# AwsSecurityFindingFilters A collection of filters that are applied to all active findings aggregated by AWS Security Hub CSPM. You can filter by up to ten finding attributes. For each attribute, you can provide up to 20 filter values. ## Contents ** AwsAccountId ** The AWS account ID in which a finding is generated. Type: Array of [StringFilter](API_StringFilter.md) objects Required: No ** AwsAccountName ** The name of the AWS account in which a finding is generated. Type: Array of [StringFilter](API_StringFilter.md) objects Required: No ** CompanyName ** The name of the findings provider (company) that owns the solution (product) that generates findings. Type: Array of [StringFilter](API_StringFilter.md) objects Required: No ** ComplianceAssociatedStandardsId ** The unique identifier of a standard in which a control is enabled. This field consists of the resource portion of the Amazon Resource Name (ARN) returned for a standard in the [DescribeStandards](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_DescribeStandards.html) API response. Type: Array of [StringFilter](API_StringFilter.md) objects Required: No ** ComplianceSecurityControlId ** The unique identifier of a control across standards. Values for this field typically consist of an AWS service and a number, such as APIGateway.5. Type: Array of [StringFilter](API_StringFilter.md) objects Required: No ** ComplianceSecurityControlParametersName ** The name of a security control parameter. Type: Array of [StringFilter](API_StringFilter.md) objects Required: No ** ComplianceSecurityControlParametersValue ** The current value of a security control parameter. Type: Array of [StringFilter](API_StringFilter.md) objects Required: No ** ComplianceStatus ** Exclusive to findings that are generated as the result of a check run against a specific rule in a supported standard, such as CIS AWS Foundations. Contains security standard-related finding details. Type: Array of [StringFilter](API_StringFilter.md) objects Required: No ** Confidence ** A finding's confidence. Confidence is defined as the likelihood that a finding accurately identifies the behavior or issue that it was intended to identify. Confidence is scored on a 0-100 basis using a ratio scale, where 0 means zero percent confidence and 100 means 100 percent confidence. Type: Array of [NumberFilter](API_NumberFilter.md) objects Required: No ** CreatedAt ** A timestamp that indicates when the security findings provider created the potential security issue that a finding reflects. For more information about the validation and formatting of timestamp fields in AWS Security Hub CSPM, see [Timestamps](https://docs.aws.amazon.com/securityhub/1.0/APIReference/Welcome.html#timestamps). Type: Array of [DateFilter](API_DateFilter.md) objects Required: No ** Criticality ** The level of importance assigned to the resources associated with the finding. A score of 0 means that the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources. Type: Array of [NumberFilter](API_NumberFilter.md) objects Required: No ** Description ** A finding's description. Type: Array of [StringFilter](API_StringFilter.md) objects Required: No ** FindingProviderFieldsConfidence ** The finding provider value for the finding confidence. Confidence is defined as the likelihood that a finding accurately identifies the behavior or issue that it was intended to identify. Confidence is scored on a 0-100 basis using a ratio scale, where 0 means zero percent confidence and 100 means 100 percent confidence. Type: Array of [NumberFilter](API_NumberFilter.md) objects Required: No ** FindingProviderFieldsCriticality ** The finding provider value for the level of importance assigned to the resources associated with the findings. A score of 0 means that the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources. Type: Array of [NumberFilter](API_NumberFilter.md) objects Required: No ** FindingProviderFieldsRelatedFindingsId ** The finding identifier of a related finding that is identified by the finding provider. Type: Array of [StringFilter](API_StringFilter.md) objects Required: No ** FindingProviderFieldsRelatedFindingsProductArn ** The ARN of the solution that generated a related finding that is identified by the finding provider. Type: Array of [StringFilter](API_StringFilter.md) objects Required: No ** FindingProviderFieldsSeverityLabel ** The finding provider value for the severity label. Type: Array of [StringFilter](API_StringFilter.md) objects Required: No ** FindingProviderFieldsSeverityOriginal ** The finding provider's original value for the severity. Type: Array of [StringFilter](API_StringFilter.md) objects Required: No ** FindingProviderFieldsTypes ** One or more finding types that the finding provider assigned to the finding. Uses the format of `namespace/category/classifier` that classify a finding. Valid namespace values are: Software and Configuration Checks \$1 TTPs \$1 Effects \$1 Unusual Behaviors \$1 Sensitive Data Identifications Type: Array of [StringFilter](API_StringFilter.md) objects Required: No ** FirstObservedAt ** A timestamp that indicates when the security findings provider first observed the potential security issue that a finding captured. For more information about the validation and formatting of timestamp fields in AWS Security Hub CSPM, see [Timestamps](https://docs.aws.amazon.com/securityhub/1.0/APIReference/Welcome.html#timestamps). Type: Array of [DateFilter](API_DateFilter.md) objects Required: No ** GeneratorId ** The identifier for the solution-specific component (a discrete unit of logic) that generated a finding. In various security findings providers' solutions, this generator can be called a rule, a check, a detector, a plugin, etc. Type: Array of [StringFilter](API_StringFilter.md) objects Required: No ** Id ** The security findings provider-specific identifier for a finding. Type: Array of [StringFilter](API_StringFilter.md) objects Required: No ** Keyword ** *This member has been deprecated.* A keyword for a finding. Type: Array of [KeywordFilter](API_KeywordFilter.md) objects Required: No ** LastObservedAt ** A timestamp that indicates when the security findings provider most recently observed a change in the resource that is involved in the finding. For more information about the validation and formatting of timestamp fields in AWS Security Hub CSPM, see [Timestamps](https://docs.aws.amazon.com/securityhub/1.0/APIReference/Welcome.html#timestamps). Type: Array of [DateFilter](API_DateFilter.md) objects Required: No ** MalwareName ** The name of the malware that was observed. Type: Array of [StringFilter](API_StringFilter.md) objects Required: No ** MalwarePath ** The filesystem path of the malware that was observed. Type: Array of [StringFilter](API_StringFilter.md) objects Required: No ** MalwareState ** The state of the malware that was observed. Type: Array of [StringFilter](API_StringFilter.md) objects Required: No ** MalwareType ** The type of the malware that was observed. Type: Array of [StringFilter](API_StringFilter.md) objects Required: No ** NetworkDestinationDomain ** The destination domain of network-related information about a finding. Type: Array of [StringFilter](API_StringFilter.md) objects Required: No ** NetworkDestinationIpV4 ** The destination IPv4 address of network-related information about a finding. Type: Array of [IpFilter](API_IpFilter.md) objects Required: No ** NetworkDestinationIpV6 ** The destination IPv6 address of network-related information about a finding. Type: Array of [IpFilter](API_IpFilter.md) objects Required: No ** NetworkDestinationPort ** The destination port of network-related information about a finding. Type: Array of [NumberFilter](API_NumberFilter.md) objects Required: No ** NetworkDirection ** Indicates the direction of network traffic associated with a finding. Type: Array of [StringFilter](API_StringFilter.md) objects Required: No ** NetworkProtocol ** The protocol of network-related information about a finding. Type: Array of [StringFilter](API_StringFilter.md) objects Required: No ** NetworkSourceDomain ** The source domain of network-related information about a finding. Type: Array of [StringFilter](API_StringFilter.md) objects Required: No ** NetworkSourceIpV4 ** The source IPv4 address of network-related information about a finding. Type: Array of [IpFilter](API_IpFilter.md) objects Required: No ** NetworkSourceIpV6 ** The source IPv6 address of network-related information about a finding. Type: Array of [IpFilter](API_IpFilter.md) objects Required: No ** NetworkSourceMac ** The source media access control (MAC) address of network-related information about a finding. Type: Array of [StringFilter](API_StringFilter.md) objects Required: No ** NetworkSourcePort ** The source port of network-related information about a finding. Type: Array of [NumberFilter](API_NumberFilter.md) objects Required: No ** NoteText ** The text of a note. Type: Array of [StringFilter](API_StringFilter.md) objects Required: No ** NoteUpdatedAt ** The timestamp of when the note was updated. Type: Array of [DateFilter](API_DateFilter.md) objects Required: No ** NoteUpdatedBy ** The principal that created a note. Type: Array of [StringFilter](API_StringFilter.md) objects Required: No ** ProcessLaunchedAt ** A timestamp that identifies when the process was launched. For more information about the validation and formatting of timestamp fields in AWS Security Hub CSPM, see [Timestamps](https://docs.aws.amazon.com/securityhub/1.0/APIReference/Welcome.html#timestamps). Type: Array of [DateFilter](API_DateFilter.md) objects Required: No ** ProcessName ** The name of the process. Type: Array of [StringFilter](API_StringFilter.md) objects Required: No ** ProcessParentPid ** The parent process ID. This field accepts positive integers between `O` and `2147483647`. Type: Array of [NumberFilter](API_NumberFilter.md) objects Required: No ** ProcessPath ** The path to the process executable. Type: Array of [StringFilter](API_StringFilter.md) objects Required: No ** ProcessPid ** The process ID. Type: Array of [NumberFilter](API_NumberFilter.md) objects Required: No ** ProcessTerminatedAt ** A timestamp that identifies when the process was terminated. For more information about the validation and formatting of timestamp fields in AWS Security Hub CSPM, see [Timestamps](https://docs.aws.amazon.com/securityhub/1.0/APIReference/Welcome.html#timestamps). Type: Array of [DateFilter](API_DateFilter.md) objects Required: No ** ProductArn ** The ARN generated by Security Hub CSPM that uniquely identifies a third-party company (security findings provider) after this provider's product (solution that generates findings) is registered with Security Hub CSPM. Type: Array of [StringFilter](API_StringFilter.md) objects Required: No ** ProductFields ** A data type where security findings providers can include additional solution-specific details that aren't part of the defined `AwsSecurityFinding` format. Type: Array of [MapFilter](API_MapFilter.md) objects Required: No ** ProductName ** The name of the solution (product) that generates findings. Type: Array of [StringFilter](API_StringFilter.md) objects Required: No ** RecommendationText ** The recommendation of what to do about the issue described in a finding. Type: Array of [StringFilter](API_StringFilter.md) objects Required: No ** RecordState ** The updated record state for the finding. Type: Array of [StringFilter](API_StringFilter.md) objects Required: No ** Region ** The Region from which the finding was generated. Type: Array of [StringFilter](API_StringFilter.md) objects Required: No ** RelatedFindingsId ** The solution-generated identifier for a related finding. Type: Array of [StringFilter](API_StringFilter.md) objects Required: No ** RelatedFindingsProductArn ** The ARN of the solution that generated a related finding. Type: Array of [StringFilter](API_StringFilter.md) objects Required: No ** ResourceApplicationArn ** The ARN of the application that is related to a finding. Type: Array of [StringFilter](API_StringFilter.md) objects Required: No ** ResourceApplicationName ** The name of the application that is related to a finding. Type: Array of [StringFilter](API_StringFilter.md) objects Required: No ** ResourceAwsEc2InstanceIamInstanceProfileArn ** The IAM profile ARN of the instance. Type: Array of [StringFilter](API_StringFilter.md) objects Required: No ** ResourceAwsEc2InstanceImageId ** The Amazon Machine Image (AMI) ID of the instance. Type: Array of [StringFilter](API_StringFilter.md) objects Required: No ** ResourceAwsEc2InstanceIpV4Addresses ** The IPv4 addresses associated with the instance. Type: Array of [IpFilter](API_IpFilter.md) objects Required: No ** ResourceAwsEc2InstanceIpV6Addresses ** The IPv6 addresses associated with the instance. Type: Array of [IpFilter](API_IpFilter.md) objects Required: No ** ResourceAwsEc2InstanceKeyName ** The key name associated with the instance. Type: Array of [StringFilter](API_StringFilter.md) objects Required: No ** ResourceAwsEc2InstanceLaunchedAt ** The date and time the instance was launched. Type: Array of [DateFilter](API_DateFilter.md) objects Required: No ** ResourceAwsEc2InstanceSubnetId ** The identifier of the subnet that the instance was launched in. Type: Array of [StringFilter](API_StringFilter.md) objects Required: No ** ResourceAwsEc2InstanceType ** The instance type of the instance. Type: Array of [StringFilter](API_StringFilter.md) objects Required: No ** ResourceAwsEc2InstanceVpcId ** The identifier of the VPC that the instance was launched in. Type: Array of [StringFilter](API_StringFilter.md) objects Required: No ** ResourceAwsIamAccessKeyCreatedAt ** The creation date/time of the IAM access key related to a finding. Type: Array of [DateFilter](API_DateFilter.md) objects Required: No ** ResourceAwsIamAccessKeyPrincipalName ** The name of the principal that is associated with an IAM access key. Type: Array of [StringFilter](API_StringFilter.md) objects Required: No ** ResourceAwsIamAccessKeyStatus ** The status of the IAM access key related to a finding. Type: Array of [StringFilter](API_StringFilter.md) objects Required: No ** ResourceAwsIamAccessKeyUserName ** *This member has been deprecated.* The user associated with the IAM access key related to a finding. Type: Array of [StringFilter](API_StringFilter.md) objects Required: No ** ResourceAwsIamUserUserName ** The name of an IAM user. Type: Array of [StringFilter](API_StringFilter.md) objects Required: No ** ResourceAwsS3BucketOwnerId ** The canonical user ID of the owner of the S3 bucket. Type: Array of [StringFilter](API_StringFilter.md) objects Required: No ** ResourceAwsS3BucketOwnerName ** The display name of the owner of the S3 bucket. Type: Array of [StringFilter](API_StringFilter.md) objects Required: No ** ResourceContainerImageId ** The identifier of the image related to a finding. Type: Array of [StringFilter](API_StringFilter.md) objects Required: No ** ResourceContainerImageName ** The name of the image related to a finding. Type: Array of [StringFilter](API_StringFilter.md) objects Required: No ** ResourceContainerLaunchedAt ** A timestamp that identifies when the container was started. For more information about the validation and formatting of timestamp fields in AWS Security Hub CSPM, see [Timestamps](https://docs.aws.amazon.com/securityhub/1.0/APIReference/Welcome.html#timestamps). Type: Array of [DateFilter](API_DateFilter.md) objects Required: No ** ResourceContainerName ** The name of the container related to a finding. Type: Array of [StringFilter](API_StringFilter.md) objects Required: No ** ResourceDetailsOther ** The details of a resource that doesn't have a specific subfield for the resource type defined. Type: Array of [MapFilter](API_MapFilter.md) objects Required: No ** ResourceId ** The canonical identifier for the given resource type. Type: Array of [StringFilter](API_StringFilter.md) objects Required: No ** ResourcePartition ** The canonical AWS partition name that the Region is assigned to. Type: Array of [StringFilter](API_StringFilter.md) objects Required: No ** ResourceRegion ** The canonical AWS external Region name where this resource is located. Type: Array of [StringFilter](API_StringFilter.md) objects Required: No ** ResourceTags ** A list of AWS tags associated with a resource at the time the finding was processed. Type: Array of [MapFilter](API_MapFilter.md) objects Required: No ** ResourceType ** Specifies the type of the resource that details are provided for. Type: Array of [StringFilter](API_StringFilter.md) objects Required: No ** Sample ** Indicates whether or not sample findings are included in the filter results. Type: Array of [BooleanFilter](API_BooleanFilter.md) objects Required: No ** SeverityLabel ** The label of a finding's severity. Type: Array of [StringFilter](API_StringFilter.md) objects Required: No ** SeverityNormalized ** *This member has been deprecated.* The normalized severity of a finding. Type: Array of [NumberFilter](API_NumberFilter.md) objects Required: No ** SeverityProduct ** *This member has been deprecated.* The native severity as defined by the security findings provider's solution that generated the finding. Type: Array of [NumberFilter](API_NumberFilter.md) objects Required: No ** SourceUrl ** A URL that links to a page about the current finding in the security findings provider's solution. Type: Array of [StringFilter](API_StringFilter.md) objects Required: No ** ThreatIntelIndicatorCategory ** The category of a threat intelligence indicator. Type: Array of [StringFilter](API_StringFilter.md) objects Required: No ** ThreatIntelIndicatorLastObservedAt ** A timestamp that identifies the last observation of a threat intelligence indicator. For more information about the validation and formatting of timestamp fields in AWS Security Hub CSPM, see [Timestamps](https://docs.aws.amazon.com/securityhub/1.0/APIReference/Welcome.html#timestamps). Type: Array of [DateFilter](API_DateFilter.md) objects Required: No ** ThreatIntelIndicatorSource ** The source of the threat intelligence. Type: Array of [StringFilter](API_StringFilter.md) objects Required: No ** ThreatIntelIndicatorSourceUrl ** The URL for more details from the source of the threat intelligence. Type: Array of [StringFilter](API_StringFilter.md) objects Required: No ** ThreatIntelIndicatorType ** The type of a threat intelligence indicator. Type: Array of [StringFilter](API_StringFilter.md) objects Required: No ** ThreatIntelIndicatorValue ** The value of a threat intelligence indicator. Type: Array of [StringFilter](API_StringFilter.md) objects Required: No ** Title ** A finding's title. Type: Array of [StringFilter](API_StringFilter.md) objects Required: No ** Type ** A finding type in the format of `namespace/category/classifier` that classifies a finding. Type: Array of [StringFilter](API_StringFilter.md) objects Required: No ** UpdatedAt ** A timestamp that indicates when the security findings provider last updated the finding record. For more information about the validation and formatting of timestamp fields in AWS Security Hub CSPM, see [Timestamps](https://docs.aws.amazon.com/securityhub/1.0/APIReference/Welcome.html#timestamps). Type: Array of [DateFilter](API_DateFilter.md) objects Required: No ** UserDefinedFields ** A list of name/value string pairs associated with the finding. These are custom, user-defined fields added to a finding. Type: Array of [MapFilter](API_MapFilter.md) objects Required: No ** VerificationState ** The veracity of a finding. Type: Array of [StringFilter](API_StringFilter.md) objects Required: No ** VulnerabilitiesExploitAvailable ** Indicates whether a software vulnerability in your environment has a known exploit. You can filter findings by this field only if you use Security Hub CSPM and Amazon Inspector. Type: Array of [StringFilter](API_StringFilter.md) objects Required: No ** VulnerabilitiesFixAvailable ** Indicates whether a vulnerability is fixed in a newer version of the affected software packages. You can filter findings by this field only if you use Security Hub CSPM and Amazon Inspector. Type: Array of [StringFilter](API_StringFilter.md) objects Required: No ** WorkflowState ** The workflow state of a finding. Note that this field is deprecated. To search for a finding based on its workflow status, use `WorkflowStatus`. Type: Array of [StringFilter](API_StringFilter.md) objects Required: No ** WorkflowStatus ** The status of the investigation into a finding. Allowed values are the following. + `NEW` - The initial state of a finding, before it is reviewed. Security Hub CSPM also resets the workflow status from `NOTIFIED` or `RESOLVED` to `NEW` in the following cases: + `RecordState` changes from `ARCHIVED` to `ACTIVE`. + `Compliance.Status` changes from `PASSED` to either `WARNING`, `FAILED`, or `NOT_AVAILABLE`. + `NOTIFIED` - Indicates that the resource owner has been notified about the security issue. Used when the initial reviewer is not the resource owner, and needs intervention from the resource owner. If one of the following occurs, the workflow status is changed automatically from `NOTIFIED` to `NEW`: + `RecordState` changes from `ARCHIVED` to `ACTIVE`. + `Compliance.Status` changes from `PASSED` to `FAILED`, `WARNING`, or `NOT_AVAILABLE`. + `SUPPRESSED` - Indicates that you reviewed the finding and don't believe that any action is needed. The workflow status of a `SUPPRESSED` finding does not change if `RecordState` changes from `ARCHIVED` to `ACTIVE`. + `RESOLVED` - The finding was reviewed and remediated and is now considered resolved. The finding remains `RESOLVED` unless one of the following occurs: + `RecordState` changes from `ARCHIVED` to `ACTIVE`. + `Compliance.Status` changes from `PASSED` to `FAILED`, `WARNING`, or `NOT_AVAILABLE`. In those cases, the workflow status is automatically reset to `NEW`. For findings from controls, if `Compliance.Status` is `PASSED`, then Security Hub CSPM automatically sets the workflow status to `RESOLVED`. Type: Array of [StringFilter](API_StringFilter.md) objects Required: No ## See Also For more information about using this API in one of the language-specific AWS SDKs, see the following: + [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/securityhub-2018-10-26/AwsSecurityFindingFilters) + [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/securityhub-2018-10-26/AwsSecurityFindingFilters) + [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/securityhub-2018-10-26/AwsSecurityFindingFilters)