[ aws . securityhub ]
update-insight¶
Description¶
Updates the Security Hub insight identified by the specified insight ARN.
See also: AWS API Documentation
See ‘aws help’ for descriptions of global parameters.
Synopsis¶
update-insight
--insight-arn <value>
[--name <value>]
[--filters <value>]
[--group-by-attribute <value>]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
[--cli-auto-prompt <value>]
Options¶
--insight-arn (string)
The ARN of the insight that you want to update.
--name (string)
The updated name for the insight.
--filters (structure)
The updated filters that define this insight.
ProductArn -> (list)
The ARN generated by Security Hub that uniquely identifies a third-party company (security findings provider) after this provider’s product (solution that generates findings) is registered with Security Hub.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
AwsAccountId -> (list)
The AWS account ID that a finding is generated in.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
Id -> (list)
The security findings provider-specific identifier for a finding.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
GeneratorId -> (list)
The identifier for the solution-specific component (a discrete unit of logic) that generated a finding. In various security-findings providers’ solutions, this generator can be called a rule, a check, a detector, a plugin, etc.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
Type -> (list)
A finding type in the format of
namespace/category/classifierthat classifies a finding.(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
FirstObservedAt -> (list)
An ISO8601-formatted timestamp that indicates when the security-findings provider first observed the potential security issue that a finding captured.
(structure)
A date filter for querying findings.
Start -> (string)
A start date for the date filter.
End -> (string)
An end date for the date filter.
DateRange -> (structure)
A date range for the date filter.
Value -> (integer)
A date range value for the date filter.
Unit -> (string)
A date range unit for the date filter.
LastObservedAt -> (list)
An ISO8601-formatted timestamp that indicates when the security-findings provider most recently observed the potential security issue that a finding captured.
(structure)
A date filter for querying findings.
Start -> (string)
A start date for the date filter.
End -> (string)
An end date for the date filter.
DateRange -> (structure)
A date range for the date filter.
Value -> (integer)
A date range value for the date filter.
Unit -> (string)
A date range unit for the date filter.
CreatedAt -> (list)
An ISO8601-formatted timestamp that indicates when the security-findings provider captured the potential security issue that a finding captured.
(structure)
A date filter for querying findings.
Start -> (string)
A start date for the date filter.
End -> (string)
An end date for the date filter.
DateRange -> (structure)
A date range for the date filter.
Value -> (integer)
A date range value for the date filter.
Unit -> (string)
A date range unit for the date filter.
UpdatedAt -> (list)
An ISO8601-formatted timestamp that indicates when the security-findings provider last updated the finding record.
(structure)
A date filter for querying findings.
Start -> (string)
A start date for the date filter.
End -> (string)
An end date for the date filter.
DateRange -> (structure)
A date range for the date filter.
Value -> (integer)
A date range value for the date filter.
Unit -> (string)
A date range unit for the date filter.
SeverityProduct -> (list)
The native severity as defined by the security-findings provider’s solution that generated the finding.
(structure)
A number filter for querying findings.
Gte -> (double)
The greater-than-equal condition to be applied to a single field when querying for findings.
Lte -> (double)
The less-than-equal condition to be applied to a single field when querying for findings.
Eq -> (double)
The equal-to condition to be applied to a single field when querying for findings.
SeverityNormalized -> (list)
The normalized severity of a finding.
(structure)
A number filter for querying findings.
Gte -> (double)
The greater-than-equal condition to be applied to a single field when querying for findings.
Lte -> (double)
The less-than-equal condition to be applied to a single field when querying for findings.
Eq -> (double)
The equal-to condition to be applied to a single field when querying for findings.
SeverityLabel -> (list)
The label of a finding’s severity.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
Confidence -> (list)
A finding’s confidence. Confidence is defined as the likelihood that a finding accurately identifies the behavior or issue that it was intended to identify.
Confidence is scored on a 0-100 basis using a ratio scale, where 0 means zero percent confidence and 100 means 100 percent confidence.
(structure)
A number filter for querying findings.
Gte -> (double)
The greater-than-equal condition to be applied to a single field when querying for findings.
Lte -> (double)
The less-than-equal condition to be applied to a single field when querying for findings.
Eq -> (double)
The equal-to condition to be applied to a single field when querying for findings.
Criticality -> (list)
The level of importance assigned to the resources associated with the finding.
A score of 0 means that the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources.
(structure)
A number filter for querying findings.
Gte -> (double)
The greater-than-equal condition to be applied to a single field when querying for findings.
Lte -> (double)
The less-than-equal condition to be applied to a single field when querying for findings.
Eq -> (double)
The equal-to condition to be applied to a single field when querying for findings.
Title -> (list)
A finding’s title.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
Description -> (list)
A finding’s description.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
RecommendationText -> (list)
The recommendation of what to do about the issue described in a finding.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
SourceUrl -> (list)
A URL that links to a page about the current finding in the security-findings provider’s solution.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
ProductFields -> (list)
A data type where security-findings providers can include additional solution-specific details that aren’t part of the defined
AwsSecurityFindingformat.(structure)
The map filter for querying findings.
Key -> (string)
The key of the map filter.
Value -> (string)
The value for the key in the map filter.
Comparison -> (string)
The condition to apply to a key value when querying for findings with a map filter.
ProductName -> (list)
The name of the solution (product) that generates findings.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
CompanyName -> (list)
The name of the findings provider (company) that owns the solution (product) that generates findings.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
UserDefinedFields -> (list)
A list of name/value string pairs associated with the finding. These are custom, user-defined fields added to a finding.
(structure)
The map filter for querying findings.
Key -> (string)
The key of the map filter.
Value -> (string)
The value for the key in the map filter.
Comparison -> (string)
The condition to apply to a key value when querying for findings with a map filter.
MalwareName -> (list)
The name of the malware that was observed.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
MalwareType -> (list)
The type of the malware that was observed.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
MalwarePath -> (list)
The filesystem path of the malware that was observed.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
MalwareState -> (list)
The state of the malware that was observed.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
NetworkDirection -> (list)
Indicates the direction of network traffic associated with a finding.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
NetworkProtocol -> (list)
The protocol of network-related information about a finding.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
NetworkSourceIpV4 -> (list)
The source IPv4 address of network-related information about a finding.
(structure)
The IP filter for querying findings.
Cidr -> (string)
A finding’s CIDR value.
NetworkSourceIpV6 -> (list)
The source IPv6 address of network-related information about a finding.
(structure)
The IP filter for querying findings.
Cidr -> (string)
A finding’s CIDR value.
NetworkSourcePort -> (list)
The source port of network-related information about a finding.
(structure)
A number filter for querying findings.
Gte -> (double)
The greater-than-equal condition to be applied to a single field when querying for findings.
Lte -> (double)
The less-than-equal condition to be applied to a single field when querying for findings.
Eq -> (double)
The equal-to condition to be applied to a single field when querying for findings.
NetworkSourceDomain -> (list)
The source domain of network-related information about a finding.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
NetworkSourceMac -> (list)
The source media access control (MAC) address of network-related information about a finding.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
NetworkDestinationIpV4 -> (list)
The destination IPv4 address of network-related information about a finding.
(structure)
The IP filter for querying findings.
Cidr -> (string)
A finding’s CIDR value.
NetworkDestinationIpV6 -> (list)
The destination IPv6 address of network-related information about a finding.
(structure)
The IP filter for querying findings.
Cidr -> (string)
A finding’s CIDR value.
NetworkDestinationPort -> (list)
The destination port of network-related information about a finding.
(structure)
A number filter for querying findings.
Gte -> (double)
The greater-than-equal condition to be applied to a single field when querying for findings.
Lte -> (double)
The less-than-equal condition to be applied to a single field when querying for findings.
Eq -> (double)
The equal-to condition to be applied to a single field when querying for findings.
NetworkDestinationDomain -> (list)
The destination domain of network-related information about a finding.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
ProcessName -> (list)
The name of the process.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
ProcessPath -> (list)
The path to the process executable.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
ProcessPid -> (list)
The process ID.
(structure)
A number filter for querying findings.
Gte -> (double)
The greater-than-equal condition to be applied to a single field when querying for findings.
Lte -> (double)
The less-than-equal condition to be applied to a single field when querying for findings.
Eq -> (double)
The equal-to condition to be applied to a single field when querying for findings.
ProcessParentPid -> (list)
The parent process ID.
(structure)
A number filter for querying findings.
Gte -> (double)
The greater-than-equal condition to be applied to a single field when querying for findings.
Lte -> (double)
The less-than-equal condition to be applied to a single field when querying for findings.
Eq -> (double)
The equal-to condition to be applied to a single field when querying for findings.
ProcessLaunchedAt -> (list)
The date/time that the process was launched.
(structure)
A date filter for querying findings.
Start -> (string)
A start date for the date filter.
End -> (string)
An end date for the date filter.
DateRange -> (structure)
A date range for the date filter.
Value -> (integer)
A date range value for the date filter.
Unit -> (string)
A date range unit for the date filter.
ProcessTerminatedAt -> (list)
The date/time that the process was terminated.
(structure)
A date filter for querying findings.
Start -> (string)
A start date for the date filter.
End -> (string)
An end date for the date filter.
DateRange -> (structure)
A date range for the date filter.
Value -> (integer)
A date range value for the date filter.
Unit -> (string)
A date range unit for the date filter.
ThreatIntelIndicatorType -> (list)
The type of a threat intelligence indicator.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
ThreatIntelIndicatorValue -> (list)
The value of a threat intelligence indicator.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
ThreatIntelIndicatorCategory -> (list)
The category of a threat intelligence indicator.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
ThreatIntelIndicatorLastObservedAt -> (list)
The date/time of the last observation of a threat intelligence indicator.
(structure)
A date filter for querying findings.
Start -> (string)
A start date for the date filter.
End -> (string)
An end date for the date filter.
DateRange -> (structure)
A date range for the date filter.
Value -> (integer)
A date range value for the date filter.
Unit -> (string)
A date range unit for the date filter.
ThreatIntelIndicatorSource -> (list)
The source of the threat intelligence.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
ThreatIntelIndicatorSourceUrl -> (list)
The URL for more details from the source of the threat intelligence.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
ResourceType -> (list)
Specifies the type of the resource that details are provided for.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
ResourceId -> (list)
The canonical identifier for the given resource type.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
ResourcePartition -> (list)
The canonical AWS partition name that the Region is assigned to.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
ResourceRegion -> (list)
The canonical AWS external Region name where this resource is located.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
ResourceTags -> (list)
A list of AWS tags associated with a resource at the time the finding was processed.
(structure)
The map filter for querying findings.
Key -> (string)
The key of the map filter.
Value -> (string)
The value for the key in the map filter.
Comparison -> (string)
The condition to apply to a key value when querying for findings with a map filter.
ResourceAwsEc2InstanceType -> (list)
The instance type of the instance.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
ResourceAwsEc2InstanceImageId -> (list)
The Amazon Machine Image (AMI) ID of the instance.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
ResourceAwsEc2InstanceIpV4Addresses -> (list)
The IPv4 addresses associated with the instance.
(structure)
The IP filter for querying findings.
Cidr -> (string)
A finding’s CIDR value.
ResourceAwsEc2InstanceIpV6Addresses -> (list)
The IPv6 addresses associated with the instance.
(structure)
The IP filter for querying findings.
Cidr -> (string)
A finding’s CIDR value.
ResourceAwsEc2InstanceKeyName -> (list)
The key name associated with the instance.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
ResourceAwsEc2InstanceIamInstanceProfileArn -> (list)
The IAM profile ARN of the instance.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
ResourceAwsEc2InstanceVpcId -> (list)
The identifier of the VPC that the instance was launched in.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
ResourceAwsEc2InstanceSubnetId -> (list)
The identifier of the subnet that the instance was launched in.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
ResourceAwsEc2InstanceLaunchedAt -> (list)
The date and time the instance was launched.
(structure)
A date filter for querying findings.
Start -> (string)
A start date for the date filter.
End -> (string)
An end date for the date filter.
DateRange -> (structure)
A date range for the date filter.
Value -> (integer)
A date range value for the date filter.
Unit -> (string)
A date range unit for the date filter.
ResourceAwsS3BucketOwnerId -> (list)
The canonical user ID of the owner of the S3 bucket.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
ResourceAwsS3BucketOwnerName -> (list)
The display name of the owner of the S3 bucket.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
ResourceAwsIamAccessKeyUserName -> (list)
The user associated with the IAM access key related to a finding.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
ResourceAwsIamAccessKeyStatus -> (list)
The status of the IAM access key related to a finding.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
ResourceAwsIamAccessKeyCreatedAt -> (list)
The creation date/time of the IAM access key related to a finding.
(structure)
A date filter for querying findings.
Start -> (string)
A start date for the date filter.
End -> (string)
An end date for the date filter.
DateRange -> (structure)
A date range for the date filter.
Value -> (integer)
A date range value for the date filter.
Unit -> (string)
A date range unit for the date filter.
ResourceContainerName -> (list)
The name of the container related to a finding.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
ResourceContainerImageId -> (list)
The identifier of the image related to a finding.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
ResourceContainerImageName -> (list)
The name of the image related to a finding.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
ResourceContainerLaunchedAt -> (list)
The date/time that the container was started.
(structure)
A date filter for querying findings.
Start -> (string)
A start date for the date filter.
End -> (string)
An end date for the date filter.
DateRange -> (structure)
A date range for the date filter.
Value -> (integer)
A date range value for the date filter.
Unit -> (string)
A date range unit for the date filter.
ResourceDetailsOther -> (list)
The details of a resource that doesn’t have a specific subfield for the resource type defined.
(structure)
The map filter for querying findings.
Key -> (string)
The key of the map filter.
Value -> (string)
The value for the key in the map filter.
Comparison -> (string)
The condition to apply to a key value when querying for findings with a map filter.
ComplianceStatus -> (list)
Exclusive to findings that are generated as the result of a check run against a specific rule in a supported standard, such as CIS AWS Foundations. Contains security standard-related finding details.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
VerificationState -> (list)
The veracity of a finding.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
WorkflowState -> (list)
The workflow state of a finding.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
WorkflowStatus -> (list)
The status of the investigation into a finding. Allowed values are the following.
NEW- The initial state of a finding, before it is reviewed.
NOTIFIED- Indicates that the resource owner has been notified about the security issue. Used when the initial reviewer is not the resource owner, and needs intervention from the resource owner.
SUPPRESSED- The finding will not be reviewed again and will not be acted upon.
RESOLVED- The finding was reviewed and remediated and is now considered resolved.(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
RecordState -> (list)
The updated record state for the finding.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
RelatedFindingsProductArn -> (list)
The ARN of the solution that generated a related finding.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
RelatedFindingsId -> (list)
The solution-generated identifier for a related finding.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
NoteText -> (list)
The text of a note.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
NoteUpdatedAt -> (list)
The timestamp of when the note was updated.
(structure)
A date filter for querying findings.
Start -> (string)
A start date for the date filter.
End -> (string)
An end date for the date filter.
DateRange -> (structure)
A date range for the date filter.
Value -> (integer)
A date range value for the date filter.
Unit -> (string)
A date range unit for the date filter.
NoteUpdatedBy -> (list)
The principal that created a note.
(structure)
A string filter for querying findings.
Value -> (string)
The string filter value.
Comparison -> (string)
The condition to be applied to a string value when querying for findings.
Keyword -> (list)
A keyword for a finding.
(structure)
A keyword filter for querying findings.
Value -> (string)
A value for the keyword.
JSON Syntax:
{
"ProductArn": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"AwsAccountId": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"Id": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"GeneratorId": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"Type": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"FirstObservedAt": [
{
"Start": "string",
"End": "string",
"DateRange": {
"Value": integer,
"Unit": "DAYS"
}
}
...
],
"LastObservedAt": [
{
"Start": "string",
"End": "string",
"DateRange": {
"Value": integer,
"Unit": "DAYS"
}
}
...
],
"CreatedAt": [
{
"Start": "string",
"End": "string",
"DateRange": {
"Value": integer,
"Unit": "DAYS"
}
}
...
],
"UpdatedAt": [
{
"Start": "string",
"End": "string",
"DateRange": {
"Value": integer,
"Unit": "DAYS"
}
}
...
],
"SeverityProduct": [
{
"Gte": double,
"Lte": double,
"Eq": double
}
...
],
"SeverityNormalized": [
{
"Gte": double,
"Lte": double,
"Eq": double
}
...
],
"SeverityLabel": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"Confidence": [
{
"Gte": double,
"Lte": double,
"Eq": double
}
...
],
"Criticality": [
{
"Gte": double,
"Lte": double,
"Eq": double
}
...
],
"Title": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"Description": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"RecommendationText": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"SourceUrl": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"ProductFields": [
{
"Key": "string",
"Value": "string",
"Comparison": "EQUALS"
}
...
],
"ProductName": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"CompanyName": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"UserDefinedFields": [
{
"Key": "string",
"Value": "string",
"Comparison": "EQUALS"
}
...
],
"MalwareName": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"MalwareType": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"MalwarePath": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"MalwareState": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"NetworkDirection": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"NetworkProtocol": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"NetworkSourceIpV4": [
{
"Cidr": "string"
}
...
],
"NetworkSourceIpV6": [
{
"Cidr": "string"
}
...
],
"NetworkSourcePort": [
{
"Gte": double,
"Lte": double,
"Eq": double
}
...
],
"NetworkSourceDomain": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"NetworkSourceMac": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"NetworkDestinationIpV4": [
{
"Cidr": "string"
}
...
],
"NetworkDestinationIpV6": [
{
"Cidr": "string"
}
...
],
"NetworkDestinationPort": [
{
"Gte": double,
"Lte": double,
"Eq": double
}
...
],
"NetworkDestinationDomain": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"ProcessName": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"ProcessPath": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"ProcessPid": [
{
"Gte": double,
"Lte": double,
"Eq": double
}
...
],
"ProcessParentPid": [
{
"Gte": double,
"Lte": double,
"Eq": double
}
...
],
"ProcessLaunchedAt": [
{
"Start": "string",
"End": "string",
"DateRange": {
"Value": integer,
"Unit": "DAYS"
}
}
...
],
"ProcessTerminatedAt": [
{
"Start": "string",
"End": "string",
"DateRange": {
"Value": integer,
"Unit": "DAYS"
}
}
...
],
"ThreatIntelIndicatorType": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"ThreatIntelIndicatorValue": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"ThreatIntelIndicatorCategory": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"ThreatIntelIndicatorLastObservedAt": [
{
"Start": "string",
"End": "string",
"DateRange": {
"Value": integer,
"Unit": "DAYS"
}
}
...
],
"ThreatIntelIndicatorSource": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"ThreatIntelIndicatorSourceUrl": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"ResourceType": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"ResourceId": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"ResourcePartition": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"ResourceRegion": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"ResourceTags": [
{
"Key": "string",
"Value": "string",
"Comparison": "EQUALS"
}
...
],
"ResourceAwsEc2InstanceType": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"ResourceAwsEc2InstanceImageId": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"ResourceAwsEc2InstanceIpV4Addresses": [
{
"Cidr": "string"
}
...
],
"ResourceAwsEc2InstanceIpV6Addresses": [
{
"Cidr": "string"
}
...
],
"ResourceAwsEc2InstanceKeyName": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"ResourceAwsEc2InstanceIamInstanceProfileArn": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"ResourceAwsEc2InstanceVpcId": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"ResourceAwsEc2InstanceSubnetId": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"ResourceAwsEc2InstanceLaunchedAt": [
{
"Start": "string",
"End": "string",
"DateRange": {
"Value": integer,
"Unit": "DAYS"
}
}
...
],
"ResourceAwsS3BucketOwnerId": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"ResourceAwsS3BucketOwnerName": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"ResourceAwsIamAccessKeyUserName": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"ResourceAwsIamAccessKeyStatus": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"ResourceAwsIamAccessKeyCreatedAt": [
{
"Start": "string",
"End": "string",
"DateRange": {
"Value": integer,
"Unit": "DAYS"
}
}
...
],
"ResourceContainerName": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"ResourceContainerImageId": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"ResourceContainerImageName": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"ResourceContainerLaunchedAt": [
{
"Start": "string",
"End": "string",
"DateRange": {
"Value": integer,
"Unit": "DAYS"
}
}
...
],
"ResourceDetailsOther": [
{
"Key": "string",
"Value": "string",
"Comparison": "EQUALS"
}
...
],
"ComplianceStatus": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"VerificationState": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"WorkflowState": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"WorkflowStatus": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"RecordState": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"RelatedFindingsProductArn": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"RelatedFindingsId": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"NoteText": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"NoteUpdatedAt": [
{
"Start": "string",
"End": "string",
"DateRange": {
"Value": integer,
"Unit": "DAYS"
}
}
...
],
"NoteUpdatedBy": [
{
"Value": "string",
"Comparison": "EQUALS"|"PREFIX"
}
...
],
"Keyword": [
{
"Value": "string"
}
...
]
}
--group-by-attribute (string)
The updated
GroupByattribute that defines this insight.
--cli-input-json | --cli-input-yaml (string)
Reads arguments from the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton. If other arguments are provided on the command line, those values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally. This may not be specified along with --cli-input-yaml.
--generate-cli-skeleton (string)
Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input, prints a sample input JSON that can be used as an argument for --cli-input-json. Similarly, if provided yaml-input it will print a sample input YAML that can be used with --cli-input-yaml. If provided with the value output, it validates the command inputs and returns a sample output JSON for that command.
--cli-auto-prompt (boolean)
Automatically prompt for CLI input parameters.
See ‘aws help’ for descriptions of global parameters.
Examples¶
Example 1: To change the filter for a custom insight
The following update-insight example changes the filters for a custom insight. The updated insight looks for findings with a high severity that are related to AWS roles.
aws securityhub update-insight \
--insight-arn "arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" \
--filters '{"ResourceType": [{ "Comparison": "EQUALS", "Value": "AwsIamRole"}], "SeverityLabel": [{"Comparison": "EQUALS", "Value": "HIGH"}]}' \
--name "High severity role findings"
Example 2: To change the grouping attribute for a custom insight
The following update-insight example changes the grouping attribute for the custom insight with the specified ARN. The new grouping attribute is the resource ID.
aws securityhub update-insight \
--insight-arn "arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" \
--group-by-attribute "ResourceId" \
--name "Critical role findings"
Output:
{
"Insights": [
{
"InsightArn": "arn:aws:securityhub:us-west-1:123456789012:insight/123456789012/custom/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
"Name": "Critical role findings",
"Filters": {
"SeverityLabel": [
{
"Value": "CRITICAL",
"Comparison": "EQUALS"
}
],
"ResourceType": [
{
"Value": "AwsIamRole",
"Comparison": "EQUALS"
}
]
},
"GroupByAttribute": "ResourceId"
}
]
}
For more information, see Managing custom insights in the AWS Security Hub User Guide.
Output¶
None