[ aws . securityhub ]
Creates a custom insight in Security Hub. An insight is a consolidation of findings that relate to a security issue that requires attention or remediation.
To group the related findings in the insight, use the GroupByAttribute.
See also: AWS API Documentation
See ‘aws help’ for descriptions of global parameters.
create-insight
--name <value>
--filters <value>
--group-by-attribute <value>
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
[--cli-auto-prompt <value>]
--name
(string)
The name of the custom insight to create.
--filters
(structure)
One or more attributes used to filter the findings included in the insight. The insight only includes findings that match the criteria defined in the filters.
ProductArn -> (list)
The ARN generated by Security Hub that uniquely identifies a third-party company (security findings provider) after this provider’s product (solution that generates findings) is registered with Security Hub.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
AwsAccountId -> (list)
The AWS account ID that a finding is generated in.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
Id -> (list)
The security findings provider-specific identifier for a finding.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
GeneratorId -> (list)
The identifier for the solution-specific component (a discrete unit of logic) that generated a finding. In various security-findings providers’ solutions, this generator can be called a rule, a check, a detector, a plugin, etc.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
Type -> (list)
A finding type in the format of namespace/category/classifier that classifies a finding.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
FirstObservedAt -> (list)
An ISO8601-formatted timestamp that indicates when the security-findings provider first observed the potential security issue that a finding captured.
(structure)
A date filter for querying findings.
Start -> (string)
A start date for the date filter.
End -> (string)
An end date for the date filter.
DateRange -> (structure)
A date range for the date filter.
Value -> (integer)
A date range value for the date filter.
Unit -> (string)
A date range unit for the date filter.
LastObservedAt -> (list)
An ISO8601-formatted timestamp that indicates when the security-findings provider most recently observed the potential security issue that a finding captured.
(structure)
A date filter for querying findings.
Start -> (string)
A start date for the date filter.
End -> (string)
An end date for the date filter.
DateRange -> (structure)
A date range for the date filter.
Value -> (integer)
A date range value for the date filter.
Unit -> (string)
A date range unit for the date filter.
CreatedAt -> (list)
An ISO8601-formatted timestamp that indicates when the security-findings provider captured the potential security issue that a finding captured.
(structure)
A date filter for querying findings.
Start -> (string)
A start date for the date filter.
End -> (string)
An end date for the date filter.
DateRange -> (structure)
A date range for the date filter.
Value -> (integer)
A date range value for the date filter.
Unit -> (string)
A date range unit for the date filter.
UpdatedAt -> (list)
An ISO8601-formatted timestamp that indicates when the security-findings provider last updated the finding record.
(structure)
A date filter for querying findings.
Start -> (string)
A start date for the date filter.
End -> (string)
An end date for the date filter.
DateRange -> (structure)
A date range for the date filter.
Value -> (integer)
A date range value for the date filter.
Unit -> (string)
A date range unit for the date filter.
SeverityProduct -> (list)
The native severity as defined by the security-findings provider’s solution that generated the finding.
(structure)
A number filter for querying findings.
Gte -> (double)
The greater-than-equal condition to be applied to a single field when querying for findings.
Lte -> (double)
The less-than-equal condition to be applied to a single field when querying for findings.
Eq -> (double)
The equal-to condition to be applied to a single field when querying for findings.
SeverityNormalized -> (list)
The normalized severity of a finding.
(structure)
A number filter for querying findings.
Gte -> (double)
The greater-than-equal condition to be applied to a single field when querying for findings.
Lte -> (double)
The less-than-equal condition to be applied to a single field when querying for findings.
Eq -> (double)
The equal-to condition to be applied to a single field when querying for findings.
SeverityLabel -> (list)
The label of a finding’s severity.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
Confidence -> (list)
A finding’s confidence. Confidence is defined as the likelihood that a finding accurately identifies the behavior or issue that it was intended to identify.
Confidence is scored on a 0-100 basis using a ratio scale, where 0 means zero percent confidence and 100 means 100 percent confidence.
(structure)
A number filter for querying findings.
Gte -> (double)
The greater-than-equal condition to be applied to a single field when querying for findings.
Lte -> (double)
The less-than-equal condition to be applied to a single field when querying for findings.
Eq -> (double)
The equal-to condition to be applied to a single field when querying for findings.
Criticality -> (list)
The level of importance assigned to the resources associated with the finding.
A score of 0 means that the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources.
(structure)
A number filter for querying findings.
Gte -> (double)
The greater-than-equal condition to be applied to a single field when querying for findings.
Lte -> (double)
The less-than-equal condition to be applied to a single field when querying for findings.
Eq -> (double)
The equal-to condition to be applied to a single field when querying for findings.
Title -> (list)
A finding’s title.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
Description -> (list)
A finding’s description.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
RecommendationText -> (list)
The recommendation of what to do about the issue described in a finding.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
SourceUrl -> (list)
A URL that links to a page about the current finding in the security-findings provider’s solution.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
ProductFields -> (list)
A data type where security-findings providers can include additional solution-specific details that aren’t part of the defined AwsSecurityFinding format.
(structure)
The map filter for querying findings.
Key -> (string)
The key of the map filter.
Value -> (string)
The value for the key in the map filter.
Comparison -> (string)
The condition to apply to a key value when querying for findings with a map filter.
ProductName -> (list)
The name of the solution (product) that generates findings.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
CompanyName -> (list)
The name of the findings provider (company) that owns the solution (product) that generates findings.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
UserDefinedFields -> (list)
A list of name/value string pairs associated with the finding. These are custom, user-defined fields added to a finding.
(structure)
The map filter for querying findings.
Key -> (string)
The key of the map filter.
Value -> (string)
The value for the key in the map filter.
Comparison -> (string)
The condition to apply to a key value when querying for findings with a map filter.
MalwareName -> (list)
The name of the malware that was observed.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
MalwareType -> (list)
The type of the malware that was observed.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
MalwarePath -> (list)
The filesystem path of the malware that was observed.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
MalwareState -> (list)
The state of the malware that was observed.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
NetworkDirection -> (list)
Indicates the direction of network traffic associated with a finding.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
NetworkProtocol -> (list)
The protocol of network-related information about a finding.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
NetworkSourceIpV4 -> (list)
The source IPv4 address of network-related information about a finding.
(structure)
The IP filter for querying findings.
Cidr -> (string)
A finding’s CIDR value.
NetworkSourceIpV6 -> (list)
The source IPv6 address of network-related information about a finding.
(structure)
The IP filter for querying findings.
Cidr -> (string)
A finding’s CIDR value.
NetworkSourcePort -> (list)
The source port of network-related information about a finding.
(structure)
A number filter for querying findings.
Gte -> (double)
The greater-than-equal condition to be applied to a single field when querying for findings.
Lte -> (double)
The less-than-equal condition to be applied to a single field when querying for findings.
Eq -> (double)
The equal-to condition to be applied to a single field when querying for findings.
NetworkSourceDomain -> (list)
The source domain of network-related information about a finding.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
NetworkSourceMac -> (list)
The source media access control (MAC) address of network-related information about a finding.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
NetworkDestinationIpV4 -> (list)
The destination IPv4 address of network-related information about a finding.
(structure)
The IP filter for querying findings.
Cidr -> (string)
A finding’s CIDR value.
NetworkDestinationIpV6 -> (list)
The destination IPv6 address of network-related information about a finding.
(structure)
The IP filter for querying findings.
Cidr -> (string)
A finding’s CIDR value.
NetworkDestinationPort -> (list)
The destination port of network-related information about a finding.
(structure)
A number filter for querying findings.
Gte -> (double)
The greater-than-equal condition to be applied to a single field when querying for findings.
Lte -> (double)
The less-than-equal condition to be applied to a single field when querying for findings.
Eq -> (double)
The equal-to condition to be applied to a single field when querying for findings.
NetworkDestinationDomain -> (list)
The destination domain of network-related information about a finding.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
ProcessName -> (list)
The name of the process.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
ProcessPath -> (list)
The path to the process executable.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
ProcessPid -> (list)
The process ID.
(structure)
A number filter for querying findings.
Gte -> (double)
The greater-than-equal condition to be applied to a single field when querying for findings.
Lte -> (double)
The less-than-equal condition to be applied to a single field when querying for findings.
Eq -> (double)
The equal-to condition to be applied to a single field when querying for findings.
ProcessParentPid -> (list)
The parent process ID.
(structure)
A number filter for querying findings.
Gte -> (double)
The greater-than-equal condition to be applied to a single field when querying for findings.
Lte -> (double)
The less-than-equal condition to be applied to a single field when querying for findings.
Eq -> (double)
The equal-to condition to be applied to a single field when querying for findings.
ProcessLaunchedAt -> (list)
The date/time that the process was launched.
(structure)
A date filter for querying findings.
Start -> (string)
A start date for the date filter.
End -> (string)
An end date for the date filter.
DateRange -> (structure)
A date range for the date filter.
Value -> (integer)
A date range value for the date filter.
Unit -> (string)
A date range unit for the date filter.
ProcessTerminatedAt -> (list)
The date/time that the process was terminated.
(structure)
A date filter for querying findings.
Start -> (string)
A start date for the date filter.
End -> (string)
An end date for the date filter.
DateRange -> (structure)
A date range for the date filter.
Value -> (integer)
A date range value for the date filter.
Unit -> (string)
A date range unit for the date filter.
ThreatIntelIndicatorType -> (list)
The type of a threat intelligence indicator.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
ThreatIntelIndicatorValue -> (list)
The value of a threat intelligence indicator.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
ThreatIntelIndicatorCategory -> (list)
The category of a threat intelligence indicator.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
ThreatIntelIndicatorLastObservedAt -> (list)
The date/time of the last observation of a threat intelligence indicator.
(structure)
A date filter for querying findings.
Start -> (string)
A start date for the date filter.
End -> (string)
An end date for the date filter.
DateRange -> (structure)
A date range for the date filter.
Value -> (integer)
A date range value for the date filter.
Unit -> (string)
A date range unit for the date filter.
ThreatIntelIndicatorSource -> (list)
The source of the threat intelligence.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
ThreatIntelIndicatorSourceUrl -> (list)
The URL for more details from the source of the threat intelligence.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
ResourceType -> (list)
Specifies the type of the resource that details are provided for.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
ResourceId -> (list)
The canonical identifier for the given resource type.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
ResourcePartition -> (list)
The canonical AWS partition name that the Region is assigned to.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
ResourceRegion -> (list)
The canonical AWS external Region name where this resource is located.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
ResourceTags -> (list)
A list of AWS tags associated with a resource at the time the finding was processed.
(structure)
The map filter for querying findings.
Key -> (string)
The key of the map filter.
Value -> (string)
The value for the key in the map filter.
Comparison -> (string)
The condition to apply to a key value when querying for findings with a map filter.
ResourceAwsEc2InstanceType -> (list)
The instance type of the instance.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
ResourceAwsEc2InstanceImageId -> (list)
The Amazon Machine Image (AMI) ID of the instance.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
ResourceAwsEc2InstanceIpV4Addresses -> (list)
The IPv4 addresses associated with the instance.
(structure)
The IP filter for querying findings.
Cidr -> (string)
A finding’s CIDR value.
ResourceAwsEc2InstanceIpV6Addresses -> (list)
The IPv6 addresses associated with the instance.
(structure)
The IP filter for querying findings.
Cidr -> (string)
A finding’s CIDR value.
ResourceAwsEc2InstanceKeyName -> (list)
The key name associated with the instance.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
ResourceAwsEc2InstanceIamInstanceProfileArn -> (list)
The IAM profile ARN of the instance.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
ResourceAwsEc2InstanceVpcId -> (list)
The identifier of the VPC that the instance was launched in.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
ResourceAwsEc2InstanceSubnetId -> (list)
The identifier of the subnet that the instance was launched in.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
ResourceAwsEc2InstanceLaunchedAt -> (list)
The date and time the instance was launched.
(structure)
A date filter for querying findings.
Start -> (string)
A start date for the date filter.
End -> (string)
An end date for the date filter.
DateRange -> (structure)
A date range for the date filter.
Value -> (integer)
A date range value for the date filter.
Unit -> (string)
A date range unit for the date filter.
ResourceAwsS3BucketOwnerId -> (list)
The canonical user ID of the owner of the S3 bucket.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
ResourceAwsS3BucketOwnerName -> (list)
The display name of the owner of the S3 bucket.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
ResourceAwsIamAccessKeyUserName -> (list)
The user associated with the IAM access key related to a finding.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
ResourceAwsIamAccessKeyStatus -> (list)
The status of the IAM access key related to a finding.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
ResourceAwsIamAccessKeyCreatedAt -> (list)
The creation date/time of the IAM access key related to a finding.
(structure)
A date filter for querying findings.
Start -> (string)
A start date for the date filter.
End -> (string)
An end date for the date filter.
DateRange -> (structure)
A date range for the date filter.
Value -> (integer)
A date range value for the date filter.
Unit -> (string)
A date range unit for the date filter.
ResourceContainerName -> (list)
The name of the container related to a finding.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
ResourceContainerImageId -> (list)
The identifier of the image related to a finding.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
ResourceContainerImageName -> (list)
The name of the image related to a finding.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
ResourceContainerLaunchedAt -> (list)
The date/time that the container was started.
(structure)
A date filter for querying findings.
Start -> (string)
A start date for the date filter.
End -> (string)
An end date for the date filter.
DateRange -> (structure)
A date range for the date filter.
Value -> (integer)
A date range value for the date filter.
Unit -> (string)
A date range unit for the date filter.
ResourceDetailsOther -> (list)
The details of a resource that doesn’t have a specific subfield for the resource type defined.
(structure)
The map filter for querying findings.
Key -> (string)
The key of the map filter.
Value -> (string)
The value for the key in the map filter.
Comparison -> (string)
The condition to apply to a key value when querying for findings with a map filter.
ComplianceStatus -> (list)
Exclusive to findings that are generated as the result of a check run against a specific rule in a supported standard, such as CIS AWS Foundations. Contains security standard-related finding details.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
VerificationState -> (list)
The veracity of a finding.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
WorkflowState -> (list)
The workflow state of a finding.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
WorkflowStatus -> (list)
The status of the investigation into a finding. Allowed values are the following.
NEW - The initial state of a finding, before it is reviewed.
NOTIFIED - Indicates that the resource owner has been notified about the security issue. Used when the initial reviewer is not the resource owner, and needs intervention from the resource owner.
SUPPRESSED - The finding will not be reviewed again and will not be acted upon.
RESOLVED - The finding was reviewed and remediated and is now considered resolved.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
RecordState -> (list)
The updated record state for the finding.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
RelatedFindingsProductArn -> (list)
The ARN of the solution that generated a related finding.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
RelatedFindingsId -> (list)
The solution-generated identifier for a related finding.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
NoteText -> (list)
The text of a note.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
NoteUpdatedAt -> (list)
The timestamp of when the note was updated.
(structure)
A date filter for querying findings.
Start -> (string)
A start date for the date filter.
End -> (string)
An end date for the date filter.
DateRange -> (structure)
A date range for the date filter.
Value -> (integer)
A date range value for the date filter.
Unit -> (string)
A date range unit for the date filter.
NoteUpdatedBy -> (list)
The principal that created a note.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
Keyword -> (list)
A keyword for a finding.
(structure)
A keyword filter for querying findings.
Value -> (string)
A value for the keyword.
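As an added example (not part of the AWS CLI reference and not AWS code), the following Python assembles a --cli-input-json document for create-insight that selects active, still-open HIGH or CRITICAL findings on EC2 instances updated in the last 7 days and groups them by ResourceId, and checks each filter entry against the filter shapes documented above (string, number, date, map, IP and keyword filters). The insight name, the severity labels, the RecordState value ACTIVE and the resource type AwsEc2Instance are values assumed for the example; the rule that entries of one attribute list are OR-ed while different attributes are AND-ed is Security Hub's documented filter semantics.

```python
"""Build and sanity-check a --cli-input-json payload for
`aws securityhub create-insight` (constructed example, not AWS code)."""
import json

# Allowed enumerations taken from the JSON syntax on this page.
STRING_COMPARISONS = {"EQUALS", "PREFIX"}
DATE_UNITS = {"DAYS"}

# Attribute names this page documents under each non-string filter kind.
# Any attribute not listed here is a string filter (Value + Comparison).
NUMBER_FIELDS = {"SeverityProduct", "SeverityNormalized", "Confidence",
                 "Criticality", "NetworkSourcePort", "NetworkDestinationPort",
                 "ProcessPid", "ProcessParentPid"}
DATE_FIELDS = {"FirstObservedAt", "LastObservedAt", "CreatedAt", "UpdatedAt",
               "ProcessLaunchedAt", "ProcessTerminatedAt",
               "ThreatIntelIndicatorLastObservedAt",
               "ResourceAwsEc2InstanceLaunchedAt",
               "ResourceAwsIamAccessKeyCreatedAt",
               "ResourceContainerLaunchedAt", "NoteUpdatedAt"}
MAP_FIELDS = {"ProductFields", "UserDefinedFields", "ResourceTags",
              "ResourceDetailsOther"}
IP_FIELDS = {"NetworkSourceIpV4", "NetworkSourceIpV6",
             "NetworkDestinationIpV4", "NetworkDestinationIpV6",
             "ResourceAwsEc2InstanceIpV4Addresses",
             "ResourceAwsEc2InstanceIpV6Addresses"}
KEYWORD_FIELDS = {"Keyword"}


def check_entry(field, entry):
    """Return the problems with one filter object, or [] if it matches the documented shape."""
    problems = []
    if field in NUMBER_FIELDS:
        if not entry or not set(entry) <= {"Gte", "Lte", "Eq"}:
            problems.append(f"{field}: number filter allows only Gte/Lte/Eq")
        elif not all(isinstance(v, (int, float)) and not isinstance(v, bool)
                     for v in entry.values()):
            problems.append(f"{field}: number filter values must be numeric")
    elif field in DATE_FIELDS:
        rng = entry.get("DateRange")
        if rng is None and not ("Start" in entry or "End" in entry):
            problems.append(f"{field}: date filter needs Start/End or DateRange")
        if rng is not None and (not isinstance(rng.get("Value"), int)
                                or rng.get("Unit") not in DATE_UNITS):
            problems.append(f"{field}: DateRange needs an integer Value and Unit DAYS")
    elif field in MAP_FIELDS:
        if set(entry) != {"Key", "Value", "Comparison"} or entry["Comparison"] != "EQUALS":
            problems.append(f"{field}: map filter needs Key, Value and Comparison EQUALS")
    elif field in IP_FIELDS:
        if set(entry) != {"Cidr"}:
            problems.append(f"{field}: IP filter takes a single Cidr")
    elif field in KEYWORD_FIELDS:
        if set(entry) != {"Value"}:
            problems.append(f"{field}: keyword filter takes a single Value")
    else:  # string filter; the CLI itself rejects attribute names it does not know
        if set(entry) != {"Value", "Comparison"} or entry["Comparison"] not in STRING_COMPARISONS:
            problems.append(f"{field}: string filter needs Value and Comparison EQUALS|PREFIX")
    return problems


def validate_filters(filters):
    """Check every attribute list in a --filters structure; returns a list of problems."""
    problems = []
    for field, entries in filters.items():
        if not isinstance(entries, list) or not entries:
            problems.append(f"{field}: must be a non-empty list of filter objects")
            continue
        for entry in entries:
            problems.extend(check_entry(field, entry))
    return problems


def build_insight_request():
    """Assemble Name, Filters and GroupByAttribute for --cli-input-json.
    Security Hub ORs the entries within one attribute list and ANDs the
    different attributes, so this reads: (HIGH or CRITICAL) and (NEW or
    NOTIFIED) and ACTIVE and EC2 instance and updated within 7 days."""
    filters = {
        "SeverityLabel": [{"Value": "HIGH", "Comparison": "EQUALS"},
                          {"Value": "CRITICAL", "Comparison": "EQUALS"}],
        "WorkflowStatus": [{"Value": "NEW", "Comparison": "EQUALS"},
                           {"Value": "NOTIFIED", "Comparison": "EQUALS"}],
        "RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}],  # assumed value
        "ResourceType": [{"Value": "AwsEc2Instance", "Comparison": "EQUALS"}],  # assumed value
        "UpdatedAt": [{"DateRange": {"Value": 7, "Unit": "DAYS"}}],
    }
    return {"Name": "Open high-severity EC2 findings (7d)",  # assumed name
            "Filters": filters,
            "GroupByAttribute": "ResourceId"}


def to_cli_json(request):
    """Serialize the request after validation; raises ValueError on a malformed filter."""
    problems = validate_filters(request["Filters"])
    if problems:
        raise ValueError("; ".join(problems))
    return json.dumps(request, indent=2)


if __name__ == "__main__":
    # Write the output to insight.json, then run:
    #   aws securityhub create-insight --cli-input-json file://insight.json
    print(to_cli_json(build_insight_request()))
```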
JSON Syntax:
{
"ProductArn": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"AwsAccountId": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"Id": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"GeneratorId": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"Type": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"FirstObservedAt": [
{
"Start": "string",
"End": "string",
"DateRange": {
"Value": integer,
"Unit": "DAYS"
}
}
...
],
"LastObservedAt": [
{
"Start": "string",
"End": "string",
"DateRange": {
"Value": integer,
"Unit": "DAYS"
}
}
...
],
"CreatedAt": [
{
"Start": "string",
"End": "string",
"DateRange": {
"Value": integer,
"Unit": "DAYS"
}
}
...
],
"UpdatedAt": [
{
"Start": "string",
"End": "string",
"DateRange": {
"Value": integer,
"Unit": "DAYS"
}
}
...
],
"SeverityProduct": [
{
"Gte": double,
"Lte": double,
"Eq": double
}
...
],
"SeverityNormalized": [
{
"Gte": double,
"Lte": double,
"Eq": double
}
...
],
"SeverityLabel": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"Confidence": [
{
"Gte": double,
"Lte": double,
"Eq": double
}
...
],
"Criticality": [
{
"Gte": double,
"Lte": double,
"Eq": double
}
...
],
"Title": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"Description": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"RecommendationText": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"SourceUrl": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"ProductFields": [
{
"Key": "string",
"Value": "string",
"Comparison": "EQUALS"
}
...
],
"ProductName": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"CompanyName": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"UserDefinedFields": [
{
"Key": "string",
"Value": "string",
"Comparison": "EQUALS"
}
...
],
"MalwareName": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"MalwareType": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"MalwarePath": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"MalwareState": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"NetworkDirection": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"NetworkProtocol": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"NetworkSourceIpV4": [
{
"Cidr": "string"
}
...
],
"NetworkSourceIpV6": [
{
"Cidr": "string"
}
...
],
"NetworkSourcePort": [
{
"Gte": double,
"Lte": double,
"Eq": double
}
...
],
"NetworkSourceDomain": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"NetworkSourceMac": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"NetworkDestinationIpV4": [
{
"Cidr": "string"
}
...
],
"NetworkDestinationIpV6": [
{
"Cidr": "string"
}
...
],
"NetworkDestinationPort": [
{
"Gte": double,
"Lte": double,
"Eq": double
}
...
],
"NetworkDestinationDomain": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"ProcessName": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"ProcessPath": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"ProcessPid": [
{
"Gte": double,
"Lte": double,
"Eq": double
}
...
],
"ProcessParentPid": [
{
"Gte": double,
"Lte": double,
"Eq": double
}
...
],
"ProcessLaunchedAt": [
{
"Start": "string",
"End": "string",
"DateRange": {
"Value": integer,
"Unit": "DAYS"
}
}
...
],
"ProcessTerminatedAt": [
{
"Start": "string",
"End": "string",
"DateRange": {
"Value": integer,
"Unit": "DAYS"
}
}
...
],
"ThreatIntelIndicatorType": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"ThreatIntelIndicatorValue": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"ThreatIntelIndicatorCategory": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"ThreatIntelIndicatorLastObservedAt": [
{
"Start": "string",
"End": "string",
"DateRange": {
"Value": integer,
"Unit": "DAYS"
}
}
...
],
"ThreatIntelIndicatorSource": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"ThreatIntelIndicatorSourceUrl": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"ResourceType": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"ResourceId": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"ResourcePartition": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"ResourceRegion": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"ResourceTags": [
{
"Key": "string",
"Value": "string",
"Comparison": "EQUALS"
}
...
],
"ResourceAwsEc2InstanceType": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"ResourceAwsEc2InstanceImageId": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"ResourceAwsEc2InstanceIpV4Addresses": [
{
"Cidr": "string"
}
...
],
"ResourceAwsEc2InstanceIpV6Addresses": [
{
"Cidr": "string"
}
...
],
"ResourceAwsEc2InstanceKeyName": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"ResourceAwsEc2InstanceIamInstanceProfileArn": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"ResourceAwsEc2InstanceVpcId": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"ResourceAwsEc2InstanceSubnetId": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"ResourceAwsEc2InstanceLaunchedAt": [
{
"Start": "string",
"End": "string",
"DateRange": {
"Value": integer,
"Unit": "DAYS"
}
}
...
],
"ResourceAwsS3BucketOwnerId": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"ResourceAwsS3BucketOwnerName": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"ResourceAwsIamAccessKeyUserName": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"ResourceAwsIamAccessKeyStatus": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"ResourceAwsIamAccessKeyCreatedAt": [
{
"Start": "string",
"End": "string",
"DateRange": {
"Value": integer,
"Unit": "DAYS"
}
}
...
],
"ResourceContainerName": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"ResourceContainerImageId": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"ResourceContainerImageName": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"ResourceContainerLaunchedAt": [
{
"Start": "string",
"End": "string",
"DateRange": {
"Value": integer,
"Unit": "DAYS"
}
}
...
],
"ResourceDetailsOther": [
{
"Key": "string",
"Value": "string",
"Comparison": "EQUALS"
}
...
],
"ComplianceStatus": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"VerificationState": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"WorkflowState": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"WorkflowStatus": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"RecordState": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"RelatedFindingsProductArn": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"RelatedFindingsId": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"NoteText": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"NoteUpdatedAt": [
{
"Start": "string",
"End": "string",
"DateRange": {
"Value": integer,
"Unit": "DAYS"
}
}
...
],
"NoteUpdatedBy": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"Keyword": [
{
"Value": "string"
}
...
]
}
--group-by-attribute
(string)
The attribute used to group the findings for the insight. The grouping attribute identifies the type of item that the insight applies to. For example, if an insight is grouped by resource identifier, then the insight produces a list of resource identifiers.
--cli-input-json | --cli-input-yaml
(string)
Reads arguments from the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton. If other arguments are provided on the command line, those values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally. This may not be specified along with --cli-input-yaml.
--generate-cli-skeleton
(string)
Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input, prints a sample input JSON that can be used as an argument for --cli-input-json. Similarly, if provided yaml-input it will print a sample input YAML that can be used with --cli-input-yaml. If provided with the value output, it validates the command inputs and returns a sample output JSON for that command.
--cli-auto-prompt
(boolean)
Automatically prompt for CLI input parameters.
To create a custom insight
The following create-insight example creates a custom insight named Critical role findings that returns critical findings that are related to AWS roles.
aws securityhub create-insight \
--filters '{"ResourceType": [{ "Comparison": "EQUALS", "Value": "AwsIamRole"}], "SeverityLabel": [{"Comparison": "EQUALS", "Value": "CRITICAL"}]}' \
--group-by-attribute "ResourceId" \
--name "Critical role findings"
Output:
{
"InsightArn": "arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
}
For more information, see Managing custom insights in the AWS Security Hub User Guide.
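The filter skeleton above shows six filter shapes (string filters with EQUALS or PREFIX, number filters with Gte/Lte/Eq, IP filters with a Cidr, date filters with Start/End or a DateRange in DAYS, map filters such as ResourceTags with EQUALS only, and the Keyword filter), and the example passes one of them inline to --filters. The following is an added example, not code from AWS or this reference page: it checks a filters structure against those shapes before anything is sent to the CLI, and assembles the document that --cli-input-json accepts. It assumes the request field names Name, Filters and GroupByAttribute (the same names --generate-cli-skeleton prints for this command), lists only a representative subset of the filter keys from the skeleton, and the second sample filter set and its values are constructed for illustration.

```python
"""Check create-insight filters against the skeleton's shapes before calling the CLI."""
import ipaddress
import json

# Filter families from the --filters skeleton on this page (a representative
# subset of keys; the skeleton lists the full set).
STRING_FILTERS = {
    "ResourceType", "ResourceId", "SeverityLabel", "WorkflowStatus",
    "RecordState", "ComplianceStatus", "ProcessName", "NetworkProtocol",
    "ResourceAwsIamAccessKeyStatus", "ThreatIntelIndicatorValue"}
NUMBER_FILTERS = {"NetworkSourcePort", "NetworkDestinationPort",
                  "ProcessPid", "ProcessParentPid"}
IP_FILTERS = {"NetworkSourceIpV4", "NetworkSourceIpV6", "NetworkDestinationIpV4",
              "NetworkDestinationIpV6", "ResourceAwsEc2InstanceIpV4Addresses",
              "ResourceAwsEc2InstanceIpV6Addresses"}
DATE_FILTERS = {"ProcessLaunchedAt", "ProcessTerminatedAt", "NoteUpdatedAt",
                "ResourceAwsIamAccessKeyCreatedAt", "ResourceAwsEc2InstanceLaunchedAt"}
MAP_FILTERS = {"ResourceTags", "ResourceDetailsOther"}
KEYWORD_FILTERS = {"Keyword"}
STRING_COMPARISONS = {"EQUALS", "PREFIX"}  # the operators the skeleton shows
MAP_COMPARISONS = {"EQUALS"}               # map filters allow EQUALS only


def _check_entry(key, entry):
    """Return the problems found in one filter entry listed under `key`."""
    problems = []
    if key in STRING_FILTERS:
        if "Value" not in entry or entry.get("Comparison") not in STRING_COMPARISONS:
            problems.append(f"{key}: needs Value and Comparison EQUALS or PREFIX")
    elif key in NUMBER_FILTERS:
        if not entry or not set(entry) <= {"Gte", "Lte", "Eq"}:
            problems.append(f"{key}: needs one or more of Gte, Lte, Eq")
        elif "Gte" in entry and "Lte" in entry and entry["Gte"] > entry["Lte"]:
            problems.append(f"{key}: Gte exceeds Lte, so the range is empty")
    elif key in IP_FILTERS:
        try:
            net = ipaddress.ip_network(entry.get("Cidr", ""), strict=False)
        except ValueError:
            problems.append(f"{key}: Cidr is not a valid network")
        else:
            want = 4 if "V4" in key else 6  # the key name says which family
            if net.version != want:
                problems.append(f"{key}: expected an IPv{want} CIDR")
    elif key in DATE_FILTERS:
        rng = entry.get("DateRange")
        if rng is not None:
            if rng.get("Unit") != "DAYS" or not isinstance(rng.get("Value"), int) or rng["Value"] <= 0:
                problems.append(f"{key}: DateRange needs a positive integer Value and Unit DAYS")
        elif "Start" not in entry and "End" not in entry:
            problems.append(f"{key}: needs DateRange or Start/End")
    elif key in MAP_FILTERS:
        if not {"Key", "Value"} <= set(entry) or entry.get("Comparison") not in MAP_COMPARISONS:
            problems.append(f"{key}: needs Key, Value and Comparison EQUALS")
    elif key in KEYWORD_FILTERS:
        if set(entry) != {"Value"}:
            problems.append(f"{key}: only Value is allowed")
    else:
        problems.append(f"{key}: not a known filter key")
    return problems


def validate_filters(filters):
    """Collect problems across a whole --filters structure (empty list = OK)."""
    problems = []
    for key, entries in filters.items():
        if not isinstance(entries, list) or not entries:
            problems.append(f"{key}: must be a non-empty list")
            continue
        for entry in entries:
            problems.extend(_check_entry(key, entry))
    return problems


def build_insight_input(name, filters, group_by):
    """Return the --cli-input-json document (request fields Name, Filters,
    GroupByAttribute, as printed by --generate-cli-skeleton); refuse filters
    that fail validation so a malformed insight is caught before the API call."""
    problems = validate_filters(filters)
    if problems:
        raise ValueError("; ".join(problems))
    return {"Name": name, "Filters": filters, "GroupByAttribute": group_by}


# The page's own example insight, as a filters structure.
CRITICAL_ROLE_FILTERS = {
    "ResourceType": [{"Value": "AwsIamRole", "Comparison": "EQUALS"}],
    "SeverityLabel": [{"Value": "CRITICAL", "Comparison": "EQUALS"}],
}
# Constructed sample (not from the page) exercising the other filter families.
RECENT_KEY_FILTERS = {
    "ResourceAwsIamAccessKeyStatus": [{"Value": "Active", "Comparison": "EQUALS"}],
    "ResourceAwsIamAccessKeyCreatedAt": [{"DateRange": {"Value": 7, "Unit": "DAYS"}}],
    "ResourceTags": [{"Key": "env", "Value": "prod", "Comparison": "EQUALS"}],
    "NetworkSourceIpV4": [{"Cidr": "10.0.0.0/8"}],
}

if __name__ == "__main__":
    doc = build_insight_input("Critical role findings", CRITICAL_ROLE_FILTERS, "ResourceId")
    # Save the output as insight.json, then run:
    #   aws securityhub create-insight --cli-input-json file://insight.json
    print(json.dumps(doc, indent=2))
```

Running the script prints the same insight the example above creates, in the form --cli-input-json expects; a filter using an operator the skeleton does not list (for instance a CONTAINS comparison, or an IPv6 CIDR under an IpV4 key) is rejected locally instead of surfacing as an API validation error.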