                        "Begin": 443,
                        "End": 443
                    }
                ]
            },
            "Protocol": "TCP",
            "Source": {
                "Address": ["203.0.113.0/24"]
            }
        },
        "Ingress": {
            "Destination": {
                "Address": ["198.51.100.0/24"],
                "PortRanges": [
                    { "Begin": 443, "End": 443 }
                ]
            },
            "Protocol": "TCP",
            "Source": {
                "Address": ["203.0.113.0/24"]
            }
        }
    }
]
NetworkPath attributes
Each component of the network path can have the following attributes.
ComponentId
Required
The identifier of a component in the network path.
Type: String
ComponentType
Required
The type of component.
Type: String
Egress (p. 181)
Optional
Information about the component that comes after the current component in the network path.
Type: Object
Ingress (p. 181)
Optional
Information about the component that comes before the current component in the network path.
Type: Object
ASFF attributes
Egress
The Egress object contains information about the component that comes after the current component in the network path. It can have the following attributes.
Destination (p. 181)
Optional
Information about the destination of the component.
Type: Object
Protocol
Optional
The protocol used for the component.
Type: String
Source (p. 182)
Optional
Information about the origin of the component.
Type: Object
Ingress
The Ingress object contains information about the previous component in the network path. It can have the following attributes.
Destination (p. 181)
Optional
Information about the destination for the previous component.
Type: Object
Protocol
Optional
The protocol used by the previous component.
Type: String
Source (p. 182)
Optional
Information about the origin of the previous component.
Type: Object
Destination
The Destination object in Egress or Ingress contains the destination information for the previous or next component. It can have the following attributes.
Address
Optional
IP addresses of the previous or next component.
Type: Array of strings
PortRanges
Optional
List of open port ranges for the destination of the previous or next component.
Type: Array of objects
PortRanges.Begin
Optional
For an open port range, the beginning of the range.
Type: Integer
PortRanges.End
Optional
For an open port range, the end of the range.
Type: Number
Source
The Source object under Egress or Ingress contains information about the origin of the previous or next component. It can have the following attributes.
Address
Optional
IP addresses for the origin of the previous or next component.
Type: Array of strings
PortRanges
Optional
List of open port ranges for the origin of the previous or next component.
Type: Array of objects
PortRanges.Begin
Optional
For an open port range, the beginning of the range.
Type: Integer
PortRanges.End
Optional
For an open port range, the end of the range.
Type: Number
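The following is an added example, not part of the AWS documentation. It shows one way to walk the NetworkPath structure described above and list components where a source outside a trusted set of networks has a watched port open at the destination. The function name, its trusted and ports parameters, the treatment of a missing Begin or End, and the sample component are assumptions made for the illustration.

```python
import ipaddress

def exposed_hops(network_path, trusted, ports):
    """Return (ComponentId, direction, source, port) tuples for every hop where a
    source outside the trusted networks has a watched port open at the destination."""
    trusted = [ipaddress.ip_network(t) for t in trusted]
    hits = []
    for comp in network_path:
        for direction in ("Ingress", "Egress"):
            hop = comp.get(direction) or {}  # Egress and Ingress are both optional
            sources = (hop.get("Source") or {}).get("Address") or []
            ranges = (hop.get("Destination") or {}).get("PortRanges") or []
            for src in sources:
                net = ipaddress.ip_network(src, strict=False)
                if any(net.version == t.version and net.subnet_of(t) for t in trusted):
                    continue
                # Assumption: a missing Begin or End leaves that side of the range open.
                hits += [(comp["ComponentId"], direction, src, p) for p in ports
                         if any(r.get("Begin", 0) <= p <= r.get("End", 65535)
                                for r in ranges)]
    return hits

# Constructed sample: one component that reuses the addresses and port from the
# example above; the ComponentId and ComponentType values are placeholders.
SAMPLE_PATH = [{
    "ComponentId": "example-component-1",
    "ComponentType": "ExampleType",
    "Ingress": {
        "Destination": {"Address": ["198.51.100.0/24"],
                        "PortRanges": [{"Begin": 443, "End": 443}]},
        "Protocol": "TCP",
        "Source": {"Address": ["203.0.113.0/24"]},
    },
}]

if __name__ == "__main__":
    for hit in exposed_hops(SAMPLE_PATH, trusted=["198.51.100.0/24"], ports=[22, 443]):
        print(hit)
```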
Note
The Note object adds a user-defined note to the finding.
A finding provider can provide an initial note for a finding but cannot add notes after that. A note can only be updated using BatchUpdateFindings.
Example
"Note": {
    "Text": "Don't forget to check under the mat.",
    "UpdatedBy": "jsmith",
    "UpdatedAt": "2018-08-31T00:15:09Z"
}
The Note object can have the following attributes.
Text
Required
The text of a finding note.
Type: String
Maximum length: 512
Example
"Text": "Example text."
UpdatedAt
Required
Indicates when the note was updated.
Type: String
Format: Uses the date-time format specified in RFC 3339 section 5.6, Internet Date/Time Format.
The value cannot contain spaces.
Example
"UpdatedAt": "2018-08-31T00:15:09Z"
UpdatedBy
Required
The principal that created a note.
Type: String or ARN
Maximum length: 512
Example
"UpdatedBy": "jsmith"
PatchSummary
The PatchSummary object provides an overview of the patch compliance status for an instance against a selected compliance standard.
Example
"PatchSummary": {
    "Id": "pb-123456789098",
    "InstalledCount": 100,
    "MissingCount": 100,
    "FailedCount": 0,
    "InstalledOtherCount": 1023,
    "InstalledRejectedCount": 0,
    "InstalledPendingReboot": 0,
    "OperationStartTime": "2018-09-27T23:37:31Z",
    "OperationEndTime": "2018-09-27T23:39:31Z",
    "RebootOption": "RebootIfNeeded",
    "Operation": "Install"
}
The PatchSummary object can have the following attributes.
FailedCount
Optional
The number of patches from the compliance standard with installation failures.
Type: Number
Minimum value: 0
Maximum value: 100,000
Id
Required
The identifier of the compliance standard that was used to determine the patch compliance status.
Type: String
Minimum length: 20
Maximum length: 128
InstalledCount
Optional
The number of patches from the compliance standard that were installed successfully.
Type: Number
Minimum value: 0
Maximum value: 100,000
InstalledOtherCount
Optional
The number of installed patches that are not part of the compliance standard.
Type: Number
Minimum value: 0
Maximum value: 100,000
InstalledPendingReboot
Optional
The number of patches that were applied but that require the instance to be rebooted in order to be marked as installed.
Type: Number
Minimum value: 0
Maximum value: 100,000
InstalledRejectedCount
Optional
The number of patches that are installed but are also on a list of patches that the customer rejected.
Type: Number
Minimum value: 0
Maximum value: 100,000
MissingCount
Optional
The number of patches that are part of the compliance standard but are not installed. The count includes patches with installation failures.
Type: Number
Minimum value: 0
Maximum value: 100,000
Operation
Optional
The type of patch operation that was performed.
For Patch Manager, the values are SCAN and INSTALL.
Type: String
Maximum length: 256
OperationEndTime
Optional
Indicates when the operation was completed.
Type: String
Format: Uses the date-time format specified in RFC 3339 section 5.6, Internet Date/Time Format.
The value cannot contain spaces.
Example
"OperationEndTime": "2020-06-22T17:40:12.322Z"
OperationStartTime
Optional
Indicates when the operation started.
Type: String
Format: Uses the date-time format specified in RFC 3339 section 5.6, Internet Date/Time Format.
The value cannot contain spaces.
Example
"OperationStartTime": "2020-06-22T17:40:12.322Z"
RebootOption
Optional
The reboot option specified for the instance.
Type: String
Maximum length: 256
Valid values: NoReboot | RebootIfNeeded.
Process
The Process object provides process-related details about the finding.
Example
"Process": {
    "Name": "syslogd",
    "Path": "/usr/sbin/syslogd",
    "Pid": 12345,
    "ParentPid": 56789,
    "LaunchedAt": "2018-09-27T22:37:31Z",
    "TerminatedAt": "2018-09-27T23:37:31Z"
}
The Process object can have the following attributes.
LaunchedAt
Optional
Indicates when the process was launched.
Type: String
Format: Uses the date-time format specified in RFC 3339 section 5.6, Internet Date/Time Format.
The value cannot contain spaces.
Example
"LaunchedAt": "2018-09-27T22:37:31Z"
Name
Optional
The name of the process.
Type: String
Maximum length: 64
Example
"Name": "syslogd"
ParentPid
Optional
The parent process ID.
Type: Number
Example
"ParentPid": 56789
Path
Optional
The path to the process executable.
Type: String
Maximum length: 512
Example
"Path": "/usr/sbin/syslogd"
Pid
Optional
The process ID.
Type: Number
Example
"Pid": 12345
TerminatedAt
Optional
Indicates when the process was terminated.
Type: String
Format: Uses the date-time format specified in RFC 3339 section 5.6, Internet Date/Time Format.
The value cannot contain spaces.
Example
"TerminatedAt": "2018-09-27T23:37:31Z"
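The following is an added example, not part of the AWS documentation. It turns the constraints listed above for the Note, PatchSummary and Process objects into a validator that a finding provider could run before sending a BatchImportFindings request. RULES, REQUIRED, check and validate are names made up here, the sample input is constructed, and two choices are assumptions: Number is checked as an integer, and attributes the page does not list are reported.

```python
import re
from datetime import datetime
# RFC 3339 section 5.6 shape; nothing in the pattern matches a space.
RFC3339 = re.compile(r"(\d{4})-(\d\d)-(\d\d)T(\d\d):(\d\d):(\d\d)(?:\.\d+)?(?:Z|[+-]\d\d:\d\d)")
COUNT, TS, REBOOT = ("num", 0, 100_000), ("ts",), ("enum", {"NoReboot", "RebootIfNeeded"})
RULES = {  # (kind, low, high) per attribute, copied from this page's attribute lists
    "Note": {"Text": ("str", 0, 512), "UpdatedAt": TS, "UpdatedBy": ("str", 0, 512)},
    "PatchSummary": {"Id": ("str", 20, 128), "FailedCount": COUNT, "InstalledCount": COUNT,
                     "InstalledOtherCount": COUNT, "InstalledPendingReboot": COUNT,
                     "InstalledRejectedCount": COUNT, "MissingCount": COUNT,
                     "Operation": ("str", 0, 256), "OperationStartTime": TS,
                     "OperationEndTime": TS, "RebootOption": REBOOT},
    "Process": {"Name": ("str", 0, 64), "Path": ("str", 0, 512), "Pid": ("num",),
                "ParentPid": ("num",), "LaunchedAt": TS, "TerminatedAt": TS},
}
REQUIRED = {"Note": set(RULES["Note"]), "PatchSummary": {"Id"}, "Process": set()}

def check(value, kind, lo=None, hi=None):
    """Return a problem description for one value, or None if it conforms."""
    if kind == "str" and not (isinstance(value, str) and lo <= len(value) <= hi):
        return f"must be a string of {lo} to {hi} characters"
    if kind == "num":  # bool is an int subclass, but JSON true/false is not a Number
        if isinstance(value, bool) or not isinstance(value, int):
            return "must be a number, not " + type(value).__name__
        if lo is not None and not lo <= value <= hi:
            return f"must be between {lo} and {hi}"
    if kind == "ts":
        m = RFC3339.fullmatch(value) if isinstance(value, str) else None
        try:
            datetime(*map(int, m.groups()))  # also rejects month 13, hour 25, ...
        except (AttributeError, ValueError):
            return "must be an RFC 3339 date-time without spaces"
    if kind == "enum" and not (isinstance(value, str) and value in lo):
        return "must be one of " + ", ".join(sorted(lo))

def validate(name, obj):
    """Return sorted 'Attribute: problem' strings for one ASFF sub-object."""
    errors = [f"{a}: required" for a in REQUIRED[name] - set(obj)]
    for attr, value in obj.items():
        rule = RULES[name].get(attr)
        problem = check(value, *rule) if rule else "unknown attribute"
        errors += [f"{attr}: {problem}"] if problem else []
    return sorted(errors)

# Constructed sample: a PatchSummary with four deliberate violations.
SAMPLE = {"Id": "pb-too-short", "MissingCount": "100", "FailedCount": 0,
          "OperationEndTime": "2018-09-27 23:39:31Z", "RebootOption": "Always"}
if __name__ == "__main__":
    print("\n".join(validate("PatchSummary", SAMPLE)))
```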
RelatedFindings
The RelatedFindings object provides a list of findings that are related to the current finding.
For BatchImportFindings requests, finding providers should use the RelatedFindings object under FindingProviderFields (p. 173).
Example
"RelatedFindings": [
{ "ProductArn": "arn:aws:securityhub:us-west-2::product/aws/guardduty", "Id": "123e4567-e89b-12d3-a456-426655440000" },
{ "ProductArn": "arn:aws:securityhub:us-west-2::product/aws/guardduty", "Id": "AcmeNerfHerder-111111111111-x189dx7824" }
]
Each related finding object can have the following attributes.
Id
Required
The product-generated identifier for a related finding.
Type: String or ARN
Maximum length: 512
Example
"Id": "123e4567-e89b-12d3-a456-426655440000"
ProductArn
Required
The ARN of the product that generated a related finding.
Type: ARN
Example
"ProductArn": "arn:aws:securityhub:us-west-2::product/aws/guardduty"