From 9339e15fc0f965ec524d8e58591c650b358cf5ad Mon Sep 17 00:00:00 2001
From: AWS <>
Date: Thu, 18 Mar 2021 18:12:35 +0000
Subject: [PATCH] AWS SecurityHub Update: New object for separate provider and customer values. New objects track S3 Public Access Block configuration and identify sensitive data. BatchImportFinding requests are limited to 100 findings.
---
 .../feature-AWSSecurityHub-3cc7808.json | 6 +
 .../codegen-resources/service-2.json | 382 +++++++++++++++++-
 2 files changed, 382 insertions(+), 6 deletions(-)
 create mode 100644 .changes/next-release/feature-AWSSecurityHub-3cc7808.json
diff --git a/.changes/next-release/feature-AWSSecurityHub-3cc7808.json b/.changes/next-release/feature-AWSSecurityHub-3cc7808.json
new file mode 100644
index 000000000000..03a3b476f99a
--- /dev/null
+++ b/.changes/next-release/feature-AWSSecurityHub-3cc7808.json
@@ -0,0 +1,6 @@
+{
+ "type": "feature",
+ "category": "AWS SecurityHub",
+ "contributor": "",
+ "description": "New object for separate provider and customer values. New objects track S3 Public Access Block configuration and identify sensitive data. BatchImportFinding requests are limited to 100 findings."
+}
diff --git a/services/securityhub/src/main/resources/codegen-resources/service-2.json b/services/securityhub/src/main/resources/codegen-resources/service-2.json
index a627dfa8e154..e87dade295e9 100644
--- a/services/securityhub/src/main/resources/codegen-resources/service-2.json
+++ b/services/securityhub/src/main/resources/codegen-resources/service-2.json
@@ -75,7 +75,7 @@
 {"shape":"LimitExceededException"},
 {"shape":"InvalidAccessException"}
 ],
- "documentation":"
Imports security findings generated from an integrated third-party product into Security Hub. This action is requested by the integrated product to import its findings into Security Hub.
The maximum allowed size for a finding is 240 Kb. An error is returned for any finding larger than 240 Kb.
After a finding is created, BatchImportFindings
cannot be used to update the following finding fields and objects, which Security Hub customers use to manage their investigation workflow.
Note
UserDefinedFields
VerificationState
Workflow
BatchImportFindings
can be used to update the following finding fields and objects only if they have not been updated using BatchUpdateFindings
. After they are updated using BatchUpdateFindings
, these fields cannot be updated using BatchImportFindings
.
Confidence
Criticality
RelatedFindings
Severity
Types
Imports security findings generated from an integrated product into Security Hub. This action is requested by the integrated product to import its findings into Security Hub.
The maximum allowed size for a finding is 240 Kb. An error is returned for any finding larger than 240 Kb.
After a finding is created, BatchImportFindings
cannot be used to update the following finding fields and objects, which Security Hub customers use to manage their investigation workflow.
Note
UserDefinedFields
VerificationState
Workflow
Finding providers also should not use BatchImportFindings
to update the following attributes.
Confidence
Criticality
RelatedFindings
Severity
Types
Instead, finding providers use FindingProviderFields
to provide values for these attributes.
Indicates whether to reject calls to update an S3 bucket if the calls include a public access control list (ACL).
" + }, + "BlockPublicPolicy":{ + "shape":"Boolean", + "documentation":"Indicates whether to reject calls to update the access policy for an S3 bucket or access point if the policy allows public access.
" + }, + "IgnorePublicAcls":{ + "shape":"Boolean", + "documentation":"Indicates whether Amazon S3 ignores public ACLs that are associated with an S3 bucket.
" + }, + "RestrictPublicBuckets":{ + "shape":"Boolean", + "documentation":"Indicates whether to restrict access to an access point or S3 bucket that has a public policy to only AWS service principals and authorized users within the S3 bucket owner's account.
" + } + }, + "documentation":"provides information about the Amazon S3 Public Access Block configuration for accounts.
" + }, "AwsS3BucketDetails":{ "type":"structure", "members":{ @@ -5452,6 +5474,10 @@ "ServerSideEncryptionConfiguration":{ "shape":"AwsS3BucketServerSideEncryptionConfiguration", "documentation":"The encryption rules that are applied to the S3 bucket.
" + }, + "PublicAccessBlockConfiguration":{ + "shape":"AwsS3AccountPublicAccessBlockDetails", + "documentation":"Provides information about the Amazon S3 Public Access Block configuration for the S3 bucket.
" } }, "documentation":"The details of an Amazon S3 bucket.
" @@ -5580,10 +5606,8 @@ "ProductArn", "GeneratorId", "AwsAccountId", - "Types", "CreatedAt", "UpdatedAt", - "Severity", "Title", "Description", "Resources" @@ -5728,6 +5752,10 @@ "Action":{ "shape":"Action", "documentation":"Provides details about an action that affects or that was taken on a resource.
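Review bot: The new `PublicAccessBlockConfiguration` member on `AwsS3BucketDetails` reuses the shape `AwsS3AccountPublicAccessBlockDetails`, whose documentation (added earlier in this patch) describes the configuration "for accounts" and begins with a lowercase "provides". From the shape documentation alone a reader cannot tell whether the four booleans in a finding were read at the account level or the bucket level, which matters when the finding is used to judge whether a bucket can be exposed publicly. I would reword the shape documentation to cover both uses, for example `Provides information about the Amazon S3 Public Access Block configuration for an account or an S3 bucket.`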
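Review bot: Removing `Types` and `Severity` from the `required` list of `AwsSecurityFinding` means a finding object can now carry neither field, and nothing in this hunk or in the visible member documentation tells a consumer what to expect in that case. Code that routes, alerts on or suppresses findings by `Severity` should treat a missing value as unknown rather than as low. If it matches the service behaviour, I would add a sentence to the `Severity` and `Types` member documentation such as `Optional in BatchImportFindings when the value is supplied in FindingProviderFields.`; those member definitions lie outside this hunk.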
" + }, + "FindingProviderFields":{ + "shape":"FindingProviderFields", + "documentation":"In a BatchImportFindings
request, finding providers use FindingProviderFields
to provide and update their own values for confidence, criticality, related findings, severity, and types.
Provides consistent format for the contents of the Security Hub-aggregated findings. AwsSecurityFinding
format enables you to share findings between AWS security services and third-party solutions, and security standards checks.
A finding is a potential security issue generated either by AWS services (Amazon GuardDuty, Amazon Inspector, and Amazon Macie) or by the integrated third-party solutions and standards checks.
The native severity as defined by the security-findings provider's solution that generated the finding.
" + "documentation":"The native severity as defined by the security-findings provider's solution that generated the finding.
", + "deprecated":true, + "deprecatedMessage":"This filter is deprecated, use FindingProviiltersSeverityOriginal instead." }, "SeverityNormalized":{ "shape":"NumberFilterList", - "documentation":"The normalized severity of a finding.
" + "documentation":"The normalized severity of a finding.
", + "deprecated":true, + "deprecatedMessage":"This filter is deprecated, use SeverityLabel or FindingProviderFieldsSeverityLabel instead." }, "SeverityLabel":{ "shape":"StringFilterList", @@ -6070,6 +6102,34 @@ "Keyword":{ "shape":"KeywordFilterList", "documentation":"A keyword for a finding.
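Review bot: The `deprecatedMessage` added to the native-severity filter points to a replacement that does not exist: `FindingProviiltersSeverityOriginal` looks like a garbled `FindingProviderFieldsSeverityOriginal`, the filter this patch adds to the same structure in the next hunk. This text becomes the deprecation notice on the generated SDK member, so anyone following it will not find the filter. The line should read `"deprecatedMessage":"This filter is deprecated, use FindingProviderFieldsSeverityOriginal instead."`. The hunk header and the start of the deprecated member are not visible on this page.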
" + }, + "FindingProviderFieldsConfidence":{ + "shape":"NumberFilterList", + "documentation":"The finding provider value for the finding confidence. Confidence is defined as the likelihood that a finding accurately identifies the behavior or issue that it was intended to identify.
Confidence is scored on a 0-100 basis using a ratio scale, where 0 means zero percent confidence and 100 means 100 percent confidence.
" + }, + "FindingProviderFieldsCriticality":{ + "shape":"NumberFilterList", + "documentation":"The finding provider value for the level of importance assigned to the resources associated with the findings.
A score of 0 means that the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources.
" + }, + "FindingProviderFieldsRelatedFindingsId":{ + "shape":"StringFilterList", + "documentation":"The finding identifier of a related finding that is identified by the finding provider.
" + }, + "FindingProviderFieldsRelatedFindingsProductArn":{ + "shape":"StringFilterList", + "documentation":"The ARN of the solution that generated a related finding that is identified by the finding provider.
" + }, + "FindingProviderFieldsSeverityLabel":{ + "shape":"StringFilterList", + "documentation":"The finding provider value for the severity label.
" + }, + "FindingProviderFieldsSeverityOriginal":{ + "shape":"StringFilterList", + "documentation":"The finding provider's original value for the severity.
" + }, + "FindingProviderFieldsTypes":{ + "shape":"StringFilterList", + "documentation":"One or more finding types that the finding provider assigned to the finding. Uses the format of namespace/category/classifier
that classify a finding.
Valid namespace values are: Software and Configuration Checks | TTPs | Effects | Unusual Behaviors | Sensitive Data Identifications
" } }, "documentation":"A collection of attributes that are applied to all active Security Hub-aggregated findings and that result in a subset of findings that are included in this insight.
You can filter by up to 10 finding attributes. For each attribute, you can provide up to 20 filter values.
" @@ -6359,11 +6419,17 @@ "required":["Findings"], "members":{ "Findings":{ - "shape":"AwsSecurityFindingList", + "shape":"BatchImportFindingsRequestFindingList", "documentation":"A list of findings to import. To successfully import a finding, it must follow the AWS Security Finding Format. Maximum of 100 findings per request.
" } } }, + "BatchImportFindingsRequestFindingList":{ + "type":"list", + "member":{"shape":"AwsSecurityFinding"}, + "max":100, + "min":1 + }, "BatchImportFindingsResponse":{ "type":"structure", "required":[ @@ -6477,6 +6543,32 @@ "type":"list", "member":{"shape":"NonEmptyString"} }, + "Cell":{ + "type":"structure", + "members":{ + "Column":{ + "shape":"Long", + "documentation":"The column number of the column that contains the data. For a Microsoft Excel workbook, the column number corresponds to the alphabetical column identifiers. For example, a value of 1 for Column corresponds to the A column in the workbook.
" + }, + "Row":{ + "shape":"Long", + "documentation":"The row number of the row that contains the data.
" + }, + "ColumnName":{ + "shape":"NonEmptyString", + "documentation":"The name of the column that contains the data.
" + }, + "CellReference":{ + "shape":"NonEmptyString", + "documentation":"For a Microsoft Excel workbook, provides the location of the cell, as an absolute cell reference, that contains the data. For example, Sheet2!C5 for cell C5 on Sheet2.
" + } + }, + "documentation":"An occurrence of sensitive data detected in a Microsoft Excel workbook, comma-separated value (CSV) file, or tab-separated value (TSV) file.
" + }, + "Cells":{ + "type":"list", + "member":{"shape":"Cell"} + }, "CidrBlockAssociation":{ "type":"structure", "members":{ @@ -6509,6 +6601,50 @@ }, "documentation":"Information about a city.
" }, + "ClassificationResult":{ + "type":"structure", + "members":{ + "MimeType":{ + "shape":"NonEmptyString", + "documentation":"The type of content that the finding applies to.
" + }, + "SizeClassified":{ + "shape":"Long", + "documentation":"The total size in bytes of the affected data.
" + }, + "AdditionalOccurrences":{ + "shape":"Boolean", + "documentation":"Indicates whether there are additional occurrences of sensitive data that are not included in the finding. This occurs when the number of occurrences exceeds the maximum that can be included.
" + }, + "Status":{ + "shape":"ClassificationStatus", + "documentation":"The current status of the sensitive data detection.
" + }, + "SensitiveData":{ + "shape":"SensitiveDataResultList", + "documentation":"Provides details about sensitive data that was identified based on built-in configuration.
" + }, + "CustomDataIdentifiers":{ + "shape":"CustomDataIdentifiersResult", + "documentation":"Provides details about sensitive data that was identified based on customer-defined configuration.
" + } + }, + "documentation":"Details about the sensitive data that was detected on the resource.
" + }, + "ClassificationStatus":{ + "type":"structure", + "members":{ + "Code":{ + "shape":"NonEmptyString", + "documentation":"The code that represents the status of the sensitive data detection.
" + }, + "Reason":{ + "shape":"NonEmptyString", + "documentation":"A longer description of the current status of the sensitive data detection.
" + } + }, + "documentation":"Provides details about the current status of the sensitive data detection.
" + }, "Compliance":{ "type":"structure", "members":{ @@ -6667,6 +6803,46 @@ "max":50, "min":1 }, + "CustomDataIdentifiersDetections":{ + "type":"structure", + "members":{ + "Count":{ + "shape":"Long", + "documentation":"The total number of occurrences of sensitive data that were detected.
" + }, + "Arn":{ + "shape":"NonEmptyString", + "documentation":"The ARN of the custom identifier that was used to detect the sensitive data.
" + }, + "Name":{ + "shape":"NonEmptyString", + "documentation":"he name of the custom identifier that detected the sensitive data.
" + }, + "Occurrences":{ + "shape":"Occurrences", + "documentation":"Details about the sensitive data that was detected.
" + } + }, + "documentation":"The list of detected instances of sensitive data.
" + }, + "CustomDataIdentifiersDetectionsList":{ + "type":"list", + "member":{"shape":"CustomDataIdentifiersDetections"} + }, + "CustomDataIdentifiersResult":{ + "type":"structure", + "members":{ + "Detections":{ + "shape":"CustomDataIdentifiersDetectionsList", + "documentation":"The list of detected instances of sensitive data.
" + }, + "TotalCount":{ + "shape":"Long", + "documentation":"The total number of occurrences of sensitive data.
" + } + }, + "documentation":"Contains an instance of sensitive data that was detected by a customer-defined identifier.
" + }, "Cvss":{ "type":"structure", "members":{ @@ -6689,6 +6865,20 @@ "type":"list", "member":{"shape":"Cvss"} }, + "DataClassificationDetails":{ + "type":"structure", + "members":{ + "DetailedResultsLocation":{ + "shape":"NonEmptyString", + "documentation":"The path to the folder or file that contains the sensitive data.
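Review bot: In `CustomDataIdentifiersDetections` the `Name` documentation begins `he name of the custom identifier`; the leading letter was lost and it should begin `The name of the custom identifier that detected the sensitive data.` The structure-level documentation, `The list of detected instances of sensitive data.`, describes the list rather than a single entry and repeats the text on `CustomDataIdentifiersResult.Detections`. Something like `A detected instance of sensitive data that matched a custom identifier.` would fit the element shape. The same list-style wording is used for `SensitiveDataDetections` in the last hunk of the patch.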
" + }, + "Result":{ + "shape":"ClassificationResult", + "documentation":"The details about the sensitive data that was detected on the resource.
" + } + }, + "documentation":"Provides details about sensitive data that was detected on a resource.
" + }, "DateFilter":{ "type":"structure", "members":{ @@ -7154,6 +7344,46 @@ "key":{"shape":"NonEmptyString"}, "value":{"shape":"NonEmptyString"} }, + "FindingProviderFields":{ + "type":"structure", + "members":{ + "Confidence":{ + "shape":"RatioScale", + "documentation":"A finding's confidence. Confidence is defined as the likelihood that a finding accurately identifies the behavior or issue that it was intended to identify.
Confidence is scored on a 0-100 basis using a ratio scale, where 0 means zero percent confidence and 100 means 100 percent confidence.
" + }, + "Criticality":{ + "shape":"RatioScale", + "documentation":"The level of importance assigned to the resources associated with the finding.
A score of 0 means that the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources.
" + }, + "RelatedFindings":{ + "shape":"RelatedFindingList", + "documentation":"A list of findings that are related to the current finding.
" + }, + "Severity":{ + "shape":"FindingProviderSeverity", + "documentation":"The severity of a finding.
" + }, + "Types":{ + "shape":"TypeList", + "documentation":"One or more finding types in the format of namespace/category/classifier
that classify a finding.
Valid namespace values are: Software and Configuration Checks | TTPs | Effects | Unusual Behaviors | Sensitive Data Identifications
" + } + }, + "documentation":"In a BatchImportFindings
request, finding providers use FindingProviderFields
to provide and update values for confidence, criticality, related findings, severity, and types.
The severity label assigned to the finding by the finding provider.
" + }, + "Original":{ + "shape":"NonEmptyString", + "documentation":"The finding provider's original value for the severity.
" + } + }, + "documentation":"The severity assigned to the finding by the finding provider.
" + }, "GeoLocation":{ "type":"structure", "members":{ @@ -8116,6 +8346,54 @@ "type":"list", "member":{"shape":"NumberFilter"} }, + "Occurrences":{ + "type":"structure", + "members":{ + "LineRanges":{ + "shape":"Ranges", + "documentation":"Occurrences of sensitive data detected in a non-binary text file or a Microsoft Word file. Non-binary text files include files such as HTML, XML, JSON, and TXT files.
" + }, + "OffsetRanges":{ + "shape":"Ranges", + "documentation":"Occurrences of sensitive data detected in a binary text file.
" + }, + "Pages":{ + "shape":"Pages", + "documentation":"Occurrences of sensitive data in an Adobe Portable Document Format (PDF) file.
" + }, + "Records":{ + "shape":"Records", + "documentation":"Occurrences of sensitive data in an Apache Avro object container or an Apache Parquet file.
" + }, + "Cells":{ + "shape":"Cells", + "documentation":"Occurrences of sensitive data detected in Microsoft Excel workbooks, comma-separated value (CSV) files, or tab-separated value (TSV) files.
" + } + }, + "documentation":"The detected occurrences of sensitive data.
" + }, + "Page":{ + "type":"structure", + "members":{ + "PageNumber":{ + "shape":"Long", + "documentation":"The page number of the page that contains the sensitive data.
" + }, + "LineRange":{ + "shape":"Range", + "documentation":"An occurrence of sensitive data detected in a non-binary text file or a Microsoft Word file. Non-binary text files include files such as HTML, XML, JSON, and TXT files.
" + }, + "OffsetRange":{ + "shape":"Range", + "documentation":"An occurrence of sensitive data detected in a binary text file.
" + } + }, + "documentation":"An occurrence of sensitive data in an Adobe Portable Document Format (PDF) file.
" + }, + "Pages":{ + "type":"list", + "member":{"shape":"Page"} + }, "Partition":{ "type":"string", "enum":[ @@ -8310,6 +8588,28 @@ "type":"list", "member":{"shape":"Product"} }, + "Range":{ + "type":"structure", + "members":{ + "Start":{ + "shape":"Long", + "documentation":"The number of lines (for a line range) or characters (for an offset range) from the beginning of the file to the end of the sensitive data.
" + }, + "End":{ + "shape":"Long", + "documentation":"The number of lines (for a line range) or characters (for an offset range) from the beginning of the file to the end of the sensitive data.
" + }, + "StartColumn":{ + "shape":"Long", + "documentation":"In the line where the sensitive data starts, the column within the line where the sensitive data starts.
" + } + }, + "documentation":"Identifies where the sensitive data begins and ends.
" + }, + "Ranges":{ + "type":"list", + "member":{"shape":"Range"} + }, "RatioScale":{ "type":"integer", "max":100, @@ -8329,6 +8629,20 @@ }, "documentation":"A recommendation on how to remediate the issue identified in a finding.
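Review bot: The documentation for `Range.Start` is a copy of the one for `End`: both say the value counts "from the beginning of the file to the end of the sensitive data". Tooling that uses these offsets to locate or redact the detected data would pick the wrong span if it follows the text. Presumably `Start` is meant to read `The number of lines (for a line range) or characters (for an offset range) from the beginning of the file to the beginning of the sensitive data.`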
" }, + "Record":{ + "type":"structure", + "members":{ + "JsonPath":{ + "shape":"NonEmptyString", + "documentation":"The path, as a JSONPath expression, to the field in the record that contains the data. If the field name is longer than 20 characters, it is truncated. If the path is longer than 250 characters, it is truncated.
" + }, + "RecordIndex":{ + "shape":"Long", + "documentation":"The record index, starting from 0, for the record that contains the data.
" + } + }, + "documentation":"An occurrence of sensitive data in an Apache Avro object container or an Apache Parquet file.
" + }, "RecordState":{ "type":"string", "enum":[ @@ -8336,6 +8650,10 @@ "ARCHIVED" ] }, + "Records":{ + "type":"list", + "member":{"shape":"Record"} + }, "RelatedFinding":{ "type":"structure", "required":[ @@ -8403,6 +8721,10 @@ "shape":"FieldMap", "documentation":"A list of AWS tags associated with a resource at the time the finding was processed.
" }, + "DataClassification":{ + "shape":"DataClassificationDetails", + "documentation":"Contains information about sensitive data that was detected on the resource.
" + }, "Details":{ "shape":"ResourceDetails", "documentation":"Additional details about the resource related to a finding.
" @@ -8475,6 +8797,10 @@ "shape":"AwsS3BucketDetails", "documentation":"Details about an Amazon S3 bucket related to a finding.
" }, + "AwsS3AccountPublicAccessBlock":{ + "shape":"AwsS3AccountPublicAccessBlockDetails", + "documentation":"Details about the Amazon S3 Public Access Block configuration for an account.
" + }, "AwsS3Object":{ "shape":"AwsS3ObjectDetails", "documentation":"Details about an Amazon S3 object related to a finding.
" @@ -8630,6 +8956,50 @@ "type":"list", "member":{"shape":"NonEmptyString"} }, + "SensitiveDataDetections":{ + "type":"structure", + "members":{ + "Count":{ + "shape":"Long", + "documentation":"The total number of occurrences of sensitive data that were detected.
" + }, + "Type":{ + "shape":"NonEmptyString", + "documentation":"The type of sensitive data that was detected. For example, the type might indicate that the data is an email address.
" + }, + "Occurrences":{ + "shape":"Occurrences", + "documentation":"Details about the sensitive data that was detected.
" + } + }, + "documentation":"The list of detected instances of sensitive data.
" + }, + "SensitiveDataDetectionsList":{ + "type":"list", + "member":{"shape":"SensitiveDataDetections"} + }, + "SensitiveDataResult":{ + "type":"structure", + "members":{ + "Category":{ + "shape":"NonEmptyString", + "documentation":"The category of sensitive data that was detected. For example, the category can indicate that the sensitive data involved credentials, financial information, or personal information.
" + }, + "Detections":{ + "shape":"SensitiveDataDetectionsList", + "documentation":"The list of detected instances of sensitive data.
" + }, + "TotalCount":{ + "shape":"Long", + "documentation":"The total number of occurrences of sensitive data.
" + } + }, + "documentation":"Contains a detected instance of sensitive data that are based on built-in identifiers.
" + }, + "SensitiveDataResultList":{ + "type":"list", + "member":{"shape":"SensitiveDataResult"} + }, "Severity":{ "type":"structure", "members":{