Compliance attributes

Contains finding details related to a control. Only returned for findings that are generated as the result of a check that is run on a control.

Example

"Compliance": {

"RelatedRequirements": ["Req1", "Req2"], "Status": "FAILED",

"StatusReasons": [ {

"ReasonCode": "CLOUDWATCH_ALARMS_NOT_PRESENT",

"Description": "CloudWatch alarms do not exist in the account"

} ] }

Compliance attributes

The Compliance object can have the following attributes.

RelatedRequirements Optional

For a Security Hub control, the industry or regulatory framework requirements that are related to the control. The check for that control is aligned with those requirements.

You can provide up to 32 related requirements.

ASFF attributes

To identify a requirement, use its identifier.

Type: Array of strings Status

Optional

The result of a security check.

Type: Enum Valid values:

• PASSED – Security check passed for all evaluated resources. If Compliance.Status is PASSED, then Security Hub automatically sets Workflow.Status to RESOLVED.

If Compliance.Status for a finding changes from PASSED to FAILED, WARNING, or

NOT_AVAILABLE, and Workflow.Status was either NOTIFIED or RESOLVED, then Security Hub automatically sets Workflow.Status to NEW.

• WARNING – Some information is missing, or this check is not supported given your configuration.

• FAILED – Security check failed for at least one evaluated resource.

• NOT_AVAILABLE – Check could not be performed due to a service outage or API error. The NOT_AVAILABLE status can also indicate that the result of the AWS Config evaluation was NOT_APPLICABLE. In that case, after 3 days, Security Hub automatically archives the finding.

Example

"Status": "PASSED"

StatusReasons (p. 172) Optional

For findings generated from controls, a list of reasons behind the value of Compliance.Status.

For the list of status codes and their meanings, see the section called “Generating and updating control findings” (p. 552).

Type: String Example:

"StatusReasons": [ {

"Description": "CloudWatch alarms do not exist in the account", "ReasonCode": "CW_ALARMS_NOT_PRESENT"

} ]

StatusReasons

For findings generated from controls, a list of reasons for the value of Compliance.Status.

"StatusReasons": [ {

"Description": "CloudWatch alarms do not exist in the account",

ASFF attributes

"ReasonCode": "CW_ALARMS_NOT_PRESENT"

} ]

Each reason in the StatusReasons object can have the following attributes.

Description Optional

The corresponding description for the reason.

Type: String ReasonCode

Required

A code that represents a reason for the current control status.

Type: String

For the list of available status codes and their meanings, see the section called “Generating and updating control findings” (p. 552).

FindingProviderFields

In a BatchImportFindings request, finding providers use FindingProviderFields to provide values for attributes that should only be updated by BatchUpdateFindings.

For details on how Security Hub handles updates from BatchImportFindings to

FindingProviderFields and to the corresponding top-level attributes, see the section called “Using FindingProviderFields” (p. 85).

Example

"FindingProviderFields": { "Confidence": 42, "Criticality": 99, "RelatedFindings":[

{

"ProductArn": "arn:aws:securityhub:us-west-2::product/aws/guardduty", "Id": "123e4567-e89b-12d3-a456-426655440000"

} ],

"Severity": {

"Label": "MEDIUM", "Original": "MEDIUM"

},

"Types": [ "Software and Configuration Checks/Vulnerabilities/CVE" ] }

FindingProviderFields can contain the following attributes.

Confidence Optional

A finding's confidence. Confidence is defined as the likelihood that a finding accurately identifies the behavior or issue that it was intended to identify.

ASFF attributes

Type: Integer (range 0–100)

Confidence is scored on a 0–100 basis using a ratio scale, where 0 means 0-percent confidence and 100 means 100-percent confidence.

Criticality Optional

The level of importance that is assigned to the resources that are associated with the finding. A score of 0 means that the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources.

Type: Integer Minimum value: 0 Maximum value: 100

Criticality is scored on a 0–100 basis, using a ratio scale that supports only full integers. A score of 0 means that the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources.

RelatedFindings (p. 188) Optional

A list of related findings.

Type: Array of RelatedFinding objects Maximum number of objects: 10 Severity

Required

Details about the severity of the finding.

Finding providers can use the Severity object in FindingProviderFields to provide values for Label and Original.

For details on the available values for Label and Original, and guidance on how to assess severity, see the information for the Severity object (p. 498).

Type: Object Types

Required

One or more finding types in the format of namespace/category/classifier that classify a finding.

Type: Array of strings

Maximum number of strings: 50

Malware

The Malware object provides a list of malware that is related to a finding. It is an array that can contain up to five malware objects.

Example

ASFF attributes

"Malware": [ {

"Name": "Stringler", "Type": "COIN_MINER",

"Path": "/usr/sbin/stringler", "State": "OBSERVED"

} ]

Each malware object can have the following attributes.

Name Required

The name of the malware that was observed.

Type: String

Maximum length: 64 Example

"Name": "Stringler"

Path Optional

The file path of the malware that was observed.

Type: String

Maximum length: 512 Example

"Path": "/usr/sbin/stringler"

State Optional

The state of the malware that was observed.

Type: Enum

Valid values: OBSERVED | REMOVAL_FAILED | REMOVED Example

"State": "OBSERVED"

Type Optional

The type of the malware that was observed.

ASFF attributes

Type: Enum

Valid values: ADWARE | BLENDED_THREAT | BOTNET_AGENT | COIN_MINER | EXPLOIT_KIT | KEYLOGGER | MACRO | POTENTIALLY_UNWANTED | SPYWARE | RANSOMWARE | REMOTE_ACCESS | ROOTKIT | TROJAN | VIRUS | WORM

Example

"Type": "COIN_MINER"

Network (Deprecated)

The details of network-related information about a finding.

This object is deprecated. To provide this data, you can either map it to a resource in Resources, or use the Action object.

Example

"Network": {

"Direction": "IN", "OpenPortRange": { "Begin": 443, "End": 443 },

"Protocol": "TCP", "SourceIpV4": "1.2.3.4",

"SourceIpV6": "FE80:CD00:0000:0CDE:1257:0000:211E:729C", "SourcePort": "42",

"SourceDomain": "example1.com", "SourceMac": "00:0d:83:b1:c0:8e", "DestinationIpV4": "2.3.4.5",

"DestinationIpV6": "FE80:CD00:0000:0CDE:1257:0000:211E:729C", "DestinationPort": "80",

"DestinationDomain": "example2.com"

}