automation_rules
Creates, updates, deletes or gets an automation_rule resource or lists automation_rules in a region
Overview
| Name | automation_rules |
| Type | Resource |
| Description | The AWS::SecurityHub::AutomationRule resource specifies an automation rule based on input parameters. For more information, see [Automation rules](https://docs.aws.amazon.com/securityhub/latest/userguide/automation-rules.html) in the *User Guide*. |
| Id | aws.securityhub.automation_rules |
Fields
| Name | Datatype | Description |
|---|---|---|
rule_arn | string | |
rule_status | string | Whether the rule is active after it is created. If this parameter is equal to ENABLED, ASH applies the rule to findings and finding updates after the rule is created. |
rule_order | integer | |
description | string | |
rule_name | string | |
created_at | string | The date and time, in UTC and ISO 8601 format. |
updated_at | string | The date and time, in UTC and ISO 8601 format. |
created_by | string | |
is_terminal | boolean | |
actions | array | |
criteria | object | A set of [Security Finding Format (ASFF)](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html) finding field attributes and corresponding expected values that ASH uses to filter findings. If a rule is enabled and a finding matches the criteria specified in this parameter, ASH applies the rule action to the finding. |
tags | object | A key-value pair to associate with a resource. |
region | string | AWS region. |
Methods
| Name | Accessible by | Required Params |
|---|---|---|
create_resource | INSERT | region |
delete_resource | DELETE | data__Identifier, region |
update_resource | UPDATE | data__Identifier, data__PatchDocument, region |
list_resources | SELECT | region |
get_resource | SELECT | data__Identifier, region |
SELECT examples
Gets all automation_rules in a region.
SELECT
region,
rule_arn,
rule_status,
rule_order,
description,
rule_name,
created_at,
updated_at,
created_by,
is_terminal,
actions,
criteria,
tags
FROM aws.securityhub.automation_rules
WHERE region = 'us-east-1';
Gets all properties from an individual automation_rule.
SELECT
region,
rule_arn,
rule_status,
rule_order,
description,
rule_name,
created_at,
updated_at,
created_by,
is_terminal,
actions,
criteria,
tags
FROM aws.securityhub.automation_rules
WHERE region = 'us-east-1' AND data__Identifier = '<RuleArn>';
INSERT example
Use the following StackQL query and manifest file to create a new automation_rule resource, using stack-deploy.
- Required Properties
- All Properties
- Manifest
/*+ create */
INSERT INTO aws.securityhub.automation_rules (
RuleStatus,
RuleOrder,
Description,
RuleName,
IsTerminal,
Actions,
Criteria,
Tags,
region
)
SELECT
'{{ RuleStatus }}',
'{{ RuleOrder }}',
'{{ Description }}',
'{{ RuleName }}',
'{{ IsTerminal }}',
'{{ Actions }}',
'{{ Criteria }}',
'{{ Tags }}',
'{{ region }}';
/*+ create */
INSERT INTO aws.securityhub.automation_rules (
RuleStatus,
RuleOrder,
Description,
RuleName,
IsTerminal,
Actions,
Criteria,
Tags,
region
)
SELECT
'{{ RuleStatus }}',
'{{ RuleOrder }}',
'{{ Description }}',
'{{ RuleName }}',
'{{ IsTerminal }}',
'{{ Actions }}',
'{{ Criteria }}',
'{{ Tags }}',
'{{ region }}';
version: 1
name: stack name
description: stack description
providers:
- aws
globals:
- name: region
value: '{{ vars.AWS_REGION }}'
resources:
- name: automation_rule
props:
- name: RuleStatus
value: '{{ RuleStatus }}'
- name: RuleOrder
value: '{{ RuleOrder }}'
- name: Description
value: '{{ Description }}'
- name: RuleName
value: '{{ RuleName }}'
- name: IsTerminal
value: '{{ IsTerminal }}'
- name: Actions
value:
- Type: '{{ Type }}'
FindingFieldsUpdate:
Types:
- '{{ Types[0] }}'
Severity:
Product: null
Label: '{{ Label }}'
Normalized: '{{ Normalized }}'
Confidence: null
Criticality: null
UserDefinedFields: {}
VerificationState: '{{ VerificationState }}'
RelatedFindings:
- ProductArn: '{{ ProductArn }}'
Id: null
Note:
Text: '{{ Text }}'
UpdatedBy: null
Workflow:
Status: '{{ Status }}'
- name: Criteria
value:
ProductArn:
- Comparison: '{{ Comparison }}'
Value: '{{ Value }}'
AwsAccountId:
- null
Id:
- null
GeneratorId:
- null
Type:
- null
FirstObservedAt:
- DateRange:
Unit: '{{ Unit }}'
Value: null
End: '{{ End }}'
Start: null
LastObservedAt:
- null
CreatedAt:
- null
UpdatedAt:
- null
Confidence:
- Eq: null
Gte: null
Lte: null
Criticality:
- null
Title:
- null
Description:
- null
SourceUrl:
- null
ProductName:
- null
CompanyName:
- null
SeverityLabel:
- null
ResourceType:
- null
ResourceId:
- null
ResourcePartition:
- null
ResourceRegion:
- null
ResourceTags:
- Comparison: '{{ Comparison }}'
Key: null
Value: null
ResourceDetailsOther:
- null
ComplianceStatus:
- null
ComplianceSecurityControlId:
- null
ComplianceAssociatedStandardsId:
- null
VerificationState:
- null
WorkflowStatus:
- null
RecordState:
- null
RelatedFindingsProductArn:
- null
RelatedFindingsId:
- null
NoteText:
- null
NoteUpdatedAt:
- null
NoteUpdatedBy:
- null
UserDefinedFields:
- null
- name: Tags
value: {}
DELETE example
/*+ delete */
DELETE FROM aws.securityhub.automation_rules
WHERE data__Identifier = '<RuleArn>'
AND region = 'us-east-1';
Permissions
To operate on the automation_rules resource, the following permissions are required:
Create
securityhub:CreateAutomationRule,
securityhub:TagResource,
securityhub:ListTagsForResource
Read
securityhub:ListAutomationRules,
securityhub:BatchGetAutomationRules,
securityhub:ListTagsForResource
Update
securityhub:BatchUpdateAutomationRules,
securityhub:TagResource,
securityhub:UntagResource,
securityhub:ListTagsForResource
Delete
securityhub:BatchDeleteAutomationRules,
securityhub:BatchGetAutomationRules
List
securityhub:ListAutomationRules,
securityhub:ListTagsForResource