SecurityHub / Client / get_resources_statistics_v2

get_resources_statistics_v2

SecurityHub.Client.get_resources_statistics_v2(**kwargs)

Retrieves statistical information about Amazon Web Services resources and their associated security findings.

You can use the Scopes parameter to define the data boundary for the query. Currently, Scopes supports AwsOrganizations, which lets you aggregate resources from your entire organization or from specific organizational units. Only the delegated administrator account can use Scopes.

See also: AWS API Documentation

Request Syntax

response = client.get_resources_statistics_v2(
    GroupByRules=[
        {
            'GroupByField': 'AccountId'|'Region'|'ResourceCategory'|'ResourceType'|'ResourceName'|'FindingsSummary.FindingType',
            'Filters': {
                'CompositeFilters': [
                    {
                        'StringFilters': [
                            {
                                'FieldName': 'ResourceGuid'|'ResourceId'|'AccountId'|'Region'|'ResourceCategory'|'ResourceType'|'ResourceName'|'FindingsSummary.FindingType'|'FindingsSummary.ProductName',
                                'Filter': {
                                    'Value': 'string',
                                    'Comparison': 'EQUALS'|'PREFIX'|'NOT_EQUALS'|'PREFIX_NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'|'CONTAINS_WORD'
                                }
                            },
                        ],
                        'DateFilters': [
                            {
                                'FieldName': 'ResourceDetailCaptureTime'|'ResourceCreationTime',
                                'Filter': {
                                    'Start': 'string',
                                    'End': 'string',
                                    'DateRange': {
                                        'Value': 123,
                                        'Unit': 'DAYS'
                                    }
                                }
                            },
                        ],
                        'NumberFilters': [
                            {
                                'FieldName': 'FindingsSummary.TotalFindings'|'FindingsSummary.Severities.Other'|'FindingsSummary.Severities.Fatal'|'FindingsSummary.Severities.Critical'|'FindingsSummary.Severities.High'|'FindingsSummary.Severities.Medium'|'FindingsSummary.Severities.Low'|'FindingsSummary.Severities.Informational'|'FindingsSummary.Severities.Unknown',
                                'Filter': {
                                    'Gte': 123.0,
                                    'Lte': 123.0,
                                    'Eq': 123.0,
                                    'Gt': 123.0,
                                    'Lt': 123.0
                                }
                            },
                        ],
                        'MapFilters': [
                            {
                                'FieldName': 'ResourceTags',
                                'Filter': {
                                    'Key': 'string',
                                    'Value': 'string',
                                    'Comparison': 'EQUALS'|'NOT_EQUALS'|'CONTAINS'|'NOT_CONTAINS'
                                }
                            },
                        ],
                        'NestedCompositeFilters': {'... recursive ...'},
                        'Operator': 'AND'|'OR'
                    },
                ],
                'CompositeOperator': 'AND'|'OR'
            }
        },
    ],
    Scopes={
        'AwsOrganizations': [
            {
                'OrganizationId': 'string',
                'OrganizationalUnitId': 'string'
            },
        ]
    },
    SortOrder='asc'|'desc',
    MaxStatisticResults=123
)

Parameters:

• GroupByRules (list) –

  [REQUIRED]

  How resource statistics should be aggregated and organized in the response.

  • (dict) –

    Defines the configuration for organizing and categorizing Amazon Web Services resources based on associated security findings.

    • GroupByField (string) – [REQUIRED]

      Specifies the attribute that resources should be grouped by.

    • Filters (dict) –

      The criteria used to select resources and associated security findings.

      • CompositeFilters (list) –

        A collection of complex filtering conditions that can be applied to Amazon Web Services resources.

        • (dict) –

          Enables the creation of criteria for Amazon Web Services resources in Security Hub CSPM.

          • StringFilters (list) –

            Enables filtering based on string field values.

            • (dict) –

              Enables filtering of Amazon Web Services resources based on string field values.

              • FieldName (string) –

                The name of the field.

              • Filter (dict) –

                A string filter for filtering Security Hub CSPM findings.

                • Value (string) –

                  The string filter value. Filter values are case sensitive. For example, the product name for control-based findings is Security Hub CSPM. If you provide security hub as the filter value, there’s no match.

                • Comparison (string) –

                  The condition to apply to a string value when filtering Security Hub CSPM findings.

                  To search for values that have the filter value, use one of the following comparison operators:

                  • To search for values that include the filter value, use CONTAINS. For example, the filter Title CONTAINS CloudFront matches findings that have a Title that includes the string CloudFront.

                  • To search for values that exactly match the filter value, use EQUALS. For example, the filter AwsAccountId EQUALS 123456789012 only matches findings that have an account ID of 123456789012.

                  • To search for values that start with the filter value, use PREFIX. For example, the filter ResourceRegion PREFIX us matches findings that have a ResourceRegion that starts with us. A ResourceRegion that starts with a different value, such as af, ap, or ca, doesn’t match.

                  CONTAINS, EQUALS, and PREFIX filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Title CONTAINS CloudFront OR Title CONTAINS CloudWatch match a finding that includes either CloudFront, CloudWatch, or both strings in the title.

                  To search for values that don’t have the filter value, use one of the following comparison operators:

                  • To search for values that exclude the filter value, use NOT_CONTAINS. For example, the filter Title NOT_CONTAINS CloudFront matches findings that have a Title that excludes the string CloudFront.

                  • To search for values other than the filter value, use NOT_EQUALS. For example, the filter AwsAccountId NOT_EQUALS 123456789012 only matches findings that have an account ID other than 123456789012.

                  • To search for values that don’t start with the filter value, use PREFIX_NOT_EQUALS. For example, the filter ResourceRegion PREFIX_NOT_EQUALS us matches findings with a ResourceRegion that starts with a value other than us.

                  NOT_CONTAINS, NOT_EQUALS, and PREFIX_NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Title NOT_CONTAINS CloudFront AND Title NOT_CONTAINS CloudWatch match a finding that excludes both CloudFront and CloudWatch in the title.

                  You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can’t provide both an EQUALS filter and a NOT_EQUALS or PREFIX_NOT_EQUALS filter on the same field. Combining filters in this way returns an error. CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.

                  You can combine PREFIX filters with NOT_EQUALS or PREFIX_NOT_EQUALS filters for the same field. Security Hub CSPM first processes the PREFIX filters, and then the NOT_EQUALS or PREFIX_NOT_EQUALS filters.

                  For example, for the following filters, Security Hub CSPM first identifies findings that have resource types that start with either AwsIam or AwsEc2. It then excludes findings that have a resource type of AwsIamPolicy and findings that have a resource type of AwsEc2NetworkInterface.

                  • ResourceType PREFIX AwsIam

                  • ResourceType PREFIX AwsEc2

                  • ResourceType NOT_EQUALS AwsIamPolicy

                  • ResourceType NOT_EQUALS AwsEc2NetworkInterface

                  CONTAINS and NOT_CONTAINS operators can be used only with automation rules V1. CONTAINS_WORD operator is only supported in GetFindingsV2, GetFindingStatisticsV2, GetResourcesV2, and GetResourcesStatisticsV2 APIs. For more information, see Automation rules in the Security Hub CSPM User Guide.

          • DateFilters (list) –

            Enables filtering based on date and timestamp field values.

            • (dict) –

              Enables the filtering of Amazon Web Services resources based on date and timestamp attributes.

              • FieldName (string) –

                The name of the field.

              • Filter (dict) –

                A date filter for querying findings.

                • Start (string) –

                  A timestamp that provides the start date for the date filter.

                  For more information about the validation and formatting of timestamp fields in Security Hub CSPM, see Timestamps.

                • End (string) –

                  A timestamp that provides the end date for the date filter.

                  For more information about the validation and formatting of timestamp fields in Security Hub CSPM, see Timestamps.

                • DateRange (dict) –

                  A date range for the date filter.

                  • Value (integer) –

                    A date range value for the date filter.

                  • Unit (string) –

                    A date range unit for the date filter.

          • NumberFilters (list) –

            Enables filtering based on numerical field values.

            • (dict) –

              Enables filtering of Amazon Web Services resources based on numerical values.

              • FieldName (string) –

                The name of the field.

              • Filter (dict) –

                A number filter for querying findings.

                • Gte (float) –

                  The greater-than-equal condition to be applied to a single field when querying for findings.

                • Lte (float) –

                  The less-than-equal condition to be applied to a single field when querying for findings.

                • Eq (float) –

                  The equal-to condition to be applied to a single field when querying for findings.

                • Gt (float) –

                  The greater-than condition to be applied to a single field when querying for findings.

                • Lt (float) –

                  The less-than condition to be applied to a single field when querying for findings.

          • MapFilters (list) –

            Enables filtering based on map-based field values.

            • (dict) –

              Enables filtering of Amazon Web Services resources based on key-value map attributes.

              • FieldName (string) –

                The name of the field.

              • Filter (dict) –

                A map filter for filtering Security Hub CSPM findings. Each map filter provides the field to check for, the value to check for, and the comparison operator.

                • Key (string) –

                  The key of the map filter. For example, for ResourceTags, Key identifies the name of the tag. For UserDefinedFields, Key is the name of the field.

                • Value (string) –

                  The value for the key in the map filter. Filter values are case sensitive. For example, one of the values for a tag called Department might be Security. If you provide security as the filter value, then there’s no match.

                • Comparison (string) –

                  The condition to apply to the key value when filtering Security Hub CSPM findings with a map filter.

                  To search for values that have the filter value, use one of the following comparison operators:

                  • To search for values that include the filter value, use CONTAINS. For example, for the ResourceTags field, the filter Department CONTAINS Security matches findings that include the value Security for the Department tag. In the same example, a finding with a value of Security team for the Department tag is a match.

                  • To search for values that exactly match the filter value, use EQUALS. For example, for the ResourceTags field, the filter Department EQUALS Security matches findings that have the value Security for the Department tag.

                  CONTAINS and EQUALS filters on the same field are joined by OR. A finding matches if it matches any one of those filters. For example, the filters Department CONTAINS Security OR Department CONTAINS Finance match a finding that includes either Security, Finance, or both values.

                  To search for values that don’t have the filter value, use one of the following comparison operators:

                  • To search for values that exclude the filter value, use NOT_CONTAINS. For example, for the ResourceTags field, the filter Department NOT_CONTAINS Finance matches findings that exclude the value Finance for the Department tag.

                  • To search for values other than the filter value, use NOT_EQUALS. For example, for the ResourceTags field, the filter Department NOT_EQUALS Finance matches findings that don’t have the value Finance for the Department tag.

                  NOT_CONTAINS and NOT_EQUALS filters on the same field are joined by AND. A finding matches only if it matches all of those filters. For example, the filters Department NOT_CONTAINS Security AND Department NOT_CONTAINS Finance match a finding that excludes both the Security and Finance values.

                  CONTAINS filters can only be used with other CONTAINS filters. NOT_CONTAINS filters can only be used with other NOT_CONTAINS filters.

                  You can’t have both a CONTAINS filter and a NOT_CONTAINS filter on the same field. Similarly, you can’t have both an EQUALS filter and a NOT_EQUALS filter on the same field. Combining filters in this way returns an error.

                  CONTAINS and NOT_CONTAINS operators can be used only with automation rules. For more information, see Automation rules in the Security Hub CSPM User Guide.

          • NestedCompositeFilters (list) –

            Provides an additional level of filtering, creating a three-layer nested structure. The first layer is a CompositeFilters array with a CompositeOperator ( AND/ OR). The second layer is a CompositeFilter object that contains direct filters and NestedCompositeFilters. The third layer is NestedCompositeFilters, which contains additional filter conditions.

          • Operator (string) –

            The logical operator used to combine multiple filter conditions.

      • CompositeOperator (string) –

        The logical operator used to combine multiple filter conditions in the structure.

• Scopes (dict) –

  Limits the results to resources from specific organizational units or from the delegated administrator’s organization. Only the delegated administrator account can use this parameter. Other accounts receive an AccessDeniedException.

  This parameter is optional. If you omit it, the delegated administrator sees statistics from all accounts across the entire organization. Other accounts see only statistics for their own resources.

  You can specify up to 10 entries in Scopes.AwsOrganizations. If multiple entries are specified, the entries are combined using OR logic.

  • AwsOrganizations (list) –

    A list of Organizations scopes to include in the query results. Each entry in the list specifies an organization or organizational unit to include for the delegated administrator’s account. If the list specifies multiple entries, the entries are combined using OR logic.

    • (dict) –

      Specifies an Organizations scope. Data from the specified organization or organizational unit is included in the response.

      To scope to a specific organizational unit, provide OrganizationalUnitId. You can optionally include OrganizationId. If you omit OrganizationId, Security Hub uses the caller’s organization ID. To scope to the delegated administrator’s entire organization, provide only OrganizationId.

      The organization ID and organizational unit must belong to the delegated administrator’s own organization. Each request must use one scoping approach: either scope to the entire organization by providing an AwsOrganizationScope entry with only OrganizationId, or scope to specific organizational units by providing AwsOrganizationScope entries with OrganizationalUnitId. You can’t combine both approaches in the same request.

      • OrganizationId (string) –

        The unique identifier (ID) of the organization (for example, o-abcd1234567890). The organization must be the delegated administrator’s own organization. If you omit this value and provide OrganizationalUnitId, Security Hub uses the caller’s organization ID.

      • OrganizationalUnitId (string) –

        The unique identifier (ID) of the organizational unit (OU) (for example, ou-ab12-cd345678). The OU must exist within the delegated administrator’s own organization. When specified, the results include only data from accounts in this OU.

• SortOrder (string) – Sorts aggregated statistics.

• MaxStatisticResults (integer) – The maximum number of results to be returned.

Return type:

dict

Returns:

Response Syntax

{
    'GroupByResults': [
        {
            'GroupByField': 'string',
            'GroupByValues': [
                {
                    'FieldValue': 'string',
                    'Count': 123
                },
            ]
        },
    ]
}

Response Structure

• (dict) –

  • GroupByResults (list) –

    The aggregated statistics about resources based on the specified grouping rule.

    • (dict) –

      Represents finding statistics grouped by GroupedByField.

      • GroupByField (string) –

        The attribute by which filtered security findings should be grouped.

      • GroupByValues (list) –

        An array of grouped values and their respective counts for each GroupByField.

        • (dict) –

          Represents individual aggregated results when grouping security findings for each GroupByField.

          • FieldValue (string) –

            The value of the field by which findings are grouped.

          • Count (integer) –

            The number of findings for a specific FieldValue and GroupByField.

Exceptions

• SecurityHub.Client.exceptions.InternalServerException

• SecurityHub.Client.exceptions.AccessDeniedException

• SecurityHub.Client.exceptions.ThrottlingException

• SecurityHub.Client.exceptions.ConflictException

• SecurityHub.Client.exceptions.ValidationException

• SecurityHub.Client.exceptions.ResourceNotFoundException

• SecurityHub.Client.exceptions.OrganizationalUnitNotFoundException

• SecurityHub.Client.exceptions.OrganizationNotFoundException