AWS Security Hub

Connecting AWS Security Hub logs to your Panther Console
Overview

Panther supports ingesting AWS Security Hub findings. You will use AWS EventBridge to forward security findings to Panther, where you can reference them in detections and search.
How to onboard AWS Security Hub findings to Panther

Follow Panther's instructions for creating an AWS SNS topic.
- In the Name field, enter something that makes it easy to identify e.g. panther-aws-security-hub.
- Copy the topic ARN value and store it in a secure location, as you will need it in the next steps.
  - Example ARN: arn:aws:sns:us-east-2:123456789012:panther-aws-security-hub
Step 2: Create Amazon EventBridge rule

Navigate to Amazon EventBrige > Buses > Rules.
Click Create Rule.
Enter following values for the fields:
- Name: panther-aws-security-hub
- Event bus: default
- Select Enable the rule on the selected event bus.
- Rule type: Rule with an event pattern
Click Next.
Enter the following values for the fields:
- Event source: AWS events or EventBridge partner events
- Creation method: Use pattern form
- Event pattern:
  - Event source: AWS services
  - AWS service: Security Hub
  - Event type: Security Hub Findings - Imported
Click Next.
Enter following values for the fields:
- Target types: AWS Service
- Select a target: SNS Topic
- Topic: Select the topic you created in Step 1, panther-aws-security-hub
Click Skip to review and create.
Click Create rule.
Stay logged in to the AWS console. You will navigate to the Panther Console for Step 3 and return to the AWS console for Step 4.
Step 3: Create an AWS Security Hub source in Panther

In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for "AWS Security Hub," then click its tile.
- In the slide-out panel, the Transport Mechanism dropdown in the upper-right corner will be pre-populated with the AWS SQS Queue option.
Click Start Setup.
Follow Panther's instructions for configuring an SQS Source.
- In the Allowed Source ARNs field, enter the ARN of the SNS topic you created in Step 1.
Click View Log Source.
Click SQS Queue ARN to copy the ARN of the SQS queue. Save it in a secure location, as you will need it in the next step.
Follow Panther's instructions to create an SNS subscription to an SQS queue.
- Select the topic you create in Step 1.
- In the Protocol field, enter Amazon SQS.
- In the Endpoint field, use the ARN of the SQS queue you created in Step 3.
Supported AWS Security Hub logs

AWS.SecurityFindingFormat

Learn more about the structure of a finding on the AWS Security Finding Format (ASFF) page.
schema: AWS.SecurityFindingFormat
description: AWS Security Hub consumes, aggregates, organizes, and prioritizes findings from AWS security services and from the third-party product integrations.Security Hub processes these findings using a standard findings format called the AWS Security Finding Format (ASFF), which eliminates the need for time-consuming data conversion efforts.Then it correlates ingested findings across products to prioritize the most important ones
referenceURL: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html
fields:
  - name: Action
    description: The Action object provides details about an action that affects or that was taken on a resource
    type: object
    fields:
      - name: ActionType
        description: ActionType field
        type: string
      - name: AwsApiCallAction
        description: AwsApiCallAction field
        type: object
        fields:
          - name: AffectedResources
            description: AffectedResources field
            type: json
          - name: Api
            description: API field
            type: string
          - name: CallerType
            description: CallerType field
            type: string
          - name: DomainDetails
            description: DomainDetails field
            type: object
            fields:
              - name: Domain
                description: Domain field
                type: string
          - name: FirstSeen
            description: FirstSeen field
            type: timestamp
            timeFormats:
              - rfc3339
          - name: LastSeen
            description: LastSeen field
            type: timestamp
            timeFormats:
              - rfc3339
          - name: RemoteIpDetails
            description: RemoteIpDetails field
            type: object
            fields:
              - name: City
                description: City field
                type: object
                fields:
                  - name: CityName
                    description: CityName field
                    type: string
              - name: Country
                description: Country field
                type: object
                fields:
                  - name: CountryCode
                    description: CountryCode field
                    type: string
                  - name: CountryName
                    description: CountryName field
                    type: string
              - name: GeoLocation
                description: GeoLocation field
                type: object
                fields:
                  - name: Lat
                    description: Lat field
                    type: float
                  - name: Lon
                    description: Lon field
                    type: float
              - name: IpAddressV4
                description: IpAddressV4 field
                type: string
                indicators:
                  - ip
              - name: Organization
                description: Organization field
                type: object
                fields:
                  - name: Asn
                    description: Asn field
                    type: string
                  - name: AsnOrg
                    description: AsnOrg field
                    type: string
                  - name: Isp
                    description: Isp field
                    type: string
                  - name: Org
                    description: Org field
                    type: string
          - name: ServiceName
            description: ServiceName field
            type: string
      - name: DnsRequestAction
        description: DnsRequestAction field
        type: object
        fields:
          - name: Blocked
            description: Blocked field
            type: boolean
          - name: Domain
            description: Domain field
            type: string
          - name: Protocol
            description: Protocol field
            type: string
      - name: NetworkConnectionAction
        description: NetworkConnectionAction field
        type: object
        fields:
          - name: Blocked
            description: Blocked field
            type: boolean
          - name: ConnectionDirection
            description: ConnectionDirection field
            type: string
          - name: LocalPortDetails
            description: LocalPortDetails field
            type: object
            fields:
              - name: Port
                description: Port field
                type: bigint
              - name: PortName
                description: PortName field
                type: string
          - name: Protocol
            description: Protocol field
            type: string
          - name: RemoteIpDetails
            description: RemoteIpDetails field
            type: object
            fields:
              - name: City
                description: City field
                type: object
                fields:
                  - name: CityName
                    description: CityName field
                    type: string
              - name: Country
                description: Country field
                type: object
                fields:
                  - name: CountryCode
                    description: CountryCode field
                    type: string
                  - name: CountryName
                    description: CountryName field
                    type: string
              - name: GeoLocation
                description: GeoLocation field
                type: object
                fields:
                  - name: Lat
                    description: Lat field
                    type: float
                  - name: Lon
                    description: Lon field
                    type: float
              - name: IpAddressV4
                description: IpAddressV4 field
                type: string
                indicators:
                  - ip
              - name: Organization
                description: Organization field
                type: object
                fields:
                  - name: Asn
                    description: Asn field
                    type: string
                  - name: AsnOrg
                    description: AsnOrg field
                    type: string
                  - name: Isp
                    description: Isp field
                    type: string
                  - name: Org
                    description: Org field
                    type: string
          - name: RemotePortDetails
            description: RemotePortDetails field
            type: object
            fields:
              - name: Port
                description: Port field
                type: bigint
              - name: PortName
                description: PortName field
                type: string
      - name: PortProbeAction
        description: PortProbeAction field
        type: object
        fields:
          - name: Blocked
            description: Blocked field
            type: boolean
          - name: PortProbeDetails
            description: PortProbeDetails field
            type: array
            element:
              type: object
              fields:
                - name: LocalIpDetails
                  description: LocalIpDetails field
                  type: object
                  fields:
                    - name: IpAddressV4
                      description: IpAddressV4 field
                      type: string
                      indicators:
                        - ip
                - name: LocalPortDetails
                  description: LocalPortDetails field
                  type: object
                  fields:
                    - name: PortName
                      description: PortName field
                      type: string
                    - name: Port
                      description: Port field
                      type: bigint
                - name: RemoteIpDetails
                  description: RemoteIpDetails field
                  type: object
                  fields:
                    - name: City
                      description: City field
                      type: object
                      fields:
                        - name: CityName
                          description: CityName field
                          type: string
                    - name: Country
                      description: Country field
                      type: object
                      fields:
                        - name: CountryCode
                          description: CountryCode field
                          type: string
                        - name: CountryName
                          description: CountryName field
                          type: string
                    - name: GeoLocation
                      description: GeoLocation field
                      type: object
                      fields:
                        - name: Lat
                          description: Lat field
                          type: float
                        - name: Lon
                          description: Lon field
                          type: float
                    - name: IpAddressV4
                      description: IpAddressV4 field
                      type: string
                      indicators:
                        - ip
                    - name: Organization
                      description: Organization field
                      type: object
                      fields:
                        - name: Asn
                          description: Asn field
                          type: string
                        - name: AsnOrg
                          description: AsnOrg field
                          type: string
                        - name: Isp
                          description: Isp field
                          type: string
                        - name: Org
                          description: Org field
                          type: string
  - name: AwsAccountId
    description: The AWS account ID that the finding applies to
    type: string
    indicators:
      - aws_account_id
  - name: CompanyName
    description: The name of the company for the product that generated the finding. For control-based findings, the company is AWS
    type: string
  - name: Compliance
    description: The Compliance object provides finding details related to a control. This attribute is returned for findings generated from a Security Hub control and for findings that AWS Config sends to Security Hub
    type: object
    fields:
      - name: AssociatedStandards
        description: AssociatedStandards field
        type: array
        element:
          type: object
          fields:
            - name: StandardsId
              description: StandardsId field
              type: string
      - name: RelatedRequirements
        description: RelatedRequirements field
        type: array
        element:
          type: string
      - name: SecurityControlId
        description: SecurityControlId field
        type: string
      - name: Status
        description: Status field
        type: string
      - name: StatusReasons
        description: StatusReasons field
        type: array
        element:
          type: object
          fields:
            - name: Description
              description: Description field
              type: string
            - name: ReasonCode
              description: ReasonCode field
              type: string
  - name: Confidence
    description: The likelihood that a finding accurately identifies the behavior or issue that it was intended to identify. Confidence is scored on a 0–100 basis using a ratio scale. 0 means 0 percent confidence, and 100 means 100 percent confidence. For example, a data exfiltration detection based on a statistical deviation of network traffic has low confidence because an actual exfiltration hasn't been verified
    type: bigint
  - name: LastObservedAt
    description: Indicates when the potential security issue that was captured by a finding was most recently observed by the security findings product. This timestamp reflects the time when the event or vulnerability was last or most recently observed. Consequently, it can differ from the UpdatedAt timestamp, which reflects when this finding record was last or most recently updated
    type: timestamp
    timeFormats:
      - rfc3339
    isEventTime: true
  - name: CreatedAt
    required: true
    description: Indicates when the potential security issue captured by a finding was created
    type: timestamp
    timeFormats:
      - rfc3339
    isEventTime: true
  - name: ProcessedAt
    description: Indicates when the finding record was created or last updated. This value is typically the same as the value for the CreatedAt timestamp on the finding
    type: string
    timeFormats:
      - rfc3339
  - name: Criticality
    description: The level of importance that is assigned to the resources that are associated with a finding.
    type: bigint
  - name: Description
    required: true
    description: A finding's description. This field can be nonspecific boilerplate text or details that are specific to the instance of the finding.
    type: string
  - name: FindingProviderFields
    description: The FindingProviderFields object contains information about the provider of the finding
    type: object
    fields:
      - name: ConfidenceLevel
        description: ConfidenceLevel field
        type: bigint
      - name: Criticality
        description: Criticality field
        type: bigint
      - name: RelatedFindings
        description: RelatedFindings field
        type: array
        element:
          type: object
          fields:
            - name: ProductArn
              description: ProductArn field
              type: string
              indicators:
                - aws_arn
            - name: Id
              description: ID field
              type: string
      - name: Severity
        description: Severity field
        type: object
        fields:
          - name: Label
            description: Label field
            type: string
          - name: Normalized
            description: Normalized field
            type: bigint
          - name: Original
            description: Original field
            type: string
      - name: Types
        description: Types field
        type: array
        element:
          type: string
  - name: FirstObservedAt
    description: Indicates when the potential security issue captured by a finding was first observed. This timestamp reflects the time of when the event or vulnerability was first observed. Consequently, it can differ from the CreatedAt timestamp, which reflects the time this finding record was created.
    type: timestamp
    timeFormats:
      - rfc3339
  - name: GeneratorId
    required: true
    description: The identifier for the solution-specific component (a discrete unit of logic) that generated a finding
    type: string
  - name: Id
    required: true
    description: The product-specific identifier for a finding. For control findings that Security Hub generates, this field provides the Amazon Resource Name (ARN) of the finding
    type: string
    indicators:
      - aws_arn
  - name: Malware
    description: The Malware object provides a list of malware related to a finding
    type: array
    element:
      type: object
      fields:
        - name: Name
          description: Name field
          type: string
        - name: Path
          description: Path field
          type: string
        - name: State
          description: State field
          type: string
        - name: Type
          description: Type field
          type: string
  - name: Network
    description: The Network object provides network-related information about a finding. This object is retired
    type: object
    fields:
      - name: DestinationDomain
        description: DestinationDomain field
        type: string
        indicators:
          - domain
      - name: DestinationIpV4
        description: DestinationIpV4 field
        type: string
        indicators:
          - ip
      - name: DestinationIpV6
        description: DestinationIpV6 field
        type: string
        indicators:
          - ip
      - name: DestinationPort
        description: DestinationPort field
        type: bigint
      - name: Direction
        description: Direction field
        type: string
      - name: OpenPortRange
        description: OpenPortRange field
        type: object
        fields:
          - name: Begin
            description: Begin field
            type: bigint
          - name: End
            description: End field
            type: bigint
      - name: Protocol
        description: Protocol field
        type: string
      - name: SourceDomain
        description: SourceDomain field
        type: string
        indicators:
          - domain
      - name: SourceIpV4
        description: SourceIpV4 field
        type: string
        indicators:
          - ip
      - name: SourceIpV6
        description: SourceIpV6 field
        type: string
        indicators:
          - ip
      - name: SourceMac
        description: SourceMac field
        type: string
        indicators:
          - mac
      - name: SourcePort
        description: SourcePort field
        type: bigint
  - name: NetworkPath
    description: The NetworkPath object provides information about a network path that is related to a finding. Each entry in NetworkPath represents a component of the path
    type: array
    element:
      type: object
      fields:
        - name: ComponentId
          description: ComponentId field
          type: string
        - name: ComponentType
          description: ComponentType field
          type: string
        - name: Egress
          description: Egress field
          type: object
          fields:
            - name: Protocol
              description: Protocol field
              type: string
            - name: Destination
              description: Destination field
              type: object
              fields:
                - name: Address
                  description: Address field
                  type: array
                  element:
                    type: string
                    indicators:
                      - ip
                - name: PortRanges
                  description: PortRanges field
                  type: array
                  element:
                    type: object
                    fields:
                      - name: Begin
                        description: Begin field
                        type: bigint
                      - name: End
                        description: End field
                        type: bigint
            - name: Source
              description: Source field
              type: object
              fields:
                - name: Address
                  description: Address field
                  type: array
                  element:
                    type: string
                    indicators:
                      - ip
                - name: PortRanges
                  description: PortRanges field
                  type: array
                  element:
                    type: object
                    fields:
                      - name: Begin
                        description: Begin field
                        type: bigint
                      - name: End
                        description: End field
                        type: bigint
        - name: Ingress
          description: Ingress field
          type: object
          fields:
            - name: Protocol
              description: Protocol field
              type: string
            - name: Destination
              description: Destination field
              type: object
              fields:
                - name: Address
                  description: Address field
                  type: array
                  element:
                    type: string
                    indicators:
                      - ip
                - name: PortRanges
                  description: PortRanges field
                  type: array
                  element:
                    type: object
                    fields:
                      - name: Begin
                        description: Begin field
                        type: bigint
                      - name: End
                        description: End field
                        type: bigint
            - name: Source
              description: Source field
              type: object
              fields:
                - name: Address
                  description: Address field
                  type: array
                  element:
                    type: string
                    indicators:
                      - ip
                - name: PortRanges
                  description: PortRanges field
                  type: array
                  element:
                    type: object
                    fields:
                      - name: Begin
                        description: Begin field
                        type: bigint
                      - name: End
                        description: End field
                        type: bigint
  - name: Note
    description: The Note object specifies a user-defined note that you can add to a finding
    type: object
    fields:
      - name: Text
        description: Text field
        type: string
      - name: UpdatedAt
        description: UpdatedAt field
        type: timestamp
        timeFormats:
          - rfc3339
      - name: UpdatedBy
        description: UpdatedBy field
        type: string
        indicators:
          - username
  - name: PatchSummary
    description: The PatchSummary object provides a summary of the patch compliance status for an instance against a selected compliance standard
    type: object
    fields:
      - name: FailedCount
        description: FailedCount field
        type: bigint
      - name: Id
        description: ID field
        type: string
      - name: InstalledCount
        description: InstalledCount field
        type: bigint
      - name: InstalledOtherCount
        description: InstalledOtherCount field
        type: bigint
      - name: InstalledPendingReboot
        description: InstalledPendingReboot field
        type: bigint
      - name: InstalledRejectedCount
        description: InstalledRejectedCount field
        type: bigint
      - name: MissingCount
        description: MissingCount field
        type: bigint
      - name: Operation
        description: Operation field
        type: string
      - name: OperationEndTime
        description: OperationEndTime field
        type: timestamp
        timeFormats:
          - rfc3339
      - name: OperationStartTime
        description: OperationStartTime field
        type: timestamp
        timeFormats:
          - rfc3339
      - name: RebootOption
        description: RebootOption field
        type: string
  - name: Process
    description: The Process object provides process-related details about a finding
    type: object
    fields:
      - name: LaunchedAt
        description: LaunchedAt field
        type: timestamp
        timeFormats:
          - rfc3339
      - name: Name
        description: Name field
        type: string
      - name: ParentPid
        description: ParentPid field
        type: bigint
      - name: Path
        description: Path field
        type: string
      - name: Pid
        description: Pid field
        type: bigint
      - name: TerminatedAt
        description: TerminatedAt field
        type: timestamp
        timeFormats:
          - rfc3339
  - name: ProductArn
    required: true
    description: The Amazon Resource Name (ARN) generated by Security Hub that uniquely identifies a third-party findings product after the product is registered with Security Hub
    type: string
    indicators:
      - aws_arn
  - name: ProductFields
    description: A data type where security findings products can include additional solution-specific details that are not part of the defined AWS Security Finding Format. For findings generated by Security Hub controls, ProductFields includes information about the control.
    type: json
  - name: ProductName
    description: Provides the name of the product that generated the finding. For control-based findings, the product name is Security Hub
    type: string
  - name: RecordState
    description: Provides the record state of a finding. By default, when initially generated by a service, findings are considered ACTIVE. The ARCHIVED state indicates that a finding should be hidden from view. Archived findings are not immediately deleted. You can search, review, and report on them. Security Hub automatically archives control-based findings if the associated resource is deleted, the resource does not exist, or the control is disabled.
    type: string
  - name: Region
    description: Specifies the AWS Region from which the finding was generated
    type: string
  - name: RelatedFindings
    description: Provides a list of findings that are related to the current finding
    type: array
    element:
      type: object
      fields:
        - name: Id
          description: ID field
          type: string
        - name: ProductArn
          description: ProductArn field
          type: string
          indicators:
            - aws_arn
  - name: Remediation
    description: The Remediation object provides information about recommended remediation steps to address the finding
    type: object
    fields:
      - name: Recommendation
        description: Recommendation field
        type: object
        fields:
          - name: Text
            description: Text field
            type: string
          - name: Url
            description: Url field
            type: string
            indicators:
              - url
  - name: Resources
    required: true
    description: The Resources object provides a set of resource data types that describe the AWS resources that the finding refers to
    type: array
    element:
      type: json
  - name: SchemaVersion
    required: true
    description: The schema version that a finding is formatted for
    type: string
  - name: Severity
    description: The Severity object provides CVSS-based severity information about a finding
    type: object
    fields:
      - name: Label
        description: Label field
        type: string
      - name: Normalized
        description: Normalized field
        type: bigint
      - name: Original
        description: Original field
        type: string
  - name: Sample
    description: Indicates whether the finding is a sample finding. A sample finding is a finding that uses example data to demonstrate what a finding might contain
    type: boolean
  - name: SourceUrl
    description: Provides an HTTP URL that links to a page about the current finding in the security findings provider's solution
    type: string
    indicators:
      - url
  - name: Threats
    description: The Threats object provides details about the threat detected by a finding
    type: array
    element:
      type: object
      fields:
        - name: FilePaths
          description: FilePaths field
          type: array
          element:
            type: object
            fields:
              - name: FileName
                description: FileName field
                type: string
              - name: FilePath
                description: FilePath field
                type: string
              - name: Hash
                description: Hash field
                type: string
                indicators:
                  - md5
                  - sha1
                  - sha256
              - name: ResourceId
                description: ResourceId field
                type: string
                indicators:
                  - aws_arn
        - name: ItemCount
          description: ItemCount field
          type: bigint
        - name: Name
          description: Name field
          type: string
        - name: Severity
          description: Severity field
          type: string
  - name: ThreatIntelIndicators
    description: The ThreatIntelIndicator object provides threat intelligence details that are related to a finding
    type: array
    element:
      type: object
      fields:
        - name: Category
          description: Category field
          type: string
        - name: LastObservedAt
          description: LastObservedAt field
          type: timestamp
          timeFormats:
            - rfc3339
        - name: Source
          description: Source field
          type: string
        - name: SourceUrl
          description: SourceUrl field
          type: string
          indicators:
            - url
        - name: Type
          description: Type field
          type: string
        - name: Value
          description: Value field
          type: string
  - name: Title
    description: A finding's title. This field can be nonspecific boilerplate text or the actual title of the security issue or vulnerability
    type: string
  - name: Types
    description: One or more finding types in the format of namespace/category/classifier that classify a finding
    type: array
    element:
      type: string
  - name: UpdatedAt
    description: Indicates when the finding record was updated. This value is typically the same as the value for the ProcessedAt timestamp on the finding
    type: timestamp
    timeFormats:
      - rfc3339
  - name: UserDefinedFields
    description: A data type where security findings providers can include additional solution-specific details that are not part of the defined AWS Security Finding Format
    type: json
  - name: VerificationState
    description: 'Indicates the veracity of a finding. The available values for VerificationState are as follows: TRUE—The finding has been verified as accurate FALSE—The finding has been proven to be inaccurate or remediated UNKNOWN—The finding cannot be verified'
    type: string
  - name: Vulnerabilities
    description: Vulnerabilities field
    type: array
    element:
      type: object
      fields:
        - name: CodeVulnerabilities
          description: CodeVulnerabilities field
          type: array
          element:
            type: object
            fields:
              - name: Cwes
                description: Cwes field
                type: array
                element:
                  type: string
              - name: FilePath
                description: FilePath field
                type: object
                fields:
                  - name: EndLine
                    description: EndLine field
                    type: bigint
                  - name: FileName
                    description: FileName field
                    type: string
                  - name: FilePath
                    description: FilePath field
                    type: string
                  - name: StartLine
                    description: StartLine field
                    type: bigint
        - name: Cvss
          description: Cvss field
          type: array
          element:
            type: object
            fields:
              - name: BaseScore
                description: BaseScore field
                type: float
              - name: BaseVector
                description: BaseVector field
                type: string
              - name: Source
                description: Source field
                type: string
              - name: Version
                description: Version field
                type: string
        - name: EpssScore
          description: EpssScore field
          type: float
        - name: ExploitAvailable
          description: ExploitAvailable field
          type: string
        - name: FixAvailable
          description: FixAvailable field
          type: string
        - name: Id
          description: Id field
          type: string
        - name: ReferenceUrls
          description: ReferenceUrls field
          type: array
          element:
            type: string
            indicators:
              - url
        - name: RelatedVulnerabilities
          description: RelatedVulnerabilities field
          type: array
          element:
            type: string
        - name: Vendor
          description: Vendor field
          type: object
          fields:
            - name: Name
              description: Name field
              type: string
            - name: Url
              description: Url field
              type: string
              indicators:
                - url
            - name: VendorCreatedAt
              description: VendorCreatedAt field
              type: timestamp
              timeFormats:
                - rfc3339
            - name: VendorSeverity
              description: VendorSeverity field
              type: string
            - name: VendorUpdatedAt
              description: VendorUpdatedAt field
              type: timestamp
              timeFormats:
                - rfc3339
        - name: VulnerablePackages
          description: VulnerablePackages field
          type: array
          element:
            type: object
            fields:
              - name: Architecture
                description: Architecture field
                type: string
              - name: Epoch
                description: Epoch field
                type: string
              - name: FilePath
                description: FilePath field
                type: string
              - name: FixedInVersion
                description: FixedInVersion field
                type: string
              - name: Name
                description: Name field
                type: string
              - name: PackageManager
                description: PackageManager field
                type: string
              - name: Release
                description: Release field
                type: string
              - name: Remediation
                description: Remediation field
                type: string
              - name: SourceLayerArn
                description: SourceLayerArn field
                type: string
                indicators:
                  - aws_arn
              - name: SourceLayerHash
                description: SourceLayerHash field
                type: string
                indicators:
                  - md5
                  - sha1
                  - sha256
              - name: Version
                description: Version field
                type: string
  - name: Workflow
    description: Provides information about the status of the investigation into a finding
    type: object
    fields:
      - name: Status
        description: Status field
        type: string
  - name: WorkflowState
    description: The workflow state of a finding. This field is only provided for findings that are generated by a Security Hub control. It is not provided for findings that are imported manually
    type: string
PreviousAWS GuardDuty NextAmazon Security Lake
Last updated 6 months ago
Was this helpful?