automation_rules

Creates, updates, deletes or gets an automation_rule resource or lists automation_rules in a region

Overview

Name	`automation_rules`
Type	Resource
Description	The `AWS::SecurityHub::AutomationRule` resource specifies an automation rule based on input parameters. For more information, see [Automation rules](https://docs.aws.amazon.com/securityhub/latest/userguide/automation-rules.html) in the User Guide.
Id	`aws.securityhub.automation_rules`

Fields

Name	Datatype	Description
`rule_arn`	`string`
`rule_status`	`string`	Whether the rule is active after it is created. If this parameter is equal to `ENABLED`, ASH applies the rule to findings and finding updates after the rule is created.
`rule_order`	`integer`	An integer ranging from 1 to 1000 that represents the order in which the rule action is applied to findings. Security Hub applies rules with lower values for this parameter first.
`description`	`string`	A description of the rule.
`rule_name`	`string`	The name of the rule.
`created_at`	`string`	The date and time, in UTC and ISO 8601 format.
`updated_at`	`string`	The date and time, in UTC and ISO 8601 format.
`created_by`	`string`
`is_terminal`	`boolean`	Specifies whether a rule is the last to be applied with respect to a finding that matches the rule criteria. This is useful when a finding matches the criteria for multiple rules, and each rule has different actions. If a rule is terminal, Security Hub applies the rule action to a finding that matches the rule criteria and doesn't evaluate other rules for the finding. By default, a rule isn't terminal.
`actions`	`array`	One or more actions to update finding fields if a finding matches the conditions specified in `Criteria`.
`criteria`	`object`	A set of [Security Finding Format (ASFF)](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html) finding field attributes and corresponding expected values that ASH uses to filter findings. If a rule is enabled and a finding matches the criteria specified in this parameter, ASH applies the rule action to the finding.
`tags`	`object`	User-defined tags associated with an automation rule.
`region`	`string`	AWS region.

For more information, see AWS::SecurityHub::AutomationRule.

Methods

Name	Accessible by	Required Params
`create_resource`	`INSERT`	`RuleOrder, RuleName, Description, Criteria, Actions, region`
`delete_resource`	`DELETE`	`data__Identifier, region`
`update_resource`	`UPDATE`	`data__Identifier, data__PatchDocument, region`
`list_resources`	`SELECT`	`region`
`get_resource`	`SELECT`	`data__Identifier, region`

`SELECT` examples

Gets all automation_rules in a region.

SELECT
region,
rule_arn,
rule_status,
rule_order,
description,
rule_name,
created_at,
updated_at,
created_by,
is_terminal,
actions,
criteria,
tags
FROM aws.securityhub.automation_rules
WHERE region = 'us-east-1';

Gets all properties from an individual automation_rule.

SELECT
region,
rule_arn,
rule_status,
rule_order,
description,
rule_name,
created_at,
updated_at,
created_by,
is_terminal,
actions,
criteria,
tags
FROM aws.securityhub.automation_rules
WHERE region = 'us-east-1' AND data__Identifier = '<RuleArn>';

`INSERT` example

Use the following StackQL query and manifest file to create a new automation_rule resource, using stack-deploy.

Required Properties
All Properties
Manifest

/*+ create */
INSERT INTO aws.securityhub.automation_rules (
 RuleOrder,
 Description,
 RuleName,
 Actions,
 Criteria,
 region
)
SELECT 
'{{ RuleOrder }}',
 '{{ Description }}',
 '{{ RuleName }}',
 '{{ Actions }}',
 '{{ Criteria }}',
'{{ region }}';

/*+ create */
INSERT INTO aws.securityhub.automation_rules (
 RuleStatus,
 RuleOrder,
 Description,
 RuleName,
 IsTerminal,
 Actions,
 Criteria,
 Tags,
 region
)
SELECT 
 '{{ RuleStatus }}',
 '{{ RuleOrder }}',
 '{{ Description }}',
 '{{ RuleName }}',
 '{{ IsTerminal }}',
 '{{ Actions }}',
 '{{ Criteria }}',
 '{{ Tags }}',
 '{{ region }}';

version: 1
name: stack name
description: stack description
providers:
  - aws
globals:
  - name: region
    value: '{{ vars.AWS_REGION }}'
resources:
  - name: automation_rule
    props:
      - name: RuleStatus
        value: '{{ RuleStatus }}'
      - name: RuleOrder
        value: '{{ RuleOrder }}'
      - name: Description
        value: '{{ Description }}'
      - name: RuleName
        value: '{{ RuleName }}'
      - name: IsTerminal
        value: '{{ IsTerminal }}'
      - name: Actions
        value:
          - Type: '{{ Type }}'
            FindingFieldsUpdate:
              Types:
                - '{{ Types[0] }}'
              Severity:
                Product: null
                Label: '{{ Label }}'
                Normalized: '{{ Normalized }}'
              Confidence: null
              Criticality: null
              UserDefinedFields: {}
              VerificationState: '{{ VerificationState }}'
              RelatedFindings:
                - ProductArn: '{{ ProductArn }}'
                  Id: null
              Note:
                Text: '{{ Text }}'
                UpdatedBy: null
              Workflow:
                Status: '{{ Status }}'
      - name: Criteria
        value:
          ProductArn:
            - Comparison: '{{ Comparison }}'
              Value: '{{ Value }}'
          AwsAccountId:
            - null
          Id:
            - null
          GeneratorId:
            - null
          Type:
            - null
          FirstObservedAt:
            - DateRange:
                Unit: '{{ Unit }}'
                Value: null
              End: '{{ End }}'
              Start: null
          LastObservedAt:
            - null
          CreatedAt:
            - null
          UpdatedAt:
            - null
          Confidence:
            - Eq: null
              Gte: null
              Lte: null
          Criticality:
            - null
          Title:
            - null
          Description:
            - null
          SourceUrl:
            - null
          ProductName:
            - null
          CompanyName:
            - null
          SeverityLabel:
            - null
          ResourceType:
            - null
          ResourceId:
            - null
          ResourcePartition:
            - null
          ResourceRegion:
            - null
          ResourceTags:
            - Comparison: '{{ Comparison }}'
              Key: null
              Value: null
          ResourceDetailsOther:
            - null
          ComplianceStatus:
            - null
          ComplianceSecurityControlId:
            - null
          ComplianceAssociatedStandardsId:
            - null
          VerificationState:
            - null
          WorkflowStatus:
            - null
          RecordState:
            - null
          RelatedFindingsProductArn:
            - null
          RelatedFindingsId:
            - null
          NoteText:
            - null
          NoteUpdatedAt:
            - null
          NoteUpdatedBy:
            - null
          UserDefinedFields:
            - null
      - name: Tags
        value: {}

`DELETE` example

/*+ delete */
DELETE FROM aws.securityhub.automation_rules
WHERE data__Identifier = '<RuleArn>'
AND region = 'us-east-1';

Permissions

To operate on the automation_rules resource, the following permissions are required:

Create

securityhub:CreateAutomationRule,
securityhub:TagResource,
securityhub:ListTagsForResource

Read

securityhub:ListAutomationRules,
securityhub:BatchGetAutomationRules,
securityhub:ListTagsForResource

Update

securityhub:BatchUpdateAutomationRules,
securityhub:TagResource,
securityhub:UntagResource,
securityhub:ListTagsForResource

Delete

securityhub:BatchDeleteAutomationRules,
securityhub:BatchGetAutomationRules

List

securityhub:ListAutomationRules,
securityhub:ListTagsForResource

Overview​

Fields​

Methods​

SELECT examples​

INSERT example​

DELETE example​

Permissions​

Create​

Read​

Update​

Delete​

List​