

# Understanding automation rules in Security Hub CSPM
<a name="automation-rules"></a>

You can use automation rules to automatically update findings in AWS Security Hub CSPM. As it ingests findings, Security Hub CSPM can apply a variety of rule actions, such as suppressing findings, changing their severity, and adding notes. Such rule actions modify findings that match your specified criteria.

Examples of use cases for automation rules include the following:
+ Elevating a finding’s severity to `CRITICAL` if the finding's resource ID refers to a business-critical resource.
+ Elevating a finding’s severity from `HIGH` to `CRITICAL` if the finding affects resources in specific production accounts.
+ Assigning specific findings that have a severity of `INFORMATIONAL` a `SUPPRESSED` workflow status.

You can create and manage automation rules from a Security Hub CSPM administrator account only.

Rules apply to both new findings and updated findings. You can create a custom rule from scratch, or use a rule template provided by Security Hub CSPM. You can also start with a template and modify it as needed.

## Defining rule criteria and rule actions
<a name="automation-rules-how-it-works"></a>

From a Security Hub CSPM administrator account, you can create an automation rule by defining one or more rule *criteria* and one or more rule *actions*. When a finding matches the defined criteria, Security Hub CSPM applies the rule actions to it. For more information about available criteria and actions, see [Available rule criteria and rule actions](#automation-rules-criteria-actions).

Security Hub CSPM currently supports a maximum of 100 automation rules for each administrator account.

The Security Hub CSPM administrator account can also edit, view, and delete automation rules. A rule applies to matching findings in the administrator account and all of its member accounts. By providing member account IDs as rule criteria, Security Hub CSPM administrators can also use automation rules to update or suppress findings in specific member accounts.

An automation rule applies only in the AWS Region in which it's created. To apply a rule in multiple Regions, the administrator must create the rule in each Region. This can be done through the Security Hub CSPM console, Security Hub CSPM API, or [AWS CloudFormation](creating-resources-with-cloudformation.md). You can also use a [multi-Region deployment script](https://github.com/awslabs/aws-securityhub-multiaccount-scripts/blob/master/automation_rules).

## Available rule criteria and rule actions
<a name="automation-rules-criteria-actions"></a>

The following AWS Security Finding Format (ASFF) fields are currently supported as criteria for automation rules:


| Rule criterion | Filter operators | Field type | 
| --- | --- | --- | 
| AwsAccountId  | CONTAINS, EQUALS, PREFIX, NOT_CONTAINS, NOT_EQUALS, PREFIX_NOT_EQUALS  | String  | 
| AwsAccountName  | CONTAINS, EQUALS, PREFIX, NOT_CONTAINS, NOT_EQUALS, PREFIX_NOT_EQUALS  | String  | 
| CompanyName  | CONTAINS, EQUALS, PREFIX, NOT_CONTAINS, NOT_EQUALS, PREFIX_NOT_EQUALS  | String  | 
| ComplianceAssociatedStandardsId  | CONTAINS, EQUALS, PREFIX, NOT_CONTAINS, NOT_EQUALS, PREFIX_NOT_EQUALS  | String  | 
| ComplianceSecurityControlId  | CONTAINS, EQUALS, PREFIX, NOT_CONTAINS, NOT_EQUALS, PREFIX_NOT_EQUALS  | String  | 
| ComplianceStatus  | Is, Is Not  | Select: [FAILED, NOT_AVAILABLE, PASSED, WARNING]  | 
| Confidence  | Eq (equal-to), Gte (greater-than-equal), Lte (less-than-equal)  | Number  | 
| CreatedAt  | Start, End, DateRange  | Date (formatted as 2022-12-01T21:47:39.269Z)  | 
| Criticality  | Eq (equal-to), Gte (greater-than-equal), Lte (less-than-equal)  | Number  | 
| Description  | CONTAINS, EQUALS, PREFIX, NOT_CONTAINS, NOT_EQUALS, PREFIX_NOT_EQUALS  | String  | 
| FirstObservedAt  | Start, End, DateRange  | Date (formatted as 2022-12-01T21:47:39.269Z)  | 
| GeneratorId  | CONTAINS, EQUALS, PREFIX, NOT_CONTAINS, NOT_EQUALS, PREFIX_NOT_EQUALS  | String  | 
| Id  | CONTAINS, EQUALS, PREFIX, NOT_CONTAINS, NOT_EQUALS, PREFIX_NOT_EQUALS  | String  | 
| LastObservedAt  | Start, End, DateRange  | Date (formatted as 2022-12-01T21:47:39.269Z)  | 
| NoteText  | CONTAINS, EQUALS, PREFIX, NOT_CONTAINS, NOT_EQUALS, PREFIX_NOT_EQUALS  | String  | 
| NoteUpdatedAt  | Start, End, DateRange  | Date (formatted as 2022-12-01T21:47:39.269Z)  | 
| NoteUpdatedBy  | CONTAINS, EQUALS, PREFIX, NOT_CONTAINS, NOT_EQUALS, PREFIX_NOT_EQUALS  | String  | 
| ProductArn  | CONTAINS, EQUALS, PREFIX, NOT_CONTAINS, NOT_EQUALS, PREFIX_NOT_EQUALS  | String  | 
| ProductName  | CONTAINS, EQUALS, PREFIX, NOT_CONTAINS, NOT_EQUALS, PREFIX_NOT_EQUALS  | String  | 
| RecordState  | CONTAINS, EQUALS, PREFIX, NOT_CONTAINS, NOT_EQUALS, PREFIX_NOT_EQUALS  | String  | 
| RelatedFindingsId  | CONTAINS, EQUALS, PREFIX, NOT_CONTAINS, NOT_EQUALS, PREFIX_NOT_EQUALS  | String  | 
| RelatedFindingsProductArn  | CONTAINS, EQUALS, PREFIX, NOT_CONTAINS, NOT_EQUALS, PREFIX_NOT_EQUALS  | String  | 
| ResourceApplicationArn  | CONTAINS, EQUALS, PREFIX, NOT_CONTAINS, NOT_EQUALS, PREFIX_NOT_EQUALS  | String  | 
| ResourceApplicationName  | CONTAINS, EQUALS, PREFIX, NOT_CONTAINS, NOT_EQUALS, PREFIX_NOT_EQUALS  | String  | 
| ResourceDetailsOther  | CONTAINS, EQUALS, NOT_CONTAINS, NOT_EQUALS  | Map  | 
| ResourceId  | CONTAINS, EQUALS, PREFIX, NOT_CONTAINS, NOT_EQUALS, PREFIX_NOT_EQUALS  | String  | 
| ResourcePartition  | CONTAINS, EQUALS, PREFIX, NOT_CONTAINS, NOT_EQUALS, PREFIX_NOT_EQUALS  | String  | 
| ResourceRegion  | CONTAINS, EQUALS, PREFIX, NOT_CONTAINS, NOT_EQUALS, PREFIX_NOT_EQUALS  | String  | 
| ResourceTags  | CONTAINS, EQUALS, NOT_CONTAINS, NOT_EQUALS  | Map  | 
| ResourceType  | Is, Is Not  | Select (see [Resources](https://docs.aws.amazon.com/securityhub/latest/userguide/asff-resources.html) supported by ASFF)  | 
| SeverityLabel  | Is, Is Not  | Select: [CRITICAL, HIGH, MEDIUM, LOW, INFORMATIONAL]  | 
| SourceUrl  | CONTAINS, EQUALS, PREFIX, NOT_CONTAINS, NOT_EQUALS, PREFIX_NOT_EQUALS  | String  | 
| Title  | CONTAINS, EQUALS, PREFIX, NOT_CONTAINS, NOT_EQUALS, PREFIX_NOT_EQUALS  | String  | 
| Type  | CONTAINS, EQUALS, PREFIX, NOT_CONTAINS, NOT_EQUALS, PREFIX_NOT_EQUALS  | String  | 
| UpdatedAt  | Start, End, DateRange  | Date (formatted as 2022-12-01T21:47:39.269Z)  | 
| UserDefinedFields  | CONTAINS, EQUALS, NOT_CONTAINS, NOT_EQUALS  | Map  | 
| VerificationState  | CONTAINS, EQUALS, PREFIX, NOT_CONTAINS, NOT_EQUALS, PREFIX_NOT_EQUALS  | String  | 
| WorkflowStatus  | Is, Is Not  | Select: [NEW, NOTIFIED, RESOLVED, SUPPRESSED]  | 

For criteria that are labeled as string fields, using different filter operators on the same field affects the evaluation logic. For more information, see [https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_StringFilter.html](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_StringFilter.html) in the *AWS Security Hub CSPM API Reference*.

Each criterion supports a maximum number of values that can be used to filter matching findings. For the limits on each criterion, see [https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_AutomationRulesFindingFilters.html](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_AutomationRulesFindingFilters.html) in the *AWS Security Hub CSPM API Reference*.

The following ASFF fields are currently supported as actions for automation rules:
+ `Confidence`
+ `Criticality`
+ `Note`
+ `RelatedFindings`
+ `Severity`
+ `Types`
+ `UserDefinedFields`
+ `VerificationState`
+ `Workflow`

For more information about specific ASFF fields, see [AWS Security Finding Format (ASFF) syntax](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html).

**Tip**  
 If you want Security Hub CSPM to stop generating findings for a specific control, we recommend disabling the control instead of using an automation rule. When you disable a control, Security Hub CSPM stops running security checks on it and stops generating findings for it, so you won't incur charges for that control. We recommend using automation rules to change the values of specific ASFF fields for findings that match defined criteria. For more information about disabling controls, see [Disabling controls in Security Hub CSPM](disable-controls-overview.md).

## Findings that automation rules evaluate
<a name="automation-rules-findings"></a>

An automation rule evaluates new and updated findings that Security Hub CSPM generates or ingests through the [https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchImportFindings.html](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchImportFindings.html) operation *after* you create the rule. Security Hub CSPM updates control findings every 12-24 hours or when the associated resource changes state. For more information, see [Schedule for running security checks](securityhub-standards-schedule.md).

Automation rules evaluate original, provider-supplied findings. Providers can supply new findings and update existing findings by using the `BatchImportFindings` operation of the Security Hub CSPM API. If the following fields don't exist in the original finding, Security Hub CSPM automatically populates the fields and then uses the populated values in the evaluation by the automation rule:
+ `AwsAccountName`
+ `CompanyName`
+ `ProductName`
+ `Resource.Tags`
+ `Workflow.Status`

After you create one or more automation rules, the rules aren't triggered if you update finding fields by using the [https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchUpdateFindings.html](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchUpdateFindings.html) operation. If you create an automation rule and make a `BatchUpdateFindings` update that both affect the same finding field, the last update sets the value for that field. Take the following example:

1. You use the `BatchUpdateFindings` operation to change the value for the `Workflow.Status` field of a finding from `NEW` to `NOTIFIED`.

1. If you call `GetFindings`, the `Workflow.Status` field now has a value of `NOTIFIED`.

1. You create an automation rule that changes the `Workflow.Status` field of the finding from `NEW` to `SUPPRESSED`. (Recall that rules ignore updates made using the `BatchUpdateFindings` operation.)

1. The finding provider uses the `BatchImportFindings` operation to update the finding and changes the value for the `Workflow.Status` field of the finding to `NEW`.

1. If you call `GetFindings`, the `Workflow.Status` field now has a value of `SUPPRESSED`. This is the case because the automation rule was applied, and the rule was the last action taken on the finding.

When you create or edit a rule on the Security Hub CSPM console, the console displays a beta of findings that match the rule criteria. Whereas automation rules evaluate original findings sent by the finding provider, the console beta reflects findings in their final state as they would be shown in a response to the [https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_GetFindings.html](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_GetFindings.html) operation (that is, after rule actions or other updates are applied to the finding).

## How rule order works
<a name="rule-order"></a>

When creating automation rules, you assign each rule an order. This determines the order in which Security Hub CSPM applies your automation rules, and becomes important when multiple rules relate to the same finding or finding field.

When multiple rule actions relate to the same finding or finding field, the rule with the highest numerical value for rule order applies last and has the ultimate effect.

When you create a rule in the Security Hub CSPM console, Security Hub CSPM automatically assigns rule order based on the order of rule creation. The most recently created rule has the lowest numerical value for rule order and therefore applies first. Security Hub CSPM applies subsequent rules in ascending order.

When you create a rule through the Security Hub CSPM API or AWS CLI, Security Hub CSPM applies the rule with the lowest numerical value for `RuleOrder` first. It then applies subsequent rules in ascending order. If multiple rules have the same `RuleOrder`, Security Hub CSPM applies a rule with an earlier value for the `UpdatedAt` field first (that is, the rule which was most recently edited applies last).

You can modify rule order at any time.

**Example of rule order**:

**Rule A (rule order is `1`)**:
+ Rule A criteria
  + `ProductName` = `Security Hub CSPM`
  + `Resources.Type` is `S3 Bucket`
  + `Compliance.Status` = `FAILED`
  + `RecordState` is `ACTIVE`
  + `Workflow.Status` = `NEW`
+ Rule A actions
  + Update `Confidence` to `95`
  + Update `Severity` to `CRITICAL`

**Rule B (rule order is `2`)**:
+ Rule B criteria
  + `AwsAccountId` = `123456789012`
+ Rule B actions
  + Update `Severity` to `INFORMATIONAL`

Rule A actions apply first to Security Hub CSPM findings that match Rule A criteria. Next, Rule B actions apply to Security Hub CSPM findings with the specified account ID. In this example, since Rule B applies last, the end value of `Severity` in findings from the specified account ID is `INFORMATIONAL`. Based on the Rule A action, the end value of `Confidence` in matched findings is `95`.
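To make the ordering semantics concrete, the following is an added Python model written for this page (it is not AWS code and not the Security Hub CSPM implementation). It applies enabled rules in ascending `RuleOrder` with the `UpdatedAt` tie-break and the `IsTerminal` stop, evaluates string criteria with the OR-positive/AND-negative logic of the `StringFilter` reference linked above, and walks both the Rule A / Rule B example and the five-step `BatchUpdateFindings` versus `BatchImportFindings` sequence from the previous section. Assumptions: findings are flat dicts keyed by the criterion names in the table (`SeverityLabel`, `WorkflowStatus`, ...), a missing field never matches, and `AwsS3Bucket` stands in for the example's `S3 Bucket` resource type.

```python
# StringFilter comparisons from the criteria table above.
STRING_OPS = {
    "EQUALS": lambda actual, v: actual == v,
    "PREFIX": lambda actual, v: actual.startswith(v),
    "CONTAINS": lambda actual, v: v in actual,
    "NOT_EQUALS": lambda actual, v: actual != v,
    "PREFIX_NOT_EQUALS": lambda actual, v: not actual.startswith(v),
    "NOT_CONTAINS": lambda actual, v: v not in actual,
}
NEGATIVE_OPS = {"NOT_EQUALS", "PREFIX_NOT_EQUALS", "NOT_CONTAINS"}


def criterion_matches(actual, filters):
    """One criterion key: positive filters are OR'ed, negative filters are AND'ed.
    Simplification (assumption): a finding that lacks the field never matches."""
    if actual is None:
        return False
    negative = [f for f in filters if f["Comparison"] in NEGATIVE_OPS]
    positive = [f for f in filters if f["Comparison"] not in NEGATIVE_OPS]
    if not all(STRING_OPS[f["Comparison"]](actual, f["Value"]) for f in negative):
        return False
    return not positive or any(STRING_OPS[f["Comparison"]](actual, f["Value"]) for f in positive)


def finding_matches(finding, criteria):
    """Every criterion key in the rule must match for the rule to fire."""
    return all(criterion_matches(finding.get(key), flts) for key, flts in criteria.items())


def apply_actions(finding, actions):
    """Apply FINDING_FIELDS_UPDATE actions onto the flat finding dict (in place)."""
    for action in actions:
        if action["Type"] != "FINDING_FIELDS_UPDATE":
            continue
        upd = action["FindingFieldsUpdate"]
        if "Severity" in upd:
            finding["SeverityLabel"] = upd["Severity"]["Label"]
        if "Confidence" in upd:
            finding["Confidence"] = upd["Confidence"]
        if "Workflow" in upd:
            finding["WorkflowStatus"] = upd["Workflow"]["Status"]
        if "Note" in upd:
            finding["NoteText"] = upd["Note"]["Text"]
            finding["NoteUpdatedBy"] = upd["Note"]["UpdatedBy"]
    return finding


def apply_rules(finding, rules):
    """Enabled rules run in ascending RuleOrder; equal RuleOrder is broken by the
    earlier UpdatedAt running first; a matching IsTerminal rule stops evaluation."""
    enabled = [r for r in rules if r.get("RuleStatus", "ENABLED") == "ENABLED"]
    for rule in sorted(enabled, key=lambda r: (r["RuleOrder"], r["UpdatedAt"])):
        if finding_matches(finding, rule["Criteria"]):
            apply_actions(finding, rule["Actions"])
            if rule.get("IsTerminal"):
                break
    return finding


def batch_import_findings(finding, rules):
    """Provider path: an original finding arriving via BatchImportFindings is evaluated."""
    return apply_rules(dict(finding), rules)


def batch_update_findings(finding, **fields):
    """Operator path: BatchUpdateFindings edits fields and does NOT trigger rules."""
    return {**finding, **fields}


def eq(value):
    return [{"Value": value, "Comparison": "EQUALS"}]


def rule_order_example(rule_a_terminal=False):
    """Rule A (order 1) and Rule B (order 2) applied to a constructed finding that matches both."""
    rule_a = {"RuleOrder": 1, "UpdatedAt": "2024-01-01T00:00:00Z", "IsTerminal": rule_a_terminal,
              "Criteria": {"ProductName": eq("Security Hub CSPM"), "ResourceType": eq("AwsS3Bucket"),
                           "ComplianceStatus": eq("FAILED"), "RecordState": eq("ACTIVE"),
                           "WorkflowStatus": eq("NEW")},
              "Actions": [{"Type": "FINDING_FIELDS_UPDATE",
                           "FindingFieldsUpdate": {"Confidence": 95, "Severity": {"Label": "CRITICAL"}}}]}
    rule_b = {"RuleOrder": 2, "UpdatedAt": "2024-01-01T00:00:00Z", "IsTerminal": False,
              "Criteria": {"AwsAccountId": eq("123456789012")},
              "Actions": [{"Type": "FINDING_FIELDS_UPDATE",
                           "FindingFieldsUpdate": {"Severity": {"Label": "INFORMATIONAL"}}}]}
    finding = {"AwsAccountId": "123456789012", "ProductName": "Security Hub CSPM",  # constructed
               "ResourceType": "AwsS3Bucket", "ComplianceStatus": "FAILED", "RecordState": "ACTIVE",
               "WorkflowStatus": "NEW", "SeverityLabel": "HIGH", "Confidence": 50}
    return batch_import_findings(finding, [rule_b, rule_a])  # list order is irrelevant, RuleOrder decides


def batch_update_example():
    """The five-step sequence: the operator's BatchUpdateFindings does not trigger the rule,
    the provider's later BatchImportFindings update does."""
    finding = batch_update_findings({"WorkflowStatus": "NEW"}, WorkflowStatus="NOTIFIED")  # step 1
    after_update = finding["WorkflowStatus"]                                               # step 2
    suppress = {"RuleOrder": 1, "UpdatedAt": "2024-01-01T00:00:00Z",                      # step 3
                "Criteria": {"WorkflowStatus": eq("NEW")},
                "Actions": [{"Type": "FINDING_FIELDS_UPDATE",
                             "FindingFieldsUpdate": {"Workflow": {"Status": "SUPPRESSED"}}}]}
    provider_update = {**finding, "WorkflowStatus": "NEW"}                                 # step 4
    return after_update, batch_import_findings(provider_update, [suppress])["WorkflowStatus"]  # step 5
```

Setting `rule_a_terminal=True` shows the effect of the console's **Ignore subsequent rules** option: Rule B never runs and `Severity` stays `CRITICAL`.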

# Creating automation rules
<a name="create-automation-rules"></a>

An automation rule can be used to automatically update findings in AWS Security Hub CSPM. You can create a custom automation rule from scratch or, on the Security Hub CSPM console, use a pre-populated rule template. For background information about how automation rules work, see [Understanding automation rules in Security Hub CSPM](automation-rules.md).

You can only create one automation rule at a time. To create multiple automation rules, follow the console procedures multiple times, or call the API or command multiple times with your desired parameters.

You must create an automation rule in each Region and account in which you want the rule to apply to findings.

When you create an automation rule in the Security Hub CSPM console, Security Hub CSPM shows you a beta of the findings to which your rule applies. The beta is currently not supported if your rule criteria include a CONTAINS or NOT_CONTAINS filter. You can choose these filters for map and string field types.

**Important**  
AWS recommends that you don't include personally identifying, confidential, or sensitive information in your rule name, description, or other fields.

## Creating a custom automation rule
<a name="create-automation-rules-custom"></a>

Choose your preferred method, and complete the following steps to create a custom automation rule.

------
#### [ Console ]

**To create a custom automation rule (console)**

1. Using the credentials of the Security Hub CSPM administrator, open the AWS Security Hub CSPM console at [https://console.aws.amazon.com/securityhub/](https://console.aws.amazon.com/securityhub/).

1. In the navigation pane, choose **Automations**.

1. Choose **Create rule**. For **Rule Type**, choose **Create custom rule**.

1. In the **Rule** section, provide a unique rule name and a description for your rule.

1. For **Criteria**, use the **Key**, **Operator**, and **Value** drop down menus to specify your rule criteria. You must specify at least one rule criterion.

   If supported for your selected criteria, the console shows you a beta of findings that match your criteria.

1. For **Automated action**, use the drop down menus to specify which finding fields to update when findings match your rule criteria. You must specify at least one rule action.

1. For **Rule status**, choose whether you want the rule to be **Enabled** or **Disabled** after it's created.

1. (Optional) Expand the **Additional settings** section. Select **Ignore subsequent rules for findings that match these criteria** if you want this rule to be the last rule applied to findings that match the rule criteria.

1. (Optional) For **Tags**, add tags as key-value pairs to help you easily identify the rule.

1. Choose **Create rule**.

------
#### [ API ]

**To create a custom automation rule (API)**

1. Run [https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_CreateAutomationRule.html](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_CreateAutomationRule.html) from the Security Hub CSPM administrator account. This API creates a rule with a specific Amazon Resource Name (ARN).

1. Provide a name and description for the rule.

1. Set the `IsTerminal` parameter to `true` if you want this rule to be the last rule applied to findings that match the rule criteria.

1. For the `RuleOrder` parameter, provide the order of the rule. Security Hub CSPM applies rules with a lower numerical value for this parameter first.

1. For the `RuleStatus` parameter, specify if you want Security Hub CSPM to enable and start applying the rule to findings after creation. If no value is specified, the default value is `ENABLED`. A value of `DISABLED` means that the rule is paused after creation.

1. For the `Criteria` parameter, provide the criteria that you want Security Hub CSPM to use to filter your findings. The rule action will apply to findings that match the criteria. For a list of supported criteria, see [Available rule criteria and rule actions](automation-rules.md#automation-rules-criteria-actions).

1. For the `Actions` parameter, provide the actions that you want Security Hub CSPM to take when there's a match between a finding and your defined criteria. For a list of supported actions, see [Available rule criteria and rule actions](automation-rules.md#automation-rules-criteria-actions).

The following example AWS CLI command creates an automation rule that updates the severity and note of matching findings. This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\) line-continuation character to improve readability.

```
$ aws securityhub create-automation-rule \
--actions '[{
  "Type": "FINDING_FIELDS_UPDATE",
  "FindingFieldsUpdate": {
    "Severity": {
      "Label": "HIGH"
    },
    "Note": {
      "Text": "Known issue that is a risk. Updated by automation rules",
      "UpdatedBy": "sechub-automation"
    }
  }
}]' \
--criteria '{
  "SeverityLabel": [{
    "Value": "INFORMATIONAL",
    "Comparison": "EQUALS"
  }]
}' \
--description "A sample rule" \
--no-is-terminal \
--rule-name "sample rule" \
--rule-order 1 \
--rule-status "ENABLED" \
--region us-east-1
```

------

## Creating an automation rule from a template (console only)
<a name="create-automation-rules-template"></a>

Rule templates reflect common use cases for automation rules. Currently, only the Security Hub CSPM console supports rule templates. Complete the following steps to create an automation rule from a template in the console.

**To create an automation rule from a template (console)**

1. Using the credentials of the Security Hub CSPM administrator, open the AWS Security Hub CSPM console at [https://console.aws.amazon.com/securityhub/](https://console.aws.amazon.com/securityhub/).

1. In the navigation pane, choose **Automations**.

1. Choose **Create rule**. For **Rule Type**, choose **Create a rule from template**.

1. Select a rule template from the drop down menu.

1. (Optional) If necessary for your use case, modify the **Rule**, **Criteria**, and **Automated action** sections. You must specify at least one rule criterion and one rule action.

   If supported for your selected criteria, the console shows you a beta of findings that match your criteria.

1. For **Rule status**, choose whether you want the rule to be **Enabled** or **Disabled** after it's created.

1. (Optional) Expand the **Additional settings** section. Select **Ignore subsequent rules for findings that match these criteria** if you want this rule to be the last rule applied to findings that match the rule criteria.

1. (Optional) For **Tags**, add tags as key-value pairs to help you easily identify the rule.

1. Choose **Create rule**.

# Viewing automation rules
<a name="view-automation-rules"></a>

An automation rule can be used to automatically update findings in AWS Security Hub CSPM. For background information about how automation rules work, see [Understanding automation rules in Security Hub CSPM](automation-rules.md).

Choose your preferred method, and follow the steps to view your existing automation rules and the details of each rule.

To view a history of how automation rules have changed your findings, see [Reviewing finding details and history in Security Hub CSPM](securityhub-findings-viewing.md).

------
#### [ Console ]

**To view automation rules (console)**

1. Using the credentials of the Security Hub CSPM administrator, open the AWS Security Hub CSPM console at [https://console.aws.amazon.com/securityhub/](https://console.aws.amazon.com/securityhub/).

1. In the navigation pane, choose **Automations**.

1. Choose a rule name. Alternatively, select a rule.

1. Choose **Actions** and **View**.

------
#### [ API ]

**To view automation rules (API)**

1. To view the automation rules for your account, run [https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_ListAutomationRules.html](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_ListAutomationRules.html) from the Security Hub CSPM administrator account. This API returns the rule ARNs and other metadata for your rules. No input parameters are required for this API, but you can optionally provide `MaxResults` to limit the number of results and `NextToken` as a pagination parameter. The initial value of `NextToken` should be `NULL`.

1. For additional rule details, including the criteria and actions for a rule, run [https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchGetAutomationRules.html](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchGetAutomationRules.html) from the Security Hub CSPM administrator account. Provide the ARNs of the automation rules that you want details for.

   The following example retrieves details for the specified automation rules. This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\) line-continuation character to improve readability.

   ```
   $ aws securityhub batch-get-automation-rules \
   --automation-rules-arns '["arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222"]' \
   --region us-east-1
   ```

------

# Editing automation rules
<a name="edit-automation-rules"></a>

An automation rule can be used to automatically update findings in AWS Security Hub CSPM. For background information about how automation rules work, see [Understanding automation rules in Security Hub CSPM](automation-rules.md).

After creating an automation rule, the delegated Security Hub CSPM administrator can edit the rule. When you edit an automation rule, the changes apply to new and updated findings that Security Hub CSPM generates or ingests after the rule edit.

Choose your preferred method, and follow the steps to edit the contents of an automation rule. You can edit one or more rules with a single request. For instructions on editing rule order, see [Editing automation rule order](edit-rule-order.md).

------
#### [ Console ]

**To edit automation rules (console)**

1. Using the credentials of the Security Hub CSPM administrator, open the AWS Security Hub CSPM console at [https://console.aws.amazon.com/securityhub/](https://console.aws.amazon.com/securityhub/).

1. In the navigation pane, choose **Automations**.

1. Select the rule that you want to edit. Choose **Action** and **Edit**.

1. Change the rule as desired, and choose **Save changes**.

------
#### [ API ]

**To edit automation rules (API)**

1. Run [https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchUpdateAutomationRules.html](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchUpdateAutomationRules.html) from the Security Hub CSPM administrator account.

1. For the `RuleArn` parameter, provide the ARN of the rule(s) that you want to edit.

1. Provide the new values for the parameters that you want to edit. You can edit any parameter except `RuleArn`.

The following example updates the specified automation rule. This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\) line-continuation character to improve readability.

```
$ aws securityhub batch-update-automation-rules \
--update-automation-rules-request-items '[
    {
      "Actions": [{
        "Type": "FINDING_FIELDS_UPDATE",
        "FindingFieldsUpdate": {
          "Note": {
            "Text": "Known issue that is a risk",
            "UpdatedBy": "sechub-automation"
          },
          "Workflow": {
            "Status": "NEW"
          }
        }
      }],
      "Criteria": {
        "SeverityLabel": [{
          "Value": "LOW",
          "Comparison": "EQUALS"
        }]
      },
      "RuleArn": "arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
      "RuleOrder": 14,
      "RuleStatus": "DISABLED"
    }
  ]' \
--region us-east-1
```

------

# Editing automation rule order
<a name="edit-rule-order"></a>

An automation rule can be used to automatically update findings in AWS Security Hub CSPM. For background information about how automation rules work, see [Understanding automation rules in Security Hub CSPM](automation-rules.md).

After creating an automation rule, the delegated Security Hub CSPM administrator can edit the rule.

If you want to keep the rule criteria and actions the same, but change the order in which Security Hub CSPM applies an automation rule, you can edit just the rule order. Choose your preferred method, and follow the steps to edit rule order.

For instructions on editing the criteria or actions of an automation rule, see [Editing automation rules](edit-automation-rules.md).

------
#### [ Console ]

**To edit automation rule order (console)**

1. Using the credentials of the Security Hub CSPM administrator, open the AWS Security Hub CSPM console at [https://console.aws.amazon.com/securityhub/](https://console.aws.amazon.com/securityhub/).

1. In the navigation pane, choose **Automations**.

1. Select the rule whose order you want to change. Choose **Edit priority**.

1. Choose **Move up** to increase the rule's priority by one unit. Choose **Move down** to decrease the rule's priority by one unit. Choose **Move to top** to assign the rule an order of **1** (this gives the rule precedence over other existing rules).

**Note**  
When you create a rule in the Security Hub CSPM console, Security Hub CSPM automatically assigns rule order based on the order of rule creation. The most recently created rule has the lowest numerical value for rule order and therefore applies first.

------
#### [ API ]

**To edit automation rule order (API)**

1. Use the [https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchUpdateAutomationRules.html](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchUpdateAutomationRules.html) operation from the Security Hub CSPM administrator account.

1. For the `RuleArn` parameter, provide the ARN of the rule(s) whose order you want to edit.

1. Modify the value of the `RuleOrder` field.

**Note**  
If multiple rules have the same `RuleOrder`, Security Hub CSPM applies a rule with an earlier value for the `UpdatedAt` field first (that is, the rule which was most recently edited applies last).

------

# Deleting or disabling automation rules
<a name="delete-automation-rules"></a>

An automation rule can be used to automatically update findings in AWS Security Hub CSPM. For background information about how automation rules work, see [Understanding automation rules in Security Hub CSPM](automation-rules.md).

When you delete an automation rule, Security Hub CSPM removes it from your account and no longer applies the rule to findings. As an alternative to deletion, you can *disable* a rule. This retains the rule for future use, but Security Hub CSPM won't apply the rule to any matching findings until you enable it.

Choose your preferred method, and follow the steps to delete an automation rule. You can delete one or more rules in a single request.

------
#### [ Console ]

**To delete or disable automation rules (console)**

1. Using the credentials of the Security Hub CSPM administrator, open the AWS Security Hub CSPM console at [https://console.aws.amazon.com/securityhub/](https://console.aws.amazon.com/securityhub/).

1. In the navigation pane, choose **Automations**.

1. Select the rule(s) that you want to delete. Choose **Action** and **Delete** (to retain a rule, but disable it temporarily, choose **Disable**).

1. Confirm your choice, and choose **Delete**.

------
#### [ API ]

**To delete or disable automation rules (API)**

1. Use the [https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchDeleteAutomationRules.html](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_BatchDeleteAutomationRules.html) operation from the Security Hub CSPM administrator account.

1. For the `AutomationRulesArns` parameter, provide the ARN of the rule(s) that you want to delete (to retain a rule, but disable it temporarily, provide `DISABLED` for the `RuleStatus` parameter).

The following example deletes the specified automation rule. This example is formatted for Linux, macOS, or Unix, and it uses the backslash (\) line-continuation character to improve readability.

```
$ aws securityhub batch-delete-automation-rules \
--automation-rules-arns '["arn:aws:securityhub:us-east-1:123456789012:automation-rule/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"]' \
--region us-east-1
```

------

# Examples of automation rules
<a name="examples-automation-rules"></a>

This section provides examples of automation rules for common Security Hub CSPM use cases. These examples correspond to rule templates that are available on the Security Hub CSPM console.

## Elevate severity to Critical when specific resource such as an S3 bucket is at risk
<a name="example-automation-rule-severity-resource"></a>

In this example, the rule criteria are matched when the `ResourceId` in a finding is a specific Amazon Simple Storage Service (Amazon S3) bucket. The rule action is to change the severity of matched findings to `CRITICAL`. You can modify this template to apply to other resources.

**Example API request**:

```
{
    "IsTerminal": true,
    "RuleName": "Elevate severity of findings that relate to important resources",
    "RuleOrder": 1,
    "RuleStatus": "ENABLED",
    "Description": "Elevate finding severity to CRITICAL when specific resource such as an S3 bucket is at risk",
    "Criteria": {
        "ProductName": [{
            "Value": "Security Hub CSPM",
            "Comparison": "EQUALS"
        }],
        "ComplianceStatus": [{
            "Value": "FAILED",
            "Comparison": "EQUALS"
        }],
        "RecordState": [{
            "Value": "ACTIVE",
            "Comparison": "EQUALS"
        }],
        "WorkflowStatus": [{
            "Value": "NEW",
            "Comparison": "EQUALS"
        }],
        "ResourceId": [{
            "Value": "arn:aws:s3:::amzn-s3-demo-bucket/developers/design_info.doc",
            "Comparison": "EQUALS"
        }]
    },
    "Actions": [{
        "Type": "FINDING_FIELDS_UPDATE",
        "FindingFieldsUpdate": {
            "Severity": {
                "Label": "CRITICAL"
            },
            "Note": {
                "Text": "This is a critical resource. Please review ASAP.",
                "UpdatedBy": "sechub-automation"
            }
        }
    }]
}
```

**Example CLI command:**

```
aws securityhub create-automation-rule \
--is-terminal \
--rule-name "Elevate severity of findings that relate to important resources" \
--rule-order 1 \
--rule-status "ENABLED" \
--description "Elevate finding severity to CRITICAL when specific resource such as an S3 bucket is at risk" \
--criteria '{
"ProductName": [{
"Value": "Security Hub CSPM",
"Comparison": "EQUALS"
}],
"ComplianceStatus": [{
"Value": "FAILED",
"Comparison": "EQUALS"
}],
"RecordState": [{
"Value": "ACTIVE",
"Comparison": "EQUALS"
}],
"WorkflowStatus": [{
"Value": "NEW",
"Comparison": "EQUALS"
}],
"ResourceId": [{
"Value": "arn:aws:s3:::amzn-s3-demo-bucket/developers/design_info.doc",
"Comparison": "EQUALS"
}]
}' \
--actions '[{
"Type": "FINDING_FIELDS_UPDATE",
"FindingFieldsUpdate": {
"Severity": {
"Label": "CRITICAL"
},
"Note": {
"Text": "This is a critical resource. Please review ASAP.",
"UpdatedBy": "sechub-automation"
}
}
}]' \
--region us-east-1
```

## Elevate severity of findings that relate to resources in production accounts
<a name="example-automation-rule-severity-change"></a>

In this example, the rule criteria are matched when a `HIGH` severity finding is generated in specific production accounts. The rule action is to change the severity of matched findings to `CRITICAL`.

**Example API request**:

```
{
    "IsTerminal": false,
    "RuleName": "Elevate severity for production accounts",
    "RuleOrder": 1,
    "RuleStatus": "ENABLED",
    "Description": "Elevate finding severity from HIGH to CRITICAL for findings that relate to resources in specific production accounts",
    "Criteria": {
        "ProductName": [{
            "Value": "Security Hub CSPM",
            "Comparison": "EQUALS"
        }],
        "ComplianceStatus": [{
            "Value": "FAILED",
            "Comparison": "EQUALS"
        }],
        "RecordState": [{
            "Value": "ACTIVE",
            "Comparison": "EQUALS"
        }],
        "WorkflowStatus": [{
            "Value": "NEW",
            "Comparison": "EQUALS"
        }],
        "SeverityLabel": [{
            "Value": "HIGH",
            "Comparison": "EQUALS"
        }],
        "AwsAccountId": [
        {
            "Value": "111122223333",
            "Comparison": "EQUALS"
        },
        {
            "Value": "123456789012",
            "Comparison": "EQUALS"
        }]
    },
    "Actions": [{
        "Type": "FINDING_FIELDS_UPDATE",
        "FindingFieldsUpdate": {
            "Severity": {
                "Label": "CRITICAL"
            },
            "Note": {
                "Text": "A resource in production accounts is at risk. Please review ASAP.",
                "UpdatedBy": "sechub-automation"
            }
        }
    }]
}
```

**Example CLI command**:

```
aws securityhub create-automation-rule \
--no-is-terminal \
--rule-name "Elevate severity of findings that relate to resources in production accounts" \
--rule-order 1 \
--rule-status "ENABLED" \
--description "Elevate finding severity from HIGH to CRITICAL for findings that relate to resources in specific production accounts" \
--criteria '{
"ProductName": [{
"Value": "Security Hub CSPM",
"Comparison": "EQUALS"
}],
"ComplianceStatus": [{
"Value": "FAILED",
"Comparison": "EQUALS"
}],
"RecordState": [{
"Value": "ACTIVE",
"Comparison": "EQUALS"
}],
"SeverityLabel": [{
"Value": "HIGH",
"Comparison": "EQUALS"
}],
"AwsAccountId": [
{
"Value": "111122223333",
"Comparison": "EQUALS"
},
{
"Value": "123456789012",
"Comparison": "EQUALS"
}]
}' \
--actions '[{
"Type": "FINDING_FIELDS_UPDATE",
"FindingFieldsUpdate": {
"Severity": {
"Label": "CRITICAL"
},
"Note": {
"Text": "A resource in production accounts is at risk. Please review ASAP.",
"UpdatedBy": "sechub-automation"
}
}
}]' \
--region us-east-1
```

## Suppress informational findings
<a name="example-automation-rule-change-workflow"></a>

In this example, the rule criteria are matched for `INFORMATIONAL` severity findings sent to Security Hub CSPM from Amazon GuardDuty. The rule action is to change the workflow status of matched findings to `SUPPRESSED`.

**Example API request**:

```
{
    "IsTerminal": false,
    "RuleName": "Suppress informational findings",
    "RuleOrder": 1,
    "RuleStatus": "ENABLED",
    "Description": "Suppress GuardDuty findings with INFORMATIONAL severity",
    "Criteria": {
        "ProductName": [{
            "Value": "GuardDuty",
            "Comparison": "EQUALS"
        }],
        "RecordState": [{
            "Value": "ACTIVE",
            "Comparison": "EQUALS"
        }],
        "WorkflowStatus": [{
            "Value": "NEW",
            "Comparison": "EQUALS"
        }],
        "SeverityLabel": [{
            "Value": "INFORMATIONAL",
            "Comparison": "EQUALS"
        }]
    },
    "Actions": [{
        "Type": "FINDING_FIELDS_UPDATE",
        "FindingFieldsUpdate": {
            "Workflow": {
                "Status": "SUPPRESSED"
            },
            "Note": {
                "Text": "Automatically suppress GuardDuty findings with INFORMATIONAL severity",
                "UpdatedBy": "sechub-automation"
            }
        }
    }]
}
```

**Example CLI command**:

```
aws securityhub create-automation-rule \
--no-is-terminal \
--rule-name "Suppress informational findings" \
--rule-order 1 \
--rule-status "ENABLED" \
--description "Suppress GuardDuty findings with INFORMATIONAL severity" \
--criteria '{
"ProductName": [{
"Value": "GuardDuty",
"Comparison": "EQUALS"
}],
"RecordState": [{
"Value": "ACTIVE",
"Comparison": "EQUALS"
}],
"WorkflowStatus": [{
"Value": "NEW",
"Comparison": "EQUALS"
}],
"SeverityLabel": [{
"Value": "INFORMATIONAL",
"Comparison": "EQUALS"
}]
}' \
--actions '[{
"Type": "FINDING_FIELDS_UPDATE",
"FindingFieldsUpdate": {
"Workflow": {
"Status": "SUPPRESSED"
},
"Note": {
"Text": "Automatically suppress GuardDuty findings with INFORMATIONAL severity",
"UpdatedBy": "sechub-automation"
}
}
}]' \
--region us-east-1
```
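To dry-run rule JSON such as the three examples above before creating it, here is an added Python model of the matching semantics (example code, not AWS code or the service's implementation): criteria are ANDed across fields and ORed within a field, enabled rules run in `RuleOrder`, and a terminal rule stops further evaluation for that finding. The `FIELD_PATHS` mapping from criteria keys to ASFF finding fields and the sample finding are assumptions constructed for the example.

```python
"""Dry-run model of Security Hub CSPM automation-rule matching (added example, not
AWS code): criteria AND across fields and OR within a field, rules run in RuleOrder,
and a terminal rule stops evaluation. FIELD_PATHS is an assumed ASFF mapping."""
import copy

FIELD_PATHS = {
    "ProductName": ("ProductName",), "ComplianceStatus": ("Compliance", "Status"),
    "RecordState": ("RecordState",), "WorkflowStatus": ("Workflow", "Status"),
    "SeverityLabel": ("Severity", "Label"), "AwsAccountId": ("AwsAccountId",),
    "ResourceId": ("Resources", 0, "Id"),
}

def _get(finding, path):
    cur = finding
    for key in path:
        try:
            cur = cur[key]
        except (KeyError, IndexError, TypeError):
            return None  # absent field, e.g. no Compliance block on a GuardDuty finding
    return cur

def _filter_ok(value, flt):
    if flt["Comparison"] not in ("EQUALS", "NOT_EQUALS"):
        raise ValueError(f"unsupported comparison: {flt['Comparison']}")
    return (value == flt["Value"]) == (flt["Comparison"] == "EQUALS")

def matches(rule, finding):
    # Every criteria field must match; within a field any listed filter suffices.
    return all(any(_filter_ok(_get(finding, FIELD_PATHS[f]), x) for x in flts)
               for f, flts in rule["Criteria"].items())

def apply_rules(rules, finding):
    """Apply enabled rules in RuleOrder; return (updated copy, names of rules applied)."""
    finding, applied = copy.deepcopy(finding), []
    for rule in sorted(rules, key=lambda r: r["RuleOrder"]):
        if rule["RuleStatus"] != "ENABLED" or not matches(rule, finding):
            continue
        for action in rule["Actions"]:
            if action["Type"] == "FINDING_FIELDS_UPDATE":
                for field, update in action["FindingFieldsUpdate"].items():
                    finding.setdefault(field, {}).update(update)
        applied.append(rule["RuleName"])
        if rule["IsTerminal"]:
            break  # later rules are not evaluated for this finding
    return finding, applied

SAMPLE_FINDING = {  # constructed sample finding, not real data
    "ProductName": "GuardDuty", "RecordState": "ACTIVE", "AwsAccountId": "111122223333",
    "Workflow": {"Status": "NEW"}, "Severity": {"Label": "INFORMATIONAL"},
    "Resources": [{"Id": "arn:aws:ec2:us-east-1:111122223333:instance/i-EXAMPLE"}],
}
```

Feeding the suppress-informational rule a `ComplianceStatus: FAILED` criterion, as the CLI variant once did, makes it match no GuardDuty finding at all, which this model shows immediately.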