same field. Combining filters in this way returns an error. `CONTAINS` and `NOT_CONTAINS` operators can be used only with automation rules. For more information, see [Automation rules](https://docs.aws.amazon.com/securityhub/latest/userguide/automation-rules.html) in the *AWS Security Hub CSPM User Guide*. *Required*: Yes *Type*: String *Allowed values*: `EQUALS | NOT_EQUALS` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Key` The key of the map filter. For example, for `ResourceTags`, `Key` identifies the name of the tag. For `UserDefinedFields`, `Key` is the name of the field. *Required*: Yes *Type*: String *Minimum*: `1` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Value` The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called `Department` might be `Security`. If you provide `security` as the filter value, then there's no match. *Required*: Yes *Type*: String *Minimum*: `1` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::SecurityHub::Insight NumberFilter A number filter for querying findings. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Eq](#cfn-securityhub-insight-numberfilter-eq)" : Number, "[Gte](#cfn-securityhub-insight-numberfilter-gte)" : Number, "[Lte](#cfn-securityhub-insight-numberfilter-lte)" : Number } ``` ### YAML ``` [Eq](#cfn-securityhub-insight-numberfilter-eq): Number [Gte](#cfn-securityhub-insight-numberfilter-gte): Number [Lte](#cfn-securityhub-insight-numberfilter-lte): Number ``` ## Properties `Eq` The equal-to condition to be applied to a single field when querying for findings. *Required*: No *Type*: Number *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Gte` The greater-than-equal condition to be applied to a single field when querying for findings. *Required*: No *Type*: Number *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Lte` The less-than-equal condition to be applied to a single field when querying for findings. *Required*: No *Type*: Number *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::SecurityHub::Insight StringFilter A string filter for filtering AWS Security Hub CSPM findings. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Comparison](#cfn-securityhub-insight-stringfilter-comparison)" : String, "[Value](#cfn-securityhub-insight-stringfilter-value)" : String } ``` ### YAML ``` [Comparison](#cfn-securityhub-insight-stringfilter-comparison): String [Value](#cfn-securityhub-insight-stringfilter-value): String ``` ## Properties `Comparison` The condition to apply to a string value when filtering Security Hub CSPM findings. To search for values that have the filter value, use one of the following comparison operators: + To search for values that include the filter value, use `CONTAINS`. For example, the filter `Title CONTAINS CloudFront` matches findings that have a `Title` that includes the string CloudFront. + To search for values that exactly match the filter value, use `EQUALS`. For example, the filter `AwsAccountId EQUALS 123456789012` only matches findings that have an account ID of `123456789012`. + To search for values that start with the filter value, use `PREFIX`. For example, the filter `ResourceRegion PREFIX us` matches findings that have a `ResourceRegion` that starts with `us`. A `ResourceRegion` that starts with a different value, such as `af`, `ap`, or `ca`, doesn't match. `CONTAINS`, `EQUALS`, and `PREFIX` filters on the same field are joined by `OR`. A finding matches if it matches any one of those filters. For example, the filters `Title CONTAINS CloudFront OR Title CONTAINS CloudWatch` match a finding that includes either `CloudFront`, `CloudWatch`, or both strings in the title. To search for values that don’t have the filter value, use one of the following comparison operators: + To search for values that exclude the filter value, use `NOT_CONTAINS`. For example, the filter `Title NOT_CONTAINS CloudFront` matches findings that have a `Title` that excludes the string CloudFront. + To search for values other than the filter value, use `NOT_EQUALS`. For example, the filter `AwsAccountId NOT_EQUALS 123456789012` only matches findings that have an account ID other than `123456789012`. + To search for values that don't start with the filter value, use `PREFIX_NOT_EQUALS`. For example, the filter `ResourceRegion PREFIX_NOT_EQUALS us` matches findings with a `ResourceRegion` that starts with a value other than `us`. `NOT_CONTAINS`, `NOT_EQUALS`, and `PREFIX_NOT_EQUALS` filters on the same field are joined by `AND`. A finding matches only if it matches all of those filters. For example, the filters `Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch` match a finding that excludes both `CloudFront` and `CloudWatch` in the title. You can’t have both a `CONTAINS` filter and a `NOT_CONTAINS` filter on the same field. Similarly, you can't provide both an `EQUALS` filter and a `NOT_EQUALS` or `PREFIX_NOT_EQUALS` filter on the same field. Combining filters in this way returns an error. `CONTAINS` filters can only be used with other `CONTAINS` filters. `NOT_CONTAINS` filters can only be used with other `NOT_CONTAINS` filters. You can combine `PREFIX` filters with `NOT_EQUALS` or `PREFIX_NOT_EQUALS` filters for the same field. Security Hub CSPM first processes the `PREFIX` filters, and then the `NOT_EQUALS` or `PREFIX_NOT_EQUALS` filters. For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either `AwsIam` or `AwsEc2`. It then excludes findings that have a resource type of `AwsIamPolicy` and findings that have a resource type of `AwsEc2NetworkInterface`. + `ResourceType PREFIX AwsIam` + `ResourceType PREFIX AwsEc2` + `ResourceType NOT_EQUALS AwsIamPolicy` + `ResourceType NOT_EQUALS AwsEc2NetworkInterface` `CONTAINS` and `NOT_CONTAINS` operators can be used only with automation rules V1. `CONTAINS_WORD` operator is only supported in `GetFindingsV2`, `GetFindingStatisticsV2`, `GetResourcesV2`, and `GetResourcesStatisticsV2` APIs. For more information, see [Automation rules](https://docs.aws.amazon.com/securityhub/latest/userguide/automation-rules.html) in the *AWS Security Hub CSPM User Guide*. *Required*: Yes *Type*: String *Allowed values*: `EQUALS | PREFIX | NOT_EQUALS | PREFIX_NOT_EQUALS` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Value` The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is `Security Hub CSPM`. If you provide `security hub` as the filter value, there's no match. *Required*: Yes *Type*: String *Minimum*: `1` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)