automation_rules
Creates, updates, deletes or gets an automation_rule resource or lists automation_rules in a region
Overview
| Property | Value |
|---|---|
| Name | automation_rules |
| Type | Resource |
| Description | The ``AWS::SecurityHub::AutomationRule`` resource specifies an automation rule based on input parameters. For more information, see [Automation rules](https://docs.aws.amazon.com/securityhub/latest/userguide/automation-rules.html) in the *User Guide*. |
| Id | awscc.securityhub.automation_rules |
Fields
get (all properties)

| Name | Datatype | Description |
|---|---|---|
| rule_arn | string | |
| rule_status | string | Whether the rule is active after it is created. If this parameter is equal to ``ENABLED``, Security Hub applies the rule to findings and finding updates after the rule is created. |
| rule_order | integer | An integer ranging from 1 to 1000 that represents the order in which the rule action is applied to findings. Security Hub applies rules with lower values for this parameter first. |
| description | string | A description of the rule. |
| rule_name | string | The name of the rule. |
| created_at | string | The date and time the rule was created, in UTC and ISO 8601 format. |
| created_by | string | |
| is_terminal | boolean | Specifies whether a rule is the last to be applied with respect to a finding that matches the rule criteria. This is useful when a finding matches the criteria for multiple rules, and each rule has different actions. If a rule is terminal, Security Hub applies the rule action to a finding that matches the rule criteria and doesn't evaluate other rules for the finding. By default, a rule isn't terminal. |
| actions | array | One or more actions to update finding fields if a finding matches the conditions specified in ``Criteria``. |
| criteria | object | A set of [AWS Security Finding Format (ASFF)](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html) finding field attributes and corresponding expected values that Security Hub uses to filter findings. If a rule is enabled and a finding matches the criteria specified in this parameter, Security Hub applies the rule action to the finding. |
| tags | object | User-defined tags associated with an automation rule. |
| region | string | AWS region. |

list (identifiers only)

| Name | Datatype | Description |
|---|---|---|
| rule_arn | string | |
| region | string | AWS region. |
For more information, see AWS::SecurityHub::AutomationRule.
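The interaction between `rule_order`, `is_terminal` and `criteria` described in the table above, simulated in Python as an added example (not StackQL's or AWS's code). The rule names, account ids, findings and the simplified EQUALS/PREFIX matching are constructed assumptions; the point shown is that a terminal rule with a lower `rule_order` stops a later rule from ever acting on the same finding.

```python
"""Simulation of the documented automation-rule evaluation order (added example, not
StackQL or AWS code): rules run in ascending rule_order, an ENABLED rule fires when all
criteria keys match, a terminal rule stops evaluation, and each action's
finding_fields_update is merged into the finding. Matching is simplified to the ASFF
StringFilter comparisons EQUALS and PREFIX. Names, ids and findings are constructed."""
from copy import deepcopy

def string_filter_matches(actual, filters):
    """True if any {comparison, value} entry under one criteria key matches (OR within a key)."""
    for f in filters:
        if f["comparison"] == "EQUALS" and actual == f["value"]:
            return True
        if f["comparison"] == "PREFIX" and actual is not None and actual.startswith(f["value"]):
            return True
    return False

def finding_matches(finding, criteria):
    return all(string_filter_matches(finding.get(k), v) for k, v in criteria.items())

def apply_rules(finding, rules):
    """Return (updated finding, names of rules that fired) for one finding."""
    updated, fired = deepcopy(finding), []
    for rule in sorted(rules, key=lambda r: r["rule_order"]):
        if rule["rule_status"] != "ENABLED" or not finding_matches(finding, rule["criteria"]):
            continue
        fired.append(rule["rule_name"])
        for action in rule["actions"]:
            updated.update(action["finding_fields_update"])
        if rule["is_terminal"]:
            break  # documented behaviour: no other rules are evaluated for this finding
    return updated, fired

# Constructed rules: the terminal suppression rule sorts first, so a sandbox finding never reaches escalation.
RULES = [
    {"rule_name": "suppress-sandbox-account", "rule_order": 1, "rule_status": "ENABLED",
     "is_terminal": True,
     "criteria": {"aws_account_id": [{"comparison": "EQUALS", "value": "111111111111"}]},
     "actions": [{"finding_fields_update": {"workflow_status": "SUPPRESSED"}}]},
    {"rule_name": "escalate-public-s3", "rule_order": 5, "rule_status": "ENABLED",
     "is_terminal": False,
     "criteria": {"resource_type": [{"comparison": "EQUALS", "value": "AwsS3Bucket"}],
                  "title": [{"comparison": "PREFIX", "value": "S3 buckets should prohibit"}]},
     "actions": [{"finding_fields_update": {"severity_label": "CRITICAL"}}]},
]
# Constructed ASFF-style findings, identical apart from the account id.
_BASE = {"resource_type": "AwsS3Bucket", "severity_label": "HIGH", "workflow_status": "NEW",
         "title": "S3 buckets should prohibit public read access"}
FINDINGS = {"sandbox": {**_BASE, "aws_account_id": "111111111111"},
            "prod": {**_BASE, "aws_account_id": "222222222222"}}
```

Running `apply_rules` over both findings shows the sandbox finding suppressed at `HIGH` while only the production finding is escalated to `CRITICAL`; swapping the two `rule_order` values changes the outcome for the sandbox account.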
Methods
| Name | Resource | Accessible by | Required Params |
|---|---|---|---|
| create_resource | automation_rules | INSERT | RuleOrder, RuleName, Description, Criteria, Actions, region |
| delete_resource | automation_rules | DELETE | Identifier, region |
| update_resource | automation_rules | UPDATE | Identifier, PatchDocument, region |
| list_resources | automation_rules_list_only | SELECT | region |
| get_resource | automation_rules | SELECT | Identifier, region |
SELECT examples
get (all properties)

Gets all properties from an individual automation_rule.

```sql
SELECT
  region,
  rule_arn,
  rule_status,
  rule_order,
  description,
  rule_name,
  created_at,
  updated_at,
  created_by,
  is_terminal,
  actions,
  criteria,
  tags
FROM awscc.securityhub.automation_rules
WHERE
  region = 'us-east-1' AND
  Identifier = '{{ rule_arn }}';
```

list (identifiers only)

Lists all automation_rules in a region.

```sql
SELECT
  region,
  rule_arn
FROM awscc.securityhub.automation_rules_list_only
WHERE
  region = 'us-east-1';
```
INSERT example
Use the following StackQL query and manifest file to create a new automation_rule resource, using stack-deploy.
Required Properties

```sql
/*+ create */
INSERT INTO awscc.securityhub.automation_rules (
  RuleOrder,
  Description,
  RuleName,
  Actions,
  Criteria,
  region
)
SELECT
  '{{ rule_order }}',
  '{{ description }}',
  '{{ rule_name }}',
  '{{ actions }}',
  '{{ criteria }}',
  '{{ region }}';
```

All Properties

```sql
/*+ create */
INSERT INTO awscc.securityhub.automation_rules (
  RuleStatus,
  RuleOrder,
  Description,
  RuleName,
  IsTerminal,
  Actions,
  Criteria,
  Tags,
  region
)
SELECT
  '{{ rule_status }}',
  '{{ rule_order }}',
  '{{ description }}',
  '{{ rule_name }}',
  '{{ is_terminal }}',
  '{{ actions }}',
  '{{ criteria }}',
  '{{ tags }}',
  '{{ region }}';
```

Manifest

```yaml
version: 1
name: stack name
description: stack description
providers:
  - aws
globals:
  - name: region
    value: '{{ vars.AWS_REGION }}'
resources:
  - name: automation_rule
    props:
      - name: rule_status
        value: '{{ rule_status }}'
      - name: rule_order
        value: '{{ rule_order }}'
      - name: description
        value: '{{ description }}'
      - name: rule_name
        value: '{{ rule_name }}'
      - name: is_terminal
        value: '{{ is_terminal }}'
      - name: actions
        value:
          - type: '{{ type }}'
            finding_fields_update:
              types:
                - '{{ types[0] }}'
              severity:
                product: null
                label: '{{ label }}'
                normalized: '{{ normalized }}'
              confidence: null
              criticality: null
              user_defined_fields: {}
              verification_state: '{{ verification_state }}'
              related_findings:
                - product_arn: '{{ product_arn }}'
                  id: null
              note:
                text: '{{ text }}'
                updated_by: null
              workflow:
                status: '{{ status }}'
      - name: criteria
        value:
          product_arn:
            - comparison: '{{ comparison }}'
              value: '{{ value }}'
          aws_account_id:
            - null
          id:
            - null
          generator_id:
            - null
          type:
            - null
          first_observed_at:
            - date_range:
                unit: '{{ unit }}'
                value: null
              end: '{{ end }}'
              start: null
          last_observed_at:
            - null
          created_at:
            - null
          updated_at:
            - null
          confidence:
            - eq: null
              gte: null
              lte: null
          criticality:
            - null
          title:
            - null
          description:
            - null
          source_url:
            - null
          product_name:
            - null
          company_name:
            - null
          severity_label:
            - null
          resource_type:
            - null
          resource_id:
            - null
          resource_partition:
            - null
          resource_region:
            - null
          resource_tags:
            - comparison: '{{ comparison }}'
              key: null
              value: null
          resource_details_other:
            - null
          compliance_status:
            - null
          compliance_security_control_id:
            - null
          compliance_associated_standards_id:
            - null
          verification_state:
            - null
          workflow_status:
            - null
          record_state:
            - null
          related_findings_product_arn:
            - null
          related_findings_id:
            - null
          note_text:
            - null
          note_updated_at:
            - null
          note_updated_by:
            - null
          user_defined_fields:
            - null
      - name: tags
        value: {}
```
UPDATE example
Use the following StackQL query and manifest file to update an automation_rule resource, using stack-deploy.

```sql
/*+ update */
UPDATE awscc.securityhub.automation_rules
SET PatchDocument = string('{{ {
  "RuleStatus": rule_status,
  "RuleOrder": rule_order,
  "Description": description,
  "RuleName": rule_name,
  "IsTerminal": is_terminal,
  "Actions": actions,
  "Criteria": criteria,
  "Tags": tags
} | generate_patch_document }}')
WHERE
  region = '{{ region }}' AND
  Identifier = '{{ rule_arn }}';
```
DELETE example
```sql
/*+ delete */
DELETE FROM awscc.securityhub.automation_rules
WHERE
  Identifier = '{{ rule_arn }}' AND
  region = 'us-east-1';
```
Permissions
To operate on the automation_rules resource, the following permissions are required:
- Create: `securityhub:CreateAutomationRule`, `securityhub:TagResource`, `securityhub:ListTagsForResource`
- Read: `securityhub:ListAutomationRules`, `securityhub:BatchGetAutomationRules`, `securityhub:ListTagsForResource`
- Update: `securityhub:BatchUpdateAutomationRules`, `securityhub:TagResource`, `securityhub:UntagResource`, `securityhub:ListTagsForResource`
- Delete: `securityhub:BatchDeleteAutomationRules`, `securityhub:BatchGetAutomationRules`
- List: `securityhub:ListAutomationRules`, `securityhub:ListTagsForResource`