BatchUpdateFindings for customers

Security Hub customers, and entities acting on their behalf, can use the BatchUpdateFindings operation to update information related to a customer's processing of Security Hub findings from finding providers. A customer, or a SIEM, ticketing, incident management, or SOAR tool that works on behalf of a customer, can use this operation.

You can't use BatchUpdateFindings to create new findings. You can use it to update up to 100 findings at a time. In your request, you specify which AWS Security Finding Format (ASFF) fields you want to update.

When Security Hub receives a BatchUpdateFindings request to update a finding, it automatically generates a Security Hub Findings - Imported event in Amazon EventBridge. You can take automated action on that event. For information, see Using EventBridge for automated response and remediation.

BatchUpdateFindings doesn't change the UpdatedAt field for the finding. UpdatedAt reflects the most recent update from the finding provider, so it doesn't tell you when a customer or a tool last changed a finding; the EventBridge event described above is the record of those updates.
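The following is an added example, not code from the Security Hub documentation or from AWS. It shows how a SOAR-style integration would apply one set of ASFF updates to a larger set of findings: the identifiers are split into requests of at most 100, and the UnprocessedFindings that Security Hub returns for rejected findings are collected so the caller can retry or alert. The finding IDs, the product ARN and the in-memory FakeSecurityHub client are constructed so the example runs offline; with boto3, pass boto3.client("securityhub") as the client instead.

```python
"""Call Security Hub BatchUpdateFindings in batches of at most 100 findings.

Added example (not from the Security Hub documentation). The client is any
object with a boto3-style batch_update_findings(**kwargs) method; the demo
uses a constructed in-memory fake so it runs offline. Finding IDs and the
product ARN are made up for illustration.
"""
from typing import Any, Dict, Iterable, List

MAX_FINDINGS_PER_REQUEST = 100  # documented limit for BatchUpdateFindings


def chunk(items: List[Any], size: int) -> Iterable[List[Any]]:
    """Yield consecutive slices of at most `size` items."""
    for i in range(0, len(items), size):
        yield items[i:i + size]


def batch_update_findings(client, identifiers: List[Dict[str, str]],
                          **fields: Any) -> Dict[str, Any]:
    """Apply the same ASFF updates (e.g. Workflow={"Status": "NOTIFIED"},
    Note={...}) to every finding, sending at most 100 identifiers per request.

    Returns the merged ProcessedFindings / UnprocessedFindings lists so the
    caller can retry or alert on findings that Security Hub rejected.
    """
    processed: List[Dict[str, str]] = []
    unprocessed: List[Dict[str, Any]] = []
    for batch in chunk(identifiers, MAX_FINDINGS_PER_REQUEST):
        resp = client.batch_update_findings(FindingIdentifiers=batch, **fields)
        processed.extend(resp.get("ProcessedFindings", []))
        unprocessed.extend(resp.get("UnprocessedFindings", []))
    return {"ProcessedFindings": processed, "UnprocessedFindings": unprocessed}


class FakeSecurityHub:
    """Constructed stand-in for boto3's securityhub client (offline demo only).
    Records each request and rejects any finding whose Id contains 'bad'."""

    def __init__(self) -> None:
        self.requests: List[Dict[str, Any]] = []

    def batch_update_findings(self, **kwargs: Any) -> Dict[str, Any]:
        self.requests.append(kwargs)
        ids = kwargs["FindingIdentifiers"]
        if len(ids) > MAX_FINDINGS_PER_REQUEST:
            raise ValueError("ValidationException: more than 100 findings")
        ok = [f for f in ids if "bad" not in f["Id"]]
        rejected = [{"FindingIdentifier": f, "ErrorCode": "FindingNotFound",
                     "ErrorMessage": "constructed error"}
                    for f in ids if "bad" in f["Id"]]
        return {"ProcessedFindings": ok, "UnprocessedFindings": rejected}


def demo(total: int = 250) -> Dict[str, Any]:
    """Mark `total` constructed findings NOTIFIED with a note, in batches."""
    product_arn = "arn:aws:securityhub:us-east-1::product/aws/securityhub"  # example
    identifiers = [
        {"Id": f"arn:aws:securityhub:us-east-1:111122223333:finding/{i:04d}",  # constructed
         "ProductArn": product_arn}
        for i in range(total)
    ]
    identifiers[5]["Id"] += "-bad"  # one finding the fake client will reject
    client = FakeSecurityHub()
    result = batch_update_findings(
        client, identifiers,
        Workflow={"Status": "NOTIFIED"},
        Note={"Text": "Ticket SEC-123 opened", "UpdatedBy": "soar-bot"},
    )
    result["requests"] = len(client.requests)
    result["batch_sizes"] = [len(r["FindingIdentifiers"]) for r in client.requests]
    return result


if __name__ == "__main__":
    r = demo()
    print(r["requests"], "requests with batch sizes", r["batch_sizes"])
    print(len(r["UnprocessedFindings"]), "finding(s) rejected")
```

Every request in a batch carries the same field values, so if you need different notes or workflow states for different findings, group the identifiers by the update you want to apply before calling batch_update_findings.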
Available fields for BatchUpdateFindings
If you are signed in to a Security Hub administrator account, you can use BatchUpdateFindings to update findings that were generated by the administrator account or member accounts. Member accounts can use BatchUpdateFindings to update findings for their account only.
Customers can use BatchUpdateFindings to update the following fields and objects:

- Confidence
- Criticality
- Note
- RelatedFindings
- Severity
- Types
- UserDefinedFields
- VerificationState
- Workflow
Configuring access to BatchUpdateFindings
You can configure AWS Identity and Access Management (IAM) policies to restrict access to using BatchUpdateFindings to update finding fields and field values.

In a statement to restrict access to BatchUpdateFindings, use the following values:

- Action is securityhub:BatchUpdateFindings
- Effect is Deny
- For Condition, you can deny a BatchUpdateFindings request based on the following:
  - The finding includes a specific field.
  - The finding includes a specific field value.
Condition keys

These are the condition keys for restricting access to BatchUpdateFindings.

- ASFF field

  The condition key for an ASFF field is as follows:

  securityhub:ASFFSyntaxPath/<fieldName>

  Replace <fieldName> with the ASFF field. When configuring access to BatchUpdateFindings, include one or more specific ASFF fields in your IAM policy rather than a parent-level field. For example, to restrict access to the Workflow.Status field, you must include securityhub:ASFFSyntaxPath/Workflow.Status in your policy instead of the Workflow parent-level field; a condition on the parent-level field does not match and the Deny has no effect.
Disallowing all updates to a field

To prevent a user from making any update to a specific field, use a condition like this. Null set to "false" matches when the condition key is present, that is, when the request includes that field at all:

"Condition": {
    "Null": {
        "securityhub:ASFFSyntaxPath/<fieldName>": "false"
    }
}

For example, the following statement indicates that BatchUpdateFindings can't be used to update the Workflow.Status field of findings.

{
    "Sid": "VisualEditor0",
    "Effect": "Deny",
    "Action": "securityhub:BatchUpdateFindings",
    "Resource": "*",
    "Condition": {
        "Null": {
            "securityhub:ASFFSyntaxPath/Workflow.Status": "false"
        }
    }
}
Disallowing specific field values

To prevent a user from setting a field to a specific value, use a condition like this:

"Condition": {
    "StringEquals": {
        "securityhub:ASFFSyntaxPath/<fieldName>": "<fieldValue>"
    }
}

For example, the following statement indicates that BatchUpdateFindings can't be used to set Workflow.Status to SUPPRESSED.

{
    "Sid": "VisualEditor0",
    "Effect": "Deny",
    "Action": "securityhub:BatchUpdateFindings",
    "Resource": "*",
    "Condition": {
        "StringEquals": {
            "securityhub:ASFFSyntaxPath/Workflow.Status": "SUPPRESSED"
        }
    }
}
You can also provide a list of values that are not permitted. IAM treats the listed values as alternatives, so the statement matches if the request sets the field to any one of them.

"Condition": {
    "StringEquals": {
        "securityhub:ASFFSyntaxPath/<fieldName>": [
            "<fieldValue1>",
            "<fieldValue2>",
            "<fieldValuen>"
        ]
    }
}

For example, the following statement indicates that BatchUpdateFindings can't be used to set Workflow.Status to either RESOLVED or SUPPRESSED.

{
    "Sid": "VisualEditor0",
    "Effect": "Deny",
    "Action": "securityhub:BatchUpdateFindings",
    "Resource": "*",
    "Condition": {
        "StringEquals": {
            "securityhub:ASFFSyntaxPath/Workflow.Status": [
                "RESOLVED",
                "SUPPRESSED"
            ]
        }
    }
}
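To reason about a policy like the ones above before deploying it, the following added example (not AWS code, and not how IAM is implemented) models the part of the evaluation this page describes: it flattens a BatchUpdateFindings request into the securityhub:ASFFSyntaxPath/ leaf keys and checks each Deny statement's Null and StringEquals conditions against them. It deliberately ignores Allow statements, principals, resources, action wildcards and list-valued ASFF fields such as Types, and the policies, finding identifiers and requests it uses are constructed. The last check shows why a condition on the parent-level Workflow key never matches.

```python
"""Local model of IAM Deny evaluation on securityhub:ASFFSyntaxPath/* keys.

Added example, not AWS code and not the real IAM engine: it supports only the
Null and StringEquals operators shown on this page, ignores Allow statements,
principals, resources and action wildcards, and skips list-valued ASFF fields
(Types, RelatedFindings). Policies and requests below are constructed.
"""
from typing import Any, Dict, List

PREFIX = "securityhub:ASFFSyntaxPath/"
ACTION = "securityhub:BatchUpdateFindings"


def request_condition_keys(request: Dict[str, Any]) -> Dict[str, str]:
    """Flatten the ASFF fields of a request into leaf condition keys, e.g.
    {"Workflow": {"Status": "SUPPRESSED"}} becomes
    {"securityhub:ASFFSyntaxPath/Workflow.Status": "SUPPRESSED"}.
    Only leaves are produced, so a parent-level key such as .../Workflow
    is never present for a policy to match."""
    keys: Dict[str, str] = {}

    def walk(node: Any, path: str) -> None:
        if isinstance(node, dict):
            for name, value in node.items():
                walk(value, f"{path}.{name}")
        elif isinstance(node, list):
            return  # simplification: multivalued keys are out of scope here
        else:
            keys[PREFIX + path] = str(node)

    for field, value in request.items():
        if field != "FindingIdentifiers":  # identifiers are not ASFF updates
            walk(value, field)
    return keys


def condition_matches(condition: Dict[str, Dict[str, Any]],
                      keys: Dict[str, str]) -> bool:
    """IAM ANDs every operator/key pair in a Condition block and ORs the
    values listed for one key. Null "false" means "the key is present"."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in keys
            if operator == "Null":
                wants_absent = str(expected).lower() == "true"
                if present == wants_absent:
                    return False
            elif operator == "StringEquals":
                values = expected if isinstance(expected, list) else [expected]
                if not present or keys[key] not in values:
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled")
    return True


def denied_by(policy: Dict[str, Any], request: Dict[str, Any]) -> List[str]:
    """Sids of Deny statements on BatchUpdateFindings whose Condition matches
    the request. Any hit means IAM rejects the whole call (an explicit Deny
    overrides every Allow), so no finding in the batch is updated."""
    keys = request_condition_keys(request)
    statements = policy["Statement"]
    if isinstance(statements, dict):
        statements = [statements]
    hits: List[str] = []
    for st in statements:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if (st.get("Effect") == "Deny" and ACTION in actions
                and condition_matches(st.get("Condition", {}), keys)):
            hits.append(st.get("Sid", "<no Sid>"))
    return hits


# Constructed policy: analysts may annotate and notify, but may neither close
# findings nor override the provider's severity.
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "NoClosingFindings", "Effect": "Deny", "Action": ACTION, "Resource": "*",
     "Condition": {"StringEquals": {
         PREFIX + "Workflow.Status": ["RESOLVED", "SUPPRESSED"]}}},
    {"Sid": "NoSeverityOverride", "Effect": "Deny", "Action": ACTION, "Resource": "*",
     "Condition": {"Null": {PREFIX + "Severity.Label": "false"}}},
]}

# Common mistake: conditioning on the parent-level field instead of a leaf.
PARENT_LEVEL_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ParentLevelDoesNotWork", "Effect": "Deny", "Action": ACTION,
     "Resource": "*", "Condition": {"Null": {PREFIX + "Workflow": "false"}}},
]}

IDS = [{"Id": "arn:aws:securityhub:us-east-1:111122223333:finding/0001",  # constructed
        "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/securityhub"}]
REQUEST_SUPPRESS = {"FindingIdentifiers": IDS, "Workflow": {"Status": "SUPPRESSED"}}
REQUEST_NOTIFY = {"FindingIdentifiers": IDS, "Workflow": {"Status": "NOTIFIED"},
                  "Note": {"Text": "ticket opened", "UpdatedBy": "analyst"}}
REQUEST_SEVERITY = {"FindingIdentifiers": IDS, "Severity": {"Label": "LOW"}}

if __name__ == "__main__":
    for name, req in [("suppress", REQUEST_SUPPRESS), ("notify", REQUEST_NOTIFY),
                      ("severity", REQUEST_SEVERITY)]:
        print(name, "denied by:", denied_by(POLICY, req) or "nothing")
    print("parent-level key vs suppress:", denied_by(PARENT_LEVEL_POLICY, REQUEST_SUPPRESS))
```

Use the model to check the shape of a policy (leaf versus parent-level keys, which values a list blocks); the authoritative answer for a real principal still comes from the IAM policy simulator or a test call against a non-production account, because the real evaluation also takes the Allow statements, permission boundaries and SCPs that this model ignores into account.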